CISM Exam Prep Latest 2022

Document Content and Description Below

Information security governance is primarily driven by: Business strategy Who should drive the risk analysis for an organization? the Security Manager Who should be responsible for enfor... cing access rights to application data? Security administrators The MOST important component of a privacy policy is: notifications Investment in security technology and processes should be based on: clear alignment with the goals and objectives of the organization Define information security governance 1. A set of policies and procedures that establishes a framework of information security strategies 2. A practice area that ensures efficient utilization of information resources The main purpose of information security governance to ensure the safety of information including its Confidentiality, Integrity and Availability. Information security governance protects information from loss, misuse, unauthorized usage, and destruction during its life cycle or the time it is being used in an organization. Benefits of information security governance - accountability for protecting information during important business activities - reduction of the impact of security incidents - reduction in risks to tolerable limits - protection from civil and legal liabilities - enhancement of trust in customer relationships - assurance of policy compliance - protection of company reputation In order to be effective, information security governance needs to provide 6 basic outcomes: - strategic alignment - value delivery - risk management - performance measurement - resource management - integration Should information security investments be optimized or minimized? Optimized so that they support business objectives. Primary goals of resource management: - keeping a record of security practices and processes - acquiring knowledge and making it accessible - building a security architecture that identifies and uses infrastructure resources properly What is Corporate Governance? Corporate governance is a set of procedures and duties performed by the board of directors and executive management to direct and control the organization. Corporate governance helps the board of directors to • ensure that business objectives are met • provide strategic direction for business activities • verify the efficient use of the organization's resources, and ensure proper handling of business risks Upgrade to remove ads Only $35.99/year Information Security Governance While corporate governance deals with performance and control at all levels of the organization, information security governance is a subset of corporate governance. Information security governance is concerned with the policies and controls related to protecting information in the organization. It helps you to • ensure that information security objectives are achieved • provide strategic direction for information security activities • ensure the efficient use of information resources, and manage information security risks General components of the Information Security Governance Framework are: - security strategy - security policies - standards - security organizational structure - metrics and monitoring Steering Committee Consists of senior representatives of departments that are directly or indirectly affected by information security policies. The steering committee aims to involve all stakeholders influenced by security aspects. Who is responsible for identifying information assets that need to be protected and assigning appropriate priorities and protection levels for them? The Board of Directors Who is responsible for achieving organizational consent over priorities related to information security and ensuring the involvement of all stakeholders influenced by security considerations? The Steering Committe Who needs to establish reporting and communication channels in the whole organization to make sure that information security governance is effective? The CISO Who should establish processes for integrating security with business objectives and provide proper leadership and continuous support to the people working to implement information security? Executive Management What is GRC? Governance, Risk Management, Compliance What are the 3 GRC processes? - Governance is the process that senior management can use to direct and control an organization. It involves developing methods to ensure that all employees of the organization adhere to its policies, standards, and procedures. - Risk management helps you create and implement methods for mitigating risks. Using this process, you can establish the organization's risk tolerance, recognize potential risks and their impact on business operations, and decide the priority for mitigating the risks based on business goals and risk tolerance. - Compliance is the process using which you can supervise the controls and methods that ensure adherence to an organization's policies, standards, and procedures. Systems Theory Systems Theory is a network of processes, people, technologies, relationships, events, reactions, and results that interact with each other to achieve one common goal. By analyzing these interactions, an information security manager can understand the working of a system in an organization and control any risks to it. 4 elements of the information security business model • organization design and strategy • people • process • technology 6 dynamic interconnections of the information security business model • governance • culture • enablement and support • emergence • human factors • architecture Governance dynamic interconnection of information security business model The governance dynamic interconnection links the organization and process elements. It involves guiding and controlling an organization. Culture dynamic interconnection of information security business model The culture dynamic interconnection links the organization and people elements. It represents people's beliefs, opinions, and behaviors. Enablement and Support dynamic interconnection of information security business model The enablement and support dynamic interconnection links the technology and process elements. It involves creating security policies, guidelines, and standards to support business requirements. Emergence dynamic interconnection of information security business model The emergence interconnection links the people and process elements. It indicates patterns in an organization's life that appear and grow without any evident reason, and have results that are difficult to forecast and control. Human Factors dynamic interconnection of information security business model The human factors interconnection links the people and technology elements, and indicates the relationship and gap between these elements. Architecture dynamic interconnection of information security business model The architecture interconnection links the organization and technology elements. It completely covers an organization's policies, processes, people, and technology that compose the security practices. for the information security strategy to be effective, it should be developed to achieve certain high-level outcomes: - strategic alignment - risk management - value delivery - resource management - performance measurement - process assurance Which 3 key participants are involved in the development of the information security strategy? 1. The BOD or the senior management 2. the executive management and steering committee 3. the CISO or ISM responsibilities of key participants involved in developing an information security strategy The senior management ensures that the organization's information security strategy is aligned with its business strategy and objectives. The executive management and steering committee are actively involved in risk management. It involves managing the threats to information assets during strategy implementation. To implement an information security strategy, the CISO and information security managers need to create detailed security action plans. The CISO specifies the security plans to be implemented. In the McKinsey model, to ensure that security initiatives are carefully managed, they need to be: - distributed equally across the organization's core business activities to manage new challenges - reviewed and updated regularly based on the changes in the business environment, and - directed towards initiating new businesses This model reinforces the importance of analyzing business requirements from a security perspective while developing a security architecture. SABSA. Sherwood Applied Business Security Architecture. What are the 6 layers of the SABSA model? - Business View - also called the Contextual Security Architecture - Architect's View - also called the Conceptual Security Architecture - Designer's View - also called the Logical Security Architecture - Builder's View - also called the Physical Security Architecture - Tradesman's View - also called the Component Security Architecture, and - Service Manager's View - also called the Security Service Management Architecture 5 steps to develop an information security strategy: - define the goals and objectives of the security program - create a business case - describe the desired state of the organization's security - determine the current state of the organization's security, and - establish an action plan to move from the current state to the desired state Questions to ask when creating specific goals of information security: Which resources are vital to the success of your business? Which of them should be confidential? Which are for internal use only? Which should be available for the public? For your goals to answer these key questions, y [Show More]

Last updated: 1 year ago

Preview 1 out of 8 pages