Governance is an important aspect of the Certified Information Security Manager (CISM) exam. In simple terms, governance is the set of policies, procedures, and standards used to direct, monitor, and control an activity. Enterprise governance refers to the policies, procedures, and standards put in place to monitor and control an entire organization. Information security governance is a subset of overall enterprise governance, and its objective is to monitor and control the activities related to information security.
In this chapter, you will gain an overview of information security governance and understand the impact of good governance on the effectiveness of information security projects.
You will learn about how organizational structure and culture impact information security governance and details about the various roles and responsibilities of the security function. You will also be introduced to the best practices for implementing information security governance.
This chapter will cover the following topics:
In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented in the form of policies, standards, and procedures. The information security governance model is primarily impacted by the complexity of an organization's structure. An organization's structure includes its objectives, vision, mission and strategy, different function units, different product lines, hierarchy, and leadership structure. A review of organizational structure helps the security manager to understand the roles and responsibilities of information security governance, as discussed in the next section.
Information is one of the most important assets for any organization and its governance is mandated by various laws and regulations. For these reasons, information security governance is of critical importance.
A well-structured information security governance model aims to achieve the following outcomes:
The responsibility for information security governance resides primarily with the board of directors, senior management, and the steering committee. They are required to make security an integral part of enterprise governance by monitoring its key aspects, because information security governance is a subset of that enterprise governance.
Senior management is responsible for ensuring that security aspects are integrated with business processes. The involvement of senior management and the steering committee in discussions and the approval of security projects indicates that the management is committed to aspects relating to security.
Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight of the organization's security environment.
Governance is effective if it is established in a structured manner. A CISM aspirant should understand the following steps for establishing security governance:
These specific actions are implemented by way of security policies, standards, and procedures.
A governance framework is a structure or outline that supports the implementation of information security strategies. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are both examples of widely accepted and implemented frameworks for security governance.
As information security governance is a subset of the overall enterprise governance of an organization, the same framework should be used for both enterprise governance and information security governance. This ensures better integration between the two.
There are two possible approaches to governance: top-down and bottom-up.
In a top-down approach, policies, procedures, and goals are reviewed and approved by senior management, hence policies and procedures are directly aligned with business objectives.
A bottom-up approach may not directly address management priorities. In a bottom-up approach, operational level risks are given more importance.
The following are some key aspects from the exam perspective:
Question | Possible Answer
Which approach (that is, top-down or bottom-up) is more effective for governance? | A top-down approach. In a top-down approach, policies, procedures, and goals are set and approved by senior management, so they are directly aligned with business objectives. A bottom-up approach may not directly address management priorities.
What are the most important aspects of an information security strategy from a senior management perspective? | Business priorities, objectives, and goals.
What is a governance framework? | A governance framework is a structure that provides the outline to support processes and methods.
Throughout this book, and within the CISM certification exam itself, more than one of the answers may address the problem posed by the question. For that reason, it is very important to carefully read the question and ensure you pick the answer that represents the most important element of the solution.
Please also note, as ISACA recommends only those with "technical expertise and experience in IS/IT security and control" seek CISM certification, that this book assumes some prior experience in the field. With that in mind, you will face some questions intended to test your expected pre-existing knowledge. Do not worry if you do not get these questions right the first time; full explanations are given after every question to help you fill any gaps in your understanding.
Note
You can find the answer key and explanations for all practice and revision questions for this chapter under the section Chapter 1: Enterprise Governance of the solution set titled Answers to Practice Questions located at the end of the book.
The culture of an organization and its service provider is the most important factor that determines the implementation of an information security program. An organization's culture influences its risk appetite, that is, its willingness to take risks. This will have a significant influence on the design and implementation of the information security program. A culture that favors taking risks will have a different implementation approach compared to a culture that is risk averse.
Different cultures have different perspectives on what information is considered sensitive and how it should be handled, and these cultural practices may not be consistent with an organization's requirements. For some organizations, financial data is more important than privacy data. It is therefore important to determine whether the culture of a service provider is aligned with the culture of the organization. Cultural differences and their impact on data security are generally not considered during security reviews, so the security manager should make a point of including them.
An acceptable usage policy (AUP) generally includes rules for access controls, information classification, incident reporting requirements, confidentiality requirements, email, and internet usage requirements. All participants must understand which behaviors and acts are acceptable and which are not. This maintains a risk-aware culture.
A well-defined and documented AUP helps spread awareness about the dos and don'ts of information security.
It is essential that the AUP is conveyed to all users, and acknowledgment should be obtained from the users that they have read and understood the AUP. For new users, an AUP should be part of their induction training.
The information security manager should also consider implementing periodic training on ethics. Ethical training includes emphasizing moral principles that govern a person's behavior or the conduct of an activity. It includes guidance on what the company considers legal and appropriate behavior.
Training on ethics is of utmost importance for employees engaged in sensitive activities, such as monitoring user activities or accessing sensitive personal data.
Some examples of unethical behavior include improper influence on other employees or service providers, use of corporate information or assets for private benefit, accepting gifts or bribes, and multiple employments.
Acknowledgment should be obtained from employees on understanding ethical behavior and the code of conduct and this should be retained as part of the employment records.
An information security manager should be cautious about adherence to laws and regulations. Laws and regulations should be addressed to the extent that they impact the organization.
Processes should be in place to scan all new regulations and determine their applicability to the organization.
The information security manager is required to determine the processes and activities that may be impacted and whether existing controls are adequate to address any new regulations. If not, further controls should be implemented to address the new regulations.
Departments affected by any new regulations are in the best position to determine the impact of new regulatory requirements on their processes, as well as the best ways to address them.
The following are some key aspects from the exam perspective:
Question | Possible Answer
Who should determine the control processes for any new regulatory requirements? | The affected department, as it is in the best position to determine the impact of new regulatory requirements on its processes and the best way to address them.
What is the first step of an information security manager who notices a new regulation impacting one of the organization's processes? | To determine the processes and activities that may be impacted, and then to assess whether existing controls meet the regulation.
What is the major focus of privacy law? | To protect identifiable personal data.
Which factors have the greatest impact on the security strategy? | Organizational goals and objectives.
The information security manager should ensure that an adequate record retention policy is in place and that this is followed throughout the organization. A record retention policy will specify what types of data and documents are required to be preserved, and what must be destroyed. It also specifies the number of years for which that data is required to be preserved.
Record retention should primarily be based on the following two factors:
Business requirements
Legal and regulatory requirements
The longer of the two periods applies. If a record is required to be maintained for three years as per the business requirements, and for two years from a legal perspective, then it should be maintained for three years; a retention period can never be shorter than the legal minimum.
Organizations generally design their record retention policy in line with the relevant laws and regulations.
Electronic discovery (e-discovery) is the process of the identification, collection, and submission of electronic records in a lawsuit or investigation. The best way to ensure the availability of electronic records is to implement comprehensive retention policies. A retention policy dictates the terms for storing, backing up, and accessing the records.
The following are some key aspects from the exam perspective:
Question | Possible Answer
What is e-discovery? | E-discovery is the process of identifying, collecting, and submitting electronic records in a lawsuit or investigation.
What are the factors on which record retention is based? | Business requirements and legal requirements. If both options are available, preference should be given to business requirements, as it is generally assumed that business requirements already include consideration of legal requirements.
The development of a security strategy is highly influenced by the organizational structure. Organizational structure pertains to the roles and responsibilities of different individuals, the reporting hierarchy, whether the organization functions in a centralized or decentralized way, and so on. A flexible and evolving organizational structure is more open to the adoption of a security strategy, whereas an organization with a more constrained structure might not adopt a security strategy.
The independence of the security function is the most important factor to be considered, from a practical as well as the exam perspective, while evaluating organizational functions. This can be assessed through the reporting structure of the security function.
The ultimate responsibility for the appropriate protection of an organization's information falls on the board of directors. The involvement of board members in information security initiatives can be an indicator of good governance. In the event of an incident, the company directors can be protected from liability if the board has exercised due diligence. Many laws and regulations make the board responsible in the event of data breaches. Even cyber security insurance policies require the board to exercise due diligence as a prerequisite for insurance coverage.
The security steering committee is generally composed of senior management from different business units. The security steering committee is best placed to determine the level of acceptable risk (risk appetite) for the organization. It monitors and controls the security strategy and ensures that the security policy is aligned with the business objectives.
In the past, security functions in most organizations reported to the chief information officer (CIO). However, it has since been observed that CIOs are primarily concerned with IT performance and cost, with security as a secondary objective. During a conflict between performance and security, security is sometimes ignored.
However, with increased awareness and more experience, the responsibility for security is now entrusted to senior-level functionaries directly reporting to the chief operating officer (COO), chief executive officer (CEO), or board of directors. This ensures the independence of security functions.
Organizations' security functions can work in either a centralized or decentralized way.
