
CISM PREP

Topic 1
Information Security Governance
Mentor Introduction

• Jeremy Koster
• 17 years in Information / Cyber Security
• Qualifications and Industry Certifications
• Experience
• Lecturing for IT Masters and CSU for 8 years
Housekeeping
Webinars
• Zoom – Video Hop
• Thursday 8:30pm AEST

The Forum
• Lively and respectful discussions are encouraged
• Weekly readings
• Weekly discussion questions

The Exam
• 20 multiple choice questions
• 10 short answer questions
• 2 long answer questions

Enquiries and questions


• Course topics – Mentor
• Student Administration for everything else
CISM

ISACA Certified Information Security Manager - CISM


De-facto standard for Cybersecurity Management
Four domains:
• Information Security Governance
• Information Risk Management and Compliance
• Information Security Program Development and Management
• Information Security Incident Management
Content focuses on decision makers and business goals
The Cyber Security Manager
Industry names
• Cyber Security
• Information Security
• IT Security
• Information assurance
Interface between the business and security issues
Challenges:
• Making friends
• Leading the horse to water – executive support
• Extended influence
• Limited budgets – security costs money
• Moving from reactive to proactive
The Cyber Security Practice
Governance

Management

Warriors (Technical Operations)
- Security Testing
- Monitoring
- Incident Response

Critics (Review and Compliance)
- Project Review
- Auditing
- PCI, ISO, COBIT

Visionaries (Strategy and Architecture)
- Network Controls
- IT Controls
- Security Program
Information security governance

Key focus processes:


• Personnel management
• Sourcing
• Risk management
• Configuration management
• Change management
• Access management
• Vulnerability management
• Incident management
• Business continuity management
Security is a business issue

• Business relies on the security of systems and information


• Not just a technology problem
• Lack of understanding at a leadership level
• Ever-changing landscape and threat scenarios
• Fear of breach is driving awareness
• Regulation is increasing ramifications
• There is an element of luck / bad luck
• More needs to be done to make security a valued activity
Business vision flows down
The purpose of information security governance

Align the information security program with the business objectives.
Successful information security governance leads to:
• Objectives
• Strategy
• Policy
• Priorities
• Standards
• Processes
• Controls
• Program and project management
• Metrics and reporting
Security governance activities and results

• Risk management
• Process improvement
• Event identification
• Incident response
• Improved compliance
• Business continuity and disaster recovery planning
• Metrics
• Resource management
• Improved IT governance
Security governance activities and results (cont.)

Taken together, these activities build reputation and trust.
Business alignment

• Mission
• Goals and objectives
• Strategy

• Culture
• Asset value
• Risk tolerance
• Legal obligations
• Market conditions
Roles and responsibilities

• Security is everyone's responsibility


• There is no business without trusting staff
• Be clear on different roles and their part to play
• RACI charts
– Responsible
– Accountable
– Consulted
– Informed
Governance roles and responsibilities

• Board of Directors and Senior Management


– Lack of oversight is a liability

• Senior Management
– Strategic security objectives
– Functions, resources and supporting infrastructure

• Business Process Owners


– Support of business processes = success

• Steering Committee
– Strategy delivery and integration efforts
– Emerging risk and compliance issues

• Chief Information Security Officer


– Responsibility to make security decisions and take action
Cyber security roles and responsibilities

It can only succeed with leadership commitment


• Obtain clear approval for security strategy and roadmap
• Measure compliance to policies

Establish Reporting and communication channels


• Reporting mapped to endorsed security program
• Implementation progress
• Status of risks and threats
• Compliance level objectives
Metrics

Metrics can be a mythical art form


Metrics cannot answer the overarching questions:
• How secure are we?
• How much security is enough?

Effective metrics
• Meaningful
• Accurate
• Cost-effective (automated)
• Repeatable
• Predictive
• Actionable
• Genuine
Metrics and standards

• ISO/IEC 27004 – 2009/2016


• COBIT 5 – Enabling Processes
• CIS – 2010 / V7
• NIST SP 800-55 Revision 1 – 2008
Business model for information security

• People
• Process
• Technology
• Organisation
• Culture
• Governing
• Architecture
Current Climate
Information Security Strategy

• Aligning security activity with business


objectives
• Where are we now?
• Where do we want to be?
• What actions are required to achieve the desired security posture?
• Desired risk level
Information Security Strategy Common Pitfalls

• Overconfidence – in accurate estimates


• Optimism – in forecasts
• Anchoring – on the first presented number
• The status quo bias – change reluctance
• Mental accounting – creative money
• The herding instinct – follow the popular idea
• False consensus – over-estimate shared view
The Goal of a Security Strategy

Protect organisational assets and value


• Which assets?
• How much protection?
• Against what or who?
Information Security Strategy Objectives

• What are we trying to achieve?


• Secure the organisation?
• May seem obvious but needs to be stated
• Determine asset (information and function):
– Location
– Value
– Classification
– Owner
Information Security Strategy – The Desired State

The target security posture


At a point of time in the future
Frameworks
• COBIT 5 Process Assessment Model
• Capability Maturity Model
• Balanced Score Card
Information Security Strategy Roadmap

• The path to achieve long term goals


• Broken down to short term projects
• Checkpoints and metrics
• Process and architecture improvements to stop back-sliding
• Retrospective clean-up over time
Information Security Strategy Resources

Policies – high level statements about behaviour and management intent
Standards – statements about boundaries
Procedures – operating procedures
Guidelines – helpful for use with procedures and new technologies
Controls
IT Controls
Non-IT Controls
Countermeasures
Layered defenses – defense in depth
• Prevention
• Containment
• Detection and notification
• Reaction
• Evidence collection and tracking
• Recovery and restoration
Organisational Structure, Skills and Knowledge
• CIO, COO or CEO?
• Changing structure
• Where will security get the least pressure?
• Centralised or decentralised?
• Designation of roles and responsibility
• Skills and education of security staff
• Awareness and education of all staff
Audits and Compliance
• Audit findings
- Internal
- External
• Compliance enforcement
- Fines = buy-in
- Voluntary compliance
• Threat assessment
- Linked to policy development
Strategy Constraints

• Legal and regulatory


• Record retention
• E-discovery
- Subpoenas
- Warrants
• Physical – space and capacity
Strategy Constraints Cont.

• Personnel
• Resources
• Capabilities
- Expertise and skills
• Time
• Risk acceptance and tolerance
• Management perception and urgency
Review / discussion questions
1. Why is executive engagement and buy-in crucial for addressing risk in an organisation?

2. Why do we determine the desired state before analysing the current state?

3. What is the difference between resource management metrics and risk management metrics?

4. Why is it necessary to have an information security policy?

5. How can personnel be a constraint as well as a resource for the information security strategy?
