Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Certified Information Security Manager Exam Prep Guide

You're reading from   Certified Information Security Manager Exam Prep Guide Gain the confidence to pass the CISM exam using test-oriented study material

Arrow left icon
Product type Paperback
Published in Dec 2022
Publisher Packt
ISBN-13 9781804610633
Length 718 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
Hemang Doshi Hemang Doshi
Author Profile Icon Hemang Doshi
Hemang Doshi
Arrow right icon
View More author details
Toc

Table of Contents (12) Chapters Close

Preface 1. Enterprise Governance 2. Information Security Strategy FREE CHAPTER 3. Information Risk Assessment 4. Information Risk Response 5. Information Security Program Development 6. Information Security Program Management 7. Information Security Infrastructure and Architecture 8. Information Security Monitoring Tools and Techniques 9. Incident Management Readiness 10. Incident Management Operations 11. Answers to Practice Questions

Importance of Information Security Governance

In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented in the form of policies, standards, and procedures. The information security governance model is primarily impacted by the complexity of an organization's structure. An organization's structure includes its objectives, vision, mission and strategy, different function units, different product lines, hierarchy, and leadership structure. A review of organizational structure helps the security manager to understand the roles and responsibilities of information security governance, as discussed in the next section.

Information is one of the most important assets for any organization and its governance is mandated by various laws and regulations. For these reasons, information security governance is of critical importance.

Figure 1.1: Information security governance

Figure 1.1: Information security governance

Desired Outcomes of Good Information Security Governance

A well-structured information security governance model aims to achieve the following outcomes:

  • To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives
  • To optimize security investments and ensure the high-value delivery of business processes
  • To monitor the security processes to ensure that security objectives are achieved
  • To integrate and align the activities of all assurance functions for effective and efficient security measures
  • To ensure that residual risks are well within acceptable limits. This gives comfort to the management

Responsibility for Information Security Governance

The responsibility for information security governance primarily resides with the board of directors, senior management, and the steering committee. They are required to make security an important part of governance by monitoring its key aspects. Information security governance is a subset of enterprise governance.

Senior management is responsible for ensuring that security aspects are integrated with business processes. The involvement of senior management and the steering committee in discussions and the approval of security projects indicates that the management is committed to aspects relating to security.

Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight of the organization's security environment.

Steps for Establishing Governance

Governance is effective if it is established in a structured manner. A CISM aspirant should understand the following steps for establishing security governance:

  1. First, determine the objectives of the information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that the organization is willing to take. For example, an objective for a bank may be that their system should always be available for customers – that is, there should be zero downtime. In this manner, information security objectives must align with and be guided by the organization's business objectives.
  2. Next, the information security manager develops a strategy and a set of requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the best strategy to move to the desired state of security from its current state of security. The desired state of security is also termed the security objectives. This gap analysis becomes the basis for the strategy.
  3. The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security manager needs to consider various factors, such as time limits, resource availability, security budget, and laws and regulations.

These specific actions are implemented by way of security policies, standards, and procedures.

Governance Framework

A governance framework is a structure or outline that supports the implementation of information security strategies. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are both examples of widely accepted and implemented frameworks for security governance.

As information security governance is a subset of the overall enterprise governance of an organization, the same framework should be used for both enterprise governance and information security governance. This ensures better integration between the two.

Top-Down and Bottom-Up Approaches

There are two possible approaches to governance: top-down and bottom-up.

In a top-down approach, policies, procedures, and goals are reviewed and approved by senior management, hence policies and procedures are directly aligned with business objectives.

A bottom-up approach may not directly address management priorities. In a bottom-up approach, operational level risks are given more importance.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question

Possible Answer

Which approach (that is, top-down or bottom-up) is more effective for governance?

The effectiveness of governance is best ensured by a top-down approach.

In a top-down approach, policies, procedures, and goals are set by senior management and hence policies and procedures are directly aligned with business objectives. A bottom-up approach may not directly address management priorities. The effectiveness of governance is best ensured by a top-down approach.

What are the most important aspects of an information security strategy from a senior management perspective?

Business priorities, objectives, and goals.

What is a governance framework?

A governance framework is a structure that provides the outline to support processes and methods.

Figure 1.2: Key aspects from the CISM exam perspective

A Note on the Practice Questions

Throughout this book, and within the CISM certification exam itself, more than one of the answers may address the problem posed by the question. For that reason, it is very important to carefully read the question and ensure you pick the answer that represents the most important element of the solution.

Please also note, as ISACA recommends only those with "technical expertise and experience in IS/IT security and control" seek CISM certification, that this book assumes some prior experience in the field. With that in mind, you will face some questions intended to test your expected pre-existing knowledge. Do not worry if you do not get these questions right the first time; full explanations are given after every question to help you fill any gaps in your understanding.

Note

You can find the answer key and explanations for all practice and revision questions for this chapter under the section Chapter 1: Enterprise Governance of the solution set titled Answers to Practice Questions located at the end of the book.

Practice Question Set 1

  1. An information security manager has been asked to determine the effectiveness of the information security governance model. Which of the following will help them decide whether the information security governance model is effective?
    1. Security projects are discussed and approved by a steering committee
    2. Security training is mandatory for all executive-level employees
    3. Security training module is available on the intranet for all employees
    4. Patches are tested before deployment
  2. An information security manager is reviewing the information security governance model. The information security governance model is primarily impacted by:
    1. The number of workstations
    2. The geographical spread of business units
    3. The complexity of the organizational structure
    4. The information security budget
  3. Which of the following is the first step in implementing information security governance?
    1. Employee training
    2. The development of security policies
    3. The development of security architecture
    4. The availability of an incident management team
  4. Which of the following factors primarily drives information security governance?
    1. Technology requirements
    2. Compliance requirements
    3. The business strategy
    4. Financial constraints
  5. Which of the following is the responsibility of the information security governance steering committee?
    1. To manage the information security team
    2. To design content for security training
    3. To prioritize information security projects
    4. To provide access to critical systems
  6. Which of the following is the first step of information security governance?
    1. To design security procedures and guidelines
    2. To develop a security baseline
    3. To define the security strategy
    4. To develop security policies
  7. Which of the following is the most important factor for an information security governance program?
    1. To align with the organization's business strategy
    2. To derive from a globally accepted risk management framework
    3. be able to address regulatory compliance
    4. To promote a risk-aware culture
  8. Effective governance is best indicated by:
    1. An approved security architecture
    2. Certification from an international body
    3. Frequent audits
    4. An established risk management program
  9. Which of the following is the effectiveness of governance best ensured by?
    1. The use of a bottom-up approach
    2. Initiatives by the IT department
    3. Compliance-oriented approach
    4. The use of a top-down approach
  10. What is the prime responsibility of the information security manager in the implementation of security governance?
    1. To design and develop the security strategy
    2. To allocate a budget for the security strategy
    3. To review and approve the security strategy
    4. To train the end users
  11. What is the most important factor when developing information security governance?
    1. To comply with industry benchmarks
    2. To comply with the security budget
    3. To obtain a consensus from business functions
    4. To align with organizational goals
  12. What is the most effective way to build an information security governance program?
    1. To align the requirements of the business with an information security framework
    2. To understand the objectives of the business units
    3. To address regulatory requirements
    4. To arrange security training for all managers
  13. What is the main objective of information security governance?
    1. To ensure the adequate protection of information assets
    2. To provide assurance to the management about information security
    3. To support complex IT infrastructure
    4. To optimize the security strategy to support the business objectives
  14. The security manager notices inconsistencies in the system configuration. What is the most likely reason for this?
    1. Documented procedures are not available
    2. Ineffective governance
    3. Inadequate training
    4. Inappropriate standards
  15. What is an information security framework best described as?
    1. A framework that provides detailed processes and methods
    2. A framework that provides required outputs
    3. A framework that provides structure and guidance
    4. A framework that provides programming inputs
  16. What is the main reason for integrating information security governance into business activities?
    1. To allow the optimum utilization of security resources
    2. To standardize processes
    3. To support operational processes
    4. To address operational risks
  17. Which of the following is the most important attribute of an effective information security governance framework?
    1. A well-defined organizational structure with necessary resources and defined responsibilities
    2. The availability of the organization's policies and guidelines
    3. Business objectives supporting the information security strategy
    4. Security guidelines supporting regulatory requirements
  18. What is the most effective method to use to develop an information security program?
    1. A standard
    2. A framework
    3. A process
    4. A model
lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime