Self-Exercises Information Security Strategy 1. An information security strategic plan can position an organization to mitigate, transfer accept or avoid information risk related to people, processes and technologies. Describe what should be included in an Information Security Strategic Plan. 2. Describe the steps in developing an information security strategy 3. For a security strategy to be effective it should meet certain conditions, i.e. how the strategy should be. Discuss these conditions. 4. Strategy and planning requires a thorough understanding of many issues. Discuss five (S) of these issues that need to be considered when developing an information security strategy 5. Risk management is an important process in security planning. Explain the steps to manage risks, as part of a security plan [NIST SP 800-53]. Information Security Management System (ISMS) 1. An Information Security Management System (ISMS) is a set of policies concerned with information security management or IT related risks. The goveming principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. Describe the "Plan-Do-Check-Act" (PDCA), or Deming cycle approach in ISMS 2. Discuss the critical success factors for an ISMS to be effective. 3. Discuss three main problems which lead to uncertainty in information security management systems (ISMS). 4. Discuss the 11 domains of the information security management systems (ISMS). Information Security Culture 1. Information security culture refers to ideas, customs and social behaviors of a group of people, that impacts their security. It describes the kind of behaviors organizations would like to see in their employees, in areas like cybersecurity, physical security and personnel security. Discuss three tips on how to create a cyber security culture at work