Certified Information Security Manager (CISM) Domain 1 - Information Security Governance
Slide 17
Board of Directors:
Information security governance needs strategic direction as well as commitment,
resources and the assignment of responsibilities
The board needs to be aware of the information assets and how critical they are to
business operations which can be done through periodic reviews
Policies should always be top-down
Executive management:
The policy set forth by senior management must have leadership and ongoing
support from executive management to succeed
Slide 18
Organizations should have a chief information security officer, even if not as a
formal title.
The position should carry the responsibility, authority and resources required
to manage information security
Slide 25
Dynamic Interconnections
Dynamic interconnections link the elements together and exert a multidirectional
force that pushes and pulls as things change. This motion that occurs in the
dynamic interconnections can force the model out of balance or bring it back to
a stable point.
The six dynamic interconnections are:
Enablement and Support
Human Factors
Slide 34
As the security manager you should have knowledge of a variety of
security technologies that can be used such as:
PKI, SSL, encryption
Authentication, biometrics
Identity and Access Management
Slide 36
Reporting structures for information security vary widely from
company to company.
Recent surveys have shown that reporting is often done to the CIO, which may be
adequate functionally but is still seen as a suboptimal reporting method
Security is a regulatory function, while IT is an operational department
This means that issues dealing with security should be reported to the CEO
Often the CIO and the IT departments are under pressure to increase performance
and cut costs, meaning security could be the victim of those priorities
Slide 45
Having different aspects of security divided among different bureaucracies
often does not provide the optimum results
One example may be the integration of physical security as it relates to data security
Slide 48
Technical metrics can be useful and are often obtained from technical
systems such as:
Intrusion detection systems
Proxy servers
Slide 49
Metrics Continued
Technical metrics do not answer questions such as:
How secure is the organization?
How much is enough security?
Has an adequate level of security been achieved?
What is the degree of risk?
Is the security program reaching its objectives?
How does a lack of security affect business productivity?
What is the impact of a catastrophic security breach?
Slide 54
Strategic Alignment
The alignment of information security with organizational objectives is
the desired goal
Without organizational objectives being used as a reference point, any other
gauge, such as best practices, could be overkill, inadequate or misdirected
Slide 56
Risk Management
It can be said that risk management is the ultimate objective of all
information security activities
There is no real direct measurement of risk management's effectiveness, but there
are indicators to show that it can be successful. These indicators could be:
Understanding the company's risk type
Slide 57
Value Delivery
This is a function of the alignment of security with business objectives,
leading to an optimal investment to achieve acceptable risk. Key
indicators could include:
Cost of protection as a function of revenue or asset value
Security resources allocated by assessed risk and potential impact
Periodic testing of controls
Periodic review of costs along with compliance and effectiveness
Slide 58
Resource Management
This is thought of as a way to describe the processes to plan, allocate
and control information security resources such as:
Slide 60
Performance Measurement
Metrics of information security processes are needed to ensure the
organization's objectives are achieved
You cannot manage what you cannot measure
Slide 65
(Diagram: Executive Management, Steering Committee and CISO, with Risk Management, IS Security Attributes, Security Action Plan, Policies and Standards)
Slide 66
Common Pitfalls
The status quo bias
Mental accounting
The herding instinct
False consensus
Slide 69
Defining Objectives
Again, a good security strategy is used as the basis for a plan of action, so it
is necessary to define the objectives in order to have a "desired state"
Without an objective the strategy may be created in an ad hoc fashion
Some objectives may simply be made to lower risks
Objectives should also deal with aligning the strategy to the business objectives
Slide 70
Business Linkages
Business linkages should be viewed from the
perspective of the business objectives
For example, an e-commerce based business may seem
relatively straightforward, but most rely on
information from banks, warehouses and suppliers, and
must protect customer information
Understanding that perspective can help in building the
proper objectives
Slide 76
COBIT focuses on IT related processes from IT governance,
management and control perspectives
COBIT is a framework of supporting tools to bridge the gap between technical
issues and business risks
With regards to the CISM, control objectives and procedures should extend beyond
IT activities to include any activity that could impact information security
Slide 77
COBIT Controls
These are defined as policies, procedures, practices and organizational
structures designed to provide reasonable assurance of business
objectives being achieved
COBIT defines enterprise governance as a set of responsibilities and practices
exercised by the board and executive management
Slide 78
COBIT Framework
The 34 processes to manage and control information technology are
divided into four domains:
Plan and organize – strategy and tactics to achieve business objectives
Acquire and implement – identify, develop, or acquire IT solutions
Deliver and support – delivery of required services or training
Monitor and evaluate – assessment for quality and compliance with requirements
Slide 80
Balanced Scorecard
This is a management and measurement system to help organizations
clarify their vision and strategy and translate them into action
The balanced scorecard uses four perspectives:
Learning and growth
Business process
Slide 81
Architectural Approaches
Enterprise Information Security Architecture (EISA) is a subset of
enterprise architecture
There are a number of different methodologies that have evolved, including process
models, frameworks and ad hoc approaches
Architectural approaches that are inclusive of business processes, and that may help in
defining the desired state of security, are exemplified by The Open Group
Architecture Framework (TOGAF), the Zachman enterprise architecture framework,
and the extended enterprise architecture framework (EA2F)
Slide 83
Risk Objectives
The major factor in the defining of the desired state
involves the approach to risk and risk appetite
Without a clear determination of acceptable risk it is
difficult to determine whether security is meeting its
Operational risk management exemplifies the trade-off of
the risk associated with taking an action or the risk of not
taking the action
Slide 86
Current Risk
Current state of risk should be assessed by a comprehensive risk
assessment, just as risk objectives must be determined as a part of the
desired state
A full risk assessment includes threat and vulnerability analysis
May also include a Business Impact Analysis
Slide 88
The current risk should include a thorough Business Impact Analysis of
critical systems and processes to establish the current state of security
A Business Impact Analysis will provide some of the information needed to create an
effective strategy
The difference between acceptable levels of impact and current levels of potential
impact must be addressed by the strategy
Slide 90
Elements of a Strategy
The question is, what should go into a security strategy, and have the
starting point and destination been defined?
The roadmap: this should be a document that maps how to achieve the defined
desired state of security. It would include:
Other resources
Slide 91
The Roadmap
Prior to beginning the roadmap to desired security, an architecture
should be chosen as a framework from which to begin
Remember that the desired state is usually a long-term goal that may consist of a
series of projects and initiatives
This means the overall roadmap would be broken down into a series of short-term
Slide 96
Policies: the high-level statements of management intent, expectations
and direction; these usually remain static
Standards: represent the metrics, allowable boundaries, or the process
used to decide if procedures, processes or systems meet policy
Procedures: clarify the responsibility of operations, including security
operations; they should provide the step-by-step instructions required
for an activity
Guidelines: are used for executing procedures and contain helpful information
that goes beyond what the procedure states
Slide 98
These are the primary components to consider when developing an
information security strategy. Controls can be categorized as physical,
technical or procedural. Examples may be:
IT controls
COBIT focuses on IT controls; they may have some of the most comprehensive
approaches to determining control objectives
Non-IT controls
Controls for handling non-technical events, such as social engineering or device re-use
Layered defenses
The failure of one layer does not cascade to the next layer
Slide 99
These are measures of protection that reduce the level of vulnerability to
threats. Sometimes these are thought of as targeted controls
One example may be in restricting access to important information from a secure
Slide 100
Types of technologies used to improve security
has continued to evolve over the years
As an information security manager, one should be
familiar with how these technologies can help achieve
the desired state of security
Slide 101
Personnel security is an important area for an information
security manager
Unfortunately, personnel are often the weakest link with security
Damage from personnel can be intentional or accidental
Slide 102
Organizational Structure
It is not enough for the information security manager to simply verify
that managers report to the CIO
Determine the type of management models that might be used such as:
Slide 104
It would be prudent to create a skills inventory
from amongst the existing employees
These skills may be important in implementing a
security strategy
Training, education and awareness are always
vital to the overall strategy
This is especially true in dealing with security issues
Slide 105
Internal and external audits are the main methods of determining any
information security deficiencies that might exist
Internal audits in most large organizations are conducted by internal departments,
and they generally report to the chief risk officer or to an audit committee
Usually the focus is on policy compliance
External audits are often under the purview of the finance department
These are often not done with the security department
Slide 106
Compliance Enforcement
Procedures for security violations should be completed
Again, these need to be supported from the top-down, especially in the area of
One effective approach to compliance is an open system of trust
This should include self-reporting
There should also be voluntary compliance
Slide 107
Threat Assessment
This is usually a part of risk assessment that is important for the strategic
