Accessing the Online Content

With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards, exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

Governance is an important aspect of the certified information security manager (CISM) exam. In simple terms, governance means a set of policies, procedures, and standards used to monitor and control an activity. Enterprise governance refers to policies, procedures, and standards put in place to monitor an entire organization. Information security governance is a subset of overall enterprise governance, and its objective is to monitor and control activities related to information security.

In this chapter, you will gain an overview of information security governance and understand the impact of good governance on the effectiveness of information security projects.

You will learn about how organizational structure and culture impact information security governance and details about the various roles and responsibilities of the security function. You will also be introduced to the best practices for implementing information security governance.

This chapter will cover the following topics:

• Importance of Information Security Governance
• Organizational Culture
• Legal, Regulatory, and Contractual Requirements
• Retention of Business Records
• Organizational Structure
• Maturity Model
• Governance of Third-Party Relationships
• Information Security Governance Metrics

In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented in the form of policies, standards, and procedures. The information security governance model is primarily impacted by the complexity of an organization's structure. An organization's structure includes its objectives, vision, mission and strategy, different function units, different product lines, hierarchy, and leadership structure. A review of organizational structure helps the security manager to understand the roles and responsibilities of information security governance, as discussed in the next section.

Information is one of the most important assets for any organization and its governance is mandated by various laws and regulations. For these reasons, information security governance is of critical importance.

Figure 1.1: Information security governance

Desired Outcomes of Good Information Security Governance

A well-structured information security governance model aims to achieve the following outcomes:

• To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives
• To optimize security investments and ensure the high-value delivery of business processes
• To monitor the security processes to ensure that security objectives are achieved
• To integrate and align the activities of all assurance functions for effective and efficient security measures
• To ensure that residual risks are well within acceptable limits. This gives comfort to the management

Responsibility for Information Security Governance

The responsibility for information security governance primarily resides with the board of directors, senior management, and the steering committee. They are required to make security an important part of governance by monitoring its key aspects. Information security governance is a subset of enterprise governance.

Senior management is responsible for ensuring that security aspects are integrated with business processes. The involvement of senior management and the steering committee in discussions and the approval of security projects indicates that the management is committed to aspects relating to security.

Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight of the organization's security environment.

Steps for Establishing Governance

Governance is effective if it is established in a structured manner. A CISM aspirant should understand the following steps for establishing security governance:

1. First, determine the objectives of the information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that the organization is willing to take. For example, an objective for a bank may be that their system should always be available for customers – that is, there should be zero downtime. In this manner, information security objectives must align with and be guided by the organization's business objectives.
2. Next, the information security manager develops a strategy and a set of requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the best strategy to move to the desired state of security from its current state of security. The desired state of security is also termed the security objectives. This gap analysis becomes the basis for the strategy.
3. The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security manager needs to consider various factors, such as time limits, resource availability, security budget, and laws and regulations.

These specific actions are implemented by way of security policies, standards, and procedures.

Governance Framework

A governance framework is a structure or outline that supports the implementation of information security strategies. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are both examples of widely accepted and implemented frameworks for security governance.

As information security governance is a subset of the overall enterprise governance of an organization, the same framework should be used for both enterprise governance and information security governance. This ensures better integration between the two.

Top-Down and Bottom-Up Approaches

There are two possible approaches to governance: top-down and bottom-up.

In a top-down approach, policies, procedures, and goals are reviewed and approved by senior management, hence policies and procedures are directly aligned with business objectives.

A bottom-up approach may not directly address management priorities. In a bottom-up approach, operational level risks are given more importance.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Figure 1.2: Key aspects from the CISM exam perspective

A Note on the Practice Questions

Throughout this book, and within the CISM certification exam itself, more than one of the answers may address the problem posed by the question. For that reason, it is very important to carefully read the question and ensure you pick the answer that represents the most important element of the solution.

Please also note, as ISACA recommends only those with "technical expertise and experience in IS/IT security and control" seek CISM certification, that this book assumes some prior experience in the field. With that in mind, you will face some questions intended to test your expected pre-existing knowledge. Do not worry if you do not get these questions right the first time; full explanations are given after every question to help you fill any gaps in your understanding.

Note

You can find the answer key and explanations for all practice and revision questions for this chapter under the section Chapter 1: Enterprise Governance of the solution set titled Answers to Practice Questions located at the end of the book.

