Information Security Governance Tutorial

1.1 Welcome

Hello and welcome to the first domain, Information Security Governance, of the Certified Information Security Manager (CISM®) Course offered by Simplilearn. CISM is a registered trade mark of ISACA®. ISACA® is a registered trade mark of Information Systems Audit and Control Association. Domain 1 of CISM® course focuses on the elements required for effective Information Security Governance. Let us explore the objectives of this domain in the next screen.

1.2 Objectives

After completing this domain, you will be able to:
• Define Information Security Governance
• Discuss effective Information Security Governance
• List the Information Security Governance Metrics
• Discuss how to develop an Information Security Strategy
• List Information Security Strategy Objectives
• Define the Current State of Security
• Describe Information Security Strategy Development
• Identify Strategy Resources
• Recall Strategy Constraints
• Develop an Action Plan to Implement Strategy
• List Information Security Program Objectives
Let us look at the task statements in the next screen.

1.3 Tasks Statements

To achieve the goals of the domain, the CISM candidate is expected to perform the prescribed task statements. ISACA prescribes 9 (nine) tasks within this job practice area. The tasks are:
• Establish and maintain an information security strategy aligned with the goals and objectives of the organization
• Establish and maintain an information security governance framework
• Integrate information security governance into corporate governance
• Establish and maintain information security policies
• Create business cases to support investments in information security
Let us look at other task statements in the next screen.

1.4 Tasks Statements (Contd.)

Other task statements are:
• Identify both internal and external influences on the organization
• Obtain commitment from senior management and other stakeholders’ support
• Define the roles and responsibilities of information security and communicate them throughout the organization
• Establish, monitor, evaluate, and report metrics of the effectiveness of the information security strategy
Let us attempt a quick recall question in the next screen.

1.5 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at the knowledge statements in the next screen.

1.6 Knowledge Statements

The CISM candidate must have a good understanding of each of the 15 areas delineated by the knowledge statements to perform the task statements. These form the basis for the examination. The CISM candidate should have knowledge of:
• Methods to develop a strategy for information security
• Relationship among information security and business goals, objectives, functions, processes, and practices
• Methods to implement an information security governance framework
• Fundamental concepts of governance and their relation to information security
• Methods to integrate information security governance into corporate governance
Let us look at the other knowledge statements in the next screen.

1.7 Knowledge Statements (Contd.)

• Methods to obtain commitment from senior management and other stakeholders’ support
• Information security management roles and responsibilities
• Organizational structures and lines of authority
• Methods to establish new reporting and communication channels, or utilize existing ones
• Methods to select, implement, and interpret metrics of the effectiveness of the information security strategy
Let us look at the tasks and knowledge statements in the next screen.

1.8 Tasks and Knowledge Statement

The CISM candidate should have knowledge of:
• Standards, frameworks, and best practices that are internationally recognized
• Methods to develop information security policies and business cases
• Strategic budgetary planning and reporting methods
• Factors that influence the organization and their impact on security strategies
Let us attempt a quick recall question in the next screen.

1.9 Knowledge Check

This question will help you recall the concepts you learned. Let us look at Information Security Governance in the next screen.

1.10 Information Security Governance Overview

Information is defined as “data endowed with meaning and purpose,” and is the substance of knowledge. Knowledge is, in turn, captured, transported, and stored as organized information. The Information Technology Governance Institute (ITGI) defines information security governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. This definition is from the ISACA publication on the Business Model for Information Security, published in 2010. Information plays a critical role in all aspects of our lives and has become an indispensable component of conducting business for virtually all organizations. In a growing number of companies, information is the business. Protection of information in many organizations therefore means bringing it to the attention of the highest decision-making level of the organization, typically the board. Information must be protected in the same manner as any other asset an organization owns. Let us look at the importance of information security governance in the next screen.

1.11 Importance of Information Security Governance

From an organization’s perspective, information security governance is increasingly critical as dependence on information grows. Prudent and effective management of information provides significant benefits such as:
• Protection from legal liabilities arising from the inaccuracy of information, lack of due care in information protection, or non-compliance with regulation.
• Assurance of policy compliance.
• Reduced uncertainty in business operations and greater predictability.
• A framework for optimizing the allocation of limited security resources.
• Assurance that decisions are based on correct information.
• A foundation for effective risk management, incident management, and process improvement, as well as confidence and trust in dealing with third parties and customers.
• Protection of the organization’s reputation, better and new ways of processing electronic information, and accountability in safeguarding information.
Let us look at the outcomes of information security governance in the next screen.

1.12 Outcomes of Information Security Governance

Information security governance aims at providing direction to senior management to implement a security program that ensures sufficient security to protect the important information of an organization. The objective of information security is to develop, implement, and manage a security program that achieves the following six basic outcomes of effective security governance:
• Strategic alignment: aligning information security with the business strategy that supports the objectives of the organization. This includes:
  • Providing guidance on what must be done and achieved
  • Considering the ways of governing, the technology used, and the culture of the organization
  • Aligning information security with the risk and threats involved
• Risk management: managing risk to reduce the potential impacts on information resources. This includes:
  • Understanding the risk and threats involved
  • Awareness of the impact of risk
  • Understanding management priorities
• Value delivery: supporting business objectives by:
  • Following a set of security practices
  • Providing complete solutions that reflect an understanding of the organization’s business
  • Understanding that security is a process and not an event
• Resource management: using information security knowledge and infrastructure to:
  • Ensure that effective knowledge is gained and is available
  • Prepare proper security processes and practices
  • Develop a security architecture that uses resources efficiently and effectively
• Performance measurement: controlling and reporting on information security processes to ensure that the following objectives are achieved:
  • Develop a set of metrics for effective decisions at all levels in the organization
  • Develop a process that provides feedback on shortcomings and progress
• Integration: integrating all important factors by:
  • Defining all organizational assurance functions
  • Organizing all assurance functions for greater security
  • Developing formal relationships with other assurance functions
  • Ensuring that roles and responsibilities between assurance functions are interconnected

1.13 Effective Information Security Governance

The board of directors and executive management are responsible for information security governance. It must not only be an integral part of enterprise governance, but also must be transparent. In addition, it must complement or encompass the IT governance framework. In an organization, executive management is responsible for considering and responding to information security issues. The board of directors, on the other hand, is responsible for making information security an essential part of governance. The board of directors should also ensure integration of information security with the existing processes that govern other critical organizational resources. A clear organizational strategy for the preservation of information is thus equally important and must be integrated into the enterprise and complement the IT governance framework. Effective governance of information security is needed to address legal and regulatory requirements and to exercise due care. Let us look at business goals and objectives in the next screen.

1.14 Business Goals and Objectives

Corporate governance is a set of rules practiced by the board and executive management to provide strategic direction to achieve business goals and objectives, manage risk effectively, and ascertain proper use of available resources. Information security is a subdivision of corporate governance that must ensure value addition to the organization by supporting all the business activities. An effective governance framework consists of:
• A security strategy that is interrelated to the business objectives.
• Governing security policies that deal with regulation, strategy, and controls.
• Procedures and guidelines that comply with the policy standards.
• A security organizational structure with ample resources and authority.
• Established methods to monitor processes to ensure compliance with the rules and provide feedback on effectiveness that helps management take appropriate decisions.
Let us look at the scope and charter of information security governance in the next screen.

1.15 Scope and Charter of Information Security Governance

In the context of information security governance, it is important that the scope and responsibilities of information security are clearly set forth in the information security strategy. Information security is concerned with all aspects of information, whether spoken, written, printed, electronic, or relegated to any other medium, regardless of whether it is being created, viewed, transported, stored, or destroyed. The core principles in the implementation of effective information security governance are the following:
• CEOs should conduct a yearly information security evaluation, review staff performance, and report to the board of directors.
• As part of a risk management program, organizations should conduct regular risk assessments of information assets.
• Policies and procedures should be implemented based on the outcome of risk assessments.
• There should also be a defined security management structure to assign explicit individual roles, responsibilities, accountability, and authority.
• Organizations should develop plans and initiate actions to provide adequate information security for networks, facilities, systems, and information.
• Organizations should treat information security as an integral part of the system life cycle.
Let us continue to discuss the scope and charter of information security governance in the next screen.

1.16 Scope and Charter of Information Security Governance

• Organizations should provide information security awareness, training, and education to personnel, and conduct periodic testing and evaluation of the effectiveness of information security policies and procedures.
• Organizations should create and execute a plan for remedial action to address any information security deficiencies.
• Organizations should develop and implement incident response procedures.
• Organizations should establish business continuity plans, procedures, and tests to provide continuity of operations.
• Organizations should use security good practice guidance, such as ISO/IEC 27002, to measure information security performance.
We will attempt a quick recall question in the next screen.

1.17 Knowledge Check

This question will help you to recall the concepts you learned. We will look at the various roles of individuals in strategic alignment in the next screen.

1.18 Roles and Responsibilities—Strategic Alignment

Information security governance requires calculated direction and thrust. It also requires commitment and resources, as well as assigning responsibility to personnel for information security management. Information security governance should provide the means for the board to determine whether the organizational objectives have been met. The different roles and responsibilities are outlined as follows:
• Board of Directors/Senior Management, whose responsibility is to set direction and provide support for overall information security governance.
• Executive management, who define strategic security objectives and implement effective security governance to achieve the objectives.
• Security Steering Committee (SSG), whose roles and responsibilities are to define the security strategy and integration efforts, especially efforts to integrate security with business unit activities.
• Chief Information Security Officer (CISO), who develops the security strategy, manages enterprise security activities and security initiatives, and liaises with business unit owners.
We will look at the various roles of individuals in risk management in the next screen.

1.19 Roles and Responsibilities

In terms of risk management, the various people involved in ensuring that risk is mitigated in information security management, and their different roles and responsibilities, are the following:
• Board of Directors/Senior Management sets the tone for the risk appetite in the organization.
• Executive management ensures that organizational activities include a component of risk management.
• Security Steering Committee (SSG) identifies emerging issues, promotes business unit security practices, and identifies compliance issues.
• Chief Information Security Officer (CISO) carries out risk assessments, identifies risk mitigation actions, and enforces compliance.
We will look at the various roles of individuals in value delivery in the next screen.

1.20 Roles and Responsibilities—Value Delivery

The people involved in optimizing security investments for value delivery include:
• Board of Directors/Senior Management, whose responsibility is to ensure that costs and benefits of security activities are reported.
• Executive management, who ensure that all security activities are supported by business cases.
• Security Steering Committee (SSG), which advises on the cost effectiveness of security activities.
• Chief Information Security Officer (CISO), who actively monitors and optimizes the utilization of security resources.
• Audit Executives, who review the cost of a security program compared to its outcome.
We will attempt a quick recall question in the next screen.

1.21 Knowledge Check

This question will help you to recall the concepts you learned. We will look at the various roles of individuals in resource management in the next screen.

1.22 Roles and Responsibilities—Resource Management

With regard to resource management, the people involved in ensuring that information security resources are utilized efficiently include:
• Board of Directors/Senior Management, whose responsibility is to set the policy on resource utilization and management.
• Executive management, who provide the metrics for knowledge capture and its efficiency.
• Security Steering Committee (SSG), which is responsible for providing metrics for knowledge capture and its efficiency.
• Chief Information Security Officer (CISO), whose responsibility is to develop, monitor, and measure knowledge capture and resource utilization.
• Audit Executives, who review and report how resources are utilized.
We will look at the various roles of individuals in performance management in the next screen.

1.23 Roles and Responsibilities

In performance management, the people involved in ensuring that information security activities achieve their intended objectives include:
• Board of Directors/Senior Management, who ensure that the effectiveness of security activities is reported.
• Executive management, which makes sure that metrics are in place to monitor security activities.
• Security Steering Committee (SSG), which advises on whether business objectives are being met by security activities.
• Chief Information Security Officer (CISO), who implements metrics that monitor security activities.
We will look at the various roles of individuals in integration in the next screen.

1.24 Roles and Responsibilities

With regard to integration, the people involved in ensuring that information security activities are integrated with other assurance functions include:
• Board of Directors/Senior Management, who provide a policy for end-to-end integration of all assurance functions.
• Executive management, whose responsibility is to provide oversight of all assurance functions and integration plans.
• Security Steering Committee (SSG), which has the responsibility of directing organizational efforts in the integration of assurance functions.
• Chief Information Security Officer (CISO), whose responsibility is to provide a link with other assurance functions, identify gaps, and continuously promote integration.
• Audit Executives, whose mandate is to review and report on the effectiveness and efficiency of assurance function integration.
Let us attempt a quick recall question in the next screen.

1.25 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at governance, risk, and compliance in the next screen.

1.26 Governance Risk Management and Compliance

Governance, Risk Management, and Compliance (GRC) reflects an approach that an organization adopts to integrate the areas of governance, risk management, and compliance. GRC includes internal audit, compliance programs such as the US Sarbanes-Oxley Act (SOX), enterprise risk management (ERM), operational risk, and incident management. Governance primarily focuses on creating the mechanisms an organization uses to ensure that personnel follow established processes and policies. Risk management develops and deploys internal controls to manage and mitigate risk throughout an organization. Compliance is a process that records and monitors policies and procedures, and ensures that policies and standards are adequately adhered to. We will look at the Business Model for Information Security in the next screen.

1.27 The Business Model for Information Security

The Business Model for Information Security (BMIS) utilizes systems thinking to clarify complex relationships within the enterprise in order to manage security effectively. BMIS postulates that a system needs to be viewed holistically, not merely as a sum of its parts, to be accurately understood. The four elements of BMIS are organization design and strategy, people, process, and technology.
• The organization design and strategy element shows how an organization implements its goals and objectives.
• The people element defines the persons responsible for strategy implementation and must take into account behaviors, values, and biases.
• The process element identifies, measures, controls, and manages risk. Processes provide accountability, confidentiality, integrity, and availability of information.
• The technology element refers to the applications, infrastructure, and tools needed to make processes more efficient.
The model is best viewed as a pyramid-shaped three-dimensional structure consisting of four elements, where six dynamic interconnections link the elements together. The image shows how the four elements are linked by the six dynamic interconnections. Because the elements are connected in this way, a change in, or improper management of, any one part of the model can upset the equilibrium of the whole model. Let us continue with the Business Model for Information Security (BMIS) in the next screen.

1.28 The Business Model for Information Security

The dynamic interconnections that link the elements together and exert a multidirectional force are Governance, Culture, Enablement and Support, Emergence, Human Factors, and Architecture.
• Governance is an interconnection that sets the limits within which an organization can operate, monitors performance, describes activities, ensures compliance, and remains flexible to emerging conditions.
• Culture influences what information is considered and how it is interpreted within the organization.
• Enablement and Support ensures that people comply with security policies, procedures, and measures by making processes easy and usable.
• Emergence refers to patterns that appear in the life of an organization that cannot be predicted or controlled and thus might need feedback loops.
• Human Factors refers to gaps and interactions between people and technology. Human factors arise because of culture, experience level, and generational differences.
• Architecture describes an enterprise’s security practices that encapsulate people, technology, and processes.

1.29 Information Security Governance Metrics

Metrics is a term used to denote measurements based on one or more references and involves at least two points – the measurement and the reference. Information Security Governance Metrics are measures that provide a state of safety relative to a reference point. There is a strong correlation between good security management and practices and relatively fewer incidents and losses. Different metrics are required to provide information at the strategic, tactical, and operational levels. Some of the standard information security metrics include: downtime due to viruses and recovery times, number of penetrations of systems, impacts and losses, percentage of servers patched, and number of vulnerabilities uncovered. Let us continue learning about information security metrics in the next screen.

1.30 Information Security Governance Metrics

Some of the thought-provoking and awareness-raising questions that need to be answered by the information security manager while developing relevant metrics include:
• What are the cost-effective security solutions and what is their impact on productivity?
• What is the impact of a lack of security on productivity?
• How secure is the organization, and how much security is enough?
• What is the impact of a catastrophic security breach?
• How can it be determined whether an enterprise has achieved an adequate level of security?
• How can risk be predicted and its degree determined?
• Are the objectives of the security program being achieved?
Let us learn about effective security metrics in the next screen.

1.31 Effective Security Metrics

It is generally difficult or impossible to manage any activity that cannot be measured. The fundamental purpose of metrics, measures, and monitoring is decision support. For effective security metrics, the following criteria should be applied to ensure that metrics are useful for decision support:
• Meaningful: the metric should be understood by the recipients.
• Cost-effective: the measurements should not be expensive to acquire and maintain.
• Accurate: a sufficient degree of accuracy is important.
• Repeatable: the measures should be reliable over time.
• Actionable: the recipient of the metric should know what action to take.
• Predictive: the measurement should have a bearing on the outcomes.
• Genuine: it must be clear what is actually being measured; for example, measurements should not be random or subject to manipulation.
We will attempt a quick recall question in the next screen.

1.32 Knowledge Check

This question will help you recall the concepts you have learned. Let us learn about strategic alignment metrics in the following screen.

1.33 Strategic Alignment Metrics

Strategic alignment of information security in support of organizational objectives is a highly desirable goal that is often difficult to achieve. It should be clear that the cost effectiveness of the security program is inevitably tied to how well it supports the objectives of the organization and at what cost. Strategic alignment metrics and indicators can include:
• The extent to which the security program demonstrably enables specific business activities.
• Business activities that have not been undertaken, or have been delayed, because of inadequate capability to manage risk.
• A security organization that is responsive to defined business requirements, based on business owner surveys.
• Organizational and security objectives that are defined and clearly understood by all involved.
• The percentage of security program activities mapped to organizational objectives and validated by executive management.
Let us look at risk management metrics in the next screen.

1.35 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at value delivery metrics in the next screen.

1.36 Value Delivery Metrics

Value delivery occurs when security investments are optimized in support of organizational objectives. Value delivery is a function of the strategic alignment of the security strategy with business objectives; in other words, it is achieved when a business case can be convincingly made for all security activities. Optimal investment levels are reached when strategic security goals are achieved and an acceptable risk posture is attained at minimal cost. The metrics that can be considered for value delivery are:
• Security activities aligned with specific strategic objectives
• Security resources allocated based on the degree of risk
• Confirmation that automated business transactions can be trusted
• A cost-effective plan of action
• Control cost effectiveness determined by periodic testing
• An adequate number of controls to achieve a tolerable level of risk
• The cost of security proportional to the value of the assets protected
Let us look at resource management metrics in the next screen.

1.37 Resource Management Metrics

Information security resource management is the term used to describe the processes to plan, allocate, and control information security resources, including people, processes, and technologies, in order to improve the efficiency and effectiveness of business solutions. Indicators of effective resource management include:
• Infrequent problem rediscovery
• Effective knowledge capture and dissemination
• The extent to which security-related processes are standardized
• Clearly defined roles and responsibilities for information security functions
• Information security functions incorporated into every project plan
• Information assets and related threats covered by security resources
• The proper organizational location, level of authority, and number of personnel for the information security function
• Productivity of staff and other resource utilization levels
• The cost of security services per seat
Let us look at performance measurement metrics in the next screen.

1.38 Performance Measurement Metrics

Information security processes should be measured, monitored, and reported on to ensure that organizational objectives are achieved. Methods to monitor security-related events across the organization must be developed; it is critical to design metrics that provide an indication of the performance of the security machinery and, from a management perspective, the information needed to make decisions that guide the security activities of the organization. Indicators of effective performance measurement include:
• The time it takes to detect and report security-related incidents
• The number and frequency of subsequently discovered unreported incidents
• Benchmarking against comparable organizations for costs and effectiveness
• The ability to determine the effectiveness and efficiency of controls
• Clear indications that security objectives are being met
• The absence of unexpected security events
• Knowledge of impending threats
• Effective means of determining organizational vulnerabilities
• Methods of tracking evolving risk
• Consistency of log review practices
• Results of business continuity planning (BCP)/disaster recovery (DR) tests
• The number of key controls that are monitored, as well as the percentage of metrics meeting defined criteria
A few questions will be presented in the following screens.

1.39 Developing an Information Security Strategy

To develop an effective information security strategy, it is important to consider and understand a number of factors. Such factors include the prevalent standards and frameworks, which can be arranged in order of increasing specificity as follows:
• Regulations: SOX, HIPAA, GLBA, FISMA, and others
• Governance frameworks: COSO, OCEG, and others
• Control objectives: COBIT, ITIL/ISO 20000, CMM, and others
• Controls: ISO 17799/27001, NIST 800-53, and others
Let us look at the common pitfalls in developing an information security strategy in the next screen.

1.40 Common Pitfalls in Developing an Information Security Strategy

Some of the pitfalls in developing an information security program include:
• Overconfidence: people have a tendency to be overconfident in their own abilities.
• Optimism: over-optimism has a disastrous impact on strategies that are based on estimates of what may happen.
• Biased assimilation: people are generally biased toward familiar and known approaches, despite their inadequacy or ineffectiveness.
• Anchoring: anchoring has serious consequences in developing strategies when expectations of future outcomes are anchored to past experience.
• Herding instinct: it is a fundamental human trait to follow others and to look for their validation.
• False consensus: people tend to overestimate how far others share their views and experiences, which can lead to ignoring or minimizing important threats or weaknesses in the plans.
• Confirmation bias: people tend to seek opinions and facts that support their own beliefs.
• Mental accounting: the tendency of people to categorize and treat money differently depending on where it comes from, where it is kept, and how it is spent.
• Selective recall: people tend to remember only the facts and experiences that support current assumptions.
• Biased evaluation: people tend to accept evidence that supports their own hypotheses.
• Group think: pressure for agreement in team-based cultures.
Let us look at information security strategy objectives in the next screen.

1.41 Information Security Strategy Objectives

The objectives of developing an information security strategy must be defined, and metrics developed to determine whether those objectives are being achieved. Typically, the six defined outcomes of security governance will provide high-level guidance. The six outcomes are: strategic alignment, effective risk management, value delivery, resource management, performance measurement, and process assurance integration. The strategy will need to consider what each of the selected areas will mean to the organization, how they might be achieved, and what will constitute success. We will attempt a quick recall question in the next screen.

1.42 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at the goals of information security strategy in the next screen.

1.43 Goals of Information Security Strategy

Information security strategic goals are to be aligned with the strategic business and IT goals. The information security manager must also consider the organization's business and technical environment. The goals include: protecting the organization's information assets; implementing security policies and procedures; reviewing the strategies periodically; deploying information security solutions to address business requirements or needs; and establishing a security organization to roll out security initiatives for new business requirements. Long-term objectives need to be defined in terms of desired outcomes, and these objectives should be stated in terms of addressing risk. Let us look at how to determine the current state of security in the next screen.

1.44 Determining Current State of Security

A current state evaluation of information security must be performed using the same methodology, or combination of methodologies, that was employed to determine the strategy objectives, that is, the desired state. In other words, whatever combination of methodologies, such as COBIT, CMM, or the balanced scorecard, is used to define the desired state must also be used to determine the current state. This provides an apples-to-apples comparison between the two and the basis for a gap analysis that will delineate what is needed to achieve the objectives. Evaluating the current state of the organization's information security is therefore one of the first steps in proceeding with the information security strategy: the same techniques and frameworks used to determine the desired state are applied to the current state, and the comparison between the two yields the gap analysis. The current state of risk can also be assessed through a comprehensive risk assessment. Business Impact Assessment (BIA): a BIA provides critical information needed to develop an effective information security strategy; the difference between the acceptable level of impact and the current level of potential impact must be addressed by the strategy. The desired state is a snapshot of all relevant conditions at a particular point in the future. It includes processes, people, and technologies, and should be defined in qualitative terms of characteristics, attributes, and outcomes. Let us learn about the COBIT framework in the next screen.

1.45 COBIT

The Control Objectives for Information and related Technology (COBIT) framework examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of the high-level control objectives. COBIT principles include the following:
• Meeting stakeholder needs
• Applying a single integrated framework
• Covering the enterprise end to end
• Separating governance from management
We will attempt a quick recall question in the next screen.

1.46 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at the maturity level of Capability Maturity Model in the next screen.

1.47 Capability Maturity Model

The desired state of security may be defined as achieving a specific level in the Capability Maturity Model (CMM). The model grades each defined area of security on a scale of 0 to 5, based on the maturity of the organization's processes. The maturity levels can be described as:
• 0 - Nonexistent: the organization is not interested in security at all
• 1 - Ad hoc: the organization considers risk on an irregular basis
• 2 - Repeatable but intuitive: the organization understands the importance of risk and the need for security
• 3 - Defined process: the organization implements a risk management policy and/or security awareness
• 4 - Managed and measurable: the organization implements a standard risk assessment procedure and assigns roles and responsibilities to individuals
• 5 - Optimized: the organization proactively implements, monitors, and manages the process
We will look at the balanced scorecard in the next screen.

1.48 Balanced Scorecard

The balanced scorecard is a management system that enables organizations to define their vision and strategy and to translate them into action. It provides the means by which feedback on internal business processes as well as external outcomes is communicated, to ensure continuous improvement in strategic performance and results. The balanced scorecard, when fully deployed, transforms strategic planning from a theoretical exercise into a day-to-day activity for an organization. Let us attempt a quick recall question in the next screen.

1.49 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at architectural approaches in the next screen.

1.50 Architectural Approaches

Enterprise Information Security Architecture (EISA) is a subset of enterprise architecture. An architecture framework can be described as a foundational structure, or set of structures, which can be used for developing a broad range of different architectures, including business process architecture (sometimes referred to as the contextual architecture) as well as the more traditional conceptual, logical, physical, functional, and operational architectures. There are a number of architectural approaches, which include:
• The Open Group Architecture Framework (TOGAF)
• Zachman Enterprise Architecture Framework
• Extended Enterprise Architecture Framework (E2AF)
Let us learn more about the ISO 27000 series in the next screen.

1.51 ISO/IEC 27000 Series

ISO standards aim to ensure that all relevant security elements are addressed in an organizational security strategy. The 14 areas of ISO/IEC 27002 can provide a useful framework for gauging the comprehensiveness of a strategy. They are:
• Security policy
• Organizing information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• Information security acquisition, development, and maintenance
• Supplier relationships
• Information security incident management
• Business continuity management
• Compliance
Let us look at risk objectives in the next screen.

1.52 Risk Objectives

A major input into defining the desired state will be the organization's approach to risk and its risk appetite, that is, what management considers to be acceptable risk. This is another critical step, since the defined acceptable risk devolves into the control objectives or other risk mitigation measures that are employed. Control objectives are instrumental in determining the type, nature, and extent of the controls and countermeasures the organization employs to manage risk. Management would decide on:
• The level of acceptable risk
• Whether operational risk can be traded off
• The cost of risk, whether controlled or not, which can be expressed as an Annual Loss Expectation (ALE)
• The controls and/or other risk mitigation measures employed based on the acceptable risk
• The mitigation and/or countermeasures the organization requires to manage risk to an acceptable level
• The acceptability of some risks, which can be quantified using a business continuity approach
Developing the right strategy will need an iterative approach based on analysis of the costs of achieving the desired state, weighed against the desired state and the acceptable risk levels. A few questions will be presented in the following screens.
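As an added example (not part of the course material), the following Python script shows how the cost of each risk can be expressed as an ALE, how a candidate control's net benefit follows from the loss it avoids minus its annual cost, and how the residual risk is then checked against the acceptable level management has set, tying the risk objectives above to the value delivery metrics of 1.36 (an acceptable risk posture at minimal cost, controls that achieve a tolerable level of risk). All risks, controls, cost figures and appetite thresholds are constructed sample values, and the functions (`ale`, `net_benefit`, `select_controls`) are the example's own, not from COBIT or ISACA.

```python
"""Expressing the cost of risk as ALE and choosing cost-effective controls.

Added example, not from the course material.  The risks, candidate controls
and risk appetite are constructed sample figures in arbitrary currency units."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annualized rate of occurrence


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                 # name of the risk this control treats
    annual_cost: float
    sle_factor: float = 1.0   # residual multiplier on impact (1.0 = unchanged)
    aro_factor: float = 1.0   # residual multiplier on frequency (1.0 = unchanged)


def ale(risk):
    """Annual loss expectation = SLE x ARO."""
    return risk.sle * risk.aro


def residual_ale(risk, control):
    """ALE that remains once the control has reduced impact and/or frequency."""
    return risk.sle * control.sle_factor * risk.aro * control.aro_factor


def net_benefit(risk, control):
    """Annual loss avoided by the control minus what the control costs per year."""
    return ale(risk) - residual_ale(risk, control) - control.annual_cost


def select_controls(risks, controls, appetite):
    """For each risk pick the candidate control with the highest positive net
    benefit (none if no control pays for itself) and flag whether the residual
    ALE sits within the acceptable level management set for that risk."""
    decisions = {}
    for risk in risks:
        best, best_benefit = None, 0.0
        for c in (c for c in controls if c.risk == risk.name):
            b = net_benefit(risk, c)
            if b > best_benefit:
                best, best_benefit = c, b
        after = residual_ale(risk, best) if best else ale(risk)
        decisions[risk.name] = {
            "control": best.name if best else None,
            "ale_before": ale(risk),
            "ale_after": after,
            "net_benefit": best_benefit,
            "within_appetite": after <= appetite[risk.name],
        }
    return decisions


# Constructed sample figures, not from any real assessment.
RISKS = [
    Risk("Ransomware on file servers", sle=400_000, aro=0.5),
    Risk("Laptop theft", sle=10_000, aro=3.0),
    Risk("Data center flood", sle=2_000_000, aro=0.02),
]
CONTROLS = [
    Control("EDR with offline backups", "Ransomware on file servers", 60_000, aro_factor=0.2),
    Control("Email filtering", "Ransomware on file servers", 15_000, aro_factor=0.6),
    Control("Full-disk encryption", "Laptop theft", 8_000, sle_factor=0.2),
    Control("Cable locks and training", "Laptop theft", 5_000, aro_factor=0.7),
    Control("Flood barrier", "Data center flood", 50_000, aro_factor=0.5),
]
# Acceptable ALE per risk, as set by management (constructed).
APPETITE = {"Ransomware on file servers": 50_000, "Laptop theft": 10_000, "Data center flood": 50_000}

if __name__ == "__main__":
    for name, d in select_controls(RISKS, CONTROLS, APPETITE).items():
        print(f"{name:28} ALE {d['ale_before']:>10,.0f} -> {d['ale_after']:>10,.0f} "
              f"via {d['control'] or 'no cost-effective control'}; "
              f"{'within' if d['within_appetite'] else 'EXCEEDS'} appetite")
```

A negative net benefit, as for the flood barrier in the sample data, means the control costs more per year than the loss it avoids; the residual risk then becomes a candidate for acceptance or for insurance, which 1.57 lists as a treatment for high-impact, rare risks.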

1.53 Information Security Strategy Development

Development of a strategy to achieve long-term objectives and the road map to get there, coupled with short-term intermediate goals, will provide the basis for sound policy and standards development in support of the effort. For strategy to be well developed, it must combine the elements of strategy development as well as strategy resources. The starting point and destination have to be defined for a security strategy. It is important to provide a road map of what is to be achieved. This is the defined, desired state that includes: people, technologies, processes, and other resources. Let us look at strategy resources in the next screen.

1.54 Strategy Resources

There are various strategic resources that are needed in developing an information security strategy. These resources can be considered the mechanisms, processes, and systems that are available, in some optimal mix, to achieve the desired state of security over time. They typically include policies and standards: policies should capture the intent, expectations, and direction of management, while standards are the specific requirements that an enterprise must comply with. Procedures provide the steps to achieve specific tasks, while guidelines provide further information on the implementation of procedures. An effective Enterprise Information Security Architecture (EISA) will ensure that proper controls are implemented within the enterprise and cover its processes, infrastructure, and technologies. Controls can be either IT controls or non-IT controls. COBIT focuses on IT controls, which constitute the majority of controls required in many organizations. These controls should define countermeasures as well as provide layered defense. Countermeasures are the protections that reduce the level of vulnerability to threats. We will continue looking at strategy resources in the next screen.

1.55 Strategy Resources

Technology is one of the cornerstones of an effective security strategy. Technologies can be seen as a strategy resource which, when implemented, should provide defense in depth. Technologies should be able to prevent, detect, or contain threats. In addition, it should be possible to react to incidents, collect evidence, and recover from threats. Personnel, as a resource, involves personnel security, which protects the organization from insiders. Organizational structure is a strategy resource in which the information security manager should consider the approach implemented in the organization, whether centralized or decentralized. Employee roles and responsibilities are an important strategy resource: information security roles and responsibilities should be included as part of employees' job descriptions. With the many tasks today's employees must complete, it is important that the strategy includes a mechanism that defines all security roles and responsibilities and incorporates them in employee job descriptions. Another component of strategy resources is skills. A security strategy that utilizes the available skills is a cost-effective option, but in some cases skills might have to be sourced externally. A skills inventory is important to determine the resources available in developing a security strategy. Proficiency testing may be useful to determine whether the requisite skills are available or can be achieved through training. We will continue looking at strategic resources in the next screen.

1.56 Strategy Resources

Awareness and education are important considerations in strategy resources. The overall strategy should include training, education, and awareness, because security awareness at the end-user level is typically the weakest. Carrying out awareness activities reinforces the importance of information security. Audits, both external and internal, are one of the main processes used to verify and determine deficiencies in an information security strategy implementation from a controls and compliance standpoint. Compliance enforcement ensures the information security strategy encompasses a culture of self-reporting and voluntary compliance. Security violations are an on-going concern for information security managers, and it is important that procedures for handling them are developed. Threat assessment considers all threats, their types, nature, and extent of impact, irrespective of the existence of a current vulnerability. While threat assessment is performed as a part of overall risk assessment, it is an important element for strategic consideration by itself. Vulnerability assessment includes a comprehensive assessment of vulnerabilities in processes, technologies, and facilities. The process of developing a strategy will offer opportunities to address many of these vulnerabilities in a prudent, proactive approach. We will continue learning about strategic resources in the next screen.

1.57 Strategy Resources

Risk assessment and management include risk identification, analysis, measurement, and prioritization. Formally assessing risk is accomplished by determining the viable threats to information resources that an organization faces. The combination of the frequency and magnitude of those threats and the extent of the organization's vulnerability will determine the relative level of risk. Strategy resources include the option of addressing some risk with insurance: risk treatment may include insurance for high-impact, rare risks such as floods, hurricanes, fire, embezzlement, or liability lawsuits. Business impact assessment analyzes and addresses the potential adverse impacts on the business functions of the organization and identifies business-critical and sensitive information and systems. Business impact is the "bottom line" of risk: a risk that cannot result in an appreciable impact is not important. A BIA must also be considered a requirement for determining the criticality and sensitivity of systems and information. Resource dependency analysis considers the resources critical to business operations and the factors that can affect their availability. Resource dependency analysis is similar to disaster recovery planning (DRP) and considers the systems, hardware, and software required to perform specific organizational functions. It can provide another perspective on the criticality of information resources. For outsourced services, ensure that appropriate backup plans are in place to mitigate the risk of failure by a service provider. The security strategy should consider outsourced security services carefully to ensure that they are not a critical single point of failure and that there is a viable backup plan in the event of service provider failure.
Other organizational support should be sought from assurance providers in a variety of departments, such as legal, compliance, audit, procurement, insurance, disaster recovery, physical security, training, the project office, and human resources, when developing a security strategy. Let us attempt a quick recall question in the next screen.

1.58 Knowledge Check

This question will help you to recall the concepts you learned. Let us learn about strategic constraints in the next screen.

1.59 Strategy Constraints

Several constraints must be considered when developing a security strategy. They set the boundaries for the options available to the information security manager and should be thoroughly defined and understood before initiating strategy development. The constraints include:
• Legal and regulatory requirements
• Physical constraints
• Ethics
• Culture
• Organizational structure
• Resources and funding
• Personnel
• Capabilities
• Time
• Risk acceptance and tolerance
Let us learn about action plans in strategy implementation in the next screen.

1.60 Action Plan in Strategy implementation

Implementing an information security strategy will typically require one or more projects or initiatives. An analysis of the gaps between the current state and the desired state for each defined metric identifies the requirements and priorities needed for an overall plan, or road map, to achieve the objectives and close the gaps. The action plan analyzes the gap between the current state and the desired state of security and initiates the activities required to reach the desired state. These activities include policy development, standards development, and training and awareness. We will look at policy development in the next screen.
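As an added example that is not part of the course material, the Python script below carries the gap analysis through: each ISO/IEC 27002 area (1.51) is scored on the CMM 0-5 scale (1.47) for both the current and the desired state, so the comparison is the apples-to-apples one that 1.44 calls for, and the criticality-weighted gaps are turned into a sequenced road map of milestones for the action plan. The area scores and the criticality weights are constructed sample data (the weights are assumed to come from the BIA), and the function names are the example's own.

```python
"""Gap analysis between the current and the desired state of security.

Added example (not part of the Simplilearn/ISACA material): both states are
scored with the same method, the CMM 0-5 scale per ISO/IEC 27002 area, so
the comparison is apples to apples.  Scores and weights are constructed."""
from dataclasses import dataclass

CMM_LEVELS = {
    0: "Nonexistent", 1: "Ad hoc", 2: "Repeatable but intuitive",
    3: "Defined process", 4: "Managed and measurable", 5: "Optimized",
}


@dataclass(frozen=True)
class AreaAssessment:
    area: str       # ISO/IEC 27002 area
    current: int    # CMM level observed today
    desired: int    # CMM level set by management for this area
    weight: int     # business criticality 1-5 (assumed to come from the BIA)


# Constructed sample data, not a real organization's assessment.
ASSESSMENTS = [
    AreaAssessment("Access control", 2, 4, 5),
    AreaAssessment("Information security incident management", 1, 3, 4),
    AreaAssessment("Cryptography", 3, 3, 3),
    AreaAssessment("Supplier relationships", 1, 2, 2),
    AreaAssessment("Operations security", 2, 3, 4),
]


def _check(a):
    """Reject scores that are not on the CMM scale or weights outside 1-5."""
    for level in (a.current, a.desired):
        if level not in CMM_LEVELS:
            raise ValueError(f"{a.area}: CMM level {level} is not on the 0-5 scale")
    if not 1 <= a.weight <= 5:
        raise ValueError(f"{a.area}: weight must be 1-5")


def weighted_maturity(assessments, state="current"):
    """Criticality-weighted average maturity for one state, rounded to 2 places."""
    total_weight = sum(a.weight for a in assessments)
    score = sum(getattr(a, state) * a.weight for a in assessments)
    return round(score / total_weight, 2)


def gap_analysis(assessments):
    """One row per area with its gap and a priority = gap x criticality, highest first."""
    rows = []
    for a in assessments:
        _check(a)
        gap = max(a.desired - a.current, 0)   # areas at or above target have no gap
        rows.append({"area": a.area, "current": a.current, "desired": a.desired,
                     "gap": gap, "priority": gap * a.weight})
    rows.sort(key=lambda r: (-r["priority"], r["area"]))
    return rows


def road_map(assessments, steps_per_period):
    """Greedy milestone plan: each period raises up to `steps_per_period` areas by
    one CMM level, always the area with the largest remaining weighted gap first.
    Returns a list of periods, each a list of (area, from_level, to_level)."""
    level = {a.area: a.current for a in assessments}
    target = {a.area: a.desired for a in assessments}
    weight = {a.area: a.weight for a in assessments}
    periods = []
    while True:
        period = []
        for _ in range(steps_per_period):
            open_gaps = [(-(target[x] - level[x]) * weight[x], x)
                         for x in level if target[x] > level[x]]
            if not open_gaps:
                break
            _, area = min(open_gaps)   # largest weighted gap; ties broken alphabetically
            period.append((area, level[area], level[area] + 1))
            level[area] += 1
        if not period:
            return periods
        periods.append(period)


if __name__ == "__main__":
    print(f"Current maturity {weighted_maturity(ASSESSMENTS)} "
          f"-> desired {weighted_maturity(ASSESSMENTS, 'desired')}")
    for r in gap_analysis(ASSESSMENTS):
        print(f"{r['area']:45} {r['current']}->{r['desired']} "
              f"gap={r['gap']} priority={r['priority']}")
    for i, p in enumerate(road_map(ASSESSMENTS, 2), 1):
        print(f"Period {i}:", ", ".join(f"{a} {f}->{t}" for a, f, t in p))
```

The road map re-evaluates the weighted gaps after every step, so a highly critical area that is far behind absorbs the first milestones, while an area already at its desired level (Cryptography in the sample data) never appears in the plan.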

1.61 Policy Development

One of the most important aspects of the action plan to execute the strategy is to create or modify, as needed, policies and standards. Policies are one of the primary elements of governance, and each policy should state only one general security mandate. The road map should show the steps and their sequence, dependencies, and milestones. The action plan is essentially a project plan to implement the strategy following the road map. The attributes of a good information security policy include:
• Policy must be derived from a well-defined and clearly articulated information security strategy
• Policy must be traceable to strategy elements
• Policy should capture the intent, expectations, and direction of management
• Policy must be brief, easily understood by all affected parties, and validated by the organization
• Policy must be communicated throughout the organization
It is the responsibility of the CISO to implement the information security policy. The policy declares the security goals and objectives of an enterprise. We will attempt a quick recall question in the next screen.

1.62 Knowledge Check

This question will help you to recall the concepts you learned. Let us learn about standard development in the next screen.

1.63 Standards Development

Standards are powerful information security management tools. They set the permissible bounds for the procedures and practices of technology and systems, and for people and events. Standards are the predominant tool for implementing effective security governance and must be owned by the information security manager. Standards are specific requirements that an enterprise must comply with; they ensure successful implementation of the policies.
• They set the boundaries and measurement for implementation of the policies without unnecessarily restricting procedural options.
• Standards must be unambiguous, consistent, and precise regarding scope and audience.
• Standards serve to interpret policies, and it is important that they reflect the intent of policy.
• Standards must exist for the creation of standards and policies regarding format, content, and required approvals.
We will look at training and awareness in the next screen.

1.64 Training and Awareness

An effective action plan to implement the information security strategy must consider an on-going program of security awareness and training.
• To ensure awareness of new or modified policies, all impacted personnel must be trained appropriately so that they see the connection between the policies and standards and their daily tasks.
• This information should be tailored to individual groups to ensure that it is relevant, and it must be presented in terms that are clear and understood by the intended audience. For example, presenting new standards on hardening servers is not likely to be meaningful to the shipping department.
• In addition to providing information to those impacted by changes, it is important to ensure that staff involved in the various aspects of implementing the strategy are also appropriately trained. This includes understanding the objectives of the strategy (KGIs), the processes that will be used, and the performance metrics for the various activities (KPIs).
We will learn about action plan metrics in the next screen.

1.65 Action Plan Metrics

The plan of action to implement the strategy will require methods to monitor and measure progress and the achievement of milestones. As with any project plan, progress and costs must be monitored on an on-going basis to determine conformance with the plan and to allow for timely midcourse corrections. A Key Goal Indicator (KGI) is a measure that helps to identify the goals that need to be accomplished. A Key Performance Indicator (KPI) is a performance measurement that indicates whether defined performance goals and objectives are being achieved. A KPI is a lead indicator of whether a goal is likely to be reached, and a good indicator of capability, practices, and skills. To achieve compliance, certain steps must be accomplished to successfully meet the required objectives; examples are identification of controls, determining appropriate tests, and committing resources for those tests. The COBIT framework expresses the objectives for IT in terms of the information criteria that the business needs in order to achieve its objectives, which will usually be expressed as:
• Availability of systems and services
• Absence of integrity and confidentiality risks
• Cost-efficiency of processes and operations
• Confirmation of reliability, effectiveness, and compliance
Let us learn about information security program objectives in the next screen.
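As an added example (not from the course material), the Python script below computes several of the performance indicators listed in 1.38 from a handful of constructed incident records: mean time to detect and to report, the rate of incidents that surfaced only through a later audit, and log review consistency. It then evaluates them as KPIs against constructed targets and reports the percentage of metrics meeting the defined criteria, the last indicator in that list. All records, timestamps and thresholds are sample values, and the metric and function names are the example's own.

```python
"""Performance measurement metrics computed from incident records.

Added example, not from the course material.  The incident records, the
log-review calendar and the KPI targets are constructed sample data."""
from datetime import datetime
from statistics import mean

# Constructed incident records.  "found_by_audit" marks an incident that the
# monitoring function never reported and that surfaced later through an audit,
# i.e. a "subsequently discovered unreported incident" in the sense of 1.38.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00", "detected": "2024-03-01T03:30",
     "reported": "2024-03-01T04:00", "found_by_audit": False},
    {"id": "INC-2", "occurred": "2024-03-05T10:00", "detected": "2024-03-05T16:00",
     "reported": "2024-03-05T16:30", "found_by_audit": False},
    {"id": "INC-3", "occurred": "2024-03-10T08:00", "detected": "2024-03-12T08:00",
     "reported": "2024-03-12T09:00", "found_by_audit": True},
    {"id": "INC-4", "occurred": "2024-03-15T12:00", "detected": "2024-03-15T12:30",
     "reported": "2024-03-15T14:30", "found_by_audit": False},
]

# Constructed log-review calendar: 20 business days, one review expected per day.
LOG_REVIEWS_EXPECTED = 20
LOG_REVIEWS_DONE = 18

# Constructed KPI targets, i.e. the "defined criteria" management agreed on.
KPI_TARGETS = {
    "mean_time_to_detect_h": ("<=", 4.0),
    "mean_time_to_report_h": ("<=", 1.0),
    "unreported_incident_rate": ("<=", 0.10),
    "log_review_completion": (">=", 0.95),
}


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def mean_time_to_detect(incidents):
    """Average hours from occurrence to detection."""
    return mean(_hours(i["occurred"], i["detected"]) for i in incidents)


def mean_time_to_report(incidents):
    """Average hours from detection to the incident being reported."""
    return mean(_hours(i["detected"], i["reported"]) for i in incidents)


def unreported_incident_rate(incidents):
    """Share of incidents that were only discovered later by audit."""
    return sum(1 for i in incidents if i["found_by_audit"]) / len(incidents)


def collect_metrics(incidents, reviews_done, reviews_expected):
    return {
        "mean_time_to_detect_h": mean_time_to_detect(incidents),
        "mean_time_to_report_h": mean_time_to_report(incidents),
        "unreported_incident_rate": unreported_incident_rate(incidents),
        "log_review_completion": reviews_done / reviews_expected,
    }


def evaluate_kpis(metrics, targets):
    """Map each metric name to True if its value meets the defined criterion."""
    ops = {"<=": lambda v, t: v <= t, ">=": lambda v, t: v >= t}
    return {name: ops[op](metrics[name], target) for name, (op, target) in targets.items()}


def percent_meeting_criteria(results):
    """Percentage of metrics meeting defined criteria (the 1.38 indicator)."""
    return 100.0 * sum(results.values()) / len(results)


if __name__ == "__main__":
    m = collect_metrics(INCIDENTS, LOG_REVIEWS_DONE, LOG_REVIEWS_EXPECTED)
    r = evaluate_kpis(m, KPI_TARGETS)
    for name, value in m.items():
        print(f"{name:28} {value:8.2f}  {'meets' if r[name] else 'MISSES'} target")
    print(f"{percent_meeting_criteria(r):.0f}% of metrics meet defined criteria")
```

In the sample data a single audit-discovered incident (INC-3) drags the mean time to detect far past its target, which is exactly the kind of signal that, in the case study that follows later in this domain, was missing: a metric is only useful if it is reported against a criterion someone is empowered to act on.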

1.66 Information Security Program Objectives

Implementing the strategy with an action plan will result in an information security program. The program is, essentially, the project plan to implement and establish on-going management of some part or parts of the strategy. The objective of the information security program is to shield the interests of those who rely on information, and the processes, systems, and communications that handle, store, and make available that information, from harm that might result from failures of availability, confidentiality, and integrity. The objectives are:
• Availability ensures that information, when required, is available and usable. Availability also ensures that the systems providing information are able to resist attacks appropriately.
• Confidentiality ensures that information is accessible only to those with appropriate rights.
• Integrity ensures that information is protected against unauthorized modification.
• Authenticity and nonrepudiation ensure that the exchange of information and business transactions with partners, or between different locations of the enterprise, can be trusted.
A few questions will be presented in the following screens.

1.67 Case Study 1: US Financial Institution

In this case study, let us look at a series of events that happened in a major US financial institution. On a Sunday evening when the bank was closed, low-level personnel monitoring the network operations center (NOC) of the financial institution noticed unusual network activity. Puzzled and uncertain about what they were seeing, and with no instructions to the contrary, they decided to watch the event rather than risk disturbing management on a weekend. No severity criteria, notification requirements, or escalation processes had been developed by the organization. By early Monday morning, traffic continued to increase at the main facility. Then, suddenly, traffic began to grow dramatically at the mirror site, located hundreds of miles away. Despite having been warned of the risk by a security consultant, the IT manager (when questioned by the author of this case study) stated with a degree of pride that the totally flat network had been designed for high performance and that he was confident his experienced team could handle any adverse eventuality. By 7 a.m. on Monday, the NOC personnel were sufficiently concerned to notify the IT managers about the problem and that the monitors showed the network was becoming saturated. An hour later, when the external computer incident response team (CIRT) arrived, the network was totally inoperative, and the team determined that the Slammer worm had compromised the network. The CIRT team manager informed the IT manager that Slammer was memory resident and that resolving the issue would require restarting the entire network and the mirror facility. The manager replied that he was not authorized to shut down the system and that the CIO would be required to issue that instruction. At that time, the CIO could not be located. The current emergency phone and pager numbers were kept in a new emergency paging system that required network access.
When asked what the disaster recovery plan (DRP) had to say regarding declaration criteria, three different plans were produced. The plans had been prepared by different teams in different parts of the organization, unbeknown to each other. None contained declaration criteria or specified roles, responsibilities, or authority. We will look at the results of these events in the next screen.

1.68 Case Study 1: US Financial Institution (contd.)

The final resolution ultimately required the CEO, who was traveling overseas and also not immediately available, to issue instructions on the following Tuesday morning to shut down the nonfunctioning network. The work of over thirty thousand people was hampered, and the institution could not operate for one and a half days. The postmortem team estimated the final direct costs to exceed fifty million US dollars. Stonewalling and a lack of cooperation from most employees hampered the postmortem, as employees feared being found at fault in the blame-oriented organizational culture. We will next observe the problems that led to these events in the next screen.

1.69 Case Study 1: US Financial Institution (contd.)

In an independent review of the incident, the following problems were found:
• There were literally hundreds of deficient processes and a dysfunctional culture.
• Better governance would have ensured that, in the absence of the CEO, the network manager could have made a decision.
• Metrics indicated a problem to those monitoring the NOC. However, the metrics were not sufficiently meaningful for the employees to make any active decisions, much less the correct ones. The issue could have been resolved quickly in the initial stages of the incident, before it became a problem, if the metrics had been better or the personnel had had greater proficiency.
Let us look at the conclusions that can be reached from this case study in the next screen.

1.70 Case Study 1 US Financial (contd.)

The conclusions relevant to metrics and governance are that incomprehensible information is just useless data. This case also illustrates that even if the metrics and monitoring that provide decision support are of high quality, they are useless to someone not empowered to make decisions. As a consequence, to develop useful metrics, it must be clear who makes what decisions and which information is required to make them. From this analysis, it is apparent that management metrics will typically require different types of information from different sources. This information must then be collated to create the information needed to decide what actions are required. This case demonstrates the necessity for organizations to develop and implement information security governance, together with the concomitant requirement to develop useful metrics. Let us look at another case study in the next screen.
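As an added illustration (not part of the course material) of what "clear who makes what decisions and which information is required" could look like for the incident above, here is a small Python model with explicit severity criteria for NOC utilisation and a pre-agreed delegation chain. The thresholds, role names and contact outcomes are constructed assumptions.

```python
from dataclasses import dataclass

SEVERITY_ORDER = ["normal", "elevated", "high", "critical"]
# Who must be told at each severity level; role names are constructed.
NOTIFY = {
    "normal": [],
    "elevated": ["noc-shift-lead"],
    "high": ["noc-shift-lead", "network-manager"],
    "critical": ["noc-shift-lead", "network-manager", "cio", "cirt"],
}

def classify(primary_util: float, mirror_util: float) -> str:
    """Map one sample (fraction of capacity in use at the main facility and
    at the mirror site) to a severity. Spread to the mirror is critical on
    its own: in the case study that is when it became a company-wide outage."""
    if primary_util >= 0.90 or mirror_util >= 0.50:
        return "critical"
    if primary_util >= 0.70:
        return "high"
    if primary_util >= 0.40:
        return "elevated"
    return "normal"

@dataclass
class Approver:
    role: str
    reachable: bool            # outcome of an out-of-band contact attempt
    may_order_shutdown: bool   # authority delegated in advance, in writing

def escalate(samples, chain):
    """Return (severity, roles to notify, role that may order a shutdown).
    The decider is the first approver who is both reachable and authorised;
    None means nobody can act, the situation the case study describes."""
    severity = max((classify(p, m) for p, m in samples), key=SEVERITY_ORDER.index)
    decider = None
    if severity == "critical":
        decider = next((a.role for a in chain
                        if a.reachable and a.may_order_shutdown), None)
    return severity, NOTIFY[severity], decider

# Constructed samples: load climbs at the main site on Sunday night, then the
# mirror site hundreds of miles away starts to saturate on Monday morning.
SUNDAY_SAMPLES = [(0.35, 0.05), (0.55, 0.06), (0.75, 0.08)]
MONDAY_SAMPLES = SUNDAY_SAMPLES + [(0.92, 0.10), (0.95, 0.60)]

# Constructed chains: the case-study situation (only the unreachable CIO may
# act) and a governed one in which authority is delegated to the network manager.
CHAIN_AS_IN_CASE = [Approver("cio", False, True), Approver("network-manager", True, False)]
CHAIN_WITH_DELEGATION = [Approver("cio", False, True), Approver("network-manager", True, True)]
```

Run `escalate(MONDAY_SAMPLES, CHAIN_AS_IN_CASE)` and the decider comes back as `None`, which is the stalled state described above; the delegated chain names the network manager instead.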

1.71 Case Study 2 TeliaSonera

TeliaSonera is a leading telecom company formed by the merger of Swedish-owned Telia and Finnish-owned Sonera. TeliaSonera has since become one of the leading telecom companies, with millions of customers in Europe and Asia. There were several problems during the merger of Telia and Sonera. • The security teams of both companies had to work together to create security policies and practices for the new company. They also had to create a governance plan covering all levels of the organization. • The company had to speak in the same tone throughout all levels of the organization. • Information security had to be seen as an element of learning and not as a punishment. Let us look at the steps that TeliaSonera took to develop acceptable security governance in the next screen.

1.72 Case Study 2 TeliaSonera (contd.)

The steps involved in developing acceptable security governance were: • One, the company had to implement the will and tone of management. This was expressed through an information security policy. • Two, controls had to be put in place to ensure that policies were being adhered to. • Three, a mechanism had to be provided so that action could be taken in exception cases. • Four, an awareness program had to be carried out throughout the organization so that employees were aware of, and could support, what management was trying to achieve. Let us look at how the company ensured that procedures were being adhered to in the next screen.

1.73 Case Study 2 TeliaSonera (contd.)

The company could periodically carry out security reviews to ensure that procedures were being adhered to. The reviews cover: • Controls • Change management • Skills • Network design, and • Security assurance. In conclusion, TeliaSonera implemented an information security governance framework that covered all levels of the organization; by doing so, the level of security awareness was raised and fewer incidents were reported. Let us have a quick recap of what we have learned in this lesson in the next screen.

1.75 Summary

Here is a quick recap of what we have learned. We have learned that: • Information security governance is a set of responsibilities and practices exercised by top management with the aim of providing strategic direction, ensuring that objectives are achieved, and ascertaining that risk is managed appropriately. • Effective information security governance assists in promoting good business practices and in addressing regulatory and legal requirements. • Executive management should influence resource allocation and act as a champion of change in creating the organizational environment. • Governance, Risk Management and Compliance (GRC) is an approach that organizations adopt to integrate the areas of governance, risk management, and compliance. • Metrics is a term used to denote measurements based on one or more references; a metric involves at least two points – the measurement and the reference. • Information security metrics should cover the following six areas: strategic alignment, risk management, value delivery, resource management, performance measurement, and assurance process integration. Let us continue with the recap in the next screen.

1.76 Summary (contd.)

• The current state can be assessed through a business impact analysis, while the desired state is a snapshot of all relevant conditions at a particular point in the future. • Information security strategic goals must be aligned with the strategic business and IT goals, and must also take the organization's business and technical environment into account. • The first step in carrying out an information security strategy is to evaluate the current state of the enterprise's information security. • A set of information security objectives, combined with available processes, methods, tools, and techniques, creates the means to construct a security strategy. • There must be an action plan to analyze the gap between the current and desired state and the initiatives required to reach the desired state. • Key Goal Indicators (KGIs) and Key Performance Indicators (KPIs) help to identify the goals and performance measures that need to be accomplished.

1.77 Conclusion

You have come to the end of this lesson. Next, you will learn about Information Risk Management and Compliance.
