Security Policies and Governance Flashcards

1
Q

What are the 4 levels of security policy development?

A
  • Acceptable Use Policy
    • assigns roles and ties responsibilities to those roles
  • Security Baselines
    • defines minimum levels of security that every system within an organization needs to meet
  • Security Guidelines
    • recommendations on how standards and baselines are implemented
    • provides guidance for both security professionals and users
  • Security Procedures
    • step-by-step ways to accomplish a task
    • support policy goals and provide consistency
2
Q

What are the 3 types of plans?

A
  • Strategic
    • long term, stable plan
    • should include a risk assessment
    • typically 5-year horizon with annual updates
    • designed to strategically align the security functions with business objectives
  • Tactical
    • midterm plan developed to provide more details on goals of the strategic plan
    • provides more flexibility, as ad-hoc adjustments can be made, given the right circumstances
    • usually one year plan
  • Operational
    • short-term, highly detailed plan based on the strategic and tactical plans
    • includes budgetary figures, staff assignments, step-by-step procedures
    • monthly or quarterly plan
3
Q

What does security policy define?

A

scope of security that’s needed by the organization, assets that need to be protected and the extent the business should go to protect them

4
Q

What’s the purpose of security policy?

A
  • authority
  • declares compliance with laws and ethics
  • demonstrate management commitment
  • provides direction and guidance
5
Q

What are signs of a good security policy? (7)

A
  1. up to date
  2. communicated
  3. legal
  4. defines exceptions
  5. concise
  6. unambiguous
  7. senior management sign-off
6
Q

What’s governance?

A

establishment and oversight of policies, procedures, accountability, strategic thinking and controls to ensure the effective management and protection of an organization’s information assets

7
Q

What’s included in governance?

A
  • Policies and Procedures
    • involves the development and implementation of policies and procedures that guide the organization’s security practices
  • Risk Management
    • establishing a risk management framework that identifies, assesses, and manages information security risks
  • Compliance and Regulatory Requirements
    • ensures compliance with relevant laws, regulations, and industry standards pertaining to information security
  • Stakeholder Management
    • engaging and communicating with stakeholders to align security initiatives with organizational objectives
  • Performance Measurement and Reporting
    • defining performance metrics and establishing mechanisms to monitor and measure the effectiveness of security controls, incident response capabilities, and overall security posture
  • Continuous Improvement
    • encourages a culture of continuous improvement by fostering a proactive approach to security
8
Q

What are different organizational changes?

A
  • Acquisitions
    • process of acquiring or merging with another organization
  • Divestitures
    • process of selling or separating a part of an organization
  • Reorganizations
    • significant structural changes within an organization, such as mergers, restructurings, or changes in leadership
  • Labor Disruptions
    • strikes, labor disputes, or work stoppages can have a significant impact on an organization’s operations, including information security
9
Q

What’s COBIT and what’s the goal of COBIT?

A
  • IT management and governance framework
  • aims to bridge the gap between business and IT by providing a framework that aligns IT activities with business objectives, manages IT-related risks, and ensures the efficient use of IT resources
10
Q

What are COBIT’s 5 key principles that guide organizations in achieving effective IT governance and aligning IT with business goals?

A
  • Meeting Stakeholder Needs
    • emphasizes the importance of understanding and addressing the needs, expectations, and objectives of various stakeholders
  • Covering the Enterprise End-to-End
    • COBIT promotes a holistic view of IT governance by recognizing the interconnectedness of IT processes and their impact across the entire enterprise
  • Applying a Single Integrated Framework
    • COBIT advocates for the use of a single, integrated framework to govern and manage enterprise IT
  • Enabling a Holistic Approach
    • highlights the importance of considering various components of IT governance as interconnected and interdependent
  • Separating Governance from Management
    • COBIT distinguishes between IT governance and IT management, recognizing that these are distinct but complementary activities
11
Q

What does IT governance focus on?

A

governance focuses on setting objectives, establishing policies, and providing oversight to ensure that IT aligns with business goals and meets stakeholder needs

12
Q

What does IT management focus on?

A

involves the execution of activities to achieve those objectives and implement the established governance framework

13
Q

What’s the planning time horizon of strategic planning?

A

up to 5 years in most cases

14
Q

What are the 4 types of security baselines?
What do they define?

A
  • defines controls recommended if a loss of confidentiality, integrity or availability will have an impact on the business mission
  • low/moderate/high impact and privacy control baseline (processes PII)
15
Q

What measures do organizations use to apply security baselines according to NIST 800-53B?

A

scoping and tailoring

16
Q

What is SCA and who performs it?

A

Security Control Assessment often refers to a formal government process and is often paired with Security Test and Evaluation (ST&E)

17
Q

What is the minimum security standard to require of possible vendors?

A

handling information in the same manner the organization would

18
Q

The CIS benchmarks are an example of what sort of compliance tool?

A

security baseline

19
Q

What type of planning or security management should be the primary tool used to address the security concerns of acquisitions, divestitures, and governance committees?

A

**Security governance** should include acquisitions, divestitures, and governance committees