01. Intro to Sec Governance Flashcards

(38 cards)

1
Q

Intro to Sec Governance

What is GOVERNANCE

A

Senior management exerts strategic control over business functions through
1. policies
2. objectives
3. delegation of authority
4. monitoring

33

2
Q

Intro to Sec Governance

How is governance usually established

A

Steering committees

33

3
Q

Intro to Sec Governance

9 typical processes that information security GOVERNANCE focuses on

A
  1. Personnel Management
  2. Sourcing
  3. Risk Management
  4. Configuration Management
  5. Change Management
  6. Access Management
  7. Vulnerability Management
  8. Incident Management
  9. Business Continuity Planning (BCP)
4
Q

Intro to Sec Governance

Organisations not adequately protecting their information through an information security program have a ____ problem

A

Business Problem

34

5
Q

Intro to Sec Governance

A lack of understanding and commitment by these parties is typically the reason why businesses have a problem protecting their information

The most typical reason why a business will have a problem implementing or putting in place an information security program to protect their information

A

Board of directors and Senior Management

34

6
Q

Intro to Sec Governance

When information security becomes a people issue and people from each level in the organisation understand the importance, the organisation will be in a position of what

A

Reduced Risk

34

7
Q

Intro to Sec Governance

A reduction in risk results in:
1. Fewer ____
2. When they do occur, lower ____
3. This is felt on the organisation's ____ and ____

A
  1. Incidents
  2. Impact
  3. Reputation and Operations

34

8
Q

Intro to Sec Governance

Information Security Governance is a set of established activities that helps management understand the state of the organisation's ____, its current ____, and its direct ____

A
  1. security program
  2. risks
  3. activities

34

9
Q

Intro to Sec Governance

A goal of the ____ is to continue to contribute toward the fulfilment of the security strategy

A

Security Program

34

10
Q

Intro to Sec Governance

The security strategy will continue to align with the ____

A

Business and Business Objectives

34

11
Q

Intro to Sec Governance

What does GOVERNANCE begin with establishing, that is translated into actions, policies, processes, procedures, and other activities down through the levels of the organisation

A

Top-Level Strategic Objectives

34

11
Q

Intro to Sec Governance

What other program must an organisation have in place in order for the information security governance to succeed

A

Effective IT Governance Program

34

12
Q

Intro to Sec Governance

What is the purpose of security governance

A

Align SECURITY PROGRAM with the NEEDS OF THE BUSINESS

35

13
Q

Intro to Sec Governance

A collection of top-down activities intended to control the security of the organisation from a strategic perspective

A

Information Security Governance

35

14
Q

Intro to Sec Governance

Desired capabilities or end states are ideally expressed in achievable, measurable terms

Artifacts and actions that flow out of a healthy security governance program

A

Objectives

35

15
Q

Intro to Sec Governance

A plan to achieve one or more objectives

Artifacts and actions that flow out of a healthy security governance program

16
Q

Intro to Sec Governance

At its minimum, this should directly reflect the mission, objectives, and goals of the overall organisation

Artifacts and actions that flow out of a healthy security governance program

17
Q

Intro to Sec Governance

These should flow directly from the organisation's mission, objectives and goals. Whatever is most important to the organisation should also be essential to information security

Artifacts and actions that flow out of a healthy security governance program

A

Priorities

35

18
Q

Intro to Sec Governance

These help drive a consistent approach to solving business challenges. The choice of these should facilitate solutions that meet the organisation's needs in a cost-effective and secure manner

Artifacts and actions that flow out of a healthy security governance program

19
Q

Intro to Sec Governance

Formalised descriptions of repeated business activities, including instructions to applicable personnel.

Artifacts and actions that flow out of a healthy security governance program

20
Q

Intro to Sec Governance

Formal descriptions of critical activities to ensure desired outcomes

Artifacts and actions that flow out of a healthy security governance program

21
Q

Intro to Sec Governance

These should be organised and performed in a consistent manner that reflects the business priorities and supports the business

Artifacts and actions that flow out of a healthy security governance program

A

Programs and project management

35

22
Q

Intro to Sec Governance

Formal measurements of processes and controls so that management understands and can measure them

Artifacts and actions that flow out of a healthy security governance program

A

Metrics / Reporting

35

23
Q

Intro to Sec Governance

What 2 things must the information security manager understand within the business concerning confidentiality, integrity, and availability (CIA)

A

Appetite and priority

36

24
Q

Intro to Sec Governance

Management will ensure that risk assessments are performed to identify risks in information systems and supported processes

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Risk Management

36

25
Q

Intro to Sec Governance

Management will ensure this activity is conducted when key changes are made which result in security improvements

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Process Improvement

36

26
Q

Intro to Sec Governance

Management will put technologies and processes in place to ensure that security incidents will be identified as quickly as possible

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Event Identification

36

27
Q

Intro to Sec Governance

Management will put this in place to reduce the impact and probability of incidents, and improve response capabilities to minimise their impact

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Incident Response

36

28
Q

Intro to Sec Governance

Management will identify all applicable laws, regulations and standards and carry out activities to confirm that the organisation attains and maintains compliance

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Improved Compliance

37

29
Q

Intro to Sec Governance

Management defines objectives and allocates resources to develop a plan in the event of a major business disruption

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Business Continuity and Disaster Recovery Planning

37

30
Q

Intro to Sec Governance

Management will establish processes to measure key security events such as incidents, policy changes and violations, audits, and training

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Metrics

37

31
Q

Intro to Sec Governance

The allocation of workforce, budget, and other elements to meet the security objectives

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Resource Management

37

32
Q

Intro to Sec Governance

An effective security governance program will result in better strategic decisions in the IT organisation that keep risks at an acceptably low level

Activities required to protect the organisation which senior management will ensure are in place to support the business operations

A

Improved IT Governance

37

33
Q

Intro to Sec Governance

The 2 key results of an effective security governance program

A
  1. Increased Trust: customers, suppliers etc. trust the organisation more when they see security is managed effectively
  2. Improved Reputation: the business community will hold the organisation in higher regard

37

34
Q

Intro to Sec Governance

An organisation's information security program needs to do what with the rest of the organisation

A

Align

37

35
Q

Intro to Sec Governance

To be business aligned, people in the security program need to be aware of and understand the 5 following components

A
  1. Culture
  2. Asset Value
  3. Risk Tolerance (appetite)
  4. Legal Obligations
  5. Market Conditions

38

36
Q

Intro to Sec Governance

The term used to define a scenario where individuals or groups bypass corporate IT and procure their own computing services, putting the organisation at a greater risk of data leakage

A

Shadow IT

38

37
Q

Intro to Sec Governance

The level of risk that an organisation is willing to accept while pursuing its mission, strategy, and objectives before taking action to treat the risk

A

Risk Appetite