Practice Question Set 1

1. An information security manager has been asked to determine the effectiveness of the information security governance model. Which of the following will help them decide whether the information security governance model is effective?
   1. Security projects are discussed and approved by a steering committee
   2. Security training is mandatory for all executive-level employees
   3. Security training module is available on the intranet for all employees
   4. Patches are tested before deployment
2. An information security manager is reviewing the information security governance model. The information security governance model is primarily impacted by:
   1. The number of workstations
   2. The geographical spread of business units
   3. The complexity of the organizational structure
   4. The information security budget
3. Which of the following is the first step in implementing information security governance?
   1. Employee training
   2. The development of security policies
   3. The development of security architecture
   4. The availability of an incident management team
4. Which of the following factors primarily drives information security governance?
   1. Technology requirements
   2. Compliance requirements
   3. The business strategy
   4. Financial constraints
5. Which of the following is the responsibility of the information security governance steering committee?
   1. To manage the information security team
   2. To design content for security training
   3. To prioritize information security projects
   4. To provide access to critical systems
6. Which of the following is the first step of information security governance?
   1. To design security procedures and guidelines
   2. To develop a security baseline
   3. To define the security strategy
   4. To develop security policies
7. Which of the following is the most important factor for an information security governance program?
   1. To align with the organization's business strategy
   2. To derive from a globally accepted risk management framework
   3. be able to address regulatory compliance
   4. To promote a risk-aware culture
8. Effective governance is best indicated by:
   1. An approved security architecture
   2. Certification from an international body
   3. Frequent audits
   4. An established risk management program
9. Which of the following is the effectiveness of governance best ensured by?
   1. The use of a bottom-up approach
   2. Initiatives by the IT department
   3. Compliance-oriented approach
   4. The use of a top-down approach
10. What is the prime responsibility of the information security manager in the implementation of security governance?
    1. To design and develop the security strategy
    2. To allocate a budget for the security strategy
    3. To review and approve the security strategy
    4. To train the end users
11. What is the most important factor when developing information security governance?
    1. To comply with industry benchmarks
    2. To comply with the security budget
    3. To obtain a consensus from business functions
    4. To align with organizational goals
12. What is the most effective way to build an information security governance program?
    1. To align the requirements of the business with an information security framework
    2. To understand the objectives of the business units
    3. To address regulatory requirements
    4. To arrange security training for all managers
13. What is the main objective of information security governance?
    1. To ensure the adequate protection of information assets
    2. To provide assurance to the management about information security
    3. To support complex IT infrastructure
    4. To optimize the security strategy to support the business objectives
14. The security manager notices inconsistencies in the system configuration. What is the most likely reason for this?
    1. Documented procedures are not available
    2. Ineffective governance
    3. Inadequate training
    4. Inappropriate standards
15. What is an information security framework best described as?
    1. A framework that provides detailed processes and methods
    2. A framework that provides required outputs
    3. A framework that provides structure and guidance
    4. A framework that provides programming inputs
16. What is the main reason for integrating information security governance into business activities?
    1. To allow the optimum utilization of security resources
    2. To standardize processes
    3. To support operational processes
    4. To address operational risks
17. Which of the following is the most important attribute of an effective information security governance framework?
    1. A well-defined organizational structure with necessary resources and defined responsibilities
    2. The availability of the organization's policies and guidelines
    3. Business objectives supporting the information security strategy
    4. Security guidelines supporting regulatory requirements
18. What is the most effective method to use to develop an information security program?
    1. A standard
    2. A framework
    3. A process
    4. A model

The culture of an organization and its service provider is the most important factor that determines the implementation of an information security program. An organization's culture influences its risk appetite, that is, its willingness to take risks. This will have a significant influence on the design and implementation of the information security program. A culture that favors taking risks will have a different implementation approach compared to a culture that is risk averse.

Figure 1.3: Organizational culture

Cultural differences and their impact on data security are generally not considered during security reviews. Different cultures have different perspectives on what information is considered sensitive and how it should be handled. This cultural practice may not be consistent with an organization's requirements.

For some organizations, financial data is more important than privacy data. So, it is important to determine whether the culture of the service provider is aligned with the culture of the organization. Cultural differences and their impact on data security are generally not considered during security reviews.

Acceptable Usage Policy

An acceptable usage policy (AUP) generally includes rules for access controls, information classification, incident reporting requirements, confidentiality requirements, email, and internet usage requirements. All participants must understand which behaviors and acts are acceptable and which are not. This maintains a risk-aware culture.

A well-defined and documented AUP helps spread awareness about the dos and don'ts of information security.

