CISM Manual Part 1
discussed. The glossary is an extension of the text in the manual and can, therefore, be another indication of areas in which the candidate may need to seek additional references.

USING THE CISM REVIEW MANUAL WITH OTHER ISACA RESOURCES
The CISM Review Manual can be used in conjunction with other CISM exam preparation products. These products are based on the CISM job practice, and referenced task and knowledge statements can be used to find related content within the CISM Review Manual. These resources include:
- CISM Review Questions, Answers and Explanations Manual 9th Edition
- CISM Review Questions, Answers and Explanations Database — 12 Month Subscription
- Chapter CISM Review Courses

ABOUT THE CISM REVIEW QUESTIONS, ANSWERS AND EXPLANATIONS PRODUCTS
The CISM® Review Questions, Answers & Explanations Manual 9th Edition consists of 1,000 multiple-choice study questions, answers and explanations arranged in the domains of the current CISM job practice.

Another study aid that is available is the CISM® Review Questions, Answers & Explanations Database — 12 Month Subscription. The database consists of the 1,000 questions, answers and explanations included in the CISM® Review Questions, Answers & Explanations Manual 9th Edition. With this product, CISM candidates can quickly identify their strengths and weaknesses by taking random sample exams of varying length and breaking the results down by domain. Sample exams also can be chosen by domain, allowing for concentrated study, one domain at a time, and other sorting features such as the omission of previously correctly answered questions are available.

Questions in these products are representative of the types of questions that could appear on the exam and include explanations of the correct and incorrect answers. Questions are sorted by CISM domains and as a sample test. These products are ideal for use in conjunction with the CISM® Review Manual 15th Edition. These products can be used as study sources throughout the study process or as part of a final review to determine where candidates may need additional study. It should be noted that these questions and suggested answers are provided as examples; they are not actual questions from the examination and may differ in content from those that actually appear on the exam.

TYPES OF QUESTIONS ON THE CISM EXAM
CISM exam questions are developed with the intent of measuring and testing practical knowledge and the application of information security managerial principles and standards. As previously mentioned, all questions are presented in a multiple-choice format and are designed for one best answer.

The candidate is cautioned to read each question carefully. Many times a CISM exam question will require the candidate to choose the appropriate answer that is MOST likely or BEST, or the candidate may be asked to choose a practice or procedure that would be performed FIRST related to the other answers. In every case, the candidate is required to read the question carefully, eliminate known wrong answers and then make the best choice possible. Knowing that these types of questions are asked and how to study to answer them will go a long way toward answering them correctly. The best answer is of the choices provided. There can be many potential solutions to the scenarios posed in the questions, depending on industry, geographical location, etc. It is advisable to consider the information provided in the question and to determine the best answer of the options provided.

Each CISM question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario or description also may be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided.

A helpful approach to these questions includes the following:
- Read the entire stem and determine what the question is asking. Look for key words such as “BEST,” “MOST,” “FIRST,” etc. and key terms that may indicate what domain or concept is being tested.
- Read all of the options, and then read the stem again to see if you can eliminate any of the options based on your immediate understanding of the question.
- Re-read the remaining options and bring in any personal experience to determine which is the best answer to the question.

Another condition the candidate should consider when preparing for the exam is to recognize that information security is a global profession, and individual perceptions and experiences may not reflect the more global position or circumstance. Because the exam and CISM manuals are written for the international information security community, the candidate will be required to be somewhat flexible when reading a condition that may be contrary to the candidate’s experience. It should be noted that the CISM exam questions are written by experienced information security managers from around the world. Each question on the exam is reviewed by ISACA’s CISM Exam Item Development Working Group, which consists of international members. This geographic representation ensures that all exam questions are understood equally in every country and language.

