Chapter 1: TODAYS INFORMATION SECURITY MANAGER Flashcards

1
Q

What are the 3 complementary objectives of cybersecurity?

A

The CIA Triad:

  • Confidentiality
  • Integrity
  • Availability
2
Q

What is the role of an Information Security Manager?

A

Information security managers are responsible for safeguarding the confidentiality, integrity, and availability of the information and systems used by their organization.

But they must achieve these goals within the context of the organization’s day-to-day activities and strategic objectives.

3
Q

What are the 2 hats of an Information Security Manager?

A
  • Cybersecurity subject matter expert
  • Business leader engaged with the organization’s mission
4
Q

Examples of threats that can affect either integrity or availability?

A
  • Intentional attacks
  • Human error
  • Mechanical failure
  • Environmental conditions
  • Fire
  • Flood
5
Q

What makes an Information Security Manager differ from an Information Security Professional?

A

The “dual-hattedness”: cybersecurity SME and business leader.

Information security professionals can narrow much of their focus to cybersecurity matters.

Leaders, on the other hand, must maintain that organizational focus at the same time and use their expertise to help guide the organization in making decisions that are both sound from a business perspective and reasonable from a risk management perspective.

6
Q

What is a CISO?

A

Chief Information Security Officer (CISO).

The most senior information security leader within an organization.

The CISO is a senior business executive who is responsible for overseeing all information security efforts within the organization.

The CISO title is commonly accepted as the standard for an organization’s information security leader, although some organizations may use different titles, including these:

  • Vice president for information security (or assistant/associate vice president)
  • Director of information security
  • Information security manager

7
Q

Explain the difficulties with the term CISO?

A

The CISO title is commonly accepted as the standard for an organization’s information security leader. However, the exact job title given by the organization might differ: InfoSec Manager, Senior Manager or even General Manager, Director or VP of Information Security, etc.

The CISO title has 2 words that may mislead others about your exact position within the company:

  • Chief: this often indicates a grade (hierarchical, salary, etc.). Many CISOs (security leaders) do not hold the grade of “Chief” in their company.
  • Officer: this may indicate that the CISO is a “legal officer” of the corporation, meaning that they have been formally elected or appointed by the governing board.
8
Q

What are the possible reporting lines of a CISO?

A
  • CIO / CTIO
  • Chief executive officer (CEO)
  • Chief risk officer (CRO)
  • Chief security officer (CSO) (this role includes oversight of information security, physical security, and other security concerns)
  • Chief operating officer (COO)
  • Chief audit executive
9
Q

What is a span of control?

A

The span of control represents the number of individuals who directly report to a position. Different organizations have different philosophies on span of control, but it is commonly thought that managers with fewer than five direct reports likely have too small a span of control and could take on additional responsibilities, whereas managers with more than 10 direct reports may have difficulty effectively managing a very large team.

10
Q

Cybersecurity vs. information security

A

The goal of information security is to protect the confidentiality, integrity, and availability of an organization’s information and information assets. The goal of cybersecurity is to protect the confidentiality, integrity, and availability of an organization’s digital resources. These terms are closely related, but there are subtle differences.

Information security, properly defined, is responsible for the security of all information, whether in digital or analog form. An information security program would be responsible not only for electronic information systems but also for the protection of paper records and other nondigital assets. Cybersecurity, properly defined, is responsible for the security of all digital assets and may be thought of as a subset of the field of information security.

11
Q

Describe the R in RACI

A

Responsible (R) roles are those who actually carry out the work involved. There must be at least one role assigned as responsible for each responsibility, although there may be more than one.

12
Q

Describe the A in RACI

A

Accountable (A) roles bear ultimate and final responsibility for achieving the objective. Consider this the “buck stops here” role for the responsibility. Each responsibility in the matrix must have one, and only one, accountable role.

13
Q

Describe the C in RACI

A

Consulted (C) roles are those who provide input that affects the responsibility because of their subject matter expertise.

14
Q

Describe the I in RACI

A

Informed (I) roles are those who are provided with regular updates on the status of the effort. They may need this information to complete their work, oversee the organization, or perform other tasks, but the key characteristic is that, unlike consulted roles, informed roles receive updates but do not provide input.

15
Q

What is the DAD triad?

A

  • Disclosure
  • Alteration
  • Denial

It is a threat model that explains the three important threats to cybersecurity efforts: disclosure, alteration, and denial.

Each of these three threats maps directly to one of the main goals of cybersecurity (the CIA triad).
