Information Security Governance Part I

The document discusses information security governance frameworks and best practices. It covers 11 topics related to developing an information security strategy, including identifying techniques, comparing relationships to key factors, recognizing governance frameworks, standards and best practices, planning governance implementation, and developing business cases and budgets. The goal is to provide organizational leaders techniques to meet goals and objectives through an effective information security governance program.


2/22/2021 Information Security Governance Part I Transcript

Information Security Governance Part I


Explore the information security strategy techniques and best practices for a governance framework to meet your organizational goals and objectives.

Objectives
identify InfoSec strategy techniques
compare InfoSec relationships to key factors
describe InfoSec governance frameworks
recognize concepts of governance
recall standards, frameworks, and best practices
define governance planning, design, and implementation
work with integrating into corporate governance
specify the contributing factors for InfoSec development
recognize developing business cases
describe strategic budgetary planning and reporting
describe InfoSec governance

Table of Contents
1. Information Security Strategy Techniques
2. Information Security Relationship to Key Factors
3. Available InfoSec Governance Frameworks
4. Fundamental Concepts of Governance
5. Standards, Frameworks, and Best Practices
6. Governance Planning, Design, and Implementation
7. Integrating into Corporate Governance
8. Contributing Factors for InfoSec Development
9. Developing Business Cases
10. Strategic Budgetary Planning and Reporting
11. Exercise: Describe InfoSec Governance

Information Security Strategy Techniques


[Video description begins] Topic title: Information Security Strategy Techniques. The presenter is Michael Shannon. [Video description ends]

Okay, let's begin our journey into the CISM, the Certified Information Security Manager, by looking at the organization behind the certification. And it
is the I-S-A-C-A, often referred to simply as ISACA.

[Video description begins] Who is ISACA? [Video description ends]

And it was formerly known as the Information Systems Audit and Control Association. And that's what the acronym originally stood for, but
nowadays we just call it ISACA. It's a non-profit organization that represents almost 150,000 professionals in over 180 countries. That's right, 180
countries. CISM was established in the year 2002 for the purposes of supporting security management: governance, specifically IT and information
security governance, risk management, and continuity planning, or what we call C-O-O-P, continuity of operations. There's a lot of advantages to
becoming a CISM certified practitioner,

file:///C:/Disk D/CISM_CISSP_CIS_CCSP/CISM/1. Information Security Governance Part I Transcript.html 1/17

[Video description begins] Advantages of the CISM Certification [Video description ends]

for example, it helps you establish credibility and allows your client or your customer to have a lot more confidence in you and your organization.
It's going to enhance the expert judgement and the subject matter expertise that you need to conduct qualitative risk management and quantitative
risk management. It's going to boost your career achievement and it's going to increase your marketability. And, by the way, that's been proven
through measurable metrics. The CISM certification will assist you in providing corporate security governance expertise. And also, for many
organizations and their particular regulations, it can meet a variety of organizational requirements. Let's look next at becoming a CISM.

[Video description begins] Becoming a CISM [Video description ends]

What I'd like you to do, however, for this particular information, is not to rely on this training for all of the granular aspects of qualification experience.
Because I want you to go to their website, okay, isaca.org, because there may be some changes. They may make some modifications. The actual core
information that I'm delivering in this course, and the objectives, they're not going to change. But some of this information might, so please rely on
their .org website for all of this information, and not this particular training. However, at the time of this training production, you had to have an
equivalent of five years of total work experience, with a minimum of three years of work experience, or 6,000 actual hours, of working in security
strategy and management in three of the following domains: 1, information security governance; 2, information risk management; 3, security program
development and management; and 4, information security incident management. All of your work experience, by the way, has to be completed
within a ten-year period before you take the exam. And you'll also have to complete a verification of work experience form. Also, when you go to
their website, you'll find out that up to a maximum of three years can actually be substituted. So, for example, if you have a CISA certification from
ISACA, or maybe you're an (ISC)² CISSP, or you have a postgraduate degree, that'll allow you to substitute two years. If you have any InfoSec
management or general security experience, that will be a one-year substitution. Also, one year can be substituted if you have something like a Security+
or maybe you've completed an InfoSec security management program. Like, let's say you went to sans.org and went through one of their InfoSec
security management programs. So there's ways to substitute for this work experience. And please, go up to their website to make sure that you
understand all of the ins and outs of becoming a CISM. You also have to commit to adhere to the ISACA Code of Ethics.

[Video description begins] Additional CISM Requirements [Video description ends]

And due to the proprietary nature of that, I'm not going to print these out here. However, if you go to www.isaca.org/ethics, you can see it's not very long.
But you need to understand those. You will be tested on those on the exam and you have to adhere to them. You have to have a passing score on the
exam. And by the way, you could take the CISM exam before you complete all the work experience. Remember, you have up to ten years to get that
work experience, but they don't recommend it. You also have to adhere to the CISM Continuing Education Policy. So you're going to want to check
that out while you're up there, as well. Every year, you have to get CE, or continuing education, credits to maintain that certification. And trust me,
you do not want to let your certification lapse. I actually did that with my CISSP. I took it back in 2002, and then I had a major change in my career
out of security and into SharePoint and Exchange. And I let it lapse, and I had to take it over again in 2015, and it's just not fun. So make sure you stay
on top of those CE credits. And then you have to send in an application within five years of passing the CISM exam.

[Video description begins] The CISM Exam [Video description ends]

Now I actually mentioned these four domains a little bit earlier, okay? So these are the four domains. And this particular training course is actually
made up of eight courses, so I'm dedicating two courses to each domain. You've basically got part one and part two of each of these job practice
domains. So domain number 1 is information security governance, and that makes up 24% of the exam. So about a fourth of it. Then domain 2 is
information risk management, and that's the biggest percentage, okay? 30% of the exam is information risk management. Domain 3 is information
security program development and management, also a hefty 27%. The final domain 4, which is information security incident management and
incident handling, that's only 19%. So it's the least tested domain of the four. Your application fee is $50. And the exam
registration fee as of the time of this recording, which is fall of 2018, is $575 for members, $760 for non-members. And by the way, that may change,
so make sure you go up and check with the website. All right, well that kind of covers the introductory stuff about CISM. Let's take a look at our first
major concept, our first major topic, and that would be governance. Governance is a process used by senior management of an organization

