Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CISM Review 2023 > Domain 1: Information Security Governance (24%) > Flashcards

Domain 1: Information Security Governance (24%) Flashcards

(97 cards)

Start Studying
1
Q

Cybersecurity governance programs guide and direct ???.

A

Governance programs guide and direct organization wide cyber security efforts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A Goveranance frameworks consist of?

A

Policies, Controls, standards, procedures, guidelines, and metrics

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Organizations often adopt a set of security policies covering different areas of their security programs.
What are the different policies that are part of the security programs:

A

Organizations often adopt a set of security policies covering different areas of their security programs.
Common policies used in security programs include an

information security policy
acceptable use policy
data ownership policy
data retention policy
account management policy
password policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Why should policy documents include exception processes?

A

Exception processes should outline the information required to receive an exception to security policy and the approval authority for each exception.

The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What type of frameworks do security managers use?

A
  1. Like other types of models, organizations are expected to consider tailoring a standard framework to align with the organization and its business model, practices, and culture.

Governance frameworks involve activities to ensure that executives are in control of the organization and that they are adequately informed.

Control frameworks: involve IT, security, and privacy controls, the detailed statements describing desired outcomes that are examined for proper design and effectiveness.

Architecture Frameworks

Risk Management Frameworks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

how does the vision of a business flow down in an organization from IT to Security strategy?

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Organizational culture is the term that describes how people within an organization ???

A

Organizational culture is the term that describes how people within an organization
* treat one another
* how they get things done.
* Many organizations establish a set of values that defines the norms of professional behavior.
Terms such as respect, collaboration, and teamwork are often used in these values.
* Some organizations publish formal value statements and print them for display in lobbies, offices, and conference rooms.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Every organization also has a risk culture, which affects how the organization does what with risk?

Where does it come from?

A

Every organization also has a risk culture, which affects how the organization
* Deals with risk
* How it treats risk over time.

This culture is developed from several sources.
First, it can come from the organization’s leadership, based on their business and management philosophies, attitudes, education, and experience.
It can also come from the organization’s governance.
Remember that governance essentially comprises the rules and regulations imposed on the organization by either external entities (in the form of laws, for example) or internally by the organization itself. As discussed, risk tolerance and risk appetite support the culture. organizational risk culture.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is the goal of the organization’s cybersecurity steering comittee?

A

Reading between the lines, the primary mission of a security steering committee is to identify and resolve conflicts and to maximize the effectiveness of the security program, as balanced among other business initiatives and priorities.
Governance is usually undertaken through a steering committee that consists of executives from throughout the organization. The steering committee is responsible for setting overall strategic direction and policy, ensuring that security strategy aligns with the organization’s IT and business strategy and objectives. The directives of the steering committee are carried out through projects and tasks that steer the security organization toward strategic objectives. The steering committee can monitor progress through metrics and a balanced scorecard.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Security governance is accomplished using the same means as IT governance: it begins with board-level involvement that sets the tone for risk appetite and is carried out through the chief information security officer,

A

Security governance is accomplished using the same means as IT governance: it begins with board-level involvement that sets the tone for risk appetite and is carried out through the chief information security officer, who develops security and privacy policies, as well as strategic security programs, including software assurance, change management, vendor management, configuration management, incident management, vulnerability management, security awareness training, and identity and access management.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

For an information security program to be successful, it must ….

A

align with the business and its overall mission, goals and objectives, and strategy.
The security program must consider the organization’s notion of asset value, culture, risk tolerance/appetite, legal obligations, and market conditions.
A successful and aligned security program does not lead the organization but enables and supports it to carry out its mission and pursue its goals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Security governance is used to establish roles and responsibilities for:
Where are the roles and responsibilities defined?

A

Security governance is used to establish roles and responsibilities for security-related activities throughout all layers of the organization, from the board of directors to individual staff.

