IS Governance Flashcards
How can a Legal team stay up to date on new laws and regulations concerning information security and privacy?
Subscribe to a service that publishes updates on new and changing laws and regulations.
What is the most effective way to convey the status of an organization’s security program to executive management?
Key risk indicators (KRIs)
Explain the difference between policies, standards, guidelines, and procedures.
Policies are overarching assertions of acceptable actions. Standards establish an acceptable level of attainment or quality. Procedures explain step by step how to perform a process. Guidelines, which are optional, recommend a course of action.
What metrics would best show progress on a new SIEM implementation?
Percentage of log sources sending log data and number of use cases developed.
Define the term Information Security Governance
A process, or set of processes, where senior management exerts strategic control over business functions through policies, objectives, delegation of authority, monitoring, and reporting.
What is the best way to detect tailgating at a building with card readers?
Observe employee behavior using video surveillance
Which member of a cyber risk steering committee should have veto power for specific cyber-risk decisions?
The business owner for a relevant business process or system
Name the CMMI levels
Initial, repeatable, defined, managed, optimizing
Name the elements of a business case
Description of current state, desired state, success criteria, requirements, constraints, approach, and plan.
What is the purpose of an information security steering committee?
Ensure alignment of the information security program with current and future business needs.
Who should inform a CISO of new third-party service providers?
IT, Legal, and Procurement
What is FAIR?
Factor Analysis of Information Risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. The taxonomy takes a risk and breaks it down into two top-level branches, Loss Event Frequency and Loss Magnitude, each of which is further decomposed into contributing factors.
What is NIST 800-30?
NIST SP 800-30 (Guide for Conducting Risk Assessments) provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39.
What is ISO 27001?
An international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
What is the norm for frequency of security awareness training?
At the time of hire and annually thereafter