Information Systems Audit and Control Association
Title slide for Chapter 1
The instructor should explain to the students that the review
course will cover the areas that the CISM exam will address. However,
the course is not meant to replace the candidate's experience in
the information security management field. It would be difficult to
become certified only by attending this course and reading the
review guide, as there is no substitute for practical
experience.
2003 ISACA
8 Task Statements
*
The CISM candidate will be tested on their practical understanding
of each of five information security management areas, which are
further defined and detailed through task and knowledge statements.
These specific task and knowledge statements are covered in the
CISM Review Manual 2003 and in this course.
Note to Instructor:
Please emphasize to candidates that reading and understanding this
material will not guarantee them success on the CISM examination.
The CISM examination will require them to answer questions and to
make judgments based on the information learned in this course and
on their own professional experiences. As you go through this
material try to add your own experiences, and/or ask class
participants to do so. In addition, recommend that candidates refer
to the numerous additional information references that appear
throughout the CISM Review Manual 2003, especially in areas in
which they may be unfamiliar.
In summary this area includes the following task statements:
Develop the information security strategy in support of business
strategy and direction.
Obtain senior management commitment and support for information
security throughout the enterprise.
Ensure that definitions of roles and responsibilities throughout
the enterprise include information security governance
activities.
Establish reporting and communication channels that support
information security governance activities.
Identify current and potential legal and regulatory issues
affecting information security and assess their impact on the
enterprise.
Establish and maintain information security policies that support
business goals and objectives.
Ensure the development of procedures and guidelines that support
information security policies.
Develop business case and enterprise value analysis that support
information security program investments.
*
The CISM candidate must understand and evaluate the 8 tasks and 21
Knowledge Statements within this Information Security Governance
Domain.
These tasks are covered in more detail in the slides that
follow:
Objective
The objective of this job practice area is to focus on the need for
a stable security governance program to be in place so all security
strategies and processes can be planned, designed, implemented and
maintained. Only with stable information security governance in
place can an organization begin to address the threats to their
survivability and profitability.
References for additional information are provided in the
CISM Review Manual 2003 to provide the candidate additional
information on this topic. The candidate can find the information
links there to:
- examples of cyber laws
- descriptions of the widely accepted ISO 17799
- descriptions of the widely accepted BS7799
- description of a compliance approach to security standards
- article on basing standards on economic impact to the
organization
- examples of security guidelines from Australia
- link to ISACA’s COBIT page describing control objectives and
guidance
- a publication on good information security practices.
Various references are provided throughout this course as
well.
According to the CISM Certification
Board, this area will represent approximately 21% of the CISM
examination
(approximately 42 questions)
*
Task 1
The alignment of the information security strategy with the business
strategy is supported by many standards, including:
Information Systems Audit and Control Association, COBIT
Organization for Economic Cooperation and Development (OECD)
Security Guidelines
Institute of Chartered Accountants in England and Wales, Turnbull
report
ISO/IEC 17799
BS 7799
The Information Security Forum's Standard of Good Practice
*
Task 1: Develop the information security strategy in support of
business strategy and direction.
Guidance contained in documents such as the following makes it
evident that IT governance and business governance cannot be
separated:
· Organization for Economic Cooperation and Development (OECD)
Security Guidelines
· Institute of Chartered Accountants in England and Wales, Turnbull
report
· ISO/IEC 17799
· BS 7799
· The Information Security Forum's Standard of Good Practice
The information security manager should ensure that a security
strategy is designed, developed, implemented and maintained. The
security strategy often includes:
Business strategy linkages
*
A set of processes, methods, tools and techniques together
constitute a security strategy. The security manager should ensure
that technologies, products and services are in place for policy,
architecture, authentication, authorization, administration and
recovery. The security strategy also needs to consider how it will
embed good security practices into every area of the business.
Training and awareness are vital in the overall strategy as
security is often weakest at the end-user stage. It is here, as
well, that one will consider the need for the development of
methods and processes that enable the policies and standards to be
more easily followed and implemented.
Resources need to be assigned to track developments in these
enabling technologies and the products they support. For example,
privacy continues to be important and increasingly the focus of
government regulation, making privacy compliance technologies an
important enabling technology.
The information security manager must understand that security is
not a single step in the system life cycle, nor something that can
be solved through technology alone. Rather, information security is
an ongoing process that needs to be continuously managed.
Additional information:
Ernst & Young, www.eyonline.com (Contains general security
information.)
PricewaterhouseCoopers,
www.pwcglobal.com/Extweb/service.nsf/docid/B0A2F4A55AED9E7E85256B10007E9B3D
(Contains general security information.)
IBM, www-3.ibm.com/security (Contains general security
information.)
Task 2
Senior management (board-level directors or equivalent) should have
a high level of commitment to:
Achieving high standards of corporate governance
Treating information security as a critical business issue and
creating a security-positive environment
Demonstrating to third parties that the organization deals with
information security in a professional manner
Applying fundamental principles such as assuming ultimate
responsibility for information security, implementing controls that
are proportionate to risk and achieving individual
accountability
Obtain senior management commitment and support for information
security throughout the enterprise.
*
Task 2: Obtain senior management commitment and support for
information security throughout the enterprise.
Providing high-level control
*
Note to Instructor:
Senior management commitment is a very important point and should
be stressed at this point. Ask if anyone has examples of how having
this commitment has made their job easier, and the security program
better. Conversely, discuss how not having this commitment has made
the security program at their organization less comprehensive and
effective.
Ensure that definitions of roles and responsibilities
throughout the enterprise include information security governance
activities.
Security governance activities should be defined in employee job
descriptions
Roles and responsibilities should be clearly defined
Employee compensation is a tool that can be used to influence
behavior
Job performance reviews should include security-related
measurements
The information security manager should work with human resources
to define and implement security-related policy changes
*
Task 3: Ensure that definitions of roles and responsibilities
throughout the enterprise include information security governance
activities.
Establish reporting and communication channels that support
information security governance activities.
The information security manager should report to a senior person in
the organization (e.g., CIO, CFO, COO, CEO)
Metrics should be established to measure the security program
Metrics should be regularly reported
Metrics should be reported to a senior group such as a board-level
committee or the security committee
Some metrics should also be reported to all employees to promote
security awareness (e.g., newsletters, intranet, formal
classes)
The information security manager should also continue their
education through involvement in information security organizations
*
Task 4: Establish reporting and communication channels that support
information security governance activities.
Identify current and potential legal and regulatory issues
affecting information security and assess their impact on the
enterprise.
The information security manager needs to identify and assess the
legal and regulatory issues affecting information security that
apply to their organization
Different governing bodies may have conflicting regulations
Sources of regulations and related standards include, but are not
limited to:
COBIT
*
Task 5: Identify current and potential legal and regulatory issues
affecting information security and assess their impact on the
enterprise.
Sources for some of these regulations include but are not limited
to:
· ISO/IEC 17799
· BS 7799
- (Continued on next slide)
Task 5 (continued)
Some sources of regulations can include but are not limited to
(continued):
HIPAA
Copyright and patent laws of each country in which the organization
does business
Office of the Comptroller of the Currency (OCC) Circular 235 and
Thrift Bulletin 30
Security statutes covering computer fraud, abuse and
misappropriation of computerized assets, for example the federal
Computer Security Act
Federal Financial Institutions Examination Council (FFIEC)
guidelines, which replaced the previously issued Banking Circulars
BC-177, BC-226, etc.
COSO
*
Continued from previous slide. The sources listed on this slide and
the next are discussed above; note in addition that vital records
management statutes specify the retention and disposition of
corporate electronic and hardcopy records, e.g., IRS records
retention requirements.
Task 5 (continued)
Some sources of regulations can include but are not limited to
(continued):
Foreign Corrupt Practices Act (FCPA)
Vital records management statutes
*
See previous pages for speaker notes.
Note to Instructor: This would be a good spot to ask the group if
they have experienced other sources of regulations. The instructors
can provide information from their experience as well.
Also ask the group if these sources perform enforcement activities
(fines, audits) or if they are more geared towards dissemination
of prudent business practices. Ask for the group's experiences with
any of these bodies.
Establish and maintain information security policies that
support business goals and objectives.
A process needs to be established for the development and
maintenance of security policies
Policies should become a vital part of overall governance
Policies need to be continuously monitored and updated
Good practice is to develop policies from an established
template
Examples and supporting information for policies can be
found:
ISO/IEC 17799
BS 7799
Task 6: Establish and maintain information security policies that
support business goals and objectives.
In developing security policies, it is good practice to use an
established template. Developing a policy from scratch may omit
certain areas inadvertently. There is a wealth of sources that can
be tapped for input into a security policy including:
· ISO/IEC 17799
· BS 7799
Steps for establishing and maintaining information security
policies can include:
Implementing a process for the development and maintenance of
security policies
Identifying the personnel responsible for various aspects of the
security policy including approval
Researching existing organizational policies such as personnel and
physical security policies
Developing the policy based on templates that already exist
Implementing a review of the security policy into the
organization’s change management process
*
In addition to the steps listed on the slide, the process should
include developing an awareness program to educate the
organization's employees on relevant aspects of the security policy.
Note to instructor: Start a discussion stressing the importance of
security policies and the difficulty (but common practice) of
implementing technology solutions without strong and comprehensive
security policies. Discuss how it is possible to implement a
technology solution that fixes a security symptom without
addressing the core vulnerability.
Ensure the development of procedures and guidelines that
support information security policies.
Technical and nontechnical procedures and guidelines should be built
to support information security policies. Technical procedures and
guidelines include:
Backup and recovery
Monitoring of policy compliance
*
Task 7: Ensure the development of procedures and guidelines that
support information security policies.
Nontechnical procedures and guidelines include:
Review procedures
Authorization procedures
An overall process including the following should be established
regarding security policies and the overall security program:
Assess
Design
Implement
Maintain
Develop business case and enterprise value analysis that
support information security program investments.
The information security manager should seek to justify the value
of security projects through methods such as:
Return on investment (ROI)
The justification will likely need to be presented to senior
management
*
Task 8: Develop business case and enterprise value analysis that
support information security program investments.
Recently, the advances in single sign-on and user access
provisioning technologies and procedures have resulted in savings
in time and cost over traditional manual administration techniques.
There are a number of examples that compare the costs of
traditional processes against the newer procedures, and these can
be used in the business case that most information security
managers need to develop.
Several organizations including universities have begun to
promote return on security investment methodologies. One example is
below:
(R-E) + T = ALE
"T" is the cost of the intrusion detection tool.
"E" is the dollar savings gained by stopping any number of
intrusions through the introduction of an intrusion detection
tool.
"R" is the cost per year to recover from any number of
intrusions.
"ALE" is the resulting annual loss expectancy with the tool in place.
The return on the investment is the reduction in annual loss,
R - ALE, which simplifies to E - T: the tool pays for itself only
when the savings E exceed its cost T.
*
One example of ROSI comes from University of Idaho researchers, who
developed the formula shown on the slide above for calculating the
ROI of using intrusion detection as a security defense.
Note: The above detailed calculation is for informational purposes
only and no such calculation will be contained in the CISM
examination.
Note to Instructor: Provide an example to the group of how
developing a sound business case for one of your security projects
helped gain the approval for the project.
Information security policies and procedures are required to
protect an organization's information
The information security manager is responsible for understanding:
the business need for security
its importance to the organization
*
Information technology security is a subset of information security
and tends to focus on technical mechanisms necessary to protect
electronic data.
2003 CISM Review Course
Knowledge Statement 1 (cont)
The information security manager should be aware of generally
accepted security concepts including:
Confidentiality
Integrity
Availability
*
Knowledge of the relationship between information security and
business operations
The relationship needs to be in place and maintained and can be
developed through activities such as:
Understanding the business mission
Obtaining upper management understanding and support
Developing security procedures and guidelines that align with the
business objectives of the organization
Establishing a security governance process
*
Information Security Governance: Guidance for Boards of Directors
and Executive Management, IT Governance Institute, 2001,
www.itgovernance.org
Knowledge Statement 3
Knowledge of techniques used to secure senior management commitment
and support of information security management
Formal presentations are the most commonly used technique
They are used to educate and communicate key aspects of the security
program
They should employ common business practices, including:
Aligning security objectives with business objectives
Identifying budget items so that senior management can quantify the
costs of the security program
Utilizing commonly accepted project risk/benefit models, such as
TCO or ROI
*
Knowledge of techniques used to secure senior management commitment
and support of information security management
The formal presentation to senior management often is used as a
means to educate and communicate key aspects of the overall
security program. Acceptance is facilitated by the information
security manager applying common business case elements during the
acceptance process. These can include:
· Aligning security objectives with business objectives, enabling
senior management to understand and apply the security policies and
procedures
· Identifying budget items so that senior management can quantify
the costs of the security program
· Utilizing commonly accepted project risk/benefit models, such as
total cost of ownership (TCO) or return on investment (ROI), to
quantify the benefits and costs of the security program
· Defining the monitoring measures that will be included in the
security program
· Utilizing methods such as balanced business scorecards, which
provide senior management a means of analyzing the progress of the
security program
· Requiring that risk management be integrated into the operation
of the security program
· Ensuring that clear accountabilities/responsibilities are defined
Should employ common business practices including
(continued):
Utilizing methods such as balanced business scorecards
Requiring that risk management be integrated into the operation of
the security program
Ensuring that clear accountabilities/responsibilities are
defined
*
IT Governance Institute, Board Briefing on IT Governance, Rolling
Meadows, Illinois, 2001, www.itgi.org/resources.htm , (provides
senior level guidance on IT Governance)
Knowledge of methods of integrating information security governance
into the overall enterprise governance framework
Two factors are in evidence in most organizations today:
1. The level of change occurring has never been greater.
2. ... vulnerabilities has never been greater.
Senior positions including Chief Security Officer are becoming
commonplace
*
Organizations that have not dedicated an officer position to
information security have often identified someone who is
responsible for it. This person then typically reports directly to
an officer of the company, often the CIO or the chief financial
officer (CFO). Reporting to the CFO is an appropriate structure in
that the CFO is responsible for the integrity and financial
condition of the organization.
Knowledge of practices associated with an overall policy directive
that captures senior management-level direction and expectations
for information security in laying the foundation for information
security management within an organization
Senior management should understand various directives in a
security policy including defining:
direction and expectations before implementing security policies
and procedures
need for maintenance of the security program
need for monitoring, risk management and crisis management
*
The information security manager should focus on the overall senior
management approval and sponsorship of the security strategy before
implementing detailed security procedures.
Information security steering group provides the information
security manager with regular contact with the organization’s
business leaders
Enables information security manager to make contact with various
levels of the organization providing a communication vehicle for
security topics
Provides the information security manager with information about
organizational changes
*
Knowledge of an information security steering group function
The security steering group usually is responsible for establishing
and maintaining a security organization and for developing a
cost-effective and integrated security program that supports the
accomplishment of the organization's objectives and
priorities.
Common key roles include:
Reporting directly to a senior functional executive (EVP, COO, CFO,
CIO) or CEO
Overseeing and coordinating efforts across the company
Identifying key corporate security initiatives and standards (e.g.,
virus protection, security monitoring, intrusion detection and
access control to facilities)
Working with outside consultants, as appropriate, for independent
security audits
Identifying protection goals and objectives consistent with
corporate strategic plan
*
Knowledge of information security management roles,
responsibilities, and organizational structure
The information security manager’s roles and responsibilities will
vary from organization to organization due to the size and
complexity of that given organization. However, key roles and
responsibilities should at least include:
· Reporting directly to a senior functional executive (EVP, COO,
CFO, CIO) or CEO
· Overseeing and coordinating efforts across the company, including
engineering, network infrastructure, human resources, IT, legal and
other groups
· Identifying key corporate security initiatives and standards
(e.g., virus protection, security monitoring, intrusion detection,
access control to facilities, and remote access policies)
· Working with outside consultants, as appropriate, for independent
security audits
· Identifying protection goals and objectives consistent with the
corporate strategic plan
(continued on following page)
Managing development and implementation of global security policy,
standards, guidelines and procedures to ensure ongoing maintenance
of security
Assisting with the investigation of security breaches and with
disciplinary and legal matters
Coordinating implementation plans of security products
*
· Identifying protection goals and objectives consistent with the
corporate strategic plan
· Identifying key security program elements
· Managing development and implementation of global security
policy, standards, guidelines and procedures to ensure ongoing
maintenance of security
· Assisting with the investigation of security breaches, and with
the disciplinary and legal matters associated with such breaches,
as necessary
· Coordinating implementation plans of security products
Note to Instructor: So that the audience can get a feel for the
various roles and responsibilities that an information security
manager may have, ask the group to discuss how many of them have the
responsibilities listed on these slides. Ask how many of them have
additional responsibilities, and list them.
Have a discussion about whether or not the information security
manager could have too many roles and responsibilities and what
some of the solutions for that may be.
Knowledge of areas of governance (e.g., risk management, data
classification management, network security, system access)
Strong governance areas can include:
Risk management
*
Knowledge of areas of governance (e.g., risk management, data
classification management, network security, system access)
The information security manager must integrate various aspects of
governance to ensure a strong security environment. These areas can
include:
· Risk management
The information security manager should have strong management and
communication skills as well as the ability to prioritize various
tasks based on their importance to the overall organization.
Knowledge of centralized and decentralized approaches to
coordinating information security
An organization's cultural makeup often determines whether security
coordination is centralized or decentralized
Both forms, however, must:
Be closely aligned with the business objectives
Be sponsored and approved by senior management
Have monitoring in place
Have organizational continuance procedures
*
Knowledge of centralized and decentralized approaches to
coordinating information security
In both centralized and decentralized approaches there are
similarities. Security needs to be assessed and measured against
the need for security based on business objectives. Different
approaches and techniques will be used depending on whether a
centralized or decentralized approach is taken, but the overall
responsibilities and objectives of security do not change. They
still must:
Be closely aligned with the business objectives
Be sponsored and approved by senior management
Have monitoring in place
Have organizational continuance procedures
Knowledge of legal and regulatory issues associated with Internet
business, global transmissions and transborder data flows (e.g.,
privacy, tax laws and tariffs, data import/export restrictions,
restrictions on cryptography, warranties, patents, copyrights,
trade secrets, national security)
The information security manager should work closely with legal
counsel to understand the legal implications for security
Different jurisdictions have different laws covering electronic
commerce and information
*
Knowledge Statement 11
Knowledge of common insurance policies and imposed conditions
(e.g., crime or fidelity insurance, business interruptions)
Insurance as a tool to assist in the preservation of critical
information
The security program should meet the objectives set out in various
insurance policies that the organization has in force
*
Knowledge of common insurance policies and imposed conditions
(e.g., crime or fidelity insurance, business interruptions)
Insurance is an important part of any organization's risk
management environment. There are two aspects of insurance that the
information security manager should be aware of:
The use of insurance as a tool to assist in the preservation of
critical information
The need for the security program to meet the objectives set out in
the insurance policies the organization has in force
Knowledge Statement 11 (cont)
Some insurance types that information security managers should be
aware of include:
Business interruption
*
Some insurance types that information security managers should be
aware of include:
- Business interruption
- Critical data loss
- Legal liability to others
- Professional liability
- Network security property loss
- Web content liability
- Crisis communication
Objectives of information security program – The information
security program shall be designed to:
- Ensure the security and confidentiality of customer
information
- Protect against any anticipated threats or hazards to the
security or integrity of such information
- Protect against unauthorized access to or use of such information
that could result in substantial harm or inconvenience to any
customer.
Assess risk – The insured:
- Identifies reasonably foreseeable internal or external threats
that could result in unauthorized disclosure, misuse, alteration or
destruction of customer information or customer information
systems
- Assesses the likelihood and potential damage of these threats,
taking into consideration the sensitivity of customer
information
- Assesses the sufficiency of policies, procedures, customer
information systems and other arrangements in place to control
risks.
2003 ISACA
Manage and control risk – The insured:
- Designs its information security program to control the
identified risks, commensurate with the sensitivity of the
information as well as the complexity and scope of the licensee’s
activities
- Trains staff, as appropriate, to implement the licensee’s
information security program
CIO Magazine, www.cio.com (Search for articles on insurance
availability regarding technology.)
Note to Instructor: Discuss with the group their experiences with
the insurance industry and if they feel that the insurance industry
is proactively addressing the information security risk
topic.
Discuss whether or not anyone has had experience in filing a claim
for a loss of information due to cyber theft and to discuss the
process and whether or not the claim was successful.
Knowledge Statement 12
Knowledge of the requirements for the content and retention of
business records and compliance
There are two main aspects an information security manager must
understand regarding the content and retention of business records
and compliance within their organization:
- What are the business requirements for its business records?
- What are the legal and regulatory requirements?
Depending upon an organization's location and industry, regulatory
bodies impose retention requirements with which the organization must
comply, including:
- Legal
- Medical
- Tax
Knowledge Statement 13
Knowledge of the process for linking policies to enterprise
business objectives
The information security manager should understand how to ensure
that security policies align with the enterprise business
objectives. Practices to ensure this happens can include:
- Determining whether or not information security investment is
proportionate with the organization’s risk profile and business
objectives
- Determining the information/data classification of the
organization so that security policies can be implemented to
protect them
- Determining whether or not the security policies are appropriately
designed and implemented to protect the organization's
information.
Note to Instructor: Discuss with the group the value of linking
security policies to business objectives. Ask the group to list the
positives and what some of the negatives might be if the two were
not linked (such as spending precious security dollars on an area
that is not vitally important to the organization).
Knowledge Statement 14
Knowledge of the function and content of essential elements of an
information security program (e.g., policy statements, procedures
and guidelines)
The information security manager should understand the essential
elements of an information security program so that they can be
properly managed and administered. An information security program
can include the following essential elements:
- Policy statement – High-level statements of the security
policy
Knowledge Statement 14 (cont)
In addition to understanding the essential elements of an
information security policy, the information security manager also
should be familiar with the content of the policy. Key areas of the
security policy can include:
- Management support and commitment
- Access authorization
Knowledge of techniques for developing an information security
process improvement model for sustainable and repeatable
information security policies and procedures
The information security manager should have knowledge of
techniques to enable information security process improvements. The
following techniques can be employed to ensure sustainable and
repeatable information security policies and procedures:
Senior management support – Provides the governance support to
enable a sustainable information security environment
Awareness – Provides for widespread acknowledgement that security
is important to the organization. Since security often relies on
individual compliance, it is important that a robust security
awareness program be in place.
Responsibility – Provides accountability for executing the security
program’s tasks
Assessment – Self-assessments through internal audit, constant
monitoring through manual and automated procedures, and third-party
assessments all provide the information security manager with
information about the security program's status. These procedures
also provide the information security manager with information on
vulnerabilities that need to be addressed.
Communication – Provides the information security manager with
timely regular information about the security program’s
status.
Knowledge of information security process improvement and its
relationship to traditional process management
Any strong organizational initiative, information security
management included, needs strong project and process management
techniques
The information security manager administers a wide range of tasks
and has multiple responsibilities regarding a successful security
environment
*
Knowledge of information security process improvement and its
relationship to security architecture development and
modeling
Security is a continuous process
Through mechanisms set up to manage change, the information
security manager will receive regular updates regarding areas where
the security procedures need to be updated
Updates may include changes to the security architecture
Security models can be used to determine the impact on the overall
security strategy before they are implemented.
*
One example of a commonly used model is the PDCA (Plan, Do, Check,
Act) model referenced in BS 7799 Part 2, ISO 9000 and 14000.
Knowledge of information security process improvement and its
relationship to security infrastructure
Two methods commonly are used when changes to security
infrastructure are employed:
Modifying the security procedure on a test system
Running the security procedure in test mode
*
Both of these types of testing provide the information security
manager the ability to model changes to the security infrastructure
and to monitor their effects on the system.
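The test-mode approach in working form, as an added example that is not part of the course material: a hypothetical Go control that restricts an administrative port to a management network prefix (the rule, the addresses and the request log are constructed for this example) and that runs in either test or enforce mode. In test mode every request proceeds, but the IDs of the requests the rule would have denied are recorded; that list is the effect on the system the manager reviews before the same control is switched to enforcement.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Mode selects whether the control enforces its decision or only records
// what it would have done. Test mode corresponds to "running the security
// procedure in test mode": the real decision logic runs on real input, but
// nothing is blocked until the recorded effects have been reviewed.
type Mode int

const (
	ModeTest Mode = iota
	ModeEnforce
)

// Request is a constructed, minimal view of an inbound connection.
type Request struct {
	ID   string
	Src  netip.Addr
	Port uint16
}

// Rule restricts a destination port to the listed source prefixes. Ports
// without a rule are unrestricted. (Hypothetical shape for this example.)
type Rule struct {
	Port    uint16
	Allowed []netip.Prefix
}

// Control is the procedure being introduced. WouldDeny accumulates the IDs
// of requests that fail a rule: the report a manager wants from a test-mode
// run before switching to enforcement.
type Control struct {
	Mode      Mode
	Rules     []Rule
	WouldDeny []string
}

// violates reports whether r hits a rule for its port without matching one
// of that rule's allowed prefixes.
func (c *Control) violates(r Request) bool {
	for _, rule := range c.Rules {
		if rule.Port != r.Port {
			continue
		}
		for _, p := range rule.Allowed {
			if p.Contains(r.Src) {
				return false
			}
		}
		return true
	}
	return false
}

// Evaluate returns true when the request may proceed. A violation is
// always recorded; it is only refused in enforce mode.
func (c *Control) Evaluate(r Request) bool {
	if !c.violates(r) {
		return true
	}
	c.WouldDeny = append(c.WouldDeny, r.ID)
	return c.Mode == ModeTest
}

// NewAdminPortControl builds the example rule: SSH (port 22) is allowed
// only from the assumed management network 10.0.0.0/24.
func NewAdminPortControl(mode Mode) *Control {
	return &Control{
		Mode:  mode,
		Rules: []Rule{{Port: 22, Allowed: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")}}},
	}
}

// SampleTraffic is constructed input standing in for a day's connection log.
func SampleTraffic() []Request {
	return []Request{
		{ID: "r1", Src: netip.MustParseAddr("10.0.0.5"), Port: 22},      // admin from the management net
		{ID: "r2", Src: netip.MustParseAddr("203.0.113.9"), Port: 22},   // admin from the Internet
		{ID: "r3", Src: netip.MustParseAddr("198.51.100.4"), Port: 443}, // web traffic, no rule applies
		{ID: "r4", Src: netip.MustParseAddr("10.1.2.3"), Port: 22},      // admin from an office LAN
	}
}

// Run passes traffic through the control and returns how many requests
// were allowed through and the IDs that violated a rule.
func Run(c *Control, traffic []Request) (allowed int, violations []string) {
	for _, r := range traffic {
		if c.Evaluate(r) {
			allowed++
		}
	}
	return allowed, c.WouldDeny
}

func main() {
	traffic := SampleTraffic()
	allowed, viol := Run(NewAdminPortControl(ModeTest), traffic)
	fmt.Printf("test mode: %d of %d allowed, would deny %v\n", allowed, len(traffic), viol)
	// Only after the violation list has been reviewed (r4 may be a legitimate
	// office that belongs in the allow list) is the control switched over.
	allowed, viol = Run(NewAdminPortControl(ModeEnforce), traffic)
	fmt.Printf("enforce mode: %d of %d allowed, denied %v\n", allowed, len(traffic), viol)
}
```

The point of the design is that the decision function is identical in both modes; only the final return value changes, so what the test-mode run reports is exactly what enforcement will do.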
Note to Instructor: Discuss whether or not anyone has had system
performance adversely affected by a security implementation.
Discuss the results and how it could have been
avoided.
Knowledge of generally accepted international standards for
information security management and related process improvement
models
Generally accepted international standards for security management
and process improvement models exist
The information security manager should be aware of these and adapt
them to the organization
*
Information Systems Audit and Control Association, Standards,
www.isaca.org/stand1.htm (Provides a list of standards, guidelines
and procedures)
Knowledge of the key components of cost-benefit analysis and
enterprise transformation/migration plans (e.g.: architectural
alignment, organizational positioning, change management,
benchmarking, market/competitive analysis)
Knowledge of cost-benefit analysis and enterprise
transformation/migration plans gives the manager input for the
security investment business case
Information regarding enterprise transformation/migration plans can
be gained through the security steering committee
*
Knowledge of cost-benefit analysis and enterprise
transformation/migration plans will provide the information
security manager the understanding needed when building a business
case for the organization’s information security.
Knowledge of methodology for business case development and
computing enterprise value proposition
The information security manager needs to demonstrate how information
security contributes critical enterprise value. To do so the manager
should:
- Perform a risk assessment and business impact analysis
- Identify vulnerabilities
- Present the results to senior management
Once the analysis is completed, the cost of implementing the
information security procedures, and of the organization needed to
support them, should be researched and quantified. The information
security manager then has the information needed to build a business
case summarizing the results. The business case is presented to
senior management, whose authorization of the security program must
be obtained.
Note to the instructor:
This slide introduces a few of the more commonly used terms likely
to appear on the exam.
Because understanding terminology is an important part of correctly
answering questions on the exam, it is recommended that the
instructor go through these terms and others found in the CISM
Review Manual 2003.
Authentication: The act of verifying the identity of a system entity
(e.g., a user, a system, a network node) and the entity's
eligibility to access computerized information. Designed to protect
against fraudulent logon activity. Authentication can also refer to
the verification of the correctness of a piece of data.
Availability relates to information being available when required
by the business process now and in the future. It also concerns the
safeguarding of necessary resources and associated
capabilities.
Confidentiality concerns the protection of sensitive information
from unauthorized disclosure.
Information security governance: The management structure,
organization, responsibility and reporting processes surrounding a
successful information security program.
Integrity: The accuracy and completeness of information as well as
its validity in accordance with business values and
expectations.
Non-repudiation: The assurance that a party cannot later deny
originating data; that is, the provision of proof of the integrity
and origin of the data which can be verified by a third party.
Non-repudiation may be provided by a digital signature.
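Why the glossary ties non-repudiation to a digital signature rather than to any integrity check, shown as an added example that is not part of the course material. The Go code below (Ed25519 signatures and HMAC from the standard library; the order message, party names and dispute scenario are constructed) lets a third party who holds no secret verify both integrity and origin of a signed record, and shows that an HMAC tag, although it protects integrity between two parties, cannot settle a dispute because the recipient holds the same key and can produce a valid tag on altered data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is what the originator hands over: the data, a signature
// over it, and the public key a third party uses to check it. The private
// key never leaves the originator.
type SignedRecord struct {
	Data      []byte
	Signature []byte
	Origin    ed25519.PublicKey
}

// Originate signs data with the originator's private key.
func Originate(priv ed25519.PrivateKey, data []byte) SignedRecord {
	return SignedRecord{
		Data:      data,
		Signature: ed25519.Sign(priv, data),
		Origin:    priv.Public().(ed25519.PublicKey),
	}
}

// ThirdPartyVerify needs only the public key, so an arbitrator who holds
// no secret can confirm both the integrity and the origin of the data.
func ThirdPartyVerify(rec SignedRecord) bool {
	return ed25519.Verify(rec.Origin, rec.Data, rec.Signature)
}

// HMACTag and HMACCheck give integrity and authenticity between two parties
// who share a key. They do not give non-repudiation: whoever can verify a
// tag can also produce one.
func HMACTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func HMACCheck(key, data, tag []byte) bool {
	return hmac.Equal(HMACTag(key, data), tag)
}

// DisputeScenario plays out a dispute over a constructed order message.
// It returns whether the genuine signed record verifies, whether a record
// altered by the recipient is rejected, and whether a recipient holding the
// shared HMAC key can manufacture a tag on altered data that still checks
// out (which is why HMAC alone cannot prove who originated the data).
func DisputeScenario() (genuineVerifies, alteredRejected, hmacForgeryAccepted bool, err error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	original := []byte("order 1001: 10 units @ 50.00") // constructed data
	altered := []byte("order 1001: 100 units @ 50.00")

	rec := Originate(priv, original)
	genuineVerifies = ThirdPartyVerify(rec)

	// The recipient edits the data but cannot re-sign without the private key.
	forged := SignedRecord{Data: altered, Signature: rec.Signature, Origin: rec.Origin}
	alteredRejected = !ThirdPartyVerify(forged)

	// With HMAC the recipient holds the same key as the originator, so a tag
	// over the altered data is indistinguishable from one the originator made.
	sharedKey := make([]byte, 32)
	if _, err = rand.Read(sharedKey); err != nil {
		return false, false, false, err
	}
	recipientTag := HMACTag(sharedKey, altered)
	hmacForgeryAccepted = HMACCheck(sharedKey, altered, recipientTag)
	return genuineVerifies, alteredRejected, hmacForgeryAccepted, nil
}

func main() {
	g, a, h, err := DisputeScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("signed record verifies: %v, altered record rejected: %v, "+
		"recipient can forge HMAC on altered data: %v\n", g, a, h)
}
```

In a real deployment the originator's public key would itself need to be bound to the originator (for example through a certificate) for the third party's verification to carry weight; the example assumes that binding is already established.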
CISM exam questions are developed with the intent of measuring and
testing practical knowledge. All questions are multiple choice and
are designed for one best answer. Every CISM question has a stem
(question) and four options (answer choices). The candidate is
asked to choose the correct or best answer from the options. The
stem may be in the form of a question or incomplete statement. In
some instances, a scenario or description problem may also be
included. These questions normally include a description of a
situation and require the candidate to answer two or more questions
based on the information provided. Many times a CISM examination
question will require the candidate to choose the most likely or
best answer. In every case the candidate is required to read the
question carefully, eliminate known incorrect answers and then make
the best choice possible. Knowing the format in which questions are
asked and how to study to gain knowledge of what will be tested
will go a long way toward answering them correctly.
Note to Instructor:
The sample question contained below is designed to depict the type
of question format on the CISM examination.
The PRIMARY responsibility of the information security steering
committee is:
A. direction setting and performance monitoring.
B. information security policy development.
C. information security control implementation.
D. provision of information security training for employees.
Suggested Answer: A
*
This is an opportunity to summarize the material covered in this
chapter and to answer candidate questions.
Note to Instructor: Begin the discussion by asking the group to
reflect on their own organizations and, based on the information
contained in this chapter on information security governance, how
their organizations would measure up. Are their organizations meeting
most criteria, average, or in need of work?