Security and Risk Mgmt Flashcards
1
Q
How should IT governance be considered by the Board of Directors?
A
The IT Governance Institute says the board of directors should:
- be informed about information security
- set direction to drive policy and strategy
- provide resources to security efforts
- assign management responsibilities
- set priorities
- support changes required
- define cultural values related to risk assessment
- obtain assurance from internal and external auditors
- insist that security investments are made measurable and reported on for program effectiveness
2
Q
What should management do with regard to IT governance?
A
Management should:
- write security policies with business input
- ensure that roles and responsibilities are defined and clearly understood
- identify threats and vulnerabilities
- implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
- ensure that policy is approved by governing body
- establish priorities and implement security projects in a timely manner
- monitor breaches
- conduct periodic reviews and tests
- reinforce that awareness education is critical
- build security into the systems development lifecycle