Note: When using the CISM review materials to prepare for the exam, it should be noted that they cover a broad spectrum of information security management issues. Again, candidates should not assume that reading these manuals and answering review questions will fully prepare them for the examination. Since actual exam questions often relate to practical experiences, candidates should refer to their own experiences and other reference sources, and draw upon the experiences of colleagues and others who have earned the CISM designation.
K1.14 Knowledge of roles and responsibilities of the information security manager
K1.15 Knowledge of organizational structures, lines of authority and escalation points
K1.16 Knowledge of information security responsibilities of staff across the organization (e.g., data owners, end users, privileged or high-risk users)
K1.17 Knowledge of processes to monitor performance of information security responsibilities
K1.18 Knowledge of methods to establish new, or utilize existing, reporting and communication channels throughout an organization
K1.19 Knowledge of methods to select, implement and interpret key information security metrics (e.g., key goal indicators [KGIs], key performance indicators [KPIs], key risk indicators [KRIs])

RELATIONSHIP OF TASK TO KNOWLEDGE STATEMENTS
The task statements are what the CISM candidate is expected to know how to perform. The knowledge statements delineate each of the areas in which the CISM candidate must have a good understanding to perform the tasks. The task and knowledge statements are mapped, insofar as it is possible to do so. Note that although there is often overlap, each task statement will generally map to several knowledge statements.

Task Statement / Knowledge Statements

T1.6 Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
    K1.2 Knowledge of the relationship of information security to business goals, objectives, functions, processes and practices
    K1.7 Knowledge of methods to integrate information security governance into corporate governance
    K1.11 Knowledge of the internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) and how they impact the information security strategy

T1.7 Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
    K1.12 Knowledge of key information needed to obtain commitment from senior leadership and support from other stakeholders (e.g., how information security supports organizational goals and objectives, criteria for determining successful implementation, business impact)
    K1.13 Knowledge of methods and considerations for communicating with senior leadership and other stakeholders (e.g., organizational culture, channels of communication, highlighting essential aspects of information security)

T1.8 Define, communicate and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end users, privileged or high-risk users) and lines of authority.
    K1.15 Knowledge of organizational structures, lines of authority and escalation points
    K1.16 Knowledge of information security responsibilities of staff across the organization (e.g., data owners, end users, privileged or high-risk users)
    K1.17 Knowledge of processes to monitor performance of information security responsibilities
    K1.18 Knowledge of methods to establish new, or utilize existing, reporting and communication channels throughout an organization

T1.9 Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
    K1.10 Knowledge of strategic budgetary planning and reporting methods
    K1.19 Knowledge of methods to select, implement and interpret key information security metrics (e.g., key goal indicators [KGIs], key performance indicators [KPIs], key risk indicators [KRIs])
1-3 Which of the following approaches BEST helps the information security manager achieve compliance with various regulatory requirements?

A. Rely on corporate counsel to advise which regulations are the most relevant.
B. Stay current with all relevant regulations and request legal interpretation.
C. Involve all impacted departments and treat regulations as just another risk.
D. Ignore many of the regulations that have no penalties.

A. Data owner
B. Information security manager
C. Domain administrator
D. Business manager

1-10 In implementing information security governance, the information security manager is PRIMARILY responsible for:

A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.

1-8 A. Business and regulatory requirements are the driving factors for data retention.
B. Integrity is a key factor for information security; however, business and regulatory requirements are the driving factors for data retention.
C. Availability is a key factor for information security; however, business and regulatory requirements are the driving factors for data retention.
D. Confidentiality is a key factor for information security; however, business and regulatory requirements are the driving factors for data retention.

1-10 A. The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners and senior management.
B. The information security strategy is the responsibility of a steering committee and/or senior management.
C. The information security manager is not necessarily responsible for communicating the security strategy.
D. Final approval of the information security strategy must be made by senior management.
Information security governance needs to be integrated into the overall enterprise governance structure to ensure that the organizational goals are supported by the information security program. The governance framework is an outline or skeleton of interlinked items that supports a particular approach to a specific objective as stated in the strategy. Several governance frameworks may be suitable for an organization to implement, including COBIT 5 and ISO/IEC 27000. High-level architecture can serve as a framework as well. The framework will serve to integrate and guide activities needed to implement the information security strategy.

