CHAPTER SUMMARY
The chief information security officer (CISO) “owns” the information protection program for the organization. He or she must monitor the adoption and effectiveness of the security policies. The CISO must ensure that noncompliance is escalated to senior leadership for enforcement. Still, it’s everyone’s responsibility to enforce security policies. This is accomplished by the collective action of leaders. Enforcement starts with executive support. This support goes beyond granting permission to implement security policies. Executive support also means personal commitment by the managers to use their position and skills to influence the direction of their teams. Once executives put their own credibility behind policies, they are less likely to allow violations to occur.
The organization also enforces policies through committees. These committees act as a gateway to check that security policies are being followed. This may mean monitoring employee use of the computer. When behavior does not conform to policies, it is the role of front-line managers and supervisors to act.
This chapter examined the relationship among organizational layers (governance and management), laws, regulations, and policies. It defined what is law and what is policy. It examined different methods of enforcing policies. It also examined the strengths and weaknesses of automated and manual controls. Finally, the chapter examined the legal implication of enforcing security policies.
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
- Which of the following is not an organizational gateway committee?
- Architecture review committee
- Internal connection committee
- Vendor governance committee
- Security compliance committee
- _____________ often focuses on enterprise risk management across multiple lines of business to resolve strategic business issues.
- The security compliance committee has one role, which is to identify when violations of policies occur.
- True
- False
- Which of the following is not an access control?
- Authentication
- Authorization
- Decryption
- Logging
- In which of the following areas might a company monitor its employees’ actions?
- Internet
- Computers
- A and B
- A, B, and C
- _____________ establish how the organization achieves regulatory requirements.
- Laws define the specific internal IT processes needed to be compliant.
- True
- False
- What is not required in modern-day CISO positions?
- Must rely on the organization to enforce policy
- Needs to have strong law enforcement background
- Needs to build relationships and consensus
- Must influence behavior and change culture to enforce policy
- What is an example of a manual control?
- Background checks
- Authentication
- Access rights reviews
- A and C
- A, B, and C
- A breach of a single customer record cannot be considered a pervasive control weakness.
- True—you must lose a significant amount of data for it to be considered a pervasive control weakness.
- False—any breach can be a pervasive control weakness, depending on the control that failed.
- Connecting a personal device to the company network can create legal implications.
- True
- False
- Line management does which of the following to make policies operational?
- Acts as go-to people for addressing questions
- Applies policies consistently
- Gathers metrics on the policies’ effectiveness
- A and C
- A, B, and C
- In which process would you place quality assurance controls?
- Governance processes
- Management processes
- Both governance and management processes
- Neither governance nor management processes
- Which of the following is not reviewed when monitoring a user’s email and Internet activity?
- Data leakage
- Viruses and malware
- Unauthorized access to sites
- Network performance
- When testing for security in an application code, the quality assurance process tests _____________ the code is in production and quality control tests _____________ the code is in production.
- The operational risk function is responsible for ensuring that the business operates within risk _____________ and risk _____________.