PREPARATION
Pre-Course Question 1
Pre-Course Question 2
Pre-Course Question 3
Pre-Course Question 4
Domain 1
Domain 1 (cont’d)
Domain Objectives
▪ Domain 1: Information Security Governance, 24%
▪ Domain 2: Information Security Risk Management, 30%
▪ Domain 3: Information Security Program Development and Management, 27%
▪ Domain 4: Information Security Incident Management, 19%
Governance vs. Management
▪ Governance
– Purpose is to set goals
– “Do the right thing”
▪ Management
– Purpose is to plan, build, execute and monitor activities to achieve goals
– “Do the thing right”
Effective Information Security
Domain 1 Overview
Section One
Task Statements
▪ T1.1 Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
Knowledge Statements
Key Terms
Strategy
Outcomes of Information Security
Governance
▪ Six basic outcomes of a security program:
– Strategic alignment
– Risk management
– Value delivery
– Resource optimization
– Performance measurement
– Assurance process integration
Risk Appetite
Strategy and Risk
Discussion Question
Governance, Risk and Compliance
▪ GRC is an integrated assurance process
▪ Convergence can exist independently across different business functions
▪ Information security is often a part of GRC
(Figure: Governance, Risk, Compliance)
▪ Overconfidence/Optimism
▪ Anchoring
▪ Status quo bias
▪ Mental accounting
▪ Herding instinct
▪ False consensus
– Confirmation bias
– Groupthink
Start with the Goals
Asset Classification
Focus on Data
Valuation of Data
Current Vs. Desired State
Good to Know
Building the Strategy
(Figure: governance tools and management tools, both part of the security architecture)
Strategy Constraints
▪ Legal
▪ Physical
▪ Ethics
▪ Culture
▪ Costs
▪ Personnel
▪ Organizational structure
▪ Resources
▪ Capabilities
▪ Time
▪ Risk appetite
Physical Constraints
▪ Ethics
– Perception of the enterprise’s behavior
– Influenced by location and culture
▪ Culture
– Internal culture
– Local culture
Costs
▪ Personnel
– Resistance to changes can impact the success of strategy implementation
▪ Organizational structure
– Impacts how a governance strategy can be implemented
– Cooperation is needed
– Senior management buy-in helps to ensure cooperation
Resources, Capabilities and Time
▪ Resources
– Consider available budgets, TCO and personnel requirements
▪ Capabilities
– Expertise and skills
▪ Time
– Deadlines/Windows of opportunity
Risk Appetite
Ongoing Assessment
Discussion Question
Strategy and Framework
▪ A framework is a scaffold of interlinked items
▪ Strategy is the starting point of the framework
▪ Ensures that information security is focused on the right goals
Relationship of Governance Elements
Third-party Resources
SABSA Security Architecture Matrix
Source: The Open Group; TOGAF, Version 9.1., United Kingdom 2011
Building Consistency
Section One
In the Big Picture
Section One
Review Question
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Review Question
Section Two
Gaining Management Support/Approval
Task Statements
▪ T1.5 Develop business cases to support investments in information security.
Knowledge Statements
Key Terms
Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.
Commitment is Key
Selling the Strategy
▪ Workshops or briefings can set the stage for strategy implementation.
▪ Try to anticipate issues/concerns managers already have.
Roles and Responsibilities
▪ Steering committee
– Comprised of senior representatives of groups impacted by information security
– Ensures alignment of the security program with business objectives
▪ Common topics:
– Security strategy and integration efforts
– Specific actions and progress related to business unit support of information security program functions
– Emerging risk, business unit security practices and compliance issues
Roles and Responsibilities
Good to Know
Tracking Roles
Activity
Activity Answers
Roles (columns): Information Security Manager; Board of Directors; Chief Information Officer; Chief Executive Officer; Business Process Owner
Define target IT capabilities: C, R, A, I
Conduct a gap analysis: R, A, R
Define the strategic plan and road map: C, A, C
Communicate the IT strategy and direction: I, I, R, R, I
Preparing a Business Case
Communicating Value
Stakeholder Buy-in
Discussion Question
Internal Stakeholders
External Stakeholders
▪ Service providers
▪ Critical vendors
▪ Outsourcing partners
▪ Consumers/members
Presenting the Strategy
Section Two
In the Big Picture
Section Two
Review Question
Section Three
Task Statements
▪ T1.4 Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
Knowledge Statements
K1.10 An effective program is one that the organization can afford and that delivers useful, accountable information.
Key Terms
Policies
Setting Standards
Discussion Question
▪ Once standards are set, what are some factors that may determine whether or not they are followed?
Tone at the Top
Controls
Discussion Question
IT Controls
Layered Defense
Countermeasures
Non-IT Controls
Discussion Question
Procedures
Good to Know
Guidelines
Metrics and Measurement
Metrics at the Strategic Level
Value Delivery Metrics
Performance Measurement
Section Three
Review Question
A. risk management.
B. compliance.
C. IT management.
D. governance.
Review Question
Domain 1
Summary
Questions