Roles and responsibilities are defined in job descriptions, policy and process documents, and RACI charts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

The security steering committee is responsible for

A

The security steering committee is responsible for security strategic planning.
The security steering committee will develop and approve security policies and appoint managers to develop and maintain processes, procedures, and standards, all of which should align with one another and with the organization’s overall mission, strategy, goals, and objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What does the CISO do?

A

The CISO develops business-aligned security strategies that support the organization’s overall mission and goals and is responsible for the organization’s overall security program, including policy development, risk management, and perhaps some operational activities such as vulnerability management, incident management, access management, and security awareness training. In some organizations, the topmost security executive has the title of chief security officer or chief information risk officer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What does the Chief Privacy Officer do?

A

The chief privacy officer is responsible for the protection and proper use of sensitive personal information (often referred to as personally identifiable information). The CPO’s information protection responsibilities are sometimes shared with the CISO, who has overall information protection responsibilities. The chief compliance officer is responsible for a broad range of compliance tracking and reporting.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is a strategy?

What is the purpose of a strategy?

A

While a specific strategy itself may be complex, the concept of a strategy is quite simple: it can be defined as the plan to achieve an objective.

The effort to build a strategy requires more than saying those six words. Again, however, the idea is not complicated. The concept is this:

Understand where you are now and where you want to be.

The strategy is the path you have outlined, communicated, and documented that the organization will follow to get from where you are (current state) to where you want to be (strategic objective).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are the objectives of a stratgegy?

A

The security objectives are the desired future state of the organization’s security posture and level of risk.

There are, in addition, objectives of a strategy. These objectives are as follows:

*Business alignmentThe desired future state, and the strategy to get there, must be in alignment with the organization and its strategy and objectives.

*Risk appetite alignmentAn organization’s information security program implicitly drives an organization toward a specific level of risk, which may or may not align with the organization’s true level of risk appetite.

*Effective risk managementA security program must include a risk management policy, processes, and procedures. Without effective risk management, decisions are made blindly without regard to their consequences or level of risk.

*Value deliveryThe desired future state of a security program should include a focus on continual improvement and increasing efficiency. No organization has unlimited funds for security; instead, organizations need to reduce risk at the lowest reasonable cost.

*Resource optimizationSimilar to value delivery, strategic goals should efficiently utilize available resources. Among other things, this means having only the necessary staff and tools to meet strategic objectives.

*Performance measurementAlthough it is important for strategic objectives to be SMART (specific, measurable, achievable, relevant, and time-related), the ongoing security and security-related business operations should themselves be measurable, giving management an opportunity to drive continual improvement.

*Assurance process integrationOrganizations typically operate one or more separate assurance processes in silos that are not integrated. An effective strategy would work to break down these silos and consolidate assurance processes, reducing hidden risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What are the parts of strategy resources?

Before a strategy can be developed, it is first necessary to understand everything that is in place currently. A strategy describes how goals and objectives are to be met. Without knowing the starting place of a journey, it is not possible to chart a course to the journey’s destination. Before future security capabilities can be mapped out, it’s necessary to understand an organization’s current state and capabilities.

A

The differences can be seen as a gap that needs to be filled, whether that means employing tools, technologies, skills, policies, or practices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Policy Development

A

The execution of a security strategy may result in additions or improvements in its security-related capabilities. These additions or improvements may require that one or more security policies be updated to reflect the new or improved capabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

It is a common practice to structure the organization’s security policy using one or more relevant standards or frameworks, though this is not generally required for most industries. Common standards and frameworks used in this way include:

A
  • NIST SP 800-53
  • NIST SP 800-171 and NIST SP 800-172
  • ISO/IEC 27001 and ISO/IEC 27002
  • COBIT (formerly, Control Objectives for Information and Related Technologies)
  • HIPAA/HITECH (Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • CIS CSC (Center for Internet Security Critical Security Controls)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Difference between Governance framework and control frameworks

A

Information Governance Frameworks and Standards
It is not necessary for organizations to develop governance models from scratch: plenty of mature models are available to adapt to individual organization needs. Like other types of models, organizations are expected to consider tailoring a standard framework to align with the organization and its business model, practices, and culture.

