Security & Privacy Governance

When an organization is implementing an information security governance program, its board of directors should be responsible for:

Setting the strategic direction of the program

How do you ensure the success of information security governance within an organization?

Steering committees approve security projects

From an information security manager perspective, what is the immediate benefit of clearly-defined roles and responsibilities?

Better accountability

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

Senior management

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

Perform a risk analysis to quantify the risk

What is the important information to include in an information security standard?

Last Review Date

What is the important information to include in a strategic plan for information security?

Current state and desired future state

At what stage of the applications development process should the security department initially become involved?

At detail requirements

While implementing information security governance, what should an organization do?

Define the security strategy

What is the justification to convince management to invest in an information security program?

Increased Business Value

What is the FIRST step in developing an information security plan?

Analyze the current business strategy

What is the MOST important goal of an information security governance program?

Ensuring trust in data

WHY?

The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible.

Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:

A Business Case

WHY?

A business case shows both direct and indirect benefits, along with the investment required and the expected returns, thus making it useful to present to senior management.
