Security Programme management and oversight 5.1

Question 1

Security Policy Guidelines.

Answer 1

What rules are you following to provide CIA.

Security Policies answer the what and the why.

Question 2

Information security policy

Answer 2

A big list of all security related policies.

Question 3

Acceptable Use Policy

Answer 3

Acceptable Use Policy
Defines what users are able to do with the technology has been provided to them.

Question 4

Business Continuity

Answer 4

Plan for when technology does not work.

Question 5

Disaster Recovery plan

Answer 5

It should be ready to respond to disaster

Question 6

Security Incidents

Answer 6

policy to be able to react to different events.

Question 7

Incident response team

Answer 7

Specialised team to respond to a security incident.

Question 8

NIST

Answer 8

National institute of standards and technology.

Incident response lifecycle:

Preparation, Detection, Containment, Post-incident Activity.

Question 9

SDLC

Answer 9

Systems development cycle
AGILE VS WATERFUL

Question 10

Change management

Answer 10

Policies which need to be followed in relation to making a change.

Question 11

Security Standards

Answer 11

A formal definition for using security technologies and processes.

Many standards are already available
ISO (International Organisation for Standardisation).
NIST (National Institute of Standards and Technology)

Question 12

Passwords

Answer 12

Ensure a specific set of password policies are being used when setting a password.

Question 13

Access control

Answer 13

Define which access control types are used. Determine which information, at what time.

Question 14

Physical Security - Standards

Answer 14

Rules and Policies regarding physical security controls.

Question 15

Encryption - standards

Answer 15

Password storage (Encrypted).
Data encryption standards depending on the state of data.

Question 16

Regulations are often mandated.

Answer 16

Security standards are often mandated by regulations. Sox Hippa.

Question 17

Legal - Oversight.

Answer 17

The Security team is often tasked with the legal responsibilities.

Disclosure, Reporting illegal activities, Holding data required for legal proceedings.

Question 18

Industry -

Answer 18

The industry may require specific security consideration.

Question 19

Geographical Security

Answer 19

May be different standards depending on where you are in the world.

Question 20

Security Procedures - Change management

Answer 20

Scope of change
Risk of change
Create a plan
Change control board
Have a back out plan.

Question 21

On boarding

Answer 21

Bringing someone into the building,
New Accounts will need to be created.

Question 22

Off boarding

Answer 22

What should happens when users decide to leave the organisation. What happens to the data on any of their devices.

Question 23

Playbook

Answer 23

Conditional steps to follow,

For example; investigate a data breach, recover from ransomware.

Often Integrated into a SOAR platform.

Question 24

SOAR

Answer 24

Security Orchestration, Automation and Response.

Question 25

Monitoring and Revision

Answer 25

Look for opportunities to tweak security systems to enhance security.

Question 26

Governance Structures

Answer 26

Board - Panel of specialists which set the tasks or requirements for the committees.

Centralised/Decentralised
Centralised governance is located in one location with a group of decision makers. Decentralised governance spreads the decision-making process around to other individuals or locations.

Question 27

Data Responsibility

Answer 27

Who is responsible what data. For example: Treasurer is responsible for all financial data.

Question 28

Data controller

Answer 28

Manages how the data will be used.
Manages the purposes and means by which personal data is processed.

Eg: Payroll Controller

Question 29

Data processor

Answer 29

Processes the data on behalf of the data controller. Often a third-party or different group.

Eg: Py roll processor.

Question 30

Data Custodian/ Steward

Answer 30

Making sure that the data is being handled in a way which is compliance to laws and standards set. Responsible for accuracy, privacy and security.

Responsible for determining what type of user has access to what type of data.