2.7 Key Terms and Review Questions
After completing this chapter, you should be able to define the following terms:
chief executive officer (CEO)
chief information officer (CIO)
chief information security officer (CISO)
chief operating officer (COO)
chief privacy officer (CPO)
chief risk officer (CRO)
chief security officer (CSO)
enterprise risk management (ERM) committee
Federal Enterprise Architecture Framework (FEAF)
information security architecture
information security governance
information security implementation/operations
information security steering (ISS) committee
information security management
information security strategic planning
information technology (IT)
IT strategic planning
Answers to the Review Questions can be found online in Appendix C, “Answers to Review Questions.” Go to informit.com/title/9780134772806.
Briefly differentiate between information security governance and information security management.
Explain how the three supplemental factors in Figure 2.1—internal incident and global vulnerability reports, standards and best practices, and user feedback—play interconnected roles in designing a security program.
Differentiate between internal and external stakeholders from an information security point of view.
What are the two key pillars on which IT strategy planning should ideally be based?
What are the three categories of metrics for evaluating an organization’s security governance?
What are the five roles within a security governing body structure defined in COBIT 5?
Explain the acronym RACI in the context of information security policy.