An information security strategy is a set of actions designed to ensure that an organization achieves its security objectives. This strategy includes what should be done, how it should be done, and when it should be done to achieve the security objectives.

A strategy is basically a roadmap of specific actions that must be completed to achieve any objective. Long-term and short-term plans are finalized based on the strategy adopted.

The primary objective of any security strategy is to support the business objectives, and the information security strategy should be aligned with the business objectives. The first step for an information security manager in creating a plan is to understand and evaluate the business strategy. This is essential to align the information security plan with the business strategy.

A strategy plan should include the desired level of information security. A strategy is only considered effective if the objectives...

The governance framework is a structure or outline that supports the implementation of the information security strategy. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are two widely accepted and implemented frameworks for security governance.

The Objective of Information Security Governance

Information security governance is a subset of enterprise governance. The same framework should be used for both enterprise governance and security governance to enable better integration of one with the other.

The following are the objectives of security governance:

• To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives.
• To optimize security investments and ensure the high-value execution of business processes...

Figure 2.3: IT balanced scorecard

The objective of an IT balanced scorecard (IT BSC) is to establish, monitor, and evaluate IT performance in terms of (i) business contribution, (ii) future orientation, (iii) operational excellence, and (iv) user orientation.

CISM aspirants should understand the following aspects of a balanced scorecard:

• The primary objective of an IT balanced scorecard is to optimize performance.
• The three indicators of an IT balanced scorecard are (a) customer satisfaction, (b) internal processes, and (c) the ability to innovate.

  Note

  Though financial performance is an indicator of a generic balanced scorecard, it is not part of an IT BSC.

• An IT BSC is the most effective means to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment. The success of an IT balanced scorecard depends upon the involvement of senior management in...

A program can be defined as a set of activities implemented in a structured manner to achieve a common objective. A security program includes various activities, such as implementing controls, raising awareness, monitoring, and reporting on controls and other related activities.

A security strategy is a guiding force for the implementation of a security program. The roadmap detailing the security implementation, i.e., procedure, resources, and timelines, is developed based on this strategy. Further, various implementation activities can be aligned and integrated on the basis of this strategy to achieve security objectives more effectively and efficiently.

An information security program should be aligned with the business objectives of the organization. The effectiveness of an information security program is determined based on its ability to address the risks impacting the business objectives.

Key Aspects from the CISM Exam Perspective

Following...

Figure 2.5: Security budget

Enterprise Architecture (EA) defines and documents the structure and process flow of the operations of an organization. It describes how different elements such as processes, systems, data, employees, and other infrastructure are integrated to achieve the organization's current and future objectives.

Security architecture is a subset of enterprise architecture. Its objective is to improve the security posture of the organization. Security architecture clearly defines the processes that a business performs and how those processes are executed and secured.

The first step for a security manager implementing the security strategy is to understand and evaluate the IT architecture and portfolio. Once they have a fair idea of the IT architecture, they can determine the security strategy.

Challenges in Designing the Security Architecture

While designing the security architecture...

Figure 2.7: Training for information security

End users are one of the most important stakeholders when considering the overall security strategy. Training, education, and awareness are of extreme importance to ensure that policies, standards, and procedures are appropriately followed.

Increasing the Effectiveness of Security Training

The most effective way to increase the effectiveness of training is to customize it as per the target audience and to address the systems and procedures applicable to that particular group. For example, a system developer needs to undergo an enhanced level of training that covers secure coding aspects. By contrast, data entry operators only need to be trained on security aspects related to their functions.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance.

Governance, risk management, and compliance are three related aspects that help achieve organizational objectives. GRC aims to lay down operations for more effective organizational processes and avoid wasteful overlaps. Each of these three disciplines impacts the organization's technologies, people, processes, and information. If GRC activities are handled independently of each other, it may result in a considerable amount of duplication and a waste of resources. The integration of these three functions helps to streamline assurance activities by addressing overlapping and duplicated GRC activities.

Though GRC can be applied in any function of an organization, it focuses primarily on financial, IT, and legal areas...

For effective implementation of security governance, support and commitment from senior management is the most important prerequisite. A lack of high-level sponsorship will have an adverse impact on the effectiveness of security projects.

It is very important for the information security manager to gain support from senior management. The most effective way is to ensure that the security program continues to be aligned with, and supports, the business objectives. This is critical for promoting management support. Senior management is more concerned about the achievement of business objectives and will be keen to address all risks impacting key business objectives.

Obtaining commitment from senior managers is very important to ensure appropriate investment in information security, as you will explore in the next section.

Information Security Investment

Any investment should be able to provide value to the business. The primary driver for investment...

A business case is a justification for a proposed project. It is prepared to justify the effort and investment in a proposed project and captures the reasoning for initiating a new project or task. Generally, the business case is a precursor to the start of any new project.

The business case is a key element in the decision-making for any project. The proposed return on investment (ROI), along with any other expected benefits, is the most important consideration for decision-making in any new project.

The first step in developing a business case is to define the need for and justification of the problem.

A feasibility study or analysis is an analysis that takes various factors into account, including economic, technical, and legal factors, to ascertain the likelihood of completing the project successfully.

A feasibility study should consider how the project will impact the organization in terms of risk, costs, and benefits. It helps...

In this chapter, you learned about the various aspects of security strategy, governance frameworks, and information security programs. You also explored in detail the benefits of increasing the effectiveness of security training. This helps the CISM aspirant understand the organization's security program and architecture.

In the next chapter, you will go through the important aspects of information risk assessment.

1. The most important consideration while developing an information security strategy is:
   1. The availability of information security resources
   2. Adherence to laws and regulations
   3. Effectiveness in mitigating risk
   4. Budget allocation for information security
2. The objectives of information security can be best described as:
   1. The requirements of the desired state
   2. The attributes of the current state
   3. The key business processes
   4. The control objectives for loss expectations
3. The most important factor when developing risk management strategies is:
   1. Using an industry-adopted risk assessment framework
   2. Aligning with business objectives and risk appetite
   3. Technology architecture
   4. The geographical spread of business units
4. "Systems thinking," in terms of information security, refers to:
   1. The perspective of artificial intelligence
   2. The perspective of the whole being greater than the sum of its individual parts
   3. The perspective of supporting the business objective
   4. The perspective of governance...