Chapter 2 Review Answers
1.
   a. Strategic planning lays out the long-term direction to be taken by the organization. It also guides organizational efforts and focuses resources toward specific, clearly defined goals in the midst of an ever-changing environment.
   b. Tactical planning has a shorter-term focus, usually one to three years. It breaks each applicable strategic goal down into a series of incremental objectives.
   c. Operational planning is derived from tactical plans and organizes the ongoing day-to-day performance of tasks.
   Resource constraints can negatively affect the need for planning, especially at the tactical planning level, which requires more resource allocation.

2.
   a. Values statement: means that the trust and confidence of stakeholders and the public are important factors for any organization.
   b. Vision statement: expresses the aspirations of what the organization is and wants to become.
   c. Mission statement: explicitly declares the business of the organization and its intended areas of operations.

3. A stakeholder is a person, a group of persons, or an organization that has an interest or concern in an organization. Stakeholders can affect the organization's actions, objectives, and policies because of the resources the organization derives from them.

4. A mission statement declares the business of an organization and its intended areas of operations. A vision statement expresses the aspirations of what the organization is and wants to become. A values statement means that the trust and confidence of stakeholders and the public are important factors for an organization. All three are important to implementing an effective and efficient plan. They also contain the ethical, entrepreneurial, and philosophical approaches of an organization.

5. Strategy is an act of planning that guides organizational efforts and focuses resources toward specific, clearly defined goals in the midst of an ever-changing environment.

6. Information security governance is a strategic plan responsible for securing the information assets of an organization.

7.
   a. Inculcating a culture that recognizes the criticality of information and information security in the organization.
   b. Verifying that management's investment in information security is properly aligned with organizational strategies and the organization's risk environment.
   c. Assuming that a comprehensive information security program is developed and implemented.
   d. Demanding reports from the various layers of management on the information security program's effectiveness and adequacy.

8.
   a. Strategic alignment of information security with business strategy to support organizational objectives.
   b. Risk management by executing appropriate measures to manage and mitigate threats to information resources.
   c. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively.
   d. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved.
   e. Value delivery by optimizing information security investments in support of organizational objectives.

9. Top-down strategic planning features strong upper-management support, a dedicated champion, usually assured funding, a clear planning and implementation process, and the ability to influence organizational culture. Bottom-up strategic planning, by contrast, begins as a grass-roots effort in which systems administrators attempt to improve the security of their systems. Top-down strategic planning is more effective for implementing security in a large, diverse organization.

10. The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system in an organization, while the SecSDLC is the adoption of the traditional SDLC to support the specialized...