It is essential that the AUP is conveyed to all users, and acknowledgment should be obtained from the users that they have read and understood the AUP. For new users, an AUP should be part of their induction training.

Ethics Training

The information security manager should also consider implementing periodic training on ethics. Ethical training includes emphasizing moral principles that govern a person's behavior or the conduct of an activity. It includes guidance on what the company considers legal and appropriate behavior.

Training on ethics is of utmost importance for employees engaged in sensitive activities, such as monitoring user activities or accessing sensitive personal data.

Some examples of unethical behavior include improper influence on other employees or service providers, use of corporate information or assets for private benefit, accepting gifts or bribes, and multiple employments.

Acknowledgment should be obtained from employees on understanding ethical behavior and the code of conduct and this should be retained as part of the employment records.

Practice Question Set 2

1. A newly appointed information security manager is reviewing the design and implementation of the information security program. Which of the following elements will have a major influence on the design and implementation of the information security program?
   1. Types of vulnerabilities
   2. The culture of the organization
   3. The business objectives
   4. The complexity of the business
2. Which of the following is the most important factor to consider while developing a control policy?
   1. Protecting data
   2. Protecting life
   3. Protecting the business's reputation
   4. Protecting the business objectives
3. Which of the following risks is most likely to be ignored during an onsite inspection of an offshore service provider?
   1. Cultural differences
   2. Security controls
   3. The network security
   4. The documented IT policy
4. What does an organization's risk appetite mostly depend on?
   1. The threat landscape
   2. The size of the information security team
   3. The security strategy
   4. The organization's culture
5. What factor has the greatest impact on the security strategy?
   1. IT technology
   2. System vulnerabilities
   3. Network bandwidth
   4. Organizational goals
6. What is the most important consideration when designing a security policy for a multi-national organization operating in different countries?
   1. The cost of implementation
   2. The level of security awareness of the employees
   3. The cultures of the different countries
   4. The capability of the security tools
7. What is the most important factor in determining the acceptable level of organizational standards?
   1. The current level of vulnerability
   2. The risk appetite of the organization
   3. IT policies and processes
   4. The documented strategy
8. What is the most important factor for promoting a positive information security culture?
   1. Monitoring by an audit committee
   2. High budgets for security initiatives
   3. Collaboration across business lines
   4. Frequent information security audits

An information security manager should be cautious about adherence to laws and regulations. Laws and regulations should be addressed to the extent that they impact the organization.

Processes should be in place to scan all new regulations and determine their applicability to the organization.

The information security manager is required to determine the processes and activities that may be impacted and whether existing controls are adequate to address any new regulations. If not, further controls should be implemented to address the new regulations.

Departments affected by any new regulations are in the best position to determine the impact of new regulatory requirements on their processes, as well as the best ways to address them.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Figure 1.4: Key aspects from the CISM exam perspective

Practice Question Set 3

1. An information security steering committee has approved the implementation of a bring your own device (BYOD) policy for mobile devices. As an information security manager, what should your first step be?
   1. To ask management to stop the BYOD policy implementation, stating the associated risk
   2. To prepare a business case for the implementation of BYOD controls
   3. To make the end users aware of BYOD risks
   4. To determine the information security strategy for BYOD
2. New regulatory requirements impacting information security will mostly come from which of the following?
   1. The chief legal officer
   2. The chief audit officer
   3. Affected departments
   4. Senior management
3. Primarily, the requirements of an information security program are based on which of the following?
   1. The IT policy
   2. The desired outcomes
   3. The management perceptions
   4. The security strategy
4. Which of the following should be the first step of an information security manager who notices a new regulation impacting one of the organization's processes?
   1. To pass on responsibility to the process owner for compliance
   2. To survey the industry practices
   3. To assess whether existing controls meet the regulation
   4. To update the IT security policy
5. Privacy laws are mainly focused on which of the following?
   1. Big data analytics
   2. Corporate data
   3. Identity theft
   4. Identifiable personal data
6. The information security manager notices a regulation that impacts the handling of sensitive data. Which of the following should they do first?
   1. Determine the processes and activities that may be impacted.
   2. Present a risk treatment option to senior management.
   3. Determine the cost of control.
   4. Discuss the possible consequences with the process owner.
7. The information security manager should address laws and regulations in which way?
   1. To the extent that they impact the organization
   2. To meet the certification standards
   3. To address the requirements of policies
   4. To reduce the cost of compliance
8. What is the most important consideration for organizations involved in cross-border transactions?
   1. The capability of the IT architecture
   2. The evolving data protection regulations
   3. The cost of network bandwidth
   4. The incident management process
9. What should be the next step for the board of directors when they notice new regulations are impacting some of the organization's processes?
   1. Instruct the information security department to implement specific controls
   2. Evaluate various solutions to address the new regulations
   3. Require management to report on compliance
   4. Evaluate the cost of implementing new controls
10. Which of the following factors is the most difficult to estimate?
    1. Vulnerabilities in the system
    2. Legal and regulatory requirements
    3. Compliance timelines
    4. The threat landscape
11. What should the next step be for an information security manager upon noticing new regulations impacting some of the organization's processes?
    1. To identify whether the current controls are adequate
    2. To update the audit department about the new regulations
    3. To present a business case to senior management
    4. To implement the requirements of new regulations

