IT Governance

Question 1

3 Types of Governance Models

Answer 1

1. Centralized
2. Decentralized
3. Hybrid

Question 2

Due Diligence

Answer 2

Pre-emptive measure made to avoid harm to other persons or their property
Leads to due care
Examples: employee background checks, credit checks, risk assessments

Question 3

Due Care

Answer 3

Used to describe the care a “reasonable person” would exercise under given circumstances
Individual’s or organization’s legal duty
Lack of due care = negligence

Question 4

Types of Security Policies

Answer 4

1. Organizational or Program Policy
2. Functional, Issue Specific Policies
3. System Specific Policies

Question 5

Organizational or Program Policy

Answer 5

Addresses goals of confidentiality, integrity, and availability

Question 6

Functional, Issue Specific Policies

Answer 6

Addresses areas of particular security concern requiring clarification

Question 7

System Specific Policies

Answer 7

Areas where it is desired to have clearer direction or greater control for a specific technical or operational area may have more detailed policies

Question 8

Standards

Answer 8

Specific requirements for systems in an organization
Requires consistency across the organization
Hardware and software security mechanisms needed in controlling security risks

Question 9

Policies

Answer 9

Define what organizations need

Question 10

Baselines

Answer 10

Describes how to best implement the security configuration or standard of a software or environment to ensure that it is consistent throughout the organization
Specific rules describing how to implement the best security controls in support of policy and standards

Question 11

Procedures

Answer 11

Step-by-step instructions to support compliance with the policies and standards (best way to implement)

Question 12

Guidelines

Answer 12

Optional recommendations that can be used to enable individuals to make judgments with respect to security actions

Question 13

Security Policy Best Practices

Answer 13

1. Clearly defined process for policy initiation, creation, review, approval,
   distribution and communication
2. Do not be too specific in policy statements
3. Use forceful, directive wording
4. Policies must be technology independent
5. Provide references to supporting documentation
6. Conduct management review and sign-off
7. Employees should explicitly acknowledge policies
8. Define policy exception rules
9. Review incidents and adjust policies as needed
10. Periodically review policies
11. Develop sanctions for non-compliance

Question 14

Directive Controls

Answer 14

1. Information security policies
2. Procedures
3. Standards
4. Baselines
5. Guidelines

Question 15

Factors that Drive Frequency of Monitoring

Answer 15

1. Organizational mission/business functions, and their ability to use monitoring results to facilitate greater situational awareness
2. Anticipated frequency of changes in organizational information systems and operating environments
3. Potential impact of risk if not properly addressed
4. Degree to which the threat space is changing

Question 16

Automated Monitoring

Answer 16

Usually faster, more efficient, more cost-effective, and less prone to human error

Question 17

Security Roles

Answer 17

1. End User
2. Executive Management
3. Information Systems Security Professional
4. Data Owner
5. Data Custodian

Question 18

End User

Answer 18

Responsiblefor protecting information assets on a daily basis through adherence to the security policies that have been communicated

Question 19

Executive Management

Answer 19

Maintainsthe overall responsibility for protection of the information assets

Question 20

Information Systems Security Professional

Answer 20

Coordinate drafting of security policies, standards and supporting guidelines, procedures, and baselines

Question 21

Data Owner

Answer 21

Responsible for an information asset

Question 22

Data Custodian

Answer 22

Takes care of the information on behalf of the owner

Question 23

Risk Monitoring Strategy

Answer 23

1. Monitoring Compliance
2. Monitoring Effectiveness
3. Monitoring Changes
4. Automated Versus Manual Monitoring
5. Frequency of Monitoring