CISM EXAM PREPARATION
Pre-Course Question 1
Which of the following reasons is the MOST important to
develop a strategy before implementing an information security
program?
A. To justify program development costs
B. To integrate development activities
C. To gain management support for an information security
program
D. To comply with international standards
1
Pre-Course Question 2
How does knowledge of risk appetite help to increase security
control effectiveness?
A. It shows senior management that you understand their
needs.
B. It provides a basis for redistributing resources to mitigate risk
above the risk appetite.
C. It requires continuous monitoring because the entire risk
environment is constantly changing.
D. It facilitates communication with management about the
importance of security.
Pre-Course Question 3
When an organization is setting up a relationship with a third-
party IT service provider, which of the following is one of the
MOST important topics to include in the contract from a security
standpoint?
A. Compliance with international security standards
B. Use of a two-factor authentication system
C. Existence of an alternate hot site in case of business
disruption
D. Compliance with the organization’s information security
requirements
2
Pre-Course Question 4
Which of the following choices is MOST important to verify to
ensure the availability of key business processes at an alternate
site?
A. Recovery time objective
B. Functional delegation matrix
C. Staff availability to the site
D. End-to-end transaction flow
Domain 1
Information Security Governance
3
Domain 1
Establish and/or maintain an information
security governance framework and
supporting processes to ensure that the
information security strategy is aligned with
organizational goals and objectives
Domain 1 (cont’d)
▪ This domain reviews the body of knowledge and
associated tasks necessary to develop an
information security governance structure aligned
with organizational objectives.
4
Domain Objectives
▪ Ensure that the CISM Candidate has the knowledge
necessary to:
– Understand the purpose of information security
governance, what it consists of, and how to accomplish it.
– Understand the purpose of an information security
strategy, its objectives and the reasons and steps required
to develop one.
– Understand the meaning, content, creation and use of
policies, standards, procedures and guidelines and how
they relate to each other.
– Develop business cases and gain commitment from senior
leadership.
– Define governance metrics requirements, selection and
creation.
9
On the CISM Exam
▪ This domain represents 24% (approximately 36
questions) of the CISM exam
Chart: CISM exam weighting by domain
– Domain 1: Information Security Governance, 24%
– Domain 2: Information Security Risk Management, 30%
– Domain 3: Information Security Program Development and Management, 27%
– Domain 4: Information Security Incident Management, 19%
10
5
Governance vs. Management
▪ Governance
– Purpose is to set goals
– “Do the right thing”
▪ Management
– Purpose is to plan, build, execute and monitor activities to
achieve goals
– “Do the thing right”
11
Why Does Governance Matter?
Information is critical to our lives.
Protecting information is key, but costs and benefits vary.
How can we be sure we are choosing the appropriate option?
▪ Governance helps align information security with
business goals and objectives
12
6
Effective Information Security
An effective information security
program:
▪ Supports what the
organization is trying to do
▪ Keeps risk within acceptable
levels
▪ Tracks success and areas of
improvement
▪ Changes with the
organization
13
Domain 1 Overview
▪ Section One: Designing a Strategy and Governance
Framework
▪ Section Two: Gaining Management
Support/Approval
▪ Section Three: Implementing the Security Strategy
Refer to the CISM Job Practice
for Task and Knowledge
Statements.
14
7
Section One
Designing a Strategy and
Governance Framework
Task Statements
▪ T1.1 Establish and/or maintain an information security
strategy in alignment with organizational goals and
objectives to guide the establishment and/or ongoing
management of the information security program.
▪ T1.2 Establish and/or maintain an information security
governance framework to guide activities that support the
information security strategy.
▪ T1.3 Integrate information security governance into
corporate governance to ensure that organizational goals
and objectives are supported by the information security
program.
16
8
Knowledge Statements
How does Section One relate to each of the following
knowledge statements?
Knowledge Statement Connection
K1.1 Techniques are ways to analyze what is needed and how it
differs from what is currently in place.
K1.2 Relationships provide a lens through which to understand
InfoSec.
K1.3 By using security frameworks, organizations can avoid
“reinventing the wheel” by using existing resources and
adapting them to the organization.
K1.4 Standards/frameworks are shortcuts for knowing what is
possible and how to get there.
K1.5 It is important to understand the foundational concepts of
governance along with the insights and lessons from experts.
17
Knowledge Statements
How does Section One relate to each of the following
knowledge statements?
Knowledge Statement Connection
K1.6 Making the most of a framework requires a good understanding
of its benefits and how to put it in place.
K1.7 Other departments or business units may not immediately
understand the value of information security. This makes it
important for the information security organization to
communicate with those outside of the security workspace.
K1.10 An effective program is one that the organization can afford and
that delivers useful, actionable information.
K1.11 The InfoSec program needs to adapt to changes in the complex
ecosystem of the organization to remain useful.
K1.12 Programs are only as good as they are seen to be; a well-
designed program that is poorly communicated won’t get off the
ground.
18
9
Key Terms
Key Term Definition
Control The means of managing risk, including policies, procedures,
guidelines, practices or organizational structures, which can be of an
administrative, technical, management, or legal nature
Framework An outline of what relationships may exist between activities without
specifying how those relationships must be made to work
Policy Overall intention and direction as formally expressed by
management
Risk The combination of the probability of an event and its consequence.
(ISO/IEC 73)
Standard A mandatory requirement, code of practice or specification approved
by a recognized external standards organization, such as
International Organization for Standardization (ISO)
Strategy A high-level plan to achieve an objective
See www.isaca.org/glossary for more key terms.
19
Goals and Strategy
(Figure: Goals → Objectives → Strategy)
• Business goals are set by the board of directors
o Senior management builds the strategy to achieve these goals
• Governance ensures business strategy remains consistent with
business goals
• Information security governance provides strategic guidance for
security
• Information security strategy should be linked to the overall
business strategy
20
10
Outcomes of Information Security
Governance
▪ Six basic outcomes of a security program:
– Strategic alignment
– Risk management
– Value delivery
– Resource optimization
– Performance measurement
– Assurance process integration
21
Risk Appetite
▪ Risk is part of any business activity.
– Potential for greater rewards comes with potential higher
consequences
▪ Risk capacity: Amount of loss an enterprise can tolerate
without its continued existence being questioned.
▪ Risk appetite: The amount of risk that an entity is willing to
accept in pursuit of its mission.
22
11
Strategy and Risk
▪ Purpose of information security: Manage information
risk to an acceptable level
– Understand the risk profile
– Understand risk exposure
– Be aware of risk management priorities
– Ensure sufficient risk mitigation
– Base risk treatment decisions on potential consequences
23
Discussion Question
▪ Why is it important to have a formal process for accepting
risk?
24
12
Governance, Risk and Compliance
(Figure: Governance, Risk and Compliance shown as three linked elements)
▪ GRC is an integrated assurance process
▪ Convergence can exist independently across different
business functions
▪ Information security is often a part of GRC
25
Pitfalls in Strategy Development
▪ Overconfidence/Optimism
▪ Anchoring
▪ Status quo bias
▪ Mental accounting
▪ Herding instinct
▪ False consensus
– Confirmation bias
– Groupthink
26
13
Start with the Goals
▪ What is the goal?
– Typically to assure the reliability of information-related
business processes
▪ Often unaware of what information exists within the
enterprise, criticality, etc.
– Impact cost-effectiveness
▪ Goals help set objectives, which drive strategy
– Should tie to enterprise goals
27
Asset Classification
▪ Initial classification can be
time consuming
– Does not get easier over
time
▪ Best approach is to start as
soon as possible
– Classify new assets when
they are created
– Monitor for changes over
time
28
14
Focus on Data
▪ Information security has traditionally focused on IT
systems.
▪ Business process owners regard IT systems as
tools, while data produced has value
▪ Integration with corporate governance becomes
easier with a data focus
29
Valuation of Data
▪ Criticality of data can be derived from criticality of
processes that use that data.
▪ Sensitivity can be derived by determining
consequences of data leakage.
– Sensitivity of data may be subjective.
– Certain types of data may be considered
sensitive by law or regulation.
30
15
Current Vs. Desired State
▪ Desired State
– Ideal information security environment
– Frameworks/standards helpful to identify outcomes
– Defined desired state makes it easier to identify path from
current state
▪ Current State
– What is actually occurring
– Helps to identify where the environment falls short of the
desired state
▪ Gaps between current and desired state
– Plans for achieving desired state
31
Good to Know
▪ Knowledge of the current state is never quite complete, and
the desired state may change over time.
▪ An accurate view of how things are today and what is a
desired target state is good enough for governance purposes.
32
16
Building the Strategy
▪ Strategy provides a road map
to the desired state
▪ Path could be long depending
on distance between current
and desired state
▪ Should identify:
– Available resources
– Available methods
– Constraints
33
Policies, Standards and Controls
Policies: Governance tools; the “Constitution”
Standards: Part of security architecture; the “Laws”
Controls: Management tools; the “Enforcement”
34
17
Strategy Constraints
▪ Legal
▪ Physical
▪ Ethics
▪ Culture
▪ Costs
▪ Personnel
▪ Organizational structure
▪ Resources
▪ Capabilities
▪ Time
▪ Risk appetite
35
Legal and Regulatory Requirements
▪ Information security linked to
privacy, IP and law
▪ Security strategies for
different regions may be
required
▪ Retention requirements
▪ E-discovery
▪ Treat as any other risk
36
18
Physical Constraints
▪ Include capacity, space, environmental hazards, etc.
▪ Safety of personnel should also be considered
▪ Often ignored and can lead to interruptions or
breaches
▪ Disaster recovery should be considered
37
Ethics and Culture
▪ Ethics
– Perception of the enterprise’s behavior
– Influenced by location and culture
▪ Culture
– Internal culture
– Local culture
38
19
Costs
▪ Justify spending based on a project’s value.
▪ Cost-benefit/financial analysis most widely accepted
▪ ALE
▪ ROI
39
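The Costs slide names ALE and ROI as the accepted ways to justify spending, and the earlier Risk Appetite slide defines appetite as the amount of risk the entity is willing to accept. The following Python is an added worked example, not part of the course material: it computes ALE (SLE × ARO) for a loss scenario, the residual ALE and return on security investment for each candidate control, and flags whether the residual risk lands within a stated appetite. Every scenario, cost and effectiveness figure is constructed for illustration; the percentage reductions are assumptions a real business case would have to evidence.

```python
"""Added worked example: ALE and ROSI used to compare candidate controls
against a stated risk appetite. All figures are constructed, not from
the course material."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario expressed as SLE (loss per event) and ARO (events/year)."""
    name: str
    sle: float  # single loss expectancy, in currency units
    aro: float  # annualized rate of occurrence, events per year

    def ale(self) -> float:
        # ALE = SLE x ARO: the expected yearly loss if nothing changes
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate control: yearly cost plus the assumed fraction by which it
    reduces event frequency (ARO) and/or loss per event (SLE)."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # 0.0 = no effect, 1.0 = eliminates occurrences
    sle_reduction: float = 0.0  # 0.0 = no effect, 1.0 = eliminates the loss


def residual_ale(scenario: Scenario, control: Control) -> float:
    """ALE that remains once the control is in place."""
    sle = scenario.sle * (1.0 - control.sle_reduction)
    aro = scenario.aro * (1.0 - control.aro_reduction)
    return sle * aro


def rosi(scenario: Scenario, control: Control) -> float:
    """Return on security investment: (ALE reduction - cost) / cost."""
    savings = scenario.ale() - residual_ale(scenario, control)
    return (savings - control.annual_cost) / control.annual_cost


def evaluate(scenario: Scenario, controls: list, risk_appetite: float) -> list:
    """Rank controls by ROSI and flag whether each brings residual ALE within
    the appetite (the maximum yearly expected loss management will carry)."""
    rows = []
    for control in controls:
        residual = residual_ale(scenario, control)
        rows.append({
            "control": control.name,
            "residual_ale": residual,
            "rosi": rosi(scenario, control),
            "within_appetite": residual <= risk_appetite,
        })
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


# Constructed sample input: one scenario, three candidate controls and a
# risk appetite expressed as the maximum ALE management is willing to carry.
RANSOMWARE = Scenario("ransomware on file server", sle=200_000.0, aro=0.25)
CANDIDATES = [
    Control("offline backups", annual_cost=12_000.0, sle_reduction=0.70),
    Control("endpoint detection and response", annual_cost=30_000.0,
            aro_reduction=0.60),
    Control("awareness training", annual_cost=5_000.0, aro_reduction=0.20),
]
RISK_APPETITE = 25_000.0

if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: ALE = {RANSOMWARE.ale():,.0f}")
    for row in evaluate(RANSOMWARE, CANDIDATES, RISK_APPETITE):
        flag = "within appetite" if row["within_appetite"] else "ABOVE appetite"
        print(f"{row['control']:<35} residual ALE {row['residual_ale']:>9,.0f}"
              f"  ROSI {row['rosi']:+.2f}  {flag}")
```

Note what the ranking shows: the cheapest control (training) has a healthy ROSI but leaves the residual ALE above appetite on its own, while the most expensive one (EDR) brings risk within appetite yet only breaks even. A business case built this way makes both facts visible to management rather than presenting a single "savings" figure.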
Personnel and Organizational Structure
▪ Personnel
– Resistance to changes can impact the success of strategy
implementation
▪ Organizational structure
– Impacts how a governance strategy can be implemented
– Cooperation is needed
– Senior management buy-in helps to ensure cooperation
40
20
Resources, Capabilities and Time
▪ Resources
– Consider available budgets, TCO and personnel
requirements
▪ Capabilities
– Expertise and skills
▪ Time
– Deadlines/Windows of opportunity
41
Risk Appetite
▪ Risk acceptance and risk tolerance play a major role
▪ Difficult to measure
▪ RTOs/RPOs
42
21
Ongoing Assessment
▪ The information security
strategy needs to be dynamic.
▪ Update assessments
regularly.
43
Discussion Question
▪ What are some reasons that the information risk environment
changes over time?
44
22
Strategy and Framework
• A framework is a scaffold of
interlinked items
• Strategy is the starting point
of the framework
• Ensures that information security
is focused on the right goals
45
Frameworks and Architecture
▪ Frameworks are closely
associated with enterprise
architecture
– Goals = conceptual architecture
– Framework = logical architecture
▪ Physical architecture
implements the logical
architecture through policies,
standards and controls
46
23
Relationship of Governance Elements
47
Third-party Resources
▪ Variety of resources available to use as a basis
– COBIT, CMMI, ISO, etc.
▪ Frameworks define relationships
▪ May derive benefit from certified compliance with
third-party standards (e.g., ISO)
48
24
SABSA Security Architecture Matrix
Source: Copyright SABSA Institute, www.sabsa.org. Reproduced with permission.
49
The Structure of the TOGAF Document
Source: The Open Group; TOGAF, Version 9.1., United Kingdom 2011
50
25
Building Consistency
▪ Integration ensures consistency.
▪ When adding information security to an existing
governance structure, it is not necessary to use a
different framework.
▪ If no general framework is used, find a framework
that is comprehensive and can be used across the
organization
51
Section One
52
26
In the Big Picture (Section One: Designing a Strategy and Governance
Framework)
• Governance authority comes from the board of directors.
• The information security strategy is how the organization manages
risk associated with information assets and ensures that they are
able to support the attainment of business goals.
53
Section One
Exam Review Questions
27
Review Question
Which of the following steps should be FIRST in developing an
information security plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.
55
Review Question
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
56
28
Review Question
The FIRST step to create an internal culture that embraces
information security is to:
A. implement stronger controls.
B. conduct periodic awareness training.
C. actively monitor operations.
D. gain endorsement from executive management.
57
Review Question
The purpose of an information security strategy is to:
A. express the goals of an information security program and the
plan to achieve them.
B. outline the intended configuration of information system
security controls.
C. mandate the behavior and acceptable actions of all
information system users.
D. authorize the steps and procedures necessary to protect
critical information systems.
58
29
Section Two
Gaining Management
Support/Approval
Task Statements
▪ T1.5 Develop business cases to support investments in
information security.
▪ T1.6 Identify internal and external influences to the
organization (e.g., emerging technologies, social media,
business environment, risk tolerance, regulatory
requirements, third-party considerations, threat
landscape) to ensure that these factors are continually
addressed by the information security strategy.
▪ T1.7 Gain ongoing commitment from senior leadership
and other stakeholders to support the successful
implementation of the information security strategy.
60
30
Knowledge Statements
How does Section Two relate to each of the following
knowledge statements?
Knowledge Statement Connection
K1.7 Factors outside of the organization may impact how it
approaches governance, and that approach may not be flexible.
It’s often necessary to change the information security
governance model to align with corporate governance rather
than expecting the reverse.
K1.9 Executives and decision-makers tend to be well-versed in
evaluating business cases. You need to speak their language to
gain support.
K1.10 Understanding costs and benefits helps keep focus on the
value that information security can provide.
61
Knowledge Statements
How does Section Two relate to each of the following
knowledge statements?
Knowledge Statement Connection
K1.11 The information security program exists within a complex
ecosystem of dynamic processes inside and outside of the
organization. It needs to be able to adapt to changes in this
ecosystem to remain relevant and useful.
K1.12 Programs are only as good as they are seen to be. A well-
designed program poorly communicated won’t get off the
ground.
K1.13 Going to the right people at the right times and in the right ways
can make all of the difference in whether a proposal is
approved or rejected. It’s important to know how and when
people want to be contacted and do your best to meet their
expectations whenever possible.
62
31
Key Terms
Key Term Definition
Business case Documentation of the rationale for making a business investment,
used both to support a business decision on whether to proceed with
the investment and as an operational tool to support management of
the investment through its full economic life cycle
Risk tolerance The acceptable level of variation that management is willing to allow
for any particular risk as the enterprise pursues its objectives
Stakeholder Anyone who has a responsibility for, an expectation from or some
other interest in the enterprise. Examples: shareholders, users,
government, suppliers, customers and the public
Threat landscape The set of all known threats facing the organization
See www.isaca.org/glossary for more key terms.
63
Commitment is Key
▪ Senior management backing
is essential to success
▪ Information security may need
to educate senior managers
to get them on board
▪ Use business language, not
technical jargon
64
32
Selling the Strategy
▪ The security strategy should manage information risk
at an acceptable level in line with the business
strategy.
▪ Information security managers need to convey the
value proposition of what is proposed.
65
Lay the Foundation
▪ Workshops or briefings
can set the stage for
strategy implementation.
▪ Try to anticipate
issues/concerns
managers already have
66
33
Roles and Responsibilities
▪ Board of Directors
– Need to be aware of information assets
– Provided with high-level results of risk assessments and BIAs
– Exercise due care in protecting key assets
▪ Senior Management
– Ensure needed functions/resources are available
– Ensure resources are properly utilized
– Promote cooperation, arbitrate when needed and set priorities
67
Roles and Responsibilities
▪ Steering committee
– Comprised of senior representatives of groups impacted by
information security
– Ensures alignment of security program with business
objectives
▪ Common topics:
– Security strategy and integration efforts
– Specific actions and progress related to business unit
support of information security program functions
– Emerging risk, business unit security practices and
compliance issues
68
34
Roles and Responsibilities
▪ Chief Risk Officer
– Generally responsible for all non-information risk and
overall ERM
▪ Chief Information Officer
– Responsible for IT planning, budgeting and performance
▪ Chief Information Security Officer
– Similar functions as information security manager with
more strategic and management elements; IT strategy
69
Good to Know
▪ May not be an official position
– Trends have shown most organizations have a CISO in
charge of the security program
– Some organizations have a CSO over information security
and physical security.
▪ Most often reports to the CEO, followed by the CIO
and board
– Conflicts of interest may arise if the CISO reports to the
CIO because security is often seen as a constraint on IT
70
35
Tracking Roles
Source: ISACA, COBIT 5: Enabling Processes, USA, 2012
71
Activity
▪ Complete the following RACI chart.
72
36
Activity Answers
Columns (left to right): Information Security Manager, Board of
Directors, Chief Information Officer, Chief Executive Officer,
Business Process Owner
– Define target IT capabilities: C R A I
– Conduct a gap analysis: R A R
– Define the strategic plan and road map: C A C
– Communicate the IT strategy and direction: I I R R I
73
The Business Case
▪ Provides a formal proposal for
a project
– Likely costs
– Benefits
▪ Should have enough detail to
explain the why of a project
and what it will deliver back
74
37
Preparing a Business Case
▪ Elements of a feasibility study
– Project scope
– Current analysis
– Requirements
– Recommended approach
– Evaluation
– Formal review
Note: The feasibility study focuses on direct, up-front costs,
while the business case should focus on total cost of ownership.
75
The Business Case and Project Management
▪ The business case drives the decision process
– If it is no longer valid, the project should be reviewed
– Used at stage gates (kill points)
– Reevaluation/reapproval needed when circumstances
change
76
38
Communicating Value
▪ Value can be estimated as
revenue, savings or both
▪ An effective information
security program:
– Reduces likelihood of a
significant event
– Reduces the losses from an
event
▪ Either of the two outcomes
equals savings
77
Stakeholder Buy-in
▪ Other groups are affected by the information security
proposal
▪ Stakeholders may be internal/external
▪ Failure to achieve buy-in can sabotage your proposal
78
39
Discussion Question
▪ Who are some of the stakeholders in an organization’s
information security strategy?
79
Internal Stakeholders
▪ Managers responsible for key business processes
▪ Managers responsible for revenue-producing
activities
▪ Human resources
▪ Legal and privacy
Note: The business case should be updated to note
requests, even if they are not accepted.
80
40
External Stakeholders
▪ Service providers
▪ Critical vendors
▪ Outsourcing partners
▪ Consumers/members
▪ Information security may
be affected by contracts.
81
Presenting the Strategy
▪ Can be used to educate
and communicate
▪ Common factors for
acceptance:
– Aligning security with
business objectives
– Identifying potential
consequences
– Identifying budget items
– Using common risk/benefit
or financial models
– Defining monitoring and
auditing measures
82
41
Presenting the Strategy
▪ Remember: You are the subject matter expert!
– Be concise, but be honest
– Senior management may not realize the impact of
reputational damage
▪ Alignment is key: If the strategy is aligned with the
business, it is more likely to be approved.
83
Section Two
84
42
In the Big Picture (Section Two: Gaining Management Support/Approval)
• The information security strategy supports the goals and business
strategy of the organization.
• Having senior leadership approval to implement the strategy is
essential because it provides access to resources and helps to
remove procedural roadblocks.
85
Section Two
Exam Review Questions
43
Review Question
Senior management commitment and support for information
security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risk to the organization.
C. evaluate the organization against good security practices.
D. tie security risk to key business objectives.
87
Review Question
A security manager is preparing a report to obtain the
commitment of executive management to a security program.
Inclusion of which of the following items would be of MOST
value?
A. Examples of genuine incidents at similar organizations
B. Statement of generally accepted good practices
C. Associating realistic threats to corporate objectives
D. Analysis of current technological exposures
88
44
Review Question
The MOST important requirement for gaining management
commitment to the information security program is to:
A. benchmark a number of successful organizations.
B. demonstrate potential losses and other impacts that can
result from a lack of support.
C. inform management of the legal requirements of due care.
D. demonstrate support for desired outcomes.
89
Review Question
Which of the following situations would MOST inhibit the
effective implementation of security governance?
A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. Lack of high-level sponsorship
90
45
Section Three
Implementing the Security Strategy
Task Statements
▪ T1.4 Establish and maintain information security policies
to guide the development of standards, procedures and
guidelines in alignment with enterprise goals and
objectives.
▪ T1.8 Define, communicate and monitor information
security responsibilities throughout the organization (e.g.,
data owners, data custodians, end users, privileged or
high-risk users) and lines of authority
▪ T1.9 Establish, monitor, evaluate and report key
information security metrics to provide management with
accurate and meaningful information regarding the
effectiveness of information security strategy
92
46
Knowledge Statements
How does Section Three relate to each of the following
knowledge statements?
Knowledge Statement Connection
K1.2 Relationships provide a lens through which to understand
information security.
K1.8 Policies require executive support to be effective, so you need
to know how to engage the people at the top in ways that fit
your organizational culture. If the executives aren’t willing to
follow a policy they put in place, neither will anyone else.
K1.10 An effective program is one that the organization can afford and
that delivers useful, accountable information.
93
Knowledge Statements
How does Section Three relate to each of the following
knowledge statements?
(Pg. 19 of the Review Manual)
Knowledge Statement Connection
K1.15 Information security can require involvement at virtually any
level of an organization—from functional teams up to the board
of directors. It’s critical to know how information flows and who
approves which levels of escalation.
K1.16 The right people need to get the right information at the right
times. Understanding the structure helps avoid overlooking
anyone who may need to know something and also makes it
easier to limit reporting of what may be sensitive information.
K1.17 Organizations change over time, and changes to reporting
relationships and structures outside of the information security
function may not always be widely communicated. Develop a
way to monitor these changes as they occur and build them into
the governance process.
94
47
Knowledge Statements
How does Section Three relate to each of the
following knowledge statements?
Knowledge Statement Connection
K1.18 Avoid creating new communication methods whenever existing
methods can be adapted or expanded to include information
security. When new channels are needed, understand how your
organization expects them to be evaluated and approved
before they’re established.
K1.19 Information security covers a huge array of processes,
technologies and concerns that can be individually or
collectively monitored. Identifying the key indicators for risk,
performance and other considerations helps make reporting
more effective.
95
Key Terms
Key Term Definition
Data custodian The individual(s) and department(s) responsible for the
storage and safeguarding of computerized data
Guideline A description of a particular way of accomplishing something
that is less prescriptive than a procedure.
Metric A quantifiable entity that allows the measurement of the
achievement of a process goal
Procedure A document containing a detailed description of the steps
necessary to perform specific operations in conformance with
applicable standards. Procedures are defined as part of
processes.
See www.isaca.org/glossary for more key terms.
96
48
Policies
▪ Directly traceable to strategy
elements
▪ Broad enough to not require
regular revision, but should be
periodically reviewed
▪ Approved at the highest level
▪ Pave the way for effective
implementation
97
Policies
▪ Attributes of good policies:
– Should capture the intent, expectations and direction of
management
– Should state only one general security mandate
– Must be clear and easily understood
– Includes just enough context to be useful
– Rarely number more than two dozen in total
98
49
Setting Standards
▪ Provide measurement for compliance
▪ Govern procedure and guideline creation
▪ Set security baselines
▪ Reflect acceptable risk and control objectives
▪ Act as criteria for evaluating acceptable risk
▪ Are unambiguous, consistent and precise
▪ Are disseminated to those governed by them and
those impacted
99
Setting Standards
▪ Third-party standards are
typically prescriptive to allow
for certification.
– If used as a reference, your
organization may have some
flexibility when using the
standard.
▪ Exception processes must be
developed
100
50
Discussion Question
▪ Once standards are set, what are some factors that may
determine whether or not they are followed?
101
Training and Awareness
▪ People need to be aware of security policies and
standards in order to be compliant.
▪ Training and awareness go beyond publishing a
policy
– Type should be appropriate to logistics, culture, etc.
– Relevant to the audience
102
51
Tone at the Top
▪ Employees emulate the
behavior of management
▪ If managers ignore standards
and policies, fewer people will
follow them.
103
Controls
▪ Influence the behaviors of people, processes and
technology in order to manage risk to acceptable
levels
▪ Keep in mind:
– Controls are not always as effective as intended
– Controls may not address all outcomes
– Changes in technology may render controls obsolete
104
52
Discussion Question
▪ What are some examples of how changes in technology can
bypass or negate previously effective controls?
105
IT Controls
▪ Constitute the majority of controls in an organization
▪ Control objective: “A statement of the desired result
or purpose to be achieved by implementing control
procedures in a particular IT activity.”
106
53
Layered Defense
▪ Deploying controls in layers is good practice
– Defense in depth
▪ Uses:
– To provide additional protection in the event of a control
failure
– Because a single control is known to be inadequate
▪ Controls tailored to specific threats may be more
cost effective
107
Layered Defense
108
54
Countermeasures
▪ Designed to reduce a single vulnerability or a threat
▪ Can be passive or active
▪ Should be considered from a strategic perspective
109
Non-IT Controls
▪ Information security extends beyond IT
▪ Include:
– Secure marking, handling and storage
– Efforts to prevent social engineering
▪ Can help to mitigate risk posed by individual
judgement calls
110
55
Discussion Question
▪ One example of a non-IT control is educating people on the
importance of not writing down or sharing passwords. What
others come to mind?
111
Procedures
▪ A non-IT control that directs precisely how something is to
be done
▪ Responsibility of operations staff
– Use unambiguous language
– Include all necessary steps
▪ Ensure an organization can continue operations
even if regular staff are unavailable
112
56
Good to Know
▪ People tend to memorize their actions when doing something
regularly and may not refer to procedures.
▪ This makes it harder to keep procedures up to date and
increases the probability of errors.
▪ Checklists are helpful to promote regular use of procedures.
113
Guidelines
▪ Contain information that will be helpful in executing
procedures
▪ Enable use of individual judgement
▪ Can be helpful when an outcome needs to be
achieved, but the how does not matter
114
57
Metrics and Measurement
▪ Security metrics tell us about the state of security
relative to a reference point
▪ Technical metrics of little value from a strategic
standpoint
115
Metrics and Measurement
▪ Metrics should be SMART:
– Specific
– Measurable
– Attainable
– Relevant
– Timely
▪ Avoid measuring something
simply because it can be
measured.
Metrics at the Strategic Level
▪ Key goal indicators (KGIs) and key performance
indicators (KPIs) can be useful for process or service
goals.
▪ High-level metrics related to implementing a strategy
include:
– Alignment with business goals and objectives
– Management of risk to acceptable levels
– Effective management of resources
– Performance and value delivery
Risk Management Metrics
▪ Indicators of appropriate risk management include:
– Defined risk appetite and tolerance
– Process for management of adverse impacts
– Trends in periodic risk assessment and impacts
– Completeness of asset inventory
– Ratio of security incidents from known to unknown
security risks
Value Delivery Metrics
▪ KGIs and KPIs include:
– The cost of security being proportional to the value of
assets
– Security resources that are allocated by degree of
assessed risk and potential impact
– Protection costs that are aggregated as a function of
revenues or asset valuation
– An adequate and appropriate number of controls to
achieve acceptable risk and impact levels
– Policies in place that require all controls to be periodically
reevaluated for cost, compliance and effectiveness
– The use and effectiveness of controls
Resource Management Metrics
▪ Indicators of effective resource management include:
– Infrequent problem solution rediscovery
– Effective knowledge capture and dissemination
– Clearly defined roles and responsibilities
– The percentage of information assets and related threats
adequately addressed by security activities
– The proper organizational location, level of authority and
number of personnel for the information security function
– Resource utilization levels
– Staff productivity
– Per-seat cost of security services
Performance Measurement
▪ Indicators of effective performance measurement
include:
– The time required to detect and report security events
– The number and frequency of unreported incidents
– Benchmarking comparable organizations for costs and
effectiveness
– Knowledge of evolving and impending threats
– Methods of tracking evolving risk
– Consistency of log review practices
– Results of BCP/DR tests
– Extent to which key controls are monitored
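The risk management and performance measurement indicators above (time to detect and report security events, the ratio of incidents arising from known versus unknown risks, and breaches of a defined tolerance) are only useful if they are actually computed from the incident register on a regular basis. The following is an added example, not part of the CISM material, showing how these three metrics can be derived from a small constructed incident register. The register layout, the risk IDs (R-07, R-12) and the 24-hour detection tolerance are assumptions made for the illustration.

```python
"""Added example: computing strategic security metrics from an incident register.
Not part of the CISM course material; register format and values are constructed."""
from datetime import datetime
from statistics import median

# Constructed sample register (not real data). One incident per line:
# incident_id, occurred, detected, reported, risk_id
# An empty risk_id means the incident did not map to any risk already in the
# risk register, i.e. it came from an "unknown" risk.
INCIDENT_REGISTER = """\
INC-001,2024-03-01T08:00,2024-03-01T09:30,2024-03-01T10:00,R-12
INC-002,2024-03-03T22:15,2024-03-05T07:00,2024-03-05T09:00,
INC-003,2024-03-10T13:00,2024-03-10T13:05,2024-03-10T14:00,R-07
INC-004,2024-03-12T02:00,2024-03-14T10:00,2024-03-14T10:30,R-12
INC-005,2024-03-20T16:40,2024-03-20T17:00,2024-03-21T09:00,
"""

# Assumed tolerance: management has decided an incident must be detected
# within 24 hours of occurring. This figure is illustrative only.
DETECTION_TOLERANCE_HOURS = 24.0


def parse_register(text):
    """Parse the CSV-style register into a list of dicts with datetime fields."""
    rows = []
    for line in text.strip().splitlines():
        inc_id, occurred, detected, reported, risk_id = line.split(",")
        rows.append({
            "id": inc_id,
            "occurred": datetime.fromisoformat(occurred),
            "detected": datetime.fromisoformat(detected),
            "reported": datetime.fromisoformat(reported),
            "risk_id": risk_id or None,
        })
    return rows


def _hours(delta):
    return delta.total_seconds() / 3600.0


def detection_metrics(rows):
    """Time to detect (occurred -> detected) and time to report (detected -> reported).

    Both mean and median are returned because a single slow detection (INC-004 in
    the sample) drags the mean up; the median shows the typical case."""
    ttd = [_hours(r["detected"] - r["occurred"]) for r in rows]
    ttr = [_hours(r["reported"] - r["detected"]) for r in rows]
    return {
        "mean_hours_to_detect": sum(ttd) / len(ttd),
        "median_hours_to_detect": median(ttd),
        "max_hours_to_detect": max(ttd),
        "mean_hours_to_report": sum(ttr) / len(ttr),
    }


def known_vs_unknown(rows):
    """Ratio of incidents that map to a known (registered) risk versus those that do not.

    A falling ratio means the risk assessment is missing real threats."""
    known = sum(1 for r in rows if r["risk_id"])
    unknown = len(rows) - known
    ratio = known / unknown if unknown else float("inf")
    return {"known": known, "unknown": unknown, "ratio_known_to_unknown": ratio}


def tolerance_breaches(rows, max_hours=DETECTION_TOLERANCE_HOURS):
    """Incident IDs whose time to detect exceeded the defined tolerance."""
    return [r["id"] for r in rows
            if _hours(r["detected"] - r["occurred"]) > max_hours]


if __name__ == "__main__":
    incidents = parse_register(INCIDENT_REGISTER)
    for name, value in detection_metrics(incidents).items():
        print(f"{name}: {value:.2f}")
    print(known_vs_unknown(incidents))
    print("detection tolerance breached:", tolerance_breaches(incidents))
```

Reported to management, the output of such a script is a trend, not a snapshot: the same register is re-run each period and the direction of the median time to detect, the known-to-unknown ratio and the count of tolerance breaches is what indicates whether the program is meeting its goals.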
Auditing and Compliance
▪ Audits can be useful as a means of identifying
shortfalls.
▪ Senior managers tend to believe audit reports.
▪ Audit reports indicate what has already happened.
– Useful for insight
– Cannot be used as the only means of identifying problems
Section Three
Implementing the Security Strategy
In the Big Picture
▪ The success of an information security strategy depends on
the behavior of people, processes and technology.
▪ Security is dynamic, and regular monitoring and auditing are
needed.
Section Three
Exam Review Questions
Review Question
The enactment of policies and procedures for preventing hacker
intrusions is an example of an activity that belongs to:
A. risk management.
B. compliance.
C. IT management.
D. governance.
Review Question
Which of the following choices would be the MOST significant
key risk indicator?
A. A deviation in employee turnover
B. The number of packets dropped by the firewall
C. The number of viruses detected
D. The reporting relationship of IT
Review Question
Which person or group should have final approval of an
organization’s information technology (IT) security policies?
A. Business unit managers
B. Chief information security officer
C. Senior management
D. Chief information officer
Review Question
Which of the following is the PRIMARY reason to change
policies during program development?
A. The policies must comply with new regulatory and legal
mandates.
B. Appropriate security baselines are no longer set in the
policies.
C. The policies no longer reflect management intent and
direction.
D. Employees consistently ignore the policies.
Domain 1
Summary
Summary
▪ Effective information security governance requires
alignment with business goals.
▪ Senior management commitment to the information
security strategy is key to success.
▪ Security is dynamic, so metrics are key to
determining success and monitoring is required to
indicate any issues.
Questions