consideration of the policies
The threats will ultimately lead to the choice of controls used for mitigation of the risk
Policy development should map to a threat profile
Often this is because threats are constant in some sense (fires, floods, malware, theft)
Slide 108
Vulnerability Assessment
Often conducted by automated scans, which by themselves are of limited
value
There should also be human involvement
These assessments should include:
Slide 109
Risk Assessment
Risk assessment is accomplished by first determining the viable threats
to information resources
This includes physical and environmental as well as technology
The assessment should include the likelihood of the threat occurring
Frequency of occurrence as well as magnitude should be included in this assessment
Slide 110
Some risks may be addressed by transference of the risk to a third party,
such as the purchase of insurance
Natural disasters
Property damage
Liability insurance
Business interruption
Slide 112
Communications with the third-party
Slide 114
Tax laws
Restrictions on data import/export
Many requirements exist for the retention of content and business records
This is also called E-discovery
Slide 115
Physical Constraints
A security strategy may be limited by the
physical and environmental factors
Facilities placement can be of concern - an
example might be having facilities in a high
crime area
Environmental factors might include the
frequency of flooding
Strategy could simply be constrained based on
the infrastructure’s capacity
Slide 118
Gap Analysis
Gap analysis should be required to compare the state of current
components to the goal of the strategy
This could include:
Maturity levels
Control objectives
Risk and impact objectives
The gap analysis can help identify the steps needed to achieve the security strategy
Slide 121
Policy Development
IT policy may have to undergo changes in the execution of the strategy
Policies should capture the intent, expectations and direction of management as well
as stating compliance to regulatory conditions
If one of the objectives is compliance with an ISO standard, then the policy should
address any relevant domain or subsection of that certification
Policies should be linked to strategy elements; if not, then either the strategy or the
policy is incorrect
Slide 123
Standards Development
Standards are security management tools that set the permissible
bounds for procedures and practices regarding technology systems
The standard can be thought of as the law supporting policy
Standards are the responsibility of the information security manager
Standards must be communicated to those who have to follow them
In some cases, there should also be a plan for exceptions to the standards
Slide 130
CMM4 Statements
The assessment of risk is a standard procedure, and exceptions to
following the procedure would be noticed by security management
Information security risk management is a defined management function
with senior-level responsibility
Senior management and information security management have
determined the levels of risk that the organization will tolerate and have
an appropriate risk/return ratio measurement
Slide 131
Review Questions:
2. The most important reason to make sure there is good communication about security
throughout the organization is:
A. To make security more palatable to resistant employees
B. Because people are the biggest security risk
C. To inform business units about security strategy
D. To conform to regulations requiring all employees to be informed about security
1. B
A security strategy will define management intent and direction for a security program. It
should also be a statement of how security aligns with and supports business objectives,
and provides the basis for good security governance.
2. B
Communication is important to ensure continued awareness of security policies and
procedures. Communication is an important monitoring tool for the security manager to
be aware of potential security issues. Security failures are, in the majority of instances,
directly attributed to lack of awareness or failure of employees to follow procedures.
3. C
While it can be useful to stay abreast of all current and emerging regulations, it can be a
full-time job on its own. Treating regulations as another risk puts them in the proper
perspective, and the mechanisms to deal with them should already exist.
4. A
The basis for relevant security policies must be based on viable threats to the
organization, prioritized by their potential impact on the business. The strictest policies
apply to the areas of greatest risk. This ensures that proportionality is maintained and
great effort is not expended on unlikely threats or threats with trivial impacts.
5. B
All of the answers are obviously important, but the first criterion must be to ensure that
there is no ambiguity in the procedures and that from a security perspective, they meet
the applicable standards, and therefore comply with policy. While it is important to make
sure that procedures work as intended, the fact that they do not may not be a security
6. B
The level of effectiveness of employees will be determined by their existing knowledge
and capabilities; in other words, their proficiencies. Senior management support is
always important but not essential to effectiveness of employee activities. Mapping roles
to the tasks that are required can be useful, but is no guarantee that people can perform
the required task.
7. B
The bottom line of security efforts is to ensure that business can continue with an
acceptable level of disruption that does not unduly constrain revenue-producing
activities. The other choices are useful but subordinate outcomes as well.