CIS 438 Assignment 4 Information Security Governance

Strayer CIS 438 Information Security Legal Issues, Assignment 4: Information Security Governance
Due Week 9, 7 pages, 1229 words.
Information security management and governance are not tasks that organizations simply implement once. An information security governance program must be thoroughly planned, include senior-level management involvement and guidance, be implemented throughout the organization, and be updated and maintained. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly published information security governance standards (notably ISO/IEC 27014, Governance of information security). Review the information security governance information provided by ISACA.
Write a 3-5 page paper in which you:
1. Define the information security governance and management tasks that senior management needs to address.
2. Describe the outcomes and the items that will be delivered to the organization through the information security program.
3. Develop a list of at least five (5) best practices for implementing and managing an information security governance program within an organization.
4. Develop a checklist of items that needs to be addressed by senior management, including priorities and needed resources.


Discussion one:

Develop your introductory remarks to the teams, including five main points of risk
assessment and five main points of incident response that you want to
emphasize.

The Office of the CIO strives to help the entire corporation provide a secure
environment for all of us to work within. So that employees can trust the
confidentiality, integrity, and accuracy of the information they work with, the
risk assessment team and the incident response team have been formed.
Working together is critical to our effectiveness and success.
The five main points of risk assessment are:
1. Identify probability of threats and vulnerabilities.
2. Review the potential harm from a realized risk.
3. Identify policies and controls to respond to the potential risk.
4. Identification of all assets associated with the RA project.
5. Learn about vulnerabilities and threats external to the company.
The five main points of incident response:
1. Incident triage
2. Investigation
3. Containment or mitigation
4. Recovery
5. Review

Decide what you will say to the team to attempt to avoid conflicts of interest.
It may seem that there are conflicts between the responsibilities of the risk
assessment team and the incident response team; in reality the responsibilities
are distinctly different. The one goal we do share is to ensure the
confidentiality, integrity and availability of the company's data. Both teams
are to work towards this common goal, keeping the interest of the company at
the forefront of all endeavors.
From the e-Activity, identify the beneficial information, provided by US-CERT,
in the development of a risk assessment team or an incident response team.

The CERT program has seen an evolution from organizations that performed
incident response in a purely reactive, ad hoc approach to those implementing a
more formal, comprehensive approach. Having such an organized, strategic
plan to handle computer security events and incidents from their detection
through their resolution is known as an incident management capability.
Having this capability implies the end-to-end management for controlling or
directing how security events and incidents will be monitored and detected,
responded to, or recovered from, to ensure the organization can continue to
meet its operational mission. To do this, the capability must be designed and
managed to provide
The CERT program provides a framework for identifying, tracking, and
managing software risks. Best practices associated with software risk
management are presented, along with content that discusses understanding
software risks in a business context, identifying business and technical risks,
prioritizing business and technical risks, and defining risk mitigation
strategies

Discussion Two:

Compare and contrast quantitative and qualitative risk analysis.
Quantitative risk analysis assigns numeric values to the elements of each
defined risk: asset value, the fraction of the asset lost per event, and the
expected frequency of the event. Because the result is expressed in empirical
forms such as dollar figures, percentages or probability charts, an
organization can show precisely which risk-reducing measures are best suited
to a given need and justify them on a cost-benefit basis. This emphasis on
metrics is why many management teams favor the quantitative approach.
Qualitative risk analysis instead rates recognized risks on ordinal scales
(for example low, medium, high) based on the judgment of the people involved.
Its objectives are to increase the alertness of management, team members, and
all personnel who are exposed to those risks, and to identify issues that are
currently looked upon as project management impediments but have the
potential to become definite risk factors.

Describe a situation when a qualitative risk analysis method is most
appropriate, and describe a situation when a quantitative risk analysis method
is most appropriate.

Qualitative risk analysis generally involves assessing a situation by instinct or
“gut feel,” and is characterized by statements like, “That seems too risky” or
“We’ll probably get a good return on this.” Quantitative risk analysis attempts to
assign numeric values to risks, either by using empirical data or by quantifying
qualitative assessments.

Example of when to use the quantitative RA method:
1. Recommend moving customer servers from one data center to a newer, more
secure data center.
2. The customer is required to absorb the cost of the move over the next
five-year contract.
3. The risks and costs of staying versus moving are identified and ranked.
4. The customer can determine whether it is cost beneficial to move or stay.
5. The risk is about the impact of moving versus not moving on the business
over the five-year contract.
Same scenario using the qualitative RA method:
1. The current location is in a high-crime area and many businesses have
experienced vandalism and break-ins over the past six months.
2. Sales have dropped because the location is no longer perceived as safe.
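The two methods applied to the same data-center scenario, as an added worked example that is not part of the assignment answer above: the quantitative side computes single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annualized rate of occurrence) for staying versus moving, then compares expected loss over the contract term against the one-time migration cost; the qualitative side ranks the same threats on ordinal likelihood and impact ratings. Every dollar figure, rate, rating and threshold in the block is constructed for illustration and is not from the page.

```python
"""Quantitative (ALE-based) and qualitative (likelihood x impact) risk
analysis for the data-center move scenario. All dollar figures, rates,
ratings and thresholds below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against an asset, with the inputs the quantitative method needs."""
    name: str
    asset_value: float      # value of the affected asset in USD (assumed)
    exposure_factor: float  # fraction of the asset lost per occurrence, 0.0-1.0
    aro: float              # annualized rate of occurrence (events per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


def total_ale(threats) -> float:
    """Sum of ALE across all threats in a profile."""
    return sum(t.ale for t in threats)


def cost_benefit(current, proposed, safeguard_cost, years):
    """Compare expected loss over the contract term for staying (current
    threat profile) against moving (proposed profile plus one-time cost).
    Returns (loss_if_stay, loss_if_move, net_benefit_of_moving)."""
    loss_stay = total_ale(current) * years
    loss_move = total_ale(proposed) * years + safeguard_cost
    return loss_stay, loss_move, loss_stay - loss_move


def qualitative_level(likelihood: int, impact: int) -> str:
    """Map ordinal 1-5 likelihood and impact ratings to a risk level
    (the 15 / 8 thresholds are an assumed organizational convention)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be integers from 1 to 5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_qualitative(ratings):
    """ratings: {name: (likelihood, impact)} -> [(name, score, level)], highest first."""
    ranked = [(n, l * i, qualitative_level(l, i)) for n, (l, i) in ratings.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed inputs for the scenario on the page: stay in the current
# (high-crime) location versus move to the newer data center.
CONTRACT_YEARS = 5
MIGRATION_COST = 250_000.0   # one-time cost absorbed by the customer (assumed)
STAY_THREATS = [
    Threat("break-in / vandalism", 400_000.0, 0.25, 0.5),   # one event every two years
    Threat("power outage", 400_000.0, 0.05, 2.0),           # twice a year
]
MOVE_THREATS = [
    Threat("break-in / vandalism", 400_000.0, 0.25, 0.05),  # one event in twenty years
    Threat("power outage", 400_000.0, 0.05, 0.5),
]
QUALITATIVE_RATINGS = {
    "break-in / vandalism": (4, 4),
    "power outage": (3, 2),
    "staff attrition during move": (2, 3),
}

if __name__ == "__main__":
    stay, move, net = cost_benefit(STAY_THREATS, MOVE_THREATS, MIGRATION_COST, CONTRACT_YEARS)
    print(f"{CONTRACT_YEARS}-year expected loss if we stay: ${stay:,.0f}")
    print(f"{CONTRACT_YEARS}-year expected loss plus migration if we move: ${move:,.0f}")
    print("Decision:", "move" if net > 0 else "stay", f"(net benefit ${net:,.0f})")
    for name, score, level in rank_qualitative(QUALITATIVE_RATINGS):
        print(f"{level:6} {score:2}  {name}")
```

With the constructed figures, staying carries an expected five-year loss of $450,000 while moving costs $325,000 including migration, so the quantitative method recommends the move; the qualitative ranking reaches the same conclusion by rating the break-in threat High without pricing anything. Note that the quantitative result is only as good as the ARO and exposure estimates, which is exactly the data the qualitative method is used when you do not have.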