
CISM EXAM PREPARATION

Domain 3: Information Security Program Development and Management

Domain 3

Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.

Domain 3 (cont’d)

▪ This domain reviews the diverse areas of knowledge needed to develop and manage an information security program.

Domain Objectives

▪ Ensure that the CISM Candidate has the knowledge necessary to:
– Understand the broad requirements and activities needed to create, manage and maintain an information security program to implement an information security strategy.
– Define and utilize the resources required to achieve the IT goals consistent with organizational objectives.
– Understand the people, processes and technology necessary to execute the information security strategy.

On the CISM Exam

▪ This domain represents 27% (approximately 41 questions) of the CISM exam.

Exam weighting by domain (shown as a pie chart in the original):
– Domain 1: Information Security Governance, 24%
– Domain 2: Information Security Risk Management, 30%
– Domain 3: Information Security Program Development and Management, 27%
– Domain 4: Information Security Incident Management, 19%
The Information Security Program

▪ The means by which information risk is managed:
– Drafting and publishing standards, guidelines and procedures
– Designing, building, implementing and monitoring controls
– Providing training to the workforce and promoting security awareness

Purpose and Objectives

▪ Purpose of the Program: Support and further the enterprise’s business objectives.
▪ Objective of the Information Security Manager: To implement and execute a program that manages information risk in a cost-effective manner.

Domain 3 Overview

▪ Alignment and Resource Management
▪ Standards, Awareness and Training
▪ Building Security Into Processes and Practices
▪ Security Monitoring and Reporting

Refer to the CISM Job Practice for Task and Knowledge Statements.

Section One

Alignment and Resource Management
Task Statements

▪ T3.1 Establish and/or maintain the information security program in alignment with the information security strategy.
▪ T3.2 Align the information security program with the operations objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
▪ T3.3 Identify, acquire and manage requirements for internal and external resources to execute the information security program.
▪ T3.4 Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.

Knowledge Statements

How does Section One relate to each of the following knowledge statements?

K3.1: Information security supports organizational goals and needs to be aligned with business functions and the information risk management strategy.
K3.2: The information security manager needs to know how to define requirements and obtain resources from within and outside of the organization.
K3.3: The information security manager needs to be the organization’s subject matter expert on current and emerging technologies and concepts.
K3.5: Management of people and processes associated with information security is a key part of running a successful program.
K3.7: The information security manager should be familiar with common third-party and international standards frameworks and practices.
Knowledge Statements

How does Section One relate to each of the following knowledge statements?

K3.11: Information security needs to be built into recurring processes so it can be taken into account at all times.
K3.12: Contracts need to incorporate information security requirements during negotiation to ensure that these are part of any final agreement.
K3.13: Monitoring information security practices used by third parties is the only way to ensure that agreed-upon standards are being maintained.
K3.14: The information security manager needs a way to monitor the overall effectiveness of the program that aligns with factors important to senior managers.

Key Terms

IT steering committee: An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects.
Project management: The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects.
Resource: Any enterprise asset that can help the organization achieve its objectives.
Segregation of duties: A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.
Service level agreement: An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured.
Essential Program Elements

▪ Three elements of a successful security program:
1. The program must be based on a well-developed strategy aligned with business goals
2. The program must be designed with cooperation and support from senior managers/stakeholders
3. The program must include metrics that provide regular, useful feedback for calibration

Program Goals

▪ Goals are typically specified by governance.
– Third-party standards and frameworks can also be used.
▪ Regardless, clear goals are necessary to manage success.
Strategic Alignment

[Figure: activities mapped to the strategy. Each activity should be examined against the strategy.]

Resource Management

▪ Lack of resources is a commonly cited obstacle to successful information security.
▪ Support can be gained by tracing the program back to the strategy.
▪ Project planning, technology selection and skill acquisition factor into resource management.
Budgeting for Information Security

▪ Expenses for security are more likely to be approved when communicated in advance.
– Value proposition
▪ Baseline expenses should be held stable during a budget year.
– Salaries
– Skills maintenance
– Software fees
▪ Special projects should be treated separately from the baseline.
Engaging the Business

▪ A steering committee reaffirms the business’s commitment to information security.
– Day-to-day engagement helps to create a sense of shared responsibility.
– Cultural alignment is important.
▪ Regular reports to executives can promote awareness.
Cross-functional Coordination

▪ Information is vulnerable wherever it is accessed.
▪ Information security can often be seen as burdensome, costly, etc.
▪ Understanding how other teams function can help you to design security to support them.
Key Relationships

[Figure: the information security manager’s key relationships]
– Information Technology
– Internal/IT Audit
– Facilities and Security
– Human Resources
– Legal and Privacy
– Procurement
– Project Management
Information Technology

▪ Information Technology
– Wants to get things done
– Wants to be fast and cost effective
– Maintains and monitors controls
▪ Information Security
– Wants to secure things
– Wants to implement controls, which can slow down processes and are costly
– Designs and directs controls

Internal/IT Audit

▪ Audits can produce positive outcomes.
– Findings can draw attention from senior management, leading to greater support.
▪ If policies and standards are not available, auditors assess a program against industry practices.
▪ Proper documentation can lead to an audit that provides relevant, useful insight.
Facilities and Security

▪ Physical access has huge implications for information security.
▪ Information also includes that on hard/paper copies.
▪ Collaboration can enhance the effectiveness of information risk management.

Good to Know

▪ Pay careful attention to who has been given authorized access to server rooms, wiring closets and other vital links in the information infrastructure.
▪ Aside from malicious intent to compromise these systems, availability can be impacted by mistakes made when people are working in these areas.
▪ In particular, access to cabling and network devices by third-party contractors should be supervised whenever feasible.
Human Resources

▪ Background checks
▪ Pre-employment screening
▪ Security awareness in orientation
▪ Disciplinary actions

Legal and Privacy

▪ Laws and regulations regarding privacy vary across jurisdictions.
▪ Legal considerations apply to investigations of computer crimes.
▪ Opinions of legal and privacy professionals will help to design effective controls.
Procurement

▪ If information security is not connected with purchasing technology, business units may deploy IT tools that compromise security.
▪ Mature integrated processes include lists of approved devices and software.
▪ At a minimum, technical purchases should be coordinated with information security for risk assessment.

Discussion Question

▪ What should an information security manager do if a business unit wants to purchase technology that would increase risk to the organization?
Project Management

▪ Identifying all projects that affect information systems/data is key.
▪ Early involvement can:
– Improve project design
– Make controls more cost-effective
▪ A distinct PMO can help to facilitate integration.

Good to Know

▪ Keep in mind that even in organizations that have a PMO, business units often undertake their own projects when they have sufficient internal resources to manage them. One common reason for this is a specific desire to avoid the perceived hassle or bureaucracy associated with formal project management, which poses a clear problem for the organization’s management of information risk.
▪ The information security manager can overcome this situation by forming positive relationships throughout the business and building a reputation as someone who enables desired outcomes, rather than being seen as someone who impedes progress.
Technical Security Management

▪ Considering the implementation of the information security program is key for scoping and budgeting.
▪ Standards should be applied uniformly.
▪ Track and enforce SoD, events to be monitored, events that warrant special attention, communication needs, and roles and responsibilities.

Continuous Improvement

▪ Organizational goals and strategy change over time.
– This requires constant review and revision.
▪ The Plan-Do-Check-Act cycle is a general-purpose continuous improvement methodology.
– It is widely accepted across business functions.
Plan-Do-Check-Act

[Figure: the Plan-Do-Check-Act cycle.]

Section One
In the Big Picture: Section One, Alignment and Resource Management

• The information security program implements the approved strategy for information risk management and promotes the pursuit of organizational goals.
• The program is likely to be most effective when its design and implementation is done collaboratively with people in other business functions.

Section One

Practice Questions
Practice Question

Which of the following is the BEST approach to dealing with inadequate funding of the security program?

A. Eliminate low-priority security services.
B. Require management to accept the increased risk.
C. Prioritize risk mitigation and educate management.
D. Reduce monitoring and compliance enforcement activities.

Practice Question

Which of the following should be included in a good privacy statement?

A. A notification of liability on accuracy of information
B. A notification that information will be encrypted
C. A statement of what the company will do with information it collects
D. A description of the information classification process
Practice Question

When developing an information security program, what is the MOST useful source of information for determining available human resources?

A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory

Section Two

Standards, Awareness and Training
Task Statements

▪ T3.5 Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.
▪ T3.6 Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.
Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

K3.5: Management of people and processes associated with information security is a key part of running a successful program.
K3.6: The information security manager needs to be able to develop standards, processes and guidelines to execute an authorized information security program.
K3.8: Well-designed programs are effective only when they are communicated to the workforce, and this is the information security manager’s responsibility.
Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

K3.9: An effective information security program requires the accumulation and maintenance of specialized skills through both training and experience.
K3.10: The whole population of an organization is part of its information security program and engaging them is up to the information security manager.
K3.16: The information security manager is often responsible for communicating program status and security information to stakeholders.
Key Terms

Awareness: Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly.
Education: Focuses on telling people why something makes sense and providing context on which they can exercise individual judgement.
Policy: Generally, a document that records a high-level principle or course of action that has been decided on. The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.
Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO).
Training: A means by which people learn what to do and how to do it.

See www.isaca.org/glossary for more key terms.
Documentation Is Key

▪ Documentation defines a program’s content and the criteria against which its activities can be assessed.
▪ Includes:
– Policies and standards
– Procedures and guidelines
– Risk analysis and recommendations
Enabling Good Documentation

▪ Each document should have an assigned owner.
– Policies should be approved by senior managers.
– Standards should be approved at lower levels.
▪ Technical and operational documents should be protected as sensitive information.
Documentation Enablers

[Figure: documentation enablers.]

Source: ISACA, COBIT 5, USA, 2012
Maintenance and Version Control

▪ Version control is important to ensure people are using the correct documents.
– Prior versions should be retained for reference.
– Unapproved documents should not be reviewed except upon invitation.
▪ Changes to higher-level documents should trigger updates to subordinate documents.
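The three points on this slide can be made concrete in code. The registry below is an added example, not material from the slides or from ISACA: prior version numbers are retained, only an approved version counts as current (a draft revision is not served to the general reader), and an approved revision of a higher-level document flags every subordinate document, however many levels down, for review. The document names, owners and parent/child links are constructed for illustration.

```python
"""Added example, not from the slides: a minimal document registry that keeps
prior versions, serves only approved versions, and flags subordinate documents
for review when a higher-level document changes. Names and links are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Document:
    name: str
    level: str                        # policy, standard, procedure or guideline
    owner: str                        # every document has an assigned owner
    version: int = 1                  # latest version, approved or draft
    approved_version: int = 1         # latest version that is in force
    needs_review: bool = False
    history: List[int] = field(default_factory=list)  # prior versions kept for reference


class DocumentRegistry:
    def __init__(self) -> None:
        self.docs: Dict[str, Document] = {}
        self.children: Dict[str, List[str]] = {}  # parent name -> subordinate document names

    def add(self, doc: Document, parent: Optional[str] = None) -> None:
        self.docs[doc.name] = doc
        self.children.setdefault(doc.name, [])
        if parent is not None:
            self.children.setdefault(parent, []).append(doc.name)

    def subordinates(self, name: str) -> List[str]:
        """Every document below `name`, transitively (breadth-first)."""
        found, queue = [], deque(self.children.get(name, []))
        while queue:
            n = queue.popleft()
            if n in found:
                continue
            found.append(n)
            queue.extend(self.children.get(n, []))
        return found

    def revise(self, name: str, approved: bool) -> List[str]:
        """Record a new version. A draft changes nothing downstream; an approved
        revision becomes current and flags all subordinates for review."""
        doc = self.docs[name]
        doc.history.append(doc.version)
        doc.version += 1
        if not approved:
            return []  # not yet in force, so it triggers no subordinate updates
        doc.approved_version = doc.version
        doc.needs_review = False
        flagged = self.subordinates(name)
        for sub in flagged:
            self.docs[sub].needs_review = True
        return flagged

    def current_version(self, name: str) -> int:
        """The version readers should be using: the latest approved one."""
        return self.docs[name].approved_version

    def review_queue(self) -> List[str]:
        return sorted(n for n, d in self.docs.items() if d.needs_review)


def build_sample_registry() -> DocumentRegistry:
    """Constructed hierarchy: one policy, two standards, one procedure."""
    reg = DocumentRegistry()
    reg.add(Document("Information Security Policy", "policy", "CISO"))
    reg.add(Document("Access Control Standard", "standard", "IAM lead"),
            parent="Information Security Policy")
    reg.add(Document("Logging Standard", "standard", "SecOps lead"),
            parent="Information Security Policy")
    reg.add(Document("Joiner/Mover/Leaver Procedure", "procedure", "HR systems"),
            parent="Access Control Standard")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    reg.revise("Information Security Policy", approved=False)   # draft: nothing flagged
    flagged = reg.revise("Information Security Policy", approved=True)
    print("flagged for review:", flagged)
    print("current policy version:", reg.current_version("Information Security Policy"))
```

The draft step matters: a policy under revision is version 2 in the registry, but readers are still pointed at version 1 until approval, which is what "unapproved documents should not be reviewed except upon invitation" asks for.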
The Human Factor

▪ Risk cannot be fully eliminated through controls.
▪ People have influence on how information systems are used and can create/exploit vulnerabilities.
▪ Security awareness training is designed to control the human factor.
Security Awareness Training

▪ Training: A means by which people learn what to do and how to do it.
– Takes the form of rules and procedures
• Procedures should exist for all information security functions.
– Should be prescriptive and not leave anything open to interpretation
Security Awareness Education

▪ Education: Focuses on telling people why something makes sense and provides context.
– Helps people to exercise judgement
▪ Policies and guidelines provide people with context.
▪ Because this is not prescriptive, people should be able to reach out for assistance when needed.
Activity

Training or Education?

1. Don’t leave paper files in a place where people who may be in your work area can find them.
2. Lock your computer whenever you leave a work area.
3. Never give out your password by phone or email.
4. Verify the identity of IT support staff before letting them access your computer.
5. Use passwords that are at least 15 characters long, with no fewer than three special characters.
6. Don’t use passwords that are easy to guess, such as your birthday or child’s name.
Activity

Training or Education?

1. Don’t leave paper files in a place where people who may be in your work area can find them.
▪ Education: Whether files might be found is a judgement call.
2. Lock your computer whenever you leave a work area.
▪ Training: It is prescriptive and applies in all cases.
3. Never give out your password by phone or email.
▪ Training: It is prescriptive and applies in all cases.
4. Verify the identity of IT support staff before letting them access your computer.
▪ Education: How to verify the identity is left up to individual judgement.
5. Use passwords that are at least 15 characters long, with no fewer than three special characters.
▪ Training: It is prescriptive and can be enforced by technical means.
6. Don’t use passwords that are easy to guess, such as your birthday or child’s name.
▪ Both: The examples are prescriptive, but judgement is needed to decide whether some other password a person has in mind might be easy to guess.
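Items 5 and 6 make a useful pair to put into code, because they show where "enforceable by technical means" ends. The checker below is an added example, not part of the activity or of any ISACA material: the length and special-character rule is checked mechanically, and the "easy to guess" rule is checked only as far as the organization has supplied personal terms (the birthday and child's name the activity names) for the system to reject. The `personal_terms` input, and treating punctuation as the "special" set, are assumptions of this example.

```python
"""Added example, not from the slides: which of the activity's password rules
can a system enforce? Rule 5 is fully mechanical; rule 6 is checkable only
for the personal terms the organization chooses to supply, the rest is the
user's judgement. SPECIAL_CHARS and personal_terms are assumptions."""
import string
from dataclasses import dataclass, field

SPECIAL_CHARS = set(string.punctuation)  # assumption: punctuation counts as "special"


@dataclass
class PolicyResult:
    accepted: bool
    enforced_failures: list = field(default_factory=list)  # rule 5: training
    guessable_hits: list = field(default_factory=list)     # rule 6: checkable part


def check_prescriptive(password: str, min_length: int = 15, min_special: int = 3) -> list:
    """Rule 5: length and special-character count, no judgement involved."""
    failures = []
    if len(password) < min_length:
        failures.append(f"length {len(password)} < {min_length}")
    special = sum(1 for ch in password if ch in SPECIAL_CHARS)
    if special < min_special:
        failures.append(f"special characters {special} < {min_special}")
    return failures


def check_guessable(password: str, personal_terms: list) -> list:
    """Rule 6, checkable part: the named examples (birthday, child's name) can
    be rejected only if the organization supplies them as terms. Whether some
    other password is "easy to guess" cannot be coded here; that residual is
    the education half of the rule."""
    lowered = password.lower()
    hits = []
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 4 and t in lowered:  # skip very short terms to limit false hits
            hits.append(term)
    return hits


def evaluate_password(password: str, personal_terms=()) -> PolicyResult:
    """Hard-reject on anything prescriptive; the residual judgement stays with people."""
    failures = check_prescriptive(password)
    hits = check_guessable(password, list(personal_terms))
    return PolicyResult(accepted=not failures and not hits,
                        enforced_failures=failures, guessable_hits=hits)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, terms in [("Correct-Horse!Battery#Staple", ()),
                      ("Summer2024!", ()),
                      ("Emily-1999-10-05!!", ("Emily", "1999-10-05"))]:
        print(pw, evaluate_password(pw, terms))
```

The third sample passes the prescriptive rule (18 characters, five special characters) and is still rejected, but only because the terms were supplied; a password built from something the system was never told about would sail through, which is exactly why the activity marks item 6 as both training and education.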
Promoting Awareness

▪ Awareness training should be tailored to the organization/audience.
– Senior managers, IT staff and end users have different relationships to information systems.
▪ Different modalities for training and awareness include:
– Computer-based training
– Email reminders
– Nondisclosure agreements
– Posters
– Simulations
Awareness and Ethics

▪ Information security awareness training is a deterrent against rising threats.
– Ethics programs are part of this deterrence.
▪ Proper use of information technology should be included in a signed ethics statement.
Benefits of an Engaged Workforce

▪ When information security is taken seriously, employees are more conscious of their actions.
▪ Knowledge of rules and standards and their consequences acts as a deterrent.
▪ Awareness paired with a feeling of being treated fairly can become a control itself.
Section Two
In the Big Picture: Section Two, Standards, Awareness and Training

• The information security program is based on documentation that defines its parameters and success criteria.
• Effective security awareness training and education promotes an engaged workforce that can actively help control information risk.
Section Two

Practice Questions
Practice Question

Which of the following is the BEST metric for evaluating the effectiveness of security awareness training?

A. The number of password resets
B. The number of reported incidents
C. The number of incidents resolved
D. The number of access rule violations
Practice Question

Which of the following would be MOST effective in successfully implementing restrictive password policies?

A. Regular password audits
B. Single sign-on system
C. Security awareness program
D. Penalties for noncompliance
Practice Question

Which of the following change management process steps can be bypassed to implement an emergency change?

A. Documentation
B. Authorization
C. Scheduling
D. Testing

Section Three

Building Security Into Processes and Practices
Task Statements

▪ T3.7 Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
▪ T3.8 Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.
Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

K3.4: Once control objectives are defined, the information security manager needs to know how to design and implement the actual controls.
K3.5: Management of people and processes associated with information security is a key part of running a successful program.
K3.7: The information security manager should be familiar with common third-party and international standards, frameworks and practices.
Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

K3.10: The whole population of an organization is part of its information security program, and engaging them is up to the information security manager.
K3.11: Information security needs to be built into recurring processes so it can be taken into account at all times.
K3.12: Contracts need to incorporate information security requirements during negotiation to ensure that these are part of any final agreement.
Key Terms

Cloud computing: Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Compensating control: An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.
Corrective control: Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.
Detective control: Exists to detect and report when errors, omissions and unauthorized uses or entries occur.
Deterrent control: Reduces threat by affecting the behavior of threat actors.

See www.isaca.org/glossary for more key terms.
Key Terms

Fail-safe: Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it (e.g., door unlocks).
Fail-secure: Describes a control that fails in a closed state (e.g., firewall blocks all traffic).
Integration: The process of building security considerations into business processes.
Preventative control: An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.

See www.isaca.org/glossary for more key terms.
Security Architecture

▪ Information security architecture is a subset of the overall information architecture.
▪ Includes:
– Platforms
– Networks
– Middleware-supporting applications
▪ Leverage existing infrastructure where possible.

Source: The Open Group, TOGAF Version 9.1, United Kingdom, 2011
Architecture as a Road Map

▪ Architecture acts as a road map integrating smaller projects and services into a single overall strategy.
▪ Identifying connections between business functions helps to define control objectives.
▪ Where multiple systems require common treatment, combinations of technologies can be used to provide control points.
Designing Controls

▪ Controls:
– Reduce risk to an acceptable level
– Do not necessarily eliminate the risk
▪ A top-down perspective can be useful for layered defense.
▪ Residual risk for any control target is the result of the effects of layered controls.
Control Categories

▪ Preventative: Reduces or eliminates specific instances of vulnerability by making the behavior impossible.
▪ Corrective: Reduces impact by offsetting the impact of consequences after the fact.
▪ Detective: Warns of violations or attempted violations.
▪ Compensating: Reduces the risk of a control weakness through layering.
▪ Deterrent: Reduces threat through warnings and notices that influence behavior.

Control Types and Effect

[Figure: control types mapped to their effects.]
Activity

▪ What are some examples of each of the five types of controls?
Implementation Methods

▪ Managerial (administrative): Apply to processes and behaviors
▪ Technical (logical): Apply to information systems, software and networks
▪ Physical: Apply to facilities and areas within them

▪ Note: Controls of any effect category can be implemented using any of the three implementation methods.
Manual vs. Automated Controls

▪ Automated controls are generally preferred to manual controls.
– Analysis is needed to confirm if this is the case.
▪ High volume of data may require automation.
▪ SIEM software can help to create useful reports out of automation.
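What "useful reports out of automation" looks like at the smallest scale is shown below. This is an added example, not code from the slides or from any SIEM product: a handful of constructed authentication log lines are parsed, failed logons are totalled per account (the routine report nobody would compile by hand at volume), and any account whose failed logons reach a threshold inside a short window is surfaced as a finding. The log format, the five-minute window and the threshold of four are assumptions of this example.

```python
"""Added example, not from the slides: an automated detective control and
its report over constructed authentication log lines. Log format, window
and threshold are assumptions; SAMPLE_LOG is constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like); not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:02 auth sshd: Connection closed by 10.0.0.5
2024-03-01T08:00:03 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:05 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:08 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 auth sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:15:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:20:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T10:25:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T10:30:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T11:00:00 auth sshd: Accepted password for carol from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Return (events, unparsed_lines). Lines the parser cannot read are kept
    so the report can state how much of the log it did not cover."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events, unparsed


def failed_logon_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """{user: (count, first_ts, last_ts)} for each user whose failed logons
    reach `threshold` inside some sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            by_user[e["user"]].append(e["ts"])
    findings = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                findings[user] = (end - start + 1, times[start], times[end])
                break
    return findings


def summary_report(events):
    """Per-user counts of failed and accepted logons: the scheduled report a
    SIEM produces instead of someone reading raw logs."""
    totals = defaultdict(lambda: {"Failed": 0, "Accepted": 0})
    for e in events:
        totals[e["user"]][e["outcome"]] += 1
    return {user: dict(counts) for user, counts in totals.items()}


if __name__ == "__main__":
    events, unparsed = parse_events(SAMPLE_LOG)
    print("unparsed lines:", len(unparsed))
    print("totals:", summary_report(events))
    print("bursts:", failed_logon_bursts(events))
```

Note that alice and bob both have four failures in the totals, yet only alice appears as a finding: the window is what separates a burst from four typos spread over a morning, which is the kind of analysis the slide says is needed before trusting an automated control.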

Good to Know

▪ The term “countermeasure” is sometimes used interchangeably with “control,” but it actually refers to a target control effect intended to apply to a specific threat. The effects of countermeasures may be detective, preventative, corrective or any combination of the three, and may be implemented using any of the three methods discussed.
Fail States

▪ Controls should be designed in ways that result in clearly established states of failure:
– Fail safe: Allow all activity when they fail
– Fail secure: Prevent all activity when they fail
▪ Biometric systems often experience the following:
– False acceptance rate (FAR)
– False rejection rate (FRR)
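Both points on this slide are easy to misjudge until they are written down, so here they are in code. This is an added example, not from the slides: a control wrapper whose behaviour when the check itself breaks is chosen explicitly (fail-safe lets activity through, fail-secure blocks it) rather than left to whatever an unhandled exception happens to do, and a FAR/FRR calculation over constructed biometric match scores that shows one decision threshold trading the two error rates against each other. The score lists are constructed sample data, not measurements from any device.

```python
"""Added example, not from the slides. guarded_decision picks the fail state
of a control explicitly; error_rates computes FAR and FRR at a threshold.
GENUINE and IMPOSTOR are constructed sample scores, not measurements."""
from enum import Enum
from typing import Callable, Dict, Iterable, Tuple


class FailMode(Enum):
    SAFE = "fail-safe"      # allow all activity when the control fails
    SECURE = "fail-secure"  # prevent all activity when the control fails


def guarded_decision(check: Callable[[], bool], mode: FailMode) -> bool:
    """Run an access check; if the check itself raises, fall back to the
    configured fail state so the outcome is never undefined."""
    try:
        return bool(check())
    except Exception:
        return mode is FailMode.SAFE


def error_rates(genuine: Iterable[float], impostor: Iterable[float],
                threshold: float) -> Tuple[float, float]:
    """FAR: fraction of impostor attempts accepted (score >= threshold).
    FRR: fraction of genuine attempts rejected (score < threshold)."""
    genuine, impostor = list(genuine), list(impostor)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def threshold_sweep(genuine, impostor, thresholds) -> Dict[float, Tuple[float, float]]:
    """FAR/FRR at each threshold; raising the threshold lowers FAR and raises FRR."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.79, 0.93, 0.70]
IMPOSTOR = [0.20, 0.35, 0.55, 0.62, 0.41, 0.73, 0.30, 0.48, 0.66, 0.58]


if __name__ == "__main__":
    def broken_check() -> bool:
        raise RuntimeError("authentication backend unreachable")  # simulated control failure

    print("door (fail-safe) with backend down:", guarded_decision(broken_check, FailMode.SAFE))
    print("firewall (fail-secure) with backend down:", guarded_decision(broken_check, FailMode.SECURE))
    for t, (far, frr) in threshold_sweep(GENUINE, IMPOSTOR, [0.60, 0.75, 0.80]).items():
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
```

The choice between the two fail modes is a design decision about which failure the organization can live with: a door that unlocks when its controller dies protects people, a firewall that blocks everything when it cannot evaluate rules protects the network. Likewise there is no "correct" biometric threshold, only the FAR the organization will accept against the FRR its users will tolerate.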

Information Security Integration

▪ Information security requirements need to be integrated into other organizational processes.
– Integration makes it easier to implement and maintain controls.
▪ The information security manager should understand:
– Management concepts
– Process concepts
– Technology concepts
Continuity and Recovery

▪ Disaster recovery: IT function aimed at recovering major infrastructure
▪ Business continuity: Business function that plans and organizes means to continue operations
▪ Security should be integrated into these processes.
Incident Management/Response

▪ Incident response is closely intertwined with disaster recovery and business continuity.
▪ The goal is to identify and contain incidents to prevent interruptions and restore services.
▪ Important to keep the following in mind:
– Maximum allowable downtime
– Maximum tolerable outage
– Recovery point objectives
– Recovery time objectives
Software Development

▪ There are three software development environments:
– Development
– Testing
– Production
▪ Segregation of duties is important.
– Integrating security can address this risk.
Discussion Question

▪ Why is it so important that the developers of code not be able to move their compiled programs into production?
43
Vendor Management

▪ Vendor relationships are a concern for information security.
– Frequently outsourced activities include monitoring and IT security activities.
▪ Verify that vendors’ performance aligns with the organization’s goals and strategy.
Outsourcing Agreements

▪ Agreements should not create unacceptable risk.
▪ Remember: Risk transference does not eliminate responsibility.
▪ Note areas related to privacy and/or legal or regulatory compliance.
Third-party Access

▪ Third-party access should be:
– Based on justification
– Granted based on the principles of least privilege, need-to-know, need-to-do
– Subject to risk assessment
– Logged
▪ Access should not be granted until a contract is signed.
▪ SLA will clearly define access requirements.
Cloud Computing

▪ Cloud computing is a utility model.
▪ Processing and data are done in “the cloud.”
▪ Five characteristics of cloud computing:
– On-demand self-service
– Broad network access
– Resource pooling
– Elasticity
– Measured service
Common Cloud Service Models

▪ Infrastructure as a Service (IaaS)
▪ Platform as a Service (PaaS)
▪ Software as a Service (SaaS)
▪ Big Data analytics
Cloud Deployment Models

[Figures: the four deployment models.]
– Private Cloud
– Community Cloud
– Public Cloud
– Hybrid Cloud
Security Advantages of the Cloud

▪ Provision of services includes bundled functions for security and information assurance.
▪ Cloud computing providers typically have invested in a more robust security posture than customers.
▪ A data breach is the foremost risk for a cloud provider.
▪ Incident response procedures are generally faster and more practiced.
Good to Know

▪ “Economies of scale” is a business term that means things get cheaper as they are purchased in larger quantities. If there are two groups dedicated to the same task, the larger group will be able to do it more cheaply.
▪ Cloud computing providers are focused on their IT and security functions as lines of business, while these functions are support functions in most organizations, so cloud providers benefit from economies of scale.
Security Concerns in the Cloud

▪ How the cloud provider’s security posture is maintained may be confidential.
▪ The outsourcing organization remains accountable for compliance.
▪ Consider legal/regulatory concerns that cross national boundaries.
The Cloud in Perspective

▪ The benefits of the cloud mean most organizations will use it as a solution at some point.
– Cost is the primary driver.
▪ Keep in mind that post-implementation movement to a new provider can be expensive.
▪ A hybrid model may be useful if certain functions are retained in-house.

Section Three
In the Big Picture: Section Three, Building Security Into Processes and Practices

• Information security needs to be integrated with all organizational functions and processes that affect organizational data.
• Third-party vendors, including cloud service providers, become part of the organizational risk context when they have access to or manage organizational data.

Section Three

Practice Questions
Practice Question

Assuming that the value of information assets is known, which of the following gives the information security manager the MOST objective basis for determining that the information security program is delivering value?

A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
Practice Question

What is the MOST important contractual element when contracting with an outsourcer to provide security administration?

A. The right-to-terminate clause
B. Limitations of liability
C. The service level agreement
D. The financial penalties clause
Practice Question

What is the PRIMARY purpose of installing an intrusion detection system?

A. To identify weaknesses in network security
B. To identify patterns of suspicious access
C. To identify how an attack was launched on the network
D. To identify potential attacks on the internal network
Section Four

Security Monitoring and Reporting
Task Statements

▪ T3.9 Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
▪ T3.10 Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the information security program and the underlying business processes in order to communicate security performance.
Knowledge Statements

How does Section Four relate to each of the following knowledge statements?

K3.14: The information security manager needs a way to monitor the overall effectiveness of the program that aligns with factors important to senior managers.
K3.15: The information security manager needs to know what is working well and what isn’t, so deficiencies can be corrected.
K3.16: The information security manager is often responsible for communicating program status and security information to stakeholders.
Key Terms

Key Term   Definition
Continuous monitoring   An approach to monitoring that gathers data on a very frequent or real-time basis.
Effectiveness   An assessment of how well something produces expected outcomes.
Efficiency   An assessment of the value delivered by something effective.
Metric   A quantifiable entity that allows the measurement of the achievement of a process goal.
Monitoring   Tracking behavior or results over time.

See www.isaca.org/glossary for more key terms.

107

Control Assessment

▪ Controls are applied to reduce risk to acceptable levels.
▪ Controls are deployed on a cost-effective basis, not on the basis of technical feasibility alone.
▪ Monitoring and analyzing controls is vital to information security.

108

54
Effectiveness and Efficiency

▪ Effectiveness:
– Whether a control produces expected outcomes
▪ Examples:
– Reliable performance
– Implementation that is difficult to bypass

▪ Efficiency:
– Whether a control's effectiveness is provided at a good value
▪ Examples:
– Effects on other productive work
– Unnecessary redundancy

109

Good to Know

▪ "Efficiency" in business is also called "cost effectiveness." An inefficient control can be effective, but an ineffective control cannot be efficient, because something ineffective is inherently not a good value.

110

55
Factors that Influence Controls

▪ Where and how a control is implemented affects both its effectiveness and its efficiency.
– Deploying a firewall on a single system is less efficient than deploying it for a whole network.
– It may nevertheless be necessary to deploy a firewall less efficiently to achieve the desired level of risk.
▪ An accurate assessment requires a clear understanding of why a control exists and what it is meant to protect.

111

Testing and Modification

▪ All proposed changes to controls should be reviewed prior to being made.
▪ This includes controls implemented in procedures as well as technical controls.
▪ All stakeholders should be represented in change management.

112

56
Metrics and Monitoring

▪ Monitoring: Provides data, but needs standards for comparison
▪ Metrics: Provide a standard against which to measure performance
▪ Understand what decisions need to be made and what sort of information is useful in making these decisions

113

Strategic Metrics

▪ Often a compilation of other management metrics designed to indicate that the security program is:
– On track
– On budget
▪ Needed information should be navigational
– Is the security program headed in the right direction?
– Needed by the information security manager and senior management

114

57
Management Metrics

▪ Provide information on:
– Compliance
– Emerging risk
– Overall resource utilization
– Alignment with business goals
▪ Can be aggregated in a summary for higher-level reporting

115

Operational Metrics

▪ Technical and procedural metrics
– Vulnerability scans
– Patch management reports
– Administrator account records
– Summary logs
▪ Summaries and aggregate data can be used as the basis for management metrics.

116
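The roll-up the slide describes, from operational records to management metrics, as an added worked example (not part of the ISACA course material). It aggregates constructed vulnerability-scan, patch and administrator-account records into patch SLA compliance per severity, mean time to patch, and privileged-account review coverage, and it checks the "timely" metric attribute by flagging a summary built on stale scan data. The record layouts, the SLA windows in PATCH_SLA_DAYS, the 90-day review window and the 14-day scan-age limit are all assumptions for illustration, not ISACA figures.

```python
"""Roll constructed operational records up into management metrics.

Added example, not from the ISACA course material. Record layouts,
SLA windows and the sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLA per severity, in days (an illustrative policy shape).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability-scan / patch-management report (constructed)."""
    host: str
    severity: str
    detected: date
    patched: Optional[date]  # None = still open


@dataclass(frozen=True)
class AdminAccount:
    """One row of an administrator-account record (constructed)."""
    account: str
    last_reviewed: date


def within_sla(f: Finding, as_of: date) -> bool:
    """True if the finding was closed within its SLA, or is still open but not yet overdue."""
    deadline = f.detected + timedelta(days=PATCH_SLA_DAYS[f.severity])
    closed = f.patched if f.patched is not None else as_of
    return closed <= deadline


def patch_sla_compliance(findings, as_of: date) -> dict:
    """Percent of findings per severity that meet the SLA: a management-level metric."""
    out = {}
    for sev in PATCH_SLA_DAYS:
        rows = [f for f in findings if f.severity == sev]
        if rows:
            ok = sum(within_sla(f, as_of) for f in rows)
            out[sev] = round(100.0 * ok / len(rows), 1)
    return out


def mean_days_to_patch(findings) -> Optional[float]:
    """Average detection-to-patch time over closed findings; None if nothing is closed yet."""
    durations = [(f.patched - f.detected).days for f in findings if f.patched is not None]
    return sum(durations) / len(durations) if durations else None


def admin_review_coverage(accounts, as_of: date, max_age_days: int = 90) -> float:
    """Percent of privileged accounts reviewed within the last max_age_days (assumed window)."""
    fresh = sum((as_of - a.last_reviewed).days <= max_age_days for a in accounts)
    return round(100.0 * fresh / len(accounts), 1) if accounts else 0.0


def data_is_timely(findings, as_of: date, max_scan_age_days: int = 14) -> bool:
    """Timeliness check: a summary built from scan data older than max_scan_age_days is stale."""
    newest = max(f.detected for f in findings)
    return (as_of - newest).days <= max_scan_age_days


def management_summary(findings, accounts, as_of: date) -> dict:
    """Aggregate the operational records into the figures a manager would report."""
    return {
        "patch_sla_compliance_pct": patch_sla_compliance(findings, as_of),
        "mean_days_to_patch": mean_days_to_patch(findings),
        "admin_review_coverage_pct": admin_review_coverage(accounts, as_of),
        "timely": data_is_timely(findings, as_of),
    }


# Constructed sample data (not real scan output).
AS_OF = date(2024, 3, 31)
FINDINGS = [
    Finding("web01", "critical", date(2024, 3, 1), date(2024, 3, 5)),   # closed in 4 days: ok
    Finding("web02", "critical", date(2024, 3, 1), date(2024, 3, 20)),  # closed in 19 days: late
    Finding("db01", "critical", date(2024, 3, 28), None),               # open 3 days: not yet overdue
    Finding("app01", "high", date(2024, 2, 1), date(2024, 2, 20)),      # closed in 19 days: ok
    Finding("app02", "high", date(2024, 1, 15), None),                  # open 76 days: overdue
    Finding("fs01", "medium", date(2024, 3, 10), None),                 # open 21 days: ok
]
ACCOUNTS = [
    AdminAccount("root-ops", date(2024, 2, 15)),    # 45 days ago: reviewed
    AdminAccount("dba-admin", date(2023, 11, 1)),   # 151 days ago: stale
    AdminAccount("net-admin", date(2024, 3, 25)),   # 6 days ago: reviewed
]

if __name__ == "__main__":
    for key, value in management_summary(FINDINGS, ACCOUNTS, AS_OF).items():
        print(f"{key}: {value}")
```

Open findings are counted as compliant until their deadline passes, so the compliance figure does not flatter the program by ignoring unpatched hosts, and the "timely" flag lets the reader of the summary know whether the underlying scan is fresh enough to act on.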

58
Metric Attributes

▪ Metrics should be:
– Manageable
– Meaningful
– Actionable
– Unambiguous
– Reliable
– Accurate
– Timely
– Predictive
– Genuine

117

Discussion Question

▪ What factors influence the timeliness of a metric as an indicator?

118

59
Continuous Monitoring

▪ Threats and vulnerabilities are present 24/7, even when the organization is not actively pursuing its goals.
▪ Continuous monitoring promotes timely detection of threat events and may allow for reduction or elimination of consequences.

119

Performance Management

▪ Senior managers may be interested in the degree to which the program:
– Aligns with the information security strategy
– Complies with standards
▪ Measurable objectives help with this.
▪ Operational productivity measurements can help verify that risk is being managed cost effectively.

120

60
Section Four

121

In the Big Picture

Section Four
Security Monitoring and Reporting

• Metrics are standards against which measured values can be assessed, and their purpose is to deliver information on which decisions can be based.
• Technical metrics are used to control technical IT security functions, while management metrics can be used to assess the overall state of the security program.

122

61
Section Four

Practice Questions

Practice Question

Which of the following is one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

A. Number of controls implemented
B. Percent of control objectives accomplished
C. Percent of compliance with the security policy
D. Reduction in the number of reported security incidents

124

62
Practice Question

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?

A. Penetration attempts investigated
B. Violation log reports produced
C. Violation log entries
D. Frequency of corrective actions taken

125

Practice Question

Which of the following should be reviewed to ensure that security controls are effective?

A. Risk assessment policies
B. Return on security investment
C. Security metrics
D. User access rights

126

63
Domain 3

Summary

Summary

▪ A successful information security program is aligned with and supports organizational objectives, is designed with cooperation and support from management and stakeholders, and uses effective metrics to provide feedback and guide the program.
▪ Cost and resource utilization are driving factors in the information security program, and activities must be evaluated in these terms.
▪ Integration of critical business functions into the information security function is key to its ongoing success.

128

64
Summary

▪ Documentation defines a program's content and the criteria against which its activities can be assessed, so it must be regularly reviewed and kept up to date.
▪ Information security awareness is key to a security program's success because it addresses the human factor.
▪ Awareness and education are used to ensure that people are doing the correct things and exercising sound judgement.

129

Summary

▪ The information security architecture provides a road map for programs and activities related to information security, including controls.
▪ Controls can be categorized as compensating, corrective, detective, deterrent and preventative. They can be identified by managerial, technical or physical implementation.
▪ Information security considerations should be taken into account in software development, vendor management and outsourcing agreements.

130

65
Summary

▪ Cloud computing has implications for information security, especially in vendor management. Keep in mind that the cloud service provider has some provisions for risk, but the outsourcing organization is still accountable in case of a breach.
▪ The effectiveness and efficiency of the information security program and controls need to be monitored.
▪ Metrics provide the information stakeholders need to make business decisions.

131

Questions

132

66