Information security governance is a subset of corporate governance and must be consistent with the enterprise’s governance. If

The strategy should keep in mind that information security is never static. Threats, vulnerabilities and exposures are always changing because of internal and external factors. Internal factors include changes in technology, personnel, business activities and financial capacity to absorb loss. External factors include changing markets, emerging threats, new technologies, increasing sophistication of attackers and new regulations. Risk and impact assessments are often a good indicator of changes that may need to be made to strategy elements. Another indicator is the number of security incidents.

To continue to be effective, the strategy must be a living document with objectives, approaches and methods changing to meet new conditions. In many cases, the high-level objectives may not change significantly while the approaches, methods and technologies may evolve as conditions warrant.

Internal metrics and ongoing monitoring will aid the information security manager in keeping aware of changing conditions. Keeping current on external events that may affect the enterprise and its risk is also key.

For an effective information security program and strategy, it is necessary to have ongoing support from senior management, business owners and department heads. Information security cannot be driven up from the middle of an organization. Without support of senior management, the issues of inadequate funding, insufficient staffing and poor compliance will be ongoing. An organization’s culture is largely a reflection of senior management, and senior management’s lack of support will be reflected in the entire organization. This is evidenced by the organization’s perception of and relationship to information security specifically and risk management generally.

A lack of commitment and support from senior management cascades down and results in little support from business owners and department heads. Because this group is largely responsible for policy administration and compliance enforcement, it is likely that information security policy compliance will be poor. Support can be gained by educating senior management or developing persuasive business cases. Unfortunately, more often, it is a serious incident or major compromise that is needed to generate management commitment. In organizations that are subject to strong governmental regulation, frequent audits and costly sanctions, support and commitment may be high as a result.

It is often said that security is only as strong as the weakest link, and this is certainly true for information security. For information security to be effective across the entire organization, everyone should have responsibilities related to information security or risk management. It is up to the information security manager to define those responsibilities for everyone in the organization. The next step is to inform employees of those responsibilities on an ongoing or frequent basis. Most employees will do most of what is required most of the time if they are clearly aware of their responsibilities and the consequences of failing to do so. To reinforce responsible information security behavior, it is necessary to monitor compliance on a regular basis because information security is often an afterthought for busy employees focusing on other tasks.

What cannot be measured cannot be managed. Information security has been managed for some time without good metrics in an ad hoc, haphazard and often ineffective way. The resistance to developing good metrics appears to be related to management’s desire to avoid knowing too much that might require taking action; this enables management to sidestep being held accountable and supports plausible deniability. For some information security managers, a suite of effective information security metrics may increase oversight, performance accountability and workload. Whatever the underlying causes, information security suffers from a lack of or poor metrics, especially at the management and strategic levels, precisely where informed decision making must take place.

No profession or activity has achieved reliable and effective maturity prior to the development of a suite of good metrics. Metrics must be considered at three levels: operational, management and strategic.

One of the most important requirements for good metrics is to find out what information is needed at the different organizational levels to make informed decisions. This information becomes the basis for effective information security metrics. Of course, the information needed by the chief executive officer (CEO) or managing director is different from what is needed by a system administrator to make informed information security decisions. The first step to establish a system of metrics is to determine what is meaningful to the recipients. Then those metrics must be monitored, evaluated and communicated to the appropriate people on a timely basis.

1.1 INFORMATION SECURITY GOVERNANCE OVERVIEW
Information can be defined as “data endowed with meaning and purpose.” It plays a critical role in all aspects of our lives. Information has become an indispensable component of conducting business for virtually all organizations. In a growing number of companies, information is the business.

