Cism Ilt Module1

The document is a participant guide for Module 1 of a CISM instructor-led course. Module 1 covers topics related to enterprise governance, organizational culture and structure, legal and regulatory requirements, information security strategy, governance frameworks and standards, and strategic planning. The module objectives are to describe the role of governance, explain information security governance, identify relevant requirements, describe strategy effects, evaluate frameworks, and explain metrics. Module 1 corresponds to 17% of the CISM exam and the exam practice questions.

CISM Instructor-Led Course

Module 1 Participant Guide

Information Security Governance

MODULE 1

©2022 ISACA. All rights reserved.

Overview


Topics

• Enterprise Governance Overview
• Organizational Culture, Structures, Roles and Responsibilities
• Legal, Regulatory and Contractual Requirements
• Information Security Strategy
• Information Governance Frameworks and Standards
• Strategic Planning


Learning Objectives

• Describe the role of governance in creating value for the enterprise.
• Explain the importance of information security governance in the context of overall enterprise governance.
• Describe the influence of enterprise leadership, structure and culture on the effectiveness of an information security strategy.
• Identify the relevant legal, regulatory and contractual requirements that impact the enterprise.
• Describe the effects of the information security strategy on enterprise risk management.
• Evaluate the common frameworks and standards used to govern an information security strategy.
• Explain why metrics are critical in developing and evaluating the information security strategy.

Exam Relevance

• Module 1 in this course corresponds to Domain 1 of the CISM job practice and related questions on the certification exam.
• This module represents 17% of the CISM examination (~25 questions).
• CISM exam contains 150 questions.


Enterprise Governance Overview


Role of Information in the Enterprise

• Information is critical to everyday life.
• Information is an indispensable component of conducting business.
• Information is accessible through a broad array of technology.
• Enterprises must act to protect critical information.
• IT comprises key elements in most enterprises.
• Elements of national critical infrastructure may be privately owned and operated.


Information systems by organizational level (figure):

• Executives: Executive Information Systems
• Senior Managers: Decision Support Systems
• Middle Managers: Management Information Systems
• Workers: Transaction Processing Systems


Governance and Management

Critical resource protection is accomplished through two important but distinct elements.

Governance sets the direction by:
• Evaluating various stakeholder needs.
• Determining balanced and agreeable objectives.
• Monitoring progress toward or compliance with stated objectives.

Management ensures progress by:
• Aligning with the direction set by the governance body.
• Completing activities (plan, build, run and monitor) related to the stated objectives.

Complexity, relevance and criticality of IT mandate consideration and support from the highest organizational levels.

Value Creation

• Realize benefits at optimal resource cost while optimizing risk.
• Benefits can vary based on the enterprise.
• Value creation can vary based on stakeholder needs.
• Transform stakeholder needs into actionable strategy.

Additional considerations:
• Competition in the global economy
• Dependence on information and supporting systems
• Compliance with laws and regulations
• Advancing risk from threats


COBIT Principles for Enterprise Governance

Governance system for enterprise IT:
• Built from numerous components that work together holistically
• Dynamically adjusts from environment and impact changes
• Distinguishes between governance and management activities and structures
• Customized to the needs of the enterprise using design factors
• Covers the enterprise end to end, focusing on all enterprise technology and information processing

Importance of IS Governance

Governance includes elements to provide senior management with:
• Assurance that their direction and intent align to the enterprise security posture
• Structured approaches to implementing a security program
• Confidence that adequate and effective information security will protect valuable assets

• Information and knowledge are important assets to an enterprise.
• Reliance on information and related systems demonstrates the criticality of information security governance.
• It is essential that information security is fully supported by senior management and the enterprise at large.

IS Governance: Objectives and Outcomes

Develop, implement and manage a security program that achieves six basic outcomes:

1. Strategic Alignment
2. Risk Management
3. Value Delivery
4. Resource Optimization
5. Performance Measurement
6. Assurance Process Integration


IS Scope and Charter

Clearly state information security scope and responsibilities in the strategy and reflect these details in the policies.

IT Security:
• Handles security for the technology managing the information
• Owns the machinery that processes information
• Functions as a custodian for the data owners

Information Security:
• Handles all aspects of information, in any medium, regardless of action
• Is primarily concerned with security of information
• Focuses increasing attention on cybersecurity related concerns


Cybersecurity

Information security and cybersecurity overlap (figure):

Information Security:
• Analog Information
• Intellectual Property
• Paper Documents
• Verbal Communications
• Visual Communications

Both:
• Digital Information

Cybersecurity:
• Network Hardware
• Software
• Information processed and stored in isolated networks or systems


(Figure: map of the infosec/cybersecurity field, with clusters for Security Architecture, Application Security, Identity & Access Management, Security Engineering, Frameworks and Standards, Risk Assessment, Enterprise Risk Management, Laws and Regulations, Governance, Security Operation Centers, Threat Intelligence, Physical Security, IoT Security, User Education and Career Development.)

Benefits of Information Security Governance

Assurance:
• Policy compliance
• Risk management
• Process improvement
• Incident response
• Continuity management
• Processing transactions

Trust:
• Critical decisions
• Potential liability
• Predictability
• Trading partners
• Customer relationships
• Reputation

Accountability:
• Safeguarding information
• Resource optimization
• Resource management


Organizational Culture, Structures, Roles and Responsibilities


Organizational Culture

Information security is primarily influenced through transparency and accountability within the enterprise culture and must be considered in determining roles and responsibilities.

Represents:
• Organizational behavior
• Enterprise structures
• Attitudes and norms

Influences:
• Backgrounds and experiences
• Filters, bias and perceptions
• Values and work ethic
• Teamwork
• Geographic location

Considerations:
• Interpersonal and communication skills
• Workforce education
• Acceptable use policy
• Notification and reporting


Enterprise IT Archetypes

• Business monarchy - A group of business executives or individual executives (CxOs); includes committees of senior business executives (may include CIO); excludes IT executives (example: CTO)
• IT monarchy - Individuals or groups of IT executives
• Feudal - Business unit leaders, key process owners or their delegates
• Federal - C-level executives and business groups (e.g., business units or processes); may also include IT executives (example: CTO) as additional participants
• Duopoly - IT executives (example: CTO) and at least one other group (e.g., CxO or business unit or process leaders)
• Anarchy - Each individual business process owner or end user

Ethics and Conduct Considerations

• Employees should review and acknowledge codes of ethics and conduct.
• Signed acceptance should be kept as a part of employee records.
• Enterprises offer ethics training to provide guidance on appropriate and legal behavior.
• Training is especially important when individuals perform sensitive tasks.
• Coordinate objectives and activities for ethical behavior with privacy and data protection.
• Remain aware of potential conflicts of interest or potentially negatively perceived activities.
• Integrate a data ethics framework to reduce potential conflicts of interest or negatively perceived activities.
• Use the ISACA Code of Professional Ethics to set an example.


Organizational Structure

Enterprise governance depends on responsibility and accountability from all participants.

Understanding the organizational hierarchy and structure leads to better understanding of key stakeholders who influence the information security strategy.

Key inputs to the information security strategy include:
• Operating structures
• Roles
• Responsibilities


Mapping Roles and Responsibilities to Skills

(Table with columns: Role, Responsibility, Skills)


RACI Chart

R - Responsible:
• Main operational stake to fulfill tasks and create outcome
• Can be delegated or shared
• Who gets this done? Who drives the task?

A - Accountable:
• Carries overall accountability to ensure task completion
• Cannot be shared or delegated
• Who accounts for the success and achievement of the task?

C - Consulted:
• Provide input for the task
• Who provides input?

I - Informed:
• Informed of achievement of tasks or related deliverables
• Who receives information?

Example RACI Chart


Common Roles in the Enterprise

• Board of Directors
• Senior Management
• Steering Committee
• Chief Information Security Officer
• Business Process Owners
• Workforce


Executives

Executives become the liaison between the board and lower-level managers.

• Communicate the board’s expectations down to employees.
• Break down the board’s expectations into short- and long-term operational goals.
• See goals through from implementation to completion.

IT Steering Committee

Reviewing:
• Long- and short-range plans of the IT department
• Major acquisitions of hardware and software
• Sourcing strategies
• IT activities
• Adequacy of resources
• Allocation of resources


Risk Management Roles

• Governing boards and senior management
• Chief risk officer (CRO)
• Chief information officer (CIO)
• Chief information security officer (CISO)
• Information security manager (ISM)
• System and information owners
• Business and functional managers
• IT security practitioners
• Security awareness trainers (security subject matter professionals)


ROLES AND RESPONSIBILITIES

• Senior/Executive Management
  • CEO: Chief Decision-Maker
  • CFO: Responsible for budgeting and finances
  • CIO: Ensures technology supports company's objectives
• Security
  • ISM: Risk Analysis and Mitigation
  • CISO: Establishing and maintaining the enterprise vision, strategy, and program
  • Steering Committee: Define risks, objectives and approaches
• Auditors: Evaluate business processes
• Data Owner: Classifies data
• Data Custodian: Day-to-day maintenance of data
• Network Administrator: Ensures availability of network resources
• Security Administrator: Responsible for all security-related tasks, focusing on Confidentiality and Integrity


RESPONSIBILITIES OF THE ISM/CISO

• Responsible for providing C-I-A for all information assets.
• Communication of risks to senior management
• Recommend best practices to influence policies, standards, procedures, guidelines
• Establish security measurements
• Ensure compliance with government and industry regulations
• Maintain awareness of emerging threats


Successful Organizational Structure Attributes

Key factors for an effective organizational structure include understanding of:

• A formally established organizational structure with a clear, documented mandate
• Organizational structure performance objectives to identify, monitor and adjust
• Defined and documented authority levels and decision-making responsibilities
• Implemented delegation of authority provisions
• Defined and applied escalation procedures
• Documented and followed operating principles
• Interfaces are managed to ensure effective communication and clear assignment of responsibility.
• Regular evaluations result in the required continuous improvement of the organizational structure.


Legal, Regulatory and Contractual Requirements


Regulatory and Compliance Requirements

Information security is intertwined with privacy, intellectual property, and law.

Because laws and regulations vary across the globe, enterprises may need to:
• Establish different security strategies based on the regions in which they operate
• Set policy based on the most restrictive requirements for consistency

Treat compliance as any other risk:
• Extent of compliance is a business decision made by senior management
• Use automated GRC tools to help maintain a comprehensive catalog of legal and regulatory requirements


Third-Party Contracts

• Outsourcing of Data and Business Processes
• Scope of Contracts
• Legal Requirements
• Service Level Agreement
• Legal Liability
• Management of Outsourcing


BPO Service Classification

• Onsite: Within the enterprise
• Offshore: Remote location, different geographical area
• Onshore: Remote location, same country
• Nearshore: Remote location, same continent


Other Sourcing Strategies

Insourcing:
• Use of internal IT staff and services
• Essential to daily business operations
• Geographical proximity
• Ease of communication
• Will require staff training and education
• May require the acquisition of additional resources

Hybrid:
• Combination of service delivery options
• Take advantage of the benefits that each sourcing alternative provides


Sourcing Approach

• Develop strong sourcing strategy
• Develop project team
• Perform due diligence
• Request for proposal (RFP)
• Develop requirement definition and RFP
• Evaluate RFP responses
• Negotiate contract
• Develop transition plan
• Develop contract governance framework


IT Resource Planning: Outsourcing

Manage:
• Asset management
• Contract management
• Relationship management
• SLAs/OLAs

Govern:
• Due diligence
• Baselining and benchmarking
• Governance processes

Allocate:
• Governance enterprise
• Scope reviews
• Roles and responsibilities


Content and Retention Requirements

Underlying content and retention requirements are an important input to the information security strategy. Work with the legal department to determine:

• Underlying legal and regulatory requirements
• Types of records to be protected to ensure their confidentiality, integrity and availability
• Strategy for locating and retrieving information for law enforcement, civil or criminal investigations


Information Security Strategy


Enterprise Governance vs Information Security Governance

Risk optimization is a key element of the governance and management of enterprise IT.

Enterprise Governance is the exercise of responsibilities and practices to:
• Provide strategic direction
• Ensure objectives are achieved
• Determine appropriate risk management
• Verify responsible use of resources

Information Security Governance is a subset of enterprise governance that:
• Provides strategic direction for security activities
• Ensures that objectives are achieved
• Ensures that information security risk is appropriately managed
• Effective and efficient use of enterprise information resources


Relationship of Governance Elements


Information Security Strategy Overview

• Provides plan of action to accomplish enterprise goals and outlines structures
• Reduce risk to acceptable levels while optimizing resources and addressing legal or regulatory requirements
• Controls used to detect anomalies must consider nontechnical attacks from insiders
• Provide business process assurance and maximize success
• Integrate with current governance processes for other critical enterprise resources
• Considers response to complex and destructive IS issues, such as insider threats
• Demonstrate support for business objectives of enterprise and maximize stakeholder value


Maturity Models

• Include methods to ensure an integrated and repeatable approach to governance and management
• Understand the current maturity level of the enterprise
• Optimize value by fostering more enterprise cooperation and collaboration
• Guide the enterprise toward more optimized business results


Information Security Strategy Development

Provides and enables:
• Plan of action to accomplish enterprise needs
• Achieve acceptable level of risk while optimizing resources

(Figure elements: Business Goals and Objectives; Information Security Strategy Objectives; Strategy Development; Information Security Strategy; The Desired State; Current Conditions; Objective and Business Integration.)


Information Security Strategy Objectives

• Strategic Alignment
• Effective Risk Management
• Value Delivery
• Resource Optimization
• Performance Measurement
• Assurance Process Integration

What are the strategies and goals of the program? Requires:
• Define strategy objectives
• Develop metrics to measure progress

Strategy addresses:
• Meaning of selected areas
• Outcome achievement
• Success criteria


Information Valuation and Classification

After relevant information is located and identified, it must be classified by criticality and sensitivity or business value.

Classification provides the basis for applying protective measures proportional to business value:
• Assign values to prioritize protection efforts and determine required levels of protection
• Mitigates cost of overprotecting or under-protecting information
• Develop policies, standards and processes concurrently to mandate classification

Valuation is difficult to determine with precision:
• Sensitivity is a subjective call
• Create levels of value (0-5)
• Conduct business dependency evaluation


Ensuring Objective and Business Integration

State IS strategy objectives in specific goals that support business activities:

• Develop and analyze business linkages to uncover operational level IS issues
• Review strategic business plans to uncover support opportunities for IS activities
• Ensure direct linkages between business activities and goals
• Consider information streams critical to ensuring continuous operations
• Analysis may reveal possibilities for reducing errors
• Control access to production systems to prevent unauthorized access
• Improve business linkages over time through an information steering committee

Desired State

Denotes a complete snapshot of all relevant conditions at a future point:

• Principles, policies and frameworks
• Organizational structures
• Culture, ethics and behavior
• Information
• Processes
• Services, infrastructure and applications
• People, skills and competencies


The Desired State

Qualitative measures are useful in defining a desired state:

• High-level objectives may not provide enough clarity
• Established approaches provide frameworks to achieve a well-defined desired state
• Evaluate for fit, form and function
• Combine different standards and frameworks for a multidimensional view


IS Strategy Development Participants

(Figure) Participants and outputs:
• Senior Management: Business Strategy
• Steering Committee and Executive Management: Risk Management/Information Security Strategy
• CISO/Steering Committee: Security Action Plan; Policies, Standards
• Implement; Monitor/Metrics; Reporting; Trend Analysis
• Business Objectives; Security Attributes; Security Programs

Strategy Inputs:
• Current state and desired security state
• Business processes and requirements
• Risk assessment
• Business impact analysis
• Regulatory requirements

Action Plan Inputs:
• Available Resources and Constraints
• Security Objectives


Aligning Security Strategy with Business Requirements

• Determining the business objectives of information security
• Defining requirements for information security
• Locating and identifying information assets and resources
• Valuating information assets and resources
• Classifying information assets as to criticality and sensitivity
• Implementing a process to ensure that all assets have a defined owner


Avoiding Common Pitfalls and Bias

Pitfalls:
• Overconfidence
• Optimism
• Anchoring
• Status quo bias
• Mental accounting
• Herding instinct
• False consensus

Bias:
• Confirmation bias
• Selective recall
• Biased assimilation
• Biased evaluations
• Groupthink

Key Governance Considerations and Elements

• Current and desired states
• Current and planned projects
• Personnel and budgets
• Road Map
• Resources
• Constraints
• Information security objectives
• Business process re-engineering activities

Road Map

Defines the routes and steps that must be taken to navigate to the objectives of the strategy:
• Includes people, processes, technologies and other resources

Due to the complexity, consider developing a security architecture:
• Provides a structured approach to defining business drivers, resource relationships and process flows
• Helps ensure that contextual and conceptual elements are considered during strategy development


Road Map

• Long-term goal consisting of a series of projects and initiatives
• Broken down into smaller projects accomplished on a reasonable timeline
• Chart the road map, understanding that there is not a steady state of information security
• Some objectives will change over time
• Short-term projects aligned with long-range objectives can provide checkpoints, opportunities to adapt and metrics to validate


Resources

Proactive:
• Policies
• Standards
• Architectures
• Personnel Security
• All Assessments and Analysis
• Training

Operational:
• Procedures
• Guidelines
• Roles and Responsibilities
• Organizational Structure

Reactive:
• Personnel Security
• Education
• Training
• Audit
• Compliance enforcement


Constraints

Some constraints could be addressed when defining the desired state. Others will arise from developing the road map and action plan, including:

• Legal
• Physical
• Ethics
• Magnitude of Effort
• Legacy Systems
• Culture
• Personnel
• Organizational structure
• Resources
• Existing Capabilities or Processes
• Emerging Technologies
• Technologies
• Time
• Risk appetite


Information Governance Frameworks and Standards


Goals of Applying Frameworks

• Develop a cost-effective information security program that supports the enterprise business goals
• Guide development of a comprehensive information security program that supports business objectives
• Create a set of activities to provide assurance that information assets are protected relative to their value


Framework Elements

Governance framework elements:
• Comprehensive security strategy linked to business objectives
• Governing security policies to address strategy, controls and regulation
• Standards for each policy
• Effective security organizational structure
• Defined workflows and structures
• Metrics and monitoring processes for feedback

©2022 ISACA. All rights reserved


©2022 ISACA. All rights reserved.

63

Applying Frameworks to Strategies

• Relationships exist between IT, IS, controls and architecture.
• Links occur at various levels.
• Strategy is where information security integrates into IT to achieve objectives.
• A combination of methods can be employed to describe the desired state.

Diagram (layers on a scale labelled "More General" to "More Specific"):
• Regulations: SOX, HIPAA, GLBA, FISMA, others
• Governance Framework: COSO, OCEG, others
• Control Objectives: COBIT, ITIL/ISO 20000, CMM, others
• Controls: ISO 17799/27002, NIST 800-52, others


Other Frameworks and Approaches

• Enterprise Risk Management Frameworks
• Information Security/Cybersecurity Frameworks
• Architectural Frameworks
• Balanced Scorecard


Architectural Frameworks

• Describe a method for designing the target state of the enterprise in terms of blocks
• Evolved to better address business design and development of security requirements
• Provide linkages to and design of the business side of information protection

Architectural approaches inclusive of business processes:
• Zachman Enterprise Architecture Framework
• COBIT
• TOGAF
• Extended Enterprise Architecture Framework


Definitions
• Framework
  • Provides guidance on how to build individual architectures that will be useful to a diverse set of individuals
• Architecture
  • Conceptual construct
  • Tool to help individuals understand complex items
  • It expresses enterprise structure (form) and behaviour (function)
• Security Program
  • It is a framework made of many entities working together to provide a protection level for an environment
  • A security program should work in layers
  • Security via obscurity is not a healthy protective mechanism


COBIT
• It's a model for IT governance
• It is a framework for governance and management developed by ISACA
• It's a holistic approach with key principles:
  • Meeting stakeholder needs
  • Covering the enterprise end to end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating governance from management
• It's ultimately linked to the stakeholders
• It deals at the operational level
• The majority of security compliance audit practices are based on COBIT
• Latest version is COBIT 2019


NIST 800-53
• Developed by NIST
• Outlines the controls that (US) agencies need to put into place to be compliant with the FISMA Act
• There are many control categories addressed by this
• They are management, operational and technical controls prescribed for an information system to protect CIA
• As COBIT is for private compliance needs, NIST is for US Government compliance needs


ITIL
• Information Technology Infrastructure Library (ITIL) is the de facto standard for best practices for IT service management
• 5 Service Management Publications:
  • Strategy
  • Design
  • Transition
  • Operation
  • Continual Improvement
• **While the publications of ITIL are not testable, its purpose and comprehensive approach are testable.
• It provides best practices for organization and the means by which to implement those practices


Zachman Architecture Framework
• First architecture framework
• This is not a security-oriented framework
• Uses six basic communication interrogatives intersecting with different perspectives
• Important rule is that each row should describe the enterprise in its entirety from that row's perspective

Zachman Architecture Framework (diagram slide)


The Open Group Architecture Framework (TOGAF)
• Has its origins in the US DoD
• Provides an approach to design, implement and govern an enterprise information architecture
• Used to develop the following architecture types:
  • Business Architecture
  • Data Architecture
  • Applications Architecture
  • Technology Architecture
• Uses the Architecture Development Method (ADM) to create individual architectures
• ADM is an iterative and cyclic process that allows requirements to be continuously reviewed and updated


Enterprise Security Architecture
• Subset of Enterprise Architecture
• Defines an information security strategy that consists of layers of solutions, processes and procedures
• It ensures that security efforts align with business practices in a standardized and cost-effective manner
• For a successful ESA the following must be understood and followed:
  • Strategic alignment
  • Business enablement
  • Process enhancement
  • Security effectiveness


Balanced Scorecard

Strategic planning and management system to communicate and align strategy, prioritize, and measure performance.
• Develops metrics
• Collects data
• Analyzes data

Diagram: four perspectives (Financial, Customer, Process, Learning), each with Goals and Measures, arranged around a central "Information" node.

Balanced Scorecard Model (diagram slide)


Strategic Planning


Strategic, Tactical, Operational vs Timeline

Diagram: strategic, tactical and operational planning horizons plotted against a timeline (scale marks shown: 1 Year blocks, Quarter, Month, Week).


Strategic Planning

Workforce and organizational structure:
• Trustworthiness and integrity of personnel
• Flexible or evolving organizational structure
• Centralized vs decentralized approaches

Assurance of compliance with mandatory requirements:
• Audit
• Compliance

Activities to accomplish responsibilities:
• Gap analysis
• Define metrics and intermediate goals


Workforce Composition and Skills

Employee roles:
• Define all security roles, responsibilities and competencies
• Incorporate in employee job descriptions
• Include security-related measurements during performance reviews

Employee skills:
• Determine available resources using a skills inventory
• Conduct proficiency testing to determine current skills or target training opportunities


Awareness Training and Continuing Education

Security is often weakest at the end-user level, making training and education vital to the overall strategy.

Awareness Training:
• Programs for end users reinforce the importance of enterprise information security
• Must be considered in strategy development
• Ensure security policy compliance is easy to follow and manage

Continuous Education:
• Determine appropriate skills and areas of improvement needed to protect the enterprise
• Target specific systems, processes, policies, enterprise norms and security context
• Integrate into existing programs and initiatives to close gaps and align security with the business


Assurance Provisions

Audits:
• Essential resource to develop strategy
• Determine deficiencies from a control and compliance standpoint
• Focus on policy compliance of people, processes and technology
• Requirements to file audit reports with regulatory agencies
• Reports contain useful intelligence regarding monitoring information

Compliance Enforcement:
• Develop procedures to handle security violations
• Gaining senior management support is critical
• Provide ways to self-report
• Encourage voluntary compliance
• Prioritize compliance requirements on areas of greatest risk and impact

Linking the two (diagram labels): Communication, Oversight, Reporting


Action Plan to Implement Strategy

• Gap Analysis: Required for various components of the strategy previously discussed, such as maturity levels, each control objective, and each risk and impact objective.
• Action Plan Metrics: The plan of action to implement the strategy requires methods to monitor and measure progress and the achievement of milestones.
• Intermediate Goals: A variety of specific near-term goals that align with the overall information security strategy can readily be defined after the overall strategy has been completed.


CMMI Methods for Gap Analysis

Strategy Elements:
• Security strategy with senior management acceptance and support
• Security policies that are complete and consistent with strategy
• Complete standards for all relevant, consistently maintained policies

Security Elements:
• Effective controls that are designed, implemented and maintained
• Effective security metrics and monitoring processes in place
• Tested business continuity/disaster recovery plan

Awareness and Compliance Elements:
• Adequate security awareness and training of all users
• Addressing of security issues with third-party service providers
• Timely resolution of noncompliance issues and other variances


Action Plan Metrics

Defining Metrics:
• Ensure that what is being measured is relevant to provide the information necessary to make decisions
• Define the decisions made and who makes them
• Collaborate with business process owners and management to determine relevant metrics
• Supply appropriate metrics timely and accurately

Monitoring Metrics:
• Consider how metrics will be used for ongoing monitoring and measurement of progress
• Determine current state to track changes and progress over time
• Use the CMMI method to define current state and objectives
• Can use a process assessment model to perform ongoing gap analysis and progression toward goals


Other Progress Indicators

CSF:
• Identify control processes, procedures, structures and technologies to develop an appropriate testing regime
• Determine resources and testing procedures to successfully complete required tests

KGI:
• Define clear objectives and achieve consensus on the goals, including:
  • Sarbanes-Oxley
  • Independent control testing
  • Required statement of control effectiveness

KPI:
• Indicators of key or critical performance factors necessary to achieve the objectives include:
  • Control effectiveness testing plans
  • Progress in controls effectiveness testing
  • Results of testing control effectiveness


Tactical Metrics

Strategic Information:
• Progress according to plan and budget
• Significant changes in risk and possible impacts to business objectives
• Results of disaster recovery testing
• Audit results
• Regulatory compliance status

Technical Security Data:
• Vulnerability scan results
• Server configuration standards compliance
• Intrusion detection system (IDS) monitoring results
• Firewall log analysis


Creating Useful Security Metrics

Important to remember when developing IS management metrics:
• Avoid information of little value that can result in gathering too much information
• Develop processes to distill technical data to a more effective form
• Analyze available metrics to determine their relevance

Diagram: incident timeline with the phases Identify, Contain, Recover.

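The two slides above list the raw technical security data (vulnerability scan results, server configuration compliance, firewall log analysis) and then ask for processes that distill it into a form management can act on. The following Python block is an added example for this guide, not ISACA course material: it takes small constructed samples of each feed, with assumed field layouts, host names, SLA values and log format, and reduces them to a handful of decision-oriented numbers while discarding malformed log lines rather than letting one bad record break the rollup.

```python
"""Distill raw technical security data into a few management-level metrics.

Added example for this guide (not ISACA course material). All input
records below are constructed samples; the field layouts, host names,
SLA values and log format are assumptions, not any real tool's schema.
"""
from collections import Counter
from datetime import date

# Constructed vulnerability scan findings: (host, severity, first_seen)
SCAN_FINDINGS = [
    ("web-01", "critical", date(2022, 3, 1)),
    ("web-01", "high", date(2022, 4, 10)),
    ("web-02", "critical", date(2022, 4, 20)),
    ("db-01", "medium", date(2022, 2, 15)),
    ("app-01", "low", date(2022, 4, 25)),
]

# Constructed server configuration standard checks: (host, check, passed)
CONFIG_CHECKS = [
    ("web-01", "ssh-root-login-disabled", True),
    ("web-01", "ntp-configured", True),
    ("web-02", "ssh-root-login-disabled", False),
    ("web-02", "ntp-configured", True),
    ("db-01", "ssh-root-login-disabled", True),
    ("db-01", "ntp-configured", False),
]

# Constructed firewall log lines in an assumed syslog-like format
FIREWALL_LOG = """\
2022-05-01T10:00:01 fw01 DENY TCP 203.0.113.5:51234 -> 192.0.2.10:22
2022-05-01T10:00:02 fw01 ALLOW TCP 198.51.100.7:44321 -> 192.0.2.20:443
2022-05-01T10:00:03 fw01 DENY TCP 203.0.113.5:51235 -> 192.0.2.10:23
2022-05-01T10:00:04 fw01 DENY UDP 203.0.113.9:40000 -> 192.0.2.10:161
2022-05-01T10:00:05 fw01 DENY TCP 203.0.113.5:51236 -> 192.0.2.11:22
"""

# Assumed remediation SLA in days per severity (a policy choice, not a standard)
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def _as_date(value):
    """Accept a date or an ISO date string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def overdue_findings(findings, as_of, sla=SLA_DAYS):
    """Findings whose age on as_of exceeds the SLA for their severity."""
    today = _as_date(as_of)
    return [f for f in findings if (today - f[2]).days > sla[f[1]]]


def overdue_host_ratio(findings, as_of, sla=SLA_DAYS):
    """Share of scanned hosts carrying at least one overdue finding (0.0-1.0)."""
    hosts = {host for host, _, _ in findings}
    late = {host for host, _, _ in overdue_findings(findings, as_of, sla)}
    return len(late) / len(hosts) if hosts else 0.0


def config_compliance_rate(checks):
    """Fraction of configuration checks that passed."""
    return sum(1 for _, _, ok in checks if ok) / len(checks) if checks else 0.0


def fully_compliant_hosts(checks):
    """Hosts on which every configuration check passed, sorted by name."""
    per_host = {}
    for host, _, ok in checks:
        per_host[host] = per_host.get(host, True) and ok
    return sorted(host for host, ok in per_host.items() if ok)


def parse_firewall_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[5] != "->":
            continue  # not a well-formed event line
        ts, device, action, proto, src, _, dst = parts
        try:
            dst_port = int(dst.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue  # destination lacks a numeric port
        events.append({
            "ts": ts, "device": device, "action": action, "proto": proto,
            "src_ip": src.rsplit(":", 1)[0], "dst_port": dst_port,
        })
    return events


def top_denied_sources(events, n=3):
    """Most frequent source IPs among DENY events as (ip, count) pairs."""
    denies = Counter(e["src_ip"] for e in events if e["action"] == "DENY")
    return denies.most_common(n)


def management_summary(as_of):
    """Roll the three technical feeds up into decision-oriented numbers."""
    events = parse_firewall_log(FIREWALL_LOG)
    return {
        "hosts_with_overdue_vulns_pct": round(100 * overdue_host_ratio(SCAN_FINDINGS, as_of)),
        "config_compliance_pct": round(100 * config_compliance_rate(CONFIG_CHECKS)),
        "fully_compliant_hosts": fully_compliant_hosts(CONFIG_CHECKS),
        "top_denied_sources": top_denied_sources(events),
    }


if __name__ == "__main__":
    for name, value in management_summary("2022-05-01").items():
        print(f"{name}: {value}")
```

Each summary value answers a question a manager actually decides on (are we meeting our own remediation SLA, how far are servers from the configuration standard, where is hostile traffic concentrated), which is the relevance test the slide asks for; the raw finding list and the per-line log events stay available for the engineers who need them.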


Action Plan Intermediate Goals

• Specific near-term goals that align with the overall information security strategy can be defined after the overall strategy is completed.
• Near-term goals and milestones are required as part of the action plans.
• Based on the BIA determination of business-critical resources and the state of security as determined by the CMMI gap analysis.
• Aids prioritization of remedial activities to achieve goals.
• Long-term desired state must also be clearly defined to ensure alignment between shorter-term goals and end goals.
• The strategy and long-range plan should serve to integrate near-term tactical activities.


Risk Management and Assessment

Diagram: Information Security Strategy → Information Security Risk (Identify, Assess, Treat) → Information Security Models.


Risk Management and Assessment

Formal risk assessment is accomplished by:
1. Identifying viable threats to information resources
2. Considering the likelihood of identified threats materializing and their magnitude
3. Determining the extent of organizational weaknesses and the enterprise's exposure to identified weaknesses and threats


Risk Management Factors

• Business Impact Analysis
• Resource Analysis
• Outsourced Services
• Threat Assessment
• Vulnerability Assessment
• Insurance
• Support and Assurance Providers


Module Summary


Summary

• Enterprise Governance Overview
• Organizational Culture, Structures, Roles and Responsibilities
• Legal, Regulatory and Contractual Requirements
• Information Security Strategy
• Information Governance Frameworks and Standards
• Strategic Planning


Module Complete