Certified Information Security Manager Exam Prep Guide - Second Edition

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Edition: 2nd Edition
Author: Hemang Doshi
Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.

Information Security Strategy

Accessing the Online Content

With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards, exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

In this chapter, you will explore the practical aspects of an information security strategy and understand how a well-defined strategy impacts the success of security projects. You will learn about the different aspects of what a security strategy is and understand...

Information Security Strategy and Plan

An information security strategy is a set of actions designed to ensure that an organization achieves its security objectives. This strategy includes what should be done, how it should be done, and when it should be done to achieve the security objectives.

A strategy is essentially a roadmap of the specific actions that must be completed to achieve an objective. Long-term and short-term plans are finalized based on the strategy adopted.

The primary objective of any security strategy is to support the business objectives, and the information security strategy should be aligned with the business objectives. The first step for an information security manager in creating a plan is to understand and evaluate the business strategy. This is essential to align the information security plan with the business strategy.

A strategy plan should include the desired level of information security. A strategy is only considered effective if the objectives...

Information Governance Frameworks and Standards

The governance framework is a structure or outline that supports the implementation of the information security strategy. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are two widely accepted and implemented frameworks for security governance.

The Objective of Information Security Governance

Information security governance is a subset of enterprise governance. The same framework should be used for both enterprise governance and security governance to enable better integration of one with the other.

The following are the objectives of security governance:

  • To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives.
  • To optimize security investments and ensure the high-value execution of business processes...

The IT Balanced Scorecard

Figure 2.3: IT balanced scorecard

The objective of an IT balanced scorecard (IT BSC) is to establish, monitor, and evaluate IT performance in terms of (i) business contribution, (ii) future orientation, (iii) operational excellence, and (iv) user orientation.

CISM aspirants should understand the following aspects of a balanced scorecard:

  • The primary objective of an IT balanced scorecard is to optimize performance.
  • The three indicators of an IT balanced scorecard are (a) customer satisfaction, (b) internal processes, and (c) the ability to innovate.

    Note

    Though financial performance is an indicator of a generic balanced scorecard, it is not part of an IT BSC.

  • An IT BSC is the most effective means to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment. The success of an IT balanced scorecard depends upon the involvement of senior management in...

Information Security Programs

A program can be defined as a set of activities implemented in a structured manner to achieve a common objective. A security program includes various activities, such as implementing controls, raising awareness, monitoring, and reporting on controls and other related activities.

A security strategy is the guiding force for the implementation of a security program. The roadmap detailing the security implementation, i.e., procedures, resources, and timelines, is developed based on this strategy. Further, the various implementation activities can be aligned and integrated on the basis of this strategy so that security objectives are achieved more effectively and efficiently.

An information security program should be aligned with the business objectives of the organization. The effectiveness of an information security program is determined based on its ability to address the risks impacting the business objectives.

Key Aspects from the CISM Exam Perspective

Following...

Enterprise Information Security Architecture

Figure 2.5: Security budget

Enterprise Architecture (EA) defines and documents the structure and process flow of the operations of an organization. It describes how different elements such as processes, systems, data, employees, and other infrastructure are integrated to achieve the organization's current and future objectives.

Security architecture is a subset of enterprise architecture. Its objective is to improve the security posture of the organization. Security architecture clearly defines the processes that a business performs and how those processes are executed and secured.

The first step for a security manager implementing the security strategy is to understand and evaluate the IT architecture and portfolio. Once they have a fair idea of the IT architecture, they can determine the security strategy.

Challenges in Designing the Security Architecture

While designing the security architecture...

Awareness and Education

Figure 2.7: Training for information security

End users are one of the most important stakeholders when considering the overall security strategy. Training, education, and awareness are of extreme importance to ensure that policies, standards, and procedures are appropriately followed.

Increasing the Effectiveness of Security Training

The most effective way to increase the effectiveness of training is to customize it as per the target audience and to address the systems and procedures applicable to that particular group. For example, a system developer needs to undergo an enhanced level of training that covers secure coding aspects. By contrast, data entry operators only need to be trained on security aspects related to their functions.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

...

Governance, Risk Management, and Compliance

GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance.

Governance, risk management, and compliance are three related aspects that help achieve organizational objectives. GRC aims to lay down operations for more effective organizational processes and avoid wasteful overlaps. Each of these three disciplines impacts the organization's technologies, people, processes, and information. If GRC activities are handled independently of each other, it may result in a considerable amount of duplication and a waste of resources. The integration of these three functions helps to streamline assurance activities by addressing overlapping and duplicated GRC activities.

Though GRC can be applied in any function of an organization, it focuses primarily on financial, IT, and legal areas...

Senior Management Commitment

For the effective implementation of security governance, support and commitment from senior management are the most important prerequisites. A lack of high-level sponsorship will have an adverse impact on the effectiveness of security projects.

It is very important for the information security manager to gain support from senior management. The most effective way is to ensure that the security program continues to be aligned with, and supports, the business objectives. This is critical for promoting management support. Senior management is more concerned about the achievement of business objectives and will be keen to address all risks impacting key business objectives.

Obtaining commitment from senior managers is very important to ensure appropriate investment in information security, as you will explore in the next section.

Information Security Investment

Any investment should be able to provide value to the business. The primary driver for investment...

Business Case and Feasibility Study

A business case is a justification for a proposed project. It is prepared to justify the effort and investment in a proposed project and captures the reasoning for initiating a new project or task. Generally, the business case is a precursor to the start of any new project.

The business case is a key element in the decision-making for any project. The proposed return on investment (ROI), along with any other expected benefits, is the most important consideration for decision-making in any new project.

The first step in developing a business case is to define the problem, the need to address it, and the justification for doing so.

A feasibility study is an analysis that takes various factors into account, including economic, technical, and legal factors, to ascertain the likelihood of completing the project successfully.

A feasibility study should consider how the project will impact the organization in terms of risk, costs, and benefits. It helps...

Summary

In this chapter, you learned about the various aspects of security strategy, governance frameworks, and information security programs. You also explored in detail the benefits of increasing the effectiveness of security training. This helps the CISM aspirant understand the organization's security program and architecture.

In the next chapter, you will go through the important aspects of information risk assessment.

Revision Questions

  1. The most important consideration while developing an information security strategy is:
    1. The availability of information security resources
    2. Adherence to laws and regulations
    3. Effectiveness in mitigating risk
    4. Budget allocation for information security
  2. The objectives of information security can be best described as:
    1. The requirements of the desired state
    2. The attributes of the current state
    3. The key business processes
    4. The control objectives for loss expectations
  3. The most important factor when developing risk management strategies is:
    1. Using an industry-adopted risk assessment framework
    2. Aligning with business objectives and risk appetite
    3. Technology architecture
    4. The geographical spread of business units
  4. "Systems thinking," in terms of information security, refers to:
    1. The perspective of artificial intelligence
    2. The perspective of the whole being greater than the sum of its individual parts
    3. The perspective of supporting the business objective
    4. The perspective of governance...