
CISM EXAM PREPARATION

Copyright 2016 ISACA. All rights reserved.


Pre-Course Question 1

Which of the following reasons is the MOST important to
develop a strategy before implementing an information
security program?

A. To justify program development costs
B. To integrate development activities
C. To gain management support for an information security
program
D. To comply with international standards


Pre-Course Question 2

How does knowledge of risk appetite help to increase
security control effectiveness?

A. It shows senior management that you understand their
needs.
B. It provides a basis for redistributing resources to
mitigate risk above the risk appetite.
C. It requires continuous monitoring because the entire risk
environment is constantly changing.
D. It facilitates communication with management about the
importance of security.


Pre-Course Question 3

When an organization is setting up a relationship with a
third-party IT service provider, which of the following is one
of the MOST important topics to include in the contract from
a security standpoint?

A. Compliance with international security standards
B. Use of a two-factor authentication system
C. Existence of an alternate hot site in case of business
disruption
D. Compliance with the organization's information security
requirements


Pre-Course Question 4

Which of the following choices is MOST important to verify
to ensure the availability of key business processes at an
alternate site?

A. Recovery time objective
B. Functional delegation matrix
C. Staff availability to the site
D. End-to-end transaction flow


Domain 1

Information Security Governance



Domain 1

Establish and/or maintain an information
security governance framework and
supporting processes to ensure that the
information security strategy is aligned
with organizational goals and objectives.


Domain 1 (cont'd)

This domain reviews the body of knowledge and
associated tasks necessary to develop an
information security governance structure
aligned with organizational objectives.


Domain Objectives

Ensure that the CISM candidate has the knowledge
necessary to:
Understand the purpose of information security
governance, what it consists of, and how to accomplish it.
Understand the purpose of an information security
strategy, its objectives and the reasons and steps required
to develop one.
Understand the meaning, content, creation and use of
policies, standards, procedures and guidelines and how
they relate to each other.
Develop business cases and gain commitment from senior
leadership.
Define governance metrics requirements, selection and
creation.
On the CISM Exam

This domain represents 24% (approximately 36
questions) of the CISM exam.

Exam weighting by domain:
Domain 1: Information Security Governance, 24%
Domain 2: Information Risk Management, 30%
Domain 3: Information Security Program Development and Management, 27%
Domain 4: Information Security Incident Management, 19%


Governance vs. Management

Governance: Purpose is to set goals. "Do the right thing."
Management: Purpose is to plan, build, execute and monitor
activities to achieve goals. "Do the thing right."


Why Does Governance Matter?

Information is critical to our lives.

Protecting information is key, but costs and benefits vary.

How can we be sure we are choosing the appropriate option?

Governance helps align information security
with business goals and objectives.
Effective Information Security

An effective information
security program:
Supports what the
organization is trying to do
Keeps risk within
acceptable levels
Tracks success and areas
of improvement
Changes with the
organization



Domain 1 Overview

Section One: Designing a Strategy and
Governance Framework
Section Two: Gaining Management
Support/Approval
Section Three: Implementing the Security
Strategy

Refer to the CISM Job Practice for Task and
Knowledge Statements.


Section One

Designing a Strategy and Governance Framework


Task Statements
T1.1 Establish and/or maintain an information
security strategy in alignment with organizational
goals and objectives to guide the establishment
and/or ongoing management of the information
security program.

T1.2 Establish and/or maintain an information
security governance framework to guide activities
that support the information security strategy.

T1.3 Integrate information security governance into
corporate governance to ensure that organizational
goals and objectives are supported by the
information security program.


Knowledge Statements

How does Section One relate to each of the following
knowledge statements?

Knowledge statement and its connection to this section:
K1.1 Techniques are ways to analyze what is needed and how it
differs from what is currently in place.
K1.2 Relationships provide a lens through which to understand
information security.
K1.3 By using security frameworks, organizations can avoid
reinventing the wheel, using existing resources and
adapting them to the organization.
K1.4 Standards/frameworks are shortcuts for knowing what is
possible and how to get there.
K1.5 It is important to understand the foundational concepts of
governance along with the insights and lessons from
experts.


Knowledge Statements

How does Section One relate to each of the following
knowledge statements?

Knowledge statement and its connection to this section:
K1.6 Making the most of a framework requires a good
understanding of its benefits and how to put it in place.
K1.7 Other departments or business units may not immediately
understand the value of information security. This makes it
important for the information security organization to
communicate with those outside of the security workspace.
K1.10 An effective program is one that the organization can
afford and that delivers useful, actionable information.
K1.11 The information security program needs to adapt to changes in the
complex ecosystem of the organization to remain useful.
K1.12 Programs are only as good as they are seen to be; a well-
designed program that is poorly communicated won't get
off the ground.


Key Terms

Control: The means of managing risk, including policies, procedures,
guidelines, practices or organizational structures, which can be
of an administrative, technical, management, or legal nature.
Framework: An outline of what relationships may exist between activities
without specifying how those relationships must be made to
work.
Policy: Overall intention and direction as formally expressed by
management.
Risk: The combination of the probability of an event and its
consequence. (ISO/IEC 73)
Standard: A mandatory requirement, code of practice or specification
approved by a recognized external standards organization,
such as the International Organization for Standardization (ISO).
Strategy: A high-level plan to achieve an objective.

See www.isaca.org/glossary for more key terms.
Goals and Strategy

Business goals are set by the board of directors.
Senior management builds the strategy to achieve these goals.
Governance ensures business strategy remains consistent with business goals.
Information security governance provides strategic guidance for security.
Information security strategy should be linked to the overall business
strategy.

(Diagram: Goals, Objectives, Strategy.)


Outcomes of Information Security
Governance
Six basic outcomes of a security program:
Strategic alignment
Risk management
Value delivery
Resource optimization
Performance measurement
Assurance process integration



Risk Appetite

Risk is part of any business activity.
Potential for greater rewards comes with potential higher
consequences.
Risk capacity: Amount of loss an enterprise can tolerate
without its continued existence being questioned.
Risk appetite: The amount of risk that an entity is willing
to accept in pursuit of its mission.


Strategy and Risk

Purpose of information security: Manage
information risk to an acceptable level.
Understand the risk profile.
Understand risk exposure.
Be aware of risk management priorities.
Ensure sufficient risk mitigation.
Base risk treatment decisions on potential
consequences.


Discussion Question

Why is it important to have a formal process for
accepting risk?


Governance, Risk and Compliance

GRC is an integrated assurance process.
Convergence can exist independently across different
business functions.
Information security is often a part of GRC.

(Diagram: Governance, Risk, Compliance.)


Pitfalls in Strategy Development

Overconfidence/Optimism
Anchoring
Status quo bias
Mental accounting
Herding instinct
False consensus
Confirmation bias
Groupthink



Start with the Goals

What is the goal?
Typically to assure the reliability of information-related
business processes.
Organizations are often unaware of what information exists within
the enterprise, its criticality, etc.
This impacts cost-effectiveness.
Goals help set objectives, which drive strategy.
Objectives should tie to enterprise goals.


Asset Classification

Initial classification can be time consuming.
It does not get easier over time.
The best approach is to start as soon as possible.
Classify new assets when they are created.
Monitor for changes over time.


Focus on Data

Information security has traditionally focused on
IT systems.
Business process owners regard IT systems as
tools, while the data produced has value.
Integration with corporate governance becomes
easier with a data focus.


Valuation of Data

Criticality of data can be derived from the criticality
of the processes that use that data.
Sensitivity can be derived by determining the
consequences of data leakage.
Sensitivity of data may be subjective.
Certain types of data may be considered
sensitive by law or regulation.


Current Vs. Desired State

Desired state:
Ideal information security environment.
Frameworks/standards are helpful to identify outcomes.
A defined desired state makes it easier to identify the path from
the current state.

Current state:
What is actually occurring.
Helps to identify where the environment falls short of the
desired state.

Gap analysis:
Gaps between current and desired state.
Plans for achieving the desired state.


Good to Know

Knowledge of the current state is never quite complete,
and the desired state may change over time.
An accurate view of how things are today and what the
desired target state is is good enough for governance
purposes.


Building the Strategy

Strategy provides a road map to the desired state.
The path could be long depending on the distance
between current and desired state.
Should identify:
Available resources
Available methods
Constraints


Policies, Standards and Controls

Policies: governance tools; analogous to a constitution.
Standards: management tools; analogous to laws.
Controls: part of the security architecture; analogous to enforcement.


Strategy Constraints

Legal
Physical
Ethics
Culture
Costs
Personnel
Organizational structure
Resources
Capabilities
Time
Risk appetite
Legal and Regulatory Requirements

Information security is linked to privacy, IP and law.
Security strategies for different regions may be
required.
Retention requirements
E-discovery
Treat as any other risk.


Physical Constraints

Include capacity, space, environmental hazards,
etc.
Safety of personnel should also be considered.
Often ignored, and can lead to interruptions or
breaches.
Disaster recovery should be considered.


Ethics and Culture

Ethics
Perception of the enterprise's behavior
Influenced by location and culture
Culture
Internal culture
Local culture


Costs

Justify spending based on a project's value.
Cost-benefit/financial analysis is the most widely
accepted approach:
ALE (annualized loss expectancy)
ROI (return on investment)
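The ALE and ROI figures above are what a cost-benefit analysis actually computes. As an added example (not from the ISACA deck), the Python below computes ALE = SLE x ARO, ranks candidate controls by return on security investment (ROSI), and rejects any option that leaves residual ALE above the stated risk appetite, since the appetite is a constraint and ROSI is only the objective. All figures, control names and the appetite value are constructed for illustration.

```python
"""Added example (not from the ISACA deck): comparing control options by
ALE and ROSI against a risk appetite. All figures are constructed."""
from dataclasses import dataclass
from typing import List, Optional


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from one threat scenario."""
    return sle * aro


@dataclass(frozen=True)
class ControlOption:
    name: str
    annual_cost: float    # total cost of ownership per year, not just purchase price
    residual_sle: float   # single loss expectancy once the control is in place
    residual_aro: float   # annual rate of occurrence once the control is in place

    def residual_ale(self) -> float:
        return annualized_loss_expectancy(self.residual_sle, self.residual_aro)


def return_on_security_investment(baseline_ale: float, option: ControlOption) -> float:
    """ROSI = (risk reduction - annual cost) / annual cost.

    Positive means the control saves more than it costs; this is the
    cost-benefit figure a business case is expected to carry.
    """
    reduction = baseline_ale - option.residual_ale()
    return (reduction - option.annual_cost) / option.annual_cost


def select_control(baseline_ale: float, appetite_ale: float,
                   options: List[ControlOption]) -> Optional[ControlOption]:
    """Pick the best-ROSI option whose residual ALE is within the risk appetite.

    Options that leave residual risk above the appetite are rejected even if
    their ROSI is highest. Returns None when no option satisfies the appetite,
    which is the signal to combine controls or revisit the appetite.
    """
    acceptable = [o for o in options if o.residual_ale() <= appetite_ale]
    if not acceptable:
        return None
    return max(acceptable, key=lambda o: return_on_security_investment(baseline_ale, o))


# Constructed scenario: a data-breach scenario with SLE 500,000 and ARO 0.2
# (roughly once in five years), giving a baseline ALE of 100,000 per year.
BASELINE_ALE = annualized_loss_expectancy(500_000, 0.2)
RISK_APPETITE_ALE = 22_000   # hypothetical maximum acceptable annual loss

OPTIONS = [
    # Cheap control that only cuts likelihood (hypothetical: phishing-resistant MFA)
    ControlOption("mfa", annual_cost=30_000, residual_sle=500_000, residual_aro=0.05),
    # Pricier control that mostly cuts impact (hypothetical: encryption and tokenization)
    ControlOption("encryption", annual_cost=60_000, residual_sle=100_000, residual_aro=0.2),
    # Expensive control that removes the scenario (hypothetical: retiring the data store)
    ControlOption("decommission", annual_cost=90_000, residual_sle=0, residual_aro=0),
]

if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name:13s} residual ALE {o.residual_ale():>9,.0f}  "
              f"ROSI {return_on_security_investment(BASELINE_ALE, o):+.2f}")
    chosen = select_control(BASELINE_ALE, RISK_APPETITE_ALE, OPTIONS)
    print("selected:", chosen.name if chosen else "none within appetite")
```

With these numbers the cheapest option has the best ROSI (1.5) but leaves residual ALE at 25,000, above the 22,000 appetite, so the second option is selected; raising the appetite to 30,000 flips the choice. That interaction between appetite and cost-benefit is the point of Pre-Course Question 2.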


Personnel and Organizational Structure

Personnel
Resistance to changes can impact the success of
strategy implementation
Organizational structure
Impacts how a governance strategy can be
implemented
Cooperation is needed
Senior management buy-in helps to ensure
cooperation



Resources, Capabilities and Time

Resources
Consider available budgets, TCO and personnel
requirements
Capabilities
Expertise and skills
Time
Deadlines/Windows of opportunity



Risk Appetite

Risk acceptance and risk tolerance play a major
role.
Difficult to measure.
RTOs/RPOs express the tolerance for downtime and data loss.


Ongoing Assessment

The information security strategy needs to be
dynamic.
Update assessments regularly.


Discussion Question

What are some reasons that the information risk
environment changes over time?


Strategy and Framework

A framework is a scaffold of
interlinked items
Strategy is the starting
point of the framework
Ensures that information
security is focused on the right
goals



Frameworks and Architecture

Frameworks are closely associated with enterprise
architecture.
Goals = conceptual architecture
Framework = logical architecture
Physical architecture implements the logical
architecture through policies, standards and
controls.


Relationship of Governance Elements



Third-party Resources

A variety of resources are available to use as a basis:
COBIT, CMMI, ISO, etc.
Frameworks define relationships.
May derive benefit from certified compliance with
third-party standards (e.g., ISO).


SABSA Security Architecture Matrix

Source: Copyright SABSA Institute, www.sabsa.org. Reproduced with permission.



The Structure of the TOGAF Document

Source: The Open Group; TOGAF, Version 9.1, United Kingdom, 2011


Building Consistency

Integration ensures consistency.
When adding information security to an existing
governance structure, it is not necessary to use
a different framework.
If no general framework is used, find a
framework that is comprehensive and can be
used across the organization.


Section One



In the Big Picture

Governance authority comes from the board of directors.

The information security strategy is how the
organization manages risk associated with information
assets and ensures that they are able to support the
attainment of business goals.


Section One

Exam Review Questions



Review Question

Which of the following steps should be FIRST in developing
an information security plan?

A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.


Review Question

Information security governance is PRIMARILY driven by:

A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.



Review Question

The FIRST step to create an internal culture that embraces
information security is to:

A. implement stronger controls.
B. conduct periodic awareness training.
C. actively monitor operations.
D. gain endorsement from executive management.


Review Question

The purpose of an information security strategy is to:

A. express the goals of an information security program
and the plan to achieve them.
B. outline the intended configuration of information system
security controls.
C. mandate the behavior and acceptable actions of all
information system users.
D. authorize the steps and procedures necessary to
protect critical information systems.


Section Two

Gaining Management
Support/Approval



Task Statements
T1.5 Develop business cases to support
investments in information security.

T1.6 Identify internal and external influences to the
organization (e.g., emerging technologies, social
media, business environment, risk tolerance,
regulatory requirements, third-party considerations,
threat landscape) to ensure that these factors are
continually addressed by the information security
strategy.

T1.7 Gain ongoing commitment from senior
leadership and other stakeholders to support the
successful implementation of the information
security strategy.
Knowledge Statements

How does Section Two relate to each of the following
knowledge statements?

Knowledge statement and its connection to this section:
K1.7 Factors outside of the organization may impact how it
approaches governance, and that approach may not be
flexible. It's often necessary to change the information
security governance model to align with corporate
governance rather than expecting the reverse.
K1.9 Executives and decision-makers tend to be well-versed in
evaluating business cases. You need to speak their
language to gain support.
K1.10 Understanding costs and benefits helps keep focus on the
value that information security can provide.


Knowledge Statements

How does Section Two relate to each of the following
knowledge statements?

Knowledge statement and its connection to this section:
K1.11 The information security program exists within a complex
ecosystem of dynamic processes inside and outside of the
organization. It needs to be able to adapt to changes in
this ecosystem to remain relevant and useful.
K1.12 Programs are only as good as they are seen to be. A well-
designed program poorly communicated won't get off the
ground.
K1.13 Going to the right people at the right times and in the right
ways can make all of the difference in whether a proposal
is approved or rejected. It's important to know how and
when people want to be contacted and do your best to meet
their expectations whenever possible.


Key Terms

Business case: Documentation of the rationale for making a business
investment, used both to support a business decision on
whether to proceed with the investment and as an operational
tool to support management of the investment through its full
economic life cycle.
Risk tolerance: The acceptable level of variation that management is willing to
allow for any particular risk as the enterprise pursues its
objectives.
Stakeholder: Anyone who has a responsibility for, an expectation from or
some other interest in the enterprise. Examples: shareholders,
users, government, suppliers, customers and the public.
Threat landscape: The set of all known threats facing the organization.

See www.isaca.org/glossary for more key terms.


Commitment is Key

Senior management
backing is essential to
success
Information security may
need to educate senior
managers to get them on
board
Use business language,
not technical jargon



Selling the Strategy

The security strategy should manage
information risk at an acceptable level in line
with the business strategy.

Information security managers need to convey
the value proposition of what is proposed.


Lay the Foundation

Workshops or briefings
can set the stage for
strategy
implementation.
Try to anticipate
issues/concerns
managers already have



Roles and Responsibilities

Board of Directors:
Need to be aware of information assets.
Provided with high-level results of risk assessments
and BIAs.
Exercise due care in protecting key assets.

Senior Management:
Ensure needed functions/resources are available.
Ensure resources are properly utilized.
Promote cooperation, arbitrate when needed
and set priorities.


Roles and Responsibilities

Steering committee
Comprised of senior representatives of groups
impacted by information security
Ensures alignment of security program with business
objectives
Common topics:
Security strategy and integration efforts
Specific actions and progress related to business unit
support of information security program functions
Emerging risk, business unit security practices and
compliance issues



Roles and Responsibilities

Chief Risk Officer
Generally responsible for all non-information risk and
overall ERM
Chief Information Officer
Responsible for IT planning, budgeting and
performance
Chief Information Security Officer
Similar functions as information security manager with
more strategic and management elements; IT
strategy


Good to Know

May not be an official position.
Trends have shown most organizations have a CISO
in charge of the security program.
Some organizations have a CSO over information
security and physical security.
Most often reports to the CEO, followed by the
CIO and board.
Conflicts of interest may arise if the CISO reports to
the CIO because security is often seen as a constraint
on IT.


Tracking Roles

Source: ISACA, COBIT 5: Enabling Processes, USA, 2012



Activity

Complete the following RACI chart.



Activity Answers
Roles (RACI chart columns): Information Security Manager, Board of
Directors, Chief Information Officer, Chief Executive Officer, Business
Process Owner

Define target IT capabilities: C R A I
Conduct a gap analysis: R A R
Define the strategic plan and road map: C A C
Communicate the IT strategy and direction: I I R R I


The Business Case

Provides a formal proposal for a project:
Likely costs
Benefits
Should have enough detail to explain the why of a
project and what it will deliver back.


Preparing a Business Case

Elements of a feasibility study:
Project scope
Current analysis
Requirements
Recommended approach
Evaluation
Formal review

Note: The feasibility study focuses on direct, up-front costs,
while the business case should focus on total cost of
ownership.


The Business Case and Project
Management
The business case drives the decision process.
If no longer valid, the project should be reviewed.
Used at stage gates (kill points).
Reevaluation/reapproval needed when circumstances
change.


Communicating Value

Value can be estimated as revenue, savings or both.
An effective information security program:
Reduces the likelihood of a significant event
Reduces the losses from an event
Either of the two outcomes equals savings.


Stakeholder Buy-in

Other groups are affected by the information
security proposal.
Stakeholders may be internal/external.
Failure to achieve buy-in can sabotage your
proposal.


Discussion Question

Who are some of the stakeholders in an organization's
information security strategy?


Internal Stakeholders

Managers responsible for key business
processes
Managers responsible for revenue-producing
activities
Human resources
Legal and privacy

Note: The business case should be updated to
note requests, even if they are not accepted.


External Stakeholders

Service providers
Critical vendors
Outsourcing partners
Consumers/members

Information security
may be affected by
contracts.



Presenting the Strategy

Can be used to educate and communicate.
Common factors for acceptance:
Aligning security with business objectives
Identifying potential consequences
Identifying budget items
Using common risk/benefit or financial models
Defining monitoring and auditing measures


Presenting the Strategy

Remember: You are the subject matter expert!
Be concise, but be honest.
Senior management may not realize the impact of
reputational damage.
Alignment is key: If the strategy is aligned with
the business, it is more likely to be approved.


Section Two



In the Big Picture

The information security strategy supports the goals
and business strategy of the organization.

Having senior leadership approval to implement the
strategy is essential because it provides access
to resources and helps to remove procedural
roadblocks.


Section Two

Exam Review Questions



Review Question

Senior management commitment and support for
information security can BEST be obtained through
presentations that:

A. use illustrative examples of successful attacks.
B. explain the technical risk to the organization.
C. evaluate the organization against good security
practices.
D. tie security risk to key business objectives.


Review Question

A security manager is preparing a report to obtain the
commitment of executive management to a security
program. Inclusion of which of the following items would be
of MOST value?

A. Examples of genuine incidents at similar organizations
B. Statement of generally accepted good practices
C. Associating realistic threats to corporate objectives
D. Analysis of current technological exposures


Review Question

The MOST important requirement for gaining management
commitment to the information security program is to:

A. benchmark a number of successful organizations.
B. demonstrate potential losses and other impacts that can
result from a lack of support.
C. inform management of the legal requirements of due
care.
D. demonstrate support for desired outcomes.


Review Question

Which of the following situations would MOST inhibit the
effective implementation of security governance?

A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. Lack of high-level sponsorship


Section Three

Implementing the Security Strategy


Task Statements
T1.4 Establish and maintain information security
policies to guide the development of standards,
procedures and guidelines in alignment with
enterprise goals and objectives.

T1.8 Define, communicate and monitor information
security responsibilities throughout the organization
(e.g., data owners, data custodians, end users,
privileged or high-risk users) and lines of authority.

T1.9 Establish, monitor, evaluate and report key
information security metrics to provide management
with accurate and meaningful information regarding
the effectiveness of the information security strategy.


Knowledge Statements

How does Section Three relate to each of the following
knowledge statements?

Knowledge statement and its connection to this section:
K1.2 Relationships provide a lens through which to understand
information security.
K1.8 Policies require executive support to be effective, so you
need to know how to engage the people at the top in ways
that fit your organizational culture. If the executives aren't
willing to follow a policy they put in place, neither will
anyone else.
K1.10 An effective program is one that the organization can
afford and that delivers useful, actionable information.


Knowledge Statements

How does Section Three relate to each of the following
knowledge statements? (See p. 19 of the CISM Review Manual.)

Knowledge statement and its connection to this section:
K1.15 Information security can require involvement at virtually
any level of an organization, from functional teams up to
the board of directors. It's critical to know how information
flows and who approves which levels of escalation.
K1.16 The right people need to get the right information at the
right times. Understanding the structure helps avoid
overlooking anyone who may need to know something and
also makes it easier to limit reporting of what may be
sensitive information.
K1.17 Organizations change over time, and changes to reporting
relationships and structures outside of the information
security function may not always be widely communicated.
Develop a way to monitor these changes as they occur
and build them into the governance process.


Knowledge Statements

How does Section Three relate to each of the
following knowledge statements?

Knowledge statement and its connection to this section:
K1.18 Avoid creating new communication methods whenever
existing methods can be adapted or expanded to include
information security. When new channels are needed,
understand how your organization expects them to be
evaluated and approved before they're established.
K1.19 Information security covers a huge array of processes,
technologies and concerns that can be individually or
collectively monitored. Identifying the key indicators for
risk, performance and other considerations helps make
reporting more effective.


Key Terms

Key Term Definition


Data custodian The individual(s) and department(s) responsible for the
storage and safeguarding of computerized data
Guideline A description of a particular way of accomplishing
something that is less prescriptive than a procedure.
Metric A quantifiable entity that allows the measurement of the
achievement of a process goal
Procedure A document containing a detailed description of the
steps necessary to perform specific operations in
conformance with applicable standards. Procedures are
defined as part of processes.

See www.isaca.org/glossary for more key terms.



Policies

- Directly traceable to strategy elements
- Broad enough to not require regular revision, but should be periodically reviewed
- Approved at the highest level
- Pave the way for effective implementation



Policies

Attributes of good policies:
- Should capture the intent, expectations and direction of management
- Should state only one general security mandate
- Must be clear and easily understood
- Include just enough context to be useful
- Rarely number more than two dozen in total



Setting Standards

- Provide measurement for compliance
- Govern procedure and guideline creation
- Set security baselines
- Reflect acceptable risk and control objectives
- Act as criteria for evaluating acceptable risk
- Are unambiguous, consistent and precise
- Are disseminated to those governed by them and those impacted



Setting Standards

- Third-party standards are typically prescriptive to allow for certification.
- If used as a reference, your organization may have some flexibility when using the standard.
- Exception processes must be developed.



Discussion Question

Once standards are set, what are some factors that may
determine whether or not they are followed?



Training and Awareness

- People need to be aware of security policies and standards in order to be compliant.
- Training and awareness go beyond publishing a policy.
- Type should be appropriate to logistics, culture, etc.
- Relevant to the audience



Tone at the Top

- Employees emulate the behavior of management.
- If managers ignore standards and policies, fewer people will follow them.



Controls

- Influence the behaviors of people, processes and technology in order to manage risk to acceptable levels
- Keep in mind:
  - Controls are not always as effective as intended
  - Controls may not address all outcomes
  - Changes in technology may render controls obsolete



Discussion Question

What are some examples of how changes in technology can bypass or negate previously effective controls?



IT Controls

- Constitute the majority of controls in an organization
- Control objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.



Layered Defense

- Deploying controls in layers is good practice (defense in depth)
- Uses:
  - To provide additional protection in the event of a control failure
  - Because a single control is known to be inadequate
  - Controls tailored to specific threats may be more cost effective



Layered Defense



Countermeasures

- Designed to reduce a single vulnerability or a threat
- Can be passive or active
- Should be considered from a strategic perspective



Non-IT Controls

- Information security extends beyond IT
- Include:
  - Secure marking, handling and storage
  - Efforts to prevent social engineering
- Can help to mitigate risk posed by individual judgement calls



Discussion Question

One example of a non-IT control is educating people on the importance of not writing down or sharing passwords. What others come to mind?



Procedures

- A non-IT control that directs precisely how something is to be done
- Responsibility of operations staff
- Use unambiguous language
- Include all necessary steps
- Ensure an organization can continue operations even if regular staff are unavailable



Good to Know

People tend to memorize their actions when doing something regularly and may not refer to procedures. This makes it harder to keep procedures up to date and increases the probability of errors.

Checklists are helpful to promote regular use of procedures.



Guidelines

- Contain information that will be helpful in executing procedures
- Enable use of individual judgement
- Can be helpful when an outcome needs to be achieved, but the "how" does not matter



Metrics and Measurement

- Security metrics tell us about the state of security relative to a reference point
- Technical metrics are of little value from a strategic standpoint



Metrics and Measurement

Metrics should be SMART:
- Specific
- Measurable
- Attainable
- Relevant
- Timely

Avoid measuring something simply because it can be measured.



Metrics at the Strategic Level

- Key goal indicators (KGIs) and key performance indicators (KPIs) can be useful for process or service goals.
- High-level metrics related to implementing a strategy include:
  - Alignment with business goals and objectives
  - Management of risk to acceptable levels
  - Effective management of resources
  - Performance and value delivery



Risk Management Metrics

Indicators of appropriate risk management include:
- Defined risk appetite and tolerance
- Process for management of adverse impacts
- Trends in periodic risk assessment and impacts
- Completeness of asset inventory
- Ratio of security incidents from known to unknown security risks



Value Delivery Metrics

KGIs and KPIs include:
- The cost of security being proportional to the value of assets
- Security resources that are allocated by degree of assessed risk and potential impact
- Protection costs that are aggregated as a function of revenues or asset valuation
- An adequate and appropriate number of controls to achieve acceptable risk and impact levels
- Policies in place that require all controls to be periodically reevaluated for cost, compliance and effectiveness
- The use and effectiveness of controls



Resource Management Metrics

Indicators of effective resource management include:
- Infrequent problem solution rediscovery
- Effective knowledge capture and dissemination
- Clearly defined roles and responsibilities
- The percentage of information assets and related threats adequately addressed by security activities
- The proper organizational location, level of authority and number of personnel for the information security function
- Resource utilization levels
- Staff productivity
- Per-seat cost of security services



Performance Measurement

Indicators of effective performance measurement include:
- The time required to detect and report security events
- The number and frequency of unreported incidents
- Benchmarking comparable organizations for costs and effectiveness
- Knowledge of evolving and impending threats
- Methods of tracking evolving risk
- Consistency of log review practices
- Results of BCP/DR tests
- Extent to which key controls are monitored
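The indicators listed on the Risk Management Metrics and Performance Measurement slides only carry strategic meaning once they are computed consistently and compared with a reference point, as the Metrics and Measurement slide notes. The Python below is an added example, not ISACA course material: it derives mean time to detect, mean time to report, the count of unreported incidents and the known-to-unknown risk ratio from a constructed list of incident records, and checks each value against a tolerance the organization is assumed to have set. The Incident record layout, the tolerance values and the sample incidents are all assumptions made for this example.

```python
"""Added example: turning incident records into strategic security metrics.

Not ISACA course material. The Incident layout, the tolerance values and
the sample incidents below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    occurred: datetime            # when the event actually took place
    detected: datetime            # when the organization first noticed it
    reported: Optional[datetime]  # None: never went through the reporting process
    known_risk: bool              # True if it maps to a risk already in the register


# Constructed sample incidents (not real data).
INCIDENTS = [
    Incident("INC-001", datetime(2016, 3, 1, 8, 0), datetime(2016, 3, 1, 9, 30),
             datetime(2016, 3, 1, 10, 0), True),
    Incident("INC-002", datetime(2016, 3, 2, 1, 0), datetime(2016, 3, 3, 1, 0),
             None, False),
    Incident("INC-003", datetime(2016, 3, 5, 12, 0), datetime(2016, 3, 5, 12, 15),
             datetime(2016, 3, 5, 14, 15), True),
    Incident("INC-004", datetime(2016, 3, 9, 0, 0), datetime(2016, 3, 11, 0, 0),
             datetime(2016, 3, 11, 6, 0), False),
]

# Assumed tolerances: (limit, direction). "max" means the value must not exceed
# the limit; "min" means it must not fall below it.
TOLERANCES = {
    "mean_time_to_detect_hours": (12.0, "max"),
    "mean_time_to_report_hours": (4.0, "max"),
    "unreported_incidents": (0, "max"),
    "known_to_unknown_ratio": (1.0, "min"),
}


def hours(delta):
    return delta.total_seconds() / 3600


def mean_time_to_detect_hours(incidents):
    """Performance indicator: average gap between occurrence and detection."""
    return mean(hours(i.detected - i.occurred) for i in incidents)


def mean_time_to_report_hours(incidents):
    """Performance indicator: average gap between detection and formal report,
    over the incidents that were reported at all."""
    reported = [i for i in incidents if i.reported is not None]
    if not reported:
        return float("inf")  # nothing was ever reported: worst possible value
    return mean(hours(i.reported - i.detected) for i in reported)


def unreported_incidents(incidents):
    """Performance indicator: incidents detected but never formally reported."""
    return sum(1 for i in incidents if i.reported is None)


def known_to_unknown_ratio(incidents):
    """Risk management indicator: incidents from risks already in the register
    versus incidents from risks nobody had identified. Higher is better."""
    known = sum(1 for i in incidents if i.known_risk)
    unknown = len(incidents) - known
    return known / unknown if unknown else float("inf")


def evaluate_kris(incidents, tolerances):
    """Compare each metric with its tolerance; the tolerance is the reference
    point that gives the raw number strategic meaning."""
    values = {
        "mean_time_to_detect_hours": mean_time_to_detect_hours(incidents),
        "mean_time_to_report_hours": mean_time_to_report_hours(incidents),
        "unreported_incidents": unreported_incidents(incidents),
        "known_to_unknown_ratio": known_to_unknown_ratio(incidents),
    }
    result = {}
    for name, value in values.items():
        limit, direction = tolerances[name]
        within = value <= limit if direction == "max" else value >= limit
        result[name] = (value, within)
    return result


if __name__ == "__main__":
    for name, (value, within) in evaluate_kris(INCIDENTS, TOLERANCES).items():
        status = "within tolerance" if within else "OUT OF TOLERANCE"
        print(f"{name}: {value:.2f} ({status})")
```

With the constructed data, detection time and the unreported count breach their tolerances while reporting time and the known-to-unknown ratio stay within them; reporting the pass/fail status rather than the raw numbers is what makes the indicator useful at the strategic level.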



Auditing and Compliance

- Audits can be useful as a means of identifying shortfalls.
- Senior managers tend to believe audit reports.
- Audit reports indicate what has already happened.
  - Useful for insight
  - Cannot be used as the only means of identifying problems



Section Three



In the Big Picture

Section Three: Implementing the Security Strategy

- The success of an information security strategy depends on the behavior of people, processes and technology.
- Security is dynamic, and regular monitoring and auditing are needed.



Section Three

Exam Review Questions



Review Question

The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to:

A. risk management.
B. compliance.
C. IT management.
D. governance.



Review Question

Which of the following choices would be the MOST significant key risk indicator?

A. A deviation in employee turnover
B. The number of packets dropped by the firewall
C. The number of viruses detected
D. The reporting relationship of IT



Review Question

Which person or group should have final approval of an organization's information technology (IT) security policies?

A. Business unit managers
B. Chief information security officer
C. Senior management
D. Chief information officer



Review Question

Which of the following is the PRIMARY reason to change policies during program development?

A. The policies must comply with new regulatory and legal mandates.
B. Appropriate security baselines are no longer set in the policies.
C. The policies no longer reflect management intent and direction.
D. Employees consistently ignore the policies.



Domain 1

Summary



Summary

- Effective information security governance requires alignment with business goals.
- Senior management commitment to the information security strategy is key to success.
- Security is dynamic, so metrics are key to determining success and monitoring is required to indicate any issues.



Questions

