You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. Your bank is considering outsourcing the customer relationship management (CRM) system to an offshore software development vendor. Which of the following action should your bank take first?
A. Conduct the threat scenario analysis
B. Describe threat sources that are relevant to the organization
C. Develop and select threat events for analysis
D. Determine applicable controls
Continue reading →

You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You want to evaluate if security controls are implemented correctly, operating as intended, and producing the desired outcome. Which of the following should you conduct?
A. Risk assessment
B. Third-party audit
C. Business impact analysis
D. Security control assessment
Continue reading →

You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. The software development team is developing a customer relationship management (CRM) system. You are drafting the privacy policy for customer data. Which of the following behavior of the system will concern you most?
A. It shows the privacy policy with the opt-in option to consent
B. It provides an “unsubscribe” link to opt-out of receiving marketing emails
C. It constrains the customer from updating personal data to meet the use limitation principle
D. It opens to the customer to update personal data online
Continue reading →

You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are reviewing applicable legal and regulatory requirements for compliance. Which of the following will concern you most?
A. Procurement staff issued a contract without minimum security requirements
B. The development team used an open-source component with an unknown source
C. Policies are published after a new law or regulation as a reactive response
D. Personal data is open for the data subject to update
Continue reading →

• Download: Cybersecurity Career Blueprint (PDF)

You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are collaborating with auditors to facilitate auditing activities to ensure compliance with information security policy. Which of the following is least commonly adopted?
A. Employing the Delphi method
B. Interviewing with senior management
C. Reviewing data backup policy
D. Sending questionnaires to the target group
Continue reading →

The terms “goal” and “objective” are often used interchangeably. However, there are some differences. A goal is a written statement of desired outcomes or future state; an objective is the result to be achieved. A goal is typically broken down into objectives.

KGI and KPI

Given a hierarchy of objectives, a goal is the upper-level objective (parent) relative to the lower-level ones (children) broken down from it. A goal is measured by Key Goal Indicators (KGIs), while its subsidiary objectives are measured by Key Performance Indicators (KPIs). KGI is a measure for the outcome; while KPI is a measure for performance. A KGI at the lower level serves as a KPI to the parent KGI. The term KGI comes from COBIT, which distinguishes KGI as a lagging indicator from KPI as a leading indicator. However, it’s not uncommon to call a KGI (the effect) just KPI (the cause).

Performance Measurement

Success is the result of achieving a goal. Performance is a measurable result used to measure the progress to the objective or goal.

Measure

A measure is a variable with “a standard unit used to express the size, amount, or degree of something” (Google Dictionary).  In other words, a measure collects facts, but it isn’t associated with an objective or goal, while a metric does.

Measurement is a process to determine a value; it also refers to the result of a measurement. Measurements are values of a variable, or instances of a measure.

Metric and Indicator

A metric is a quantitative measure that is associated with an objective or goal so that the performance can be measured. An indicator is also a measure, but it can be either quantitative or qualitative.