Chapter 2 review

Question 1

Chapter 2 Review

A strategy is a plan to achieve a defined set of these

Answer 1

OBJECTIVES

Question 2

Chapter 2 Review

Objectives are the desired what in an organization, and within the organization’s information security program

Answer 2

FUTURE STATE

Question 3

Chapter 2 Review

A strategy should be business aligned to be able to deliver on these 3 things.
1. ____ ; Demonstrate good investment
2. ____ ; Demonstrate cost-benefit by getting the most out of available components
3. ____ ; Demonstrate the above through reporting

Answer 3

1. VALUE
2. OPTIMIZE RESOURCES
3. BE MEASURABLE

Question 4

Chapter 2 Review

To be successful, an information security program must be aligned with the business and its overall (i) ____ ,(ii) ____ and ____ ,(iii) ____

Answer 4

1. MISSION
2. GOALS AND OBJECTIVES
3. STRATEGY

Question 5

Chapter 2 Review

A successful and aligned security program does not lead the organization, but will instead do this for it.

Answer 5

ENABLE AND SUPPORT

Question 6

Chapter 2 Review

Risk assessments, vulnerability assessments, threat assessments, business impact analysis, metrics, a risk register, and incident logs are a number of resources used reveal the organisations current state which helps in the development of this that helps achieve objectives.

Answer 6

DEVELOPMENT OF A STRATEGY

Question 7

Chapter 2 Review

1. policy
2. standards
3. guidelines
4. processes and procedures
5. architecture
6. controls
7. staff skills
8. insurance
9. outsourced services.

Inputs from the above are required to better define the structure of this program

Answer 7

SECURITY PROGRAM

Question 8

Chapter 2 Review

It is critical that the security leader understands this about the security team, IT department, and entire organisation

Answer 8

CULTURE

Question 9

Chapter 2 Review

A security strategist must first understand this in order to develop a strategy and then be able to define a desired future state

Answer 9

CURRENT STATE

Question 10

Chapter 2 Review

This technique helps the strategist understand missing capabilities.

Answer 10

GAP ANALYSIS

Question 11

Chapter 2 Review

This planning tool defines the steps to develop missing capabilities and augment existing capabilities

Answer 11

ROADMAP

Question 12

Chapter 2 Review

Strategic planning can be supported by a SWOT analysis;

1. S____
2. W____
3. O____
4. T____

Answer 12

1. STRENGTHS
2. WEAKNESS
3. OPPORTUNITIES
4. THREATS

Question 13

Chapter 2 Review

The strategist may employ one or more of these to help determine appropriate future states of key security processes. An example includes CMMI-DEV

Answer 13

CAPABILITY MATURITY MODEL

Question 14

Chapter 2 Review

Strategy development beings with the development of these 2 componets of a security program, 1 defines the way security governance is applied and the other techniques and methods used to reduce identified risks.

Answer 14

SECURITY POLICIES and CONTROLS

Question 15

Chapter 2 Review

A security leader may choose to align the structure of security policy and controls to one of several standards;

1. ____ 2019
2. NIST SP 800- ____
3. NIST SP 800- ____
4. ISO/IEC ____
5. H ____ / H ____
6. P ____ D ____
7. C ____ C ____

Answer 15

1. COBIT 2019
2. NIST SP 800-53
3. NIST SP 800-171
4. ISO/IEC 27002
5. HIPAA / HITECH
6. PCI DSS
7. CIC CSC

Question 16

Chapter 2 Review

These 3 things should form part of strategy development after a security leader has developed and updated policy and controls, and chosen an industry standard to align to;

1. ____ ; Baselines
2. ____ ; Ownership
3. ____ ; Educating the business

Answer 16

1. STANDARDS
2. ROLES AND RESPONSIBILITIES
3. PERSONNEL TRAINED

Question 17

Chapter 2 Review

Commitment from these 2 parties is essential if the security strategy to succeed.

Answer 17

EXECUTIVE and BUSINESS OWNERS

Question 18

Chapter 2 Review

The following are examples of what that a security strategist must be aware of when trying to achieve strategic objectives;

1. culture
2. organizational structure
3. existing staff capabilities
4. budgets
5. time
6. legal and regulatory obligations.

Answer 18

OBSTACLES

Question 19

Chapter 2 Review

Security leaders should be aware of this phenomenon, which is the belief security incidents will never happen.

Answer 19

NORMALCY BIAS

Question 20

Chapter 2 Review

Strategy development may include understanding and establishing this desired objective

Answer 20

RISK LEVELS

Question 21

Chapter 2 Review

This model was developed by ISACA and is a guide for business-aligned, risk-based security governance.

Answer 21

BUSINESS MODEL FOR INFORMATION SECURITY
(BMIS)

BMIS Model

Question 22

Chapter 2 Review

The Business Model for Information Security (BMIS) consists of these four elements:

1. O____
2. P____
3. T____
4. P____

BMIS Model

Answer 22

1. ORGANISATION
2. PEOPLE
3. TECHNOLOGY
4. PROCESS

Question 23

Chapter 2 Review

The Business Model for Information Security (BMIS) model consists of six dynamic interconnections (DIs)

1. G____
2. E____
3. E____ & S ____
4. C____
5. A____
6. H____

BMIS Model

Answer 23

1. Process < Governing > Organisation
2. Process < Emergence > People
3. Process < Enabling & Support > Technology
4. People < Culture > Organisation
5. Organisation < Architecture > Technology
6. Technology < Human Factors > People

Question 24

Chapter 2 Review

This structure represents the implementation of the overall security strategy as well as the details that define the role of technology and asset protection

Answer 24

SECURITY ARCHITECTURE

Zachman Framework

TOGAF

Question 25

# Chapter 2 Review **ISO/IEC 27001** is a renowned standard for the development and management of an this **management system**

Answer 25

INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

Question 26

# Chapter 2 Review The **NIST Cybersecurity Framework (CSF)** maps **high-level outcomes** to **several control frameworks**. It is a taxonomy for **assessing** these **2 things** of an organisations current state.

Answer 26

SECURITY CAPABILITIES and MATURITY

Question 27

# Chapter 2 Review The **NIST risk management framework (RMF)**, described in NIST SP 800-37, provides a model for the **risk management lifecycle**, which is considered essential for organizations to do this effectively in regards to cyber risks.

Answer 27

IDENTIFY and MANAGE CYBER RISKS

Question 28

# Chapter 2 Review With **Strategic planning**, one or more persons develop the steps and resources required to achieve a what.

Answer 28

DESIRED END STATE (which is an objective)

Question 29

# Chapter 2 Review **Strategic planning** should include the **steps and resources required** for principal functions of the information **security program** to protect these things within the organization adequately

Answer 29

INFORMATION ASSETS

Question 30

# Chapter 2 Review A **roadmap** is the list of steps required to achieve these

Answer 30

STRATEGIC OBJECTIVES

Question 31

# Chapter 2 Review Building an effective one of these will **help executive management agree** to **support and fund** a strategy or security initiative

Answer 31

BUSINESS CASE

Question 32

# Chapter 2 Review 1. problem statement 2. description of the current state 3. desired future state 4. requirements 5. approach 6. plan to achieve the strategy Each of the above items are examples of things to be addressed in one of these

Answer 32

BUSINESS CASE

Question 33

# Chapter 2 Review This party will review **Business cases**, and consists of **business stakeholders**

Answer 33

IT STEERING COMMITTEE

Question 34

# Chapter 2 Review **Control objectives** are **developed to achieve** this in regards to risk

Answer 34

ACCEPTABLE LEVEL OF RISK

Question 35

# Chapter 2 Review The **extent** to which **levels of acceptable risk are achieved** through control objectives is a **good measure** of the **effectiveness** of this

Answer 35

EFFECTIVENESS OF SECURITY STRATEGY

Question 36

# Chapter 2 Review This **policy** will state the **required failure modes** i.e. fail open or fail closed. This has implications on safety, confidentiality, and availability

Answer 36

CONTROL POLICY

Question 37

# Chapter 2 Review During a **security program development**, this is the primary reason why policies will be changed

Answer 37

NO LONGER REFLECT MANAGEMENT INTENT AND DIRECTION