Information Security Governance and ISSC
37 Questions

Questions and Answers

What is the primary responsibility of a LAN administrator?

  • Training end-users on programming languages
  • Implementing security protocols for remote access
  • Designing application software
  • Ensuring the technical and administrative control over the LAN (correct)

What is a significant risk of not having segregation of duties (SoD) within an organization?

  • Inaccurate financial documentation (correct)
  • Increased employee satisfaction
  • Enhanced data backup procedures
  • Streamlined decision-making processes

Which type of responsibilities should a LAN administrator not have?

  • Systems programming
  • End-user support
  • Network troubleshooting
  • Application programming (correct)

What is the primary role of an auditor in the context of information security?

  • To provide suitable audit trails and logs (correct)

Which of the following duties is not typically included in the segregation of duties?

  • Software development (correct)

What is the advisable reporting structure for LAN administrators in a decentralized operation?

  • To both the end-user manager and the director of IPF (correct)

Which role can be responsible for information security if a Chief Information Security Officer (CISO) is not present?

  • Chief Financial Officer (CFO) (correct)

What is an essential characteristic of the IT Steering Committee?

  • A member of the board should ideally chair the committee. (correct)

What can occur if senior management fails to recognize their governance responsibilities?

  • Lack of effective governance structures (correct)

Who typically has the ultimate legal responsibility for information security within an organization?

  • Board of Directors (correct)

Which of the following statements about the membership of the ISSC is true?

  • Members can be modified to suit the organization's context. (correct)

What is one of the functions of the IT Steering Committee?

  • To oversee the activities of the IT function (correct)

Which of the following is NOT a potential consequence of failing to implement good governance in information security?

  • Enhanced security policies (correct)

What is a primary function of the IT steering committee?

  • Reviewing and approving major acquisitions of hardware and software (correct)

Which task is NOT typically performed by the IT steering committee?

  • Developing end-user training programs (correct)

How does the IT steering committee support information security?

  • By developing and implementing an enterprise-wide information security management program (correct)

What should each enterprise have for its IT steering committee?

  • Formally documented and approved terms of reference (correct)

Which area does the IT steering committee NOT typically oversee?

  • User-specific software configurations (correct)

Which statement best describes the relationship between the IT steering committee and the board of directors?

  • The IT steering committee reports on IS activities to the board of directors (correct)

What is essential for IS auditors concerning the IT steering committee?

  • Understanding of the committee's primary functions and responsibilities (correct)

Which of the following accurately reflects the responsibility of the IT steering committee?

  • Approving and monitoring major projects and IS budgets (correct)

Which phase is not included in the project life cycles that a system security engineer supports?

  • Marketing (correct)

What is a critical responsibility of the applications staff in maintaining production environments?

  • They should work in a test-only environment. (correct)

Which action must IT management take to ensure proper monitoring of infrastructure staff?

  • Ensure electronic logs capture activities. (correct)

Which of the following is a responsibility of network administrators?

  • Manage routers and switches. (correct)

What must be tightly controlled regarding infrastructure staff?

  • Their access to system libraries. (correct)

Which type of networks are typically managed by network administrators?

  • Wireless and LANs (correct)

Concurrent interactions with which disciplines are part of the system security engineer's responsibilities?

  • Engineering activities and system management (correct)

What is essential for effective management of staff who develop the application?

  • Restrict their capability to alter production data. (correct)

What is one of the main responsibilities of a systems administrator?

  • Installing systemwide software (correct)

In larger enterprises, how are systems administrators typically organized?

  • They typically operate in teams. (correct)

What is required to ensure adequate security administration?

  • A clear written policy by management (correct)

What should a security administrator regularly evaluate?

  • The security policy (correct)

What is one of the main tasks of the database administrator (DBA)?

  • Creating data structures (correct)

Which of the following is a duty of the security administrator?

  • Maintaining access rules to data (correct)

Why might a small organization find it impractical to hire a full-time security administrator?

  • They might not budget for such a position. (correct)

What is a primary focus of the systems administrator related to security?

  • Ensuring user compliance with security policies (correct)

Study Notes

Information Security Steering Committee (ISSC)

• The ISSC is a crucial component of an organization's information security governance structure.
• Membership should be tailored to the organization's context and control objectives, with representatives from senior management, each line of business, corporate departments (such as HR and finance), and the IT department.
• The ISSC's responsibilities should be defined in a formal charter, with members having the authority to make decisions within their respective areas.
• The ISSC should not become involved in routine IT operations.
• The ISSC's primary functions include reviewing long- and short-range IT plans, major hardware and software acquisitions, and IS projects, as well as approving sourcing strategies, resource allocation decisions, and information security management programs.
• The ISSC should ensure the alignment of IT activities with corporate objectives and report on IS activities to the board of directors.

IT Steering Committee

• The IT steering committee provides oversight of the IT function and its activities.
• It should have members who understand the risks and issues associated with IT and who can ensure alignment with the corporate mission and objectives.
• Membership should include representatives from senior management, each line of business, corporate departments such as HR and finance, and the IT department.
• The IT steering committee should have a formal charter defining its duties and responsibilities.
• Members should be knowledgeable about IT department policies, procedures, and practices.
• The IT steering committee typically acts as a review board for major IT projects.

Matrix of Outcomes and Responsibilities

• The matrix displays the relationships between the outcomes of effective security governance and management responsibilities.
• The matrix is intended to illustrate some primary tasks and the management level responsible for them.
• It emphasizes that the roles and responsibilities should exist even if different labels are used for management titles in various organizations.

Security Administration

• Security administration is a critical function that begins with management commitment.
• Management must understand and evaluate security risks, and develop and enforce a written security policy that outlines standards and procedures.
• The duties of the security administrator should be defined in the policy.
• The security administrator should ideally be a full-time employee who reports directly to the infrastructure director.
• The security administrator ensures that users comply with the corporate security policy and oversees access to company assets.
• The security administrator's responsibilities include maintaining access rules, ensuring the security of user IDs and passwords, monitoring security violations, reviewing and evaluating the security policy, preparing and monitoring security awareness programs, testing the security architecture, and collaborating with the compliance, risk management, and audit functions.

Database Administration

• The database administrator (DBA) is responsible for defining and maintaining the data structures within the corporate database system.
• The DBA must understand the organization's data requirements, user data, and data relationships.
• The DBA is responsible for the security of the shared data stored on database systems.

System Security Engineer

• The system security engineer provides technical information system security engineering support to the organization.
• The system security engineer contributes to project life cycles, organizational activities, and interactions with other disciplines, and works with other organizations on activities such as acquisition, system management, and certification.

Applications Development and Maintenance

• Applications staff are responsible for developing and maintaining applications, including developing new code and modifying existing application configurations.
• Management must ensure that applications staff cannot modify production programs or data; development takes place in a test-only environment.
• Development work must be transferred to another group for deployment into the production environment.

Infrastructure Development and Maintenance

• Infrastructure staff are responsible for maintaining the systems software, including the operating system.
• Because this function requires staff to have broad access to the entire system, management must monitor their activity closely through electronic logs; those logs must capture what was done and be protected against alteration.
• Infrastructure staff should have access limited to the system libraries of the specific software they maintain.
• The use of domain administration and superuser accounts should be tightly controlled and monitored.

Network Management

• Network administrators are responsible for key network infrastructure components, such as routers, switches, firewalls, network segmentation, performance management, and remote access.
• The geographic dispersion of networks often requires dedicated administrators for each local area network (LAN).
• Network administrators may report to the director of the information processing facility (IPF) or, in decentralized operations, to the end-user manager; in the latter case a dotted-line reporting relationship to the IPF director is recommended.
• The network administrator controls the LAN technically and administratively, ensuring transmission link functionality, system backups, authorized software and hardware purchases, and proper installation.
• In smaller settings, the network administrator may also be responsible for LAN security administration.
• The LAN administrator should typically avoid application programming responsibilities but may have some involvement in systems programming and end-user tasks.

Segregation of Duties (SoD) Within IT

• Adequate SoD is crucial for preventing errors, misappropriations, and fraudulent activities.
• SoD involves separating critical functions so that no single person controls multiple aspects of a process in a way that could allow errors or misappropriations to go undetected.
• Duties that should be segregated include custody of assets, authorization, and recording of transactions.
• The lack of SoD can lead to misappropriation of assets, misstated financial statements, and inaccurate financial documentation.


Related Documents

CISA 27th Edition 3 PDF

Description

This quiz covers the role and responsibilities of the Information Security Steering Committee (ISSC) in an organization's governance structure. It emphasizes the importance of tailored membership, formal charters, and alignment of IT activities with corporate objectives. Test your knowledge on the key functions and considerations involved in overseeing information security.
