CHAPTER SUMMARY
This chapter examined various IT security policy frameworks. The frameworks share many of the same concepts and goals of controlling risk; however, their approach and scope of coverage differ. The chapter discussed how these differences are not always in conflict, but rather create an opportunity to adopt strengths of multiple frameworks such as COBIT and ISO. The chapter walked through methods to identify which best practice is appropriate for an organization. The implementation approach to each framework will vary by the type of framework and the organization’s culture.
The chapter examined separation of duties from a roles and organizational view. The organizational view was used to create three lines of defense to enhance the risk management program. Finally, the importance of the frameworks was highlighted in case studies. These case studies illustrated how implementing a policies framework to control risk prevents breaches and ensures compliance. The case studies also showed how contractors and insiders can be as much of a threat as external hackers.
KEY CONCEPTS AND TERMS
Committee of Sponsoring Organizations (COSO)
Control Objectives for Information and related Technology (COBIT)
Enterprise risk management (ERM)
Governance, risk management, and compliance (GRC)
Head of information management
International Organization for Standardization (ISO)
CHAPTER 8 ASSESSMENT
- The security committee is the key committee for the CISO.
- True
- False
- Which of the following is not an IT security policy framework?
- COBIT
- ISO
- ERM
- OCTAVE
- Which of the following are PCI DSS network requirements?
- Network segregation
- Penetration testing
- Virus scanning
- All of the above
- A and B only
- Which of the following are common IT framework characteristics?
- Risk-based management
- Aligned business risk appetite
- Reduced operation disruption and losses
- Established path from requirements to control
- All of the above
- A and C only
- Which of the following applies to both GRC and ERM?
- Defines an approach to reduce risk
- Applies a rigid framework to eliminate redundant controls, policies, and efforts
- Passively enforces security policy
- Seeks line of sight into root causes of risks
- The underlying concept of SOD is that individuals execute high-risk transactions as they receive preapproval.
- True
- False
- A risk management and metrics team is generally the first team to respond to an incident.
- True
- False
- Once you decide not to eliminate a risk but to accept it, you can ignore the risk.
- True
- False
- Which of the following is not a key area of improvement noted after COBIT implementation?
- Value delivery
- Decentralization of the risk function
- Better resourcing of IT
- Better communication
- A security team’s organizational structure defines the team’s ________.
- Implementing a governance framework can allow an organization to systemically identify and prioritize risks.
- True
- False
- The more layers of approval required for SOD, the more ________ it is to implement the process.
- Asking to borrow someone’s keycard is an example of ________.
- All organizations should have a full-time team dedicated to collecting, reviewing, and reporting to demonstrate adherence to regulations.
- True
- False
ENDNOTES
1. Office of the Comptroller of the Currency, “Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital,” July 2, 2003, http://www.occ.treas.gov/ftp/release/2003-53c.pdf, accessed April 30, 2010.