Top 223 Information assurance Goals and Objectives Questions

What is involved in Information assurance

Find out what the related areas are that Information assurance connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in the sense that it is not per se designed to give answers, but to engage the reader and lay out an Information assurance thinking-frame.

How far is your company on its Information assurance journey?

Take this short survey to gauge your organization’s progress toward Information assurance leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which Information assurance related domains to cover, with 223 essential questions to check off across those domains.

The following domains are covered:

Information assurance, Anti-virus software, Business continuity, Business continuity planning, Computer emergency response team, Computer science, Corporate governance, Data at rest, Data in transit, Disaster recovery, Factor Analysis of Information Risk, Fair information practice, Forensic science, ISO/IEC 27001, ISO/IEC 27002, ISO 17799, ISO 9001, IT risk, Information Assurance Advisory Council, Information Assurance Collaboration Group, Information Assurance Vulnerability Alert, Information security, Management science, McCumber cube, Mission assurance, PCI DSS, Reference Model of Information Assurance and Security, Regulatory compliance, Risk IT, Risk Management Plan, Risk assessment, Risk management, Security controls, Security engineering, Systems engineering:

Information assurance Critical Criteria:

Merge Information assurance leadership and ask questions.

– What is the purpose of Information assurance in relation to the mission?

– What are the long-term Information assurance goals?

Anti-virus software Critical Criteria:

Accelerate Anti-virus software quality and change contexts.

– Does each mobile computer with direct connectivity to the internet have a personal firewall and anti-virus software installed?

– Is anti-virus software installed on all computers/servers that connect to your network?

– Have you identified your Information assurance key performance indicators?

– Is the anti-virus software package updated regularly?

– Are there Information assurance problems defined?
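The anti-virus questions above (installed on every computer and server, updated regularly) are the kind an auditor asks and an engineer answers with a script. The following is an added example, not part of the original checklist: it assumes Windows hosts running Microsoft Defender, where the Defender module's Get-MpComputerStatus cmdlet exposes engine state and signature age, and it is run from a host with PowerShell remoting enabled. The host names and the seven-day signature threshold are constructed for illustration.

```powershell
# Added example: check each host for Defender installed, real-time protection
# enabled, and signatures not older than a policy threshold.
# Assumptions: Windows hosts, Microsoft Defender, PowerShell remoting.
$MaxSignatureAgeDays = 7                 # assumed policy threshold (days)
$Hosts = @('ws-001', 'srv-db-01')        # constructed example host names

function Test-AvStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    try {
        $s = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            Get-MpComputerStatus |
                Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                              AntivirusSignatureAge, AntivirusSignatureLastUpdated
        }
    } catch {
        # A host that cannot be queried is a finding, not a pass:
        # "unknown" must never be reported as "protected".
        return [pscustomobject]@{
            Host       = $ComputerName
            Compliant  = $false
            Reason     = "query failed (unreachable or Defender module missing): $($_.Exception.Message)"
            LastUpdate = $null
        }
    }

    $reasons = @()
    if (-not $s.AMServiceEnabled)          { $reasons += 'antimalware service disabled' }
    if (-not $s.AntivirusEnabled)          { $reasons += 'antivirus disabled' }
    if (-not $s.RealTimeProtectionEnabled) { $reasons += 'real-time protection off' }
    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $reasons += "signatures $($s.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)"
    }

    [pscustomobject]@{
        Host       = $ComputerName
        Compliant  = ($reasons.Count -eq 0)
        Reason     = ($reasons -join '; ')
        LastUpdate = $s.AntivirusSignatureLastUpdated
    }
}

$results = $Hosts | ForEach-Object { Test-AvStatus -ComputerName $_ }
$results | Format-Table -AutoSize
# Keep the non-compliant hosts as evidence for the checklist item.
$results | Where-Object { -not $_.Compliant } |
    Export-Csv -NoTypeInformation -Path .\av-findings.csv
```

Two caveats a practitioner would add. First, the check covers only hosts on the list: the "all computers/servers" question is answered by feeding it an authoritative inventory (AD, CMDB), not a hand-typed array. Second, Get-MpComputerStatus reports Defender only; a third-party product on client Windows is visible through the root\SecurityCenter2 WMI namespace (AntiVirusProduct class) instead, and servers need the vendor's own agent query.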

Business continuity Critical Criteria:

Bootstrap Business continuity governance and do something to it.

– Who will be responsible for leading the various BCP teams (e.g., crisis/emergency, recovery, technology, communications, facilities, Human Resources, business units and processes, Customer Service)?

– Has specific responsibility been assigned for the execution of business continuity and disaster recovery plans (either within or outside of the information security function)?

– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?

– What management system can we use to leverage the Information assurance experience, ideas, and concerns of the people closest to the work to be done?

– Does our business continuity and/or disaster recovery plan (BCP/DRP) address the timely recovery of our IT functions in the event of a disaster?

– Do the response plans address damage assessment, site restoration, payroll, Human Resources, information technology, and administrative support?

– What programs/projects/departments/groups have some or all responsibility for business continuity/Risk Management/organizational resilience?

– Will Information assurance have an impact on current business continuity, disaster recovery processes and/or infrastructure?

– Which data center management activity involves eliminating single points of failure to ensure business continuity?

– What is the role of digital document management in business continuity planning management?

– Does increasing our company's footprint add to the challenge of business continuity?

– Has business continuity thinking and planning become too formulaic?

– Is there a business continuity/disaster recovery plan in place?

– What is business continuity planning and why is it important?

– Do you have any DR/business continuity plans in place?

– Do you have a tested IT disaster recovery plan?

– Is Information assurance Required?

Business continuity planning Critical Criteria:

Consider Business continuity planning and change contexts.

– Is the Information assurance organization completing tasks effectively and efficiently?

– Do you monitor the effectiveness of your Information assurance activities?

Computer emergency response team Critical Criteria:

Define Computer emergency response team issues and triple focus on important concepts of Computer emergency response team relationship management.

– Do you monitor security alerts and advisories from your system vendors, Computer Emergency Response Team (CERT) and other sources, taking appropriate and responsive actions?

– For your Information assurance project, identify and describe the business environment. Is there more than one layer to the business environment?

– Who are the people involved in developing and implementing Information assurance?

– What vendors make products that address the Information assurance needs?

Computer science Critical Criteria:

Focus on Computer science projects and plan concise Computer science education.

– Record-keeping requirements flow from the records needed as inputs, outputs, controls and for transformation of an Information assurance process. Ask yourself: are the records needed as inputs to the Information assurance process available?

– Is Information assurance Realistic, or are you setting yourself up for failure?

– How do we maintain Information assurance's integrity?

Corporate governance Critical Criteria:

Nurse Corporate governance goals and find out what it really means.

– What are the disruptive Information assurance technologies that enable our organization to radically change our business processes?

– What prevents me from making the changes I know will make me a more effective Information assurance leader?

– In a project to restructure Information assurance outcomes, which stakeholders would you involve?

Data at rest Critical Criteria:

Design Data at rest issues and prioritize challenges of Data at rest.

– How do we measure improved Information assurance service perception, and satisfaction?

– Do we have past Information assurance Successes?

– How to Secure Information assurance?

Data in transit Critical Criteria:

Air ideas re Data in transit risks and devote time assessing Data in transit and its risk.

– Who will be responsible for documenting the Information assurance requirements in detail?

– What business benefits will Information assurance goals deliver if achieved?

– Is the scope of Information assurance defined?

Disaster recovery Critical Criteria:

Guide Disaster recovery leadership and probe the present value of growth of Disaster recovery.

– Has your organization ever had to invoke its disaster recovery plan which included the CRM solution and if so was the recovery time objective met and how long did it take to return to your primary solution?

– How do you intend to fund the reopening: from existing business sources, your own resources, other investors, banks, lenders, or a mix?

– What is your insurance agent telling you about your policy, and what will and won't be covered?

– Can existing lines of credit be accessed (and increased if necessary) to fund the reopening of the business?

– Do we know what we have specified in continuity of operations plans and disaster recovery plans?

– Can we self-insure for disaster recovery, or do we use a recommended vendor-certified hot site?

– How will businesses be impacted by a disaster (e.g., earthquake, tsunami, flood)?

– How often do you fully test your disaster recovery capabilities?

– Which key customers and/or suppliers will be affected by the disaster?

– What is the current financial position of your business?

– What decisions about staff must be made in the immediate future (e.g., layoffs)?

– Who needs to know about Information assurance?

– What types of businesses will be impacted?

– What are ideal use cases for the cloud?

– If I didn't reopen, what would I do?

– What are your chances for success?

– What is post-disaster recovery?

– Can team members work off site?

– Will you have access to your computers?

– What was selling?

Factor Analysis of Information Risk Critical Criteria:

Co-operate on Factor Analysis of Information Risk planning and spearhead techniques for implementing Factor Analysis of Information Risk.

– How would one define Information assurance leadership?

Fair information practice Critical Criteria:

Rank Fair information practice quality and perfect Fair information practice conflict management.

– What are the barriers to increased Information assurance production?

– How do we go about Comparing Information assurance approaches/solutions?

– What are the usability implications of Information assurance actions?

Forensic science Critical Criteria:

Mine Forensic science tactics and get going.

– Why is Information assurance important for you now?

ISO/IEC 27001 Critical Criteria:

Map ISO/IEC 27001 adoptions and describe which business rules are needed as ISO/IEC 27001 interface.

– What is the total cost related to deploying Information assurance, including any consulting or professional services?

– To what extent does management recognize Information assurance as a tool to increase the results?

– Can Management personnel recognize the monetary benefit of Information assurance?

ISO/IEC 27002 Critical Criteria:

Cut a stake in ISO/IEC 27002 visions and probe using an integrated framework to make sure ISO/IEC 27002 is getting what it needs.

– Is maximizing Information assurance protection the same as minimizing Information assurance loss?

– How important is Information assurance to the user organization's mission?

ISO 17799 Critical Criteria:

Accumulate ISO 17799 decisions and innovate what needs to be done with ISO 17799.

– Does our organization need more Information assurance education?

ISO 9001 Critical Criteria:

Scan ISO 9001 failures and question.

– In the case of an Information assurance project, the criteria for the audit derive from implementation objectives. An audit of an Information assurance project involves assessing whether the recommendations outlined for implementation have been met. In other words, can we track that any Information assurance project is implemented as planned, and is it working?

– What are our best practices for minimizing Information assurance project risk, while demonstrating incremental value and quick wins throughout the Information assurance project lifecycle?

– Does a supplier having an ISO 9001 or AS9100 certification automatically satisfy this requirement?

– Does Information assurance analysis isolate the fundamental causes of problems?

IT risk Critical Criteria:

Frame IT risk failures and revise understanding of IT risk architectures.

– Do you have a good understanding of emerging technologies and business trends that are vital for the management of IT risks in a fast-changing environment?

– Roles and Responsibilities: Who are the individuals responsible for implementing specific tasks and providing deliverables related to risk management?

– Do you focus enough on IT risk management (ITRM) documentation to formalize processes and improve communication and integration with operational risk management (ORM)?

– Is there a need to use a formal planning processes including planning meetings in order to assess and manage the risk?

– Risk Documentation: What reporting formats and processes will be used for risk management activities?

– What is the effect on the organizations mission if the system or information is not reliable?

– What change in financial investment for ITRM activities do you expect in the next 12 months?

– How does your company report on its information and technology risk assessment?

– Does the IT Risk Management framework align to a three lines of defense model?

– How can organizations advance from good IT Risk Management practice to great?

– Which risks are managed or monitored in the scope of the ITRM function?

– To what extent are you involved in IT Risk Management at your company?

– Does the board explore options before arriving at a decision?

– Where specifically is the information processed and stored?

– Does the board have a manual and operating procedures?

– Does your company have a formal ITRM function?

– What will we do if something does go wrong?

Information Assurance Advisory Council Critical Criteria:

Have a session on Information Assurance Advisory Council projects and simulate teachings and consultations on quality process improvement of Information Assurance Advisory Council.

– Are there any easy-to-implement alternatives to Information assurance? Sometimes other solutions are available that do not require the cost implications of a full-blown project?

– What are the record-keeping requirements of Information assurance activities?

Information Assurance Collaboration Group Critical Criteria:

Trace Information Assurance Collaboration Group strategies and attract Information Assurance Collaboration Group skills.

– Who will be responsible for deciding whether Information assurance goes ahead or not after the initial investigations?

– Does Information assurance systematically track and analyze outcomes for accountability and quality improvement?

– What are the business goals Information assurance is aiming to achieve?

Information Assurance Vulnerability Alert Critical Criteria:

Adapt Information Assurance Vulnerability Alert adoptions and finalize the present value of growth of Information Assurance Vulnerability Alert.

– Among the Information assurance product and service cost to be estimated, which is considered hardest to estimate?

– What threat is Information assurance addressing?

– Are we Assessing Information assurance and Risk?

Information security Critical Criteria:

Demonstrate Information security tasks and track iterative Information security results.

– Is the software and application development process based on an industry best practice, and is information security included throughout the software development life cycle (SDLC) process?

– Do we maintain our own threat catalogue on the corporate intranet to remind employees of the wide range of issues of concern to Information Security and the business?

– Is there an information security policy to provide management direction and support for information security in accordance with business requirements, relevant laws and regulations?

– Do suitable policies for information security exist for all critical assets of the value-added chain (indication of completeness of policies, Ico)?

– Is the risk assessment approach defined and suited to the ISMS, identified business information security, legal and regulatory requirements?

– Is the documented Information Security Management System (ISMS) established, implemented, operated, monitored, reviewed, maintained and improved?

– Are information security roles and responsibilities coordinated and aligned with internal roles and external partners?

– Have the roles and responsibilities for information security been clearly defined within the company?

– Does your organization have a chief information security officer (CISO or equivalent title)?

– Are damage assessment and disaster recovery plans in place?

– Is information security an IT function within the company?

– Does your company have an information security officer?

– What is the goal of information security?

– What is information security?

Management science Critical Criteria:

Be clear about Management science goals and proactively manage Management science risks.

– How does the organization define, manage, and improve its Information assurance processes?

– What are the Essentials of Internal Information assurance Management?

– Have all basic functions of Information assurance been defined?

McCumber cube Critical Criteria:

Look at McCumber cube strategies and revise understanding of McCumber cube architectures.

– How do mission and objectives affect the Information assurance processes of our organization?

Mission assurance Critical Criteria:

Win new insights about Mission assurance goals and integrate design thinking in Mission assurance innovation.

– Who will provide the final approval of Information assurance deliverables?

PCI DSS Critical Criteria:

Study PCI DSS results and gather practices for scaling PCI DSS.

– Do those selected for the Information assurance team have a good general understanding of what Information assurance is all about?

– What knowledge, skills and characteristics mark a good Information assurance project manager?

Reference Model of Information Assurance and Security Critical Criteria:

Understand Reference Model of Information Assurance and Security quality and grade techniques for implementing Reference Model of Information Assurance and Security controls.

– What are all of our Information assurance domains and what do they do?

– How do we go about Securing Information assurance?

Regulatory compliance Critical Criteria:

Own Regulatory compliance strategies and summarize a clear Regulatory compliance focus.

– Does Information assurance include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist?

– In the case of public clouds, will the hosting service provider meet their regulatory compliance requirements?

– Regulatory compliance: Is the cloud vendor willing to undergo external audits and/or security certifications?

– Risk factors: what are the characteristics of Information assurance that make it risky?

– What about Information assurance Analysis of results?

– What are our Information assurance Processes?

– What is Regulatory Compliance?

Risk IT Critical Criteria:

Troubleshoot Risk IT planning and get the big picture.

– A compounding model resolution with available relevant data can often provide insight towards a solution methodology; which Information assurance models, tools and techniques are necessary?

– Risk Probability and Impact: How will the probabilities and impacts of risk items be assessed?

– Which individuals, teams or departments will be involved in Information assurance?

Risk Management Plan Critical Criteria:

Contribute to Risk Management Plan planning and use obstacles to break out of ruts.

– Marketing budgets are tighter, consumers are more skeptical, and social media has changed forever the way we talk about Information assurance. How do we gain traction?

– Have you fully developed a Risk Management plan for any outsourcing agreement from inception to termination – for whatever reason?

– Has identifying and assessing security and privacy risks been incorporated into the overall Risk Management planning?

– Has the Risk Management Plan been significantly changed since last year?

– What can we expect from project Risk Management plans?

Risk assessment Critical Criteria:

Differentiate Risk assessment visions and inform on and uncover unspoken needs and breakthrough Risk assessment results.

– Has the IT security cost for any investment/project been integrated into the overall cost, including C&A/re-accreditation, system security plan, risk assessment, privacy impact assessment, configuration/patch management, security control testing and evaluation, and contingency planning/testing?

– Do we have a cyber Risk Management tool for all levels of the organization to use in assessing risk, one that shows how Cybersecurity factors into risk assessments?

– Are interdependent service providers (for example, fuel suppliers, telecommunications providers, meter data processors) included in risk assessments?

– In risk assessments, do we measure whether there is an impact on technical performance, and to what level?

– How frequently, if at all, do we conduct a business impact analysis (BIA) and risk assessment (RA)?

– What operating practices represent major roadblocks to success or require careful risk assessment?

– What other jobs or tasks affect the performance of the steps in the Information assurance process?

– Who performs your company's information and technology risk assessments?

– How often are information and technology risk assessments performed?

– Are accountability and ownership for Information assurance clearly defined?

– Do you use any homegrown IT system for ERM or risk assessments?

– How are risk assessment and audit results communicated to executives?

– What drives the timing of your risk assessments?

– Are regular risk assessments executed across all entities?

– Are risk assessments at planned intervals reviewed?

Risk management Critical Criteria:

Think carefully about Risk management engagements and ask questions.

– At what point will vulnerability assessments be performed once Information assurance is put into production (e.g., ongoing Risk Management after implementation)?

– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?

– What is the financial loss that the organization will experience as a result of each possible security incident?

– How can senior executive teams strengthen Risk Management in a way that is both strategic and value-adding?

– Is our organization doing any form of outreach or education on Cybersecurity Risk Management?

– Are we currently required to report any cyber incidents to any federal or state agencies?

– People risk -Are people with appropriate skills available to help complete the project?

– If information is destroyed due to a virus or catastrophe, how could it be restored?

– Do you have an enterprise-wide risk management program that includes Cybersecurity?

– Does your company have a formal IT risk framework and assessment process in place?

– Do our project management standards support or undermine Risk Management?

– Are new risks introduced as a result of the identified risks being controlled?

– What is our approach to Risk Management in the specific area of social media?

– Where specifically is the Risk assessed information processed and stored?

– Can highly-effective IT Risk Management programs ever eliminate IT Risk?

– Is the Cybersecurity policy reviewed or audited?

– Which rules appear frequently? Which are anomalies?

– What is our ultimate disaster scenario?

– Who needs risk planning?

– How do we categorize risk?

Security controls Critical Criteria:

Differentiate Security controls decisions and suggest using storytelling to create more compelling Security controls projects.

– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?

– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?

– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?

– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?

– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?

– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?

– Is the measuring of the effectiveness of the selected security controls or group of controls defined?

– Why is it important to have senior management support for a Information assurance project?

– Does the cloud service provider have necessary security controls on their human resources?

– Do we have sufficient processes in place to enforce security controls and standards?

– Have vendors documented and independently verified their Cybersecurity controls?

– What are the known security controls?

Security engineering Critical Criteria:

Contribute to Security engineering risks and learn.

– Is there any existing Information assurance governance structure?

– How do we Lead with Information assurance in Mind?

Systems engineering Critical Criteria:

Consolidate Systems engineering goals and oversee implementation of Systems engineering.

– The complexity of our design task is significantly affected by the nature of the objectives for the systems to be designed. Is the task intricate, or difficult?

– Is the project using any technologies that have not been widely deployed or that the project team is unfamiliar with?

– Do we have confidence in the reliability and robustness of the systems we design?

– What is the detailed set of functions and properties of a given interface?

– What are the elements and the high-level capabilities of the system?

– Is systems engineering the solution to all of our systems problems?

– What kind of support for requirements management will be needed?

– Why has systems engineering emerged as a distinct discipline?

– Does the requirement have a verification method assigned?

– Who will use the systems engineering plan (SEP)?

– What policies are currently being implemented?

– Where would we like to be in the future?

– How much architecting is enough?

– Is the schedule too aggressive?

– How confident are we?

– What option is best?

– Is this the right business case?

– What is a system?


This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Information assurance Self Assessment:

Author: Gerard Blokdijk

CEO at The Art of Service |

Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.