Security professionals often confuse governance frameworks with control frameworks. While the two are related, they are distinct and different from each other. Governance frameworks involve activities to ensure that executives are in control of the organization and that they are adequately informed. Control frameworks involve IT, security, and privacy controls, the detailed statements describing desired outcomes that are examined for proper design and effectiveness.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Information security governance efforts should integrate with what other corporate governance programs to support both?

A

business goals
security strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Why should organizations draw on existing governance frameworks, such as xx and xxx

A

COBIT and the ISO standards, to avoid redundant effort and to align with industry best practices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is the difference between policies, standards, procedures, and guidelines?

A

Policies are high-level statements of management intent for the information security program.

Standards describe the detailed implementation requirements for policies.

Procedures offer step-by-step instructions for carrying out security activities.

Compliance with policies, standards, and procedures is mandatory.

Guidelines offer optional advice that complements other elements of the policy framework.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Information security governance typically focuses on several key processes, which include:
* personnel management, sourcing, * risk management * configuration management * change management * access management * vulnerability management * incident management * Business continuity planning Another key component is establishing an effective organizational structure and clear statements of roles and responsibilities
24
Information security governance typically focuses on several key processes, which include:
* personnel management, sourcing, * risk management * configuration management * change management * access management * vulnerability management * incident management * Business continuity planning Another key component is establishing an effective organizational structure and clear statements of roles and responsibilities
25
What are the influencers of your cybersecurity heirarchical framework and where do they fit in?
Control Objectives Policies https://www.complianceforge.com/free-guides/hierarchical-cybersecurity-governance-framework/
26
What are the documents inside a Business Case?
Problem statement This is a description of the business condition or situation that the initiative is designed to solve. The condition may be a matter of compliance, a finding in a risk assessment, or a capability required by a customer, partner, supplier, or regulator. * Current state This is a description of the existing conditions related to the initiative. * Desired state This describes the future state of the relevant systems, processes, or staff. * Success criteria These are the defined items that the program will be measured against. * Requirements This is a list of required characteristics and components of the solution that will remedy the current state and bring about the desired future state. * Approach This describes the proposed steps that will result in the desired future state. This section may include alternative approaches that were considered, with reasons why they were not selected. If the initiative requires the purchase of products or professional services, business cases may include proposals from vendors. Alternatively, the business case may include a request for proposal (RFP) or a request for information (RFI) that will be sent to selected vendors for additional information. * Plan This includes costs, timelines, milestones, vendors, and staff associated with the initiative.
27
What do the roles or title of risk manager, policy manager, or controls manager do?
*   Risk manager   This person is responsible for performing risk assessments and maintaining the risk register. *   Policy manager   This position is responsible for maintaining security and privacy policy documents and related information. This person works closely with the risk manager, identifying risks that may identify the need for new and updated policy. *   Controls manager   This position is responsible for maintaining security controls, advising control owners on responsibilities and expectations, and assessing controls for effectiveness.
28
What does the role of Security awareness training  
 This person is responsible for developing and delivering content of various types to enable the workforce to understand their information security and privacy responsibilities.
29
How would you measure the maturity of a process?
Capability maturity models are useful tools for understanding the maturity level of a process. Maturity models in other technology disciplines have also been developed, such as the Systems Security Engineering Capability Maturity Model (SSE-CMM). Software Engineering Institute (SEI) at Carnegie Mellon University accomplished a great deal with its development of the Capability Maturity Model Integration for Development (CMMI-DEV). The CMMI-DEV uses five levels of maturity to describe the formality of a process: *   Level 1: Initial   This represents a process that is ad hoc, inconsistent, unmeasured, and unrepeatable. *   Level 2: Repeatable   This represents a process that is performed consistently and with the same outcome. It may or may not be well-documented. *   Level 3: Defined   This represents a process that is well-defined and well-documented. *   Level 4: Managed   This represents a quantitatively measured process with one or more metrics. *   Level 5: Optimizing   This represents a measured process that is under continuous improvement.
