5. What does RACI stand for, and how is each element defined? Slides 46-47
R - Responsible: the doer, working on the activity
A - Accountable: the buck stops here; has yes/no authority
C - Consult: in the loop, involved prior to the decision/action
I - Inform: kept in the picture, needs to know of the decision/action
6. How many As can any RACI tasks have? Slide 47
Only one A can be assigned to a task
7. What are the Board of Directors' responsibilities in regards to information security
governance? Slide 54
Setting strategic direction
Ensuring that risk is managed appropriately
Ensuring that adequate resources are used responsibly
Ensuring performance measurement
8. What are Executive Management's responsibilities in regards to information security
governance? Slide 57
Active support for security initiatives must come from management to maximize
successful outcomes
9. What is a charter according to the text? Slide 59 and 60
Defines the program in order to ensure its success
Name / Title
Start and end date / timeline
Approval authorities / executive sponsorship
Team leadership / management
Key players / stakeholders
Business case / purpose / regulatory requirements
Problem statement or opportunity
Business benefits
Measurable performance outcome / metrics
Scope of work
Key milestones
Roles and responsibilities
Manpower and budget requirements
Barriers to success and risks
Communication plan
10. What are the benefits of having a Security Steering Committee? Slide 58
A number of benefits, including:
A forum for identifying and prioritizing current and emerging risks
An invaluable channel for gathering organizational intelligence
An avenue for disseminating important security-related information
11. What are the responsibilities of a CISO? Slide 61
Integrating physical security with information security
12. List the different Organizational Structures where a CISO may be placed and describe the
pros and cons of each? Slides 66-69
13. What are some of the steps one can take to align the Information Security organization
within the company's overall structure? Slides 75-79
Formalize a common definition of security and risk governance in your organization
Define and implement an information security and risk governance function that is
integrated with the organization's corporate and IT governance functions
Focus on the governance processes and functions, rather than on the organizational
position of the activities
Establish a consistent channel of communication within your organization to speak
on how the security program contributes to the organization's mission
Attempt to create an effective program regardless of where you sit in the
organization
If you are not placed in the proper organization structure, what should you do?
Strategies:
a. Find your champions by gaining allies in your organization
b. Build cross-functional relationships outside of IT
c. Show your value
Identify security advocates outside of your reporting structure to help you promote
information security across the organization and gain consensus
Define how information security risk should be tracked, presented, and
communicated.
Tailor the information security program (where appropriate) with different
business units by understanding their unique risks and processes
Regularly benchmark your information security program against peer and non-peer
companies to identify any potential gaps, and to reassure organizational management
that reasonable diligence is occurring
a. Ideally this is done formally, but informal approaches can also work.
Consider creating an overall objective or mission statement for your information
security program that is closely aligned with organizational imperatives and is
understood/approved by key stakeholders
Continuously adapt the mission statement to the organizational direction, and keep
the information security program aligned with it on an ongoing basis.
Define and document the scope of your security program:
a. Cross-functional responsibilities
b. Localization (regional/geographic areas)
c. Recognition of information security functions outside of the designated
information security team (if appropriate), such as through virtual or matrixed
relationships, or ad hoc situations
Identify the employees or third parties assigned to information security functions
a. Internal resource (full-time staff, part-time staff, dedicated, or matrix)
b. Third-party/outsourced resources
Identify and document the financial resources/budget allocated to security functions
Identify actions necessary to secure funding to address extraordinary security needs