
CISM Study Notes

Overview of Information Security Governance

Protecting and enabling our dependence upon data endowed with significant meaning
and purpose.
IT Security addresses: the universe of risk (what risk is, how it applies to the
business), benefits of processes, driving factors, laws and regulations (HIPAA,
SOX etc.), and governance.
Dependence upon IT is escalating, changing the definition of a "Capital
Resource".

IT Security - data in storage, data in transit, IP security, IPS, firewall, AV, ACLs
Information Security Governance - securing the fax area, background checks on staff,
making sure paper docs are shredded, CCTV, armed guards, working with law
enforcement.
IT Security is a subset of Information Security Governance!

InfoSec Governance criticality increases in proportion to dependence

- Increased potential for civil or legal liability
- To provide assurance of policy compliance
- Reduce uncertainty of business operations
- Framework for optimising resource allocations
- Foundation for risk management, incident response, process maximisation
- Improve reputation and relationships

!! 6 Key Results Of InfoSec Governance !!

1. Strategic Alignment (alignment of InfoSec in support of all
business/organisation objectives)
2. Risk Management (ultimate objective - the process of executing the right
measures to mitigate risks and reduce any potential impacts on
information resources to an acceptable level)
3. Value Delivery (when investments made in security are optimised to support
organisational objectives - get maximum output/results for the lowest cost
possible)
4. Resource Management (the processes that go into planning, allocating and
managing infosec resources - people, technology, logical processes,
methodologies. Minimal recurring problems. Capturing and spreading
knowledge. Standardised processes)
5. Performance Analysis (process of measuring, reporting and monitoring infosec
processes. IMPROVEMENT!! You cannot manage what you cannot measure.
Need standard metrics)
6. Integration (process of convergence - converging infosec processes with
business processes - the practical aspect of alignment)

Senior Management Responsibilities

Board of Directors/Senior Management - answer to shareholders. Periodically
receive high-level results of risk assessment and business impact analysis. Endorse
basic security requirements and strategic alignment with business objectives.
Executive Management - responsible for day-to-day high-level management of
processes. Ultimately responsible! Must align with business objectives. Evaluate
whether the level of impact is acceptable.
Steering Committee - specialised knowledge of different areas. Compile reports, do
measuring and monitoring. Pervasive throughout the enterprise. Communicate to
executive management. Change the overall culture or behaviour of the organisation.
CISO - reports to executive management.

INFOSEC MANAGER
- In charge of IT security departments - handling complex protection of systems,
critical data and processes
- Most CISOs report to the CEO, CIO, Board of Directors or specialty officers
- Must have support, buy-in and commitment from senior management
- The InfoSec manager should:
- develop and report security strategy input
- make presentations to senior management
- construct teams/committees and develop team leaders
- integrate 3rd parties, vendors and consultants

InfoSec Governance Scope and Charter

Covers information in any medium, whether it is created, stored, destroyed etc.
(not limited to technological media)
- Annual InfoSec evaluation (review results with all staff, key employees etc.; the
report goes to executives)
- Periodic risk assessment (of all information objects)
- Policies and procedures
- Security management structure
- Develop action plans (to ensure adequate cover)
- Integrate into the system life cycle
- Provide awareness training (ensure everyone is properly trained)
- Conduct periodic audits (testing/evaluation of policies and procedures)
- Plan for remedial action (remediate anything found by gap analysis)
- Develop incident response plans
- Continuity of operations procedures (DR - not only for disasters, but also for a
merger or late project etc.)
- Best practices implementation: ISO17799 (guidelines for security)

InfoSec Metrics

Measurement based on a reference.

Effective metrics - downtime due to DoS or trojan infection; the number of
penetrations from outside through the firewall; loss of time or data due to a threat or
attack; recovery time; number of vulnerabilities found by pen testing; how many
servers we have applied security patches to (and how many we have not); etc.

4 Components of Security Metrics (NIST 800-55)

1. Result-orientated metrics analysis (metrics must be used for analysis or they are a
waste of time)
2. Quantifiable performance metrics
3. Practical security policies and procedures (based on realistic day-to-day
processes)
4. Strong upper-level management support

KGI & KPI

Key Goal Indicator (macro)
Key Performance Indicator (micro)
!! usually done with a balanced scorecard !!

SMART
- Specific
- Measurable
- Achievable
- Repeatable
- Time-bound

InfoSec Strategy Goals and Objectives
Strategy Defined
InfoSec Strategy Development Model
Developing the Strategy
