
Cism Flashcards

53 community-sourced questions and answers. Free — no login.

QUESTION 1

Information security governance is primarily driven by:

ANSWER

Business strategy

QUESTION 2

Who should drive the risk analysis for an organization?

ANSWER

the Security Manager

QUESTION 3

Who should be responsible for enforcing access rights to application data?

ANSWER

Security administrators

QUESTION 4

The MOST important component of a privacy policy is:

ANSWER

notifications

QUESTION 5

Investment in security technology and processes should be based on:

ANSWER

clear alignment with the goals and objectives of the organization

QUESTION 6

Define information security governance

ANSWER

1. A set of policies and procedures that establishes a framework of information security strategies
2. A practice area that ensures efficient utilization of information resources

QUESTION 7

The main purpose of information security governance

ANSWER

to ensure the safety of information including its Confidentiality, Integrity and Availability. Information security governance protects information from loss, misuse, unauthorized usage, and destruction during its life cycle or the time it is being used in an organization.

QUESTION 8

Benefits of information security governance

ANSWER

- accountability for protecting information during important business activities
- reduction of the impact of security incidents
- reduction in risks to tolerable limits
- protection from civil and legal liabilities
- enhancement of trust in customer relationships
- assurance of policy compliance
- protection of company reputation

QUESTION 9

In order to be effective, information security governance needs to provide 6 basic outcomes:

ANSWER

- strategic alignment
- value delivery
- risk management
- performance measurement
- resource management
- integration

QUESTION 10

Should information security investments be optimized or minimized?

ANSWER

Optimized so that they support business objectives.

QUESTION 11

Primary goals of resource management:

ANSWER

- keeping a record of security practices and processes
- acquiring knowledge and making it accessible
- building a security architecture that identifies and uses infrastructure resources properly

QUESTION 12

What is Corporate Governance?

ANSWER

Corporate governance is a set of procedures and duties performed by the board of directors and executive management to direct and control the organization. Corporate governance helps the board of directors to
• ensure that business objectives are met
• provide strategic direction for business activities
• verify the efficient use of the organization's resources, and ensure proper handling of business risks

QUESTION 13

Information Security Governance

ANSWER

While corporate governance deals with performance and control at all levels of the organization, information security governance is a subset of corporate governance. Information security governance is concerned with the policies and controls related to protecting information in the organization. It helps you to
• ensure that information security objectives are achieved
• provide strategic direction for information security activities
• ensure the efficient use of information resources, and manage information security risks

QUESTION 14

General components of the Information Security Governance Framework are:

ANSWER

- security strategy
- security policies
- standards
- security organizational structure
- metrics and monitoring

QUESTION 15

Steering Committee

ANSWER

Consists of senior representatives of departments that are directly or indirectly affected by information security policies. The steering committee aims to involve all stakeholders influenced by security aspects.

QUESTION 16

Who is responsible for identifying information assets that need to be protected and assigning appropriate priorities and protection levels for them?

ANSWER

The Board of Directors

QUESTION 17

Who is responsible for achieving organizational consent over priorities related to information security and ensuring the involvement of all stakeholders influenced by security considerations?

ANSWER

The Steering Committee

QUESTION 18

Who needs to establish reporting and communication channels in the whole organization to make sure that information security governance is effective?

ANSWER

The CISO

QUESTION 19

Who should establish processes for integrating security with business objectives and provide proper leadership and continuous support to the people working to implement information security?

ANSWER

Executive Management

QUESTION 20

What is GRC?

ANSWER

Governance, Risk Management, Compliance

QUESTION 21

What are the 3 GRC processes?

ANSWER

- Governance is the process that senior management can use to direct and control an organization. It involves developing methods to ensure that all employees of the organization adhere to its policies, standards, and procedures.
- Risk management helps you create and implement methods for mitigating risks. Using this process, you can establish the organization's risk tolerance, recognize potential risks and their impact on business operations, and decide the priority for mitigating the risks based on business goals and risk tolerance.
- Compliance is the process by which you supervise the controls and methods that ensure adherence to an organization's policies, standards, and procedures.

QUESTION 22

Systems Theory

ANSWER

Systems Theory is a network of processes, people, technologies, relationships, events, reactions, and results that interact with each other to achieve one common goal. By analyzing these interactions, an information security manager can understand the workings of a system in an organization and control any risks to it.

QUESTION 23

4 elements of the information security business model

ANSWER

• organization design and strategy
• people
• process
• technology

QUESTION 24

6 dynamic interconnections of the information security business model

ANSWER

• governance
• culture
• enablement and support
• emergence
• human factors
• architecture

QUESTION 25

Governance dynamic interconnection of information security business model

ANSWER

The governance dynamic interconnection links the organization and process elements. It involves guiding and controlling an organization.

QUESTION 26

Culture dynamic interconnection of information security business model

ANSWER

The culture dynamic interconnection links the organization and people elements. It represents people's beliefs, opinions, and behaviors.

QUESTION 27

Enablement and Support dynamic interconnection of information security business model

ANSWER

The enablement and support dynamic interconnection links the technology and process elements. It involves creating security policies, guidelines, and standards to support business requirements.

QUESTION 28

Emergence dynamic interconnection of information security business model

ANSWER

The emergence interconnection links the people and process elements. It indicates patterns in an organization's life that appear and grow without any evident reason, and have results that are difficult to forecast and control.

QUESTION 29

Human Factors dynamic interconnection of information security business model

ANSWER

The human factors interconnection links the people and technology elements, and indicates the relationship and gap between these elements.

QUESTION 30

Architecture dynamic interconnection of information security business model

ANSWER

The architecture interconnection links the organization and technology elements. It completely covers an organization's policies, processes, people, and technology that compose the security practices.