30
How do you assign a maturity level to all your processes?
 Each control or process may have its own maturity level. It is neither common nor prudent to assign a single maturity level target for all controls and processes. Instead, organizations with skilled strategists can determine the appropriate level of maturity for each control and process. They need not all be the same. Instead, it is more appropriate to use a threat-based or risk-based model to determine an appropriate level of maturity for each control and process. Some will be 2, some will be 3, some will be 4, and a few may even be 5.
31
What is the primary cause of the failure of information security programs?
Failed governance In the majority of cases, failed governance has resulted in ineffective information security programs. Without proper governance, a program may be directionless and ineffective, and may not align with the business.
32
To be successful, security governance needs to be raised to what level in an organization?
For security governance to be effective, the board of directors needs to be involved.
33
During strategy development, a security manager wants to understand the level of capabilities of current functions in the security team. What information should the security manager examine?
A security manager would use a maturity model such as SEI-CMMI to understand the level of capability for functions in a security program.
34
A security manager wants to enact several strategic improvements in the organization and needs to sell these ideas to executives. What type of documents should the security manager develop?
A business case describes a business problem, the current state, the desired end state, and the required resources in business terms suitable for executive audiences.
35
Executive leadershi in an organization is uninterested in cybersecurity. A CISO’s best course of action is:
The best way to engage executive leadership in an organization is to understand the business from their perspective and to discuss information risk in business terms that they will understand.
36
A CISO is attempting to develop a strategy to align with the business. How should the CISO proceed?
The best way to align to the business is through face-to-face discussions with business unit leaders. Any written artifacts could be outdated or incomplete.
37
Who should be accountable for the success of an organization’s information security program?
The board of directors or equivalent governing body must bear ultimate responsibility for the success of an organization’s information security program.
37
Who should be accountable for the success of an organization’s information security program?
The board of directors or equivalent governing body must bear ultimate responsibility for the success of an organization’s information security program.
38
How can a new CISO overcome the “business prevention” reputation of the previous CISO?
The new CISO will need to earn trust, collaborate with stakeholders, and build consensus.
39
During strategy development, a security manager has developed a gap analysis to compare current state to desired end state. What is the next step in strategy development?
After the gap analysis is completed, a roadmap is developed to define how to move the program from the current state to the desired end state.
40
A business executive has delegated responsibility for granting access requests to the IT department. The IT department in this role is functioning as the:
IT is acting as a custodian in the access request process for the business application.
41
What Is a Security Exception?
A security exception happens when you don't apply a certain internal cybersecurity policy, based on functional or strategic factors. That is, some set of circumstances arises where the organization decides to grant an exception to security policies that would normally be in place. https://www.cisecurity.org/wp-content/uploads/2020/06/Information-Security-Exception-Policy.docx
42
" " ensures that unauthorized individuals are not able to gain access to sensitive information.
Confidentiality
43
" " ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
Integrity
44
"" ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Availability
45
"" are responsible for safeguarding the confidentiality, integrity, and availability of the information and systems used by their organization. **But they must achieve these goals within the context of the organization's day-to-day activities and strategic objectives.
Information security managers
46
What is a typical Cybersecurity organizational structure?
47
The " " represents the number of individuals who directly report to a position. Different organizations have different philosophies on " " , but it is commonly thought that managers with less than five direct reports likely have too small of a and could take on additional responsibilities, whereas managers with more than 10 direct reports may have difficulty effectively managing a very large team.
span of control
48
What is a RACI Matrix used for?
