CISM Domain 1 Update 2 New Format


Certified Information Security Manager (CISM)

CISM Examination

1 The CISM examination contains 150 questions

2 Each question contains a "Stem" which is the body of the question and four options
(answer choices). Candidates are asked to choose the correct or best answer.

3 CISM exam questions are developed to test the practical knowledge and the application
of general concepts and standards

4 A candidate will be given 4 hours (240 minutes) to complete the examination.


How to approach the Examination

1 Read each question carefully and eliminate known incorrect answers. Make the “BEST”
choice possible.

2 Identify key words or phrases in the question (e.g., MOST, BEST or FIRST) before
selecting and recording an answer.
3 Read the provided instructions carefully before attempting to answer questions.

4 Skipping over these directions or reading them too quickly could result in missing
important information and possibly answering incorrectly.

5 Answer all questions. There is no penalty for wrong answers.

6 Grading is based solely on the number of questions answered correctly.


Exam scoring and score report

1 Candidate scores are reported as a scaled score. A scaled score is a conversion of a
candidate’s raw score on the exam to a common scale.

2 ISACA uses and reports scores on a common scale from 200 to 800. To pass, a candidate
must receive a score of 450 or higher, which represents a minimum consistent standard of
knowledge as established by ISACA’s CISM Certification Working Group.

3 Candidates will receive a preliminary score at the end of the exam. Official scores will be
sent via email within 10 days.

4 Each candidate who completes the CISM exam will receive a score report. This score
report contains a sub-score for each job practice domain.

5 These can be useful in identifying those areas in which further study may be needed,
should retaking the exam be necessary.

6 Grading is based solely on the number of questions answered correctly.
How to get certified?

1 Pass the CISM examination.

2 Submit an application (within five years of the exam passing date) with verified evidence
of a minimum of five years of cumulative work experience performing the tasks of a CISM
professional. For more information visit the ISACA website, www.isaca.org.

3 Adhere to the ISACA Code of Professional Ethics.

4 Each candidate who completes the CISM exam will receive a score report. This score
report contains a sub-score for each job practice domain.

5 Agree to comply with the CISM continuing education policy.

6 Comply with the Information Systems Auditing Standards.


COURSE CONTENT

24% Information Security Governance
30% Information Security Risk Management
27% Information Security Program Development and Management
19% Information Security Incident Management
Domain 1

Information Security Governance


Overview
Information Security Governance

Establish and/or maintain an information security governance framework and supporting
processes to ensure that the information security strategy is aligned with organizational goals
and objectives.

Objectives
• Ensure that the CISM Candidate has the knowledge necessary to:
– Understand the purpose of information security governance, what it consists of, and how to
accomplish it.
– Understand the purpose of an information security strategy, its objectives and the reasons
and steps required to develop one.
– Understand the meaning, content, creation and use of policies, standards, procedures and
guidelines and how they relate to each other.
– Develop business cases and gain commitment from senior leadership.
– Define governance metrics requirements, selection and creation.
Task Statements
• T1.1 Establish and/or maintain an information security strategy in alignment with organizational goals and objectives
to guide the establishment and/or ongoing management of the information security program.
• T1.2 Establish and/or maintain an information security governance framework to guide activities that support the
information security strategy.
• T1.3 Integrate information security governance into corporate governance to ensure that organizational goals and
objectives are supported by the information security program.
• T1.4 Establish and maintain information security policies to guide the development of standards, procedures and
guidelines in alignment with enterprise goals and objectives.
• T1.5 Develop business cases to support investments in information security.
• T1.6 Identify internal and external influences to the organization (e.g., emerging technologies, social media,
business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to
ensure that these factors are continually addressed by the information security strategy.
• T1.7 Gain ongoing commitment from senior leadership and other stakeholders to support the successful
implementation of the information security strategy.
• T1.8 Define, communicate and monitor information security responsibilities throughout the organization (e.g., data
owners, data custodians, end users, privileged or high-risk users) and lines of authority.
• T1.9 Establish, monitor, evaluate and report key information security metrics to provide management with accurate
and meaningful information regarding the effectiveness of the information security strategy.
Effective Info Security

An effective information security program:
• Supports what the organization is trying to do
• Keeps risk within acceptable levels
• Tracks success and areas of improvement
• Changes with the organization

• Effective information system security needs a good information security strategy.
• This strategy documents the goals and objectives of the information security program.
• This forms the basis of information security governance. Governance is:
– The rules that run the organization
– Consists of policies, standards, guidelines and procedures
The Desired State
• The level of acceptable risk as defined by management is often referred to as “risk appetite”.
• This forms the desired state the information security program should achieve.
• Thus the strategy is to develop a set of programs that implement the security requirements to achieve the
desired state, which is the objective of the information security program.
– To achieve this objective, a road map needs to be created to achieve the specifics.
– The second step is to identify the resources needed.
– At the same time, constraints need to be identified (laws and regulations, timelines, available skill
sets, etc.).
– Existing controls need to be identified, such as technologies, standards and procedures.
The Information Security Governance
• To achieve the desired level of effectiveness of information system security, senior management
and the board of directors must be held accountable for information security governance.
• To achieve this they must provide the necessary leadership, resources, organizational structure and
good oversight and processes.
• This should ensure that information security governance is an integral and transparent part of
enterprise governance.
• Scores of laws and regulations demand high levels of compliance and higher levels of
accountability on the governance body.
The Importance of Information Security Governance
• Benefits of good information security governance include:
– Providing assurance of policy compliance
– Increasing predictability and reducing uncertainty of business operations by lowering risk to definable and
acceptable levels
– Providing the structure and framework to optimize allocations of limited security resources
– Providing a level of assurance that critical decisions are not based on faulty information
– Providing a firm foundation for efficient and effective risk management, process improvement, rapid incident
response and continuity management
– Providing greater confidence in interactions with trading partners
– Improving trust in customer relationships
– Protecting the organization’s reputation
– Enabling new and better ways to process electronic transactions
– Providing accountability for safeguarding information during critical business activities, such as mergers and
acquisitions, business process recovery, and regulatory response
– Effective management of information security resources
The Outcome of Information Security Governance
1. Strategic alignment:
Aligning information security with business strategy to support organization

2. Risk Management:
Executing appropriate measures to mitigate risk and reduce potential impacts on information resources to an
acceptable level

3. Value Delivery:
Optimizing security investments in support of business objectives

4. Resource Optimization:
Using information security knowledge and infrastructure efficiently and effectively

5. Performance Measurement:
Monitoring and reporting on information security processes to ensure that objectives are achieved

6. Assurance Process Integration:
Integrating all relevant assurance factors to ensure that processes operate as intended from end to end
Effective Information Security Governance
• Information security governance is the responsibility of the board of directors and senior
management.
• It must be an integral and transparent part of enterprise governance and complement or encompass
the IT governance framework.
• Boards of directors will be required to make information security an intrinsic part of governance.
• This includes monitoring and reporting processes to ensure that governance processes are
effective and compliance enforcement is sufficient to reduce risk to acceptable levels.
• Effective information security governance is required to address legal and regulatory requirements
and is becoming mandatory in the exercise of due care.
Governance and Business Goals and Objectives
• Corporate governance is the set of responsibilities and practices exercised by the board and senior
management with the goals of:
– providing strategic direction,
– ensuring that objectives are achieved,
– ascertaining that risk is managed appropriately,
– verifying that the enterprise’s resources are used responsibly.
• Strategy is the plan to achieve an objective.
• To be of value to the organization, information security must support the business strategy.

• Information security governance is a subset of corporate governance.
• It provides strategic direction for security activities and ensures that objectives are achieved.
• It ensures that information security risk is appropriately managed and enterprise information
resources are used effectively and efficiently.
• To achieve effective information security governance, management must establish and ensure
maintenance of a framework to guide the development and management of a comprehensive
information security program that supports the business objectives.
Components of a Governance Framework

• The governance framework will generally consist of the following:


– A comprehensive security strategy intrinsically linked with business objectives
– Governing security policies that clearly express management intent and address each aspect of strategy,
controls and regulation
– A complete set of standards for each policy to ensure that people, procedures, practices and technologies
comply with policy requirements and set appropriate security baselines for the enterprise
– An effective security organizational structure with sufficient authority and adequate resources, void of conflicts
of interest
– Defined workflows and structures that assist in defining responsibilities and accountability for information
security governance
– Institutionalized metrics and monitoring processes to ensure compliance, provide feedback on control
effectiveness and provide the basis for appropriate management decisions
• This framework provides the basis for developing a cost-effective information security program that supports the
organization’s business goals.
Relationship of Governance Elements
Strategy and Risk
• Purpose of information security: Manage information risk to an acceptable level
• Understand the risk profile
• Understand risk exposure
• Be aware of risk management priorities
• Ensure sufficient risk mitigation


• Base risk treatment decisions on potential consequences

Risk Capacity and Risk Appetite

• Risk capacity: Amount of loss an enterprise can tolerate without its continued existence being questioned.
• Risk appetite: The amount of risk that an entity is willing to accept in pursuit of its mission.
Risk Appetite
• Risk appetite is an essential element for virtually all aspects of information security as well as most
other aspects of organizational activities.
• It will determine many aspects of strategy including control objectives, control implementation,
baseline security, cost-benefit calculations, risk management options, severity criteria
determinations, required incident response capabilities, insurance requirements and feasibility
assessments, among others.
• Risk appetite is translated into a number of standards and policies to contain the risk level within
the boundaries set by the risk appetite.
• These boundaries need to be regularly adjusted or confirmed.

Risk Acceptance
• Risk acceptance is a formal and explicit process that affirms that the risk requires and warrants no
additional response by the organization as long as it and the risk environment stay substantially the
same and accountability for the risk is assigned to a specific owner.
• Risk acceptance generally should not exceed the risk appetite of the organization, but it must not
exceed the risk capacity (which would threaten the continued existence of the organization).
Scope and Charter of IS Governance
• Information security deals with all aspects of information, in any medium (e.g., written, spoken, electronic),
regardless of whether it is being created, viewed, transported, stored or disposed.
• IT security is concerned with security of information within the boundaries of the technology domain, usually in
a custodial capacity.
• IT usually is not the owner of most of the information in its systems; rather, it owns the machinery that
processes it. The information is in IT’s care, control and custody, and, therefore, IT functions as a custodian for
the data owners.
• In the context of information security governance, it is important that the scope and responsibilities of
information security are clearly set forth in the information security strategy and reflected in the policies.
• To be successful, information security must be fully supported by senior management and the various
organizational units. Without clearly defined information security responsibilities, it is impossible to determine
accountability.
Governance Risk and Compliance

[Diagram: Governance, Risk Management, Compliance]

• GRC is an integrated assurance process.
• Convergence can exist independently across different business functions.
• Information security is often a part of GRC.
• It is important to recognize that effective integration of GRC processes requires that governance is
in place before risk can be effectively managed and compliance enforced.
• It is usually focused on financial, IT and legal areas.
• Financial GRC is used to ensure proper operation of financial processes and compliance with
regulatory requirements.
• In a similar fashion, IT GRC seeks to ensure proper operation and policy compliance of IT processes.
• Legal GRC may focus on overall regulatory compliance.
The Assurance Process - Convergence
• The assurance function is traditionally segmented to treat security in silos. Thus there are separate
assurance functions for Operations, IT, Governance, Finance, HR etc., to name a few.
• With almost end-to-end automation nowadays, the necessity is felt to converge the assurance function, as
the auditee also feels the stress of answering many audit requirements.
• Information security is the backbone of all the security related initiatives. Of course information security cannot
be achieved by only looking at technical controls. Physical and environmental controls also play a vital role in
securing information processing assets.
Tracking Roles
Practice Question
• Business goals define the strategic direction of the organization. Functional goals define the tactical
direction of a business function. Security goals define the security direction of the organization. What is
the MOST important relationship between these concepts?

A. Functional goals should be derived from security goals.
B. Business goals should be derived from security goals.
C. Security goals should be derived from business goals.
D. Security and business goals should be defined independently from each other.
Practice Question

• An organization's information security strategy should be based on:

A. managing risk relative to business objectives.
B. managing risk to a zero level and minimizing insurance premiums.
C. avoiding occurrence of risks so that insurance is not required.
D. transferring most risk to insurers and saving on control costs.
Roles and Responsibilities

• Board of Directors
– Need to be aware of information assets
– Provided with high-level results of risk assessments and BIAs
– Exercise due care in protecting key assets
• Steering committee
– Comprised of senior representatives of groups impacted by information security
– Ensures alignment of security program with business objectives
• Common topics:
– Security strategy and integration efforts
– Specific actions and progress related to business unit support of information security program
functions
– Emerging risk, business unit security practices and compliance issues

• Senior Management
– Ensure needed functions/resources are available
– Ensure resources are properly utilized
– Promote cooperation, arbitrate when needed and set priorities
• Chief Information Security Officer:
– May not be an official position
– Trends have shown most organizations have a CISO in charge of the security program
– Some organizations have a CSO over information security and physical security
– Most often reports to the CEO, followed by the CIO and board
– Conflicts of interest may arise if the CISO reports to the CIO because security is often seen as a
constraint on IT
Risk Management Roles and Responsibilities

• Chief Risk Officer
– Generally responsible for all non-information risk and overall ERM
• Chief Information Officer
– Responsible for IT planning, budgeting and performance
• Chief Information Security Officer
– Similar functions as information security manager with more strategic and management
elements; IT strategy
• Information Security Manager
– Responsible for information risk management and organization information security programs
• Systems and Information Owners
– Responsible for ensuring proper controls to address CIA
• IT Security Practitioners
– Responsible for proper implementation of security requirements in their IT systems
• IT Security Awareness Trainers and SMEs
Senior Management Commitment
• Addressing information security issues at board/senior management meetings
• Clear approval and support for formal security strategies and policies
• Monitoring and measuring organizational performance in implementing security policies
• Periodically reviewing information security effectiveness
• Providing high-level oversight and control


• Supporting security awareness and training for all staff throughout the organization
• Adequate resources and sufficient authority to implement and maintain security activities
• Treating information security as a critical business issue and creating a security-positive environment
• Demonstrating to third parties that the organization deals with information security in a professional manner
• Setting an example by adhering to the organization’s security policies and practices
• The CISO should ensure adequate training and workshops for senior managers to make them understand the
importance of the program.
The Business Case
• Provides a formal proposal for a project
– Likely costs
– Benefits
• Should have enough detail to explain the why of a project and what it will deliver back.
• Provides the information required for an organization to decide whether a project should proceed.
• The essential consideration is the value proposition, or the cost-benefit analysis of moving forward
with the project.

Preparing a Business Case
• Elements of a feasibility study
– Project scope
– Current analysis
– Requirements
– Recommended approach
– Evaluation
– Formal review
• The business case should have sufficient detail to describe the justification for setting up and
continuing a project and provide the reasons for the project by answering the question, “Why
should this project be undertaken?”
Business Case and Project Management

• The business case drives the decision process
– If no longer valid, the project should be reviewed
– Used at stage gates (kill points)
– Reevaluation/reapproval needed when circumstances change
• The formal presentation to senior management is used as a means to educate and communicate key
aspects of the overall security program. Key points include:
– Aligning security objectives with business objectives, enabling senior management to understand
and apply the security policies and procedures
– Identifying potential consequences of failing to achieve certain security-related objectives and
regulatory compliance
– Identifying budget items so that senior management can quantify the costs of the security program
– Using commonly accepted project risk/benefit or financial models, such as total cost of ownership
(TCO) or ROI, to quantify the benefits and costs of the security program
– Defining the monitoring and auditing measures that will be included in the security program
Practice Question

• While implementing information security governance an organization should FIRST:

• A. adopt security standards.
• B. determine security baselines.
• C. define the security strategy.
• D. establish security policies.
Practice Question

• The FIRST step in developing an information security management program is to:

• A. identify business risk that affects the organization.
• B. establish the need for creating the program.
• C. assign responsibility for the program.
• D. assess adequacy of existing controls.
Communication Channels

• To ensure effective and efficient implementation of the information security program, proper
communication channels should be established.
• This should include consistent and reliable reporting from various parts of the organization.
• These, along with other metrics, serve as the early warning system for potential threats and
emerging security issues.
• Communication channels may be formal or informal.
• Periodic presentation to senior management is necessary to make them understand the state of the
information security program.
• The presentations should at a minimum contain:
– Status of the implementation of the system based on the approved strategy
– Overall BIA result comparison (prior to and after implementation)
– Statistics of detected and prevented threats as a means of demonstrating value
– Identifying the weakest security links in the organization and potential consequences of compromise
– Performance measurement data analysis supported with independent, external assessment or audit
reports, if available
– Addressing ongoing alignment for critical business objectives, operation processes or corporate
environments
– Requiring the approval for renewed plans, as well as related budget items
Communication Channels
• In addition to the formal presentations, four other groups need different communications:
• Senior management
– Attend business strategy meetings to become more aware and understand the updated business
strategies and objectives.
– Hold periodic one-to-one meetings with senior management to understand the business objectives
from its perspective.
• Business process owners
– Join operation review meetings to realize the challenges and requirements of daily operations and
their dependencies.
– Initiate monthly one-to-one meetings with different process owners to gain continued support in
the implementation of information security governance and address current individual security
related issues.
• Other management
– Inform line managers, supervisors and department heads charged with various security and risk
management-related functions, including ensuring adequate security requirement awareness and
policy compliance, of their responsibilities.
• Employees
– Offer timely training and education programs.
– Initiate a centralized on-board training program for new hires.
– Distribute organizational education material on updated strategies and policies.
– Instruct personnel to access the intranet or email-based notifications for periodic reminders or ad
hoc adaptations.
– Support senior management and business process owners by assigning an information security
governance coordinator within each functional unit to obtain accurate feedback of daily practices in
a timely manner.
Governance of Third Party Relationships
• The governance of third parties include:
– Service providers
– Outsourced operations
– Trading partners
– Merged or acquired organizations


• To ensure that the organization is adequately protected, the information security manager must assess the
impacts of any of the reasonably possible security failures of any third party that may become involved with
the organization.
• Policies, standards and procedures establishing the involvement of information security should be developed
prior to the creation of any third-party relationship.
• There should be a formalized engagement model between the information security organization and those
groups that establish and manage third-party relationships for the organization.
Metrics and Measurement

Metrics allow the measurement of the achievement of a process goal. Security metrics should tell us
about the state or degree of security relative to a reference point.

It is important to keep in mind that technical metrics are only useful for the tactical operational
management of technical security systems, such as intrusion detection systems, proxy servers,
firewalls, etc. They say nothing about strategic alignment or governance.

From a management perspective, technical metrics cannot provide answers to questions such as:
• How secure is the organization?
• How much security is enough?
• How do we know when we have achieved an adequate level of security?
• What are the most cost-effective security solutions?
• How do we determine the degree of risk?
• How well can risk be predicted?
• Is the security program achieving its objectives?
• What impact is lack of security having on productivity?
• What impact would a catastrophic security breach have?
• What impact will security solutions have on productivity?
Metrics and Measurement

• Metrics should be SMART:
– Specific
– Measurable
– Attainable
– Relevant
– Timely
• Avoid measuring something simply because it can be measured.
Metrics at Strategic Level
• Key goal indicators (KGIs) and key performance indicators (KPIs) can be useful for process or
service goals.
• High-level metrics related to implementing a strategy include:
– Alignment with business goals and objectives
– Management of risk to acceptable levels
– Effective management of resources
– Performance and value delivery

• The requirement of a good strategic level metric is evaluation of a specific control being able to be
tracked to a specific business requirement. Any control that cannot be tracked directly back to a
specific business requirement is suspect and should be analyzed for relevancy and possible
elimination.
• Indicators of alignment include:
– The extent to which the security program demonstrably enables specific business activities
– Business activities that have not been undertaken or have been delayed because of inadequate
capability to manage risk
– A security organization that is responsive to defined business requirements based on business
owner input
– Organizational and security objectives that are defined and clearly understood by all involved in
security and related assurance activities, measured by awareness testing
– The percentage of security program activities mapped to organizational objectives and validated by
senior management
– A security steering committee consisting of key executives with a charter to ensure ongoing
alignment of security activities and business strategy
Risk Management Metrics

• A successful risk management program can be defined as one that efficiently, effectively and
consistently meets expectations and attains defined objectives in maintaining risk at levels acceptable
to management.
• Indicators of appropriate risk management include:
– Defined risk appetite and tolerance


– Process for management of adverse impacts
– Trends in periodic risk assessment and impacts
– Completeness of asset inventory
– Ratio of security incidents from known to unknown security risks
Value Delivery Metrics
• Value delivery occurs when security investments are optimized in support of organizational
objectives.
• KGIs and KPIs include:
– The cost of security being proportional to the value of assets
– Security resources that are allocated by degree of assessed risk and potential impact
– Protection costs that are aggregated as a function of revenues or asset valuation
– An adequate and appropriate number of controls to achieve acceptable risk and impact levels
– Policies in place that require all controls to be periodically reevaluated for cost, compliance and
effectiveness
– The use and effectiveness of controls
Resource Management Metrics

• Indicators of effective resource management include:


– Infrequent problem solution rediscovery
– Effective knowledge capture and dissemination
– Clearly defined roles and responsibilities


– The percentage of information assets and related threats adequately addressed by security
activities
– The proper organizational location, level of authority and number of personnel for the information
security function
– Resource utilization levels
– Staff productivity
– Per-seat cost of security services
Performance Measurement
• Measuring, monitoring and reporting on information security processes is required to ensure that
organizational objectives are achieved
• Indicators of effective performance measurement include:
– The time required to detect and report security events
– The number and frequency of unreported incidents


– Benchmarking comparable organizations for costs and effectiveness
– Knowledge of evolving and impending threats
– Methods of tracking evolving risk
– Consistency of log review practices
– Results of BCP/DR tests
– Extent to which key controls are monitored
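The indicators above (time to detect and report, unreported incidents) and the risk management indicator "ratio of security incidents from known to unknown security risks" are only useful if someone actually computes them from incident records. The following Python is an added example, not part of the slide deck or any ISACA material; the `Incident` record layout and the four sample incidents are constructed for illustration. It shows why the median time to detect should be reported alongside the mean: a single slow-detected incident dominates the mean.

```python
"""Compute governance KPIs from constructed incident records (added example)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import List, Optional


@dataclass
class Incident:
    incident_id: str
    occurred: datetime            # when the event actually began (from the forensic timeline)
    detected: datetime            # when a control or analyst first flagged it
    reported: Optional[datetime]  # when it was formally reported to management; None = never
    known_risk: bool              # True if it maps to a risk already in the risk register


# Constructed sample data; hypothetical values, not from the page.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 9, 30),
             datetime(2024, 1, 10, 12, 0), known_risk=True),
    Incident("INC-002", datetime(2024, 1, 12, 22, 0), datetime(2024, 1, 13, 7, 0),
             datetime(2024, 1, 13, 8, 0), known_risk=True),
    # Detected three days late and never reported to management.
    Incident("INC-003", datetime(2024, 1, 15, 3, 0), datetime(2024, 1, 18, 3, 0),
             None, known_risk=False),
    Incident("INC-004", datetime(2024, 1, 20, 14, 0), datetime(2024, 1, 20, 14, 30),
             datetime(2024, 1, 20, 15, 0), known_risk=False),
]


def _hours(delta) -> float:
    return delta.total_seconds() / 3600.0


def time_to_detect_hours(incidents: List[Incident]) -> List[float]:
    """Occurrence-to-detection delay for every incident, in hours."""
    return [_hours(i.detected - i.occurred) for i in incidents]


def mean_time_to_detect(incidents: List[Incident]) -> float:
    return mean(time_to_detect_hours(incidents))


def median_time_to_detect(incidents: List[Incident]) -> float:
    # The median resists the skew a single long-undetected incident puts on the mean.
    return median(time_to_detect_hours(incidents))


def mean_time_to_report(incidents: List[Incident]) -> Optional[float]:
    """Detection-to-report delay, over reported incidents only; None if none were reported."""
    reported = [i for i in incidents if i.reported is not None]
    if not reported:
        return None
    return mean(_hours(i.reported - i.detected) for i in reported)


def unreported_count(incidents: List[Incident]) -> int:
    """Performance indicator: number of incidents never reported to management."""
    return sum(1 for i in incidents if i.reported is None)


def known_to_unknown_ratio(incidents: List[Incident]) -> float:
    """Risk management indicator: incidents from risks in the register vs. unregistered ones.

    A ratio well below 1 means most incidents arise from risks the assessment never captured.
    """
    known = sum(1 for i in incidents if i.known_risk)
    unknown = len(incidents) - known
    if unknown == 0:
        return float("inf")  # every incident was anticipated by the risk register
    return known / unknown


def kpi_report(incidents: List[Incident]) -> dict:
    """Bundle the indicators into the form a steering committee would review."""
    return {
        "mean_time_to_detect_h": round(mean_time_to_detect(incidents), 2),
        "median_time_to_detect_h": round(median_time_to_detect(incidents), 2),
        "mean_time_to_report_h": mean_time_to_report(incidents),
        "unreported_incidents": unreported_count(incidents),
        "known_to_unknown_ratio": known_to_unknown_ratio(incidents),
    }


if __name__ == "__main__":
    for name, value in kpi_report(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
```

On the sample data the mean time to detect is 20.75 hours while the median is 5.25 hours; reporting only the mean would hide that three of the four incidents were caught within a working day. The known-to-unknown ratio of 1.0 flags that half the incidents came from risks absent from the register, which is the signal the risk assessment process should act on.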
Assurance Process Integration
• Organizations should consider an approach to information security governance that includes an effort
to integrate assurance functions.
• KGIs include:
– No gaps in information asset protection
– The elimination of unnecessary security overlaps
– The seamless integration of assurance activities
– Well-defined roles and responsibilities
– Assurance providers understanding the relationship to other assurance functions
– All assurance functions being identified and considered in the strategy
– Effective communication and cooperation between assurance functions
Information Security Strategy
• The objective of the security strategy is the desired state defined by business and security
attributes.
• The strategy provides the basis for an action plan composed of one or more security programs
that, as implemented, achieve the security objectives.
• The action plan(s) must be formulated based on available resources and constraints, including
consideration of relevant legal and regulatory requirements.
• The strategy and action plans must contain provisions for monitoring as well as defined metrics
to determine the level of success.
• This provides feedback to the CISO and steering committee to allow for midcourse correction
and ensure that security initiatives are on track to meet defined objectives.
Practice Questions
• "Sensitive data must be protected to prevent loss, theft, unauthorized access and/or unauthorized
disclosure" is a statement that would MOST likely be found in a:
• A. guideline.
• B. policy.
• C. procedure.
• D. standard.
Practice Questions
• The PRIMARY objective for information security program development should be:
• A. creating an information security strategy.
• B. establishing incident response procedures.
• C. implementing cost-effective security solutions.
• D. reducing the impact of the risk in the business.
Developing Information Security Strategy
• The process of developing an effective information security strategy requires a thorough
understanding and consideration of a number of elements.
• In addition, it is also important for the information security manager to be aware of the common
failures of strategic plans to avoid the pitfalls and achieve the desired outcomes.
• Pitfalls in strategy development:
– Overconfidence/Optimism
– Anchoring
– Status quo bias
– Mental accounting
– Herding instinct
– False consensus
– Confirmation bias
– Groupthink
Pitfalls in Strategy Development
• Confirmation bias—Seeking opinions and facts that support one’s own beliefs
• Selective recall—Remembering only facts and experiences that reinforce current assumptions
• Biased assimilation—Accepting only facts that support an individual’s current position or perspective
• Biased evaluation—Easy acceptance of evidence that supports one’s own hypotheses, while
contradictory evidence is challenged and, almost invariably, rejected. Critics are often charged with
hostile motives or their competence is impugned.
• Groupthink—Pressure for agreement in team-based cultures
Information Security Strategy Objectives
• The objectives of developing an information security strategy must be defined and metrics developed
to determine if those objectives are being achieved. Typically, the six defined outcomes of security
governance will provide high-level guidance. The six outcomes are:
– Strategic alignment
– Effective risk management
– Value delivery
– Resource optimization
– Performance measurement
– Assurance process integration
Start With the Goals
• What is the goal?
– Typically to assure the reliability of information-related business processes
• Often unaware of what information exists within the enterprise, criticality, etc.
– Impact cost-effectiveness
• Goals help set objectives, which drive strategy
– Should tie to enterprise goals
Asset Classification
• Classification provides the basis for applying protective measures in proportion to the business value, resulting in
more cost-effective controls
• Initial classification can be time consuming
– For large organizations, this can amount to terabytes of useless data and literally thousands of outdated and
unused applications accumulated over decades.
– Does not get easier over time
– Management may be reluctant to allocate resources for this, viewing it as a non-value-added activity
• Best approach is to start as soon as possible
– Classify new assets when they are created
– Monitor for changes over time
– Classification should be proportional to the value of the assets so cost-effective controls can be applied
– Failure to classify results in wasteful protection of non-critical or non-sensitive information
Valuation of Data
• Information security has traditionally focused on IT systems.
• Business process owners regard IT systems as tools, while data produced has value
• Integration with corporate governance becomes easier with a data focus
• Criticality of data can be derived from criticality of processes that use that data.
• Sensitivity can be derived by determining consequences of data leakage.
– Sensitivity of data may be subjective.
– Certain types of data may be considered sensitive by law or regulation.
– Valuation of data may be qualitative or quantitative.
– Business dependency analysis can be used as an indication of value
Current vs. Desired State
• Desired State
– Ideal information security environment
– Frameworks/standards helpful to identify outcomes
– Defined desired state makes it easier to identify path from current state
– Risk objectives such as risk appetite and risk tolerance and the organization’s risk culture
• Current State
– What is actually occurring
– Helps to identify where the environment falls short of the desired state
– Business Impact Analysis can be used as a tool to determine the current state
Building the Strategy
• Strategy provides a road map to move from the current state to the desired state
• Path could be long depending on distance between current and desired state
• Should identify:
– Available resources
– Available methods
– Constraints
Resources
• Policies
• Standards
• Procedures
• Guidelines
• Architecture(s)
• Controls—physical, technical, procedural
• Countermeasures
• Layered defenses
• Technologies
• Personnel security
• Organizational structure
• Roles and responsibilities
• Skills
• Training
• Awareness and Education
• Audits
• Compliance enforcement
• Threat assessment
• Vulnerability assessment
• BIA
• Risk analysis
• Resource dependency analysis
• Third-party service providers
• Other organizational support and assurance providers
• Facilities
• Environmental security
Strategy Constraints
• Legal
• Physical
• Ethics
• Culture
• Costs
• Personnel
• Organizational structure
• Resources
• Capabilities
• Time
• Risk appetite
Legal and Regulatory Requirements
• Information security linked to privacy, IP and law
• Security strategies for different regions may be required
• Retention requirements
• E-discovery
• Treat as any other risk
Physical Constraints
• Include capacity, space, environmental hazards, etc.
• Safety of personnel should also be considered
• Often ignored and can lead to interruptions or breaches
• Disaster recovery should be considered
Ethics and Culture
• Ethics
– Perception of the enterprise’s behavior
– Influenced by location and culture
• Culture
– Internal culture
– Local culture
Costs
• Justify spending based on a project’s value.
• Cost-benefit/financial analysis most widely accepted
• ALE
• ROI
Personnel and Organization Structure
• Personnel
– Resistance to changes can impact the success of strategy implementation
• Organizational structure
– Impacts how a governance strategy can be implemented
– Cooperation is needed
– Senior management buy-in helps to ensure cooperation
Resources, Capabilities and Time
• Resources
– Consider available budgets, TCO and personnel requirements
• Capabilities
– Expertise and skills
• Time
– Deadlines/Windows of opportunity
Risk Appetite
• Risk acceptance and risk tolerance play a major role
• Difficult to measure
• RTOs/RPOs
Ongoing Assessment
• The information security strategy needs to be dynamic.
• Update assessments regularly.
Strategic Resources
• Policies — Governance tools — “Constitution”
• Standards — Management tools — “Laws”
• Controls — Part of security architecture — “Enforcement”


Practice question
• It is essential for the board of directors to be involved with information security activities primarily because of
concerns regarding:
• A. technology.
• B. liability.
• C. compliance.
• D. strategy.
Practice question
• The FIRST step to create an internal culture that embraces information security is to:
• A. implement stronger controls.
• B. conduct periodic awareness training.
• C. actively monitor operations.
• D. gain endorsement from executive management.
Policies
• Directly traceable to strategy elements
• Broad enough to not require regular revision, but should be periodically reviewed
• Approved at the highest level
• Pave the way for effective implementation
• Attributes of good policies:
– Should capture the intent, expectations and direction of management
– Should state only one general security mandate
– Must be clear and easily understood
– Includes just enough context to be useful
– Rarely number more than two dozen in total
Setting Standards
• Provide measurement for compliance
• Govern procedure and guideline creation
• Set security baselines
• Reflect acceptable risk and control objectives
• Act as criteria for evaluating acceptable risk
• Are unambiguous, consistent and precise
• Are disseminated to those governed by them and those impacted
• Third-party standards are typically prescriptive to allow for certification.
– If used as a reference, your organization may have some flexibility when using the standard.
• Exception processes must be developed
Procedures
• A non-IT control that directs precisely how something is to be done
• Responsibility of operations staff
– Use unambiguous language
– Include all necessary steps
• Ensure an organization can continue operations even if regular staff are unavailable
Guidelines
• Contain information that will be helpful in executing procedures
• Enable use of individual judgment
• Can be helpful when an outcome needs to be achieved, but the how does not matter
Framework and Architecture
• Frameworks are closely associated with enterprise architecture
– Goals = conceptual architecture
– Framework = logical architecture
• Physical architecture implements the logical architecture through policies, standards and controls
Strategy and Framework
• A framework is a scaffold of interlinked items
• Strategy is the starting point of the framework
• Ensures that information security is focused on the right goals
Third-party resources
• Variety of resources available to use as a basis
– COBIT, CMMI, ISO, etc.
• Frameworks define relationships
• May derive benefit from certified compliance with third-party standards (e.g., ISO)
Building Consistency
• Integration ensures consistency.
• When adding information security to an existing governance structure, it is not necessary to use
a different framework.
• If no general framework is used, find a framework that is comprehensive and can be used across
the organization
Controls
• Influence the behaviors of people, processes and technology in order to manage risk to acceptable
levels
• Keep in mind:
– Controls are not always as effective as intended
– Controls may not address all outcomes
– Changes in technology may render controls obsolete
IT Controls
• Constitute the majority of controls in an organization
• Control objective: “A statement of the desired result or purpose to be achieved by implementing
control procedures in a particular IT activity.”
Non-IT Controls
• Information security extends beyond IT
• Include:
– Secure marking, handling and storage
– Efforts to prevent social engineering
• Can help to mitigate risk posed by individual judgment calls
Countermeasures
• Designed to reduce a single vulnerability or a threat
• Can be passive or active
• Should be considered from a strategic perspective
• Controls tailored to specific threats may be more cost effective
Layered Defense
• Deploying controls in layers is good practice
– Defense in depth
• Uses:
– To provide additional protection in the event of a control failure
– Because a single control is known to be inadequate
Layered Defense
Practice Question
• It is MOST important that information security architecture be aligned with which of the following?
• A. Industry good practices
• B. Business goals and objectives
• C. Information technology plans
• D. International information security frameworks
Practice Question
• Which of the following is the PRIMARY reason to change policies during program development?
• A. The policies must comply with new regulatory and legal mandates.
• B. Appropriate security baselines are no longer set in the policies.
• C. The policies no longer reflect management intent and direction.
• D. Employees consistently ignore the policies.
Personnel
• Trustworthiness and dependability of personnel
• Background checks
• Development of appropriate email policy and investigation & background verification policy
• Policies must be reviewed by HR and Legal for adequacy and Management for culture and approach.
Organization Structure
• A flexible and evolving structure is good for implementing the infosec strategy.
• The infosec department should report free of conflict of interest. The CISO reporting to the CEO or COO
would be appropriate.
• The centralized or decentralized nature of security also plays a role.
• A centralized approach needs consideration of local requirements in the case of multinational diversity.
Local laws may not allow storage of data outside their boundaries. Policies must be tailored to local needs.
• A decentralized approach has the advantage of security being closer to the users, as they understand local
issues better.
• A disadvantage of the decentralized approach may be that the quality of the security service may vary and
standardization might be difficult due to the training levels available locally.
• Whatever the structure may be, the responsibilities and objectives remain the same, as they must:
– Be closely aligned with the business objectives
– Be sponsored and approved by senior management
– Have monitoring in place
– Have reporting and crisis management in place
– Have organizational continuance procedures
– Have risk management in place
– Have appropriate security awareness and training programs
Other requirements…
• Employee roles and responsibilities:
– Security requirements must be integrated into the job descriptions / roles and responsibilities
of the employees.
– This ensures better chances of strategy success.
• Employee Skills:
– A strategy must be chosen that utilizes the existing skills within an organization for better
chances of success.
– Proficiency testing may be useful to determine if the requisite skills are available or can be
achieved through training.
Awareness and Education
• Security is often weakest at the end-user level.
• People need to be aware of security policies and standards in order to be compliant.
• Training and awareness go beyond publishing a policy
– Type should be appropriate to logistics, culture, etc.
– Relevant to the audience
Auditing and Compliance
• Audits can be useful as a means of identifying shortfalls.
• Senior managers tend to believe audit reports.
• Audit reports indicate what has already happened.
– Useful for insight
– Cannot be used as the only means of identifying problems
Threat and Vulnerability Assessment
• Threat assessment helps in understanding viable threats.
• Developing a threat profile helps to develop an infosec policy tailored to assessed threats.
• Vulnerability assessments should go beyond traditional technical scans.
• They must consider gaps in processes, procedures, policies, technologies, facilities, SLAs, and
legal and regulatory exposures.
• Vulnerability assessments must be done holistically at an entity level, covering all types of
exposures.
Risk Assessment and Management
• Conducting a threat and vulnerability assessment alone is not sufficient to have a
comprehensive infosec strategy.
• A proper risk management and risk assessment exercise must be carried out to identify, assess,
treat, monitor and report risk.
Outsourcing service providers
• From an information security point of view, outsourcing arrangements can present risk that may be
difficult to quantify and potentially difficult to mitigate.
• Providers may operate on different standards and can be difficult to control.
• The security strategy should consider outsourced security services carefully to ensure that they either
are not a critical single point of failure or there is a viable backup plan in the event of service provider
failure.
• Risk posed by outsourcing can also materialize as the result of mergers and acquisitions.
• Typically, significant differences in culture, systems, technology and operations between the parties
present a host of security challenges that must be identified and addressed.
Practice Question
• Which of the following is characteristic of decentralized information security management across a
geographically dispersed organization?
• A. More uniformity in quality of service
• B. Better adherence to policies
• C. Better alignment to business unit needs
• D. More savings in total operating costs
Practice Question
• The MOST important characteristic of good security policies is that they:
• A. state expectations of IT management.
• B. state only one general security mandate.
• C. are aligned with organizational goals.
• D. govern the creation of procedures and guidelines.
Practice Question
• Which of the following is MOST likely to be discretionary?
• A. Policies
• B. Procedures
• C. Guidelines
• D. Standards
Practice Question
• Which of the following are seldom changed in response to technological changes?
• A. Standards
• B. Procedures
• C. Policies
• D. Guidelines
Practice Question
• The enactment of policies and procedures for preventing hacker intrusions is an example of an activity
that belongs to:
• A. risk management.
• B. compliance.
• C. IT management.
• D. governance.
Practice Question
• Information security should:
• A. focus on eliminating all risks.
• B. balance technical and business requirements.
• C. be driven by regulatory requirements.
• D. be defined by the board of directors.
Practice Question
• An information security strategy presented to senior management for approval MUST incorporate:
• A. specific technologies.
• B. compliance mechanisms.
• C. business priorities.
• D. detailed procedures.
Practice Question
• In implementing information security governance, the information security manager is PRIMARILY
responsible for:
• A. developing the security strategy.
• B. reviewing the security strategy.
• C. communicating the security strategy.
• D. approving the security strategy.
Practice Question
• Which of the following is the MOST important information to include in a strategic plan for information
security?
• A. Information security staffing requirements
• B. Current state and desired future state
• C. IT capital investment requirements
• D. Information security mission statement
Practice Question
• Which of the following steps should be FIRST in developing an information security plan?
• A. Perform a technical vulnerabilities assessment.
• B. Analyze the current business strategy.
• C. Perform a business impact analysis.
• D. Assess the current levels of security awareness.
Practice Question
• Who is ultimately responsible for the organization's information?
• A. Data custodian
• B. Chief information security officer
• C. Board of directors
• D. Chief information officer
Practice Question
• Information security frameworks can be MOST useful for the information security manager because
they:
• A. provide detailed processes and methods.
• B. are designed to achieve specific outcomes.
• C. provide structure and guidance.
• D. provide policy and procedure.