QUESTION 31

For the information security strategy to be effective, it should be developed to achieve certain high-level outcomes:

ANSWER

- strategic alignment
- risk management
- value delivery
- resource management
- performance measurement
- process assurance

QUESTION 32

Which 3 key participants are involved in the development of the information security strategy?

ANSWER

1. The BOD or the senior management
2. The executive management and steering committee
3. The CISO or ISM

QUESTION 33

responsibilities of key participants involved in developing an information security strategy

ANSWER

The senior management ensures that the organization's information security strategy is aligned with its business strategy and objectives. The executive management and steering committee are actively involved in risk management. It involves managing the threats to information assets during strategy implementation. To implement an information security strategy, the CISO and information security managers need to create detailed security action plans. The CISO specifies the security plans to be implemented.

QUESTION 34

In the McKinsey model, to ensure that security initiatives are carefully managed, they need to be:

ANSWER

- distributed equally across the organization's core business activities to manage new challenges
- reviewed and updated regularly based on the changes in the business environment, and
- directed towards initiating new businesses

QUESTION 35

This model reinforces the importance of analyzing business requirements from a security perspective while developing a security architecture.

ANSWER

SABSA. Sherwood Applied Business Security Architecture.

QUESTION 36

What are the 6 layers of the SABSA model?

ANSWER

- Business View, also called the Contextual Security Architecture
- Architect's View, also called the Conceptual Security Architecture
- Designer's View, also called the Logical Security Architecture
- Builder's View, also called the Physical Security Architecture
- Tradesman's View, also called the Component Security Architecture, and
- Service Manager's View, also called the Security Service Management Architecture

QUESTION 37

5 steps to develop an information security strategy:

ANSWER

- define the goals and objectives of the security program
- create a business case
- describe the desired state of the organization's security
- determine the current state of the organization's security, and
- establish an action plan to move from the current state to the desired state

QUESTION 38

Questions to ask when creating specific goals of information security:

ANSWER

Which resources are vital to the success of your business? Which of them should be confidential? Which are for internal use only? Which should be available to the public? For your goals to answer these key questions, you need to
• recognize and track information assets
• categorize information assets based on criticality and sensitivity, and
• determine the principles and procedures for effectively categorizing, storing, retaining, and removing information assets

QUESTION 39

In terms of developing an information security strategy, what is a business case?

ANSWER

A business case contains your justifications and arguments for implementing a security program. A typical business case should include all the details of the security program, such as the cost of implementing it, return on investment, benefits of the program, the actual risk and success factors, and the Total Cost of Ownership (TCO).

QUESTION 40

What is the desired state of information security?

ANSWER

The desired state of security depicts all relevant conditions related to an organization's information security that might arise in the future. For example, the desired state of security for a recently established IT company would be the establishment of a fully automated security system that protects the company from external threats.

QUESTION 41

What is COBIT 5?

ANSWER

COBIT 5 is an information security governance model that provides a set of processes, agreed measures, and best practices, mainly for the control and governance of information technology. It outlines a set of processes that align IT with the business. It serves as a bridge between business objectives, technology, and control requirements, and ensures maximum benefits from IT.

QUESTION 42

What is the current state of security?

ANSWER

The current state of security, which encompasses people, processes, and technologies, provides the security baseline from where you can implement the roadmap to reach the desired security state. This security baseline also provides the metrics that you can use to measure the progress made in achieving the desired state of security.

QUESTION 43

What is a security roadmap?

ANSWER

A roadmap is a set of actions or steps that you must execute in order to achieve the security strategy objectives. An effective roadmap should close the gaps between the current and desired states of security in your organization.

QUESTION 44

What are some sources used to develop a security strategy?

ANSWER

- policies
- guidelines
- standards
- procedures
- training
- personnel security
- awareness and education
- compliance enforcement
- audits

QUESTION 45

Of the sources used to develop a security strategy, which are considered the first set of resources used?

ANSWER

- Policies
- Procedures
- Standards
- Guidelines

QUESTION 46

Policies

ANSWER

Policies are the foundation of a security strategy. They are high-level statements that embrace the organization's goals and objectives for a specific area. They describe the management's intent and expectations from the security strategy.

QUESTION 47

Procedures

ANSWER

Procedures include step-by-step instructions to carry out a policy. For example, a Password Policy defines how often you need to change your password. A Password Management procedure, on the other hand, lists the procedure to create a new password and the steps to ensure that this is done correctly.

QUESTION 48

Standards

ANSWER

A standard is written in conjunction with a policy. For example, an organization may have a policy defining the use of wireless technology. This policy may be accompanied by a wireless standard that details the specific configuration setup and protocols required for connecting secure networks.

QUESTION 49

Guidelines

ANSWER

Guidelines contain information such as suggestions, dependencies, and examples that clarify procedures and help execute them. Guidelines are used as a precursor for what may eventually become a policy issue.

QUESTION 50

Internal Audit

ANSWER

Internal audits evaluate an organization's internal controls and operations. These audits are conducted by a department or a team set up specifically for this purpose. Internal audits support compliance requirements and function as independent risk assessors.

QUESTION 51

External Audits

ANSWER

External audits are often conducted by the Finance department and do not involve information security. However, external audits provide an objective view of the organization's overall security and are often a requirement for most organizations.

QUESTION 52

Strategies for addressing risk

ANSWER

- Risk mitigation
- Risk avoidance
- Risk transference
- Risk acceptance

QUESTION 53

Balanced scorecard

ANSWER

The balanced scorecard is most effective for evaluating the degree to which information security objectives are being met. The balanced business scorecard can track how effectively an organization executes its information security strategy and identify areas for improvement.