Approximately 80 percent of national critical infrastructures in the developed world are controlled by the private sector. Coupled with often ineffective bureaucracies, countless conflicting jurisdictions and aging institutions unable to adapt to dealing with burgeoning global information crime, a preponderance of the task of protecting information resources critical to survival is falling squarely on corporate shoulders. However, studies continue to show that a large percentage of organizations do not adequately address either existing or emerging security issues. The findings of the 2015 Ernst and Young Global Information Security Survey highlight the problem. According to the survey:
- Only 12 percent of organizations believe that information security meets the needs of the organization, and 67 percent are still making improvements.
- Sixty-nine percent noted that the information security budget should increase by as much as 50 percent to be able to protect the organization in line with the risk tolerance set by management.

The conclusion that can be drawn from this report is that information security failures are predominantly a failure of governance and cannot be solved by technology alone. The need for adequate protection of information resources needs to be raised at the board level, like other critical governance functions, to be successful. The complexity, relevance and criticality of information security and its governance mandate that it be addressed and supported at the highest organizational levels.

Ultimately, to achieve significant improvement in information security, senior management and the board of directors must be held accountable for information security governance and must provide the necessary leadership, organizational structures, oversight, resources and processes to ensure that information security governance is an integral and transparent part of enterprise governance.
Increasingly, those who understand the scope and depth of risk to information take the position that, as a critical resource, information must be treated with the same care, caution and prudence that any other asset essential to the survival of the organization and, perhaps, society would receive.

Often, the focus of protection has been on the IT systems that process and store the vast majority of information rather than on the information itself. But this approach is too narrow to accomplish the level of integration, process assurance and overall security that are required. Information security takes the larger view that the content, information and the knowledge based on it must be adequately protected, regardless of how it is handled, processed, transported or stored.

Senior management is increasingly confronted by the need to stay competitive in the global economy and heed the promise of ever greater gains from the deployment of more information resources. Even as organizations reap those gains, the increasing dependence on information and the systems that support it, and advancing risk from an increasing host of threats, are forcing management to make difficult and often costly decisions about how to effectively address information security. In addition, scores of new and existing laws and regulations are increasingly demanding compliance and higher levels of accountability in an effort of governments to address increasingly sophisticated attacks and growing losses that pose mounting threats to their national critical infrastructures.

- Providing greater confidence in interactions with trading partners
- Improving trust in customer relationships
- Protecting the organization’s reputation
- Enabling new and better ways to process electronic transactions
- Providing accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response
- Effective management of information security resources

In summary, because new information technology provides the potential for dramatically enhanced business performance, effective information security can add significant value to the organization by reducing losses from security-related events and providing assurance that security incidents and breaches are not catastrophic. In addition, evidence suggests that improved perception in the market has resulted in increased share value.

1.1.2 OUTCOMES OF INFORMATION SECURITY GOVERNANCE
Information security governance includes the elements required to provide senior management assurance that its direction and intent are reflected in the security posture of the organization by using a structured approach to implementing a security program. Once those elements are in place, senior management can be confident that adequate and effective information security will protect the organization’s vital information assets.

According to the developers of the Business Model for Information Security™ (BMIS™) (see section 1.2.5), “It is no longer enough to communicate to the world of stakeholders why we [the organization] exist and what constitutes success, we must also communicate how we are going to protect our existence.” This suggests that a clear organizational strategy for preservation is equally important to, and must accompany, a strategy for progress.

In addition to protection of information assets, effective information security governance is required to address legal and regulatory requirements and is becoming mandatory in the exercise of due care.

  - Information security overheads that are maintained at a minimum level while maintaining a security program that enables the organization to achieve its objectives
  - A properly prioritized and distributed effort to areas with the greatest probability and highest impact and business benefit
  - Institutionalized and commoditized standards-based solutions with the greatest cost-effectiveness
  - Complete solutions, covering organization and process as well as technology based on an understanding of the end-to-end business of the organization
  - A continuous improvement culture based on the understanding that security is an ongoing process, not an event
4. Resource optimization—Using information security knowledge and infrastructure efficiently and effectively to:
  - Ensure that knowledge is captured and available
  - Document security processes and practices
  - Develop security architecture(s) to define and utilize infrastructure resources efficiently
5. Performance measurement—Monitoring and reporting on information security processes to ensure that objectives are achieved, including:
  - A defined, agreed-upon and meaningful set of metrics that are properly aligned with strategic objectives and provide the information needed for effective decisions at the strategic, management and operational levels
  - Measurement process that helps identify shortcomings and provides feedback on progress made resolving issues
  - Independent assurance provided by external assessments and audits
  - Criteria for separating the most useful metrics from the variety of things that can be measured
6. Assurance process integration—Integrating all relevant assurance factors to ensure that processes operate as intended from end to end by:
  - Determining all organizational assurance functions
  - Developing formal relationships with other assurance functions
  - Coordinating all assurance functions for more cost-effective security
  - Ensuring that roles and responsibilities between assurance functions overlap and leave no gaps in protection
  - Employing a systems approach to information security planning, deployment, metrics and management

1.2 EFFECTIVE INFORMATION SECURITY GOVERNANCE
Information security governance is the responsibility of the board of directors and senior management. It must be an integral and transparent part of enterprise governance and complement or encompass the IT governance framework. While senior management has the responsibility to consider and respond to increasingly complex and potentially destructive information security issues, boards of directors will be required to make information security an intrinsic part of governance, integrated with the processes they have in place to govern other critical organizational resources. This includes monitoring and reporting processes to ensure that governance processes are effective and compliance enforcement is sufficient to reduce risk to acceptable levels.

1.2.1 BUSINESS GOALS AND OBJECTIVES
Corporate governance is the set of responsibilities and practices exercised by the board and senior management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly.

Strategy is the plan to achieve an objective. The strategic direction of the business is defined by the objectives set forth in the strategy. To be of value to the organization, information security must support the business strategy and the activities that take place to achieve the objectives.

Information security governance is a subset of corporate governance. It provides strategic direction for security activities and ensures that objectives are achieved. It ensures that information security risk is appropriately managed and enterprise information resources are used effectively and efficiently.

To achieve effective information security governance, management must establish and ensure maintenance of a framework to guide the development and management of a comprehensive information security program that supports the business objectives.

The governance framework will generally consist of the following:
1. A comprehensive security strategy intrinsically linked with business objectives
2. Governing security policies that clearly express management intent and address each aspect of strategy, controls and regulation
3. A complete set of standards for each policy to ensure that people, procedures, practices and technologies comply with policy requirements and set appropriate security baselines for the enterprise
4. An effective security organizational structure with sufficient authority and adequate resources, void of conflicts of interest
5. Defined workflows and structures that assist in defining responsibilities and accountability for information security governance
6. Institutionalized metrics and monitoring processes to ensure compliance, provide feedback on control effectiveness and provide the basis for appropriate management decisions

This framework provides the basis for developing a cost-effective information security program that supports the organization’s business goals. Implementing and managing a security program is covered in chapter 3. The objective of the program is a set of activities that provide assurance that information assets are given a level of protection commensurate with their business value or with the risk their compromise poses to the organization. The relationships among IT, information security, controls, architecture and the other components of a governance framework are represented in figure 1.1. While linkage between IT and information security may occur at various higher levels, strategy is the point where information security must integrate IT to achieve its objectives.

Note that the main requirement for IT is an adequate level of performance; for information security, it is managing risk to an acceptable level. Once outcomes, requirements and the objectives that will meet the requirements are established, high-level conceptual security architecture can be considered. The security architecture should simply be an overlay on the enterprise architecture, although ideally these would be created simultaneously to “bake in” the security elements.

When the basic information security/risk management strategy is formulated, a logical architecture showing the various functions and data flows can be developed. A road map can then be laid out with the specific steps needed to attain the goals defined in the strategy. The specifics include the control objectives necessary to achieve acceptable risk levels. Some of these objectives will best be achieved with technologies defined in the physical architecture. The physical architecture comprises the specific devices such as servers, databases, firewalls, switches and routers, along with their interconnections. Controls must be developed that are consistent with the standards, and control choices will affect the specifics of both the physical and the operational architectures. Finally, both the strategy and information security procedures are input into the operational architecture.