Responsible (R) roles are those who actually carry out the work involved. There must be at least one role assigned as responsible for each responsibility, although there may be more than one. Accountable (A) roles bear ultimate and final responsibility for achieving the objective. Consider this the “buck stops here” role for the responsibility. Each responsibility in the matrix must have one, and only one, accountable role. Consulted (C) roles are those who provide input that affects the responsibility because of their subject matter expertise. Informed (I) roles are those who are provided with regular updates on the status of the effort. They may need this information to complete their work, oversee the organization, or perform other tasks, but the key characteristic is that, unlike consulted roles, informed roles receive updates but do not provide input.
49
SWOT analysis is a technique commonly used by organizations to assess their current state and develop their forward-looking strategy. SWOT is an acronym describing the four major elements of the analysis:
Strengths are internal characteristics of the organization that provide it with an advantage toward achieving its goals/mission. For example, a cybersecurity team might consider its cybersecurity awareness program as a strength if it is particularly effective. Weaknesses are internal characteristics of the organization that place it at a disadvantage toward achieving its goals/mission. For example, a cybersecurity team might identify the lack of application security skills as a weakness. Opportunities are external factors that the organization might exploit to better achieve its goals/mission. For example, a cybersecurity team might consider the use of managed service providers as an opportunity to relieve the burden on the team and focus their work on value-added activities. Threats are external factors that might jeopardize the organization's ability to achieve its goals/mission. For example, a new privacy law passed by a jurisdiction within which the company operates might pose a threat to the organization.
50
Maturity Models
In addition to performing an objectives-based gap analysis, organizations may use maturity models to assess the state of their IT organization against industry best practices. ISACA offers the Capability Maturity Model Integration (CMMI) as a method to assess maturity of an organization. The use of these models is particularly common in software development efforts and in U.S. government contracting work, but the model may also be applied to security and other processes.
51
At the top tier of the CMMI, Level 5: Optimizing organizations use a " " to adjust and fine-tune the way that they work to achieve peak efficiency and effectiveness.
Continuous process improvement approach
52
Risk Assessments
A strategist should choose to have a risk assessment performed to reveal risks present in the organization. This helps the strategist understand threat scenarios and their estimated impact and frequency of occurrence. The results of a risk assessment give the strategist valuable information on the types of resources required to bring risks down to acceptable levels. This is vital for developing and validating strategic objectives.
53
Threat Assessments
This assessment provides the strategist with information about the types of threats most likely to have an impact on the organization, regardless of the effectiveness of controls.
54
Why would a new CISO conduct a policy review?
An organization’s security policy, as well as its practices in relation to its policy, may say a great deal about its desired current state. Security policy can be thought of as an organization’s internal laws and regulations with regard to the protection of important assets (as well as personnel safety). Examination of current security policy can reveal a lot about what behaviors are required in the organization.
55
Why would a new CISO conduct a standards review?
An organization’s security standards describe, in detail, the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organization. As with security policy, it is important to understand the organization’s standards, including the breadth of coverage, strictness, compliance, and last review and update. These all tell the security manager the extent to which an organization’s security standards are used—if at all.
56
Why would a new CISO review the organization's security controls?
The presence of controls—and the control framework—speaks volumes about the organization’s security program. Controls, however, may exist only on paper and not in practice. It is useful to read about the organization’s controls, but on paper alone, they offer little information about whether the controls are actually being implemented. It’s even more important to know whether they are effective.
57
What does a Risk Register provide insights on?
A risk register, also known as a risk ledger, can offer the strategist a great deal of insight into risk management and risk analysis activities in the organization.
58
How is your organization's approach to security is influenced by the broader business environment?
The demands of customers and pressures placed on the organization by competitors will influence the level of commitment to and investment in cybersecurity, both positively and negatively.
59
How is your organization's approach to security is influenced by the risk tolerance?
risk tolerance. This is the degree of risk that you are willing to undertake as you seek to achieve your business objectives.
60
How is your organization's approach to security is influenced by the Social media?
Social media spreads news at faster rates than ever before. Even if your organization does not directly discuss cybersecurity issues on social media, rest assured that your customers and other stakeholders will.
61
