You're reading from Certified Information Security Manager Exam Prep Guide - Second Edition

Product typeBook

Published inDec 2022

PublisherPackt

ISBN-139781804610633

Edition2nd Edition

Concepts

Information Security

Author (1)

Hemang Doshi

Importance of Information Security Governance

In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented in the form of policies, standards, and procedures. The information security governance model is primarily impacted by the complexity of an organization's structure. An organization's structure includes its objectives, vision, mission and strategy, different function units, different product lines, hierarchy, and leadership structure. A review of organizational structure helps the security manager to understand the roles and responsibilities of information security governance, as discussed in the next section.

Information is one of the most important assets for any organization and its governance is mandated by various laws and regulations. For these reasons, information security governance is of critical importance.

Figure 1.1: Information security governance

Desired Outcomes of Good Information Security Governance

A well-structured information security governance model aims to achieve the following outcomes:

To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives
To optimize security investments and ensure the high-value delivery of business processes
To monitor the security processes to ensure that security objectives are achieved
To integrate and align the activities of all assurance functions for effective and efficient security measures
To ensure that residual risks are well within acceptable limits. This gives comfort to the management

Responsibility for Information Security Governance

The responsibility for information security governance primarily resides with the board of directors, senior management, and the steering committee. They are required to make security an important part of governance by monitoring its key aspects. Information security governance is a subset of enterprise governance.

Senior management is responsible for ensuring that security aspects are integrated with business processes. The involvement of senior management and the steering committee in discussions and the approval of security projects indicates that the management is committed to aspects relating to security.

Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight of the organization's security environment.

Steps for Establishing Governance

Governance is effective if it is established in a structured manner. A CISM aspirant should understand the following steps for establishing security governance:

First, determine the objectives of the information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that the organization is willing to take. For example, an objective for a bank may be that their system should always be available for customers – that is, there should be zero downtime. In this manner, information security objectives must align with and be guided by the organization's business objectives.
Next, the information security manager develops a strategy and a set of requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the best strategy to move to the desired state of security from its current state of security. The desired state of security is also termed the security objectives. This gap analysis becomes the basis for the strategy.
The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security manager needs to consider various factors, such as time limits, resource availability, security budget, and laws and regulations.

These specific actions are implemented by way of security policies, standards, and procedures.

Governance Framework

A governance framework is a structure or outline that supports the implementation of information security strategies. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are both examples of widely accepted and implemented frameworks for security governance.

As information security governance is a subset of the overall enterprise governance of an organization, the same framework should be used for both enterprise governance and information security governance. This ensures better integration between the two.

Top-Down and Bottom-Up Approaches

There are two possible approaches to governance: top-down and bottom-up.

In a top-down approach, policies, procedures, and goals are reviewed and approved by senior management, hence policies and procedures are directly aligned with business objectives.

A bottom-up approach may not directly address management priorities. In a bottom-up approach, operational level risks are given more importance.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question	Possible Answer
Which approach (that is, top-down or bottom-up) is more effective for governance?	The effectiveness of governance is best ensured by a top-down approach. In a top-down approach, policies, procedures, and goals are set by senior management and hence policies and procedures are directly aligned with business objectives. A bottom-up approach may not directly address management priorities. The effectiveness of governance is best ensured by a top-down approach.
What are the most important aspects of an information security strategy from a senior management perspective?	Business priorities, objectives, and goals.
What is a governance framework?	A governance framework is a structure that provides the outline to support processes and methods.

Figure 1.2: Key aspects from the CISM exam perspective

A Note on the Practice Questions

Throughout this book, and within the CISM certification exam itself, more than one of the answers may address the problem posed by the question. For that reason, it is very important to carefully read the question and ensure you pick the answer that represents the most important element of the solution.