Figure 1.1 shows the relationship between IT and information security governance and the sequence of the development process. Once the information security strategy has been developed, it must inform the IT strategy to ensure adequate protection for information assets and align subsequent IT development and management processes with information security requirements.

In Practice: Identify an IT-related goal in your organization. Next, consider the IT-related goal in the context of the enterprise’s goals. How does the IT-related goal serve to support the enterprise’s overall goals? If it does not, what could be done to change the goal so it better aligns with the organization? Use the information provided in this chapter to guide your recommendations.
1.2.2 DETERMINING RISK CAPACITY AND ACCEPTABLE RISK (RISK APPETITE)

Every organization has a particular risk capacity, defined as the objective amount of loss an enterprise can tolerate without its continued existence being called into question. Subject to the absolute maximum imposed by this risk capacity, the owners or board of directors of an organization set the risk appetite for the organization. Risk appetite is defined as the amount of risk, on a broad basis, that an entity is willing to accept in pursuit of its mission. In some cases, setting the risk appetite may be delegated by the board of directors to senior management as part of strategic planning.

The determination of acceptable risk (risk appetite) and the criteria by which it is assessed are essential elements for virtually all aspects of information security, as well as for most other organizational activities. They determine many aspects of strategy, including control objectives, control implementation, baseline security, cost-benefit calculations, risk management options, severity criteria, required incident response capabilities, insurance requirements and feasibility assessments, among others.

Risk appetite is translated into a number of standards and policies that contain the risk level within the boundaries set by the risk appetite. These boundaries need to be regularly adjusted or confirmed. Within these boundaries, risk may be accepted. Risk acceptance is a formal and explicit process that affirms that the risk requires and warrants no additional response by the organization as long as it and the risk environment stay substantially the same, and accountability for the risk is assigned to a specific owner. Risk acceptance generally should not exceed the risk appetite of the organization, and it must never exceed the risk capacity (which would threaten the continued existence of the organization). Risk tolerance levels are deviations from risk appetite that are not desirable but are known to be sufficiently below the risk capacity that acceptance of risk is still possible when there is a compelling business need and other options are too costly. Risk tolerance may be defined using IT process metrics or adherence to defined IT procedures and policies, which are a translation of the IT goals that need to be achieved. Like risk appetite, risk tolerance is defined at the enterprise level and reflected in the policies created by senior management. Exceptions can be tolerated at lower levels of the enterprise as long as the overall exposure does not exceed the risk appetite at the enterprise level.

1.2.3 SCOPE AND CHARTER OF INFORMATION SECURITY GOVERNANCE

Information security deals with all aspects of information, in any medium (e.g., written, spoken, electronic), regardless of whether it is being created, viewed, transported, stored or destroyed. This is contrasted with IT security, which is concerned with the security of information within the boundaries of the technology domain, usually in a custodial capacity. It is important to note this distinction. IT usually is not the owner of most of the information in its systems; rather, it owns the machinery that processes it. The information is in IT's care, control and custody, and, therefore, IT functions as a custodian for the data owners.

Many organizations have a corporate security function as well as an IT security operation dealing specifically with the security of the IT systems. While this is an essential function that must be governed by the information security policies and standards, confidential information disclosed in an elevator conversation or sent via the postal mail would be outside the scope of IT security but squarely in the purview of information security.

Cybersecurity is an area of concern and importance to information security governance and management. It draws on both information security and IT security, and although definitions vary widely, a common position holds that cybersecurity is a subdiscipline of information security. Specific areas of concern for cybersecurity include advanced persistent threats (APTs), malware, ransomware, phishing in all its forms, and the host of other threats related to, and enabled by, cyberspace.

In the context of information security governance, it is important that the scope and responsibilities of information security are clearly set forth in the information security strategy and reflected in the policies. It is also essential that information security is fully supported by senior management and the various organizational units. Without clearly defined information security responsibilities, it is impossible to determine accountability.

