CISM Domain 1 V 5


Agenda

01 CISM Exam
02 How to approach
03 Course overview
04 Training deliverables

S.Srinivasan
+91 96770 38871
www.sspacademy.org

Examination

01 The CISM exam contains 150 multiple choice questions.
02 Each question contains the body of the question and 4 answer choices. The candidates are required to select one “Correct” or “Best” answer.
03 Exam questions are application oriented. The candidates are expected to apply the knowledge learned in practice and studies to solve the questions.
04 A candidate is given 4 hours (240 minutes) to complete the examination.
How to approach the Exam

01 Read each question carefully. Eliminate known incorrect answers. Make the “Best” choice possible. Do not look for correctness in every case.
02 Identify key phrases in each question like “MOST”, “BEST”, “FIRST”, “PRIMARILY” etc., before selecting and recording the answer.
03 Answer all questions. There are no negative marks for wrong answers.
04 Grading is solely based on the number of correct questions answered.


Sample Questions

1. The PRIMARY objective of periodically testing an incident response plan should be to:
A. improve internal processes and procedures.
B. harden the technical infrastructure.
C. improve employee awareness of the incident response process.
D. highlight the importance of incident response and recovery.

2. What information is MOST helpful in demonstrating to senior management how information security governance aligns with business objectives?
A. Metrics of key information security deliverables
B. A list of monitored threats, risks and exposures
C. Drafts of proposed policy changes
D. Updates on information security projects in development

3. The BEST way for an information security manager to understand the criticality of an online application is to perform a:
A. threat assessment
B. business process analysis
C. business impact analysis (BIA)
D. vulnerability assessment

4. Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations?
A. Including information security clauses within contracts
B. Auditing the service delivery of third-party providers
C. Requiring third parties to sign confidentiality agreements
D. Providing information security training to third-party personnel

5. Which of the following is MOST helpful to developing a comprehensive information security strategy?
A. Performing a business impact analysis (BIA)
B. Conducting a risk assessment
C. Adopting an industry framework
D. Gathering business objectives

6. A business unit is preparing the business case for acquiring an e-commerce solution. Which of the following should be provided by the information security manager?
A. A cost-benefit analysis of the solution to be acquired
B. An analysis of the solution's security requirements
C. Information security staff training requirements to support the solution
D. A return on investment (ROI) assessment of the solution to be acquired
Exam scoring and report

01 Only correct answers are scored. Candidates’ scores are reported as a scaled score. A scaled score is a conversion of a candidate’s raw score to a common scale.
02 The grading is between 200 and 800. To pass, a candidate should obtain a minimum of 450 or above.
03 At the completion of the exam, preliminary results will appear on the screen. The official scores, with domain-wise grades, will be sent within 14 days of the exam date.
How to get certified?

01 Pass the CISM Exam.
02 Submit an application (within five years of the exam passing date) with verified evidence of a minimum of five years of cumulative work experience performing the tasks of a CISM professional. For more information visit the ISACA website www.isaca.org.
03 Agree to ISACA’s code of professional ethics.
04 Agree to comply with the CISM continuing education policy.

Domain Content

Domain 1: Information Security Governance (24%)
Domain 2: Information Security Risk Management (30%)
Domain 3: Information Security Program Development and Management (27%)
Domain 4: Information Security Incident Management (19%)

Domain 1
Information Security Governance

Overview

Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives.

Objectives

• Ensure that the CISM candidate has the knowledge necessary to:
– Understand the purpose of information security governance, what it consists of, and how to accomplish it.
– Understand the purpose of an information security strategy, its objectives and the reasons and steps required to develop one.
– Understand the meaning, content, creation and use of policies, standards, procedures and guidelines and how they relate to each other.
– Develop business cases and gain commitment from senior leadership.
– Define governance metrics requirements, selection and creation.
Governance vs Management

Information security governance is the system by which an organization directs and controls IT security. Governance determines who is authorized to make decisions. IT security management is concerned with making decisions to mitigate risks. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Governance ensures that security strategies are aligned with business objectives and consistent with regulations. Management recommends security strategies.

Task Statements

• T1.1 Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
• T1.2 Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
• T1.3 Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
• T1.4 Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
• T1.5 Develop business cases to support investments in information security.

Task Statements

• T1.6 Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
• T1.7 Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
• T1.8 Define, communicate and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end users, privileged or high-risk users) and lines of authority.
• T1.9 Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
Introduction

• The first step in establishing information security governance is senior management determining the outcomes it wants from the information security program.
• This is the result of information risk management and the levels of acceptable risk.
• The outcomes and levels of acceptable risk should be determined and used to set control objectives.
• For information security to effectively address adequate protection for information assets, an information security strategy is essential.
• Next, the information security manager can determine what needs to be done to move from the current to the desired state by using a gap analysis. This, then, becomes the basis of the strategy.
• Strategy provides the basis to implement effective information security governance.
• Governance is broadly defined as the rules that run the organization, including policies, standards and procedures that are used to set the direction and control the organization’s activities.
• The information security manager then has the information needed to develop a set of requirements for a security program.
• This is followed by setting a series of specific objectives that, when achieved, will satisfy the requirements.
Effective information security program
• Supports what the organization wants to do
• Keeps risks within acceptable levels
• Tracks success and areas of improvement
• Changes with the organization

Effective information security strategy
• Effective information system security needs a good information security strategy
• This strategy documents the goals and objectives of the information security program
• This forms the basis of the information security governance.
The desired state

• The level of acceptable risk as defined by management is often termed “risk appetite”.
• This forms the desired state the information system security program should achieve.
• Thus the strategy is to develop a set of programs that carry out the security requirements for achieving the desired state, which is the objective of the information security program.
• To achieve this objective, a road map needs to be created that addresses the specifics of the desired state.
• The second step is to identify the resources needed.
• At the same time, constraints need to be identified (laws and regulations, timelines, available skill sets, etc.).
• Existing controls need to be identified, such as technologies, standards and procedures.
The information security governance

• To achieve the desired level of effectiveness in information system security, senior management and the board of directors must be held accountable for information security governance.
• To achieve this, they must provide the necessary leadership, resources, organizational structure and good oversight and processes.
• This should ensure that information security governance is an integral and transparent part of enterprise governance.
• Scores of laws and regulations demand high levels of compliance and higher levels of accountability on the governance body.
The outcome of information security governance

• Strategic alignment
• Risk management
• Value delivery
• Resource optimization
• Assurance process integration
• Performance measurement


The importance of information security governance

Benefits of good information security governance include:
• Providing assurance of policy compliance
• Increasing predictability and reducing uncertainty of business operations by lowering risk to definable and acceptable levels
• Providing the structure and framework to optimize allocations of limited security resources
• Providing a level of assurance that critical decisions are not based on faulty information
• Providing a firm foundation for efficient and effective risk management, process improvement, rapid incident response and continuity management
• Providing greater confidence in interactions with trading partners
• Improving trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process electronic transactions
• Providing accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response
• Effective management of information security resources
Strategic Alignment
• Aligning information security with business strategy to support organizational objectives such as:
– Security requirements driven by enterprise requirements that are thoroughly developed to provide guidance on what must be done and a measure of when it has been achieved
– Security solutions fit for enterprise processes that take into account the culture, governance style, technology and structure of the organization
– Investment in information security that is aligned with the enterprise strategy; enterprise operations; and a well-defined threat, vulnerability and risk profile
Risk Management
• Executing appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptable level such as:
– Collective understanding of the organization’s threat, vulnerability and risk profile
– Understanding of risk exposure and potential consequences of compromise
– Awareness of risk management priorities based on potential consequences
– Risk mitigation sufficient to achieve acceptable consequences from residual risk
– Risk acceptance/deference based on an understanding of the potential consequences of residual risk
Value Delivery
• Optimizing security investments in support of business objectives such as:
– A standard set of security practices (i.e., baseline security requirements following adequate and sufficient practices proportionate to risk and potential impact)
– Information security overheads that are maintained at a minimum level while maintaining a security program that enables the organization to achieve its objectives
– A properly prioritized and distributed effort to areas with the greatest probability and highest impact and business benefit
– Institutionalized and commoditized standards-based solutions with the greatest cost effectiveness
– Complete solutions, covering organization and process as well as technology, based on an understanding of the end-to-end business of the organization
– A continuous improvement culture based on the understanding that security is an ongoing process, not an event
Resource Optimization
• Using information security knowledge and infrastructure efficiently and effectively to:
– Ensure that knowledge is captured and available
– Document security processes and practices
– Develop security architecture(s) to define and utilize infrastructure resources efficiently
Assurance Process Integration
• Integrating all relevant assurance factors to ensure that processes operate as intended from end to end by:
– Determining all organizational assurance functions
– Developing formal relationships with other assurance functions
– Coordinating all assurance functions for more cost-effective security
– Ensuring that roles and responsibilities between assurance functions overlap and leave no gaps in protection
– Employing a systems approach to information security planning, deployment, metrics and management
Performance Measurement
• Monitoring and reporting on information security processes to ensure that objectives are achieved, including:
– A defined, agreed-upon and meaningful set of metrics that are properly aligned with strategic objectives and provide the information needed for effective decisions at the strategic, management and operational levels
– A measurement process that helps identify shortcomings and provides feedback on progress made resolving issues
– Independent assurance provided by external assessments and audits
– Criteria for separating the most useful metrics from the variety of things that can be measured
Effective Information Security Governance

• Information security governance is the responsibility of the board of directors and senior management.
• It must be an integral and transparent part of enterprise governance and complement or encompass the IT governance framework.
• Boards of directors will be required to make information security an intrinsic part of governance.
• This includes monitoring and reporting processes to ensure that governance processes are effective and compliance enforcement is sufficient to reduce risk to acceptable levels.
• Effective information security governance is required to address legal and regulatory requirements and is becoming mandatory in the exercise of due care.
Governance and Business Goals and Objectives

• Corporate governance is the set of responsibilities and practices exercised by the board and senior management with the goals of:
– providing strategic direction,
– ensuring that objectives are achieved,
– ascertaining that risk is managed appropriately,
– verifying that the enterprise’s resources are used responsibly.
• Strategy is the plan to achieve an objective.
• To be of value to the organization, information security must support the business strategy.
Governance and Business Goals and Objectives

• Information security governance is a subset of corporate governance.
• It provides strategic direction for security activities and ensures that objectives are achieved.
• It ensures that information security risk is appropriately managed and enterprise information resources are used effectively and efficiently.
• To achieve effective information security governance, management must establish and ensure maintenance of a framework to guide the development and management of a comprehensive information security program that supports the business objectives.
Components of a Governance Framework

• The governance framework will generally consist of the following:
– A comprehensive security strategy intrinsically linked with business objectives
– Governing security policies that clearly express management intent and address each aspect of strategy, controls and regulation
– A complete set of standards for each policy to ensure that people, procedures, practices and technologies comply with policy requirements and set appropriate security baselines for the enterprise
– An effective security organizational structure with sufficient authority and adequate resources, devoid of conflicts of interest
– Defined workflows and structures that assist in defining responsibilities and accountability for information security governance
– Institutionalized metrics and monitoring processes to ensure compliance, provide feedback on control effectiveness and provide the basis for appropriate management decisions
• This framework provides the basis for developing a cost-effective information security program that supports the organization’s business goals.
Relationship of Governance Elements (diagram slide)
Strategy and Risk

• Purpose of information security: Manage information risk to an acceptable level
• Understand the risk profile
• Understand risk exposure
• Be aware of risk management priorities
• Ensure sufficient risk mitigation
• Base risk treatment decisions on potential consequences

Risk Capacity and Risk Appetite

• Risk capacity: Amount of loss an enterprise can tolerate without its continued existence being questioned.
• Risk appetite: The amount of risk that an entity is willing to accept in pursuit of its mission.
Risk Appetite

• Risk appetite is an essential element for virtually all aspects of information security as well as most other aspects of organizational activities.
• It will determine many aspects of strategy including control objectives, control implementation, baseline security, cost-benefit calculations, risk management options, severity criteria determinations, required incident response capabilities, insurance requirements and feasibility assessments, among others.
• Risk appetite is translated into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite.
• These boundaries need to be regularly adjusted or confirmed.
Risk Acceptance

• Risk acceptance is a formal and explicit process that affirms that the risk requires and warrants no additional response by the organization as long as it and the risk environment stay substantially the same and accountability for the risk is assigned to a specific owner.
• Risk acceptance generally should not exceed the risk appetite of the organization, but it must not exceed the risk capacity (which would threaten the continued existence of the organization).
Scope and Charter of IS Governance

• Information security deals with all aspects of information, in any medium (e.g., written, spoken, electronic), regardless of whether it is being created, viewed, transported, stored or disposed.
• IT security is concerned with security of information within the boundaries of the technology domain, usually in a custodial capacity.
• IT usually is not the owner of most of the information in its systems; rather, it owns the machinery that processes it. The information is in IT’s care, control and custody, and, therefore, IT functions as a custodian for the data owners.
• In the context of information security governance, it is important that the scope and responsibilities of information security are clearly set forth in the information security strategy and reflected in the policies.
• To be successful, information security must be fully supported by senior management and the various organizational units. Without clearly defined information security responsibilities, it is impossible to determine accountability.
Governance, Risk and Compliance

(Diagram: Governance, Risk Management, Compliance)

• GRC is an integrated assurance process.
• Convergence can exist independently across different business functions.
• Information security is often a part of GRC.
• It is important to recognize that effective integration of GRC processes requires that governance is in place before risk can be effectively managed and compliance enforced.
• GRC is usually focused on financial, IT and legal areas.
• Financial GRC is used to ensure proper operation of financial processes and compliance with regulatory requirements.
• In a similar fashion, IT GRC seeks to ensure proper operation and policy compliance of IT processes.
• Legal GRC may focus on overall regulatory compliance.
Information Security Business Model

• The BMIS model uses systems thinking to clarify complex relationships within the enterprise to more effectively manage security.
• BMIS provides the context for frameworks such as COBIT.
• BMIS is best viewed as a flexible, three-dimensional, pyramid-shaped structure made up of four elements linked together by six dynamic interconnections.
• All aspects of the model interact with each other. If any one part of the model is changed, not addressed or managed inappropriately, the equilibrium of the model is potentially at risk.
• The dynamic interconnections act as tensions, exerting a push/pull force in reaction to changes in the enterprise, allowing the model to adapt as needed.
The four dimensions of BMIS

• Organization design and strategy: An organization is a network of people, assets and processes interacting with each other in defined roles and working toward a common goal.
• People: The human resources and the security issues that surround them. It defines who implements (through design) each part of the strategy. It represents a human collective and must take into account values, behaviors and biases.
• Process: Includes formal and informal mechanisms (large and small, simple and complex) to get things done and provides a vital link to all of the dynamic interconnections.
• Technology: Composed of all of the tools, applications and infrastructure that make processes more efficient.
The dynamic interconnections

• The dynamic interconnections link the elements together and exert a multidirectional force that pushes and pulls as things change.
• Actions and behaviors that occur in the dynamic interconnections can force the model out of balance or bring it back to equilibrium. The six dynamic interconnections are:
– Governance
– Culture
– Enablement and Support
– Emergence
– Human Factors
– Architecture
The Assurance Process - Convergence

• The assurance function is traditionally segmented to treat security in silos. Thus there are separate assurance functions for operations, IT, governance, finance, HR etc., to name a few.
• With almost end-to-end automation nowadays, the need to converge the assurance functions is felt, as the auditee also feels the strain of answering many separate audit requirements.
• Information security is the backbone of all the security related initiatives. Of course, information security cannot be achieved by looking only at technical controls. Physical and environmental controls also play a vital role in securing information processing assets.
Tracking Roles (diagram slide)
Practice Question

• Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?
A. Functional goals should be derived from security goals.
B. Business goals should be derived from security goals.
C. Security goals should be derived from business goals.
D. Security and business goals should be defined independently from each other.
Practice Question

• An organization's information security strategy should be based on:
A. managing risk relative to business objectives.
B. managing risk to a zero level and minimizing insurance premiums.
C. avoiding occurrence of risks so that insurance is not required.
D. transferring most risk to insurers and saving on control costs.
Roles and Responsibilities

• Board of Directors
– Need to be aware of information assets
– Provided with high-level results of risk assessments and BIAs
– Exercise due care in protecting key assets
• Steering committee
– Composed of senior representatives of groups impacted by information security
– Ensures alignment of the security program with business objectives
• Common topics:
– Security strategy and integration efforts
– Specific actions and progress related to business unit support of information security program functions
– Emerging risk, business unit security practices and compliance issues
Roles and Responsibilities

• Senior Management
– Ensure needed functions/resources are available
– Ensure resources are properly utilized
– Promote cooperation, arbitrate when needed and set priorities
• Chief Information Security Officer
– May not be an official position
– Trends have shown most organizations have a CISO in charge of the security program
– Some organizations have a CSO over information security and physical security
– Most often reports to the CEO, followed by the CIO and board
– Conflicts of interest may arise if the CISO reports to the CIO because security is often seen as a constraint on IT
Risk Management Roles and Responsibilities

• Chief Risk Officer
– Generally responsible for all non-information risk and overall ERM
• Chief Information Officer
– Responsible for IT planning, budgeting and performance
• Information Security Manager
– Responsible for information risk management and organizational information security programs
• Systems and Information Owners
– Responsible for ensuring proper controls to address CIA
• IT Security Practitioners
– Responsible for proper implementation of security requirements in their IT systems
• IT Security Awareness Trainers and SMEs
Senior Management Commitment

• Addressing information security issues at board/senior management meetings
• Clear approval and support for formal security strategies and policies
• Monitoring and measuring organizational performance in implementing security policies
• Periodically reviewing information security effectiveness
• Providing high-level oversight and control
• Supporting security awareness and training for all staff throughout the organization
• Adequate resources and sufficient authority to implement and maintain security activities
• Treating information security as a critical business issue and creating a security-positive environment
• Demonstrating to third parties that the organization deals with information security in a professional manner
• Setting an example by adhering to the organization’s security policies and practices
• The CISO should ensure adequate training and workshops for senior managers to make them understand the importance of the program.
Senior Management Commitment

• In many cases the support from senior management may not be visible, because they may not be able to understand and appreciate the importance of information security. In those situations, the CISO should ensure adequate training and workshops for the senior managers to make them understand the importance of the program.
• In other cases, support for information security programs may be limited for financial or other reasons. The information security manager must recognize these constraints, prioritizing and maximizing the effects of available resources in addition to working with management to develop additional resources.
The Business Case

• Provides a formal proposal for a project
– Likely costs
– Benefits
• Should have enough detail to explain the why of a project and what it will deliver back.
• Provides the information required for an organization to decide whether a project should proceed.
• The essential consideration is the value proposition, or the cost-benefit analysis of moving forward with the project.
Preparing a Business Case

• Elements of a feasibility study
– Project scope defines the business problem and/or opportunity to be addressed. It should be clear, concise and to the point.
– Current analysis defines and establishes an understanding of a system, a software product, an information security control, etc. Based on this analysis, it may be determined that the current system or software product is working correctly, some minor modifications are needed, or a complete upgrade or replacement is required. At this point in the process, the strengths and weaknesses of the current system or software product are identified.
– Requirements are defined based on stakeholder needs and constraints. Defining requirements for software differs from defining requirements for systems.
– Recommended approach is the recommended system and/or software solution to satisfy the requirements. This step clearly identifies the alternatives that were considered and the rationale as to why the preferred solution was selected. This is the process wherein the use of existing structures and commercial alternatives are considered (e.g., “build versus buy” decisions).
Preparing a Business Case

• Elements of a feasibility study (contd…)
– Evaluation is based on the previously completed elements within the feasibility study. The final report addresses the cost-effectiveness of the approach selected or the value proposition. Elements of the final report include:
• The estimated total cost of the project if the preferred solution is selected, along with the alternates to provide a cost comparison, including:
– Estimate of employee hours required to complete
– Material and facility costs
– Vendors and third-party contractors costs
– Project schedule start and end dates
– A cost and evaluation summary encompassing cost-benefit analysis, return on investment (ROI), etc.
– Formal review: This review both validates the completeness and accuracy of the feasibility study and renders a decision to approve or reject the project or ask for corrections before making a final decision.
• The business case should have sufficient detail to describe the justification for setting up and continuing a project and provide the reasons for the project by answering the question, “Why should this project be undertaken?”
Business Case and Project Management
• The business case drives the decision process
– If it is no longer valid, the project should be reviewed
– Used at stage gates (kill points)
– Reevaluation/reapproval needed when circumstances change
Business Case and Project Management
• The formal presentation to senior management is used as a means to educate and communicate key
aspects of the overall security program. Key points include:
– Aligning security objectives with business objectives, enabling senior management to
understand and apply the security policies and procedures
– Identifying potential consequences of failing to achieve certain security-related objectives and
regulatory compliance
– Identifying budget items so that senior management can quantify the costs of the security
program
– Using commonly accepted project risk/benefit or financial models, such as total cost of
ownership (TCO) or ROI, to quantify the benefits and costs of the security program
– Defining the monitoring and auditing measures that will be included in the security program
Practice Question
• While implementing information security governance an organization should FIRST:
• A. adopt security standards.
• B. determine security baselines.
• C. define the security strategy.
• D. establish security policies.
Practice Question
• The FIRST step in developing an information security management program is to:
• A. identify business risk that affects the organization.
• B. establish the need for creating the program.
• C. assign responsibility for the program.
• D. assess adequacy of existing controls.
Communication Channels
• To ensure effective and efficient implementation of the information security program, proper communication
channels should be established.
• This should include consistent and reliable reporting from various parts of the organization.
• These, along with other metrics, serve as the early warning system for potential threats and emerging
security issues.
• Communication channels may be formal or informal.
• Periodic presentation to senior management is necessary so that they understand the state of the
information security program.
Communication Channels
• The presentations should at a minimum contain:
– Status of the implementation of the system based on the approved strategy
– Overall BIA result comparison (prior to and after implementation)
– Statistics of detected and prevented threats as a means of demonstrating value
– Identifying the weakest security links in the organization and potential consequences of compromise
– Performance measurement data analysis supported with independent, external assessment or audit reports,
if available
– Addressing ongoing alignment for critical business objectives, operation processes or corporate
environments
– Requiring the approval for renewed plans, as well as related budget items
Communication Channels
• In addition to the formal presentations, four other groups need different communications:
• Senior management
– Attend business strategy meetings to become more aware of and understand the updated business
strategies and objectives.
– Hold periodic one-to-one meetings with senior management to understand the business
objectives from its perspective.
• Business process owners
– Join operation review meetings to understand the challenges and requirements of daily operations
and their dependencies.
– Initiate monthly one-to-one meetings with different process owners to gain continued support in
the implementation of information security governance and to address current individual
security-related issues.
Communication Channels
• Other management
– Inform line managers, supervisors and department heads charged with various security and
risk management-related functions, including ensuring adequate security requirement
awareness and policy compliance, of their responsibilities.
• Employees
– Offer timely training and education programs.
– Initiate a centralized on-board training program for new hires.
– Distribute organizational education material on updated strategies and policies.
– Instruct personnel to access the intranet or email-based notifications for periodic reminders
or ad hoc adaptations.
– Support senior management and business process owners by assigning an information
security governance coordinator within each functional unit to obtain accurate feedback of
daily practices in a timely manner.
Governance of Third Party Relationships
• The governance of third parties includes:
– Service providers
– Outsourced operations
– Trading partners
– Merged or acquired organizations
• To ensure that the organization is adequately protected, the information security manager must
assess the impacts of any of the reasonably possible security failures of any third party that
may become involved with the organization.
• Policies, standards and procedures establishing the involvement of information security should
be developed prior to the creation of any third-party relationship.
• There should be a formalized engagement model between the information security organization
and those groups that establish and manage third-party relationships for the organization.
Metrics and Measurement
Metrics allow the measurement of the achievement of a process goal. Security metrics should tell us
about the state or degree of security relative to a reference point.

It is important to keep in mind that technical metrics are only useful for the tactical operational
management of technical security systems, such as intrusion detection systems, proxy servers,
firewalls, etc. They say nothing about strategic alignment or governance.
Metrics and Measurement
From a management perspective, technical metrics cannot provide answers to questions such as:
• How secure is the organization?
• How much security is enough?
• How do we know when we have achieved an adequate level of security?
• What are the most cost-effective security solutions?
• How do we determine the degree of risk?
• How well can risk be predicted?
• Is the security program achieving its objectives?
• What impact is lack of security having on productivity?
• What impact would a catastrophic security breach have?
• What impact will security solutions have on productivity?
Metrics and Measurement
• Metrics should be SMART:
– Specific
– Measurable
– Attainable
– Relevant
– Timely
• Avoid measuring something simply because it can be measured.
Practice Questions
• "Sensitive data must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure" is a
statement that would MOST likely be found in a:
• A. guideline.
• B. policy.
• C. procedure.
• D. standard.
Practice Questions
• The PRIMARY objective for information security program development should be:
• A. creating an information security strategy.
• B. establishing incident response procedures.
• C. implementing cost-effective security solutions.
• D. reducing the impact of the risk in the business.
Information Security Strategy
• The objective of the security strategy is the desired state defined by business and security attributes.
• The strategy provides the basis for an action plan composed of one or more security programs that, as
implemented, achieve the security objectives.
• The action plan(s) must be formulated based on available resources and constraints, including
consideration of relevant legal and regulatory requirements.
• The strategy and action plans must contain provisions for monitoring as well as defined metrics to
determine the level of success.
• This provides feedback to the CISO and steering committee to allow for midcourse correction and ensure
that security initiatives are on track to meet defined objectives.
Pitfalls in strategy development
• Confirmation bias—Seeking opinions and facts that support one’s own beliefs
• Selective recall—Remembering only facts and experiences that reinforce current assumptions
• Biased assimilation—Accepting only facts that support an individual’s current position or
perspective
• Biased evaluation—Easy acceptance of evidence that supports one’s hypotheses while
contradictory evidence is challenged and, almost invariably, rejected. Critics are often charged
with hostile motives or their competence is impugned.
• Groupthink—Pressure for agreement in team-based cultures
Information Security Strategy Objectives
• The objectives of developing an information security strategy must be defined and metrics developed to
determine if those objectives are being achieved. Typically, the six defined outcomes of security governance
will provide high-level guidance. The six outcomes are:
– Strategic alignment
– Effective risk management
– Value delivery
– Resource optimization
– Performance measurement
– Assurance process integration
Start With the Goals
• What is the goal?
– Typically to assure the reliability of information-related business processes
• Organizations are often unaware of what information exists within the enterprise, its criticality, etc.
– This impacts cost-effectiveness
• Goals help set objectives, which drive strategy
– Should tie to enterprise goals
Asset Classification
• Classification provides the basis for applying protective measures in proportion to the business
value, resulting in more cost-effective controls
• Initial classification can be time consuming
– For large organizations, this can amount to terabytes of useless data and literally thousands of
outdated and unused applications accumulated over decades.
– Does not get easier over time
– Management is often reluctant to allocate resources for this, as they see it as a non-value-added
activity
• Best approach is to start as soon as possible
– Classify new assets when they are created
– Monitor for changes over time
– Classification should be proportional to the value of the assets so cost-effective controls can be
applied
– Failing to classify will result in wasteful protection of non-critical or non-sensitive information
Valuation of Data
• Information security has traditionally focused on IT systems.
• Business process owners regard IT systems as tools, while data produced has value
• Integration with corporate governance becomes easier with a data focus
• Criticality of data can be derived from criticality of processes that use that data.
• Sensitivity can be derived by determining consequences of data leakage.
– Sensitivity of data may be subjective.
– Certain types of data may be considered sensitive by law or regulation.
– Valuation of data may be qualitative or quantitative.
– Business dependency analysis can be used as an indication of value
Current Vs Desired State
• Desired State
– Ideal information security environment
– Frameworks/standards helpful to identify outcomes
– Defined desired state makes it easier to identify path from current state
– Risk objectives such as risk appetite and risk tolerance and the organization’s risk culture
• Current State
– What is actually occurring
– Helps to identify where the environment falls short of the desired state
– Business Impact Analysis can be used as a tool to determine the current state
Building the Strategy
• Strategy provides a road map to move from the current state to the desired state
• Path could be long depending on distance between current and desired state
• Should identify:
– Available resources
– Available methods
– Constraints
Resources
• Policies
• Standards
• Procedures
• Guidelines
• Architecture(s)
• Controls—physical, technical, procedural
• Countermeasures
• Layered defenses
• Technologies
• Personnel security
• Organizational structure
• Roles and responsibilities
• Skills
• Training
• Awareness and Education
• Audits
• Compliance enforcement
• Threat assessment
• Vulnerability assessment
• BIA
• Risk analysis
• Resource dependency analysis
• Third-party service providers
• Other organizational support and assurance providers
• Facilities
• Environmental security
Strategy Constraints
• Legal
• Physical
• Ethics
• Culture
• Costs
• Personnel
• Organizational structure
• Resources
• Capabilities
• Time
• Risk appetite
Legal and Regulatory Requirements
• There are a number of legal and regulatory issues affecting information security that must be
considered in developing a strategy.
• Information security is inevitably intertwined with questions of privacy; intellectual property; and
contractual, civil and criminal law. Any effort to design and implement an effective information
security strategy must be built on a solid understanding of the pertinent legal requirements and
restrictions.
• Different regions in a global organization may be governed by conflicting legislation. An example of
this is in the area of privacy legislation, where different cultures place different degrees of importance
on privacy.
Legal and Regulatory Requirements
• The global organization may need to establish different security strategies for each regional division,
or it can base policy on the most restrictive requirements to be consistent across the enterprise.
• From the perspective of the information security manager, regulatory compliance should be treated as
any other risk and the extent of compliance is ultimately a business decision that must be made by
senior management with input as to risk and potential impact.
• The strategy must also take into consideration that personnel safety is a priority and the subject of
regulations in many jurisdictions.
Retention Requirements
• Two main aspects an information security strategy must take into consideration regarding the content
and retention of business records and compliance:
– The business requirements for business records
– The legal and regulatory requirements for records
• Depending upon an organization’s location and industry, regulatory bodies have requirements that an
organization must comply with, including legal, medical and tax records.

E-discovery
• Civil and criminal actions rely on evidence obtained from email and other electronic communications
in response to a production request or subpoena. If information has been archived without being
classified and cataloged, retrieving the required material can be an arduous and expensive task.
• Generally, the best option is to have a policy that requires destruction of any data not required to be
retained by law or for specific business reasons.
Physical Constraints
• Include capacity, space, environmental hazards, etc.
• Safety of personnel should also be considered
• Often ignored and can lead to interruptions or breaches
• Disaster recovery should be considered
Ethics and Culture
• Ethics
– Perception of the enterprise’s behavior
– Influenced by location and culture
• Culture
– Internal culture
– Local culture
Costs
• Justify spending based on a project’s value.
• Cost-benefit/financial analysis most widely accepted
– ALE
– ROI
Personnel and Organization Structure
• Personnel
– Resistance to changes can impact the success of strategy implementation
• Organizational structure
– Impacts how a governance strategy can be implemented
– Cooperation is needed
– Senior management buy-in helps to ensure cooperation
Resources, Capabilities and Time
• Resources
– Consider available budgets, TCO and personnel requirements
• Capabilities
– Expertise and skills
• Time
– Deadlines/Windows of opportunity
Risk Appetite
• Risk acceptance and risk tolerance play a major role
• Difficult to measure
• RTOs/RPOs
Ongoing Assessment
• The information security strategy needs to be dynamic.
• Update assessments regularly.
Practice question
• It is essential for the board of directors to be involved with information security activities
primarily because of concerns regarding:
• A. technology.
• B. liability.
• C. compliance.
• D. strategy.
Practice question
• The FIRST step to create an internal culture that embraces information security is to:
• A. implement stronger controls.
• B. conduct periodic awareness training.
• C. actively monitor operations.
• D. gain endorsement from executive management.
Strategic Resources
• Policies: management tools (“Constitution”)
• Standards: governance tools (“Laws”)
• Controls: part of security architecture (“Enforcement”)
Policies
• Directly traceable to strategy elements
• Broad enough to not require regular revision, but should be periodically reviewed
• Approved at the highest level
• Pave the way for effective implementation
• Attributes of good policies:
– Should capture the intent, expectations and direction of management
– Should state only one general security mandate
– Must be clear and easily understood
– Includes just enough context to be useful
– Rarely number more than two dozen in total
Setting Standards
• Provide measurement for compliance
• Govern procedure and guideline creation
• Set security baselines
• Reflect acceptable risk and control objectives
• Act as criteria for evaluating acceptable risk
• Are unambiguous, consistent and precise
• Are disseminated to those governed by them and those impacted
• Third-party standards are typically prescriptive to allow for certification.
– If used as a reference, your organization may have some flexibility when using the standard.
• Exception processes must be developed
Procedures
• A non-IT control that directs precisely how something is to be done
• Responsibility of operations staff
– Use unambiguous language
– Include all necessary steps
• Ensure an organization can continue operations even if regular staff are unavailable
Guidelines
• Contain information that will be helpful in executing procedures
• Enable use of individual judgment
• Can be helpful when an outcome needs to be achieved, but the how does not matter
Framework and Architecture
• The approach for EA, including security, that has gained ground during the past decade is TOGAF,
which addresses the following four interrelated areas of specialization called architecture domains:
– Business architecture, which defines the business strategy, governance, organization and key
business processes of the organization
– Applications architecture, which provides a blueprint for the individual application systems to be
deployed, the interactions among the application systems, and their relationships to the core
business processes of the organization with the frameworks for services to be exposed as business
functions for integration
– Data architecture, which describes the structure of an organization’s logical and physical data assets
and the associated data management resources
– Technical architecture, or technology architecture, which describes the hardware, software and
network infrastructure needed to support the deployment of core, mission-critical applications
Framework
• The framework details the organization, roles, entities and relationships that exist, or should exist,
to perform a set of business processes.
• The framework should provide a rigorous taxonomy that clearly identifies what processes a
business performs and detailed information about how those processes are executed and secured.
• The end product is a set of artifacts that describe, in varying degrees of detail, exactly what and
how a business operates and what security controls are required.
• There are many resources available. One of the best known frameworks is COBIT 2019.
• Integration ensures consistency.
• When adding information security to an existing governance structure, it is not necessary to use a
different framework.
• If no general framework is used, find a framework that is comprehensive and can be used across
the organization.
Controls
Controls are the primary components to consider when developing an information security strategy. Controls can be physical,
technical or procedural. The choice of controls must be based on a number of considerations including ensuring their
effectiveness, their cost or potential restriction to business activities, and their optimal form of control.

Non-IT Controls
The information security manager must be aware that information security controls must be developed for non-IT-related
information processes as well. This will include secure marking, handling and storage requirements for physical information
and considerations for handling and preventing social engineering. Environmental controls must also be taken into account so
otherwise secure systems are not subject to simply being stolen.

Countermeasures
Countermeasures are the protection measures that directly reduce a vulnerability or a threat. Countermeasures can simply be
considered targeted controls.

Layered Defences
Layering defenses, or defense in depth, is an important concept in designing an effective information security strategy or
architecture. The layers must be designed so that the cause of failure of one layer does not also cause failure of the next layer.
Practice Question
• It is MOST important that information security architecture be aligned with which of the following?
• A. Industry good practices
• B. Business goals and objectives
• C. Information technology plans
• D. International information security frameworks
Practice Question
• Which of the following is the PRIMARY reason to change policies during program development?
• A. The policies must comply with new regulatory and legal mandates.
• B. Appropriate security baselines are no longer set in the policies.
• C. The policies no longer reflect management intent and direction.
• D. Employees consistently ignore the policies.
Personnel
• Trustworthiness and dependability of personnel
• Background checks
• Development of an appropriate email policy and an investigation and background verification policy
• Policies must be reviewed by HR and Legal for adequacy and by Management for culture and approach.
• Appropriate email policies informing employees that emails are not private and may be inspected should
be communicated to the staff and, wherever necessary, emails should be inspected.
• Legal protections vary on this type of monitoring and it is the responsibility of the information
security officer to understand the legal requirements of the jurisdiction involved.
Organization Structure
• A flexible and evolving structure is good for implementing the infosec strategy.
• The infosec department’s reporting line should be free of conflicts of interest. The CISO reporting to
the CEO or COO would be appropriate.
• The centralized or decentralized nature of security also plays a role.
• A centralized approach needs consideration of local requirements in case of multinational diversity.
Local laws may not allow storage of data outside their boundaries. Policies must be tailored to
local needs.
• A decentralized approach has the advantage that security is closer to the users, and local staff
understand local issues better.
• A disadvantage of the decentralized approach may be that the quality of the security service varies
and standardization might be difficult due to the training levels available locally.
Organization Structure
• Whatever the structure may be, the responsibilities and objectives remain the same; they must:
– Be closely aligned with the business objectives
– Be sponsored and approved by senior management
– Have monitoring in place
– Have reporting and crisis management in place
– Have organizational continuance procedures
– Have risk management in place
– Have appropriate security awareness and training programs
Other requirements…
• Employee roles and responsibilities:
– Security requirements must be integrated into the job descriptions / roles and responsibilities
of the employees.
– This ensures better chances of strategy success.
• Employee Skills:
– A strategy must be chosen that utilizes the existing skills within an organization for better
chances of success.
– Proficiency testing may be useful to determine if the requisite skills are available or can be
achieved through training.
Awareness and Education
• Security is often weakest at the end-user level.
• People need to be aware of security policies and standards in order to be compliant.
• Training and awareness go beyond publishing a policy
– Type should be appropriate to logistics, culture, etc.
– Relevant to the audience
Auditing and Compliance
• Audits can be useful as a means of identifying shortfalls.
• Senior managers tend to believe audit reports.
• Audit reports indicate what has already happened.
– Useful for insight
– Cannot be used as the only means of identifying problems
Threat and Vulnerability Assessment
• Threat assessment helps in understanding viable threats.
• Developing a threat profile helps to develop an infosec policy tailored to the assessed threats.
• Vulnerability assessments should go beyond traditional technical scans.
• They must consider gaps in processes, procedures, policies, technologies, facilities and SLAs, and
legal and regulatory exposures.
• Vulnerability assessments must be done holistically at an entity level covering all types of
exposures.
Risk Assessment and Management
• Conducting a threat and vulnerability assessment alone is not sufficient to have a comprehensive
infosec strategy.
• Formally assessing risk is accomplished by first determining the viable threats to information
resources that an organization faces.
• The next consideration is the likelihood that these threats will materialize and their probable
magnitude. This is the risk identification phase of risk assessment.
• The next step is to determine the extent of organizational weaknesses and exposure to these threats.
The combination of the frequency and magnitude and the extent of the organization’s vulnerability
will determine the relative level of risk.
• By using this information to calculate the resulting probable ALE—considering frequency, magnitude
and exposure—management is in a position to decide on acceptability.
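The calculation the bullets above describe, written out as an added example that is not part of the original slide deck: the annualized loss expectancy is computed as single loss expectancy (asset value, i.e. magnitude, times exposure factor) multiplied by the annualized rate of occurrence (frequency), the standard quantitative risk formula. The example then carries that figure into the cost-benefit comparison the Costs slide refers to (ALE, ROI) by netting a control's annual cost against the ALE it removes, and tests the residual ALE against a risk appetite figure so management can decide on acceptability. The scenario, the two candidate controls, the reduction percentages and every number are constructed for illustration; the function and field names are my own.

```python
"""Quantitative risk estimate: ALE and control cost-benefit (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Scenario:
    """One threat against one information resource (hypothetical figures)."""
    name: str
    asset_value: float      # magnitude: value of the resource at risk, in currency units
    exposure_factor: float  # exposure: fraction of asset value lost per occurrence, 0..1
    aro: float              # frequency: annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and its assumed effect (hypothetical figures)."""
    name: str
    annual_cost: float          # yearly TCO: licences, staff hours, maintenance
    aro_reduction: float        # fraction by which the control lowers frequency, 0..1
    exposure_reduction: float   # fraction by which it lowers loss per event, 0..1


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor: the loss from a single occurrence."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected loss per year from this scenario."""
    if s.aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.aro


def residual_scenario(s: Scenario, c: Control) -> Scenario:
    """The same scenario after the control is applied (residual risk)."""
    return Scenario(
        name=s.name,
        asset_value=s.asset_value,
        exposure_factor=s.exposure_factor * (1.0 - c.exposure_reduction),
        aro=s.aro * (1.0 - c.aro_reduction),
    )


def control_roi(s: Scenario, c: Control) -> Dict[str, float]:
    """Cost-benefit of one control: ALE removed, net of its annual cost, and ROI."""
    before = annualized_loss_expectancy(s)
    after = annualized_loss_expectancy(residual_scenario(s, c))
    benefit = before - after
    net = benefit - c.annual_cost
    roi = net / c.annual_cost if c.annual_cost > 0 else float("inf")
    return {"ale_before": before, "ale_after": after,
            "benefit": benefit, "net_benefit": net, "roi": roi}


def recommend(s: Scenario, controls: Iterable[Control], risk_appetite: float) -> str:
    """Decide on acceptability: accept if ALE is already within appetite; otherwise pick
    the control with the highest net benefit that brings residual ALE within appetite;
    escalate to management if no control both pays for itself and meets the appetite."""
    if annualized_loss_expectancy(s) <= risk_appetite:
        return "accept"
    scored = [(c, control_roi(s, c)) for c in controls]
    viable = [(c, r) for c, r in scored
              if r["ale_after"] <= risk_appetite and r["net_benefit"] > 0.0]
    if not viable:
        return "escalate"
    best_control, _ = max(viable, key=lambda pair: pair[1]["net_benefit"])
    return best_control.name


# Constructed sample input: one scenario and two candidate controls.
RANSOMWARE = Scenario("ransomware on the customer database", 2_000_000, 0.25, 0.2)
BACKUPS = Control("offline backups with tested restore", 30_000, 0.0, 0.8)
EDR = Control("endpoint detection and response", 60_000, 0.5, 0.0)
RISK_APPETITE = 25_000  # maximum tolerable ALE for this scenario, set by management


def example() -> str:
    """Run the sample figures through the decision and return the recommendation."""
    return recommend(RANSOMWARE, [BACKUPS, EDR], RISK_APPETITE)


if __name__ == "__main__":
    for ctrl in (BACKUPS, EDR):
        print(ctrl.name, control_roi(RANSOMWARE, ctrl))
    print("recommendation:", example())
```

With the sample figures the uncontrolled ALE is 100,000 per year (SLE 500,000 at ARO 0.2). The backup control removes 80,000 of that for 30,000 a year and leaves a residual ALE of 20,000, within the 25,000 appetite, so it is recommended; the EDR option halves frequency but costs more than the 50,000 of ALE it removes, so on these numbers it has a negative net benefit. The point of the separate `recommend` step is that a positive ROI alone is not enough: a control that pays for itself but still leaves residual ALE above appetite is not an acceptable stopping point.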
Business Impact Analysis
• For management, business impact is the bottom line of risk.
• A BIA is an exercise that determines the consequences of losing the support of any resource to an
organization and is a part of the risk assessment process.
• The consequences are typically reduced to financial impacts. Risk that cannot result in an appreciable
impact is not important.
• BIAs are an important component of developing a strategy that addresses potential adverse impacts to
the organization.
• A BIA must also be considered as a requirement to determine the criticality and sensitivity of systems
and information.
• Thus it will provide the basis for developing an approach to information classification and addressing
business continuity requirements.
Outsourcing service providers
• From an information security point of view, outsourcing arrangements can present risk that may be
difficult to quantify and potentially difficult to mitigate.
• Providers may operate on different standards and can be difficult to control.
• The security strategy should consider outsourced security services carefully to ensure that they either
are not a critical single point of failure or there is a viable backup plan in the event of service provider
failure.
• Risk posed by outsourcing can also materialize as the result of mergers and acquisitions.
End of Domain 1