How is your organization's approach to security is influenced by the threat landscape?
As adversaries adapt their tactics and techniques, your cybersecurity strategy must evolve to combat those changes
62
Data owners
Senior-level officials who bear overall responsibility for particular datasets. The data owner sets policies and guidelines for data use and data security and has the authority to make final decisions regarding a dataset. Data owners are usually the business leaders who have responsibility for the mission area most closely related to the dataset.
63
Data processors
Third-party organizations that handle data on behalf of a data owner. For example, if the IT team at an organization stores data in a cloud service, that cloud service provider is a data processor.
64
Data minimization techniques
Reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.
65
Hashing
Uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value. Hashing uses a one-way function, meaning that it is not possible to retrieve the original value if you only have access to the hashed value.
66
Masking
Partially redacts sensitive information by replacing some or all sensitive fields with blank characters. For example, we might replace all but the last four digits of a credit card number with X's or *'s to render the card number unreadable.
67
Tokenization
Replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We'd then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone's identity. Of course, if you use this approach, you must keep the lookup table secure!
68
Describe how information security strategies should be aligned with organizational goals and objectives.
As information security managers develop their plans, they should use reliable techniques to assess the current state of the program, such as threat research, SWOT analysis, and gap analysis. They may then identify the initiatives that will move the organization from the current state to its desired state.
69
Explain how security strategies are influenced by internal and external factors.
Security strategies must be aligned with the business, but they must also incorporate other influences. Information security managers must remain abreast of emerging technologies, social media, the business environment, the organization's risk tolerance, regulatory requirements, third-party considerations, and the threat landscape as they develop, monitor, and revise cybersecurity strategies.
70
Explain why data must be protected in transit, at rest, and in use.
Attackers may attempt to eavesdrop on network transmissions containing sensitive information. This information is highly vulnerable when in transit unless protected by encryption technology. Attackers also might attempt to breach data stores, stealing data at rest. Encryption serves to protect stored data as well as data in transit. Data is also vulnerable while in use on a system and should be protected during data processing activities.
71
Explain how data minimization reduces risk by reducing the amount of sensitive information that we maintain.
In cases where we cannot simply discard unnecessary information, we can protect information through de-identification and data obfuscation. The tools used to achieve these goals include hashing, tokenization, and masking of sensitive fields.
72
Know how data loss prevention (DLP) systems block data exfiltration attempts.
DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking.
73
Describe the diverse impacts of data breaches on organizations.
When an organization suffers a data breach, the resulting data loss often results in both direct and indirect damages. The organization suffers immediate financial repercussions due to the costs associated with the incident response, as well as long-term financial consequences due to reputational damage. This reputational damage may be difficult to quantify, but it may also have a lasting impact. In some cases, organizations may suffer operational damage if they experience availability damages, preventing them from accessing their own information.
74
Know why stakeholder commitment and communication are essential to success.
As information security leaders roll out new strategies, they must ensure that they have the support of senior leaders and other stakeholders. They may do this by clearly outlining how information security supports the organization's broader goals and objectives, identifying the business impact of security initiatives, and identifying clear success criteria.
75
Explain how security controls may be categorized based on their mechanism of action and their intent.
Controls are grouped into the categories of managerial, operational, and technical based on the way that they achieve their objectives. They are divided into the types of preventive, detective, corrective, deterrent, compensating, and physical based on their intended purpose.
76
Know how data loss prevention (DLP) systems block data exfiltration attempts.
DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking.
77
Governance programs
The sets of procedures and controls put in place to allow an organization to effectively direct its work. Without governance, running a large organization would be virtually impossible. I
78
governance, risk, and compliance (GRC) programs are?
Governance of the organization Risk management Compliance
79
Information Security Governance
Information security governance is a natural extension of corporate governance. The board delegates operational authority to the CEO, who then delegates specific areas of authority to subordinate executives. For example, the CEO might delegate financial authority to the chief financial officer (CFO) and operational authority to the chief operations officer (COO). Similarly, the CEO delegates information security responsibility to the chief information security officer (CISO) or other responsible executive, following one of the options discussed in Chapter 1. This hierarchical approach to governance helps ensure that information security governance efforts are integrated into corporate governance efforts, ensuring that the organization's information security program supports broader organizational goals and objectives. The CISO and CEO must work together to ensure the proper alignment of the information security program with corporate governance.
80
Master service agreements (MSAs)
provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.
81
memorandum of understanding (MOU)
is a letter written to document aspects of the relationship. MOUs are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings. MOUs are commonly used in cases where an internal service provider is offering a service to a customer that is in a different business unit of the same company.
82
n organization's information security policy framework contains a series of documents designed to describe the organization's cybersecurity program. The scope and complexity of these documents vary widely, depending on the nature of the organization and its information resources. These frameworks generally include four different types of document:
Policies Standards Procedures Guidelines
83
Policies
Policies are broad statements of management intent. Compliance with policies is mandatory. An information security policy will generally contain generalized statements about cybersecurity objectives, including the following:
84
Standards
Standards provide mandatory requirements describing how an organization will carry out its information security policies. These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective.
85
Developing Policies
When developing new policies, cybersecurity managers should align their work with any other policy development mechanisms that may exist within their organization. Obtain input from all relevant stakeholders. Follow the chain of command. Accommodate the organizational culture Meet internal and external requirements.
86
Governance programs guide and direct security efforts.
Information security governance efforts should integrate with other corporate governance programs to support both the business's goals and its security strategy. Organizations should draw on existing governance frameworks, such as COBIT and the ISO standards, to avoid redundant effort and to align with industry best practices.
87
Policy frameworks
Consist of policies, standards, procedures, and guidelines. Policies are high-level statements of management intent for the information security program. Standards describe the detailed implementation requirements for policies. Procedures offer step-by-step instructions for carrying out security activities. Compliance with policies, standards, and procedures is mandatory. Guidelines offer optional advice that complements other elements of the policy framework.
88
Organizations often adopt a set of security policies covering different areas of their security programs.
Common policies used in security programs include an information security policy, an acceptable use policy, a data ownership policy, a data retention policy, an account management policy, and a password policy. The specific policies adopted by any organization will depend on that organization's culture and business needs.
89
Organizations face a variety of security compliance requirements.
Merchants and credit card service providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations handling the personal information of European Union residents must comply with the EU General Data Protection Regulation (GDPR). All organizations should be familiar with the national, territory, and state laws that affect their operations.
90
Standards frameworks provide an outline for structuring and evaluating cybersecurity programs.
Organizations may choose to base their security programs on a framework, such as the NIST Cybersecurity Framework (CSF) or International Organization for Standardization (ISO) standards. U.S. federal government agencies and contractors should also be familiar with the NIST Risk Management Framework (RMF). These frameworks sometimes include maturity models that allow an organization to assess its progress. Some frameworks also offer certification programs that provide independent assessments of an organization's progress toward adopting a framework.
91
Audits and assessments monitor compliance with requirements.
Audits are externally commissioned, formal reviews of the capability of an organization to achieve its control objectives. Assessments are less rigorous reviews of security issues, often performed or commissioned by IT staff. Organizations providing services to other entities may wish to conduct a service organization controls (SOC) audit under SSAE 18.
92
The relationship between mission, goals, and objectives can be summarized as follows:
The mission statement provides the overall direction for the organization. The goals are specific, measurable statements that the organization sets out to achieve in order to fulfill its mission. The objectives are the specific steps that the organization takes to achieve its goals.
93
What is privileged access management?
Solutions safeguard administrative accounts.
94

CISM Review 2023 (7 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions