You're reading from Certified Information Security Manager Exam Prep Guide Gain the confidence to pass the CISM exam using test-oriented study material

Product type Paperback

Published in Dec 2022

Publisher Packt

ISBN-13 9781804610633

Length 718 pages

Edition 2nd Edition

Concepts

Information Security

Author (1):

Hemang Doshi

View More author details

Table of Contents (12) Chapters

Preface

Online Exam-Prep Tools

1. Enterprise Governance FREE CHAPTER

2. Information Security Strategy

3. Information Risk Assessment

4. Information Risk Response

5. Information Security Program Development

6. Information Security Program Management

7. Information Security Infrastructure and Architecture

8. Information Security Monitoring Tools and Techniques

9. Incident Management Readiness

10. Incident Management Operations

11. Answers to Practice Questions

Organizational Culture

The culture of an organization and its service provider is the most important factor that determines the implementation of an information security program. An organization's culture influences its risk appetite, that is, its willingness to take risks. This will have a significant influence on the design and implementation of the information security program. A culture that favors taking risks will have a different implementation approach compared to a culture that is risk averse.

Figure 1.3: Organizational culture

Cultural differences and their impact on data security are generally not considered during security reviews. Different cultures have different perspectives on what information is considered sensitive and how it should be handled. This cultural practice may not be consistent with an organization's requirements.

For some organizations, financial data is more important than privacy data. So, it is important to determine whether the culture of the service provider is aligned with the culture of the organization. Cultural differences and their impact on data security are generally not considered during security reviews.

Acceptable Usage Policy

An acceptable usage policy (AUP) generally includes rules for access controls, information classification, incident reporting requirements, confidentiality requirements, email, and internet usage requirements. All participants must understand which behaviors and acts are acceptable and which are not. This maintains a risk-aware culture.

A well-defined and documented AUP helps spread awareness about the dos and don'ts of information security.

It is essential that the AUP is conveyed to all users, and acknowledgment should be obtained from the users that they have read and understood the AUP. For new users, an AUP should be part of their induction training.

Ethics Training

The information security manager should also consider implementing periodic training on ethics. Ethical training includes emphasizing moral principles that govern a person's behavior or the conduct of an activity. It includes guidance on what the company considers legal and appropriate behavior.

Training on ethics is of utmost importance for employees engaged in sensitive activities, such as monitoring user activities or accessing sensitive personal data.

Some examples of unethical behavior include improper influence on other employees or service providers, use of corporate information or assets for private benefit, accepting gifts or bribes, and multiple employments.

Acknowledgment should be obtained from employees on understanding ethical behavior and the code of conduct and this should be retained as part of the employment records.

Practice Question Set 2

A newly appointed information security manager is reviewing the design and implementation of the information security program. Which of the following elements will have a major influence on the design and implementation of the information security program?
1. Types of vulnerabilities
2. The culture of the organization
3. The business objectives
4. The complexity of the business
Which of the following is the most important factor to consider while developing a control policy?
1. Protecting data
2. Protecting life
3. Protecting the business's reputation
4. Protecting the business objectives
Which of the following risks is most likely to be ignored during an onsite inspection of an offshore service provider?
1. Cultural differences
2. Security controls
3. The network security
4. The documented IT policy
What does an organization's risk appetite mostly depend on?
1. The threat landscape
2. The size of the information security team
3. The security strategy
4. The organization's culture
What factor has the greatest impact on the security strategy?
1. IT technology
2. System vulnerabilities
3. Network bandwidth
4. Organizational goals
What is the most important consideration when designing a security policy for a multi-national organization operating in different countries?
1. The cost of implementation
2. The level of security awareness of the employees
3. The cultures of the different countries
4. The capability of the security tools
What is the most important factor in determining the acceptable level of organizational standards?
1. The current level of vulnerability
2. The risk appetite of the organization
3. IT policies and processes
4. The documented strategy
What is the most important factor for promoting a positive information security culture?
1. Monitoring by an audit committee
2. High budgets for security initiatives
3. Collaboration across business lines
4. Frequent information security audits