
CISM-: INFORMATION SECURITY GOVERNANCE (LESSON ONE PART ONE)



CERTIFIED INFORMATION SECURITY MANAGER (CISM) CERTIFICATION TRAINING

DOMAIN ONE: INFORMATION SECURITY GOVERNANCE

LESSON ONE: PART ONE

DOMAIN DEFINITION

Establish &/or maintain an information security governance framework & supporting processes to ensure that the information security strategy is aligned with organization goals & objectives.

LEARNING OBJECTIVES

• Understand the purpose of information security governance, what it consists of & how to accomplish it

• Understand the purpose of an information security strategy, its objectives, & the reasons & steps required to develop one

• Understand the meaning, content, creation & use of policies, standards, procedures & guidelines & how they relate to each other

• Develop business cases & gain commitment from senior leadership

• Develop governance metrics requirements, selection & creation

TASK & KNOWLEDGE STATEMENTS

TASK STATEMENTS

• Establish &/or maintain an information security strategy in alignment with organizational goals & objectives to guide the establishment &/or ongoing management of the information security program
• Establish &/or maintain an information security governance framework to guide activities that support the information security strategy
• Integrate information security governance into corporate governance to ensure that organization goals & objectives are supported by the information security program
• Establish & maintain information security policies to guide the development of standards, procedures & guidelines in alignment with enterprise goals & objectives
• Develop business cases to support investment in information security
• Identify internal & external influences to the organization (e.g. emerging technology, social media, business environment, risk tolerance, regulatory requirements, third party considerations, threat landscape) to ensure that those factors are continually addressed by the information security strategy
• Gain ongoing commitment from senior leadership & other stakeholders to support the successful implementation of the information security strategy
• Define, communicate & monitor information security responsibilities throughout the organization (e.g. data owners, data custodians, end-users, privileged or high-risk users) & lines of authority
• Establish, monitor, evaluate & report key information security metrics to provide management with accurate & meaningful information regarding the effectiveness of the information security strategy

KNOWLEDGE STATEMENTS

• Knowledge of techniques used to develop an information security strategy (e.g. SWOT [strengths, weaknesses, opportunities, threats] analysis, gap analysis, threat research)
• Knowledge of the relationship of information security to business goals, objectives, functions, processes & practices
• Knowledge of available information security governance frameworks
• Knowledge of globally recognized standards, frameworks & industry best practice related to information security governance & strategy development
• Knowledge of the fundamental concepts of governance & how they relate to information security
• Knowledge of methods to assess, plan, design, & implement an information security governance framework
• Knowledge of methods to integrate information security governance into corporate governance
• Knowledge of contributing factors & parameters (e.g. organizational structure & culture, tone at the top, regulations) for information security policy development
• Knowledge of content in, & techniques to develop, business cases
• Knowledge of strategic budgetary planning & reporting methods
• Knowledge of the internal & external influences to the organization (e.g. emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third party considerations, threat landscape) & how they impact the information security strategy
• Knowledge of key information needed to obtain commitment from senior leadership & support from other stakeholders (e.g. how information security supports organization goals & objectives, criteria for determining successful implementation, business impact)
• Knowledge of methods & considerations for communicating with senior leadership & other stakeholders (e.g. organization culture, channels of communication, highlighting essential aspects of information security)
• Knowledge of roles & responsibilities of the information security manager
• Knowledge of organizational structures, lines of authority & escalation points
• Knowledge of information security responsibilities of staff across the organization (e.g. data owners, end-users, privileged or high-risk users)
• Knowledge of processes to monitor performance of information security responsibilities
• Knowledge of methods to establish new, or utilize existing, reporting & communication channels throughout an organization
• Knowledge of methods to select, implement & interpret key information security metrics (e.g. Key Goal Indicators [KGIs], Key Performance Indicators [KPIs], Key Risk Indicators [KRIs])

RELATIONSHIP OF TASK TO KNOWLEDGE STATEMENTS

The task statements are what the CISM candidate is expected to know how to perform.

The knowledge statements describe each of the areas in which the CISM candidate must have a good understanding to perform the tasks.

INTRODUCTION

Governance is broadly defined as the rules that run the organization including policies, standards & procedures that are used to set the direction & control the organization’s activities.

Governance is the process by which governments are selected, held accountable, monitored, & replaced. Corporate governance involves a set of relationships among the organization’s management, board, shareholders, & other stakeholders.

Corporate governance also provides the structure through which the objectives of the organization are set & the means of attaining those objectives are determined, & through which the monitoring of performance is established.

Information security governance is the system by which the information security activities of a particular organization are directed & controlled (reference: www.cyber-news.com).

Security governance is supported by such documents as:

• Organization for Economic Co-operation & Development (OECD)
• Institute of Chartered Accountants in England
• ISO/IEC 17799 (ISO 27002)
• British Standard 7799 (ISO 27001)
• Information Systems Audit & Control Association (ISACA), Control Objectives for Information & Related Technology (COBIT)
• National Institute of Standards & Technology (NIST) Special Publication (SP) 800-55, 800-26, 800-12

Information security governance needs to be integrated into the overall enterprise governance structure to ensure that the organization goals are supported by the information security program.

The governance framework is an outline or skeleton of interlinked items that support a particular approach to a specific objective as stated in the strategy. Several governance frameworks may be suitable for an organization to implement, including COBIT 5 (Control Objectives for Information & Related Technology) & ISO/IEC 27000 (International Organization for Standardization [ISO], International Electrotechnical Commission [IEC]).

The framework will serve to integrate & guide activities needed to implement the information security strategy. Information security governance is a subset of corporate governance & must be consistent with the enterprise’s governance. If enterprise governance is structured using a particular framework, it would make sense to use the same framework for information security governance to facilitate integration.

SECURITY POLICIES

Security policies are designed to mitigate risk & are usually developed in response to an actual or perceived threat.

Policies state management intent & direction at a high level. With the development of an information security strategy, the policies have to be developed or modified to support strategy objectives.

STANDARDS

Standards are developed or modified to set boundaries for people, processes, procedures & technology to maintain compliance with policies & support the achievement of the organization’s goals & objectives.
