
CISM: INFORMATION SECURITY GOVERNANCE (LESSON ONE PART ONE)

CERTIFIED INFORMATION SECURITY MANAGER (CISM) CERTIFICATION TRAINING

DOMAIN ONE: INFORMATION SECURITY GOVERNANCE

LESSON ONE: PART ONE

DOMAIN DEFINITION

Establish &/or maintain an information security governance framework & supporting processes to ensure that the information security strategy is aligned with organization goals & objectives.

LEARNING OBJECTIVES

  • Understand the purpose of information security governance, what it consists of & how to accomplish it
  • Understand the purpose of an information security strategy, its objectives, & the reasons & steps required to develop one
  • Understand the meaning, content, creation & use of policies, standards, procedures & guidelines & how they relate to each other
  • Develop business cases & gain commitment from senior leadership
  • Develop governance metrics requirements, selection & creation

TASK & KNOWLEDGE STATEMENTS

TASK STATEMENTS

  • Establish &/or maintain an information security strategy in alignment with organizational goals & objectives to guide the establishment &/or ongoing management of the information security program
  • Establish &/or maintain an information security governance framework to guide activities that support the information security strategy
  • Integrate information security governance into corporate governance to ensure that organization goals & objectives are supported by the information security program
  • Establish & maintain information security policies to guide the development of standards, procedures & guidelines in alignment with enterprise goals & objectives
  • Develop business cases to support investment in information security
  • Identify internal & external influences to the organization (e.g. emerging technology, social media, business environment, risk tolerance, regulatory requirements, third party considerations, threat landscape) to ensure that those factors are continually addressed by the information security strategy
  • Gain ongoing commitment from senior leadership & other stakeholders to support the successful implementation of the information security strategy
  • Define, communicate & monitor information security responsibilities throughout the organization (e.g. data owners, data custodians, end-users, privileged or high-risk users) & lines of authority
  • Establish, monitor, evaluate & report key information security metrics to provide management with accurate & meaningful information regarding the effectiveness of the information security strategy

KNOWLEDGE STATEMENTS

  • Knowledge of techniques used to develop an information security strategy (e.g. SWOT [strengths, weaknesses, opportunities, threats] analysis, gap analysis, threat research)
  • Knowledge of the relationship of information security to business goals, objectives, functions, processes & practices
  • Knowledge of available information security governance frameworks
  • Knowledge of globally recognized standards, frameworks & industry best practice related to information security governance & strategy development
  • Knowledge of the fundamental concepts of governance & how they relate to information security
  • Knowledge of methods to assess, plan, design, & implement an information security governance framework
  • Knowledge of methods to integrate information security governance into corporate governance
  • Knowledge of contributing factors & parameters (e.g. organizational structure & culture, tone at the top, regulations) for information security policy development
  • Knowledge of content in, & techniques to develop, business cases
  • Knowledge of strategic budgetary planning & reporting methods
  • Knowledge of the internal & external influences to the organization (e.g. emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third party considerations, threat landscape) & how they impact the information security strategy
  • Knowledge of key information needed to obtain commitment from senior leadership & support from other stakeholders (e.g. how information security supports organization goals & objectives, criteria for determining successful implementation, business impact)
  • Knowledge of methods & considerations for communicating with senior leadership & other stakeholders (e.g. organization culture, channels of communication, highlighting essential aspects of information security)
  • Knowledge of roles & responsibilities of the information security manager
  • Knowledge of organizational structures, lines of authority & escalation points
  • Knowledge of information security responsibilities of staff across the organization (e.g. data owners, end-users, privileged or high-risk users)
  • Knowledge of processes to monitor performance of information security responsibilities
  • Knowledge of methods to establish new, or utilize existing, reporting & communication channels throughout an organization
  • Knowledge of methods to select, implement & interpret key information security metrics (e.g. Key Goal Indicators [KGIs], Key Performance Indicators [KPIs], Key Risk Indicators [KRIs])

RELATIONSHIP OF TASK TO KNOWLEDGE STATEMENTS

The task statements are what the CISM candidate is expected to know how to perform.

The knowledge statements describe each of the areas in which the CISM candidate must have a good understanding to perform the tasks.

INTRODUCTION

Governance is broadly defined as the rules that run the organization including policies, standards & procedures that are used to set the direction & control the organization’s activities.

Governance is the process by which governments are selected, held accountable, monitored, & replaced. Corporate governance involves a set of relationships among the organization’s management, board, shareholders, & other stakeholders.

Corporate governance also provides the structure through which the objectives of the organization are set, the means of attaining those objectives are determined, & performance against them is monitored.

Information security governance is the system by which the information security activities of a particular organization are directed & controlled (reference: www.cyber-news.com).

Security governance is supported by such documents as:

  • Organization for Economic Co-operation & Development (OECD)
  • Institute of Chartered Accountants in England
  • ISO/IEC 17799 (ISO 27002)
  • British Standard 7799 (ISO 27001)
  • Information Systems Audit & Control Association (ISACA), Control Objectives for Information & Related Technology (COBIT)
  • National Institute of Standards & Technology (NIST) Special Publications (SP) 800-55, 800-26, 800-12

Information security governance needs to be integrated into the overall enterprise governance structure to ensure that the organization's goals are supported by the information security program.

The governance framework is an outline or skeleton of interlinked items that support a particular approach to a specific objective as stated in the strategy. Several governance frameworks may be suitable for an organization to implement, including COBIT 5 (Control Objectives for Information & Related Technology) & ISO/IEC 27000 (International Organization for Standardization [ISO], International Electrotechnical Commission [IEC]).

The framework will serve to integrate & guide the activities needed to implement the information security strategy. Information security governance is a subset of corporate governance & must be consistent with the enterprise’s governance. If enterprise governance is structured using a particular framework, it makes sense to use the same framework for information security governance to facilitate integration.

SECURITY POLICIES

Security policies are designed to mitigate risk & are usually developed in response to an actual or perceived threat.

Policies state management intent & direction at a high level. With the development of an information security strategy, the policies have to be developed or modified to support strategy objectives.

STANDARDS

Standards are developed or modified to set boundaries for people, processes, procedures & technology to maintain compliance with policies & support the achievement of the organization’s goals & objectives.
