Page 1: © 2003 ISACA Chapter 1 Information Security Governance 2003 CISM ™ Review Course


Chapter 1

Information Security Governance

2003 CISM™ Review Course


Chapter Overview

This area comprises 8 Task Statements and 21 Knowledge Statements.


Chapter Objective

Ensure that the CISM knows how to…

“Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.”


Chapter Summary

According to the CISM Certification Board, this area will represent approximately 21% of the CISM examination (approximately 42 questions).


Task 1

Develop the information security strategy in support of business strategy and direction.

The alignment of the information security strategy and business strategy is supported in many standards including:

• Information Systems Audit and Control Association, COBIT
• Organization for Economic Cooperation and Development (OECD) Security Guidelines
• Institute of Chartered Accountants in England, Turnbull report
• ISO/IEC 17799
• BS 7799
• The Information Security Forum’s Standard of Good Practice


Task 1 (continued)

The information security manager should ensure that a security strategy is designed, developed, implemented and maintained. The security strategy often includes:

• Business strategy linkages
• Policy
• Authentication
• Authorization
• Administration
• Recovery
• Support services
• Enabling technologies


Task 2

Obtain senior management commitment and support for information security throughout the enterprise.

Senior management (board-level directors or equivalent) should have a high level of commitment to:

• Achieving high standards of corporate governance
• Treating information security as a critical business issue and creating a security-positive environment
• Demonstrating to third parties that the organization deals with information security in a professional manner
• Applying fundamental principles such as assuming ultimate responsibility for information security, implementing controls that are proportionate to risk and achieving individual accountability


Task 2 (continued)

Senior management should demonstrate their commitment to information security by:

• Becoming directly involved in high-level information security arrangements, such as information security policy
• Providing high-level control
• Allocating sufficient resources to information security


Task 3

Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.

• Security governance activities should be defined in employee job descriptions
• Roles and responsibilities should be clearly defined
• Employee compensation is a tool that can be used to influence behavior
• Job performance reviews should include security-related measurements
• The information security manager should work with human resources to define and implement security-related policy changes
• Policies should be communicated to appropriate personnel, and regularly updated


Task 4

Establish reporting and communication channels that support information security governance activities.

• The information security manager should report to a senior person in the organization (e.g. CIO, CFO, COO, CEO)
• Metrics should be established to measure the security program
• Metrics should be regularly reported
• Should report to a senior group such as a board-level or security committee
• Should also report some metrics to all employees to promote security awareness (e.g. newsletters, intranet, formal classes)
• The information security manager should also continue education through involvement in information security organizations


Task 5

Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.

• The information security manager needs to identify and assess those legal and regulatory issues affecting information security that apply to their organization
• It is possible that different governing bodies may have conflicting regulations
• Some sources of regulations can include but are not limited to:
  • COBIT
  • ISO/IEC 17799
  • BS 7799
  • National Fire Protection Association (NFPA), Occupational Safety & Health Administration (OSHA)


Task 5 (continued)

• Some sources of regulations can include but are not limited to (continued):
  • HIPAA
  • Copyright and patent laws, for each country in which an organization performs business
  • Office of the Comptroller (OCC), Circular 235 and Thrift Bulletin 30. Security statutes (covering computer fraud, abuse and misappropriation of computerized assets), for example the Federal Computer Security Act.
  • Federal Financial Institutions Examination Council (FFIEC) guidelines, which replaced previously issued Banking Circulars BC-177, BC-226, etc.
  • COSO
  • Organization for Economic Cooperation and Development (OECD) Security guidelines


Task 5 (continued)

• Some sources of regulations can include but are not limited to (continued):
  • Foreign Corrupt Practices Act (FCPA)
  • Vital records management statutes
  • Specifications for the retention and disposition of corporate electronic and hardcopy records, e.g., IRS records retention requirements.


Task 6

Establish and maintain information security policies that support business goals and objectives.

• A process needs to be established for the development and maintenance of security policies
• Policies should become a vital part of overall governance
• Policies need to be continuously monitored and updated
• Good practices demonstrate that a security template should be established
• Examples and supporting information for policies can be found in:
  • ISO/IEC 17799
  • BS 7799
  • The SANS Institute
  • Consulting firms


Task 6 (continued)

Steps for establishing and maintaining information security policies can include:

• Implementing a process for the development and maintenance of security policies
• Identifying the personnel responsible for various aspects of the security policy, including approval
• Researching existing organizational policies such as personnel and physical security policies
• Developing the policy based on templates that already exist
• Building a review of the security policy into the organization’s change management process
• Developing an awareness program to educate the organization’s employees on relevant aspects of the security policy


Task 7

Ensure the development of procedures and guidelines that support information security policies.

Technical and nontechnical procedures and guidelines should be built to support information security policies, including technical:

• Backup and recovery
• Enforcement for noncompliance with policies (audit, intrusion detection)
• Monitoring of policy compliance
• Network security policies (firewalls, routers, etc.)
• Operating system policies (UNIX, Windows 2000, etc.)


Task 7 (continued)

Technical and nontechnical procedures and guidelines should be built to support information security policies, including nontechnical:

• Review procedures
• Authorization procedures
• Risk acceptance procedures
• Incident response procedures

An overall process including the following should be established regarding security policies and the overall security program:

• Assess
• Design
• Implement
• Maintain


Task 8

Develop business case and enterprise value analysis that support information security program investments.

The information security manager should seek to justify the value of security projects through methods such as:

• Return on Investment (ROI)
• Total Cost of Operations (TCO)

The manager will likely need to present this justification to senior management.

Return on Security Investment (ROSI) methodologies have been slow to develop and gain acceptance.

Recent advances in single sign-on and role-based security have begun to identify real cost savings.


Task 8 (continued)

Several organizations including universities have begun to promote return on security investment methodologies. One example is below:

(R - E) + T = ALE

• “T” is the cost of the intrusion detection tool
• “E” is the dollar savings gained by stopping any number of intrusions through the introduction of an intrusion detection tool
• “R” is the cost per year to recover from any number of intrusions
• Evaluating this equation yields the annual loss expectancy (ALE)

R - ALE = ROSI

• To determine the return on security investment (ROSI), subtract what the organization expects to lose in a year (ALE) from the annual cost of intrusions (R)
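A worked calculation of the ALE and ROSI formulas above, added here as an example and not part of the ISACA course material; the dollar figures and tool names are constructed, and the ranking helper that compares several candidate tools is my own extension of the slide's single-tool case.

```python
"""Worked ROSI calculation using the slide's symbols R, E, T, ALE and ROSI.

Sample figures below are constructed for illustration only.
"""


def annual_loss_expectancy(R: float, E: float, T: float) -> float:
    """ALE = (R - E) + T.

    R: yearly cost to recover from intrusions without the tool
    E: yearly loss the tool prevents (dollar savings)
    T: yearly cost of the tool itself
    """
    return (R - E) + T


def return_on_security_investment(R: float, E: float, T: float) -> float:
    """ROSI = R - ALE: the loss avoided net of the tool's cost.

    Algebraically this reduces to E - T, so ROSI is positive only when
    the savings exceed the tool cost; a negative value is a signal to
    senior management that the control does not pay for itself.
    """
    return R - annual_loss_expectancy(R, E, T)


def compare_controls(R: float, candidates: dict) -> list:
    """Rank candidate controls by ROSI, highest first.

    candidates maps a control name to a tuple (E, T); the same R applies
    to every candidate because R describes the current exposure, not the
    tool. Returns a list of (name, rosi) pairs.
    """
    ranked = [
        (name, return_on_security_investment(R, E, T))
        for name, (E, T) in candidates.items()
    ]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


# Constructed sample: the organization currently spends $500k/yr recovering
# from intrusions, and is weighing three hypothetical intrusion detection options.
R = 500_000.0
CANDIDATES = {
    "network IDS": (300_000.0, 80_000.0),           # prevents $300k, costs $80k
    "managed IDS service": (350_000.0, 200_000.0),  # prevents more, costs more
    "gold-plated appliance": (100_000.0, 150_000.0), # costs more than it prevents
}

if __name__ == "__main__":
    for name, rosi in compare_controls(R, CANDIDATES):
        verdict = "justified" if rosi > 0 else "not justified"
        print(f"{name:24s} ROSI = {rosi:>12,.0f}  ({verdict})")
```

Running the block ranks the network IDS first (ROSI $220k) and flags the gold-plated appliance as a net loss (ROSI -$50k), which is exactly the comparison a business case to senior management needs to show.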


Knowledge Statement 1

Knowledge of information security concepts

• Information security policies and procedures are required to protect an organization’s information
• The information security manager is responsible for understanding:
  • the business need for security
  • its importance to the organization
  • implementing and monitoring security policies and procedures to meet business objectives


Knowledge Statement 1 (cont)

• The information security manager should be aware of generally accepted security concepts including:
  • Confidentiality
  • Integrity
  • Availability
  • Auditability
  • Authentication
  • Authorization
  • Nonrepudiation


Knowledge Statement 2

Knowledge of the relationship between information security and business operations

The relationship needs to be in place and maintained and can be developed through activities such as:

• Understanding the business mission
• Understanding the business objectives and critical processes
• Obtaining upper management understanding and support
• Developing security procedures and guidelines that align with the business objectives of the organization
• Establishing a security governance process


Knowledge Statement 3

Knowledge of techniques used to secure senior management commitment and support of information security management

• Formal presentations are the most used technique
• Used to educate and communicate key security program aspects
• Should employ common business practices including:
  • Aligning security objectives with business objectives
  • Identifying budget items so that senior management can quantify the costs of the security program
  • Utilizing commonly accepted project risk/benefit models, such as TCO or ROI
  • Defining the monitoring measures that will be included in the security program


Knowledge Statement 3 (cont)

• Should employ common business practices including (continued):
  • Utilizing methods such as balanced business scorecards
  • Requiring that risk management be integrated into the operation of the security program
  • Ensuring that clear accountabilities/responsibilities are defined
• The information security manager should seek to gain employee acceptance of the security program to promote success


Knowledge Statement 4

Knowledge of methods of integrating information security governance into the overall enterprise governance framework

Two factors are in evidence in most organizations today:

1. The level of change occurring has never been greater.
2. The level of risk and exposure to information vulnerabilities has never been greater.

• Senior positions including Chief Security Officer are becoming commonplace


Knowledge Statement 5

Knowledge of practices associated with an overall policy directive that captures senior management-level direction and expectations for information security in laying the foundation for information security management within an organization

Senior management should understand various directives in a security policy, including defining:

• direction and expectations before implementing security policies and procedures
• the need for maintenance of the security program
• the need for monitoring, risk management and crisis management


Knowledge Statement 6

Knowledge of an information security steering group function

The information security steering group provides the information security manager with regular contact with the organization’s business leaders.

It enables the information security manager to make contact with various levels of the organization, providing a communication vehicle for security topics.

It provides the information security manager with information about organizational changes.

The group is usually responsible for establishing and maintaining a cost-effective security program.


Knowledge Statement 7

Knowledge of information security management roles, responsibilities, and organizational structure

• Common key roles include:
  • Reporting directly to a senior functional executive (EVP, COO, CFO, CIO) or CEO
  • Overseeing and coordinating efforts across the company
  • Identifying key corporate security initiatives and standards (e.g., virus protection, security monitoring, intrusion detection and access control to facilities)
  • Working with outside consultants, as appropriate, for independent security audits
  • Identifying protection goals and objectives consistent with the corporate strategic plan


Knowledge Statement 7 (cont)

Common key roles include (continued):

• Identifying key security program elements
• Managing development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security
• Assisting with the investigation of security breaches and assisting with disciplinary and legal matters
• Coordinating implementation plans of security products

The role of the security department is to safeguard the confidential information, assets and intellectual property of an organization. The scope primarily involves computer security, but also covers physical security as it relates to the safeguarding of information and assets.


Knowledge Statement 8

Knowledge of areas of governance (e.g., risk management, data classification management, network security, system access)

• Strong governance areas can include:
  • Risk management
  • Data classification management
  • Network security
  • System access
  • Change management
  • Reporting and crisis management
  • Organization continuance
  • Security monitoring
• The information security manager should have strong management and communication skills and the ability to prioritize numerous tasks


Knowledge Statement 9

Knowledge of centralized and decentralized approaches to coordinating information security

• An organization’s cultural makeup often decides whether it is centralized or decentralized
• Both forms, however, need to:
  • Be closely aligned with the business objectives
  • Be sponsored and approved by senior management
  • Have monitoring in place
  • Have reporting and crisis management in place
  • Have organizational continuance procedures
  • Have risk management in place


Knowledge Statement 10

Knowledge of legal and regulatory issues associated with Internet business, global transmissions and transborder data flows (e.g., privacy, tax laws and tariffs, data import/export restrictions, restrictions on cryptography, warranties, patents, copyrights, trade secrets, national security)

• Information security manager should work closely with legal counsel to understand legal security implications

• Different jurisdictions employ different laws covering electronic commerce and information

Page 33:

Knowledge Statement 11

Knowledge of common insurance policies and imposed conditions (e.g., crime or fidelity insurance, business interruptions)

• Insurance as a tool to assist in the preservation of critical information

• The security program should meet the objectives set out in various insurance policies that the organization has in force

• Premiums can be discounted with proper data classification, network security and/or business continuity plans

Page 34:

Knowledge Statement 11 (cont)

Some insurance types that information security managers should be aware of include:
• Business interruption
• Critical data loss
• Legal liability to others
• Professional liability
• Network security property loss
• Web content liability
• Crisis communication

Page 35:

Knowledge Statement 11 (cont)

Some definitions used by insurance providers include:

• Objectives of information security program – The information security program shall be designed to:
  - Ensure security and confidentiality of customer information
  - Protect against any anticipated threats or hazards to the security or integrity of such information
  - Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

• Assess risk – The insured:
  - Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems
  - Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information
  - Assesses the sufficiency of policies, procedures, customer information systems and other arrangements in place to control risks.

Page 36:

Knowledge Statement 11 (cont)

• Manage and control risk – The insured:
  - Designs its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the licensee’s activities
  - Trains staff, as appropriate, to implement the licensee’s information security program
  - Regularly tests the key controls, systems and procedures of the information security program. The frequency and nature of such tests are determined by the licensee’s risk assessment.

Page 37:

Knowledge Statement 12

Knowledge of the requirements for the content and retention of business records and compliance

Two main aspects to understand about the content and retention of business records and compliance:

1. What are the organization’s business requirements for its business records?

2. What are the legal and regulatory requirements?

Bodies that may impose retention requirements are:
- Legal
- Medical
- Tax

Page 38:

Knowledge Statement 13

Knowledge of the process for linking policies to enterprise business objectives

• Information security manager should ensure that security policies align with the enterprise business objectives, including:
  - Determining whether or not information security investment is proportionate with the organization’s risk profile and business objectives
  - Determining the information/data classification of the organization so that security policies can be implemented to protect that information
  - Determining whether or not the security policies are appropriately designed and implemented to protect the organization’s information.

Page 39:

Knowledge Statement 14

Knowledge of the function and content of essential elements of an information security program (e.g., policy statements, procedures and guidelines)

• Information security program should include the following essential elements:
  - Policy statement
  - Procedures
  - Guidelines

Page 40:

Knowledge Statement 14 (cont)

• In addition to understanding the essential elements of an information security policy, the information security manager also should be familiar with the content of the policy. Key areas of the information security policy can include:
  - Management support and commitment
  - Access philosophy
  - Compliance with relevant legislation and regulations
  - Access authorization
  - Reviews of access authorization
  - Security awareness
  - Security measurement
  - Change control

Page 41:

Knowledge Statement 15

Knowledge of techniques for developing an information security process improvement model for sustainable and repeatable information security policies and procedures

• The following techniques can be employed to ensure sustainable and repeatable information security policies and procedures:

- Senior management support
- Awareness
- Responsibility
- Assessment
- Communication
- Change management

Page 42:

Knowledge Statement 16

Knowledge of information security process improvement and its relationship to traditional process management

• Any strong organizational initiative, information security management included, needs strong project and process management techniques

• The information security manager administers a wide range of tasks and has multiple responsibilities regarding a successful security environment

• The information security manager must have a strong knowledge of traditional process management to achieve the security program’s goals and to be effective

Page 43:

Knowledge Statement 17

Knowledge of information security process improvement and its relationship to security architecture development and modeling

• Security is a continuous process

• Through mechanisms set up to manage change, the information security manager will receive regular updates regarding areas where the security procedures need to be updated

• Updates may include changes to the security architecture

• Security models can be used to determine the impact on the overall security strategy before such changes are implemented.

• One example of a commonly used model is the PDCA (Plan, Do, Check, Act) model referenced in BS 7799 Part 2, ISO 9000 and 14000

Page 44:

Knowledge Statement 18

Knowledge of information security process improvement and its relationship to security infrastructure

Two methods are commonly used when changes to the security infrastructure are made:

1. Modifying the security procedure on a test system

2. Running the security procedure in test mode

Both of these types of testing provide the information security manager the ability to model changes to the security infrastructure and to monitor their effects on the system.

Page 45:

Knowledge Statement 19

Knowledge of generally accepted international standards for information security management and related process improvement models

• Generally accepted international standards for security management and process improvement models exist

• The information security manager should be aware of these and adapt them to the organization

• These standards provide the information security manager with models and areas of importance that might otherwise be overlooked

Page 46:

Knowledge Statement 20

Knowledge of the key components of cost-benefit analysis and enterprise transformation/migration plans (e.g., architectural alignment, organizational positioning, change management, benchmarking, market/competitive analysis)

• Knowledge of cost-benefit analysis and enterprise transformation/migration plans gives the manager input for the security investment business case 

• Information regarding enterprise transformation/migration plans can be gained through the security steering committee

• Important because such plans will likely have an impact on the security environment, and security objectives must continue to be met

Page 47:

Knowledge Statement 21

Knowledge of methodology for business case development and computing enterprise value proposition

• Information security manager needs to demonstrate how information security is a critical enterprise value

• Information security manager should perform a risk assessment and business impact analysis:
  - Identify vulnerabilities
  - Coordinate with business objectives
  - Address legal and regulatory compliance
  - Identify tangible and intangible impacts
  - Present to senior management

Page 48:

Chapter 1: Glossary

• Authentication

• Availability

• Confidentiality

• Information Security Governance

• Integrity

• Non-repudiation

Page 49:

Sample Question

The PRIMARY responsibility of the information security steering committee is:

A. direction setting and performance monitoring.

B. information security policy development.

C. information security control implementation.

D. provision of information security training for employees.

Page 50:

Chapter 1: Recap

• Group discussion

• Questions


Recommended