[Video description begins] Governance Defined [Video description ends]

to apply strategic control over the overall business proposition. Remember, your business proposition or your value proposition may be for profit or it
may be non-profit. You could be a regular organization or you could be a business. Governance is implemented through vision, through the
mission, through charters that actually publish and describe the vision and mission, through goals, objectives, policies, various delegations of tasks
and programs and projects, and continuous monitoring and visibility. Governance is also known as administrative or management oversight, and
governance applies to all organizational processes and programs. Governance is usually established through steering committees and board meetings, as
part of a medium-to-long-term strategy. The five general governance areas are: to govern the operations of the organization and protect its critical
assets; to protect the organization's market share and stock price, if applicable, or, if it's a not-for-profit organization, whatever the value proposition is;
to direct the conduct of employees, for example through acceptable use policies and other policies that might apply to using technology resources,
data handling, and communications; to protect the reputation of the organization; and to certify that compliance requirements are met. Information
security governance is a subset or

[Video description begins] Information Security Governance Defined [Video description ends]

a subcomponent of corporate governance. And it often goes hand in hand with, or is a companion or output of, the general information technology
governance. And realize that recent studies have shown us that information security failures are often failures of global governance and IT governance,
okay, so it flows down. NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that
information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through
adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. And it relies on effective and
efficient IT governance. The initial step of information security governance is for senior management, or what we call the C-suite or the C-team,
also known as executive management, to define the desired outcomes for the information security programs and initiatives. The results of IS
governance are typically expressed in terms of risk assessment, risk analysis, risk management, and risk treatment. And we'll talk more about these
terms of course. But risk treatment is also referred to as risk handling, risk tolerance, or risk appetite. Now this is a very important diagram, and it's
one that you'll probably want to

[Video description begins] Information Security Governance Flow [Video description ends]

return to and review again in your studies for this exam. And this is an information security governance flow. So if you'll notice, we start with the
vision or the mission of the organization. And that's typically expressed in one or more charter documents. That is going to be the output and then the
input to organizational business strategy. Now, strategy is a medium-to-long-term plan to reach one or more goals or objectives. And strategy also
involves aligning your business objectives with the organizational goals, the IT goals, and the security goals. So you can see that our organizational
business strategy leads to organizational business objectives. Now our business objectives and, again, the reason I put organizational/business is that
this could be, like I said, a for profit organization or a non profit organization, public or private. But those objectives lead to the IT strategy. The IT
strategy is a parent to the child IT security strategy, which is where we go next. The output of your IT security strategy is going to be your security
policies. Security policies have the goal of mitigating risk. And they are designed with specific threats, threat categories, and threat actors in mind.
And so these security policies basically express intent of management. And maybe other mandates from your steering committees, basically from
higher levels in the organization like your C-suite. And policies which are mandatory are going to lead to standards, security standards. And I'm sure
you're aware of security standards if you've got some experience in the security realm. Standards are protocols, technologies, and best practices
that are used by IT to set boundaries and parameters for people, for your processes, for your procedures, and for the technologies that you use, that
support the attainment of the aforementioned strategy, objectives, and policies. You may have several standards in use, and they're typically
mandatory, with the main goal of providing consistency. The standards are going to lead to our security processes and procedures. These are the
formal, well-documented definitions of our modular and repeatable programs, projects, initiatives, tasks, procedures, configurations, and ongoing
deployments. These are basically what we call our controls. And they're going to instruct personnel on how to properly implement different
control types and different control categories. For example, administrative, physical, and technical controls and other types like preventative,
corrective, recovery. And then of course the output to the processes and procedures are going to be your security metrics, okay? Your measurables,
your critical success factors, your KPIs,

[Video description begins] The acronym for Critical Success Factors is CSFs. [Video description ends]

your key performance indicators, your KRIs, your key risk indicators. And obviously, we're going to be talking in much greater detail about all of
these aspects. But I want to just start out kind of giving you this template. And finally realize that our security metrics are going to contribute to an
iterative feedback process. So the outcome of these metrics, okay, our reporting, our analysis, the dashboards that we're presenting. These can lead us
back to the organizational and business strategy, where we make key changes. And then it can also allow us to make more granular changes in IT
strategy and IT security strategy.

[Video description begins] Information Security Governance Results [Video description ends]

So to wrap up this lesson, the results of information security governance should be a strategic alignment with your organizational goals and
objectives. Setting the goals and directives for information security initiatives. For example, a bring your own device initiative, or a new wireless
WPA3 initiative. To assure process implementation and integration. To execute the proper risk management activities. To deliver the value proposition
of your organization in the most secure way possible. To offer a foundation for proper information security policies, standards, and procedures.
Information security governance also results in directing new or ongoing information security management while optimizing resources. And finally,
IS governance will help you generate meaningful performance metrics and key indicators, for example, KPIs and KRIs.

Information Security Relationship to Key Factors


[Video description begins] Topic title: Information Security Relationship to Key Factors. The presenter is Michael Shannon. [Video description ends]

On the CISM exam, we have knowledge area 1.2 which says, you need to understand and have knowledge of the relationship of information security
to business goals, objectives, functions, processes, and practices. So the security manager or the information security manager

[Video description begins] InfoSec Relationship to Key Factors [Video description ends]

should understand the relationship of information security to several areas. First of all, the organizational mission. Why does your organization or
your company exist? Who do you serve? Who are your customers? What are your products? What are your services? Are you for profit or are you
non-profit? Are you public? Are you private? Is it a government agency? Is it in the healthcare sector, financial sector, manufacturing sector? What's the
overall mission and charter? Then, what are the business goals and objectives? Are there certain things that you want to accomplish through your
organizational strategy? What is your timeline? Are you working off of, let's say, a quarterly report basis as a public company? Is it an annual or
fiscal year, or is it a five-year plan? And what are your strategies? What are the actions you have to take to reach your goals and
objectives to fulfill your mission? Security practitioners also have to align with other factors like the culture. It's the culture that tells you how the
people in your organization typically think, their work ethic, how they relate to one another. Maybe you have an organization that has a combination
of diverse cultures and diverse backgrounds. That must be considered. What about the value of your assets, both tangible assets and intangible assets?

