The chief information security officer (CISO) “owns” the information protection program for the organization. He or she must monitor the adoption and effectiveness of the security policies. The CISO must ensure that noncompliance is escalated to senior leadership for enforcement. Still, it’s everyone’s responsibility to enforce security policies. This is accomplished by the collective action of leaders. Enforcement starts with executive support. This support goes beyond granting permission to implement security policies. Executive support also means personal commitment by the managers to use their position and skills to influence the direction of their teams. Once executives put their own credibility behind policies, they are less likely to allow violations to occur.
The organization also enforces policies through committees. These committees act as gateways that check whether security policies are being followed. This may include monitoring employees' use of company computers. When behavior does not conform to policies, it is the role of front-line managers and supervisors to act.
This chapter examined the relationship among organizational layers (governance and management), laws, regulations, and policies. It defined what a law is and what a policy is. It examined different methods of enforcing policies, along with the strengths and weaknesses of automated and manual controls. Finally, the chapter examined the legal implications of enforcing security policies.
Which of the following is not an organizational gateway committee?
A. Architecture review committee
B. Internal connection committee
C. Vendor governance committee
D. Security compliance committee
_____________ often focuses on enterprise risk management across multiple lines of business to resolve strategic business issues.
The security compliance committee has one role, which is to identify when violations of policies occur.
True
False
Which of the following is not an access control?
A. Authentication
B. Authorization
C. Decryption
D. Logging
In which of the following areas might a company monitor its employees' actions?
A. Internet
B. Email
C. Computers
D. A and B
E. A, B, and C
_____________ establish how the organization achieves regulatory requirements.
Laws define the specific internal IT processes needed to be compliant.
True
False
What is not required in modern-day CISO positions?
A. Must rely on the organization to enforce policy
B. Needs to have a strong law enforcement background
C. Needs to build relationships and consensus
D. Must influence behavior and change culture to enforce policy
What is an example of a manual control?
A. Background checks
B. Authentication
C. Access rights reviews
D. A and C
E. A, B, and C
A breach of a single customer record cannot be considered a pervasive control weakness.
True—you must lose a significant amount of data for it to be considered a pervasive control weakness.
False—any breach can be a pervasive control weakness, depending on the control that failed.
Connecting a personal device to the company network can create legal implications.
True
False
Line management does which of the following to make policies operational?
A. Acts as go-to people for addressing questions
B. Applies policies consistently
C. Gathers metrics on the policies' effectiveness
D. A and C
E. A, B, and C
In which process would you place quality assurance controls?
A. Governance processes
B. Management processes
C. Both governance and management processes
D. Neither governance nor management processes
Which of the following is not reviewed when monitoring a user's email and Internet activity?
A. Data leakage
B. Viruses and malware
C. Unauthorized access to sites
D. Network performance
When testing for security in application code, the quality assurance process tests _____________ the code is in production and quality control tests _____________ the code is in production.
The operational risk function is responsible for ensuring that the business operates within risk _____________ and risk _____________.