Module 2.1 Flashcards
What are the tasks of the CISO and Information security team?
1) Creation of a strategic plan
2) How security objectives will be implemented
What are policies?
Laws within an organization; they still carry penalties
What are the three principles to take note of in governance?
oversight (covers everything)
accountability
strategic perspective
What are the goals of information security governance?
1) Strategic alignment (if IS supports business objectives)
2) Risk management (have appropriate measures to manage threats)
3) Resource management (using information security resources properly)
4) Performance measurement (measuring information security metrics)
5) Value delivery (optimizing IS investments)
What are the 4 governance committees?
IT Strategy, Information Security, Change Control Board, Internal Audit (quality assurance people)
What are the four major organizational changes?
Labor disruptions, Acquisitions, Reorganization, and Divestitures
RACI Model
R - Responsible (task-oriented)
A - Accountable (final authority)
C - Consulted (insights for the team)
I - Informed (should be updated but isn’t directly part)
What is the difference between information owners and system owners?
Information Owners = owns the info (data)
System Owners = works on the system (data analyst)
What are the roles of IT Security?
Custodian - highest access, managers
Developer - make systems
Auditor - check the system to ensure that they are policy compliant
User - end user
What are the security frameworks?
Authoritative - strict
Auditable - technical frameworks
Holistic - overall
What is the purpose of frameworks?
To know if you’re doing the right things; marketing (“our company uses these frameworks”); development of a security framework
ISO 27000
IT Security Standards
OWASP
Open Web Application Security Project
PCI-DSS / PA-DSS
Payment Application Data Security Standard