The information security manager should ensure that an adequate record retention policy is in place and that this is followed throughout the organization. A record retention policy will specify what types of data and documents are required to be preserved, and what must be destroyed. It also specifies the number of years for which that data is required to be preserved.

Figure 1.5: Record retention

Record retention should primarily be based on the following two factors:

• Business requirements
• Legal requirements

If a record is required to be maintained for three years as per the business requirements, and for two years from a legal perspective, then it should be maintained for three years.

Organizations generally design their record retention policy in line with the relevant laws and regulations.

Electronic Discovery

Electronic discovery (e-discovery) is the process of the identification, collection, and submission of electronic records in a lawsuit or investigation. The best way to ensure the availability of electronic records is to implement comprehensive retention policies. A retention policy dictates the terms for storing, backing up, and accessing the records.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Figure 1.6: Key aspects from the CISM exam perspective

Practice Question Set 4

1. Which of the following has the most influence while planning business record retention?
   1. Potential changes in storage capacity
   2. Potential changes in regulatory requirements
   3. Potential changes in business strategy
   4. Potential changes in application systems and media
2. Which of the following is the most important consideration in business record retention?
   1. Strategic objectives
   2. Regulatory and legal requirements
   3. Storage capacity
   4. Level of control implemented
3. Due to changes in the business strategy, certain information now no longer supports the purpose of the business. What should be done with this information?
   1. It should be analyzed under the retention policy
   2. It should have restricted access
   3. It should be frequently backed up
   4. It should be evaluated by a business impact analysis
4. As an information security manager, you have been asked to design a strategy to minimize the impact of an e-discovery in the event of litigation. What is the most effective method to achieve this?
   1. Keeping backups of sensitive data
   2. Limiting access to sensitive data
   3. Not storing sensitive data
   4. Implementing comprehensive retention policies

The development of a security strategy is highly influenced by the organizational structure. Organizational structure pertains to the roles and responsibilities of different individuals, the reporting hierarchy, whether the organization functions in a centralized or decentralized way, and so on. A flexible and evolving organizational structure is more open to the adoption of a security strategy, whereas an organization with a more constrained structure might not adopt a security strategy.

The independence of the security function is the most important factor to be considered, from a practical as well as the exam perspective, while evaluating organizational functions. This can be assessed through the reporting structure of the security function.

Board of Directors

The ultimate responsibility for the appropriate protection of an organization's information falls on the board of directors. The involvement of board members in information security initiatives can be an indicator of good governance. In the event of an incident, the company directors can be protected from liability if the board has exercised due diligence. Many laws and regulations make the board responsible in the event of data breaches. Even cyber security insurance policies require the board to exercise due diligence as a prerequisite for insurance coverage.

Security Steering Committee

The security steering committee is generally composed of senior management from different business units. The security steering committee is best placed to determine the level of acceptable risk (risk capacity) for the organization. They monitor and control the security strategy. They also ensure that the security policy is aligned with the business objectives.

Reporting of Security Functions

In the past, security functions in most organizations reported to the chief information officer (CIO). However, it has since been observed that CIOs are primarily concerned with IT performance and cost, with security as a secondary objective. During a conflict between performance and security, security is sometimes ignored.

However, with increased awareness and more experience, the responsibility for security is now entrusted to senior-level functionaries directly reporting to the chief operating officer (COO), chief executive officer (CEO), or board of directors. This ensures the independence of security functions.

Organizations' security functions can work in either a centralized or decentralized way.

Centralized vis-à-vis Decentralized Security Functioning

In a centralized process, information security activities are handled from a central location, usually the head office of the organization. In a decentralized process, the implementation and monitoring of security activities are delegated to the local offices of the organization.

The following table shows the differentiation between centralized and decentralized processes:

Figure 1.7: Differences between centralized and decentralized processes

Centralization of information security management results in greater uniformity and easier monitoring of processes. This in turn promotes better adherence to security policies.

Practice Question Set 5

1. Which of the following is a characteristic of a centralized information security management process?
   1. Processes are costlier to manage compared to decentralized processes
   2. Better adherence to policy compared to decentralized processes
   3. Better alignment with business unit requirements compared to decentralized processes
   4. Faster turnaround of requests compared to decentralized processes
2. Who should determine the acceptable level of information security risk?
   1. Legal department
   2. CISO
   3. Audit department
   4. Steering committee
3. As an information security manager, how do you characterize a decentralized information security process?
   1. Consistency in information security processes
   2. Better compliance with policy
   3. Better alignment with decentralized unit requirements
   4. Optimum utilization of information security resources

Information Security Roles and Responsibilities

It is very important to ensure that security-related roles and responsibilities are clearly defined, documented, and communicated throughout the organization. Each employee of the organization should be aware of their respective roles and responsibilities. Clearly defined roles also facilitate effective access rights management, as access is provided based on the respective job functions and job profiles of employees – that is, on a need-to-know basis (least privilege) only.

RACI Chart

One of the simplest ways to define roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.

This chart indicates who is responsible for a particular function, who is accountable with regard to the function, who should be consulted about the function, and who should be informed about the function. Clearly defined RACI charts make the information security program more effective.

The following defines RACI in more detail:

• Responsible: This is the person who is required to execute a particular job function.
• Accountable: This is the person who is required to supervise a job function.
• Consulted: This is the person who gives suggestions and recommendations for executing a job function.
• Informed: This is the person who should be kept updated about the progress of the job function.

In the next section, you will go through the various roles that are integral to information security.

Board of Directors

The role of board members in information security is of utmost importance. Board members need to be aware of security-related key risk indicators (KRIs) that can impact the business objectives. The intent and objectives of information security governance must be communicated from the board level down.

The current status of key security risks should be tabled and discussed at board meetings. This helps the board to determine the effectiveness of the current security governance.

Another essential reason for the board of directors to be involved in security governance is liability. Most organizations obtain specific insurance to deal with their financial liability in the event of a security incident. This type of insurance requires those bound by it to exercise due care in the discharge of their duties. Any negligence from the board in addressing the information security risk may make the insurance void.

Senior Management

The role of senior management is to ensure that the intent and requirements of the board are implemented in an effective and efficient manner. Senior management is required to provide ongoing support to information security projects in terms of budgets, resources, and other infrastructure. In some instances, there may be disagreement between IT and security. In such cases, senior management can take a balanced view after considering performance, cost, and security. The role of senior management is to map and align the security objectives with the overall business objectives.

Business Process Owners

The role of a business process owner is to take ownership of the security-related risks impacting their business processes. They need to ensure that information security activities are aligned and support their respective business objectives. Further, they need to monitor the effectiveness of security measures on an ongoing basis.

Steering Committee

A steering committee comprises the senior management of an organization. The role of a steering committee is as follows:

• To ensure that security programs support the business objectives
• To evaluate and prioritize the security programs
• To evaluate emerging risks, security practices, and compliance-related issues

The roles, responsibilities, and scope of a steering committee should be clearly defined.

Chief Information Security Officer

The chief information security officer (CISO) is a senior-level officer who has been entrusted with making security-related decisions and is responsible for implementing security programs. The CISO should be an executive-level officer directly reporting to the CEO. The role of the CISO is fundamentally regulatory, whereas the role of the CIO is to generally focus on IT performance.

Chief Operating Officer

The COO is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has a thorough knowledge of the business operations and objectives and is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.

Data Custodian

The data custodian is a staff member who is entrusted with the safe custody of data. The data custodian is different from the data owner, though in some cases, both data custodian and data owner may be the same individual. A data custodian is responsible for managing the data on behalf of the data owner in terms of data backup, ensuring data integrity, and providing access to data for different individuals on the basis of the approval of the data owner. From a security perspective, a data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with organizational policy.

Communication Channel

A well-defined communication channel is of utmost importance in the management of information security. A mature organization has dedicated systems to manage risk-related communication. This should be a two-way system, wherein management can reach all employees and at the same time employees can reach a designated risk official to report identified risks. This will help in the timely reporting of events, as well as disseminating important security information. In the absence of an appropriate communication channel, the identification of events may be delayed.