In a centralized process, information security activities are handled from a central location, usually the head office of the organization. In a decentralized process, the implementation and monitoring of security activities are delegated to the local offices of the organization.
The following table shows the differences between centralized and decentralized processes:
Centralized Process | Decentralized Process
More consistency in security processes | Less consistency
Optimum utilization of information security resources | Greater resource requirements
Less alignment with the requirements of decentralized units | Better alignment with decentralized unit requirements
Slower processing of requests, due to the larger gap between the information security department and the end user | Faster turnaround of requests compared to centralized processes
Centralization of information security management results in greater uniformity and easier monitoring of processes. This in turn promotes better adherence to security policies.
It is very important to ensure that security-related roles and responsibilities are clearly defined, documented, and communicated throughout the organization. Each employee should be aware of their respective roles and responsibilities. Clearly defined roles also facilitate effective access rights management: access is granted on a need-to-know basis according to each employee's job function and profile, and limited to the minimum rights that function requires (least privilege).
One of the simplest ways to define roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.
This chart indicates who is responsible for a particular function, who is accountable with regard to the function, who should be consulted about the function, and who should be informed about the function. Clearly defined RACI charts make the information security program more effective.
The following defines RACI in more detail:
Responsible: the person or team who performs the task.
Accountable: the person who owns the outcome and signs off on it; there should be only one accountable party per task.
Consulted: those whose input is sought before or while the task is carried out.
Informed: those who are kept up to date on progress and completion.
In the next section, you will go through the various roles that are integral to information security.
The role of board members in information security is of utmost importance. Board members need to be aware of security-related key risk indicators (KRIs) that can impact the business objectives. The intent and objectives of information security governance must be communicated from the board level down.
The current status of key security risks should be tabled and discussed at board meetings. This helps the board to determine the effectiveness of the current security governance.
Another essential reason for the board of directors to be involved in security governance is liability. Most organizations obtain specific insurance to deal with their financial liability in the event of a security incident. This type of insurance requires those bound by it to exercise due care in the discharge of their duties. Any negligence from the board in addressing the information security risk may make the insurance void.
The role of senior management is to ensure that the intent and requirements of the board are implemented in an effective and efficient manner. Senior management is required to provide ongoing support to information security projects in terms of budgets, resources, and other infrastructure. In some instances, there may be disagreement between IT and security. In such cases, senior management can take a balanced view after considering performance, cost, and security. The role of senior management is to map and align the security objectives with the overall business objectives.
The role of a business process owner is to take ownership of the security-related risks impacting their business processes. They need to ensure that information security activities are aligned and support their respective business objectives. Further, they need to monitor the effectiveness of security measures on an ongoing basis.
A steering committee comprises the senior management of an organization. The role of a steering committee is as follows:
The roles, responsibilities, and scope of a steering committee should be clearly defined.
The chief information security officer (CISO) is a senior-level officer who has been entrusted with making security-related decisions and is responsible for implementing security programs. The CISO should be an executive-level officer reporting directly to the CEO. The CISO's role is fundamentally one of governance and risk oversight, whereas the CIO generally focuses on IT performance.
The COO is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has a thorough knowledge of the business operations and objectives and is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.
The data custodian is a staff member who is entrusted with the safe custody of data. The data custodian is different from the data owner, though in some cases, both data custodian and data owner may be the same individual. A data custodian is responsible for managing the data on behalf of the data owner in terms of data backup, ensuring data integrity, and providing access to data for different individuals on the basis of the approval of the data owner. From a security perspective, a data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with organizational policy.
A well-defined communication channel is of utmost importance in the management of information security. A mature organization has dedicated systems to manage risk-related communication. This should be a two-way system, wherein management can reach all employees and at the same time employees can reach a designated risk official to report identified risks. This will help in the timely reporting of events, as well as disseminating important security information. In the absence of an appropriate communication channel, the identification of events may be delayed.
The following list consists of some of the indicators of a successful security culture:
Understanding the roles and responsibilities as covered in this section will help the security manager to implement an effective security strategy.
The following are some key aspects from the exam perspective:
Question | Possible Answer
What is the best course of action when there is disagreement on the security aspects between the IT team and the security team? | To refer the matter to senior management along with any necessary recommendations.
What is the immediate benefit of well-defined roles and responsibilities? | Better accountability.
Who has the ultimate responsibility for legal and regulatory requirements? | The board of directors, and senior management when the board delegates the responsibility to them.
What is the best way to prioritize information security projects? | Security projects should be assessed and prioritized based on their impact on the organization.
Who has the responsibility to enforce the access rights of employees? | The data custodian/security administrators.
What is the most important factor on which the data retention policy is based? | The business requirements.
What is the prime responsibility of an information security manager? | To manage the risks to information assets.
Which models are used to determine the extent and level of maturity of processes? | Capability maturity models (CMMs), and the process performance and capabilities approach.
What is the major concern if database administrators (DBAs) have access to DBA-related logs? | The unauthorized modification of logs by the DBA.
What is the main objective of integrating security-related roles and responsibilities? | To address security gaps that exist between assurance functions.
What is the role of the information owner with regard to the data classification policy? | To determine the level of classification for their respective data.
What is the role of the information security manager with regard to the data classification policy? | To define and ratify the data classification process.
What is the best way to ensure that responsibilities are carried out? | Assign accountability.
Who is responsible for complying with the organization's security policies and standards? |
What is the principle of proportionality for providing system and data access? | Access should be proportionate to the criticality of the assets and provided on a need-to-know basis.
What is the segregation of duties? |
What is a compensatory control? |
What is the principle of least privilege? | Users are granted only the minimum access rights required to perform their job functions; all other access is withheld.
CISM aspirants are expected to understand the basic details of a maturity model.
A maturity model is a tool that helps the organization assess the current effectiveness of a process and determine what capabilities they need to improve their performance.
Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. The following list defines the different maturity levels of an organization:
The CMM uses a scale of 0 to 5 based on process maturity level. It is the most common method applied by organizations to measure their existing state and then determine the desired one.
Maturity models identify the gaps between the current state of the governance process and the desired state. This helps the organization to determine the remediation steps required for improvement. A maturity model calls for continuous improvement in the governance framework. This requires continuous evaluation, monitoring, and improvement to move toward the desired state from the current state.
The process performance and capabilities approach also provides a detailed perspective of the maturity levels, just like the maturity model.
The following are some key aspects from the exam perspective:
Question | Possible Answer
Which models are used to determine the extent and level of maturity of processes? | Capability maturity models (CMMs), and the process performance and capabilities approach.
What is the best way to determine the continuous improvement of the risk management process? | The adoption of a maturity model.
In today's world, most organizations are heavily reliant on third parties to achieve one or more business objectives. The primary reason to obtain the services of a third party is to benefit from expert services in a cost-effective manner. These third parties can be service providers, trading partners, group companies, and so on.
These third parties are connected to the systems of the organization and have access to its data and other resources. To protect the organization, it is very important for an information security manager to assess the risk of such third-party relationships and ensure that relevant controls are in place.
Policies and requirements of information security should be developed before the creation of any third-party relationship.
Furthermore, the security manager should understand the following challenges of third-party relationships:
Effective governance is also highly dependent on the culture of the organization, as discussed earlier in this chapter.
A metric is a measurement of a process to determine how well the process is performing. Security-related metrics indicate how well the controls can mitigate the risks. For example, a system uptime metric helps in understanding whether a system is available to a user as per the requirements.
Based on effective metrics, an organization evaluates and measures the achievement and performance of various processes and controls. The main objective of a metric is to help the management in decision-making. A metric should be able to provide relevant information to the recipient so that informed decisions can be made.
Technical metrics help us to understand the functioning of technical controls such as IDSs, firewalls, and antivirus software. They are useful for tactical operational management. However, these metrics have little value from a governance standpoint.
Management is more concerned about the overall security posture of the organization. Full audits and comprehensive risk assessments are a few of the activities that help management to understand security from a governance perspective.
Good metrics should be SMART, that is, specific, measurable, attainable, relevant, and timely, as detailed below:
Specific: the metric measures one clearly defined aspect of a process or control.
Measurable: the value can be obtained objectively and repeatably.
Attainable: the data needed to compute the metric can realistically be collected.
Relevant: the metric supports a decision its recipient actually has to make.
Timely: the metric is available soon enough for that decision to be acted on.
The following are some key aspects from the exam perspective:
Question | Possible Answer
What is the prime objective of a metric? | To support decision-making. Organizations evaluate and measure the achievements and performance of various processes and controls using metrics, and effective metrics are primarily used for security-related decision-making.
In this chapter, you learned about the importance of assurance functions, that is, governance, risk, and compliance, and how their integration is key to effective and efficient information security management. You also learned how organizations can use the maturity model to improve their processes and explored the importance of the commitment of senior management toward the security of an organization. The next chapter will cover the practical aspects of information security strategy.