And by the way, you can value intangible assets. Just go up to the Internet and do a search, or go to Amazon and look up Douglas Hubbard; he's got
several books on how to measure a wide variety of things. This also ties into the value of your intellectual
property, your marketing campaigns, your source code, your designs of your products, the cost of production. Just any sensitive information or
formulas you might have, as well. Do you have any patents or trademarks? What is your overall risk tolerance? This is also referred to as risk
handling, risk treatment, or your risk appetite. And again, this has to be on a global information security basis, but it can also be broken down asset by
asset, business unit by business unit. And you need to understand the market conditions, okay? If you're a company that sells a product or sells a
service, you're a commercial organization, you have to understand your marketplace. You should also know your company's weaknesses, your
company's vulnerabilities, as well as your strengths when you compare it to your competitors.

[Video description begins] Security Relationship to Business Goals [Video description ends]

Some other goals and objectives of making sure that security aligns with your business goals are, obviously, to enhance profitability. And if you're a
not-for-profit organization, what you could say here is we want to deliver our value proposition or our non-profit service, and do it at a lower cost. You
want to gain market share, you want to gain on your competitors. Maybe you want your stock price, your public stock price, to go up, to increase the
valuation of your company or your organization. Security can also make it easier for you to expand into new areas, into new technologies. If you
already have the framework in place, if you already have the architecture in place, it makes it easier to be extensible and flexible and scalable with
new technologies. You can attract new clients and new customers. When they realize the commitment you have to security and privacy, it makes you
more attractive, especially if you compare yourselves to other competitors who may not put focus on managing risk and lowering risk. And beating
your competitors to the market by getting, for example, that secure code or that secure app that you're deploying through Amazon Web Services,
getting it rolled out as quickly as possible.

[Video description begins] Information Security Relationship to Processes [Video description ends]

Some other aspects of information security that can help you meet your goals are to implement good project management. For example, maybe a PMP
or a PRINCE2 implementation where your project managers evaluate, design, develop, and then analyze your programs on a task-by-task basis.
What are your initiatives as they relate to security especially? So do you have new initiatives to help you meet new regulations or mandates?
Implementing WPA3 security in your wireless environment to help meet financial or healthcare mandates for security and privacy. Maybe you have
initiatives to move from a bring-your-own-device environment to a COPE environment, corporate owned, personally enabled. What type of
campaigns are you running? And these are a wide variety of campaigns, advertising campaigns, public service campaigns, social networking
campaigns. Remember your programs or your initiatives are a larger component of the underlying tasks and projects.

How does your business logic tie in? For example, if you're deploying a network solution, let's say, in the cloud Google Cloud or Amazon Web
Services, are your SharePoint services, are your web services deployed in a multi-tier model? For example, a three-tier model or a four-tier model,
where you have your front-end web servers or your SharePoint servers, but between that and your backend databases, like your SQL databases or
your MySQL databases, what are the middle tiers of business logic? And how does security play into those middle tiers? Is your organization a
vertical organization or a horizontal or flatter organization? A vertical organization is more like a traditional military, industrial-type corporation, the
ones we think of from the past, like an IBM or a Hewlett Packard or a 3Com. Whereas, over the last 20 years, we've seen flatter, horizontal
organizations. You have to also analyze how you're going to deploy your security solutions in these two different types of organizations and realize,
you may have a different model on a business unit or business case basis. As a security practitioner, you will be undergoing ongoing research.

[Video description begins] Security Relationship to Objectives [Video description ends]

For example, delving into machine-learning algorithms and automation, orchestration, artificial intelligence. Finding faster ways to develop your
product or your service, perhaps moving from a waterfall SDLC model to an agile model. Think about any upcoming mergers and acquisitions that
are happening in the next 90 days to 12 months, that can have a direct impact on security. What type of exposure do you have in your company to the
outside world, to contractors, to guests, to teleworkers, to temporary workers? Do you have contracts with the government or the military? So, what
about the exposure of your data in your data center? Are you moving that data up to the cloud? For example, Microsoft's Azure cloud or the IBM
cloud? Do you understand the shared responsibility model of protecting that data in the cloud between you as an organization and the cloud service
provider? Security doesn't often relate to marketing or market penetration. However, you must be responsible often for keeping those new marketing
campaigns a secret, your strategies for marketing new services. Make sure that intellectual property is protected, possibly using data-loss prevention
mechanisms in your email or your web mail. Security definitely plays a role in adopting emerging technologies and deciding how your company is going
to leverage new social networking and new Internet solutions. For example, what's the next LinkedIn coming down the pipe? How is your
organization going to participate? And of course, security plays a key role in understanding not just the existing governance and mandates and
regulations, but what are some potential regulations. For example, in March of 2018, the EU GDPR, General Data Protection Regulation, replaced the
old Data Protection Directive 95/46/EC. And the goal here was to kind of synchronize and harmonize data privacy laws across Europe. Well, it's
definitely going to affect you as a US organization for example, or a South American organization or a Canadian organization that does business with
the EU. And so it's possible, over the last 36 to 48 months, you've been actually working and looking ahead at this as a potential regulation. That's a
prime example. In this diagram, we see several contributing factors.

[Video description begins] Contributing Factors for InfoSec Development [Video description ends]

Let's start at the lower left-hand and look at people. That's a huge factor in our organization. And the people as they relate to technology is the human
factor. As a matter of fact, as humans deal with technology, that's probably the number one source of vulnerability in your organization. People affect
your organization based on your culture. They're going to emerge with their skill set as they get involved in your processes and procedures. Notice
that organization flows down to the process and that's where your governance comes in. The processes and procedures and step-by-step practices,
these are going to enable and support your technology. And as an organization, as a steering committee or as governance, you'll be making choices
about your architectures and your frameworks. And of course, that's going to affect the underlying technology you choose. You'll also want to be able
to analyze your internal

[Video description begins] Information Security Relationship to Functions [Video description ends]

and external business functions. And this diagram gives you kind of an example of maybe a manufacturing organization that has the production aspect
on the left-hand side with research and development, which leads to the production and quality control. And then the distribution and logistics of their
product or service. Of course, it also involves marketing and advertising and public relations. And that basically moves into the selling area with sales
and marketing and market research. That would be an internal and external business function. And then, of course, what type of support mechanisms
do you have? Computing support, buying and purchasing or acquisition or development? Are you going to develop the product or are you going to
acquire the product? Are you going to develop the solution or are you going to acquire the solution? It'll also involve HR personnel, and how you
recruit and go out and find employees with the proper skill set. Support also involves management accountancy, chartered accountants, and
management consultancy.