Indicators of a Security Culture

The following list consists of some of the indicators of a successful security culture:

• The involvement of the information security department in business projects
• End users are aware of the identification and reporting of incidents
• There is an appropriate budget for information security programs
• Employees are aware of their roles and responsibilities regarding information security

Understanding the roles and responsibilities as covered in this section will help the security manager to implement an effective security strategy.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Figure 1.8: Key aspects from the CISM exam perspective

Practice Question Set 6

1. The information security team is mapping job descriptions to relevant data access rights. This is based on:
   1. The principle of accountability
   2. The principle of proportionality
   3. The principle of integration
   4. The principle of the code of ethics
2. As an information security manager, you are reviewing the function of the data custodian. The data custodian is primarily responsible for:
   1. Approving access to the data
   2. The classification of assets
   3. Enhancing the value of data
   4. Ensuring all security measures are in accordance with the organizational policy
3. You are an information security manager for a bank. One of your critical recommendations is not accepted by the IT head. What should your next course of action be?
   1. Refer the matter to an external third party for resolution
   2. Request senior management to discontinue the relevant project immediately
   3. Ask the IT team to accept the risk
   4. Refer the matter to senior management along with any necessary recommendations
4. As an information security manager, you strongly recommend having well-defined roles and responsibilities from an information security perspective. The most important reason for this recommendation is:
   1. Adherence to security policies throughout the organization
   2. Well-structured process flows
   3. The implementation of SoD
   4. Better accountability
5. What is the prime role of an information security manager in a data classification process?
   1. To define and ratify the data classification process
   2. To map all data to different classification levels
   3. To provide data security, as per the classification
   4. To confirm that data is properly classified
6. Which of the following is the area of most concern for the information security manager?
   1. That there are vacant positions in the information security department
   2. That the information security policy is approved by senior management
   3. That the steering committee only meets on a quarterly basis
   4. That security projects are reviewed and approved by the data center manager
7. An information security manager should have a thorough understanding of business operations with the prime objective of which of the following?
   1. Supporting organizational objectives
   2. Ensuring regulatory compliance
   3. Concentrating on high-risk areas
   4. Evaluating business threats
8. In a big multi-national organization, the best approach to identify security events is to do which of the following?
   1. Conduct frequent audits of the business processes
   2. Deploy a firewall and intrusion detection system
   3. Develop communication channels across the organization
   4. Conduct vulnerability assessments of new systems
9. Legal and regulatory liability is the responsibility of which of the following?
   1. The chief information security officer
   2. The head of legal
   3. The board of directors and senior management
   4. The steering committee
10. What is the best way to gain support from senior management for information security projects?
    1. Lower the information security budget
    2. Conduct a risk assessment
    3. Highlight industry best practices
    4. Design an information security policy
11. Prioritization of information security projects is best conducted based on which of the following?
    1. The turnaround time of the project
    2. The impact on the organization's objectives
    3. The budget of the security project
    4. The resource requirements for the project
12. Who is responsible for enforcing the access rights of employees?
    1. The process owner
    2. The data owner
    3. The steering committee
    4. The security administrators
13. Who is responsible for information classification?
    1. The data administrator
    2. The information security manager
    3. The information system auditor
    4. The data owner
14. What is the data retention policy primarily based on?
    1. Indus\try practices
    2. Business requirements
    3. Regulatory requirements
    4. Storage requirements
15. What is the most important security aspect for a multi-national organization?
    1. The local security program should comply with the corporate data privacy policy
    2. The local security program should comply with the data privacy policy of the location where the data is collected
    3. The local security program should comply with the data privacy policy of the country where the headquarters are located
    4. The local security program should comply with industry best practices
16. The ultimate accountability for the protection of sensitive data lies with which of the following?
    1. The security administrators
    2. The steering committee
    3. The board of directors
    4. The security manager
17. The most likely authority to sponsor the implementation of new security infrastructure for business processes is which of the following?
    1. The CISO
    2. The COO
    3. The head of legal
    4. The data protection officer
18. Who should determine the requirements for access to data?
    1. The security officer
    2. The data protection officer
    3. The compliance officer
    4. The business owner
19. The responsibility for establishing information security controls in an application resides with which of the following?
    1. The information security steering committee
    2. The data owner
    3. The system auditor
    4. The system owner

CISM aspirants are expected to understand the basic details of a maturity model.

A maturity model is a tool that helps the organization assess the current effectiveness of a process and determine what capabilities they need to improve their performance.

Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. The following list defines the different maturity levels of an organization:

• Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.
• Level 1: Performed: On this level, the process can achieve its intended purpose.
• Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled.
• Level 3: Established: Along with what is required for a Level 2 process, there is a well-defined, documented, and established process to manage the process.
• Level 4: Predictable: On this level, the process is predictable and operates within the defined parameters and limits to achieve its intended purpose.
• Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.

The CMM uses a scale of 0 to 5 based on process maturity level. It is the most common method applied by organizations to measure their existing state and then determine the desired one.

Maturity models identify the gaps between the current state of the governance process and the desired state. This helps the organization to determine the remediation steps required for improvement. A maturity model calls for continuous improvement in the governance framework. This requires continuous evaluation, monitoring, and improvement to move toward the desired state from the current state.

The process performance and capabilities approach also provides a detailed perspective of the maturity levels, just like the maturity model.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Figure 1.9: Key aspects from the CISM exam perspective

Practice Question Set 7

1. As an information security manager, you recommend adopting a maturity model for the organization's information security governance framework. The most important reason for this recommendation is:
   1. Continuous evaluation, monitoring, and improvement
   2. The return on technology investment
   3. Continuous risk mitigation
   4. Continuous KRI monitoring
2. What best indicates the level of information security governance?
   1. A defined maturity model
   2. The size of the security team
   3. The availability of policies and procedures
   4. The number of security incidents
3. What is the most effective indicator of the level of security governance?
   1. The annual loss expectancy
   2. The maturity level
   3. A risk assessment
   4. An external audit

In today's world, most organizations are heavily reliant on third parties to achieve one or more business objectives. The primary reason to obtain the services of a third party is to benefit from expert services in a cost-effective manner. These third parties can be service providers, trading partners, group companies, and so on.

These third parties are connected to the systems of the organization and have access to its data and other resources. To protect the organization, it is very important for an information security manager to assess the risk of such third-party relationships and ensure that relevant controls are in place.

Policies and requirements of information security should be developed before the creation of any third-party relationship.

Furthermore, the security manager should understand the following challenges of third-party relationships:

• The cultural differences between an organization and the service provider
• Technology incompatibilities
• The business continuity arrangements of the service provider may not be aligned with the requirements of the organization
• Differences in incident management processes
• Differences in disaster recovery capabilities

Effective governance is highly dependent on the culture of the organization. The next section discusses this in more detail.

A metric is a measurement of a process to determine how well the process is performing. Security-related metrics indicate how well the controls can mitigate the risks. For example, a system uptime metric helps in understanding whether a system is available to a user as per the requirements.

Figure 1.10: Information security governance metrics

The Objective of Metrics

Based on effective metrics, an organization evaluates and measures the achievement and performance of various processes and controls. The main objective of a metric is to help the management in decision-making. A metric should be able to provide relevant information to the recipient so that informed decisions can be made.

Technical Metrics vis-à-vis Governance-Level Metrics

Technical metrics help us to understand the functioning of technical controls such as IDSs, firewalls, and antivirus software. They are useful for tactical operational management. However, these metrics have little value from a governance standpoint.

Management is more concerned about the overall security posture of the organization. Full audits and comprehensive risk assessments are a few of the activities that help management to understand security from a governance perspective.

Characteristics of Effective Metrics

Good metrics should be SMART, that is, specific, measurable, attainable, relevant, and timely, as detailed below:

• Specific: The metric should be specific, clear, and concise.
• Measurable: The metric should be measurable so that it can be compared over a period.
• Attainable: The metric should be realistic and achievable.
• Relevant: The metric should be linked to specific risks or controls.
• Timely: The metric should be able to be monitored on a timely basis.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Figure 1.11: Key aspects from the CISM exam perspective

