Information Security Governance
12 Questions

Questions and Answers

Who is primarily responsible for developing a security strategy?

  • Business process owners
  • Steering committee
  • Data owners
  • Information security manager (correct)

What is the primary goal of information security governance?

  • To develop a security strategy
  • To review security policies
  • To implement security controls
  • To ensure confidentiality, integrity and availability of transactions (correct)

What is a high-level statement of an organization's beliefs, goals, roles, and objectives?

  • Strategy
  • Policy (correct)
  • Baseline
  • Procedure

What is the purpose of a steering committee in information security governance?

  • To review the security strategy

What is the responsibility of data owners in information security governance?

  • To ensure confidentiality, integrity and availability of transactions

What is the difference between a baseline and a strategy in information security governance?

  • A baseline assumes a minimum security level, while a strategy aligns with business objectives

What is the first step in developing a new organization information security strategy?

  • Define the scope

Who is responsible for legal and regulatory liability in an organization?

  • Board and senior management

What is the most effective way to obtain senior management support for establishing a warm site?

  • Developing a business case

What should be done with information that no longer supports the main purpose of the business from an information security perspective?

  • Analyze it under the retention policy

Why is it important to define the scope of the information security strategy?

  • To determine the boundaries of the program

What is the primary benefit of developing a business case for establishing a warm site?

  • It includes a cost-benefit analysis

Study Notes

Information Security Strategy Development

  • Chief Information Security Officer (CISO) is primarily responsible for developing a security strategy.
  • The primary goal of information security governance is to ensure the confidentiality, integrity, and availability of an organization's information assets.
  • A mission statement is a high-level statement of an organization's beliefs, goals, roles, and objectives.
  • A steering committee in information security governance provides oversight and guidance, ensuring alignment with business objectives.
  • Data owners are responsible for determining the sensitivity of data, and for establishing appropriate security controls.
  • A baseline defines minimum security standards, while a strategy outlines how an organization will achieve its security objectives.
  • Conducting a risk assessment is the first step in developing a new organization information security strategy.
  • Senior management is responsible for legal and regulatory liability in an organization.
  • Demonstrating the business value of establishing a warm site is the most effective way to obtain senior management support.
  • Information that no longer supports the main purpose of the business should be disposed of securely, ensuring data confidentiality and integrity.
  • Defining the scope of the information security strategy ensures that it addresses the specific needs of the organization and its information assets.
  • The primary benefit of developing a business case for establishing a warm site is to justify the investment to senior management and demonstrate its value.

Description

Test your knowledge of information security governance, including strategy development, review, and communication. Discover the primary responsibilities of an information security manager.