Available InfoSec Governance Frameworks


[Video description begins] Topic title: Available InfoSec Governance Frameworks. The presenter is Michael Shannon. [Video description ends]

In this lesson, we're going to look at some information security strategy techniques, primarily three techniques that'll come up on the CISM exam.
First, SWOT analysis, then gap analysis, then threat research or threat modeling. Let's talk about SWOT first.

[Video description begins] InfoSec Security Strategy Techniques [Video description ends]

SWOT stands for strengths, weaknesses, opportunities, and threats. SWOT is basically a general analysis tool that's used as part of your strategic
planning. It's kind of an introspective look or analysis at your overall organization, strengths and weaknesses, things that are harmful, things that are
beneficial. But also things that are internally driven or things that are externally driven. So if you look at the diagram on the right-hand side, let's
imagine this is a table, a table with two columns, and a table with two rows, or two records. In the first column, we see strengths and opportunities.
We would consider those to be things that are helpful in getting to our goals and objectives, okay? Strengths are helpful, opportunities are helpful.
Strengths, however, are going to originate internally. So they're attributes or products of our business or our organization. For example, a competitive
marketing advantage, or we have several valuable patents and trademarks that we can leverage for our profitability. And then we have opportunities,
which are characteristics of our environment. They are external in origin. So think of opportunities, the opportunity to merge with some strategic
partner, or maybe acquire some new startup company and their new technology. Or the ability to rapidly modify our app, or our application, to get an
edge on our competitor, okay? So strengths and opportunities are both helpful in getting to our objective.

Weaknesses and threats, however, are detrimental. They are harmful to reaching our goals and objectives. Weaknesses are also going to originate
internally. So internal weaknesses could be things like a tendency to have data leakage, okay, or data loss through email, or web mail, or social
networking. It could be long-term internal employees who are disgruntled, represent a single point of failure, let's say in the data center, and
are able to slowly extract or exfiltrate data to sell on the dark web. Maybe you have weaknesses in your physical security. You have a lot of people
who tailgate, or piggyback, using their access cards when they come into the building or they move between floors. So weaknesses are detrimental,
and they're of internal origin. And then we have threats, which are also harmful, but threats are external in origin. And again, in the sense of the
SWOT analysis, you might think, well, you can have internal threats. Yes, you can, but in the SWOT strategy, those are referred to as weaknesses. So
external threats would be an ex-employee who goes out and launches a ransomware campaign against our organization, or some malicious user tries
to conduct blackmail and extortion, or blackstortion, against a CIO. Or maybe it's a spear phishing attack against our finance department through
email, or a whaling attack through email against the CEO or the CFO, the chief financial officer, okay? So threats are detrimental, they're harmful, and
they originate externally. And so to define these, strengths are advantageous business factors.

Opportunities are environmental entities that the organization can use to its advantage. Weaknesses are attributes and vulnerabilities that represent a
distinct business advantage. And threats are vectors and threat agents, or threat actors, that can cause harm and increase risk. Security managers and
security engineers are often involved early on in the strategy phase or the design phase of the information risk management program. And they are
going to have some type of vision or mission for the end goal, or the finish line, let's put it that way. And this can be a marathon, okay? Not a sprint,
not a 50-yard dash, but a marathon. And typically, they're going to base this on information that's found and discovered using risk frameworks. Maybe
COBIT 5 as a framework, or some ISO/IEC 27000 framework, or maybe even ITIL version 3. But before you can develop any plans or initiatives, as
a security strategist, you have to have a good idea of the current state of not just your overall organization and business units or organizational units,
but the current state of the ongoing initiative, if there is one, okay? If there is no formal initiative or no program, then obviously you're going to have
to do a gap analysis to discover what types of controls, what administrative/managerial controls, physical, and technical controls you're going to have
to implement to increase the resistance or increase the difficulty to lower vulnerability, to lower risk.

Now gap analysis is a method that businesses and organizations use to determine what steps must be taken to move from its current state, which is
obviously filled with inherent risks, to a preferred future state. And that preferred future state will only leave us with what we call residual risk. And
in a best-case scenario, that residual risk is going to be treated or handled basically by just accepting it, okay? Because our programs will handle the
inherent risk through other risk handling and risk treatment methodologies. Now gap analysis is also referred to as need or needs-gap analysis, needs
analysis, or you may hear it referred to as needs assessment, and gap analysis consists of three main components. First, you're going to list, or you're
going to categorize, the characteristic factors. These are attributes, competencies, performance levels, through key performance indicators of your
present situation. And this can be done by your steering committee, it could be done by internal auditing. Perhaps you're going to use the Delphi
method, and you are going to give surveys and other types of questionnaires to key stakeholders or leaders of business units or organizational units.
And then maybe even in an anonymous way get that feedback and use that for your gap analysis. Secondly, you'll publish the factors necessary to
achieve future objectives. And this is often in the form of summaries or reports that are to go to the C-Suite or the C-team, maybe the CIO, the CISO,
and then maybe even members of the board of directors that have security expertise. Often a board of directors will bring in at least one person who
has experience maybe dealing with enterprise security. And so you're going to publish that, either in a binder or in the form of a dashboard that's
presented in a meeting, or maybe it can be posted up on your intranet. And then thirdly, the final gap analysis component is the emphasis that gaps
exist, and then discovery of how you're going to fill those gaps, okay? And remember, once we fill those gaps, all we should be left with is residual
risk that, from a treatment standpoint, we're willing to accept. So gap analysis is a very valuable tool. It's used quite often, especially in the strategy
and design phases.

The third strategy technique that CISM wants you to be aware of is threat research and modeling. And threat research and modeling is going to
support your overall threat assessment and risk assessment that's performed early on in the risk management life cycle. Threat modeling is a method
for optimizing security by identifying objectives and vulnerabilities, and then defining and implementing countermeasures to prevent or mitigate the
effects of threats and threat actors, or threat agents. And often nowadays, we're going to use machine learning algorithms, possibly automation and
artificial intelligence. We'll take the results of our threat research, and we'll put it up in big data, data warehouses or data lakes. And we'll do analysis
in the cloud, maybe Google Cloud Platform, or Amazon Web Services, or IBM Cloud, or something else. And we'll do analysis to get our results.
Threat modeling may actually entail creating private virtual sandboxes up in the cloud, or detonation chambers, where we go and we test things out.
So threat modeling often involves going through different kinds of prototypes that represent our existing organization. It could tie in to gap analysis
and then use intelligent tools, especially advanced automated and orchestration tools, that we can get from these cloud service providers now to
analyze all this data.