1.2.4 GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE

Governance, risk management and compliance (GRC) is an example of the growing recognition of the necessity for convergence, or assurance process integration, as discussed in section 1.2.6 Assurance Process Integration—Convergence.

GRC is a term that reflects an approach that organizations can adopt to integrate these three areas. Often stated as a single business activity, GRC includes multiple overlapping and related activities within an organization, which may include internal audit, compliance programs such as those for the US Sarbanes-Oxley Act, ERM, operational risk, incident management and others.

Governance, as discussed previously, is the responsibility of senior management and the board of directors and focuses on creating the mechanisms an organization uses to ensure that personnel follow established processes and policies.

Risk management is the process by which an organization manages risk to acceptable levels within acceptable tolerances, identifies potential risk and its associated impacts, and prioritizes their mitigation based on the organization's business objectives. Risk management develops and deploys internal controls to manage and mitigate risk throughout the organization.

Compliance is the process that records and monitors the policies, procedures and controls needed to ensure that policies and standards are adequately adhered to.

It is important to recognize that effective integration of GRC processes requires that governance is in place before risk can be effectively managed and compliance enforced.
According to Michael Rasmussen, an industry GRC analyst, the challenge in defining GRC is that, individually, each term has "many different meanings within organizations." Development of GRC was initially a response to the US Sarbanes-Oxley Act, but it has evolved into an approach to enterprise risk management (ERM).

While a GRC program can be used in any area of an organization, it is usually focused on the financial, IT and legal areas. Financial GRC is used to ensure proper operation of financial processes and compliance with regulatory requirements. In a similar fashion, IT GRC seeks to ensure proper operation and policy compliance of IT processes. Legal GRC may focus on overall regulatory compliance.

elements linked together by six dynamic interconnections. All aspects of the model interact with each other. If any one part of the model is changed, not addressed or managed inappropriately, the equilibrium of the model is potentially at risk. The dynamic interconnections act as tensions, exerting a push/pull force in reaction to changes in the enterprise, allowing the model to adapt as needed.

Figure 1.2—Business Model for Information Security
3. Process—Includes formal and informal mechanisms (large and small, simple and complex) to get things done and provides a vital link to all of the dynamic interconnections. Processes identify, measure, manage and control risk, availability, integrity and confidentiality, and they also ensure accountability. They derive from the strategy and implement the operational part of the organization element. To be advantageous to the enterprise, processes must:
- Meet business requirements and align with policy
- Consider emergence and be adaptable to changing requirements
- Be well documented and communicated to appropriate human resources
- Be reviewed periodically, once they are in place, to ensure efficiency and effectiveness
4. Technology—Composed of all of the tools, applications and infrastructure that make processes more efficient. As an evolving element that experiences frequent changes, it has its own dynamic risk. Given the typical enterprise's dependence on technology, technology constitutes a core part of the enterprise's infrastructure and a critical component in accomplishing its mission.
- Technology is often seen by the enterprise's management team as a way to resolve security threats and risk. While technical controls are helpful in mitigating some types of risk, technology alone should not be viewed as an information security solution.
- Technology is greatly impacted by users and by organizational culture. Some individuals still mistrust technology; some have not learned to use it; and others feel it slows them down. Regardless of the reason, information security managers must be aware that, just as with physical and administrative controls, some people will try to sidestep technical controls.

