Module 4 - Enterprise Information Security Program - Roles and Responsibilities

1. Define the following terms:

a. Information Security
Preservation of confidentiality, integrity and availability of information
b. Availability
Property of being accessible and usable upon demand by an authorized entity
c. Confidentiality
Property that information is not made available or disclosed to unauthorized
individuals, entities, or processes
d. Integrity
Property of accuracy and completeness
e. Authenticity
Property that an entity is what it is claims to be
f. Accountability
Principle that an individual is entrusted to safeguard and control equipment,
keying material, and information and is answerable to proper authority for the
loss or misuse of that equipment or information.
g. Non-repudiation
Ability to prove the occurrence of a claimed event or action and its originating
entities
h. Reliability
Property of consistent intended behavior and results
2. List the five core components of an effective information system security program? Slide
Governance and Organization
Information Security Strategy
Information Security Framework
Information Security Risk Management
Measurement and Metrics

3. Define the following Terms

Vision
Is a clear, comprehensive photograph of an organization at some point
in the future
Provides direction because it describes what the organization needs to be
like, to be successful within the future
Mission
Purpose for the organizations existence
Represents fundamental and unique aspirations that make the
organization different from others: who we are, what we do
Guides the planning process
All sub-units should be focused on the organizations mission and how
they contribute toward accomplishments.
Scope of Vision
Defines the type of activities and services that will be performed
Should be clearly identified (detailed) to help employees and customers
understand the priorities of the organization
Serves as basis for development of certain goals and objectives
Values
Values statement should be one of the first positions that management
must articulate
The trust and confidence of stakeholders and the public are important
By establishing a formal set of principles and qualities in a values
statement
Goals
Goalexplains how the mission will be realized ; describes what is to be
accomplished
Objectives
Objectivesspecify how and when goals will be met
4. What does SMART mean and define each element? Slides 28-33
Specific: Be precise about what you are going to achieve
Measurable: Quantify the objectives
Appropriate: Align with the needs of the target audience
Realistic: Do you have the resources to make the objective happen?
Time-Specific: State when you will achieve the objective

5. What does RACI stand for and define element? Slides 46-47
A accountable The buck stops here yes/no authority
R responsible The doer working on the activity
C consult
In the loop involved prior to decision/action
I Inform
Keep in the picture needs to know of the decision/action
6. How many As can any RACI tasks have? Slide 47
Only one A can be assigned to a task
7. What are the Board of Directors responsibilities in regards to information security
governance? Slide 54
Setting strategic direction
Ensuring that risk is managed appropriately
Ensuring that adequate resources are used responsibly
Ensuring performance measurement
8. What are Executive Management responsibilities in regards to information security
governance? Slide 57
Active support for security initiatives must come from management to maximize
successful outcomes
9. What is a charter according to the text? Slide 59 and 60
Defines the program in order to ensure its success
Name / Title
Start and end date / timeline
Approval authorities / executive sponsorship
Team leadership / management
Key players / stakeholders
Business case / purpose / regulatory requirements
Problem statement or opportunity
Business benefits
Measurable performance outcome / metrics
Scope of work
Key milestones
Roles and responsibilities
Manpower and budget requirements
Barriers to success and risks
Communication plan

10. What are the benefits in having a Security Steering Committee? Slide 58
A number of benefits including
A forum for identifying and prioritizing current and emerging risks
An invaluable channel for gathering organizational intelligence
An avenue for disseminating important security-related information
11. What are the responsibilities of a CISO? Slide 61
Integrating physical security with information security
12. List the different Organizational Structures where a CISO may be placed and describe the
pros and cons of each? Slides 66-69
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
13. What are some of the steps one can take to align the Information Security organization
within the companys overall structure? Slides 75-79
Formalize a common definition of security and risk governance in your organization
Define and implement an information security and risk governance function that is
integrated with the organizations corporate and IT governance functions
Focus on the governance processes and functions, rather than on the organizational
position of the activities
Establish a consistent channel of communication within your organization to speak
on how the security program contributes to the organizations mission
Attempt to create an effective program regardless of where you sit in the
organization

 If you are not placed in the proper organization structure, what should you do?
Strategies:
a. Find your champions by gaining allies in your organization
b. Build cross- functional relationships outside of IT
c. Show your value
Identify security advocates outside of your reporting structure to help you promote
information security across the organization and gain consensus
Define how information security risk should be tracked, presented, and
communicated.
Tailor the information security program (where appropriate) with different
business units by understanding their unique risks and processes
Regularly benchmark your information security program with peer and non- peer
companies to identify any potential gaps, and to reassure organizational management
that reasonable diligence is occurring
a. Ideally this is done formally, but informal approaches can also work.
Consider creating an overall objective or mission statement for your information
security program that is closely aligned with organizational imperatives and is
understood/approved by key stakeholders
Continuously adapt the mission statement to the organizational direction, and align
the information security program with it ongoing.
Define and document the scope of your security program:
a. Cross-functional responsibilities
b. Localization (regional/geographic areas)
c. Recognition of information security functions outside of the designated
information security team (if appropriate), such as through virtual or matrixes
relationships, or ad hoc situations
Identify the employees or third-parties assigned to information security functions
a. Internal resource (full-time staff, part-time staff, dedicated, or matrix)
b. Third-party/outsourced resources
Identify and document the financial resources/budget allocated to security functions
Identify actions necessary to secure funding to address extraordinary security needs

14. Define Configuration Management? Slides 3-5 CM

A management process for establishing and maintaining consistency of a products
performance, functional and physical attributes with its Requirements, design, and
operational information throughout its life
A process intended to ensure that the system performs as intended, and is documented
to a level of detail sufficient to meet needs for operation, maintenance, repair and
replacement
The primary goals of configuration management are:
a. Establish System and project product integrity
b. Maintain this integrity throughout the lifecycle
15. What are the fundamental sources of change? Slide 6 and 8 CM
New business or market conditions
a. dictate changes to SW requirements or business rules
New customer needs
a. demand modification of data, functionality, or services
Business reorganization
a. causes changes in project priorities or software engineering team structure
Budgetary or scheduling constraints
a. cause system to be redefined
16. What is version control? Slide 14 CM
Combines procedures and tools to manage the different versions of configuration
objects created during the software process
17. What are some of the listed system building problems? Slide 32

Do the build instructions include all required components?

Is the appropriate version specified for each build component?
Are all data files available?
Are data file references within components correct?
Is system being built for the right platform?
Is the correct versions of the compiler and other tools specified?

18. Define IT Asset Management Program? Slide 3 ITAM

the set of business practices that join financial, contractual and inventory functions to
support lifecycle management and strategic decision making for the IT environment
in support of the organizations overall business objectives.

19. Why do IT Asset Management? Slide 4 ITAM

So that maximum value is gained from the use of the assets across the lifecycle and
beyond Value is:
o Financial accountability
o Risk reduction such as through proper disposition of waste
o Efficiency, performance
o Customer satisfaction
o Control, long-term manageability
20. What are commonly managed assets? Slide 11 ITAM
Software Licensing compliance risk high cost and audits
Mainframes high cost
Laptops mobility, cost, risk factors
Desktops redeployment candidate, often leased
PAD/BYOD devices risk factors
Telecom division of ownership
Servers cost, risk to business continuity