So if we look at the diagram on the right-hand side, let's say that we're going to do some threat research and modeling based on an application, maybe
an enterprise-wide application, one that we developed in-house, or one that we acquired from a third-party vendor. So using SWOT or gap analysis,
we can identify our security objectives. Again, this comes from strategy, and then we'll do an overview of the application, an examination of the
application. It may be a black box, or a white box, or a gray box type of analysis. We'll then decompose the application, break it down into modular
components for deeper analysis. And then once we've decomposed the application or decoupled it, which, by the way, we can also use the cloud for
that, we identify the threats and then we identify our vulnerabilities. And so the result should be residual risk that we're willing to accept. And so that's
an example of using threat research and modeling for an enterprise-wide application. So in a nutshell, three main InfoSec security strategy techniques to
be aware of on the exam, SWOT analysis, gap analysis, and threat research and modeling.

Fundamental Concepts of Governance


[Video description begins] Topic title: Fundamental Concepts of Governance. The presenter is Michael Shannon. [Video description ends]

As security practitioners, it's very important to understand our risk handling and risk treatment posture, and how our information security ties into the
overall global governance of our organization. Senior management and executive management will use security governance to

[Video description begins] Fundamental Concepts of Governance [Video description ends]

direct the results of the information security program and initiatives. Governance will choose the appropriate security frameworks and architecture.
For example, CIS-CSE, ISO/IEC 27002, or NIST 800-53. Management should generate a road map to identify the necessary assets and resources to
meet security goals. Security governance is a smaller, yet integrated aspect of the larger corporate governance. Now earlier, I mentioned using
mechanisms and strategies like gap analysis, SWOT analysis, threat research and modeling. But what if, for example, you don't have the resources to
do threat modeling up in the cloud? You don't have the ability in your organization, based on your budget, to do, let's say, big data analysis. Well, you
can rely on expert judgement to help you with your security governance. For example, you could rely on professional organization chapter meetings
and roundtables in your local area, like ISSA, Information Systems Security Association, or CSA, the Cloud Security Alliance. You can use
published best practices from ISACA, SANS.org, and ISC2. There is security industry news, for example, Information Security Magazine, Dark
Reading, or SC Magazine. There are research reports typically put out on an annual basis from companies like Verizon, PricewaterhouseCoopers,
PWC, Ernst and Young, EY, and Symantec. There's advisory services and consulting firms like Forrester and Gartner. You can attend conferences, for
example the BlackHat, or Defcon, or the RSA conference. And then finally, you could also rely on intelligence services. So there's plenty of resources
out there to provide input to your security governance. Remember, governance has an enterprise-wide scope.

[Video description begins] Characteristics of Effective Security Governance [Video description ends]

Your leaders should be responsible and held accountable. Your security initiative should be a risk-based cost of doing business, so that sufficient
resources are allocated. You want to make sure that roles, responsibility, and segregation of duties are well defined. Governance is policy-based along
with the development life cycle. The SDLC can be a software development life cycle or a systems development life cycle. Your staff should be well
trained and cognizant. And governance is measurable, planned, uses meaningful metrics, well managed, and internally and externally audited on a
regular basis. Enterprise security governance is a sub-component of IT governance.

[Video description begins] Enterprise Security Governance [Video description ends]

And it's the systematic guidance and direction of IT security by an organization. And this is well-defined in ISO 38500. Governance is often
improperly referred to as security management or security administration. But remember, governance is a much larger component. It determines a
framework for roles, responsibilities, and accountability. Governance assures alignment of your security initiatives with your business or
organizational goals, mission, and vision. And governance offers initial and ongoing oversight, typically through steering committees and round
tables, to deliver continual improvement.

Standards, Frameworks, and Best Practices


[Video description begins] Topic title: Standards, Frameworks, and Best Practices. The presenter is Michael Shannon. [Video description ends]

Okay, in this lesson we're going to get an introduction to standards, frameworks, and best practices. And let's begin with frameworks because the
frameworks and the architectures that you choose are going to drive the standards, and the procedures, and policies, and best practices that you use.
Now, a framework, as we see over here in the picture, your information security strategy is only as solid as your foundation and your framework. And
the framework or architecture determines and enforces the methodologies you use, the technologies, the mechanisms, the techniques, the algorithms,
the overall granular approach that you take to delivering security. Frameworks allow you to simplify working with several complex technologies.
They also allow you to better receive new technology and to be able to rapidly change with new initiatives, for example, frameworks are typically
extensible. So, for example, if you look at a framework like PKI, Public Key Infrastructure, it's going to be extensible for new changes that are made
in the X.509 v3 certificate. 802.1X, which is also referred to as PNAC, Port-based Network Access Control, is also extensible because of its reliance
on EAP, Extensible Authentication Protocol. So a newer variant, let's say, like EAP-TTLS, for example. And IPSec, of course, which is now built
into IP version 6. And they have your extension headers which makes that IPSec framework extensible.

So, typically, frameworks kind of collect and gather together many discrete systems, different algorithms and mechanisms, and it allows you to kind
of bring together your initiative as one whole. Now here's a list of several frameworks you need to be aware of. And by the way, you won't be having
to go into great detail on the exam. But you need to understand that COBIT, and we're using COBIT 5 now, is the Control Objectives for Information
and Related Technology. This is a framework for auditing and assurance, risk management, information security, regulations, security compliance, IT
compliance. Basically, the overall governance of your IT enterprise. There's also the ISO, which is the International Organization of Standardization.
And that standards body, that international body, is made up of representatives from all different types of national standards organizations. And so you
have the ISO 27000 series, for example, ISO 27005:2008, ISO 27001, 27002. There's also OCTAVE, which is the Operationally Critical Threat,
Asset, and Vulnerability Evaluation. That was developed at Carnegie Mellon University. National Institute of Standards and Technology.

[Video description begins] The acronym of National Institute of Standards and Technology is NIST. [Video description ends]

And it offers many solutions, including a risk-assessment framework that's documented in special publication 800-30. There's ISACA, which is what
we're here for, the CISM. And they have what's called RISK IT, which is actually a part of COBIT. And all of these frameworks have similar
approaches, but they differ in their high-level goals. And that includes, of course, ITIL, Information Technology Infrastructure Library version 3.
Begins with service strategy which leads to service design, then service transition, to service operation, and finally continual improvement. Now I did
define policies early on in this training, but let's kind of go a little bit deeper here. Policies, simply defined, are the overall formally expressed goals
and directions of executive or senior management. So that's who drives your policies. They represent higher-level plans for how management is going
to secure the organizational assets and resources, both tangible and intangible assets.

Policies define what activities and resource usage are acceptable, and what things are not acceptable. So for example, a very common section of a
policy is the AUP, the Acceptable Use Policy. They extend the actions that are derived from risk assessment and risk analysis. And policies help
define which security controls are going to be deployed. And policies are almost always mandatory. Next we have standards. And standards are
developed and modified in order to set the security domain boundaries for all of your enterprise entities. That includes the people, the processes, the
technologies, and the procedures. Standards assist in compliance with higher-layer policies. Each standard is mandatory and it typically maps to
several standards, some of the ones that we mentioned earlier. Standards help support your enterprise objectives and goals. And they're often
combined with the technical, administrative, and physical controls to deliver confidentiality, integrity, and availability. Finally, we have best practices,
and these are also referred to as guidelines

[Video description begins] The acronym of Confidentiality, Integrity, and Availability is CIA. [Video description ends]

or maybe recommendations. These guidelines and best practices are recommended actions for processes used by users, your IT staff, security
operations, and other stakeholders. They often come in handy, especially for those gray areas where maybe specific standards don't apply. And they
represent general methodologies and techniques that provide the essential flexibility, especially to handle unforeseen circumstances. Keep in mind that
best practices are not mandatory. They're not enforced by policy. They're fundamentally high-priority recommendations.

Governance Planning, Design, and Implementation


[Video description begins] Topic title: Governance Planning, Design, and Implementation. The presenter is Michael Shannon. [Video description ends]

In this lesson, we're going to look at two main topics. First we're going to look at the outcomes of a solid governance design, specifically IT and
information security governance. And then we're going to kind of break down those four ways to treat risk, also known as Risk Handling, Risk
Appetite, and get a deeper understanding. Now, let's talk about the outcomes of governance design.

[Video description begins] Governance Planning, Design, and Implementation [Video description ends]

First off you're going to have an aligned strategy. Aligning your information security mandate with whatever your organization or strategy is,
basically, to support the goals of the organization. You want to make sure that your security solutions that you select are going to be a good synergy
with your enterprise processes. Your governance style, your mission, the culture of your organization, the technologies you use, for example
proprietary versus open source, and the structure of your organization. For example, are you a kind of functional, managed organization, or are you a
projectized organization? And then the second outcome is just having managed risk. Implementing the proper mechanisms to countermeasure risk, the
controls necessary to reduce impact or magnitude on resources. And then delivery of value. This is the synergy or the marriage with your value
proposition. The bottom line is whatever investments you make in security controls, you want to get the most out of them, you want to get the best bang
for your buck. You want complete solutions, not partial solutions. They need to be properly prioritized and with continued improvement as the
primary goal. You want to optimize your resources, using your InfoSec knowledge and your infrastructure to the best of your ability. Making sure that
you're capturing knowledge and best practices, documenting all of your security practices and processes. And making sure that you develop strategies,
frameworks, and architectures to best utilize your infrastructure. Of course you want to measure performance. So you want to have measurable and
meaningful metrics, key performance indicators, key risk indicators, as well as identifying your critical success factors. And you want to assure
process integration. How can you coordinate all of the different business functions so that security is at the heart of the operations?

[Video description begins] Determining Risk Capacity [Video description ends]

Now, I've already mentioned these four categories of risk. I'm going to go deeper into these. First we have avoiding risk, then we have mitigating risk,
then we have transferring risk, and then accepting risk. Let's break these down one at a time. First we have what's called risk avoidance,

[Video description begins] Avoiding Risk [Video description ends]

which is one of the ways that we treat or handle or manage risk. Basically risk avoidance means not conducting or taking part in an action that could
result in an unacceptable loss. So, for example, we're not going to allow mobile devices to be turned on at work. Somebody wants to use their mobile
phone, they have to go outside of the building on break. Maybe you're a retailer, a brick and mortar retailer, and you're not going to accept checks,
okay? Only cards and cash. Or maybe you don't conduct your own credit card transactions, maybe you go through a third-party broker, like PayPal,
for example. If you avoid risk altogether, keep in mind it could result in you missing out on some opportunity. So, for example, if your retail
organization decides not to sell the products online, you could be missing out on market share. And in today's marketplace, it's not always feasible to
avoid risk because of the need to compete and to take on new technologies and new solutions. Mitigating risk is known as reducing risk, or
optimization.

[Video description begins] Mitigating Risk [Video description ends]

From a quantitative risk analysis standpoint, we will call this increasing the level of difficulty, or increasing resistance in the organization. These are
countermeasures and controls that reduce your risk exposure, or reduce the likelihood or severity of loss, primary loss and secondary loss. For
example, through lawsuits or regulatory fines. Risk is mitigated at various levels as part of a defense-in-depth or layered security strategy, both
physical and logical. Remember risk will still exist, there's still going to be residual risk, but the impact is reduced. There's also transferring risk and
this is also referred to as risk sharing.

[Video description begins] Transferring Risk [Video description ends]

Here you're going to pass the risk or the burden of loss off to a third-party. You could do this through outsourcing to another company, for example
moving your on-premise data center up into the cloud. Let's say, for example, Amazon Web Services, where you take advantage of their shared
responsibility model for security. Where their infrastructure as a service or their platform as a service, you get to gain from their underlying
infrastructure security. And possibly by using their managed services, you get the benefits of their security, of operating systems, serverless code,
microservices, as well as automation and orchestration services. Or you could go to an insurance company like AIG, The Travellers, Chubb, The
Hartford. And you could purchase either a cyber insurance policy or add to your existing business insurance policy to cover cyber breaches, data
breaches, and other types of activities. Typically, the buyer of insurance is still legally responsible for the transferred losses, keep that in mind. And
then we have accepting risk, okay?

[Video description begins] Accepting Risk. It is also referred to as risk retention. [Video description ends]

And this is a decision where the organization basically says we accept the risk that we have discovered through our gap analysis, through our SWOT
analysis, through our threat modelling. And then basically we're not going to reduce our activities, we're not going to make any major changes to our
business operations, we're not going to introduce any type of mitigating controls. Now this is not as simple as it sounds, okay? You're basically
accepting the potential magnitude of primary and secondary loss once you assess the risk. And by not implementing any safeguards or controls, you
are basically maintaining your same resistance level or difficulty level. And you have to take into consideration that the asset value, whether it's
tangible or intangible, has changed over the course of your fiscal year. Have you introduced any new business activities or any new technologies over
the course of your audit? And this may be viable for small organizations, but for medium to large organizations the potency and the potential of these
threats could lead to disastrous consequences. Often, justification in writing is necessary when the cost of protecting the asset is actually more than the
value of the asset.

Integrating into Corporate Governance


[Video description begins] Topic title: Integrating into Corporate Governance. The presenter is Michael Shannon. [Video description ends]

Okay, in this short lesson, I really want to define one key term for the CISM. And that term is something known as GRC. A lot of organizations will
kind of refer to a combination of governance and risk management and compliance together as GRC.

[Video description begins] Integrating into Corporate Governance [Video description ends]

So GRC, as you can see in this diagram, can incorporate your global corporate governance as well as risk management as it pertains to information
security. And then information security leads to IT security. So information security is going to represent all aspects of information in the
organization. Regardless of the medium that's being used. Whether it's data in transit, data at rest or data in use. You can look at information, you
know, whether it's being generated, purchased, transported, disposed of, viewed, all of those things. Now that's information security. But IT,
information technology, is really only concerned with security in the IT realm. As it relates to technical engineers and technical custodians and
managers of information technology. Not necessarily the owners of data and the owners of processes. Now there are areas that are going to intersect
both information security and IT security. For example, cyber security initiatives would be a great instance of where those two things would overlap.
But regardless, they would all come under the corporate governance umbrella. So we know that governance comes from our board of directors and

[Video description begins] Governance, Risk Management, and Compliance [Video description ends]

senior executive management. And GRC is basically governance, risk management, and

[Video description begins] The acronym of Risk Management is RM. [Video description ends]

compliance as an area of integration conducted as a single corporate initiative. So governance involves generating tools and strategies to ensure that
people follow established policies and procedures. Of course, risk management, which we'll look at in much greater detail coming up in the next
course, manages risk to those acceptable levels. By assessing, identifying, and analyzing risk potential, risk impact, otherwise known as magnitude,
and the priority using various controls. And then compliance involves monitoring and reporting on the policies, procedures, and mechanisms
necessary to adhere to regulations and mandates that are sent down from various authorities.

Contributing Factors for InfoSec Development


[Video description begins] Topic title: Contributing Factors for InfoSec Development. The presenter is Michael Shannon. [Video description ends]

In this lesson, I want to focus on one specific question that'll probably show up on your CISM exam. And this is some information that's derived from
the Official Review Manual, 15th edition. And what we see here are ten different contributing factors

[Video description begins] Contributing Factors for InfoSec Development [Video description ends]

for information security development. I really want you to remember these on the exam. We've already talked about these in different ways, in
different approaches. I've also shown you a diagram that visually describes this. But remember, the contributing factors are going to be your
governance, which is your global governance, and then IT governance, and then security governance. The design of your organization, okay? Is it
vertical, is it horizontal, is it a flat organization? Is it a functional managed organization? Is it a projectized organization? What is your corporate
mission, and vision, and strategy? What are the people in your company? Who are they? What are their skill sets? What is the, again, it relates, if you
go across to culture, okay, personnel and culture. Also personnel ties into, are your assets in-house assets and part of your hired employees? Or are
you relying on outsourcing? Are you relying on temp workers? Are you relying on contractors? So information security development is much more
difficult when you're dealing with outsourced personnel and when you're dealing with contractors and temporary workers. Your processes that you go
through, they must all be implemented using a security lifecycle.

Your architectures that you choose, your frameworks, obviously the technology that you choose, as well as the emergence. The emergence of new
technology, the emergence of new solutions, as well as emergence of new products and new services that are going to support your value proposition.
And then, what kind of support do you have? Do you have an internal service desk that's going to be supporting your customers, your internal
customers and external customers? Do you have a technical support team? Do you have a Change Authority Board? Maybe you're using an ITIL
Version 3 implementation for that. So these ten things are all contributing factors that you need to remember for the exam. And here's that
diagram I showed you earlier. And again, kind of focus on the relationship between four of these main components. At the top we have our
organization, and then kind of at the center are our processes, our policies, our procedures, our practices. And then, of course, it's people and
technology at the bottom that support this entire development of information security.

Developing Business Cases


[Video description begins] Topic title: Developing Business Cases. The presenter is Michael Shannon. [Video description ends]

Let's look at a couple of topics that are going to for sure come up on the exam. The first being, the developing of your business case. And then we're
going to look at feasibility studies. Because a feasibility study has to be done before you can even decide if you're going to pursue the business case.
Now, as far as ISACA is concerned, they define a business case as basically documenting the rationale for making a business investment. That's used
to support decisions of the organization, how they are to proceed with the investment. And as an operational tool to support management, executive
management specifically, in the way that they invest through a complete economic life cycle.

[Video description begins] Developing Business Cases [Video description ends]

So you want to reach your business objectives and drive initiatives if the business case warrants it. In a lot of organizations, before you can even
engage in an infosec project, it has to be justified with a business case. Which is typically a written document. Business cases offer the data needed for
choosing projects. For example, whatever the business problem is that you're trying to solve. I mentioned that we're going to look at feasibility
studies here in a minute. But also, is your goal to increase revenue, or is your goal in a non-profit organization to improve efficiency? Are you going
to be doing this in a functional management capacity, or are you a highly projectized organization? Obviously we're going to look at factors like
budget, risk and of course measurables like key performance indicators. So your business case obviously has to focus on your value proposition and
it'll involve a cost benefit analysis usually. And as I mentioned, the initial business case is often generated from a feasibility study. Now some
organizations, by the way, they will make the business case development actually one of the first things that's done in the life cycle, okay? Maybe the
actual first phase of a program or a project. A business case should be a detailed justification for a project.

[Video description begins] Business Cases Attributes [Video description ends]

It should be a key element of decision making throughout the life cycle. And like I said, a lot of organizations, this happens early on. But you do want
to return in an iterative fashion back to earlier phases of the life cycle. To make sure that, one, you are sticking with the original plan. And two, that
you're actually fulfilling the projected business case. So you're going to do some formal review at what we call kill points or stage gates. So if you do
a formal review, let's say two phases in and you realize, you know what, we're going way over budget or we've got too much scope creep. Then it may
be time to just kind of shelve this particular initiative. But the business case often results in a formal presentation to senior management, to the C-
Suite, the C-Team executive management. To align your objectives, to recognize consequences before they happen, to identify the budgetary
components and costs. To evaluate established models that you could use and possibly looking at some new models that you might want to use. And
of course you want to define the tools you are going to use for internal auditing, for visibility and monitoring. And possibly looking at reporting tools
that you'll use to deliver dashboards and summaries and other output. To senior management, executive management and even possibly steering
committees, working groups or the board of directors themselves.

[Video description begins] Feasibility Study [Video description ends]

Now, the business case almost always will include results of a feasibility study that's been performed. So here are the five phases of a feasibility study. First, you're going to establish
the scope of the project or the scope of the program. So, for example, let's say we're going to do a complete upgrade of our wireless environment.
We're going to go to an 802.11 something environment, a newer initiative. Maybe we're going to implement WPA3 with some extensible authentication
protocols, okay? So maybe a new wireless initiative based on some of the vulnerabilities and attacks that have been released over the last couple of
years. So once you define the scope of the project, you'll do current gap analysis. This is where the gap analysis and the SWOT, S-W-O-T, analysis
can really come in. Once you analyze and get some results, you'll want to lay out your requirements or your needs. And this is obviously where the
budgetary issues and the cost issues come in. What type of personnel do you need? Do you need to bring in some external contractors or external
expertise? Once you determine all of your requirements and needs, you'll then go and evaluate the feasibility of this particular program. And then
you'll finalize and agree upon some approach that you're going to take. To actually meet the goals and the objectives of senior or executive
management.

Strategic Budgetary Planning and Reporting


[Video description begins] Topic title: Strategic Budgetary Planning and Reporting. The presenter is Michael Shannon. [Video description ends]

I want to talk a little more specifically about budget as it relates to information security planning and even reporting. Because obviously, you need to
be reporting at every phase of the life cycle to make sure that you're staying on budget, that you're staying within your cost, based on your cost
analysis.

[Video description begins] Strategic Budgetary Planning and Reporting [Video description ends]

So this is a key aspect of your information security program management, and it's going to be driven by your information security strategy. It's a key
part of long term and medium term planning for information security. And it can be difficult because not all of us who maybe have specialties in security
and in risk management, we're not always great people when it comes to dealing with budgets and dealing with finances. So we want to make sure
that we are bringing in that skill set that we need from the certain people in executive management. Like maybe chief financial officers, and
comptrollers, and people in the finance department to make sure that we're able to deliver a strategic value within budget. So it should be addressed
as part of the feasibility study of your business case. Taking into consideration the salaries and benefits for your staff and personnel, any temporary
workers or contractors. What type of training and awareness needs to be done for the initiative? What are the costs of equipment, costs of software?
What are the costs for technical support and upgrades and licensing? Do you need to allocate space in your data center? Do you need to make sure that
you have availability for virtualization?

Or maybe you're using software-defined networking and you want to look at the cost of moving from a more physical environment to a more
virtualized environment. What are your ongoing maintenance costs? And that's maintenance of everything, including documentations and records.
And then of course, making sure that you look for all possible contingencies, and that involves preparation. You need to be able to defend your budget
and defend instances of getting off budget or instances of scope creep or instances of overrides or instances of budgetary overruns, because sometimes
they're necessary. We don't always stay on budget and sometimes we have to go over budget. We have to increase the cost of doing business. We need
to be able to defend that because sometimes it's just absolutely necessary. We might actually perform a detailed analysis of the work necessary for every
particular function or task or project as it relates to information security. For example, spending the time that we're going to take to deal with
incident response or incident handling or a forensic investigation.

[Video description begins] Elements of InfoSec Program Budget [Video description ends]

Some of the key elements of our information security program budget are obviously personnel and staffing and employees. And that includes, of
course, temporary workers and contractors and outsourcing. The equipment that we're going to be using, our hardware and software, including
licensing and subscriptions. Contractor fees, consultants' fees, facilities, any training that we need to go through, maybe going on to conferences, for
example, we mentioned that earlier. Cost of traveling, travel cost, of course, ongoing maintenance, documentation cost, reporting cost. And again,
remember, those contingencies, those unexpected costs, and like I said, be prepared to defend those if necessary if the overrun or the additional cost
justifies the means.

Exercise: Describe InfoSec Governance


[Video description begins] Topic title: Exercise: Describe InfoSec Governance. The presenter is Michael Shannon. [Video description ends]

All right, how about an exercise? In this exercise, you'll name the four contributing factors for information security development. List the four
elements of SWOT analysis. List the four methods for handling risk or risk treatment. List four main goals that security can protect. And finally, name
five contributing factors for development of information security. Pause the video, go get the answers, and then come back and we'll compare.

[Video description begins] Solution. Contributing Factors for InfoSec Development. [Video description ends]

First, I asked you to name the four contributing factors for information security development. Hopefully, you said organization, process, people and
technology.

[Video description begins] Information Security Strategy Techniques [Video description ends]

Next, I asked for the four elements of SWOT analysis. And these are strengths, weaknesses, opportunities and threats. Next, I asked you to list the
four methods for handling risk.

[Video description begins] Determining Risk Capacity [Video description ends]

Hopefully, you said avoiding risk, mitigating risk, transferring risk, and accepting risk. Next, I asked you to list four main business goals that security
can protect.

[Video description begins] Security Relationship to Business Goals [Video description ends]

If you said any four of these, enhance profitability, gain market share, increase stock price, expand to new areas, attract new customers, or beat
competitors to market, any four of those, and you got the right answer.

[Video description begins] Contributing Factors for InfoSec Development [Video description ends]

Finally, I asked you to name five contributing factors for development of information security. If you said any five of these, governance, organizational design, corporate strategy, personnel, processes,
architecture, technology, culture, support and emergence, any five of those, and you got the right answer. Excellent.
