Certified Information Security Manager Exam Prep Guide

You're reading from Certified Information Security Manager Exam Prep Guide: Gain the confidence to pass the CISM exam using test-oriented study material

Product type: Paperback
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Length: 718 pages
Edition: 2nd Edition
Author: Hemang Doshi

Organizational Culture

The culture of an organization and its service provider is the most important factor that determines the implementation of an information security program. An organization's culture influences its risk appetite, that is, its willingness to take risks. This will have a significant influence on the design and implementation of the information security program. A culture that favors taking risks will have a different implementation approach compared to a culture that is risk averse.

Figure 1.3: Organizational culture

Cultural differences and their impact on data security are generally not considered during security reviews. Different cultures have different perspectives on what information is considered sensitive and how it should be handled. These cultural practices may not be consistent with an organization's requirements.

For some organizations, financial data is more important than privacy data. So, it is important to determine whether the culture of the service provider is aligned with the culture of the organization.

Acceptable Usage Policy

An acceptable usage policy (AUP) generally includes rules for access controls, information classification, incident reporting requirements, confidentiality requirements, and email and internet usage requirements. All participants must understand which behaviors and acts are acceptable and which are not. This maintains a risk-aware culture.

A well-defined and documented AUP helps spread awareness about the dos and don'ts of information security.

It is essential that the AUP is conveyed to all users, and acknowledgment should be obtained from the users that they have read and understood the AUP. For new users, an AUP should be part of their induction training.

Ethics Training

The information security manager should also consider implementing periodic training on ethics. Ethics training emphasizes the moral principles that govern a person's behavior or the conduct of an activity. It includes guidance on what the company considers legal and appropriate behavior.

Training on ethics is of utmost importance for employees engaged in sensitive activities, such as monitoring user activities or accessing sensitive personal data.

Some examples of unethical behavior include improper influence on other employees or service providers, use of corporate information or assets for private benefit, accepting gifts or bribes, and multiple employments.

Acknowledgment should be obtained from employees that they understand ethical behavior and the code of conduct, and this should be retained as part of the employment records.

Practice Question Set 2

  1. A newly appointed information security manager is reviewing the design and implementation of the information security program. Which of the following elements will have a major influence on the design and implementation of the information security program?
    1. Types of vulnerabilities
    2. The culture of the organization
    3. The business objectives
    4. The complexity of the business
  2. Which of the following is the most important factor to consider while developing a control policy?
    1. Protecting data
    2. Protecting life
    3. Protecting the business's reputation
    4. Protecting the business objectives
  3. Which of the following risks is most likely to be ignored during an onsite inspection of an offshore service provider?
    1. Cultural differences
    2. Security controls
    3. The network security
    4. The documented IT policy
  4. What does an organization's risk appetite mostly depend on?
    1. The threat landscape
    2. The size of the information security team
    3. The security strategy
    4. The organization's culture
  5. What factor has the greatest impact on the security strategy?
    1. IT technology
    2. System vulnerabilities
    3. Network bandwidth
    4. Organizational goals
  6. What is the most important consideration when designing a security policy for a multi-national organization operating in different countries?
    1. The cost of implementation
    2. The level of security awareness of the employees
    3. The cultures of the different countries
    4. The capability of the security tools
  7. What is the most important factor in determining the acceptable level of organizational standards?
    1. The current level of vulnerability
    2. The risk appetite of the organization
    3. IT policies and processes
    4. The documented strategy
  8. What is the most important factor for promoting a positive information security culture?
    1. Monitoring by an audit committee
    2. High budgets for security initiatives
    3. Collaboration across business lines
    4. Frequent information security audits