You're reading from Certified Information Security Manager Exam Prep Guide - Second Edition

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Edition: 2nd Edition

Author: Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.

Information Security Program Management

In this chapter, you will learn about the practical aspects of information security program management and the methods, tools, and techniques used for the management of an information security program. This chapter will help CISM aspirants understand different types of cloud computing services and study different types of controls.

The following topics will be covered in this chapter:

  • Information Security Control Design and Selection
  • Security Baseline Controls
  • Information Security Awareness and Training
  • Management of External Services and Relationships
  • Documentation
  • Information Security Program Objectives
  • Security Budget
  • Security Program Management and Administrative Activities
  • Privacy Laws
  • Cloud Computing

Information Security Control Design and Selection

Control is one of the most important elements of an information security program. A major part of security management is the development, implementation, testing, and monitoring of controls. The objective of implementing a control is to address risks by preventing, detecting, or correcting them. An effective control provides reasonable assurance that the business objectives are achieved.

Figure 6.1: Information security control design and selection

Countermeasures

Countermeasures are a type of control implemented to address specific threats. They can be either technical or non-technical. While the objective of general controls is to protect information assets from all threats, countermeasures are put in place in response to specific threats. Countermeasures are generally expensive and are implemented only when existing general controls cannot mitigate specific threats. The following are some common examples...

Security Baseline Controls

The term "baseline" refers to basic requirements. A security baseline refers to an organization's minimum basic requirements for security. The objective of implementing a security baseline throughout an organization is to ensure that controls are consistently implemented as per the acceptable risk levels. The baseline is set as per asset classification. For example, for critical applications, it is mandatory to have at least two-factor authentication, whereas for non-critical applications, it is mandatory to have at least one-factor authentication.

The following are the benefits of having a security baseline:

  • It helps to standardize the basic security requirements throughout the organization.
  • A baseline provides a point of reference against which improvements can be measured.
  • It helps to establish a uniform process of system hardening for similar types of systems.
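One way to apply a baseline keyed by asset classification, as an added example that is not from the book: the baseline values, the asset fields and the inventory below are constructed for illustration, and the check reports per-asset gaps plus a compliance ratio that can serve as the point of reference described above.

```python
from dataclasses import dataclass, field

# Constructed baseline (not from the book): the chapter's rule that critical
# applications need two authentication factors and non-critical ones need one,
# plus a minimum hardening set per classification.
BASELINE = {
    "critical": {"min_auth_factors": 2,
                 "required_hardening": {"patching", "central_logging", "encryption_at_rest"}},
    "non-critical": {"min_auth_factors": 1,
                     "required_hardening": {"patching", "central_logging"}},
}

@dataclass
class Asset:
    """One asset inventory entry: description, owner, classification, controls."""
    name: str
    owner: str
    classification: str
    auth_factors: int
    hardening: set = field(default_factory=set)

def evaluate(asset: Asset) -> list:
    """Return the baseline gaps for one asset; an empty list means compliant."""
    req = BASELINE.get(asset.classification)
    if req is None:
        # No recognised classification means no baseline applies; that is itself a gap.
        return [f"{asset.name}: unclassified, cannot be measured against the baseline"]
    gaps = []
    if asset.auth_factors < req["min_auth_factors"]:
        gaps.append(f"{asset.name}: {asset.auth_factors} auth factor(s), "
                    f"baseline requires {req['min_auth_factors']}")
    for control in sorted(req["required_hardening"] - asset.hardening):
        gaps.append(f"{asset.name}: missing hardening control '{control}'")
    return gaps

def compliance_ratio(inventory: list) -> float:
    """Share of compliant assets: the reference point for measuring improvement."""
    compliant = sum(1 for asset in inventory if not evaluate(asset))
    return compliant / len(inventory) if inventory else 0.0

# Constructed inventory for demonstration.
INVENTORY = [
    Asset("payroll", "finance", "critical", 2, {"patching", "central_logging", "encryption_at_rest"}),
    Asset("intranet-wiki", "it", "non-critical", 1, {"patching", "central_logging"}),
    Asset("crm", "sales", "critical", 1, {"patching"}),
    Asset("legacy-ftp", "it", "unknown", 1, set()),
]
```

Running `evaluate` over each inventory entry lists the gaps for `crm` and flags `legacy-ftp` as unclassified, while `compliance_ratio(INVENTORY)` gives the share of assets that meet the baseline.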

Developing a Security Baseline

A security...

Information Security Awareness and Training

Security awareness training is the most important element of an information security program. In the absence of structured and well-defined security awareness training programs, the security program will not be able to provide the desired results. It is not possible to address the security risks only through technical security measures. It is important to address the behavior of employees through continuous awareness training and education. Compliance with the requirements of the information security policy is best ensured by education and improving the awareness of employees.

Figure 6.5: Human weakness

A security manager should consider the following aspects of security awareness training and education:

  • The most effective way to increase the effectiveness of training is to customize it as per the target audience and address the systems and procedures applicable to that particular group. For example, a system...

Management of External Services and Relationships

Today, outsourcing services to a third-party vendor is a widely accepted practice for two major reasons. One of them is the tremendous cost savings and the other is to allow the organization to benefit from the service of experts in a specific field.

CISM aspirants should be aware of the following terms with respect to outsourcing:

  • Insourced: Activities performed by the organization's own staff
  • Outsourced: Activities performed by the vendor's staff
  • Hybrid: Activities performed jointly by staff from both the organization and the vendor
  • Onsite: Staff working onsite in the IT department
  • Offsite: Staff working from remote locations in the same geographical area
  • Offshore: Staff working from remote locations in different geographical areas

Evaluation Criteria for Outsourcing

CISM aspirants should understand the evaluation criteria for outsourcing any function. Certain functions cannot...

Documentation

Structured documentation regarding risk management policies, standards, registers, and other relevant processes is of utmost importance for the effective management of risk. The need and process for documentation should be defined in the risk management policy, strategy, and program. Generally, the following aspects of risk management processes should be documented:

  • Risk register: A risk register should include details such as the following:
    • The source and nature of known risks
    • Risk owners
    • Risk ranking and severity
    • Risk score
    • Details about existing controls and additional recommendations
  • Asset inventory: An asset inventory should include details such as the following:
    • A description of assets
    • Asset owners
    • Asset classifications
  • Risk mitigation and action plan: It should include details such as the following:
    • The mitigation plan
    • The responsibility for mitigation
    • The timelines for mitigation
  • Results of risk monitoring: This should include the following:
    • The monitoring...

Information Security Program Objectives

The security manager should understand the following objectives of the security program while implementing it:

  • Providing maximum support to business functions
  • Minimizing operational disruptions
  • Implementing the strategy in the most cost-effective manner

After establishing the objectives, key goal indicators (KGIs) to reflect these objectives should be developed. After developing the KGIs, the next step is to determine the current state of security. The current state is compared with the established objectives and any gaps identified are addressed to improve the security processes.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Security Budget

Budgeting plays a significant role in the effective implementation of an information security program. The availability of adequate security personnel and other security resources is dependent on the security budget. An information security manager should be familiar with the budgeting process and methods used by the organization.

Primarily, the security budget is derived from and supported by the information security strategy. Before seeking approval for the budget, the security manager should ensure that senior management has approved the strategy and that there is consensus from the other business units. This is a key element in a successful budget proposal.

Apart from routine expenditure, the budget should also allow for unanticipated costs. Expenditure is generally difficult to predict in the area of incident response. A security manager may need to obtain external services to support the incident response processes, where the organization does...

Security Program Management and Administrative Activities

Information security program management includes activities to direct, monitor, and control procedures related to information security. It includes both short-term and long-term planning for the achievement of the organization's security objectives. A security manager should ensure that the security program supports the requirements of management. In most organizations, a security manager is responsible for executing the security program. An information security steering committee that consists of senior leadership from the relevant functions of the organization is responsible for ensuring that the security objectives are aligned with the business objectives. Senior management represented in the security steering committee is in the best position to support and advocate the information security program. The role of the steering committee, as well as the security manager, is of utmost importance to ensure that security resources...

Privacy Laws

Privacy is the right of an individual to demand that personal information they have shared with any organization or individual is handled with the utmost care. Individuals can demand that their information be used appropriately, legally, and only for the specific purpose for which it was provided.

Figure 6.13: Privacy laws

ISACA describes several privacy principles that can be considered as a framework for privacy audits. The following are some of the privacy principles:

  • Organizations should obtain appropriate consent before the transfer of personal information to another jurisdiction.
  • Organizations should specify the purposes for which personal information is being collected.
  • Organizations are required to retain personal information only as long as necessary.
  • Organizations should have appropriate security safeguards for protecting personal information.
  • Organizations should have an appropriate process for...

Cloud Computing

Cloud computing is the process of utilizing servers hosted on the internet for storing and processing data instead of on a personal computer or a local server. Cloud computing enables users to access computer resources through the internet from any location without worrying about the physical availability of the resources. The following are some characteristics of cloud computing:

  • It provides the capability for organizations to access data or applications from anywhere, anytime, and on almost any device.
  • It provides the capability for organizations to scale their IT resources as per the business requirements at the optimum cost.
  • It provides the capability to monitor, control, and report the usage of resources.

Resources such as storage, processing power, memory, network bandwidth, and virtual machines (VMs) can be used through cloud computing.

Cloud Computing – Deployment Models

The following sections will cover the important details...

Summary

In this chapter, you learned about the practical aspects of information security program management. This chapter will help a CISM candidate understand the important methods, tools, and techniques needed to manage a security program in an effective and efficient manner.

The next chapter will cover information security infrastructure and architecture.

Revision Questions

  1. Ethics training is primarily meant for:
    1. Employees engaged in monitoring activities
    2. Employees engaged in designing training modules
    3. Employees engaged in assessing user access
    4. Employees engaged in managing the risk of the organization
  2. Which of the following is influenced by an effective information security awareness program?
    1. Inherent risk
    2. Residual risk
    3. Acceptable risk
    4. Business objectives
  3. The most effective way to promote a security culture is:
    1. To promote the advantages of a good security culture through influential people
    2. To increase the security budget
    3. To mandate online security training for each employee
    4. To upload the security policy on the organization's intranet
  4. The area of most concern for a security manager when an organization is storing sensitive data with a third-party cloud service provider is:
    1. High cost of maintenance
    2. Unavailability of proper training to end users
    3. Unavailability of services due to network failure
    4. The possibility of disclosure...