CISM Chapter 1-Information Security Governance

This document provides an overview of information security governance. It defines key concepts like information, security, and information security governance. It explains the differences between information security governance and corporate/enterprise governance as well as the differences between governance and management. The importance of information security governance is discussed, noting benefits like reducing liability, ensuring compliance, and lowering business risks. Finally, the key outcomes of an effective information security governance program are outlined.

Uploaded by Lakshmi

Review Course 2015

What is CISM?
• The Certified Information Security Manager (CISM) certification is a unique management-focused certification that has been earned by more than 24,267 professionals since its introduction in 2002. Unlike other security certifications, CISM is for the individual who manages, designs, oversees and assesses an enterprise's information security.
The number of current CISMs
CISA
More than 115,000 professionals have earned the CISA certification since it was
established in 1978. The number of current CISAs by region is:
• Asia: 21,730
• Central/South America: 2,440
• Europe/Africa: 18,880
• North America: 33,640
• Oceania: 1,950
CISM
More than 27,000 professionals have earned the CISM certification since its
introduction in 2002. The number of current CISMs by region is:
• Asia: 3,740
• Central/South America: 1,040
• Europe/Africa: 6,920
• North America: 10,730
• Oceania: 790

The number of current CISMs
CGEIT
More than 6,000 professionals have earned the CGEIT certification since its inception
in 2007. The number of current CGEITs by region is:
• Asia: 920
• South/Central America: 320
• Europe/Africa: 1,580
• North America: 2,450
• Oceania: 180
CRISC
More than 18,000 professionals have earned the CRISC certification since it was
established in 2010. The number of current CRISCs by region is:
• Asia: 2,050
• Central/South America: 990
• Europe/Africa: 3,950
• North America: 8,790
• Oceania: 450
CISM VS CISSP?

• Basically, the main differences are that CISM has 4 domains related to governance and risk management, while CISSP has 10 domains, one of which is Information security and risk management (one of the CISM domains). CISSP also covers topics such as cryptography, networking, physical security, operations security, etc. CISSP is more technically oriented.
• CISM is more about how to implement a security policy, how to manage risks, etc.
• One more thing: neither of them is vendor oriented.
• If you are thinking about certifying in those programs, it will depend on what you are looking for.
  CISO -----> CISM
  Security Architect ---------> CISSP.
CISM VS CISSP?

• It's all about the role. If the role is more for management or C level, then CISM would be more applicable. If the role has hands-on work, while still supervising or managing others, CISSP would be the one. Having both is good as well, and the good thing about both of them is that they require CPEs, are vendor independent, and require one to keep abreast of security threats / countermeasures.
Information Security Governance Overview

Chapter 1—Information Security Governance

This chapter reviews the body of knowledge and associated tasks necessary to develop an information security governance structure aligned with organizational objectives.
1.1 Information Security Governance Overview

Concepts – Information, Security and Information Security:

• Information is data with meaning and purpose, i.e. “processed data”.
• Knowledge is organized information.
• Information, including knowledge, is one of the most important assets without which conducting business would not be possible. “Information is the business”.
• Adequate protection of information resources must be a board-level activity, as are other critical governance functions.
• Security: is the protection from or absence of danger.
• Information security: ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability).
1.1 Information Security Governance Overview

Information security and IT security:

• Information security deals with all aspects of information, whether spoken, written, printed, electronic or relegated to any other medium, regardless of whether it is being created, viewed, transported, stored or destroyed.
• IT security is concerned with the security of information within the boundaries of the technology domain (day-to-day operation).

Thus, confidential information disclosed in an elevator conversation or sent via postal mail would be outside the scope of IT security.
1.1 Information Security Governance Overview

Governance and Management, according to COBIT 5:

• Governance: ensures that stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. “Setting direction and objectives”.
• In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management: plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. “Implementing activities to achieve objectives”.
• In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
1.1 Information Security Governance Overview
Enterprise/Corporate Governance and Information Security Governance:

• Enterprise/Corporate Governance: is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the organization’s resources are used responsibly.
• Information security governance: is a subset of corporate governance; it provides strategic direction for security activities and ensures that objectives are achieved. It ensures that information security risk is appropriately managed and enterprise information resources are used responsibly.
1.1 Information Security Governance Overview
• Ultimately, senior management and the board of directors are accountable for information security governance, to ensure that information security governance is an integral part of enterprise governance.
• To achieve effective information security governance, management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives.
• Information security program: is the overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information, based on business requirements and risk analysis.
1.1 Information Security Governance Overview
The information security governance framework will generally consist of:
1. A comprehensive security strategy intrinsically linked with business objectives.
2. Governing security policies that address each aspect of strategy, controls and regulation.
3. A complete set of standards for each policy to ensure that procedures and guidelines comply with policy.
4. An effective security organizational structure, free of conflicts of interest, with sufficient authority and adequate resources.
5. Institutionalized metrics and monitoring processes to ensure compliance, provide feedback on effectiveness and provide the basis for appropriate management decisions.

• The information security framework, in turn, provides the basis for the development of a cost-effective information security program that supports the organization’s business goals.
1.2 Importance of Information Security Governance
• The dependence of organizations on their information and the systems that handle it, coupled with the risks, benefits and opportunities that these resources present, has made information security governance a critical aspect of overall governance.
• Benefits of information security governance include:
  1. Addressing the increasing potential for civil or legal liability as a result of information inaccuracy, the absence of due care in its protection, or inadequate regulatory compliance.
  2. Providing assurance of policy compliance.
  3. Increasing predictability and reducing uncertainty of business operations by lowering risk to definable and acceptable levels.
  4. Providing a level of assurance that critical decisions are not based on faulty information.
1.3 Outcomes of Information Security Governance
• The objective of information security governance is to develop, implement and manage a security program that achieves the following 6 basic outcomes:
  1. Strategic alignment: aligning information security with business strategy to support organizational objectives.
  2. Risk management: executing appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptable level.
  3. Value delivery: optimizing security investments in support of business objectives.
  4. Resource management: using information security knowledge and infrastructure efficiently and effectively.
  5. Performance measurement: monitoring and reporting on information security processes to ensure that objectives are achieved.
  6. Integration: integrating all relevant assurance factors to ensure that processes operate as intended from end to end.

Effective Information Security Governance
1.4 Effective Information Security Governance
• The following set of principles helps guide the implementation of effective information security governance:
  • CEOs should conduct an annual information security evaluation, review the results with staff and report on performance to the board of directors.
  • Organizations should conduct periodic risk assessments of information assets as part of a risk management program.
  • Organizations should implement policies and procedures based on risk assessments to secure information assets.
  • Organizations should establish a security management structure to assign explicit individual roles, responsibilities, authority and accountability.
  • Organizations should develop plans and initiate actions to provide adequate information security for networks, facilities, systems and information.
1.4 Effective Information Security Governance
  • Organizations should treat information security as an integral part of the system life cycle.
  • Organizations should provide information security awareness, training and education to personnel.
  • Organizations should conduct periodic testing and evaluation of the effectiveness of information security policies and procedures.
  • Organizations should create and execute a plan for remedial action to address any information security deficiencies.
  • Organizations should develop and implement incident response procedures.
  • Organizations should establish plans, procedures and tests to provide continuity of operations.
  • Organizations should use security good practices guidance, such as ISO/IEC 27002, to measure information security performance.
1.5 Roles and Responsibilities of Senior Management
Board of Directors/Senior Management
• Effective information security governance can be accomplished only by senior management involvement in approving policy, and appropriate monitoring and metrics coupled with reporting and trend analysis.
• Members of the board need to be aware of the organization’s information assets and their criticality to ongoing business operations.
• The board should periodically be provided with the high-level results of comprehensive risk assessments and business impact analysis (BIA).
• The tone at the top must be conducive to effective security governance. It is unreasonable to expect lower-level personnel to abide by security measures if they are not exercised by senior management.
1.5 Roles and Responsibilities of Senior Management
• A common concern for boards of directors is liability. Most organizations, to protect themselves from shareholder lawsuits, provide specific insurance to create a level of protection for the board in exercising its governance responsibilities.
• In addition, there are regulations such as the US Sarbanes-Oxley Act which mandate the formation of audit committees, which are often made up of members of the board of directors.
1.5 Roles and Responsibilities of Senior Management
Executive Management
• The executive management team is responsible for ensuring that needed organizational functions, resources and infrastructure are available and properly utilized to fulfill the information security activities.
• Visible executive involvement is critical to the success of an information security program as well as to the effectiveness of its ongoing management.
• The information security manager should coordinate executive involvement in specific activities such as quarterly information risk reviews, new information systems go/no-go meetings, etc.
• Executive management sets the tone for information security management within the organization. The level of their visible involvement indicates to other managers the level of importance that they are also expected to apply to risk management for activities within their organizations.
1.5 Roles and Responsibilities of Senior Management
Steering Committee
• Many organizations use a steering committee comprised of senior representatives who are impacted by security considerations.
• It serves as an effective communications channel and ensures the alignment of the security program with business objectives.
• Common topics, agendas and decisions for a security steering committee include:
  • Security strategy and integration efforts with business unit activities.
  • Specific actions and progress relative to business unit support of information security program functions, and vice versa.
  • Emerging risk, business unit security practices and compliance issues.
1.5 Roles and Responsibilities of Senior Management
CISO
• Increasingly, prudent management is elevating the position of the information security officer to a C-level or executive position, as organizations begin to understand their dependence on information and the growing threats to it.
• Ensuring the position exists, coupled with the responsibility, authority and required resources, demonstrates management and board of director awareness and commitment to sound information security governance.
• These responsibilities currently range from the CISO or vice president for security reporting to the CEO, to system administrators who have part-time responsibility for security management and who might report to the IT manager or CIO. It may also be the CIO, chief information security officer (CISO), chief financial officer (CFO) or, in some cases, the chief executive officer (CEO).
1.6 Information Security Roles and Responsibilities
Obtaining senior management commitment
• Without senior management support and an effective information security governance structure, it is difficult for the information security manager to know what goals to steer the program toward, or to determine optimal governance processes.
• A formal presentation is the most widely used technique the information security manager can use to secure senior management commitment.
• Evidence of an adequate level of support for information security by senior management may include:
  • Clear approval and support for formal security strategies and policies.
  • Monitoring and measuring organizational performance in implementing security policies.
  • Supporting security awareness and training for all staff throughout the organization.
1.6 Information Security Roles and Responsibilities
  • Adequate resources and sufficient authority to implement and maintain security activities.
  • Treating information security as a critical business issue and creating a security-positive environment.
  • Demonstrating to third parties that the organization deals with information security in a professional manner.
  • Providing high-level oversight and control.
  • Periodically reviewing information security effectiveness.
  • Setting an example by adhering to the organization’s security policies and practices.

• Acceptance is facilitated by the information security manager applying common business case aspects, including:
  • Aligning security objectives with business objectives, enabling senior management to understand and apply the security policies and procedures.
  • Identifying potential consequences of failing to achieve certain security-related objectives and regulatory compliance.
1.6 Information Security Roles and Responsibilities
  • Identifying budget items so that senior management can quantify the costs of the security program.
  • Utilizing commonly accepted project risk/benefit or financial models, such as total cost of ownership (TCO) or return on investment (ROI), to quantify the benefits and costs of the security program.
  • Defining the monitoring and auditing measures that will be included in the security program.
1.6 Information Security Roles and Responsibilities
Establishing reporting and communication channels

• There are 4 groups requiring different communications to consider:
  1. Senior Management
    • Attend business strategy meetings to understand the updated business strategies and objectives.
    • Periodic one-to-one meetings to understand the business objectives from senior managers’ perspective.
  2. Business Process Owners (e.g., HR, Operations, Quality, etc.)
    • Join operation review meetings to realize the challenges and requirements of daily operations.
    • Initiate monthly one-to-one meetings with different process owners to gain continued support in the implementation of information security governance and address current individual security-related issues.
1.6 Information Security Roles and Responsibilities
  3. Other Management
    • Line managers, supervisors and department heads charged with various security and risk management-related functions, including ensuring adequate security requirement awareness and policy compliance, must be informed of their responsibilities.
  4. Employees
    • Timely training and education programs.
    • Centralized on-board training program for new hires.
    • Organizational education material on updated strategies and policies.
    • Personnel instructed to access the intranet or e-mail-based notifications for periodic reminders or ad hoc adaptations.
    • Support senior management and business process owners by assigning an information security governance coordinator within each functional unit to obtain accurate feedback on daily practices in a timely manner.
GRC

1.7 Governance, Risk Management and Compliance (GRC)
• GRC is a term that reflects an approach that organizations can adopt in order to integrate the governance, risk management and compliance areas.
• It is important to recognize that effective integration of GRC processes requires that governance is in place before risk can be effectively managed and compliance enforced.
• While a GRC program can be used in any area of an organization, it is usually focused on financial, IT and legal areas.
  • Financial GRC is used to ensure proper operation of financial processes and compliance with regulatory requirements.
  • IT GRC seeks to ensure proper operation and policy compliance of IT processes.
  • Legal GRC may focus on overall regulatory compliance.
1.7 Governance, Risk Management and Compliance (GRC)

• According to Gartner, IT GRC management has the following key capabilities:
  1. Controls and policy library.
  2. Policy distribution and response.
  3. IT controls self-assessment (CSA) and measurement.
  4. IT asset repository.
  5. Automated general computer control (GCC) collection.
  6. Remediation and exception management.
  7. Reporting.
  8. Advanced IT risk evaluation and compliance dashboards.
1.8 Business Model for Information Security
• The Business Model for Information Security (BMIS) takes a business-oriented approach to managing information security.
• The model utilizes systems thinking to clarify complex relationships within the enterprise, and thus to more effectively manage security.
• The essence of systems theory is that a system needs to be viewed holistically—not merely as a sum of its parts—to be accurately understood.
• “Systems thinking” is a widely recognized term that refers to the examination of how systems interact, how complex systems work and why “the whole is more than the sum of its parts.”
1.8 Business Model for Information Security
• The elements and dynamic interconnections that form the basis of the model establish the boundaries of an information security program and model how the program functions and reacts to internal and external change.
1.9 Assurance Process Integration - Convergence
• Assurance activities are often fragmented and segmented in silos with different reporting structures.
• These assurance silos can include risk management, change management, internal and external audit, privacy offices, insurance offices, human resources (HR), legal and others.
• Evaluating business processes from start to finish (along with their controls), regardless of which particular assurance process is involved, can mitigate the tendency for security gaps to exist among various assurance functions.
• Recent efforts to address integration issues between assurance functions include: GRC, BMIS, ISO/IEC 27001.
• It is becoming more common to see the CISO elevated to CEO or the functions combined for better integration.
1.10 Governance and Third Party Relationships
• Third parties include:
  • Service providers.
  • Outsourced operations.
  • Trading partners.
  • Merged or acquired organizations.
• The ability to effectively manage security in these relationships often poses a significant challenge for information security managers.
• Information security managers must assess the impacts of any reasonably possible security failures of any third party, to ensure they are within a range acceptable to management.
1.10 Governance and Third Party Relationships
• From an information security governance perspective, there should be rules and processes employed when dealing with third-party relationships, such as:
  1. The responsibility of the information security manager to address the potential risk and impacts of 3rd party relationships should be clear and documented.
  2. There should be policies and standards as well as procedures establishing the involvement of information security prior to the creation of any 3rd party relationship, so that risk can be determined and management can decide whether it is acceptable or must be mitigated.
  3. There should be a formalized engagement model between the information security organization and those groups that establish and manage 3rd party relationships.
Information Security Governance Metrics

1.11 Information Security Governance Metrics
• Metrics is a term used to denote measurements based on one or more references and involves at least two points (the measurement and the reference).
• We should distinguish between managing the technical IT security and the overall management of an information security program.
• Technical metrics can indicate that the infrastructure is operated properly and that technical vulnerabilities are identified and addressed. Such technical metrics are of little value from a strategic management or governance standpoint.
• Downtime due to viruses, the number of vulnerabilities uncovered by a network scan, and the percentage of servers patched say nothing about strategic alignment with organizational objectives; they provide only a limited indication of policy compliance.
1.11 Information Security Governance Metrics
Effective security metrics
• The fundamental purpose of metrics, measurements and monitoring is “decision making”.
• For metrics to be useful, the information they provide must be relevant to the roles and responsibilities of the recipient so that informed decisions can be made.
• Criteria of effective metrics are:
  • Meaningful: the metrics must be understood by the recipients.
  • Accurate: a reasonable degree of accuracy is essential.
  • Cost-effective: it cannot be too expensive to acquire or maintain.
  • Repeatable: it must be able to be acquired reliably over time.
  • Predictive: measurements should be indicative of outcomes.
  • Actionable: it should be clear to the recipient what action must be taken.
  • Genuine: it must be clear what is actually being measured, e.g. measurements that are not random or subject to manipulation.
1.11 Information Security Governance Metrics
Measuring security:
• Security is not measured in an absolute sense; rather, possibilities, attributes, effects and consequences are normally the gauge, such as:
  • Value at Risk (VAR): used to compute the maximum probable loss in a defined period (day, week, year) with a confidence level.
  • Return on Security Investment (ROSI): used to calculate the return on investment based on the reduction in losses resulting from a security control.
  • Annual Loss Expectancy (ALE): provides the likely annualized loss based on the probable frequency and magnitude of security compromise (total expected loss / number of years in the forecast period = the average annual loss).
These often speculative numbers can then be used as a basis for allocating or justifying resources for security activities.
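The three gauges on this slide can be worked through on constructed loss figures. The following Python is an added example, not part of the review course, and assumes a common ROSI formula (loss reduction minus control cost, divided by control cost) and an empirical-percentile method for VaR; the loss figures are constructed.

```python
"""Governance-level security metrics from the slide: ALE, ROSI and VaR.

Added example, not from the review course. Loss figures are constructed.
The ROSI formula and the empirical VaR method are assumptions, not slide text.
"""
from math import ceil

# Constructed annual loss figures (currency units) for a ten-year period.
SAMPLE_ANNUAL_LOSSES = [12000, 8000, 25000, 0, 40000, 15000, 5000, 90000, 20000, 10000]


def annual_loss_expectancy(total_expected_loss, years):
    """ALE as the slide defines it: total expected loss over the forecast
    period divided by the number of years in that period."""
    if years <= 0:
        raise ValueError("forecast period must cover at least one year")
    return total_expected_loss / years


def ale_from_frequency(events_per_year, loss_per_event):
    """ALE from the probable frequency and magnitude of a compromise."""
    return events_per_year * loss_per_event


def return_on_security_investment(ale_before, ale_after, annual_control_cost):
    """ROSI: return based on the reduction in losses a control delivers.

    Assumed formula: (loss reduction - control cost) / control cost.
    A result above 0 means the control saves more than it costs per year."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    loss_reduction = ale_before - ale_after
    return (loss_reduction - annual_control_cost) / annual_control_cost


def value_at_risk(losses, confidence):
    """Empirical VaR: the loss level not exceeded in `confidence` (e.g. 0.9)
    of the observed periods, i.e. the maximum probable loss at that confidence
    level. Works on the sorted sample; no loss distribution is assumed."""
    if not 0 < confidence <= 1:
        raise ValueError("confidence must be in (0, 1]")
    ordered = sorted(losses)
    # ceil(confidence * n) samples lie at or below the chosen value.
    index = min(len(ordered) - 1, max(0, ceil(confidence * len(ordered)) - 1))
    return ordered[index]


def control_is_justified(ale_before, ale_after, annual_control_cost):
    """Decision rule the slide alludes to: the numbers justify funding the
    control only when its ROSI is positive."""
    return return_on_security_investment(ale_before, ale_after, annual_control_cost) > 0


if __name__ == "__main__":
    ale = annual_loss_expectancy(sum(SAMPLE_ANNUAL_LOSSES), len(SAMPLE_ANNUAL_LOSSES))
    print(f"ALE over the sample period: {ale:,.0f}")
    print(f"90% VaR for one year: {value_at_risk(SAMPLE_ANNUAL_LOSSES, 0.9):,.0f}")
    # Constructed control: cuts expected losses by 60% at a cost of 5,000 per year.
    after = ale * 0.4
    print(f"ROSI: {return_on_security_investment(ale, after, 5000):.2f}")
    print("Control justified:", control_is_justified(ale, after, 5000))
```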
1.11 Information Security Governance Metrics
Measuring information security governance and management:
• Measuring information security governance and management with any precision may be more difficult than measuring security.
• Metrics will be based on attributes, costs and subsequent outcomes of the security program.
• A well-governed security program can be characterized as one that efficiently, effectively and consistently meets expectations and attains defined objectives.
• A comprehensive security metrics analysis program should provide justification for decisions that directly affect the security posture of an organization, such as:
  • Budget and personnel requests.
  • Allocation of available resources.
1.11 Information Security Governance Metrics

NIST (National Institute of Standards and Technology) publication 800-55, “Information Security Measurement Program Structure”
Good governance and good management
1.11 Information Security Governance Metrics
NIST publication 800-55 approach:
• The foundation of strong upper-level management support is critical, not only for the success of the security program, but also for the implementation of a security metrics program.
• The 2nd component of an effective security metrics program is practical security policies and procedures backed by the authority necessary to enforce compliance.
• The 3rd component is developing quantifiable performance metrics that are designed to capture and provide meaningful operational data. Such metrics must be:
  • Based on IT security performance goals and objectives.
  • Easily obtainable and feasible to measure.
  • Repeatable, providing relevant performance trends over time.
  • Useful for tracking performance and directing resources.
1.11 Information Security Governance Metrics

Types of information security metrics:
1. Governance implementation metrics.
2. Strategic alignment metrics.
3. Risk management metrics.
4. Value delivery metrics.
5. Resource management metrics.
6. Performance measurement.
7. Assurance process integration (convergence).
1.11 Information Security Governance Metrics
1. Governance implementation metrics

• Implementation of various aspects of information security governance will typically involve projects and initiatives; standard project measurement approaches can serve metrics requirements.
• Key goal indicators (KGI) and key performance indicators (KPI) can be used to provide information about the achievement of process or service goals, and can determine whether organizational milestones and objectives are being met.
• E.g., achieving specific milestones or objectives, budget and timeline conformance.
1.11 Information Security Governance Metrics
• KPI: is a measure that determines how well the process is performing in enabling the goal to be reached. A KPI is a lead indicator of whether a goal will likely be reached, and a good indicator of capability, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance. E.g., “mean time to repair”.
• KGI: is a measure that tells management, after the fact, whether an IT process has achieved its business requirements or not. It shows how well the results and goals are being achieved. E.g., “achieving targeted ROI or business value benefits”.
1.11 Information Security Governance Metrics
2. Strategic alignment metrics

• The cost effectiveness of the security program is tied to how well it supports the objectives of an organization and at what cost.
• Without organizational objectives as a reference point, any other gauge, including the so-called best practices, may be inadequate.
• The best overall indicator that security activities are in alignment with business objectives is the development of a security strategy that defines security objectives in business terms and ensures that the objectives are directly articulated from planning to implementation of policies, standards, procedures, processes and technology.
1.11 Information Security Governance Metrics
3. Risk management metrics

• The key goal of information security is to reduce the adverse impacts on the organization to an acceptable level. Therefore, a key metric is the adverse impacts of information security incidents experienced by the organization.
• Examples of indicators of appropriate risk management can include:
  • A defined organizational risk appetite, or a risk tolerance in terms relevant to the organization.
  • Defined mitigation objectives for identified significant risk.
  • A tested business continuity/disaster recovery plan.
1.11 Information Security Governance Metrics
4. Value Delivery metrics

• Value delivery is a function of the strategic alignment of security strategy and business objectives.
• Value delivery occurs when security investments are optimized in support of organizational objectives.
• Optimal investment levels occur when strategic goals for security are achieved and an acceptable risk posture is attained at the lowest possible cost.
1.11 Information Security Governance Metrics
• Key indicators (KGIs and KPIs) can include:
  - The cost of security in relation to the value of assets.
  - Security resources that are allocated by degree of assessed risk and
    potential impact.
  - Control effectiveness that is determined by periodic testing.
  - The utilization of controls; controls that are rarely used are not likely to
    be cost effective.
  - The number of controls to achieve acceptable risk and impact levels;
    fewer effective controls can be expected to be more cost effective than a
    greater number of less effective controls.

59
1.11 Information Security Governance Metrics
5. Resource Management metrics

• Information security resource management is the term used to describe the
processes to plan, allocate and control information security resources,
including people, processes and technologies, for improving the efficiency
and effectiveness of business solutions.

• As with other organizational assets and resources, they must be managed
properly.

• Knowledge must be captured, disseminated and available when needed.

• Controls and processes must be standardized, when possible, to reduce
administrative and training costs.

60
1.11 Information Security Governance Metrics
6. Performance Measurement

• Methods to monitor security-related events across the organization must be
developed; it is critical to design metrics that provide an indication of the
performance of the security technology.

• Indicators of effective performance measurement can include:
  - The time it takes to detect and report security-related incidents.
  - The number and frequency of subsequently discovered unreported
    incidents.
  - The absence of unexpected security events.
  - Consistency of log review practices.
  - Results of business continuity planning (BCP)/disaster recovery (DR) tests.
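The following Python is an added worked example, not course material: it computes the KPI named earlier in this section (mean time to repair) and the first two performance indicators listed above (time to detect and report incidents, and incidents that were discovered later but never reported) from a handful of constructed incident records, then checks one KGI after the fact, namely whether a target MTTR was actually met. The record layout, the sample timestamps and the 8-hour target are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample incident records (not taken from the course material).
# Each row: incident id, time the incident occurred, time it was detected,
# time it was reported to the security team (None if it was only discovered
# afterwards, e.g. by an audit, and never reported), and time it was repaired.
SAMPLE_ROWS = [
    ("INC-001", "2024-03-01T08:00", "2024-03-01T09:00", "2024-03-01T09:30", "2024-03-01T13:00"),
    ("INC-002", "2024-03-02T22:00", "2024-03-03T04:00", None,               "2024-03-03T10:00"),
    ("INC-003", "2024-03-05T10:00", "2024-03-05T10:30", "2024-03-05T11:00", "2024-03-05T12:30"),
    ("INC-004", "2024-03-07T00:00", "2024-03-07T12:00", None,               "2024-03-08T00:00"),
]


@dataclass
class Incident:
    ident: str
    occurred: datetime
    detected: datetime
    reported: Optional[datetime]
    repaired: datetime


def parse_incidents(rows) -> List[Incident]:
    """Turn the raw rows into Incident objects, validating the time ordering."""
    incidents = []
    for ident, occurred, detected, reported, repaired in rows:
        inc = Incident(
            ident,
            datetime.fromisoformat(occurred),
            datetime.fromisoformat(detected),
            datetime.fromisoformat(reported) if reported else None,
            datetime.fromisoformat(repaired),
        )
        if not (inc.occurred <= inc.detected <= inc.repaired):
            raise ValueError(f"{ident}: timestamps out of order")
        incidents.append(inc)
    return incidents


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mean_time_to_detect(incidents: List[Incident]) -> float:
    """Hours between occurrence and detection, averaged over all incidents."""
    return mean(hours(i.detected - i.occurred) for i in incidents)


def mean_time_to_report(incidents: List[Incident]) -> float:
    """Hours between detection and reporting, over the incidents that were reported."""
    reported = [i for i in incidents if i.reported is not None]
    if not reported:
        return float("nan")  # nothing was reported, so the delay is undefined
    return mean(hours(i.reported - i.detected) for i in reported)


def mean_time_to_repair(incidents: List[Incident]) -> float:
    """The KPI named on the slide: hours from detection to repair, averaged."""
    return mean(hours(i.repaired - i.detected) for i in incidents)


def unreported_incidents(incidents: List[Incident]) -> List[str]:
    """Incidents discovered afterwards without ever being reported (a warning sign)."""
    return [i.ident for i in incidents if i.reported is None]


def kpi_report(incidents: List[Incident], mttr_target_hours: float) -> Dict[str, object]:
    """KPIs (lead indicators) plus one KGI: was the MTTR target met, after the fact?"""
    mttr = mean_time_to_repair(incidents)
    return {
        "mttd_hours": mean_time_to_detect(incidents),
        "mttr_hours": mttr,
        "mean_report_delay_hours": mean_time_to_report(incidents),
        "unreported": unreported_incidents(incidents),
        "kgi_mttr_target_met": mttr <= mttr_target_hours,
    }


if __name__ == "__main__":
    for key, value in kpi_report(parse_incidents(SAMPLE_ROWS), 8.0).items():
        print(f"{key}: {value}")
```

The KPI/KGI split is visible in the report: the time-based measures describe how the process is performing, while `kgi_mttr_target_met` only says whether the goal was reached once the period is over. On the sample data the two unreported incidents are the more interesting signal, since they point at a gap in reporting practice rather than at repair capacity.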

61
1.11 Information Security Governance Metrics
7. Assurance Process Integration (Convergence)

• Organizations should consider an approach to information security
governance that includes an effort to integrate assurance functions.

• This will serve to increase security effectiveness and efficiency by reducing
duplicated efforts and gaps in protection.

• KGIs can include:
  - No gaps in information asset protection.
  - The elimination of unnecessary security overlaps.
  - Well-defined roles and responsibilities.

62
Information Security Strategy Overview

63
1.12 Information Security Strategy Overview
• In The Concept of Corporate Strategy, 2nd Edition, Kenneth Andrews
describes corporate strategy as:

“the pattern of decisions in a company that determines and reveals its
objectives, purposes, or goals, produces the principal policies and plans for
achieving those goals, and defines the range of business the company is to
pursue, the kind of economic and human organization it is or intends to be,
and the nature of the economic and noneconomic contribution it intends to
make to its shareholders, employees, customers, and communities”.

• Remember: a ‘you are what you do’ perspective.

64
1.12 Information Security Strategy Overview
• “Business Strategy” provides a road map to achieving the “Business
Objectives.”

• It should provide inputs into “Risk Management” plans and the “Information
Security Strategy”, to promote ALIGNMENT OF INFORMATION SECURITY
WITH BUSINESS GOALS.

• The objective of the security strategy is the desired state defined by business
and security attributes.

• The strategy provides the basis for an action plan comprised of one or more
security programs that, as implemented, achieve the security objectives.

• The strategy and action plans must contain provisions for monitoring as well
as defined metrics to determine the level of success.

• This provides feedback to the CISO and steering committee to allow for
midcourse correction and ensure that security initiatives are on track to meet
defined objectives.

65
1.13 Developing Information Security Strategy

66
Information Security Strategy Objectives

67
1.14 Information Security Strategy Objectives
• The objectives of developing an information security strategy must be
defined. Metrics should be developed to determine if those objectives are
being achieved.

• The following 6 defined outcomes of security governance will provide
high-level guidance:
  - Strategic alignment
  - Effective risk management
  - Value delivery
  - Resource management
  - Performance measurement
  - Process assurance integration

• The strategy will need to consider what each of the selected areas will mean
to the organization, how they might be achieved, and what will constitute
success.

68
1.14 Information Security Strategy Objectives
• The following should be considered when developing the information
security strategy:
1. The Goal.
2. Defining Objectives.
3. The Desired State (what do you want to be?).
4. Risk Objectives.

69
1.14 Information Security Strategy Objectives
1. The Goal
• The first, and most difficult, question that must be answered by an
organization seeking to develop an information security strategy is: what is
the goal?

• The goal of information security is to protect the organization’s information
assets.

• However, that answer assumes knowledge of 2 things: which information
assets exist, and the degree of protection each needs.

• Information assets must be cataloged or classified by criticality and
sensitivity.

• This is a crucial step in developing a practical and useful information security
strategy and a cost-effective security program.

70
1.14 Information Security Strategy Objectives
• One approach commonly used is to create a few rough levels of value, for
example from 0 (zero-value information) to 5 (critical information).

• Information of zero value can then be archived for a specified period, notices
sent to business owners and, if there are no objections, destroyed.

• Information deemed a five (critical) then becomes the priority for protection
efforts.

• Another approach that may be useful and substantially easier to perform is a
business dependency evaluation used as an indication of value.

• This process starts by defining critical business processes, then determines
what information is used and created by them, and then prioritizes the
protection efforts accordingly.
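As an added example (not from the course material), the business dependency evaluation described above can be carried out mechanically on the slide's 0 to 5 scale: each information asset takes the highest criticality of any business process that uses or creates it, assets that end up at zero become archive candidates, and the rest are ordered for protection effort. The process names, ratings and asset lists below are constructed for the example.

```python
from typing import Dict, List

# Constructed example data (not from the course). Business processes rated on
# the slide's 0 (no value) .. 5 (critical) scale, and the information assets
# each process uses or creates. One asset (customer_db) is shared by two
# processes so the "highest dependent process wins" rule is exercised.
PROCESSES = {
    "Order fulfilment": 5,
    "Payroll": 4,
    "Marketing newsletter": 1,
    "Legacy reporting": 0,
}
PROCESS_ASSETS = {
    "Order fulfilment": ["customer_db", "inventory_db"],
    "Payroll": ["hr_db"],
    "Marketing newsletter": ["subscriber_list", "customer_db"],
    "Legacy reporting": ["old_reports"],
}

MIN_LEVEL, MAX_LEVEL = 0, 5


def classify_by_dependency(processes: Dict[str, int],
                           process_assets: Dict[str, List[str]]) -> Dict[str, int]:
    """Value each asset at the highest criticality of any process depending on it."""
    levels: Dict[str, int] = {}
    for process, criticality in processes.items():
        if not MIN_LEVEL <= criticality <= MAX_LEVEL:
            raise ValueError(f"{process}: criticality {criticality} is outside "
                             f"{MIN_LEVEL}..{MAX_LEVEL}")
        for asset in process_assets.get(process, []):
            levels[asset] = max(levels.get(asset, MIN_LEVEL), criticality)
    return levels


def protection_priority(levels: Dict[str, int]) -> List[str]:
    """Assets ordered for protection effort: highest level first, name as tie-break."""
    ranked = sorted(levels.items(), key=lambda kv: (-kv[1], kv[0]))
    return [asset for asset, level in ranked if level > MIN_LEVEL]


def archive_candidates(levels: Dict[str, int]) -> List[str]:
    """Zero-value assets: archive for a period, notify owners, destroy if no objection."""
    return sorted(asset for asset, level in levels.items() if level == MIN_LEVEL)


if __name__ == "__main__":
    levels = classify_by_dependency(PROCESSES, PROCESS_ASSETS)
    print("classification:", levels)
    print("protect first:", protection_priority(levels))
    print("archive candidates:", archive_candidates(levels))
```

The point of deriving asset value from process criticality is that the business owners only have to rate a short list of processes, which they usually can, rather than every data store; the classification of each store follows from the dependency map.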

71
1.14 Information Security Strategy Objectives
2. Defining Objectives
• Defining long-term objectives in terms of a “desired state” of security is
necessary. Without a well-articulated vision of desired outcomes for a
security program, it will not be possible to develop a meaningful strategy.

• A review of the organization’s strategic business plans is likely to uncover
opportunities for information security activities that can be directly
supportive of, or enabling, a particular avenue of business. Examples:
  - Implementation of a PKI can enable high-value transactions between
    trusted trading partners or customers.
  - Deploying VPNs may provide the sales force with secure remote
    connectivity, enabling improved performance.

72
1.14 Information Security Strategy Objectives
3. The Desired State
• The “desired state” is a complete snapshot of all relevant conditions at a
particular point in the future, including people, processes and technologies.

• A number of useful approaches are available to provide a framework to
achieve a well-defined “desired state” for security.

• It may be useful to combine several different standards and frameworks to
provide a multidimensional view into the desired state.

• Examples of the most widely accepted approaches are:
  - COBIT 5 (Control Objectives for Information and Related Technology)
  - COBIT 5 Process Assessment Model
  - Capability Maturity Model (CMM)
  - Balanced Scorecard (BSC)
  - Architecture approaches (such as TOGAF)
  - ISO/IEC 27000 Series

73
1.14 Information Security Strategy Objectives
4. Risk Objectives:
• A major input into defining the desired state will be the organization’s
approach to risk and its risk appetite.

• Risk appetite: the level of risk that an organization is prepared to accept
before action is deemed necessary to reduce it.

• Without a reasonably clear determination of acceptable risk, it is difficult to
determine whether information security is meeting its objectives and
whether the appropriate level of resources has been deployed.

• Risk always carries a cost, whether controlled or not.

74
1.14 Information Security Strategy Objectives
 The diagram below illustrates the balance of the cost of controls against the
cost of losses, showing the optimal level of control.

75
Determining Current State of Security

76
1.15 Determining Current State of Security
• A current state evaluation of information security must also be determined
using the same methodologies or combination of methodologies employed
(such as COBIT, CMM or the balanced scorecard) to determine strategy
objectives, or the desired state.

• This provides an apples-to-apples comparison between the current state and
desired state, providing the basis for a gap analysis that will define what is
needed to achieve the objectives.
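An added example, not part of the course material, of the gap analysis this slide describes: both the current and the desired state are scored on the same CMM-style 0 to 5 maturity scale, so the gap per domain is a plain difference, and a business weight (an assumption of this example, 1 to 5) turns the gaps into a priority order. Domains already beyond their desired level are flagged separately, since they are where resources might be reallocated from. The domain names and scores are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# CMM-style maturity scale used for BOTH assessments, so that the current
# and desired states are directly comparable (the "apples-to-apples" point).
MATURITY = {
    0: "Nonexistent",
    1: "Initial / ad hoc",
    2: "Repeatable but intuitive",
    3: "Defined process",
    4: "Managed and measurable",
    5: "Optimized",
}


@dataclass
class DomainAssessment:
    domain: str
    current: int   # maturity observed in the current-state evaluation
    desired: int   # maturity set as the strategy objective
    weight: int    # business criticality of the domain, 1 (low) .. 5 (high); example assumption


# Constructed sample assessments (not from the course material).
SAMPLE_ASSESSMENTS = [
    DomainAssessment("Access control", current=2, desired=4, weight=5),
    DomainAssessment("Incident management", current=1, desired=4, weight=4),
    DomainAssessment("Security awareness", current=3, desired=3, weight=2),
    DomainAssessment("Change management", current=4, desired=3, weight=3),
]


def validate(assessment: DomainAssessment) -> None:
    """Reject scores that are not on the maturity scale or weights outside 1..5."""
    for label, level in (("current", assessment.current), ("desired", assessment.desired)):
        if level not in MATURITY:
            raise ValueError(f"{assessment.domain}: {label} level {level} is not on the scale")
    if not 1 <= assessment.weight <= 5:
        raise ValueError(f"{assessment.domain}: weight must be 1..5")


def gap_analysis(assessments: List[DomainAssessment]) -> List[Dict[str, object]]:
    """Domains that fall short of the desired state, highest priority first.

    Priority is the size of the gap multiplied by the domain's business weight,
    so a small gap in a critical domain can outrank a large gap in a minor one.
    """
    rows = []
    for a in assessments:
        validate(a)
        gap = a.desired - a.current
        if gap > 0:
            rows.append({
                "domain": a.domain,
                "current": MATURITY[a.current],
                "desired": MATURITY[a.desired],
                "gap": gap,
                "priority": gap * a.weight,
            })
    return sorted(rows, key=lambda r: (-int(r["priority"]), str(r["domain"])))


def over_invested(assessments: List[DomainAssessment]) -> List[str]:
    """Domains already beyond the desired state: candidates for reallocating resources."""
    return [a.domain for a in assessments if a.current > a.desired]


if __name__ == "__main__":
    for row in gap_analysis(SAMPLE_ASSESSMENTS):
        print(f"{row['domain']}: {row['current']} -> {row['desired']} "
              f"(gap {row['gap']}, priority {row['priority']})")
    print("over-invested:", over_invested(SAMPLE_ASSESSMENTS))
```

Scoring both states on one scale is what makes the subtraction legitimate; a current state measured with one framework and a desired state expressed in another cannot be differenced this way, which is the slide's main caution.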

CURRENT RISK
• The current state of risk must also be assessed through a comprehensive risk
assessment.

• Just as risk objectives must be determined as a part of the desired state, so
must the current state of risk be determined to provide the basis for a gap
analysis of what risk exists and to what extent risk must be addressed by the
strategy.

77
1.15 Determining Current State of Security
Business Impact Analysis/Assessment
• The current state evaluation should also include a thorough BIA of critical
systems and processes to help round out the current state picture.

• BIA provides the information needed to develop an effective strategy to
provide business process assurance and minimize the impacts of adverse
events.

• The difference between acceptable levels of impact and current level of
potential impacts must be addressed by the strategy.

78
Information Security Strategy Development

79
1.16 Information Security Strategy Development
• A good security strategy should address and mitigate risk while complying
with the legal, contractual and regulatory requirements of the business, as
well as provide demonstrable support for the business objectives of the
organization and maximize value to the stakeholders. The security strategy
also needs to address how the organization will embed good security
practices into every business process and area of the business.

• To develop a strategy is to move from the current state to the desired state.

• Knowing where one is and where one is going provides the essential starting
point for strategy development; it provides the framework for creating a road
map.

80
1.16 Information Security Strategy Development
• Achieving the desired state is usually a long-term goal consisting of a series
of projects and initiatives.

• Large, complex projects should be broken down into a series of shorter-term
projects that can be accomplished in a reasonable time period given the
inevitable resource constraints and budget cycles.

• Shorter-term projects aligned with the long-range objectives can serve to
provide checkpoints and opportunities for midcourse corrections. They can
also provide metrics to validate the overall strategy.

81
Information Security Strategy Resources and Constraints

82
1.17 Strategy Resources
1. Policies and standards:
• Policies and standards are considered tools of governance and management,
respectively, and procedures and guidelines the purview of operations.

• There is a broad range of interpretation of policy, standards, procedures and
guidelines. The definitions used by ISACA are in agreement with the major
standards bodies.

• Policies:
  - High-level statements of management intent, expectations and direction.
    Policies in a mature organization can, for the most part, remain fairly
    static.
  - An example of a policy statement on access control could be:
    “Information resources shall be controlled in a manner that effectively
    prevents unauthorized access.”
  - Policies can be considered the “constitution” of security governance and
    must be clearly aligned with the strategic security objectives of the
    organization.
83
1.17 Strategy Resources
• Standards:
  - Standards in this context are the metrics, allowable boundaries or the
    process used to determine whether procedures, processes or systems
    meet policy requirements. They are the “law” to the “constitution” of
    policy.
  - They provide the measuring stick for policy compliance and a sound basis
    for audits. They govern the creation of procedures and guidelines.
  - A standard for passwords used for access control could be: Passwords for
    medium and low security domains shall be composed of no less than eight
    characters consisting of a mixture of upper and lower case letters, and at
    least one number and one punctuation mark.
  - Standards must change as requirements and technologies change.
  - Multiple standards will usually exist for each policy.
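The password standard quoted above is specific enough to be checked mechanically, which is exactly what makes a standard the “measuring stick” for policy compliance. The following Python is an added example (not the course's own material) that expresses that standard as a set of named requirements, reports which ones a candidate password fails, and summarises a compliance rate over a batch of candidates as a simple KPI. It covers only the medium and low security domains the standard names, since a stricter domain would have its own standard. The choice of ASCII letters, digits and Python's `string.punctuation` as the character classes, and the sample passwords in the usage, are assumptions of the example.

```python
import string
from typing import Callable, List, Tuple

# The quoted standard, broken into checkable requirements. Character classes
# are an assumption of this example: the standard does not define "punctuation".
MIN_LENGTH = 8
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
PUNCTUATION = set(string.punctuation)

# Each requirement: (wording used in the compliance report, predicate).
REQUIREMENTS: List[Tuple[str, Callable[[str], bool]]] = [
    ("no less than eight characters", lambda p: len(p) >= MIN_LENGTH),
    ("at least one lower case letter", lambda p: any(c in LOWER for c in p)),
    ("at least one upper case letter", lambda p: any(c in UPPER for c in p)),
    ("at least one number", lambda p: any(c in DIGITS for c in p)),
    ("at least one punctuation mark", lambda p: any(c in PUNCTUATION for c in p)),
]


def unmet_requirements(password: str) -> List[str]:
    """Return the requirements a candidate password fails; an empty list means compliant."""
    return [wording for wording, ok in REQUIREMENTS if not ok(password)]


def is_compliant(password: str) -> bool:
    """True when the candidate meets every requirement of the standard."""
    return not unmet_requirements(password)


def compliance_rate(candidates: List[str]) -> float:
    """Share of candidates that meet the standard, as a KPI for the standard's adoption."""
    if not candidates:
        return 0.0
    return sum(is_compliant(p) for p in candidates) / len(candidates)


if __name__ == "__main__":
    # Constructed test values; a real check runs at password-change time and
    # never stores or logs the candidate itself.
    for candidate in ["Correct-Horse7", "password", "Ab1!"]:
        failures = unmet_requirements(candidate)
        print("compliant" if not failures else "fails: " + "; ".join(failures))
```

Reporting the unmet requirements by their wording in the standard, rather than a bare pass/fail, is what makes the check auditable: the rejection message maps one-to-one onto a clause of the standard. Note that the check measures compliance with this particular standard, not password strength in general.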

84
1.17 Strategy Resources

• Procedures:
  - Procedures are the responsibility of operations, including security
    operations.
  - Procedures must be clear and include all necessary steps to accomplish
    specific tasks, as well as steps required when unexpected results occur:
    “step by step instructions”.
  - Procedures’ terms must be exact. For example, the words “must,” “will”
    and “shall” will be used for any task that is mandatory. The word “should”
    must be used to mean a preferred action that is not mandatory. The terms
    “may” or “can” must only be used to denote a purely optional action.
  - Procedures for passwords would include the detailed steps required for
    setting up password accounts, and for changing or resetting passwords.

85
1.17 Strategy Resources

• Guidelines:
  - Guidelines for executing procedures are also the responsibility of
    operations.
  - Guidelines should contain information that will be helpful in executing the
    procedures.
  - This can include dependencies, suggestions and examples, narrative
    clarifying the procedures, background information that may be useful,
    tools that can be used, etc.

86
1.17 Strategy Resources
Technologies:
• Technology is one of the cornerstones of an effective security strategy.

• The information security manager must be familiar with how these
technologies can serve as controls in achieving the desired state of security.

• Technology, however, cannot compensate for management, cultural or
operational deficiencies, and the information security manager is cautioned
not to place excessive reliance on these mechanisms.

Refer to the CISM Review Manual for an illustrative table about how to achieve
effective defences against security incidents, by combining policies, standards
and procedures with technology.

87
1.17 Strategy Resources
Organizational Structure:

• Reporting structures for information security managers vary widely.

• According to the “Global State of Information Security survey” conducted in
2011:
  - The percentage of CISOs reporting to the CIO decreased from 38% in 2007
    to 23% in 2010.
  - During the same period, the percentage reporting directly to the board of
    directors increased from 21% to 32%, and 36% now report to the CEO.

88
1.17 Strategy Resources
Awareness and education:

• Training, education and awareness are vital in the overall strategy since
security is often weakest at the end-user level.

• In most organizations, evidence indicates that the majority of personnel are
not aware of security policies and standards, even where they do exist.

• Since security relies heavily on individual compliance, it is important that a
robust security awareness program be in place; it is an element that must
be considered in strategy development.

• A recurring security awareness program aimed at end users reinforces the
importance of information security and is now required by law, in some
jurisdictions, for a number of sectors.

89
1.17 Strategy Resources
Audits:

• Audits, both internal and external, are one of the main processes used to
determine information security deficiencies from a controls and compliance
standpoint.

• Since audits can provide powerful monitoring tools for the information
security manager, it is important to ensure that the security department has
access to audit test results as part of strategy considerations.

90
1.17 Strategy Resources
Compliance enforcement:

• Security managers often find that the greatest compliance problems arise
with management. If there is a lack of commitment and compliance in
management ranks, it may be difficult to enforce compliance across an
organization.

• The most effective approach to compliance in an organization is likely to be a
system of self-reporting and voluntary compliance based on the
understanding that security is clearly in everyone’s best interest.

• This approach usually also requires that these processes be carefully thought
out, clearly communicated and cooperatively implemented.

• Determining how to accomplish this is an element of strategy.

91
1.17 Strategy Resources
Threat assessment:

• A threat: anything (e.g., object, substance, human) that is capable of acting
against an asset in a manner that can result in harm; a potential cause of an
unwanted incident (ISO/IEC 13335).

• A vulnerability: a weakness in the design, implementation, operation or
internal controls in a process that could be exploited to violate system
security.

• While threat assessment is performed as a part of overall risk assessment, it
is an important element for strategic consideration by itself. Reasons:
  - One reason is that risk treatment options should consider the most
    cost-effective approach for addressing any particular risk. For example,
    mitigation measures can address the threat directly, they can reduce or
    eliminate vulnerabilities, or they can address and compensate for impacts.
    The most cost-effective choice is facilitated by separately analyzing threat
    and vulnerability, as well as impact.

92
1.17 Strategy Resources
Vulnerability assessment:

• In most organizations, technical vulnerability assessments using automated
scans are common but by themselves are of limited value for security
strategy development.

• Comprehensive vulnerability assessments are important and should include
vulnerabilities in processes, technologies and facilities.

• The process of developing a strategy will offer opportunities to address many
of these vulnerabilities in a prudent, proactive approach.

93
1.17 Strategy Resources
Risk assessment and management:
• Risk: the combination of the probability of an event and its consequence. Risk
has traditionally been expressed as Threats x Vulnerabilities = Risk.

• Risk assessment: a process used to identify and evaluate risk and potential
effects. Risk assessment includes assessing the critical functions necessary
for an organization to continue business operations, defining the controls in
place to reduce organization exposure and evaluating the cost for such
controls. Risk analysis often involves an evaluation of the probabilities of a
particular event.

• While both threat and vulnerability assessments can be useful in their own
right, in considering the elements of security strategy, assessing the overall
risk to the organization is also required.

• While threats and vulnerabilities that pose no risk to the organization may
not be immediately significant, the ever-changing risk landscape makes it
likely that this will not continue to be the case.
94
1.17 Strategy Resources
Business impact assessment:

• Business impact is the “bottom line” of risk. Risk that cannot result in an
appreciable impact is not important.

• Business impact assessments (BIAs) are an important component of
developing a strategy that addresses potential adverse impacts to the
organization.

• A BIA must also be considered as a requirement to determine the criticality
and sensitivity of systems and information.

• As such, it will provide the basis for developing an approach to information
classification and addressing business continuity requirements.

95
1.18 Strategy Constraints
Legal and regulatory requirements:

• An effective information security strategy must be built on a solid
understanding of the pertinent legal requirements and restrictions.

• Different regions in a global organization may be governed by conflicting
legislation.

• There are also a number of legal and regulatory issues associated with
Internet business, global transmissions and transborder data flows (e.g.,
privacy, tax laws and tariffs, data import/export restrictions, restrictions on
cryptography, warranties, copyrights, trade secrets, national security),
resulting in constraints and boundaries on security strategies.

• The global organization may need to establish different security strategies for
each regional division, or it can base policy on the most restrictive
requirements in order to be consistent across the enterprise.

96
1.18 Strategy Constraints
Ethics:

• The perception of ethical behavior by an organization’s customers and the
public at large can have a major impact on an organization and affect its
value.

Culture:

• The internal culture of the organization must be taken into account in
developing a security strategy.

• A strategy that is at odds with cultural norms may encounter resistance, and
this may make successful implementation difficult.

97
1.18 Strategy Constraints
Organizational Structure:

• Organizational structure will have a significant impact on how a governance
strategy can be devised and implemented.

• Often, various assurance functions exist in “silos” that have different
reporting structures and authority. Cooperation between these functions is
important and typically requires senior management buy-in and involvement.

98
1.18 Strategy Constraints
Costs:

• The development and implementation of a strategy consumes resources,
including time and money.

• The strategy needs to consider the most cost-effective way it can be
implemented.

• A cost-benefit analysis may be useful in justifying expenditures and should be
considered when developing a security strategy.

• A traditional approach is to consider the value of avoiding specific risk, by
estimating the potential losses incurred by a specific event and multiplying
by the probability of it occurring in a given year (the annualized loss
expectancy, ALE). Thus, the cost of the controls required to prevent such an
event can be compared to the ALE to determine the ROI.
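As an added example (not course material) of the ALE calculation described above, combined with the cost-of-controls versus cost-of-losses balance mentioned under Risk Objectives: the code computes ALE as SLE multiplied by ARO, then for each candidate control the residual loss, the loss avoided, the net benefit and the ROI, and ranks the controls by the total of residual loss plus control cost, which is the quantity the optimal level of control minimises. The control names, costs and loss-reduction fractions are constructed inputs, and the assumption that a control removes a fixed fraction of the expected loss is a simplification of the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Control:
    name: str
    annual_cost: float     # yearly cost of operating the control
    loss_reduction: float  # fraction of the expected annual loss it removes, 0..1 (example assumption)


def annualized_loss_expectancy(single_loss_expectancy: float,
                               annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from one type of event."""
    if single_loss_expectancy < 0 or annual_rate_of_occurrence < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return single_loss_expectancy * annual_rate_of_occurrence


def evaluate_control(ale_before: float, control: Control) -> Dict[str, object]:
    """Compare a control's cost with the loss it avoids and compute its ROI."""
    if not 0.0 <= control.loss_reduction <= 1.0:
        raise ValueError(f"{control.name}: loss_reduction must be within 0..1")
    if control.annual_cost <= 0:
        raise ValueError(f"{control.name}: annual_cost must be positive")
    ale_after = ale_before * (1.0 - control.loss_reduction)
    avoided_loss = ale_before - ale_after
    net_benefit = avoided_loss - control.annual_cost
    return {
        "control": control.name,
        "ale_after": round(ale_after, 2),
        "avoided_loss": round(avoided_loss, 2),
        "net_benefit": round(net_benefit, 2),
        "roi": round(net_benefit / control.annual_cost, 4),
        # Residual loss plus control cost: the curve of total cost that the
        # "optimal level of control" sits at the bottom of.
        "total_cost": round(ale_after + control.annual_cost, 2),
    }


def rank_controls(sle: float, aro: float, controls: List[Control]) -> List[Dict[str, object]]:
    """All candidate controls ordered by total cost, lowest first."""
    base = annualized_loss_expectancy(sle, aro)
    return sorted((evaluate_control(base, c) for c in controls),
                  key=lambda r: float(r["total_cost"]))


def justified_controls(sle: float, aro: float, controls: List[Control]) -> List[str]:
    """Controls whose avoided loss exceeds their cost, i.e. with a positive net benefit."""
    return [str(r["control"]) for r in rank_controls(sle, aro, controls)
            if float(r["net_benefit"]) > 0]


# Constructed scenario (not from the course): one event type with a single loss
# expectancy of 200,000 and an expected frequency of once every four years.
SAMPLE_SLE = 200_000.0
SAMPLE_ARO = 0.25
SAMPLE_CONTROLS = [
    Control("Offline backups", annual_cost=10_000, loss_reduction=0.60),
    Control("Endpoint detection and response", annual_cost=40_000, loss_reduction=0.90),
    Control("Round-the-clock outsourced SOC", annual_cost=80_000, loss_reduction=0.95),
]

if __name__ == "__main__":
    print("ALE:", annualized_loss_expectancy(SAMPLE_SLE, SAMPLE_ARO))
    for row in rank_controls(SAMPLE_SLE, SAMPLE_ARO, SAMPLE_CONTROLS):
        print(row)
    print("justified:", justified_controls(SAMPLE_SLE, SAMPLE_ARO, SAMPLE_CONTROLS))
```

On the sample numbers the ALE is 50,000 a year; the cheapest control avoids 30,000 of it for 10,000, the second avoids 45,000 for 40,000, and the most thorough option removes almost all of the loss but costs more than the loss it avoids. That third row is the point of the exercise: a control can be technically superior and still not be justified by the ALE it addresses.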

99
1.18 Strategy Constraints
Time:

• Time is a major constraint in developing and implementing a strategy.

• There may be compliance deadlines that must be met, or support for certain
strategic operations, such as a merger, must be accommodated.

Risk acceptance and tolerance:

• The level of acceptable risk and the risk tolerance of the organization play a
major role in developing an information security strategy.

• One method is to develop recovery time objectives (RTOs) for critical systems.
The shorter the RTO, the greater the cost and the lower the risk tolerance.

100
1.19 Action Plan to Implement Strategy
• Implementing an information security strategy will typically require one or
more projects or initiatives: an action plan or roadmap.

• The following should be considered for the development of an action
plan/roadmap to implement an information security strategy:

1. Gap analysis, the basis for an action plan.
2. Policy development.
3. Standards development.
4. Training and awareness.
5. Action plan metrics.

101
1.20 Information Security Program Objectives
• The objective of the information security program is to protect the interests
of those relying on information and the processes, systems and
communications that handle, store and deliver the information from harm,
resulting from failures of availability, confidentiality and integrity.

• Implementing the strategy with an action plan will result in an information
security program.

• For most organizations, the security objective is met when:
  - Information is available and usable when required, and the systems that
    provide it can appropriately resist attacks (availability).
  - Information is observed by or disclosed to only those who have a right to
    know (confidentiality).
  - Information is protected against unauthorized modification (integrity).
  - Business transactions, as well as information exchanges between
    enterprise locations or with partners, can be trusted (authenticity and
    nonrepudiation).

102