Practice Question Set 8

1. As an information security manager, your decisions should be primarily based on:
   1. Market research
   2. Predictive analysis
   3. Industry standards
   4. Effective metrics
2. Which of the following metrics is considered to have the most important strategic value?
   1. A privileged access management process
   2. Trends in incident occurrence
   3. System downtime analysis
   4. Results of penetration tests
3. What is the most important metric that indicates organizational risk?
   1. The expected annual loss
   2. The number of security incidents
   3. The number of unplanned business interruptions
   4. The number of open vulnerabilities
4. What is the most essential attribute for a metric?
   1. Metrics should be easy to implement
   2. Metrics should be meaningful to the process owner
   3. Metrics should be qualitative
   4. Metrics should be able to support regulatory requirements
5. What is the most important attribute of a key risk indicator?
   1. A KRI should be flexible and adaptable
   2. A KRI should be arrived at by consistent methodologies and practices
   3. A KRI should be easy to understand
   4. A KRI should be convenient for the process owner to use
6. What is the best indicator to determine the effectiveness of the security strategy?
   1. The strategy helps to improve the risk appetite of the organization
   2. The strategy helps to implement countermeasures for all the threats
   3. The strategy helps to minimize the annual losses
   4. The strategy helps to achieve the control objectives
7. The information security manager has been asked to implement a particular security standard. Which of the following is the most effective to monitor this?
   1. The key success factor
   2. The key objective indicator
   3. The key performance indicator
   4. The key goal indicator

In this chapter, you learned about the importance of assurance functions, that is, governance, risk, and compliance, and how their integration is key to effective and efficient information security management. You also learned how organizations can use the maturity model to improve their processes and explored the importance of the commitment of senior management toward the security of an organization. The next chapter will cover the practical aspects of information security strategy.

1. The effectiveness of SoD is best ensured by which of the following?
   1. Implementing strong password rules
   2. Making available a security awareness poster on the intranet
   3. Frequent information security training
   4. Reviewing access privileges when an operator's role changes
2. What is the prime responsibility of an information security manager?
   1. To manage the risk to information assets
   2. To implement the security configuration for IT assets
   3. To conduct disaster recovery testing
   4. To close identified vulnerabilities
3. To determine the extent of sound processes, the maturity model is used. Another approach is to use which of the following?
   1. The Monte Carlo method
   2. Process performance and capabilities
   3. Vulnerability assessments
   4. Risk analysis
4. Information system access should be primarily authorized by which of the following?
   1. The information owner
   2. The system auditor
   3. The CISO
   4. The system administrator
5. The information security manager observes that the incident log is stored on a production database server. Which of the following is a major concern?
   1. The unavailability of log details if the server crashes
   2. The unauthorized modification of logs by the database administrator
   3. Log capturing makes the transaction process slow
   4. Critical information may not be captured in the log files
6. Appointing a CISO indicates which of the following?
   1. The organization wants to enhance the role of senior management
   2. The organization is committed to its responsibility for information security
   3. The board of directors wants to pass on their accountability
   4. The organization wants to improve its technology architecture
7. The main objective of integrating security-related roles and responsibilities is which of the following?
   1. To address the security gaps that exist between assurance functions
   2. To address the unavailability of manpower
   3. To address the gap in business continuity and disaster recovery
   4. To address the complications in system development processes
8. Which of the following is the best compensating control when the same employee is responsible for updating servers, maintaining the access control, and reviewing the logs?
   1. To verify that only approved changes are made
   2. To conduct penetration tests
   3. To conduct risk assessments
   4. Reviews of log files conducted by the manager
9. What is the responsibility of the information owner when complying with the information classification scheme?
   1. To implement security measures to protect their data
   2. To determine the level of classification for their data
   3. To arrange backups of their data
   4. To delegate the processes of information classification to the system administrator
10. The effectiveness of the organization's security measures is the final responsibility of which of the following?
    1. The security administrator
    2. The CISO
    3. Senior management
    4. The information security auditor
11. What is the best way to ensure that responsibilities are carried out?
    1. Signed non-disclosure agreements
    2. Heavy penalties for non-compliance
    3. Assigned accountability
    4. Documented policies
12. Who is responsible for complying with the organization's security policies and standards?
    1. The CISO
    2. Senior management
    3. The compliance officer
    4. All organizational units
13. Continuous improvement of the risk management process is most likely ensured by which of the following?
    1. The regular review of implemented security controls
    2. Implementing an information classification policy
    3. The adoption of a maturity model
    4. Regular audits of risk management processes
14. Information security is the responsibility of which of the following?
    1. All personnel
    2. IT personnel
    3. Security personnel
    4. Operational personnel
15. Who should security policies be finally approved by?
    1. Operation managers
    2. The CISO
    3. Senior management
    4. The chief technical officer (CTO)
16. Confidentiality of information can be best ensured by which of the following?
    1. Implementing an information classification policy
    2. Implementing SoD
    3. Implementing the principle of least privilege
    4. Implementing information security audits
17. As an information security manager, how do you characterize a decentralized information security process?
    1. Consistency in information security processes
    2. Better compliance with policy
    3. Better alignment with decentralized unit requirements
    4. Optimum utilization of information security resources