Security Policies and Governance Flashcards
What are the 4 levels of security policy development?
- Acceptable Use Policy
  - assigns roles and ties responsibilities to those roles
- Security Baselines
  - defines minimum levels of security that every system within an organization needs to meet
- Security Guidelines
  - recommendations on how standards and baselines are implemented
  - provides guidance for both security professionals and users
- Security Procedures
  - step-by-step ways to accomplish a task
  - support policy goals and provide consistency
What are the 3 types of plans?
- Strategic
  - long-term, stable plan
  - should include a risk assessment
  - typically 5-year horizon with annual updates
  - designed to strategically align the security functions with business objectives
- Tactical
  - mid-term plan developed to provide more details on the goals of the strategic plan
  - provides more flexibility, as ad-hoc adjustments can be made, given the right circumstances
  - usually a one-year plan
- Operational
  - short-term, highly detailed plan based on the strategic and tactical plans
  - includes budgetary figures, staff assignments, and step-by-step procedures
  - monthly or quarterly plan
What does security policy define?
the scope of security that’s needed by the organization, the assets that need to be protected, and the extent to which the business should go to protect them
What’s the purpose of security policy?
- authority
- declares compliance with laws and ethics
- demonstrates management commitment
- provides direction and guidance
What are signs of a good security policy? (7)
- up to date
- communicated
- legal
- defines exceptions
- concise
- unambiguous
- senior management sign-off
What’s governance?
establishment and oversight of policies, procedures, accountability, strategic thinking and controls to ensure the effective management and protection of an organization’s information assets
What’s included in governance?
- Policies and Procedures
  - involves the development and implementation of policies and procedures that guide the organization’s security practices
- Risk Management
  - establishing a risk management framework that identifies, assesses, and manages information security risks
- Compliance and Regulatory Requirements
  - ensures compliance with relevant laws, regulations, and industry standards pertaining to information security
- Stakeholder Management
  - engaging and communicating with stakeholders to align security initiatives with organizational objectives
- Performance Measurement and Reporting
  - defining performance metrics and establishing mechanisms to monitor and measure the effectiveness of security controls, incident response capabilities, and overall security posture
- Continuous Improvement
  - encourages a culture of continuous improvement by fostering a proactive approach to security
What are different organizational changes?
- Acquisitions
  - process of acquiring or merging with another organization
- Divestitures
  - process of selling or separating a part of an organization
- Reorganizations
  - significant structural changes within an organization, such as mergers, restructurings, or changes in leadership
- Labor Disruptions
  - strikes, labor disputes, or work stoppages can have a significant impact on an organization’s operations, including information security
What’s COBIT and what’s the goal of COBIT?
- IT management and governance framework
- aims to bridge the gap between business and IT by providing a framework that aligns IT activities with business objectives, manages IT-related risks, and ensures the efficient use of IT resources
What are COBIT’s 5 key principles that guide organizations in achieving effective IT governance and aligning IT with business goals?
- Meeting Stakeholder Needs
  - emphasizes the importance of understanding and addressing the needs, expectations, and objectives of various stakeholders
- Covering the Enterprise End-to-End
  - COBIT promotes a holistic view of IT governance by recognizing the interconnectedness of IT processes and their impact across the entire enterprise
- Applying a Single Integrated Framework
  - COBIT advocates for the use of a single, integrated framework to govern and manage enterprise IT
- Enabling a Holistic Approach
  - highlights the importance of considering various components of IT governance as interconnected and interdependent
- Separating Governance from Management
  - COBIT distinguishes between IT governance and IT management, recognizing that these are distinct but complementary activities
What does IT governance focus on?
governance focuses on setting objectives, establishing policies, and providing oversight to ensure that IT aligns with business goals and meets stakeholder needs
What does IT management focus on?
involves the execution of activities to achieve those objectives and implement the established governance framework
What’s the planning time horizon of strategic planning?
up to 5 years in most cases
What are the 4 types of security baselines, and what do they define?
- low-impact, moderate-impact, high-impact, and privacy control baselines (the privacy control baseline applies to systems that process PII)
- each defines the controls recommended if a loss of confidentiality, integrity or availability will have an impact on the business mission
What measures do organizations use to apply security baselines according to NIST 800-53B?
scoping and tailoring