PREPARATION
Domain 3
Domain Objectives
Domain 1: Information Security Governance, 24%
Domain 2: Information Security Risk Management, 30%
Domain 3: Information Security Program Development and Management, 27%
Domain 4: Information Security Incident Management, 19%
The Information Security Program
Purpose of the Program: Support and further the enterprise’s business objectives.
Objective of the Information Security Manager: To implement and execute a program that manages information risk in a cost-effective manner.
Domain 3 Overview
Section One
Task Statements
▪ T3.1 Establish and/or maintain the information security program in alignment with the information security strategy.
▪ T3.2 Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
▪ T3.3 Identify, acquire and manage requirements for internal and external resources to execute the information security program.
▪ T3.4 Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.
Knowledge Statements
Key Terms
Project management: The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects.
Resource: Any enterprise asset that can help the organization achieve its objectives.
Segregation of duties: A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.
Essential Program Elements
Program Goals
Strategic Alignment
[Figure: program activities mapped to the strategy; each activity should be examined against the strategy]
Resource Management
▪ Lack of resources is a commonly cited obstacle to successful information security.
▪ Support can be gained by tracing the program back to the strategy.
▪ Project planning, technology selection and skill acquisition factor into resource management.
Budgeting for Information Security
Cross-functional Coordination
▪ Information is vulnerable
wherever it is accessed.
▪ Information security can often
be seen as burdensome,
costly, etc.
▪ Understanding how other
teams function can help you
to design security to support
them.
Key Relationships
[Figure: key relationships of the information security program, including project management]
Information Technology
▪ Information Technology
– Wants to get things done
– Wants to be fast and cost effective
– Maintains and monitors controls
▪ Information Security
– Wants to secure things
– Wants to implement controls, which can slow down processes and are costly
– Designs and directs controls
Internal/IT Audit
Facilities and Security
Good to Know
Human Resources
▪ Background checks
▪ Pre-employment screening
▪ Security awareness in
orientation
▪ Disciplinary actions
Procurement
Discussion Question
Project Management
Good to Know
Technical Security Management
▪ Considering the implementation of the information security program is key for scoping and budgeting.
▪ Standards should be applied uniformly.
▪ Track and enforce segregation of duties (SoD), events to be monitored, events that warrant special attention, communication needs, and roles and responsibilities.
Continuous Improvement
Plan-Do-Check-Act
Section One
In the Big Picture
Section One
Practice Questions
Practice Question
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
Section Two
Task Statements
Knowledge Statements
Key Terms
Awareness: Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly.
Education: Focuses on telling people why something makes sense and providing context on which they can exercise individual judgement.
Documentation Is Key
Documentation Enablers
The Human Factor
Security Awareness Education
▪ Education: Focuses on telling people why something makes sense and provides context.
– Helps people to exercise judgement.
▪ Policies and guidelines provide people with context.
▪ Because this is not prescriptive, people should be able to reach out for assistance when needed.
Activity
Training or Education?
4. Verify the identity of IT support staff before letting them access your computer.
▪ Education: How to verify the identity is left up to individual judgement.
5. Use passwords that are at least 15 characters long, with no fewer than three special characters.
▪ Training: It is prescriptive and can be enforced by technical means.
6. Don’t use passwords that are easy to guess, such as your birthday or child’s name.
▪ Both: The examples are prescriptive, but judgement is needed to figure out whether something else a person has in mind might be easy to guess.
Promoting Awareness
▪ Information security
awareness training is a
deterrent against rising
threats.
– Ethics programs are part of this
deterrence.
▪ Proper use of information
technology should be
included in a signed ethics
statement.
Benefits of an Engaged Workforce
Section Two
In the Big Picture
Section Two
Practice Questions
Practice Question
Practice Question
A. Documentation
B. Authorization
C. Scheduling
D. Testing
Section Three
Task Statements
Knowledge Statements
Key Terms
Cloud computing: Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Fail-safe: Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it (e.g., door unlocks).
Fail-secure: Describes a control that fails in a closed state (e.g., firewall blocks all traffic).
Integration: The process of building security considerations into business processes.
Preventative control: An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.
Security Architecture
▪ Information security architecture is a subset of the overall information architecture.
▪ Includes:
– Platforms
– Networks
– Middleware-supporting applications
▪ Leverage existing infrastructure where possible.
Architecture as a Road Map
Designing Controls
▪ Controls:
– Reduce risk to an acceptable
level
– Do not necessarily eliminate the
risk
▪ A top-down perspective can
be useful for layered defense.
▪ Residual risk for any control
target is the result of the
effects of layered controls.
Control Categories
Activity
Implementation Methods
Manual vs. Automated Controls
Good to Know
Fail States
Continuity and Recovery
Incident Management/Response
Software Development
Discussion Question
Vendor Management
Outsourcing Agreements
Third-party Access
Cloud Computing
Common Cloud Service Models
Cloud Deployment Models
Good to Know
The Cloud in Perspective
Section Three
In the Big Picture
Section Three
Practice Questions
Practice Question
A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
Section Four
Task Statements
Knowledge Statements
Key Terms
Continuous monitoring: An approach to monitoring that gathers data on a very frequent or real-time basis.
Effectiveness: An assessment of how well something produces expected outcomes.
Efficiency: An assessment of the value delivered by something effective.
Control Assessment
Effectiveness and Efficiency
▪ Effectiveness
– Whether a control produces expected outcomes
▪ Examples:
– Reliable performance
– Implementation that is difficult to bypass
▪ Efficiency
– Whether a control’s effectiveness is provided at a good value
▪ Examples:
– Effects on other productive work
– Unnecessary redundancy
Good to Know
Factors that Influence Controls
Metrics and Monitoring
Strategic Metrics
Management Metrics
Operational Metrics
Metric Attributes
Discussion Question
Continuous Monitoring
Performance Management
Section Four
Section Four
Practice Questions
Practice Question
Domain 3
Summary
Questions