Dynamic Interconnections
The dynamic interconnections link the elements together and exert a multidirectional force that pushes and pulls as things change. Actions and behaviors that occur in the dynamic interconnections can force the model out of balance or bring it back to equilibrium. The six dynamic interconnections are:
1. Governance—Steering the enterprise and demanding strategic leadership. Governing sets limits within which an enterprise operates and is implemented within processes to monitor performance, describe activities and achieve compliance while also providing adaptability to emergent conditions. Governing incorporates ensuring that objectives are determined and defined, ascertaining that risk is managed appropriately, and verifying that the enterprise's resources are used responsibly.
2. Culture—A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. It is emergent and learned, and it creates a sense of comfort.
- It is important to understand the culture of the enterprise because it profoundly influences what information is considered, how it is interpreted and what will be done with it.
- Culture may exist on many levels, such as national (legislation/regulation, political and traditional), organizational (policies, hierarchical style and expectations) and social (family, etiquette). It is created from both external and internal factors, and it is influenced by and influences organizational patterns.
3. Enablement and support—Connects the technology element to the process element.
- One way to help ensure that people comply with technical security measures, policies and procedures is to make processes usable and easy. Transparency can help generate acceptance for security controls by assuring users that security will not inhibit their ability to work effectively.
- Many of the actions that affect both technology and processes occur in the enablement and support dynamic interconnection. Policies, standards and guidelines must be designed to support the needs of the business by reducing or eliminating conflicts of interest, remaining flexible to support changing business objectives, and being acceptable and easy for people to follow.
4. Emergence—Connotes surfacing, developing, growing and evolving, and refers to patterns that arise in the life of the enterprise that appear to have no obvious cause and whose outcomes seem impossible to predict and control. The emergence dynamic interconnection (between people and processes) is a place to introduce possible solutions such as feedback loops; alignment with process improvement; and consideration of emergent issues in the system design life cycle, change control and risk management.
5. Human factors—Represents the interaction and gap between technology and people and, as such, is critical to an information security program. If people do not understand how to use technology, do not embrace technology or will not follow pertinent policies, serious security problems can evolve. Internal threats such as data leakage, data theft and misuse of data can occur within this dynamic interconnection. Human factors may arise because of experience level, cultural experiences and differing generational perspectives. Because human factors are critical components in maintaining balance within the model, it is important to train all of the enterprise's human resources on pertinent skills.
6. Architecture—A comprehensive and formal encapsulation of the people, processes, policies and technology that comprise an enterprise's security practices.
- A robust business information architecture is essential to understanding the need for security and designing the security architecture.
- It is within the architecture dynamic interconnection that the enterprise can ensure defense in depth. The design describes how the security controls are positioned and how they relate to the overall enterprise architecture. An enterprise security architecture facilitates security capabilities across lines of business in a consistent and cost-effective manner and enables enterprises to be proactive with their security investment decisions.

1.2.6 ASSURANCE PROCESS INTEGRATION—CONVERGENCE

The tendency to segment security into separate but related functions has created the need to integrate the variety of assurance processes found in a typical organization. These activities are often fragmented and segmented in silos with different reporting structures. They tend to use different terminology and generally reflect different understandings of their processes and outcomes with, at times, little in common. These assurance silos can include risk management, change management, internal and external audit, privacy offices, insurance offices, human resources (HR), legal, and others. Evaluating business processes from start to finish (along with their controls), regardless of which particular assurance process is involved, can mitigate the tendency for security gaps to exist among the various assurance functions.

GRC, discussed in section 1.2.4, is a recent effort to address integration issues among the major functions of governance, risk management and compliance.

BMIS, covered in section 1.2.5, is an effort by ISACA to develop a fully integrated approach to information security using a systems approach.

obtain valuable login information. This situation highlights and reinforces the need to bring together—in fact, converge—all components of an organization's security through an integrated and deliberate approach. To be effective, this converged approach should reach across people, processes and technology, and enable enterprises to prevent, detect, respond to and recover from any type of security incident.

In addition to the costs that companies face to deal with the immediate effects of an incident, security incidents can cause more costly, long-term harm such as damage to reputation and brand. Beyond the impact to market capitalization, if the issue threatens the public good, regulators may intervene, enacting stricter requirements to govern future business practices.
[Figure residue: COBIT RACI chart for the governance practices EDM01.01 Evaluate the governance system, EDM01.02 Direct the governance system and EDM01.03 Monitor the governance system; the role column headings and their responsibility assignments did not survive extraction.]