CISM 15e Domain 3
DOMAIN 3
INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT
Develop and maintain an information security program that identifies, manages and
protects the organization’s assets while aligning to information security strategy and
business goals, thereby supporting an effective security posture.
This domain reviews the diverse areas of knowledge needed to develop and manage an
information security program.
DOMAIN OBJECTIVES
Ensure that the CISM Candidate has the knowledge necessary to:
• Define the broad requirements and activities needed to create, manage and maintain an
information security program to implement an information security strategy.
• Define and utilize the resources required to achieve the IT goals consistent with organizational
objectives.
• Identify the people, processes and technology necessary to execute the information security
strategy.
ON THE CISM EXAM
Domain 1: Information Security Governance, 24%
Domain 2: Information Security Risk Management, 30%
Domain 3: Information Security Program Development and Management, 27%
Domain 4: Information Security Incident Management, 19%
THE INFORMATION SECURITY PROGRAM
Purpose of the Program: Support and further the enterprise’s business objectives.
Objective of the Information Security Manager: To implement and execute a program that
manages information risk in a cost-effective manner.
DOMAIN 3 OVERVIEW
T3.1 Establish and/or maintain the information security program in alignment with the
information security strategy.
T3.2 Align the information security program with the operational objectives of other
business functions (e.g., human resources [HR], accounting, procurement and IT) to
ensure that the information security program adds value to and protects the business.
T3.3 Identify, acquire and manage requirements for internal and external resources to
execute the information security program.
T3.4 Establish and maintain information security processes and resources (including
people and technologies) to execute the information security program in alignment with the
organization’s business goals.
KNOWLEDGE STATEMENTS
How does Section One relate to each of the following knowledge statements?
IT steering committee: An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects.
Project management: The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects.
Resource: Any enterprise asset that can help the organization achieve its objectives.
Segregation of duties: A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.
Service level agreement: An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured.
ESSENTIAL PROGRAM ELEMENTS
[Diagram residue: Activity / Activity / Activity / Strategy / Should be examined]
RESOURCE MANAGEMENT
Expenses for security are more likely to be approved when communicated in advance.
• Value proposition
If policies and standards are not available, auditors assess a program against industry
practices.
Proper documentation can lead to an audit that provides relevant, useful insight.
FACILITIES AND SECURITY
Background checks
Pre-employment screening
Security awareness in orientation
Disciplinary actions
LEGAL AND PRIVACY
If information security is not connected with purchasing technology, business units may
deploy IT tools that compromise security.
Mature integrated processes include lists of approved devices and software.
At a minimum, technical purchases should be coordinated with information security for
risk assessment.
DISCUSSION QUESTION
Considering the implementation of the information security program is key for scoping
and budgeting.
Standards should be applied uniformly.
Track and enforce segregation of duties (SoD), events to be monitored, events that warrant
special attention, communication needs, and roles and responsibilities.
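As an added illustration (not part of the CISM course material), the following detective check applies the segregation-of-duties definition from the glossary to the tracking point above: it scans constructed audit-trail records and flags any transaction in which one user id held two of the roles that should be separated (initiating, recording, custody). The record format, role labels and user names are assumptions made for the example.

```python
# Added example, not from the CISM course material: a detective check for
# segregation-of-duties (SoD) conflicts. Per the glossary definition, the
# person who INITIATES a transaction, the person who RECORDS it and the
# person with CUSTODY of the asset should be separate individuals.
from collections import defaultdict

# Constructed audit-trail lines (assumed format): transaction id, role, user id.
SAMPLE_EVENTS = """\
TX-1001,initiate,alice
TX-1001,record,bob
TX-1001,custody,carol
TX-1002,initiate,dave
TX-1002,record,dave
TX-1002,custody,erin
TX-1003,initiate,frank
TX-1003,record,grace
TX-1003,custody,frank
malformed line that should be ignored
"""

SOD_ROLES = ("initiate", "record", "custody")


def parse_events(text):
    """Map each transaction id to {role: user}; skip blank or malformed lines."""
    by_tx = defaultdict(dict)
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[1] not in SOD_ROLES:
            continue
        tx, role, user = parts
        by_tx[tx][role] = user
    return by_tx


def find_sod_conflicts(text):
    """Return {tx: [(role_a, role_b, user), ...]} for every pair of SoD roles
    performed by the same user on the same transaction."""
    conflicts = {}
    for tx, roles in parse_events(text).items():
        hits = []
        for i, a in enumerate(SOD_ROLES):
            for b in SOD_ROLES[i + 1:]:
                if a in roles and b in roles and roles[a] == roles[b]:
                    hits.append((a, b, roles[a]))
        if hits:
            conflicts[tx] = hits
    return conflicts


if __name__ == "__main__":
    for tx, hits in find_sod_conflicts(SAMPLE_EVENTS).items():
        for a, b, user in hits:
            print(f"{tx}: SoD conflict, {user} performed both {a} and {b}")
```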
CONTINUOUS IMPROVEMENT
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
SECTION TWO
STANDARDS, AWARENESS AND TRAINING
TASK STATEMENTS
How does Section Two relate to each of the following knowledge statements?
Awareness: Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly.
Education: Focuses on telling people why something makes sense and providing context on which they can exercise individual judgement.
Policy: Generally, a document that records a high-level principle or course of action that has been decided on. The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.
Documentation defines a program’s content and the criteria against which its activities
can be assessed.
Includes:
• Policies and standards
• Procedures and guidelines
• Risk analysis and recommendations
ENABLING GOOD DOCUMENTATION
Version control is important to ensure people are using the correct documents.
• Prior versions should be retained for reference.
• Unapproved documents should not be reviewed except upon invitation.
Training or Education?
1. Don’t leave paper files in a place where people who may be in your work
area can find them.
2. Lock your computer whenever you leave a work area.
3. Never give out your password by phone or email.
4. Verify the identity of IT support staff before letting them access your
computer.
5. Use passwords that are at least 15 characters long, with no fewer than three
special characters.
6. Don’t use passwords that are easy to guess, such as your birthday or child’s
name.
ACTIVITY
Training or Education?
1. Don’t leave paper files in a place where people who may be in your work
area can find them.
Education: Whether files might be found is a judgement call.
2. Lock your computer whenever you leave a work area.
Training: It is prescriptive and applies in all cases.
3. Never give out your password by phone or email.
Training: It is prescriptive and applies in all cases.
ACTIVITY
Training or Education?
4. Verify the identity of IT support staff before letting them access your
computer.
Education: How to verify the identity is left up to individual judgement.
5. Use passwords that are at least 15 characters long, with no fewer than three
special characters.
Training: It is prescriptive and can be enforced by technical means.
6. Don’t use passwords that are easy to guess, such as your birthday or child’s
name.
Both: The examples are prescriptive, but judgement is needed to figure out
whether something else one has in mind might be easy to guess.
PROMOTING AWARENESS
When information security is taken seriously, employees are more conscious of their
actions.
Knowledge of rules and standards and their consequences acts as a deterrent.
Awareness paired with a feeling of being treated fairly can become a control itself.
SECTION TWO SUMMARY
A. Documentation
B. Authorization
C. Scheduling
D. Testing
SECTION THREE
BUILDING SECURITY INTO PROCESSES AND PRACTICES
TASK STATEMENTS
How does Section Three relate to each of the following knowledge statements?
Cloud computing: Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Compensating control: An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.
Corrective control: Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.
Detective control: Exists to detect and report when errors, omissions and unauthorized uses or entries occur.
Deterrent control: Reduces threat by affecting the behavior of threat actors.
Fail-safe: Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it (e.g., door unlocks).
Fail-secure: Describes a control that fails in a closed state (e.g., firewall blocks all traffic).
Preventative control: An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.
Source: The Open Group, TOGAF Version 9.1, United Kingdom, 2011
ARCHITECTURE AS A ROAD MAP
Architecture acts as a road map integrating smaller projects and services into a single
overall strategy.
Identifying connections between business functions helps to define control objectives.
Where multiple systems require common treatment, combinations of technologies can be
used to provide control points.
DESIGNING CONTROLS
Controls:
• Reduce risk to an acceptable level
• Do not necessarily eliminate the risk
Preventative
• Reduce or eliminate specific instances of vulnerability by making the behavior impossible.
Corrective
• Reduce impact by offsetting consequences after the fact.
Detective
• Warn of violations or attempted violations.
Compensating
• Reduce the risk of a control weakness through layering.
Deterrent
• Reduce threat through warnings and notices that influence behavior.
CONTROL TYPES AND EFFECT
Managerial (administrative): apply to processes and behaviors.
Technical (logical): apply to information systems, software and networks.
Physical: apply to facilities and areas within them.
Note: Controls of any effect category can be implemented using any of the three implementation methods.
MANUAL VS. AUTOMATED CONTROLS
Disaster recovery
• IT function aimed at recovering major infrastructure
Business continuity
• Business function that plans and organizes means to continue operations
Incident response is closely intertwined with disaster recovery and business continuity.
The goal is to identify and contain incidents to prevent interruptions and restore services.
Important to keep the following in mind:
• Maximum allowable downtime
• Maximum tolerable outage
• Recovery point objectives
• Recovery time objectives
SOFTWARE DEVELOPMENT
Verify that vendors’ performance aligns with the organization’s goals and strategy.
OUTSOURCING AGREEMENTS
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
• Big Data analytics
CLOUD DEPLOYMENT MODELS
The benefits of the cloud mean most organizations will use it as a solution at some
point.
• Cost is the primary driver.
A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
PRACTICE QUESTION
T3.9 Establish, monitor and analyze program management and operational metrics to
evaluate the effectiveness and efficiency of the information security program.
T3.10 Compile and present reports to key stakeholders on the activities, trends and
overall effectiveness of the information security program and the underlying business
processes in order to communicate security performance.
KNOWLEDGE STATEMENTS
How does Section Four relate to each of the following knowledge statements?
Continuous monitoring: An approach to monitoring that gathers data on a very frequent or real-time basis.
Effectiveness: An assessment of how well something produces expected outcomes.
Effectiveness: whether a control produces expected outcomes.
• Examples: reliable performance; implementation that is difficult to bypass.
Efficiency: whether a control’s effectiveness is provided at a good value.
• Examples: effects on other productive work; unnecessary redundancy.
GOOD TO KNOW
An accurate assessment requires a clear understanding of why a control exists and what
it is meant to protect.
TESTING AND MODIFICATION
Summaries and aggregate data can be used as the basis for management metrics.
METRIC ATTRIBUTES
• Manageable
• Timely
• Accurate
• Reliable
• Unambiguous
• Predictive
• Genuine
• Meaningful
• Actionable
DISCUSSION QUESTION