Please also note, as ISACA recommends only those with "technical expertise and experience in IS/IT security and control" seek CISM certification, that this book assumes some prior experience in the field. With that in mind, you will face some questions intended to test your expected pre-existing knowledge. Do not worry if you do not get these questions right the first time; full explanations are given after every question to help you fill any gaps in your understanding.

Note

You can find the answer key and explanations for all practice and revision questions for this chapter under the section Chapter 1: Enterprise Governance of the solution set titled Answers to Practice Questions located at the end of the book.

Practice Question Set 1

An information security manager has been asked to determine the effectiveness of the information security governance model. Which of the following will help them decide whether the information security governance model is effective?
1. Security projects are discussed and approved by a steering committee
2. Security training is mandatory for all executive-level employees
3. Security training module is available on the intranet for all employees
4. Patches are tested before deployment
An information security manager is reviewing the information security governance model. The information security governance model is primarily impacted by:
1. The number of workstations
2. The geographical spread of business units
3. The complexity of the organizational structure
4. The information security budget
Which of the following is the first step in implementing information security governance?
1. Employee training
2. The development of security policies
3. The development of security architecture
4. The availability of an incident management team
Which of the following factors primarily drives information security governance?
1. Technology requirements
2. Compliance requirements
3. The business strategy
4. Financial constraints
Which of the following is the responsibility of the information security governance steering committee?
1. To manage the information security team
2. To design content for security training
3. To prioritize information security projects
4. To provide access to critical systems
Which of the following is the first step of information security governance?
1. To design security procedures and guidelines
2. To develop a security baseline
3. To define the security strategy
4. To develop security policies
Which of the following is the most important factor for an information security governance program?
1. To align with the organization's business strategy
2. To derive from a globally accepted risk management framework
3. be able to address regulatory compliance
4. To promote a risk-aware culture
Effective governance is best indicated by:
1. An approved security architecture
2. Certification from an international body
3. Frequent audits
4. An established risk management program
Which of the following is the effectiveness of governance best ensured by?
1. The use of a bottom-up approach
2. Initiatives by the IT department
3. Compliance-oriented approach
4. The use of a top-down approach
What is the prime responsibility of the information security manager in the implementation of security governance?
1. To design and develop the security strategy
2. To allocate a budget for the security strategy
3. To review and approve the security strategy
4. To train the end users
What is the most important factor when developing information security governance?
1. To comply with industry benchmarks
2. To comply with the security budget
3. To obtain a consensus from business functions
4. To align with organizational goals
What is the most effective way to build an information security governance program?
1. To align the requirements of the business with an information security framework
2. To understand the objectives of the business units
3. To address regulatory requirements
4. To arrange security training for all managers
What is the main objective of information security governance?
1. To ensure the adequate protection of information assets
2. To provide assurance to the management about information security
3. To support complex IT infrastructure
4. To optimize the security strategy to support the business objectives
The security manager notices inconsistencies in the system configuration. What is the most likely reason for this?
1. Documented procedures are not available
2. Ineffective governance
3. Inadequate training
4. Inappropriate standards
What is an information security framework best described as?
1. A framework that provides detailed processes and methods
2. A framework that provides required outputs
3. A framework that provides structure and guidance
4. A framework that provides programming inputs
What is the main reason for integrating information security governance into business activities?
1. To allow the optimum utilization of security resources
2. To standardize processes
3. To support operational processes
4. To address operational risks
Which of the following is the most important attribute of an effective information security governance framework?
1. A well-defined organizational structure with necessary resources and defined responsibilities
2. The availability of the organization's policies and guidelines
3. Business objectives supporting the information security strategy
4. Security guidelines supporting regulatory requirements
What is the most effective method to use to develop an information security program?
1. A standard
2. A framework
3. A process
4. A model

You have been reading a chapter from

Certified Information Security Manager Exam Prep Guide - Second Edition

Published in: Dec 2022Publisher: PacktISBN-13: 9781804610633

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

undefined

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at €14.99/month. Cancel anytime

Author (1)

Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.
Read more about Hemang Doshi

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages