CISM Certified Information Security Manager All-In-One Exam Guide, 2nd Edition (Peter H. Gregory)
CISM Certified Information Security Manager All-In-One Exam Guide, 2nd Edition (Peter H. Gregory)
CISM
®
Certified Information
Security Manager
EXAM GUIDE
Second Edition
This page intentionally left blank
ALL IN ONE
CISM
®
Certified Information
Security Manager
EXAM GUIDE
Second Edition
Peter H. Gregory
McGraw Hill is an independent entity rom ISACA® and is not afliated with ISACA in any manner. Tis study/training guide and/or material
is not sponsored by, endorsed by, or afliated with ISACA in any manner. Tis publication and accompanying media may be used in assisting
students to prepare or Te CISM exam. Neither ISACA nor McGraw Hill warrants that use o this publication and accompanying media will
ensure passing any exam.
Copyright © 2023 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no
part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-1-26-426832-0
MHID: 1-26-426832-7
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-426831-3,
MHID: 1-26-426831-9.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trade-
marked name, we use names in an editorial fashion only, and to the benet of the trademark owner, with no intention of infringe-
ment of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw Hill eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate
training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of hu-
man or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such
information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work
is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You
may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to
use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES
OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED
FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK
VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, IN-
CLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICU-
LAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work
will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its
licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any
damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through
the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special,
punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been
advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such
claim or cause arises in contract, tort or otherwise.
o Rebekah, the love o my lie.
This page intentionally left blank
ABOUT THE AUTHOR
Peter H. Gregory, CISM, CISA, CRISC, CDPSE, CISSP, CIPM, DRCE, CCSK,
is a 30-year career technologist and a security leader in a regional telecommunications
company. He has been developing and managing inormation security management
programs since 2002 and has been leading the development and testing o secure I
environments since 1990. Peter has also spent many years as a sotware engineer and
architect, systems engineer, network engineer, and security engineer.
Peter is the author o more than 50 books about inormation security and technology,
including Solaris Security, CIPM Certified Information Privacy Manager All-in-One Exam
Guide, and CISA Certified Information Systems Auditor All-in-One Exam Guide. He has
spoken at numerous industry conerences, including RSA, Interop, (ISC)² Security
Congress, ISACA CACS, SecureWorld Expo, West Coast Security Forum, IP3, Source
Conerence, Society or Inormation Management, the Washington echnology Industry
Association, and InraGard. Interviews o Peter appear in SC Magazine, U.S. News &
World Report, CNET News, SearchSecurity, Information Security Magazine, CIO, The
Seattle Times, and Forbes.
Peter serves on advisory boards or cybersecurity education programs at the University
o Washington and the University o South Florida. He was the lead instructor or nine
years in the University o Washington certiicate program in applied cybersecurity, a
ormer board member o the Washington State chapter o InraGard, and a ounding
member o the Paciic CISO Forum. He is a 2008 graduate o the FBI Citizens’ Academy
and a member o the FBI Citizens’ Academy Alumni Association. Peter is an executive
member o the CyberEdBoard and the Forbes echnology Council.
Peter resides with his amily in Washington state and can be ound online at
www.peterhgregory.com.
Disclaimer
None o the inormation in this book relects the security posture or practices o any
current or ormer employer or client.
CONTENTS AT A GLANCE
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
ix
This page intentionally left blank
CONTENTS
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
xi
CISM Certified Information Security Manager All-in-One Exam Guide
xii
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter 2 Inormation Security Strategy ................................ 37
Inormation Security Strategy Development . . . . . . . . . . . . . . . . . . 38
Strategy Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Strategy Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Strategy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Strategy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Strategy Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Inormation Governance Frameworks and Standards . . . . . . . . . . . 72
Business Model or Inormation Security ............... 73
he Zachman Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
he Open Group Architecture Framework . . . . . . . . . . . . . . 83
ISO/IEC 27001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
NIS Cybersecurity Framework . . . . . . . . . . . . . . . . . . . . . . 85
NIS Risk Management Framework . . . . . . . . . . . . . . . . . . . 87
Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Roadmap Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Developing a Business Case . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Figure Credits
Figure 2-1 Courtesy Xhienne: SWO pt.svg, CC BY-SA 2.5, https://
commons.wikimedia.org/w/index.php?curid=2838770.
Figure 2-2 Adapted rom the Business Model or Inormation Security,
ISACA.
Figure 2-3 Adapted rom the University o Southern Caliornia Marshall
School o Business Institute or Critical Inormation Inrastructure
Protection, USA.
Figure 2-5 Courtesy he Open Group.
Figure 2-7 Courtesy High Tech Security Solutions magazine.
Figure 3-1 Source: National Institute or Standards and echnology.
Figure 6-8 Courtesy Blueoxicy at en.wikipedia.org.
Figure 7-4 Source: NASA.
Figure 7-6 Courtesy Gustavo Basso.
Figure 7-7 Courtesy John Crowley at en.wikipedia.org.
This page intentionally left blank
ACKNOWLEDGMENTS
I am immensely grateul to Wendy Rinaldi or airming the need to have this book
published on a tighter than usual timeline. My readers, including current and uture
inormation security managers, deserve nothing less.
Heartelt thanks to Wendy Rinaldi and Caitlin Cromley-Linn or proiciently manag-
ing and coordinating this project, acilitating rapid turnaround, and equipping us with
the inormation and guidance we needed to produce the manuscript.
Many thanks to Patty Mon, Nitesh Sharma, and homas Somers or managing the
editorial and production ends o the project, and to Lisa heobald or copy editing the
book and urther improving readability. I appreciate KnowledgeWorks Global Ltd. or
expertly laying out the inal manuscript pages. Also, thanks to Rick Camp and Lisa
McCoy or expert prooreading and ed Laux or indexing. Like stage perormers, they
make hard work look easy, and I appreciate their skills.
I would like to thank my ormer consulting colleague, Jay Burke, who took on the
task o tech reviewing the entire manuscript. Jay careully and thoughtully scrutinized
the entire drat manuscript and made scores o valuable suggestions that have improved
the book’s quality and value or readers. hanks also to two BCDR colleagues: Charlein
Barni, or reviewing Chapter 7, and Michael Kenney, who conirmed some concepts.
Finally, thanks to Ben Everett, a reader who inormed me o a couple o typos or ambi-
guities in the irst edition.
Many thanks to my literary agent, Carole Jelen, or her diligent assistance during this
and other projects. Sincere thanks to Rebecca Steele, my business manager and publicist,
or her long-term vision and keeping me on track.
his is the 52nd book manuscript I have written since I started writing in 1998. I’m
grateul or those who initially brought me into the publishing business, particularly Liz
Suto (author o Informix Online Performance Tuning, and my irst oicial gig as a tech
editor) and Greg Doench (executive editor at Prentice-Hall Publishers), and so many
more along the way, including Melody Layne, Mark aub, Rev Mengle, Sebastian Nokes,
Greg Croy, Katie Feltman, Katie Mohr, Lindsey Leevere, Josh Freel, Amy Fandrei, Amy
Gray, im Green, Steve Helba, and many others. hank you, all o you, or the splendid
opportunity that has enabled me to help so many readers.
I have diiculty putting into words my gratitude or my wie and love o my lie,
Rebekah, or tolerating my requent absences (in the home oice) while I developed the
manuscript. his project could not have been completed without her loyal and unailing
support and encouragement.
xix
This page intentionally left blank
INTRODUCTION
he dizzying pace o inormation systems innovation has made vast expanses o inorma-
tion available to organizations and the public. Design laws and technical vulnerabilities
oten bring unintended consequences, usually in the orm o inormation thet and disclo-
sure. Attacks rom nation-states and cybercriminal organizations are increasing dramati-
cally. he result is a patchwork o laws, regulations, and standards such as Sarbanes–Oxley,
GDPR, CCPA, Gramm–Leach-Bliley, HIPAA, PCI DSS, PIPEDA, NERC CIP, CMMC,
and scores o U.S. state laws requiring public disclosure o security breaches involving
private inormation. he relatively new Cybersecurity & Inrastructure Security Agency
(CISA) has become a prominent voice in the United States, and executive orders require
organizations to improve deenses and disclose breaches. As a result o these laws and
regulatory agencies, organizations are required or incentivized to build or improve their
inormation security programs to avoid security breaches, penalties, sanctions, lawsuits, and
embarrassing news headlines.
hese developments continue to drive demand or inormation security proessionals
and inormation security leaders. hese highly sought-ater proessionals play a crucial
role in developing better inormation security programs that reduce risk and improve
conidence in eective systems and data protection.
he Certiied Inormation Security Manager (CISM) certiication, established in
2002, has become the leading certiication or inormation security management.
Demand or the CISM certiication has grown so much that the once-per-year certi-
ication exam was changed to twice per year in 2005 and is now oered continually.
In 2005, the CISM certiication was accredited by the American National Standards
Institute (ANSI) under the international standard ISO/IEC 17024:2012 and is also
one o the ew certiications ormally approved by the U.S. Department o Deense in
its Inormation Assurance echnical category (DoD 8570.01-M). In 2018 and again in
2020, CISM was awarded the Best Proessional Certiication by SC Media. here are
now more than 50,000 proessionals with the certiication, and the worldwide average
salary or CISM holders is more than US$149,000.
Founded in 1969 as the Electronic Data Processing Auditors Association (EDPAA),
ISACA is a solid and lasting proessional organization. Its irst certiication, Certiied
Inormation Systems Auditor (CISA), was established in 1978.
xxi
CISM Certified Information Security Manager All-in-One Exam Guide
xxii
his book is one source o inormation to help you prepare or the CISM exam, but it
should not be thought o as the ultimate collection o all the knowledge and experience
that ISACA expects qualiied CISM candidates to possess. No single publication covers
all o this inormation.
his book is also a reerence or aspiring and practicing I security managers, security
leaders, and CISOs. he content required to pass the CISM exam is the same content
that practicing security managers must be amiliar with in their day-to-day work. his
book is a deinitive CISM exam study guide as well as a desk reerence or those who have
already earned their CISM certiication.
his book is also invaluable or inormation security proessionals who are not in
leadership positions today. You will gain considerable insight into today’s inormation
security management challenges. his book is also helpul or I and business manage-
ment proessionals working with inormation security leaders who need to understand
what they are doing and why.
his is an excellent guide or anyone exploring a security management career. he
study chapters explain the relevant technologies, techniques, and processes used to man-
age a modern inormation security program. his is useul i you are wondering what the
security management proession is all about.
Pay Earn
Maintenance CPEs Lose CISM
Fee Certification
Substitution of Experience
Up to two years o direct work experience can be substituted with the ollowing to meet
the ive-year experience requirement. Only one waiver is permitted.
Two Years
• Certiied Inormation Systems Auditor (CISA) in good standing
• Certiied Inormation Systems Security Proessional (CISSP) in good standing
CISM Certified Information Security Manager All-in-One Exam Guide
xxviii
• MBA or master’s degree in inormation security or a related ield; transcripts or
a letter conirming degree status must be sent rom the university attended to
obtain the experience waiver
One Year
• Bachelor’s degree in inormation security or a related ield
• Skill-based or general security certiication
• One ull year o inormation systems management experience
Here is an example o a CISM candidate whose experience and education are consid-
ered or CISM certiication: A candidate graduated in 2002 with a bachelor’s degree in
computer science. hey spent ive years working or a sotware company managing I,
and in January 2015, they began managing inormation security. In January 2017, they
took some time o work or personal reasons. In 2019, they earned their Security+ cer-
tiication and rejoined the workorce in December 2019, working as a risk manager or
a public company in its enterprise risk management department. he candidate passed
the CISM exam in June 2022 and applied or CISM certiication in September 2022.
Do they have all o the experience required? What evidence will they need to submit?
• Skills-based certification he candidate obtained their Security+ certiication,
which equates to a one-year experience substitution.
• Two years of direct experience hey can count their two ull years o inormation
security management experience in 2015 and 2016.
• One-year substitution hey cannot take into account one year o I management
experience completed between January 2002 to January 2007, because it was not
completed within ten years o their application.
• One-year direct experience he candidate would want to utilize their new risk
manager experience or work experience.
he candidate would need to send the ollowing with their application to prove the
experience requirements are met:
• Veriication o Work Experience orms illed out and signed by their supervisors
(or any superior) at the sotware company and the public company, veriying
both the security management and non–security management work conducted
• ranscripts or letters conirming degree status sent rom the university
TIP Read the CISM certiication qualiications on the ISACA web site. ISACA
changes the qualiication rules rom time to time, and I want you to have the
most up-to-date inormation available.
Introduction
xxix
ISACA Code of Professional Ethics
Becoming a CISM proessional means adhering to the ISACA Code o Proessional Eth-
ics, a ormal document outlining what you will do to ensure the utmost integrity in a way
that best supports and represents the proession. Speciically, the ISACA code o ethics
requires ISACA members and certiication holders to do the ollowing:
• Support the implementation o, and encourage compliance with, appropriate
standards and procedures or the eective governance and management o
enterprise inormation systems and technology, including audit, control, security,
and risk management.
• Perorm their duties with objectivity, due diligence, and proessional care, in
accordance with proessional standards.
• Serve in the interest o stakeholders in a lawul manner, while maintaining
high standards o conduct and character and not discrediting their proession
or the association.
• Maintain the privacy and conidentiality o inormation obtained in the course o
their activities unless disclosure is required by legal authority. Such inormation
shall not be used or personal beneit or released to inappropriate parties.
• Maintain competency in their respective ields and agree to undertake only
those activities they can reasonably expect to complete with the necessary skills,
knowledge, and competence.
• Inorm appropriate parties o the results o work perormed, including the
disclosure o all signiicant acts known to them that, i not disclosed, may
distort the reporting o the results.
• Support the proessional education o stakeholders in enhancing their
understanding o the governance and management o enterprise inormation
systems and technology, including audit, control, security, and risk management.
Failure to comply with this Code o Proessional Ethics can result in an investigation
into a member’s or certiication holder’s conduct and, ultimately, disciplinary measures,
including the oreiture o hard-won certiication(s).
You can ind the ull text and terms o enorcement o the ISACA Code o Ethics at
www.isaca.org/ethics.
Once your registration is complete, you will immediately receive an e-mail acknowl-
edging this. Next, you will need to schedule your certiication exam. he ISACA web
site will direct you to the certiication registration page, where you will select a date,
time, and (optionally) location to take your exam. When you conirm the date, time,
and location or your exam, you will receive a conirmation via e-mail. You will need the
conirmation letter to enter the test location—make sure to keep it unmarked and in a
sae place until test time.
Exam Questions
Each registrant has our hours to take the exam, with 150 multiple-choice questions
representing the our job practice areas. Each question has our answer choices; you must
select only one best answer. You can skip questions and return to them later, and you can
also lag questions you want to review later i time permits. While you are taking your
exam, the time remaining will appear on the screen.
When you have completed the exam, you’ll be directed to close the exam. At that
time, the exam will display your pass or ail status, reminding you that your score and
passing status are subject to review. You will be scored or each job practice area and then
provided one inal score. All scores are scaled. Scores range rom 200 to 800; a inal score
o 450 is required to pass.
Exam questions are derived rom a job practice analysis study conducted by ISACA.
he selected areas represent tasks perormed in a CISM’s day-to-day activities and the
background knowledge required to develop and manage an inormation security pro-
gram. You can ind more detailed descriptions o the task and knowledge statements at
www.isaca.org/credentialing/cism/cism-exam-content-outline.
Exam Coverage
he CISM exam is quite broad in its scope. It covers our job practice areas, as shown
in able 2.
NOTE You are not permitted to display the CISM moniker until you have
completed certiication. Passing the exam is not suicient to use the CISM
anywhere, including e-mail, résumés, correspondence, or social media.
NOTE You are permitted to use the CISM moniker only ater receiving your
certiication letter rom ISACA.
CISM Certified Information Security Manager All-in-One Exam Guide
xxxvi
Retaining Your CISM Certification
here is more to becoming a CISM proessional than passing an exam, submitting
an application, and receiving a paper certiicate. Becoming a CISM proessional is an
ongoing and continuous liestyle. hose with CISM certiication agree to abide by the
code o ethics, meet ongoing education requirements, and pay annual certiication
maintenance ees. Let’s take a closer look at the education requirements and explain the
costs o retaining certiication.
Continuing Education
he goal o proessional continuing education requirements is to ensure that individuals
maintain CISM-related knowledge to help them successully develop and manage secu-
rity management programs. o maintain CISM certiication, individuals must obtain
120 continuing education hours within three years, with a minimum requirement o
20 hours per year. Each CPE hour accounts or 50 minutes o active participation in
educational activities.
Activity CPE
Activity Title/Sponsor Description Date Hours Support Docs Included?
ISACA presentation/lunch PCI 2/12/2023 1 Yes (receipt)
compliance
ISACA presentation/lunch Security in 3/12/2023 1 Yes (receipt)
SDLC
Regional Conerence, RIMS Compliance, 1/15–17/2023 6 Yes (CPE receipt)
risk
BrightFly webinar Governance, 2/16/2023 3 Yes (conirmation e-mail)
risk, &
compliance
ISACA board meeting Chapter board 4/9/2023 2 Yes (meeting minutes)
meeting
Presented at ISSA meeting Risk 6/21/2023 1 Yes (meeting notice)
management
presentation
Revocation of Certification
A CISM-certiied individual may have his or her certiication revoked or the ollow-
ing reasons:
• Failure to complete the minimum number o CPEs during the period
• Failure to document and provide evidence o CPEs in an audit
Introduction
xxxix
• Failure to submit payment or maintenance ees
• Failure to comply with the Code o Proessional Ethics, which can result in
investigation and ultimately lead to revocation o certiication
I you have received a revocation notice, contact the ISACA Certiication Department
at https://support.isaca.org/ or more inormation.
Volunteer
As a nonproit organization, ISACA relies upon volunteers to enrich its programs and
events. here are many ways to help, and one or more o these volunteer opportunities
may suit you:
• Speak at an ISACA event Whether you make a keynote address or host a session
on a speciic topic, speaking at an ISACA event is a mountaintop experience. You
can share your knowledge and expertise on a particular topic with attendees, but
you’ll learn some things too.
• Serve as a chapter board member Local chapters don’t run by themselves; they
rely on volunteers—working proessionals who want to improve the lot o other
proessionals in the local community. Board members can serve in various ways,
rom inancial management to membership to events.
• Start or help a CISM study group Whether part o a local chapter or a chapter
at large, consider starting or helping a group o proessionals who want to learn
the details o the CISM job practice. I am a proponent o study groups because
study group participants make the best students: they take the initiative to take
on a big challenge to advance their careers.
• Write an article ISACA has online and paper-based publications that eature
articles on various subjects, including current developments in security, privacy,
risk, and I management rom many perspectives. I you have specialized
knowledge on some topic, other ISACA members can beneit rom this knowledge
i you write about it.
• Participate in a credential working group ISACA works hard to ensure that
its many certiications remain relevant and up to date. Experts worldwide in many
industries give o their time to ensure that ISACA certiications remain the best
in the world. ISACA conducts online and in-person working groups to update
certiication job practices, write certiication exam questions, and publish updated
study guides and practice exams. I contributed to the irst CRISC certiication
working group in 2013 when ISACA initially developed the CRISC certiication
exam; I met many like-minded proessionals, some o whom I am still in regular
and meaningul contact with.
• Participate in ISACA CommunITy Day ISACA organizes a global eort o
local volunteering to make the world a better, saer place or everyone. Learn
about the next CommunIy day at https://engage.isaca.org/communityday/.
• Write certification exam questions ISACA needs experienced subject matter
experts willing to write new certiication exam questions. ISACA has a rigorous,
high-quality process or exam questions that includes training. You could even
be invited to an in-person exam item writing workshop. You can ind out more
about how this works at www.isaca.org/credentialing/write-an-exam-question.
Introduction
xli
Please take a minute to relect upon the quality and richness o the ISACA organiza-
tion and its many world-class certiications, publications, and events. hese are all ueled
by volunteers who made ISACA into what it is today. Only through your contribution
o time and expertise will ISACA continue in its excellence or uture security, risk, pri-
vacy, and I proessionals. And one last thing you can only experience on your own:
volunteering helps others and enriches you. Will you consider leaving your mark and
making ISACA better than you ound it? For more inormation about these and many
other volunteer opportunities, visit www.isaca.org/why-isaca/participate-and-volunteer.
Summary
Becoming and being a CISM proessional is a liestyle, not just a one-time event. It takes
motivation, skill, good judgment, persistence, and proiciency to be a strong and eective
leader in inormation security management. he CISM certiication was designed to help
you navigate the security management world more easily and conidently.
Each CISM job practice area is discussed in detail in the ollowing chapters, and
additional reerence material is presented. Not only is this inormation helpul or those
o you who are studying beore taking the exam, but it is also meant to serve as a
resource throughout your career as an inormation security management proessional.
This page intentionally left blank
PART I
Information Security
Governance
Chapter 1 Enterprise Governance
Chapter 2 Inormation Security Strategy
This page intentionally left blank
Enterprise Governance
CHAPTER
1
In this chapter, you will learn about
• Organizational culture
• Types o legal and regulatory requirements
• Organization structure, roles, and responsibilities
• Ethics and codes o conduct
This chapter covers Certified Information Security Manager (CISM) job practice 1,
“Information Security Governance,” part A, “Enterprise Governance.” The entire Infor-
mation Security Governance domain represents 17 percent of the CISM examination.
Supporting Tasks in the CISM job practice that align with the Information Security
Governance / Enterprise Governance domain include:
4. Integrate information security governance into corporate governance.
8. Define, communicate, and monitor information security responsibilities
throughout the organization and lines of authority.
21. Identify legal, regulatory, organizational, and other applicable compliance
requirements.
Governance is a process whereby senior management exerts strategic control over
business functions through policies, objectives, delegation of authority, and monitor-
ing. Governance is management’s oversight of all other business processes to ensure that
business processes effectively meet the organization’s business vision and objectives.
Organizations usually establish governance through steering committees responsible
for setting long-term business strategy and making changes to ensure that business pro-
cesses continue to support business strategy and the organization’s overall needs. This
is accomplished through the development and enforcement of documented policies,
standards, procedures, and requirements. Various reporting metrics provide feedback to
business leaders on organizational performance and the results of their decisions.
3
CISM Certified Information Security Manager All-in-One Exam Guide
4
Introduction to Information Security Governance
Information security governance typically focuses on several key processes, which include
personnel management, sourcing, risk management, configuration management, change
management, access management, vulnerability management, incident management,
and business continuity planning. Another key component is establishing an effective
organizational structure and clear statements of roles and responsibilities. An effective
governance program will use a balanced scorecard, metrics, or other means to monitor
these and other key processes. Security processes will be changed to remain effective and
support ongoing business needs through continuous improvement.
Information security is a business issue, and organizations that are not yet adequately
protecting their information have a business problem. The reason for this is almost always
a lack of understanding and commitment by boards of directors and senior executives.
For many, information security is only a technology problem at the tactical level. Recent
events have brought the issue of information security to the forefront for many organi-
zations. Information security leaders are challenged with how to organize, manage, and
communicate about information security and the business impacts successfully because
of a lack of awareness or cybersecurity savviness among the organization’s executive lead-
ership and board of directors.
To be successful, information security must also be a people issue. When people at
each level in the organization—from boards of directors to individual contributors—
understand the importance and impact of information security and their own roles
and responsibilities, the organization will be in a position of reduced risk. This reduc-
tion in risk or identification of potential security events results in fewer incidents that,
when they do occur, will have a lower impact on the organization’s ongoing reputation
and operations.
Information security governance is a set of established activities that helps manage-
ment understand the state of the organization’s security program, its current risks, and its
direct activities. A goal of the security program is to continue to contribute toward the
fulfillment of the security strategy, which itself will continue to align with the business
and the business objectives. Whether the organization has a board of directors, council
members, commissioners, or some other top-level governing body, governance begins
with establishing top-level strategic objectives translated into actions, policies, processes,
procedures, and other activities downward through each level in the organization.
An organization must also have an effective IT governance program for information
security governance to succeed. IT is the enabler and force multiplier that facilitates
business processes that fulfill organization objectives. Without effective IT governance,
information security governance will not be able to reach its full potential. The result
may be that the proverbial IT bus will travel safely but to the wrong destination. This is
depicted in Figure 1-1.
While the CISM certification is not directly tied to IT governance, this implicit depen-
dence of security governance on IT governance cannot be understated. IT and secu-
rity professionals specializing in IT governance itself may be interested in the ISACA’s
Certified in the Governance of Enterprise IT (CGEIT) and the Certified in Risk and
Information Systems Control (CRISC) certifications, which specialize in this domain.
Chapter 1: Enterprise Governance
5
Figure 1-1
Vision lows
PART I
downward in Business
an organization. Vision
Business Strategy
IT Strategy
IT Security Strategy
Security Policy
Security Standards
Security Processes
Security Metrics
PART I
security controls and processes protecting IT assets, management will not be informed or
in control of these protective measures. The consequences of failure can impair, cripple,
and/or embarrass the organization’s core operations.
• Risk management Management will ensure that risk assessments are performed
to identify risks in information systems and supported processes. Follow-up actions
will be carried out to reduce the risk of system failure and compromise.
• Process improvement Management will ensure that key changes will be made
to business processes that will result in security improvements.
• Event identification Management will put technologies and processes in place
to ensure that security events and incidents will be identified as quickly as possible.
• Incident response Management will put incident response procedures into
place to help avoid incidents, reduce the impact and probability of incidents, and
improve response to incidents to minimize their impact on the organization.
• Improved compliance Management will identify all applicable laws, regulations,
and standards and carry out activities to confirm that the organization can attain
and maintain compliance.
• Business continuity and disaster recovery planning Management will define
objectives and allocate resources to develop business continuity and disaster
recovery plans.
• Metrics Management will establish processes to measure key security events such
as incidents, policy changes and violations, audits, and training.
• Resource management The allocation of workforce, budget, and other resources
to meet security objectives is monitored by management.
• Improved IT governance An effective security governance program will result
in better strategic decisions in the IT organization that keep risks at an acceptably
low level.
These and other governance activities are carried out through scripted interactions
among key business and IT executives at regular intervals. Meetings will include a discus-
sion of the impact of regulatory changes, alignment with business objectives, effectiveness
of measurements, recent incidents, recent audits, and risk assessments. Other discussions
may include changes to the business, recent business results, and any anticipated business
events such as mergers or acquisitions.
CISM Certified Information Security Manager All-in-One Exam Guide
8
There are two key results of an effective security governance program:
• Increased trust Customers, suppliers, and partners will trust the organization
to a greater degree when they see that security is managed effectively.
• Improved reputation The business community, including customers, investors,
and regulators, will hold the organization in higher regard.
Business Alignment
An organization’s information security program needs to fit into the rest of the organiza-
tion. This means that the program needs to understand and align with the organization’s
highest-level guiding principles, including the following:
• Mission Why does the organization exist? Who does it serve and through what
products and services?
• Goals and objectives What goals does the organization hope to achieve, and
when does it want to accomplish them?
• Strategy What activities need to occur to fulfill the organization’s goals and
objectives?
To be business aligned, people in the security program should be aware of several
characteristics of the organization, including the following:
PART I
The information security profession is still plagued by the reputation of “being the
department of ‘no’” or as the “department of business prevention.” This stems from
overzealous security managers who were more risk-averse than the business itself
and did not understand the organization’s need to grow, expand, and establish new
products and services. The result of this reputation is the still-present tendency for
IT and other parts of the business to avoid involvement with security professionals
out of fear that their participation will hamper their efforts.
This can lead to shadow IT (where individuals and groups bypass corporate IT
and procure their own computing services), which in many cases puts the organiza-
tion at a greater risk of data leakage. Most people within a business want to do the
right thing and complete their job activities. They do not intentionally set out to
expose sensitive data; many employees are just trying to complete their assigned
duties. For example, a person in the new accounts department receives an e-mail
from the external marketing team listing all newly signed-up accounts and fails to
recognize that the file contains sensitive cardholder data and is being shared over a
public connection.
Organizational Culture
Organizational culture is the term that describes how people within an organization treat
one another and how they get things done. Many organizations establish a set of values
that defines the norms of professional behavior. Terms such as respect, collaboration, and
teamwork are often used in these values. Some organizations publish formal value state-
ments and print them for display in lobbies, offices, and conference rooms.
CISM Certified Information Security Manager All-in-One Exam Guide
10
The way an organization’s leaders treat one another and the rest of the organization’s
employees sets an example for behavioral norms. Often, these norms reflect those formal
values, but sometimes they may differ. One could say that an organization’s stated culture
and its actual culture may vary a little or a lot. The degree of alignment itself is a reflec-
tion of an organization’s culture.
Every organization also has a risk culture, which affects how the organization deals
with risk and how it treats risk over time. This culture is developed from several sources.
First, it can come from the organization’s leadership, based on their business and man-
agement philosophies, attitudes, education, and experience. It can also come from the
organization’s governance. Remember that governance essentially comprises the rules and
regulations imposed on the organization by either external entities (in the form of laws,
for example) or internally by the organization itself. As discussed, risk tolerance and risk
appetite support the organizational risk culture.
Ethics
Most organizations, particularly professional ones, have requirements for a code of
conduct or professional ethics. This is especially true in the cybersecurity and risk man-
agement professions. These codes of ethics regulate the behavior of professionals and
ensure that those professionals maintain high standards of conduct. Most industry-
recognized professional certifications also require adherence to a code of ethics, and
ISACA is no exception.
ISACA’s Code of Professional Ethics is available at www.isaca.org/credentialing/code-of-
professional-ethics and is imposed upon all organizational members and certification holders.
Chapter 1: Enterprise Governance
11
If a professional bound to uphold those ethical standards fails to do so, ISACA implements
procedures for filing a complaint. The ISACA Code of Professional Ethics includes provi-
PART I
sions for the following (paraphrased here):
1. Supporting and complying with standards and procedures for governance and
management of information systems and technology
2. Performing duties professionally, with due diligence and care, as required by
professional standards
3. Conducting activities in a lawful manner and maintaining the high standards of
conduct and character required by the profession and ISACA
4. Ensuring privacy and confidentiality of sensitive information obtained in the
course of professional duties
5. Maintaining competency in the professional field
6. Full disclosure and impartiality regarding results of work performed to ensure
that the results of that work are not distorted
7. Supporting professional education in the areas of governance and management
of enterprise information systems and technology, to include auditing, controls,
security, and risk management
Many organizations have a formal, written policy called a code of ethics or a code
of conduct. Such a policy defines acceptable professional behavior across many areas of
business dealings, including relationships with customers, regulators, and public officials
on topics such as financial dealings, kickbacks, bribes, and personal favors. The U.S.
Foreign Corrupt Practices Act of 1977 (FCPA) prohibits individuals and organizations
from bribing foreign government officials. Other countries have similar laws, such as the
United Kingdom Bribery Act of 2010.
The resulting behavioral standard for information security professionals, then, is a
synthesis of association codes of ethics such as the ISACA Code of Professional Ethics, an
employer’s code of conduct, applicable laws, as well as each professional’s worldview that
may include concepts of good versus evil, right versus wrong, and other moral standards.
Organizational Structure,
Roles, and Responsibilities
How the business is organized can help drive how it deals with cybersecurity. Most com-
panies are managed from a functional perspective; in other words, departments and other
hierarchical structures are established to take care of specific functions that contribute
to business goals and objectives. For example, a production-driven business may have a
manufacturing or production department, an engineering department, a research and
development department, and an assembly line. Additional departments may also cover
support functions such as marketing, accounting and finance, public relations, and so on.
On the other hand, a hospital will be organized according to its specific functions, such
as the emergency department, surgery, neurology, radiology, and so on. Businesses in
other markets or areas will be organized differently as well. In any case, the organization
Chapter 1: Enterprise Governance
13
of the business is structured as its mission and business purposes dictate. Certain func-
tions are found in any business, such as information technology, information security,
PART I
privacy, and legal compliance. Each functional area has a primary mission and function,
but an important thing to consider is that all different organizational structures, from
lower-level work sections to higher-level departments and divisions, have responsibilities
regarding cybersecurity.
Each unit, whether in the lower levels of the business hierarchy or at the highest levels,
should be aware of, and responsible for, its impact on information protection and cyber-
security at its level. This innate responsibility originates from the well-known phrase,
“information security is everyone’s responsibility.” Beyond an awareness of how a worker
handles files on a laptop with tools such as e-mail and cloud storage, “information security
is everyone’s responsibility” covers everything, including the following:
Organizational Roles
Information security governance is most effective when every person in the organization
knows what is expected of them. Better organizations develop formal roles and responsi-
bilities so that personnel will have a clearer idea of their part in all matters related to the
protection of systems, information, and even themselves.
In organizational structure and behavior, a role describes expected activities that
employees are obliged to perform as part of their employment. Roles are typically associ-
ated with a job title or position title, a label assigned to each person that designates his or
her place in the organization. Organizations strive to adhere to standard position titles so
that other people in the organization, upon knowing someone’s position title, will have
at least a general idea of each person’s role in the organization.
Typical roles include the following:
• IT auditor
• Systems engineer
• Accounts receivable manager
• Individual contributor
CISM Certified Information Security Manager All-in-One Exam Guide
14
Often a position title also includes a person’s rank, which denotes a person’s seniority,
placement within a command-and-control hierarchy, span of control, or any combina-
tion. Typical ranks include the following, in order of increasing seniority:
• Supervisor
• Manager
• Senior manager
• Director
• Senior director
• Executive director
• Vice president
• Senior vice president
• Executive vice president
• President
• Chief executive officer
• Member, board of directors
• Advisor, board of directors
• Chairman, board of directors
Note that this should not be considered a complete listing of ranks. Larger organiza-
tions also include the modifiers assistant (as in assistant director), general (general man-
ager), managing (managing director), and first (first vice president).
A responsibility is a statement of activities that a person is expected to perform. Like
roles, responsibilities are typically documented in position descriptions and job descrip-
tions. Typical responsibilities include the following:
RACI Charts
PART I
Many organizations utilize RACI (Responsible, Accountable, Consulted, Informed)
charts to denote key responsibilities in business processes, projects, tasks, and other
activities. A RACI chart assigns levels of responsibility to individuals and groups.
The development of a RACI chart helps personnel determine roles for various busi-
ness activities. A typical RACI chart follows.
The same RACI chart can also be depicted in this second example:
IT IT
End Service Service Asset Internal Audit Security
Activity User Manager Desk Manager Owner COO Audit Manager Team
Request
User R A I I I
Account
Approve
User I C I I R A I C
Account
Provision
User I I R A C I
Account
Audit
User I I I C R A I
Account
This RACI chart specifies the roles carried out by several parties in the user
account access request process.
(continued)
CISM Certified Information Security Manager All-in-One Exam Guide
16
• Responsible The person or group that performs the actual work or task.
• Accountable The person who is ultimately answerable for complete,
accurate, and timely execution of the work. Often this is a person who
manages those in the Responsible role.
• Consulted One or more people or groups consulted for their opinions,
experience, or insight. People in the Consulted role may be a subject-matter
expert for the work or task, or an owner, steward, or custodian of an asset
associated with the work or task. Communication with the Consulted role
is two-way.
• Informed One or more people or groups informed by those in other roles.
Depending on the process or task, people in the Informed role may be told
of an activity before, during, or after its completion. Communication with
the Informed role is one-way.
When assigning roles to individuals and groups in a RACI chart, several aspects
must be considered, including the following:
Board of Directors
An organization’s board of directors oversees activities in the organization. Depending on
the type of organization, board members may be elected by shareholders or constituents,
or they may be appointed. This role can be either paid or voluntary in nature.
Chapter 1: Enterprise Governance
17
Activities performed by the board of directors, as well as directors’ authority, are
usually defined by a constitution, bylaws, or external regulation. The board is typi-
PART I
cally accountable to the organization’s owners or, in the case of a government body,
to the electorate.
In many cases, board members have fiduciary duty. This means they are account-
able to shareholders or constituents to act in the organization’s best interests with
no appearance of impropriety, conflict of interest, or ill-gotten profit resulting from
their actions.
In nongovernment organizations (NGOs), the board of directors is responsible for
appointing a chief executive officer (CEO) and possibly other executives. The CEO,
then, is accountable to the board of directors and carries out the board’s directives.
Board members may also be selected for any of the following reasons:
Executive Management
Executive management is responsible for carrying out directives issued by the board of
directors. Information security management includes ensuring that sufficient organiza-
tional resources are devoted to implementing a security program and developing and
maintaining security controls to protect critical assets.
Executive management must ensure that priorities are balanced. In the case of IT
and information security, these functions are usually tightly coupled but sometimes in
conflict. IT’s primary mission is to develop and operate business-enabling capabilities
through the use of information systems, while information security’s mission includes
risk management, security, privacy, and compliance. Executive management must ensure
that these two sometimes-conflicting missions are successful.
Typical IT- and security-related executive position titles include the following:
PART I
• Ratify corporate security policy Security policies developed by the
information security function should be visibly ratified or endorsed by
executive management. This may take different forms, such as formal, minuted
ratification in a governance meeting; a statement of the need for compliance
along with a signature within the body of the security policy document; a
separate memorandum to all personnel; or other visible communication to
the organization’s rank and file that stresses the importance of, and need for
compliance to, the organization’s information security policy.
• Leadership by example With regard to information security policy, executive
management should lead by example and not exhibit behavior suggesting they are
“above” security policy—or other policies. Executives should not be seen to enjoy
special privileges of the nature that suggest that one or more security policies do
not apply to them. Instead, their behavior should visibly support security policies
that all personnel are expected to comply with.
• Ultimate responsibility Executives are ultimately responsible for all actions
carried out by the personnel who report to them. Executives are also ultimately
responsible for all outcomes related to organizations to which operations have
been outsourced.
Reading between the lines, the primary mission of a security steering committee is to
identify and resolve conflicts and to maximize the effectiveness of the security program,
as balanced among other business initiatives and priorities.
PART I
Custodial Responsibilities
In many organizations, asset owners are not involved in the day-to-day activities related
to managing their assets, particularly when those assets are information systems and the
data stored within them. Instead, somebody (or several people) in the IT organization
acts as a proxy for asset owners and makes access grants and other decisions on their
behalf. While this is a common practice, it is often carried too far, resulting in the asset
owner being virtually uninvolved and uninformed. Instead, asset owners should be aware
of, and periodically review, activities carried out by people, groups, and departments
making decisions on their behalf.
In a typical arrangement, people in IT make access decisions on behalf of asset
owners. Unless there is a close partnership between these IT personnel and the asset
owners, IT personnel often do not adequately understand the business nature of assets
or the implications when certain people are given access to them. Often, far too many
personnel have access to assets, usually with higher privileges than necessary.
• Chief security officer (CSO) This position generally has the responsibilities
of a CISO, plus responsibilities for non-information assets such as business
equipment and work centers. A CSO often is responsible for workplace safety.
• Chief information risk officer (CIRO) Generally, this represents a change of
approach to the CISO position, from protection-based to risk-based.
• Chief risk officer (CRO) This position is responsible for all aspects of risk,
including information, business, compliance, and market risk. This role is separate
from IT. Note that some organizations have a chief revenue officer (also CRO);
ensure that you understand how the organization structures its leadership roles.
Many organizations do not have a CISO but instead have a director or manager of
information security who reports to someone further down in the organization chart.
CISM Certified Information Security Manager All-in-One Exam Guide
22
An organization may not have a CISO for several reasons, but, in general, the orga-
nization does not consider information security as a strategic function. In some cases,
an organization lacks a CISO because other C-level executives feel that a CISO would
hinder business development and agility. Regardless of the reason, not having a CISO
will hamper the visibility and importance of information security and often results in
information security being a tactical function concerned with primary defenses such as
firewalls, antivirus, and other tools. In such situations, responsibility for strategy-level
information security implicitly lies with some other executive, such as the CIO. This
situation often results in the absence of a security program and the organization’s general
lack of priority for and awareness of relevant risks, threats, and vulnerabilities.
The one arena where a CISO may not be required is in small to medium-sized
organizations where a full-time strategic leader may not be cost effective. It is advisable
to contract with a virtual CISO (vCISO) to assist with strategy and planning. When
organizations do not require or cannot afford a full-time person, this approach enables
the organization to benefit from the knowledge of a seasoned security professional to
assist in driving the information security program forward. This book’s technical editor
and I have served organizations in this capacity for several years.
PART I
Typically, some organizations that manage large amounts of sensitive data on customers
will employ a chief privacy officer (CPO), sometimes known as a data protection officer
(DPO). In some organizations, a CPO is required by applicable regulations such as
GDPR. In contrast, others have a CPO because they store massive amounts of personally
identifiable information (PII).
The roles of a CPO typically include the safeguarding of PII and ensuring that the
organization does not misuse PII at its disposal. Because many organizations with a
CPO also have a CISO, the CPO’s duties mainly involve oversight of the organization’s
proper handling and use of PII, leaving information protection to the CISO.
The CPO is sometimes seen as a customer advocate, and often this is the role of the
CPO, particularly when regulations require a privacy officer.
Software Development
Positions in software development are involved in the design, development, and testing
of software applications.
• Systems architect This position is usually responsible for the overall information
systems architecture in the organization. This may or may not include overall data
architecture and interfaces to external organizations.
• Systems analyst A systems analyst is involved with the design of applications,
including changes in an application’s original design. This position may develop
technical requirements, program design, and software test plans. If organizations
license applications developed by other companies, systems analysts design
interfaces for those applications.
• Software engineer/developer This position develops application software.
Depending upon their level of experience, people in this position may also design
programs or applications. Developers often create custom interfaces, application
customizations, and custom reports in organizations that utilize purchased
application software.
• Software tester This position tests changes in programs made by software
engineers/developers.
While the trend of outsourcing applications has resulted in organizations infre-
quently developing their applications from scratch, software development roles persist
in organizations. Developers are needed to create customized modules within software
CISM Certified Information Security Manager All-in-One Exam Guide
24
platforms and integrations and integration tools to connect applications and databases.
Still, most organizations have fewer developers today than they did a decade or two ago.
Data Management
Positions related to data management are responsible for developing and implementing
database designs and maintaining databases. These positions are concerned with data
within applications and data flows between applications.
• Data manager This position is responsible for data architecture and management
in larger organizations.
• Database architect This person develops logical and physical designs of data
models for applications. With sufficient experience, this person may also design
an organization’s overall data architecture.
• Big data architect This position develops data models and data analytics for
large, complex data sets.
• Database administrator (DBA) This position builds and maintains databases
designed by the database architect and databases that are included as part of
purchased applications. The DBA monitors databases, tunes them for performance
and efficiency, and troubleshoots problems.
• Database analyst This person performs tasks that are junior to the database
administrator, carrying out routine data maintenance and monitoring tasks.
• Data scientist This position applies scientific methods, builds processes, and
implements systems to extract knowledge or insights from data.
EXAM TIP The roles o data manager, database architect, big data architect,
database administrator, database analyst, and data scientist are distinct rom
data owners. Don’t conuse them on the exam. The ormer are IT department
roles or managing data models and data technology, whereas the latter (data
owner) governs the business use o and access to data in inormation systems.
Network Management
Positions in network management are responsible for designing, building, monitoring,
and maintaining voice and data communications networks, including connections to
outside business partners and the Internet.
• Network architect This position designs data and voice networks and designs
changes and upgrades to networks to meet new organization objectives.
• Network engineer This person implements, configures, and maintains network
devices such as routers, switches, firewalls, and gateways.
Chapter 1: Enterprise Governance
25
• Network administrator This position performs routine tasks in the network,
such as making configuration changes and monitoring event logs.
PART I
• Telecom engineer Those serving in this role work with telecommunications
technologies such as telecom services, data circuits, phone systems, conferencing
systems, and voicemail systems.
Systems Management
Positions in systems management are responsible for the architecture, design, building,
and maintenance of servers and operating systems. This may include desktop operating
systems as well. Personnel in these positions also design and manage virtualized environ-
ments and microsegmentation.
IT Operations
Positions in operations are responsible for day-to-day operational tasks that may include
networks, servers, databases, and applications.
• Risk manager This person is responsible for performing risk assessments and
maintaining the risk register.
• Policy manager This position is responsible for maintaining security and
privacy policy documents and related information. This person works closely
with the risk manager, identifying risks that may identify the need for new and
updated policy.
• Controls manager This position is responsible for maintaining security
controls, advising control owners on responsibilities and expectations, and
assessing controls for effectiveness.
• Third-party risk management This position is responsible for assessing new
and existing vendors and service providers, identifying and reporting on risks,
and developing mitigation strategies.
• Information governance This position is responsible for data classification
policy and serves as a governance function to manage the organization’s use
of information.
• Security awareness training This person is responsible for developing and
delivering content of various types to enable the workforce to understand their
information security and privacy responsibilities.
Chapter 1: Enterprise Governance
27
Business Resilience
PART I
Personnel in positions related to business resilience are responsible for various activities
that ensure the organization can continue operations despite disruptive events.
• Crisis communications This position is responsible for developing and
executing communications plans to keep employees, customers, regulators,
and shareholders informed of business emergencies and disruptive events. This
responsibility may lie with corporate communications, or it could be separate.
• Crisis management These positions are responsible for developing and
executing plans to manage business emergencies when they occur.
• Business continuity planning These positions are responsible for conducting
business impact analysis and criticality analysis and for developing and testing
business continuity plans.
• Disaster recovery planning These positions are responsible for developing
and testing procedures that ensure information systems’ continued operation
and recovery when disruptive events occur.
Security Operations
Positions in security operations are responsible for designing, building, and monitor-
ing security systems and security controls to ensure information systems’ confidentiality,
integrity, and availability.
• Security architect This person is responsible for designing technical security
controls, systems, and solutions in contexts such as authentication, audit logging,
intrusion detection systems (IDSs), intrusion prevention systems, access control,
antimalware, and firewalls.
• Security engineer This position is responsible for designing, building, and
maintaining security services and systems designed by the security architect.
• Security analyst This position is responsible for examining logs from firewalls
and IDSs and audit logs from systems and applications. This person may also be
responsible for issuing security advisories to others in IT.
• Forensics analyst This position is responsible for conducting forensic
investigations on information systems to identify the presence and effect of
malware, misbehavior of employees, and actions taken by intruders.
• Penetration tester This position is responsible for using tools to identify
vulnerabilities in information systems and advising system owners to develop
mitigation strategies. Most organizations outsource this function to outside
firms that perform penetration tests on a periodic (usually annual) basis.
• Access administrator This position is responsible for accepting approved
requests for user access management changes and performing the necessary
changes at the network, system, database, or application level. Often, this
position consists of personnel in network and systems management functions;
only in larger organizations is user account management performed in security or
even in a separate user access department.
CISM Certified Information Security Manager All-in-One Exam Guide
28
Security Audit
Positions in security audit are responsible for examining process design and verifying the
effectiveness of security controls.
• Security audit manager This position is responsible for audit operations and
scheduling and managing audits.
• Security auditor This position is responsible for performing internal audits of
IT controls to ensure that they are operated properly.
Service Desk
Positions at the service desk are responsible for providing frontline support services to
IT and IT customers.
• Service desk manager This position serves as a liaison between end users and
the IT service desk department.
• Service desk analyst This person is responsible for providing frontline user
support services to personnel in the organization. This is sometimes known as a
help-desk analyst.
• Technical support analyst This position is responsible for providing technical
support services to other IT personnel and IT customers.
Quality Assurance
Positions in quality assurance are responsible for evaluating IT systems and processes to
confirm their accuracy and effectiveness.
Other Roles
Other roles in IT and security organizations include the following:
PART I
• Project manager This position is responsible for creating project plans and
managing IT and security projects.
• Finance manager This person is responsible for financial planning and budget
management for IT.
General Staff
The rank and file in an organization may or may not have explicit information security
responsibilities, as determined by executive management’s understanding of the broad
capabilities of information systems and the personnel who use them.
Typically, general staff security-related responsibilities include the following:
Monitoring Responsibilities
The practice of monitoring responsibilities helps an organization confirm that the correct
jobs are being carried out in the right way. There is no single approach, but several activi-
ties provide information to management, including the following:
• Controls and internal audit Developing one or more controls around specific
responsibilities gives management greater control over key activities. An internal
audit of controls provides an objective analysis of control effectiveness.
CISM Certified Information Security Manager All-in-One Exam Guide
30
• Metrics and reporting Developing metrics for repeated activities helps
management better understand work output.
• Work measurement This is a more structured activity used to measure
repeated tasks carefully to help management better understand the volume
of work performed.
• Performance evaluation This is a traditional qualitative method used to evaluate
employee performance.
• 360 feedback Soliciting structured feedback from peers, subordinates, and
management helps subjects and management better understand characteristics
related to specific responsibilities.
• Position benchmarking This technique is used by organizations that want to
compare job titles and people holding them with those in other organizations.
There is no direct monitoring of responsibilities. Instead, benchmarking helps an
organization determine whether they have the right positions and are staffed by
competent and qualified personnel. This may be useful for organizations that are
troubleshooting employee performance.
Chapter Review
Information security governance is the top-down management and control of security
and risk management in an organization. Governance is usually undertaken through a
steering committee that consists of executives from throughout the organization. The
steering committee is responsible for setting overall strategic direction and policy, ensur-
ing that security strategy aligns with the organization’s IT and business strategy and
objectives. The directives of the steering committee are carried out through projects and
tasks that steer the security organization toward strategic objectives. The steering com-
mittee can monitor progress through metrics and a balanced scorecard.
For an information security program to be successful, it must align with the busi-
ness and its overall mission, goals and objectives, and strategy. The security program
must consider the organization’s notion of asset value, culture, risk tolerance/appetite,
legal obligations, and market conditions. A successful and aligned security program
does not lead the organization but enables and supports it to carry out its mission and
pursue its goals.
Security governance is accomplished using the same means as IT governance: it begins
with board-level involvement that sets the tone for risk appetite and is carried out through
the chief information security officer, who develops security and privacy policies, as well
as strategic security programs, including software assurance, change management, ven-
dor management, configuration management, incident management, vulnerability man-
agement, security awareness training, and identity and access management.
Security governance is used to establish roles and responsibilities for security-related
activities throughout all layers of the organization, from the board of directors to indi-
vidual staff. Roles and responsibilities are defined in job descriptions, policy and process
documents, and RACI charts.
Chapter 1: Enterprise Governance
31
The board of directors in the defined team is responsible for overseeing all activities in
an organization. Boards select and manage a chief executive officer responsible for devel-
PART I
oping a governance function to manage assets, budgets, personnel, processes, and risk.
The security steering committee is responsible for security strategic planning. The
security steering committee will develop and approve security policies and appoint
managers to develop and maintain processes, procedures, and standards, all of which
should align with one another and with the organization’s overall mission, strategy,
goals, and objectives.
The CISO develops business-aligned security strategies that support the organization’s
overall mission and goals and is responsible for the organization’s overall security pro-
gram, including policy development, risk management, and perhaps some operational
activities such as vulnerability management, incident management, access management,
and security awareness training. In some organizations, the topmost security executive
has the title of chief security officer or chief information risk officer.
The chief privacy officer is responsible for the protection and proper use of sensi-
tive personal information (often referred to as personally identifiable information). The
CPO’s information protection responsibilities are sometimes shared with the CISO,
who has overall information protection responsibilities. The chief compliance officer is
responsible for a broad range of compliance tracking and reporting.
Virtually all other roles in IT have security responsibilities, including software
development and integration, data management, network management, systems man-
agement, operations, service desk, internal audit, and all staff members.
Notes
• The addition of information security as part of fiduciary duty by board members
and executives is an important and growing trend in business today.
• Security executives and the board of directors are responsible for implementing
a security governance model encompassing information security strategy and
mandates. As a result, the industry is seeing a shift from a passive to a more active
board with regard to cybersecurity issues.
• A security program should align with the organization’s overall mission, goals,
strategy, and objectives. This means that the CISO and others should be aware
of, and involved in, strategic initiatives and the execution of the organization’s
strategic goals.
• Risk appetite is generally expressed in qualitative terms such as “very low tolerance
for risk” and “no tolerance for risk.” Different activities in an organization will
have different risk appetites.
• An organization’s definitions of roles and responsibilities may or may not be
in sync with its culture of accountability. For instance, an organization may
have clear descriptions of responsibilities documented in policy and process
documents and yet rarely hold individuals accountable when preventable security
events occur.
CISM Certified Information Security Manager All-in-One Exam Guide
32
• Ideally, an organization’s board of directors will be aware of information security
risks and may direct that the organization enact safeguards to protect itself.
However, in many organizations, the board of directors is still uninvolved in
information security matters; in these cases, it is still possible to have a successful
risk-based information security program, provided senior executives support it.
• While security steering committees are not required, organizations may find
it helpful to implement single-level or multilevel security steering groups as a
cross-functional vehicle for discovering security risks and disseminating security
organization.
• Information security is the responsibility of every person in an organization;
however, the means for assigning and monitoring security responsibilities to
individuals and groups varies widely.
Questions
1. An organization is subject to healthcare regulations that govern individual
health data protection requirements. Which of the following describes this
type of governance?
A. External
B. Internal
C. Regulatory
D. Professional
2. Your company handles credit card transaction processing as part of its business
processes. Which of the following best describes the source and type of governance
it may incur because of these business processes?
A. Internal, policies and procedures
B. External, industry standards
C. External, laws and regulations
D. Internal, industry standards
3. Which the following describes why the organization exists?
A. Organizational mission statement
B. Organizational strategy
C. External governance
D. Organizational policy
4. All of the following factors influence an organization’s culture except which one?
A. Published values
B. Policies
C. Leadership behavior
D. Behavioral norms
Chapter 1: Enterprise Governance
33
5. Which of the following roles is responsible for control assurance?
A. Business leader
PART I
B. Information security
C. Control owner
D. Internal audit
6. Security governance is most concerned with:
A. Security policy
B. IT policy
C. Security strategy
D. Security executive compensation
7. The purpose of a RACI chart is:
A. Determine who is responsible for security governance
B. Map the culture to a controls framework
C. Document the roles of persons or positions
D. Define the checks and balances in IT governance
8. While gathering and examining various security-related business records, the
security manager has determined that the organization has no security incident
log. What conclusion can the security manager make from this?
A. The organization does not have security incident detection capabilities.
B. The organization has not yet experienced a security incident.
C. The organization is recording security incidents in its risk register.
D. The organization has effective preventive and detective controls.
9. The entity that is ultimately responsible for security governance is:
A. Chief information officer
B. Chief information security officer
C. Board of directors
D. Chief risk officer
10. A business asset owner is responsible for all of the following except:
A. Periodically reviewing and approving continued access to the asset
B. Physical protection of the asset
C. Approving or denying individual access requests
D. Physical location of the asset
CISM Certified Information Security Manager All-in-One Exam Guide
34
11. Which of the following people is/are responsible for ensuring that PII is not
used improperly?
A. Chief privacy officer
B. Data governance manager
C. Asset owner
D. All employees
12. An information security manager documents all of the data retention requirements
associated with a specific set of business records. The manager should consider all
of the following sources of requirements except:
A. Data governance requirements
B. Stipulations in legal contracts
C. Applicable laws
D. Non-applicable laws
13. A new employee in an organization is reviewing organization documents to
begin learning about the organization’s culture and operations. One document
describes situations where an employee must report gifts and favors from vendor
organizations. Which of the following documents is the employee likely reading?
A. Acceptable use policy
B. Employee handbook
C. Privacy policy
D. Code of conduct
14. An acceptable use policy is likely to contain all of the following except:
A. Rules regarding the use of personally owned assets
B. Permitted uses of corporate assets
C. Data retention requirements
D. Protection of sensitive information
15. The best definition of governance is:
A. Corporate policies and procedures
B. Management control of business functions
C. Regular reporting of metrics and key performance indicators (KPIs)
D. Formal roles and responsibilities documented in a RACI chart
Answers
1. A. Laws and regulations are a form of external governance.
2. B. This describes an external source of governance in the form of industry
standards, specifically the Payment Card Industry Data Security Standard
(PCI DSS).
Chapter 1: Enterprise Governance
35
3. A. The organization develops the organizational mission statement to describe its
overall mission, which is its very reason for existence.
PART I
4. B. Of the available choices, an organization’s policies are the least likely to
influence an organization’s culture.
5. D. Internal audit is responsible for control assurance, meaning a periodic
examination of a control’s design, implementation, and records (if any), to
determine whether the control’s design and effectiveness are sound.
6. C. Security governance is the mechanism through which security strategy is
established, controlled, and monitored. Long-term and other strategic decisions
are made in the context of security governance.
7. C. The purpose of a RACI chart is to document the activities of a program,
process, or procedure and the roles of various individuals or positions, whether
each is accountable, responsible, consulted, or informed.
8. A. An organization that does not have a security incident log probably lacks the
capability to detect and respond to an incident. It is unreasonable to assume
that the organization has had no security incidents, since minor incidents occur
regularly. Claiming that the organization has effective controls is unreasonable,
as it is understood that incidents occur even when effective controls are in place
(because not all types of incidents can reasonably be prevented).
9. C. The organization’s board of directors is ultimately responsible for security
governance.
10. B. A business asset owner is typically not responsible for physically protecting the
asset. Instead, asset protection would be the responsibility of the chief security
officer or the chief information security officer.
11. A. The chief privacy officer is responsible for establishing business rules, policies,
and controls to ensure that PII is not used improperly.
12. D. It is not necessary for the information security manager to consider laws that
are not applicable to the situation. All of the other answers are relevant and must
be considered.
13. D. An organization’s code of conduct policy generally defines business ethics
rules, including receiving and offering gifts and favors to others.
14. C. An acceptable use policy (AUP) is likely to contain statements about the use
of corporate assets, personally owned assets, and information protection. Data
retention requirements are not likely to be included.
15. B. Governance is best defined as management’s control over business functions
throughout an organization.
This page intentionally left blank
Information
Security Strategy
CHAPTER
2
In this chapter, you will learn about
• Business alignment
• Security strategy development
• Security governance activities
• Inormation security strategy development
• Resources needed to develop and execute a security strategy
• Obstacles to strategy development and execution
This chapter covers Certified Information Security Manager (CISM) job practice 1,
“Information Security Governance,” part B, “Information Security Strategy.”
The entire Information Security Governance domain represents 17 percent of the
CISM examination.
Supporting Tasks in the CISM job practice that align with the Information Security
Governance / Information Security Strategy domain include:
1. Identify internal and external influences to the organization that impact the
information security strategy.
2. Establish and/or maintain an information security strategy in alignment with
organizational goals and objectives.
3. Establish and/or maintain an information security governance framework.
6. Develop business cases to support investments in information security.
7. Gain ongoing commitment from senior leadership and other stakeholders to
support the successful implementation of the information security strategy.
If for no other reason than cyber threats are ever-changing and increasingly dangerous,
all organizations need to reassess their information security programs and develop
strategies for key improvements.
37
CISM Certified Information Security Manager All-in-One Exam Guide
38
Information Security Strategy Development
Among business, technology, and security professionals, there are many different ideas
about what exactly a strategy should entail and which techniques are best used to
develop it, as well as general confusion on the topic. While a specific strategy itself may
be complex, the concept of a strategy is quite simple: it can be defined as the plan to
achieve an objective.
The effort to build a strategy requires more than saying those six words. Again, how-
ever, the idea is not complicated. The concept is this: Understand where you are now and
where you want to be. The strategy is the path you have outlined, communicated, and
documented that the organization will follow to get from where you are (current state) to
where you want to be (strategic objective).
This chapter explores strategy development in detail.
Strategy Objectives
A strategy is the plan to achieve an objective. The objective (or objectives) is the desired
future state of the organization’s security posture and level of risk.
There are, in addition, objectives of a strategy. These objectives are as follows:
• Business alignment The desired future state, and the strategy to get there,
must be in alignment with the organization and its strategy and objectives.
• Risk appetite alignment An organization’s information security program
implicitly drives an organization toward a specific level of risk, which may or
may not align with the organization’s true level of risk appetite.
• Effective risk management A security program must include a risk management
policy, processes, and procedures. Without effective risk management, decisions are
made blindly without regard to their consequences or level of risk.
• Value delivery The desired future state of a security program should include a
focus on continual improvement and increasing efficiency. No organization has
unlimited funds for security; instead, organizations need to reduce risk at the
lowest reasonable cost.
• Resource optimization Similar to value delivery, strategic goals should efficiently
utilize available resources. Among other things, this means having only the necessary
staff and tools to meet strategic objectives.
• Performance measurement Although it is important for strategic objectives
to be SMART (specific, measurable, achievable, relevant, and time-related), the
ongoing security and security-related business operations should themselves be
measurable, giving management an opportunity to drive continual improvement.
• Assurance process integration Organizations typically operate one or more
separate assurance processes in silos that are not integrated. An effective strategy
would work to break down these silos and consolidate assurance processes, reducing
hidden risks.
Chapter 2: Information Security Strategy
39
All of these should be developed in a way that makes them measurable. These compo-
nents were made to fit together in this way.
PART I
The Criticality of Business Alignment
The need for an organization’s information security program to be business aligned
cannot be overstated. The lack of business alignment could be considered a pro-
gram’s greatest failing if not corrected.
It is critical for an information security program to be aligned in terms of sup-
port for the organization’s overall goals and to utilize existing mechanisms such
as corporate governance, established business communication protocols, and pol-
icy enforcement. However, if and where dysfunction exists in the organization in
terms of culture (for instance, a casual attitude or checkbox approach toward secu-
rity or privacy), the program may position itself deliberately out of phase with the
organization to alter the culture and bring it to a better place. In another example,
rather than be satisfied with what may be low organizational maturity, security pro-
gram leaders may influence process maturity by example through the enactment of
higher-maturity processes and procedures.
As change agents, security leaders need to understand where alignment is benefi-
cial and where influence is essential. Here’s an example of the criticality of business
alignment: the information security program in a software as a service (SaaS) com-
pany needs to be fully involved in the software and systems development life cycle
in the company’s SaaS products to ensure that the products are free of exploitable
vulnerabilities that could wreak havoc via a security incident.
Strategy Participants
An information security leader needs to involve a number of key stakeholders and oth-
ers in developing a strategy that is business aligned and that has a reasonable chance to
succeed. The most important resources for the development of an information security
program strategy are the opinions, observations, and analytical abilities of a number of
key personnel in the organization, including the following:
Strategy Resources
Before a strategy can be developed, it is first necessary to understand everything that is
in place currently. A strategy describes how goals and objectives are to be met. Without
knowing the starting place of a journey, it is not possible to chart a course to the jour-
ney’s destination. Before future security capabilities can be mapped out, it’s necessary to
understand an organization’s current state and capabilities. The differences can be seen
as a gap that needs to be filled, whether that means employing tools, technologies, skills,
policies, or practices.
More than simply defining point A in a journey to point B, existing resources also
paint a picture of an organization’s current capabilities, including behaviors, skills, and
practices, and how they contribute to the organization’s current security posture.
Two types of inputs must be considered: those that will influence the development
of strategic objectives, and those that define the current state of the security program
and protective controls. The following inputs must be considered before objectives are
developed:
• Risk assessments
• Threat assessments
Chapter 2: Information Security Strategy
41
When suitable risk and threat assessments have been completed, the security strategist
can then develop strategic objectives, or, if they have been created already, validate that
PART I
the established strategic objectives will satisfactorily address risks and threats identified
in those assessments.
Next, security strategists can examine several other inputs that help them understand
the workings of the current security program, including the following:
Risk Assessments
A strategist should choose to have a risk assessment performed to reveal risks present in
the organization. This helps the strategist understand threat scenarios and their estimated
impact and frequency of occurrence. The results of a risk assessment give the strategist
valuable information on the types of resources required to bring risks down to acceptable
levels. This is vital for developing and validating strategic objectives.
Any historical record of risk assessments may give the strategist a better idea of the
maturity of the organization’s security program, as well as an indication of whether risks
in the past had been mitigated. If older risk assessments indicate significant risks that
are still present in newer risk assessments, or if risk assessments are performed only for
compliance purposes and not for making actual improvements in the organization’s
security posture, you could wonder whether the organization places much credence in
those risk assessments.
Risk assessments should drive the actual creation of strategic objectives. Otherwise,
there is a danger that strategic objectives may not include changes to an organization’s
security program and the protective measures needed to reduce significant risks.
The strategist should also request corporate risk assessments to feed into the strategy;
many times, IT risk assessments are technology focused. By reviewing and using the
corporate risk assessment, the strategist can better align the security strategy with the
organization’s business objectives.
CISM Certified Information Security Manager All-in-One Exam Guide
42
Threat Assessments
Strategists should have a threat assessment performed so that they can better understand
relevant threats. This assessment provides the strategist with information about the types
of threats most likely to have an impact on the organization, regardless of the effective-
ness of controls.
Performing a threat assessment provides an additional perspective on risk. This is
because a threat assessment focuses on external threats and threat scenarios, regardless
of the presence or effectiveness of preventive or detective controls. While vulnerabilities
may change frequently, threats are considered to be constant. Because of this, security
policies need to reflect threats that have been identified.
A threat assessment is an essential element of strategy development. Without a threat
assessment, there is a possibility that strategic objectives may fail to address important
threats. This would result in a security strategy that will not adequately protect the
organization.
A history of threat assessments gives the strategist insight into the maturity of the
organization’s security program: an absence of threat assessments may be an indication of
low maturity or scarce resources. Details in threat assessment records may reveal remedia-
tion trends if key threats are not appearing repeatedly, which would indicate that they
have not been mitigated.
Policy
An organization’s security policy, as well as its practices in relation to its policy, may say
a great deal about its desired current state. Security policy can be thought of as an orga-
nization’s internal laws and regulations with regard to the protection of important assets
(as well as personnel safety). Examination of current security policy can reveal a lot about
what behaviors are required in the organization.
The following are a few aspects of security policy:
• Breadth of coverage What subject areas are covered by the policy? Does it
include expected computer and mobile device usage behavior? Are other topics
such as vulnerability management, third-party risk, or software development
included in security policy?
• Relevance Does the policy include content on new technologies and practices?
• Policy communication How well is policy communicated to the user community,
with what frequency, and with what level of understanding by the workforce?
• Workforce transformation Does the policy address matters related to the shift to
remote work in many organizations? Topics may include remote access and VPN,
home networks, physical security, travel, and the applicability of employment laws
when employees decide to relocate to another city, state, or country.
• Policy strictness Does the policy broadly prohibit certain behaviors such as the
occasional personal use of corporate e-mail or limit or prohibit the use of external
USB data storage devices?
Chapter 2: Information Security Strategy
43
• Accountability and consequences Does the policy specify expectations
for adherence to policy or the consequences of willingly violating policy?
PART I
For instance, do policy violations include the prospect of suspension or
termination of employment?
• Compliance It is important to understand the degree to which the organization
is in compliance with its policy, including the margin of compliance. Does the
organization’s security policy reflect good practices, and does the organization meet
most or all of them? Or does its policy appear to be more of a vision statement of
how things could be in the future?
• Last management review It is important to know when an organization’s
security was last updated, reviewed, and approved by management. This speaks
to more than just the organization’s policy but also to how active its security
program has been in the recent past.
Standards
An organization’s security standards describe, in detail, the methods, techniques, tech-
nologies, specifications, brands, and configurations to be used throughout the organiza-
tion. As with security policy, it is important to understand the organization’s standards,
including the breadth of coverage, strictness, compliance, and last review and update.
These all tell the security manager the extent to which an organization’s security stan-
dards are used—if at all.
In addition to the aforementioned characteristics, it is important to know how the
organization’s standards were developed and how good they are. For instance, are there
device-hardening standards, and are they aligned to or derived from industry-recognized
standards such as those from the Center for Internet Security (CIS), National Institute for
Standards and Technology (NIST), European Union Agency for Cybersecurity (ENISA),
Defense Information Systems Agency Security Technical Implementation Guides (DISA
STIG), or another standardization body?
Similarly, it is important to know whether standards are highly detailed (configuration
item by configuration item) or whether they are principle-based. If they are the latter,
engineers may exercise potentially wide latitude when implementing these standards.
You should understand that highly detailed standards are not necessarily better than
principle-based standards; it depends on the nature of the organization, its risk tolerance,
and its maturity.
Guidelines
While an organization’s guidelines are not “the law” per se, the presence of guidelines
may signal higher than average organizational maturity. Many organizations don’t go
beyond creating policies and standards, so the presence of proper guidelines means that
the organization may have (or had in the past) sufficient resources or prioritization to
make documenting guidance on policies important enough to do.
According to their very nature, guidelines are typically written for personnel who need
a little extra guidance on how to adhere to policies.
CISM Certified Information Security Manager All-in-One Exam Guide
44
Like other types of security program documents, guidelines should be reviewed and
updated regularly. Because guidelines bridge rarely changing policy with often-changing
technologies and practices, a strategist examining guidelines should find them being
changed frequently—or they may be found to be irrelevant. But that, too, is possibly
evidence of an attempt to improve maturity or communications (or both) but with the
absence of long-term commitment.
Architecture
An organization’s architecture—its documentation of systems, networks, data flows, and
other aspects of its environment—gives the security strategist a lot of useful information
about how the organization has implemented its information systems.
Although it’s good to look for and examine network diagrams, system diagrams, data
flow diagrams, and so forth, it’s nearly as valuable to find good and consistent designs
even if they aren’t documented anywhere. I’d rather see an organization’s infrastructure as
modern, effective, and consistent versus a collection of outdated diagrams or, worse yet,
inconsistent uses of technologies and techniques throughout an organization. Whether
or not architecture diagrams exist is a concern that is similar to that regarding policies,
standards, guidelines, and other artifacts.
Equally important here is whether the architecture of technology effectively supports
the organization. Does the organization’s technology, and the way that the technology
has been implemented, adequately support the organization’s goals, objectives, and oper-
ations? Like so many other aspects of information security and IT, alignment with the
business and its goals and objectives is critical and cannot be disregarded. Making key
changes in this regard may need to be part of an overall strategy.
Another aspect of architecture is known as technical debt. This term represents two
characteristics of an organization’s infrastructure:
PART I
longer supported by their manufacturers, or have subcomponents that cannot be
easily replaced.
The concept of technical debt is a metaphor for financial debt in two aspects: First,
“interest payments” come in the form of additional effort every time the environment
requires attention. Next, “retiring the debt” requires major architectural changes and/or
replacement of many components.
Technical debt is accumulated when organizations lack personnel capable of creating
good architectural designs and also when an organization fails to upgrade end-of-life
components.
Data debt is a phenomenon similar to technical debt. The data models in an orga-
nization saddled with data debt are no longer business aligned. Often, new business
needs result in a further fracturing of once cohesive, enterprise-wide data models into an
increasing number of silos.
Controls
The presence of controls—and the control framework—speaks volumes about the orga-
nization’s security program. Controls, however, may exist only on paper and not in prac-
tice. It is useful to read about the organization’s controls, but on paper alone, they offer
little information about whether the controls are actually being implemented. It’s even
more important to know whether they are effective.
When examining control documentation, the strategist should look for details such as
control owners, the purpose and scope of controls, related process and procedure docu-
ments, and other metadata that will help the strategist understand their purpose.
Next, the strategist should look for artifacts or interview personnel to determine
whether specific controls are in place. Again, the presence of documentation alone may
not indicate whether controls are actually being implemented or whether documentation
is just more shelfware. Interviewing personnel and observing controls in action is a better
way to see whether controls are in place.
Internal and external audits, discussed later in the “Audits” section, are another way to
understand control effectiveness.
A strategist will want to understand whether the controls in place are part of a control
framework such as COBIT, ISO/IEC 27002, NIST SP 800-53, NIST SP 800-171,
HIPAA, or PCI DSS. But more than that, the strategist should know whether all controls
in the control framework are implemented—or have some been omitted? The reason for
omission may vary from irrelevance to irresponsible avoidance.
Finally, the strategist should look for additional controls that have been implemented.
This may be a sign of regulatory requirements or the result of an effective risk man-
agement program, where identified risks compelled management to enact additional
controls to mitigate risk.
CISM Certified Information Security Manager All-in-One Exam Guide
46
Skills
An inventory of skills provides the strategist with an idea of what staff members are able
to accomplish. This is useful on a few levels:
• Tenure This includes how many years of different types of experience a staff
member may have.
• Behavioral This includes leadership, management, coordination, and logistics.
• Disciplines This includes fields such as systems engineering, network
engineering, controls development, audit, risk management, and risk analysis.
• Technologies This includes skills with specific technologies such as Palo Alto
Networks firewalls, CentOS operating systems, LogRhythm, and AppScan.
Understanding skills at all of these levels helps the strategist understand the types of
work that the current staff is able to perform, where minor skills gaps exist, and where the
strategist may recommend adding staff through hiring, contracting, or professional services.
A key consideration for a strategist is the potential for a major shift in technologies.
Suppose, for example, that the organization has been using products from a particular
vendor for many years, but because of a change in leadership and a good deal offered
by a different vendor, the decision was made to migrate to the other vendor’s products.
Without fully understanding the skills and capabilities of the team, the organization
leadership can create significant risks resulting from the lack of skills required to man-
age the new products effectively. This could lead to outages, departure of key resources,
increased costs associated with consulting, and a loss of trust from the end-user com-
munity. A good way to validate whether the organization has stayed on top of such an
issue is to see whether a skills matrix exists. If so, when was the last time it was reviewed,
updated, and approved?
Metrics
Metrics indicate the state of an information security program over time. Proper metrics
help personnel see how effectively the security program is protecting the organization;
this is a key consideration for the people developing long-term strategies.
If metrics are properly established, they’ll serve as a guide for the long-term effective-
ness of security controls. This helps the strategist understand what works well and where
improvement opportunities may be. The strategist can then design end states with more
certainty and confidence than if metrics didn’t exist.
When examining metrics, a strategist needs to understand the audience. For example,
were security metrics developed for internal security operations’ use only, or were the
metrics developed for consumption by other audiences, such as internal users, senior
management, or the board of directors? Next, the strategist will want to look for evidence
that metrics were delivered to these audiences and whether metrics were ever used as a
reason for making tactical or strategic changes in the security program.
Metrics are discussed fully in Chapter 5.
Chapter 2: Information Security Strategy
47
Assets
It is often said among information security professionals, “You cannot protect what you
PART I
cannot find.” This refers to assets in an organization—namely, servers, network devices,
end-user workstations, and mobile devices—but also application software and software
tools. Because many security incidents involve the exploitation of a vulnerability (usually
with malware), organizations must have effective vulnerability management programs in
place. The life-cycle process in a vulnerability management program is as follows:
1. Identify the environment to be scanned.
2. Scan assets for vulnerabilities.
3. Identify and categorize vulnerabilities.
4. Remediate vulnerabilities (often through applying security patches but sometimes
through configuration changes or increased monitoring and alerting).
Depending on an organization’s tools and methods, typically, only known identified
assets are scanned. Unknown or unidentified assets may or may not get scanned, but even
if they do, they might get lost in the process later. Intruders are familiar with this, and they
use this to their advantage: by performing scans of their own, they can identify unpatched
systems and use them as a beachhead from which to infiltrate the organization.
Further, some organizations have a practice of avoiding scanning some assets (and
sometimes even entire subnets), either because the security team knows that some assets
are poorly managed (skewing otherwise favorable metrics) or because some assets behave
badly or even malfunction when scanned. Such practices indicate subpar asset manage-
ment and the potential for considerable risk to the business.
Risk Register
A risk register, also known as a risk ledger, can offer the strategist a great deal of insight
into risk management and risk analysis activities in the organization. Depending on the
detail available in the risk register a strategist may be able to discern the following:
Vulnerability Assessments
Strategists may choose to have a vulnerability assessment performed so that they may
better understand the current security posture of the organization’s technology infra-
structure. The vulnerability assessment may target network devices, appliances, operat-
ing systems, subsystems such as web servers and database management systems, and
applications—or any suitable combination thereof.
The results of a vulnerability assessment will tell the strategist several things about the
organization, including the following:
Insurance
The security strategist may want to know whether the organization has cybersecurity
insurance or any general insurance policy that covers some types of cyber events and
incidents. As important as having cyber insurance is, equally important is the reason the
organization purchased it. A strategist will want to explore possible reasons.
PART I
the organization’s management may have suffered an incident, prompting the
organization to purchase cyber insurance in case a similar event could happen
to them.
• Risk treatment The organization may have purchased cyber insurance
because risks were identified that the organization chose to have transferred
to another organization.
It is vitally important to understand the terms of any cyber-insurance policy. While
the amounts of benefits are important, the most important aspects of a cyber-insurance
policy are its terms and conditions. Many organizations have been known to purchase
cyber insurance only to find out later that they receive little or no relief from it because of
one or more exclusions. Cyber-insurance policies vary quite a lot, and many require poli-
cyholder organizations to have many policies, controls, and capabilities in place. Interest-
ingly enough, organizations that have the required components in their security programs
are much less likely to experience significant security incidents—but risk reduction is the
whole point of developing an information security strategy and using cyber insurance.
This is similar to automobile insurance, homeowners’ insurance, and renters’ insurance: it
is important to read and fully understand insurance policies in detail.
Here are a few key questions to consider with regard to a cyber-insurance policy:
Critical Data
Most organizations do not have an accurate notion regarding the location and use of their
critical data. Organizations usually use key business applications that store and process
critical data, but in most organizations, copies of parts of their critical data also reside in
many other places, including internal file servers, sanctioned data storage services such as
Box and Dropbox, and unsanctioned data storage services and cloud-based applications.
CISM Certified Information Security Manager All-in-One Exam Guide
50
Though this section is not about the cloud and cloud services, the existence and ease of
use of cloud services make it easy for individuals and groups in an organization to upload
critical data to these services. The fact that many cloud-based services offer low-cost and
zero-cost services encourages this phenomenon all the more. This has given rise to the
colloquial phrase “bring your own app” (BYOA) to describe this growing problem. Most
organizations have lost sight of all the locations and uses of their critical data, whether
sanctioned or not.
The strategist should seek to understand the extent to which the organization’s data in
the cloud is a part of an overall architecture, including the use of cloud regions that are
employed for resilience purposes. This will help the strategist better understand whether
the organization has a data governance function and a data management strategy.
Another component of critical data is the bring-your-own-device (BYOD) phenom-
enon, which results in sensitive business information residing on personally owned
devices, outside of the organization’s direct control. The ubiquity and openness of IT
services make it all but impossible for organizations to prevent staff members from using
personally owned devices as part of their work.
The cloud, BYOA, and BYOD underscore the lack of visibility and control over criti-
cal and sensitive data. Understanding this is important for strategists when determining
the current state of security, which, as stated, is required if a viable strategy is to be devel-
oped to take the organization to a desired future state. This is one of many categories
where a strategist will be unable to gather all desired facts about the state of security and
where experience and judgment are required to discern the state of data management.
PART I
Like other business records and activities, the strategist needs to understand the rea-
son for the existence of the security incident log. Is it intended for compliance purposes
(in which case the incident log may be sparsely populated, and there may be an absence
of corrective actions), or does the organization really want to use the log information to
learn from and even anticipate security incidents? These are the deeper questions that
the security strategist needs to discover and know.
A sparsely populated incident log may be an indication of several things, including
the following:
• Lack of/deficient SIEM A security information and event management (SIEM)
is a system that collects log data from servers, endpoints, network devices such as
firewalls, and other sources such as antivirus consoles. It correlates this log data
and produces security alerts when actionable security-related activities are taking
place. An organization without a SIEM may have little way of knowing whether
security incidents such as break-ins are occurring. Similarly, an organization with
a SIEM that is not well maintained may also have many blind spots and may be
unaware of incidents occurring in its environment.
• Training Personnel may not be trained in the recognition of security incidents.
Security incidents may be occurring but unrecognized, resulting in incidents with
greater impact and the loss of learning opportunities.
Outsourced Services
Most organizations outsource a good portion of their IT systems and services. Unlike
earlier eras when organizations had their own data centers and when most or all applica-
tions were running in-house (aka on-premises), today, the model has almost completely
flipped: organizations are moving the bulk of their business applications to cloud-based
infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service
(SaaS) environments.
The degree to which any particular organization has outsourced its business applica-
tions to the cloud is not a concerning matter. Instead, what’s important is the amount of
due care exercised in the process of outsourcing.
The practice of determining and managing risks associated with outsourcing is called
third-party risk. In lawyer-speak, these external organizations are called third parties (and
the organizations they outsource to are called fourth parties).
The third-party risk practices that the strategists are looking for include the following:
• Up-front due diligence This is an assessment of risk performed on a service
provider prior to the organization electing to use the service. This initial risk
assessment gives the organization an opportunity to enforce security-related terms
and conditions on the service provider in the legal agreement. An up-front risk
assessment may include one or more of the following:
• Relationship risk assessment The organization analyzes the strategic
importance of the service provider in terms of contract value and service
criticality.
CISM Certified Information Security Manager All-in-One Exam Guide
52
• Inherent risk assessment This is an analysis of the service provider’s financial
health and geopolitical risk.
• Control risk assessment This is an analysis of the controls that
the organization would like the service provider to use to protect the
organization’s data.
• Site visit The organization may elect to visit one or more of the service
provider’s processing sites and perhaps corporate offices.
• Risk tiering This is the practice of establishing tiers of service provider risk. Each
service provider, based on the nature of services provided to the organization, is
assigned a risk level, or tier. The due diligence activities performed for each tier are
commensurate with the risk level. For example, service providers at the highest risk
tier may be issued a lengthy questionnaire annually, and they may be required to
undergo annual penetration tests, as well as an onsite visit to confirm the presence
of key controls. Service providers at a middle tier of risk may be issued a shorter
questionnaire annually, and service providers at the lowest tier may be issued a
brief questionnaire annually. Responses to questions answered unsatisfactorily will
also vary according to risk tier. For top-tier services providers, this may involve a
detailed mitigation plan; at lower tiers, there is less concern.
• Ongoing due diligence Throughout the duration of a service provider
relationship, the organization will periodically assess each service provider to
ensure that risks discovered at the start of the relationship have not significantly
changed. An organization will carry out a number of activities, as outlined for
up-front due diligence.
PART I
zation’s security program. A careful examination of audit findings can potentially provide
significant details on control effectiveness, vulnerabilities, disaster preparedness, or other
aspects of the program—depending on the objectives of those audits.
When examining audit results, a security strategist needs to understand several things.
• Objective The objective or purpose of the audit tells the reader why the audit
took place. This often provides additional insight into why certain people,
processes, or technologies were examined while others were apparently omitted.
For example, was an audit performed because it is required by regulation or
another requirement, or was it performed voluntarily as another means of
organization improvement?
• Scope The scope of an audit tells the reader which technologies, business
processes, business locations, or other aspects of the organization were examined.
• Qualifications of auditors An audit is only as effective as its auditors are skilled
and experienced in performing audits, as well as their familiarity with the things
being audited. An IT auditor with little operational IT experience is not going to
be as effective and as insightful as an IT auditor with a background in some aspect
of IT engineering or operations.
• Audit methodologies It is important for the reader to understand the audit
methodologies used in any particular audit. For instance, did the auditor interview
personnel, examine systems and records, observe personnel performing their tasks,
or perform tasks of their own? Equally important are sampling methodologies,
including how samples are selected and who performs the selection.
The security strategist needs to consider the bigger picture: mainly, is the organization
using audit results to drive improvements in the organization, or are audit reports merely
shelfware shown to regulators on their annual visit?
Culture
The culture of an organization can tell the strategist a lot about the state of security.
Many people mistakenly believe that information security is all about technology. While
technology is part of security, the most important aspect of information security is
people. No amount of technology can adequately compensate for a person’s wrong atti-
tude and understanding about protecting an organization’s information assets. People
are absolutely key.
A strategist will want to explore a few aspects of an organization’s culture, including
the following:
Maturity
The characteristics of a security management program discussed in this section all con-
tribute to the overall maturity of the organization’s program. Although the maturity
level of the program doesn’t tell the strategist everything they need to know about the
program, the strategist’s observations of the overall program will provide a “thumb in the
air” feeling for its overall maturity.
The strategist will probably find that the maturity levels of various aspects of the orga-
nization’s security program vary widely. For instance, the organization may have mature
asset management and vulnerability management programs but be lacking in other areas
such as internal audit and security awareness.
The levels of maturity are discussed in greater detail in the next section. Maturity also
plays a part during a gap assessment, also discussed in the next section.
Chapter 2: Information Security Strategy
55
Risk Appetite
Every organization has a risk appetite, although most have not formally documented it.
PART I
A security strategist needs to understand business leaders’ implicit and explicit risk appe-
tite, which is manifested in many ways:
Strategy Development
After performing risk and threat assessments and carefully reviewing the state of the
security program through the examination of artifacts, the strategist can develop stra-
tegic objectives. Generally speaking, strategic objectives will fall into one of these
categories:
• Define and implement a SIEM to provide visibility into security and operational
events.
• Define and implement a security incident response program.
• Define and implement a security awareness learning program.
CISM Certified Information Security Manager All-in-One Exam Guide
56
Examples of objectives for improving existing capabilities include the following:
Gap Assessment
To implement a security strategy and accomplish objectives, security professionals often
spend too much time focusing on the end goal and not enough time on the starting
point. Without sufficient knowledge of the starting point, accomplishing objectives will
be more difficult, and achieving success will be less certain.
A gap assessment should focus on several aspects of a security program, including one
or more of the following:
PART I
systems. The security manager will want to look at the approach. Are security
standards a set of principles only, or do they include configuration details?
• Security procedures This includes security procedures, as well as IT and other
business procedures that have security subject matter or implications.
• Security guidelines While security guidelines are considered optional, it is
important to understand what they say about implementing security policies
and procedures. Content in security guidelines may provide important clues on
organizational culture and its views about policy.
• Security controls Although it is necessary to review control objectives and
control narratives, it is equally important to understand control effectiveness and
how well controls support existing objectives.
• Risk assessments Available risk assessments may provide insight into risks
observed in the organization. This would provide a valuable risk-based perspective
on the state of the organization in the recent—or not so recent—past.
• Internal and external audit results Audit reports are generally seen as an in-
depth view of the effectiveness of internal controls in the organization. A security
manager needs to understand how to read the audit report—as well as be able
to read between the lines—to understand specific audit methodologies used
to examine controls and report on them. Note that for some audits, auditors
are examining specific controls, whether or not they actually exist in the
organization. Understanding the scope of an audit is also important, as it may, in
some cases, be quite narrow and not provide a broad view of control risk.
• Security metrics Examining security metrics over time should give a security
manager some important information. Not only can certain details of the security
program be evaluated, but the bigger picture is also important: the metrics that
the organization chose to measure. If metrics have been in place long enough,
there may be trends that can be observed.
• Risk register An organization’s risk register can provide insight into the issues
that are considered important security issues. Depending on the details available
in the risk register, a security manager may be able to discern the various activities
and methods in place to capture content for the register.
• Risk treatment decision records When available, risk treatment records
reveal what issues warranted attention, discussion, and decisions. Coupled with
the risk register, information here can provide a record of issues tackled by the
organization’s risk management process.
• Security incident program This includes program objectives, processes,
procedures, records, tools, and practices. Further, the presence of playbooks
indicates a desire to respond quickly and effectively when an incident occurs.
CISM Certified Information Security Manager All-in-One Exam Guide
58
• Security incident records The record of security incidents can reveal a lot
about the capabilities and attitudes in the security program. A sparse record
might indicate gaps in capabilities or skills. A rich record is probably an
indication of a more mature program and personnel intent on identifying issues
so that improvements can be made.
• Third-party risk Vendor risk, also known as third-party risk, is a near-universal
problem for organizations, given the trend in outsourcing line-of-business
applications and the use of cloud-based services. Here, the security manager
needs to understand the degree of attention the organization places on third-
party risk, including the completeness of business records, the frequency of risk
and control assessments, the history of site visits, and the organization’s practice
of following up on risk issues discovered in key third parties.
• Business continuity and disaster recovery program The presence of business
continuity planning (BCP) and/or disaster recovery planning (DRP) activities is
a good indication (although not a certain one) that the organization cares enough
about its long-term viability that it wants to minimize the impact of natural and
manmade disasters. A security manager needs to understand whether BCP/DRP
records and procedures are up-to-date and to what extent the organization elects
to train its personnel and conduct tests of its plans.
• Security awareness training program A security awareness training and
communications program says a lot about an organization—namely, the extent
to which the organization acknowledges that people are a critical aspect to the
success of a program and its ability to protect itself from harm. The variety
and frequency of messaging techniques used are important aspects of a security
awareness program, but they are not as important as the program’s alignment
with the organization.
• IT and security projects Business records for recent projects speak volumes
about the organization’s value and emphasis on security. The security manager
will want to look through the list of project participants to see whether security
personnel are included. Equally important is the presence (or absence) of security
requirements—if requirements are part of bigger projects.
When examining all of this and other information about an organization’s security
program, the security strategist should bring the right measure of skepticism, because
although there is much to know about information that is found, the absence of informa-
tion may speak volumes as well. Here are some considerations:
PART I
whether documents are created for appearances only (in which case they may be
well-kept secrets, except by their owners) or whether they are widely known and
utilized. A look at these documents’ revision histories tells you part of the story,
while interviewing the right personnel completes the picture by revealing how
well their existence is known and whether they are really used.
• Scope, turf, and politics In larger organizations, the security manager
needs to understand current and historical practices with regard to roles and
responsibilities for security and security-related activities. For example, records
for a global security program may instead reflect only what is occurring in the
Americas, even though nothing found in documentation supports this.
• Reading between the lines Depending upon the organization’s culture and the
ethics of current or prior security personnel, records may not accurately reflect
what’s really happening in the security program. Records may be incomplete as a
result of overemphasis, underemphasis, distortions, or simply “looking the other
way” when situations arise.
• Off-the-books institutional knowledge (aka “tribal knowledge”) For various
reasons, certain activities and proceedings in a security program may not be
documented. For example, certain incidents may conveniently not be present in
the incident log—otherwise, external auditors might catch the scent and go on a
foxhunt, causing all manner of unpleasantries.
• Regulatory requirements When examining each aspect of a security
program, the security manager needs to understand one thing: Is the activity
being undertaken because it is required by regulations (with hell and fury from
regulators if absent) or because the organization is managing risk and attempting
to reduce the probability and/or impact of potential threats?
When performing a gap assessment, a strategist is examining the present condition of
processes, technologies, and people. But, by definition, a gap assessment is the study of
the difference between the present condition of something and the desired future state.
A common approach to determining the future state is to determine the current maturity
of a process or technology and compare that to the desired maturity level. Continue read-
ing the next section for a discussion on maturity levels.
Internal origin
S
Strengths
W
Weaknesses
O
Opportunities
T
Threats
PART I
• Level 5: Optimizing This represents a measured process that is under continuous
improvement.
Not all security strategists are familiar with maturity models. Strategists unaccus-
tomed to capability maturity models need to understand two important characteristics
of maturity models and how they are used:
• Level 5 is not the ultimate objective. Most organizations’ average maturity level
targets range from 2.5 to 3.5. There are few organizations whose mission
justifies level 5 maturity. The cost of developing a level 5 process or control is
often prohibitive and out of alignment with risks.
• Each control or process may have its own maturity level. It is neither common nor
prudent to assign a single maturity level target for all controls and processes.
Instead, organizations with skilled strategists can determine the appropriate level
of maturity for each control and process. They need not all be the same. Instead,
it is more appropriate to use a threat-based or risk-based model to determine an
appropriate level of maturity for each control and process. Some will be 2, some
will be 3, some will be 4, and a few may even be 5.
The common use of capability maturity models is the determination of the current
maturity of a process, together with analysis, to determine the desired maturity level pro-
cess by process and technology by technology. The maturity level should be in alignment
with the organization’s risk appetite.
Policy Development
The execution of a security strategy may result in additions or improvements in its secu-
rity-related capabilities. These additions or improvements may require that one or more
security policies be updated to reflect the new or improved capabilities.
While security policies are designed to be durable and not tied to specific technolo-
gies, significant changes in technologies may put security policy at odds with them. Here
is an example:
The Fast Car Company recently implemented its first security incident and event moni-
toring system that produces alerts whenever actionable security events occur. Prior to
implementing the SIEM, IT and security personnel would examine security logs every
day to see whether any security events had occurred in the past 24 hours.
Before implementing the SIEM, Fast Car Company’s security policy stated that appro-
priate personnel were required to examine security logs daily and log any actions
taken. Now that the company has a SIEM, IT and security personnel no longer need
to examine logs. The company’s policy needs to be changed so that 1) personnel are
required to respond to security alerts and 2) personnel are required to examine the
SIEM’s configuration periodically so that it will produce alerts for relevant events.
CISM Certified Information Security Manager All-in-One Exam Guide
62
Security policies are supposed to align with current capabilities and are not a vision
statement describing future capabilities. This is the case whether policies are addressing
the use of technologies or business processes. It’s generally considered unwise to develop
a security policy that requires an activity that the organization is incapable of performing.
Industries generally consider security policies as being out-of-date if they are not
examined and updated annually. This is not saying that security policies are required to
be updated annually, but they should be examined and approved annually and updated
as needed.
It is a common practice to structure the organization’s security policy using one or
more relevant standards or frameworks, though this is not generally required for most
industries. Common standards and frameworks used in this way include
• NIST SP 800-53
• NIST SP 800-171 and NIST SP 800-172
• ISO/IEC 27001 and ISO/IEC 27002
• COBIT (formerly, Control Objectives for Information and Related Technologies)
• HIPAA/HITECH (Health Insurance Portability and Accountability Act/Health
Information Technology for Economic and Clinical Health)
• PCI DSS (Payment Card Industry Data Security Standard)
• CIS CSC (Center for Internet Security Critical Security Controls)
Because security frameworks are moderately to highly technical, some organizations
develop a shorter information security policy focused on Internet hygiene and data pro-
tection for all of its workers (often called an acceptable-use policy) and a separate technical
security policy for its technology workers who design, implement, and manage informa-
tion systems and applications. This pragmatic approach helps to avoid, for instance, non-
technical office workers trying to understand and comply with cryptography and access
management policy; with such unintelligible content, workers are more likely to “tune
out” the security policy in its entirety and not benefit from the relevant parts of policy
that really matter, such as recognizing phishing scams.
The goal of a good security policy is to define the “rules of the road” for an organiza-
tion’s employees. Policies should be clear, concise, and applicable to the organization.
The policies should be developed in a collaborative manner to ensure that appropriate
information is delivered to the appropriate audience. Additionally, if policies are written
without the involvement or buy-in of the different stakeholders, an organization risks
deploying policies that it cannot adhere to or that will cause significant investment to
comply with.
Controls Development
When an organization executes or updates a security strategy, this often means that the
organization has made changes to its security-related capabilities. This, in turn, may
necessitate changes to one or more aspects of existing controls, as well as the development
of new controls and the retirement of controls that are no longer necessary.
Chapter 2: Information Security Strategy
63
Controls are generally changed as a result of a risk assessment, where some unaccept-
able risk was identified and a decision made to implement a control to ensure better
PART I
outcomes. Quite possibly, a risk assessment may have compelled the organization to
make some changes in the form of security projects that were part of a strategy. When
these projects are executed and completed, controls related to the processes or technolo-
gies involved need to be changed accordingly. Here are some of the possible outcomes:
PART I
based on local conditions and indicated with speed limit signs. The key is that all users
are aware that they must obey the policy (the speed limit).
• Job descriptions
• Department charter documents
• Department policy documents
• Roles and responsibility sections of process documents
PART I
• Board of directors meetings Discussions of strategies, objectives, risks, incidents,
and industry developments keep board members informed about security in the
organization and elsewhere.
• Governance and steering committee meetings Discussions of security
strategies, objectives, assessments, risks, incidents, and developments guide
decision-makers as they discuss strategies, objectives, projects, and operations.
• Security awareness Periodic communications to all personnel help keep them
informed on changes in security policy and standards, good security practices, and
risks they may encounter, such as phishing and social engineering attacks. New hires
often get a healthy dose of security-related information that includes current security
policies and practices, acceptable use, security tools, and where to go for help.
• Security advisories Communications on potential threats helps keep affected
personnel aware of developments that may require them to take steps to protect
the organization from harm.
• Security incidents Communications internally as well as with external
parties during an incident keep incident responders and other parties informed.
Organizations typically develop security incident plans and playbooks in advance,
which include business rules on internal communications as well as with outside
parties, including customers, regulators, and law enforcement.
• Metrics Key metrics are reported upward in an organization, keeping
management, executives, and board members informed as to the effectiveness and
progress in the organization’s security program.
When building or expanding a security program, it’s best to utilize existing com-
munications channels and add relevant security content to those channels, as opposed
to building new, parallel channels. An effective security program makes the best use of
existing processes, channels, and methods in an organization.
Strategy Constraints
While the development of a new security strategy may bring hope and optimism to
the security team, there is no guarantee that changes in an organization can be imple-
mented without friction and even opposition. Instead, the security manager should
anticipate many constraints and obstacles and be prepared to maneuver around, over,
or through them.
No security manager plans to fail. However, the failure to anticipate obstacles and
constraints may result in the failure to execute even the best strategy. The presence of
an excellent strategy, even with executive support, does not mean that obstacles and
constraints will simply get out of the way. Instead, obstacles and constraints represent
the realities of human behavior, as well as structural and operational realities that may
present challenges to the security manager and the organization as a whole. There is apt
meaning to the phrase “the devil’s in the details.”
Typical constraints, obstacles, and other issues are discussed in this section.
Normalcy Bias
People at all levels can suffer from normalcy bias, a pattern of thinking in which people
believe that because a disaster or breach has never occurred, it will never occur. Normalcy
bias manifests itself in many situations, the common theme being a general lack of per-
sonal and corporate preparedness for disastrous events. This may be part of the reason that
organizations do not take information security seriously—they have never had a breach
before. Experienced information security professionals understand that an organization
claiming to have not suffered from security breaches in the past may simply be unaware
of them because of a lack of visibility into events in their environment. A common saying
Chapter 2: Information Security Strategy
69
in the information security profession is, “There are two types of organizations: those that
have been breached and those that do not yet realize they have been breached.”
PART I
Culture
Organizational culture, according to the Business Dictionary (www.businessdictionary
.com), is the collection of values and behaviors that “contribute to the unique social and
psychological environment of an organization.” In other words, it’s the way that people
think and act in an organization and how people feel as employees.
Aspects of organizational culture that are important for the security strategist to
understand include the following:
• Strong culture The culture reflects and aligns with stated organizational values.
Personnel understand and support organizational goals and objectives and need
little prodding to figure out how to be productive and provide value to the
organization and its constituents.
• Weak culture The culture is not well-aligned with the organization. As a result,
management must spend more time managing employees who are not motivated
and feel micromanaged.
• Culture of fear Workers are distrustful of management who act as tyrants,
resulting in pervasive feelings of fear and doubt.
• Healthy culture Workers and management value and respect each other, have
a strong sense of accountability, and cooperate to be successful and accomplish
organizational goals and objectives.
One might consider organizational culture as the collective consciousness of all
workers, regardless of rank. The security strategist should not expect to change the
culture significantly but should instead work with the culture when developing and
executing the information security strategy.
Organizational Structure
The security strategist must understand the organization’s command-and-control struc-
ture, which is often reflected by the organizational chart. However, there may be an
undocumented aspect to the org chart, which is actually more important: who is respon-
sible for what activities, functions, and assets. In other words, security strategists must
understand “who owns what turf ” and develop collaborative relationships with those
individuals and groups to implement a successful strategy. As with other considerations
in a security strategy, alignment with written and unwritten organizational structures is
the key to success.
Staff Capabilities
A security strategy generally represents the introduction of new capabilities, as well as
changes or upgrades to existing capabilities. A strategy cannot be expected to succeed
if the new or changed capabilities do not align with what staff members are able to do.
CISM Certified Information Security Manager All-in-One Exam Guide
70
A gap analysis to understand the present state of the organization’s security program
(discussed earlier in this chapter) needs to include staff knowledge, skills, and capabili-
ties. Where gaps are found, the strategy needs to include training or other activities to
impart the necessary skills and language to staff.
This is not limited to technical workers who design, build, and manage information
systems and applications. To the extent that all staff members are impacted by some
change introduced by the strategy, those staff members need to be informed or trained so
that they, too, will be successful.
For example, an organization that needs to improve its ability to protect sensitive
data includes the development of a data protection program in its strategy. The strategy
for data protection includes the development of a data classification scheme with data-
handling policies and procedures for data at each classification level and in each use case.
This is a high-impact endeavor that will require that many, if not all, workers in the
organization be trained in data classification and handling procedures. If new security
systems are in place that augment manual tasks, personnel will need to be trained in the
use of these tools as well.
When an organization lacks staff with specific knowledge of security techniques or
tools, organizations may look to external resources to augment internal staff. The security
strategist needs to consider the costs and availability of these resources. Consultants and
contracts in many skill areas are difficult to find; even larger firms may have backlogs of
several months as a result.
Time
As security strategies take shape, each initiative will have its own project plan with asso-
ciated timelines for executing various tasks. Realistic project planning is needed so that
everyone will know when project and strategy milestones will be completed. Project and
strategy timelines need to take into account all business circumstances, including peak
Chapter 2: Information Security Strategy
71
periods and holiday production freezes (where IT systems are maintained in a more
stable state), external events such as regulatory audits, and other significant events that
PART I
may impact schedules.
Time constraints may also involve legal and regulatory obligations, discussed next.
Acceptable Risk
A security strategist who develops an information security policy needs to be familiar
with the organization’s current risk appetite or threshold for acceptable risk.
Risk is, by its nature, difficult to quantify. Most organizations, then, have a cultural
“feel” for risk appetite that may or may not be documented. The security strategist must
be familiar with the organization’s risk appetite, in whatever formal or informal sense,
and keenly understand two important aspects of the strategy:
• Its alignment with risk appetite Initiatives in the security strategy need to
align with executive management’s risk appetite. For example, implementation of
a data loss prevention (DLP) system together with restricting the use of USB-
attached external storage may help to protect data, but this may be viewed as
excessive in some organizations. A common mistake made by security strategists
is the incorporation into strategies of new capabilities that may not be urgently
needed. This can happen, especially if a strategy is developed without soliciting
input from key stakeholders in the organization.
CISM Certified Information Security Manager All-in-One Exam Guide
72
• Its impact on risk appetite Specific initiatives within the security strategy may,
by design, “push the envelope.” A typical organization’s security strategy probably
contains initiatives to improve security capabilities that better align capabilities
with risk appetite. But because many organizations are deficient in their security
practices, the perception is that the organization is becoming less tolerant of
risk, when in fact it’s just trying to get its practices into alignment with its risk
tolerance. The appearance of lowering risk appetite may be more of a “catchup.”
Information Governance
Frameworks and Standards
It is not necessary for organizations to develop governance models from scratch: plenty of
mature models are available to adapt to individual organization needs. Like other types
of models, organizations are expected to consider tailoring a standard framework to align
with the organization and its business model, practices, and culture.
Security professionals often confuse governance frameworks with control frameworks.
While the two are related, they are distinct and different from each other. Governance
frameworks involve activities to ensure that executives are in control of the organization
and that they are adequately informed. Control frameworks involve IT, security, and
privacy controls, the detailed statements describing desired outcomes that are examined
for proper design and effectiveness.
Chapter 2: Information Security Strategy
73
NOTE In ISACA’s CISM study guide, the section on inormation governance
PART I
describes various orms o inormation security governance while ignoring
inormation governance entirely. Both will be covered in this section.
Several security governance frameworks are in use today, including the following:
Figure 2-2
The BMIS model
(Adapted rom Organization
The Business
Model for
Information
Security, ISACA) Governing
Arc
re
hit
ltu
ect
Cu
ure
Process
ce En
en & S ablin
rg up g
Eme po
rt
NOTE BMIS is described ully in the document, The Business Model for
Information Security, rom ISACA, available at www.isaca.org/bmis.
Organization The organization element in the BMIS model makes the model unique.
Most other models focus on people, process, technology, or other aspects of an orga-
nization, without considering the organization itself. BMIS defines the organization as
“a network of people interacting, using processes to channel this interaction.” This is
not unlike the executive management perspective that views the organization as a set of
elements that act together to accomplish strategic objectives. The organization includes
not only the permanent staff but also temporary workers, contractors, consultants,
and third-party organizations that also play roles in helping the organization achieve
its objectives.
Organizations are formally structured through organization charts, command-and-
control hierarchy, policies, processes, and procedures. But organizations also have an
informal, undocumented structure, which can be viewed like additional synapses that
connect people or groups across the organization in ways not intended, but that nonethe-
less help the organization achieve its objectives. This is often seen in distributed organiza-
tions, where expediency and pragmatism often rule over policy and process, particularly
in locations farther away from corporate headquarters.
People The people element in the BMIS model represents all of the people in an orga-
nization, whether full-time employees or temporary workers, contractors, or consultants.
Further, as an organization outsources its operations to other organizations, the people
in those organizations are also part of this element in BMIS. Like the other elements in
the BMIS model, people cannot be studied by themselves but instead must be considered
alongside the other elements of process, technology, and organization.
Process The process element in the BMIS model represents the formal structure of all
defined activities in the organization, which together help the organization achieve its
strategic objectives. Process defines practices and procedures that describe how activities
are to be carried out.
Chapter 2: Information Security Strategy
75
ISACA’s Risk IT framework defines an effective process as a reliable and repetitive col-
lection of activities and controls to perform a certain task. Processes take input from
PART I
one or more sources (including other processes), manipulate the input, utilize resources
according to the policies, and produce output (including output to other processes). Pro-
cesses should have clear business reasons for existing, accountable owners, clear roles and
responsibilities around the execution of each key activity, and the means to undertake
and measure performance. Individual processes have the attribute of maturity, which
qualitatively describes how well the process is designed, as well as how it is measured and
improved over time.
Technology The technology element in the BMIS model represents all of the sys-
tems, applications, and tools used by practitioners in an organization. Technology is a
powerful enabler of an organization’s processes and of its strategic objectives, although
unless tamed with process and by people, technology by itself can accomplish little for
an organization. As the BMIS model illustrates, technology in an organization does
not run by itself. Instead, people and processes are critical to any successful use of
technology. Technology can be viewed as a process enabler and as a force multiplier,
helping the organization accomplish more work in less time, for less cost, and with
greater accuracy.
Culture The culture DI connects the organization and people elements. Culture as
part of a governance model makes BMIS unique, as most other models do not consider
culture with strategic importance. BMIS defines culture as “a pattern of behaviors, beliefs,
assumptions, attitudes, and ways of doing things.”
Culture is the catalyst that drives behavior, with as much or more influence than
formal directives such as policies and standards. Culture determines the degree to which
personnel strive to conform to security policy and contribute to the protection of criti-
cal assets, or the degree to which they behave contrary to policy and put critical assets
in jeopardy. An organization’s culture is considered one of the most critical factors in
the success or failure of an information security program. By its nature, culture cannot
be legislated or controlled directly; instead, it reflects the attitudes, habits, and customs
adopted by the people in the organization.
The civil culture of the community in which the organization resides plays a large role
in shaping the organization’s culture. For this reason, establishing a single culture in an
organization with many regional or global locations is not feasible.
Of utmost importance to the security strategist is the development of a productive
security culture. Like other aspects of organizational culture, the desired security culture
cannot simply be legislated through policy but must be carefully curated and grown.
Steps to create a favorable security culture include the following:
• Policies
• Standards
• Guidelines
• Process documentation
• Resource allocation
• Compliance
Communications is vital in the governing DI. Information flows down from manage-
ment in the form of directives to influence change in business processes.
Architecture The architecture DI connects the organization and technology elements.
The purpose of the DI between organization and technology signifies the need for the
use of technology to be planned, orderly, and purposeful. The definition of architecture,
Chapter 2: Information Security Strategy
77
according to ISO/IEC 42010, “Systems and software engineering — Architecture
description,” is the fundamental concepts or properties of a system in its environment
PART I
embodied in its elements, in its relationships, and in the principles of its design and evo-
lution. The practice of architecture ensures the following:
Emergence The emergence DI connects the people and process elements. The pur-
pose of the emergence DI is to bring focus to the way people perform their work. Emer-
gence is seen as the arising of new opportunities for organizations, new processes, new
practices, and new ways of doing things. Emergence can be a result of people learning
how to do things better, faster, more accurately, or with less effort.
Emergence can be a two-edged sword. The creativity and ingenuity of people can
lead to better ways of doing things, but, on the other hand, this can lead to inconsistent
results, including errors or lapses in product or service quality. Organizations that want
to reduce work output deviation caused by emergence have a few potential remedies:
PART I
• Consistency Operating an information system should resemble other commonly
used systems. For instance, keyboard arrangement should be consistent with other
products in use.
• Typing and data entry Entering text should be straightforward and simple.
The method for entering data should be commensurate with the interface. For
instance, a small touchscreen keyboard would be a poor choice for entering large
amounts of data (such as sentences and paragraphs). Further, pointing methods
should be easy to use and intuitive.
• Display and readability Users should be able to read text and images easily.
• Error recovery Users should be able to repeat a step when they have recognized
that they have made an error.
• Sound Sounds as part of interaction should be adjustable and loud enough to be
heard. The system should not emit prolonged loud noise, such as banks of cooling
fans, if users are expected to work in proximity without hearing protection.
• Voice and biometric recognition Technologies used to recognize voice commands
and various types of biometrics should be easy to use and accurate as well.
• Ergonomics Whether portable or stationary, devices should be easy to use without
inducing strain or requiring contortions.
• Environment Information systems should be designed to operate in a variety
of environments where they would typically be used. For instance, ruggedized
laptops for use at construction sites should withstand dust, dirt, water, and
sunlight, while small portable devices should be water-resistant and not break
when dropped.
Using BMIS
Organizations employ BMIS to help them better understand how their people, pro-
cesses, and technologies help to protect the overall organization. BMIS helps the strate-
gist understand the holistic relationships between various aspects (the elements) in the
organization and the factors that influence them (the dynamic interconnections).
The structure of BMIS itself is a key factor in its success. Equally important, however,
is the ability for holistic thinking rather than detailed thinking. It is vital to understand
that BMIS shows how everything is connected to everything else. A change introduced
at any element or DI will affect other elements and DIs and will most likely affect the
adjacent elements and DIs the most. Considering, again, the structure of BMIS, refer
to Figure 2-2.
When a security analyst or strategist is pondering an incident, problem, or situation,
they identify the element or DI in the BMIS that corresponds to the subject of the
matter. Next, they identify the adjacent elements or DIs and think about the relation-
ships: these represent aspects in the organization that would be related or affected.
CISM Certified Information Security Manager All-in-One Exam Guide
80
Examining one element, noting the DI connecting it to another element, helps iden-
tify the nature of the connecting factor. Examples are covered next, which should make
these concepts clearer.
Example 1: Adverse Effects of a Policy Change A security manager wants to enact
a new policy regarding the use of personally owned mobile devices for corporate use,
including e-mail. Policy is a part of the governing DI, and the adjacent elements are
organization and process. The organization element here means that a new policy affects
the organization in some way by altering how it does things. The process element means
that one or more processes or procedures may be affected.
But what if the new mobile device policy adversely affects other processes? One would
then follow the DIs from process and see where they lead and how they lead. First, the
emergence DI connects to people. In the case of this policy, emergence includes ways in
which people follow—or don’t follow—the process. Next, following the enabling and
support DI to technology, this could indicate how other technologies may be affected by
the policy change.
Example 2: Examining Causes for Process Weakness An organization hired a secu-
rity consulting company to perform security scans of its internal network. The consult-
ing company found numerous instances of servers being several months behind in their
security patches. The organization uses a vulnerability scanning tool and is wondering
why patches are so far behind.
Thinking that technology is the problem, the investigator examines the scanning tool
to see whether it is operating properly. This would be the technology element. The tool
is seen to be operating correctly and is running up-to-date software. The investigator next
examines the BMIS model to see what DIs are connected to technology.
First, the architecture DI is examined. This prompts the investigator to think about
whether the scanning tool is able to reach all systems in the network. The investigator
confirms that it is.
Next, the human factors DI is examined. The investigator contacts the engineer who
runs the scanning tool and asks to observe the engineer’s use of the tool. The investigator
is wondering whether the engineer understands how to use the tool properly (there has
been a history of problems because the scanning tool is not easy to use). The engineer is
using the scanning tool correctly, so the investigator needs to keep looking.
Finally, the enabling and support DI is examined. This prompts the investigator to
ponder whether any business processes related to the use of the scanning tool might be a
factor. When interviewing engineers, the investigator discovers that several new networks
in the organization are not included in the scanner’s configuration.
By using the BMIS tool to understand how people, processes, and technologies relate
to one another, the investigator was able to determine the cause of the problem: the
failure of a network change process to notify security personnel caused those security per-
sonnel to not configure the scanning tool to include them. Thus, for some time, security
scans did not identify vulnerabilities present in systems in the new network segments.
The security consulting company’s scans included all of the organization’s networks,
including those that the organization did not scan itself.
Chapter 2: Information Security Strategy
81
Business
PART I
Requirements
Solution Service
Deployment Requirements
Technology Business
Selection Solution
Figure 2-3 BMIS enabling and support lie cycle (Adapted rom The University o Southern
Caliornia, Marshall School o Business, Institute or Critical Inormation Inrastructure Protection, USA)
The BMIS model for enabling and support is a life cycle, as opposed to a do-it-once
approach, as depicted in Figure 2-3.
Payroll Salesforce
(Externally Hosted) Automation
(Externally Hosted)
CRM
Aliate Sales
(Externally Hosted)
(External)
GL
acts
Up
Co
Contr
da
ntr
act
tes
HRIS Ch
es
an
New
ge
Sa
(Externally Hosted) sa
te
nd
lia
Ad
A
New ds
Emp
loyee
s
www Order Entry Orders Financials Data
Customers E-commerce
GL, AP, AR, PA Historic Warehouse
System e
nc Data
tena
M ain
Reports
Internal
Users
IT Enterprise
PART I
The Open Group Architecture Framework (TOGAF) is a life-cycle enterprise architec-
ture framework used for designing, planning, implementing, and governing an enter-
prise technology architecture. TOGAF could be considered a high-level approach for
designing enterprise infrastructure.
The phases used in TOGAF are as follows:
• Preliminary
• Architecture vision
• Business architecture
• Information systems architecture
• Technology architecture
• Opportunities and solutions
• Migration planning
• Implementation governance
• Architecture change management
• Requirements management
TOGAF is a business-driven, life-cycle management framework for enterprise archi-
tecture overall, and it certainly can be used for information security architecture as well.
Figure 2-5 depicts TOGAF visually.
ISO/IEC 27001
ISO/IEC 27001, “Information technology — Security techniques — Information
security management systems — Requirements,” is an international standard for infor-
mation security and risk management. This standard contains a requirements section
that outlines a properly functioning information security management system (ISMS),
as well as a comprehensive control framework.
ISO/IEC 27001 is divided into two sections: requirements and controls. The
requirements section describes required activities found in effective ISMSs. The con-
trols section contains a baseline set of controls that serve as a starting point for an
organization. The standard is updated periodically; as of this writing, the latest version,
ISO/IEC 27001:2013, was released in 2013. ISO has published two corrigendums and
one amendment to the 2013 standard.
CISM Certified Information Security Manager All-in-One Exam Guide
84
Figure 2-5
TOGAF Preliminary
components
(courtesy The
Open Group)
Architecture
Vision
Architecture
Business
Change
Architecture
Management
Information
Implementation Requirements
Systems
Governance Management
Architecture
Migration Technology
Planning Architecture
Opportunities
and
Solutions
PART I
•
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development, and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance
NOTE Many readers o ISO/IEC 27001 gloss over the core o the standard,
the seven sections o requirements or managing an ISMS, and instead ocus
on the appendix with its list o controls. The controls in the appendix are
there or the reader’s convenience and are ully explained in the companion
standard, ISO/IEC 27002.
• Partial Cybersecurity programs may not be formalized, and risks are managed
in an ad hoc or reactive manner. There is limited awareness of cybersecurity risk
across the organization.
• Risk Informed Cybersecurity program activities are approved by management
and linked to organizational risk concerns and business objectives. However,
cybersecurity considerations in business programs may not be consistent at all
levels in the organization.
Chapter 2: Information Security Strategy
87
• Repeatable Cybersecurity program activities are formally approved and
supported by policy. Cybersecurity program capabilities are regularly reviewed
PART I
and updated based on risk management processes and changes in business
objectives.
• Adaptive There is a consistent organization-wide approach to managing
cybersecurity risk through formal policies, standards, and procedures.
Cybersecurity program capabilities are routinely updated based on previous
and current cybersecurity events, lessons learned, and predictive indicators.
The organization strives to adapt proactively to changing threat landscapes.
Note that the text of the CSF claims that these tiers are not maturity levels, but upon
reading the tier descriptions, it is difficult to come to any other conclusion.
For implementation in the private sector, the CSF can be customized into profiles.
A profile is a particular customization of the CSF core for an organization or sector; it is
based on the organization’s or sector’s unique requirements. NIST publishes profiles for
a variety of industry sectors, such as the manufacturing and petroleum industries.
• Prepare
• Categorize
• Select
• Implement
• Assess
• Authorize
• Monitor
The RMF is visually depicted in Figure 2-6.
Figure 2-6
The NIST Risk Categorize
Management
Framework
Monitor Select
Prepare
Authorize Implement
Assess
Strategic Planning
In strategic planning, one or more persons develop the steps and resources required to
achieve a desired end state. In the context of information security, strategic planning
should include the steps and resources required for principal functions of the informa-
tion security program to adequately protect the organization’s information assets and to
Chapter 2: Information Security Strategy
89
continue doing so despite changes in threats, defensive techniques, technologies, and
even the organization’s overall strategic objectives.
PART I
In the “Strategy Resources” section earlier in this chapter, I discuss the inputs that
help a security leader gain a comprehensive understanding of the current state of an
information security program. In some cases, those inputs are also the resources required
to make the necessary changes to the program to bring it closer to its desired end state.
Additional resources may be required, either to help the security leader better understand
the program’s current state or to develop or improve components that will be a part of
the new end state.
Unless only minor improvements are needed in an organization’s information security
program, it is likely that several individual steps are required to transform the program
from its current state to the desired end state. The security leader is likely to develop a
roadmap that defines and describes those steps. The leader may need to develop one or
more business case statements to obtain the necessary resources to execute the roadmap.
Both are described here.
Roadmap Development
Once strategic objectives, risk and threat assessments, and gap analyses have been com-
pleted, the security strategist can begin to develop roadmaps to accomplish each objec-
tive. A roadmap is a list of steps required to achieve a strategic objective. “Roadmap” is
an appropriate metaphor, because it represents a journey that, in the details, may not
always appear to be contributing to the objective. But in a well-designed roadmap, each
objective, milestone, initiative, and project gets the organization closer to the objective.
A roadmap is just a set of plans, but the term is often used to describe the steps that
an organization needs to take to undertake a long-term, complex, and strategic objective.
Often a roadmap can be thought of as a series of projects—some running sequentially,
others concurrently—that an organization uses to transform its processes and technology
to achieve the objective.
Figure 2-7 depicts a roadmap for an 18-month identity and access management project.
Next Phase
Planning
Skills
Assessment IDM Training Auditing & Reporting
Figure 2-7 Sample roadmap or identity and access management initiative (Courtesy o High Tech Security Solutions Magazine)
Chapter 2: Information Security Strategy
91
• Current state This is a description of the existing conditions related to
the initiative.
PART I
• Desired state This describes the future state of the relevant systems, processes,
or staff.
• Success criteria These are the defined items that the program will be
measured against.
• Requirements This is a list of required characteristics and components of the
solution that will remedy the current state and bring about the desired future state.
• Approach This describes the proposed steps that will result in the desired future
state. This section may include alternative approaches that were considered,
with reasons why they were not selected. If the initiative requires the purchase
of products or professional services, business cases may include proposals from
vendors. Alternatively, the business case may include a request for proposal
(RFP) or a request for information (RFI) that will be sent to selected vendors for
additional information.
• Plan This includes costs, timelines, milestones, vendors, and staff associated
with the initiative.
Mature organizations utilize an executive steering committee that evaluates busi-
ness cases for proposed initiatives and makes go/no-go decisions for initiatives. Business
cases are often presented to a steering committee in the form of an interactive discus-
sion, providing business leaders with the opportunity to ask questions and propose
alternative approaches.
Business cases should include the following characteristics:
• Alignment with the organization The business case should align with the
organization’s goals and objectives, risk appetite, and culture.
• Statements in business terms Problem statements, current state, and future
state descriptions should all be expressed in business terms.
Chapter Review
A strategy is a plan to achieve a defined set of objectives to enable the vision of the
organization to be successfully achieved. Objectives are the desired future states in an
organization and, in the context of information security, in the organization’s informa-
tion security program. A strategy should be business aligned, and it should deliver value,
optimize resources, and be measurable.
To be successful, an information security program must align with the business and
its overall mission, goals and objectives, and strategy. The security program must take
into account the organization’s notion of asset value, culture, risk tolerance/appetite,
legal obligations, and market conditions. A successful and aligned security program
does not lead the organization but enables and supports it as it carries out its mission
and pursues its goals.
CISM Certified Information Security Manager All-in-One Exam Guide
92
Many resources are needed for the development of a strategy, including several types
of information that reveal the current state of the organization, such as risk assessments,
vulnerability assessments, threat assessments, business impact analysis, metrics, risk reg-
ister, and incident log. Several other inputs are required that define the structure of
the security program, including policy, standards, guidelines, processes and procedures,
architecture, controls, staff skills, insurance, and outsourced services. It is critical that the
security leader understand the culture of the security team, the IT department, and the
entire organization.
To develop a strategy, the security strategist must first understand the organization’s
present state and then define one or more desired future states. A gap analysis helps the
strategist understand missing capabilities. The development of a roadmap defines the
steps to develop missing capabilities and augment existing capabilities so that the strategy
will be realized.
The security strategist may choose to use the SWOT (strengths, weaknesses, opportu-
nities, and threats) analysis model in support of strategy planning. The strategist may also
employ capability maturity models such as CMMI-DEV to help determine appropriate
future states of key security processes.
Strategy development should begin with developing or updating security policy and
controls. A security leader may choose to align the structure of security policy and con-
trols to one of several standards, such as COBIT, NIST SP 800-53, NIST SP 800-171,
ISO/IEC 27002, HIPAA/HITECH, PCI DSS, or CIS CSC. Next, standards should be
developed or updated, roles and responsibilities established, and personnel trained.
Commitment from organizational executives and owners is essential if the strategy
is to succeed. Business leaders provide the necessary resources that enable the security
leader to execute the strategy; leaders lead by example and set the tone for the level of
importance of information security and privacy.
A security strategist must be aware of potential obstacles to achieving strategic objec-
tives, including culture, organizational structure, existing staff capabilities, budgets, time,
and legal and regulatory obligations. Security leaders should be aware of the phenom-
enon of normalcy bias and be able to recognize it. A business-aligned strategy should
take these obstacles into account and minimize them if the strategy is to be approved
and achieved.
Strategy development may include understanding and establishing desired risk levels.
This may be expressed in qualitative or quantitative terms, depending upon an organiza-
tion’s maturity.
The Business Model for Information Security (BMIS), developed by ISACA, is a
guide for business-aligned, risk-based security governance. The model consists of four
elements: organization, people, process, and technology. It consists of six dynamic inter-
connections (DIs): culture (connecting organization and people elements), governing
(connecting organization and process elements), architecture (connecting organiza-
tion and technology elements), emergence (connecting people and process elements),
enabling and support (connecting process and technology elements), human factors
(connecting people and technology elements). BMIS helps the strategist understand the
dynamics between the four elements and how they may be manifested. The key takeaway
from BMIS is that everything is connected to everything else.
Chapter 2: Information Security Strategy
93
Security architecture represents the implementation of the overall strategy as well as
the details that define the role of technology and asset protection. The Open Group
PART I
Architecture Framework (TOGAF) and the Zachman Framework are two architecture
models that can be used to build a security architecture.
ISO/IEC 27001 is a renowned standard for the development and management of an
information security management system (ISMS). The NIST Cybersecurity Framework
(CSF) is a taxonomy for assessing security capabilities and maturity; it maps high-level
outcomes to several control frameworks. The NIST risk management framework (RMF),
described in NIST SP 800-37, provides a model for the risk management life cycle, which
is considered essential for organizations to identify and manage cyber risks purposefully.
In strategic planning, one or more persons develop the steps and resources required
to achieve a desired end state. In the context of information security, strategic planning
should include the steps and resources required for principal functions of the informa-
tion security program to protect the organization’s information assets adequately, and
to continue doing so despite changes in threats, defensive techniques, technologies, and
even the organization’s overall strategic objectives.
A roadmap is the list of steps required to achieve strategic objectives. Where a signifi-
cant amount of change is warranted, a roadmap may consist of a series of projects.
Often it is necessary to build a business case so that executive management will agree
to support and fund a strategy. A business case typically includes a problem statement,
followed by a description of the current state, the desired future state, requirements, an
approach, and a plan to achieve the strategy. Often a business case is reviewed by a busi-
ness or IT steering committee consisting of business stakeholders.
Notes
• A security program should align with the organization’s overall mission, goals,
and objectives. This means that the security leader and others should be aware
of, and involved in, strategic initiatives and the execution of the organization’s
strategic goals.
• Security leaders developing an information security strategy in an organization
without a program will need to rely on their past experiences, anecdotal accounts
of practices, and policies in the organization. By taking on the Listen, Learn,
Observe, Act (LOLA) approach, a security leader can gain solid insights into an
organization that will greatly increase the chances of aligning the security strategy
with the business.
• While it is important for the security strategist to understand the present
state of the organization when developing a strategic roadmap, the strategist
must proceed despite knowing that there can never be a sufficient level of
understanding. Besides, if even the most thorough snapshot has been taken,
the organization is slowly (or perhaps quickly) changing. Execution of a strategic
plan aims to accelerate changes in certain aspects of an organization that are
already slowly changing.
CISM Certified Information Security Manager All-in-One Exam Guide
94
• Security strategists should be mindful of each organization’s tolerance for change
within a given period of time. Although much progress may be warranted, a
limited amount of change can be reasonably implemented within a set time period.
• A security strategist must anticipate obstacles and constraints affecting the
achievement of strategic objectives and consider refining those objectives so that
they can be realized.
• The business model for information security is useful for understanding the
qualitative relationships among various aspects of an organization, as well as the
types of activities that relate to these aspects.
• Many organizations ruminate over the selection of a control framework. Instead,
the organization should select a framework and then make adjustments to the
framework’s controls to suit the business. A control framework should generally
be considered a starting point, not a rigid and unchanging list of controls—
except in cases where regulations stipulate that controls may not be changed.
• Capability maturity models are useful tools for understanding the maturity
level of a process and developing desired future states. The maturity of processes
in the organization will vary; it is appropriate for some processes to have high
maturity and acceptable for others to have lower maturity. The right question to
ask about each separate process is this: what is the appropriate level of maturity
for this process?
• Each organization has its own practice for the development of business cases for
the presentation, discussion, and approval of strategic initiatives.
Questions
1. What are the elements of the Business Model for Information Security (BMIS)?
A. Culture, governing, architecture, emergence, enabling and support, human
factors
B. People, process, technology
C. Organization, people, process, technology
D. Financial, customer, internal processes, innovation, and learning
2. The best definition of a strategy is:
A. The objective to achieve a plan
B. The plan to achieve an objective
C. The plan to achieve business alignment
D. The plan to reduce risk
3. As part of understanding the organization’s current state, a security strategist is
examining the organization’s security policy. What does the policy tell the strategist?
A. The level of management commitment to security
B. The compliance level of the organization
Chapter 2: Information Security Strategy
95
C. The maturity level of the organization
D. None of these
PART I
4. A security strategist has examined several business processes and has found that
their individual maturity levels range from Repeatable to Optimizing. What is the
best future state for these business processes?
A. All processes should be changed to Repeatable.
B. All processes should be changed to Optimizing.
C. There is insufficient information to determine the desired end states of
these processes.
D. Processes that are Repeatable should be changed to Defined.
5. A security strategist is seeking to improve the security program in an organization
with a strong but casual culture. What is the best approach here?
A. Conduct focus groups to discuss possible avenues of approach.
B. Enact new detective controls to identify personnel who are violating policy.
C. Implement security awareness training that emphasizes new required behavior.
D. Lock users out of their accounts until they agree to be compliant.
6. A security strategist recently joined a retail organization that operates with slim
profit margins and has discovered that the organization lacks several important
security capabilities. What is the best strategy here?
A. Insist that management support an aggressive program to improve the program
quickly.
B. Develop a risk ledger that highlights all identified risks.
C. Recommend that the biggest risks be avoided.
D. Develop a risk-based strategy that implements changes slowly over an extended
period of time.
7. Security governance is most concerned with:
A. Security policy
B. IT policy
C. Security strategy
D. Security executive compensation
8. What relationship should exist between an ERM risk register and a cyber-risk
register?
A. Cyber risks should influence ERM risks.
B. ERM risks should influence cyber risks.
C. ERM and cyber-risk registers should link bidirectionally.
D. ERM and cyber risks should not be related.
CISM Certified Information Security Manager All-in-One Exam Guide
96
9. The primary factor related to the selection of a control framework is:
A. Industry vertical
B. Current process maturity level
C. Size of the organization
D. Compliance level
10. As part of understanding the organization’s current state, a security strategist
is examining the organization’s security standards. What do the standards tell
the strategist?
A. The level of management commitment to security
B. The compliance level of the organization
C. The maturity level of the organization
D. None of these
11. While gathering and examining various security-related business records, the
security manager has determined that the organization has no security incident
log. What conclusion can the security manager make from this?
A. The organization does not have security incident detection capabilities.
B. The organization has not yet experienced a security incident.
C. The organization is recording security incidents in its risk register.
D. The organization has effective preventive and detective controls.
12. A security strategist has examined a business process and has determined that
personnel who perform the process do so consistently, but there is no written
process document. The maturity level of this process is:
A. Initial
B. Repeatable
C. Defined
D. Managed
13. A security strategist has discovered that IT does not control the usage and
acquisition of software on endpoints. What can the strategist conclude?
A. There is no EDR on endpoints.
B. There is no XDR on endpoints.
C. IT lacks an application whitelisting capability.
D. Acceptable-use policy does not address unauthorized software.
Chapter 2: Information Security Strategy
97
14. In an organization using PCI DSS as its control framework, the conclusion of a
recent risk assessment stipulates that additional controls not present in PCI DSS
PART I
but present in ISO/IEC 27001 should be enacted. What is the best course of
action in this situation?
A. Adopt ISO/IEC 27001 as the new control framework.
B. Retain PCI DSS as the control framework and update process documentation.
C. Add the required controls to the existing control framework.
D. Adopt NIST 800-53 as the new control framework.
15. What is the purpose of a gap analysis in the context of strategy development?
A. A gap analysis identifies key process and system improvement needs.
B. A gap analysis identifies vulnerable systems.
C. A gap analysis identifies ambiguous policies.
D. A gap analysis helps to identify ineffective controls.
Answers
1. C. The elements of BMIS are organization, people, process, and technology. The
dynamic interconnections (DIs) are culture, governing, architecture, emergence,
enabling and support, and human factors.
2. B. A strategy is the plan to achieve an objective. An objective is the “what” that
an organization wants to achieve, and a strategy is the “how” the objective will
be achieved.
3. D. By itself, security policy offers little information about an organization’s
security practices. An organization’s policy is only a collection of statements;
without examining business processes and business records and interviewing
personnel, a security professional cannot develop any conclusions about an
organization’s security practices.
4. C. No rules specify that the maturity levels of different processes need to be the
same or at different values relative to one another. In this example, each process
may already be at an appropriate level, based on risk appetite, risk levels, and
other considerations.
5. A. Organizational culture is powerful; it reflects how people think and work.
In this example, there is no mention that the strong culture is bad, only that
it is casual. Punishing people for their behavior may cause employees to resent
the organization, revolt against the organization, or leave the organization. The
best approach here is to work toward understanding the culture and to work
with people in the organization to figure out how a culture of security can be
introduced successfully.
CISM Certified Information Security Manager All-in-One Exam Guide
98
6. D. A security strategist needs to understand an organization’s capacity to spend
its way to lower risk. It is unlikely that an organization with low profit margins
will agree to an aggressive and expensive improvement plan. Developing a risk
register that depicts these risks may be a helpful tool for communicating risk, but
a register doesn’t provide a way to change anything. Similarly, recommending risk
avoidance may mean discontinuing the very operations that bring in revenue.
7. C. Security governance is the mechanism through which security strategy is
established, controlled, and monitored. Long-term and other strategic decisions
are made in the context of security governance.
8. C. The ERM and cyber-risk registers should influence one another. For instance,
chronic risks in the cyber-risk register should compel the creation of a new entry
in the ERM risk register.
9. A. The most important factor influencing a decision of selecting a control
framework is the industry vertical. For example, a healthcare organization
would likely select HIPAA as its primary control framework, whereas a retail
organization may select PCI DSS.
10. C. The presence of security standards indicates an organization with a higher level
of maturity than that of an organization that lacks them.
11. A. An organization that does not have a security incident log probably lacks the
capability to detect and respond to an incident. It is not reasonable to assume that
the organization has had no security incidents, since minor incidents occur with
regularity. Claiming that the organization has effective controls is unreasonable,
as it is understood that incidents occur even when effective controls are in place
(because not all types of incidents can reasonably be prevented).
12. B. A process that is performed consistently but is undocumented is generally
considered to be Repeatable.
13. C. The absence of application whitelisting is the best available answer. It can also
be said that end users are probably local administrators, a setting required for
most software programs to be installed on an endpoint.
14. C. An organization that needs to implement new controls should do so within its
existing control framework. It is not necessary to adopt an entirely new control
framework when a few controls need to be added.
15. A. In the context of strategy development, a gap analysis identifies the areas in
systems, processes, policies, and controls that are in need of improvement. The
gap analysis identifies the gaps between the present state of these areas and the
desired future state, enabling the strategist to develop plans to close each gap.
PART II
Information Security
Risk Management
Chapter 3 Inormation Security Risk Assessment
Chapter 4 Inormation Security Risk Response
This page intentionally left blank
Information Security
Risk Assessment
CHAPTER
3
In this chapter, you will learn about
• Beneits and outcomes o an inormation risk management program
• Developing a risk management strategy
• Risk assessment and risk management standards and rameworks
• The risk management lie-cycle process
• Vulnerability and threat analysis
• Integrating risk management into an organization’s practices and culture
• The components o a risk assessment: asset value, vulnerabilities, threats, and
probability and impact o occurrence
• Qualitative and quantitative risk analysis
• The risk register
• Risk management in other business processes
101
CISM Certified Information Security Manager All-in-One Exam Guide
102
it is difficult to know the probability and costs of significant loss events. Still, several
methods for measuring risk have been established that help organizations better under-
stand risks and how they can be handled. These methods include qualitative and quanti-
tative techniques used to contribute to business decisions.
• Culture
• Mission, objectives, and goals
Chapter 3: Information Security Risk Assessment
103
• Management structure
• Management support
• Industry sector
• Market conditions
• Applicable laws, regulations, and other legal obligations
• Stated or unstated risk tolerance
PART II
• Financial health
• Operating locations
Risk Objectives
A vital part of strategy development is the determination of desired risk levels. One of the
inputs to strategy development is the understanding of the current level of risk, and the
desired future state may also have an associated level of risk.
It is quite difficult to quantify risk, even for the most mature organizations. Getting
risk to a reasonable “high/medium/low” is simpler, though less straightforward, and diffi-
cult to do consistently across an organization. In specific instances, the costs of individual
controls can be known, and the costs of theoretical losses can be estimated, but doing
this across an entire risk-control framework is tedious, yet uncertain, because the prob-
abilities of occurrence for threat events amounts to little more than guesswork. Spending
too much time analyzing risks brings diminishing returns.
Still, in a general sense, a key part of a security strategy may well be the reduction of
risk (it could also be cost reduction or compliance improvement). When this is the case,
the strategist will need to employ a method for determining before-and-after risk levels
that are reasonable and credible. For the sake of consistency, a better approach would be
the use of a methodology—however specific or general—that fits with other strategies
and discussions involving risk.
CISM Certified Information Security Manager All-in-One Exam Guide
104
Risk Management Technologies
Throughout the risk management process, an organization will identify specific risks and
will often choose to mitigate those risks with specific process and technology solutions.
The categories and types of solutions include the following:
PART II
these capabilities but do so without first identifying specific, relevant risks to their orga-
nizations. Instead, they are purchasing these solutions for other reasons, often based on
the following:
• Salespeople who claim their solutions will solve the organization’s security risks
(without actually knowing what the specific risks are)
• Security managers in other organizations who purchase the same or similar solutions
(again, in the presence or absence of sound risk management)
• Articles in trade publications that explain the merits of security solutions
• Culture
• Organizational maturity
• Management structure
• Management support
• Market conditions
• Regulatory and legal requirements
Chapter 3: Information Security Risk Assessment
107
Possibly the most important factor that will enable or constrain security managers
as they develop a risk management strategy is the development of key relationships
throughout the organization. When a security manager develops and implements a risk
management strategy, he or she is acting as a change agent in the organization. The
security manager is subtly but intentionally driving key changes in the organization
through changes in people, processes, and technologies. This role as a security catalyst
is an ongoing journey that will become a way of life as the organization becomes a risk-
aware culture.
PART II
Risk Communication Risk management cannot be a secret business function; instead,
it must be introduced to the organization’s key stakeholders in a way that helps them
understand the role of risk management in the organization. Stakeholders need to under-
stand how the risk management program will work and the role they will play in it being
an effective program in helping to achieve business objectives. An important factor in the
process is helping stakeholders understand the impact that the risk management program
will have on their relationships with one another, on their autonomy, and on the organi-
zation’s well being and health, including that of their own jobs.
Successful information security risk management requires that the channels of com-
munication be open at all times and operate in all directions. Successful information
risk programs operate through transparency so that all stakeholders understand what is
happening in the program and why. Certainly, there are some matters of information
security that need to be kept confidential, but generally speaking, information about
risks should be readily available to all board members, executives, stakeholders, and
risk owners.
Risk Awareness Risk awareness activities help make business leaders, stakeholders,
and other personnel aware of the organization’s information risk management program.
Similar to security awareness programs, the goal of risk awareness is to ensure that busi-
ness leaders and decision-makers recognize that all business decisions have a risk compo-
nent and that many decisions have implications on information risk. Further, they need
to be aware of the presence of a formal information risk management program, which
includes a process and techniques for making risk-aware decisions.
There is some overlap in the content and audience of security awareness and risk
awareness programs. Primarily, security awareness applies to an entire organization,
whereas risk awareness encompasses senior personnel who are involved in the risk man-
agement process. Also, the methods for communicating this information in these two
programs are the same. Ideally, security awareness and risk awareness programs are devel-
oped side-by-side, ensuring that all audiences receive useful and actionable information
when needed.
Risk Consulting Security managers often play the role of security and risk consultant
in their organizations. As they develop trusted relationships throughout the business,
security managers are regarded as technology risk experts who are available to consult
with on a wide variety of issues. Though these mini-consulting engagements may seem
like ad hoc activities, security managers should treat them as formal service requests,
even in the absence of a service request system or formal capability. This includes being
CISM Certified Information Security Manager All-in-One Exam Guide
108
mindful of responsiveness and service levels. Here are some of the key attributes that
make a good information risk consultant:
• Ability to listen to business leaders and rephrase the key concepts or information
back to the business leaders to gain confirmation of what was heard
• Ability to assess the information and how it may impact a process or business
unit, and to identify other areas in the business that may be affected by the issue
• Have a good understanding of the business, not just the technology supporting
the business
• Program scope
• Information risk objectives
Chapter 3: Information Security Risk Assessment
109
• Information risk policy
• Risk appetite/tolerance
• Roles and responsibilities
• Risk management life-cycle process
• Risk management documentation
• Management review
PART II
Security managers in regulated industries need to understand legal and regulatory
requirements so that they can select a framework and build a program that includes all
the required activities and characteristics. If an ERM program is already in place within
the organization, the security manager should consult with the ERM team to understand
how elements from one or more frameworks will support and share information with
one another.
Integration into the Environment To be efficient and effective, the organization’s
information risk management program needs to fit neatly and easily into the orga-
nization’s existing policies, processes, and systems. The information risk management
program should complement existing structures instead of building separate structures.
The principle at work here is one of utilizing existing structures and minimizing impact
to the organization. A new or improved information risk management program will
already be disruptive to an organization in need of such a program—there is no point
in making the componentry of a program disruptive as well.
For instance, a security manager should consider acquiring risk management mod-
ules in an existing IRM platform used to manage policies and external vendors, as
opposed to purchasing a separate IRM platform for managing risk—even if a new, sepa-
rate platform might do a better job. In another example, the security manager should
consider supplementing an existing security awareness program platform with material
about information risk, as opposed to building or acquiring a completely separate secu-
rity awareness system that deals only with information risk management.
Any risk management program needs to integrate easily into the organization’s exist-
ing culture. To the greatest extent possible, a new or improved risk management program
should leverage current thinking, vocabulary, customs, and practices to fit seamlessly
into the organization. However, if the organization’s culture needs minor adjustments
with regard to information risk and information security, the new risk management
program should be “eased into” the culture as opposed to being haphazardly imposed
upon the organization.
External Environments It is critical that the security manager and executive manage-
ment understand the entities that affect the risk environment outside the organization.
Although the external environment is not within the scope of an organization’s risk
management program, many aspects of the external environment must be well under-
stood by the organization to ensure that it and its risk management program are success-
ful. These aspects include the following:
• Market conditions
• Economic conditions
• Applicable laws and regulations
• Social and political environments
• External stakeholders, including regulators, business partners, suppliers,
and customers
• External threats and threat actors
• Geopolitical factors
By being aware of these external factors, the organization can better understand their
potential influences on the organization, which in turn may influence various aspects of
the risk management program, including considerations when making risk decisions and
overall risk tolerance.
Chapter 3: Information Security Risk Assessment
111
The Three Levels of Risk Management
Modern risk management encounters a broad assortment of issues, ranging from cor-
porate culture to misconfiguration of individual servers. Conceptually, these issues are
handled in the same way, with risk identification, analysis, treatment, and closure, but
the personnel involved will often vary, and the deliberations will sound quite different.
Risk management is best divided into three tiers:
• Enterprise-level risks Risks at this level are generally associated with organization
PART II
culture and management’s adequate support of cybersecurity capabilities. Risks at
this level are conceptual in nature and often are reported to a board of directors. The
practice of risk management at this level is known as enterprise risk management, or
ERM. An organization’s ERM will often include not only cybersecurity risk, but also
risks related to competition, market share, economic, workforce matters, and more.
• Process-level risks Risks at this level are usually associated with the effectiveness
of business processes, typically those that affect cybersecurity posture. Issues at
this level typically involve security policies, standards, process design, workflow,
and workload.
• Asset-level risks Risks at this level are associated with individual systems or
small groups of systems. Generally, asset-level risks involve configuration and
small-scale architecture. Analysis is focused on technical vulnerabilities and
threats, and remediation is usually tactical.
As depicted in Figure 3-1, these three levels of risk management may be managed by
a single group or multiple groups. Though the subject matter varies between levels, the
basic principles of risk identification, risk analysis, and risk treatment apply to all.
STRATEGIC RISK
TIER 2
MISSION / BUSINESS PROCESSES
TIER 3
INFORMATION SYSTEMS
TACTICAL RISK
Figure 3-1 Multitier risk management in NIST SP 800-39 (Source: National Institute or Standards
and Technology)
CISM Certified Information Security Manager All-in-One Exam Guide
112
Risks at one tier sometimes inform adjacent tiers. For instance, a surge in asset-level
risks may indicate defects in process-level risks, or even a shift in workforce priorities.
Similarly, the presence of multiple process-level risks may be an indication of macro
issues that should be addressed at the enterprise level.
Gap Analysis
As security managers design the organization’s information risk management program,
they envision the desired end state, which is often based on one or more information risk
frameworks, as discussed earlier in this section. But when it comes to developing actual
plans for implementing components of the program, the security manager must under-
stand the current state of the program, even if there is no formal program at all. To do
this, the security manager should conduct a gap analysis to determine which character-
istics of the current state can remain, which aspects should be discarded, which should
be replaced, and which should be added.
For example, suppose a security manager examines an organization’s existing change
control process. She finds only a log of changes and e-mail attachments containing man-
agement approvals for changes. Her gap analysis reveals the lack of a change request pro-
cedure, change advisory board (CAB) calls, and roles and responsibilities. The existing
business record is usable but needs additional fields and annotations. With this informa-
tion, the security manager can now undertake (or direct) the work required to implement
change control process improvements. Or suppose a security manager identifies that the
current risk audit is conducted annually with no input from the business and process
leaders. The information is kept by the internal audit team and updated by the chief
executive officer (CEO). In this case, a gap analysis would identify several opportunities
for improvement within the program through the involvement of senior leaders.
External Support
Setting up a new information risk management program involves a great deal of
knowledge and details. Even the most experienced information security managers may
find themselves lacking in a few areas. For instance, a new security manager may have
worked previously in an organization without an existing risk management program,
or the security manager may have worked in a different industry sector in the past. Or
perhaps the organization may use tools, technologies, or processes that are unfamiliar to
the security manager. Fortunately, a wealth of information is available to security manag-
ers, which will help to supplement their existing knowledge and skills so that they can
proceed with building and running an information risk management program with more
confidence and with better assurances of positive outcomes.
Here are some of these information sources:
• Consultants Many large and numerous small security professional services firms
are equipped to provide professional advice on the establishment of a security
strategy, and they can do the actual work of designing and implementing a risk
management program. Sometimes, executive management needs affirmation
from outside experts on the need for, and the ways to implement and operate, an
information security program.
Chapter 3: Information Security Risk Assessment
113
• Security round tables Many areas have informal security round tables whose
members include chief information security officers (CISOs) and security managers.
These local networks of information risk security professionals are invaluable for
networking and advice.
• Organization chapters Several professional organizations have local chapters,
where security professionals can congregate and learn from one another and from
event speakers, including the following:
PART II
• Cloud Security Alliance (CSA)
• Information Systems Security Association (ISSA)
• InfraGard
• International Information Systems Security Certification Consortium, (ISC)²
• International Association of Privacy Professionals (IAPP)
• ISACA
• Society for Information Management (SIM)
• Society of Information Risk Analysts (SIRA)
• Published information risk management practices Several organizations, such
as the following, publish standards and/or articles describing risk management
practices, techniques, and case studies:
• (ISC)²
• ISACA
• SANS Institute
• Sources for security industry news Many organizations publish articles
and white papers on various information security and risk management topics,
including the following:
• CIO magazine
• CSO magazine
• Dark Reading
• Information Security Media Group (ISMG)
• Infosecurity Magazine
• ISACA
• (ISC)²
• SANS Institute
• SC Magazine
• TechTarget
CISM Certified Information Security Manager All-in-One Exam Guide
114
• Reports from research organizations Several organizations conduct research
and publish reports on many security-related topics:
• Ernst & Young (EY)
• Ponemon Institute
• PricewaterhouseCoopers (PwC)
• Symantec
• Verizon Business
• Advisory services Several advisory firms, including the following, publish articles,
studies, and advice for security and risk managers:
• Forrester
• Frost Sullivan
• Gartner
• IDC
• Ovum
• Training Education and training courses tailored for established security and
risk professionals are available from many universities, community colleges, and
vocational schools, as well as ISACA, (ISC)², and SANS.
• Books Some of the titles listed in The Cybersecurity Canon are focused on risk
management and go deeper into the topic than is needed for the CISM certification.
Originally curated by Palo Alto Networks, The Cybersecurity Canon is now managed
by Ohio State University (https://icdt.osu.edu/about-cybersecurity-canon).
• Conferences Regional, national, and international conferences on security
and risk management attract large numbers of security and risk professionals
and include speakers, workshops, and training. Like other events listed here,
these conferences provide numerous professional networking opportunities.
Conferences include the following:
• Black Hat
• Defcon
• Evanta (hosts several conferences)
• Gartner Security & Risk Management Summit
• ISACA Conference
• ISSA (hosts several conferences)
• RSA
• SecureWorld Expo
• Security Advisor Alliance Summit
Chapter 3: Information Security Risk Assessment
115
• Intelligence services Several organizations publish advisories on threat actors,
threats, and vulnerabilities. Some are designed to be human-readable, while others
are designed as machine-readable and intended to be fed into an organization’s
SIEM or TIP. A word of caution: Many organizations are promoting and selling
threat intelligence services today. The security manager should fully vet the services
and the specific value they will add to the organization.
PART II
The Risk Management Life Cycle
Like other life-cycle processes, risk management is a cyclical, iterative activity that is used
to acquire, analyze, and treat risks. This book focuses on information risk, but overall,
the life cycle for information risk is functionally similar to that for other forms of risk:
a new risk is introduced into the process, the risk is studied, and a decision is made
about its outcome. Like other life-cycle processes, risk management is formally defined
in policy and process documents that define scope, roles and responsibilities, workflow,
business rules, and business records.
Several frameworks and standards from U.S. and international sources define the full
life-cycle process. Security managers are generally free to adopt any of these standards,
use a blend of different standards, or develop a custom framework.
Information risk management relies upon risk assessments that consider valid threats
against the organization’s assets, considering any present vulnerabilities. Several standards
and models for risk assessments can be used. The results of risk assessments are placed
into a risk register, which is the official business record containing current and historic
information risk threats.
Risk treatment decisions about risks are made after weighing various risk treatment
options. These decisions are typically made by a business owner associated with the
affected business activity.
• Scope definition The organization defines the scope of the risk management
process itself. Typically, scope definitions include geographical or business unit
parameters. Scope definition is not part of the iterative portion of the risk
management process, although scope may be redefined from time to time.
• Asset identification and valuation The organization uses various means to
discover and track its information and information system assets. A classification
scheme may be used to identify risk and criticality levels. Asset valuation is a
key part of asset management processes, and the value of assets is appropriated
for use in the risk management processes. Asset valuation is described in detail
in Chapter 5.
CISM Certified Information Security Manager All-in-One Exam Guide
116
• Risk appetite Developed outside of the risk management life-cycle process,
risk appetite is an expression of the level of risk that an organization is willing to
accept. A risk appetite that is related to information risk is typically expressed in
qualitative means; however, organizations in financial services industries often
express risk in quantitative terms.
• Risk identification In this first step in the iterative risk management process,
the organization identifies a risk that comes from one of several sources, including
the following:
• Risk assessment This includes an overall risk assessment or a focused risk
assessment.
• Vulnerability assessment This may be one of several activities, including a
security scan, a penetration test, or a source code scan.
• Threat advisory This is an advisory from a product vendor, threat intelligence
feed, or news story.
• Risk analysis This is an analysis of risk that is focused on some other matter
that may uncover additional risks requiring attention.
• Risk analysis In the second step in a typical risk management process, the risk
is analyzed to determine several characteristics, including the following:
• Probability of event occurrence The risk analyst studies event scenarios and
calculates the likelihood that an event associated with the risk will occur. This
is typically expressed in the number of likely events per year.
• Impact of event occurrence The risk analyst studies different event scenarios
and determines the impact of each. This may be expressed in quantitative terms
(dollars or other currency) or qualitative terms (high/medium/low or a numeric
scale of 1 to 5 or of 1 to 10).
• Mitigation The risk analyst studies different available methods for mitigating
the risk. Depending upon the type of risk, there are many techniques, including
changing a process or procedure, training staff, changing architecture or
configuration, or applying a security patch.
• Recommendation After studying a risk, the risk analyst may develop a
recommended course of action to address the risk. This reflects the fact that
the individual performing risk analysis is often not the risk decision-maker.
• Risk treatment In the last step in a typical risk management process, an
individual decision-maker or committee makes a decision about a specific risk.
The basic options for risk treatment are as follows:
• Accept The organization elects to take no action related to the risk.
• Mitigate The organization chooses to mitigate the risk, which can take the
form of some action that serves to reduce the probability of a risk event or
reduce the impact of a risk event. The actual steps taken may include business
process changes, configuration changes, the enactment of a new control, or
staff training.
Chapter 3: Information Security Risk Assessment
117
• Transfer The practice of transferring risk is typically achieved through
an insurance policy, although other forms are available, including contract
assignment.
• Avoid The organization chooses to discontinue the activity associated with
the risk. This choice is typically selected for an outdated business activity that
is no longer profitable or for a business activity that was not formally approved
in the first place.
PART II
• Risk communication This takes many forms, including formal communications
within risk management processes and procedures, as well as information
communications among risk managers and decision-makers.
In addition to business processes, a risk management process has business records
associated with it. The risk register, sometimes known as a risk ledger, is the primary busi-
ness record in most risk management programs that lists risks that have been identified.
Typically, a risk register contains many items, including a description of the risk, the
level and type of risk, and information about risk treatment decisions. The risk register is
discussed in detail later in this chapter.
Figure 3-2 shows the elements of a typical risk management life cycle.
Program Scope
Risk
Identification
Asset
Valuation
Threat Advisory,
Vulnerability Risk Risk
Assessment, Assessment Analysis
etc.
Risk
Appetite
Risk
Treatment
Plan of Action
PART II
of the risk assessment and the decisions that will be made as a result of the risk
assessment. Next, the scope of the assessment must be determined and known.
This may take many forms, including geographic and business unit boundaries,
as well as the range of threat scenarios that are to be included. Also, any
assumptions and constraints pertaining to the assessment should be identified.
Further, the sources of threat, vulnerability, and impact information must be
identified. (NIST SP 800-30 includes exemplary lists of threats, vulnerabilities,
and impacts in its appendixes.)
• Step 2: Conduct assessment The organization performs the actual risk assessment.
This consists of several tasks.
A. Identify threat sources and events The organization identifies a list of threat
sources and events that will be considered in the assessment. The standard
includes the following sources of threat information. Organizations are advised
to supplement these sources with other information as needed.
• Table D-1: Threat source inputs
• Table D-2: Threat sources
• Table D-3: Adversary capabilities
• Table D-4: Adversary intent
• Table D-5: Adversary targeting
• Table D-6: Nonadversary threat effects
• Table E-1: Threat events
• Table E-2: Adversarial threat events
• Table E-3: Nonadversarial threat events
• Table E-4: Relevance of threat events
B. Identify vulnerabilities and predisposing conditions The organization
examines its environment (people, processes, and technology) to determine
what vulnerabilities exist that could result in a greater likelihood that threat
events may occur. The standard includes the following sources of vulnerability
and predisposing condition information that can be used in a risk assessment.
Like the catalog of threats, organizations are advised to supplement these lists
with additional vulnerabilities as needed.
• Table F-1: Input—vulnerability and predisposing conditions
• Table F-2: Vulnerability severity assessment scale
CISM Certified Information Security Manager All-in-One Exam Guide
120
• Table F-4: Predisposing conditions
• Table F-5: Pervasiveness of predisposing conditions
C. Determine likelihood of occurrence The organization determines the
probability that each threat scenario identified earlier will occur. The following
tables guide the risk manager in scoring each threat:
• Table G-1: Inputs—determination of likelihood
• Table G-2: Assessment scale—likelihood of threat event initiation
• Table G-3: Assessment scale—likelihood of threat event occurrence
• Table G-4: Assessment scale—likelihood of threat event resulting in
adverse impact
• Table G-5: Assessment scale—overall likelihood
D. Determine magnitude of impact In this phase, the risk manager determines
the impact of each type of threat event on the organization. These tables guide
the risk manager in this effort:
• Table H-1: Input—determination of impact
• Table H-2: Examples of adverse impacts
• Table H-3: Assessment scale—impact of threat events
• Table H-4: Identification of adverse impacts
E. Determine risk The organization determines the level of risk for each threat
event. These tables aid the risk manager in this effort:
• Table I-1: Inputs—risk
• Table I-2: Assessment scale—level of risk (combination of likelihood
and impact)
• Table I-3: Assessment scale—level of risk
• Table I-4: Column descriptions for adversarial risk table
• Table I-5: Template for adversarial risk table to be completed by risk manager
• Table I-6: Column descriptions for nonadversarial risk table
• Table I-7: Template for nonadversarial risk table to be completed by
risk manager
• Step 3: Communicate results When the risk assessment has been completed,
the results are communicated to decision-makers and stakeholders in the
organization. The purpose of communicating risk assessment results is to ensure
that the organization’s decision-makers make decisions that include considerations
for known risks. Risk assessment results can be communicated in several ways,
including the following:
• Publishing to a central location
• Briefings
Chapter 3: Information Security Risk Assessment
121
• Distributing via e-mail
• Distributing hard copies
• Step 4: Maintain assessment After a risk assessment has been completed,
the organization will maintain the assessment by monitoring risk factors
identified in the risk assessment. This enables the organization to maintain a
view of relevant risks that incorporates changes in the business environment
since the risk assessment was completed. NIST SP 800-137, “Information
PART II
Security Continuous Monitoring (ISCM) for Federal Information Systems and
Organizations,” provides guidance on the ongoing monitoring of information
systems, operations, and risks.
NIST SP 800-30 is available at https://csrc.nist.gov/publications/sp.
ISO/IEC 27005 This international standard defines a structured approach to risk
assessments and risk management. The methodology outlined in this standard is sum-
marized here:
• Step 1: Establish context Before a risk assessment can be performed, a number
of parameters need to be established, including the following:
• Scope of the risk assessment This includes which portions of an organization
are to be included, based on business unit, service, line, geography, organization
structure, or other means.
• Purpose of the risk assessment Reasons include legal or due diligence or
support of an ISMS, business continuity plan, vulnerability management plan,
or incident response plan.
• Risk evaluation criteria Determine the means through which risks will be
examined and scored.
• Impact criteria Determine how the impact of identified risks will be described
and scored.
• Risk acceptance criteria Specify the method that the organization will use
to determine risk acceptance.
• Logistical plan This includes which personnel will perform the risk assessment,
which personnel in the organization need to provide information such as control
evidence, and what supporting facilities are required, such as office space.
• Step 2: Risk assessment The risk assessment is performed.
• Asset identification Risk analysts identify assets, along with their value
and criticality.
• Threat identification Risk analysts identify relevant and credible threats that
have the potential to harm assets, along with their likelihood of occurrence.
There are many types of threats, both naturally occurring and human-caused,
and they could be accidental or deliberate. Note that some threats may affect
more than one asset. ISO/IEC 27005 contains a list of threat types, as does
NIST SP 800-30 (in Table D-2) described earlier in this section. Note that a
risk analyst may identify additional threats.
CISM Certified Information Security Manager All-in-One Exam Guide
122
• Control identification Risk analysts identify existing and planned controls.
Those controls that already exist should be examined to see whether they are
effective. The criteria for examining a control includes whether it reduces the
likelihood or impact of a threat event. The results of this examination will
conclude whether the control is effective, ineffective, or unnecessary. Finally,
when identifying threats, the risk analyst may determine that a new control is
warranted.
• Vulnerability identification Vulnerabilities that can be exploited by threat
events that cause harm to an asset are identified. Remember that a vulnerability
does not cause harm, but its presence may enable a threat event to harm an
asset. ISO/IEC 27005 contains a list of vulnerabilities. Note that a risk analyst
may need to identify additional vulnerabilities.
• Consequences identification The risk analyst will identify consequences
that would occur for each identified threat against each asset. Consequences
may be the loss of confidentiality, integrity, or availability of any asset, as well
as a loss of human safety. Depending on the nature of the asset, consequences
may take many forms, including service interruption or degradation, reduction
in service quality, loss of business, reputation damage, or monetary penalties
including fines. Note that consequences may be a primary result or a secondary
result of the realization of a specific threat. For example, the theft of sensitive
financial information may have little or no operational impact in the short
term, but legal proceedings over the long term could result in financial
penalties, unexpected costs, and loss of business.
• Step 3: Risk evaluation Levels of risk are determined according to the risk
evaluation and risk acceptance criteria established in step 1. The output of risk
evaluation is a list of risks, with their associated threats, vulnerabilities, and
consequences.
• Step 4: Risk treatment Decision-makers in the organization will select one of
four risk treatment options for each risk identified in step 3. Decision-makers
weigh the costs and benefits associated with each of these four options and decide
the best course of action for the organization.
These four options are not mutually exclusive; sometimes, a combination of
risk treatment options is the best option for an organization. For instance,
if a business application is found to accept weak passwords, the chosen risk
treatment may be a combination of security awareness training (mitigation) and
acceptance (the organization elected not to modify the application as this would
have been too expensive). Further, some treatments can address more than one
risk. For example, security awareness training may reduce several risks associated
with end-user computing and behavior.
Because some forms of risk treatment (mainly, risk reduction and risk transfer)
may require an extended period of time to be completed, risk managers usually
track ongoing risk treatment activities to completion.
Chapter 3: Information Security Risk Assessment
123
• Risk reduction (aka risk mitigation) The organization alters something in
information technology (such as security configuration, application source code,
or data), business processes and procedures, or personnel (such as training).
In many cases, an organization will choose to update an existing control or enact
a new control so that the risk reduction may be more effectively monitored
over time. The cost of updating or creating a control, as well as the impact on
ongoing operational costs of the control, will need to be weighed alongside the
value of the asset being protected, as well as the consequences associated with the
PART II
risk being treated. A risk manager remembers that a control can reduce many
risks, and potentially for several assets, so the risk manager will need to consider
the benefit of risk reduction in more complex terms.
Chapter 6 includes a comprehensive discussion on the types of controls.
• Risk retention (aka risk acceptance) The organization chooses to accept
the risk and decides not to change anything. Do note that risks should not be
accepted in perpetuity, but instead should be periodically reviewed.
• Risk avoidance The organization decides to discontinue the activity
associated with the risk. For example, suppose an organization assesses the
risks related to the acceptance of credit card data for payments and decides to
change the system so that credit card data is sent instead directly to a payment
processor so that the organization will no longer be accepting that data.
• Risk transfer The organization transfers risk to another party. The common
forms of risk transfer are insurance and outsourcing security monitoring to a
third party. When an organization transfers risk to another party, there will
usually be residual risk that is more difficult to treat. For example, while an
organization may have had reduced costs from a breach because of cyber
insurance, the organization may still suffer reputational damage in the form of
reduced goodwill.
• Step 5: Risk communication All parties involved in information risk—the
CISO (or other top-ranking information security official), risk managers,
business decision-makers, and other stakeholders—need channels of
communication throughout the entire risk management and risk treatment life
cycle. Examples of risk communication include the following:
• Announcements and discussions of upcoming risk assessments
• Collection of risk information during risk assessments (and at other times)
• Proceedings and results from completed risk assessments
• Discussions of risk tolerance
• Proceedings from risk treatment discussions and risk treatment decisions
and plans
• Educational information about security and risk
• Updates on the organization’s mission and strategic objectives
• Communication about security incidents to affected parties and stakeholders
CISM Certified Information Security Manager All-in-One Exam Guide
124
• Step 6: Risk monitoring and review Organizations are not static, and neither
is risk. The value of assets, impacts, threats, vulnerabilities, and likelihood
of occurrence should be periodically monitored and reviewed so that the
organization’s view of risk continues to be relevant and accurate. Monitoring
should include the following:
• Discovery of new, changed, and retired assets
• Changes in business processes and practices
• Changes in technology architecture
• New threats that have not been assessed
• New vulnerabilities that were previously unknown
• Changes in threat event probability and consequences
• Security incidents that may alter the organization’s understanding of threats,
vulnerabilities, and risks
• Changes in market and other business conditions
• Changes in applicable laws and regulations
ISO/IEC 27005 may be purchased from www.iso.org.
Factor Analysis of Information Risk Factor Analysis of Information Risk (FAIR) is an
analysis method that helps a risk manager understand the factors that contribute to risk,
as well as the probability of threat occurrence and an estimation of loss. FAIR is used to
help a risk manager understand the probability of a given threat event and the losses that
may occur.
In the FAIR methodology, there are six types of loss:
PART II
ISACA’s Risk IT Framework ISACA developed the Risk IT Framework to align with
its COBIT framework. While COBIT is used to manage other aspects of business infra-
structure and risk, the Risk IT Framework is explicitly used to enable organizations to
identify and manage IT risk. The framework is broken down into three major process
areas: Risk Governance (RG), Risk Evaluation (RE), and Risk Response (RR).
The RE processes in the framework cover not only assessment, but overlap with the
risk identification areas. In RE processes, business impact is framed and described and
risk scenarios are developed. Risks are assessed and analyzed as well as presented to the
organization’s management. The RE processes are divided into three areas (numbered
RE1–RE3).
Collect Data (RE1) The data collection process aligns with some of the risk identi-
fication processes previously described. During this process, risk management person-
nel develop a model for data collection, which provides for standardized data formats,
measurements, and common data definitions. Data is collected on the various aspects of
the organization and risk scenarios, including the business’s operating environment, risk
factors, threat sources and events, vulnerability data, and asset data. Data is also collected
on the effectiveness of existing controls in the organization.
Analyze Risk (RE2) In this part of the framework, the organization begins to assess and
analyze risk. First, it defines the risk analysis scope. The scope determines how broad and
deep the risk analysis efforts will be, what areas the risk analysis will cover, and which
assets will be examined for risk. To complete this part of the process, you’ll need to con-
sider all the documentation assembled up to this point: risk scenarios, asset inventories,
breakdowns of business processes, prioritization of assets, and so on. This will help frame
the risk analysis as well as determine scope.
During this step, IT risk is also estimated. This involves determining likelihood and
impact values associated with the developed risk scenarios. In addition, it involves consider-
ation of existing controls and how effective they are as currently installed and functioning.
Likelihood and impact values are considered after existing controls are considered.
Although risk response is the subject of Chapter 4, the identification and consider-
ation of possible risk response options are also part of this step of the process. The person
assessing the risk may recommend several different response options, based on the iden-
tified risk. What risk options an organization will use is determined later in the process
and typically with the input and approval of senior management. Risk response options
should be recommended that reduce risk to an acceptable level directly based on the risk
appetite and tolerance of the organization. Finally, knowledgeable peers should review
risk analyses to verify that the analysis process is sound and to validate the results.
CISM Certified Information Security Manager All-in-One Exam Guide
126
Maintain Risk Profile (RE3) A risk profile is a collection of detailed data on identified
IT risks. Risk profiles can cover a single system or asset but are also often seen as describ-
ing risks on an organization-wide basis. During this risk evaluation step, a comprehensive
document of identified risks and their characteristics, such as details regarding impact,
likelihood, and contributing factors, is developed and maintained throughout the asset
or system’s life cycle. Remember that system or asset risk profiles are usually rolled up
into a more comprehensive risk document that covers systems, assets, and business pro-
cesses across the entire organization.
IT assets are also mapped to the business and organizational processes they support
during this step; this helps translate IT risk to corresponding business risk and enables
management to see how the organization would be affected if IT risk were realized on
specific assets. It also enables the organization to develop criticality estimates of IT
resources from a business perspective. It’s worth noting that this is similar to the same
process followed during a business impact assessment (BIA). The key to understanding
how IT risk affects business operations at this point is in understanding how the capabili-
ties of IT are provided to the business processes in question and how critical IT is to a
particular business process or operation. Maintaining a risk profile also means monitor-
ing and updating risk scenarios and analysis as conditions and risk factors change. This
involves keeping the risk register up to date as well. Finally, the organization should
develop key risk indicators (KRIs) during this step, specifically focusing on IT resources.
While key risk indicators are discussed in Chapter 5, for now, you should know that they
enable the organization to monitor changes in risk for given scenarios and to modify its
risk profiles as these indicators change. Table 3-1 summarizes some of the different risk
assessment methodologies available.
PART II
ability is not the attack vector or technique—this is known as a threat.
Vulnerabilities usually take one of these forms:
PART II
Regardless of whether security responsibilities for any given aspect of operations are
the burden of the organization or the outsourcing organization, vulnerabilities need to
be identified and managed. For aspects of security that are the responsibility of the orga-
nization, the organization needs to employ normal means for identifying and managing
them. For aspects of security that are the responsibility of the outsourced organization,
that organization needs to identify and manage vulnerabilities; in many cases, the out-
sourced organization will make these activities available to their customers upon request.
Further discussion on the risks identified with third parties appears in Chapter 6.
Threat Identification
The identification of threats is a key step in a risk assessment. A threat is defined as an
event that, if realized, would bring harm to an asset and, thus, to the organization.
In the security industry, the key terms involved with risk assessments are often
misunderstood and misused. These terms are distinguished from one another in this
way: a threat is the actual action that would cause harm, not the person or group
(generically known as an actor or threat actor) associated with it. A threat is also not a
weakness that may permit a threat to occur; that is known as a vulnerability, discussed
earlier in this chapter.
Threats are typically classified as external or internal, as intentional or unintentional,
and as human-made or natural. The origin of many threats is outside the control of the
organization but not necessarily out of their awareness. A good security manager can
develop a list of threats that are likely (more or less) to occur to any given asset.
When performing a risk assessment, the security manager needs to develop a complete
list of threats for use in the risk assessment. Because it’s not always possible for a security
manager to memorize all possible threats, the security manager may turn to one or more
well-known sources of threats, including the following:
Internal Threats
Internal threats originate within the organization and are most often associated with
employees of the organization. Quite possibly, internal employees may be the intentional
actors behind these threats.
Security managers need to understand the nature of internal threats and the interac-
tion between personnel and information systems. A wide range of events can take place
that constitute threats, including the following:
• A network manager in San Francisco locks all other network personnel out of the
network on the claim that no others are competent enough to manage it.
• A securities trader at a U.K.–based brokerage firm bankrupts the firm through a
series of large unauthorized trades.
Chapter 3: Information Security Risk Assessment
131
• A systems administrator at an intelligence agency acquires and leaks thousands of
classified documents to the media.
• A Chinese national pleads guilty to conspiracy to commit economic espionage.
Despite the employee’s agreements to protect the company’s intellectual property,
the employee admits that he stole a trade secret from his employer, transferred it
to a memory card, and attempted to take it to the People’s Republic of China for
the benefit of the Chinese government.
PART II
A significant factor in employees going rogue is an access control policy that results
in individual employees having access to more information than is prudent. That said,
increasing the granularity of access controls is known to be time-consuming and costly,
and it increases the friction of doing business; few organizations tolerate this despite
identified risks.
Access controls are only one of several areas of concern. Table 3-3 contains human-
made threats that may be included in an organization’s risk assessment.
It may be useful to build a short list of threat actors (the people or groups that would
initiate a threat event), but remember that these are not the threats themselves. Building
such a list may help the security manager identify additional threat events that may not
be on the list.
Table 3-4 contains a list of internal and external natural threats.
External Threats
Like internal threats, threats that originate outside of the organization can include both
deliberate and accidental actions. External threats can also be human-made or associated
with naturally occurring events.
The security manager performing a risk assessment needs to understand the full range
of threat actors, along with their motivations. This is particularly important for organiza-
tions where specific types of threat actors or motivations are more common. For exam-
ple, certain industries such as aerospace and weapons manufacturers attract industrial
espionage and intelligence agencies, and certain industries attract hacktivists.
Chapter 3: Information Security Risk Assessment
133
Forest ire or range ire
Smoke damage rom orest ire or range ire
River lood
Landslide
Avalanche
Tornado
PART II
Hurricane
Wind storm
Hailstorm
Earthquake
Tsunami
Lightning
Epidemic
Explosion o naturally occurring substances
Solar storm
Table 3-4 Internal and External Natural Threats
Table 3-5 contains a list of external threat actors, and Table 3-6 lists the motivations
behind these actors.
Former employees
Current and ormer consultants
Current and ormer contractors
Competitors
Hacktivists
Personnel in current and ormer third-party service organizations, vendors, and suppliers
Government intelligence agencies (oreign and domestic)
Criminal organizations (including individuals)
Terrorist groups (including individuals)
Activist groups (including individuals)
Armed orces (including individuals)
Table 3-5 External Threat Actors
CISM Certified Information Security Manager All-in-One Exam Guide
134
Competitive advantage
Economic espionage
Monetary gain
Political gain
Intelligence
Revenge
Shaming
Ego
Curiosity
Unintentional errors
Table 3-6 Threat Actor Motivations
In a risk assessment, it is essential to identify all threats that have a reasonable likeli-
hood of occurrence. Those threats that are unlikely because of geographical and other
conditions are usually excluded. For example, hurricanes can be excluded for locations
far from oceans, and volcanoes can be excluded from locations where no volcanoes exist.
Threats such as meteorites and space debris are rarely included in risk assessments because
of the minute chance of occurrence.
PART II
This cat-and-mouse game could continue for months, or even years, with the adver-
sary continuing to compromise targets and study the organization’s systems—all the
while searching for specific targets—while the security manager and others would con-
tinually chase the adversary around like the carnival game of “whack a mole.”
NOTE The term “APT” is not used oten nowadays, although its deinition is
largely unchanged. APTs were discussed more oten when these techniques
were new. But today, the techniques used by a multitude o cybercriminal
organizations, along with hundreds i not thousands o talented, individual
threat actors, resemble the APTs o a dozen years ago. Today APTs are not
novel but routine.
Emerging Threats
The theater in which cyberwarfare takes place today is constantly changing and evolving.
Several forces are at work, as explained in Table 3-7, that continually “push the envelope”
in the areas of attack techniques as well as defense techniques.
Emerging threats will always represent the cutting edge of attack techniques and will
be difficult to detect and/or remediate when they are first discovered. For this reason,
emerging threats should be viewed as a phenomenon of new techniques, rather than as a
fixed set of techniques. Often, the latest attack techniques are difficult to detect because
they fall outside the span of techniques that security professionals expect to observe from
time to time. Security managers need to understand that, although defensive technologies
Phenomenon Response
Emerging technologies, including bring New targets o opportunity, many o which
your own device (BYOD), bring your own are poorly guarded when irst implemented
application (BYOA), cloud computing,
virtualization, and Internet o Things (IoT)
Improved technologies (aster processing time) More rapid compromise o cryptosystems
Improved technologies (aster network speeds) More rapid exiltration o larger data sets;
easier transport o rainbow tables used to
crack hash tables
Improved antimalware controls Attack innovation—techniques evaded
antimalware controls
Table 3-7 The Cascade o Emerging Threats
CISM Certified Information Security Manager All-in-One Exam Guide
136
continuously improve to help prevent and/or detect attacks of increasing sophistication,
attack techniques will continuously improve in their ability to evade detection by even the
most sophisticated defense techniques.
Risk Identification
During risk identification, various scenarios are studied for each asset to identify which
risks pose the greatest potential for realization. Several considerations are applied in the
identification of each risk, including the following:
• Threats All realistic threat scenarios are examined for each asset to determine
which are most likely to occur.
• Threat actors The risk manager must understand the variety of threat actors
and know which ones are more motivated to target the organization and for
what reasons. This further illuminates the likelihood that a given threat scenario
will occur.
• Vulnerabilities For all assets, business processes, and staff members being
examined, vulnerabilities need to be identified. Then various threat scenarios are
examined to determine which ones are more likely as a result of corresponding
vulnerabilities.
• Asset value The value of each asset is an important factor to include in risk
analysis. As described earlier, assets may be valued in several ways. For instance, a
customer database may have a modest recovery cost if it is damaged or destroyed;
however, if that same customer database is stolen and sold on the black market,
the value of the data may be much higher to cybercriminals, and the resulting
costs to the organization to mitigate the harm done to customers may be higher
still. Other ways to examine asset value is through the revenue derived from the
asset’s existence or use.
Chapter 3: Information Security Risk Assessment
137
• Impact The risk manager examines vulnerabilities, threats (with threat actors),
and asset value and estimates the impact of the different threat scenarios. Impact
is considered separately from asset value, because some threat scenarios have
minimal correlation with asset value but are instead related to reputation damage.
Breaches of privacy data can result in high mitigation costs and reduced business.
Breaches of hospital data can threaten patient care. Breaches in almost any IoT
context can result in extensive service interruptions and life safety issues.
PART II
Qualitative and quantitative risk analysis techniques help to distinguish higher
risks from lower risks. These techniques are discussed later in this section. Risks above
a certain level are often transferred to a risk register, where they will be processed
through risk treatment.
Likelihood
In risk assessments, likelihood is an important dimension that helps a risk manager under-
stand several aspects related to the unfolding of a threat event. The likelihood of a serious
security incident has less to do with technical details and more to do with the thought
process of an adversary. Considerations related to likelihood include the following:
Impact
In the context of information security, an impact is the actual or expected result of some
action, such as a threat or disaster. During a risk assessment, impact is perhaps the most
important attribute for a risk manager to understand in a threat scenario. A risk assess-
ment can describe all types of threat scenarios, the reasons behind them, and how they
can be minimized. If the risk manager fails to understand the impact of these scenarios,
he or she cannot determine the level of importance imposed by one threat factor versus
another, in terms of the urgency to mitigate the risk.
A wide range of possible impact scenarios include the following:
Probability
Low Medium High
Unlikely
Risk Risk Risk
PART II
Highly Insignificant Low Medium
Unlikely Risk Risk Risk
Slightly Extremely
Harmful
Harmful Harmful
Consequences
• Asset value
• Threat scenarios
• Threat probabilities
• Relevant vulnerabilities
• Existing controls and their effectiveness
• Impact
Risk analysis can also consider business criticality, if a BIA is available.
Various risk analysis techniques are discussed in the remainder of this section.
Gathering Information
A security manager needs to gather a considerable amount of information to ensure that
that the risk analysis and the risk assessment are valuable and complete. Several sources
are available, including the following:
PART II
of events that may occur, not a measure of events that do occur.
Standard quantitative risk analysis involves the development of several figures:
• Asset value (AV) The value of the asset is usually (but not necessarily) the asset’s
replacement value. Depending on the type of asset, different values may need to
be considered.
• Exposure factor (EF) The financial loss that results from the realization of a
threat is expressed as a percentage of the asset’s total value. Most threats do not
completely eliminate the asset’s value; instead, they reduce its value. For example,
if an organization’s $120,000 server is rendered unbootable because of malware,
the server will still have salvage value, even if that is only 10 percent of the asset’s
actual value. In this case, the EF would be 90 percent. Note that different threats
have different impacts on EF, because the realization of different threats will cause
varying amounts of damage to assets.
• Single loss expectancy (SLE) This value represents the financial loss when a
threat scenario occurs one time. SLE is defined as AV × EF. Note that different
threats have a varied impact on EF, so those threats will also have the same
multiplicative effect on SLE.
• Annualized rate of occurrence (ARO) This is an estimate of the number of
times that a threat will occur per year. If the probability of the threat is 1 in 50
(one occurrence every 50 years), ARO is expressed as 0.02. However, if the threat
is estimated to occur four times per year, then ARO is 4.0. Like EF and SLE, ARO
will vary by threat.
• Annualized loss expectancy (ALE) This is the expected annualized loss of asset
value due to threat realization. ALE is defined as SLE × ARO.
ALE is based upon the verifiable values AV, EF, and SLE, but because ARO is only an
estimate, ALE is only as good as ARO. Depending upon the value of the asset, the risk
manager may need to take extra care to develop the best possible estimate for ARO, based
upon whatever data is available. Sources for estimates include the following:
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a risk
analysis approach developed by Carnegie Mellon University. The latest version, OCTAVE
Allegro, is used to assess information security risks so that an organization can obtain
meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
• Step 1: Establish risk measurement criteria The organization identifies the most
important impact areas. The impact areas in the model are reputation/customer
confidence, financial, productivity, safety and health, fines/legal penalties,
and other. For example, reputation may be the most important impact area for
one organization, while privacy or safety may be the most important for other
organizations.
• Step 2: Develop an information asset profile The organization identifies its
in-scope information assets and develops a profile for each asset that describe its
features, qualities, characteristics, and value.
• Step 3: Identify information asset containers The organization identifies all
the internal and external information systems that store, process, and transmit
in-scope assets. Note that many of these systems may be operated by third-party
organizations.
• Step 4: Identify areas of concern The organization identifies threats that, if
realized, could cause harm to information assets. Typically, this is identified in a
brainstorming activity.
• Step 5: Identify threat scenarios This is a continuation of step 4, where threat
scenarios are expanded upon (and unlikely ones eliminated). A threat tree may be
developed that first identifies actors and basic scenarios and then is expanded to
include more details.
• Step 6: Identify risks A continuation of step 5, the consequences of each threat
scenario are identified.
• Step 7: Analyze risks This simple quantitative measurement is used to score
each threat scenario based on risk criteria developed in step 1. The output is a
ranked list of risks.
• Step 8: Select mitigation approach A continuation of step 7, the risks with
higher scores are analyzed to determine methods available for risk reduction.
Chapter 3: Information Security Risk Assessment
143
The OCTAVE Allegro methodology includes worksheets for each of these steps,
making it easy for a person or team to perform a risk analysis based on this technique.
Further information about OCTAVE Allegro is available at www.cert.org/resilience/
products-services/octave/.
Bow-Tie Analysis
A bow-tie analysis uses diagrams to analyze and explain relationships between various risk
elements, from causes (threats) to events and then to impacts (consequences). It is simi-
PART II
lar to both the fault-tree analysis and the event-tree analysis (discussed next). It looks at
the various causes of a risk event (fault tree) and analyzes the consequences of the event
(event tree). The difference, however, is that the bow-tie analysis looks at the intervening
characteristics of the events and causes, such as the path by which the cause leads to the
event and then the consequences. Figure 3-4 illustrates a bow-tie diagram. In this figure,
the adverse event is shown as the center of the bow tie, with potential causes on the left
and possible consequences on the right.
Risk Ownership
When considering the results of a risk assessment, the organization needs to assign indi-
vidual risks to individual people, typically middle- to upper-management business lead-
ers. These leaders, who should also have ownership of controls that operate within their
span of control, have budget, staff, and other resources used in daily business operations.
These are the risk owners, and, to the extent that there is a formal policy or statement on
risk tolerance or risk appetite, they should be the people making risk treatment decisions
for risks in their domain. To the extent that these individuals are accountable for opera-
tions in their part of the organization, they should also be responsible for risk decisions,
including risk treatment, in their operational areas. A simple concept to approach risk
Chapter 3: Information Security Risk Assessment
145
ownership is that if nobody owns the risk, then nobody is accountable for managing
the risk, which will lead to a great probability of the risk becoming an active issue with
negative impacts on the business, along with the possible identification of a scapegoat
who will be blamed if an event occurs. The scapegoat is usually the person responsible
for information security.
Risk Treatment
In risk treatment, management makes a choice regarding the disposition of each iden-
PART II
tified risk. Management can choose to accept the risk, mitigate the risk, transfer it to
another organization, or avoid the activity altogether. Risk treatment is described in
detail in Chapter 4.
Controls
A common outcome of risk treatment, when mitigation is chosen, is the enactment of
controls. Put another way, when an organization identifies a risk in a risk assessment, the
organization may decide to develop (or improve) a control that will mitigate the risk that
was found. Controls are measures put in place to ensure a desired outcome. Controls can
come in the form of procedures, or they can be implemented directly in a system.
Suppose an organization realized that its procedures for terminating access for depart-
ing employees were resulting in a lot of user accounts not being deactivated. The existing
control was a simple, open-loop procedure, whereby analysts were instructed to deac-
tivate user accounts. Often they were deactivating user accounts too late or not at all.
To reduce this risk, the organization modified the procedure (updated the control) by
introducing a step in which a second person would verify all account terminations on a
daily basis.
There are many categories and types of controls, as well as standard control frame-
works. These are discussed in great detail in Chapter 6.
• Both seek to discover risks and develop remedies for events that threaten business
operations and the ongoing viability of an organization.
• Both rely on risk assessments to identify risks that will require mitigation.
• Both can rely on the results of a business impact analysis to better understand the
criticality of business processes and the interdependency of processes and assets.
Risk management identifies threats that, if unchecked, could unfold into disaster sce-
narios. Many of the threat scenarios in a risk assessment are disaster situations used in
business continuity planning.
Business continuity planning is described in detail in Chapter 7.
CISM Certified Information Security Manager All-in-One Exam Guide
146
The Risk Register
A risk register is a business record that contains information about business risks and
information about their origin, potential impact, affected assets, probability of occur-
rence, and treatment. A risk register is the central business record in an organization’s
risk management program. Together with other records, the risk register serves as the
focal point of evidence that an organization is at least attempting to manage risk. Other
records include evidence of risk treatment decisions and approvals, tracking of projects
linked to risks, and risk assessments and other activities that contribute content to the
risk register.
A risk register can be stored in a spreadsheet, database, or within a governance, risk,
and compliance tool used to manage risk and other activities in the security program.
Table 3-8 shows the columns in a typical risk register.
Item Description
Entry number A unique numeric value identiying the entry, which can be in the orm o a
date, such as 20220127a (or January 27, 2022)
Status Current status o the entry: Open, Assigned, or Closed
Date entered The date the risk register entry was created
Entered by The person who created the risk register entry
Source The activity or event that compelled someone to create this entry, which
may include a risk assessment, a vulnerability assessment, a security incident,
threat intelligence, or an external party
Incident number Reerence to an incident record, i applicable
Title Short title describing the risk entry
Description Description o the risk
Threat description Description o the potential threat activity
Threat actor Description o the type o threat actor, such as worker, ormer worker,
supplier, vendor, or partner, cybercriminal, or nation-state
Vulnerability description Description o one or more vulnerabilities that increases the probability or
impact o threat realization
Third-party organization Name o the third-party organization where the risk is present, i applicable
Third-party classiication Classiication level o the third-party organization, i applicable
Business impact Business language description o the impact o threat realization
Technical impact Technical language description o the impact o threat realization, i applicable
Asset The speciic asset, asset group, or asset class aected by the risk
Asset owner The owner o the aected asset
Risk owner The owner o the risk
Control group A reerence to the aected control group, i applicable
Control A reerence to the aected control, i applicable
Table 3-8 Sample Risk Register Data Structure (continued)
Chapter 3: Information Security Risk Assessment
147
Item Description
Process A reerence to the aected process, i applicable
Untreated probability o An estimate o the probability o occurrence o the threat event associated
occurrence with the risk, usually expressed as high, medium, or low or on a numeric
scale such as 1 to 5
Untreated impact o An estimate o the impact o occurrence o the threat event associated with
occurrence the risk, usually expressed as high, medium, or low or on a numeric scale
such as 1 to 5
PART II
Untreated risk score An overall risk score that is generally a product o probability, impact, and
asset value
Treated probability o An estimate o the probability o occurrence o the threat event associated
occurrence with the risk, ater risk treatment, usually expressed as high, medium, or low
or on a numeric scale such as 1 to 5
Treated impact o An estimate o the impact o occurrence o the threat event associated with
occurrence the risk, ater risk treatment, usually expressed as high, medium, or low or
on a numeric scale such as 1 to 5
Treated risk score An overall risk score that is generally a product o probability, impact, and
asset value, ater risk treatment
Estimated cost o An estimated cost o risk treatment, expressed in dollars or the local currency
risk treatment
Estimated level o eort o An estimated level o eort o risk treatment, expressed as high, medium,
risk treatment or low or on a numeric scale such as 1 to 5 or as an estimate o a range o
man-hours:
• Less than 1 hour
• Less than 10 hours
• Less than 100 hours
• Less than 1,000 hours
• Less than 10,000 hours
Risk treatment The chosen method o risk treatment: accept, mitigate, transer, or avoid
Risk treatment approver The person or body that approved the risk treatment method
Risk treatment approval date The date that the risk treatment method was approved
Risk treatment owner The person responsible or carrying out risk treatment
Risk treatment description A description o the risk treatment
Risk treatment planned Date when risk treatment is expected to be completed
completion
Actual cost o risk treatment The actual cost o risk treatment, which would be known when risk treatment
has been completed, expressed in dollars or the local currency
Actual level o eort o risk The actual level o eort o risk treatment, which would be known when risk
treatment treatment has been completed, expressed in man-hours
Risk treatment closure date Date when risk treatment is actually completed
Next review date Date when the risk will be reviewed again (usually applies to accepted risk)
Table 3-8 Sample Risk Register Data Structure
CISM Certified Information Security Manager All-in-One Exam Guide
148
Sources of Information for the Risk Register
Awareness of risks can come from many places and through a variety of events. The infor-
mation in Table 3-8 provides some hints about the potential sources of information that
would lead to the creation of a risk register entry, which include the following:
• Risk assessment A prime source for risk register entries, a risk assessment
identifies risks in the organization’s staff (such as excessive workload, competency,
and training issues), business processes, and technology.
• Vulnerability assessment The high-level results of a vulnerability assessment
(or penetration test, code review, social engineering assessment, and so on) may
indicate overarching problems in staff, business processes, or technology at a
strategic level.
• Internal audit Internal audits and other internal control self-assessments can
identify problems in staff, business processes, or technology.
• Security incident The occurrence of a security incident may reveal the presence
of one or more risks that require attention. Note that a security incident in another
organization may highlight risks in one’s own organization.
• Threat intelligence Formal and informal subscriptions or data feeds on threat
intelligence may reveal risks that warrant attention.
• Industry development Changes in the organization’s industry sector, such as new
business activities and techniques, may reveal or magnify risks that require attention.
• New laws and regulations The passage of new laws, regulations, and applicable
standards and private legal obligations may reveal the presence of risks that require
attention. Also, note that compliance risk (the possibility that regulators or others
may impose fines or sanctions on the organization) may well be included in one or
more risk register entries, if the organization has identified such risks.
• Consultants A visit by, or conversation with, an expert security consultant
may reveal risks that were previously unknown. The consultant, who may be an
auditor or assessor or may be working in the organization on a project, may or
may not be expecting to find risks that the organization’s security manager would
want to be aware of.
PART II
program should be included in the risk register.
• Architecture
• Software development
• Change management
• Configuration management
• Incident and problem management
• Physical security
• Information risk and enterprise risk management
• Human resource management
• Project management
Architecture
IT architects and solution architects create macro- and micro-level designs for networks,
systems, applications, integrations, and other technology components. These activities
should be reviewed by security subject matter experts such as security architects to ensure
that the work of IT and solution architects do not introduce new, undesired risk to the
organization.
Software Development
Developers, in the creation and maintenance of software programs, sometimes introduce
software defects (commonly known as bugs) in their programs, resulting in unexpected
behavior. This unexpected behavior may include calculation errors or errors in the way
that information is displayed, read from storage, or written to storage. Sometimes, these
defects can be exploited by a user or attacker to trick the software program into perform-
ing unexpected or unwanted activities.
Unless software developers are specifically aware of the security implications of the
use of specific functions and calculations, they may unknowingly introduce benign to
serious security defects in their programs. Some of these defects may be easily discovered
with scanning programs or other techniques, while others may remain undiscovered for
years. Often, a researcher will find security defects associated with a particular coding
Chapter 3: Information Security Risk Assessment
151
technique that is present in many programs; this can result in many organizations discov-
ering for the first time that their programs have a particular exploitable defect.
Without specific software development experience, a security manager in a smaller
organization may not have specific knowledge of the pitfalls associated with the use of
the programming language in that organization. Oftentimes, an outside security expert
with experience in software development and insecure coding is needed to assist such an
organization in discovering any weaknesses in its coding practices. In a larger organiza-
tion, assistance may be provided by one or more internal security experts who are familiar
PART II
with the languages used in development.
In addition to secure coding, organizations need to introduce several security-related
steps into their software development process:
• Threat modeling These techniques are implemented during the design phase
to anticipate potential threats and incorporate design features to block them.
• Coding standards These standards specify allowed and disallowed coding
techniques, including those more likely to introduce security defects and other
defects.
• Code reviews Performed by peers, code reviews are part of the program
development and maintenance process. A peer is more likely to find defects and
security problems than the developer who wrote the code.
• Code scanning This is performed in the developer’s IDE or executed separately
in the developers’ central software build environments.
• Application scanning This is performed on web applications to discover
exploitable defects.
• Application penetration testing Testing is performed periodically by internal
personnel or by qualified security advisory firms.
The concept of security by design is used to incorporate security and risk into every
level of product development, from inception to development, testing, implementation,
maintenance, and operations. Organizations that incorporate security by design into
their development and business processes are less likely to suffer from security incidents
than those that do not. They are also less likely to undergo frequent security changes
caused by unexpected security incidents.
Configuration Management
Configuration management is the IT function by which the configuration of components
in an IT environment is independently recorded. Configuration management is usually
supported by the automated tools used to inventory and control system configurations,
but sometimes manual means are used. A configuration management database (CMDB)
is the repository for this information.
Chapter 3: Information Security Risk Assessment
153
Configuration management can be thought of as the creation of a historical record of
the configuration of devices and systems. This historical record can sometimes be useful
during troubleshooting, in support of investigations, as personnel need to understand
in detail any changes in configuration that may have occurred in a system that could
account for an incident or problem.
Security and risk considerations in configuration management are as follows:
PART II
• Inclusion of security-related information in configuration management data
Looking into the content itself in configuration management, this brings to mind the
fact that organizations need to develop server, endpoint, and network device–hardening
standards to make them more resilient to attack. Once an organization develops a hard-
ening standard, it is implemented in some manner, such as a golden server or endpoint
image, which should also be managed and protected, whether contained in the CMDB
or not.
IT and information security need to be aware of the phenomenon of configuration
drift, where the configuration of a component or system slowly diverges from its initial
or intended state. Configuration drift often occurs in organizations that lack automation
for applying configurations to systems.
Physical Security
Physical security is mainly concerned with the development and management of con-
trols to protect physical assets, workplaces, and personnel. There is significant intersec-
tion between information security and physical security: information security relies upon
physical security controls for the protection of information processing and communica-
tions equipment. While some of this equipment resides in data centers, some also resides
in workplaces where an organization’s personnel also work. These common controls make
workplace safety a close relative to information security.
Changes in physical security technologies such as video surveillance and building
access control systems are bringing information and physical security closer together
than they have ever been before. In most organizations, however, information security
and physical security are still managed separately. In these cases, because they share many
technologies, assets, and overall objectives of protecting the organization from harm,
information and physical security personnel can form partnerships.
Information and physical security functions can be integrated together in a number of
ways, including the following:
• Ensuring that organization-wide risk and threat assessments cover both areas
adequately
• Ensuring that business continuity and disaster recovery planning adequately
covers both concerns
Chapter 3: Information Security Risk Assessment
155
• Ensuring that information and physical security risks exist on a common risk
register and are managed in a common risk management and risk treatment process
• Ensuring that information systems with high availability requirements are located
in facilities with high availability as part of their design
• Ensuring that IP-based physical security assets and systems are incorporated into
the organization’s overall technology and security architecture, with adequate
protection based on risk
PART II
• Incorporating physical facilities into the organization’s information and asset
classification program so that facilities and work centers can also be rated and
adequately protected based on classification and risk
• Incorporating physical facility access into the organization’s identity and access
management program
• Ensuring that supervisory control and data acquisition (SCADA) and industrial
control systems (ICSs) are supporting, monitoring, and controlling the
environmental systems that support information technology such as heating,
ventilation, and air-conditioning (HVAC) and that physical access control
systems are monitored in a common monitoring platform
PART II
opportunity to refine project/program objectives, architecture, and requirements.
• The impact of a project or program on the organization’s security, compliance,
and privacy must be established prior to any procurement, development, or
implementation.
• Security requirements need to be included in any activity where requirements are
developed. Like other requirements, security requirements must be verifiable.
• Security should be included as a part of approval gates if they are used in projects.
Chapter Review
Risk management is the core of an organization’s information security program. By using
risk management techniques to identify risks and understand the probability of their
occurrence and impact upon the organization, risk managers can help the organization
prioritize scarce resources to reduce risk effectively. The proper application of risk man-
agement helps an organization reduce the frequency and impact of security incidents
through improved resilience and preparation.
When implementing a risk management program, the organization must consider
several characteristics, including its risk tolerance, management structure, executive
management support, culture, and any regulatory and legal obligations.
A risk management program should include several avenues of communication so that
business leaders and stakeholders understand the program and how it is integrated into
the organization. The program should be transparent with regard to its procedures and
practices.
When building or improving a risk management program, security managers may
select one of several industry frameworks, such as ISO/IEC 27001, ISO/IEC 27005,
ISO/IEC 31010, NIST SP 800-37, NIST SP 800-39, COBIT, Risk IT, RIMS, and
FAIR. These and other frameworks offer similar components, including scope, objec-
tives, policy, risk tolerance, roles and responsibilities, the risk management life-cycle
process, and management review. To the greatest reasonable extent, a risk management
program should be integrated into the business to avoid disruption to the organization
while minimizing risk.
When planning a risk management program, the security manager and executive lead-
ership need to understand—and to some extent, define—the context of the program.
This includes the program’s scope, participants and stakeholders, and risk tolerance.
CISM Certified Information Security Manager All-in-One Exam Guide
158
The security manager must consider many aspects of the organization’s internal envi-
ronment, as well as external environments such as market and economic conditions,
external stakeholders, customers, and external threats. The security manager may need to
perform gap analyses to better understand the current state as compared to the desired
future state of the program. Security managers can fill gaps in knowledge and experi-
ence through networking with other security and risk professionals, training, periodicals,
and conferences.
The risk management life cycle consists of a set of activities that enable the discovery
and management of risks. The steps in the process include scope definition, asset
identification and valuation, risk identification, risk analysis, risk treatment, and risk
communication. Periodic risk assessments and other means contribute to continued
risk identification.
A key step in risk analysis is the identification of vulnerabilities, or weaknesses, in
people, business processes, or technology.
Another key step in risk analysis is the identification and analysis of internal
and external threats. Risk management standards such as NIST SP 800-37 contain
comprehensive lists of credible threats. Security managers need to recognize that
emerging threats often need to be considered in a risk assessment, and some may not
yet be included in current standards. Further, there are sometimes threats specific to
an industry sector.
After risks are identified, the amount of risk present can be calculated using input
from threats, threat actors, vulnerabilities, asset value, and impact. In most cases, risk
is calculated in a qualitative way, primarily because it is difficult to know the precise
(or even an approximate) probability of threat occurrence and somewhat difficult to
know the financial impact of a threat.
In quantitative risk analysis, key values are asset value, exposure factor, single loss
expectancy, annualized rate of occurrence, and annualized loss expectancy.
Industry-standard techniques are available for performing risk analysis, includ-
ing OCTAVE Allegro, bow-tie analysis, Delphi method, Bayesian analysis, event-tree
analysis, fault-tree analysis, and Monte Carlo analysis.
Risks identified in a risk assessment or risk analysis need to be evaluated, ranked,
categorized, and assigned to a risk owner. Often, an organization will enact a control to
address a risk.
Risk management and business continuity planning have several common com-
ponents and linkages. Both are concerned with business resilience and survival, and
both utilize business impact analysis to better understand the organization’s most
critical processes.
The risk register is the central business record in a risk management program. A risk
register is a catalog of all current and historical risks, along with many pieces of metadata
describing each risk in detail. A risk register may be stored in a spreadsheet, in a database,
or in a governance, risk, and compliance tool’s risk management module.
Security and risk management are incorporated into many other business activities,
including but not limited to software development, change management, configuration
management, incident and problem management, physical security, enterprise risk man-
agement, and human resource management.
Chapter 3: Information Security Risk Assessment
159
Notes
• Like other activities in information security, measuring the benefits of an
information risk management program can be difficult, mainly because it is
difficult to identify security events that did not occur because of the program.
• Understanding and changing aspects of an organization’s culture is one of the
most important success factors and also one of the most difficult. Culture is the
collective way that people in the organization think and work. It is documented
PART II
everywhere and nowhere.
• Selecting a risk management and risk assessment framework is among the
least important decisions in the development of a risk management program.
Nevertheless, organizations often get as hung up on choosing management and
assessment frameworks as they do on choosing a control framework. Consensus
on framework selection is vital for long-term success.
• The need to minimize the impact of the risk management business process
cannot be overstated. Where possible, utilize existing governance, management,
control, and communications structures already present in the organization. The
impact on decisions made in the risk management program may be significant;
the process itself need not be.
• External factors such as market conditions, competition, and the sentiment of
clients or customers are as important as internal factors such as access to capital
and culture. Organizations in some industry sectors may have an opportunity
to make security a competitive differentiator, in which case it will be more
important to establish effective security management and risk management
programs. Customers and competitors will notice.
• Security managers, when their knowledge or skills fall short on any topic,
underestimate the value of networking and soliciting advice from industry peers.
Many security professionals are willing to help, and plenty of events provide
networking opportunities to meet them.
• In a risk assessment, while listing credible threat events, first obtain the list of
threats from a standard such as NIST SP 800-30, and then add other threats that
may be relevant for the asset, organization, or geographic location.
• The term “advanced persistent threats” was developed when such threats were
novel. They no longer are new. Although use of the term has diminished, this
type of threat has become commonplace.
• Identifying all reasonable vulnerabilities during a risk assessment is not as
easy as identifying threats. You must know more about the asset or process
being examined.
CISM Certified Information Security Manager All-in-One Exam Guide
160
• In qualitative risk assessments, it’s easy to become focused on the risk scores for
various risks. Remember that risk scores are the result of basic calculations based
on very coarse threat and vulnerability ratings. Risk ratings should serve only
to distinguish very high risks from very low ones—and even then, these are just
rough approximations.
• Most organizations that are establishing a risk management program for the first
time can use spreadsheets for key business records such as the risk register and the
security incident log. As organizations become more mature, they can acquire a
governance, risk, and compliance platform that includes risk management modules.
Questions
1. A risk manager is planning a first-ever risk assessment in an organization.
What is the best approach for ensuring success?
A. Interview personnel separately so that their responses can be compared.
B. Select a framework that matches the organization’s control framework.
C. Work with executive management to determine the correct scope.
D. Do not inform executive management until the risk assessment has been
completed.
2. A security manager has completed a vulnerability scan and has identified numerous
vulnerabilities in production servers. What is the best course of action?
A. Notify the production servers’ asset owners.
B. Conduct a formal investigation.
C. Place a single entry into the risk register.
D. Put individual vulnerability entries into the risk register.
3. The concept of security tasks in the context of a SaaS or IaaS environment is
depicted in a:
A. Discretionary control model
B. Mandatory control model
C. Monte Carlo risk model
D. Shared responsibility model
4. A security manager is developing a vision for the future state of a risk management
program. Before she can develop the plan to achieve the vision, she must perform a:
A. Gap analysis
B. Risk analysis
C. Risk assessment
D. Threat assessment
Chapter 3: Information Security Risk Assessment
161
5. All of the following are techniques to identify risks except:
A. Penetration tests
B. Threat modeling
C. Vulnerability assessment
D. Risk treatment
6. The main advantage of NIST standards versus ISO standards is:
PART II
A. NIST standards are considered global standards.
B. NIST standards are not copyrighted.
C. NIST standards are available without cost.
D. NIST standards cost less to implement.
7. Which of the following statements is true about compliance risk?
A. Compliance risk can be tolerated when fines cost less than controls.
B. Compliance risk is just another risk that needs to be understood.
C. Compliance risk can never be tolerated.
D. Compliance risk can be tolerated when it is optional.
8. Misconfigured firewalls, missing antivirus, and lack of staff training are
examples of:
A. Risks
B. Threats
C. Vulnerabilities
D. Threat actors
9. A phishing attack, network scan, and social engineering are examples of:
A. Risks
B. Threats
C. Vulnerabilities
D. Threat actors
10. A security manager has been directed by executive management not to document
a specific risk in the risk register. This course of action is known as:
A. Burying the risk
B. Transferring the risk
C. Accepting the risk
D. Ignoring the risk
CISM Certified Information Security Manager All-in-One Exam Guide
162
11. A security manager is performing a risk assessment on a business application.
The security manager has determined that security patches have not been installed
for more than a year. This finding is known as a:
A. Probability
B. Threat
C. Vulnerability
D. Risk
12. A security manager is performing a risk assessment on a data center. He has
determined that it is possible for unauthorized personnel to enter the data center
through the loading dock door and shut off utility power to the building. This
finding is known as a:
A. Probability
B. Threat
C. Vulnerability
D. Risk
13. Hacktivists, criminal organizations, and crackers are all known as:
A. Threat actors
B. Risks
C. Threats
D. Exploits
14. All of the following are core elements used in risk identification except:
A. Threats
B. Vulnerabilities
C. Asset value
D. Asset owner
15. What is usually the primary objective of risk management?
A. Fewer and less severe security incidents
B. No security incidents
C. Improved compliance
D. Fewer audit findings
Answers
1. C. The best approach for success in an organization’s risk management program,
and during risk assessments, is to have support from executive management.
Executives need to define the scope of the risk management program, whether by
business unit, geography, or other means.
Chapter 3: Information Security Risk Assessment
163
2. A. Most organizations do not place individual vulnerabilities into a risk register.
The risk register is primarily for strategic issues, not tactical issues such as individual
vulnerabilities. However, if the vulnerability scan report was an indication of a
broken process or broken technology, then that matter of brokenness may qualify
as a valid risk register entry.
3. D. The shared responsibility model, sometimes known as a shared responsibility
matrix, depicts the operational model for SaaS and IaaS providers where client
organizations have some security responsibilities (such as end user access control)
PART II
and service provider organizations have some security responsibilities (such as
physical access control).
4. A. The risk manager must perform a gap analysis to understand the difference
between the current state of the risk management program and its desired future
state. Once the gap analysis is completed, it will become clear what steps must be
performed to achieve that desired future state.
5. D. Risk treatment is not a tool to identify risks. It is the process of making a decision
about what to do with an identified risk.
6. C. One of the main advantages of NIST standards is that they are available free of
charge. ISO standards are relatively expensive, ranging from US$100 to $200 for
single user copies.
7. B. In most cases, compliance risk is just another risk that needs to be understood.
This includes the understanding of potential fines and other sanctions in relation
to the costs required to reach a state of compliance. In some cases, being out of
compliance can also result in reputation damage as well as larger sanctions if the
organization suffers from a security breach because of the noncompliant state.
8. C. These are all vulnerabilities, or weaknesses that could potentially be exploited
by a threat.
9. B. These are all threats, which could be more easily carried out if targets are
vulnerable.
10. D. The refusal of an organization to formally consider a risk is known as ignoring
the risk. This is not a formal method of risk treatment because of the absence of
deliberation and decision-making. It is not a wise business practice to keep some
risk matters “off the books.”
11. C. The absence of security patches on a system is considered a vulnerability, which
is defined as a weakness in a system that could permit an attack to occur.
12. B. Any undesired action that could harm an asset is known as a threat.
13. A. These are all threat actors, or persons/entities that may carry out threats against
targets if sufficiently motivated.
CISM Certified Information Security Manager All-in-One Exam Guide
164
14. D. The identity of an asset owner does not factor into the risk identification
process. Although knowing the asset owner is important in subsequent phases of
the risk management process, it is not relevant in identifying the risk. The factors
relevant to risk identification are threats, threat actors, vulnerabilities, asset value,
and impact.
15. A. The most common objective of a risk management program is the reduction
in the number and severity of security incidents.
Information Security
Risk Response
CHAPTER
4
In this chapter, you will learn about
• Risk response options and considerations
• Responding to risk via risk treatment
• Ownership o risks, risk treatment, and controls
• Monitoring and reporting on risk
• Key risk indicators
165
CISM Certified Information Security Manager All-in-One Exam Guide
166
Risk response is the entirety of actions undertaken once the organization becomes aware
of a risk. The risk management life cycle specifies that when a risk is identified, it is first
analyzed (covered in Chapter 3). Next, a business decision, known as risk treatment,
determines what the organization will do about an identified risk. Each risk is assigned
an owner who participates in risk treatment decisions. If a control must be created or
modified to mitigate the risk, management assigns an owner to the control itself. Finally,
each risk is monitored and reports are created to track any changes in risk over time.
• Risk mitigation
• Risk transfer
• Risk avoidance
• Risk acceptance
These four actions are explained in more detail in the following sections.
The decision to ignore a known risk is different from an organization ignoring an
unknown risk, which is usually a result of a risk assessment or risk analysis that is not
properly scoped or sufficiently thorough to identify all relevant risks. The best solution
for these “unknown unknowns” is to have an external, competent firm perform an orga-
nization’s risk assessment every few years, or have the firm examine the organization’s risk
assessment thoroughly to discover opportunities for improvement, including expand-
ing the span of threats, threat actors, and vulnerabilities so that there are fewer or no
unknown risks. Now that we know the options for risk responses, we should consider the
impact of those responses.
One impact of risk treatment is that it pits available resources against the need to
reduce risk. In an enterprise environment, not all risks can be mitigated or eliminated,
because there are not enough resources to treat them all. Instead, a strategy for choosing
the best combination of solutions that will reduce risk by the greatest possible margin is
needed. For this reason, risk treatment is often more effective when all the risks and solu-
tions are considered together, instead of each one separately. Then they can be compared
and prioritized.
Chapter 4: Information Security Risk Response
167
When risk treatment is performed at the enterprise level, risk analysts and technology
architects can devise ways to bring about the greatest possible reduction in risk. This can
be achieved through the implementation of solutions that will reduce many risks for
many assets at once. For example, a firewall can reduce risks from many threats on many
assets; this will be more effective than individual solutions for each asset.
PART II
The aspect of risk treatment of utmost importance to the ongoing success of
an organization’s security management program is who makes the risk treatment
decisions:
Risk Mitigation
Risk mitigation is one of four choices that an organization can take when confronted
with a risk. Risk mitigation, aka risk reduction, involves the implementation of some
solution that will reduce an identified risk—for example, by changing a process or proce-
dure, changing how a security control functions, or adding a security control. In another
example, the risk of advanced malware being introduced onto a server can be mitigated
with advanced malware prevention software or a network-based intrusion prevention
system. Either of these solutions would constitute mitigation of some of this risk on a
given asset.
An organization usually makes a decision to implement some form of risk mitiga-
tion only after performing a cost analysis to determine whether the reduction of risk is
worth the expenditure of risk mitigation. Sometimes, however, an asset’s value is difficult
CISM Certified Information Security Manager All-in-One Exam Guide
168
to measure, or there may be a high degree of goodwill associated with the asset. For
example, the value of a customer database that contains sensitive data, including bank
account or credit card information, may itself be low; however, the impact of a breach of
this database may be higher than its book value because of the loss of business or negative
publicity that may result.
During the risk analysis phase of risk management, a risk analyst will explore one
or more potential ways of mitigating risk and will document the time, effort, and cost
involved for each. The development of multiple options helps inform those responsible
for making risk treatment decisions.
Risk mitigation may, at times, result in a task that can be carried out in a relatively
short period of time. However, risk mitigation may also involve one or more major proj-
ects that start in the future, perhaps in the next budget year or many months, quarters,
or years in the future. Further, such a project may be delayed, its scope may change, or it
may be canceled altogether. For this reason, the security manager needs to monitor risk
mitigation activities carefully to ensure that they are completed as originally planned so
that the risk mitigation is not forgotten.
Another consideration when determining the cost/benefit of mitigation is the
upstream and downstream impacts of the system(s) in question on the other systems. For
instance, can a threat actor use this system or platform to gain access to other systems? It
can be challenging to consider all these aspects when flushing out the cost versus benefits
of conducting risk mitigation activities. It is vital to keep the big picture in mind when
developing a risk mitigation plan.
Risk Transfer
Risk transfer, or risk sharing, means that some or all of the risk is being transferred to
some external entity, such as an insurance company, service provider, business process
outsourcer (BPO), or business partner. The risk transfer option is selected when an orga-
nization does not have the operational or financial capacity to accept the risk and when
risk mitigation is not the best choice.
Chapter 4: Information Security Risk Response
169
When an organization purchases an insurance policy to protect an asset against dam-
age or loss, the insurance company is assuming a part of the risk in exchange for payment
of insurance premiums; however, the intangible losses mentioned previously would still
be present. The details of a cyber-insurance policy need to be carefully examined to be
sure that any specific risk is transferrable to the policy. Cyber-insurance policies typically
have exclusions that limit or deny payment of benefits in certain situations.
Sharing offsite (co-location) assets and contractual obligations with other entities is
one way that organizations implement risk transfer; a cloud service provider can be used
PART II
within this scenario. The cloud provider may be contractually obligated to assume part
of the financial impact in the event of a breach, but be aware that there is a potential loss
of brand goodwill or other intangible assets that can be difficult to offload.
Risk transfer through a BPO results in the outsourcer having accountability for some
risk. For instance, the outsourcing of software development will require the BPO firm
to enact some controls related to a secure systems development life cycle (SDLC) and
protection of intellectual property.
In another example, a risk assessment may reveal the absence of security monitoring
of a critical system. Risk transfer, in this case, may involve the use of an external security
services provider to perform monitoring of the critical system. Here, only part of the risk
is being transferred, as the consequences of any security event that is detected (or one that
is not detected) are entirely borne by the organization.
Risk transfer typically works with only a portion of the risk; it does not reduce all of
the risk. Therefore, multiple risk response options used concurrently will likely be needed.
EXAM TIP CISM candidates need to understand that the use o a risk transer
scheme does not totally absolve an organization o its responsibilities;
organizations may still retain responsibility—and more importantly,
accountability—i there is loss o data, revenue, or customers. Additionally,
legal liabilities may also be involved.
Risk Avoidance
In risk avoidance, the organization abandons the risk-inducing activity altogether,
effectively taking the asset out of service or discontinuing the activity so that the risk
is no longer present. In another scenario, the organization may believe that the risk of
pursuing a given business activity is too great, so they may decide to avoid that par-
ticular venture.
Often, risk avoidance is selected in response to an activity that was not formally approved
in the first place. For example, a risk assessment may have identified a department’s use
of an external service provider that represented a measurable risk to the organization. The
service provider may or may not have been formally vetted in the first place. Regardless,
after the risk is identified in a risk assessment (or by other means), the organization may
choose to cease activities with that service provider; this is risk avoidance.
CISM Certified Information Security Manager All-in-One Exam Guide
170
NOTE Organizations do not oten back away completely rom an activity
because o identiied risks. Generally, this avenue is taken only when the risk
o loss is great and when the perceived probability o occurrence is high.
Risk Acceptance
Management may be willing to accept an identified risk as is, with no effort taken to
reduce it. Risk acceptance is an option in which the organization finds the presence of a
risk acceptable and determines that it requires no reduction or mitigation. Risk accep-
tance also takes place (sometimes implicitly) for residual risk, after other forms of risk
treatment have been applied.
If only risk acceptance were this simple. Further analysis of risk acceptance shows that
there are conditions under which an organization will elect to accept risk:
• The cost of risk mitigation is greater than the value of the asset being protected.
• The impact of compromise is low, or the value or classification of the asset is low.
Organizations may elect to establish a framework for risk acceptance, as shown in
Table 4-1.
After an organization accepts a risk, instead of closing the matter for perpetuity, it
should review the risk at least annually (or after a significant event that would change the
conditions surrounding the accepted risk) for the following reasons:
• The value of the asset may have changed during the year.
• The value of the business activity related to the asset may have changed during
the year.
• The potency of threats may have changed during the year, potentially leading to a
higher risk rating.
• The cost of mitigation may have changed during the year, potentially leading to
greater feasibility for risk mitigation or transfer.
PART II
Ignoring risk is a choice, although it is not considered a wise choice. Ignor-
ing a risk means doing nothing about it—not even making a decision about it. It
amounts to little more than pretending the risk does not exist. It’s off the books.
Organizations without risk management programs may be implicitly ignoring all
risks, or many of them at least. Organizations may also be practicing informal and
maybe even reckless risk management—risk management by gut feel. Without a
systematic framework for identifying risks, many are likely to go undiscovered. An
implicit refusal to identify risks and treat them properly could also be considered
ignoring risks.
PART II
probability and impact.
An old adage in information security states that an organization would not spend
$20,000 to protect a $10,000 asset. Though that may be true in some cases, there is more
to consider than just the replacement (or depreciated) value of the asset. For example,
loss of the asset could result in an embarrassing and costly public relations debacle, or
that asset may play a key role in the organization’s earning hundreds of thousands of
dollars in revenue each month.
Still, the principle of proportionality is valid and is often a good starting point for making
cost-conscious decisions on risk mitigation. The principle of proportionality is described
in generally accepted security systems principles (GASSPs), as well as in section 2.5 of the
generally accepted information security principles (GAISPs).
Residual Risk
Residual risk is the leftover risk that exists after some of the risk has been removed through
mitigation or transfer. For instance, if a particular threat had a probability of 10 percent
before risk treatment and 1 percent after risk treatment, the residual risk is that 1 percent.
This is best illustrated by the following formula:
Original Risk – Mitigated Risk – Transferred Risk – Avoided Risk = Residual Risk
It is unusual for any form of risk treatment to eliminate risk altogether; rather, various
controls are implemented or changed to remove some of the risk. Often, management
implicitly accepts the leftover risk; however, it’s a good idea to make that acceptance of
residual risk more formal by documenting the acceptance in a risk management log or a
decision log.
In addition to the risk treatment life cycle, subsequent risk assessments and other
activities will identify risks that represent residual risk from earlier risk treatment activi-
ties. Over time, the nature of residual risk may change, based on changing threats,
vulnerabilities, or business practices, resulting in an originally acceptable residual risk
that is no longer acceptable.
PART II
The only time the CISO would be the accountable party would be when risk treatment
decisions directly affect the risk management program itself, such as selecting an inte-
grated risk management (IRM) tool for managing and reporting on risk.
Organizations rarely have a single risk-appetite level across the entire business; instead,
different business functions and aspects of security will have varying levels of risk. For
example, a mobile gaming software company may have a moderate tolerance for risk con-
cerning the introduction of new products, a low tolerance for workplace safety risks, and
no tolerance for risk for legal and compliance matters. Mature organizations will develop
and publish a statement of risk appetite that expresses risk tolerance levels throughout
the business.
associated with a specific control (or lack of a control) may be rated as a low risk,
either because the probability of a risk event is low or because the impact of the
event is low. However, if a given law, regulation, or standard requires that the
control be enacted anyway, the organization must consider the compliance risk in
addition to the information security risk. The risk of noncompliance may result
in fines or other sanctions against the organization, which may (or may not) have
consequences greater than the actual risk.
PART II
The end result is that organizations often implement specific security controls
because they are required by laws, regulations, or standards—not because their risk
analysis would otherwise compel them to do so.
• Risk identification Information about the introduction of the risk into the
risk register, including a unique ID designation, the date of discovery, how it was
discovered, and by whom
• Risk description Information about the risk itself, including relevant threats,
vulnerabilities, and consequences
• Affected assets Information about assets or asset groups in the organization
that are affected by the risk, as well as the business owners of those assets
• Risk score Information about the probability and impact of threat occurrence
expressed in qualitative terms and possibly quantitative terms
• Risk treatment analysis Information about the potential impact of various risk
treatment options
• Risk treatment Information about risk treatment approved by the organization,
including the person, group, or asset owner that made the risk treatment decision;
the date that the decision was made; and the person or group responsible for
carrying out the risk treatment
This summary represents details that may appear in an organization’s risk register. Each
organization’s risk management program and methods for risk treatment will govern
what additional information may be included in a risk register.
CISM Certified Information Security Manager All-in-One Exam Guide
178
Organizations that are just getting started on information risk management may opt
to use a spreadsheet program for their first risk register. This is often a recommended low-
cost strategy. As organizations mature, they may begin to realize that many aspects of their
security program record-keeping are not scaling up with them. This compels organizations
to move their risk register and other risk management records to a governance, risk, and
compliance (GRC) tool. It should be noted that those risks may also leverage the enterprise
risk team’s tools, if such a team is in place in the organization.
Risk Ownership
Depending on how the organization is structured and how the risk management strategy
has been developed, risk ownership may be assigned to one or several different managers,
spanning multiple functional areas. This is because the risk that affects one area likely
affects other areas as well, so many different people may have responsibility for affected
areas and be required to deal with and respond to risk.
Changes in Risk
As risk managers or security managers routinely monitor risks, they should inform risk
owners of any change in risk, whether the risk increases, decreases, or changes in some
other way. This will help the risk owner continue to own the risk by being fully informed
Chapter 4: Information Security Risk Response
179
and aware of the nature of the risk as it changes over time. For instance, a risk associated
with a limitation in password length and complexity in a business application may have
been accepted years ago, but with the proliferation of attacks on systems with weak pass-
words, the risk manager may rate the risk as being more likely to occur, which may push
the risk into a higher category that will compel the business to change its risk treatment
from accept to mitigate.
Changes in Personnel
PART II
Risk or security managers need to manage risk ownership actively when personnel
changes occur in an organization. When a person designated as the owner of one or more
risks leaves the organization or is transferred elsewhere, the ownership of risk should
remain with the position and be assigned to the replacement individual. If the position
is not filled, ownership should be transferred to the next higher-up in the organization.
In such circumstances, a person may not have the same view or comfort level with
the risk(s) they have inherited. Risks that a predecessor accepted in the past may seem
too high for the new risk manager, who may want to perform risk treatment again in the
hope that mitigation or transfer will be chosen.
Control Ownership
As defined in Chapter 6 and discussed throughout this book, a control is a policy, pro-
cess, procedure, or other measure that is created to ensure desired outcomes or to avoid
unwanted outcomes. Put another way, controls exist to mitigate risk. To ensure that con-
trols become and remain effective, management should formally assign the responsibility
of ownership to each control.
Control owners should be formally assigned to be accountable for the following
activities regarding their controls:
• Any documented policies, procedures, and/or standards that define the nature of
the control are periodically reviewed and updated as required.
• Any records or other artifacts created through normal control operation are correct
and complete.
• The control is operating as intended.
• All personnel related to the control understand their individual roles and
responsibilities, to ensure that the control operates as intended.
• The control is periodically reviewed to ensure that it continues to operate as intended.
• The appropriate personnel are notified when the control is known to have failed.
• As applicable, the operation of a control is monitored and measured, and
statistics, metrics, or key performance indicators (KPIs) are recorded and kept.
• The owner represents the control in discussions with internal or external auditors
or regulators and provides any requested documentation and records.
Control owners should have the authority to make decisions about the operation of their
controls to ensure that these activities and outcomes can be assured.
CISM Certified Information Security Manager All-in-One Exam Guide
180
Some controls may have multiple instantiations and, thus, multiple control owners.
For instance, a control related to system authentication may apply to numerous informa-
tion systems managed by multiple personnel. Each of those personnel may be considered
a control owner for such a control.
Management of the framework of controls, including their scope, applicability, and
ownership, generally falls upon personnel in the information security organization. Secu-
rity personnel often will create a control matrix that includes these and other characteris-
tics of each control as a way of formally tracking control information.
NOTE Risk, asset, and control owners are not always the same person, in
the same unctional area, or even in the same organization. It’s important
that you identiy these particular owners early in the assessment process
and maintain careul coordination and communication between these and
other relevant stakeholders within the boundaries o your authority and
assessment scope. Having dierent types o owners can result in politically
sensitive issues that revolve around resourcing, responsibility, accountability,
and sometimes even blame.
PART II
program provide information about vulnerabilities in the organization’s business appli-
cations. These metrics by themselves are not useful to executives. But when the metrics
are combined with business context, tactical and transactional activities can also be por-
trayed as strategic and in business terms.
Adding remediation information can transform a metric from a number of vulner-
abilities identified (which is useless to executives) into a better metric, such as the time
to remediate critical vulnerabilities. This, however, can be transformed still further into a
KRI, such as the percentage of vulnerabilities in systems supporting revenue operations
that are remediated in less than 30 days. This is a valuable risk indicator for executives,
as it will help them more easily understand how quickly IT is patching critical vulner-
abilities in key systems.
Several other KRIs can be developed in various operational areas, including the fol-
lowing:
• Lack of awareness of the risks associated with general computing and Internet use
• Lack of training and experience in the configuration and operation of systems
and applications
• Lack of training and awareness of key business processes and procedures
• Lack of information regarding workers’ responsibilities for reporting problems
and incidents
CISM Certified Information Security Manager All-in-One Exam Guide
182
A security awareness program is an essential ingredient in every organization; informa-
tion on safe computing, security policy, security procedures, and workers’ security-related
responsibilities can be imported to all workers through training programs, messaging, and
other means. Chapter 6 contains more details on establishing and managing a security
awareness program.
Risk Documentation
Any business process that warrants the time and effort to execute deserves to be docu-
mented so that it can be performed consistently and correctly. An organization’s risk
management program should be fully documented, including the following:
• Policy and objectives, such as how risk management is run in the organization
• Roles and responsibilities, such as who is responsible for various activities
• Methods and techniques, such as how probability and impact of risks are
evaluated and scored
• Locations for data storage and archives, such as where the risk register and risk
treatment records reside
• Risk tolerance, such as how acceptable and unacceptable risks are defined
• Business rules regarding what is included in the risk register and why
• Risk treatment procedures and records
• Procedures and methods for the development of metrics and key risk indicators
• Communication and escalation protocols defined
• Review cycle defined to ensure that the program is in alignment with the business
Chapter Review
An information security program comprises all the activities used to identify and treat
risks. At tactical and strategic levels, all activities in a program fulfill this purpose.
A security program is outcomes based; when a strategy is developed, the objectives of the
strategy are desired end states or outcomes. Tasks and projects carried out in the program
bring the organization closer to these desired outcomes.
Risk treatment is the activity in risk management whereby the organization chooses
how to handle an identified risk. The four risk treatment choices are accept, mitigate,
transfer, and avoid. Risk treatment decisions should be made by the affected line-of-
business owner, executive management, or security steering committee empowered by
executive management. After risk treatment, the leftover risk is known as residual risk.
Residual risk should be processed through the risk management process as though it were
a new risk.
During risk treatment, the organization needs to consider legal and regulatory issues
to ensure that risk treatment decisions and methods of risk mitigation do not themselves
create compliance risk.
Chapter 4: Information Security Risk Response
183
The costs and benefits of risk treatment should also be considered. Although, as
the adage goes, it doesn’t make sense to spend $20,000 to protect a $10,000 asset, the
value and role of an asset need to be considered. As the adage continues, it may be a
$10,000 asset, but it may also be a critical component in the earning of $1 million in
revenue every month.
Risk appetite is the level of risk that an organization is willing to accept while in
the pursuit of its mission, strategy, and objectives. Risk treatment and risk accep-
tance decisions should be assigned to and made by associated business owners and
PART II
executives who are accountable for those decisions. The chief information security
officer facilitates and communicates the information; only in specific instances will
the CISO own a risk item.
Risk monitoring is the set of ongoing activities to detect changes in risks. Typical risk
monitoring activities include risk assessments, vulnerability assessments, internal audits,
and control self-assessments.
Key risk indicators are metrics used in a risk management program to communicate
risk trends to executive management. KRIs help an organization understand key
risks in strategic business terms. The most useful KRIs are leading indicators, which
help an organization better understand the rising and lowering probabilities of
security incidents.
Like a security awareness program, training and other forms of information dissemi-
nation to affected personnel are essential for the success of a risk management program.
A risk awareness program helps the organization better understand the purpose of the
risk management program and its part in it.
Like any formal business process, a risk management program needs to be docu-
mented. Required documentation includes policy and processes, roles and responsibili-
ties, risk tolerance/appetite, and records such as the risk register.
Notes
• Risk tolerance/appetite is difficult to quantify, and few organizations have defined
it for themselves. A lack of a formal risk tolerance statement should not be an
impediment to starting or continuing a risk management program. Instead, risk
decisions should be made one at a time.
• If a decision is made to accept a risk, the risk should remain on the risk register,
and the matter should be considered again one to two years later. Risks that are
accepted should not be accepted in perpetuity, because conditions may change in
the future that could compel management to make a different decision.
• Residual risk is often swept under the rug and forgotten.
• Any risk that is not identified, documented, and treated is, by definition, accepted.
• Risk transfer is often misunderstood, primarily because accountability is not
included in the risk transfer transaction.
CISM Certified Information Security Manager All-in-One Exam Guide
184
Questions
1. A gaming software startup company does not employ penetration testing of its
software. This is an example of:
A. High tolerance of risk
B. Noncompliance
C. Irresponsibility
D. Outsourcing
2. The categories of risk treatment are:
A. Risk avoidance, risk transfer, risk mitigation, and risk acceptance
B. Risk avoidance, risk transfer, and risk mitigation
C. Risk avoidance, risk reduction, risk transfer, risk mitigation, and risk acceptance
D. Risk avoidance, risk treatment, risk mitigation, and risk acceptance
3. When would it make sense to spend $50,000 to protect an asset worth $10,000?
A. The protective measure reduces threat impact by more than 90 percent.
B. It would never make sense to spend $50,000 to protect an asset worth $10,000.
C. The asset was required for realization of $500,000 in monthly revenue.
D. The protective measure reduced threat probability by more than 90 percent.
4. A security steering committee empowered to make risk treatment decisions has
chosen to accept a specific risk. What is the best course of action?
A. Refer the risk to a qualified external security audit firm.
B. Perform additional risk analysis to identify residual risk.
C. Reopen the risk item for reconsideration after one year.
D. Mark the risk item as permanently closed.
5. The responsibilities of a control owner include all of the following except:
A. Review the control.
B. Audit the control.
C. Document the control.
D. Maintain records for the control.
6. Accountability for the outcome of accepted risk is known as:
A. Risk acceptance
B. Risk transfer
C. Risk treatment
D. Risk ownership
Chapter 4: Information Security Risk Response
185
7. A risk committee has formally decided that a specific risk is to be mitigated through
the enactment of a specific type of control. What has the committee done?
A. Risk acceptance
B. Risk treatment
C. Redefined risk tolerance
D. Redefined risk appetite
PART II
8. A risk committee has formally decided to mitigate a specific risk. Where should
this decision be documented?
A. Risk register
B. Meeting minutes
C. Risk charter
D. Key risk indicator
9. A risk manager is contemplating risk treatment options for a particularly large risk
that exceeds the organization’s stated risk tolerance. How should risk treatment
proceed?
A. The risk should be divided into smaller risks.
B. The risk manager is empowered to make the risk treatment decision.
C. The risk manager should escalate the decision to executive management.
D. The risk should be put on hold.
10. A cybersecurity leader is recording a decision to accept a particular risk. What, if
anything, should the cybersecurity leader do concerning this accepted risk?
A. Queue the accepted risk to be redeliberated in one year.
B. Consider the risk to be accepted in perpetuity.
C. Convert the accepted risk to a residual risk.
D. Perform a risk analysis to confirm risk acceptance.
11. In a risk assessment, a risk manager has identified a risk that would cause
considerable embarrassment to the organization if it were revealed to the
workforce and the public. Executives have directed the risk manager to omit the
finding from the final report. What has executive management done in this case?
A. Delayed the risk
B. Committed a crime
C. Transferred the risk
D. Ignored the risk
CISM Certified Information Security Manager All-in-One Exam Guide
186
12. A risk manager is documenting a newly identified risk in the risk register and
has identified the department head as the risk owner. The department head
has instructed the risk manager to identify one of the lower level managers
in the department as the risk manager. What has the department head done in
this situation?
A. Abdicated his risk ownership responsibility
B. Accepted the risk
C. Delegated risk ownership to the lower level manager
D. Transferred the risk
13. The leftover risk that exists after risk mitigation has been performed is known as:
A. Residual risk
B. Open risk
C. Untreated risk
D. Accepted risk
14. A recent risk assessment has identified a data loss risk associated with the use of
unapproved software. Management has directed the removal of the unapproved
software as a result of the risk assessment. What risk decision has been made in
this situation?
A. Risk mitigation
B. Risk avoidance
C. Risk abrogation
D. Risk reduction
15. When faced with a particularly high risk, executive management has decided
to outsource the business operation associated with the risk. A legal agreement
identifies that the outsourcer accepts operational risks. What becomes of the
accountability associated with the risk?
A. Accountability is transferred to the outsourcer.
B. Accountability remains with executive management.
C. Accountability is reduced by the amount of the risk.
D. Accountability is transferred to the board of directors.
Answers
1. A. A software startup in an industry like gaming is going to be highly tolerant of
risk: time to market and signing up new customers will be its primary objectives.
As the organization achieves viability, other priorities such as security will be
introduced.
Chapter 4: Information Security Risk Response
187
2. A. The four categories of risk treatment are risk avoidance (the risk-producing
activity is discontinued), risk transfer (risks are transferred to an external party
such as an insurance company or managed services provider), risk mitigation
(risks are reduced through a control or process change), and risk acceptance
(management chooses to accept the risk).
3. C. Ordinarily, it would not make sense to spend $50,000 to protect an asset
worth $10,000, but other considerations can make it a reasonable option, such
as revenue realization or reputation damage, which can be difficult to quantify.
PART II
4. C. A risk item that has been accepted should be shelved and considered after a
period of time, such as one year. This is a better option than closing the risk item
permanently; in a year’s time, changes in business conditions, security threats,
and other considerations may compel the organization to take different action
with regard to the risk.
5. B. Control owners are responsible for documenting a control, maintaining records,
and reviewing the control to ensure that it is continuing to operate properly.
Auditing of a control is performed by another internal or an external party.
6. D. In the case of an accepted risk, risk ownership is the assignment of accountability
for the specific risk.
7. B. The risk committee has formally treated the risk through its decision to
mitigate the risk.
8. A. The risk register is the best place to document a formal risk treatment decision.
It may also be appropriate to publish meeting minutes and document the decision
in a decision log if one exists.
9. C. If a particular risk exceeds an organization’s stated risk tolerance, upper
management may be required to make or approve a risk treatment decision
for that risk.
10. A. Risks that are accepted should not be accepted in perpetuity, because conditions
may change in the future that could compel management to make a different
decision.
11. D. Ignoring the risk is the best answer to this question, but it could also be said
that executive management accepted the risk. However, since the risk was not
documented, there was no formal risk acceptance.
12. C. Ownership of the risk has been delegated to another person in the department.
This is not necessarily inappropriate, because the other person may be more
directly responsible for business operations related to the risk.
13. A. Any leftover risk that remains after risk mitigation is performed is known as
residual risk. However, if the organization does not formally address residual risk,
it may be considered accepted.
CISM Certified Information Security Manager All-in-One Exam Guide
188
14. B. Risk avoidance is the decision made in this situation. Risk avoidance is defined
as a discontinuation of the activity associated with an identified risk.
15. B. When transferring risk to another business entity, accountability remains with
those originally accountable for the business function and the associated risk.
Accountability cannot be transferred to another party.
PART III
Information Security
Risk Management
Chapter 5 Inormation Security Program Development
Chapter 6 Inormation Security Program Management
This page intentionally left blank
Information Security
Program Development
CHAPTER
5
In this chapter, you will learn about
• Resources and outcomes related to inormation security programs
• Asset, system, data, acilities, and personnel classiication
• Control and security management ramework development
• Policies, standards, guidelines, procedures, and requirements
• Metrics that tell the security management and operations story
191
CISM Certified Information Security Manager All-in-One Exam Guide
192
Establishing and modernizing an organization’s cybersecurity program is one of the
most impactful activities with long-term benefits (and consequences) a security leader
will undertake. Cybersecurity program improvements are implemented as a result of a
strategic plan, discussed in Chapter 2. Cybersecurity program development consists of
creating policies, controls, standards, requirements, guidelines, and a formal structure for
security functions described in separate charters. Security leaders can choose from one of
several frameworks that describe the structure of a security program. Security leaders use
metrics to measure events and activities, enabling senior management to see the results
of their directives.
Trends
Fueled by the sharp increase in the number and impact of ransomware attacks on private
organizations and government agencies, cybersecurity is getting more attention in the
media and boardrooms than in the past. The United States and other countries have been
issuing advisories, directives, and edicts and enacting new laws and regulations requiring
greater transparency of security incidents, and many are requiring that one or more board
members have cybersecurity experience.
Further, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 expands
on Executive Order 14208 by requiring all critical infrastructure owners and operators
(whether they contract with the federal government or not) to submit reports of cyberse-
curity incidents and ransomware payments to CISA. Also, many U.S. states have passed
privacy laws, and there is a possibility of a federal law on privacy being enacted.
While more organizations recognize cybersecurity’s strategic nature and enabling
characteristics, more security leaders are considered “real” C-level executives. How-
ever, numerous organizations still consider cybersecurity as nonstrategic and tactical.
Chapter 5: Information Security Program Development
193
Security and privacy are often not a part of the initial design of new products and
services, because security is still seen not as a business enabler but as an impediment.
But cybersecurity is regarded as unimportant, until it is. Often, only a serious security
breach will change this mindset among executives.
Outcomes
The primary outcome of a security program is the realization of its strategy, goals, and
objectives, as discussed in Chapter 2. When a strategy is aligned with the business and
its risk tolerance and operations, the organization’s security program will act as a business
enabler, allowing it to consider new business ventures while being fully aware of associ-
ated risks that can be mitigated or accepted. Like the brakes on a race car that enable it
to maneuver more quickly, an effective security program helps the organization embark
on new ventures, knowing that the security program acts as the organization’s brakes that
PART III
allow it to adjust effectively to keep it on the road.
The outcomes that should be part of any information security program include
the following:
• Strategic alignment The program needs to align with and work in harmony with
the rest of the organization. This includes being aware of—and supporting—all
new business initiatives, developing risk tolerance criteria that business leaders
agree with, and working daily with business leaders to establish mutual trust. Better
security programs utilize a security council or governance committee consisting of
stakeholders from across the business; this helps ensure that information security
activities work with the business instead of against it.
• Risk management An effective security program includes an effective risk
management program that identifies risks and facilitates desired outcomes through
appropriate risk treatment.
• Value delivery An effective information security program delivers value to the
organization. This is most often achieved by aligning security activities directed
toward risk reduction in the organization’s most critical activities. Effectively and
efficiently reducing risk to an acceptable level is another key part of value delivery.
• Resource management An information security program’s primary objective
is risk management and risk reduction. This requires resources in the form of
permanent and temporary staff, external service providers, and tools. These
resources must be managed so that they are used effectively to reduce risks in
alignment with the risk management program. Additionally, efficiently using
resources will assist security managers in “rightsizing” the information security
budget and spending. This will lead to greater confidence in the business regarding
“resource requests” from the security manager.
• Performance management As a security program is developed and implemented,
key activities need to be measured to ensure that they are operating as planned.
Security metrics are used to measure and report key activities to management.
CISM Certified Information Security Manager All-in-One Exam Guide
194
• Assurance process integration An effective information security program is
aligned with other assurance processes and programs in an organization, including
human resources, finance, legal, audit, enterprise risk management, information
technology, and operations. Further, a security program should influence these
activities to protect them adequately from harm.
Charter
A charter is a formal, written definition of the objectives of a program, its main timelines,
the sources of funding, the names of its principal leaders and managers, and the business
executives sponsoring the program. In many organizations, a program charter document
is approved by the CEO or other executive leader that gives authority to the person or
group that runs the program. The charter also demonstrates the support from the execu-
tive leadership team.
An information security program charter gives authority to the security leader to
develop and/or perform several functions, including the following:
PART III
processes, personnel, and standards in each business unit.
There is no right or wrong way to define the relationship between two or more secu-
rity programs in an organization. Rather, management needs to be aware of factors that
represent similarities and differences between parts of larger organizations that will help
them define the scope to result in effective security management throughout the organi-
zation. This is sometimes easier said than done, particularly in cases where the scope of
security programs and IT departments differ.
• Foundation technologies
• TCP/IP internals
• Operating systems internals
• Middleware
• Applications and tools
• Endpoint protection
• Antimalware
• Firewalls
PART III
• Patch and configuration management
• Host-based intrusion detection systems (HIDSs)
• Mobile device management (MDM)
• Mobile application management (MAM)
• Secure access service edge (SASE)
• Network protection
• Antimalware
• Firewalls
• Patch and configuration management
• Intrusion detection systems (IDSs/NIDSs)
• Intrusion prevention systems (IPSs)
• Web content filtering
• Cloud access security brokers (CASBs)
• Spam and phishing filtering
• Remote access and virtual private networks (VPNs)
• Data protection
• Data loss prevention (DLP)
• Backup, replication, snapshots, and vaulting
• Removable storage monitoring and management
• Encryption and digital signatures
• Fingerprinting, tagging, and watermarking
CISM Certified Information Security Manager All-in-One Exam Guide
198
• Identity and access management
• Password vaults
• Privileged access gateways
• Multifactor authentication (MFA)
• Federated identity (OAuth, FIDO Alliance, and so on)
• Event management
• Centralized logging
• Security information and event management (SIEM) systems
• Threat intelligence platforms (TIPs)
• Security orchestration, automation, and response (SOAR)
• Vulnerability management
• Security scanning
• Penetration testing
• Social engineering testing
• Systems and software development
• Dynamic application security testing (DAST)
• Static application security testing (SAST)
• Penetration testing
• Code review
• Governance, risk, and compliance
• Governance, risk, and compliance (GRC) platform
• Integrated risk management (IRM) platform
The information security leader does not need to have expertise in all of these technolo-
gies. Further, some of these technologies are managed outside of information security,
such as IT or product development. That said, information security needs to employ
risk management to identify whether controls and technologies in these and other areas
adequately reduce risk and to ensure that there are staff members in the organization who
understand their architecture, implementation, and operation.
PART III
Information Asset Identification and Classification
Assets are the things of value that an organization protects in an information security
program. They consist of tangible things, including the following:
Hardware Assets
Hardware assets may include server and network hardware, user workstations, office
equipment such as printers and scanners, and Wi-Fi access points. Depending on the
scope of the risk assessment, assets in storage and replacement components may also
be included.
Accurately identifying hardware assets can be challenging, and many organizations do
a subpar job of building and maintaining inventory information. Accounting may have
asset inventory in its accounting system, but this would not account for assets not in use
or retired assets reverted to storage. Further, asset inventory in accounting often does
not cite the business applications they support. Tools used by IT for security scans or
CISM Certified Information Security Manager All-in-One Exam Guide
200
patch management are another source of inventory information, although these are often
incomplete for many reasons. Even purpose-made asset inventory systems are plagued
with inaccuracies, because maintaining the data is not always a high priority.
An organization responsible for managing information and information systems must
know what its assets are. More than that, IT needs to acquire and track several character-
istics of every asset, including the following:
• Identification This includes the make, model, serial number, asset tag number,
logical name, and other means for identifying the asset.
• Value Initially, this may signify the purchased value, but it may also include
its depreciated value if an IT asset management program is associated with the
organization’s financial asset management program.
• Location The asset’s location needs to be specified so that its existence may
be verified in a periodic inventory.
• Security classification Security management programs almost always include
a plan for classifying the sensitivity of information and/or information systems.
Example classifications include secret, restricted, confidential, and public.
• Asset group IT assets may be classified into a hierarchy of asset groups.
For example, servers in a data center that support a large application may be
assigned to an asset group known as “Application X Servers.”
• Owner This is usually the person or group responsible for the operation of
the asset.
• Custodian Occasionally, the ownership and operations of assets will be
divided into two bodies, where the owner owns them but a custodian operates
or maintains them.
Because hardware assets are installed, moved, and eventually retired, it is important
to verify the information in the asset inventory periodically by physically verifying the
existence of the physical assets. Depending upon the value and sensitivity of systems and
data, this inventory “true-up” may be performed as often as monthly or as seldom as once
per year. Discrepancies in actual inventory must be investigated to verify that assets have
not been moved without authorization or stolen.
PART III
the cloud, eliminating the need to purchase hardware. Organizations that use
infrastructure as a service (IaaS) have virtual operating systems that are another
form of information. Even though IaaS operating systems are not purchased,
but rented or leased, there is nonetheless an asset perspective: they take time to
build and configure and therefore have a replacement cost. The value of assets is
discussed more fully later in this section.
Virtual Assets
Virtualization technology, which enables an organization to employ multiple, separate
operating systems to run on one server, is a popular practice for organizations, whether
it’s used on hardware servers located in their data centers or in hosting facilities. Organi-
zations that use IaaS are also employing virtualization technology.
IaaS and virtualization make it far easier to create and manage server assets, but main-
taining an accurate inventory of virtual server assets is even more challenging than it is for
CISM Certified Information Security Manager All-in-One Exam Guide
202
physical assets, and more discipline is required to track and manage virtual server assets
properly. Unlike physical servers, which require that different stakeholders initiate and
approve a purchase, virtual servers can be created at the click of a button, with or without
additional cost to the organization and often without approval. The term virtual sprawl,
or virtualization sprawl, reflects this tendency.
The creation/use of virtual servers and other virtual machines is not limited to manual
techniques. Virtual machines can also be created through automatic means. A typical
example of this is through a cloud services feature known as elasticity. Additional virtual
machines can be automatically created and started during heavy workloads when more
servers are needed.
Containerization is another form of virtualization where multiple software instantia-
tions execute on a running operating system. The existence of these running instances
may be a part of virtual asset inventory.
Software-defined networking (SDN), the class of technologies that facilitate the
creation and management of virtual network devices, poses the same challenge to organi-
zations. Additional devices can be created at will or by automatic means. Managing them
requires more discipline and potentially greater effort.
Asset Classification
In asset classification, an organization assigns an asset to a category representing usage or
risk. In an information security program, the purpose of asset classification is to deter-
mine, for each asset, its level of criticality to the organization.
Criticality can be related to information sensitivity. For instance, a customer infor-
mation database that includes contact and payment information would be considered
highly sensitive and could significantly impact present and future business operations in
the event of compromise.
Criticality can also be related to operational dependency. For example, a database
of virtual server images may be considered highly critical. If an organization’s server
images were to be compromised or lost, this could adversely affect its ability to continue
its operations.
These and other criticality measures form the basis for information protection, system
redundancy and resilience, business continuity planning, disaster recovery planning, and
access management. Scarce resources in the form of information protection and resilience
need to be allocated to the assets that require it the most, because it doesn’t usually make
sense to protect all assets to the same degree; instead, more valuable and critical assets
should be more fully protected than those deemed less valuable and critical. To illustrate
this point, the late McGeorge Bundy, former U.S. National Security Advisor, is known
to have said, “If we guard our toothbrushes and diamonds with equal zeal, we will lose
fewer toothbrushes and more diamonds.”
The best approach to asset classification in most organizations is to identify and
classify information assets first, followed by system classification. One area often over-
looked or not addressed to a satisfactory level is dealing with unstructured data and data
that resides outside of the organization’s approved systems.
Chapter 5: Information Security Program Development
203
Information Classification
Information classification is a process whereby different sets and collections of data in an
organization are analyzed for various types of value, criticality, integrity, and sensitivity.
There are different ways to understand these characteristics. These are some examples:
PART III
may significantly impact ongoing business operations.
• Accuracy or integrity Information in this category is required to be highly
accurate. If altered, the organization could suffer significant financial or
reputational harm. Examples include exchange rate tables, product or service
inventory data, machine calibration data, and price lists. Corruption or loss of
this type of information impacts business operations by causing incomplete or
erroneous transactions.
• Sensitivity Information of a sensitive nature is commonly associated with
individual citizens, including personal contact information, personal financial
data such as credit card and bank account numbers, and medical records.
• Reputational value Another dimension of classification, denoting the potential
loss of reputation should certain sensitive or critical information be lost or
compromised. Information such as customers’ personal information fits here.
Most organizations store information that falls into all of these categories, with degrees
of importance within them. Though this may result in a complex matrix of informa-
tion types and degrees of importance or value, the most successful organizations will
build a fairly simple information classification scheme. For instance, an organization may
develop four levels of information classification, such as the following:
• Secret
• Restricted
• Confidential
• Public
These levels of information, examples of the types of levels that fall into each category,
and instructions on handling information at each level form the heart of a typical infor-
mation classification program.
Most organizations depend on their personnel to understand the information classification
program, including correctly classifying information and handling it properly. This is why
better information classification programs have only three or four classification levels. It may
CISM Certified Information Security Manager All-in-One Exam Guide
204
be more desirable to have more classification levels, but this often results in confusion and
misclassification or mishandling of sensitive and critical data.
Drilling into further detail, following are some examples of information at each of
these levels of classification:
• Secret Merger and acquisition plans, user and system account passwords, and
encryption keys
• Restricted Credit card numbers, bank account numbers, Social Security
numbers, detailed financial records, detailed system configuration, and vulnerability
scan reports
• Confidential System documentation, end-user documentation, internal memos,
and network diagrams
• Public Marketing collateral, published financial reports, and press releases
The next step in information classification is the development of handling procedures
that instruct users in the proper acquisition, storage, transmission, and destruction of
information at every classification level. Table 5-1 shows a sample information-handling
procedure matrix.
The classification and handling guidelines shown here illustrate the differences in
various forms of information handling for different classification levels. The contents of
Table 5-1 can serve as a starting point for a data classification and handling procedure.
Organizations that develop and implement information classification programs find
that personnel will often misclassify information, either because they do not understand
the nature of the sensitivity of a particular set of data or because they may believe that
at a higher classification level they cannot store or transmit the information in a way
they think is needed. This is a classic case of people taking shortcuts in the name of
expediency, mainly when they are not aware of the possible harm that may befall the
organization as a result.
205
PART III
CISM Certified Information Security Manager All-in-One Exam Guide
206
System Classification
Once an organization is satisfied that its information classification is in order, it can
embark on system classification. Like various information assets, information systems
can also be classified according to various security and operational criteria. The purpose
for system classification is similar to the purpose for information criteria: to identify and
categorize system assets according to the classification of information stored, processed,
or transmitted by them, so that an appropriate level of protection can be determined and
implemented.
Once a system is classified according to the highest classification level of information
stored, processed, or transmitted through it, the measures used to protect the informa-
tion system may well play a role in protecting the information—or, in some cases, it will
protect only the system. Both means are utilized, and both are essential.
A typical approach to system classification and protection is this: for each level of clas-
sification and each type of system, a system-hardening standard is developed that speci-
fies the features and configuration settings to be applied to the system. These settings
help make the system resistant to attack, and in some cases, the settings will help protect
the information being stored, processed, or transmitted by the systems.
Some examples will help illustrate these points:
This final example helps to introduce the concept of zones of protection. In the archi-
tecture of typical information-processing environments, information systems directly store,
process, and transmit information at various classification levels, and the systems them-
selves are classified accordingly. The other servers and assets in the same environment that
access these servers or are accessed by them typically need to be classified at the same level.
Chapter 5: Information Security Program Development
207
Figure 5-1
Example network Internet
segmentation
scheme
Firewall
DMZ
PART III
Dev Lab
If one of these support servers were compromised by an attacker, the attacker would have
direct, and perhaps unrestricted, access to one of the assets that stores, processes, or trans-
mits sensitive or valuable data.
In a large, flat network, this logic could result in an organization classifying many or
all of its systems at the same level as the highest classified system. This could require an
organization to implement costly and complex protective and administrative measures
for large numbers of systems. For this and other reasons, organizations often employ
network segmentation, which divides a large, flat network into multiple zones, with fire-
walls and other protective measures implemented at the boundaries between these zones.
Figure 5-1 depicts a typical network segmentation scheme.
Facilities Classification
Data, asset, and systems classification can often be extended to facilities classification
in larger organizations. Facilities classification is a method for assigning classification or
risk levels to work centers and processing centers, based on their operational criticality
or other risk factors. Facilities classification aims to develop more consistent security
controls for facilities with similar risk levels. For instance, a processing center may have
extensive video surveillance and layers of multifactor physical access controls, whereas
a sales office may have minimal (if any) video surveillance and simpler access controls.
Personnel Classification
In some organizations, additional requirements are imposed on persons who have access
to particularly sensitive information. Whether this information consists of trade secrets,
government secrets, or other information, organizations may be required to meet specific
requirements such as more thorough or frequent background investigations.
CISM Certified Information Security Manager All-in-One Exam Guide
208
Because of the higher cost of these investigations (to continue this example), it makes
more sense to establish a classification scheme for personnel in the organization. For
instance, the usual classification for personnel requires a standard background investiga-
tion at the time of hire. A higher classification, required for access to specific information,
may require a more rigorous background investigation at the time of hire. The highest
classification may require this rigorous background investigation to be performed annu-
ally. Organizations in a situation like this may want to classify their employees to keep
track of the requirements for initial and ongoing background investigations to ensure
compliance with whatever applicable laws, regulations, or contracts require them.
Organizations with no legally imposed requirements for personnel classification may
still have good reasons to do so. Such circumstances may include the following:
PART III
without the “noise” of comingled lower valued assets.
Control Frameworks
Although every organization may have its unique missions, objectives, business mod-
els, risk tolerance, and so on, organizations need not invent governance frameworks
from scratch to manage their particular IT objectives. In strategy development, some
organizations may already have a suitable control framework in place, while others may
not. It is not always necessary for an organization to select an industry-standard control
Chapter 5: Information Security Program Development
211
framework, but it is advantageous to do so. These frameworks have been used in thou-
sands of companies, and they are regularly updated to reflect changing business practices,
emerging threats, and new technologies.
It is often considered a mistake to select or refuse a control framework because of the
presence or absence of a small number of specific controls. Usually, a selection is made
assuming that control frameworks are rigid and inflexible. Instead, the strategist should
select a control framework based on industry alignment and then institute a process for
developing additional controls based on the results of risk assessments. Indeed, this is
exactly the approach described in ISO/IEC 27001 and NIST CSF: start with a well-
known control framework and then create additional controls, if needed, to address risks
specific to the organization.
When assessing the use of a specific framework, the strategist may find that a specific
control area is not applicable. In such a case, rather than ignoring the section, the strategist
should document the business and technical reasons why the organization chose not to
PART III
use the control area. This will assist if a question is raised in the future as to why the
decision was made not to implement the control area. The date and those involved in the
decision should also be documented.
Several standard control frameworks are discussed in the remainder of this section:
• COBIT
• IT Infrastructure Library (ITIL) / ISO/IEC 20000
• ISO/IEC 27002
• HIPAA
• NIST SP 800-53
• NIST SP 800-171
• NIST CSF
• CIS CSC
• PCI DSS
COBIT
Developed in 1996, Control Objectives for Information and Related Technologies (now
known as COBIT) is an IT management framework developed by the IT Governance
Institute and ISACA. COBIT has four domains: Plan and Organize, Acquire and Imple-
ment, Deliver and Support, and Monitor and Evaluate. As of this writing, COBIT 2019
is the latest version.
COBIT is not primarily a security control framework but an IT process framework that
includes security processes interspersed throughout the framework. COBIT contains 37
processes. The security- and risk-related processes are as follows:
PART III
standard ISO/IEC 27001, discussed in Chapter 2.
ITIL is available from www.axelos.com/best-practice-solutions/itil (registration and
payment required).
ISO/IEC 27002
ISO/IEC 27002, “Information technology — Security techniques — Code of practice
for information security controls,” is an international standard controls framework. The
controls in ISO/IEC 27002 are fully explained, including implementation guidance.
These controls are listed in the appendix of ISO/IEC 27001 but lack any explanation
or background.
ISO/IEC 27002 is available from www.iso.org/standard/54533.html (registration and
payment required).
HIPAA
The U.S. Health Insurance Portability and Accountability Act established requirements
for protecting electronic protected health information (ePHI). These requirements apply
to virtually every corporate or government entity (known as a covered entity) that stores
or processes ePHI. HIPAA requirements fall into three main categories:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
Several controls reside within each of these three categories. Each control is labeled as
Required or Addressable. Every covered entity must implement controls that are labeled
as Required. Controls labeled as Addressable are considered optional in each covered
CISM Certified Information Security Manager All-in-One Exam Guide
214
entity, meaning the organization does not have to implement an Addressable control if it
does not apply or if there is negligible risk if the control is not implemented.
A copy of HIPAA is available to view from www.gpo.gov/fdsys/pkg/CRPT-
104hrpt736/pdf/CRPT-104hrpt736.pdf.
NIST SP 800-53
Developed by the U.S. National Institute for Standards and Technology, NIST Special
Publication (SP) 800-53, “Security and Privacy Controls for Federal Information Systems
and Organizations,” is one of the most well-known and adopted security control frame-
works. NIST SP 800-53 is required for all U.S. government information systems and all
information systems in private industry that store or process information on behalf of
the federal government.
NIST SP 800-53 controls are organized into 18 categories:
• Access control
• Awareness and training
• Audit and accountability
• Security assessment and authorization
• Configuration management
• Contingency planning
• Identification and authentication
• Incident response
• Maintenance
• Media protection
• Physical and environmental protection
• Planning
• Personnel security
• Risk assessment
• System and services acquisition
• System and communications protection
• System and information integrity
• Program management
Even though the NIST 800-53 control framework is required for federal information
systems, many organizations that are not required to employ the framework have used it,
primarily because it is a high-quality control framework with in-depth implementation
guidance and also because it is available without cost.
NIST SP 800-53 is available from csrc.nist.gov/publications/detail/sp/800-53/
rev-5/final.
Chapter 5: Information Security Program Development
215
NIST SP 800-171
NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Sys-
tems and Organizations,” is a framework of requirements for the protection of controlled
unclassified information (CUI). This framework is required for all information systems
in private industry that store or process CUI on behalf of any federal government agency.
NIST SP 800-171 is organized into 13 categories:
• Access control
• Awareness and training
• Audit and accountability
• Configuration management
• Identification and authentication
PART III
• Incident response
• Maintenance
• Media protection
• Personnel security
• Physical protection
• Risk assessment
• Security assessment
• System and communications protection
The Cybersecurity Maturity Model Certification (CMMC) is a framework of
assessments and assessor certifications used to enforce compliance to NIST SP 800-171
by contractors providing services to the U.S. defense industrial base. More informa-
tion about CMMC is available from www.acq.osd.mil/cmmc/. More information about
CMMC assessments and assessors is available at https://cyberab.org/.
PCI DSS
The Payment Card Industry Data Security Standard is a control framework specifically
for protecting credit card numbers and related information when stored, processed, and
transmitted on an organization’s networks. The PCI DSS was developed in 2004 by the
PART III
PCI Standards Council, a consortium of the world’s dominant credit card brands—
namely, Visa, MasterCard, American Express, Discover, and JCB.
The PCI DSS has 12 control objectives:
• All hardware and software components fulfill a stated specific business purpose.
• All components work well together.
• There is overall structure and consistency in infrastructure throughout
the organization.
• Infrastructure resources are used efficiently.
• Infrastructure is scalable and flexible.
PART III
• Existing elements can be upgraded as needed.
• Additional elements can be added as needed.
Information security architecture exists in two main layers in an organization:
Policy Development
Security policy development is foundational of any organization’s information security
program. Information security policy defines the principles and required actions for the
organization to protect its assets and personnel properly.
The audience for security policy is the organization’s personnel—not only its
full-time and part-time employees, but also its temporary workers, including con-
tractors and consultants. Security policy must be easily accessible by all personnel so
that they can never offer ignorance as an excuse for violating policy. To this point,
many organizations require all personnel to acknowledge the existence of, and their
understanding of, the organization’s security policy at the time of hire and periodically
(usually annually) thereafter.
Chapter 5: Information Security Program Development
221
Considerations
Security policy cannot be developed in a vacuum. Instead, it needs to align with some
internal and external factors. The development of policy needs to incorporate several
considerations, including the following:
PART III
a control for every policy or a policy for every control, but policies and controls must not
contradict each other. For example, suppose a control states that no personally owned
mobile devices may connect to internal networks. In that case, the policy cannot state
that those devices may be used, provided no corporate information is stored on them.
It also makes sense for the structure of policies and controls to resemble one another.
This alignment makes it easier for personnel to become familiar with the structure and
content of policies and controls.
Standards
It is said that policy states what to do, whereas standards describe how to do it or what to
PART III
do it with. Like policies, standards should be written down, periodically examined and
updated, approved by management, and published so all personnel can find them.
The topic of standards development is discussed in greater detail in Chapter 2.
Guidelines
Guidelines are nonbinding statements or narratives that provide additional direction to
personnel regarding compliance with security policies, standards, and controls. Infor-
mation security departments often develop guidelines when they receive numerous
inquiries for help understanding certain policies or have trouble understanding how to
implement them.
Guidelines can be written as separate documents resembling whitepapers or how-to
guides, or they may be interspersed within policy or control documents. ISO/IEC 27002
is an excellent example of guidance included with each control in individual sections
entitled “guidance.”
Requirements
Requirements are formal statements that describe the characteristics of a system that is
to be changed, developed, or acquired. Requirements should flow from, and align with,
the structure and content of policies and standards. Because of their use in systems and
services development and acquisition, requirements should be published in a format that
can be easily extracted for use in specific projects.
Organizations should have a standard set of general requirements that apply to all
technologies and environments. Then, additional specific requirements should be devel-
oped that focus on each specific project or initiative.
Requirements must be specific and verifiable. Any ambiguities should be resolved, so
that all parties involved have a clear understanding of each requirement. Further, require-
ments should become the basis for a test plan, a step-by-step procedure for verifying that
a system, service, or process complies with all applicable requirements.
CISM Certified Information Security Manager All-in-One Exam Guide
224
It is unlikely that all requirements will be satisfied in large, complex projects. Thus,
project managers and subject matter experts should prioritize requirements to distinguish
those considered “must-have” versus those that are “nice to have.” Further, each bespoke
requirement that is not a part of the organization’s standard requirements should be
traceable to the person or group that requested it be included. If there are questions later
in the project about a specific requirement, the project team can easily know who wrote
and included the requirement. Those individuals can answer any questions about the
requirement to help others better understand it.
Some organizations distinguish functional requirements from nonfunctional require-
ments. Functional requirements describe the required actions and functions of a system.
Example functional requirements include the following:
• In the password reset function, the system must provide visual information
indicating the strength of the proposed new password.
• After five minutes of inactivity, the system must invoke an automatic lock and
require the user to reauthenticate to continue work.
On the other hand, a nonfunctional requirement describes the required characteristics
of a system, service, or process in terms of its components, structure, or architecture.
Example nonfunctional requirements include the following:
• The system must not contain comments, symbol tables, or other human-readable
information in its machine-readable state.
• The system must use Microsoft SQL Server as its relational database management
system.
Functional and nonfunctional requirements can further be distinguished in this way:
nonfunctional requirements define what a system is supposed to be, whereas functional
requirements define what a system is supposed to do. Arguably, some functional versus
nonfunctional requirements may be more difficult to distinguish; for instance, requiring
that a system include a specific encryption algorithm could be considered a nonfunctional
requirement, whereas requiring a system to encrypt data using a specific algorithm could
be considered a functional requirement. It matters little whether such requirements are
called functional or nonfunctional, however; rather, requirements should be consistent in
language and tone to ensure that working with them is not a difficulty in itself.
PART III
Security metrics are often used to observe technical IT security controls and pro-
cesses and determine whether they are operating properly. This helps management better
understand the impact of past decisions and can help drive future decisions. Examples of
technical metrics include the following:
Effective Metrics
For metrics to be effective, they need to be measurable. A common way to ensure the
quality and effectiveness of a metric is to use the SMART method. A SMART metric is
• Specific
• Measurable
• Attainable
• Relevant
• Timely
Additional considerations for good metrics, according to Risk Metrics That Influence
Business Decisions by Paul Proctor (Gartner, Inc., 2016), include the following:
• Leading indicator Does the metric help management predict future risk?
• Causal relationship Does the metric have a defensible causal relationship to a
business impact, where a change in the metric compels someone to act?
• Influence Has the metric influenced decision-making (or will it)?
You can find more information about the development of metrics in NIST SP 800-55
Revision 1, “Performance Measurement Guide for Information Security,” available from
https://csrc.nist.gov/publications/detail/sp/800-55/rev-1/final.
Strategic Alignment
For a security program to be successful, it must align with the organization’s mission,
strategy, goals, and objectives. A security program strategy and objectives should contain
statements that can be translated into key measurements—the program’s key perfor-
mance and risk metrics.
Consider an example. The fictitious organization CareerSearchCo, which is in the
online career search and recruiting business, has the following as its mission statement:
Be the best marketplace for job seekers and recruiters
Chapter 5: Information Security Program Development
227
Here are its most recent strategic objectives:
Integrate with leading business social network LinkedIn
Develop an API to facilitate long-term transformation into a leading career and
recruiting platform
To meet these objectives, CareerSearchCo has developed a security strategy that
includes the following:
Ensure Internet-facing applications are secure through developer training and
application vulnerability testing
Security and metrics would then include these:
Percentage of software developers not yet trained
PART III
Number of critical vulnerabilities identified
Time to remediate critical and high vulnerabilities
Based on these criteria, these metrics are all measurable, all align with the security
strategy, and are all leading indicators. If the metrics trend in an unfavorable direction, this
could indicate that a breach is more likely to occur that would damage CareerSearchCo’s
reputation and ability to earn new business contracts from large corporations.
Types of Metrics
Many activities and events in an information security program and its controls can
be measured. These measurements can be depicted in various ways, depending upon
the story being told. When building and improving an information security program,
security managers need to understand that no single metrics framework will meet every
identified goal.
Compliance
Compliance metrics are measures of key controls related to requirements in regulations,
legal contracts, or internal objectives. Compliance metrics depict the level of confor-
mance to these requirements. Organizations need to understand the business context
of compliance metrics, including the consequences of noncompliance. Security manag-
ers need to consider the tolerance for noncompliance with each metric, including the
organization’s willingness and ability to initiate corrective action when noncompliant
activities occur.
Convergence
Larger organizations with multiple business units, geographic locations, or security
functions (which can often result from mergers and acquisitions) may experience issues
related to overlapping or underlapping coverage or activities. For instance, an organiza-
tion that recently acquired another company may have some duplication of effort in the
asset management and risk management functions. In another example, local security
CISM Certified Information Security Manager All-in-One Exam Guide
228
personnel in a large, distributed organization may be performing security functions that
are also being performed on their behalf by other personnel at headquarters.
Metrics in the convergence category will be highly individualized, based on specific
circumstances in an organization. Some of the categories of metrics include the following:
Value Delivery
Metrics on value delivery focus on the long-term reduction in costs, in proportion to
other measures. Examples of value delivery metrics include the following:
Resource Management
Resource management metrics are similar to value delivery metrics; both convey an
efficient use of resources in an organization’s information security program. But because
the emphasis here is program efficiency, these are areas where resource management
metrics may be developed:
Organizational Awareness
Organizational awareness metrics help management understand the number of workers
who understand security policies and requirements. Typical metrics in organizational
awareness include the following:
Operational Productivity
Operational productivity metrics show how efficiently internal staff is used to perform
essential functions. Productivity metrics can help build business cases for the automation
of routine tasks. Example productivity metrics include the following:
PART III
Organizational Support
Organizational support metrics show the degree of support for organizational objectives.
Arguably, this is a subjective metric, because it can be difficult to produce meaningful
measurements. Though it is possible to show the achievement of key objectives, measur-
ing the degree of support that led to their achievement may be difficult: Was an achieve-
ment the result of a determined few or the whole organization?
Often, organizational support metrics take the form of project and program dash-
boards for projects and programs that support the achievement of organizational objec-
tives. However, failure to complete a project on time is not necessarily an indication
of support or the lack thereof but may reflect unanticipated obstacles or changes in
project scope.
Risk Management
Effective risk management is the culmination of the highest-order activities in an infor-
mation security program; these include risk analyses, a risk ledger, formal risk treatment,
and adjustments to the suite of security controls.
While it is difficult to measure the success of a risk management program effectively
and objectively, it is possible to take indirect measurements—much like measuring the
shadow of a tree to gauge its height. Thus, the best indicators of a successful risk manage-
ment program would be improving trends in metrics involved with the following:
Operational Performance
Operational performance metrics generally show how well personnel are performing
critical security functions. Processes measured by these metrics need to have sufficiently
detailed business records so that metrics can be objectively measured. These are some
examples of operational performance metrics:
• Elapsed time between the onset of a security incident and incident declaration
• Elapsed time between the declaration of an incident and its containment
• Elapsed time between publication of a critical vulnerability and its discovery in
the organization’s systems
• Percentage of critical systems not patched with critical patches within the service
level agreement (SLA)
• Number of changes made without change control board approval
• Amount of unscheduled downtime of critical systems for security-related reasons
Audiences
PART III
As mentioned, when building or improving a metrics program, security managers need
to consider the purpose of any particular metric and the audience to whom it is sent.
A common mistake made by security managers is the publication of metrics to various
audiences without first understanding whether any individual metric will have mean-
ing to any particular audience. For example, a metric showing the number of packets
dropped by a firewall will probably have no meaning to a member of the organization’s
board of directors—nor would a trend of this metric have any meaning. Security manag-
ers need to determine what metrics are important for various audiences and purposes and
then proceed to develop those metrics.
Some metrics will have only operational value, while others can be successfully trans-
formed into a management or strategic metric when portrayed in context. For example,
a metric on the number of malware attacks has no business context; however, a metric
showing successful malware attacks that result in business disruptions have far more
meaning to management. A metric on patch management SLAs by itself has no busi-
ness context, but if that were transformed into a metric showing that critical systems not
patched within SLAs resulted in higher than desired business risk, the metric would have
meaning to executive audiences.
Although there may be value in automated systems that keep records that can be
examined or measured later, there is often little point in developing metrics with no audi-
ence in mind. Such a pursuit would merely take time away from more valuable activities.
• Financial Key financial items measured include the cost of strategic initiatives,
support costs of key applications, and capital investment.
• Customer Key measurements include the satisfaction rate with various customer-
facing aspects of the organization.
Chapter 5: Information Security Program Development
233
Internal Innovation and
Financial Customer Processes Learning
Awareness Lower cost o Increase Improve Improve
and Education incidents conidence processes awareness
Access Control Control access Provide access Ensure proper Improve
access communication
Vulnerability Reduce Protect against Manage risks Learn rom
Management vulnerabilities vulnerabilities incidents
Business Ensure Provide core Test continuity Ensure
Continuity continuity services awareness
Compliance Comply with Ensure Ensure Review
regulations compliance compliance compliance
Program Ensure eiciency Include Reduce reactive Continue
PART III
Management customer input processes improvement
Table 5-2 Security Balanced Scorecard Domains
Chapter Review
An information security program is a collection of activities used to identify, communicate,
and address risks. The security program consists of controls, processes, and practices to
increase the resilience of the computing environment and ensure that risks are known and
handled effectively.
A charter is a formal, written definition of the objectives of a program, its main time-
lines, the sources of funding, the names of its principal leaders and managers, and the
business executives sponsoring the program.
CISM Certified Information Security Manager All-in-One Exam Guide
234
Information security programs include numerous business processes to fulfill the over-
all mission of information and information systems protection. These processes fall into
three major categories: risk and compliance, architecture, and operations.
Modern information security includes essential business processes such as risk and
policy management, but overall it is also heavily involved in IT. After all, information
security’s mission is the protection of all things IT. To scale with the power and speed of
IT, information security has its own portfolio of protective and detective technologies.
Assets are the things of value that an organization protects in an information security
program. In a typical organization, assets will consist of information and the information
systems that support and protect those information assets.
Asset classification is an activity whereby an organization assigns an asset to a cate-
gory representing usage or risk. In an information security program, the purpose of asset
classification is to determine, for each asset, its level of criticality to the organization.
Information classification is a process whereby different sets and collections of data in
an organization are analyzed for various types of value, criticality, integrity, and sensitivity.
Most organizations store information that falls into all of these categories, with degrees of
importance within them. These levels of information, together with examples of the types
of levels that fall into each category and with instructions on handling information at each
level, form the heart of a typical information classification program.
Once an organization is satisfied that its information classification is in order, it can
embark on system classification. Like various types of information assets, information
systems also can be classified according to various security and operational criteria.
In some organizations, additional requirements are imposed on persons who have
access to particularly sensitive information. Whether this information consists of trade
secrets, government secrets, or other information, organizations may be required to meet
specific requirements such as more thorough or frequent background investigations.
A key part of a risk assessment is identifying the value of an asset. Because risk analysis
is often qualitative, establishing asset valuation in qualitative terms is common. Instead
of assigning a dollar (or other currency) value to an asset, the value of an asset can be
assigned to a low-medium-high scale or a numeric scale such as 1 to 5 or 1 to 10.
Many organizations opt to surpass qualitative asset valuation and assign a dollar
(or other currency) valuation to their assets. This is common in larger or more mature
organizations that want to better understand the actual costs associated with loss events.
There are several types of frameworks in information security, and sometimes they
are confused with one another. The types include control frameworks, risk management
frameworks, architecture frameworks, and security program management frameworks.
Standard control frameworks include COBIT 2019, ISO/IEC 20000, ISO/IEC
27002, HIPAA, NIST SP 800-53, NIST SP 800-171, NIST CSF, CIS CSC, ETSI TR
103 305-1, and PCI DSS.
Information security management frameworks are business process models that
include essential processes and activities needed by most organizations. These frameworks
are risk-centric because the identification of risk is a key driver for activities in other parts
of the framework to reduce risk to acceptable levels. These frameworks include ISO/IEC
27005, ISO/IEC 31000, COBIT 2019, NIST SP 800-37, and NIST CSF.
Chapter 5: Information Security Program Development
235
Enterprise architecture (EA) is a business function and a technical model. In terms of
a business function, establishing an EA consists of activities that ensure that IT systems
meet important business needs.
Information security architecture can be thought of as a subset or special topic within
EA that is concerned with the protective characteristics found in many components in
an overall EA and specific components in an EA that provide preventive or detective
security functions.
Information security policies, standards, guidelines, and procedures are the written
artifacts that define the business and technical rules for information and information
systems protection.
Security policy development is foundational to any organization’s information secu-
rity program. Information security policy defines the principles and required actions for
the organization to protect its assets and personnel properly.
Guidelines are nonbinding statements or narratives that provide additional direc-
PART III
tion to personnel regarding compliance with security policies, standards, and controls.
Information security departments often develop guidelines when they receive numerous
inquiries for help understanding certain policies or have trouble understanding how to
implement them.
Requirements are formal statements describing the characteristics of a system to be
changed, developed, or acquired. Requirements should flow from, and align with, the
structure and content of policies and standards. Because of their use in systems and
services development and acquisition, requirements should be published in a format
that can be easily extracted for use in specific projects.
Processes and procedures are the detailed, sequenced instructions to complete routine
tasks. A process is a collection of one or more procedures that together fulfill a higher
purpose, while a procedure is a written set of instructions for a single task.
A metric is a measurement of a periodic or ongoing activity that intends to help the
organization understand the activity within the context of overall business operations.
Metrics are the means through which management can measure key processes and know
whether their strategies are working.
A formal metrics program provides qualitative and quantitative data on the effective-
ness of many elements of an organization’s security program and operations. Metrics can
be developed via the SMART method: specific, measurable, attainable, relevant, and
timely. Metrics must align with the organization’s mission, strategy, and objectives. Some
metrics can be used to report on results in the recent past, but some metrics should serve
as leading indicators or drive a call to action by the leadership team.
A common shortcoming of a metrics program is its failure to provide relevant met-
rics for various audiences. For instance, reporting the number of packets dropped by
a firewall or the number of viruses detected by antivirus to the board of directors
provides little or no value for that audience. As an organization develops its metrics
program, it must take care to develop metrics that matter for each audience. A secu-
rity balanced scorecard can also depict the high-level effectiveness of an organization’s
security program.
CISM Certified Information Security Manager All-in-One Exam Guide
236
Notes
• Whether or not it carries authority in an organization, a charter’s usefulness is
derived from its descriptions of an organization’s vision, objectives, roles and
responsibilities, and processes and procedures. A charter can help personnel
come to a common understanding of security programs and other programs.
• The three lines of defense model, used often in banking, is a good model for
formally separating and defining roles related to control development, operation,
and assurance. A similar model can be used for policy development.
• Asset identification is a cornerstone of any risk management and security
management program, yet most organizations do a poor job of it. Asset
identification is the first control in the Center for Internet Security Critical
Security Controls (CIS CSC), and there is a reason for that.
• Qualitative asset valuation is sufficient for qualitative risk assessments. But when
it’s necessary to calculate figures such as exposure factor or annual loss expectancy,
security managers will need to obtain a quantitative valuation for relevant assets.
However, precision is challenging because it is difficult to know the probability of
threat events.
• Asset inventory is increasingly difficult to manage successfully because of
virtualization and the wide use of cloud-based services.
• Enacting a data classification scheme is easy, but implementing the program is
difficult. Data classification should be extended to include system classification
(the classification of a system should be the same as the highest classified data
stored or processed on the system), asset classification, and even facilities
(work center) classification.
• Many organizations ruminate over the selection of a control framework. Instead,
the organization should select a framework and then adjust its controls to suit
the organization.
• A control framework should generally be considered a starting point, not a rigid
and unchanging set of controls—except in cases where regulations stipulate that
controls may not be changed.
• At present, because there are no well-known frameworks for information security
metrics, it is up to every organization to develop meaningful and applicable metrics
for various audiences interested in receiving them.
• The methodology for calculating return on security investment is widely discussed
but not widely practiced, mainly because it is difficult to calculate the benefit of
security controls designed to detect or prevent infrequent incidents.
Chapter 5: Information Security Program Development
237
Questions
1. An organization’s board of directors wants to see quarterly metrics on risk reduction.
What would be the best metric to present to the board?
A. Number of firewall rules triggered
B. Viruses blocked by antivirus programs
C. Packets dropped by the firewall
D. Time to patch vulnerabilities on critical servers
2. Which of the following metrics is the best example of a leading indicator?
A. Average time to mitigate security incidents
B. Increase in the number of attacks blocked by the intrusion prevention system
PART III
C. Increase in the number of attacks blocked by the firewall
D. Percentage of critical servers being patched within service level agreements
3. The primary factor related to the selection of a control framework is:
A. Industry vertical
B. Current process maturity level
C. Size of the organization
D. Compliance level
4. The purpose of a balanced scorecard is to:
A. Measure the efficiency of a security organization
B. Evaluate the performance of individual employees
C. Benchmark a process in the organization against peer organizations
D. Measure organizational performance and effectiveness against strategic goals
5. In an organization using PCI DSS as its control framework, the conclusion of a
recent risk assessment stipulates that additional controls not present in PCI DSS
but present in ISO 27001 should be enacted. What is the best course of action in
this situation?
A. Adopt ISO 27001 as the new control framework.
B. Retain PCI DSS as the control framework and update process documentation.
C. Add the required controls to the existing control framework.
D. Adopt NIST 800-53 as the new control framework.
6. A security manager has developed a scheme that prescribes required methods to
protect information at rest, in motion, and in transit. This is known as a(n):
A. Data classification policy
B. Asset classification policy
C. Data loss prevention plan
D. Asset loss prevention plan
CISM Certified Information Security Manager All-in-One Exam Guide
238
7. A security leader has developed a document that describes a program’s mission,
vision, roles and responsibilities, and processes. This is known as a:
A. Policy
B. Charter
C. Standard
D. Control
8. Management in an organization has developed and published a policy that directs
the workforce to follow specific steps to protect various types of information.
This is known as a:
A. Privacy policy
B. Data dictionary
C. Data classification policy
D. Data governance policy
9. The security leader in an organization is developing a first-ever data classification
policy. What is the best first step in this endeavor?
A. Develop the classification levels.
B. Perform a data inventory.
C. Interview end users.
D. Develop the handling procedures.
10. A security leader wants to develop a scheme whereby the most important assets
are protected more rigorously than those deemed less important. What is the best
first step in this endeavor?
A. Map classified data to systems.
B. Establish a systems inventory.
C. Interview end users.
D. Develop the protection guidelines.
11. A retail organization’s security leader wants to develop an ISMS. Which standard
is the best resource for the leader to use?
A. ISO/IEC 27001
B. ISO/IEC 27002
C. NIST SP 800-53
D. PCI DSS
12. An IT worker is reading a security-related document that provides suggestions
regarding compliance with a particular policy. What kind of a document is the
IT worker reading?
A. Procedure
B. Policy
Chapter 5: Information Security Program Development
239
C. Standard
D. Guideline
13. An IT worker is reading a security-related document that stipulates which
algorithms are to be used to encrypt data at rest. What kind of a document is
the IT worker reading?
A. Procedure
B. Requirements
C. Standard
D. Guideline
14. An IT worker is reading a document that describes the essential characteristics of
a system to be developed. What kind of a document is the IT worker reading?
PART III
A. Procedure
B. Requirements
C. Standard
D. Guideline
15. The concept of dividing the management of controls into development, operations,
and assurance is known as:
A. Controls framework
B. Split custody
C. Separation of duties
D. Three lines of defense
Answers
1. D. The metric on time to patch critical servers will be the most meaningful metric
for the board of directors. While potentially interesting at the operational level, the
other metrics do not convey business meaning to board members.
2. D. The metric of the percentage of critical servers being patched within SLAs is
the best leading indicator because it is a rough predictor of the probability of a
future security incident. The other metrics are trailing indicators because they
report on past incidents.
3. A. The most important factor influencing a decision to select a control framework
is the industry vertical. For example, a healthcare organization would likely select
HIPAA as its primary control framework, whereas a retail organization may select
PCI DSS.
4. D. The balanced scorecard is a tool used to quantify an organization’s performance
against strategic objectives. The focuses of a balanced scorecard are financial,
customer, internal processes, and innovation/learning.
CISM Certified Information Security Manager All-in-One Exam Guide
240
5. C. An organization that needs to implement new controls should do so within
its existing control framework. It is unnecessary to adopt an entirely new control
framework when a few controls need to be added.
6. A. A data classification policy is a statement that defines two or more classification
levels for data, together with procedures and standards for the protection of data at
each classification for various use cases such as storage in a database, storage on a
laptop computer, transmissions via e-mail, and storage on backup media.
7. B. A charter document, which describes many facets of a function or program, best
fits this description.
8. C. Management has created a data classification policy, which defines classification
levels and handling procedures for information in various forms at each level.
9. B. The best first step in developing a data classification policy is to develop an
inventory of data to understand the various types that are stored in use in the
organization.
10. B. The best first step is the development of an inventory of systems. After that, the
best step is the mapping of information (and its classification) stored or processed
by each system.
11. A. ISO/IEC 27001, “Information technology – Security techniques – Information
security management systems – Requirements,” defines all of the high-level
characteristics of an information security management system (ISMS). The other
answers are control frameworks, which are used to develop and organize controls.
12. D. The IT worker is reading a guideline, a document that provides nonbinding
guidance regarding compliance with a policy, control, or standard.
13. C. The IT worker is reading a standard, a document that stipulates the mandatory
use of protocols, algorithms, techniques, products, or suppliers.
14. B. The IT worker is reading a requirements document, which describes the required
characteristics of a system to be developed or acquired.
15. D. The three lines of defense model describes the separate roles in control
management as development, operations, and assurance (audit).
Information Security
Program Management
CHAPTER
6
In this chapter, you will learn about
• Controls and control design
• Managing controls throughout their lie cycle
• Assessing controls to determine eectiveness
• Reducing risk by conducting security awareness training
• Identiying and managing third-party service providers
• Communicating and reporting the state o the security program
241
CISM Certified Information Security Manager All-in-One Exam Guide
242
management (staff, professional services, budget, and equipment), decision-making at
every level, and coordination of activities through projects, tasks, and routine operations.
Control Classification
Before exploring the steps used to create and manage a control, you should understand
the characteristics, or classifications, of controls. Several types, classes, and categories of
controls are discussed in this section. Figure 6-1 depicts this control classification.
Figure 6-1
ic
at
Control
ua
m
an
to
classiication
Au
Administrative
shows types
(along the right Preventive
side o the box),
Technical
Detective
classes (at the
Physical
Recovery
Chapter 6: Information Security Program Management
243
Types of Controls
PART III
The three types of controls are physical, technical, and administrative:
• Physical These types of controls exist in the tangible, physical world. Examples
of physical controls are video surveillance, locking doors, bollards, and fences.
• Technical These controls are implemented in the form of information systems
and information system components and are usually intangible. Examples of
technical controls include encryption, computer access controls, and audit logs.
These are sometimes referred to as logical controls.
• Administrative These controls are the policies, procedures, and standards that
require or forbid certain activities, protocols, and configurations. An example
administrative control is a policy that forbids personal use of company-owned
information systems. These are sometimes referred to as managerial controls.
EXAM TIP ISACA does not expressly use the terms “type,” “class,” or “category”
in its literature or on the exam to describe and distinguish the variety o
controls and their basic characteristics. These terms are used in this book
to highlight the multidimensional nature o controls and how they can be
understood and classiied. Like other constructs, these are models that help
you better imagine how controls operate and are used.
Classes of Controls
There are six classes of controls, which speak to their relationship with unwanted outcomes:
• Detective This type of control is used to record both wanted and unwanted
events. A detective control cannot enforce an activity (whether it is desired or
undesired), but it can ensure that the appropriate security personnel are notified
of whether, and how, an event occurred. Examples of detective controls include
video surveillance and event logs.
• Deterrent This type of control exists to convince someone that they should not
perform some unwanted activity. Examples of deterrent controls include guard
dogs, warning signs, and visible video surveillance cameras and monitors.
Categories of Controls
There are two categories of controls that relate to the nature of their operation:
• Automatic This type of control performs its function with little or no human
PART III
judgment or decision-making. Examples of automatic controls include a login
page on an application that cannot be circumvented, and a security door that
automatically locks after someone walks through the doorway.
• Manual This type of control requires a human to operate it. A manual control
may be subject to a higher rate of errors than an automatic control. An example
of a manual control is a monthly review of computer users.
Control Objectives
Control objectives describe the desired states or outcomes of business operations. When
building a security program, and preferably prior to selecting a control framework,
security professionals must establish high-level control objectives.
Examples of control objective subject matter include the following:
PART III
opting instead to lease data center space from colocation providers or cloud providers.
In part, the build versus buy argument is related to an organization’s mission and core
competencies. For instance, a new social media company may decide to lease serverless
computing platforms rather than buy servers, claiming that the company specializes in
social media, not data centers, computer hardware, or operating systems.
Security leaders who need to build a set of controls will have to determine whether to
build or buy them. Each approach has pros and cons, as illustrated in Table 6-1.
Organizations generally choose to adopt existing control frameworks that are aligned
with their industry. This results in an immediate, complete set of controls that can be
implemented over a shorter period of time than would be possible if the organization
were to develop a custom set of controls.
• Gut feeling
• Using another organization’s experience
• Using a security practitioner from another organization
• Searching the Internet
• Assessing a risk in a deficient or incomplete way
A security manager could perform a comprehensive risk assessment and develop a
framework of controls based upon identified risks, and indeed this would not be consid-
ered unacceptable. However, with a variety of freely available, high-quality control frame-
works (except ISO/IEC 27002, which must be purchased), an organization could start
with a standard control framework that requires far less effort.
PART III
Framework (CSF)
Health Insurance Portability Controls or the protection Medical services, including
and Accountability Act o electronic protected delivery, billing, and insurance
(HIPAA) / HITRUST CSF health inormation (ePHI)
COBIT 2019 Broadly adopted All
international controls
Committee o Sponsoring Controls or preserving All U.S. public companies and
Organizations o the Treadway the integrity o inancial private companies requiring
Commission (COSO) inormation and inancial similar controls
statement reporting
North American Electric Controls or the protection Electric utilities
Reliability Corporation o electric generation and
(NERC) Reliability Standards distribution inrastructure
Cloud Security Alliance (CSA) Controls or use by cloud- All
Cloud Controls Matrix (CCM) based service providers
(System and Organization Controls or use by inancial All
Controls Report) SOC 1 service providers
SOC 2 Controls or use by cloud- All
based service providers
Table 6-2 Commonly Used Control Frameworks
There is also nothing wrong with a security manager selecting a control framework
based on his or her familiarity and experience with a specific framework. This is valid to
a point, however: for example, selecting the PCI DSS control framework in a healthcare
delivery organization might not be the best choice.
EXAM TIP CISM candidates are not required to memorize the speciics
o COBIT or other rameworks, but a amiliarity with them will help the
candidate better understand how they contribute to eective security
governance and control.
CISM Certified Information Security Manager All-in-One Exam Guide
250
Mapping Control Frameworks
Organizations may find that more than one control framework needs to be selected and
adopted. The primary factors driving this are as follows:
• ISO/IEC 27002:2022 8.23 Audit tests and other assurance activities involving
assessment of operational systems should be planned and agreed between the tester
and appropriate management.
• NIST SP 800-53 Rev 5 AU-9 The information system protects audit information
and audit tools from unauthorized access, modification, and deletion.
These controls do not map together well at all. In the earlier version of ISO/IEC
27002, control 15.3.2 reads, “Access to information systems audit tools should be
PART III
protected to prevent any possible misuse or compromise.” Unfortunately, in the newer
revisions of these standards, for this control, the mapping has diverged and is less clear
now. Thus, mapping controls requires continual effort.
• Defense in depth
• Split custody
• Separation of duties
Although it is not necessary to include these control features, they may help improve
the effectiveness of a control.
Control Architecture The term control architecture refers to the “big picture” of con-
trols in an organization. In addition to designing and implementing individual controls,
information security managers also need to understand how controls work together to
protect information and information systems. Risk assessments and other considerations
will drive a security manager to develop a defense-in-depth architecture for high-risk areas.
For instance, a control designed to review staff terminations every week would supple-
ment and detect errors in the staff termination control.
Dealing with Changing Technology Technologies change more quickly than stan-
dard control frameworks can. For this reason, security managers need to keep a close eye
on emerging technologies and “plug in” to various business processes in the organization
to ensure that they are involved whenever new technologies or practices are introduced
into the organization.
Changes in technologies are often, by design, disruptive. This disruption starts in
markets where new products, services, and practices are developed, and it continues
inside organizations that adopt them. Disruption is the result of innovation—the
Chapter 6: Information Security Program Management
253
realization of new ideas that make organizations better in some way. Here are some
examples of disruptive technologies:
• Personal computers Starting in the early 1980s, IBM and other companies
sold PCs to organization departments that grew impatient with centralized IT
organizations that were too slow to meet their business needs.
• Cloud computing Starting in the early 2000s, many companies developed
cloud-based services for data storage and information processing. Organization
departments still waiting for corporate IT to help them went to the cloud instead,
because it was cheaper and faster. Corporate IT followed, as infrastructure as a
service (IaaS) providers made server OSs available at far less cost than before.
Disruptive technologies within the realm of cloud computing include virtualization,
containers, microsegmentation, software-defined networking, software-defined
security, identity-defined security, ransomware, and fileless malware.
PART III
• Smartphones BlackBerry was the first widely adopted corporate smartphone;
it was minimally disruptive but highly liberating for workers who could use it
to access e-mail and other functions from anywhere. Sold mainly to consumers,
Apple’s iPhone proved highly disruptive in the smartphone market, as it provided
alternative means for workers to get things done.
• Bring your own device (BYOD) Increasingly, company workers bring personal
smartphones, tablets, laptops, voice assistants, and other personally owned devices
and use them for business operations.
• Bring your own app (BYOA) Company workers sometimes use personally owned
tools and software on company information systems.
• Shadow IT Individuals, groups, departments, and business units bypass corporate
IT and procure their own computing services, typically through software as a service
(SaaS) and IaaS services, but also through BYOD.
• Work from home (WFH) The shift of global workforces to working from
home on a part-time or full-time basis changes the risk landscape for individual
workers, particularly on the topics of physical security, endpoint management,
and LAN management.
• Artificial intelligence (AI) As AI is incorporated into devices and commercial
applications, organizations will have to determine platform- and practice-specific
risks and develop controls to manage and monitor its use.
• Virtual reality (VR) VR will find itself in commercial environments, whether
for employee or customer use. Security leaders will need to identify specific
risks and develop controls and safeguards to protect employees, customers, and
sensitive information.
• Internet of things (IoT) Internet and/or LAN communications capabilities
are being introduced into numerous types of products, such as food storage and
cooking appliances, audio/visual equipment (including televisions), medical
devices, vehicles, building control systems, manufacturing equipment, laundry
equipment, and agriculture machinery. Many of these devices are being introduced
into organizational networks, often without considerations for security and privacy.
CISM Certified Information Security Manager All-in-One Exam Guide
254
Security managers understand that they cannot be everywhere at once; neither can
they be aware of all relevant activities in the organization. Individual workers, teams,
departments, and business units will adopt new services and implement new technolo-
gies without informing or consulting with information security. This underscores the
need for an annual risk assessment that will reveal emerging technologies and practices
so that they may be assessed for risk. While a backward look at technology adoption is
not ideal (because risks may be introduced at the onset of use), because security managers
are not always involved in changes in the organization, a risk assessment is sometimes the
method of last resort to discover risks already present in the business.
ISO/IEC 27002
ISO/IEC 27002, “Information technology—Security techniques—Code of practice for
information security controls,” is a world-renowned set of controls. The ISO/IEC 27002
control framework consists of 4 control categories and 93 control objectives. Table 6-3
describes these control categories and control objectives for the 2022 version, known as
ISO/IEC 27002:2022.
PART III
5.18 Access rights Ensures that access to assets is authorized per
business requirements
5.19 Inormation security in supplier Ensures proper security in supplier relationships
relationships
5.20 Addressing inormation security Formally deines security related roles and
within supplier agreements responsibilities in contracts
5.21 Managing inormation security in Ensures proper security in supplier relationships
the ICT (inormation and communication
technology) supply chain
5.22 Monitoring, review and change Ensures proper security in supplier relationships
management o supplier services when relationships change
5.23 Inormation security or use o Manages security related to the use o cloud services
cloud services
5.24 Inormation security incident Ensures eective response to inormation
management planning and preparation security incidents
5.25 Assessment and decision on Ensures categorization and prioritization
inormation security events o security events
5.26 Response to inormation Ensures eective response to inormation
security incidents security incidents
5.27 Learning rom inormation Improves response to uture incidents
security incidents
5.28 Collection o evidence Ensures proper collection and management
o evidence
5.29 Inormation security during disruption Ensures that security remains eective
during disruptions
5.30 ICT readiness or business continuity Ensures the availability o critical systems
5.31 Legal, statutory, regulatory and Ensures compliance with all legal requirements
contractual requirements
5.32 Intellectual property rights Ensures protection and compliance with
intellectual property laws
Table 6-3 ISO/IEC 27002:2022 Control Objectives (continued)
CISM Certified Information Security Manager All-in-One Exam Guide
256
Control Control Objective
5.33 Protection o records Ensures that business records are adequately
protected
5.34 Privacy and protection o PII Ensures the proper protection and use o PII
5.35 Independent review o Ensures the integrity o an organization’s inormation
inormation security security program
5.36 Compliance with policies, rules and Ensures compliance with policies, standards,
standards or inormation security and requirements
5.37 Documented operating procedures Ensures correct and secure operations o inormation-
processing acilities
6 People controls
6.1 Screening Ensures that personnel understand their
responsibilities and are suitable or their roles
6.2 Terms and conditions o employment Ensures that personnel are aware o and accomplish
their inormation security responsibilities
6.3 Inormation security awareness, Ensures that personnel are aware o and can perorm
education and training their security responsibilities
6.4 Disciplinary process Ensures that personnel understand the
consequences o violating security policy
6.5 Responsibilities ater termination or Protects the organization as part o changing
change o employment or terminating employment
6.6 Conidentiality or non-disclosure Ensures conidentiality o inormation by personnel
agreements and external parties
6.7 Remote working Ensures protection o inormation when
working remotely
6.8 Inormation security event reporting Ensures that personnel can identiy and will report
security events
7 Physical records
7.1 Physical security perimeters Prevents unauthorized access to acilities
7.2 Physical entry Ensures that only authorized personnel may
access acilities
7.3 Securing oices, rooms and acilities Ensures that only authorized personnel may access
oices and rooms in acilities
7.4 Physical security monitoring Detects physical security events
7.5 Protecting against physical and Identiies and protects against various threats
environmental threats
7.6 Working in secure areas Protects assets and inormation in secure areas
7.7 Clear desk and clear screen Reduces exposure o sensitive inormation in
work spaces
7.8 Equipment siting and protection Reduces risks associated with the location o work
and processing centers
Table 6-3 ISO/IEC 27002:2022 Control Objectives (continued)
Chapter 6: Information Security Program Management
257
Control Control Objective
7.9 Security o assets o-premises Ensures the protection o assets and inormation
when osite
7.10 Storage media Prevents unauthorized misuse o inormation
stored on media
7.11 Supporting utilities Reduces the impact o disruption o supporting
utilities such as electric power and water
7.12 Cabling security Ensures the protection o communications cabling
7.13 Equipment maintenance Ensures the proper maintenance o assets
7.14 Secure disposal or re-use Prevents leakage o inormation when disposing or
o equipment reusing assets
8 Technological controls
PART III
8.1 User endpoint devices Protects inormation rom risks associated with the
use o user endpoints
8.2 Privileged access rights Ensures that only authorized personnel and services
have privileged access
8.3 Inormation access restriction Ensures that only authorized personnel and services
may access inormation
8.4 Access to source code Prevents unauthorized access to, and modiication
o, source code
8.5 Secure authentication Ensures the security o authentication events
8.6 Capacity management Ensures that technological and personnel resources
are adequate to perorm required business unctions
8.7 Protection against malware Ensures that inormation systems are protected
against malware
8.8 Management o technical Prevents exploitation o technical vulnerabilities
vulnerabilities
8.9 Coniguration management Ensures that inormation systems have proper
security settings
8.10 Inormation deletion Ensures that inormation is retained only as long
as required
8.11 Data masking Masks sensitive inormation ields as required
8.12 Data leakage prevention Detects and prevents unauthorized disclosure
o inormation
8.13 Inormation backup Protects against accidental or deliberate loss o data
8.14 Redundancy o inormation Ensures the continuous operation o
processing acilities inormation systems
8.15 Logging Covers creation and protection o activities
8.16 Monitoring activities Monitors or anomalous events and actions taken
8.17 Clock synchronization Ensures accurate clocks to aid in event
troubleshooting
Table 6-3 ISO/IEC 27002:2022 Control Objectives (continued)
CISM Certified Information Security Manager All-in-One Exam Guide
258
Control Control Objective
8.18 Use o privileged utility programs Ensures that utility programs do not harm systems
or inormation
8.19 Installation o sotware on Ensures the integrity o inormation systems
operational systems
8.20 Networks security Ensures protection o inormation in networks
8.21 Security o network services Ensures the security o network services
8.22 Segregation o networks Develops security boundaries in networks
8.23 Web iltering Ensures protection rom malware and access to
unauthorized resources
8.24 Use o cryptography Ensures use o cryptography to protect the
conidentiality, authenticity, and/or integrity
o inormation
8.25 Secure development lie cycle Ensures the inclusion o security in development
lie-cycle processes
8.26 Application security requirements Ensures that all security requirements are identiied
and addressed
8.27 Secure system architecture and Ensures that security is a part o architecture, design,
engineering principles and operations o inormation systems
8.28 Secure coding Ensures that coding does not introduce vulnerabilities
8.29 Security testing in development Ensures that security is a part o development and
and acceptance acceptance testing
8.30 Outsourced development Ensures that security measures are required when
outsourcing development
8.31 Separation o development, test and Ensures that separate development, test, and
production environments production systems are used to protect inormation
8.32 Change management Ensures that only approved changes are made, and
that security is preserved
8.33 Test inormation Ensures that inormation used in testing is protected
8.34 Protection o inormation systems Ensures that audits and other testing does not
during audit testing impact operations
Table 6-3 ISO/IEC 27002:2022 Control Objectives
ISO/IEC 27002 is available from www.iso.org. This and most other ISO standards
are fee-based, meaning that they must be purchased and have licensing and usage restric-
tions that govern their use in an organization. Generally, these standards are purchased in
single quantities and are “single user” in nature, and they are not permitted to be stored
on file servers for use by multiple users.
Chapter 6: Information Security Program Management
259
NOTE ISO/IEC 27002 is signiicantly reorganized with the 2022 version.
Appendices in the 2022 version include orward and reverse mapping to
the 2005 version.
NIST SP 800-53
NIST SP 800-53 Rev 5, “Security and Privacy Controls for Federal Information
Systems and Organizations,” is published by the Computer Security Division of the
U.S. National Institute for Standards and Technology (NIST). A summary of controls
in NIST SP 800-53 appears in Appendix D, “Security Control Baselines,” and detailed
descriptions of all controls are found in Appendix F, “Security Control Catalog.” NIST
SP 800-53 Rev 5 is available from http://csrc.nist.gov/publications/PubsSPs.html. The
standard is available without cost or registration.
PART III
Table 6-4 lists the categories of controls in NIST SP 800-53 Rev 5.
NIST SP 800-53A is a separate standard that provides procedures for assessing
controls in NIST SP 800-53.
Category Name
AC Access Control
AT Awareness and Training
AU Audit and Accountability
CA Assessment, Authorization, and Monitoring (renamed in Rev 5)
CM Coniguration Management
CP Contingency Planning
IA Identiication and Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PS Personnel Security
PT PII Processing and Transparency (new in Rev 5)
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SI System and Inormation Integrity
SR Supply Chain Risk Management (new in Rev 5)
Table 6-4 NIST SP 800-53 Rev 5 Control Categories
CISM Certified Information Security Manager All-in-One Exam Guide
260
Center for Internet Security Critical Security Controls
The Center for Internet Security (CIS) maintains a popular and respected control frame-
work called the CIS Critical Security Controls (CIS CSC). While CIS CSC currently
includes 18 control objectives, it included 20 control objectives for many years and is
still commonly known as the “CIS 20” or the “SANS Top 20.” Still occasionally referred
to as the “SANS 20 Critical Security Controls,” this control framework was originally
developed by the SANS Institute.
Regarded as a simpler set of security controls, the CIS CSC framework has been
widely adopted by organizations seeking a control framework but needing to avoid more
burdensome frameworks such as NIST SP 800-53 or ISO/IEC 27001 controls.
Table 6-5 shows the structure of the CIS CSC control framework.
PART III
execution o malicious applications, code, or scripts
on enterprise assets.
11 Data Recovery Establish and maintain data recovery practices suicient
to restore in-scope enterprise assets to a pre-incident
and trusted state.
12 Network Establish, implement, and actively manage (track,
Inrastructure report, correct) network devices, in order to prevent
Management attackers rom exploiting vulnerable network services
and access points.
13 Network Monitoring Operate processes and tooling to establish and
and Deense maintain comprehensive network monitoring and
deense against security threats across the enterprise’s
network inrastructure and user base.
14 Security Awareness Establish and maintain a security awareness program to
and Skills Training inluence behavior among the workorce to be security
conscious and properly skilled to reduce cybersecurity
risks to the enterprise.
15 Service Provider Develop a process to evaluate service providers who hold
Management sensitive data, or are responsible or an enterprise’s critical
IT platorms or processes, to ensure these providers are
protecting those platorms and data appropriately.
16 Application Sotware Manage the security lie cycle o in-house developed,
Security hosted, or acquired sotware to prevent, detect, and
remediate security weaknesses beore they can impact
the enterprise.
17 Incident Response Establish a program to develop and maintain an incident
Management response capability (e.g., policies, plans, procedures,
deined roles, training, and communications) to prepare,
detect, and quickly respond to an attack.
18 Penetration Testing Test the eectiveness and resiliency o enterprise
assets through identiying and exploiting weaknesses
in controls (people, processes, and technology), and
simulating the objectives and actions o an attacker.
Table 6-5 CIS CSC Framework (Source: The Center or Internet Security (CIS) www.cisecurity.org)
CISM Certified Information Security Manager All-in-One Exam Guide
262
The CIS CSC framework is structured in a way that makes it easy for security practi-
tioners to understand and use. Within each control category is a section entitled “Why Is
This Control Critical?” followed by the individual controls. This is followed by a section
called “Procedures and Tools” that provides additional guidance. Finally, each control
category includes a system entity relationship diagram that depicts the control’s imple-
mentation in an environment. Many consider the CIS CSC a more pragmatic and less
academic framework than NIST SP 800-53 or PCI DSS.
The CIS CSC framework includes one or more controls within each control category.
Some controls are flagged as “foundational,” meaning they are essential in any organiza-
tion. The controls not marked as “foundational” may be considered optional.
Some controls include advanced implementation guidelines. For instance, control 8.3
(“Limit use of external devices to those with an approved, documented business need.
Monitor for use and attempted use of external devices. Configure laptops, workstations,
and servers so that they will not auto-run content from removable media, like USB
tokens [thumb drives], USB hard drives, CDs/DVDs, FireWire devices, external serial
advanced technology attachment devices, and mounted network shares. Configure sys-
tems so that they automatically conduct an anti-malware scan of removable media when
inserted….”) includes in its advanced guidance, “Actively monitor the use of external
devices (in addition to logging).”
The CIS CSC framework is available from www.cisecurity.org/critical-controls.cfm
without cost, although registration may be required.
PART III
• Adaptive Risk management practices are monitored and adapted to meet
changing threats and business needs. The risk management program is fully
integrated into the organization’s business and process. The organization shares
information with external parties on a methodical basis and receives information
to prevent events. The supply chain risk management process provides high-level
risk awareness to management.
These implementation tiers are similar to maturity ratings used in the Software
Engineering Institute Capability Maturity Model (SEI-CMM) and others.
The CSF contains a methodology for establishing or making improvements to an
information security program. The steps in this methodology are similar to the structure
used in this book:
• Step 1: Prioritize and Scope The organization determines which business
units or business processes are part of the scope of a new or improving program.
• Step 2: Orient The organization identifies assets that are in scope for the program,
the risk approach, and applicable laws, regulations, and other legal obligations.
• Step 3: Create a Current Profile The organization identifies the category and
subcategory outcomes from the Framework Core (the CSF controls) that are
currently in place.
• Step 4: Conduct a Risk Assessment The organization conducts a risk assessment
covering the entire scope of the program. This is an ordinary risk assessment like
those described throughout this book, where threats (together with their likelihood
and impact) are identified for each asset or asset group.
• Step 5: Create a Target Profile The organization determines the desired future
states for each of the framework’s categories and subcategories (the controls). This
includes the desired tier level for each category and subcategory.
• Step 6: Determine, Analyze, and Prioritize Gaps The organization compares
the current profile (developed in step 3) and the target profile (step 5) and
develops a list of gaps. These gaps are analyzed and prioritized, and the necessary
resources to close gaps are identified. A cost-benefit analysis is performed, which
also helps with prioritization.
CISM Certified Information Security Manager All-in-One Exam Guide
264
• Step 7: Implement Action Plan The organization develops plans to close gaps
identified and analyzed in step 6. After action plans have been completed, controls
are monitored for compliance.
NIST CSF is available from www.nist.gov/cyberframework.
NOTE The PCI Security Standards Council release version 4.0 o the PCI DSS
standard takes eect in March 2024. The structure o the 4.0 standard is
nearly identical with the structure o the 3.2.1 standard.
PART III
The PCI Security Standards Council also offers a program of annual training and
exams for personnel who can perform PCI audits and for the organizations that employ
those people. The certifications are as follows:
• Payment Card Industry Qualified Security Assessor (PCI QSA) These are
external auditors who perform audits of merchants and service providers that are
required to undergo annual audits (as well as organizations that undertake these
audits voluntarily).
• Payment Card Industry Internal Security Assessor (PCI ISA) These are
employees of merchants and service providers required to be compliant with the
PCI DSS. The PCI Security Standards Council does not require any employees of
merchants or service providers to be certified to PCI ISA; however, the certification
does help those so certified to better understand the PCI DSS standard, thereby
leading to better compliance. Some of the credit card brands permit an ISA to
perform a PCI report on compliance (ROC) in lieu of an external QSA firm.
• Payment Card Industry Professional (PCIP) This is an entry-level certification
for IT professionals who want to learn more about the PCI DSS standard and earn
a certification that designates them as a PCI subject-matter expert.
The PCI Security Standards Council has published additional requirements and
standards, including the following:
Section Description
164.302 Applicability
164.304 Deinitions
164.306 Security standards: General rules
164.308 Administrative saeguards
164.310 Physical saeguards
164.312 Technical saeguards
164.314 Organizational requirements
164.316 Policies and procedures and documentation requirements
164.318 Compliance dates or the initial implementation o the security standards
Table 6-7 Requirement Sections in the HIPAA Security Rule
Chapter 6: Information Security Program Management
267
COBIT 2019
To ensure that a security program is aligned with business objectives, the COBIT 2019
control framework of 5 principles and 37 processes is an industry-wide standard. The
five principles are as follows:
PART III
of industry-wide consensus by managers, auditors, and IT users. Today, COBIT 2019
is accepted as a best-practices IT process and control framework. COBIT has absorbed
ISACA’s Risk IT Framework and Val IT Framework.
COBIT 2019 is available from www.isaca.org/resources/cobit.
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is
a private-sector organization that provides thought leadership through the development
of frameworks and guidance on enterprise risk management, internal control, and fraud
deterrence. Its control framework is used by U.S. public companies for management of
their financial accounting and reporting systems.
COSO is a joint initiative of the following private-sector associations:
ce
COSO ramework
s
ion
ing
lian
rat
rt
components
mp
po
e
Op
Co
Re
Control Environment
Operating Unit
Function
Entity Level
Division
Risk Assessment
Control Activities
PART III
Information & Communication
Monitoring Activities
Prior to the Northeast Blackout of 2003, NERC standards were voluntary. The Energy
Policy Act of 2005 authorized the Federal Energy Regulatory Commission (FERC) to
designate NERC standards as mandatory. NERC has the authority to enforce its stan-
dards and does so through audits; it levies fines to public utilities that are noncompliant.
Section Title
CIP-002-5.1a Cyber Security – BES (Bulk Electric System) Cyber System Categorization
CIP-003-8 Cyber Security – Security Management Controls
CIP-004-6 Cyber Security – Personnel & Training
CIP-005-6 Cyber Security – Electronic Security Perimeter(s)
CIP-006-6 Cyber Security – Physical Security o BES Cyber Systems
CIP-007-6 Cyber Security – System Security Management
CIP-008-6 Cyber Security – Incident Reporting and Response Planning
CIP-009-6 Cyber Security – Recovery Plans or BES Cyber Systems
CIP-010-3 Cyber Security – Coniguration Change Management and Vulnerability
Assessments
CIP-011-2 Cyber Security – Inormation Protection
CIP-013-1 Cyber Security – Supply Chain Risk Management
CIP-014-2 Physical Security
Table 6-9 NERC Critical Inrastructure Protection Framework Cyber Security Controls
CISM Certified Information Security Manager All-in-One Exam Guide
270
CSA Control Framework
The Cloud Security Alliance (CSA) has developed a control framework known as the
Cloud Controls Matrix (CCM) that is designed to provide security principles to cloud
vendors and to assist customers with assessments of cloud vendors.
Table 6-10 shows the structure of the CSA CCM version 4.
The CSA has developed an assurance framework known as CSA STAR that includes
two assurance levels:
• Self-assessment
• Third-party Audit
More information on CSA and CCM is available at cloudsecurityalliance.org.
Domain Description
A&A Audit & Assurance
AIS Application & Interace Security
BCR Business Continuity Management & Operational Resilience
CCC Change Control & Coniguration Management
CEK Cryptography, Encryption & Key Management
DCS Datacenter Security
DSP Data Security and Privacy Liecycle Management
GRC Governance, Risk and Compliance
HRS Human Resources
IAM Identity & Access Management
IPY Interoperability & Portability
IVS Inrastructure & Virtualization Security
LOG Logging and Monitoring
SEF Security Incident Management, E-Discovery & Cloud Forensics
STA Supply Chain Management, Transparency, and Accountability
TVM Threat and Vulnerability Management
UEM Universal Endpoint Management
Table 6-10 Domains o the Cloud Security Alliance Cloud Controls Matrix
Chapter 6: Information Security Program Management
271
In the early 1990s, the American Institute for Certified Public Accountants
(AICPA) developed the Statement on Auditing Standards No. 70 (SAS-70) standard
that opened the door for audits that could be performed by public accounting firms
on service providers, with audit reports made available to service providers’ custom-
ers. After the Sarbanes–Oxley Act (SOX) took effect in 2003, SAS-70 audits of service
providers satisfied the requirements for U.S. public companies to obtain assurance of
control effectiveness for outsourced IT service providers, particularly those that sup-
ported financial applications.
The SOC 1, SOC 2, and SOC 3 audit standards are discussed next.
System and Organization Controls 1 In 2010, the SAS-70 standard was superseded
by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) standard
in the United States and by International Standards on Assurance Engagements No.
3402 (ISAE 3402) outside the United States. In 2017, SSAE 16 was replaced with SSAE
PART III
18. Together, SSAE 16, SSAE 18, and ISAE 3402 are commonly known as System and
Organization Controls 1 (SOC 1).
In a SOC 1 audit, the service organization specifies the controls that are to be audited.
While a service organization has complete latitude on which controls are in scope for a
SOC 1 audit, the service organization must be mindful of which controls its customers
and their internal and external auditors will expect to see in a SOC 1 audit report.
There are two basic types of SOC 1 audits:
Controls Development
The development of controls is a foundational part of any security program. To develop
controls, a security manager must have an intimate level of knowledge of the organiza-
tion’s mission, goals, and objectives, as well as a good understanding of the organization’s
degree of risk tolerance. Figure 6-3 illustrates the relationship between an organization
and the fundamentals of a security program.
As stated elsewhere in this book, the most common approach to controls development
is the selection of an established control framework, such as any of those discussed earlier
in this chapter. However, an organization is also free to develop a control framework from
scratch. Table 6-1 earlier in this chapter illustrates the pros and cons of each approach.
Chapter 6: Information Security Program Management
273
Figure 6-3 Organization
Risk
Relationship Mission, Goals
Tolerance
between an & Objectives
organization’s
mission, goals,
objectives, risk
tolerance, risk Risk
management, Management
security policies,
and security
controls
Security
Policy
PART III
Security
Controls
• Control number The index number assigned to this control, according to the
control numbering scheme adopted by the organization. This could be a simple
number (1, 2, 3) or a hierarchical number (10.5, 10.5.1, 10.5.2, 10.6).
• Mapping Any relationships of this control to one or more controls in other
control frameworks, whether the other control frameworks are specific to the
organization or are industry-standard control frameworks.
• Title The title or name of the control.
• Control objective In a control framework with high-level control objectives,
this is a statement of a desired activity.
• Narrative A detailed description of the control. Generally, this should not
include implementation details (which could vary from system to system or from
place to place), but instead should include details that help a business owner,
auditor, or IT worker understand the intent of the control. There should be enough
detail so that IT workers and other personnel can properly implement the control.
• Scope The locations, business units, departments, or systems that are affected
by the control.
• Risk A description of the risk that this control is intended to address.
• Owner The business owner (or owners) of the control.
• Affected and related business processes The business processes related to the
control, as well as the business processes affected by the control.
• Control frequency How often the control is performed, executed, or used.
• Classification Includes whether the control is automatic or manual, preventive
or detective, and other classification details.
• Measurements Includes the statistics, metrics, and key performance indicators
(KPIs) that are measured as a result of control operation.
• Testing procedure and frequency The steps required to evaluate the control
for effectiveness. Like the control narrative, this should be a general description
and not specific to any particular technology.
• Developed by The name of the person who developed the control.
• Approved by The name of the person who approved the control.
• Approval date The date of the most recent approval of the control.
• Version The version number of the control, according to whatever version
numbering system is used by the organization.
Chapter 6: Information Security Program Management
275
• Cross references Cross references to other controls, control frameworks,
systems, documents, departments, processes, risk assessments, or risk treatment.
Cross references can help personnel better understand how controls relate to
other activities or events in the organization.
• Modification history A list of the changes made to the control, including a
description, who made each change, who approved each change, and the date of
each change.
While organizations may prefer to document controls in worksheets, a better approach
is the development of individual documents for each control. This will lead to better
outcomes, because it will be easier to control versions of individual control documents.
PART III
including the metadata described here, will experience problems in the
orm o ambiguity. Control metadata is essential to ensure that management
understands how controls are to be implemented and managed.
Control Implementation
The implementation of a new control should be guided by formal processes, not unlike
those that guide systems development: a new control should have a control objective,
a design that is reviewed by stakeholders, a test plan that is carried out with results
reviewed, a formal authorization to implement the control, and IT and business change
management processes to plan its implementation.
Controls must have control owners, who are responsible for proper operation of each
control. When an organization implements new controls, control owners should be iden-
tified and trained on the operation of the controls they are responsible for. Ideally, control
ownership and training is included in the control life cycle to ensure that control owners
are identified and trained prior to the control being placed into operation.
New controls should be audited or reviewed more frequently to ensure that they are
operating as expected. Measurements of control performance and operation should
be established so that management can review actual versus expected performance. In
some cases, an organization will also audit or review controls to ensure that they are
meeting objectives.
• Event monitoring
• Vulnerability management
• Secure engineering and development
• Network protection
• Endpoint protection and management
• Identity and access management
• Security incident management
• Security awareness training
• Managed security services providers
• Data security
• Business continuity planning
Other areas of operational control that are related to business operations, IT, physical
security, and privacy are not included here.
Event Monitoring
Event monitoring is the practice of examining the security events that occur on informa-
tion systems, including applications, operating systems, database management systems,
end-user devices, and every type and kind of network device, and then providing infor-
mation about those events to the appropriate people or systems.
Prior to widespread business use of the Internet, most organizations found it sufficient
to review event logs on a daily basis. This comprised a review of the previous day’s logged
events (or the weekend’s events on a Monday) to ensure that no security incidents war-
ranted further investigation. Today, however, most organizations implement real-time
event monitoring; this means that organizations need to have systems in place that will
immediately inform the appropriate parties if any events warrant attention.
Log Reviews In a log review, an event log in an information system is examined to
determine whether any security or operational incidents have occurred in the system that
warrant action or attention. Typically, a log review involves the examination of activities
that occurred on the previous day. Most organizations conduct continuous log reviews
by sending log data into a security information and event management system (SIEM).
Centralized Log Management Centralized log management is a practice whereby
event logs on various systems are sent over the network to a central collection and storage
point, called a log server. There are two primary uses for a log server: the first is archival
storage of events that may be used at a later date in an investigation, and the second is
for the review of events on a daily basis or in real time. Generally, real-time analysis is
performed by a SIEM, discussed next.
Chapter 6: Information Security Program Management
277
Security Information and Event Management A SIEM (pronounced sim or seem)
system collects and analyzes log data from many or all systems in an organization.
A SIEM has the ability to correlate events from one or more devices to provide details
about an incident. For instance, an attacker performing a brute-force password attack on
a web server may be generating alerts on the web server itself and also on the firewall and
intrusion detection system. A SIEM would portray the incident using events from these
and possibly other devices to provide a rich depiction of the incident.
Threat Intelligence Platform Modern SIEMs can ingest threat intelligence feeds
from various external sources. This enables them to correlate events in an organization’s
systems with various threats experienced by other organizations. A threat intelligence plat-
form (TIP) can be implemented to receive and process threat intelligence information.
For example, suppose another organization is attacked by an adversary from a specific
IP address in a foreign country. This information is included in a threat intelligence feed
PART III
that arrives in your organization’s SIEM. This helps the SIEM be more aware of activity
of the same type or from the same IP address. This can help your organization be pre-
pared should similar incidents occur on your organization’s network.
Security Orchestration, Automation, and Response In the context of SIEM, orches-
tration refers to a scripted response that is automatically or manually triggered when spe-
cific events occur. This capability is performed by a security orchestration, automation,
and response (SOAR) platform that may be a stand-alone system or may exist as part
of the SIEM. Suppose, for example, that an organization has developed “run books,” or
short procedures for personnel who manage the SIEM, for actions that should be per-
formed when specific types of events occur. The organization, desiring to automate some
of these responses, implements a SOAR tool with scripts that can be run automatically
when these specific events occur. The orchestration system can be configured to run
some scripts immediately, while others can be set up and run when an analyst “approves”
them. The advantage of orchestration is twofold: first, repetitive and rote tasks are auto-
mated, relieving personnel of boredom and improving accuracy; second, response to
some types of events can be performed more quickly, thereby blunting the impact of
security incidents.
Vulnerability Management
Vulnerability management is the practice of periodically examining information systems
(including but not limited to operating systems, subsystems such as database manage-
ment systems, applications, network devices, and IoT devices) for the purpose of dis-
covering exploitable vulnerabilities, related analysis, and decisions about remediation.
Organizations employ vulnerability management as a primary activity to reduce the
likelihood of successful attacks on their IT environments.
Often, one or more scanning tools, such as the following, are used to scan target sys-
tems in the search for vulnerabilities:
• Periodic scanning One or more tools are used to scan assets in the organization
to search for vulnerabilities and discover new devices.
• Analysis of scan results A security analyst examines the results of a vulnerability
scan, validating the results to make sure there are no false positive results. This
analysis often includes a risk analysis to help the analyst understand an identified
vulnerability in the context of the asset, its role, and its criticality. Scanning tools
generally include a criticality level or criticality score for an identified vulnerability
so that personnel can begin to understand the severity of the vulnerability. Most
tools utilize the Common Vulnerability Scoring System (CVSS) method for
scoring a vulnerability.
After noting the CVSS score of a specific vulnerability, a security manager analyzes
the vulnerability to establish the contextual criticality of the vulnerability. For
example, a vulnerability in the Server Message Block (SMB) service on Microsoft
Windows servers may be rated as critical. A security manager may downgrade the
risk in the organization if SMB services are not accessible over the Internet or if
robust safeguards are already in place. In another example, a security manager
may raise the severity of a vulnerability if the organization lacks detective
controls that would alert the organization that the vulnerable component has
been attacked and compromised.
• Delivery of scan results to asset owners The security manager delivers the
report to the owners or custodians of affected assets so that those people can
begin planning remediation activities.
• Remediation Asset owners make changes to affected assets, typically through
the installation of one or more security patches or through the implementation of
one or more security configuration changes. Often, risk analysis is performed to
determine the risks associated with proposed remediation plans.
Organizations often establish service level agreements (SLAs) for the maximum times
required for remediation of identified vulnerabilities. Table 6-12 shows a typical reme-
diation SLA.
Common Vulnerability Scoring System The CVSS is an open framework that cab
be used to provide a common methodology for scoring vulnerabilities. CVSS employs
Chapter 6: Information Security Program Management
279
CVSS Score Internet-Facing Assets Internal Assets
8.01 to 10 5 days 10 days
4.01 to 8.0 10 days 15 days
2.01 to 4.0 30 days 45 days
0 to 2.0 90 days 180 days
Table 6-12 Typical Vulnerability Management Remediation SLA
PART III
can develop SLAs that determine the speed by which an organization will remediate
vulnerabilities. For more information about CVSS, visit www.first.org/cvss/.
MITRE ATT&CK Framework The MITRE ATT&CK (adversarial tactics, techniques,
and common knowledge) framework is a freely available knowledge base of threats,
attack techniques, and attack models. Developed in 2015, the framework has been
widely adopted by organizations determined to increase their understanding and prevent
cyberattacks. The ATT&CK matrix classifies threats in several areas:
• Reconnaissance
• Resource development
• Initial access
• Execution
• Persistence
• Privilege escalation
• Defense evasion
• Credential access
The ATT&CK framework breaks down these categories into several subtechniques
that help security professionals understand how various types of attacks work. The
framework can be obtained from https://attack.mitre.org/.
Vulnerability Identification Techniques Several techniques are used for identifying
vulnerabilities in target systems:
• Security scan One or more vulnerability scanning tools are used to help
identify easily found vulnerabilities in target systems. A security scan will identify
a vulnerability in one or two ways: by confirming the version of a target system
or program that is known to be vulnerability, or by making an attempt at proving
the existence of a vulnerability by testing a system’s response to specific stimulus.
CISM Certified Information Security Manager All-in-One Exam Guide
280
• Penetration test A security scan, plus additional manual tests that security
scanning tools do not employ, are used in a penetration test, which is intended
to mimic a realistic attack by an attacker who intends to break into a target
system. A penetration test of an organization’s production environment may
fall somewhat short of the techniques used by an actual attacker, however. In
a penetration test, a tester is careful not to exploit vulnerabilities that could
result in a malfunction of the target system. Often, an actual attacker will not
take this precaution unless he or she wants to attack a system without being
noticed. For this reason, it is sometimes desirable to conduct a penetration test
of nonproduction infrastructure, even though nonproduction environments are
often not identical to their production counterparts.
• Social engineering assessment This is an assessment of the judgment of
personnel in the organization to determine how well they are able to recognize
various ruses used by attackers in an attempt to trick users into performing tasks
or providing information. Several means are used, including e-mail, telephone
calls, and in-person encounters. Social engineering assessments help organizations
identify training and improvement opportunities. Social engineering attacks can
have a high impact on an organization. A particular form of social engineering,
BEC (business e-mail compromise) or wire transfer fraud, consists of a ruse by
which an attacker sends an e-mail that pretends to originate from a CEO to
the chief financial officer (CFO), claiming that a secret merger or acquisition
proceeding requires a wire transfer for a significant sum be sent to a specific
offshore account. Aggregate losses resulting from CEO fraud over the past few
years exceeds $2 billion.
PART III
• Conceptual When business executives are discussing new business capabilities,
lines of business, or even mergers and acquisitions, security managers can weigh
in on these activities with guidance in several topics, including data protection,
regulations, compliance, and risk.
• Requirements When requirements are being developed for the development
or acquisition of a new business capability, security managers can be sure to add
security, compliance, and privacy requirements to improve the likelihood that
systems, applications, and other capabilities are more likely to be secure.
• Design With proper input at the requirements stage, product designs are more
likely to be secure. Security managers’ involvement in design reviews will ensure
that initiatives are heading in the right direction.
• Engineering and development With security involvement in requirements
and design, it’s more likely that engineering and development will create secure
results. Still, when engineers and developers are aware of secure engineering and
development techniques, results will be improved from a security perspective.
• Testing When requirements are developed in a way that makes them measurable
and verifiable, testing can include verification that requirements have been met.
This will ensure that security was included properly in the engineering and
development phases.
• Sustainment Throughout its operational life cycle, periodic testing and
analysis of threat intelligence keeps security managers informed of new
vulnerabilities that require configuration changes or patches. Also, scans of
an environment after routine changes help ensure that those changes did not
introduce new vulnerabilities.
Organizations that fail to include security in each phase of their development cycles
are more likely to incur additional rework as security is retrofitted into systems and
applications, as opposed to these products being secure by design. Events such as risk
assessments and vulnerability assessments can expose the lack of security by design,
CISM Certified Information Security Manager All-in-One Exam Guide
282
resulting in rework. Organizations unaware of the principle of security by design are
often unaware that they could have performed their engineering and development for
less cost overall, when compared to the cost of rework.
Network Protection
Network protection is one of the more mature disciplines in IT and information security.
Usenet, the pre-Internet dial-up protocol for transporting e-mail and other information,
included user ID and password authentication as early as 1980. The first firewall was
developed in 1988 as the primary means for protecting systems and data from attacks
originating outside the organization. Firewalls are still considered essential, and other
types of devices and design considerations are commonly used to protect organizations’
internal networks from many types of unwanted activities.
Networks in organizations often grow organically, with incremental changes over
time designed by a succession of network engineers or architects. In all but the most
mature organizations, the details of network architecture and the reasons for various
architectural features are undocumented and lost to the annals of time. This results in
many organizations’ networks today consisting of several characteristics and features
that are poorly understood, other than knowing that they are essential to the networks’
ongoing functionality.
Firewalls Firewalls are network devices that are used to control the passage of network
traffic from one network to one or more other networks. Firewalls are typically placed
at the boundary of an organization’s network and other, external networks. Organiza-
tions also use firewalls to logically separate internal networks from each other; examples
include the following:
• A data center network is often protected from other internal networks with
a firewall.
• Development and testing networks are usually protected by firewalls.
• A special network known as a demilitarized zone (DMZ) is protected by one or
more firewalls, as shown in Figure 6-4.
Figure 6-4
A irewall Internet
protects a DMZ
network
DMZ
Firewall Network
Internal
Networks
Chapter 6: Information Security Program Management
283
Destination
Source IP Address Source Port IP Address Destination Port Permit or Deny
0.0.0.0 to 25 141.204.10.22 25 Permit
255.255.255.255
0.0.0.0 to 53 141.204.10.24 53 Permit
255.255.255.255
141.204.10.24 53 0.0.0.0 to 53 Permit
255.255.255.255
0.0.0.0 to 119 141.204.10.22 119 Permit
255.255.255.255
141.204.12.1 to 80, 443 0.0.0.0 to 80, 443
141.204.12.255 255.255.255.255
0.0.0.0 to 0 to 65535 141.204.10.1 to 0–65535 Deny
PART III
255.255.255.255 141.204.10.255 +
141.204.12.1 to
141.204.12.255
Table 6-13 Example Firewall Rules
Firewalls are managed through a user interface of some kind. At the heart of a firewall’s
configuration are its rules, a series of statements that define specific network traffic that is
to be permitted or blocked. Table 6-13 shows a set of sample firewall rules.
The rules in Table 6-13 are explained here, in order of appearance:
• Permit e-mail from the entire Internet to reach the e-mail server at
141.204.10.22 only.
• Permit DNS from the entire Internet to reach the DNS server at
141.204.10.24 only.
• Permit NNTP traffic from the entire Internet to reach time server at
141.204.10.22 only.
• Permit all users to access the entire Internet on ports 80 and 443 (HTTP and
HTTPS protocols) only.
• Deny all other traffic from the Internet on all ports from reaching any internal
system.
Application Firewalls Application firewalls are devices used to examine and control
messages being sent to an application server, primarily to block unwanted or malicious
content. Most often used to protect web servers, application firewalls block attacks that
may represent attempts by an attacker to gain illicit control of an application or steal data
that the application server accesses.
Segmentation Network segmentation is the practice of partitioning an organization’s
network into zones, with protective devices such as firewalls or stateful packet-filtering
routers controlling network traffic between the zones. Network segmentation protects
CISM Certified Information Security Manager All-in-One Exam Guide
284
Financial Office
Systems Networks
Firewall Firewall
Internal
Internet Firewall Network
Firewall Firewall
Data Payment
Development Centers Firewall
System
Intrusion Prevention Systems Intrusion prevention systems (IPSs) detect and block
malicious network traffic that may be associated with an intrusion. An IPS differs from a
firewall in one important way: an IPS examines the content of network packets to deter-
mine whether each packet should be allowed to pass through the network or be blocked.
A firewall’s decision on whether to block or permit a packet is based strictly upon its
origin, destination, and port, regardless of content.
Many IPSs also block traffic from “known-malicious” IP addresses and domains, based
upon network “reputation” data that is periodically sent to an IPS. The makers of several
IPS products include feeds of reputation data, sometimes with several updates each day.
Attackers often frequently switch their attack origins, knowing that most network engi-
neers cannot keep up with the pace of change; however, IPSs with incoming reputation
feeds help to automate the update process, resulting in improved security through more
effective blocking of traffic from known malicious sites.
Chapter 6: Information Security Program Management
285
Some IPSs can import information from a threat intel feed, which is a subscription
service about known threats. A threat intel feed often contains IP addresses associated
with known malicious sites; an IPS will automatically block traffic being transmitted to
or from those IP addresses.
In addition to blocking malicious traffic, an IPS can also permit suspect traffic, log the
event, and optionally create an alarm. This falls into the category of network traffic that
may or may not be malicious. This would serve to alert personnel who can investigate the
event and take necessary action.
IPSs require continuous vigilance. Sometimes an IPS will block traffic that is anoma-
lous but not actually harmful, and this may impede desired business activities. In such
cases, a security analyst monitoring and operating an IPS would need to “whitelist” the
traffic so that the IPS will not block it in the future. Also, when an IPS sounds an alarm
when it has permitted dubious traffic, a security analyst would need to investigate the
matter and take needed action.
PART III
Like many security systems, IPSs were initially hardware appliances. Most IPSs are
now available in the form of virtual machines that can be installed in an organization’s
public or private cloud.
Intrusion Detection Systems Intrusion detection systems (IDSs) detect malicious
network traffic that may be associated with an intrusion. An IDS is functionally similar
to an IPS in its detection capabilities, configurability, and detection rules. The primary
difference is that an IDS is strictly a detective control; aside from generating alerts, an
IDS does nothing to prevent an attack from progressing.
DDoS Protection Both appliances as well as cloud-based services are available to absorb
the brunt of a distributed denial-of-service (DDoS) attack. This capability recognizes and
filters DDoS packets, while permitting legitimate traffic to pass through to the organiza-
tion. DDoS protection is generally implemented at the Internet boundary in front of
firewalls and other devices to prevent the attack from reaching the organization’s servers.
The advantage of cloud-based DDoS protection is the absence of attack traffic on the
organization’s Internet connection.
Network Traffic Analysis Network traffic analysis (NTA) is a technique used to iden-
tify anomalous network traffic that may be a part of an intrusion or other unwanted
event. NTA is a strictly detective tool that does not prevent unwanted traffic. In all cases,
when an NTA system identifies potentially unwanted traffic, someone must take action
to identify the business nature of the traffic and take steps to block it if needed.
NTA systems work by “learning” about all of the network “conversations” that take
place between systems. Over time, the NTA system will easily recognize anomalous
traffic, which is network traffic that is novel or unique when compared to all of the
traffic that it knows about. There are a number of ways in which an NTA system will
identify traffic as anomalous:
• Traffic between two systems that rarely, if ever, have directly communicated before
• Traffic between two systems on a network port that rarely, if ever, has been
used before
CISM Certified Information Security Manager All-in-One Exam Guide
286
• Traffic between two systems at a higher volume than has been observed before
• Traffic between two systems taking place at a different time of day than has been
observed before
NTA systems generally do not examine the contents of traffic; instead, they identity
the systems, the ports used, and the volume of traffic.
To be effective, NTA systems need to be positioned at locations in a network where
large volumes of network traffic pass, such as backbone routers. But more commonly,
NTA systems utilize agents on various routers and collect the traffic centrally for analysis.
Figure 6-6 shows such an architecture.
There are two main types of NTA systems. The first is a dedicated system (an appli-
ance or virtual machine) that collects network traffic data from various points in the
network, as depicted in Figure 6-6. The second method is the use of detailed event log-
ging in core routers and firewalls that are sent to a SIEM, where NTA detection rules are
established. These two methods can achieve the same goal: detection of unusual network
traffic that may be signs of an intrusion or other unwanted event in the network.
Three standards are used for network behavior anomaly detection:
Figure 6-6
NTA systems Internet
collect data rom
several sources Edge
or analysis Router
Network
Trac
Core Core Core Collector
Core
Router Router Router Router
Anomaly
Detection
Internal Internal Internal Internal System
Network Network Network Network
Segment Segment Segment Segment
Chapter 6: Information Security Program Management
287
PART III
on some network routers and switches. A copy of all the network traffic passing
through the router or switch will be sent to the network tap. A network tap can be
connected to an IPS (which would be running in listen-only mode, since it would
not be inline in this case) or an NTA system. An advantage of a network tap is that
activities there do not interfere with the network itself.
Packet Sniffers A packet sniffer is a detective tool used by a security engineer or net-
work engineer to analyze traffic on a network. Originally external appliances, packet
sniffers today are software tools that can be installed on server and desktop operating
systems, as well as network devices. Packet sniffers are typically used when a network
engineer is troubleshooting a network issue to understand the precise nature of network
traffic flowing between devices on a network. Because even small networks can have large
volumes of traffic, packet sniffers employ rules that instruct it to display just the packets
of specific interest to the engineer.
Packet sniffers can retain specific types of packets for later analysis. For instance,
if a network engineer is troubleshooting a domain name system (DNS) problem, the
engineer can capture just the DNS packets so that she can examine the contents of
those packets, in hopes that this will lead to a solution to the problem. Because the
types of problems that an engineer may be troubleshooting can vary, packet sniffers
display packets in different ways, from Ethernet frames, to TCP/IP packets, to applica-
tion messages.
Figure 6-7 shows the popular Wireshark packet-sniffing tool running on macOS.
Wireless Network Protection When improperly managed, a wireless network can
become an avenue of attack. Older encryption protocols such as Wired Equivalent
Privacy (WEP) are highly vulnerable to eavesdropping and intrusion. Employees and
intruders may attempt to set up their own wireless network access points. Weak authen-
tication protocols may permit intruders to authenticate to wireless networks success-
fully. These and other types of attacks compel organizations to undertake a number
CISM Certified Information Security Manager All-in-One Exam Guide
288
PART III
Figure 6-8 End-user “access denied” screen rom web content ilter (Courtesy o Blueoxicy at
en.wikipidia.org)
CISM Certified Information Security Manager All-in-One Exam Guide
290
For instance, organizations sometimes elect to block traffic not only to sites associated
with malware, but also sites that contain specific content categories such as gambling,
pornography, weapons, or hate crimes. Sometimes organizations are put in the difficult
position of web censorship when employees accuse them of blocking access to sites they
want to visit, even if those sites are not business related.
Initial web content filtering products took the form of inline devices located in an
organization’s data center, thereby protecting all users connected to the internal network.
But with more organizations employing remote workers, newer web content filtering
products take the form of software agents installed on endpoints so that web content
protection takes place regardless of each user’s location.
Cloud Access Security Broker A cloud access security broker (CASB) is a security
system that monitors and, optionally, controls users’ access to Internet web sites. The
purpose of a CASB is to protect sensitive information by observing which service provid-
ers can be accessed by users and controlling or blocking access as necessary. For example,
suppose an organization has purchased a corporate account with the cloud-based file
storage company known as Box. To prevent users from storing sensitive company data
with other cloud-based file storage companies, the CASB will be configured to block all
users’ access to the other cloud-based file storage vendors.
Occasionally, employees will need to retrieve files from another organization that uses
a different cloud-based file storage service; most CASB systems permit exceptions where
individual users are permitted access to other services. In many cases, CASB systems are
aware of and can control individual actions such as file storage versus file retrieval, and
exceptions can be made so that individual users can be permitted to store or retrieve files
in unsanctioned services.
CASB functionality resembles the capabilities of web content filters. It is my belief
that CASB capabilities will be fully integrated into web content filter products, leading
to the near disappearance of stand-alone CASB solutions.
DNS Filtering A DNS filter is a content-filtering tool that works through manipula-
tion of DNS queries and replies. Like a web content filter, the purpose of a DNS filter
is the protection of an organization from malware and other unwanted content. Essen-
tially, a DNS filter functions much like a web content filter, but its functionality can be
extended to other applications and systems in addition to web browsing. For users using
web browsers, when a user attempts to view a site that is known by the DNS filter to
be malicious (or is part of a blocked category), the response to the DNS query from the
user’s workstation will direct the user’s browser to a page that informs the user that access
to the site has been blocked.
On consumer devices, end users can easily change the DNS servers from the network-
supplied default to any of several well-known public DNS servers, thereby bypassing any
local DNS filters. However, organizations can lock down the network configuration of
their devices, preventing employees from changing DNS settings and thereby preserving
protections provided by their DNS filters.
E-mail Protection: Spam and Phishing Filters E-mail has been a preferred method
for propagating malware for decades. More than 90 percent of successful network intru-
sions begin with phishing messages sent to scores of targeted users in the hopes that one
Chapter 6: Information Security Program Management
291
or more of them will open a malicious document or visit a compromised web site. The
“trendy” schemes include business e-mail compromise (where a fraudster sends e-mails
to company executives requesting them to wire large amounts of money in support of a
secret merger or acquisition) and ransomware (malware that encrypts users’ files and then
demands a ransom in exchange for file recovery). To avoid compromise, many organiza-
tions employ e-mail protection in the form of spam and phishing filters to keep those
unwanted messages from ever reaching end users.
Spam and phishing e-mail filters generally have the following characteristics:
• Built-in rules are used to determine whether any individual e-mail message should
be blocked.
• Blocked e-mails are stored in quarantine. End users can typically access their
quarantine to view messages and release (to their e-mail inbox) messages that
should not have been blocked.
PART III
• Whitelists and blacklists are centrally configurable and generally configurable by
end users. These specify which e-mail messages, as well as messages from anyone
in the domain, should always be blocked or permitted.
In organizations that give users no visibility or control over spam and phishing
blocking, end users have no visibility or control regarding blocked messages. In some
organizations, users can contact the IT service desk to request that any messages from
specific e-mail addresses be released to them. In organizations that give users full vis-
ibility and control over the handling of spam and phishing e-mails, end users may
view their quarantine, release individual messages, and manage their blacklists and
whitelists on their own.
The following terms are used in the context of unwanted e-mail messages:
PART III
• Verified and allowed user location
• Whether the user is believed to already be connected elsewhere (preventing a
compromised credentials attack)
Users may be required to reauthenticate after periods of time to ensure that the
named user is still the person using the system.
• Resource access Known users are permitted to access only the resources that
are specifically allowed. Additional policies may include:
• Time of day or day of week
• Such access requires MFA
• Only specific roles and resources may be accessed
• Potential limits on transactions or activities based on rules
• Reauthentication to perform high-value or high-risk tasks
• Logging All of the preceding activities are logged to a SIEM and/or user
behavior analytics (UBA) system for further analysis that could result in alerts
or alarms if business rules are violated. Well-known rules could be tied to a
SOAR-TIP platform that would automatically disconnect the user and the
device being used if an access violation has occurred.
ZT architecture is defined and described in NIST SP 800-207, “Zero Trust Archi-
tecture,” available from https://csrc.nist.gov/publications/detail/sp/800-207/final. The
United Kingdom’s National Cyber Security Centre (NCSC) recommends that all new
network deployments utilize ZT principles.
PART III
Organizations often maintain endpoint configuration standards that detail the opera-
tional and security configuration for its endpoints. Occasionally the security configura-
tion for endpoints will reside in a separate hardening standard document.
Malware Prevention The nature of endpoint computing and the designs of modern
operating systems mean that malware is a problem that is not going away any time soon.
On the contrary, with the advent of ransomware and destructware, malware is getting
more potent and destructive. This does not diminish the impact of older generations of
malware that give attackers the ability to access victims’ systems remotely (using remote
access Trojan, or RAT, software), search for and exfiltrate sensitive data, steal login cre-
dentials with keyloggers, relay spam and phishing messages, and participate in DDoS
attacks against other organizations.
There are many types of malware. Any individual species of malware may have one or
more of the following characteristics:
Application Whitelisting Organizations can use security tools that employ applica-
tion whitelisting, which permits only registered or recognized programs to execute on
a system. This approach can prevent malware from executing on an endpoint, and
can also be used to manage policy concerning what software is permitted to be run
on systems.
Chapter 6: Information Security Program Management
297
Endpoint Detection and Response Endpoint detection and response (EDR) represents
an expansion of protective capabilities employed on endpoints. Going further than anti-
malware, EDR solutions employ additional capabilities, such as application whitelisting,
intrusion detection, web content filtering, firewall, data loss prevention, and others, all in
an integrated solution. EDR provides more comprehensive protection than antimalware
alone. An extended detection and response (XDR) system is an EDR system with extended
capabilities, such as having additional features or being SaaS-based.
PART III
couple of times each year because of the slow emergence of computer viruses. But
over the years, more and more computer viruses have been discovered, resulting in
signature updates multiple times each day.
The creators of malware have won the battle. The techniques used to create mal-
ware include a process known as packing, whereby the malware program is packaged
into an executable (EXE) file. Today, many species of malware repackage themselves
prior to attacking each successive endpoint and employ some randomness in the
process. The result is that each infected endpoint’s virus signature is unique and will
never again be seen in the world. Signature-based antivirus software cannot deal
with that and has therefore run its course.
Virtual Desktop Infrastructure Organizations that are highly concerned with mal-
ware and other risks associated with endpoint computing can implement virtual desktop
infrastructures (VDIs). In a VDI, end-user computing takes place on highly controlled,
centralized servers, and end users’ computers are essentially functioning as terminals.
VDI reduces the risk of malware on endpoints, since endpoints with VDI have a far
smaller attack surface than a typical endpoint operating system. Further, no business data
is stored or processed on the endpoint or directly accessed by the endpoint; instead, data
resides and remains on centralized servers.
Organizations often use enterprise versions of antimalware on endpoints. Unlike
consumer-class antimalware programs that act as stand-alone applications, enterprise
versions utilize a centralized console that permits an engineer to observe and manage
antimalware running on thousands of endpoints. Enterprise consoles can be used to
reinstall antimalware when needed, run scans of file systems on demand, and change
configurations for any or all endpoints. When malware is detected, consoles can send
detailed messages to SIEM systems, alerting personnel in a security operations center
(SOC) of the incident so that appropriate action can be taken.
CISM Certified Information Security Manager All-in-One Exam Guide
298
• End users were able to install programs, install drivers, and change system
configuration at will, thereby relieving the IT service desk of having to do
these actions themselves. While this practice relieving the service desk of
drudgery, if an end user botched an install or destroyed the system’s registry,
service desk personnel had to recover the end user’s system, which sometimes
required hours of work.
• Malware often executes at the same privilege level as the end user, so when
the end user is a local administrator, malware has the run of the machine
and can do anything it needs, without restriction. This can make malware
attacks far more potent, because the malware can alter any portion of the
operating system.
Gradually, IT organizations have taken back administrative privileges from their
end users, but not without a fight. In numerous cases, end users would complain
and even revolt: they wanted to install their iTunes, personal income tax software, and
anything else they wanted. After years of having local admin rights, end users felt
entitled to do anything they pleased. Some even went so far as to say that the term
personal computer meant they could do anything and everything they wanted!
Fortunately, newer versions of Windows have improved the situation by permitting
end users without administrative privileges to perform a few “admin-like” tasks. Some
users are still not completely happy, but the number of skirmishes has been reduced.
PART III
of MFA. The advantage of MFA is that cases of user ID and password compromise do
not permit an attacker to access information unless they also have the user’s mobile
device in their possession.
The use of userids, passwords, and MFA is giving way to passwordless authentication,
where authentication consists of an end user providing a userid together with a second
factor such as a hardware token or biometric.
Often, access operations are performed by the IT department, while access reviews
and recertifications are performed by information security as a form of a check-and-
balance system. It would not make sense for IT to perform access reviews because they
would be checking their own work, and employees performing these reviews might be
tempted to cover up their mistakes.
Access Governance Access governance refers to the development of policies, business
rules, and controls concerning access to assets and information. These activities ensure
that access management operations are managed properly.
Access Operations IAM is an activity-filled discipline that involves everyday activities
such as the following:
Accumulation of Privileges
Users who work in an organization for many years may, during their tenure, hold
a number of positions in one or more departments. When a user moves from one
department to another, the user will require access to new roles or information
systems. Over many years, a user may have access to many more information systems
and roles than are needed in his or her current role. This phenomenon is known as
accumulation of privileges.
This is not an easily solved problem. When a user transfers to another department,
it makes sense that the user’s prior job-related access rights should be terminated right
away. However, several factors make this infeasible:
Segregation of Duties In the course of managing user access schemes, security man-
agers will recognize that several high-value and high-risk roles in business processes are
implemented in information systems and applications. Segregation of duties (aka separa-
tion of duties) helps ensure that no single individual possesses privileges that could result
in unauthorized activities or the manipulation or exposure of sensitive data.
Chapter 6: Information Security Program Management
301
The purpose of segregation of duties is to require that two or more people perform
high-value and high-risk activities. This makes it far more difficult for individuals to
defraud the organization. For example, segregation of duties is important to avoid a
single individual being able to request a user account and provision that user account. It’s
also important to avoid theft and other malicious activities. For example, an accounting
department can allocate roles to individuals so that no single individual has the ability to
create a vendor, request a payment to the vendor, and approve a payment to the vendor.
If this combination of access rights were granted to a single individual, it could be tempt-
ing for the employee to set up a fictitious vendor and then send payments to that vendor.
In a segregation of duties access review, the security manager examines user access
rights to various high-risk and high-value roles to determine whether any individuals
have access to more than one role within these functions. Any such findings are identified
and corrective actions are applied.
In some situations, particularly in smaller organizations, there may not be enough
PART III
personnel to separate high-value and high-risk activities between two or more persons.
In such cases, security managers should recommend that detailed activity reviews be
performed periodically to ensure that no fraudulent or erroneous activities are taking
place. In high-risk and high-value activities, activity reviews often occur anyway, but
when segregation of duties cannot be achieved, these reviews may take place more often
or be more thorough.
Privileged and High-Risk Roles Information systems and applications typically have
roles for ordinary users, as well as roles that are administrative in nature. These adminis-
trative roles are granted a number of high-risk capabilities, including the creation of user
accounts, system configuration, and alteration of records. These privileged roles often
warrant more frequent and more thorough reviews to ensure that the fewest possible
numbers of workers are granted these roles.
Activity Reviews An activity review is an examination of an information system to
determine which users have been active and which have not been active. The primary
purpose of an access review is to identify user accounts that have had no activity for an
extended period of time, typically 90 days. The rationale is that if a user has not used an
application in more than 90 days, the person probably does not require access to that
system. Removing or locking such a user’s access helps reduce risk of compromise: if the
user’s credentials were compromised, they could not be used to access the system. An
activity review is a corrective control that helps reduce accumulation of privileges.
Access Recertification Access recertification is a periodic review in which information
system owners review lists of users and their roles and determine for each user and role
whether their access is still required. Like other reviews, personnel often create a busi-
ness record showing which users and roles were examined and what corrective actions
were applied. Access recertification is a corrective control that helps reduce accumula-
tion of privileges.
User Behavior Analytics User behavior analytics (UBA), sometimes known as end user
behavior analytics (EUBA), represents an emerging technology whereby individual users’
behaviors are baselined and anomalous activity triggers events or alarms. UBA systems
CISM Certified Information Security Manager All-in-One Exam Guide
302
work by observing users’ behavior over time and creating events or alarms when user
behavior deviates from the norm. UBA is one of several forms of behavior anomaly
detection that helps organizations detect unauthorized activities performed by employees
or find attackers who have successfully compromised their user accounts.
UBA capabilities can exist in many different contexts. For example, a cloud-based
file storage service can establish baselines for each user and report on incidents where
individual users are uploading or downloading copious amounts of information. Or an
application can baseline each user’s behavior and report on anomalies such as unusually
large dollar value transactions and other atypical activity. UBA capabilities can counter
insider threats, a broad category of threats ranging from errors and poor judgment to
malice (including information theft and fraud, as well as malware on a user’s computer
performing actions unknown to the user).
User and entity behavior analytics (UEBA) is functionally similar (if not identical) to
EUBA and UBA.
• Managed SIEM
• Managed vulnerability scanning
• Managed data loss prevention
• Managed endpoint security monitoring
• Managed detection and response (MDR)
• Security incident response and forensics
Chapter 6: Information Security Program Management
303
MSSPs monitor events and incidents in dozens or hundreds of customer organizations
and have a large staff to ensure full coverage at peak workloads. Because qualified security
personnel can be difficult to attract and retain, many organizations are turning to MSSPs
to offload routine tasks and free themselves of the burden of staffing and running a SOC.
Organizations that outsource parts of their security operations to an MSSP need to be
mindful of several considerations, including the following:
PART III
monitored and comply with the SLAs for alerting and response to events.
• Access management
• Backup and recovery
• Data classification
• Data loss prevention
• Cloud access security brokers
Cryptography is an important capability often used in support of data governance and
security and is covered in the next section.
User behavior analytics is an emerging capability that supports data governance and
security. UBA is discussed earlier in this chapter.
Access Management Access management is part of the broader discipline of IAM.
This topic is described in detail earlier in this chapter in the section “Identity and Access
Management.”
Backup and Recovery Many types of events can damage information, and some
circumstances compel an organization to revert to earlier versions of information. It’s
essential that copies of stored information exist elsewhere and in a form that enables IT
personnel to load this information easily into systems so that processing can resume as
quickly as possible.
CISM Certified Information Security Manager All-in-One Exam Guide
304
CAUTION Testing backups is important; testing recoverability is critical.
In other words, perorming backups is valuable only to the extent that
backed-up data can be recovered at a uture time.
Backup to Tape and Other Media In organizations still utilizing their own IT infra-
structure, tape backup is just about as ubiquitous as power cords. From a disaster
recovery perspective, however, the issue probably is not whether the organization has
tape backup but whether its current backup capabilities are adequate in the context of
disaster recovery. There are times when an organization’s backup capability may need
to be upgraded:
NOTE Backups have always been a critical activity in IT. Ransomware has
served to highlight its importance still urther.
Chapter 6: Information Security Program Management
305
Backup Schemes Three main schemes are used for backing up data:
PART III
• Frequency of change of the data set
• Performance requirements and the impact of backup jobs
• Recovery requirements
An organization that is creating a backup scheme usually starts with the most com-
mon scheme, which is a full backup once per week and an incremental or differential
backup every day. However, as stated previously, various factors will influence the design
of the final backup scheme. Here are some examples:
• A small data set could be backed up more than once a week, while an especially
large data set may be backed up less often.
• A more rapid recovery requirement may induce the organization to perform
differential backups instead of incremental backups.
• If a full backup takes a long time to complete, it should probably be performed
during times of lower demand or system utilization.
Backup Media Rotation Organizations will typically want to retain backup media for
as long as possible to provide a greater array of choices for data recovery. However, the
desire to maintain a large library of backup media will be countered by the high cost of
media and the space required to store it. And although legal or statutory requirements
may dictate that backup media be kept for some minimum period, the organization
may be able to find creative ways to comply with such requirements without retaining
several generations of such media. Some example backup media rotation schemes are
discussed here.
• First in, first out In this scheme, there is no specific requirement for retaining
any backup media for long periods (such as one year or more). The method in the
first in, first out (FIFO) rotation scheme specifies that the oldest available backup
tape is the next one to be used. The advantage of this scheme is its simplicity.
CISM Certified Information Security Manager All-in-One Exam Guide
306
Day of Cycle
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Backup Media Storage Backup media that remains in the same location as backed-up
systems is adequate for data recovery purposes but completely inadequate for disaster
recovery purposes: any event that physically damages information systems (such as fire,
smoke, flood, hazardous chemical spill, and so on) is also likely to damage backup media
that is stored nearby. To provide disaster recovery protection, backup media must be
stored off site in a secure location. Selection of this storage location is as important as the
selection of a primary business location: in the event of a disaster, the survival of the orga-
nization may depend upon the protection measures in place at the offsite storage location.
Chapter 6: Information Security Program Management
307
EXAM TIP CISM exam questions relating to osite backups may include
details or saeguarding data during transport and storage, mechanisms
or access during restoration procedures, media aging and retention, or
other details that may aid you during the exam. Watch or question details
involving the type o media, geolocality (distance, shared disaster spectrum
such as a shared coastline, and so on) o the osite storage area and the
primary site, or access controls during transport and at the storage site,
including environmental controls and security saeguards.
The criteria for selection of an offsite media storage facility are similar to the criteria
for selection of a hot/warm/cold recovery site, discussed in Chapter 7. If a media stor-
age location is too close to the primary processing site, it is more likely to be involved in
the same regional disaster, which could result in damage to backup media. However, if
PART III
the media storage location is too far away, it may take too long for a delivery of backup
media, which would result in an unacceptably long recovery operation.
Another location consideration is the proximity of the media storage location and the
hot/warm/cold recovery site. If a hot site is being used, chances are there is some other
near real-time means (such as replication) for data to get to the hot site. But a warm or
cold site may be relying on the arrival of backup media from the offsite media storage
facility, so it may make sense for the offsite facility to be near the recovery site.
An important factor when considering offsite media storage is the method of delivery
to and from the storage location. Chances are that the backup media is being transported
by a courier or a shipping company. It is vital that the backup media arrive safely and
intact and that the opportunities for interception or loss are reduced as much as possible.
Not only can a lost backup tape make recovery more difficult, but it can also cause an
embarrassing security incident if knowledge of the loss becomes public. From a confi-
dentiality/integrity perspective, encryption of backup tapes is a good idea, although this
digresses somewhat from disaster recovery (concerned primarily with availability).
Backup media that must be kept on site should be stored in locked cabinets or store-
rooms that are separate from the rooms where backups are performed. This will help to
preserve backup media if a minor flood, relatively small fire, or other event occurs in the
room containing computers that are backed up.
• Disk storage system Data-write operations that take place in a disk storage
system (such as a SAN or NAS) can be transmitted over a network to another
disk storage system, where the same data will be written to the other disk
storage system.
• Operating system The operating system can control replication so that updates
to a particular file system can be transmitted to another server where those updates
will be applied locally on that other server.
• Database management system The database management system (DBMS)
can manage replication by sending transactions to a DBMS on another server.
• Transaction management system The transaction management system (TMS)
can manage replication by sending transactions to a counterpart TMS located
elsewhere.
• Application The application can write its transactions to two different storage
systems. This method is not often used.
• Virtualization Virtual machine images can be replicated to recovery sites to
speed the recovery of applications.
Primary-backup replication can take place from one system to another system. This
is the typical setup when data on an application server is sent to a distant storage system
for data recovery or disaster recovery purposes. Multiprimary or multimaster replication
can also be bidirectional between two or more active servers. This method is more
complicated because simultaneous transactions on different servers could conflict with
one another (such as two reservation agents trying to book a passenger in the same seat
on an airline flight). Some form of concurrent transaction control would be required,
such as a distributed lock manager.
Chapter 6: Information Security Program Management
309
In terms of the speed and integrity of replicated information, there are two types of
replication:
PART III
replicate to the remote server, subject to the available bandwidth of the network
connection between the local and remote storage systems.
Data Classification A data classification policy defines sensitivity levels and handling
procedures for protecting information. Data classification relies partly on human judg-
ment and partly on automation to prevent misuse and compromise of sensitive informa-
tion. Data classification is discussed fully in Chapter 5.
Data Loss Prevention Data loss prevention (DLP) represents a variety of capabilities
by which the movement and/or storage of sensitive data can be detected and, optionally,
controlled. DLP technology is considered a content-aware control that some organiza-
tions use to detect and even control the storage, transmission, and use of sensitive data.
There are two main types of DLP systems:
• Static DLP These tools are used to scan unstructured data storage systems for
sensitive information. They can be effective at discovering sensitive data that
personnel copy to file servers. Often, users will export sensitive data out of a
business application to a spreadsheet and store that data on a file server or cloud-
based file storage service. Sometimes this sensitive data is readable by most or all
organization personnel and even personnel outside of the organization.
• Dynamic DLP These tools reside in, or communicate with, file storage systems,
USB-attached removable storage devices, and e-mail systems, and they are used to
detect and even block the movement of sensitive data. Depending on the nature of
the data being moved, users may be warned of the activity they are undertaking or
their actions may be blocked.
CISM Certified Information Security Manager All-in-One Exam Guide
310
Implementing DLP systems is a challenging undertaking, mainly because organiza-
tions require a thorough understanding of how sensitive and critical data is stored and
used. A DLP system can inadvertently block legitimate uses of data while permitting
undesired actions.
Digital Rights Management Digital rights management (DRM) represents access con-
trol technologies used to control the distribution and use of electronic content. Still con-
sidered an emerging technology and practice, DRM exists today in rather narrow usage
models and has yet to be widely adopted in general ways. Current capabilities include
the following:
Cryptography
Cryptography is the practice of hiding information in plain sight, and encryption is the
application of cryptography that converts data into a code in an attempt to hide the
information from unintended viewers. The purpose of encryption is to make it difficult
(“impossible” is a word to be avoided here) for someone other than the intended receiver
to be able to access the information. Encryption works by scrambling the characters in a
message using a method known only to the sender and receiver, which makes the message
useless to any unintended party that intercepts the message.
Encryption plays a key role in the protection of sensitive and valuable information. In
some situations, it is not practical or feasible to prevent third parties from having logi-
cal access to data—for instance, data transmissions over public networks. Encryption is
also used as a barrier of last resort—for instance, encryption of data on backup media, to
protect the data should that media be lost or stolen.
Encryption can also be used to authenticate information that is sent from one party to
another. This means that a receiving party can verify that a specific party did, in fact, origi-
nate a message and that it is authentic and unchanged. This enables a receiver to know that
a message is genuine and that it has not been forged or altered in transit by any third party.
With encryption, best practices call for system designers to use well-known, robust
encryption algorithms. Thus, when a third-party intercepts encrypted data, the third
party can know which algorithm is being used but still not be able to read the data. What
the third party does not know is the key that is used to encrypt and decrypt the data. How
this works will be further explained in this section.
PART III
fixed-length string of characters, used to verify the integrity of a message.
• Message digest The output of a cryptographic hash function.
Figure 6-10
Important Message
Encryption and
decryption utilize
an encryption
algorithm and an
encryption key.
Key Encryption Algorithm
Ciphertext
???
Transmit
to Intruder cannot
Recipient read message.
Ciphertext
Original Message
CISM Certified Information Security Manager All-in-One Exam Guide
312
• Digital signature The result of encrypting the hash of a message with the
originator’s private encryption key, used to prove the authenticity and integrity
of a message. This is depicted in Figure 6-11.
• Algorithm A specific mathematical formula used to perform encryption,
decryption, message digests, and digital signatures.
• Decryption The process of transforming ciphertext into plaintext so that a
recipient can read it.
• Cryptanalysis An attack on a cryptosystem whereby the attacker is attempting
to determine the encryption key that is used to encrypt messages.
• Encryption key A block of characters, along with an encryption algorithm,
used to encrypt or decrypt a stream or blocks of data. An encryption key is also
used to create and verify a digital signature.
User A
Private
Key
Original Encrypted
Hash Encrypt
Message Hash
“Signature” User B
Original
Data
Original Message
Hash
Message Hash
User A
Public Compare. If equal,
Key signature is valid.
Encrypted Decrypted
Decrypt
Hash Hash
PART III
decryption, and digital signatures that uses pairs of encryption keys: a public key
and a private key.
• Key exchange A technique used by two parties to establish a symmetric
encryption key when there is no secure channel available.
• Nonrepudiation The property of encryption and digital signatures that
can make it difficult or impossible for a party to deny having sent a digitally
signed message, unless the party admits to having lost control of their private
encryption key.
Public Key Cryptosystems Public key cryptosystems are based on asymmetric, or pub-
lic key, cryptographic algorithms. These algorithms use two-part encryption keys that are
handled differently from encryption keys in symmetric key cryptosystems.
Key Pair The encryption keys used in public key cryptography are called the public key
and the private key. Each user of public key cryptosystems possesses this key pair. The
two keys require different handling and are used together but for different purposes, as
explained in the following paragraphs. When a user generates a key pair, the key pair will
physically exist as two separate files. The user is free to publish or distribute the public
key openly; it could even be posted on a public web site. This is in contrast to the private
key, which must be well protected and never published or sent to any other party. Most
public key cryptosystems utilize a password mechanism to further protect the private
key; without its password, the private key is inaccessible and cannot be used.
Message Security Public key cryptography is an ideal application for securing
messages—e-mail in particular—because users do not need to establish and communi-
cate symmetric encryption keys through a secure channel. With public key cryptography,
users who have never contacted each other can immediately send secure messages to each
other. Figure 6-12 depicts public key cryptography.
Every user is free to publish a public encryption key so that it is easily retrievable.
There are servers on the Internet where public keys can be published and made available
to anyone in the world. Public key cryptography is designed so that open disclosure of
Chapter 6: Information Security Program Management
315
User B User B
Public Private
Key Key
User A User B
a user’s public key does not compromise the secrecy of the corresponding private key: a
user’s private key cannot be derived from the public key.
PART III
When User A wishes to send an encrypted message to User B, the procedure is as follows:
1. User B publishes his public key to the Internet at a convenient location.
2. User A retrieves User B’s public key.
3. User A creates a message and encrypts it with User B’s public key and sends the
encrypted message to User B.
4. User B decrypts the message with his private key and is able to read the message.
Note that only User B’s encryption key is used in this example. This method pro-
tects the message from eavesdroppers, but it is not used to verify the authenticity of
the message.
Public key cryptography can also be used to verify the authenticity and integrity of a
message—to verify that a specific party did, in fact, create the message. The procedure
is as follows:
In this example, only the authenticity and integrity of a message are assured. The
message is not encrypted, which means that any party that intercepts the message can
read it.
Public key cryptography can be used both to encrypt and digitally sign a message, which
will guarantee its confidentiality as well as its authenticity. The procedure is as follows:
1. User A and User B publish their public encryption keys to convenient places.
2. User A retrieves User B’s public key, and User B retrieves User A’s public key.
CISM Certified Information Security Manager All-in-One Exam Guide
316
3. User A creates a message, signs it with his private key and encrypts it with User
B’s public key, and then sends the message to User B.
4. User B decrypts the message with his private key and verifies the digital signature
with User A’s public key.
Public key cryptography also supports encryption of a message with more than one
user’s public key. This permits a user to send a single encrypted message to several
recipients, which can be encrypted with each of their public keys. This method does
not compromise the secrecy of any user’s private key, since a user’s private key cannot be
derived from the public key.
Verifying Public Keys It is possible for a fraudster to claim the identity of another
person and even publish a public key that claims the identity of that person. Four
methods are available for verifying a user’s public key as genuine:
• Certificate authority (CA) A public key that has been obtained from a trusted,
reputable CA can be considered genuine.
• E-mail address Public keys used for e-mail will include the user’s e-mail address.
If the e-mail address is part of a corporate or government domain (for example,
apple.com or seattle.gov), then some level of credence can be attributed to the
successful exchange of messages with that e-mail address. However, since e-mail
addresses can be spoofed, this should be considered a weak method at best.
• Directory infrastructure A directory services infrastructure such as Microsoft
Active Directory, Lightweight Directory Access Protocol (LDAP), or a commercial
product can be used to verify a user’s public key.
• Key fingerprint Many public key cryptosystems employ a method for verifying
a key’s identity, known as the key’s fingerprint. If a user wants to verify a public
key, the user retrieves the public key and calculates the key’s fingerprint. The user
then contacts the claimed owner of the public key, who runs a function against his
private key that returns a string of numbers. The user also runs a function against
the owner’s public key, also returning a string of numbers. If both numbers match,
the public key is genuine.
NOTE When issuing a public key, it is essential that the requestor o the new
public key be authenticated, such as by viewing a government-issued ID or
by contacting the owner at a publicly listed telephone number.
Chapter 6: Information Security Program Management
317
Hashing and Message Digests Hashing is the process of applying a cryptographic
algorithm on a block of information that results in a compact, fixed-length digest. The
purpose of hashing is to provide a unique and compact “fingerprint” for the message or
file—even if the file is very large. A message digest can be used to verify the integrity of
a large file, thus assuring that the file has not been altered. Properties of message digests
that make them ideally suited for verifying integrity include the following:
PART III
One common use of message digests is on software download sites, where the
computed hash for a downloadable program is available so that users can verify that
the software program has not been altered (provided that the posted hash has not also
been compromised).
Digital Signatures A digital signature is a cryptographic operation whereby a sender
“seals” a message or file using her identity. The purpose of a digital signature is to authen-
ticate a message and to guarantee its integrity. Digital signatures do not protect the con-
fidentiality of a message, however, as encryption is not one of the operations performed.
Digital signatures work by encrypting hashes of messages; recipients verify the integrity
and authenticity of messages by decrypting hashes and comparing them to original mes-
sages. In detail, a digital signature works like this:
1. The sender publishes his public key to the Internet at a location that is easily
accessible to recipients.
2. The recipient retrieves the sender’s public key and saves it for later use.
3. The sender creates a message (or file) and computes a message digest (hash) of the
message and then encrypts the hash with his private key.
4. The sender sends the original file plus the encrypted hash to the recipient.
5. The recipient receives the original file and the encrypted hash. The recipient
computes a message digest (hash) of the original file and sets the result aside.
She then decrypts the hash with the sender’s public key. The recipient compares
the hash of the original file and the decrypted hash.
6. If the two hashes are identical, the recipient knows that (a) the message in her
possession is identical to the message that the sender sent, (b) the sender is the
originator, and (c) the message has not been altered.
The use of digital signatures was depicted earlier in this chapter in Figure 6-11.
CISM Certified Information Security Manager All-in-One Exam Guide
318
Digital Envelopes One aspect of symmetric (private key) and asymmetric (public key)
cryptography that has not yet been discussed is the performance implications of these
two types of cryptosystems. Broadly speaking, public key cryptography requires far more
computing power than private key cryptography. The practical implication of this is that
public key encryption of large sets of data can be highly compute-intensive and make
its use infeasible in some occasions. One solution to this is the use of a so-called digital
envelope that utilizes the convenience of public key cryptography with the lower overhead
of private key cryptography. This practice is known as hybrid cryptography. The procedure
for using digital envelopes works like this:
1. The sender and recipient agree that the sender will transmit a large message to
the recipient.
2. The sender selects or creates a symmetric encryption key, known as the session key,
and encrypts the session key with the recipient’s public key.
3. The sender encrypts the message with the session key.
4. The sender sends the encrypted message (encrypted with the session key) and the
encrypted session key (encrypted with the recipient’s public key) to the recipient.
5. The recipient decrypts the session key with his private key.
6. The recipient decrypts the message with the session key.
• Digital certificates This digital credential consists of a public key and a block of
information that identifies the owner of the certificate. The identification portion
of a digital certificate will follow a standard, structured format and include such
data as the owner’s name, organization name, and other identifying information,
such as e-mail address. The public key and the identifying information will reside
in a document that is itself digitally signed by a trusted CA.
• Certificate authority (CA) This business entity issues digital certificates and
publishes them in the PKI. The CA vouches for the identity of each of the digital
certificates in a PKI; the CA undergoes certain safeguards to ensure that each
digital certificate is genuine and really does belong to its rightful owner.
Chapter 6: Information Security Program Management
319
• Registration authority (RA) The RA operates within or alongside a CA to
accept requests for new digital certificates. The RA vets the request, carefully
examines it, and undergoes steps to verify the authenticity of the person making
the request. This verification may include viewing government-issued ID cards
or passports or taking other steps as needed to make sure that the request is
originating from the genuine person and not an imposter. When the RA is
satisfied that the requestor is indeed the person making the request, the RA will
issue a digital certificate. Part of the certificate issuance will be the delivery of
private encryption keys to the requesting party. This may take place in person
or over a secured electronic connection.
• Certificate revocation list (CRL) Some circumstances may require that a
user’s digital certificate be cancelled or revoked. These circumstances include
termination of employment (if a person’s certificate was issued expressly for
PART III
employment-related purposes) or loss or compromise of a user’s private key.
A CRL is an electronic list of digital certificates that have been revoked prior to
their expiration date. To be effective, any consumer of digital certificates needs
to consult a CRL to be doubly sure that a certificate remains valid.
• Certification practice statement (CPS) This published statement describes
the practices used by the CA to issue and manage digital certificates. This helps
determine the relative strength and validity of digital certificates that are issued
by the CA.
Key Management Key management comprises the various processes and procedures
used by an organization to generate, protect, use, and dispose of encryption keys over
their lifetimes. Several of the major practices are described in this section.
Key Generation An encryption key life cycle starts with its generation. While at first
glance it would appear that this process should require little scrutiny, further study
shows that this is a critical process that requires safeguards. The system on which key
generation takes place must be highly protected. If keys are generated on a system that
has been compromised or is of questionable integrity, it would be difficult to determine
whether a bystander could have electronically observed key generation. For instance,
if a keylogger or other process spying tool were active in the system when keys were
generated, key generation may have been observable and details about keys captured.
This would mean that newly minted keys have already been compromised if an outsider
knows their identities.
In many situations, it would be reasonable to require that systems used for key genera-
tion be highly protected, isolated, and used by as few people as possible. Regular integrity
checks would need to take place to make sure the system continues to be free of any
problems. Furthermore, the key generation process needs to include some randomness
(or, as some put it, entropy) so that the process cannot be easily duplicated elsewhere. If
key generation were not a random event, it could be possible to duplicate the conditions
related to a specific key and then regenerate a key with the very same value. This would
instantaneously compromise the integrity and uniqueness of the original key.
CISM Certified Information Security Manager All-in-One Exam Guide
320
Key Protection Private keys used in public key cryptosystems and keys used in sym-
metric cryptosystems must be continuously and vigorously protected. At all times, they
must be accessible only to the parties that are authorized to use them. If protection mea-
sures for private encryption keys are compromised (or suspected to be), it will be possible
for a key compromise to take place, enabling the attacker to view messages encrypted
with these keys and create new encrypted messages in the name of the key’s owner. A key
compromise is any event whereby a private encryption key or symmetric encryption key
has been disclosed to any unauthorized third party. When a key compromise occurs, it
will be necessary to re-encrypt all materials encrypted by the compromised key with a
new encryption key.
Key-Encrypting Keys Applications that utilize encryption must obtain their encryp-
tion keys in some way. In many cases, an intruder may be able to examine the applica-
tion in an attempt to discover an encryption key in hopes of decrypting communications
used by the application. A common remedy for this is the use of encryption to protect
the encryption key. This additional encryption requires a key of its own, known as a
key-encrypting key. Of course, this key also must reside someplace; often, features of the
underlying operating system may be used to protect an encryption key as well as a key-
encrypting key.
Key Custody Key custody refers to the policies, processes, and procedures regarding the
management of keys. This is closely related to key protection but is focused on who man-
ages keys and where they are kept.
Key Rotation Key rotation is the process of issuing a new encryption key and
re-encrypting data protected with the new key. Key rotation may occur when any of the
following occurs:
• Key compromise When an encryption key has been compromised, a new key
must be generated and used.
• Key expiration This happens where encryption keys are rotated on a schedule.
• Rotation of staff In some organizations, if any of the persons associated with
the creation or management of encryption keys transfers to another position or
leaves the organization, keys must be rotated.
Key Disposal Key disposal refers to the process of decommissioning encryption keys.
This may be done upon receipt of an order to destroy a data set that is encrypted with a
specific encryption key—destroying an encryption key can be as effective (and a whole
lot easier) than destroying the encrypted data itself. Key disposal can present some
Chapter 6: Information Security Program Management
321
challenges, however. If an encryption key is backed up to tape, for instance, disposal of
the key will require that backup tapes also be destroyed.
Encryption Applications Several applications utilize encryption algorithms. Many of
these are well known and in common use.
Secure Sockets Layer and Transport Layer Security Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) are the encryption protocols used to encrypt web pages
requested with the Hypertext Transfer Protocol/Secure (HTTPS) protocol. Introduced
by Netscape Communications for use in its own browser, SSL and its successor, TLS,
have become de facto standards for the encryption of web pages.
SSL and TLS provide several cryptographic functions, including public key encryp-
tion, private key encryption, and hash functions. These are used for server and client
authentication (although in practice, client authentication is seldom used) and session
encryption. SSL and TLS support several encryption algorithms, including AES, RC4,
PART III
IDEA, DES, and Triple DES, and several key lengths, from 40 to 256 bits and beyond.
Weaknesses were discovered in all versions of SSL, as well as the first version of TLS. No
versions of SSL or TLS 1.0 should be used.
EXAM TIP Test-takers need to understand that all versions o SSL and the
early version o TLS are now considered deprecated and should no longer
be used. The term SSL is still commonly used, however, and it reers to the
context but not the algorithm.
Figure 6-13
Security reviews
More Rigorous
Security
Reviews
More Structured
Chapter 6: Information Security Program Management
323
Security Reviews
Sometimes known as a control review, this examination of a process, procedure, system,
program, or other object determines the state of security. A security review may be part
of an ad hoc request, or it may be part of a repeatable business process. These are some
examples of security reviews:
• Review of a firewall configuration to ensure that all expected rules are present and
that there are no unwanted rules such as “any-any”
• Review of source code as part of the software development life cycle to ensure that
the code in question is free of security defects
• Review of an employee onboarding procedure to make sure that necessary security
steps are followed
PART III
Organizations sometimes perform security reviews in advance of an audit in an
attempt to avoid encountering unexpected audit findings. A security review may also
be a pre-audit, a sort of “dry run” prior to an audit that helps ensure that personnel are
familiar with the subject matter that auditors will be asking them about during the audit.
Security reviews are generally less rigorous than security audits. Security reviews are
generally devoid of rules for evidence collection, types of testing, or sampling techniques.
For instance, a security review of a firewall configuration may glance at its rules, whereas
an audit may examine each individual rule: its purpose and meaning, who approved it,
and when it will next be reviewed.
Audits
An audit is a systematic and repeatable process whereby a competent and independent
professional evaluates one or more controls, interviews personnel, obtains and analyzes
evidence, and develops a written opinion on the effectiveness of a control. In an audit of
information systems and the processes that support them, an information systems audi-
tor interviews personnel, gathers and analyzes evidence, and delivers a written opinion
on the effectiveness of controls implemented in information systems.
There are generally two parties in an audit: the auditor and the auditee. This is true
whether the audit is formal or informal and whether it’s internal or external. In terms
of the context of an audit, there are two types: internal audit and external audit. These
have to do with who performs the audit and why. Otherwise, the methodologies and
techniques used in auditing are the same.
NOTE For a more complete discussion on audits and auditing, see CISA
Certified Information Systems Auditor All-in-One Exam Guide, Fourth Edition
(McGraw Hill, 2020).
CISM Certified Information Security Manager All-in-One Exam Guide
324
Audit Techniques Like most any business undertaking, an audit is a planned event.
Formal planning is required so that the organization successfully achieves the objectives
for an audit. The types of planning that are required include the following:
• Purpose The auditor and the auditee must establish why an audit is to be
performed. The purpose for a particular audit could be to determine the level
of compliance to a particular law, regulation, standard, or contract. Another
reason could be to determine whether specific control deficiencies identified in
past audits have been remediated. Still another reason is to determine the level
of compliance to a new law, standard, or contract that the organization may be
subject to in the future.
• Scope The auditor and the auditee must also establish the scope of the audit.
Often, the audit’s purpose will make the scope evident, but not always. Scope
may be multidimensional: it could involve a given period in which the body of
evidence includes records spanning from a start date to an end date, or it could
involve geography (systems in a particular region or locale), a technology (systems
using a specific operating system, a database, application, or other aspect), a
business process (systems that support specific processes such as accounting,
order entry, or customer support), or a segment of the organization.
• Risk analysis To know which areas require the greatest amount of attention, the
auditor needs to be familiar with the levels of risk associated with the domain being
audited. Two different perspectives of risk may be needed. First, the auditor needs
to know the relative levels of risk among the different aspects of the domain being
audited so that audit resources can be allocated accordingly. For example, if the
subject of an audit is an enterprise resource planning (ERP) system and the auditor
knows that the accounts receivable function has been problematic in the past, the
auditor will probably want to devote more resources and time on the accounts
receivable function than on others. Second, the auditor needs to know about the
absolute level of risk across the entire domain being audited. For example, if this is
an audit to determine compliance to new legislation, the overall risk could be very
high if the consequences of noncompliance are high. These aspects of risk enable
the auditor to plan accordingly.
• Audit procedures The purpose and scope of the audit may help to define the
procedures that will be required to perform the audit. For a compliance audit, for
example, there may be specific rules on sample sizes and sampling techniques, and
auditors may be required to possess specific qualifications. A compliance audit
may also specify criteria for determining whether a particular finding constitutes a
deficiency. There may also be rules for materiality and additional steps to follow if
material weaknesses are identified.
• Resources The auditor must determine what resources are needed and available
for the audit. In an external audit, the auditee (a client organization) may have a
maximum budget figure available. For an external or internal audit, the auditor
needs to determine the number of person-hours that will be required in the
audit and the various skills required. Other resources that may be needed include
Chapter 6: Information Security Program Management
325
specialized tools to gather or analyze information obtained from information
systems—for example, an analysis program to process the roles and permissions
in a database management system to identify high-risk areas. To a great degree,
the purpose and scope of the audit will determine which resources are required to
complete it.
• Schedule The auditor needs to develop an audit schedule that includes
enough time for interviews, data collection and analysis, and report generation.
Additionally, the schedule could also come in the form of a constraint, meaning
the audit must be complete by a certain date. If the auditor is given a deadline,
she will need to see how the audit activities can be made to fit within that period.
If the date is too aggressive, the auditor will need to discuss the matter with the
auditee to make required adjustments in scope, resources, or schedule.
PART III
Audit Objectives The audit objectives are the specific goals for an audit. Generally, the
objective of an audit is to determine whether controls exist and whether they are effec-
tive in some specific aspect of business operations in an organization. An audit is often
performed as a requirement of regulations, compliance, or other legal obligations. It may
also be performed in the aftermath of a serious incident or event to determine whether
any additional weaknesses are found elsewhere in the organization that could also suffer
an event. Sometimes, an organization will initiate an internal audit of relevant systems if
a competitor or other similar organization has suffered an incident; the purpose here is
to determine whether the organization is likely to suffer the same fate.
Depending on the subject and nature of the audit, the auditor may examine the con-
trols and related evidence herself, or the auditor may instead focus on the business content
that is processed by the controls. In other words, if the focus of an audit is an organiza-
tion’s accounting system, the auditor may focus on financial transactions in the system to
see how they affect financial bookkeeping. Or the auditor could focus on IT processes that
support the operation of the financial accounting system. Formal audit objectives should
make such a distinction so that the auditor has a sound understanding of the objectives.
This tells the auditor where to look and what to look at during the audit. Of course, the
type of audit being undertaken helps too.
Types of Audits The scope, purpose, and objectives of an audit will to a great extent
determine the type of audit that will be performed. Auditors need to understand each
type of audit, including the procedures that are used for each, so that the correct type
will be selected.
PART III
audit to get a better idea of its compliance to a law, regulation, standard, or other
legal obligation prior to an actual compliance audit. An organization can use the
results of a pre-audit to implement corrective measures, thereby improving the
outcome of the real audit.
• Precede the audit itself with a risk assessment to determine which processes or
controls warrant additional audit scrutiny.
• Gather information about the organization and historic events to discover risks
that warrant additional audit scrutiny.
Audit Statement of Work For an external audit, the auditor may need to develop a
statement of work or engagement letter that describes the audit purpose, scope, duration,
and costs. The auditor may require a written approval from the client before audit work
can officially begin.
Establish Audit Procedures Using information obtained regarding audit objectives
and scope, the auditor can now develop procedures for this audit. For each objective and
control to be tested, the auditor can specify the following:
Audit Communication Plan The auditor will develop a communication plan to keep
the auditor’s management, as well as the auditee’s management, informed throughout
the audit project. The communication plan may contain one or more of the following:
PART III
• For external audits, send an invoice to the auditee.
• Collect and archive all work papers. Enter their existence in a document
management system so that they can be retrieved later if needed and to ensure
their destruction when they have reached the end of their retention life.
• Update PBC documents if the auditor anticipates that the audit will be performed
again in the future.
• Collect feedback from the auditee and convey to any audit staff as needed.
Post-audit Follow-up
After a given period (which could range from days to months), the auditor should con-
tact the auditee to determine what progress the auditee has made on the remediation of
any audit findings. There are several good reasons for doing this:
• It establishes a tone of concern for the auditee organization (and an interest in its
success) and demonstrates that the auditee is taking the audit process seriously.
• It helps to establish a dialogue whereby the auditor can help auditee management
work through any needed process or technology changes as a result of the audit.
• It helps the auditor better understand management’s commitment to the audit
process and to continuous improvement.
• For an external auditor, it improves goodwill and the prospect for repeat business.
Audit Evidence Evidence is the information collected by the auditor during the audit.
The contents and reliability of the evidence obtained are used by the auditor to reach
conclusions on the effectiveness of controls and control objectives. The auditor needs to
understand how to evaluate various types of evidence and how (and if ) it can be used to
support audit findings.
The auditor will collect many kinds of evidence during an audit, including observa-
tions, written notes, correspondence, independent confirmations from other auditors,
internal process and procedure documentation, and business records. When an auditor
CISM Certified Information Security Manager All-in-One Exam Guide
330
examines evidence, he needs to consider several characteristics about the evidence, which
will contribute to its weight and reliability. These characteristics include the following:
Gathering Evidence The auditor must understand and be experienced in the methods
and techniques used to gather evidence during an audit, including the following:
• Real tasks The auditor should request to see some functions actually being
carried out.
• Skills and experience The auditor should ask each interviewee about his or
her career background to determine the interviewee’s level of experience and
career maturity.
• Security awareness The auditor should observe personnel to determine whether
they are following security policies and procedures.
• Segregation of duties The auditor should observe personnel to determine whether
adequate segregation of duties is in place.
An experienced auditor will have a well-developed “sixth sense,” an intuition about
people that can be helpful in understanding the people who execute procedures.
Chapter 6: Information Security Program Management
331
Sampling Sampling techniques are used when it is not feasible to test an entire popula-
tion of transactions. The objective of sampling is to select a portion of a population so
that the characteristics observed will reflect the characteristics of the entire population.
Several methods can be used for sampling:
PART III
characteristic and how many do not. For example, an auditor may test a list of
terminated user accounts to see how many were terminated within 24 hours
and how many were not. This is used to statistically determine the rate at which
terminations are performed within 24 hours among the entire population.
• Variable sampling This technique is used to statistically determine the
characteristic of a given population to answer the question “how much?”
For example, an auditor who wants to know the total value of an inventory
can select a sample and then statistically determine the total value in the entire
population based on the total value of the sample.
• Stop-or-go sampling This technique is used to permit sampling to stop at the
earliest possible time.
• Discovery sampling The auditor uses this technique to try to identify at least
one exception in a population. When he is examining a population where even a
single exception would represent a high-risk situation (such as embezzlement or
fraud), the auditor will recommend a more intensive investigation to determine
whether additional exceptions exist.
• Stratified sampling Here, the event population will be divided into classes, or
strata, based upon the value of one of the attributes. Then samples are selected
from each class, and results are developed from each class or combined into a
single result. An example of where this could be used is a selection of purchase
orders (POs), where the auditor wants to make sure that some of the extremely
high-value and low-value POs will be selected to determine whether there is any
statistical difference in the results in different classes.
• Cover letter
• Introduction
• Summary
• Description of the audit
• Listing of systems and processes examined
• Listing of interviewees
• Listing of evidence obtained
• Explanation of sampling techniques
• Description of findings and recommendations
When the auditor is creating the report, she must make sure that it is balanced, reason-
able, and fair. The report should not just be a list of everything that was wrong; it should
also include a list of controls that were found to be operating effectively. The auditor also
needs to take care when describing recommendations, realizing that any organization
is capable of only so much change in a given period. If the audit report contains many
findings, the auditor should realize that the organization may not be able to remediate all
Chapter 6: Information Security Program Management
333
of them in an elegant manner. Instead, the organization will need to understand which
findings should be remediated first—the audit report should provide this guidance.
NOTE It is typically not the auditor’s role to describe how an audit inding
should be remediated. Deciding the methods used to apply remediation is
the role o auditee management.
PART III
scale. This helps illustrate the audit findings that are the most important and those that
are less important, in the auditor’s opinion. The auditor can also report on cases where an
ineffective control is mitigated (fully or partially) by one or more compensating controls.
For example, a system may not have the ability to enforce password complexity (such as
requiring upper- and lowercase letters, plus numbers and special characters), but this can
be compensated through the use of longer than usual passwords and perhaps even more
frequent expiration.
Internal Audit Internal audits focus on the organization’s controls, processes, or systems
and are carried out by personnel who are a part of the organization. Many organizations
have one or more people in an internal audit function. Organizations that are serious
about their commitment to an effective security program will commit resources to the
internal audit function. Recognizing that external resources are far more costly, internal
auditors become more familiar with internal processes and systems and can examine them
more frequently and provide better feedback to others in the organization.
In U.S. public companies and in many other organizations, internal audit (IA) depart-
ments report to the organization’s audit committee or board of directors (or a similar
“governing entity”). The IA department often has close ties with and a “dotted line”
reporting relationship to finance leadership in order to manage day-to-day activities.
An internal audit department will launch projects at the request and/or approval of the
governing entity and, to a degree, members of executive management.
Some regulations and standards require organizations to conduct internal audits as
part of required compliance efforts; examples include Sarbanes–Oxley and ISO/IEC
27001. These regulations and standards play a large role in internal audit work. For
example, public companies, banks, and government organizations are all subject to a
great deal of regulation, much of which requires regular information systems controls
testing. Management, as part of their risk management strategy, also requires this testing.
External reporting of the results of internal auditing is sometimes necessary. Similarly,
organizations that are ISO/IEC 27001 certified are required to carry out regular internal
audit work to ensure that controls continue to be effective.
CISM Certified Information Security Manager All-in-One Exam Guide
334
A common internal audit cycle consists of several categories of projects:
TIP The Institute o Internal Auditors (IIA) has excellent guidance or audit
planning at www.theiia.org.
Cyclical Controls Testing In cyclical controls testing, the organization conducts internal
audits on its internal controls. A great deal of effort has recently been expended getting
organizations to execute a controls testing life cycle. Most frequently, these practices
are supporting the integrity of controls in financially relevant processes. Public corpora-
tions are required to comply with SOX Section 404, requirements, and U.S. government
organizations have been subject to OMB Circular A-123, compliance with the Federal
Information Security Management Act (FISMA), and other similar requirements. Coun-
tries outside of the United States have instituted similar controls testing requirements
for publicly traded companies and governmental organizations. Many industries, such
as banking, insurance, and healthcare, are likewise required to perform control testing
because of industry-specific regulations. Organizations that elect to maintain ISO/IEC
27001 certification are required to perform internal control testing.
Organizations often employ GRC tools to assist with tracking controls testing. These
systems track the execution and success of control tests performed as part of a testing
cycle and can frequently manage archival of supporting evidence.
Chapter 6: Information Security Program Management
335
Establishing Controls Testing Cycles Young or growing organizations may not have
established or documented internal controls testing cycles. Internal auditors, working in
conjunction with individuals focused on manual controls, will participate in the estab-
lishment of controls testing. The auditor produces documentation of controls through a
series of meetings with management. During the process, auditors will develop process
and controls documentation and confirm their accuracy with control owners through the
performance of control walk-throughs.
These engagements are likely to occur when companies prepare to go public. Such
companies need to comply with SOX Section 404, requirements, which involve docu-
menting controls and performing a test of existence, also known as a “test set of 1”
or a “walk-through,” for each identified key control. Private companies will maintain
SOX-equivalent documentation to retain the option of seeking public financing or when
lenders or private investors require it. Many organizations will find external resources to
assist in the documentation and testing of applicable internal controls.
PART III
External Audit An external audit is performed by auditors who are not employees of
the organization. There are three principal reasons that an organization will undergo an
external audit versus an internal audit:
• Objective What is the purpose of the audit? This includes whether it is required
by regulations, laws, or standards such as SOX, A-123, ISO/IEC 27001, ISO/IEC
27002, CMMC, or PCI DSS.
• Scope What business units, departments, systems, processes, and personnel are
the subject of the audit?
• Time What is the time period for the audit? This generally involves the acquisition
of evidence in the form of business records associated with controls that auditors will
want to examine.
• Resources What resources will be required for the audit? For external audits,
this includes office space for one or more auditors, access to workspaces, and
access to networks and systems for the acquisition of evidence.
CISM Certified Information Security Manager All-in-One Exam Guide
336
• Schedule When will the audit start? When will specific activities take place
during the audit? When is it expected to be completed?
• Audit firm and auditor qualifications Has the firm or auditor conducted the
type of audit before? If so, how many audits have they done and in what business
segments was the audit conducted? Organizations should assess the quality of the
firm and the people conducting the audit when using external audit firms.
• Audit methodology What sampling techniques and other details will be used
by the auditors?
• Personnel What internal personnel will be needed for the audit? This includes
process and system owners that auditors will want to interview, plus any
administrators or coordinators who will manage the scheduling of internal
personnel as well as meeting spaces.
Organizations undergoing any particular audit for the first time generally plan much
further ahead. In many cases, a pre-audit will get a preliminary idea of the results that will
be achieved in the actual audit. Organizations planning a pre-audit need to ensure that
the same techniques used in the pre-audit will be used in the audit. This is a common
mistake in a pre-audit. If the pre-audit is less rigorous and thorough than the audit, the
organization may have a false sense of confidence in a favorable audit outcome; they will
be surprised that the audit went poorly while the pre-audit was seemingly successful.
Organizations should ensure that personnel are ready for the audit. In particular,
personnel who have never worked with external auditors need to be coached as follows:
• Personnel should answer only questions that auditors ask. Personnel should be
trained in the skill of active listening so that they understand what the auditor is
asking, prior to giving an answer.
• Personnel should not express their opinions about the subject matter. Determination
of the effectiveness of a control is the auditor’s job, not that of the control owner or
other person providing information.
• Personnel should not volunteer additional information. Doing so will cause
confusion and potential delays in completion of the audit.
The purpose of audit seeding is generally the creation of an audit issue that
will permit management to prioritize an initiative to improve the business. For
example, suppose external auditors are examining access controls, an area where a
security manager has had difficulty obtaining funds to make key improvements.
While in a discussion with auditors, the security manager may choose to illumi-
nate particular actions, inactions, or other situations in access control processes or
technology that the auditor may not have otherwise noticed.
Persons who are considering audit seeding must have a thorough understanding
of the subject matter, the controls being tested, the procedures and technologies in
play, the auditing methodology in use, and a bit of grit. Audit seeding may be con-
sidered a daring move that may have unforeseen results. Finally, people considering
audit seeding must not make auditors feel they are being manipulated, because this
could have greater consequences. Instead, the technique is used by management
PART III
simply to make auditors aware of an important aspect of a control being audited.
Control Self-Assessment
The control self-assessment (CSA) is a methodology used by an organization to review
key business objectives, risks related to achieving these objectives, and the key controls
designed to manage those risks. The primary characteristic of a CSA is that the organiza-
tion takes initiative to self-regulate rather than engage outsiders, who may be experts in
auditing but not in the organization’s mission, goals, objectives, and culture.
CSA Advantages and Disadvantages Like almost any business activity, CSAs have a
number of advantages and disadvantages that a security manager and others should be
familiar with. This will help the organization make the most of this process and avoid
some common problems.
The advantages of a CSA include the following:
• Risks can be detected earlier, since subject-matter experts are involved earlier.
• Internal controls can be improved in a timely manner.
• CSA leads to greater ownership of controls through involvement in their assessment
and improvement.
• CSA leads to improved employee awareness of controls through involvement in
their assessment and improvement.
• CSA may help improve relationships between departments and auditors.
Some of the disadvantages of a CSA include the following:
The CSA Life Cycle Like most continuous-improvement processes, the CSA process is
an iterative life cycle. The phases in a CSA are as follows:
• Identify and assess risks Operational risks are identified and analyzed.
• Identify and assess controls Controls to manage risks are identified and assessed.
If any controls are missing, new controls are designed.
• Develop questionnaire or conduct workshop An interactive session is
conducted, if possible, for discussion of risks and controls. If personnel are
distributed across several locations, a conference call can be convened or a
questionnaire may be developed and sent to them.
• Analyze completed questionnaires or assess workshop If a workshop was held,
the workshop results are assessed to see what good ideas for remediation emerged. If
a questionnaire was distributed, the results are analyzed to see the deficiencies that
were identified and the ideas for risk remediation that were identified.
• Control remediation Using the best ideas from the workshop or questionnaire,
controls are designed or altered to improve risk management.
• Awareness training This activity is carried out through every phase of the life
cycle to keep personnel informed about the activities in the various phases.
Figure 6-14 illustrates the CSA life cycle.
Identify and
Control Assess Risks
Remediation
Identify and
Awareness
Assess
Analyze Training
Controls
Completed
Questionnaires
Assess Develop
Workshop Questionnaire
Conduct
Workshop
NOTE The security manager and internal auditor should be involved in CSAs
to ensure that the process is not hijacked by eiciency zealots who try to
remove the controls rom processes because they do not understand their
PART III
purpose or signiicance.
Auditors and Self-Assessment Auditors should be involved in the CSAs that various
departments conduct. The role of an auditor should be that of an objective subject-
matter expert who can guide discussions in the right direction so that controls will
receive the right kind of development and improvements over time. Auditors should
resist having too large a role in CSAs. Responsibility for control development and matu-
ration should lie within the department that owns the CSA. However, if a department
is new at conducting a CSA, it may take some time before staff are confident and com-
petent enough to take full ownership and responsibility for the process.
• Corporate workers All use computers, and most use mobile devices for e-mail
and other functions.
• Retail floor managers These people work in retail store locations and use
computers daily in their jobs.
• Retail floor cashiers All work in retail store locations and do not use computers,
but they do collect payments by cash, check, and credit card.
• Retail floor workers All work in retail store and warehouse locations and do
not use computers.
• Third-party personnel Any persons from outside companies that regularly
access the organization’s networks, systems, or data should be included in portions
PART III
of security awareness training that are relevant to their tasks and duties.
The security manager of the retail organization should package security awareness
training so that each audience receives relevant training. Corporate workers and retail
floor managers should probably receive full-spectrum training because they all use
computers. Retail floor managers should also receive the same training delivered to
retail floor workers and cashiers, because they also work at retail locations and super-
vise these personnel. Cashiers need training on fraud techniques (counterfeit currency,
currency counting fraud, and matters related to credit card payments such as skim-
ming). Retail floor workers probably need no Internet or computer-related security
awareness training but can instead receive training on topics related to physical security
and workplace safety.
Technical Workers
Technical workers in an organization, typically IT personnel, should be trained in secu-
rity techniques that are relevant to their positions. Technical workers are responsible for
architecture, system and network design, implementation, and administration. Without
security training, these workers’ lapses in judgment may result in significant vulnerabili-
ties that could lead to compromises.
Software Developers
Software developers typically receive little or no education on secure software develop-
ment in colleges, universities, and tech schools. The art of secure coding is new to many
software developers. Security training for software developers helps them to be more
aware of common mistakes, including the following:
Third Parties
Security awareness training needs to be administered to all personnel who have access
to an organization’s data through any means. Often this includes personnel who are
employees of other organizations, so this means that some of those workers need to
participate in the organization’s security awareness training. In larger organizations, the
curriculum for third-party personnel may need to be altered somewhat because portions
of the security awareness training content may not be applicable to outsiders.
New Hires
New employees, as well as consultants and contractors, should be required to attend
security awareness training as soon as possible. There is a risk that new employees could
make mistakes early in their employment and prior to their training, as they would not
be familiar with all the security practices in the organization. Better organizations link
Chapter 6: Information Security Program Management
343
access control with security awareness training: New employees are not given access to
systems until after they have successfully completed their security awareness training.
This gives new workers added incentive to complete their training quickly, since they
want to be able to access corporate applications and get to work.
Annual Training Most security awareness programs include annual refresher train-
ing for all workers. Required by some regulations, such training is highly recom-
mended, because it helps workers maintain focus on security and Internet safety and
helps them avoid common mistakes. Further, because both protective techniques and
attack techniques change quickly, annual refresher training keeps workers abreast of
these developments.
Training takes time, and people tend to put it off for as long as possible. This is easy
to understand, because training takes time away from other important work tasks. Still,
the security manager and the organization must ensure that as many workers as possible
PART III
complete the training. Workers can be offered incentives to complete their training: for
example, all workers who complete their training in the first week can be entered into a
random drawing for gift cards or other prizes.
Organizations generally choose one of several options for annual training, including:
Benefits of Outsourcing
Organizations that are considering outsourcing operations to third parties need to weigh
the benefits and costs carefully to determine whether the effort to outsource will result in
measurable improvement in their processing, service delivery, and/or finances.
Outsourcing can offer an organization many benefits:
PART III
workers with specialized skills often turn to third parties with highly skilled
personnel who can benefit a variety of client organizations.
• Economies of scale Specialized third parties can often achieve better economies of
scale through discipline and mature practices than organizations are able to achieve.
• Objectivity Some functions are better provided by outsiders. Personnel within
an organization may have trouble being objective about some activities, such as
process improvement and requirements definitions; in that case, a third-party
may offer better solutions. Also, auditors frequently must be from an outside firm
to achieve sufficient objectivity and independence.
• Reduced costs When outsourcing involves third parties with offshore
personnel, an organization may be able to lower its operating costs and improve
its competitive market position through currency exchange rates and differences
in standard pay.
When an organization is making an outsourcing decision, it needs to consider these
advantages together with risks, as discussed in the next section.
Risks of Outsourcing
In the 1990s, when many organizations rushed to outsource development and support
functions to organizations located in other countries, they did so with unrealistic short-
term gains in mind and without adequately considering all the real costs and risks of
outsourcing. This is not to say that outsourcing to third parties is bad, but many organi-
zations made outsourcing decisions without fully understanding them.
While outsourcing to third parties can bring many tangible and intangible benefits
to an organization, it is not without certain risks and disadvantages. Naturally, when an
organization employs third parties to perform some of its functions, it relinquishes some
control to those third parties.
CISM Certified Information Security Manager All-in-One Exam Guide
346
The risks of outsourcing to third parties include the following:
• Higher than expected costs Reduced costs were the main driver for offshore
outsourcing that began in the 1990s. However, many organizations failed to
anticipate the actual operational realities and/or the cost savings. For instance,
after U.S.-based organizations outsourced to overseas operations, IT personnel had
to make many more expensive trips than expected. Also, changes in international
currency exchange rates can transform this year’s bargain into next year’s high cost.
• Theft of intellectual property Outsourcing product manufacturing to certain
third-world countries has resulted in systematic theft of intellectual property,
made manifest by the presence of nearly identical products. Some countries
consider the theft of intellectual property as an entitlement, contrary to the rule
of law in other countries.
• Poor quality The work product produced by a third party may be lower than
was produced when the function was performed in-house.
• Poor performance The third-party service may not perform as expected. The
capacity of networks or IT systems used by third parties may cause processing
delays or longer than acceptable response times.
• Loss of control An organization that is accustomed to being in control of its
workers may experience a loss of control. Making small adjustments to processes
and procedures may be more time-consuming or may increase costs.
• Employee integrity and background It may be decidedly more difficult to
determine the integrity of employees in a third-party organization, particularly
when the organization is located in another country. Some countries, even where
outsourcing is popular, lack nationwide criminal background checks and other
means for making a solid determination on an employee’s background and integrity.
• Loss of competitive advantage If the services performed by the third party
are not flexible enough to meet the organization’s needs, this can result in the
organization losing some of its competitive advantage. For example, suppose
an organization outsources its corporate messaging (e-mail and other messaging)
to a third-party service provider. Later, the organization wants to enhance its
customer communication by integrating its service application with e-mail.
The e-mail service provider may be unable or unwilling to provide the necessary
integration, which will result in a loss of competitive advantage.
• Loss of tribal knowledge Development and operations of any portion of
IT produces tribal knowledge—the knowledge accumulated by the personnel
doing the work. While many details of architecture, design, implementation,
and operations may be documented in more mature organizations, some
portion of the information often goes undocumented, remaining in the
memories of the personnel involved. For services that are outsourced, that
tribal knowledge is largely absent, as the organization’s personnel are not
involved in day-to-day details.
Chapter 6: Information Security Program Management
347
• Errors and omissions The third party may make serious errors or fail to
perform essential tasks. For instance, a third party may suffer a data security
breach that results in the loss or disclosure of sensitive information. This can be
a disastrous event when it occurs within an organization’s four walls, but when it
happens to a third party, the organization may find that the lack of control will
make it difficult to take the proper steps to contain and remedy the incident. If a
third party experiences a security breach or similar incident, it may be putting its
interests first and only secondarily watching out for the interests of its customers.
• Vendor failure The failure of a third party to deliver may result in increased
costs and delays in service or product delivery.
• Differing mission and goals An organization’s employees are going to be loyal
to its mission and objectives. However, employees of a third party may have little
or no interest in the hiring organization’s interests; instead, they will be loyal to
PART III
the third party organization’s values, which may at times be in direct conflict.
For example, a third party may place emphasis on maximizing billable hours,
while the hiring organization emphasizes efficiency. These two objectives are in
conflict with each other.
• Difficult recourse If an organization is dissatisfied with the performance or
quality of the third party, contract provisions may not sufficiently facilitate a
remedy. If the third-party operation is in a different country, applying remediation
in the court system may also be futile.
• Lowered employee morale If an organization chooses to outsource some
operations to a third party, employees who remain may be upset because some
of their colleagues may have lost their jobs as a result of the outsourcing. Further,
remaining employees may believe that their own jobs may soon be outsourced
or eliminated. They may also believe that their organization is more interested in
saving money than in taking care of its employees. Personnel who have lost their
jobs may vent their anger at the organization through a variety of harmful actions
that can threaten assets or other workers.
• Audit and compliance An organization that outsources part of its operation
that is in scope for applicable laws and regulation may find it more challenging to
perform audits and achieve compliance. Audit costs may rise, as auditors need to
visit the third parties’ work centers. Requiring the third party to make changes
to achieve compliance may be difficult or expensive.
• Applicable laws Laws, regulations, and standards in headquarters and offshore
countries may impose requirements on the protection of information that may
complicate business operations or enterprise architecture.
• Cross-border data transfer Governments around the world are paying attention
to the flow of data, particularly the sensitive data of its citizens. Many countries
have passed laws that attempt to exert control over data about their citizens when
the data is transferred out of their jurisdiction.
CISM Certified Information Security Manager All-in-One Exam Guide
348
• Time zone differences Communications will suffer when an organization
outsources some of its operations to offshore third parties that are several time
zones distant. It will be more difficult to schedule telephone conferences when
there is very little overlap between workers in each time zone. It will take more
time to communicate important issues and to make changes.
• Language and cultural differences When outsourcing crosses language and
cultural barriers, it can result in less-than-optimal communication and results.
The outsourcing organization will express its needs through its own language and
culture, but the third party will hear those needs through its own language and
culture. Both sides may be thinking or saying, “They don’t understand what we
want” and “We don’t understand what they want.” This can result in unexpected
differences in work products produced by the outsourcing firm. Delays in project
completion or delivery of goods and services can occur as a result.
• Legal One of the most important allies to the security manager, the organization’s
legal department negotiates purchase and service contracts with third parties. Thus,
legal will have a collection of contracts that can identify third parties. Security
managers need to understand, however, that legal does not handle contracts for
every third party, because some suppliers and vendors do not use contracts. Many
online service providers, for example, use simple “click-through” agreements that
do not go through the organization’s legal department.
Chapter 6: Information Security Program Management
349
• Procurement The procurement function is a critical part of an organization’s
TPRM program. Larger purchases are frequently negotiated by a procurement
function or team. Like the legal team, procurement may have a collection
(and perhaps even a list) of third parties it has negotiated business deals with.
• Accounts payable Sometimes the only way to learn about some third parties’
involvement is to find out what third parties are being paid for the products or
services they provide. Typically, the accounts payable function will remit funds
only to organizations that are registered as vendors in the organization’s financial
accounting system.
• Information technology (IT) The IT department may have established data
connections to certain third parties; it may have specific firewall rules associated
with system access granted to third parties; and it may have logical connections
between its internal identity and access management (IAM) system and some
PART III
third parties. Finally, information systems including firewalls, intrusion detection/
prevention systems, web content filters, and CASB systems can provide a wealth of
information, particularly about third-party services that are offered free of charge.
Free online services are so numerous that many organizations are challenged to
identify them until they utilize a CASB system (even then, a few may go unnoticed).
• Facilities The facilities department may be aware of third parties not discovered
by other means, because of its function: maintaining and supplying processing
center locations and work locations. The facilities department likely has several
third-party relationships with organizations that do not access IT systems. This is
one reason why facilities should be involved in the initial search.
• Department heads and business unit leaders An organization’s department
heads and business unit leaders are certainly going to be aware of key third-
party relationships, including key suppliers, service providers, and sources of
temporary workers.
• Location-specific leaders The saying goes, “The farther away one is from
corporate headquarters, the more that business is conducted by expediency
than by policy.” In other words, workers in satellite offices are more apt to
conduct business with unique, local-to-them third parties that may not be
identified otherwise. Security managers may need to tread lightly here so that
their quest for information about third parties does not represent a threat to
their ongoing internal business relationships and operations.
When conducting an initial inventory, a security manager will, along the way, dis-
cover other sources that can identify third-party relationships. Security managers should
realize that an initial effort at identifying third parties will probably not identify every
one, but most will be identified. Security personnel should be on the lookout for third-
party relationships that have not been identified so that they may be brought into the
TPRM program.
When building an initial inventory of third parties, the security manager may opt
to use a spreadsheet program to track them, adding columns to identify how each
third party was identified and those that list criteria used to classify third parties.
CISM Certified Information Security Manager All-in-One Exam Guide
350
However, managing third parties by spreadsheet may quickly become a burdensome task.
Several vendors and service providers have created purpose-built applications that can be
used to manage third parties, including the following (in alphabetical order):
• Allgress
• CyberGRX
• Diligent (formerly Galvanize)
• KY3P
• Lockpath
• Prevalent
• RSA Archer
• ServiceNow
NOTE Because TPRM is a rapidly growing and changing ield, the number
and types o service vendors providing products that help manage third
parties will requently change.
PART III
Network security Org Org Provider Provider
Security policy Org Shared Shared Shared
Physical security Org Provider Provider Provider
Table 6-15 An Example Cloud Services Security Shared Responsibility Model
Note that the values in Tables 6-14 and 6-15 are not absolutely consistent across
different service providers. Instead, these tables serve to illustrate the nature of shared
responsibilities between a service organization and its customers. The specific respon-
sibilities for operations and security between an organization and any specific service
provider can vary somewhat. It is vital that an organization clearly understand its precise
responsibilities for each third-party relationship so that no responsibilities are overlooked
or neglected; otherwise, risks may be introduced to the organization’s operations and/
or security. The organization is ultimately responsible for ensuring that specific areas are
addressed, because if a breach occurs, the organization will be held responsible in the eye
of shareholders, board of directors, and customers.
TPRM has been the subject of many standards and regulations that compel organiza-
tions to be proactive in discovering risks present in the operations of their critical third-
party relationships. Historically, many organizations were not voluntarily assessing their
critical third parties. Statistical data about breaches over several years has revealed that
more than half of all breaches are caused by inappropriately managed third parties. This
statistic illuminates the magnitude of the third-party risk problem and has resulted in
the enactment of laws and regulations in many industries that now require organiza-
tions to build and operate effective TPRM programs in their organizations. This has
also garnered innovation in the form of new tools, platforms, and services that help
organizations manage third-party risk more effectively.
Onboarding
Onboarding is the process by which an organization begins a business relationship with
a third party. Before utilizing the products or services from a third party, the organiza-
tion should perform up-front due diligence to understand the level of risk involved in
the relationship. Often, an organization will establish a risk level using criteria discussed
earlier in this section and will then perform an assessment utilizing questionnaires and
other methods according to the scheme shown in Tables 6-17 and 6-18. These activities
will uncover issues that may require remediation and/or specific statements in the initial
legal agreement between the organization and the third party.
Legal Agreement
Before services can commence, the organization and the third party will negotiate a legal
agreement that describes the services provided, service levels, quality, pricing, and other
terms. Based on the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and privacy, which will
typically cover these subjects:
• Security and/or privacy program The third party must have a formal security
and/or privacy program including but not limited to governance, compliance,
policy, risk management, annual risk assessment, internal audit, vulnerability
management, incident management, secure development, security awareness
training, data protection, and third-party risk.
• Security and/or privacy controls The third party must have a control framework,
including linkages to risk management and internal audit.
• Vulnerability management The third party will have policies and procedures for
formally identifying and managing vulnerabilities in their systems and processes.
• Vulnerability assessments The third party will undergo penetration tests or
vulnerability assessments of its service infrastructure and applications, performed
by a competent security professional services firm of the organization’s choosing
(or a company that the organization and third party jointly agree upon), with
reports made available to the organization upon request.
Chapter 6: Information Security Program Management
353
• External audits and certifications The third party is required to undergo
annual SOC 1 and/or SOC 2 Type 2 audits, ISO 27001 certifications, HITRUST
certifications, PCI DSS reports on compliance (ROCs), CMMC audits, or other
industry-recognized and applicable external audits, with reports made available to
the organization upon request.
• Security incident response The third party must have a formal security incident
capability that includes testing and training.
• Security incident notification The third party will notify the organization
in the event of a suspected and confirmed breach, within a specific time frame,
typically 24 hours. The language around “suspected” and “confirmed” needs to
be developed carefully so that the third party cannot sidestep this responsibility.
• Right to audit The third party will permit the organization to conduct an
audit of the third-party organization without cause. If the third party will not
PART III
permit this, the organization may insist on the right to audit in the event of a
suspected or confirmed breach or other circumstances. Further, the contract
should include the right for a competent security professional services firm
to perform an audit of the third-party security environment on behalf of the
organization (useful for several reasons, including geographic location and that
the external audit firm will be more objective). The cost of the audit is usually
paid for by the organization, and in some cases the organization will provide
credits or compensation for the time incurred by the third party’s team.
• Periodic review The third party will permit an annual onsite review of its
operations and security. This can give the organization greater confidence in
the third party’s security and operations.
• Annual due diligence The third party will respond to annual questionnaires
and evidence requests as part of the organization’s third-party risk program.
• Cyber insurance The third party must carry a cyber-insurance policy with
minimum coverage levels and will comply with all requirements in the policy
to ensure payout in the event of a security event. A great option is to have the
organization be a named beneficiary on the policy, in case a widespread breach
results in a large payout to many customers.
• Restrictions on outsourcing Restrict the third party from outsourcing core
functions to other organizations.
Organizations with many third parties may consider developing a standard security
clause that includes all of these provisions. Then, when a new contract is being considered,
the organization’s security team can perform its up-front examination of the third party’s
security environment and make adjustments to the security clause as needed.
Organizations will often identify one or more shortcomings in the third party’s security
program that it is unwilling or unable to remediate right away. In this case, the organiza-
tion can compel the third party to enact improvements in a reasonable period of time after
the start of the business relationship. For example, suppose a third-party service provider
CISM Certified Information Security Manager All-in-One Exam Guide
354
does not have an external audit, such as a SOC 1 or SOC 2 audit, but agrees to undergo
such an audit one year in the future. Or perhaps a third-party service provider that has
never had external penetration testing performed could be compelled to begin performing
penetration testing at regular intervals. Alternatively, the third party could be required to
undergo a penetration test and be required to remediate all issues deemed Critical and
High before the organization will begin using the third party’s services.
PART III
or systems that are operationally critical, as described in prior criteria).
• Contractual obligations Whether the vendor is required to establish and
maintain a security program, security controls, vulnerability management,
incident response, or other activities should be considered. Third parties may
be rated a higher risk if few or no security requirements are imposed upon
them in a contract. While effective third-party risk management seeks to add
appropriate security clauses to contracts, security managers may occasionally
encounter contracts with third parties where no clauses were included.
No matter what criteria are used in contracting with third-party vendors, organiza-
tions typically use criteria to identify the most critical vendors and other third parties.
Generally, organizations will classify third parties into three levels of criticality. Table 6-16
depicts a typical third-party risk classification scheme. Based on levels of importance, each
organization will construct a unique risk tiering scheme.
Organizations can use a system similar to Table 6-16 in a number of ways. First, each
third party can be scored based on how many of the low, medium, or high categories are
met. Or each third party can be assigned a risk level if any single criterion is met at that
level. Organizations are cautioned to refrain from overcomplicating tiering or scoring
criteria: the objective is to arrive at no more than three, or perhaps four, tier classifica-
tions for each vendor. The reason for this is related to third-party assessments, discussed
in the next section.
These and other factors can influence the overall risk to the organization, which can
manifest in various ways, including degradations in overall security, failures to meet pro-
duction or quality targets, and even business failure.
Once an organization has established its third-party risk classification and has begun
to identify its third parties and their respective risk tiering, third parties can be assessed.
Before assessments can be performed, however, the organization needs to develop a scheme
Chapter 6: Information Security Program Management
357
by which assessments take place. In the preceding section, third parties are classified into
three or four risk levels. The manner in which assessments are performed depends upon
which risk level any particular third party is assigned. Several techniques can be used to
assess third parties, including the following:
PART III
• Site visit If an organization is not satisfied with the use of questionnaires
and confirmation, the organization can send security personnel (or, ironically,
outsource this activity to a third party) to conduct a site visit of the third party’s
work locations and information processing centers. Although this is the costliest
confirmation method, organizations may improve their confidence in the third
party by conducting their own onsite assessment.
• External attestations Organizations can compel third parties to undergo
external audits or attestations. Established standards such as SOC 1, SOC 2,
SSAE 18, ISAE 3402, HITRUST, PCI DSS, CMMC, and ISO/IEC 27001
are examples of control and audit standards that can be used to understand
the effectiveness of a third party’s IT controls.
• External business intelligence Organizations often turn to external business
intelligence services such as Dunn & Bradstreet or Lexis Nexus. Such services
collect information on the financial health of companies, which can help
organizations better understand risk factors related to the health and ongoing
viability of its third parties. For example, if an organization learns that a particular
vendor is under financial stress (perhaps because of problems with its products or
services adversely affecting sales), this will raise concern that a partnership could
result in degradations in product or service quality, as well as degradations in
information protection efforts and effectiveness.
• External cyber intelligence Organizations are beginning to utilize the services
of a growing number of companies that gather intelligence on third-party service
providers, which sell this information on a subscription basis. These services
perform a variety of functions, including security scans and scans of the dark web
for signs of an unreported breach. These cyber-intelligence services often perform
these services at costs lower than those incurred by organizations that conduct
these activities with their own security staff.
CISM Certified Information Security Manager All-in-One Exam Guide
358
• Security scans and penetration tests Organizations can perform security scans
or penetration tests on the infrastructure and/or applications of its third parties.
Alternatively, organizations can require the third parties to commission these
activities from qualified security consulting firms and make the results available
to organizations. These activities serve to bolster (or erode) confidence in a third
party’s ability to manage its infrastructure and applications, including running an
effective vulnerability management program.
• Intrusive monitoring Organizations can sometimes compel a third party to
permit the organization to view or receive internal controls data in real time.
For instance, an organization could provide a security system to the third
party to be installed in its network; the system would provide some form of
real-time security intelligence to the organization to give it confidence that
the third party’s environment is free of active threats. Or a third party could
make certain internal information available to the organization from its own
internal security systems. The types of information that can be made available
include security and event log data from operating systems, firewalls, intrusion
detection/prevention systems, internal vulnerability scan data, network packet
header capture, or network full packet capture. These activities, called intrusive
monitoring, represent an intrusion of the organization’s visibility into the third
party’s environment.
As stated earlier, not all third parties are assessed in the same way. Instead, organiza-
tions can establish schemes for assessing vendors according to their risk levels. Table 6-17
depicts such a scheme.
PART III
Organizations also need to determine how frequently to perform their assessments of
third parties. Table 6-18 shows a sample scheme of assessment frequency.
Some organizations have hundreds to thousands of third-party service providers that
require assessments, with the largest organizations having tens of thousands of third
parties. Risk tiering is performed precisely because organizations work with so many
third parties, and the various types of assessments are time-consuming and expensive to
perform. This is why the most thorough assessments are performed only on those that
represent the highest risk.
• Security policy
• Security controls
• Security awareness training records
• New-hire checklists
• Details on employee background checks (not necessarily actual records but a
description of the checks performed)
• Nondisclosure and other agreements required to be signed by employees
(not necessarily signed copies but blank copies)
• Vulnerability management process
• Secure development process
CISM Certified Information Security Manager All-in-One Exam Guide
360
• Copy of general insurance and cyber-insurance policies
• Incident response plan and evidence of testing
Because a large organization’s third-party providers access, store, and process data in
a variety of different ways, the organization may choose to send out different versions
of questionnaires appropriate to one or more categories of risk or business operation, to
ensure that the majority of questions asked are relevant. Otherwise, large portions of a
questionnaire may be irrelevant, which could be frustrating to third parties, which would
rightfully complain of wasted time and effort.
Organizations often send different questionnaires according to the third party’s risk
level. For example, third parties deemed to be of the highest risk would be sent extensive
questionnaires that include requests for many pieces of evidence, medium-risk third par-
ties would be sent less lengthy questionnaires, and low-risk third parties would be sent
short questionnaires. Although this practice avoids overburdening low-risk third parties
with extensive questionnaires, it also reduces the burden on the organization, because
someone has to review the questionnaires and attached evidence. An organization with
hundreds of low-risk third-party contracts should avoid being overburdened with analyz-
ing hundreds of questionnaires, each with hundreds of questions, if possible.
Risk Treatment
Organizations that carefully examine the information provided from the third parties
may discover some unacceptable practices or situations. In these cases, the organization
can analyze the matter and decide on a course of action. For instance, suppose a highly
critical third party indicates that it does not perform annual security awareness train-
ing for its employees, and the organization finds this unacceptable. To remedy this, the
organization analyzes the risk (in a manner not unlike any risk found internally) and
decides on a course of action: it contacts the third party in an attempt to compel them
to institute annual training.
Sometimes, a deficiency in a third party is not so easily resolved. For example, suppose
a third party that has been providing services for many years indicates in its annual ques-
tionnaire that it does not use encryption on the most sensitive data it stores. At the onset
of the business relationship, this was not a common practice, but it has since become a
common practice in the organization’s industry. The service provider, when confronted
with this, explains that it is not operationally feasible to implement encryption of stored
data in a manner acceptable to the organization, mainly for financial reasons, and because
of the significant cost impact on its operations, the third party would have to increase its
prices. In this example, the organization and the third party would need to discover the
best course of action to ensure that the organization can determine an acceptable level of
risk and associated cost.
• Service level agreement The SLA should provide details on every avenue of work
performance and communication, including escalations and problem management.
• Quality Depending upon the product or service, this may translate into an error
or defect rate, a customer satisfaction rate, or system performance.
• Security policy and controls Whether the outsourcing firm is safeguarding
the organization’s intellectual property, keeping business secrets, or protecting
PART III
information about its employees or customers, the contract should spell out the
details of the security controls that it expects the outsourcing firm to perform.
The organization should also require periodic third-party audits and the results
of those audits. The contract should contain a “right to audit” clause that allows
the outsourcing organization to examine the work premises, records, and work
papers on demand.
• Business continuity The contract should require the outsourcing firm to have
reasonable measures and safeguards in place to ensure resilience of operations
and the ability to continue operations with minimum disruption in the event of
a disaster.
• Employee integrity The contract should define how the outsourcing firm will
vet its employees’ backgrounds so that it is not inadvertently hiring individuals
with a criminal history and so employees’ claimed education and work experience
are genuine.
• Ownership of intellectual property If the outsourcing firm is producing
software or other designs, the contract must define ownership of those work
products and whether the outsourcing firm may reuse any of those work
products for other engagements.
• Roles and responsibilities The contract should specify in detail the roles and
responsibilities of each party so that each will know what is expected of them.
• Schedule The contract must specify when and how many items of work
products should be produced.
• Regulation The contract should require both parties to conform to all applicable
laws and regulations, including but not limited to intellectual property, data
protection, and workplace safety.
• Warranty The contract should specify terms of warranty for the workmanship
and quality of all work products so that there can be no ambiguity regarding the
quality of goods or services performed.
CISM Certified Information Security Manager All-in-One Exam Guide
362
• Dispute and resolution The contract should contain provisions that define the
process for handling and resolving disputes.
• Payment The contract should specify how and when the outsourcing provider
will be paid. Compensation should be tied not only to the quantity but also to
the quality of work performed. The contract should include incentive provisions
for additional payment when specific schedule, quantity, or quality targets are
exceeded. The contract should also contain financial penalties that are enacted
when SLA, quality, security, audit, or schedule targets are missed.
The terms of an outsourcing contract should adequately reward the outsourcing firm
for a job well done, which should include the prospect of earning additional contracts
as well as referrals that will help it to earn outsourcing contracts from other customers.
Security Incidents
If a security incident occurs in a third-party organization, responding to the incident is
more complex, mainly because two or more organizations and their respective security
teams are involved. A security incident at a third-party organization is also an incident
in its customers’ organizations, and each needs to respond to it. If a third-party organiza-
tion’s systems are breached, the third-party must respond and perform all of the steps of
incident response, such as notifying affecting parties, including its customers.
Customers of third-parties have their own incident response to perform. However,
customers are usually not permitted to access detailed event logs or perform forensic
analysis on the third-party provider. Often, customers have to wait until the third party’s
investigation has concluded. Because this can be frustrating to its customers, third parties
can keep their customers informed periodically until the event is closed.
This topic is explored in detail in Chapter 8.
Chapter 6: Information Security Program Management
363
Information Security Program
Communications and Reporting
Communications are the lifeblood of an effective information security program. Lack-
ing effective communications, the security program will have difficulty interacting with
executive management for the exchange of objectives, risk information, and metrics.
Ineffective communications will hamper virtually all other security-related activities and
processes. This section explores the various internal and external parties with whom secu-
rity managers communicate and collaborate.
Security Operations
Security operations are associated with much of the action-oriented activities in an infor-
mation security program, through its monitoring and response processes. Communica-
PART III
tions and reporting from security operations may include the following:
Risk Management
Risk management, the risk analysis and risk treatment function that deals with emerging
risk, should periodically produce management reports so that executive leaders can stay
informed on many aspects of cyber risk in the organization. Risk management reporting
CISM Certified Information Security Manager All-in-One Exam Guide
364
consists of a periodic snapshot of the risk register, including changes in overall secu-
rity posture, new risks, changes in existing risks, and those risks that have been treated.
Reporting would also include tracking of risk remediation and whether it is being per-
formed on schedule and within budget.
Trends in risk management reporting could include risk treatment decisions by risk
magnitude, indicating whether an organization’s risk appetite is increasing, decreasing,
or staying the same, and the time taken to complete remediation. Reporting may be
misleading if it includes only the numbers of items in the risk register and the number of
items being selected for risk treatment.
Internal Partnerships
No security manager can hope to accomplish much if they work alone. Effective infor-
mation security and information risk is a team sport, and each player on the team can
help the security manager in different ways. Further, communication with other cor-
porate departments and business units helps to keep the security manager informed on
matters of importance.
An effective way to build those partnerships while increasing the effectiveness of the
program is to “deputize” team members from other groups. For example, the security
manager can partner with administrative assistants, who will lead the data retention pro-
gram in their respective departments. Or the security manager may designate a person in
another business unit (BU) to serve as the information security liaison to share guidance
with the BU and report possible risks or issues that impact information security in the
organization. None of this is possible unless proper training is provided to the other team
members, and time must be allocated for them to fulfil those added duties.
Legal
In most organizations, the legal department functions as the organization’s de facto
business risk office, through the negotiation of contract terms with service providers,
customers, and other parties. Legal generally always attempts to tip risk in favor of
the organization.
Legal and information security can collaborate on the security clauses in almost any
contract with customers, suppliers, service providers, and other parties. When other par-
ties send contracts that contain security clauses, the security manager should examine
those clauses to ensure that the organization is able to meet all requirements. Similarly,
when the organization is considering doing business with another party, the security
manager can work with the legal department to make sure that the organization is ade-
quately protected by requiring the other party to take certain steps to protect the orga-
nization’s information.
Sometimes an organization will enter into a business relationship without informing
or consulting with the security manager, who often would want to perform a risk assess-
ment to identify any important risks that should be known. The best arrangement is for
legal to inform the security manager of every new contract it receives so that the security
manager can attempt to identify risks at this late stage.
Chapter 6: Information Security Program Management
365
Human Resources
As the steward for information and many activities regarding employees and other work-
ers, human resources (HR) is another important ally of information security. HR can
bolster the organization’s security in many ways, including the following:
PART III
formally acknowledge receipt of, and pledge conformance to, security policy
and other policies. HR will provision human resource information systems
(HRISs), which in many organizations are integrated into their identity and
access management systems. HR ensures that new employees are assigned to the
correct job title and responsibilities, as in some cases this automatically results
in new employees receiving “birthright” access to specific information systems
and applications.
• Internal transfers HR is responsible for coordinating internal transfers, as
employees change from one position or department to another. Internal transfers
are somewhat different from promotions; in an internal transfer, an employee
may be moving to an entirely different department, where they will need to have
access to completely different information systems and applications. Notifying
security and IT personnel of internal transfers is important so that employees’
former roles in information systems and applications can be discontinued at the
appropriate time, avoiding the phenomena known as accumulation of privileges,
where employees with long tenure accumulate access rights to a growing number
of roles in information systems and applications, thereby increasing various risks.
• Offboarding HR is responsible for processing the termination, or offboarding,
of employees who are leaving the organization for any reason. HR is responsible for
ensuring that security, IT, and other departments are notified of the termination so
that all access rights can be terminated at the appropriate time. (This is especially
important in a dismissal situation, where the organization must “surgically remove”
access at precisely the right moment to avoid the risk of the terminated employee,
in the heat of the moment, from exacting revenge on the organization through
sabotage and other acts.) HR is also responsible for collecting assets issued to a
departing employee such as laptop or tablet computers, mobile devices, and related
peripherals. HR may also require departing employees to sign nondisclosure and/or
noncompete agreements.
CISM Certified Information Security Manager All-in-One Exam Guide
366
• Training In many organizations, HR is the focal point for most or all training
for employees and for keeping records of training. Security awareness training,
which may be administered by HR, is vital. HR in many organizations is also
the focal point for coordinating various communications to employees on topics
including training and security reminders.
• Investigations HR conducts investigations into matters such as employee
misconduct. Where such misconduct involves any improper use of information
systems or computers, HR will partner with information security, which may
conduct a forensic investigation to establish a reliable history of events and
establish a chain of custody should the matter develop into legal proceedings
such as a lawsuit.
• Discipline HR is the focal point for formal disciplinary actions against
employees. From an information security perspective, this includes matters of
violations of security policy and other policies. Generally, the security manager
will present facts and, if requested, an opinion about such matters, but HR
is ultimately responsible for selecting the manner and degree of disciplinary
action, whether that includes verbal and written warnings, demotion, time
off without pay, reduction in compensation, forfeiture of a bonus, removal of
privileges, or dismissal.
Facilities
The facilities function provides stewardship of the workplace to ensure that there is ade-
quate space and support for workers in all office locations. The communication between
facilities and information security includes the following subject matter:
NOTE Although personnel security is cited last in this list, the saety o
personnel should be the highest priority in any organization.
PART III
Information Technology
Information technology and information security represents perhaps the most strategic
partnership that the security manager will establish and develop. Many key functions are
performed by IT that have security ramifications, requiring effective collaboration and
communication between these two teams. These functions include the following:
Systems Development
Systems development includes software development, systems development, integration,
and other activities concerned with the development or acquisition of information sys-
tems for use internally or by customers or partners.
Under guidance from the security manager, systems development will manage the
entire product development life cycle, with security as an integral part at each stage
in the process. Communications and collaboration between systems development and
information security include the following topics:
• Security and privacy by design Several activities ensure that all new offerings,
components, features, and improvements incorporate security and privacy as
part of the design process. This can help the organization avoid issues later in the
development process that may be more costly to remediate.
• Secure development Secure coding ensures that all new and changed software
is free of exploitable defects that could result in security incidents.
• Security testing Several activities fall under the security testing function,
including code-scanning tools used by each developer’s integrated development
environment (IDE), unit and system testing to confirm the correct implementation
of all security requirements, static application security testing (SAST) scanning
tools that are run as part of a nightly build process, and dynamic application
security testing (DAST) scanning tools that identify security defects in running
applications.
Chapter 6: Information Security Program Management
369
• Code reviews Peer reviews of security-related changes to software source code
include security-sensitive functions such as authentication, session management,
data validation, and data segregation in multitenant environments. Some
organizations incorporate code reviews for changes to all software modules.
• Security review of open source software Some organizations perform reviews
of various kinds of some or all open source modules to ensure they are not
introducing unwanted security defects into the software application.
• Developer training Periodic training for developers includes techniques on
secure development, which helps developers avoid common mistakes that result
in security defects that must be fixed later.
• Protection of the development process This includes controls to ensure
that only authorized developers may access source code (and this may include
restrictions on the quantity of source code that a developer can check out at any
PART III
given time), security scans of source code upon check-in, and protection of all
source code.
Procurement
Larger organizations have procurement or purchasing departments that negotiate prices
and business terms for new purchases of hardware, software, and services, as well as
renewals for subscriptions and services. The security manager should consider a busi-
ness relationship with procurement departments. The procurement manager can be sure
to notify the security manager whenever any new purchase of hardware and software
products or related services is being considered. This enables the security manager to
begin any needed due diligence related to the product or service being considered and
can weigh in with messaging concerning risks and any needed controls or compensating
controls to keep risk within accepted tolerances.
Internal Audit
Virtually all U.S. public companies, and many private companies, have an internal
audit (IA) function whose main mission is assurance through independent audits of
policies and controls. Although IA departments cannot stipulate how controls, policies,
and processes should be designed and operated, IA can still be a collaborative partner on
controls, policies, and processes by telling IT, information security, and others whether
those controls, policies, and processes can be audited as designed.
External Partnerships
Successful information security is possible only when the security manager communicates
and has established relationships with key external organizations. Those key organiza-
tions can be identified according to the organization’s industry sector, relevant regulations,
information systems in use, geographic locations, and similar considerations.
Law Enforcement
A roof is best repaired on a sunny day. Similarly, security managers should communi-
cate and cultivate relationships with key law enforcement agencies and relevant per-
sonnel in those agencies before there is an urgent matter at hand. Organizations and
law enforcement can develop a relationship in which trusted information sharing can
take place; then, when an emergency such as a security breach occurs, law enforcement
will be familiar with the organization and its key personnel and will be able to respond
appropriately.
Organizations may benefit by developing relationships with the following agencies:
• United States The Federal Bureau of Investigation (FBI), Secret Service (for
organizations dealing in large volumes of credit card transactions), Cybersecurity
and Infrastructure Security Agency (CISA), and city and state police cybercrime
units, plus InfraGard (www.infragard.org/), a public–private partnership between
the FBI and private organizations
• Canada The Royal Canadian Mounted Police (RCMP) and city and provincial
cybercrime units
• United Kingdom Security Service (aka MI5, Military Intelligence, Section 5)
and city and county cybercrime units
• Globally International Criminal Police Organization (Interpol)
Chapter 6: Information Security Program Management
371
NOTE Some agencies conduct public and business outreach to inorm
businesses about local crime trends and methods o asset protection, and
many law enorcement agencies conduct a periodic “citizens’ academy,” which
provides an insider look at the agencies and their mission and practices.
The FBI Citizens’ Academy (www.bi.gov/about/community-outreach) is
noteworthy in this regard.
PART III
mood and talk about work or non-work-related matters.)
Standards Organizations
Numerous standards organizations exist in the information security industry, and a mul-
titude of others exist in all other industry sectors. In the information security industry
itself, being involved in standards organizations avails the security manager of “insider”
information such as “sneak previews” of emerging and updated standards, as well as
learning opportunities and even conferences and conventions. These organizations
include the following:
• PCI Security Standards Council Involved with protection of credit card data
for banks, issuers, processors, and merchants; well-known for PCI DSS and other
standards (www.pcisecuritystandards.org)
• Cloud Security Alliance Creates security standards frameworks for cloud-based
service providers (https://cloudsecurityalliance.org/)
• Information Security Forum (ISF) Publishes “Standard of Good Practice for
Information Security” (www.securityforum.org)
• International Organization for Standardization (ISO) and International
Electrotechnical Commission (IEC) Development of international standards
on numerous topics including security management and IT service management
(www.iso.org and www.iec.ch)
• National Institute for Standards and Technology (NIST) Offers a vast library
of special publications on cybersecurity (https://csrc.nist.gov/publications/sp)
Professional Organizations
The information security profession is challenging, not only because of the conse-
quences of ineffective security programs but also because of the high rate of innovation
that takes place. Professional organizations such as the following help to fill the need for
CISM Certified Information Security Manager All-in-One Exam Guide
372
valuable information through training, professional certifications, local chapter organi-
zations, and conferences:
PART III
purpose of relationship building. A new vendor may offer a product that is a competitor
of a product already used in the security manager’s organization, or the vendor may offer
a product or service that the organization does not currently use. These relationships
help the security manager understand the capabilities that she could utilize in the future.
Compliance Management
Compliance is the state of conformance to applicable policies, standards, regulations, and
other requirements. It is the process by which the security manager determines whether
the organization’s information systems, processes, and personnel conform to those
things. When a security manager develops or adopts a control framework and identifies
applicable regulations and legal requirements, he then sees to it that controls and other
measures are implemented. Then, as part of the risk management life cycle, he examines
those controls, processes, and systems to determine whether they are in compliance with
internal and external requirements. As discussed throughout this book, these activities
include external audits, internal audits, reviews, and control self-assessments.
As they do with other life cycle processes, security managers need to report on the
organization’s compliance with policies, standards, regulations, and other cybersecurity
related legal obligations. Only then can management understand the organization’s com-
pliance posture and be aware of any compliance issues that warrant attention.
Compliance or Security
Security consultants who work with numerous client organizations often observe
the ways that organizations treat asset protection. Organizations seem to fall into
one of two categories:
Security professionals often disagree on many topics, but generally they agree on
this: being compliant is not the same things as being secure.
Applicability
Security managers often find that compliance is complicated by multiple, overlapping
standards, regulations, and other legal requirements, each of which may be applicable
to various portions of the organization. To understand the coverage of these require-
ments, the security manager can develop a compliance matrix such as the one shown
in Table 6-19.
Properly determining applicability helps the security manager better understand what
is required of individual information systems and the processes they support. Any orga-
nization would be overspending without necessarily reducing risk if it simply applied
the requirements from all regulations and other legal obligations to all of its information
systems. The result may be a more consistent application of controls but certainly a more
expensive application as well. For most organizations, the resources required to develop
the means of compliance to applicable regulations is less than the resources required to
apply all required controls by all regulations to all systems.
Compliance Risk
As the security manager performs risk assessments and populates the risk register with risk
matters requiring discussion and treatment, the security manager should not overlook
compliance risk. Compliance risk is associated with any general or specific consequences of
the failure to be compliant with an applicable law or other legal obligation.
• Sensitive data exposure The risk register indicates that such sensitive data
could be misused by internal personnel, and it may be discovered by a malicious
outsider. The costs associated with a forensic investigation, along with potential
mitigation costs such as payment for credit monitoring for victims, would be
included in the total cost incurred by the organization should this information
be compromised.
• Fines and sanctions The risk register notes that the organization could face fines
and other sanctions should the organization’s PCI regulators (namely, banks and
payment processors) learn of this. The fines and other sanctions are the potential
unplanned costs that the organization may incur upon regulators’ discovery of this.
PART III
Compliance Enforcement
As the security manager reviews the results of internal and external audits, control self-
assessments, and other examinations of systems and processes, she will need to weigh
not only the direct risks associated with any negative findings but also the compliance
risk. The security manager can apply both of these considerations in any discussions and
proceedings during which others in the organizations are contemplating their response
to these compliance items.
As a part of a metrics program, the security manager will report on the state of compli-
ance to senior management. Matters of compliance will be reflected in metrics as areas
of higher risk, whether these are risks of breach and/or risks of compliance to external
regulations with potentially public consequences.
Compliance Monitoring
Rules, regulations, and standards are ever-changing. Information security organizations
must find a way to stay current with regard to these changes, so that the organization
can proactively plan and anticipate changes that must be made to maintain an acceptable
compliance posture. Information security departments often collaborate with corporate
legal departments that consume subscription services that inform the organization of
changes in laws and regulations. Otherwise, organizations would need to spend consider-
able time researching applicable laws to be aware of important changes.
Technical Architecture
Monitoring and reporting on technical architecture can help the organization under-
stand the progress being made on the theme of security by design. However, security
managers reporting on trends in technical architecture need to understand that some
types of measurements may be misunderstood. For instance, one could expect that the
number of incidents related to the technical environment should decrease as more of the
environment is aligned with better architecture models such as zero trust. However, at
the same time, event detection capabilities could also improve, yielding an increase in the
number of events. This could be interpreted as the new architecture being more vulner-
able, but it could also be an indication of improvements in event visibility, meaning that
a greater number of undetected events were occurring in older environments.
Personnel Management
In all but the smallest organizations where the security manager acts alone, personnel
management is an important aspect of information security management. In many orga-
nizations, information security is staffed with a team ranging from two to dozens of
people. The security manager is responsible for all aspects of the security team, starting
with identifying and hiring candidates, assigning and supervising work, developing new
skills, and developing the security team’s “culture within a culture.” All of this requires
intentional communication and monitoring.
PART III
the difference between roles and responsibilities. A role is a designation that denotes an
associated set of responsibilities, knowledge, skills, and attitudes. Example roles include
security manager, security engineer, and security analyst. A responsibility is a stated expec-
tation of activities and performance. Example responsibilities include running weekly
security scans, performing vendor risk assessments, and approving access requests.
As a security manager analyzes all the required activities in a security team, she may
take the approach of listing all the activities, along with estimates of the number of hours
per week or hours per month required to perform them. Next, she will group these activi-
ties according to subject matter, skill levels, and other considerations. As the associated
workloads are tallied, the number of people required will become evident. Then, these
groups of responsibilities can be given roles, followed by job titles.
Most security managers, however, do not have an opportunity to build and staff a
program from scratch; instead, they are inheriting an existing program from a previous
manager. Still, these activities can serve to delineate all required activities, calculate or
observe levels of effort, and confirm that roles and responsibilities are assigned to the
right personnel who have the required skills and experience to carry them out properly.
Job Descriptions
A job description is a formal description of a position in an organization and usually
contains a job title, work experience requirements, knowledge requirements, and respon-
sibilities. Job descriptions are used when an organization is seeking to fill a new or vacant
position. The job description will be included in online advertisements to attract poten-
tial candidates. In most organizations, HR is the steward of job descriptions. However,
when positions become vacant or new positions are opened, HR often will consult with
the hiring manager to ensure that the contents of a job description are still accurate and
up-to-date.
Job descriptions are also a tool used in professional development. Managers and
leadership can develop career paths that represent a person’s professional growth through
a progression of promotions or transfers into other positions. Job descriptions are a
primary means for a worker to understand what another position is like; interviewing
CISM Certified Information Security Manager All-in-One Exam Guide
378
people who are already in a desired position is another means for gaining insight into a
position that someone aspires to. A small but effective way to drive a culture of security
is to add in specific language regarding the responsibilities that each role plays in pro-
tecting the organization’s data and systems used in storing, processing, and transmitting
that data.
Culture
As discussed in Chapter 1, culture is the collective set of attitudes, practices, communica-
tion, communication styles, ethics, and other behavior in an organization. Culture can
be thought of as the collective consciousness of the workers in an organization. It’s hard
to describe an organization’s culture because it has to be experienced to be understood.
Security managers seek to understand an organization’s culture so that they may be
better and more effective change agents. In organizations that do not regard informa-
tion security as an important activity, security managers must work to understand the
culture and make subtle changes to improve awareness of information security in a form
that most workers can understand. Security awareness training, with its attendant mes-
saging from executives, is often regarded as a catalyst for making those subtle changes
to the culture.
Security managers and their teams occasionally find they need to develop a “culture
within a culture.” The rest of an organization with a laissez-faire attitude toward security
may have some catching up to do, but the security team already “gets it”—the ever-
conscious awareness of day-to-day activities and whether they are handling and protect-
ing data and systems properly.
NOTE With our codes o ethics rom ISACA and other security proessional
organizations, we are obligated to conduct ourselves according to a higher
standard, which is a part o the reason or the culture within a culture.
Professional Development
Dedicated and committed technologists have a built-in thirst for knowledge and for
expanding their boundaries. Information security professionals should have this thirst
“on steroids,” because the velocity of change is higher than that in other aspects of infor-
mation technology. Cyber-criminal organizations are innovating their malware and other
attack techniques, manifested through breaches using increasingly novel methods; secu-
rity tools vendors are innovating their detective and protective wares; security organiza-
tions are continually improving many aspects of security management, including control
frameworks, auditing techniques, and security awareness messaging. It’s been said that
information security professionals must spend four hours each week reading up on these
and other new developments just to keep from falling behind. Security managers need to
be aware of the present knowledge and skills that each security team member possesses
today, what skills are needed in the team in the future, and the professional growth aspi-
rations that drive each team member. Several avenues for professional development are
discussed here.
Chapter 6: Information Security Program Management
379
Career Paths A career path is the progression of job responsibilities and job titles that a
worker will attain over time. Generally, a worker who is aware of a potential career path
within their organization is more likely to remain in the organization. Workers who feel
trapped and unable to advance are more likely to consider a position in another organiza-
tion. With the security employment market as tight as it is, any organization that neglects
the topics of professional development and career paths runs the risk of losing good
people. Security managers should be aware of any career paths that have been published
by their organizations; however, since many organizations don’t develop formal career
paths, security managers will want to work one-on-one with each security staff member
to determine what their individual career paths will look like.
There are many fields of specialty in information security, including the following:
• Risk management
Risk analysis
PART III
•
• Information systems auditing
• Penetration testing
• Red / blue / purple team
• Malware analysis
• Security engineering
• Security architecture
• Secure development
• Mobile device security
• Telecommunications and network security
• Social engineering
• Security awareness training
• Forensics
• Cryptography
• Business continuity planning and disaster recovery planning
• Identity and access management
• Identity and access governance
• Data governance and classification
• Threat intelligence
• Third-party risk
• Privacy
Many IT equipment vendors and IT security tools vendors offer security certifications
that represent expertise in various categories of information security. Nearly every major
security tools manufacturer has one or more certifications that can be earned. Here is a
small sampling:
PART III
• Metasploit Pro Certified Specialist from Rapid7
• WhiteHat Certified Secure Developer (WCSD)
Training Another important way to retain talent is to provide training for security
staff. Again, because security professionals can be afflicted with boredom, they are
happiest when they are learning new things. Security managers may fear that if they
provide too much training, personnel might leave for greener pastures—but what may
happen if they don’t provide enough training? Their personnel would almost certainly
feel trapped and be compelled to leave with even more fervor.
Typical organizations provide one week of security training for security professionals.
Ideally this means that a security professional is able to attend a one-week conference of
her choice. Other companies will pay for web-based training or a number of one-day
training courses. One week of training is considered the minimum required for security
professionals to stay current in their chosen field. Additional training will be required for
security professionals who want to move into a specialty area. Many employers reimburse
college and university tuition, often with a yearly cap. This can provide a means for secu-
rity personnel who want to pursue an undergraduate or graduate degree in information
security and related fields.
Personnel-Related Reporting
Reporting that is related to personnel management and development may include the
following:
Budget
Budgeting is an essential part of long-term planning for information security and argu-
ably a more difficult undertaking than it is for many other departments. Although the
development of an information security strategy (in terms of the capabilities needed)
is somewhat more straightforward, obtaining management support for the funding
required to realize the strategy can be quite difficult. When executive management
does not understand the strategic value of information security, the prospect of fund-
ing activities that result in existing business capabilities or capacity seems far different
from funding information security, which results in no changes in business capabilities
or capacity.
Chapter 6: Information Security Program Management
383
The activities that the security manager needs to include in budgets include the
following:
PART III
• Maintenance of documents and records
• Team building and recognition
• Contingencies
Often, security managers undertake a detailed analysis on the work required for each
function in information security. For instance, a security manager may track time spent
on routine processes as well as anticipated but unplanned activities such as incident
response and investigations.
IT Service Management
IT service management (ITSM) is the set of activities that occur to ensure that the delivery
of IT services is efficient and effective, through active management and the continuous
improvement of processes. ITSM consists of several distinct activities:
• Service desk
• Incident management
• Problem management
• Change management
• Configuration management
• Release management
• Service-level management
• Financial management
• Capacity management
• Service continuity management
• Availability management
Each of these activities is described in detail in this section.
CISM Certified Information Security Manager All-in-One Exam Guide
384
ITSM is defined in the IT Infrastructure Library (ITIL) process framework, a well-
recognized standard. The content of ITIL is managed by AXELOS. ITSM processes can
be audited and registered to the international ISO/IEC 20000:2011 standard.
Service Desk
Often known as the help desk, the IT service desk handles incidents and service
requests on behalf of customers by acting as a single point of contact. The service desk
performs end-to-end management of incidents and service requests (at least from the
perspective of the customer) and is also responsible for communicating status reports
to the customer.
The service desk can also serve as a collection point for other ITSM processes, such as
change management, configuration management, service-level management, availability
management, and other ITSM functions. A typical service desk function consists of
frontline analysts who take calls from users. These analysts perform basic triage and are
often trained to perform routine tasks such as password resets, troubleshoot hardware
and software issues, and assist users with questions and problems with software pro-
grams. When analysts are unable to assist a user, the matter is typically escalated to a
subject-matter expert who can provide assistance.
Incident Management
ITIL defines an incident as “an unplanned interruption to an IT Service or reduction
in the quality of an IT service. Failure of a configuration item that has not yet affected
service is also an incident—for example, failure of one disk from a mirror set.” ISO/IEC
20000-1:2011 defines an incident as an “unplanned interruption to a service, a reduction
Chapter 6: Information Security Program Management
385
in the quality of a service or an event that has not yet impacted the service to the cus-
tomer.” Thus, an incident may be any of the following:
• Service outage
• Service slowdown
• Software bug
PART III
Regardless of the cause, incidents are a result of failures or errors in any component or
layer in IT infrastructure. In ITIL terminology, if the incident has been experienced and
its root cause is known, it is considered a known error. If the service desk is able to access
the catalog of known errors, this may result in more rapid resolution of incidents, result-
ing in less downtime and inconvenience. The change management and configuration
management processes are used to make modifications to the system to fix the problem
temporarily or permanently. If the root cause of the incident is not known, the incident
may be escalated to a problem, which is discussed in the next section.
Problem Management
When several incidents have occurred that appear to have the same or a similar root
cause, a problem is occurring. ITIL defines a problem as “a cause of one or more inci-
dents.” ISO/IEC 20000-1:2011 defines a problem as the “root cause of one or more
incidents” and continues by stating, “The root cause is not usually known at the time a
problem record is created and the problem management process is responsible for further
investigation.”
The overall objective of problem management is a reduction in the number and sever-
ity of such incidents. Problem management can also include some proactive measures,
including system monitoring to measure system health and capacity management, which
will help management forestall capacity-related incidents.
Examples of problems include the following:
Change Management
Change management involves using a set of processes to ensure that all changes performed
in an IT environment are controlled and performed consistently. ITIL defines change
management as follows: “The goal of the change management process is to ensure that
standardized methods and procedures are used for efficient and prompt handling of
all changes, in order to minimize the impact of change-related incidents upon service
quality, and consequently improve the day-to-day operations of the organization.”
The main purpose of change management is to ensure that all proposed changes to
an IT environment are vetted for suitability and risk and to ensure that changes will not
interfere with one another or with other planned or unplanned activities. To be effective,
each stakeholder should review all changes so that every perspective of each change is
properly reviewed.
A typical change management process is a formal “waterfall” process that includes the
following steps:
1. Proposal or request The person or group performing the change issues a change
proposal, which contains a description of the change, the change procedure,
the IT components that are expected to be affected by the change, a verification
procedure to ensure that the change was applied properly, a back-out procedure in
the event the change cannot be applied (or failed verification), and the results of
tests that were performed in a test environment. The proposal should be distributed
to all stakeholders several days prior to its review.
2. Review Typically in a meeting or discussion about the proposed change, the
personnel who will be performing the change discuss the change and answer
any of the stakeholders’ questions. Because the change proposal was distributed
earlier, each stakeholder should have had an opportunity to read about the
proposed change in advance of the review. Stakeholders can discuss any aspect of
the change during the review. They may agree to approve the change, or they may
request that it be deferred or that some aspect of the proposed change be altered.
3. Approval When a change has been formally approved in the review step, the
person or group responsible for change management recordkeeping will record the
approval, including the names of the individuals who consented to the change. If,
however, a change has been deferred or denied, the person or group that proposed
the change will need to make alterations to the proposed change so that it will be
acceptable, or they can withdraw the change altogether.
Chapter 6: Information Security Program Management
387
4. Implementation The actual change is implemented per the procedure
described in the change proposal. Then the personnel identified as the change
implementers perform the actual change to the IT systems identified in the
approved change procedure.
5. Verification After the implementers have completed the change, they will
perform the verification procedure to make sure that the change was implemented
correctly and that it produces the desired result. Generally, this will involve one
or more steps, including the gathering of evidence (and directions for confirming
correct versus incorrect change) that shows the change was performed correctly.
This evidence will be filed with other records related to the change and may be
useful in the future, especially if the change is suspected to be the root cause of
any problems encountered in the system where this change is made.
6. Post-change review Some or all changes in an IT organization will be reviewed
PART III
after the change is implemented. The personnel who made the change discuss it
with other stakeholders to learn more about the change and whether any updates
to future changes may be needed.
These activities should be part of a change control board (CCB) or change advisory
board (CAB), a group of stakeholders from IT and every group that is affected by
changes in IT applications and supporting infrastructure.
Emergency Changes
Although most changes can be planned in advance using the change management pro-
cess described here, there are times when IT systems need to be changed right away. Most
change management processes include a process for emergency changes that details most
of the steps in the nonemergency change management process, but they are performed
in a different order. The steps for emergency changes are as follows:
1. Emergency approval When an emergency situation arises, the staff members
attending to the emergency should seek management approval for the proposed
change via phone, in person, or in writing (typically, e-mail). If the approval was
granted by phone or in person, e-mail or other follow-up is usually performed.
Who can approve these emergency changes should be designated in advance.
CISM Certified Information Security Manager All-in-One Exam Guide
388
2. Implementation The staff members perform the change.
3. Verification Staff members verify that the change produced the expected result.
This may involve other staff members from other departments or end users.
4. Review The emergency change is formally reviewed, which may be performed
alongside nonemergency changes with the change control board, the same group
of individuals who discuss nonemergency changes.
As with nonemergency changes, emergency changes should be recorded and available
for future reference.
Configuration Management
Configuration management (CM) is the process of recording and maintaining the
configuration of IT systems. Each configuration setting is known in ITSM parlance as a
configuration item (CI). CIs usually include the following:
Release Management
Release management is the ITIL term used to describe the portion of the SDLC where
changes in applications are placed into production service. Release management is used to
control the changes that are made to software programs, applications, and environments.
PART III
The release process is used for several types of changes to a system, including the
following:
• Incidents and problem resolution Casually known as bug fixes, these types
of changes occur in response to an incident or problem, where it has been
determined that a change to application software is the appropriate remedy.
• Enhancements New functions in an application are created and implemented.
These enhancements may have been requested by customers, or they may be a
part of the long-range vision on the part of the designers of the software program.
• Subsystem patches and changes Changes in lower layers in an application
environment may require a level of testing that is similar to what is used when
changes are made to the application itself. Examples of changes are patches,
service packs, and version upgrades to operating systems, database management
systems, application servers, and middleware.
The release process is a sequential process—that is, each change that is proposed to a
software program will be taken through each step in the release management process. In
many applications, changes are usually assembled into a “package” for process efficiency
purposes: it is more effective to discuss and manage groups of changes than it would be
to manage individual changes.
The steps in a typical release process are preceded by a typical SDLC process:
1. Feasibility study Activities that seek to determine the expected benefits of a
program, project, or change to a system.
2. Requirements definition Each software change is described in terms of a feature
description and requirements. The feature description is a high-level explanation
of a change to software that may be described using business terms. Requirements
are the detailed statements that describe a change in enough detail for a developer
to make changes and additions to application code that will provide the desired
functionality. Often, end users will be involved in the development of requirements
so that they may verify that the proposed software change is really what they desire.
CISM Certified Information Security Manager All-in-One Exam Guide
390
3. Design After requirements have been developed, a programmer/analyst
or application designer will create a formal design. For an existing software
application, this will usually involve changes to existing design documents and
diagrams, but for new applications, the design will need to be created from scratch
or copied from similar designs and modified. Regardless, the design will have a
sufficient level of detail to permit a programmer or software engineer to complete
development without having to discern the meaning of requirements or design.
4. Development When requirements and design have been completed, reviewed,
and approved, programmers or software engineers begin development. This involves
actual coding in the chosen computer language with approved development tools,
as well as the creation or update to ancillary components, such as a database design
or application programming interface (API). Developers will often perform their
own unit testing, where they test individual modules and sections of the application
code to make sure that it works properly.
5. Testing When the developers have finished coding and unit testing, a more
formal and comprehensive test phase is performed. Here, analysts, dedicated
software testers, and perhaps end users will test all of the new and changed
functionality to confirm that it is performing according to requirements.
Depending on the nature of the changes, some amount of regression testing is also
performed, where functions that were confirmed to be working properly in prior
releases are tested again to make sure that they continue to work as expected.
Testing is performed according to formal, written test plans that are designed to
confirm that every requirement is fulfilled. Formal test scripts are used, and the
results of all tests should be recorded and archived. The testing that users perform
is usually called user acceptance testing (UAT). Often, automated test tools are used,
which can make testing more accurate and efficient. After testing is completed, a
formal review and approval are required before the process is allowed to continue.
6. Implementation Next, the software is implemented on production systems.
Developers hand off the completed software to operations personnel, who install
it according to instructions created by developers. This could also involve the use
of tools to make changes to data and database design to accommodate changes
in the software. When changes are completed and tested, the release itself is
prepared and deployed.
a. Release preparation When UAT and regression testing have been completed,
reviewed, and approved, a release management team will begin to prepare the
new or changed software for release. Depending upon the complexity of the
application and of the change itself, release preparation may involve not only
software installation but also the installation or change to database design, and
perhaps even changes to customer data. Hence, the software release may involve
the development and testing of data conversion tools and other programs that
are required so that the new or changed software will operate properly. As with
testing and other phases, full records of testing and implementation of release
preparation details need to be captured and archived.
Chapter 6: Information Security Program Management
391
b. Release deployment When release preparation is completed (and perhaps
reviewed and approved), the release is installed on the target systems. Personnel
deploying the release will follow the release procedure, which may involve
the use of tools that will make changes to the target system at the operating
system, database, or other level; any required manipulation or migration
of data; and the installation of the actual software. The release procedure
will also include verification steps that will be used to confirm the correct
installation of all components.
7. Post-implementation A post-implementation review examines matters of
system adequacy, security, return on investment (ROI), and any issues encountered
during implementation.
PART III
Many organizations utilize a “gate process” approach in their release management process,
in which each step of the process undergoes formal review and approval before the next
step is allowed to begin. For example, suppose a formal design review will be performed
and attended by end users, personnel who created requirements and feature description
documents, developers, and management. If the design is approved, development may
begin. But if questions or concerns are raised in the design review, the design may need to
be modified and reviewed again before development is allowed to begin.
Agile processes utilize gates as well, although the flow of Agile processes is often
parallel rather than sequential. The concept of formal reviews is the same, regardless of
the SDLC process in use.
Service-Level Management
Service-level management is composed of the set of activities that confirms whether the
IT department is providing adequate service to customers. This is achieved through
continuous monitoring and periodic review of IT service delivery.
An IT department often plays two different roles in service-level management: As a
provider of service to its own customers, the department will measure and manage the
services that it provides directly. Also, many IT departments directly or indirectly manage
services that are provided by external service providers. Thus, many IT departments
are both service provider and customer, and often the two are interrelated, as depicted
in Figure 6-15.
Financial Management
Financial management for IT services consists of several activities, including the following:
• Budgeting
• Capital investment
• Expense management
• Project accounting and project ROI
CISM Certified Information Security Manager All-in-One Exam Guide
392
Figure 6-15
The dierent External
Services to Service
perspectives o Internal IT Provider
the delivery o IT Department
services
Services delivered directly
from external service provider
to customer.
Internal
IT Services provided from
Department external service provider to
customer with local IT department
involvement or value-add.
Services
to
Customers Customers
IT financial management is the portion of IT management that takes into account the
financial value of IT services that support organizational objectives.
Capacity Management
Capacity management is a set of activities that confirms there is sufficient capacity in
IT systems and IT processes to meet service needs. Primarily, an IT system or process
has sufficient capacity if its performance falls within an acceptable range, as specified in
SLAs. Capacity management is not just a concern for current needs; it must also be con-
cerned about meeting future needs. This is attained through several activities, including
the following:
PART III
Service Continuity Management
Service continuity management is the set of activities that is concerned with the ability of
the organization to continue providing services, primarily in the event that a natural or
manmade disaster has occurred. Service continuity management is ITIL parlance for the
more common terms business continuity planning and disaster recovery planning.
Business continuity is discussed in Chapter 7.
Availability Management
The goal of availability management is the sustainment of IT service availability in sup-
port of organizational objectives and processes. The availability of IT systems is governed
by the following:
Asset Management
Asset management is the collection of activities used to manage the inventory, classifica-
tion, use, and disposal of assets. It is a foundational activity, without which several other
activities could not be effectively managed, including vulnerability management, device
hardening, incident management, data security, and some aspects of financial manage-
ment. Asset management is discussed fully in Chapter 5.
Continuous Improvement
Continuous improvement represents the desire to increase the efficiency and effectiveness
of processes and controls over time. It could be said that continuous improvement is a
characteristic of an organization’s culture. The pursuit of continuous improvement is a
roundabout way of pursuing quality.
A requirement in ISO/IEC 27001 certification requires that management promote
continual improvement and that security policy include a commitment to the continual
improvement of the information security management system (ISMS). ISO/IEC 27001
also requires that management review the ISMS to identify opportunities for continual
improvement. The standard also explicitly requires organizations to “continually improve
the suitability, adequacy, and effectiveness of its information security management system.”
NIST SP 800-53 Rev 5, “Security and Privacy Controls for Federal Information
Systems and Organizations,” similarly requires that an organization’s risk management
program incorporate a feedback loop for continuous improvement. Control SA-15 (6)
states that the organization must “require the developer of the system, system compo-
nent, or system service to implement an explicit process to continuously improve the
development process.”
The NIST Cyber Security Framework cites the requirement for continuous improve-
ment throughout the standard. For instance, in the seven steps for creating an infor-
mation security program, NIST CSF asserts in section 3.2 that “these steps should be
repeated as necessary to continuously improve cybersecurity.”
Chapter Review
Controls are the procedures, mechanisms, systems, and other measures designed to
reduce risk through compliance to policies. An organization develops controls to ensure
that its business objectives will be met, risks will be reduced, and errors will be prevented
or corrected.
Controls and control frameworks are used to enforce desired outcomes. Controls need
to be carefully considered, as each consumes resources. Security managers need to under-
stand the various types of controls (such as preventive, detective, deterrent, manual,
automatic, and so on) so that the correct types of controls can be implemented.
Chapter 6: Information Security Program Management
395
Controls are classified in multiple dimensions so that security professionals can better
understand and work with them. Control type descriptors include physical, technical,
administrative, preventive, detective, manual, automatic, compensating, and recovery.
An organization’s general computing controls (GCCs) are general in nature and
often implemented in different ways on different information systems, based upon
their individual capabilities and limitations, as well as applicability.
A control framework is a collection of controls that is organized into logical catego-
ries. Well-known control frameworks such as ISO/IEC 27002, NIST SP 800-53, and
CIS CSC are intended to address a broad set of information risks common to most
organizations. A crosswalk maps two or more control frameworks together.
Before a control can be designed, the security manager needs to have some idea of
the nature of risks that a control is intended to address. In a running risk management
program, a new risk may have been identified during a risk assessment that led to the
creation of an additional control.
PART III
After a control has been designed, it should be put into service and then managed
throughout its life. Depending upon the nature of the control, this could involve opera-
tional impact in the form of changes to business processes and/or information systems.
Changes with greater impact will require greater care so that business processes are not
adversely affected.
Controls should include metadata that describes the purpose, applicability, scope,
classification, measurements, testing procedures, cross references, and more.
The implementation of a new control should be guided by formal processes, not unlike
that of systems development: a new control should have a control objective, a design that
is reviewed by stakeholders, a test plan that is carried out with results reviewed, a formal
authorization to implement the control, and IT and business change management pro-
cesses to plan its implementation.
Controls that have been placed into service will transition into routine operations.
Control owners will operate their controls and try to be aware of any problems, espe-
cially early on. Whether controls are automatic or manual, preventive or corrective, their
owners are responsible for ensuring that their controls operate correctly in every respect.
It is essential for security managers to understand the technology underpinnings of
controls to ensure effective design and operation.
Any organization that implements controls to address risks should periodically exam-
ine those controls to determine whether they are working as intended and as designed.
SOC 1 and SOC 2 audits provide assurances of effective control design (Type I and
Type II) and implementation (Type II only) in third-party service providers.
An essential function in information security management is the set of activities that
determines whether security safeguards are in place and working properly. These activi-
ties range from informal security reviews to formal and highly structured security audits.
An audit is a systematic and repeatable process whereby a competent and independent
professional evaluates one or more controls, interviews personnel, obtains and analyzes
evidence, and develops a written opinion on the effectiveness of a control.
A control self-assessment (CSA) methodology is used by an organization to review
key business objectives, risks related to achieving these objectives, and the key controls
designed to manage those risks.
CISM Certified Information Security Manager All-in-One Exam Guide
396
Personnel are the primary weak point in information security, mainly because of
lapses in judgment, inattentiveness, fatigue, work pressure, or a shortage of skills.
Personnel are generally considered the largest and most vulnerable portion of an orga-
nization’s attack surface.
Third-party risk management is a critical activity that attempts to identify risks in
third-party organizations that have access to critical or sensitive data or that perform
critical operational functions. Various techniques are needed to identify and manage
risks, because many third parties are less than transparent about their internal operations
and risks.
Third parties are assessed mainly through the use of questionnaires and requests for
evidence that are sent to them by organizations. Most organizations depend on large
numbers of third-party services, so they employ a risk tier scheme to identify the third
parties that are the most critical to the organization. Third parties at a higher level of risk
undergo more frequent and rigorous risk assessments, while those at lower levels undergo
less frequent and less rigorous risk assessments.
The management of business relationships with third parties is a life-cycle process.
The life cycle begins when an organization contemplates the use of a third party to aug-
ment or support the organization’s operations in some way. The life cycle continues dur-
ing the ongoing relationship with the third party and concludes when the organization
no longer requires the third party’s services.
Communications is the lifeblood of an effective information security program. Lacking
effective communications, the security manager will have difficulty interacting with execu-
tive management for the exchange of objectives, risk information, and metrics. Ineffective
communications will hamper virtually all other security-related activities and processes.
Security programs include a variety of administrative activities that are vital to its suc-
cess. One important success factor is the development of strategic partnerships with many
internal departments within an organization, as well as external organizations and agencies.
These partnerships enable the security manager to better influence internal events, learn
more about external events, and obtain assistance from outside entities as needed.
IT service management represents a collection of operational activities designed to
ensure the quality of IT services and includes several business processes such as service
desk, incident management, problem management, change management, configuration
management, release management, service-level management, financial management,
capacity management, service continuity management, and availability management.
Notes
• The most common approach to controls development is the selection of an already-
established control framework, such as those discussed in this chapter. However, an
organization is also free to develop a control framework from scratch.
• In a typical security program, the security manager will select a control framework
as a starting point and then add, change, or remove controls over time as a result of
the risk management process. The initial control framework should be considered
only a starting point and not the set of controls that the organization is required to
manage permanently.
Chapter 6: Information Security Program Management
397
• Security managers prefer preventive controls but will sometimes need to settle on
detective controls.
• The selection of a control framework is less important than the risk management
process that will, over time, mold it into the controls that need to exist.
• Many organizations ruminate over the selection of a control framework. Instead,
each organization should select a framework and then make adjustments to its
controls to suit the business needs. A control framework should generally be
considered a starting point, not a rigid and unchanging list of controls—except
in cases where regulations stipulate that controls may not be changed.
• Many organizations need to implement multiple control frameworks in response
to applicable regulations and other obligations. In such cases, security managers
should consider mapping them into a single control framework.
PART III
• To the extent than an organization is dependent upon IT for its operations, the
organization is equally dependent upon effective cybersecurity to protect its IT.
• Data backup has always been critical, but the rise in ransomware attacks is
highlighting the value of backups for business owners.
• Audit planning is multifaceted and includes scope, purpose, methodology,
and audience.
• To be effective, security awareness training needs to be relevant and engaging.
• Third-party risk management is best thought of as an extension of an organization’s
risk management program, with special procedures for conducting risk assessments
of third-party organizations that store, process, or transmit sensitive or critical data
on behalf of the organization or that perform critical operations.
• Classifying third parties into risk-based tiers helps to allocate scarce resources by
focusing rigorous assessments on third parties based on risk.
• The maturity of an information security program will determine the ability for
meaningful reporting to be developed.
• Without effective IT service management, no security manager can hope that
information security will become truly effective.
• There is always room for improvement.
Questions
1. The most important factor in the selection of a control framework is:
A. Organization maturity
B. Industry relevance
C. Risk tolerance
D. Risk appetite
CISM Certified Information Security Manager All-in-One Exam Guide
398
2. The life-cycle process that influences controls over time is known as:
A. Third-party risk management
B. External audit
C. Risk management
D. Internal audit
3. The main reason that preventive controls are preferred over detective controls is:
A. Preventive controls stop unwanted events from occurring.
B. Preventive controls are less expensive to implement.
C. Preventive controls are less expensive to audit.
D. Detective controls are, by definition, ineffective.
4. An organization wants to protect itself from the effects of a ransomware attack.
What is the best data protection approach?
A. Periodically scan data for malware.
B. Replicate data to a cloud-based storage provider.
C. Replicate data to a secondary storage system.
D. Back up data to offline media.
5. The best definition of general computing controls is:
A. Controls that are general in nature and implemented across all systems
B. The basic safeguards required by Sarbanes–Oxley
C. Policies that apply to all systems and applications
D. Controls that are required to be audited annually
6. Which of the following is the best reason for adopting a standard control framework?
A. Controls can be enacted without time-consuming risk assessments.
B. Audits can begin earlier.
C. Audit results will be more favorable.
D. The organization will be considered more progressive.
7. All of the following statements about ISO/IEC 27002 are correct except:
A. ISO/IEC 27002 can be crosswalked to NIST SP 800-53.
B. ISO/IEC 27002 is a well-known international standard.
C. ISO/IEC 27002 is available free of charge.
D. Copies of ISO/IEC 27002 must be purchased.
Chapter 6: Information Security Program Management
399
8. A security manager in a healthcare clinic is planning to implement HIPAA and
PCI DSS controls. Which of the following approaches should be taken?
A. Choose either HIPAA or PCI DSS and use those controls to protect both ePHI
and cardholder data.
B. Enact individual HIPAA and PCI DSS controls per a risk assessment.
C. Define the applicability of HIPAA and PCI DSS to those portions of the
business where ePHI and cardholder data are used.
D. Apply HIPAA and PCI DSS to the entire organization.
9. Which of the following statements correctly describes the link between risk
management and controls?
A. Risk treatment sometimes calls for the enactment of a new control.
PART III
B. Controls define the scope of risk assessments.
C. Controls define the scope of risk management.
D. There is no link between risk management and controls.
10. What organization is the governing body for the PCI DSS standard?
A. ISO
B. NIST
C. PCI Security Standards Council
D. VISA and MasterCard
11. Which of the following solutions is most suitable for the following control
statement: “Safeguards prevent end users from visiting hazardous web sites”?
A. Cloud access security broker
B. Web content filter
C. Virtual private network
D. Antimalware
12. The philosophy of system and data protection that relies on continual evaluation
is known as:
A. Data loss prevention
B. Trust but verify
C. Transitive Trust
D. Zero Trust
CISM Certified Information Security Manager All-in-One Exam Guide
400
13. A review of users’ access to specific information systems is best known as:
A. An audit
B. An activity review
C. A recertification
D. A corrective control
14. The information security department has sent a questionnaire and requests for
evidence to a control owner. This activity is best known as a(n):
A. Control self-assessment
B. Audit
C. Review
D. Investigation
15. The most favored practice for security awareness training is:
A. Training at the time of hire
B. Training at the time of hire and annually thereafter
C. Annual training
D. Reading assignments
Answers
1. B. Organizations looking to select a control framework as a starting point for
controls should select a framework that aligns with the organization’s industry.
For instance, a healthcare organization may start with HIPAA, while a global
manufacturer would likely select ISO/IEC 27002.
2. C. The risk management life cycle, over time, will have the greatest influence on
an organization’s controls. Newly discovered risks can be managed through the
enactment of new controls, for example.
3. A. Preventive controls, when available and feasible, are preferred over detective
controls, because they prevent unwanted events from occurring. Detective
controls, on the other hand, do not prevent events from occurring.
4. D. Backing up data to offline media is the best of these choices. For the most
part, ransomware targets live data storage. Often, data replication capabilities
result in the replication of the encryption to secondary storage systems.
5. A. General computing controls, or GCCs, are general in nature and applied
across most or all information systems and applications. GCC’s are also known as
ITGC’s, or IT General Controls.
6. A. An organization that starts with a standard control framework can enact
controls immediately. Without a standard control framework, time-consuming
risk assessments would need to be conducted to identify risk areas, followed by
control development.
Chapter 6: Information Security Program Management
401
7. C. ISO/IEC 27002, as well as other ISO standards, are not available free of charge
and must be purchased for individual users or with a site license.
8. C. The best approach for enacting controls in a hybrid environment such as this is
to define the scope of applicability for HIPAA controls and for PCI DSS controls.
HIPAA controls shall apply to systems and processes that process electronic
protected healthcare information (ePHI), and PCI DSS controls shall apply to
systems and processes that process cardholder data.
9. A. In the risk management life cycle, risk assessments are performed and new risks
are identified. In risk treatment, sometimes the agreed-upon course of action is the
enactment of a new control to mitigate a new risk.
10. C. The PCI Security Standards Council, a consortium of the world’s leading credit
card brands (VISA, MasterCard, American Express, Discover, and JCB), is the
governing body for the PCI DSS standard and related standards such as PA DSS.
PART III
11. B. A web content filter is the best solution for a control that protects users from
visiting hazardous web sites.
12. D. Zero Trust (ZT) is the philosophy that focuses on system and data protection,
where trust is not granted implicitly but must be continually evaluated at all layers.
13. B. An activity review is a study of users’ access to individual applications or
systems to determine whether they access those applications or systems in a
given period of time. Users who do not access those applications or systems are
candidates for access removal from those systems.
14. A. In a control self-assessment (CSA), a control owner is requested to answer
questions about a control and provide evidence such as a written procedure
and records.
15. B. The best practice for security awareness training consists of training at the time
of hire and annually thereafter. It is important for new workers to be trained on
security protocols and expectations, with periodic reminders to ensure continual
awareness and awareness of new protocols and threats.
This page intentionally left blank
PART IV
Incident Management
Chapter 7 Incident Management Readiness
Chapter 8 Incident Management Operations
This page intentionally left blank
Incident Management
Readiness
CHAPTER
7
In this chapter, you will learn about
• Similarities and dierences between security incident response, business continuity
planning, and disaster recovery planning
• Perorming a business impact analysis and criticality analysis
• Developing business continuity and disaster recovery plans
• Classiying incidents
• Testing response plans and training personnel
405
CISM Certified Information Security Manager All-in-One Exam Guide
406
Our world is full of surprises, including events that disrupt our plans and activities.
In the context of IT and business, several unexpected events can cause significant disrup-
tion to business operations, even to the point of threatening the ongoing viability of the
organization itself. These events include:
• Natural disasters
• Human-made disasters
• Malicious acts
• Cyberattacks
• Changes with unintended consequences
Organizations cannot, for the most part, specifically anticipate these events. Any of
these events may inflict damage on information systems, office equipment, and work
centers, making it necessary for the organization to act quickly to continue business
operations using alternative means. In the case of a cyberattack, it may or may not be
possible to reverse the effects of the attack, eradicate whatever harm was caused to infor-
mation systems, and continue operations on those systems. But in some cases, it may
be necessary for the organization to continue information processing on other systems
until the primary systems can be expunged of their attacker and the damage that has
been inflicted.
Incident management readiness begins with upfront analyses of business processes
and their dependence upon business assets, including information systems. This analysis
includes a big-picture prioritization of business processes and an up-close examination
of business processes and information systems. This is followed by the development of
contingency plans, response plans, and restoration plans. A natural by-product of all of
this effort is improved resilience of business processes and information systems—even if
disruptive events never occur—because overall weaknesses in processes and systems are
identified, leading to steps to make tactical improvements.
This chapter explores the available methods and techniques for responding to these
disruptive events and returning business operations to their normal, pre-event state.
Chapter 8 continues with discussions of incident management tools, techniques, inci-
dent containment, recovery, and post-incident activities.
to discover the techniques used by the attacker to compromise systems so that any vul-
nerabilities can be remediated, thereby preventing similar attacks in the future. Busi-
ness continuity response is required so that the organization can operate critical business
processes without primary processing systems, and disaster recovery planning is needed
to recover its systems and resume normal operations as quickly as possible. Figure 7-1
depicts the relationship between incident response, BCP, and DRP.
PART IV
confidentiality, integrity, and availability (CIA) to become confidentiality, integ-
rity, availability, and safety (CIAS), because many connected devices are directly or
indirectly related to life safety. When you consider capabilities such as Bluetooth-
equipped pacemakers, IV pumps on the network, self-driving cars, autopilots, GPS
navigation, robotic surgery, and other technologies, it is becoming clear that a
computer intrusion can have far-ranging effects that go beyond threats to data.
Security incident response, business continuity, and disaster recovery all require
advance planning so that the organization will have discussed, documented, and out-
lined the responses required for various types of incidents in advance of their occurrence.
Disaster
Onset
Recovery Objectives
Figure 7-1 Relationship between incident response, business continuity planning, and disaster
recovery planning
CISM Certified Information Security Manager All-in-One Exam Guide
408
Risk assessments are the foundation of planning for all three disciplines, because it is
necessary for organizations to discover relevant risks and establish priorities during a
response. Additionally, by taking this proactive approach, the team will have a framework
to lean on for incidents that may not have been considered otherwise.
The improvement of systems and processes is an important byproduct of planning for
security incident response, business continuity, and disaster recovery. Primarily, planning
efforts reveal improvement opportunities that, when implemented, will result in informa-
tion systems being more secure and resilient. These improvements generally mean that
incidents are either less likely to occur or that they will have less impact on the organization.
PART IV
• Distributed denial-of-service (DDoS) attack Similar to a DoS attack, a DDoS
attack emanates simultaneously from hundreds or thousands of computers that
comprise a botnet. A DDoS attack can be difficult to withstand because of the
volume of incoming messages, as well as the large number of attacking systems.
• Encryption or destruction of critical information A ransomware or wiper
attack can result in encrypted or destroyed information.
• Disclosure of sensitive information Any sensitive information may be disclosed
to any unauthorized party.
• Information system theft Laptop computers, mobile devices, and other
information-processing and storage equipment can be stolen, which may
directly or indirectly lead to further compromises. If the stolen device contains
retrievable sensitive information or the means to access sensitive information
stored elsewhere, then what started out as a theft of a tangible asset may expand
to become a compromise of sensitive information as well.
• Information system damage A human intruder or automated malware may
cause temporary or irreversible damage to information or an information system.
This may result in an interruption in the availability of information, as well as
permanent loss of information.
• Information corruption A human intruder or automated malware such as a
worm or virus may damage information stored on a system. This damage may
or may not be readily noticed.
CISM Certified Information Security Manager All-in-One Exam Guide
410
• Misconfiguration An error made by an IT worker can result in data loss or
system malfunction.
• Sabotage A human intruder or automated malware attack may disrupt or
damage information, information systems, or facilities in a single organization,
several organizations in a market sector, or an entire nation.
These examples should give you an idea of the nature of a security incident. Not all
represent cataclysmic events. Other types of incidents may also be considered security
incidents in some organizations.
Here is how the kill chain is used: For each phase, analysts examine their detec-
tive and preventive capabilities that are relevant to the types of activities that an
intruder would be performing. This helps an organization better understand ways
in which they could detect or prevent an attack in each of its phases.
PART IV
developing an incident response plan must first thoroughly understand the organiza-
tion’s business processes and underlying information systems and then discover resource
requirements, dependencies, and failure points. A security manager may first develop a
high-level incident response plan, which is usually followed by the development of sev-
eral incident response playbooks, the step-by-step instructions to follow when specific types
of security incidents occur.
Executive support is essential in incident response plan development, particularly for
escalations and communications. Executives need to be comfortable knowing that low-
severity incidents are competently handled without their being notified every time, for
instance. Also, executives need to know that they will be notified using established pro-
tocols when more serious incidents occur.
Objectives
Similar to any intentional activity, organizations need to establish their objectives prior to
undertaking an effort to develop security incident response plans. Otherwise, it may not
be clear whether business needs are being met. Following are some objectives that may
be applicable to many organizations:
Maturity
When undertaking any effort to develop or improve business processes, an organization
should consider its current and desired levels of maturity. As a quick reminder, the levels
of maturity according to the Capability Maturity Model Integration for Development
(CMMi-DEV) are as follows:
1. Initial. This represents a process that is ad hoc, inconsistent, unmeasured, and
unrepeatable.
2. Repeatable. This represents a process that is performed consistently and with the
same outcome. It may or may not be well documented.
3. Defined. This represents a process that is well defined and documented.
4. Managed. This represents a quantitatively measured process with one or
more metrics.
5. Optimizing. This represents a measured process that is under continuous
improvement.
In addition to the objectives listed previously, a security manager should seek to
understand the organization’s existing level of maturity and its desired level. Increasing
the maturity level of any process or program takes time, and hastening maturity may be
unwise. For example, if an organization’s current maturity for incident response is Initial
and the long-term desired level is Managed, a number of improvements over one or more
years may be required to reach a Managed maturity level.
Resources
Security incident response requires resources; security managers should keep this in mind
when developing incident response plans. Each stage of incident response, from detec-
tion to closure, requires the involvement of personnel with different skill sets, as well
as various tools that enable personnel to detect an incident, analyze it, contain it, and
eradicate it. Various types of incidents require various tools and skills.
Personnel Personnel are the heart of security incident response. Effective security
incident response requires personnel with a variety of skills, including the following:
• Incident detection and analysis Security operations center (SOC) analysts
and other personnel use a variety of monitoring tools that alert them when
actionable events occur. These personnel receive alerts and proceed to analyze
an incident by drilling into the details. These same people may also undertake
threat hunting, proactively searching systems and networks for signs of
reconnaissance, malicious command-and-control (C&C) traffic, and intrusion.
Chapter 7: Incident Management Readiness
413
This function is often outsourced to managed security service providers (MSSPs)
that run large 24/7/365 operations, monitoring hundreds or even thousands of
client organizations’ networks.
• Network, system, and application subject matter experts (SMEs) With
expertise in the network devices, systems, and applications related to alerts, these
personnel can help SOC analysts and others better understand the meaning behind
incidents and their consequences.
• Malware analysis and reverse engineering These personnel use tools to
identify and analyze malware to better understand what it does on a system and
how it communicates with other systems. This helps the organization decide how
to contain the incident and defend itself against similar attacks in the future.
• Forensics These persons use tools and techniques to collect evidence that helps
the organization better understand the nature of the incident. Some evidence
may be protected by a chain of custody in anticipation of later legal proceedings.
• Incident command and control These personnel have expertise in overall
security incident response and take charge during an incident. Generally, this
type of coordination is required only in high-impact incidents involving multiple
parties in an organization, as well as external entities such as customers, regulators,
PART IV
and law enforcement.
• Crisis communications These personnel are skilled in internal communications
as well as communications with external parties, including regulators, shareholders,
customers, and the public.
• Legal / privacy One or more people in an organization’s legal department
will read and interpret applicable laws and make decisions related to external
communications with customers, regulators, law enforcement, shareholders, and
other parties.
• Business unit leaders Also referred to as department heads, these personnel will
be called to make critical business decisions during an incident. Examples include
decisions to take systems offline or transfer work to other processing centers.
• Executives The top leaders in the organization who need to be consistently
informed and who will be called upon to ratify or make important decisions.
• Law enforcement Personnel in external agencies may be able to assist in
incident investigation.
Most of these responsibilities require training, which is discussed later in this chapter.
Outsourcing Incident Response Incident response sometimes involves the use of
forensic tools and techniques by trained and experienced incident response personnel.
Larger organizations may have one or more such personnel on staff, though most orga-
nizations cannot justify the expense of hiring them full-time. Many organizations opt
to utilize forensic experts on an on-demand or contract basis, typically in the form of
incident monitoring and incident response retainers.
CISM Certified Information Security Manager All-in-One Exam Guide
414
Incident Response Tools and Techniques There are many forms of security incident
detection, prevention, and alerting tools essential in incident response. These tools and
techniques are discussed fully in Chapter 8.
Gap Analysis
Prior to the development of a security incident response plan, the security manager
must determine the current state of the organization’s incident response capabilities,
as well as the desired end state (for example, a completed security incident response
plan with specific capabilities and characteristics). A gap analysis is the best way for the
security manager to understand what capabilities and resources are lacking. Once gaps
are known, a strategy for developing security incident response plans will consist of the
creation or acquisition of all necessary resources and personnel.
A gap analysis in the context of security incident response program development is the
same gap analysis activity described in more detail in Chapter 2.
Plan Development
A security incident response plan is a document that defines policies, roles, responsibilities,
and actions to be taken in the event of a security incident. Often, a response plan also
defines and describes roles, responsibilities, and actions that are related to the detection
of a security incident. This portion of an incident response plan is vital, considering the
high velocity and high impact of certain types of security incidents.
A security incident response plan typically includes these sections:
• Policy
• Roles and responsibilities
• Incident detection capabilities
• Playbooks
• Communications
• Recordkeeping
Playbooks Recognizing that there are many types of security incidents, each with its
own impacts and issues, many organizations develop a collection of incident response
playbooks that provide step-by-step instructions for incidents likely to occur in the orga-
nization. A set of playbooks may include procedures for the following incidents:
PART IV
does not absolve an organization from its responsibilities to detect and respond to secu-
rity incidents, however, and this makes incident detection and response more complex.
As a result, organizations need to develop incident response playbooks that are specific to
various incident types at each third party to ensure that the organization will be able to
detect and respond to an incident effectively.
Incident response related to a third-party application or infrastructure often requires
that the organization and each third party understand their respective roles and respon-
sibilities for incident detection and response. For example, software-as-a-service (SaaS)
applications often do not make event and log data available to customers. Instead, orga-
nizations must rely on those third parties to develop and manage their incident detection
and response capabilities properly, including informing affected customers of an incident
in progress. Depending on the architecture of a SaaS solution, both the SaaS provider
and the customer may have their own steps to take during incident response, and some
of those steps may require coordination or assistance from the other party. Joint exercises
between companies and critical SaaS providers help build confidence that their incident
response plans will work.
Periodic Updates All security incident management documents need to be periodi-
cally reviewed by all of the responsible parties, SMEs, and management to ensure that all
agree on the policies, roles and responsibilities, and steps required to detect, contain, and
recover from an incident. Generally, organizations should review and update documents
at least once per year, as well as any time a significant change is made in an organization
or its supporting systems.
CISM Certified Information Security Manager All-in-One Exam Guide
416
• Service outage
• Service slowdown
• Software bug
When IT incidents are combined with security incidents, an organization will be
prepared to respond to most any type of IT or security incident.
PART IV
of the various business units and departments with regard to critical organizational
priorities. Executive-level BIAs can provide broad insight to issues with regard to
departments and their role in critical business processes. If, instead, BIAs began
at the department level, it would be difficult to gauge the relative importance of
one department’s top-criticality processes compared to another department’s top-
criticality processes. Only with insight from top executives can each department be
analyzed in the context of the organization’s overall business priorities.
Figure 7-2 BIA sample intake orm or gathering data about key processes
TIP Use o an intake orm is not the only accepted approach when
gathering inormation about critical processes, dependencies, and systems.
It’s also acceptable to conduct one-on-one interviews or group interviews
with key users and IT personnel to identiy critical processes, dependencies,
and systems. I recommend the use o an intake orm (whether paper-based
or electronic), even i the interviewer uses it hersel as a ramework or
note-taking.
• Three thousand users in France and Italy will be unable to access customer records,
resulting in degraded customer service.
• All users in North America will be unable to read or send e-mail, resulting in
productivity slowdowns.
Statements of impact for business processes might cite the business functions that
would be affected. Here are some example statements of impact:
• Accounts payable and accounts receivable functions will be unable to process, impacting
PART IV
the availability of services and supplies and resulting in reduced revenue.
• Legal department will be unable to access contracts and addendums, resulting in lost
or delayed revenue.
Statements of impact for revenue-generating and revenue-supporting business func-
tions could quantify financial impact per unit of time (be sure to use the same units of
time for all functions so that they can be easily compared with one another). Here are
some examples:
• Inability to place orders for appliances will cost the rate of $12,000 per hour.
• Delays in payments will cost $1,875 per hour in interest charges.
As statements of impact are gathered, it may make sense to create several columns in
the main worksheet so that like units (names of functions, numbers of users, financial
figures) can be sorted and ranked later. The statements of impact should be reviewed
for relevance. Although business unit leaders are not trying to elevate their importance,
some may believe their system is critical to the organization, even though it may make
up only a small percentage of the organization’s overall revenue. When reviewed, the
information in the statements of impact should be considered relative to the totality of
impact to the organization.
When the BIA is completed, the following information will be available about each
process and system:
Criticality Analysis
When all of the BIA information has been collected and charted, a criticality analysis can
be performed. Criticality analysis is a study of each system and process, a consideration of
the impact on the organization if it is incapacitated, the likelihood of incapacitation, and
the estimated cost of mitigating the risk or impact of incapacitation. In other words, it’s
a somewhat special type of a risk analysis that focuses on key processes and systems. The
criticality analysis should also include a vulnerability analysis (aka vulnerability assess-
ment), an examination of a process or system to identify vulnerabilities that, if exploited,
could incapacitate or harm the process or system.
In the context of a BIA, a vulnerability analysis need not be at the level of detail of
a security scan to find missing patches or security misconfiguration. Instead, this type
of a vulnerability analysis seeks to find characteristics in a process or system, such as
the following:
• Single points of failure, such as only one staff member who knows how to perform
a key procedure.
• System not backed up.
• System lacks resilient architecture features, such as dual power supplies.
• Procedure uses hard copy records and cannot be performed remotely.
• No training material is available for workers.
The criticality analysis also needs to include, or reference, a threat analysis, a risk
analysis that identifies every threat that has a reasonable probability of occurrence, plus
one or more mitigating controls or compensating controls, and new probabilities of
occurrence with those mitigating/compensating controls in place. In case you’re hav-
ing a little trouble imagining what this looks like (I’m writing the book and I’m having
trouble seeing this!), take a look at Table 7-2, which is a lightweight example of what
I’m talking about.
In Table 7-2, notice the following:
• Multiple threats are listed for a single asset. Only nine threats are included, and for
all the threats but one, only a single mitigating control is listed. For the extended
power outage threat, two mitigating controls are included.
Chapter 7: Incident Management Readiness
421
Mitigation Mitigated
System Threat Probability Mitigating Control Cost Probability
Application Denial o service 0.1% High-perormance $60,000 0.01%
Server iltering router
Malware 1% Antivirus $200 0.1%
Storage ailure 2% RAID 5 $30,000 0.01%
Administrator 15% Coniguration $20,000 1%
error management tools
Hardware 5% Server cluster $15,000 1%
CPU ailure
Application 5% Source code $10,000 2%
sotware bug reviews
Extended 10% UPS $22,000 2%
power outage Electric generator $70,000 0.5%
Flood 2% Relocate data center $1,800,000 0.1%
Earthquake 1% Switch to alternate $300,000 0.2%
processing center
Table 7-2 Example Threat Analysis Identiying Threats and Controls or Critical Systems and Processes
PART IV
• Cost of downtime wasn’t listed. For systems or processes with a cost per unit of
time for downtime, this should be included, along with some calculations to
show the payback for each control.
• Some mitigating controls can benefit more than one system. This may not be
obvious in this example, but many systems can benefit from a UPS and an
electric generator, so the cost for these mitigating controls can be allocated
across many systems, thereby lowering the cost for each system. Another similar
example, though not included in the analysis example, is a high-availability
storage area network (SAN) located in two different geographic areas; though
initially expensive, the SAN can be used by many applications storage, and all
will benefit from replication to the counterpart storage system.
• Threat probabilities are arbitrary. The probabilities are for a single occurrence in
an entire year, so, for example, 5 percent means the threat will be realized once
every 20 years.
• The length of the outage was not included. This should be included, particularly if
you are quantifying downtime per hour or other units of time.
Obviously, a vulnerability analysis, threat analysis, and the corresponding criticality
analysis can get complicated. The rule here should be this: the complexity of the vulner-
ability, threat, and criticality analyses should be proportional to the value of the assets
(or revenue, or both). For example, in a company at which application downtime is
measured in thousands of dollars per minute, it’s probably worth taking a few weeks
or even months to work out all of the likely scenarios, a variety of mitigating controls,
CISM Certified Information Security Manager All-in-One Exam Guide
422
and to work out which ones are the most cost-effective. On the other hand, for a system
or business process with a far less costly outage impact, a lot less time may be spent on
the supporting analyses.
EXAM TIP Test-takers should ensure that any question dealing with BIA
and criticality analysis places the business impact analysis irst. Without this
analysis, criticality analysis is impossible to evaluate in terms o likelihood
or cost-eectiveness in mitigation strategies. The BIA identiies strategic
resources and provides a value to their recovery and operation, which is, in
turn, consumed in the criticality analysis phase. I presented with a question
identiying BCP at a particular stage, make sure that any answers you select
acilitate the BIA and then the CA beore moving on toward objectives
and strategies.
NOTE Like MTD, MTO is not a target, but when MTO is set, recovery targets
such as recovery time objective (RTO), recovery point objective (RPO), service
delivery objective (SDO), recovery consistency objective (RCO), and recovery
capacity objective (RCapO) can be established.
PART IV
the maximum tolerable data loss that results from the disaster. Following are the key
recovery targets:
• Recovery time objective (RTO) The maximum period that elapses from the
onset of a disaster until the resumption of service
• Recovery point objective (RPO) The maximum data loss from the onset of
a disaster
• Recovery capacity objective (RCapO) The minimum acceptable processing
or storage capacity of an alternate process or system, as compared to the primary
process or system
• Service delivery objective (SDO) The agreed upon level or quality of service
at an alternate processing site
• Recovery consistency objective (RCO) The consistency and integrity of
processing in a recovery system, as compared to the primary processing system
Once these objectives are known, the business continuity team can develop contin-
gency plans to be followed when a disaster occurs, and the disaster recovery team can
begin to build system recovery capabilities and procedures that will help the organization
to realize these recovery targets economically.
Recovery Time Objective The RTO establishes a measurable interval of time during
which the necessary activities for recovering or resuming business operations must take
place. Various business processes in an organization will have different RTO targets, and
some business processes will have RTOs that vary according to business cycles on a daily,
weekly, monthly, or annual basis. For instance, point-of-sale terminals may have a short
RTO during peak business hours, a longer RTO during less busy hours, and a still longer
CISM Certified Information Security Manager All-in-One Exam Guide
424
RTO when the business is closed. Similarly, financial and payroll systems will have RTOs
that are shorter during times of critical processing, such as payroll cycles and financials
at the end of the month. RTOs, data classification, and asset classification are all inter-
related. Business processes with shorter RTOs are likely to have data and assets that are
classified as more operationally critical.
When establishing RTOs, security managers typically interview personnel in middle
management as well as senior and executive management. Personnel at different levels
of responsibility will have different perspectives on the criticality of business functions.
Ultimately, executive management will prioritize business functions across the entire
organization. As a result, any particular business function prioritized at one level by a
middle manager may be classified as higher or lower by executives. Ultimately, executive
prioritization will prevail. For example, a middle manager in the accounting department
may assert that accounts payable is the most critical business activity because external
service providers will stop providing service if they are not paid. But executives, who have
control over the entire organization, stipulate that customer service is the most critical
business function since the organization’s future revenue depends on the quality of care
customers receive every day.
RTOs are established by conducting a BIA, which helps the security manager under-
stand the criticality of business processes, their resource dependencies and interdepen-
dencies, and the costs associated with interruptions in service. RTOs are a cornerstone
objective in BCP. Once RTOs are established for a particular business function, con-
tingency plans that support the RTO can be established. While shorter RTOs are most
often associated with higher costs, organizations generally seek a break-even point where
the cost of recovery is the same as the cost of interruption for the period of time associ-
ated with the RTO.
NOTE For a given organization, it’s probably best to use one unit o measure
or recovery objectives or all systems. This will help you avoid any errors
that would occur during a rank-ordering o systems, so that two days do not
appear to be a shorter period than our hours.
Recovery Point Objective Generally, the RPO equates to the maximum period of
time between backups or data replication intervals. It is generally measured in minutes
or hours, and like RTO, shorter RPO targets typically are associated with higher costs.
The value of a system’s RPO is usually a direct result of the frequency of data backup or
replication. For example, if an application server is backed up once per day, the RPO is
going to be at least 24 hours (or one day, whichever way you like to express it). Maybe it
will take three days to rebuild the server, but once data is restored from backup tape, no
more than the last 24 hours of transactions are lost. In this case, the RTO is three days,
and the RPO is one day.
RPOs represent a different aspect of service quality, as any amount of data loss repre-
sents required rework. For example, if an organization receives invoices that are entered
into the accounts payable system, an RPO of four hours means that up to four hours of
rekeying would be required in the event of an incident or disaster.
Chapter 7: Incident Management Readiness
425
RPOs are key objectives in BCP. When RPOs are established, contingency plans can
be developed that will help the organization meet its RPO targets.
Recovery Capacity Objective The RCapO is generally expressed as a percentage. If
any incident or disaster results in the organization switching to a temporary or recovery
process or system, the capacity of that temporary or recovery process or system may be
less than that used during normal business operations. For example, in the event of a
communications outage, cashiers in a retail location will hand-write sales receipts, which
may take more time than the use of point-of-sale terminals. The manual process may
mean cashiers can process 80 percent as much work; this is the RCapO.
For economic reasons, an organization may elect to build a recovery site that has
less processing or storage capacity than the primary site. Management may agree that a
recovery site with reduced processing capacity is an acceptable trade-off, given the rela-
tively low likelihood that a failover to a recovery site would occur. For instance, an online
service may choose to operate its recovery site at 80 percent of the processing capacity
of the primary site. In management’s opinion, the relatively low decrease in capacity is
worth the cost savings.
In an emergency situation, management may determine that a disaster recovery server
in another city with, say, 60 percent of the capacity of the original server is adequate. In
that case, the organization could establish two RTO targets: one for partial capacity and
PART IV
one for full capacity. In other words, the organization needs to determine how quickly
a lower-capacity system should be running and when a full-capacity system should
be running.
Service Delivery Objective Depending on the nature of the business process in ques-
tion, SDO may be measured in transaction throughput, service quality, response time,
available capabilities and features, or something else that is measurable.
Recovery Consistency Objective Recovery consistency objective (RCO) is a measure
of the consistency and integrity of processing at a recovery site, as compared to the
primary processing site.
RCO is calculated as 1 – (number of inconsistent objects) / (number of objects).
A system that has been recovered in a disaster situation may no longer have 100 percent
of its functionality. For instance, an application that lets users view transactions that are
more than two years old may, in a recovery situation, contain only 30 days’ worth of
data. The RCO decision is usually the result of a careful analysis of the cost of recover-
ing different features and functions in an application environment. In a larger, complex
environment, some features may be considered critical, while others are less so.
For example, suppose an organization’s online application is used to calculate the
current and future costs of a household budget. While the primary site uses inputs and
performs calculations based upon 12 external data sources, the recovery site performs
calculations based on only 8 external data sources. Economic considerations compelled
management to accept the fact that the recovery site will calculate results based upon
fewer inputs, and that this is an acceptable trade-off between higher licensing fees for
the use of some external sources and small variations in the results shown to users of
the site.
CISM Certified Information Security Manager All-in-One Exam Guide
426
The RCO comes into play in organizations that decide to scale back the replication
of features and functionality at a recovery site versus the primary processing site. For
instance, a recovery site may lack detailed reporting capabilities because of the cost of
software or service licensing. An organization may have to pay for a second, expensive
license for a recovery site that would rarely be used. Instead, management may decide
that users or customers can go without those or other functions at a recovery site, instead
focusing on core functions.
NOTE SDO, RTO, RPO, and RCapO are related to one another. Organizations
are ree to construct recovery target models in ways that work or them.
One organization may start with SDOs and derive appropriate RTO, RPO,
and RCapO targets, while others may start with RTO and RPO and igure out
their SDOs.
Business Continuity
Emergency Operations
Normal Normal
Operations Operations
Damage
Salvage Restoration Recovery
Assessment
Disaster
Disaster Recovery Recovered
Onset
Recovery Objectives
PART IV
costly and disruptive. The fact is that any size organization, from a one-person home
office to a multinational conglomerate, can successfully undertake BCP projects that will
bring about immediate benefits and take some of the sting out of disruptive events that
do occur.
Organizations can benefit from BCP projects even if a disaster never occurs. The steps
in the BCP development life cycle process bring immediate benefit in the form of pro-
cess and technology improvements that increase the resilience, integrity, and efficiency
of those processes and systems. BCP generally is managed outside of the information
security function. Further, BCP is generally external to IT, because BCP is focused on the
continuity of business processes, not on the recovery of IT systems.
Disasters
In a business context, disasters are unexpected and unplanned events that result in the
disruption of business operations. A disaster could be a regional event spread over a wide
geographic area or an event that occurs within the confines of a single room. The impact
of a disaster will also vary, from a complete interruption of all company operations to a
mere slowdown. (This question invariably comes up: When is a disaster a disaster? This
is somewhat subjective, like asking, “When is a person sick?” Is it when she is too ill to
report to work or when she just has a sniffle and a scratchy throat? I’ll discuss disaster
declaration later in this chapter in the section “Developing Continuity Plans.”)
CISM Certified Information Security Manager All-in-One Exam Guide
428
Types of Disasters BCP professionals broadly classify disasters as natural or human-
made, although the origin of a disaster does not figure very much into how we respond
to it. Let’s examine the types of disasters.
Natural Disasters Natural disasters occur in the natural world with little or no assis-
tance from humans. They are a result of the natural processes that occur in, on, and
above the earth. Here are examples of natural disasters:
• Tornadoes These violent rotating columns of air can cause catastrophic damage to
buildings, houses, roads, and utilities when they reach the ground. Most tornadoes
PART IV
can have wind speeds of 40 to 110 mph and travel along the ground for a few miles.
Some tornadoes can exceed 300 mph and travel for dozens of miles.
• Windstorms While generally less intense than hurricanes and tornadoes,
windstorms can nonetheless cause widespread damage, including damage to
buildings, roads, and utilities. Widespread electric power outages are common
when windstorms uproot trees that fall into power lines.
• Lightning These atmospheric discharges of electricity occur during thunderstorms
but also during dust storms and volcanic eruptions. Lightning can start fires and also
damage buildings and power transmission systems, causing power outages.
• Ice storms When rain falls through a layer of colder air, raindrops freeze onto
whatever surface they strike, resulting in widespread power outages after heavy
ice coats power lines, causing them to collapse. A notable example is the Great
Ice Storm of 1998 in eastern Canada, which resulted in millions being without
power for as long as two weeks and in the virtual immobilization of the cities of
Montreal and Ottawa.
• Hail This form of precipitation consists of ice chunks ranging from 5 to
150 mm in diameter. An example of a damaging hailstorm is the April 1999
storm in Sydney, Australia, where hailstones up to 9.5 cm in diameter damaged
40,000 vehicles, 20,000 properties, and 25 airplanes and caused one direct fatality.
The storm caused $1.5 billion in damage.
• Tsunamis A series of waves that usually result from the sudden vertical
displacement of a lake bed or ocean floor can also be caused by landslides,
asteroids, or explosions. A tsunami wave can be barely noticeable in open, deep
CISM Certified Information Security Manager All-in-One Exam Guide
430
Figure 7-5
Damage to
structures caused
by the 2011
Japan tsunami
water, but as it approaches a shoreline, the wave can grow to a height of 50 feet
or more. Recent notable examples are the 2004 Indian Ocean tsunami and the
2011 Japan tsunami. Figure 7-5 shows coastline damage from the Japan tsunami.
• Pandemic Infectious diseases may spread over a wide geographic region,
even worldwide. Pandemics have regularly occurred throughout history and are
likely to continue occurring, despite advances in sanitation and immunology.
A pandemic is the rapid spread of any type of disease, including typhoid,
tuberculosis, bubonic plague, or influenza. Pandemics include the 1918–1920
Spanish flu, the 1956–1958 Asian flu, the 1968–1969 Hong Kong “swine” flu,
the 2009–2010 swine flu, and the COVID-19 pandemic, which began at the
end of 2019. Figure 7-6 shows a field hospital during the pandemic.
• Extraterrestrial impacts This category includes meteorites and other objects
that fall from the sky from way, way up. Sure, these events are extremely rare, and
most organizations don’t even include these events in their risk analysis, but I’ve
included them here for the sake of rounding out the types of natural events.
Chapter 7: Incident Management Readiness
431
PART IV
Figure 7-6 A ield hospital in Brazil during the 2019 COVID pandemic (Image courtesy o
Gustavo Basso)
Figure 7-7 Empty grocery store shelves exhibiting the lack o available baby ormula.
PART IV
• Direct damage Events such as earthquakes, floods, and fires directly damage
an organization’s buildings, equipment, or records. The damage may be severe
enough that no salvageable items remain, or it may be less severe, and some
equipment and buildings may be salvageable or repairable.
• Utility interruption Even if an organization’s buildings and equipment are
undamaged, a disaster may affect utilities such as power, natural gas, or water,
which can incapacitate some or all business operations. Significant delays in
refuse collection, for example, can result in unsanitary conditions.
• Transportation A disaster may damage or render transportation systems such
as roads, railroads, shipping, or air transport unusable for a period, causing
interruptions in supply lines and personnel transportation.
• Services and supplier shortage Even if a disaster does not directly affect an
organization, critical suppliers affected by a disaster can cause problems for
business operations. For instance, a regional baker that cannot produce and ship
bread to its corporate customers will soon result in sandwich shops without a
critical resource.
• Staff availability A community-wide or regional disaster that affects businesses
is likely to affect homes and families as well. Depending upon the nature of
a disaster, employees will place a higher priority on the safety and comfort of
family members. Also, workers may not be able or willing to travel to work if
transportation systems are affected or if there is a significant materials shortage.
Employees may also be unwilling to travel to work if they fear for their personal
safety or that of their families.
CISM Certified Information Security Manager All-in-One Exam Guide
434
• Customer availability Disasters may force or dissuade customers from traveling
to business locations to conduct business, as many of the factors that keep employees
away may also keep customers away.
BCP Policy A formal BCP effort must, like any strategic activity, flow from the exis-
tence of a formal policy and be included in the overall governance model discussed
throughout this chapter. BCP should be an integral part of the IT control framework,
not lie outside of it. Therefore, BCP policy should include or cite specific controls that
ensure that key activities in the BCP life cycle are performed appropriately. BCP policy
should also define the scope of the BCP strategy, so the specific business processes (or
departments or divisions within an organization) that are included in the BCP effort
must be defined. Sometimes the scope will include a geographic boundary. In larger
organizations, it is possible to “bite off more than you can chew” and define too large a
scope for a BCP project, so limiting the scope to a smaller, more manageable portion of
the organization can be a good approach.
Chapter 7: Incident Management Readiness
435
Testing
Test Test
Recovery Debrief
Procedures
Train Business
Personnel Impact
Analysis
Training
Analysis
Policy
Establish Controls
Recovery Criticality
Teams Analysis
Development
PART IV
Figure 7-8 The BCP process lie cycle
Personnel Safety Procedures When a disaster strikes, measures to ensure the safety
of personnel are the first priority. If the disaster has occurred or is about to occur in a
building, personnel may need to be evacuated as soon as possible. Arguably, however, in
some situations, evacuation is exactly the wrong thing to do; for example, if a hurricane
or tornado is bearing down on a facility, the building itself may be the best shelter for
personnel, even if it incurs some damage. The point here is that personnel safety proce-
dures need to be carefully developed, and possibly more than one set of procedures will
be needed, depending on the event.
PART IV
• Emergency shelter is available in extreme weather conditions
• Emergency food and drinking water are available when personnel must shelter
in place.
• Periodic tests are conducted to ensure that evacuation procedures will be adequate
in the event of a real emergency.
TIP Depending on the level o eort that takes place in the opening
minutes and hours o disaster response, the consequences o declaring
a disaster when none exists may or may not be signiicant. In the spirit o
continuous improvement, any organization that has had a ew alse alarms
PART IV
should seek to improve its disaster declaration criteria. Well-trained and
experienced personnel can usually avoid requent alse alarms.
• Injured, ill, or deceased Some regional disasters will inflict widespread casualties
that will include some proportion of response personnel. Those who are injured,
who are ill (in the case of a pandemic, for instance, or who are recovering from a
sickness or surgery when the disaster occurs), or who are killed by the disaster are
clearly not going to be showing up to help out.
• Caring for family members Some types of disasters may cause widespread
injury or require mass evacuation. In some situations, many personnel will be
caring for family members whose immediate needs for safety will take priority
over the needs of the organization.
• Unavailable transportation Because some disasters result in localized or
widespread damage to transportation infrastructure, many people who are willing
to be on-site to help with emergency operations will be unable to travel to the site.
CISM Certified Information Security Manager All-in-One Exam Guide
440
• Out of the area Some personnel may be away on business travel or on vacation
and be unable to respond. However, these situations may provide opportunities
in disguise; unaffected by the physical impact of the disaster, these individuals
may be able to help out in other ways, such as communicating with suppliers,
customers, or other personnel.
• Communications Some types of disasters, particularly those that are localized
(versus widespread and obvious to an observer), require that disaster response
personnel be contacted and asked to help. If a disaster strikes after hours, some
personnel may be unreachable if they do not have a mobile phone with them or
are out of range.
• Fear Some types of disasters (such as a pandemic, terrorist attack, or flood) may
instill fear for safety on the part of response personnel who will disregard the call
to help and stay away from the site.
Each function will be working with personnel in many other functions, including
unfamiliar people. An entire response and recovery operation may resemble an entirely
new organization in unfamiliar settings and with an entirely new set of rules. Typically,
teams work best when members are familiar with and trust one another. In a response and
recovery operation, the stress level is very high because the stakes—survival—are higher,
and teams may be composed of people who have little experience with one another and
these new roles. This additional stress will bring out the best and worst in people, as
illustrated in Figure 7-9.
Emergency Response and Command and Control (Emergency Management) The
priorities of “first responders” during a disaster include evacuating or sheltering per-
sonnel, first aid, triage of injured personnel, and possibly firefighting. During disaster
response operations, someone has to be in charge. Resources may be scarce, and many
matters will vie for attention. Someone needs to fill the role of decision-maker to keep
disaster response activities moving and to handle situations that arise. This role may
need to be rotated among various personnel, particularly in smaller organizations, to
counteract fatigue.
TIP Although the irst person on the scene may be the person in charge
initially, as more personnel show up and the nature o the disaster and
response solidiies, qualiied assigned personnel will take charge and
leadership roles may then be passed among key personnel.
Chapter 7: Incident Management Readiness
441
Figure 7-9 Stress is compounded by the pressure o disaster recovery and the ormation o new
teams in times o chaos.
PART IV
Scribe It’s vital that one or more people document the important events continu-
ally during disaster response operations. From decisions, to discussions, to status, to
roll call, these events must be recorded so that the details of disaster response can be
pieced together afterward. This will help the organization better understand how disaster
response unfolded, how decisions were made, and who performed which actions—all of
which will help the organization be better prepared for future events.
Internal Communications In many disaster scenarios, personnel may be stripped of
many or all of their normal means of communication, such as desk phones, voicemail,
e-mail, smartphones, and instant messaging. However, during a disaster, communications
are vital, especially when nothing is going according to plan. Good communication ensures
that the statuses of various activities can be sent to command and control and priorities and
orders can be sent to disaster response personnel. Many organizations establish means for
emergency communications, including the following:
• Broadcast alerts Sent via text, voice, or mobile app, these help inform large
numbers of personnel about events affecting the organization.
• Emergency radio communications When wireless and wireline communications
are not functioning, emergency communication via radio enables personnel in
different locations to pass along important information.
CISM Certified Information Security Manager All-in-One Exam Guide
442
External Communications People outside of the organization also need to stay
informed when a disaster strikes. Many parties may want or need to know the status of
business operations during and after a disaster:
• Customers
• Suppliers
• Partners
• Law enforcement and public safety authorities (including first responders)
• Insurance companies
• Shareholders
• Neighbors
• Regulators
• Media
These different audiences need different messages, as well as messages in different
forms. For instance, notifications to the public may be sent through media outlets,
whereas notifications to customers may be sent through e-mail or surface mail.
Legal and Compliance Several needs may arise during a disaster that require the atten-
tion of inside or outside legal counsel. Disasters present unique situations, such as the
following, that may require legal assistance:
• Interpretation of regulations
• Interpretation of contracts with suppliers and customers
• Management of matters of liability to other parties
TIP Typical legal matters need to be resolved beore the onset o a disaster,
and this inormation should be included in disaster response procedures.
Remember that legal sta members may be unavailable during the disaster.
PART IV
Physical Security Following a disaster, the organization’s usual physical security con-
trols may be compromised. For instance, fencing, walls, and barricades may be dam-
aged, or video surveillance systems may be disabled or have no electric power. These and
other failures could lead to an increased risk of loss or damage to assets and personnel
until those controls can be repaired. Also, security controls in temporary quarters such
as hot/warm/cold sites and temporary work centers may be less effective than those in
primary locations.
Supplies During emergency and recovery operations, personnel will require drink-
ing water, writing tablets, writing utensils, smartphones, portable generators, and
extension cords, among other items. The supplies function may be responsible for
acquiring these items and replacement assets such as servers and network equipment
for a cold site.
Transportation When workers are operating from a temporary location, and if
regional or local transportation systems have been compromised, many arrangements
for all kinds of transportation may be required to support emergency operations. These
can include transportation of replacement workers, equipment, or supplies by truck,
car, rail, sea, or air. This function could also be responsible for arranging for temporary
lodging for personnel.
Work Centers When a disaster event results in business locations being unusable, work-
ers may need to work in temporary locations. These work centers will require a variety
of amenities to permit workers to be productive until their primary work locations are
again available.
CISM Certified Information Security Manager All-in-One Exam Guide
444
Network This technology function is responsible for damage assessment to the
organization’s voice and data networks, building/configuring networks for emergency
operations, or both. This function may require extensive coordination with external
telecommunications service providers, which, by the way, may be suffering the effects
of a local or regional disaster as well.
Network Services This function is responsible for network-centric services such as the
Domain Name System (DNS), Simple Network Management Protocol (SNMP), net-
work routing, and authentication.
Systems This function is responsible for building, loading, and configuring the serv-
ers and systems that support critical services, applications, databases, and other func-
tions. Personnel may have other resources such as virtualization technology to enable
additional flexibility.
Database Management Systems For critical applications that rely upon database
management systems (DBMSs), this function is responsible for building databases on
recovery systems and for restoring or recovering data from backup media, replication
volumes, or e-vaults onto recovery systems. Database personnel will need to work with
systems, network, and applications personnel to ensure that databases are operating
properly and are available as needed.
Data and Records This function is responsible for access to and re-creation of elec-
tronic and paper business records. This business function supports critical business
processes, works with database management personnel, and, if necessary, works with
data-entry personnel to rekey lost data.
Applications This function is responsible for recovering application functionality on
application servers. This may include reloading application software, performing con-
figuration, provisioning roles and user accounts, and connecting the application to data-
bases and network services, as well as other application integration issues.
Access Management This function is responsible for creating and managing user
accounts for network, system, and application access. Personnel with this responsibility
may be especially susceptible to social engineering and may be tempted to create user
accounts without proper authority or approval.
Information Security and Privacy Personnel in this capacity are responsible for ensur-
ing that proper security controls are being carried out during recovery and emergency
operations. They will be expected to identify risks associated with emergency operations
and to require remedies to reduce risks. Security personnel will also be responsible for
enforcing privacy controls so that employee and customer personal data will not be com-
promised, even as business operations are affected by the disaster.
Offsite Storage This function is responsible for managing the effort of retrieving
backup media from offsite storage facilities and for protecting that media in transit to the
scene of recovery operations. If recovery operations take place over an extended period
Chapter 7: Incident Management Readiness
445
(more than a couple of days), data at the recovery site will need to be backed up and sent
to an offsite media storage facility to protect that information should a disaster occur at
the hot/warm/cold site (and what bad luck that would be!).
User Hardware In many organizations, little productive work is done when employ-
ees don’t have access to their workstations, printers, scanners, copiers, and other office
equipment. Thus, a function is required to provide, configure, and support the variety
of office equipment required by end users working in temporary or alternate locations.
This function, like most others, will have to work with many other personnel to ensure
that workstations and other equipment are able to communicate with applications and
services as needed to support critical processes.
Training During emergency operations, when response personnel and users are work-
ing in new locations (and often on new or different equipment and software), some may
need to be trained to enable them to restore their productivity as quickly as possible.
Training personnel should be familiar with many disaster response and recovery proce-
dures so that they can help people in those roles understand what is expected of them.
This function will also need to be able to dispense emergency operations procedures to
these personnel.
Restoration This function comes into play when IT is ready to migrate applications
PART IV
running on hot/warm/cold site systems back to the original (or replacement) process-
ing center.
Contract Information This function is responsible for understanding and interpreting
legal contracts. Most organizations are a party to one or more legal contracts that require
them to perform specific activities, provide specific services, and communicate status if
service levels have changed. These contracts may or may not have provisions for activities
and services during disasters, including communications regarding any changes in service
levels. This function is vital not only during the disaster planning stages but also during
actual disaster response. Customers, suppliers, regulators, and other parties need to be
informed according to specific contract terms.
Recovery Procedures Recovery procedures are the instructions that key personnel use
to bootstrap services (such as IT systems and other business-enabling technologies) that
support the critical business functions identified in the BIA and criticality analysis. The
recovery procedures should work hand-in-hand with the technologies that may have
been added to IT systems to make them more resilient.
An example is useful here. Acme Rocket Boots determines that its order-entry busi-
ness function is highly critical to the ongoing viability of the business and sets recovery
objectives to ensure that order entry would be continued within no more than 48 hours
after a disaster. Acme determines that it needs to invest in storage, backup, and replication
technologies to make a 48-hour recovery possible. Without these investments, IT systems
supporting order entry would be down for at least ten days until they could be rebuilt
from scratch. Acme cannot justify the purchase of systems and software to facilitate an
auto-failover of the order-entry application to hot-site disaster recovery servers; instead,
CISM Certified Information Security Manager All-in-One Exam Guide
446
the recovery procedure would require that the database be rebuilt from replicated data on
cloud-based servers. Other tasks, such as installing recent patches, would also be necessary
to make recovery servers ready for production use. All of the tasks required to make the
systems ready constitute the body of recovery procedures needed to support the business
order-entry function.
This example is, of course, an oversimplification. Actual recovery procedures could
take dozens of pages of documentation, and procedures would also be necessary for
network components, end-user workstations, network services, and other supporting IT
services required by the order-entry application. And those are the procedures needed
just to get the application running again. More procedures would be needed to keep the
applications running properly in the recovery environment.
Continuing Operations Procedures for continuing operations have more to do with
business processes than they do with IT systems. However, the two are related, because
the procedures for continuing critical business processes have to fit hand in hand with
the procedures for operating supporting IT systems that may also (but not necessarily)
be operating in a recovery or emergency mode.
Let me clarify that last statement. It is entirely conceivable that a disaster could strike
an organization with critical business processes that operate in one city but that are sup-
ported by IT systems located in another city. A disaster could strike the city with the criti-
cal business function, which means that personnel may have to continue operating that
business function in another location, on the original, fully featured IT application. It is
also possible that a disaster could strike the city with the IT application, forcing it into
an emergency/recovery mode in an alternate location while users of the application are
operating in a business-as-usual mode. And, of course, a disaster could strike both loca-
tions (or a disaster could strike in one location where both the critical business function
and its supporting IT applications reside), throwing both the critical business function
and its supporting IT applications into emergency mode. Any organization’s reality could
be even more complex than this: just add dependencies on external application service
providers, applications with custom interfaces, or critical business functions that operate
in multiple cities. If you wondered why disaster recovery and business continuity plan-
ning were so complicated, perhaps your appreciation has grown just now.
Restoration Procedures When a disaster has occurred, IT operations need to take up
residence in an alternate processing site temporarily while repairs are performed on the
original processing site. Once those repairs are completed, IT operations would need to
be transitioned back to the main (or replacement) processing facility. You should expect
that the procedures for this transition will also be documented (and tested—testing is
discussed later in this chapter).
PART IV
• Being out of the area
• Lack of communications
• Fear, related to the disaster and its effects
• Drinking water
• Food rations
• First-aid supplies
• Blankets
• Flashlights
• Battery- or crank-powered radio
• Out-of-band communications with internal and external parties (beepers, walkie-
talkies, line-of-sight systems, and so on)
Local emergency response authorities may recommend other supplies be kept at a work
location as well.
Communications Communication within organizations, as well as with customers,
suppliers, partners, shareholders, regulators, and others, is vital under normal busi-
ness conditions. During a disaster and subsequent recovery and restoration operations,
these communications are more important than ever, while many of the usual means
for communications may be impaired.
Identifying Critical Personnel A successful disaster recovery operation requires avail-
able personnel who are located near company operations centers. Although the primary
response personnel may consist of the individuals and teams responsible for day-to-day
corporate operations, others need to be identified. In a disaster, some personnel will be
unavailable for many reasons (discussed earlier in this chapter).
Key personnel, as well as multiple backups, need to be identified. Backup personnel
can consist of employees who have familiarity with specific technologies, such as operat-
ing system, database, and network administration, and who can cover for primary per-
sonnel if needed. Sure, it would be desirable for these backup personnel also to be trained
in specific recovery operations, but at the least, if these personnel can access specific
detailed recovery procedures, having them on a call list is probably better than having no
available personnel during a disaster.
Notifying Critical Suppliers, Customers, and Other Parties Along with employees,
many other parties need to be notified in the event of a disaster. Outside parties need
to be aware of the disaster and basic changes in business conditions. During a regional
disaster such as a hurricane or earthquake, nearby parties will certainly be aware of the
situation. However, they may not be aware of the status of business operations immedi-
ately after the disaster: a regional event’s effects can range from complete destruction of
buildings and equipment to no damage at all and normal conditions. Unless key parties
are notified of the status, they may have no other way to know for sure.
The people or teams responsible for communicating with these outside parties will
need to have all of the individuals and organizations included in a list of parties to contact.
Chapter 7: Incident Management Readiness
449
This information should be included in emergency response procedures. Parties that need
to be contacted may include the following:
• Key suppliers This may include electric and gas utilities, fuel delivery, and
materials delivery. In a disaster, an organization will often need to impart special
instructions to one or more suppliers, requesting delivery of extra supplies or
requesting temporary cessation of deliveries.
• Key customers In many organizations, key customer relationships are valued
above most others. These customers may depend on a steady delivery of products
and services that are critical to their own operations; in a disaster, they may have
a dire need to know whether such deliveries will be able to continue or not and
under what circumstances.
• Public safety Police, fire, and other public safety authorities may need to be
contacted, not only for emergency operations such as firefighting but also for
any required inspections or other services. It is important that “business office”
telephone numbers for these agencies be included on contact lists, as 911 and
other emergency lines may be flooded by calls from others.
• Insurance adjusters Most organizations rely on insurance companies to protect
their assets in case of damage or loss in a disaster. Because insurance adjustment
PART IV
funds are often a key part of continuing business operations in an emergency, it’s
important that appropriate personnel are able to reach insurers as soon as possible
after a disaster has occurred.
• Regulators In some industries, organizations are required to notify regulators
of certain types of disasters. Though regulators may be aware of noteworthy
regional disasters, they may not immediately know an event’s specific effects on
an organization. Further, some types of disasters are highly localized and may not
be newsworthy, even in a local city.
• Media Media outlets such as newspapers and television stations may need to be
notified as a means of quickly reaching the community or region with information
about the effects of a disaster on organizations.
• Shareholders Organizations are usually obliged to notify their shareholders of
any disastrous event that affects business operations. This may be the case whether
the organization is publicly or privately held.
• Stakeholders Organizations will need to notify other parties, including employees,
competitors, and other tenants, if one or more multitenant facilities is lost.
Setting Up Call Trees Disaster response procedures need to include a call tree, a
method by which the first personnel involved in a disaster begin notifying others in the
organization, informing them of the developing disaster, and enlisting their assistance.
Just as the branches of a tree originate at the trunk and are repeatedly subdivided, a
call tree is most effective when each person in the tree can make just a few phone calls.
Not only will the notification of important personnel proceed more quickly, but each
person will not be overburdened with many calls. Remember that many personnel may
be unavailable or unreachable. Therefore, a call tree should be structured with sufficient
CISM Certified Information Security Manager All-in-One Exam Guide
450
Emergency Responders
flexibility as well as assurance that all critical personnel can be contacted. Figure 7-10
shows an example call tree.
An organization can also use an automated outcalling system to notify critical person-
nel of a disaster. Such a system can play a prerecorded message or request that personnel
call an information number to hear a message. Most outcalling systems keep a log of
which personnel have been successfully reached. An automated calling system should not
be located in the same geographic region, because a regional disaster could damage the
system or make it unavailable during a disaster. The system should be Internet-accessible
so that response personnel can access it to determine which personnel have been notified
and to make any needed changes before or during a disaster.
NOTE A wallet card has no reliance on energy or technology and may still
be valuable in extreme disaster scenarios.
Chapter 7: Incident Management Readiness
451
Emergency Contacts
Joe Phillips, VP Ops 213-555-1212 h, 415-555-1212 m
Marie Peterson, CFO 206-555-1212 h, 425-555-1212 m
Mark Woodward, IT Ops 360-555-1212 h, 253-555-1212 m
Gary Doan, VP Facilities 509-555-1212 h, 702-555-1212 m
Je Patterson, IT Networks 760-555-1212 h, 310-555-1212 m
________________________________________________________________________________
Documentation at orgname.box.net. Userid=wunderground, password=L0c43Dupt1te
Emergency conerence bridge, 1-800-555-1212, host code 443322, PIN 1948
Disaster declaration criteria: 8 hr outage anticipated on critical systems, 2 core members vote,
then initiate call tree procedure to notiy other response personnel
________________________________________________________________________________
O-site media storage vendor 719-555-1212
Telecommunications and network service provider 312-555-1212
Local civil deense authorities 714-555-1212
Local health authorities 702-555-1212
Local law enorcement authorities 512-555-1212
Local hospitals 808-555-1212, 913-555-1212
National weather service hotline 602-555-1212
Regional transportation authority hotline 312-555-1212
Local building inspectors 414-555-1212
PART IV
Figure 7-11 Example o a wallet card or core team participants with emergency contact
inormation and disaster declaration criteria
Figure 7-11 shows an example wallet card. Organizations may also issue digital ver-
sions of wallet cards for people to store on mobile devices.
Electronic Contact Lists Arguably, most IT personnel and business leaders have smart-
phones and other mobile devices with onboard storage that is available even when cellular
carriers are experiencing outages. Copies of contact lists and even disaster response pro-
cedures can be stored in smartphones to keep this information handy during a disaster.
Transportation Some types of disasters may make certain modes of transportation
unavailable or unsafe. Widespread natural disasters, such as earthquakes, volcanoes, hur-
ricanes, and floods, can immobilize virtually every form of transportation, including
highways, railroads, boats, and airplanes. Other types of disasters may impede one or
more types of transportation, which could result in overwhelming demand for the avail-
able modes. High volumes of emergency supplies may be needed during and after a
disaster, but damaged transportation infrastructure often makes the delivery of those
supplies difficult.
Components of a Business Continuity Plan The complete set of business continuity
plan documents will include the following:
Response and recovery procedures can be made available in several ways to personnel
during a disaster, including the following:
• Hard copy While many have grown accustomed to the paperless office, disaster
recovery and response documentation is one type of information that should be
available in hard-copy form. Copies, even multiple copies, should be available for
each responder, with a copy at the workplace and another at home, and possibly
even a set in the responder’s vehicle.
• Soft copy Traditionally, soft-copy documentation is kept on file servers, but
as you might expect, those file servers may be unavailable in a disaster. Soft
copies should be available on responders’ portable devices (laptops, tablets, and
smartphones). An organization can also consider issuing documentation on
memory sticks and cards. Depending upon the type of disaster, it can be difficult
PART IV
to know what resources will be available to access documentation, so making it
available in more than one form will ensure that at least one copy of it will be
available to the personnel who need access to it.
• Alternate work/processing site Organizations that utilize a hot/warm/cold site
for the recovery of critical operations can maintain hard copies and/or soft copies
of recovery documentation there. This makes perfect sense; personnel working
at an alternate processing or work site will need to know what to do, and having
those procedures on site will facilitate their work.
• Online Soft copies of recovery documentation can be archived on an Internet-
based site that includes the ability to store data. Almost any type of online service
that includes authentication and the ability to upload documents could be suitable
for this purpose.
• Wallet cards It’s unreasonable to expect to publish recovery documentation
on a laminated wallet card. As described earlier in this chapter, they could
be used to store the contact information for core response team members as
well as a few other pieces of information, such as conference bridge codes,
passwords to online repositories of documentation, and so on. An example
wallet card appears in Figure 7-11.
PART IV
• Disaster Recovery Certified Expert (DRCE)
• Disaster Recovery Certified Specialist (DRCS)
• The BIA and criticality analysis help to prioritize which business processes
(and, therefore, which IT systems) are the most important.
• Key recovery targets specify how quickly specific IT applications are to be recovered.
This guides DRP personnel as they develop new IT architectures that make IT
systems compliant with those objectives.
• Testing of disaster recovery plans can be performed in coordination with tests
of business continuity plans to simulate real disasters and disaster response
more accurately.
The relationships between BCP and DCP were discussed in detail earlier in this
chapter and depicted in Figure 7-3.
CISM Certified Information Security Manager All-in-One Exam Guide
456
Disaster Response Teams’ Roles and Responsibilities
Disaster recovery plans need to specify the teams that are required for disaster response,
as well as each team’s roles and responsibilities. Table 7-3 describes several teams and their
roles. Because of variations in organizations’ disaster response plans, some of these teams
will not be needed in some organizations.
Team Responsibilities
Emergency management Coordinates activities o all other response teams
First responders Usually outside personnel such as police, ire, and rescue who help
to extinguish ires, evacuate personnel, and provide emergency
medical aid
Communications Coordinates communication among teams and between teams
and outside entities
Damage assessment Examines equipment, supplies, urnishing, and assets to determine
what can be used immediately in support o critical processes and
what will need to be handed o to salvage teams
Salvage Examines equipment, supplies, urnishings, and other assets to
determine what can be salvaged or immediate or long-term reuse
Network engineering Establishes and maintains electronic (voice and data) communications
in support o critical services during a disaster
Systems engineering Establishes and maintains systems as needed to support critical
applications and services
Database engineering Establishes and maintains DBMSs as needed to support critical
applications, and perorms data recovery using local or remotely
stored media as needed
Application support Establishes and maintains critical applications in support o critical
business processes
Application development Makes changes to critical applications as needed during the
recovery eort
End-user computing Establishes and maintains end-user computing acilities (desktop
computers, laptop computers, mobile devices, and so on) as needed
in support o critical applications and services
Systems operations Perorms routine and nonroutine tasks such as backups to keep
critical applications running
Transportation Coordinates transportation o personnel to recovery sites
Relocation Acquires housing and other resources needed by personnel who are
working at remote operations centers
Security Coordinates physical and logical security activities to ensure the
continuous protection o sta, assets, and inormation
Finance Facilitates the availability o inancial resources as needed to
commence and continue emergency response operations
Table 7-3 Disaster Response Teams’ Roles and Responsibilities
Chapter 7: Incident Management Readiness
457
NOTE Some roles in Table 7-3 may overlap with responsibilities deined in
the organization’s BCP. Disaster recovery and business continuity planners
should work together to ensure that the organization’s overall response to
disaster is appropriate and does not overlook vital unctions.
Recovery Objectives
During the BIA and criticality analysis phases of a business continuity and disaster recov-
ery project, the speed with which each business activity (with its underlying IT systems)
needs to be restored after a disaster is determined. The primary recovery objectives, as
discussed in detail earlier in this chapter, are as follows:
• RTO
• RPO
• RCO
• RCapO
PART IV
recovery system speciications in terms o capacity, integrity, or unctionality.
• A server’s CPU or memory fails and is replaced and restarted in two hours. No data
is lost. The RTO is two hours, and the RPO is zero.
• The storage system supporting an application suffers a hardware failure that results
in the loss of all data. Data is recovered from a snapshot on another server taken
every six hours. The RPO is six hours in this case.
• The database in a transaction application is corrupted and must be recovered.
Backups are taken twice per day. The RPO is 12 hours. However, it takes 10 hours
to rebuild indexes on the database, so the RTO is closer to 22 to 24 hours since the
application cannot be returned to service until indexes are available.
CISM Certified Information Security Manager All-in-One Exam Guide
458
TIP When publishing RTO and RPO igures to customers, it’s best to
publish the worst-case igures: “I our data center burns to the ground, our
RTO is X hours and the RPO is Y hours.” Saying it that way would be simpler
than publishing a chart that shows RPO and RTO igures or various types
o disasters.
Organizations that publish RCO and RCapO targets will need to include the practical
meaning of these targets, whether they represent an exact match of capacity and integrity
or some reduction. For example, if an organization’s recovery site is engineered to process
80 percent of the transaction volume of the primary site, an organization should consider
stating that processing capacity at a recovery site may be reduced.
Time
PART IV
iterative process. The project team will develop a strategy to reach speciic
targets or a speciic cost; senior management could well decide that the
cost is too high and may increase RPO and/or RTO targets accordingly.
Similarly, the project team could also discover that it is less costly to achieve
speciic RPO and RTO targets, and management could respond by lowering
those targets. This is illustrated in Figure 7-13.
Develop technical
architecture and
processes to support
recovery targets
Are
technologies Y
too expensive? Start over
Implement technologies
and processes to support
recovery targets
Site Recovery Options In a worst-case disaster scenario, the site where information
systems reside is partially or wholly destroyed. In most cases, the organization cannot
afford to wait for the damaged or destroyed facility to be restored, because this could take
weeks or months. If an organization can take that long to recover an application, you’d
have to wonder whether it is needed. The assumption must be that in a disaster scenario,
the organization will recover critical applications at another location. This other location
is called a recovery site. There are two dimensions to the process of choosing a recovery
site: the speed at which the application will be recovered at the recovery site and the loca-
tion of the recovery site itself.
As you might expect, speed costs: Developing the ability to recover more quickly costs
more money and resources. If a system is to be recovered within a few minutes or hours,
the costs will be much higher than if the organization can recover the system in five days.
Various types of facilities are available for rapid or not-too-rapid recovery. These facili-
ties are called hot sites, warm sites, cold sites, and cloud sites. As the names suggest, hot sites
permit rapid recovery, while cold sites provide a much slower recovery. The costs associ-
ated with these are also somewhat proportional, as illustrated in Table 7-5.
Hot Sites A hot site is an alternate processing center where backup systems are already
running and in some state of near-readiness to assume production workload. The systems
at a hot site most likely have application software and database management software
Chapter 7: Incident Management Readiness
461
Table 7-5 Site Type Speed to Recovery Cost
Relative Costs o Hot 0 to 24 hours $$$$
Recovery Sites
Warm 24 hours to 7 days $$$
Cold More than 7 days $$
Mobile 2 to 7 days $$$ to $$$$
Cloud 0 to 7 days $$
Reciprocal 0 to 7 days $$ to $$$$
already loaded and running, perhaps even at the same patch levels as the systems in the
primary processing center. A hot site is the best choice for systems whose RTO targets
range from zero to several hours, perhaps as long as 24 hours.
A hot site may consist of leased rack space (or even a cage for larger installations) at
a co-location center. If the organization has its own processing centers, a hot site for a
given system would consist of the required rack space to house the recovery systems.
Recovery servers will be installed and running, with the same version and patch level for
the operating system, DBMS (if used), and application software.
Systems at a hot site require the same level of administration and maintenance as the
PART IV
primary systems. When patches or configuration changes are made to primary systems,
they should be made to hot-site systems at the same time or very shortly afterward.
Because systems at a hot site need to be at or very near a state of readiness, a strategy
needs to be developed regarding a method for keeping the data on hot standby systems
current. Systems at a hot site should also have full network connectivity. A method for
quickly directing network traffic toward the recovery servers needs to be worked out in
advance so that a switchover can be accomplished. All this is discussed in the “Recovery
and Resilience Technologies” section later in this chapter.
The organization sends one or more technical staff members to the hot site to set up
systems; once the systems are operating, much or all of the system- and database-level
administration can be performed remotely. In a disaster scenario, however, the organiza-
tion may need to send the administrative staff to the site for day-to-day management
of the systems. This means that workspace for these personnel needs to be identified so
that they can perform their duties during the recovery operation.
TIP Hot-site planning needs to consider work (desk) space or on-site
personnel. Some co-location centers provide limited work areas that
are oten shared and oer little privacy or phone discussions. Also,
transportation, hotel, and dining accommodations need to be arranged,
possibly in advance, particularly i the hot site is in a dierent city rom the
primary site.
Warm Sites A warm site is an alternate processing center where recovery systems are
present but at a lower state of readiness than recovery systems at a hot site. For example,
while the same version of the operating system may be running on the warm site system,
CISM Certified Information Security Manager All-in-One Exam Guide
462
it may be a few patch levels behind primary systems. The same could be said about the
versions and patch levels of DBMSs (if used) and application software.
A warm site is appropriate for an organization whose RTO figures range from roughly
one to seven days. In a disaster scenario, recovery teams would travel to the warm site
and work to get the recovery systems to a state of production readiness and to get systems
up-to-date with patches and configuration changes to bring the systems into a state of
complete readiness. A warm site is also used when the organization is willing to take the
time necessary to recover data from tape or other backup media. Depending upon the
size of the databases, this recovery task can take several hours to a few days.
The primary advantage of a warm site is that its costs are lower than for a hot site,
particularly in the effort required to keep the recovery system up-to-date. The site may
not require expensive data replication technology, but instead, data can be recovered
from backup media.
Cold Sites A cold site is an alternate processing center where the degree of readiness for
recovery systems is low. At the least, a cold site is nothing more than an empty rack or
allocated space on a computer room floor. It’s just an address in someone’s data center
or co-location site where computers can be set up and used at some future date. Often,
cold sites contain little or no equipment. When a disaster or other highly disruptive event
occurs in which the outage is expected to exceed 7 to 14 days, the organization will order
computers from a manufacturer or perhaps have computers shipped from some other
business location to arrive at the cold site soon after the disaster event has begun. Then
personnel would travel to the site and set up the computers, operating systems, databases,
network equipment, and so on, and get applications running within several days.
The advantage of a cold site is its low cost. The main disadvantage is the time and
effort required to bring it to operational readiness in a short period, which can be costly.
But for some organizations, a cold site is exactly what is needed.
Table 7-6 shows a comparison of hot, warm, cold, and cloud-based recovery sites and
a few characteristics of each.
PART IV
This type of arrangement is less common but is used by organizations that use main-
frame computers and other high-cost systems.
NOTE With the wide use o Internet co-location centers, reciprocal sites have
allen out o avor. Still, they may be ideal or organizations with mainrame
computers that are otherwise too expensive to deploy to a cold or warm site.
Geographic Site Selection An important factor in the process of recovery site selection
is the location of the site. The distance between the main processing site and the recovery
site is vital and may figure heavily into the viability and success of a recovery operation.
A recovery site should not be located in the same geographic region as the primary site,
because the site may be involved in the same regional disaster that affects the primary
site and may be unavailable for use. By “geographic region,” I mean a location that will
likely experience the effects of the same regional disaster that affects the primary site.
No arbitrarily chosen distance (such as 100 miles) guarantees sufficient separation. In
some locales, 50 miles is plenty of distance; in other places, 300 miles is too close—it
all depends on the nature of disasters that are likely to occur. Information on regional
disasters should be available from local disaster preparedness authorities or from local
disaster recovery experts.
Disaster Recovery for SaaS Services Many organizations’ principal business applica-
tions are SaaS-based, so the organization pays a monthly or yearly fee and uses software
hosted by a service provider. At first glance, one may believe that DRP for SaaS services is
entirely the responsibility of the SaaS provider. For the most part, this is true. There are,
CISM Certified Information Security Manager All-in-One Exam Guide
464
Figure 7-14 SaaS
SaaS
Direct Primary
DR Site
connectivity Site
scenarios
or disaster Primary
DR
recovery with Connection
Connections
SaaS providers
Organization Organization
(Source: Peter Primary DR
Gregory) Site Site
however, some issues that organizations need to consider as a part of their DRP, includ-
ing the following:
PART IV
contract to verify the presence and effectiveness of all key controls in place at the
recovery facility.
• Security and environmental controls The organization needs to know what
security and environmental controls are in place at the disaster recovery facility.
Considerations for a Distributed Workforce During and after the COVID-19 pan-
demic, many organizations began hiring out-of-area personnel who worked from their
homes most or all of the time. Organizations still operating data centers may find that
few IT workers are located near primary or alternate processing centers. This “just-in-
time” approach may be suitable for normal business operations, but disaster scenarios
may result in few personnel being available for any necessary onsite work. For this reason,
it’s essential that disaster recovery plans be written for an audience with less familiarity
with the organization’s operations and practices, because it is possible that outsiders (such
as contractors) will be performing some salvage and recovery tasks. For organizations
with numerous remote employees, sufficient capacity for remote access (VPN) is essen-
tial to support business operations running on an emergency footing.
Acquiring Additional Hardware Many organizations elect to acquire their own server,
storage, and network hardware for disaster recovery purposes. How an organization will
go about acquiring hardware will depend on its high-level recovery strategy:
• Does the technology help the information system achieve the RTO, RPO, and
RCapO targets?
• Does the cost of the technology meet or exceed budget constraints?
• Can the technology be used to benefit other information systems (thereby lowering
the cost for each system)?
• Does the technology fit well into the organization’s current IT operations?
• Will operations staff require specialized training to use the technology for recovery?
• Does the technology contribute to the simplicity of the overall IT architecture, or
does it complicate it unnecessarily?
These questions are designed to help determine whether a specific technology is a good
fit, from technology, process, and operational perspectives.
RAID Redundant Array of Independent Disks (RAID) is a family of technologies used
to improve the reliability, performance, or size of disk-based storage systems. From a
PART IV
disaster recovery or systems resilience perspective, the feature of RAID that is of par-
ticular interest is its reliability. RAID is used to create virtual disk volumes over an array
(pun intended) of disk storage devices and can be configured so that the failure of any
individual disk drive in the array will not affect the availability of data on the disk array.
RAID is usually implemented on a hardware device called a disk array, which is a chas-
sis in which several hard disks can be installed and connected to a server. The individual
disk drives can usually be “hot-swapped” in the chassis while the array is still operating.
When the array is configured with RAID, a failure of a single disk drive will have no
effect on the disk array’s availability to the server to which it is connected. A system
operator can be alerted to the disk’s failure, and the defective disk drive can be removed
and replaced while the array is still fully operational.
Several options, or levels, of RAID configuration are available:
• RAID 0 This is known as a striped volume, in which a disk volume splits data
evenly across two or more disks to improve performance.
• RAID 1 This creates a mirror, where data written to one disk in the array is also
written to a second disk in the array. RAID 1 makes the volume more reliable
through the preservation of data, even when one disk in the array fails.
• RAID 4 This level employs data striping at the block level by adding a dedicated
parity disk, which permits the rebuilding of data in the event one of the other
disks fails.
• RAID 5 This is similar to RAID 4 block-level striping, except that the parity
data is distributed evenly across all of the disks instead of being dedicated on
one disk. Like RAID 4, RAID 5 allows for the failure of one disk without
losing information.
CISM Certified Information Security Manager All-in-One Exam Guide
468
• RAID 6 This is an extension of RAID 5, in which two parity blocks are used
instead of a single parity block. RAID 6 can withstand the failure of any two disk
drives in the array instead of a single disk, as is the case with RAID 5.
Storage systems are hardware devices that are entirely separate from servers—their only
purpose is to store a large amount of data. They are highly reliable through the use of
redundant components and the use of one or more RAID levels. Storage systems gener-
ally come in two forms:
• Storage area network (SAN) This stand-alone storage system can be configured
to contain several virtual volumes and can be connected to several servers through
fiber-optic cables. The servers’ operating systems will often consider this storage to
be “local,” as though it consisted of one or more hard disks present in the server’s
own chassis.
• Network-attached storage (NAS) This stand-alone storage system contains
one or more virtual volumes. Servers access these volumes over the network
using the Network File System (NFS) or Server Message Block/Common
Internet File System (SMB/CIFS) protocols, common on Unix and Windows
operating systems, respectively.
Replication During replication, data that is written to a storage system is also copied
over a network to another storage system. The result is the presence of up-to-date data
that exists on two or more storage systems, each of which could be located in a different
geographic region. Replication can be handled in several ways and at different levels in
the technology stack:
• Disk storage system Data-write operations that take place in a disk storage
system (such as a SAN or NAS) can be transmitted over a network to another disk
storage system, where the same data will be written to the other disk storage system.
• Operating system The operating system can control replication so that updates
to a particular file system can be transmitted to another server, where those updates
will be applied locally.
• Database management system The DBMS can manage replication by sending
transactions to a DBMS on another server.
• Transaction management system The transaction management system
(TMS) can manage replication by sending transactions to a counterpart TMS
located elsewhere.
Chapter 7: Incident Management Readiness
469
• Application The application can write its transactions to two different storage
systems. This method is not often used.
• Virtualization Virtual machine images can be replicated to recovery sites to
speed the recovery of applications.
Replication can take place from one system to another system, called primary-backup
replication, and this is the typical setup when data on an application server is sent to a
distant storage system for data recovery or disaster recovery purposes. Replication can
also be bidirectional between two active servers; this is known as multiprimary or multi-
master replication. This method is more complicated, because simultaneous transactions
on different servers could conflict with one another (such as two reservation agents try-
ing to book a passenger in the same seat on an airline flight). Some form of concurrent
transaction control would be required, such as a distributed lock manager.
In terms of the speed and integrity of replicated information, there are two types
of replication:
PART IV
rate of the remote transaction.
• Asynchronous replication Writing data to the remote storage system is not
kept in sync with updates on the local storage system. Instead, there may be a
time lag, and you have no guarantee that data on the remote system is identical
to that on the local storage system. Performance is improved, however, because
transactions are considered complete when they have been written to the local
storage system only. Bursts of local updates to data will take a finite period to
replicate to the remote server, subject to the available bandwidth of the network
connection between the local and remote storage systems.
NOTE Replication is oten used or applications where the RTO is smaller
than the time necessary to recover data rom backup media. For example,
i a critical application’s RTO is established to be two hours, recovery rom
backup tape is probably not a viable option unless backups are perormed
every two hours. While more expensive than recovery rom backup media,
replication ensures that up-to-date inormation is present on a remote
storage system that can be put online in a short period.
Server Clusters A cluster is a collection of two or more servers that appear as a single
server resource. Clusters are often the technology of choice for applications that require a
high degree of availability and a very small RTO, measured in minutes. When an applica-
tion is implemented on a cluster, even if one of the servers in the cluster fails, the other
server (or servers) in the cluster will continue to run the application, usually with no user
awareness that such a failure occurred.
CISM Certified Information Security Manager All-in-One Exam Guide
470
End
Users
Active
Server
Database
Server SAN
Passive
Network
Server
Database
Server SAN
Passive
Server
Database
Server
Cluster
Application
Server
Cluster
There are two typical configurations for clusters, active/active and active/passive.
In active/active mode, all servers in the cluster are running and servicing application
requests. This is often used in high-volume applications where many servers are required
to service the application workload. In active/passive mode, one or more servers in the
cluster are active and servicing application requests, while one or more servers in the
cluster are in a “standby” mode; they can service application requests but won’t do so
unless one of the active servers fails or goes offline for any reason. A failover occurs when
an active server goes offline and a standby server takes over. Figure 7-15 shows a typical
server cluster architecture.
A server cluster is typically implemented in a single physical location, such as a data
center. However, in a geographic cluster, or geocluster, a cluster can be implemented where
great distances separate the servers in the cluster. Servers in a geocluster are connected
through a WAN connection. Figure 7-16 shows a typical geographic cluster architecture.
Server Server
WAN WAN
Network Network Network
Equipment Equipment
SAN SAN
Data Replication
PART IV
These services are usually operated on servers, which may require clustering
and/or replication of their own, so that the application will be able to continue
functioning in the event of a disaster.
NOTE Business continuity and disaster recovery plans work together to get
critical business unctions operating again ater a disaster. Because o this,
business continuity and disaster recovery teams need to work closely when
developing their respective response procedures to ensure that all activities
are covered, but without unnecessary overlap.
Disaster recovery plans should consider all the likely disaster scenarios that may occur
to an organization. Understanding these scenarios can help the team take a more prag-
matic approach when creating response procedures. The added benefit is that not all
disasters result in the entire loss of a computing facility. Most are more limited in their
scope, although all of them can still result in a complete inability to continue operations.
Some of these scenarios are as follows:
Backup to Tape and Other Media In organizations still utilizing their own IT infra-
structure, tape backup is just about as ubiquitous as power cords. From a disaster recov-
ery perspective, however, the issue probably is not whether the organization has tape
backup, but whether its current backup capabilities are adequate in the context of disas-
ter recovery. An organization’s backup capability may need to be upgraded if:
PART IV
• Confidence in the backup technology is low.
Many organizations may consider tape backup as a means of restoring files or data-
bases when errors have occurred, and they may have confidence in their backup system
for that purpose. However, the organization may have somewhat less confidence in its
backup system and its ability to recover all of its critical systems accurately and in a
timely manner.
Although tape has been the default medium since the 1960s, many organizations use
hard drives for backup: hard disk transfer rates are far higher, and a disk is a random-
access medium, whereas tape is a sequential-access medium. A virtual tape library (VTL)
is a type of data storage technology that sets up a disk-based storage system with the
appearance of tape storage, permitting existing backup software to continue to back data
up to “tape,” which is really just more disk storage.
E-vaulting is another viable option for system backup. E-vaulting permits organiza-
tions to back up their systems and data to an offsite location, which could be a storage
system in another data center or a third-party service provider. This accomplishes two
important objectives: reliable backup and offsite storage of backup data.
Backup schemes, backup media rotation methods, and backup media storage are
discussed in Chapter 6.
Incident Classification/Categorization
No two security incidents or disasters are alike: some may threaten the very survival
of an organization, while others are minor, bordering on insignificant. The degree and
type of response must be appropriate for the severity of the incident in terms of mobi-
lization, speed, and communications. Further, an incident may or may not have an
CISM Certified Information Security Manager All-in-One Exam Guide
474
Incident
Severity Incident Impact Description and Examples
1 Aects a single Policy violation
individual Compromise o a unction
2 Aects a workgroup Compromise or interruption o an important unction
3 Aects a department or Compromise o intellectual property o a critical unction
business unit
4 Aects the entire Signiicant compromise o intellectual property or
organization internally interruption o a critical unction
5 Aects the entire Signiicant compromise o personally identiiable
organization publicly inormation or multiple critical unctions
Table 7-8 Example Single-Dimensional Incident Severity Plan
Severity Sensitivity
Classification Impact to Operations Classification Description
1 No impact to operations A No impact on inormation
2 Minor impact on B Compromise o a
operations small volume o
critical inormation
3 Critical unction impaired C Compromise o a
moderate volume o
critical inormation
4 Critical unction D Compromise o a
unavailable or large volume o
signiicantly impaired critical inormation
5 Critical unctions E Loss or damage to
unavailable all critical inormation
Table 7-9 Example Two-Dimensional Incident Severity Plan
Chapter 7: Incident Management Readiness
475
The purpose of classifying incidents by severity level provides guidance on several
aspects of response:
PART IV
Organizations do not perform incident response plans every day. While low-severity
plans may be performed from time to time, high-severity plans may be used rarely,
perhaps only once every several years. Organizations that want to have confidence in
their incident response plans need to train personnel in their use and test their response
plans from time to time to ensure that they will work as expected.
Although security incident response, business continuity plans, and disaster recovery
plans are related to one another in some scenarios, it is important to distinguish each
from the others. Each has a specific purpose, but in some scenarios, two or all three of
these plans may be activated at once.
PART IV
the information they read in procedure documents.
All of the test levels that need to be performed to verify the quality of response plans
are also training opportunities for personnel. The development and testing of disaster-
related plans and procedures provide a continuous learning experience for all of the per-
sonnel involved.
• Walk-through
• Simulation
• Parallel test
• Cutover test
TIP Usually, an organization should perorm the less intensive tests irst to
identiy the most obvious laws, ollowed by tests that require more eort.
Test Preparation
Each type of test requires advance preparation and recordkeeping. Preparation will
consist of several items:
PART IV
• Participants The organization will identify personnel who will participate in an
upcoming test. It is important to identify all relevant skill groups and department
stakeholders so that the test will include a full slate of contributors. This would
also include key vendors/partners to support their systems.
• Schedule The availability of each participant needs to be confirmed so that the
test will include participation from all stakeholders.
• Facilities For all but the document review test, proper facilities, such as a large
conference room or training room, should be identified and set up. If the test
takes several hours, one or more meals and refreshments may be needed as well.
• Scripting The simulation test requires some scripting, usually in the form of one
or more documents that describe a developing scenario and related circumstances.
Scenario scripting can make parallel and cutover tests more interesting and valuable,
but this can be considered optional.
• Recordkeeping For all tests except the document review, one or more
people should take good notes that can be collected and organized after the
test is completed.
• Contingency plan The cutover test involves the cessation of processing on
primary systems and the resumption of processing on recovery systems. This is
the highest risk plan, and things can go wrong. Develop a contingency plan to
get primary systems running again in case something goes wrong during the test.
Table 7-10 shows these preparation activities.
CISM Certified Information Security Manager All-in-One Exam Guide
480
Document
Review Walk-through Simulation Parallel Test Cutover Test
Participants Yes Yes Yes Yes Yes
Schedule Yes Yes Yes Yes Yes
Facilities Yes Yes Yes Yes
Scripting Yes Optional Optional
Recordkeeping Yes Yes Yes Yes Yes
Contingency plan Yes
Table 7-10 Preparation Activities or Disaster Recovery Business Continuity Tests
Document Review A document review test reviews some or all disaster recovery and
business continuity plans, procedures, and other documentation. Individuals typically
review these documents on their own, at their own pace, but within established time
constraints or deadlines. The purpose of this test is to review the accuracy and com-
pleteness of document content. Reviewers should read each document with a critical
eye, point out any errors, and annotate the document with questions or comments that
can be returned to the document’s author (or authors), who can make any necessary
changes. If significant changes are needed in one or more documents, the project team
may want to include a second document review before moving on to more resource-
intensive tests.
The owner or document manager for the organization’s BCP and DRP project should
document which people review which documents and perhaps include the review cop-
ies or annotations. This practice will create a complete record of the activities related to
the development and testing of important DRP and BCP documents. It will also help
to capture the true cost and effort of the development and testing of BCP capabilities in
the organization.
Walk-through A walk-through is similar to a document review but includes only the
BCP documents. However, where a document review is carried out by individuals work-
ing on their own, a walk-through is performed by an entire group of individuals in a live
discussion. A walk-through is usually facilitated by a leader who guides the participants
page by page through each document. The leader may read sections of the document
aloud, describe various scenarios where information in a section may be relevant, and
take comments and questions from participants.
A walk-through is likely to take considerably more time than a document review. One
participant’s question on some minor point in the document could spark a worthwhile
and lively discussion that could last from a few minutes to an hour. The group leader
or another person should take careful notes to record any deficiencies are discovered in
any of the documents, as well as issues to be handled after the walk-through. The leader
should be able to control the pace of the review so that the group does not get unneces-
sarily hung up on minor points. Some discussions may need to be cut short or tabled for
a later time or for an offline conversation among interested parties.
Chapter 7: Incident Management Readiness
481
Even if major revisions are required in recovery documents, it will probably be infeasi-
ble to conduct another walk-through with the updated documents. Follow-up document
reviews are probably warranted, however, to ensure that they were updated appropriately,
at least in the opinion of the walk-through participants.
PART IV
ments. A simulation could be an elaborate and choreographed walk-through test, where
a facilitator reads from a script and describes a series of unfolding events in a disaster such
as a hurricane or an earthquake. This type of simulation could be viewed as a sort of play-
acting, where the script is the emergency response documentation. After stimulating the
imagination of simulation participants, participants may find it easier to imagine what
disaster recovery and business continuity procedures would be like if an actual disaster
occurs. It will help tremendously if the facilitator has actually experienced one or more
disaster scenarios to add more realism when describing events.
To make the simulation more credible and valuable, the chosen scenario should have a
reasonable chance of actually occurring in the local area. Good choices would include an
earthquake in San Francisco or Los Angeles, a volcanic eruption in Seattle, or an avalanche
in Switzerland. A poor choice would be a hurricane or tsunami in Central Asia, because
these events would never occur there. A simulation can also go a few steps further. For
instance, the simulation can take place at an established emergency operations center,
the same place where emergency command and control would operate in a real disaster.
Also, the facilitator could change some of the participants’ roles to simulate the absence
of certain key personnel to see how the remaining personnel may conduct themselves in
a real emergency.
NOTE Not all organizations perorm cutover tests, because they take a lot o
resources to set up and they are risky. Many organizations ind that a parallel
test is suicient to determine whether backup systems are accurate, and the
risk o an embarrassing incident is almost zero with a parallel test.
PART IV
As with any well-organized project, success is in the details. The road to success is
littered with big and little mistakes, and the things that are identified in every sort of
disaster recovery test need to be detailed so that the next iteration of the test will provide
better results. Here are some key metrics that can be reported:
• Obtain documentation that describes current business strategies and objectives. Obtain
high-level documentation (such as strategy, charter, and objectives) for the business
continuity program and determine whether and how the program aligns with
business strategies and objectives.
• Obtain the most recent BIA and accompanying threat analysis, risk analysis, and
criticality analysis. Determine whether these documents are current and complete,
and whether they support the business continuity strategy. Also determine whether
the scope of these documents covers those activities considered strategic according
to high-level business objectives. Finally, determine whether the methods in these
documents represent good practices for these activities.
Business
Objectives
Business Impact
Assessment (BIA)
Response
and Recovery
Documentation
PART IV
3. Determine whether all documents are clear and easy to understand, not just for
primary responders, but for alternate personnel who may have specific relevant
skills but less familiarity with the organization’s critical applications. In some
disaster scenarios, primary responders may be unavailable to carry out disaster
response activities.
4. Examine documentation related to the declaration of a disaster and the initiation
of disaster response. Determine whether the methods for declaration are likely to
be effective in a disaster scenario.
5. Obtain emergency contact information, and contact some of the personnel to
determine whether the contact information is accurate and up-to-date. Also
check to see that all response personnel are still employed in the organization and
are in the same or similar roles in support of disaster response efforts.
6. Contact some or all of the response personnel who are listed in emergency contact
lists. Interview them to see how well they understand their disaster response
responsibilities and whether they are familiar with disaster response procedures.
Ask each interviewee whether they have a copy of these procedures, and ask
whether their copies are current.
7. Determine whether a process exists for the formal review and update of business
continuity documentation. Examine records to see how frequently, and how
recently, documents have been reviewed and updated.
8. Determine whether response personnel receive any formal or informal training
on response and recovery procedures. Determine whether personnel are required
to receive training and whether any records are kept that show which personnel
received training and at what time.
CISM Certified Information Security Manager All-in-One Exam Guide
486
9. Determine whether business continuity planners perform tests, walk-throughs,
and exercises of plans, and whether retrospectives or after-action reviews of tests
are performed to identify opportunities for improvement.
• Ask the interviewee to summarize his or her professional experience and training
and current responsibilities in the organization.
• Ask whether he or she is familiar with the organization’s business continuity and
disaster recovery programs.
Chapter 7: Incident Management Readiness
487
• Determine whether he or she is among the key response personnel expected to
respond during a disaster.
• Ask whether the interviewee has been issued a copy of any response or recovery
procedures. If so, ask to see those procedures to determine whether they are
current versions. Ask if the interviewee has additional sets of procedures in any
other locations (residence, for example).
• Ask whether he or she has received any training. Request evidence of this training
(certificate, calendar entry, notes, and so on).
• Ask whether the interviewee has participated in any tests or evaluations of
recovery and response procedures. Ask whether the tests were effective, whether
management takes the tests seriously, and whether any deficiencies in tests resulted
in any improvements to test procedures or other documents.
PART IV
following questions:
• Does the contract support the organization’s requirements for delivery of services
and supplies, even in the event of a local or regional disaster?
• Does the service provider have its own disaster recovery capabilities that will ensure
its ability to deliver critical services during a disaster?
• Is recourse available should the supplier be unable to provide goods or services
during a disaster?
Finally, the examiner or auditor should determine whether the organization can con-
tinue its own critical business process should a key service provider experience its own
disaster. The service provider may elect to activate an alternate processing center; will the
organization’s systems be able to connect to the service provider’s disaster recovery systems
easily and continue functioning as expected? Are there instructions for connecting systems
to the service provider’s disaster recovery systems?
PART IV
the procedures used to prepare and bring cloud-based systems to operational
readiness. Examine procedures and configurations to see whether they are likely to
support the organization successfully during a disaster.
• Determine whether any documentation exists regarding the relocation of key
personnel to the alternate processing site. Check that the documentation specifies
which personnel are to be relocated and what accommodations and supporting
logistics are provided. Determine the effectiveness of these relocation plans.
• Determine whether backup and offsite (or replication or e-vaulting) storage
procedures are being followed. Examine systems to ensure that critical IT
applications are being backed up and that proper media are being stored offsite
(or that the proper data is being replicated or e-vaulted). Determine whether data
recovery tests are ever performed and, if so, whether the results of those tests are
documented and problems are properly dealt with.
• Evaluate procedures for transitioning processing from the alternate processing
facility back to the primary processing facility. Determine whether these procedures
are complete and effective, and whether they have been tested.
• Determine whether a process exists for the formal review and update of
business continuity documentation to ensure continued alignment with DRP.
Examine records to see how frequently, and how recently, documents have
been reviewed and updated. Determine whether this is sufficient and effective
by interviewing key personnel to understand whether significant changes to
applications, systems, networks, or processes are reflected in recovery and
response documentation.
CISM Certified Information Security Manager All-in-One Exam Guide
490
• Determine whether response personnel receive any formal or informal training
on response and recovery procedures. Determine whether personnel are required
to receive training, and whether any records are kept that show which personnel
received training and at what time.
• Examine the organization’s change control process. Determine whether the process
includes any steps or procedures that require personnel to decide whether any
change has an impact on disaster recovery documentation or procedures.
• Obtain the location of the offsite storage or e-vaulting facility. Determine whether
the facility is located in the same geographic region as the organization’s primary
processing facility.
• If possible, visit the facility and examine its physical security controls as well as
its safeguards to prevent damage to stored information in a disaster. Consider the
entire spectrum of physical and logical access controls. Examine procedures and
records related to the storage and return of backup media and other information
that the organization may store there. If it is not possible to visit the facility,
obtain copies of audits or other attestations of controls effectiveness.
• Take an inventory of backup media and other information stored at the facility.
Compare this inventory with a list of critical business processes and supporting
IT systems to determine whether all relevant information is, in fact, stored at
PART IV
the facility.
• Determine how often the organization performs its own inventory of the facility
and whether steps to correct deficiencies are documented and remedied.
• Examine contracts, terms, and conditions for offsite storage providers or e-vaulting
facilities, if applicable. Determine whether data can be recovered to the original
processing center and to alternate processing centers within a period that will
ensure that disaster recovery can be completed within RTOs.
• Determine whether the appropriate personnel have current access codes or license
keys for offsite storage or e-vaulting facilities and whether they have the ability to
recover data from those facilities.
• Determine what information, in addition to backup data, exists at the facility.
Information stored offsite should include architecture diagrams, design
documentation, operations procedures, and configuration information for all
logical and physical layers of technology and facilities supporting critical IT
applications, operations documentation, application source code, and software
build systems.
• Obtain information related to the manner in which backup media and copies
of records are transported to and from the offsite storage or e-vaulting facility.
Determine the adequacy of controls protecting transported information.
• Obtain records supporting the transport of backup media and records to and
from the storage facility. Examine samples of records and determine whether
they match other records, such as backup logs.
CISM Certified Information Security Manager All-in-One Exam Guide
492
NOTE Organizations need to balance the time practicing backup procedures
with procedures used to perorm dierent types o recovery scenarios.
• Obtain addresses and other location information for alternate processing facilities.
These will include hot sites, warm sites, cold sites, cloud-based services, and
alternate processing centers owned or operated by the organization. Note that
exact locations of cloud services are often unavailable for security reasons.
• Determine whether alternate facilities are located within the same geographic
region as the primary processing facility and note whether the alternate facility
will also be adversely affected by a disaster that strikes the primary facility.
• Perform a threat analysis on the alternate processing site. Determine which threats
and hazards pose a significant risk to the organization and its ability to carry out
operations effectively during a disaster.
• Determine the types of natural and human-made events likely to take place at
the alternate processing facility. Determine whether there are adequate controls
to mitigate the effect of these events.
• Examine all environmental controls and determine their adequacy. This should
include environmental controls (HVAC), power supply, uninterruptible power
supply (UPS), power distribution units (PDUs), switchgear, and electric generators.
Also, examine fire detection and suppression systems, including smoke detectors,
pull stations, fire extinguishers, sprinklers, and inert gas suppression systems.
• If the alternate processing facility is a separate organization, obtain the legal
contract and all exhibits. Examine these documents and determine whether the
contract and exhibits support the organization’s recovery and testing requirements.
Chapter Review
Security incident management, disaster recovery planning, and business continuity
planning all support a central objective: resilience and rapid recovery when disruptive
events occur.
A security incident occurs when the confidentiality, integrity, or availability of
PART IV
information or information systems has been or is in danger of being compromised.
The proliferation of connected devices makes life safety an additional consideration in
many organizations.
An organization that is developing security incident response plans needs to deter-
mine high-level objectives so that response plans will meet these objectives.
With the proliferation of outsourcing to cloud-based service providers, many security
incidents now take place in third-party organizations, which requires additional planning
and coordination so that any incident response involving a third party is effective.
BCP and DCP work together to ensure the survival of an organization during and
after a cyberattack, natural disaster, or human-made disaster.
The business impact analysis identifies the impact of various disaster scenarios and
determines the most critical processes and systems in an organization. The BIA helps an
organization focus its BCP and DRP on the most critical business functions. Statements
of impact help management better understand the results of disruptive events in busi-
ness terms. In a criticality analysis, each system and process is studied to consider the
impact on the organization if it is incapacitated, the likelihood of incapacitation, and
the estimated cost of mitigating the risk or impact of incapacitation.
Maximum tolerable downtime and maximum tolerable outage inform the develop-
ment of recovery targets, including recovery time objective, recovery point objective,
and recovery capacity objective, to help an organization understand how quickly various
business processes should be recovered after a disaster. Recovery speed is an important
factor as the cost of recovery varies widely.
Business continuity plans define the methods the organization will use to continue
critical business operations after a disaster has occurred. Disaster recovery plans define
the steps that will be undertaken to salvage and recover systems damaged by a disaster.
CISM Certified Information Security Manager All-in-One Exam Guide
494
Both BCP and DRP activities work toward the restoration of capabilities in their original
(or replacement) facilities.
The safety of personnel is the most important consideration in any disaster recovery plan.
DRP is concerned with system resilience matters, including data backup and replica-
tion, the establishment of alternate processing sites (hot, warm, cold, cloud, mobile,
or reciprocal), and the recovery of applications and data. The complexity of a disaster
recovery plan necessitates reviews and testing to ensure that the plan is effective and will
be successful during an actual disaster.
Recovery targets established during the BIA directly influence disaster recovery plans
through the development of suitable infrastructure and response plans.
Security incident response plans, business continuity plans, and disaster recovery
plans all need to be evaluated and tested to ensure their suitability. Organizations need
to identify and train incident responders to ensure that they will understand how to
respond to incidents properly and effectively.
Notes
• Understanding the computer intrusion kill chain model can help an organization
identify opportunities to make their systems more resilient to intruders.
• The development of custom playbooks that address specific types of security
incidents will ensure a more rapid and effective response to an incident. High-
velocity incidents such as data wipers and ransomware require a rapid, almost-
automated, response.
• Organizations must carefully understand all of the terms and exclusions in any
cyber-insurance policy to ensure that no exclusions would result in a denial of
benefits after an incident.
• With so many organizations using cloud-based services, it’s especially important
that organizations understand, in detail, their own roles and responsibilities as
well as those of each cloud service provider. This will ensure that the organization
can build effective incident response should an incident occur at a cloud-based
service provider.
• Recovery objectives such as recovery time objective and recovery point objective
serve as signposts for the development of risk mitigation plans and business
continuity plans. Eventually, plans in support of these objectives must be
developed and tested, usually in the context of business continuity planning.
Questions
1. Which of the following recovery objectives is associated with the longest
allowable period for a service outage?
A. Recovery tolerance objective (RTO)
B. Recovery point objective (RPO)
Chapter 7: Incident Management Readiness
495
C. Recovery capacity objective (RCapO)
D. Recovery time objective (RTO)
2. A security manager is developing a strategy for making improvements to the
organization’s incident management process. The security manager has defined
the desired future state. Before specific plans can be made to improve the process,
the security manager should perform a:
A. Training session
B. Penetration test
C. Vulnerability assessment
D. Gap analysis
3. A large organization operates hundreds of business applications. How should the
security manager prioritize applications for protection from a disaster?
A. Conduct a business impact analysis.
B. Conduct a risk assessment.
C. Conduct a business process analysis.
D. Rank the applications in order of criticality.
PART IV
4. The types of incident response plan testing are:
A. Document review, walk-through, and simulation
B. Document review and simulation
C. Document review, walk-through, simulation, parallel test, and cutover test
D. Document review, walk-through, and cutover test
5. An organization has developed its first-ever business continuity plan. What is the
first test of the continuity plan that the business should perform?
A. Walk-through
B. Simulation
C. Parallel test
D. Cutover test
6. An organization is experiencing a ransomware attack that is damaging critical
data. What is the best course of action?
A. Security incident response
B. Security incident response followed by business continuity plan
C. Concurrent security incident response and business continuity plan
D. Business continuity plan
CISM Certified Information Security Manager All-in-One Exam Guide
496
7. What is the most important consideration when selecting a hot site?
A. Time zone
B. Geographic location in relation to the primary site
C. Proximity to major transportation
D. Natural hazards
8. An organization has established a recovery point objective of 14 days for its most
critical business applications. Which recovery strategy would be the best choice?
A. Mobile site
B. Warm site
C. Hot site
D. Cold site
9. What technology should an organization use for its application servers to provide
continuous service to users?
A. Dual power supplies
B. Server clustering
C. Dual network feeds
D. Transaction monitoring
10. An organization currently stores its backup media in a cabinet next to the
computers being backed up. A consultant told the organization to store backup
media at an offsite storage facility instead. What risk did the consultant most
likely have in mind when he made this recommendation?
A. A disaster that damages computer systems can also damage backup media.
B. Backup media rotation may result in loss of data backed up several weeks in
the past.
C. Corruption of online data will require rapid data recovery from offsite storage.
D. Physical controls at the data processing site are insufficient.
11. A major earthquake has occurred near an organization’s operations center. Which
of the following should be the organization’s top priority?
A. Ensuring that an automatic failure to the recovery site will occur because
personnel may be slow to respond
B. Ensuring that visitors know how to evacuate the premises and that they are
aware of the locations of sheltering areas
C. Ensuring that data replication to a recovery site has been working properly
D. Ensuring that backup media will be available at the recovery site
Chapter 7: Incident Management Readiness
497
12. An organization wants to protect its data from the effects of a ransomware attack.
What is the best data protection approach?
A. Periodically scan data for malware.
B. Replicate data to a cloud-based storage provider.
C. Replicate data to a secondary storage system.
D. Back up data to offline media.
13. An auditor is evaluating an organization’s disaster recovery plan. Which of the
following artifacts should be examined first?
A. Business impact analysis
B. After-action reviews
C. Test results
D. Training records
14. An organization’s top executives are growing tired of receiving reports about minor
security incidents. What is the best course of action?
A. Enact controls to stop the incidents from occurring.
B. Discontinue informing executives about incidents.
PART IV
C. Develop an incident severity schedule.
D. Review regulatory requirements for incident disclosure.
15. An organization has established a recovery time objective of four hours for its most
critical business applications. Which recovery strategy would be the best choice?
A. Mobile site
B. Warm site
C. Hot site
D. Cold site
Answers
1. D. RTO is the maximum period of time from the onset of an outage until the
resumption of service.
2. D. When the desired end state of a process or system is determined, a gap
analysis must be performed so that the current state of the process or system
can also be known. Then specific tasks can be performed to reach the desired
end state of the process.
3. A. A business impact analysis (BIA) is used to identify the business processes
to identify the information systems that are most critical for the organization’s
ongoing operations.
CISM Certified Information Security Manager All-in-One Exam Guide
498
4. A. The types of security incident response plan testing are a document review, a
walk-through, and a simulation. Parallel and cutover tests are not part of security
incident response planning or testing but are used for disaster recovery planning.
5. A. The best choice of tests for a first-time business continuity plan is a document
review or a walk-through. Since this is a first-time plan, other tests are not the
best choices.
6. C. If an organization’s critical data has been damaged or destroyed by a ransomware
incident, the organization should invoke its business continuity plan alongside its
security incident response plan. This may help the organization restore services to
its customers more quickly.
7. B. An important selection criterion for a hot site is the geographic location in
relation to the primary site. If they are too close together, a single disaster event
may involve both locations.
8. D. An organization that has a 14-day recovery time objective (RTO) can use
a cold site for its recovery strategy. Fourteen days is enough time for most
organizations to acquire hardware and recover applications.
9. B. An organization that wants its application servers to be available continuously
to its users needs to employ server clustering so that at least one server will always
be available to service user requests.
10. A. The primary reason for employing offsite backup media storage is to mitigate
the effects of a disaster that could otherwise destroy computer systems and their
backup media.
11. B. The safety of personnel is always the top priority when any disaster event
has occurred. While important, the condition of information systems is a
secondary concern.
12. D. The best approach for protecting data from a high-velocity attack such as
ransomware is to back up the data to offline media that cannot be accessed by
end users. Replicating data to another storage system may only serve to replicate
damaged data to the secondary storage system, making recovery more difficult
or expensive.
13. A. The auditor should first examine business impact analysis documents, as these
define the priority of critical business processes as well as recovery targets.
14. C. It is apparent that the security incident response plan does not have severity
levels. One property of severity levels is the frequency and level of internal
communications. For instance, executives are spared from being informed about
minor incidents while they occur. Higher severity incidents include notifications
to managers higher in the organization, and more frequent notifications.
15. C. An organization that has a four-hour recovery time objective (RTO) should
use a hot site for its recovery strategy. Only a hot site would be able to perform
primary processing within that period of time.
Incident Management
Operations
CHAPTER
8
In this chapter, you will learn about
• The steps o security incident response
• Incident response tools and techniques
• Attorney–client privilege
• Crisis management and communications
• Post incident review and reporting
• Planning
• Detection
• Initiation
• Analysis
• Containment
499
CISM Certified Information Security Manager All-in-One Exam Guide
500
• Eradication
• Recovery
• Remediation
• Closure
• Post-incident review
• Retention of evidence
Planning
This step involves the development of written response plans, guidelines, and proce-
dures to be followed when an incident occurs. These procedures are created after the
organization’s practices, processes, and technologies are well understood. This helps to
ensure that incident response procedures align with security policy, business operations,
the technologies in use, as well as practices regarding organizational architecture, devel-
opment, management, and operations. The plans, guidelines, and procedures should
identify and include key external partners. The planning cannot be conducted in a
vacuum, because many organizations rely on partners for key business functions.
Detection
Detection represents the moment in which an organization is initially aware that a
security incident is taking place or has taken place. Because a variety of events can
characterize a security incident, an organization can become aware of an incident in
several ways, including the following:
Initiation
This is the phase in which response to the incident begins. Typically, it includes decla-
ration of an incident, followed by notifications sent to response team members so that
response operations may begin. Depending upon the severity of the incident, notifica-
tions may be sent to business executives.
Chapter 8: Incident Management Operations
501
Analysis
In this phase, response team members collect and analyze available data to understand
the incident’s cause, scope, and impact. This may involve the use of forensic analysis
tools to understand activities on individual systems. During this phase, partners or
vendors may be engaged to collect information from their systems to determine the
extent of the compromise.
Containment
Incident responders perform or direct actions that halt, or contain, the progress or
advancement of an incident. The steps required to contain an incident will vary accord-
ing to the means used by the attacker. Techniques include blocking command and control
traffic or taking storage systems offline. Senior leadership is usually involved in approving
the containment actions of the team. In some cases, a mature incident response program
will already have rules of engagement so the technical teams know which actions are
approved and which need input from senior leadership.
Eradication
In this phase of incident response, responders take steps to remove the source of the
incident. This could involve removing malware or physically removing an intruder.
PART IV
Recovery
When the incident has been evaluated and eradicated, there is often a need to recover
systems or components to their pre-incident state. This can include restoring data or
configurations or replacing damaged or stolen equipment.
Remediation
This activity involves any necessary changes that will reduce or eliminate the possibility
of a similar incident occurring in the future. This may take the form of process or
technology changes.
Closure
Closure occurs when eradication, recovery, and remediation have been completed.
Incident response operations are officially closed.
Post-incident Review
Shortly after the incident closes, incident responders and other personnel meet to discuss
the incident: its cause, impact, and the organization’s response. Discussion can range
from lessons learned to possible improvements in technologies and processes to improve
defense and response further.
Retention of Evidence
Incident responders and other personnel direct the retention of evidence and other mate-
rials used or collected during the incident. This may include information used in legal
proceedings such as prosecution, civil lawsuits, and internal investigations. A chain of
custody may be required to ensure the integrity of evidence.
CISM Certified Information Security Manager All-in-One Exam Guide
502
NOTE Several standards guide organizations toward a structured and
organized incident response, including NIST SP 800-61, “Computer Security
Incident Handling Guide.”
PART IV
expertise in computer and/or network forensics who seek to determine the
cause of an incident and methods that can be used to contain and eradicate it.
Because some security incidents may result in subsequent legal proceedings,
forensic analysts employ evidence preservation techniques and establish a chain
of custody to ensure that evidence is not altered.
• Containment, eradication, remediation, and recovery These personnel
take measures to halt an incident’s progress and recover affected systems to their pre-
incident states. While containment, eradication, remediation, and recovery are four
distinct steps in incident response, they are often performed by the same personnel.
• Business continuity and emergency operations A significant incident
may result in considerable downtime or other business disruption, as one or
more critical systems may be affected by an incident and taken out of service.
An organization may need to invoke business continuity and/or emergency
operations to continue critical business operations.
NOTE Remember that, despite the noise and disruption caused by a serious
incident, normal business operations need to continue uninterrupted in
the organization.
• Logging Events on individual systems and network devices often provide direct
or indirect indications of intrusions and other incidents. Logs stored in a central
server make this capability more powerful, as events from different systems and
devices can appear together, providing a more comprehensive view of events.
• Log analysis and correlation A SIEM provides log analysis and correlation
to help security personnel realize when unwanted events are occurring or have
occurred in the past.
• Alerting A SIEM or other log processing system can be configured to produce
alerts when specific incidents occur, proactively notifying security personnel that
something requires attention.
• Threat hunting Specialized tools are available to facilitate proactive threat hunting.
• Threat intelligence Many organizations subscribe to one or more cyber-threat
intelligence feeds that help make personnel aware of actionable threats, enabling
them to confirm that protective and detective measures are in place. Some threat
intel feeds are meant to be fed directly into a SIEM, which will correlate threats
with identified vulnerabilities to direct personnel to improve defenses. Other
threat intel feeds are intended to be human-readable. This functionality is often
packaged in a threat intelligence platform (TIP).
• Malware prevention Antivirus and advanced antimalware solutions on mobile
devices, laptops, and servers detect the presence of malware and can often block
or disrupt its activities. Malware detection and prevention capabilities can also be
provided by firewalls, IPSs, web filters, and spam/phishing filters.
• Network intrusion prevention IPSs analyze the details and contents of
network traffic that passes through them, detecting—and often blocking—an
initial intrusion or the command-and-control (C&C) traffic generated by
malware that has successfully compromised a system. A typical IPS is configured
to block specific traffic automatically and produce alerts when this occurs, but
it will permit certain traffic. Network intrusion detection will alert personnel of
suspected attacks, without doing anything to stop them.
• Web content filter Many organizations employ systems that provide protection
from the hazards of users browsing malicious and fraudulent web sites. Web
content filters can be used to block access to known malicious sites as well as
sites associated with various types of inappropriate content. For example, an
organization can block users’ from accessing sites that focus on pornography,
weapons, hate crimes, or online gambling. Some web content filters can examine
the contents of traffic and can block malware from reaching end-user devices.
Chapter 8: Incident Management Operations
505
• File integrity monitoring (FIM) FIM systems periodically scan file systems
on servers and workstations and report any changes. Although changes may
result from periodic maintenance, they can also be indicators of compromise.
A typical FIM system sends alerts to a SIEM to notify SOC analysts of a
potential intrusion.
• File activity monitoring (FAM) FAM systems monitor directories and files on
servers or workstations to detect unusual activities that may indicate compromise.
A typical FAM system sends alerts to a SIEM, where SOC analysts will be watching
for alerts.
• Forensic analysis These tools are used to study the events that have occurred on
a system, examine the contents of file systems and memory, and analyze malware
to understand its structure and actions. Their use requires forensic skills and
experience, as they usually don’t reveal what happened, but instead show detailed
information to a forensic examiner, who determines which elements to examine to
uncover the relevant chain of events. Forensic analysis is used to examine a malware
attack and chronicle the events of an employee accused of misbehavior.
• Video surveillance This is needed for incidents involving human activity—
usually the comings and goings of personnel and intruders and any items they
are carrying with them.
PART IV
• Recordkeeping Decisions, steps undertaken, and communications need to
be recorded so that incident responders can understand the activities that have
taken place during incident response and provide a backward look during post-
incident review.
Threat Hunting
The practice of threat hunting is used proactively to look for signs of intrusions. Rather
than passively monitoring systems, threat hunters use tools to hunt for indicators of
compromise (IOCs). The objective of threat hunting is the earliest possible detection
of intrusions. When an intrusion is detected early, its impact on the organization may
be low, particularly if an attack is detected prior to the intruder achieving her attack
objective. Threat hunting is often carried out by organizations with mature event moni-
toring programs. In other words, organizations considering threat hunting should do
so only after achieving a moderate to high level of maturity in their monitoring tools
and practices.
• Becoming keenly aware of the specific risk factors leading to costly incidents
• Thoroughly vetting organizations’ security programs and capabilities, using
lengthy questionnaires and requests for specific artifacts such as security policies
and even detailed configuration information
• Creating policies with more detailed terms, conditions, and exclusions
• Charging organizations higher premiums with limitations in benefits if an
organization is deemed to have substandard security practices and safeguards
in place, or denying them coverage at any price
• Becoming deeply involved in security incident response, sometimes by directing
one of a short list of security professional services firms to perform computer and
network forensics
It is becoming increasingly difficult to obtain cyber-insurance as insurance companies
are becoming more stringent on requirements such as multifactor authentication and
antimalware. It is imperative that an organization be aware of the fine print of its cyber-
security policy; otherwise, the organization may find the policy is worthless when it’s
PART IV
time to file a claim.
Incident Detection
The detection phase marks the start of an organization’s awareness of a security inci-
dent. In many cases, some time elapses between the beginning of an actual incident
and the moment that the organization is aware of it; this period is known as dwell time.
The ability to detect an intrusion or incident requires event visibility, which is typically
achieved through event log collection and analysis tools (usually a SIEM system), together
with other tools that monitor and detect activities in networks, servers, and endpoints.
CISM Certified Information Security Manager All-in-One Exam Guide
508
An organization can be made aware of an incident in a number of ways, including but
not limited to the following:
False Alarms
Some people are concerned with the prospect of declaring an incident when no inci-
dent is taking place—in other words, a false alarm. Organizations need to under-
stand that a false alarm from time to time may be acceptable, especially considering
that the opposite problem of not recognizing and declaring an incident may be far
more harmful to the organization. It’s better to roll the fire trucks and later discover
that the alarm was caused by a faulty smoke detector than to use valuable time
PART IV
confirming the presence of a fire, which could result in more property damage and
threat to human life.
Incident Analysis
In the analysis phase of security incident response, response team members evaluate and
rank available information to reveal the nature and criticality of the incident. This phase
may include the use of forensic examination techniques that permit the examiner to
determine how an incident was able to occur.
Forensic Investigations
After a security incident has occurred, the organization may determine that an inves-
tigation is needed to determine the incident’s cause and effects. A forensic investigator
gathers, studies, and retains information that may be needed in a court of law should the
CISM Certified Information Security Manager All-in-One Exam Guide
510
incident result in legal proceedings. Because the information collected in an investiga-
tion may later be used in a legal proceeding, a forensic investigator must understand the
requirements regarding the chain of custody and other evidence protection activities that
ensure that evidence can be used in court.
Chain of Custody The key to an effective and successful forensic investigation is the
establishment of a sound chain of custody. A chain of custody documents, in precise
detail, how and when evidence is protected against tampering through every step of the
investigation. Any irregularities in the information acquisition and analysis process will
likely be looked at unfavorably in legal proceedings, possibly resulting in the organization
failing to convince judicial authorities that the event occurred as described.
Chain of custody is driven primarily by the prospect of future legal proceedings for
reasons that could include the following:
• Data acquisition Data must be acquired for forensic analysis. Subject data
may reside on a computer’s hard drive, SSD, or RAM; in mobile device memory;
in an application’s audit log; or on a network device. Several tools are available
for forensic data acquisition, including media copiers, which acquire a copy of
a computer’s hard drive, live memory, USB memory stick, or removable media
such as an external hard drive, SSD, or CD/DVD-ROM.
Chapter 8: Incident Management Operations
511
• Data extraction If data is being acquired from a running system or a third
party, a forensics analyst must use a secure method to acquire the data and
demonstrate the integrity of the process used to do so. This shows the data’s
source and proves that data was not altered during the extraction process.
• Data protection Once data is extracted, the forensic investigator must take
particular steps to ensure its integrity. Computers used for forensic analysis must be
physically locked to prevent unauthorized access, and they must not be connected
to any network that would allow for the introduction of malware or other agents
that could alter acquired data and influence the investigation’s outcome.
• Analysis and transformation Often, tools are required to analyze acquired data
and search for specific clues. Also, data must frequently be transformed from its
native state into a state that is human- or tool-readable; in many cases, computers
store information in a binary format that is not easily read and interpreted by
humans. For example, the NTUSER.DAT file used in Windows is a binary
representation of the HKEY_LOCAL_USER branch of the system’s registry.
This file cannot be directly read but requires tools to transform it into a human-
readable form.
PART IV
NOTE Decisions on the use o orensic proceedings must be made early
during an incident. Employing orensic procedures can consume signiicant
resources that may slow down incident response. Senior executives,
including internal or external legal counsel, should make the call on the
use o orensic proceedings and should do so as early as possible ater an
incident is initiated.
Most organizations do not have the luxury of owning computer forensics tools and
having expert(s) on staff. Instead, when an incident requiring forensics occurs, a outside
forensic investigator is brought in to conduct the forensics portion of the investigation.
The forensic investigator will bring her own systems for acquiring live memory and hard
drive/SSD images and tools for examining the data she obtains.
Organizations that want to have one or more forensic investigators available can
purchase a retainer, an agreement that provides access to a pool of investigators and
includes an SLA on their remote or onsite availability. Without a retainer, the costs to
hire an investigator may be higher, and the organization may have to wait longer for an
investigator to become available.
Some law firms also have in-house or retained forensics experts to assist in investiga-
tions. The outside law firm can operate under attorney–client privilege, which would
also protect the information obtained by the forensic investigator and her final report.
Forensics Certifications
Organizations considering hiring, training, or retaining forensics experts should
look for one or more of the following nonvendor forensics certifications:
Privacy Breaches
A breach of privacy is a unique type of security incident. In a privacy breach, an
attacker may steal or compromise sensitive or private data about employees, customers,
or other persons. The steps taken during incident response will be largely the same as
those for breaches of other types of information. There are, however, two differences
to keep in mind:
• Incident handlers must handle privacy data according to the organization’s security
and privacy policies.
• The organization may be required to notify affected people during or soon after
the incident.
Organizations that store or process information within the scope of privacy laws
should include a security incident categorization that covers privacy incidents. Security
incident plans or playbooks should include specific information that directs incident
responders to perform all necessary steps, including notifications and disclosures.
Chapter 8: Incident Management Operations
513
Incidents Involving a Service Provider
With many organizations outsourcing one or more principal business applications to
external service providers, organizations need to develop plans that include the procedure
to follow when an incident or breach occurs in a service provider’s environment.
An organization that provides software as a service (SaaS) will likely detect an inci-
dent such as a malware attack or an intrusion when it occurs. The legal agreement
between the organization and the SaaS provider should stipulate the circumstances in
which the SaaS provider will notify affected customers. For the most part, the SaaS
provider will perform most or all phases of security incident response, but that does not
mean that the customer organization has nothing to do. A breach in a SaaS organization
is still a breach, and the customer organization must have an incident response plan that
considers such circumstances.
Organizations will have to rely mainly on the SaaS provider’s incident response to
proceed and close the incident. However, the customer organization will need to be
informed along the way, as it will need to pursue damage control, including notification
of affected parties. Organizations are fully accountable when a breach occurs in a service
provider’s organization. The organization selected the service provider and is accountable
for all outcomes, including breaches. Chapter 6 explores the topic of third-party risk
management in detail.
PART IV
Incident Containment Methods
Incident containment includes the steps taken to prevent the incident from spreading
further. Containment requires knowledge of the particulars of the incident and is most
successful after the incident is examined and its techniques identified in the assessment
phase. Containment is distinct from eradication, which is the removal of threats or threat
actors from the environment. When containment has been completed, the threat still
exists, but it cannot further proceed because containment measures have been taken.
Many cyberattacks can be contained by curtailing their network communications.
If the attacker’s communication connections have been severed to prevent reestablish-
ing or resuming communications, often the attack can be considered to be contained.
Based upon the nature of the intrusion, containment may involve network changes
in a firewall, IPS, or edge router to black-hole communications from the attacker’s
network. Indeed, one of the main functions of an IPS is to block communications
with known domains and IP address ranges known to be malicious. But for an attack
originating from a malicious network not yet identified by an IPS, the organization can
quickly implement a rule to block the IP address, range, or entire country’s range of
IP networks, as appropriate.
Many forms of malware, including ransomware, utilize C&C communications from
the computer they have attacked, to servers controlled by the malware operator. Well-
managed IPS systems block C&C traffic from known adversaries and can recognize
new, unclassified commands and proactively block traffic. However, security incident
responders also realize that some forms of malware are not completely incapacitated
when their C&C traffic is disrupted; they still may be able to operate independently,
CISM Certified Information Security Manager All-in-One Exam Guide
514
and may even continue to explore an organization’s network and even infect additional
systems. This is another reason why isolating affected systems is so important. Similarly,
if the malware’s C&C is DNS-based, incident responders may be able to block C&C
traffic effectively by preventing DNS lookups to the domains identified as malicious.
When an attack has been identified, and once the organization has collected available
information about the attack, the attack can be effectively contained by severing most
or all network communications from the target system. This may, however, also impair
incident responders from carrying out subsequent eradication and restoration steps if
they cannot communicate with the system.
Other techniques are available in the containment phase. For instance, if the attacker
can compromise systems through privilege escalation, locking the affected user or system
account may prevent the attacker from successfully compromising additional systems.
Also, if ransomware actively encrypts files on a network share, blocks authentication on
the network share, or removes the network share altogether, removing affected systems
from the network effectively contains the attack.
In such cases, if disaster recovery cannot rapidly recover the system, this will also
precipitate the activation of a business continuity plan (BCP), which may include
one or more contingency plans for continuing to operate critical business processes
without one or more supporting systems in place. For instance, if the attacker com-
promised a retail store’s point-of-sale back office server, and if point-of-sale systems
cannot function without that server, the retail store may have to resort to manual
methods of completing customer purchase transactions.
PART IV
team believes that corporate e-mail and/or instant messaging is compromised, an entirely
different system should be used for communication until the incident has been closed.
Attorney–Client Privilege
Some organizations utilize their legal counsel as a central point of communications
during a security incident. When done properly, this may permit an organization to
shield communications and other proceedings from discovery in the event of a law-
suit. This practice is known as attorney–client privilege. Consult with legal counsel
to understand the applicability and procedures for this approach.
Regulatory Requirements
Internal secrecy must be balanced with regulatory requirements for reporting security
incidents to regulators and affected parties. Organizations must have a detailed under-
standing of regulatory requirements and proceed accordingly. However, security leaders
and incident responders must determine how to describe incidents without providing
details that could enable other attackers to understand specific weaknesses that could be
exploited in further attacks.
PART IV
nomenclature from “security incident” to “security event” helps protect an organiza-
tion from prematurely disclosing the matter.
• Incident number
• Incident date
• Incident name
• Short description
• Incident context and severity
• URL or other pointer to the repository containing incident details
Access to the incident log should be restricted to few personnel on a need-to-know
basis.
Metrics
An organization’s security incident response program can be managed and improved
only to the extent that key metrics are established to measure the program’s performance.
Metrics that can be developed and reported include the following:
Reporting
Like any management report, the information security manager must identify target
audiences and tailor reporting for those audiences based on the types of information of
interest to them. Reports may include metrics, key risk indicators (KRIs), and key perfor-
mance indicators (KPIs) that help management better understand whether the incident
response program is effective at detecting and responding to incidents.
PART IV
For instance, security incident reporting for a board of directors may contain a list of
significant incidents (if any), as well as metrics showing the trends of incidents over time.
This reporting should inform the audience of basic facts, including:
Incident Recovery
The recovery phase of security incident response focuses on restoring affected systems and
assets to their pre-incident state. Recovery is performed after eradication is completed;
this means that any malware or other tools used by the intruder have been removed.
Chapter 8: Incident Management Operations
521
The state of a system entering the recovery phase is described as free of all tools, files, and
agents used by the intruder. There are two basic approaches to recovery:
PART IV
Incident Remediation
I stated that recovery is the action of returning a system or asset to its pre-incident state,
but you must understand a slight, but critical, nuance: we don’t want to restore the sys-
tem to its exact pre-incident state, but to a state where the system functions as before the
incident, but with one or more immediate safeguards to prevent recurrence of the same
or similar attack. This is where recovery leads to remediation. Incident responders under-
stand that the intruder may not be satisfied that he was eradicated from target systems.
If any of the same vulnerabilities still exist, the intruder may attempt to re-establish a
foothold to resume the intrusion in support of its original objective.
A critical step in incident response is remediation of any vulnerabilities exploited dur-
ing the incident. This includes but is not limited to technical vulnerabilities that may
have permitted malware exploits to work; it also includes any supporting technologies,
business processes, or personnel training that may have helped to prevent the incident
from occurring if they had been in place before the incident. For instance, if an end user’s
system was successfully attacked with ransomware because that system’s endpoint detec-
tion and response (EDR) solution was not installed or functioning correctly, remediation
of the system will include steps to ensure that the EDR is working correctly.
A key part of the investigation into the security incident must include an identifica-
tion and detailed analysis of the factors or vulnerabilities that led to the incident’s occur-
rence. The key question that incident responders and investigators should ask is what
weakness(s) permitted the attack or intrusion to succeed, and what should be done to
the system to prevent the same or similar attack from succeeding in the future? In this
context, remediation is more about fixing whatever was broken that permitted the attack
or intrusion, rather than re-engineering overall defenses. The latter is generally addressed
in a post-incident review that includes recommendations for long-term improvements.
CISM Certified Information Security Manager All-in-One Exam Guide
522
A broader issue of learning from the incident is addressed later, in the section
“Post-incident Review.”
Closure
After an incident has been identified, its causes eradicated, and any affected systems
remediated and recovered, the incident can be closed. Mainly this is a “back to business
as usual” declaration. Some activities are necessary for full closure:
Post-incident Review
When all incident response proceedings have concluded, the organization should
consider reviewing the incident that has taken place. A post-incident review should
include a frank, open discussion that identifies what went well during the incident
response and what could have been handled or performed better. A typical post-incident
review should cover the following:
PART IV
instead on the response itself and potential improvements to detective, preventive, and
response controls and procedures.
Chapter Review
Security incident management, disaster recovery planning, and business continuity
planning all support a central objective: resilience and rapid recovery when disruptive
events occur.
As a result of a security incident event, the confidentiality, integrity, or availability
of information or information systems has been or is in danger of being compromised.
Although important, the condition of information systems is a secondary concern.
Human safety is always the top priority when any disaster event has occurred.
The phases of incident response are planning, detection, initiation, analysis, contain-
ment, eradication, recovery, remediation, closure, and post-incident review. Planning
consists of the development of incident response policies, roles and responsibilities, pro-
cedures, as well as testing and training.
Security incident response requires incident detection capabilities that enable an orga-
nization to be aware of an incident as it occurs. Without incident detection capabilities,
an organization may not know about an intrusion for many weeks or months, if ever.
A primary capability in incident response is event visibility, which is usually provided
through a security information and event management (SIEM) system.
Many organizations outsource security event monitoring to a third-party managed
security services provider. Organizations also often outsource incident response to security
professional services firms by purchasing an incident response retainer, a prepaid arrange-
ment. Remember that outsourcing the activity does not mean that the organization trans-
fers the risk or responsibility of the incident response program or its impact on the business.
CISM Certified Information Security Manager All-in-One Exam Guide
524
With the proliferation of outsourcing to cloud-based service providers, many
security incidents now occur on systems managed by a third-party provider. This
requires additional planning and coordination on the part of the organization, so that
incident response involving a third party is effective. The organization may need to
incorporate the third party’s incident response plan into its existing plan.
Business continuity planning and disaster recovery planning work together to ensure
the survival of an organization during and after a natural or human-made disaster.
Notes
• Developing custom playbooks that address specific types of security incidents
will ensure a more rapid and effective response to a security incident. High-
velocity incidents such as data wipers and ransomware require a rapid, almost
automatic response.
• Organizations must be careful to understand all of the terms and exclusions in
any cyber-incident insurance policy to ensure that no exclusions would result in
denial of benefits after an incident.
• With so many organizations using cloud-based services, organizations must
understand, in detail, their roles and responsibilities and that of each cloud service
provider. This is necessary for the organization to build effective incident response
should an incident occur at a cloud-based service provider.
• Threat hunting and cyber-threat intelligence can help an organization more
effectively anticipate and detect an incident as it unfolds. This helps reduce
potentially damaging effects through prevention.
• Many organizations outsource the forensic examination and analysis portion of
security incident response, because personnel with these skills are difficult to find
and the tools required are expensive.
• When responding to a security incident, organizations should consider establishing
attorney–client privilege and chain of custody early on, in case disciplinary or legal
proceedings may follow.
Questions
1. The types of incident response plan testing are:
A. Document review, walk-through, and simulation
B. Document review and simulation
C. Document review, walk-through, simulation, parallel test, and cutover test
D. Document review, walk-through, and cutover test
Chapter 8: Incident Management Operations
525
2. The length of time between incident occurrence and incident detection is known as:
A. Dwell time
B. Lag time
C. Lead time
D. Propagation
3. The purpose of attorney–client privilege during an investigation is:
A. To improve the results of the investigation
B. To obtain better forensic examination services
C. To protect investigation proceedings from a discovery order
D. To improve the integrity of investigation proceedings
4. The purpose of chain of custody procedures is:
A. To prove the ownership of investigation data
B. To determine the cause of an incident
C. To prove the integrity of investigation data
D. To determine who is responsible for an incident
PART IV
5. An organization has developed its first-ever business continuity plan. Which of
the following is the best first choice to test of the continuity plan that the business
should perform?
A. Walk-through
B. Simulation
C. Parallel test
D. Cutover test
6. An organization is experiencing a ransomware attack that is damaging critical data.
What is the best course of action?
A. Security incident response
B. Security incident response followed by business continuity plan
C. Concurrent security incident response and business continuity plan
D. Business continuity plan
7. An organization has just experienced a major earthquake at its operations center.
Which of the following should be the organization’s top priority?
A. Ensure that an automatic failure to the recovery site will occur as personnel
may be slow to respond.
B. Ensure that visitors and personnel know how to evacuate the premises and are
aware of the location of sheltering areas.
C. Ensure that data replication to a recovery site has been working properly.
D. Ensure that backup media will be available at the recovery site.
CISM Certified Information Security Manager All-in-One Exam Guide
526
8. The purpose of a SIEM is:
A. To centrally log event data
B. To correlate events and generate alerts
C. To track remediation of known vulnerabilities
D. To scan systems and devices for new vulnerabilities
9. An organization lacks personnel and tools to conduct forensic analysis. What is
the best way for the organization to acquire this capability?
A. Purchase advanced antimalware tools.
B. Purchase a SIEM.
C. Purchase an incident response retainer.
D. Hire a full-time computer forensics specialist.
10. An organization wants to protect itself from the effects of a ransomware attack.
What is the best data protection approach?
A. Periodically scan data for malware.
B. Replicate data to a cloud-based storage provider.
C. Replicate data to a secondary storage system.
D. Back up data to offline media.
11. Security personnel are conducting forensic analysis concerning the malicious
wrongdoing of a former employee. How should the proceedings of the forensic
analysis be protected?
A. Backup to write-once media
B. Double locked
C. Chain of custody
D. Role-based access control
12. An incident responder has declared a security incident, prompting the mobilization
by other incident responders and notification to senior management. Later, the
responders determined that no security incident was taking place. What is the best
course of action?
A. Train the incident responder who declared the incident.
B. Discipline the incident responder who declared the incident.
C. Stand down and cease incident response activities.
D. Continue with incident response until its conclusion.
Chapter 8: Incident Management Operations
527
13. An organization has detected a ransomware attack that has destroyed information
on several end-user workstations and is now destroying information on a central
file server. Incident responders have taken the file server offline. What action
should the organization take next?
A. Inform the organization that the file server is unavailable.
B. Stop incident response procedures and activate business continuity and disaster
recovery plans.
C. Wait until the security incident is over, and then activate business continuity
and disaster recovery plans.
D. Activate business continuity and disaster recovery plans to be performed
concurrently.
14. An organization currently stores its backup media in a cabinet next to the computers
being backed up. A consultant advised that the organization should store backup
media at an offsite storage facility. What risk did the consultant most likely have
in mind when making this recommendation?
A. A disaster that damages computer systems can also damage backup media.
B. Backup media rotation may result in loss of data backed up several weeks in
PART IV
the past.
C. Corruption of online data will require rapid data recovery from off-site storage.
D. Physical controls at the data processing site are insufficient.
15. An organization with a cyber-insurance policy detected an active ransomware attack.
What should be the organization’s top priority?
A. Contain and close the incident, and then notify the cyber-insurance company.
B. Immediately notify the cyber-insurance company of the attack.
C. Notify the cyber-insurance company if the organization pays the ransom.
D. Activate a chain of custody to product the organization from the cyber-
insurance company.
Answers
1. A. The types of security incident response plan testing are document review,
walk-through, and simulation. Parallel and cutover tests are not part of security
incident response planning or testing and are used for disaster recovery planning.
2. A. Dwell time refers to the period between the occurrence of a security incident
and the organization’s awareness of the incident.
3. C. The purpose of attorney–client privilege is the protection of correspondence
and exhibits, including those in an investigation. If an organization that has
experienced a security incident believes it may be defending itself in a lawsuit, the
organization can choose to protect its investigation (including actions performed
by a third-party firm) and its proceedings so that the organization will not be
required to turn over that information during the lawsuit.
CISM Certified Information Security Manager All-in-One Exam Guide
528
4. C. The purpose of chain of custody procedures is to demonstrate the integrity of
the investigation—namely, that no information has been altered, including the
contents of any computer memory and hard drives.
5. A. The best choice of tests for a first-time business continuity plan is a document
review or a walk-through. Because this is a first-time plan, none of the other tests
is the best first choice.
6. C. If a ransomware incident has damaged an organization’s critical data, it should
invoke its business continuity plan alongside its security incident response plan.
This may help the organization restore services to its customers more quickly.
7. B. Human safety is always the top priority when any disaster event has occurred.
Although important, the condition of information systems is a secondary concern.
8. B. A SIEM is a central event log processing system that correlates events among
various devices. It produces alerts that may represent intrusions and other types
of security incidents.
9. C. An organization lacking personnel and tools to conduct computer forensics
should purchase an incident response retainer. With a retainer, forensics experts
are available on-call to respond to an incident. Although an organization can
consider hiring one or more people with these skills, a job search can take several
months, and people with these skills command high salaries.
10. D. The best approach for protecting data from a high-velocity attack such
as ransomware is to back up the data to offline media that end users cannot
access. Replicating data to another storage system may only serve to replicate
damaged data to the secondary storage system, making recovery more difficult
or expensive.
11. C. The results from a forensic investigation, particularly in cases in which legal
proceedings are possible, should be protected through a chain of custody. In this
example, the organization may believe that the former employee is considering
filing a lawsuit.
12. C. If a security incident is declared and personnel realize that no incident is actually
taking place, incident response activities may cease. An after-action review may be
warranted to identify any improvements in declaration procedures to reduce the
likelihood of false positives in the future.
13. D. The organization should immediately activate business continuity and disaster
recovery plans, so that the organization can quickly resume critical business
operations and recover the affected server as soon as possible.
14. A. The primary reason for employing offsite backup media storage is to mitigate
the effects of a disaster that could otherwise destroy computer systems and their
backup media.
15. B. The organization should notify the cyber-insurance company right away. Often,
cyber-insurance companies will assist their policyholders only if they are notified
of an attack immediately.
PART V
This book comes complete with TotalTester Online customizable practice exam software
with 300 practice exam questions.
System Requirements
The current and previous major versions of the following desktop browsers are recom-
mended and supported: Chrome, Microsoft Edge, Firefox, and Safari. These browsers
update frequently, and sometimes an update may cause compatibility issues with the
TotalTester Online or other content hosted on the Training Hub. If you run into a prob-
lem using one of these browsers, please check your browser’s security settings or try using
another browser until the problem is resolved.
Privacy Notice
McGraw Hill values your privacy. Please be sure to read the Privacy Notice available dur-
ing registration to see how the information you have provided will be used. You may view
our Corporate Customer Privacy Policy by visiting the McGraw Hill Privacy Center.
Visit the mheducation.com site and click Privacy at the bottom of the page.
531
CISM Certified Information Security Manager All-in-One Exam Guide
532
Access To register and activate your Total Seminars Training Hub account, simply
follow these easy steps.
1. Go to this URL: hub.totalsem.com/mheclaim
2. To register and create a new Training Hub account, enter your e-mail address,
name, and password on the Register tab. No further personal information
(such as credit card number) is required to create an account.
If you already have a Total Seminars Training Hub account, enter your e-mail
address and password on the Log in tab.
3. Enter your Product Key: p79s-kr6d-4dxt
4. Click to accept the user license terms.
5. For new users, click the Register and Claim button to create your account.
For existing users, click the Log in and Claim button.
You will be taken to the Training Hub and have access to the content for this book.
Duration of License Access to your online content through the Total Seminars Train-
ing Hub will expire one year from the date the publisher declares the book out of print.
Your purchase of this McGraw Hill product, including its access code, through a retail
store is subject to the refund policy of that store.
The Content is a copyrighted work of McGraw Hill, and McGraw Hill reserves all
rights in and to the Content. The Work is © 2023 by McGraw Hill.
Restrictions on Transfer The user is receiving only a limited right to use the Content
for the user’s own internal and personal use, dependent on purchase and continued
ownership of this book. The user may not reproduce, forward, modify, create deriva-
tive works based upon, transmit, distribute, disseminate, sell, publish, or sublicense the
Content or in any way commingle the Content with other third-party content without
McGraw Hill’s consent.
Limited Warranty The McGraw Hill Content is provided on an “as is” basis. Neither
McGraw Hill nor its licensors make any guarantees or warranties of any kind, either
express or implied, including, but not limited to, implied warranties of merchantability or
fitness for a particular purpose or use as to any McGraw Hill Content or the information
therein or any warranties as to the accuracy, completeness, correctness, or results to be
obtained from, accessing or using the McGraw Hill Content, or any material referenced in
such Content or any information entered into licensee’s product by users or other persons
and/or any material available on or that can be accessed through the licensee’s product
(including via any hyperlink or otherwise) or as to non-infringement of third-party rights.
Any warranties of any kind, whether express or implied, are disclaimed. Any material or
data obtained through use of the McGraw Hill Content is at your own discretion and
risk and user understands that it will be solely responsible for any resulting damage to its
computer system or loss of data.
Appendix: About the Online Content
533
Neither McGraw Hill nor its licensors shall be liable to any subscriber or to any user or
anyone else for any inaccuracy, delay, interruption in service, error or omission, regardless
of cause, or for any damage resulting therefrom.
In no event will McGraw Hill or its licensors be liable for any indirect, special or
consequential damages, including but not limited to, lost time, lost money, lost profits or
good will, whether in contract, tort, strict liability or otherwise, and whether or not such
damages are foreseen or unforeseen with respect to any use of the McGraw Hill Content.
TotalTester Online
TotalTester Online provides you with a simulation of the CISM exam. Exams can be
taken in Practice Mode or Exam Mode. Practice Mode provides an assistance window
with hints, references to the book, explanations of the correct and incorrect answers, and
the option to check your answer as you take the test. Exam Mode provides a simula-
tion of the actual exam. The number of questions, the types of questions, and the time
allowed are intended to be an accurate representation of the exam environment. The
option to customize your quiz allows you to create custom exams from selected domains
or chapters, and you can further customize the number of questions and time allowed.
To take a test, follow the instructions provided in the previous section to register and
activate your Total Seminars Training Hub account. When you register, you will be taken
to the Total Seminars Training Hub. From the Training Hub Home page, select your
certification from the Study drop-down menu at the top of the page to drill down to the
TotalTester for your book. You can also scroll to it from the list of Your Topics on the
Home page, and then click on the TotalTester link to launch the TotalTester. Once you’ve
launched your TotalTester, you can select the option to customize your quiz and begin
testing yourself in Practice Mode or Exam Mode. All exams provide an overall grade and
PART V
a grade broken down by domain.
Technical Support
For questions regarding the TotalTester or operation of the Training Hub, visit
www.totalsem.com or e-mail [email protected].
For questions regarding book content, visit www.mheducation.com/customerservice.
This page intentionally left blank
GLOSSARY
535
CISM Certified Information Security Manager All-in-One Exam Guide
536
administrative controls Controls in the form of policies, processes, procedures, and
standards.
advanced persistent threat (APT) A class of threat actor that uses an array of
reconnaissance and attack techniques to establish a long-term presence within a target
organization.
after-action review (AAR) See post-incident review.
algorithm In cryptography, a specific mathematical formula used to perform
encryption, decryption, message digests, and digital signatures.
allowable interruption window (AIW) See maximum tolerable downtime (MTD).
annualized loss expectancy (ALE) The expected loss of asset value resulting from
threat realization. ALE is defined as single loss expectancy (SLE) × annualized rate of
occurrence (ARO).
annualized rate of occurrence (ARO) An estimate of the number of times that a
threat will occur every year.
antiforensics Any of several techniques whose objective is to make it more difficult for
a forensic examiner to identify and understand a computer intrusion.
antimalware Software that uses various means to detect and block or prevent malware
from carrying out its purpose. See also antivirus software.
antivirus software Software that is designed to detect and remove computer viruses.
appliance A type of computer with preinstalled software that requires little or no
maintenance.
application firewall A device used to control packets being sent to an application
server, primarily to block unwanted or malicious content.
application whitelisting A mechanism that permits only registered or recognized
executables to execute on a system. See also whitelist.
APT See advanced persistent threat (APT).
architecture standard A standard that defines current and potentially future
technology framework at one or more levels within the enterprise, including database,
system, and network.
assessment An examination of a business process or information system to determine
its state and effectiveness.
asset inventory The process of confirming the existence, location, and condition of
assets; also, the results of such a process.
asset management The processes used to manage the inventory, classification, use,
and disposal of assets.
Glossary
537
asset value (AV) The value of an IT asset, which is usually (but not necessarily) the
asset’s replacement value.
assets The collection of property of value that is owned by an organization.
asymmetric encryption A method for encryption, decryption, and digital signatures
that uses pairs of encryption keys consisting of a public key and a private key.
asynchronous replication A type of replication by which writing data to the remote
storage system is not kept in sync with updates on the local storage system. There may be
a time lag, and there is no guarantee that data on the remote system is identical to that
on the local storage system. See also replication.
attack surface A metaphor often used to depict a greater or lesser extent of attackable
systems, services, and personnel in an organization; or the attackable programs, services,
and features in a running operating system.
attack vector The path or method used by an attacker to break into an IT system.
attestation of compliance A written statement that serves as an assertion of compliance
to a requirement, standard, or law, often signed by a high-ranking official or executive.
attorney–client privilege As defined by Black’s Law Dictionary, “a client’s right
privilege to refuse to disclose and to prevent any other person from disclosing confidential
communications between the client and the attorney.” In the context of information
security, certain business proceedings can be protected with attorney–client privilege as a
means of preventing those proceedings from being made available during legal discovery.
audit A formal review of one or more processes, controls, or systems to determine their
PART V
state against a standard.
audit logging A feature in an application, operating system, or database management
system in which events are recorded in a separate log.
audit methodology A set of audit procedures used to accomplish a set of audit
objectives.
audit objective The purpose or goals of an audit. Generally, the objective of an audit
is to determine whether controls exist and are effective in some specific aspect of business
operations in an organization.
audit plan A formal document that guides the control and execution of an audit. An
audit plan should align with audit objectives and specify audit procedures to be used.
audit procedures The step-by-step instructions and checklists required to perform
specific audit activities. Procedures may include a list of people to interview and questions
to ask, evidence to request, audit tools to use, sampling rates, where and how evidence
will be archived, and how evidence will be evaluated.
CISM Certified Information Security Manager All-in-One Exam Guide
538
audit program The formalized and approved plan for conducting audits over a
long period.
audit report The final, written product of an audit that includes a description of the
purpose, scope, and type of audit performed; people interviewed; evidence collected;
rates and methods of sampling; and findings on the existence and effectiveness of
each control.
audit scope The business units, departments, processes, procedures, systems, and
applications that are the subject of an audit.
authentication The process of asserting one’s identity and providing proof of that
identity. Typically, authentication requires a user ID (the assertion) and a password
(the proof ). However, authentication may also require stronger means of proof, such
as a digital certificate, token, smart card, or biometric. See also multifactor authentica-
tion (MFA).
automatic control A control that is enacted through some automatic mechanism that
requires little or no human intervention.
availability management The IT function that consists of activities concerned with
the availability of IT applications and services. See also IT service management (ITSM).
background check The process of verifying an employment candidate’s employment
history, education records, professional licenses and certifications, criminal background,
and financial background.
background verification See background check.
back-out plan A procedure used to reverse the effect of a change or procedure that was
not successful.
backup The process of copying important data to another media device to protect the
data in the event of a hardware failure, error, or software bug that causes damage to data.
backup media rotation Any scheme used to determine how backup media is to
be reused.
basic input/output system (BIOS) The firmware on a computer that tests the
computer’s hardware and initiates the bootup sequence; superseded by unified extensible
firmware interface (UEFI). See also unified extensible firmware interface (UEFI).
bare-metal restore The process of recovering a system by reformatting main storage,
reinstalling the operating system, and restoring files.
biometrics Any use of a machine-readable characteristic of a user’s physical body
that uniquely identifies the user. Biometrics can be used for multifactor authentication.
Types of biometrics include voice recognition, fingerprint, hand scan, palm vein scan,
iris scan, retina scan, facial scan, and handwriting. See also authentication, multifactor
authentication (MFA).
Glossary
539
block cipher An encryption algorithm that operates on blocks of data.
board of directors A body of elected or appointed people who oversee the activities
of an organization.
bot A type of malware in which agents are implanted by other forms of malware and
are programmed to obey remotely issued instructions. See also botnet.
botnet A collection of bots that are under the control of an individual. See also bot.
bring your own app (BYOA) A practice whereby workers use personally owned
applications for company business.
bring your own bottle (BYOB) A stipulation in a dinner invitation that implies
alcoholic beverages will not be served and that guests are free to bring their own.
bring your own device (BYOD) A practice whereby workers use personally owned
devices (typically laptop computers and mobile devices) to conduct company business.
bring your own software (BYOS) See bring your own app (BYOA).
browser isolation Any of several techniques of isolating a browser application
from the operating system it runs on, as a method of protecting the operating system
from attacks.
budget A plan for allocating resources over a certain time period.
bug See software defect.
business alignment The effective use of information technology (IT), cybersecurity,
PART V
and privacy to achieve business objectives.
business case An explanation of the expected benefits to the business that will be
realized as a result of a program or project.
business change management A formal process by which changes to business
processes are planned, tested, and controlled.
business continuity planning (BCP) The process of developing a formalized set of
activities required to ensure the continuation of critical business processes.
business e-mail compromise A type of fraud where a perpetrator, impersonating
an organization’s CEO or other executive, sends phishing e-mails to other company
executives and directs them to perform some high-value transaction, such as wiring
large amounts of money to a bank account, typically in support of a secret merger or
acquisition. See also phishing, spear phishing, whaling.
business impact analysis (BIA) A study used to identify the criticality of business
processes, dependencies upon resources, and the impact that different disaster scenarios
will have on ongoing business operations.
CISM Certified Information Security Manager All-in-One Exam Guide
540
call tree A method for ensuring the timely notification of key personnel, such as after
a disaster.
capability maturity model A model used to measure the relative maturity of an
organization or of its processes.
Capability Maturity Model Integration for Development (CMMI-DEV) A maturity
model used to measure the maturity of a software development process.
capacity management The IT function that consists of activities that confirm that
sufficient capacity is available in IT systems and IT processes to meet service needs.
Primarily, an IT system or process has sufficient capacity if its performance falls within
an acceptable range, as specified in service level agreements (SLAs). See also IT service
management (ITSM), service level agreement (SLA).
cardholder data (CHD) As defined by the PCI Security Standards Council: “At a
minimum, cardholder data consists of the full PAN (Primary Account Number, aka
credit card number). Cardholder data may also appear in the form of the full PAN plus
any of the following: cardholder name, expiration date and/or service code.” See also
Payment Card Industry Data Security Standard (PCI DSS).
career path The progression of responsibilities and job titles that a worker will attain
over time.
catfishing See social engineering.
centralized log management The practice of aggregating event logs from various
systems into a single logical storage location to facilitate automated analysis. See also log
server, system information and event management system (SIEM).
CEO fraud See business e-mail compromise.
certificate authority (CA) A trusted party that stores digital certificates and public
encryption keys.
certificate revocation list (CRL) An electronic list of digital certificates that have been
revoked prior to their expiration date.
certification practice statement (CPS) A published statement that describes the
practices used by the CA to issue and manage digital certificates.
chain of custody Documentation that shows the acquisition, storage, control, and
analysis of evidence. The chain of custody may be needed if the evidence is to be used in
a legal proceeding.
change advisory board (CAB) See change control board (CCB).
change control See change management.
change control board (CCB) The group of stakeholders from IT and business
who propose, discuss, and approve changes to IT systems. Also known as a change
advisory board.
Glossary
541
change management The IT function used to control changes made to an
IT environment. See also IT service management (ITSM).
change request A formal request for a change to be made in an environment. See also
change management.
change review A formal review of a requested change. See also change management,
change request.
charter See program charter.
chief information risk officer (CIRO) The typical job title for the topmost information
security executive in an organization. Generally, this represents a change of approach
to the CISO position, from protection-based to risk-based. See also chief information
security officer (CISO).
chief information security officer (CISO) The typical job title for the topmost
information security executive in an organization.
chief risk officer (CRO) The typical job title for the topmost risk executive in an
organization.
chief security officer (CSO) The typical job title for the topmost security executive in
an organization.
ciphertext A message, file, or stream of data that has been transformed by an
encryption algorithm and rendered unreadable.
CIS Controls A control framework maintained by the Center for Internet Security
(CIS).
PART V
clone phishing The practice of obtaining legitimate e-mail messages, exchang-
ing attachments or URLs for those that are malicious, and sending the altered e-mail
messages to target users in hopes that messages will trick users on account of their genu-
ine appearance.
cloud Internet-based computing resources.
cloud access security broker (CASB) A system that monitors and, optionally, controls
users’ access to, or use of, cloud-based resources.
cloud computing A technique of providing a dynamically scalable and usually
virtualized computing resource as a service.
cluster A tightly coupled collection of computers used to solve a common task. In a
cluster, one or more servers actively perform tasks, while zero or more computers may be
in a “standby” state, ready to assume active duty should the need arise.
COBIT A governance framework for managing information systems and security.
COBIT is published by ISACA. See also ISACA.
code of conduct See code of ethics.
CISM Certified Information Security Manager All-in-One Exam Guide
542
code of ethics A statement that defines acceptable and unacceptable professional
conduct.
cold site An alternate processing center where the degree of readiness for recovery
systems is low. At the least, a cold site is nothing more than an empty rack or allocated
space on a computer room floor.
command-and-control (C&C) Network traffic associated with a system compromised
with malware. Command-and-control traffic represents communication between the
malware and a central controlling entity.
Committee of Sponsoring Organizations of the Treadway Commission
(COSO) A private sector organization that provides thought leadership, control
frameworks, and guidance on enterprise risk management.
common vulnerability scoring system (CVSS) An open framework for communicat-
ing the quantitative characteristics and impacts of IT vulnerabilities.
compensating control A control that is implemented because another control cannot
be implemented or is ineffective.
compliance Activities related to the examination of systems and processes to ensure
that they conform to applicable policies, standards, controls, requirements, and
regulations; also, the state of conformance to applicable policies, standards, controls,
requirements, and regulations.
compliance audit An audit to determine the level and degree of compliance to a law,
regulation, standard, contract provision, or internal control. See also audit.
compliance risk Risk associated with any general or specific consequences of not
being compliant with a law, regulation, standard, contract provision, or internal control.
configuration drift The phenomenon whereby the configuration of a system will
slowly diverge from its intended state.
configuration item A configuration setting in an IT asset. See also configuration
management.
configuration management The IT function wherein the configuration of
components in an IT environment is independently recorded. Configuration
management is usually supported by automated tools used to inventory and control
system configurations. See also IT service management (ITSM).
configuration management database (CMDB) A repository for every component in
an environment that contains information on every configuration change made on those
components.
configuration standard A standard that defines the detailed configurations that are
used in servers, workstations, operating systems, database management systems, applica-
tions, network devices, and other systems.
Glossary
543
contact list A list of key personnel and various methods for contacting them, often
used in a response document. See also response document.
containerization A form of virtualization whereby an operating system permits the
existence of multiple isolated user spaces, called containers. See also virtualization.
containment The act of taking steps to prevent the further spread of an incident.
content delivery network (CDN) Also known as a content distribution network, a
globally distributed network of servers in multiple data centers designed to optimize the
speed and cost of delivery of content from centralized servers to end users.
content distribution network See content delivery network (CDN).
continuity of operations plan (COOP) The activities required to continue critical and
strategic business functions at an alternate site. See also response document.
continuous improvement The cultural desire to increase the efficiency and effective-
ness of processes and controls over time.
continuous log review A process whereby the event log for one or more systems is
being continuously reviewed in real-time to determine whether a security or operational
event warranting attention is taking place. See also security information and event
management (SIEM).
contract A binding legal agreement between two or more parties that may be
enforceable in a court of law.
control A safeguard enacted to ensure compliance with a policy, to ensure desired
outcomes or to avoid unwanted outcomes.
PART V
control architecture The overall design of a set of controls.
control existence An audit activity whereby the auditor seeks to determine whether
an expected control is in place.
control framework A collection of controls, organized into logical categories.
control objective A foundational statement that describes desired states or outcomes
from business operations.
control review A review of the operation and/or design of a control.
control risk The risk that a significant or material error exists that will not be prevented
or detected by a control.
control self-assessment (CSA) A methodology used by an organization to review
key business objectives, risks, and controls. Control self-assessment is a self-regulation
activity that may or may not be required by applicable laws or regulations.
CISM Certified Information Security Manager All-in-One Exam Guide
544
controlled unclassified information (CUI) Sensitive information that U.S. laws,
regulations, or government policies require government agencies and private organizations
to protect.
corrective action An action that is initiated to correct an undesired condition.
corrective control A control that is used after an unwanted event has occurred.
countermeasure Any activity or mechanism that is designed to reduce risk.
covered entity Any organization that stores or processes electronic protected health
information (ePHI). See also Health Insurance Portability and Accountability Act
(HIPAA).
credential harvesting Any of several techniques of covertly obtaining user or
administrative logon credentials for the purpose of attacking a system. See also keylogger.
crisis communications The subset of an overall public relations function used to
inform internal and external parties of the proceedings of business emergencies.
crisis management The process an organization uses to respond to various business
emergencies.
criticality analysis A study of each system and process to determine the impact on the
organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost
of mitigating the risk or impact of incapacitation.
crosswalk A mapping of control frameworks to one another, or a mapping of policies,
standards, or controls to one another.
cryptanalysis An attack on a cryptosystem whereby the attacker is attempting to
determine the encryption key that is used to encrypt messages.
cryptography The practice of using techniques to hide information from
inappropriate viewers.
culture The collective attitudes, practices, communication, communication styles,
ethics, and other behaviors in an organization.
custodian A person or group delegated to operate or maintain an asset.
cutover The step in the software development life cycle where an old, replaced system
is shut down and a new, replacement system is started.
cutover test A test of disaster recovery and/or business continuity response plans, in
which personnel shut down production systems and operate recovery systems to assume
actual business workload. See also disaster recovery plan.
cyber insurance, cyber-risk insurance An insurance policy designed to compensate
an organization for unexpected costs related to a security breach.
Glossary
545
cybersecurity framework (CSF) See NIST CSF.
cybersecurity maturity model certification (CMMC) An assessment framework
for meeting the security requirements in NIST SP 800-171 for contractors in the U.S.
defense industrial base.
cyclical controls testing A life-cycle process in which selected controls are examined
for effectiveness.
damage assessment The process of examining assets after a disaster to determine the
extent of damage.
data acquisition The act of obtaining data for later use in a forensic investigation.
data classification Policy that defines sensitivity levels and handling procedures for
information.
data debt The state of being hampered by data models of older vintages that are
no longer business aligned, often resulting in the fracturing of data into an increasing
number of silos. See also technical debt.
data governance Management’s use of policies, metrics, and monitoring to enforce
proper and appropriate access and use of data.
data loss prevention (DLP) system A hardware or software system that detects and,
optionally, blocks the movement or storage of sensitive data.
data protection officer (DPO) See chief privacy officer.
data restore The process of copying data from backup media to a target system for the
PART V
purpose of restoring lost or damaged data.
data security Those controls that seek to maintain confidentiality, integrity, and
availability of information.
decryption The process of transforming ciphertext into plaintext so that a recipient
can read it.
denial of service (DoS) An attack on a computer or network with the intention of
causing disruption or malfunction of the target.
desktop computer A nonportable computer used by an individual end user and
located at the user’s workspace.
desktop virtualization Software technology that separates the physical computing
environment from the software that runs on an endpoint, effectively transforming an
endpoint into a display terminal. See also virtualization.
destructware See wiper.
detective control A control that is designed to detect events.
CISM Certified Information Security Manager All-in-One Exam Guide
546
deterrent control A control that is designed to deter people from performing
unwanted activities.
Diffie–Hellman A popular key exchange algorithm. See also key exchange.
digital certificate An electronic document that contains an identity that is signed
with the public key of a certificate authority (CA).
digital envelope A method that uses two layers of encryption. A symmetric key is
used to encrypt a message; then, a public or private key is used to encrypt the sym-
metric key.
digital rights management (DRM) Any technology used to control the distribution
and use of electronic content.
digital signature The result of encrypting the hash of a message with the originator’s
private encryption key; used to prove the authenticity and integrity of a message.
directory A centralized service that provides information for a particular function.
disaster An unexpected and unplanned event that results in the disruption of business
operations.
disaster declaration criteria The conditions that must be present to declare a disaster,
triggering response and recovery operations.
disaster declaration procedure Instructions to determine whether to declare a
disaster and trigger response and recovery operations. See also disaster declaration criteria.
disaster recovery and business continuity requirements Formal statements that
describe required recoverability and continuity characteristics that a system or process
must support.
disaster recovery plan The activities required to restore critical IT systems and other
critical assets, whether in alternate or primary locations, following a disaster event.
See also response document.
disaster recovery planning (DRP) Activities related to the assessment, salvage, repair,
and restoration of facilities and assets after a disaster.
discovery sampling A sampling technique whereby at least one exception is sought in
a population. See also sampling.
disk array A chassis in which several hard disks can be installed and connected to
a server.
distributed denial of service (DDoS) A denial-of-service (DoS) attack that originates
from many computers. See also denial of service (DoS).
DNS filter A network system or device used to protect systems from malicious content
through manipulation of the results of DNS queries. See also web content filter.
Glossary
547
document review A review of some or all disaster recovery and business continuity
plans, procedures, and other documentation. Individuals typically review these documents
on their own, at their own pace, but within established time constraints or deadlines.
documentation The inclusive term that describes charters, processes, procedures,
standards, requirements, and other written documents.
Domain Name System (DNS) A TCP/IP application layer protocol used to translate
domain names (such as www.isecbooks.com) into IP addresses.
drift See configuration drift.
dwell time The period of time that elapses from the start of a security incident to the
organization’s awareness of the incident.
dynamic application security testing (DAST) Tools used to identify security defects
in a running software application.
eavesdropping The act of secretly intercepting and, optionally, recording a voice or
data transmission.
elasticity The property of infrastructure as a service (IaaS) whereby additional virtual
assets can be created or withdrawn in response to rising and falling workloads.
electric generator A system consisting of an internal combustion engine powered by
gasoline, diesel fuel, or natural gas that spins an electric generator to supply electricity
for as long as several days, depending upon the size of its fuel supply and whether it can
be refueled.
electronic protected health information (ePHI) As initially defined by HIPAA, any
PART V
information or data in electronic form that concerns the health, health status, and medical
treatment of a human patient. See also Health Insurance Portability and Accountability
Act (HIPAA).
elliptic curve A public key cryptography algorithm used for encrypting and decrypt-
ing information.
e-mail A network-based service used to transmit messages between individuals
and groups.
emergency communications plan A plan included in a response document that
describes the types of communications imparted to many parties, including emergency
response personnel, employees in general, customers, suppliers, regulators, public safety
organizations, shareholders, and the public. See also response document.
emergency response The urgent activities that immediately follow a disaster,
including evacuation of personnel, first aid, triage of injured personnel, and possibly
firefighting.
employee handbook See employee policy manual.
CISM Certified Information Security Manager All-in-One Exam Guide
548
employee policy manual A formal statement of the terms of employment, facts about
the organization, benefits, compensation, conduct, and policies.
employment agreement A legal contract between an organization and an employee,
which may include a description of duties, roles and responsibilities, confidentiality,
compliance issues, and reasons and methods for termination.
encryption The act of hiding sensitive information in plain sight. Encryption works
by scrambling the characters in a message using an encryption key known only to the
sender and receiver, making the message useless to anyone who intercepts the message.
encryption key A block of characters used in combination with an encryption
algorithm to encrypt or decrypt a stream or block of data.
end-user behavior analytics (EUBA) See user behavior analytics (UBA).
endpoint A general term used to describe any of the types of devices used by end users,
including mobile phones, smartphones, terminals, tablet computers, laptop computers,
and desktop computers.
endpoint detection and response (EDR) The set of capabilities on an endpoint that
work together to detect and respond to cyberattacks.
enterprise architecture Activities that ensure important business needs are met by
IT systems; the model that is used to map business functions into the IT environment
and IT systems in increasing levels of detail.
enterprise risk management (ERM) The methods and processes used by an organiza-
tion to identify and manage broad business risks.
evacuation procedure Instructions to evacuate a work facility safely in the event of a
fire, earthquake, or other disaster.
e-vaulting The practice of backing up information to an offsite location, often a third-
party service provider.
event An occurrence of relevance to a business or system.
event monitoring The practice of examining the events that occur in information
systems, including operating systems, subsystems such as database management systems,
applications, network devices, and end-user devices.
event visibility A capability that permits an organization to be aware of activities that
may signal a security or other type of incident.
evidence Information gathered by the auditor that provides proof that a control exists
and is being operated.
exploitation The process of exploiting a vulnerability in a target system to take control
of the system.
Glossary
549
exposure factor (EF) The financial loss that results from the realization of a threat,
expressed as a percentage of the asset’s total value.
extended detection and response (XDR) A term representing a newer generation
of endpoint detection and response (EDR) products. See also endpoint detection and
response (EDR).
facilities classification A method for assigning classification or risk levels to work
centers and processing centers, based on their operational criticality or other risk factors.
See also data classification, systems classification.
feasibility study An activity that seeks to determine the expected benefits of a program
or project.
fiduciary A person who has a legal trust relationship with another party.
fiduciary duty The highest standard of care that a fiduciary renders to a beneficiary.
file A sequence of zero or more characters that is stored as a whole in a file system.
A file may be a document, spreadsheet, image, sound file, computer program, or data
that is used by a program. See also file system.
file activity monitoring (FAM) A program that monitors the use of files on a server or
an endpoint as a means for detecting indicators of compromise.
file integrity monitoring (FIM) A program that periodically scans file systems on
servers and workstations as a means of detecting changes to file contents or permissions
that may be indicators of compromise.
file server A server used to store files in a central location, usually to make them
PART V
readily available to many users.
file system A logical structure that facilitates the storage of data on a digital storage
medium such as a hard disk drive (HDD), solid-state drive (SSD), CD/DVD-ROM,
or flash memory device.
fileless malware Malware that resides in a computer’s memory instead of in the
file system.
financial audit An audit of an accounting system and accounting department
processes and procedures to determine whether business controls are sufficient to ensure
the integrity of financial statements. See also audit.
financial management Management for IT services that consists of several activities,
including budgeting, capital investment, expense management, project accounting, and
project ROI. See also IT service management (ITSM), return on investment (ROI).
fingerprint See biometrics, key fingerprint.
CISM Certified Information Security Manager All-in-One Exam Guide
550
firewall A device that controls the flow of network messages between networks. Placed
at the boundary between the Internet and an organization’s internal network, firewalls
enforce security policy by prohibiting all inbound traffic except for the specific few types
of traffic that are permitted to a select few systems.
first in, first out (FIFO) A backup media rotation scheme by which the oldest backup
volumes are used next. See also backup media rotation.
Foreign Corrupt Practices Act of 1977 (FCPA) A U.S. law that forbids persons and
organizations from bribing foreign government officials.
forensic audit An audit that is performed in support of an anticipated or active legal
proceeding. See also audit.
forensics The application of techniques and tools during an investigation of a
computer or network-related event.
fraud The intentional deception made for personal gain or to damage another party.
gap analysis An examination of a process or system to determine differences between
its existing state and a desired future state.
general computing controls (GCCs) Controls that are general in nature and
implemented across most or all information systems and applications.
general data protection regulation (GDPR) The European law that took effect in
2018 that protects the privacy of European Union residents.
geofencing A network-based protective measure whereby an organization blocks
incoming network traffic originating from one or more geographic areas.
governance Management’s control over policy and processes.
governance, risk, and compliance (GRC) system See integrated risk management
(IRM) system.
grandfather-father-son A hierarchical backup media rotation scheme that provides
for longer retention of some backups. See also backup media rotation.
groupthink A human behavior rooted in the desire to conform to group consensus
and excluding the consideration of alternate ideas.
guidelines Nonbinding statements or narratives that provide additional information
to personnel regarding compliance with security policies and standards.
hacker Someone who interferes with or accesses a computer or system without
authorization.
hard disk drive (HDD) A storage device using magnetic storage on rapidly rotating
disks. See also solid-state drive (SSD).
Glossary
551
hardening The technique of configuring a system so that only its essential services
and features are active and all others are deactivated, making it more resilient to attack
and compromise. This helps to reduce the attack surface of a system to its essential
components only.
hardening standard A document that describes the security configuration details of a
system or class of systems. See also configuration standard, hardening.
hardware monitoring Tools and processes used to continuously observe the health,
performance, and capacity of one or more computers.
hash function A cryptographic operation on a block of data that returns a fixed-length
string of characters, used to verify the integrity of a message.
Health Insurance Portability and Accountability Act (HIPAA) A 1996 U.S. law
requiring the enactment of controls to protect electronic protected health informa-
tion (ePHI).
HITRUST A healthcare industry control framework and certification that serves as an
external attestation of an organization’s IT controls.
host-based intrusion detection system (HIDS) An intrusion detection system
installed on a system that watches for anomalies that could be signs of intrusion. See also
intrusion detection system (IDS).
hot site An alternate processing center where backup systems are already running and
in some state of near-readiness to assume production workload. The systems at a hot site
most likely have application software and database management software already loaded
and running, perhaps even at the same patch levels as the systems in the primary process-
PART V
ing center. See also cold site, warm site.
human-made disaster A disaster that is directly or indirectly caused by human
activity, through action or inaction. See also disaster.
human resource information system (HRIS) An information system used to manage
information about an organization’s workforce.
human resource management (HRM or HR) Activities regarding the acquisition,
onboarding, support, and termination of workers in an organization.
human resources (HR) The department in most organizations that is responsible for
employee onboarding, offboarding, internal transfers, training, and signing important
documents such as security policy.
hybrid cryptography A cryptosystem that employs two or more iterations or types of
cryptography.
hybrid virus See multipartite virus.
CISM Certified Information Security Manager All-in-One Exam Guide
552
Hypertext Transfer Protocol (HTTP) A TCP/IP application layer protocol used to
transmit web page contents from web servers to users who are using web browsers.
Hypertext Transfer Protocol Secure (HTTPS) A TCP/IP application layer protocol
that is similar to HTTP in its use for transporting data between web servers and browsers.
HTTPS is not a separate protocol but is an extension of HTTP that is encrypted with
SSL or TLS. See also Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL),
Transport Layer Security (TLS).
hypervisor Virtualization software that facilitates the operation of one or more
virtual machines.
identity and access management (IAM) The activities and supporting systems used
to manage workers’ identities and their access to information systems and data.
identity management The activity of managing the identity of each employee,
contractor, temporary worker, and, optionally, customer, for use in a single environment
or multiple environments.
image A binary representation of a fully installed and configured operating system and
applications for a server or an end user’s computer.
impact The actual or expected result from some action such as a threat or disaster.
impact analysis The analysis of a threat and the impact it would have if it were realized.
incident Any event that is not part of the standard operation of a service and that
causes, or may cause, interruption to or a reduction in the quality of that service.
incident declaration The process of determining that a security incident is taking
place so that incident responders can begin the task of managing it.
incident log A business record containing a list of security incidents that have occurred
in an organization.
incident management The IT function that analyzes service outages, service
slowdowns, security incidents, and software bugs, and seeks to resolve them to restore
normal service. See also IT service management (ITSM), security incident management.
incident prevention Proactive steps taken to reduce the probability or impact of
security incidents.
incident responder A worker in an organization who has responsibility for respond-
ing to a security incident.
incident response plan Written procedures to be followed in response to a security
incident.
incident response retainer A legal agreement between an organization and a security
professional services firm that arranges for the security firm to render assistance to the
organization in the event of a security incident.
Glossary
553
incident response team Personnel who are trained in incident response techniques.
indicator of compromise (IoC) An observation on a network or in an operating system
that indicates evidence of a network or computer intrusion.
industrial control system (ICS) A control system used to monitor and manage
physical machinery in an industrial environment. See also supervisory control and data
acquisition (SCADA).
information and communications technology (ICT) A term signifying information
processing and communications systems.
information classification See data classification.
information governance Governance activities that provide management with
visibility and control over the use of information.
information privacy The right of personal information to be free and safe from
unauthorized disclosure, use, and distribution.
information privacy policy An organization’s policy statement that defines how the
organization will protect, manage, and handle private information.
information risk Paraphrased from the ISACA Risk IT Framework, information risk
is the business risk associated with the use, ownership, operation, involvement, influence,
and adoption of information within an enterprise.
information security management The aggregation of policies, processes,
procedures, and activities to ensure that an organization’s security policy is effective.
PART V
information security management system (ISMS) The collection of activities for
managing information security in an organization, as defined by ISO/IEC 27001.
information security policy A statement that defines how an organization will classify
and protect its important assets.
infrastructure The collection of networks, network services, devices, facilities, and
system software that facilitates access to, communications with, and protection of
business applications.
infrastructure as a service (IaaS) A cloud computing model in which a service
provider makes computers and other infrastructure components available to subscribers.
See also cloud computing.
inherent risk The risk that material weaknesses are present in existing business
processes with no compensating controls to detect or prevent them.
initialization vector (IV) A random number that is needed by some encryption
algorithms to begin the encryption process.
CISM Certified Information Security Manager All-in-One Exam Guide
554
insider threat Any scenario whereby an employee or contractor knowingly, or
unknowingly, commits acts that result in security incidents or breaches.
integrated audit An audit that combines an operational audit and a financial audit.
See also financial audit, operational audit.
integrated development environment (IDE) A software application that facilitates
the writing, updating, testing, and debugging of application source code.
integrated risk management (IRM) system A software application used to track key
aspects of an organization’s risk management program. Formerly known as a governance,
risk, and compliance (GRC) system.
intellectual property A class of assets owned by an organization, including the
organization’s designs, architectures, software source code, processes, and procedures.
internal audit A formal audit of an organization’s controls, processes, or systems,
carried out by personnel who are part of the organization. See also audit.
internal audit (IA) The organization’s internal department that performs audits of
processes and controls.
Internet The global network that interconnects TCP/IP networks.
Internet hygiene The practice of security awareness while accessing the Internet with
a computer or mobile device to reduce the possibility of attack.
Internet of things (IoT) Physical objects that are connected to data networks for the
purpose of data acquisition and/or control. See also industrial control systems (ICS),
supervisory control and data acquisition (SCADA).
intrusion detection and prevention system (IDPS) See intrusion prevention
system (IPS).
intrusion detection system (IDS) A hardware or software system that detects
anomalies that may be signs of an intrusion.
intrusion kill chain The computer intrusion model developed by Lockheed-Martin
that depicts a typical computer intrusion. The phases of the kill chain are reconnais-
sance, weaponization, delivery, exploitation, installation, command and control, and
actions on objective.
intrusion prevention system (IPS) A hardware or software system that detects and
blocks malicious network traffic that may signal an intrusion.
intrusive monitoring Any technique used by an organization to actively monitor
activities within a third party’s IT environment.
IS audit An audit of an IS department’s operations and systems. See also audit.
Glossary
555
ISACA The global organization that develops and administers numerous certifica-
tions, including Certified Information Security Manager (CISM); Certified Informa-
tion Systems Auditor (CISA); Certified in Risk, Information Security, and Control
(CRISC); Certified Data Privacy Solutions Engineer (CDPSE); and Certified in the
Governance of Enterprise IT (CGEIT). Formerly known as the Information Systems
Audit and Control Association.
ISACA audit standards The minimum standards of performance related to secu-
rity, audits, and the actions that result from audits. The standards are published by
ISACA and updated periodically. ISACA audit standards are considered mandatory.
See also ISACA.
ISAE 3402 (International Standard on Assurance Engagement) An external audit
of a service provider, performed according to rules established by the International
Auditing and Assurance Standards Board (IAASB).
ISO/IEC 20000 An ISO/IEC (International Organization for Standardization/
International Electrotechnical Commission) standard for IT service management
(ITSM). See also IT service management (ITSM).
ISO/IEC 27001 An ISO/IEC standard for information security management.
ISO/IEC 27002 An ISO/IEC standard for information security controls.
IT General Controls (ITGCs) See General computing controls.
IT Infrastructure Library (ITIL) See IT service management (ITSM).
IT service management (ITSM) The set of activities that ensures the delivery of
PART V
IT services is efficient and effective, through active management and the continuous
improvement of processes.
job description A written description of an employee’s job title, work experience
requirements, knowledge requirements, and responsibilities.
job title See position title.
judgmental sampling A sampling technique whereby items are chosen based upon an
auditor’s judgment, usually based on risk or materiality. See also sampling.
key See encryption key.
key compromise Any unauthorized disclosure of or damage to an encryption key.
See also key management.
key custody The policies, processes, and procedures regarding the management of
encryption keys. See also key management.
key disposal The process of decommissioning encryption keys. See also key
management.
CISM Certified Information Security Manager All-in-One Exam Guide
556
key encrypting key An encryption key that is used to encrypt another encryption key.
key exchange A technique used by two parties to establish a symmetric encryption
key when no secure channel is available.
key fingerprint A short sequence of characters used to authenticate a public key.
key generation The initial generation of an encryption key. See also key management.
key goal indicator (KGI) A measure of progress in the attainment of a strategic goal in
the organization.
key length The size (measured in bits) of an encryption key. Longer encryption keys
require greater effort to attack a cryptosystem successfully.
key management The various processes and procedures used by an organization to
generate, protect, use, and dispose of encryption keys over their lifetime.
key performance indicator (KPI) A measure of the performance and quality of a busi-
ness process, used to reveal trends related to efficiency and effectiveness of key processes
in the organization.
key protection All means used to protect encryption keys from unauthorized
disclosure and harm. See also key management.
key risk indicator (KRI) A measure of information risk, used to reveal trends related to
levels of risk of security incidents in the organization.
key rotation The process of issuing a new encryption key and reencrypting data
protected with the new key. See also key management.
keylogger A hardware device or a type of malware that records a user’s keystrokes and,
optionally, mouse movements and clicks, which sends this data to the keylogger’s owner.
kill chain See intrusion kill chain.
laptop computer A portable computer used by an individual user.
learning management system (LMS) An on-premise or cloud-based system that
makes online training and testing facilities available to an organization’s personnel.
Some LMSs automatically maintain records of training enrollment, test scores, and
training completion.
least privilege The security principle whereby an individual user should have the least
access privileges, or authorizations, required to perform necessary work tasks.
Lightweight Directory Access Protocol (LDAP) A TCP/IP application layer protocol
used as a directory service for people and computing resources.
load balancing Balancing workload or traffic among multiple resources.
Lockheed-Martin kill chain See intrusion kill chain.
Glossary
557
log correlation The process of combining log data from many devices to discern
patterns that may be indicators of operational problems or compromise.
log review An examination of the event log in an information system to determine
whether any security events or incidents have occurred. See also continuous log review.
log server A system or device to which event logs from other systems are sent for pro-
cessing and storage. See also centralized log management, security information and event
management (SIEM).
macro virus Malicious software that is embedded within another file, such as a docu-
ment or spreadsheet.
malware The broad class of programs designed to inflict harm on computers, net-
works, or information. Types of malware include viruses, worms, Trojan horses, spyware,
and rootkits.
man-made disaster See human-made disaster.
managed security service provider (MSSP) An organization that provides security
monitoring and/or management services for customers.
manual control A control that requires a human to operate it.
maximum acceptable outage (MAO) See maximum tolerable outage (MTO).
maximum tolerable downtime (MTD) A theoretical time period, measured from the
onset of a disaster, after which the organization’s ongoing viability would be at risk.
maximum tolerable outage (MTO) The maximum period of time that an organiza-
PART V
tion can tolerate operating in recovery (or alternate processing) mode.
message digest The result of a cryptographic hash function.
methodology standard A standard that specifies the practices used by the
IT organization.
metric A measurement of a periodic or ongoing activity for the purpose of understand-
ing the activity within the context of overall business operations.
microsegmentation A design characteristic of a network in which each network node
resides on its own segment, resulting in improved network security and efficiency.
mitigating control See compensating control.
MITRE ATT&CK A framework used for classifying and understanding various types
of cyberattacks.
mobile device A portable computer in the form of a smartphone, tablet computer, or
wearable device.
CISM Certified Information Security Manager All-in-One Exam Guide
558
mobile site A portable recovery center that can be delivered to almost any location in
the world.
monitoring The continuous or regular evaluation of a system or control to determine
its operation or effectiveness.
multifactor authentication (MFA) Any means used to authenticate a user that is
stronger than the use of a user ID and password. Examples include digital certificates,
tokens, smart cards, or biometrics.
multipartite virus A computer virus that employs multiple simultaneous attack and/
or presence components to aid in a more effective attack and persistence.
natural disaster A disaster that occurs in the natural world with little or no assistance
from humankind. See also disaster.
need-to-know The principle of access management that permits subjects to have
access to information or information systems only if they have a specific need to
access them.
NetFlow A network diagnostic tool developed by Cisco Systems that collects all
network metadata, which can be used for network diagnostic or security purposes.
See also network traffic analysis (NTA).
network access control (NAC) An approach for network authentication and
access control that determines whether devices will be permitted to attach to a LAN or
wireless LAN.
network attached storage (NAS) A stand-alone storage system that contains one or
more virtual volumes. Servers access these volumes over the network using the Network
File System (NFS) or Server Message Block/Common Internet File System (SMB/CIFS)
protocols, common on Unix and Windows operating systems, respectively.
network segmentation The practice of dividing a network into two or more zones,
with protective measures such as firewalls between the zones.
network tap A connection on a network router or network switch. A copy of all of the
network traffic passing through the router or switch is also sent to the network tap. Also
known as a span port.
network traffic analysis (NTA) A technique used to identify anomalies in network
traffic that may be a part of an intrusion or other unwanted event.
NIST 800 Series A collection of documents published by the U.S. National Institute
for Standards and Technology (NIST).
NIST CSF A risk management methodology and controls framework developed by the
U.S. National Institute for Standards and Technology (NIST).
Glossary
559
nonfunctional requirement Required characteristics of a system, service, or pro-
cess in terms of its components, structure, or architecture. See also functional require-
ment, requirement.
nonrepudiation The property of encryption and digital signatures that can make
it difficult or impossible for a party to deny having previously sent a digitally signed
message—unless they admit to having lost control of their private encryption key.
North American Reliability Corporation (NERC) The organization that maintains
resilience and security controls for use by public utilities.
North American Reliability Council Critical Infrastructure Protection (NERC
CIP) The standards and requirements defined by the North American Reliability
Council for the protection of the electric power generation and distribution grid.
object In the context of access management, a file, database, record, system, or device
that a subject may attempt to access. See also subject.
occupant emergency plan Activities required to care for occupants safely in a busi-
ness location during a disaster. See also response document.
offsite media storage The practice of storing media such as backup tapes at an offsite
facility located away from the primary computing facility.
onboarding The process undertaken when an organization hires a new worker or
when it begins a business relationship with a third party.
open source software Computer software released in a manner in which the owner
grants users the right to use, change, and distribute software and its source code.
PART V
operational audit An audit of IS controls, security controls, or business controls to
determine control existence and effectiveness. See also audit.
operational risk The risk of loss resulting from failed controls, processes, and systems;
internal and external events; and other occurrences that impact business operations and
threaten an organization’s survival.
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)
A qualitative risk analysis methodology developed at Carnegie Mellon University.
orchestration In the context of SIEM, the scripted, automated response that is auto-
matically or manually triggered when specific events occur. See also security information
and event management (SIEM).
organization chart A diagram that depicts the manager–subordinate relationships in
an organization or in part of an organization.
out of band Communications that take place separately from the main communica-
tions channel.
CISM Certified Information Security Manager All-in-One Exam Guide
560
outsourcing A form of sourcing (obtaining goods or services) whereby an employer
uses onsite or offsite contract employees or organizations to perform a function.
owner A person or group responsible for the management and/or operation of an asset.
ownership In the context of information security and privacy, the concept of an
individual’s or group’s accountability for the integrity and effectiveness of policies,
procedures, or controls.
packet sniffer A device or program installed on a network-attached system to capture
network traffic.
parallel test An actual test of disaster recovery or business continuity response plans
intended to evaluate the ability of personnel to follow directives in emergency response
plans to set up an actual disaster recovery business processing or data processing capability.
In a parallel test, personnel operate recovery systems in parallel with production systems
to compare the results between the two to determine the capabilities of recovery systems.
password An identifier that is created by a system manager or a user; a secret combina-
tion of letters, numbers, and other symbols that is known only to the person who uses it.
password complexity The characteristics required of user account passwords to
ensure their security. For example, a password may not contain dictionary words and
must contain uppercase letters, lowercase letters, numbers, and symbols.
password length The minimum and maximum number of characters permitted for a
password associated with a computer account.
password reset The process of changing a user account password and unlocking the
account so that the user may resume using the account.
password reuse The act of reusing a prior password for a user account. Some informa-
tion systems can prevent password reuse in case any prior passwords were compromised
with or without the user’s knowledge.
passwordless authentication An authentication method that uses a public identifier,
such as a userid or e-mail address, together with a second factor, such as a hardware token
or biometric, for system access.
patch management The process of identifying, analyzing, and applying patches
(including security patches) to systems.
Payment Card Industry Data Security Standard (PCI DSS) A security standard
whose objective is the protection of credit card numbers in storage, while processed, and
while transmitted. The standard was developed by the PCI Security Standards Council,
a consortium of credit card companies including Visa, MasterCard, American Express,
Discover, and JCB.
personally identifiable information (PII) Information that can be used on its own or
combined with other information to identify a specific person.
Glossary
561
phishing A social-engineering attack on unsuspecting individuals whereby e-mail
messages that resemble official communications entice victims to visit imposter web sites
that contain malware or request credentials to sensitive or valuable assets. See also busi-
ness e-mail compromise, spear phishing, whaling.
physical control Controls that employ physical means.
plaintext An original, unencrypted message, file, or stream of data that can be read by
anyone who has access to it.
platform as a service (PaaS) A cloud computing delivery model whereby the service
provider supplies the platform on which an organization can build and run software.
playbook Step-by-step instructions for security incidents likely to affect an
organization.
policy A statement that specifies what must be done (or not done) in an organization.
A policy usually defines who is responsible for monitoring and enforcing it.
population A complete set of entities, transactions, or events that are the subject of
an audit.
position title A label that designates an employee’s place or role in an organization.
post-incident review A formal review of a security incident, disaster recovery, or busi-
ness continuity event in which all of the proceedings are reviewed to determine whether
any improvements need to be made to detection, response, or recovery operations.
pre-audit An examination of business processes, controls, and records in anticipation
of an upcoming audit. See also audit.
PART V
preventive control A control intended to prevent unwanted events from happening,
such as a computer login screen or a key card system used to control physical access to a
computer or facility, respectively.
privacy See information privacy.
privacy policy See information privacy policy.
private cloud A cloud infrastructure that is dedicated to a single organization.
private key cryptosystem A cryptosystem based on a symmetric cryptographic
algorithm that requires that both parties possess a common encryption key that is used
to encrypt and decrypt messages.
privileged access management Management of administrative access to informa-
tion, systems, and devices. See also access management.
procurement The process of making a purchase of hardware, software, and services;
also, the name of the department that performs this activity.
CISM Certified Information Security Manager All-in-One Exam Guide
562
probability The chances that an event or incident may occur.
probability analysis The analysis of a threat and the probability of its realization.
problem An incident—often multiple incidents—that exhibits common symptoms
and whose root cause is not known.
problem management The IT function that analyzes chronic incidents, seeks to
resolve them, and enacts proactive measures in an effort to avoid problems. See also IT
service management (ITSM).
procedure A written sequence of instructions used to complete a task.
process A collection of one or more procedures used to perform a business function.
See also procedure.
program An organization of many large, complex activities; it can be thought of as a
set of projects that work to fulfill one or more key business objectives or goals.
program charter A formal definition of the objectives of a program, its main time-
lines, its sources of funding, the names of its principal leaders and managers, and the
business executives who are sponsoring it.
program management The management of a group of projects that exist to fulfill a
business goal or objective. See also program.
project A coordinated and managed sequence of tasks that results in the realization of
an objective or goal.
project management The process of leading and managing a team to control, mea-
sure, and manage the activities in a project.
project plan The collection of documents that describe the stages and oversight of
a project. A project plan outlines the sponsor, stakeholders, goals, milestones, tasks,
resources, risks, constraints, and timelines needed to accomplish the stated objective(s).
project planning The activities related to the development and management of
a project.
protocol analyzer A device connected to a network that views network communica-
tions at a detailed level.
public cloud A cloud infrastructure used by multiple organizations.
public key cryptography See asymmetric encryption.
public key infrastructure (PKI) A centralized function used to store and publish
public encryption keys and other information.
qualitative risk analysis A risk analysis methodology whereby risks are classified on
a nonquantified scale, such as from High to Medium to Low, or a simple numeric scale
such as 1 to 5.
Glossary
563
quantitative risk analysis A risk analysis methodology whereby risks are estimated in
the form of actual costs and/or probabilities of occurrence.
quarantine A holding place for e-mail messages that have been blocked by a spam or
phishing filter.
questionnaire A list of questions sent to a party to assess their control effectiveness
and risk.
rank A part of a person’s position title that denotes seniority or span of control in an
organization. See also position title.
ransomware Malware that performs some malicious action, requiring payment from
the victim to reverse the action. Such actions include data erasure, data encryption, and
system damage.
reciprocal site A data center operated by another organization. Two or more
organizations with similar processing needs will draw up a legal contract that obligates
one or more of the organizations to house another party’s systems temporarily in the
event of a disaster.
reconnaissance Any activity in which a would-be intruder or researcher explores a
potential target system or network, generally to learn of its makeup, to determine a
potentially successful attack strategy.
records Documents describing business events such as meeting minutes, contracts,
financial transactions, decisions, purchase orders, logs, and reports.
recovery capacity objective (RCapO) The processing and/or storage capacity of an
PART V
alternate process or system, compared to the normal process or site. RCapO is usually
expressed as a percentage.
recovery consistency objective (RCO) A measure of the consistency and integrity of
processing at a recovery site, compared to the primary processing site. RCO is calculated
as 1 – (number of inconsistent objects) / (number of objects).
recovery control A control used following an unwanted event to restore a system or
process to its pre-event state.
recovery point objective (RPO) The period of acceptable data loss following an
incident or disaster, usually measured in hours or days.
recovery procedure Instructions that key personnel use to bootstrap services that
support critical business functions identified in the business impact assessment (BIA).
recovery site An alternate location used for information processing when a primary
site is incapacitated.
recovery strategy A high-level plan for resuming business operations after a disaster.
CISM Certified Information Security Manager All-in-One Exam Guide
564
recovery time objective (RTO) The period from the onset of an outage until the
resumption of service, usually measured in hours or days.
Redundant Array of Independent Disks (RAID) A family of technologies used to
improve the reliability, performance, or size of disk-based storage systems.
reference architecture A template solution developed for a particular purpose,
intended to be used repeatedly as needed.
registration authority (RA) An entity that works within or alongside a certificate
authority (CA) to accept requests for new digital certificates.
release management The IT function that controls the release of software programs,
applications, and environments. See also IT service management (ITSM).
release process The IT process whereby changes to software programs, applications,
and environments are requested, reviewed, approved, and implemented.
remote access A service that permits a user to establish a network connection from a
remote location to access network resources remotely.
remote access Trojan (RAT) Malware that permits the attacker to access and control
a target system remotely.
remote destruct The act of commanding a device, such as a laptop computer or
mobile device, to destroy stored data. Remote destruct is sometimes used when a device
is lost or stolen to prevent anyone from being able to read data stored on the device.
remote monitoring (RMON) A protocol used to monitor network traffic. Also known
as remote network monitoring.
remote work The practice of an employee working in a location other than the
organization’s work premises. See also work from home (WFH).
reperformance An audit technique whereby an IS auditor repeats actual tasks
performed by auditees to confirm they were performed properly.
replication An activity whereby data that is written to a storage system is also copied
over a network to another storage system and written, resulting in the presence of up-to-
date data that exists on two or more storage systems, each of which could be located in a
different geographic region.
request for change (RFC) See change request.
request for information (RFI) A formal process by which an organization solicits
information regarding solution proposals from one or more vendors. This is usually
used to gather official information about products or services that may be considered
in the future.
Glossary
565
request for proposal (RFP) A formal process by which an organization solicits solu-
tion proposals from one or more vendors to evaluate vendor proposals and make a selec-
tion. The process usually includes formal requirements and desired terms and conditions.
requirements Formal statements that describe required (and desired) characteristics
of a system that is to be developed, changed, or acquired.
residual risk The risk that remains after being reduced through risk treatment options.
response document A document that outlines the required actions of personnel after
a disaster strikes. It includes the business recovery plan, occupant emergency plan, emer-
gency communication plan, contact lists, disaster recovery plan, continuity of operations
plan, and security incident response plan.
Responsible, Accountable, Consulted, Informed (RACI) chart A tool used to assign
roles to individuals and groups according to their responsibilities.
responsibility A stated expectation of activities and performance.
retainer agreement A contract in which an organization pays in advance for profes-
sional services such as external legal counsel and security incident response.
return on investment (ROI) The ratio of money gained or lost as compared to an
original investment.
return on security investment (ROSI) The return on investment based on the reduc-
tion of security-related losses compared to the cost of related controls.
right to audit A clause in a contract that grants one party the right to conduct an audit
of the other party’s operations.
PART V
risk Generally, the fact that undesired events can happen that may damage property
or disrupt operations; specifically, an event scenario that can result in property damage
or disruption.
risk acceptance The risk treatment option whereby management chooses to accept
the risk as is.
risk analysis The process of identifying and studying risks in an organization.
risk appetite The organization’s overall acceptable level of risk for a given business
venture.
risk assessment An activity where risks, in the form of threats and vulnerabilities, are
identified for each asset.
risk avoidance The risk treatment option involving a cessation of the activity that
introduces an identified risk.
CISM Certified Information Security Manager All-in-One Exam Guide
566
risk awareness Programmatic activities whose objective is to make business leaders,
stakeholders, and other personnel aware of the organization’s information risk manage-
ment program. See also security awareness.
risk capacity The objective amount of loss that an organization can tolerate without
its continued existence being called into question.
risk ledger See risk register.
risk management Management activities used to identify, analyze, treat, and
monitor risks.
risk mitigation The risk treatment option involving the implementation of a solution
that will reduce an identified risk.
risk monitoring Ongoing activities, including control effectiveness assessments and
risk assessments to observe changes in risk.
risk owner A person designated as being responsible for the outcome of a particular
risk; typically, the owner of the asset or process that is the subject of a risk.
risk register A business record containing business risks and information about their
origin, potential impacts, affected assets, probabilities of occurrence, and treatments.
risk response See risk treatment.
risk sharing See risk transfer.
risk tolerance The organization’s level of acceptable variation from the risk appetite.
risk transfer The risk treatment option involving the act of transferring risk to another
party, such as an insurance company or service provider.
risk treatment The decision to manage an identified risk: mitigate the risk, avoid the
risk, transfer the risk, or accept the risk.
roadmap The list of steps required to achieve a strategic objective.
role A set of user privileges in an application; also, a formal designation assigned to an
individual by virtue of a job title or other label.
rollback A step in the software development life cycle in which system changes need
to be reversed, returning the system to its previous state.
root cause analysis Analysis of a problem to identify the underlying origins, not
merely factors or symptoms. See also problem management.
sabotage Deliberate damage of an organization’s asset.
salvage The process of recovering components or assets that still have value after
a disaster.
Glossary
567
sample A portion of a population of records that is selected for auditing.
sampled flow (sFlow) An industry-standard protocol for monitoring networks.
sampling A technique used to select a portion of a population for auditing when it is
not feasible to audit or test an entire population.
sandbox A security mechanism often used by antimalware programs to separate
running programs. See also antimalware.
SANS 20 Critical Security Controls, aka SANS Top 20 Controls See CIS Controls.
Sarbanes-Oxley Act (SOX) A 2002 U.S. law requiring public corporations to enact
business and technical controls, perform internal audits of those controls, and undergo
external audits.
scanning tool A security tool used to scan files, processes, network addresses, systems,
or other objects, often for the purpose of identifying assets or vulnerabilities that may be
present in assets.
secure coding The practice of developing program source code that is free of security
defects. See also secure development training.
secure development training Training for software developers on the techniques of
writing secure code and avoiding security defects that could be exploited by adversaries.
Secure Multipurpose Internet Mail Extensions (S/MIME) An e-mail security
protocol that provides sender and recipient authentication and encryption of message
content and attachments.
PART V
Secure Shell (SSH) A TCP/IP application layer protocol that provides a secure channel
between two computers, whereby all communications between them are encrypted. SSH
can also be used as a tunnel to encapsulate and thereby protect other protocols.
Secure Sockets Layer (SSL) An encryption protocol used to encrypt web pages
requested with the HTTPS URL. This has been deprecated by Transport Layer
Security (TLS). See also Hypertext Transfer Protocol Secure (HTTPS), Transport
Layer Security (TLS).
security architecture The overall strategy as well as the details that define the role of
technology and asset protection in an organization. See also The Open Group Architecture
Framework (TOGAF), Zachman Framework.
security audit A formal review of security controls, processes, or systems to determine
their state. See also audit.
security awareness A formal program used to educate employees, users, customers,
or constituents on required, acceptable, and unacceptable security-related behaviors.
See also risk awareness.
CISM Certified Information Security Manager All-in-One Exam Guide
568
security by design The concept of product and systems development that incorpo-
rates security into the design of the system rather than as an afterthought.
security governance Management’s control over an organization’s security program.
security incident An event during which the confidentiality, integrity, or availability
of information (or an information system) has been compromised.
security incident log A business record consisting of security incidents that
have occurred.
security incident management The process by which a framework of programs and
activities is created and managed to ensure that an organization is able to detect, respond,
and contain a security incident quickly.
security incident response A formal, planned response enacted when a security
incident has occurred. See also security incident.
security information and event management (SIEM) A system that collects logs
from hardware devices, operating systems, network devices, and software applications;
correlates log data; and produces alerts that require attention.
security operations center (SOC) An IT function wherein personnel centrally
monitor and manage security functions and devices, watch for security anomalies and
incidents, and take actions as warranted.
security orchestration and response (SOAR) A processing platform used to automate
routine tasks, usually as a result of a security event that has been detected by a SIEM.
security policy See information security policy.
security review An examination of a process, procedure, system, program, or other
object to determine the state of security.
segregation of duties The concept of ensuring that no single individual possesses
excess privileges that could result in unauthorized activities such as fraud or the manipu-
lation or exposure of sensitive data.
semiquantitative risk analysis A risk analysis methodology whereby risks are classi-
fied on a simple numeric scale, such as 1 to 5.
separation of duties See segregation of duties.
server A centralized computer used to perform a specific task.
service continuity management The IT function that consists of activities concerned
with the organization’s ability to continue providing services, primarily in the event of
a natural or human-made disaster. See also IT service management (ITSM), business
continuity planning (BCP), disaster recovery planning (DRP).
Glossary
569
service delivery objective (SDO) The level or quality of service that is required after
an event, compared to normal business operations.
service desk The IT function that handles incidents and service requests on behalf of
customers by acting as a single point of contact. See also IT service management (ITSM).
service level agreement (SLA) An agreement that specifies service levels in terms of
the quantity of work, quality, timeliness, and remedies for shortfalls in quality or quantity.
service level management The IT function that confirms whether IT is providing
adequate service to its customers. This is accomplished through continuous monitoring
and periodic review of IT service delivery. See also IT service management (ITSM).
shadow IT The phenomenon wherein individuals, groups, departments, and business
units bypass corporate IT and procure their own computing services, typically through
SaaS and IaaS services. See also cloud, infrastructure as a service (IaaS), software as a
service (SaaS).
shared responsibility model A model that depicts responsibilities shared between
service providers and customers, typically in a cloud environment.
simulation A test of disaster recovery, business continuity, or security incident
response procedures in which the participants take part in a “mock disaster” or inci-
dent to add some realism to the process of thinking their way through emergency
response documents.
single loss expectancy (SLE) The financial loss that results from the realization of a
threat. SLE is defined as asset value (AV) × exposure factor (EF). See also asset value (AV),
exposure factor (EF).
PART V
single point of failure An element or device in a system or network that lacks redun-
dancy; when it fails for any reason, this causes the entire network or system to experience
an outage.
skills matrix A chart that includes names of staff members and their relevant skills
as axes, with indicators on which staff members have which skills, and with what levels
of proficiency.
smart card A small, credit-card–sized device that contains electronic memory, used
with a smart card reader in two-factor authentication to grant access.
smartphone A mobile phone equipped with an operating system and software
applications.
smishing Phishing in the context of Short Message Service (SMS) messaging.
See also phishing.
snapshot A continuous auditing technique that involves the use of special audit
modules embedded in online applications that sample specific transactions. The module
copies key database records that can be examined later.
CISM Certified Information Security Manager All-in-One Exam Guide
570
sniffer See packet sniffer.
social engineering The act of using deception to trick an individual into revealing
secrets or performing actions.
software as a service (SaaS) A software delivery model whereby an organization
obtains a software application for use by its employees and the software application is
hosted by the software provider, as opposed to the customer organization.
software defect A defect introduced into a program that results in unexpected
behavior. Commonly known as a bug.
Software Engineering Institute Capability Maturity Model (SEI-CMM) A model
used to determine the maturity of security processes. See also Capability Maturity Model
Integration for Development (CMMI-DEV).
software-defined networking (SDN) A class of capabilities in which network infra-
structure devices such as routers, switches, and firewalls are created, configured, and
managed as virtual devices in virtualization environments.
solid-state drive (SSD) A solid-state device used for persistent data storage, generally
a replacement for a hard-disk drive. See also hard disk drive (HDD).
SOX See Sarbanes–Oxley Act (SOX).
spam Unsolicited and unwanted e-mail.
spam filter A central program or device that examines incoming e-mail and removes
all messages identified as spam.
span port See network tap.
spear phishing Phishing that is specially crafted for a specific target organization or
group. See also business e-mail compromise, phishing, whaling.
spim Spam or phishing in the context of instant messaging. See also phishing, smish-
ing, spam.
spyware A type of malware in which software performs one or more surveillance-type
actions on a computer, reporting back to the spyware owner. See also malware.
standard A statement that defines the technologies, protocols, suppliers, and methods
used by an IT organization.
statement of impact A description of the impact a disaster scenario will have on a
business or business process.
Statements on Standards for Attestation Engagements No. 16 (SSAE 16) An audit
standard superseded by SSAE No. 18. See also Statements on Standards for Attestation
Engagements No. 18 (SSAE 18).
Glossary
571
Statements on Standards for Attestation Engagements No. 18 (SSAE 18) A stan-
dard for audits performed on a financial service provider. An SSAE 18 audit is performed
according to rules established by the American Institute of Certified Public Accountants
(AICPA). See also System and Organization Controls 1 (SOC 1).
static application security testing (SAST) The process of using tools to scan software
source code to identify security defects.
statistical sampling A sampling technique in which items are chosen at random; each
item has a statistically equal probability of being chosen. See also sampling.
steganography Any technique that hides data within another data file.
stop-or-go sampling A sampling technique used to permit sampling to stop at the
earliest possible time. This technique is used when the auditor thinks there is low risk or
a low rate of exceptions in the population. See also sampling.
storage area network (SAN) A stand-alone storage system that can be configured to
contain several virtual volumes and connected to many servers through fiber-optic cables.
strategic objective A corporate objective that is a part of a high-level strategy.
strategic planning Activities used to develop and refine long-term plans and objectives.
strategy The plan required to achieve an objective.
stratified sampling A sampling technique in which a population is divided into
classes, or strata, based upon the value of one of the attributes. Samples are then selected
from each class. See also sampling.
PART V
stream cipher A type of encryption algorithm that operates on a continuous stream of
data, such as a video or audio feed.
strong authentication See multifactor authentication (MFA).
subject In the context of access management, a user, program, system, or device that
may attempt to access an object. See also object.
supervisory control and data acquisition (SCADA) A control system used to monitor
and manage physical machinery in an industrial environment. See also industrial control
system (ICS).
supply chain attack An indirect attack on an organization that occurs after an
attacker infiltrates an organization’s trusted supplier. See also third-party risk manage-
ment (TPRM).
symmetric encryption A method of encryption and decryption that requires both
parties to possess a common encryption key.
CISM Certified Information Security Manager All-in-One Exam Guide
572
synchronous replication A type of replication in which data is written to a local and a
remote storage system as a single operation, guaranteeing that data on the remote storage
system is identical to data on the local storage system. See also replication.
System and Organization Controls 1 (SOC 1) An external audit of a service provider.
A SOC 1 audit is performed according to the SSAE 18 standard established by the
American Institute of Certified Public Accountants (AICPA). See also Statements on
Standards for Attestation Engagements No. 18 (SSAE 18).
System and Organization Controls 2 (SOC 2) An external audit of a service provider
on one or more of the following trust principles: security, availability, processing integrity,
confidentiality, and privacy. A SOC 2 audit is performed according to audit standards
established by the American Institute of Certified Public Accountants (AICPA).
System and Organization Controls 3 (SOC 3) An external audit of a service provider
on one or more of the following trust principles: security, availability, processing integrity,
confidentiality, and privacy.
systems classification A method for assigning classification or risk levels to informa-
tion systems, based on their operational criticality, the classification of data they store or
process, or other risk factors. See also data classification.
tablet A mobile device with a touchscreen interface. See also mobile device.
technical control A control that is implemented in IT systems and applications.
technical debt The state of being hampered by information systems of older vintages
that are often unsupported, and older or poorer architecture that is no longer business
aligned. See also data debt.
technology standard A standard that specifies the software and hardware technolo-
gies used by the IT organization.
telework See remote work.
termination The process of discontinuing the employment of an employee or a
contractor.
terrorist A person or group who perpetrates violence for political, ideological, or
religious reasons.
test plan A step-by-step procedure for verifying that a system, service, or process
complies with all applicable requirements. See also requirements.
The Open Group Architecture Framework (TOGAF) A life-cycle enterprise
architecture framework used to design, plan, implement, and govern an enterprise
security architecture.
third party An external organization that provides goods or services to an organization.
Glossary
573
third-party risk management (TPRM) The practice of identifying risks associated
with the use of outsourced organizations to perform business processes.
threat An event that, if realized, would bring harm to an asset.
threat assessment An examination of threats and the likelihood and impact of
their occurrence.
threat hunting The proactive search for intrusions, intruders, and indicators of
compromise.
threat intel feed A subscription service containing information about known threats.
It can be in the form of human-readable or machine-readable information.
threat intelligence Information about security tools, tactics, and trends of intrusions
that can help an organization determine how best to protect itself from intrusion.
threat intelligence platform (TIP) A system that receives and processes threat
intelligence data sent by various sources.
threat management Activities undertaken by an organization to learn of relevant
security threats so that the organization can take appropriate action to counter the threats.
threat modeling Techniques implemented during the software design phase to
anticipate potential threats and incorporate design features to mitigate them.
three lines of defense A functional model that defines roles related to the
development, operation, and assurance of controls and policies.
Towers of Hanoi A complex backup media rotation scheme, based on the Towers of
PART V
Hanoi puzzle, that provides for more lengthy retention of some backup media. See also
backup media rotation.
Towers of Sauron A collection of towers, including Dol Guldur, Orthanc, Cirith
Ungol, Minas Tirith, Minas Morgul, and Barad-dûr, all located in Middle-earth.
total cost of ownership (TCO) A financial estimate of all of the costs associated with
a process or system.
training The process of educating personnel; also, to impart information or provide an
environment where personnel can practice a new skill.
Transport Layer Security (TLS) An encryption protocol used to encrypt web pages
requested with the HTTPS URL. This is a replacement for Secure Sockets Layer (SSL).
See also Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL).
tribal knowledge Undocumented knowledge of procedures, practices, design, state,
and use of information systems.
CISM Certified Information Security Manager All-in-One Exam Guide
574
unified extensible firmware interface (UEFI) The firmware on a computer that
tests the computer’s hardware and initiates the bootup sequence. UEFI is considered a
successor to BIOS. See also basic input/output system (BIOS).
uninterruptible power supply (UPS) A system that filters incoming power spikes and
other noise and supplies power for short periods through a bank of batteries.
user A business or person that uses an information system.
user activity review An examination of an information system to determine which
users have been active and which have not been active.
user behavior analytics (UBA) A process whereby user behavior is baselined and
anomalous activities trigger events or alarms.
user and entity behavior analytics (UEBA) See user behavior analytics (UBA).
userid, user ID An identifier created by a system manager and issued to a user for the
purpose of identification or authentication.
variable sampling A sampling technique used to study the characteristics of a popu-
lation to determine the numeric total of a specific attribute from the entire population.
See also sampling.
vendor management See third-party risk management (TPRM).
vendor standard A standard that specifies which suppliers and vendors are used for
various types of products and services.
virtual machine A software implementation of a computer, usually an operating
system or another program running within a hypervisor. See also hypervisor.
virtual private network (VPN) A logical network connection that connects
systems and devices, often used by a remote worker to access resources in an internal-
use-only network.
virtualization Software technology that separates the physical computing environ-
ment from the software that runs on a system, permitting several operating system
instances to operate concurrently and independently on a single system.
virus A type of malware in which fragments of code attach themselves to executable
programs and are activated when the program they are attached to is run.
vulnerability A weakness that may be present in a system and may be exploited by
a threat.
vulnerability analysis See vulnerability assessment.
vulnerability assessment An assessment whose objective is to identify vulnerabilities
in target assets.
Glossary
575
vulnerability management A formal business process used to identify and mitigate
vulnerabilities in an IT environment.
walk-through A review of some or all disaster recovery and business continuity plans,
procedures, and other documentation, performed by an entire group of individuals in a
live discussion.
war room A meeting room or other place where incident responders gather to coordi-
nate incident response activities.
warm site An alternate processing center where recovery systems are present but at a
lower state of readiness than recovery systems at a hot site. For example, the same version
of the operating system may be running on the warm site system, but it may be a few
patch levels behind primary systems. See also cold site, hot site.
watering hole attack An attack on one more organizations, performed by an attacker
introducing malicious code on a web site that personnel in target organizations are
thought to frequent.
weaponization The process of creating or obtaining malware that is to be delivered to
a target as a part of a computer intrusion.
web application firewall (WAF) A firewall that examines the contents of information
in transit between a web server and its users to identify and block malicious content that
could represent an attack on the web server.
web-based application An application design in which the database and all business
logic are stored on central servers, and user workstations use only web browsers to access
the application.
PART V
web content filter A central program or device that monitors and, optionally, filters
web communications, often used to control the sites (or categories of sites) that users
are permitted to access from the workplace. Some web content filters can also protect an
organization from malware.
web proxy filter See web content filter.
web server A server that runs specialized software that makes static and dynamic
HTML pages available to users.
whaling Spear phishing that targets executives and other high-value and high-
privilege individuals in an organization. See also business e-mail compromise, phishing,
spear phishing.
whitelist In a security system, a list of identifiers that should always be permitted,
regardless of their other characteristics. See also application whitelisting.
whole-disk encryption The practice of encrypting the main storage on a server,
workstation, or mobile device.
CISM Certified Information Security Manager All-in-One Exam Guide
576
Wi-Fi Protected Access version 2 (WPA2) An encryption protocol that protects Wi-Fi
network traffic from attack.
Wi-Fi Protected Access version 3 (WPA3) An encryption protocol that replaces
WPA2.
wiper Malware designed to wipe the hard drive of a system.
wiperware See wiper.
Wired Equivalent Privacy (WEP) A now-deprecated encryption protocol used by
Wi-Fi networks. See also Wi-Fi Protected Access version 2.
work from home (WFH) An arrangement whereby employees perform work from
their places of residence rather than at a business work location. This arrangement can be
part-time, full-time, temporary, or permanent. See also remote work.
workforce transformation A major change in the management of a workforce or the
work patterns of a workforce.
worm A type of malware containing stand-alone programs capable of human-assisted
and automatic propagation.
Zachman framework An enterprise architecture framework used to describe an
IT architecture in increasing levels of detail.
zero-day A previously unknown vulnerability in an information system. Also known
as 0-day.
zero trust (ZT) security model A network architecture model in which user and
device access must be verified and validated continually.
INDEX
577
CISM Certified Information Security Manager All-in-One Exam Guide
578
analysis control frameworks, 252
BIA. See business impact analysis (BIA) information technology, 367
chain of custody, 510 program development, 218–220
forensic. See forensic investigations risk management integration with, 150
and analysis security strategy, 44–45
incident response, 501 zero-trust, 292–293
incidents, 509–513 ARO (annualized rate of occurrence), 141
risk. See risk assessment and analysis Artificial intelligence (AI) as disruptive
Risk IT framework, 125 technology, 253
risk management process, 116 assessment
risk register, 177 CSA life cycle, 338
analysis documents for business continuity gap, 56–59
plans, 452 ISO/IEC 27005, 121–122
annual training for awareness, 343 NIST SP 800-30, 119–121
annualized loss expectancy (ALE), 141–142 risk. See risk assessment and analysis
annualized rate of occurrence (ARO), 141 risk register, 148
antimalware third parties, 356–360
endpoint protection, 296 vulnerability. See vulnerability assessment
metrics, 225 asset identification and classification, 199
antivirus software classification, 202–208
death of, 297 hardware, 199–200
endpoint protection, 296 information, 201
appearance issues in gap assessment, 59 risk management process, 115
appetite, risk subsystem and software, 200
business alignment, 9 valuation, 209–210
risk management process, 116 virtual, 201–202
risk response, 174–175 asset-level risks, 111
security strategy, 38, 55, 71–72 asset management
applicability in compliance management, 374 business process and asset owners, 20
application firewalls, 283 ITSM, 394
application scanning, 151 asset value (AV)
application servers business alignment, 8
clusters, 470 identification, 136
continuity plans, 444 quantitative risk analysis, 141
threat analysis, 421 risk management process, 115
applications assets
encryption, 321 facilities, 367
replication, 308, 469 risk register, 177
testing, 393 security strategy, 47
whitelisting, 296 assistants, 14
approaches in business cases, 91 assurance process integration
approvals in change management, 386–387 program development, 194
Approved Scanning Vendors (ASV), 265 security strategy, 38
approvers for controls, 274 ASV (Approved Scanning Vendors), 265
APTs (advanced persistent threats), asymmetric encryption, 313
134–135 asynchronous replication, 309, 469
architectures attestations for third parties, 357
availability management, 393 attorney–client privilege, 516
BMIS model, 76–77 attribute sampling for audit evidence, 331
Index
579
audiences awareness
awareness training, 340–343 audit evidence, 330
metrics, 231 risk management programs, 107
policy development, 221 risk response, 181–182
audit rights in TPRM, 353 security strategy, 54, 65–66
auditors awareness training
partnerships, 371 audiences, 340–343
self-assessment, 339 communications, 343–344
audits content filters, 340
controls, 322–323 CSA life cycle, 338
disaster recovery sites, 465 gap assessment, 58
evidence, 329–331 objectives, 339–340
external, 335–336 reporting, 375–376
gap assessment, 57
internal, 333–335, 369 B
methodology, 327–329 background checks in human resource
monitoring, 29 management, 156
objectives, 325 backups, 303–304. See also recovery
outsourcing, 347 disaster recovery plans,
results, controls, 242 472–473
results, reporting, 332–333 encryption, 307
results, seeding, 336–337 media storage, 306–307
risk register, 148 records, 308
security strategy, 53 replication, 308–309
statements of work, 328 rotation, 305–306
techniques, 324–325 schemes, 305
third-party reports, 332 tape, 304
TPRM, 353 balanced scorecards (BSCs), 232–233
types, 325–327 bare-metal restores, 521
AUPs (acceptable use policies), 10, 322 Bayesian analysis, 143
authentication BCDR (business continuity and disaster
encryption, 310 recovery) programs, 50
identity and access management, 299 BCI (Business Continuity Institute), 454
Information security architecture, 219 BCM Institute (Business Continuity
multifactor, 174, 299 Management Institute), 455
zero-trust architecture, 292–293 BCPs. See business continuity plans (BCPs)
authorized persons in incident response BEC (business e-mail compromise),
plans, 516 280, 291
automatic controls, 245 behavioral skills, 46
automation BIA. See business impact analysis (BIA)
BMIS model, 77 bias, normalcy, 68–69
security operations, 363 big data architects, 24
AV. See asset value (AV) biometric recognition in BMIS model, 79
availability management in ITSM, 393–394 blacklists for e-mail, 291
availability principle in SOC 2, 271 block ciphers, 313
avalanches, 428 BMIS (Business Model for Information
avoidance, risk Security), 73
description, 117 elements and dynamic interconnections,
ISO/IEC 27005, 123 74–79
risk response, 169–170 working with, 79–81
CISM Certified Information Security Manager All-in-One Exam Guide
580
boards of directors considerations, 447–451
roles, 16–18 development overview, 436
security strategy, 39 disaster declaration procedures,
security strategy meetings, 67 437–439
book value in asset valuation, 209 disasters, 427–434
books for risk management, 114 evaluating, 484–487
bow-tie analyses, 143 gap assessment, 58
breaches maintaining, 453–454
privacy, 512 overview, 406–408, 426–427
third-party, 49 personnel safety procedures, 436–437
breadth of coverage policies in security policies, 434–435
strategy, 42 process, 434
bring your own app (BYOA) risk management, 145
as disruptive technology, 253 roles, 27
security strategy, 50 testing, 478–483
bring your own device (BYOD) business e-mail compromise (BEC),
as disruptive technology, 253 280, 291
security strategy, 50 business experience of boards of directors, 17
broadcast alerts, 441 business impact analysis (BIA)
BSCs (balanced scorecards), 232–233 big picture, 417
budgets criticality analysis, 420–422
program management, 382–383 executive level, 417
security strategy, 70 key processes and systems inventory,
build vs. buy control decisions, 247 417–418
bulletins for awareness training key recovery targets, 423–426
communication, 344 maximum tolerable downtime, 422
business alignment maximum tolerable outage, 422–423
criticality, 39 security strategy, 50
gap assessment, 56 statements of impact, 419–420
information security governance, 8–9 business intelligence in third parties, 357
security strategy, 38 business leaders in security strategy, 40
business analysts, 29 Business Model for Information Security
business cases, developing, 89–91 (BMIS), 73
business continuity elements and dynamic interconnections,
containment methods, 514–515 74–79
responsibilities, 503 working with, 79–81
security governance, 7 business operations as asset, 201
third-party remediation, 361 business partners, communication with, 370
training, 476–477 business prevention, security as, 9
business continuity and disaster recovery business processes
(BCDR) programs, 50 detection techniques, 128
Business Continuity Institute (BCI), 454 owner responsibilities, 20–21
Business Continuity Management Institute business recovery plans, 452
(BCM Institute), 455 business resilience roles, 27
business continuity plans (BCPs) business terms in business cases, 91
availability to personnel, 452–453 business unit leaders
best practices, 454–455 communication with, 369–370
COBIT controls, 435 incident response plans, 413
components, 451–452 TPRM programs, 349
Index
581
buy vs. build control decisions, 247 Center for Internet Security (CIS)
BYOA (bring your own app) Critical Security Controls framework,
as disruptive technology, 253 216–217, 249, 260–262
security strategy, 50 standards, 43
BYOD (bring your own device) centralized log management, 276
as disruptive technology, 253 certificate authorities (CAs), 316, 318
security strategy, 50 certificate revocation lists (CRLs), 319
certificates in public key infrastructure, 318
C certification practice statements (CPSs), 319
CABs (change advisory boards), 387 certifications
call trees for disaster communication, forensics, 512
449–450 incident response, 476
Canada, law enforcement agencies in, 370 PCI Security Standards Council, 265
Capability Maturity Model Integration for professional development, 379–381
Development (CMMi-DEV) professional organizations, 372
incident response plans, 412 Certified Cloud Security Professional
security strategy, 60–61 (CCSP), 380
capacity, risk, 174–175 Certified Computer Examiners (CCEs), 476
capacity management in ITSM, 392–393 Certified Data Privacy Solutions Engineers
career paths in professional development, 379 (CDPSEs), 380
CAs (certificate authorities), 316, 318 Certified Digital Forensics Examiners
CASBs (cloud access security brokers), 290 (CDFEs), 512
cashiers, awareness training for, 341 Certified Ethical Hackers (CEHs), 380
categories Certified Forensic Computer Examiners
CIS CSC controls, 216 (CFCEs), 512
controls, 84, 245 Certified in Risk and Information Systems
CSF functions, 86 Control (CRISC) certification, 4, 380
HIPAA requirements, 213 Certified in the Governance of Enterprise IT
incidents, 473–475 (CGEIT), 4
information security processes, 195 Certified Information Security Managers
ISO/IEC 27002, 254–256 (CISMs), 380
NIST SP 800-53, 214, 259–260 Certified Information Systems Auditors
NIST SP 800-171, 214–215 (CISAs), 380
operational activities, 276 Certified Information Systems Security
retail workers, 341 Professionals (CISSPs), 380
risk management, 104–105 Certified Secure Software Lifecycle
strategic objectives, 55 Professionals (CSSLPs), 380
causal relationships in metrics, 226 CFCEs (Certified Forensic Computer
CCBs (change control boards), 387 Examiners), 512
CCEs (Certified Computer Examiners), 476 CGEIT (Certified in the Governance of
CCM (Cloud Controls Matrix), 249, 270 Enterprise IT), 4
CCOs (chief compliance officers), 23 chain of custody in forensic investigations, 510
CCSP (Certified Cloud Security change advisory boards (CABs), 387
Professional), 380 change and change management
CDFEs (Certified Digital Forensics availability management, 393
Examiners), 512 capacity management, 392
CDPSEs (Certified Data Privacy Solutions configuration management link, 389
Engineers), 380 controls, 63
CEHs (Certified Ethical Hackers), 380 ITSM, 386–388
CISM Certified Information Security Manager All-in-One Exam Guide
582
change and change management (cont.) system, 206–207
organizational inertia, 72 vendor, 354–356
project and program management, 382 clients for incident reporting, 508
resistance to, 68, 72 clone phishing, 291
risk management integration with, 152 closure
risk ownership, 178–179 activities, 522
change control boards (CCBs), 387 incident response, 501
changing technologies in control frameworks, cloud
252–253 business titles, 26
charters in program development, 194 cloud-based information assets, 201
charts, RACI, 15–16 as disruptive technology, 253
CHFIs (Computer Hacking Forensic service providers, 350–351
Investigators), 512 cloud access security brokers (CASBs), 290
chief compliance officers (CCOs), 23 Cloud Controls Matrix (CCM), 249, 270
chief information officers (CIOs), 18 Cloud Security Alliance (CSA)
chief information risk officers (CIROs), 21–22 Cloud Controls Matrix, 249, 270
chief information security officers (CISOs), description, 371–372
18, 21–22 cloud sites
chief privacy officers (CPOs), 23 disaster recovery plans, 463
chief risk officers (CROs), 21–22 hardware, 466
chief security officers (CSOs), 21–22 clusters in disaster recovery plans, 469–470
chief technical officers (CTOs), 18 CM (configuration management)
CIAS (confidentiality, integrity, availability, endpoint protection, 294–295
and safety), 407 ITSM, 388–389
CIOs (chief information officers), 18 risk management integration with,
ciphers, 313 152–153
ciphertext, 311 CMDBs (configuration management
CIROs (chief information risk officers), 21–22 databases), 388
CIS (Center for Internet Security) CMMC (Cybersecurity Maturity Model
Critical Security Controls framework, Certification) framework, 215
216–217, 249, 260–262 CMMi-DEV (Capability Maturity Model
standards, 43 Integration for Development)
CIs (configuration items) in ITSM, 388 incident response plans, 412
CISAs (Certified Information Systems security strategy, 60–61
Auditors), 380 COBIT 2019. See Control Objectives for
CISMs (Certified Information Security Information and Related Technology
Managers), 380 (COBIT 2019) framework
CISOs (chief information security officers), Code of Professional Ethics, 10–11
18, 21–22 coding
CISSPs (Certified Information Systems reviews, 151, 369
Security Professionals), 380 scanning, 151
civil disturbances, 431 standards, 151
classification cold sites
assets, 202–208 backup storage, 307
controls, 242–245, 274 disaster recovery plans, 462
facilities, 207 hardware, 465–466
hardware assets, 200 command and control
incidents, 473–475 disasters, 440–441
information, 203–205 incident response plans, 413
personnel, 207–208 intrusion kill chain model, 410
Index
583
commanders incident responsibilities, 502 compliance and compliance management
Committee of Sponsoring Organizations of applicability, 374
the Treadway Commission (COSO) audits, 326
control framework, 249 disasters, 442
private-sector associations, 267–269 insurance, 48
Common Vulnerability Scoring System metrics, 227
(CVSS), 278–279 monitoring, 375
communication and reporting outsourcing, 347
affiliates and key business partners, 370 overview, 373–374
audits, 328–329, 332, 369 policies, 43
awareness training, 343–344, 375–376 risk, 176–177, 374–375
budgets, 382–383 vs. security, 373–374
business continuity plans, 452 components in risk management frameworks,
business unit managers, 369–370 108–109
compliance management, 373–375 compromised keys, 320
crisis management, 515–516 computer account abuse, 408
disaster recovery sites, 465 Computer Hacking Forensic Investigators
disasters, 440–442, 448 (CHFIs), 512
external partnerships, 370–373 conceptual stage in security involvement, 281
facilities, 366–367 conduct assessment in NIST SP 800-30, 119
incident response, 515–519 conferences for risk management support, 114
incident response plans, 416–417, confidential information classification,
516–517 203–205
incident responsibilities, 502–503 confidentiality, integrity, availability, and
information technology, 367–368 safety (CIAS), 407
internal partnerships, 364–370 confidentiality principle in SOC 2, 271
ISO/IEC 27005, 123 configuration
monitoring, 30 faults, 127
NIST SP 800-30, 120–121 standards, 64
personnel management, 376–382 configuration items (CIs) in ITSM, 388
policies, 42 configuration management (CM)
post-incident reviews, 522–523 endpoint protection, 294–295
procurement, 369 ITSM, 388–389
project and program management, 382 risk management integration with, 152–153
risk management, 107, 363–364 configuration management databases
risk management support, 114 (CMDBs), 388
risks, 117, 180–182 conflicts of interest in RACI charts, 16
security governance, 6 consequences identification in ISO/IEC
security operations, 363 27005, 122
security strategy, 66–67 consequences of policies in security strategy, 43
systems development, 368–369 consequential financial cost in asset
technical architecture, 376 valuation, 209
third-party audits, 332 consistency in BMIS architecture, 77, 79
compensating controls, 244 constraints in security strategy, 68–72
compensation in project and program consultants
management, 382 RACI charts, 16
competitive advantage in outsourcing, 346 risk management programs, 107–108
competitive differentiation in resource risk management support, 112
expenditures, 232 risk register, 148
CISM Certified Information Security Manager All-in-One Exam Guide
584
contact lists NIST SP 800-53, 214, 259
business continuity plans, 452 NIST SP 800-171, 215
disaster communications, 451 overview, 248
disaster recovery plans, 472 PCI DSS, 217, 264–266
containerization for cloud services, 202 risk mitigation, 168
containment security strategy, 63
incident response, 501 selecting, 248–249
incident responsibilities, 503 service organization, 270–272
methods, 513–515 standards, 64
content working with, 251–252
audit reports, 332–333 Control Objectives for Information and
awareness training, 340 Related Technology (COBIT 2019)
content filters framework
incident response tools, 505 business continuity plans, 435
web, 289–290 control framework, 249
context management framework, 218
ISO/IEC 27005, 121 overview, 212–213
risk management programs, 109–110 principles, 267
contingencies risk management frameworks, 108
BCP and DRP plans tests, 479–480 control self-assessment (CSA), 337–338
disaster recovery plans, 459 control testing and evaluation, 321
continuing operations audits. See audits
business continuity plans, 452 monitoring, 322
disasters, 446 reviews, 322–323
continuous improvement, 394 controls
contract information for disasters, 445 alignment in policy development, 221
contractors BMIS model, 77
employee benefits, 156 build vs. buy decisions, 247
in workforce, 29 categories, 245
contractual obligations classes, 243–245
enterprise governance, 11–12 classification, 242–243
vendor classification, 355 developing, 272–275
control assurance in three lines of defense disaster recovery sites, 465
model, 196 effectiveness evaluation, 333
control deficiency analysis, 127–129 event monitoring, 276–277
control frameworks, 210–212 frameworks. See control frameworks
Center for Internet Security, 260–262 gap assessment, 57
changing technologies, 252–253 general computing, 246–247
COBIT, 212–213, 267 implementation, 275
COSO, 267 monitoring activities, 29
Critical Security Controls, 216–217 network protection. See network protection
CSA, 270 objectives, 245–246
HIPAA, 213–214, 266 operations, 196, 275–276
ISO/IEC 27002, 213, 254–259 outsourcing issues, 346
ISO/IEC 27005, 122 overview, 145
ITIL / ISO/IEC 20000, 213 ownership in risk response, 179–180
mapping, 250–251 purpose, 242
NERC, 267–269 risk assessment for third parties, 52
NIST CSF. See Cybersecurity secure engineering, 280–282
Framework (CSF) security governance, 6
Index
585
security strategy, 45, 62–63 Critical Security Controls framework (CSC),
self-assessment, 337–339 216–217
standards, 72–88 criticality
third-party remediation, 361 business alignment, 39
three lines of defense model, 196 business impact analysis, 420–422
TPRM, 352 CRLs (certificate revocation lists), 319
types, 243 CROs (chief risk officers), 21–22
vulnerability management, 277–282 cross-border data transfer in outsourcing, 347
controls analysts, 25 cross references to controls, 275
controls managers, 26 crosswalks, 250
convergence in metrics, 227–228 cryptography
core of NIST Cybersecurity Framework, 215 key management, 319–321
core teams in disaster declaration, 438 overview, 310
corporate workers, awareness training for, 341 private key cryptosystems, 313–314
corrective actions, risk implications associated public key cryptosystems, 314–318
with, 154 public key infrastructure, 318–319
corrective controls, 244 terms and concepts, 311–313
corruption of data incidents, 409 CSA (Cloud Security Alliance)
COSO (Committee of Sponsoring Cloud Controls Matrix, 249, 270
Organizations of the Treadway Commission) description, 371–372
control framework, 249 CSA (control self-assessment), 337–338
private-sector associations, 267–269 CSC (Critical Security Controls framework),
costs 216–217
asset valuation, 209 CSF. See Cybersecurity Framework (CSF)
BMIS architecture, 77 CSOs (chief security officers), 21–22
efficiency metrics, 230–231 CSSLPs (Certified Secure Software Lifecycle
MSSP control of, 506 Professionals), 380
outsourcing, 345–346 CTOs (chief technical officers), 18
quantitative risk analysis, 141 cultural differences in outsourcing, 348
risk response, 172–173 culture
security strategy, 70 acceptable use policies, 10
covered entities in HIPAA, 213 BMIS model, 75–76
CPOs (chief privacy officers), 23 business alignment, 8
CPSs (certification practice statements), 319 constraints, 69
creation cost in asset valuation, 209 organizational, 9–11
CRISC (Certified in Risk and Information personnel management, 378
Systems Control) certification, 4, 380 security strategy, 53–54
crisis communications current state in business cases, 91
incident response plans, 413 custodial responsibilities, 21
management, 515–516 custodians of hardware assets, 200
role, 27 custody of keys, 320
criteria customer availability in disasters, 434
disaster declaration, 438 customer data in vendor classification, 354
risk evaluation, 121 customer information as asset, 201
risk measurement, 142 customer metrics in balanced scorecards, 232
success, 91 customer notifications in disasters, 448–449
vendor classification, 354–355 customer priorities in disaster recovery sites, 465
critical data in security strategy, 49–50 customer requirements in insurance, 48
critical personnel for disasters, 448 customers, incident reporting by, 508
CISM Certified Information Security Manager All-in-One Exam Guide
586
cutover tests data management roles, 24
BCP and DRP, 482–483 data managers, 24
training, 477 data protection in forensic investigations, 511
CVSS (Common Vulnerability Scoring data scientists, 24
System), 278–279 data sovereignty in disaster recovery sites, 465
Cyber Incident Reporting for Critical database administrators (DBAs), 24
Infrastructure Act, 192 database analysts, 24
cyber insurance database architects, 24
MSSPs, 506 database management servers, 206
security strategy, 48–49 database management systems (DBMSs)
TPRM, 353 disasters, 444
cyber intelligence in third parties, 357 replication, 308, 468
“Cyber-Risk Oversight 2020,” 18 vulnerability detection techniques, 128
Cybersecurity Canon, 114 dates in controls development, 274
Cybersecurity Framework (CSF) DBAs (database administrators), 24
activities, 262–264 DDoS (distributed denial-of-service) attacks
components, 215–216 incidents, 409
control framework, 249 protection against, 285
highlights, 86–87 deception in antimalware, 296
overview, 85–86 declaration of incidents
purpose, 218 business continuity plans, 437–439
steps, 87–88 disaster recovery plans, 471
Cybersecurity Maturity Model Certification responsibilities, 502
(CMMC) framework, 215 decryption, 312
cyclical controls, testing, 334–335 dedicated personnel in MSSPs, 505
cyclone damage, 428 defense-in-depth architecture, 252
Defense Information Systems Agency Security
D Technical Implementation Guides
damage assessment in disasters, 442 (DISA STIG), 43
damaged files, recovering, 521 delivery phase in intrusion kill chain model, 410
data acquisition Delphi method, 143
forensic investigations, 510 demilitarized zones (DMZs), 206, 282–284
Risk IT framework, 125 denial-of-service (DoS) attacks, 409
data communications for disaster recovery department heads in TPRM programs, 349
sites, 465 departments in awareness training, 343
data debt, 45 deployment in release management, 391
data encryption in endpoint protection, 295 descriptions in risk register, 177
data entry in BMIS model, 79 design
data extraction in forensic investigations, 511 architecture issues, 44
data flow diagrams (DFDs), 81–82 control frameworks, 251–252
data governance faults in, 127
access management, 303 release management, 390
backup and recovery, 303–309 security involvement, 281
cryptography, 311–321 desired state in business cases, 91
data classification, 309 destruction
data loss prevention, 309–310 backups, 308
data issues in disasters, 444 of data in incidents, 409
data loss prevention (DLP), 309–310 destructware, 295–296
details in controls development, 274–275
Index
587
detection results, 490
Cybersecurity Framework, 86, 262 roles, 27
incident phase, 507–508 RTO and RPO, 457–459
incident response, 500 SaaS services, 463–464
incident responsibilities, 502 security governance, 7
detective controls, 244 site recovery options, 460–465
deterrent controls, 244 strategies, 459–460
developer controls, 274 team roles and responsibilities, 456–457
development step in release management, 390 testing, 478–483
device authentication in zero-trust disasters
architecture, 292 business continuity plans, 427–434
device management in information security communication in, 440–442
architecture, 220 containment methods, 514–515
device validation in zero-trust architecture, 293 continuing operations, 446
DFDs (data flow diagrams), 81–82 effects, 433–434
differential backups, 305 human-caused, 431–432
digital certificates and envelopes in public key natural, 428–431
infrastructure, 318 recovery procedures, 445–447
digital rights management (DRM), 310 responsibilities, 439–445
digital signatures, 312, 317 training for, 476–477
direct connectivity in SaaS services, 464 discipline in human resources, 366
direct damage from disasters, 433 disciplines in security strategy skills, 46
directory infrastructure in public key disclosure of sensitive information, 409
cryptosystems, 316 discovery sampling for audit evidence, 331
DIs (dynamic interconnections) in BMIS disk storage systems for replication, 308, 468
model, 74–79 display in BMIS model, 79
DISA STIG (Defense Information Systems disposal of keys, 320–321
Agency Security Technical Implementation disputes in third-party remediation, 362
Guides), 43 distributed denial-of-service (DDoS) attacks
disaster declaration procedures incidents, 409
business continuity plans, 437–439 protection against, 285
disaster recovery plans, 471 distributed lock managers, 469
incident responsibilities, 502 distributed workforce in disaster recovery
Disaster Recovery Institute International (DRI plans, 465
International), 455 distribution of policy development, 222–223
disaster recovery plans (DRPs) DLP (data loss prevention), 309–310
alternate processing facilities, 492 DMZs (demilitarized zones), 206, 282–284
business continuity plans, 452 DNS (domain name system) filtering, 290
data backup and recovery, 472–473 document reviews
developing, 471–472 BCP and DRP tests, 480
distributed workforce, 465 incident response plans, 477
evaluating, 488–492 training, 477
gap assessment, 58 documentation
hardware, 465–466 BCP and DRP tests, 483
inputs, 455 business continuity plans, 451–453,
offsite storage, 491–492 485–486
overview, 406–408 chain of custody, 510
recovery and resilience technologies, 467–471 risk, 182
recovery objectives, 457 risk ownership, 178
CISM Certified Information Security Manager All-in-One Exam Guide
588
domain expertise of MSSPs, 505 elliptic curve cryptography (ECC), 316
domain name system (DNS) filtering, 290 emergence in BMIS model, 77–78
DoS (denial-of-service) attacks, 409 emergency changes, 387–388
DRI International (Disaster Recovery Institute emergency communications plans in BCPs, 452
International), 455 emergency contact lists, 472
DRM (digital rights management), 310 emergency management, 440–441
DRPs. See disaster recovery plans (DRPs) emergency operations responsibilities, 503
due diligence emergency radio communications, 441
onboarding, 352 emergency supplies, 447–448
outsourced services, 51–52 emerging threats, identifying, 135–136
TPRM, 353–354 employee integrity factor in third-party
duties remediation, 361
RACI charts, 16 employees, incident reporting by, 508
segregation of, 300–301 empowerment in security strategy, 54
dwell time enabling and support DI in BMIS model, 78
incident detection, 507 encryption
reducing, 508 applications, 321
dynamic data loss prevention, 309 backups, 307
dynamic interconnections (DIs) in BMIS cryptography. See cryptography
model, 74–79 endpoint protection, 295
incidents, 409
E key management, 219
e-mail end user behavior analytics (EUBA),
awareness training communication, 343 301–302
protecting, 290–292 end users, incident reporting by, 508
public key cryptosystems, 316 endpoint detection and response (EDR), 297
e-vaulting for backups, 304 endpoint protection and management, 293
EA (enterprise architecture), 218–220 configuration management, 294–295
earthquake damage, 428 EDR, 297
EC-Council Certified Incident Handlers local administrators, 298
(ECIHs), 476 malware, 295–296
EC-Council (International Council of targets, 294
Electronic Commerce Consultants), 372 VDIs, 297
ECC (elliptic curve cryptography), 316 whitelisting, 296
economies of scale for outsourcing, 345 engineering stage in security involvement, 281
EDR (endpoint detection and response), 297 enhancements in release management, 389
EF (exposure factor) in quantitative risk ENISA (European Union Agency for
analysis, 141 Cybersecurity), 43
effective metrics, 226 enterprise architecture (EA), 218–220
effective processes in BMIS model, 75 enterprise governance, 3
effective risk management, 38 legal, regulatory, and contractual
effectiveness evaluation for controls, 333 requirements, 11–12
efficiency in BMIS architecture, 77 notes, 31–32
elasticity in cloud services, 202 organizational culture, 9–11
electronic contact lists for disasters, 451 organizational roles. See organizational roles
electronic protected health information questions, 32–35
(ePHI), 213 review, 30–31
elements in BMIS model, 74–75 security, 4–9
Index
589
enterprise-level risks, 111 monitoring, 276–277
enterprise risk management (ERM) probability in quantitative risk analysis, 140
description, 111 security operations, 363
risk management integration with, 155 visibility in incident detection, 507
Entry-Level Cybersecurity Certification, 380 evidence
envelopes in public key cryptosystems, 318 audits, 329–331
environment gap assessment, 58
BMIS model, 79 retaining in incident response, 501
risk management programs, 110 third parties, 359–361
environmental controls in disaster recovery executive management
sites, 465 incident response plans, 413
ePHI (electronic protected health responsibilities, 18–19
information), 213 security strategy, 39
equipment existing strategy in gap assessment, 56
disaster recovery sites, 464–465 experience in outsourcing, 345
facilities, 366 expiration of keys, 320
eradication exploitation phase in intrusion kill chain
incident response, 501 model, 410
incident responsibilities, 503 exposure factor (EF) in quantitative risk
process, 519–520 analysis, 141
ergonomics in BMIS model, 79 extended detection and response (XDR)
ERM (enterprise risk management) systems, 297
description, 111 external attestations for third parties, 357
risk management integration with, 155 external audits
error recovery in BMIS model, 79 compliance, 326, 375
errors and omissions in outsourcing, 347 reasons, 335–336
escalation in incident response plans, reports, 57
416–417 statements of work, 328
ETA (event-tree analysis), 143 TPRM, 353
ethics in organizational culture, 10–11 external communications
EUBA (end user behavior analytics), 301–302 disasters, 442
European Telecommunications Standards incident responsibilities, 503
Institute (ETSI) post-incident reviews, 523
CYBER standard, 218 external environments in risk management
Technical Report control framework, 249 programs, 110
European Union Agency for Cybersecurity external legal counsel, 506
(ENISA), 43 external partnerships
evaluation law enforcement, 370–371
alternate processing facilities, 492 professional organizations, 371–372
business continuity plans, 484–487 regulators and auditors, 371
control effectiveness, 333 security product vendors, 373
disaster recovery plans, 488–492 security professional services vendors,
incident response, 492–493 372–373
ISO/IEC 27005, 121–122 standards organizations, 371
offsite storage, 491–492 external services
risk, 144 cloud providers, 350–351
event-tree analysis (ETA), 143 outsourcing, 345–348
events overview, 344–345
cost in quantitative risk analysis, 141 third parties. See third parties
identification in security governance, 7 TPRM life cycle, 351–354
CISM Certified Information Security Manager All-in-One Exam Guide
590
external support in risk management, 112–113 fingerprints, 316
external threat intelligence in security fire disasters, 432
operations, 363 firewalls
external threats, identifying, 132–134 metrics, 225
extraterrestrial impacts, 430 network protection, 282–284
first in, first out (FIFO) backup strategy, 305
F flexibility in BMIS architecture, 77
facilities flood damage, 428
alternate processing, 402 floor managers, awareness training for, 341
as asset, 199 follow-ups for audits, 329
for BCP and DRP tests, 479–480 forecasting data for threats, 136
classification, 207 Foreign Corrupt Practices Act of 1977
communication with, 366–367 (FCPA), 11
TPRM programs, 349 forensic investigations and analysis
Factor Analysis of Information Risk (FAIR), audits, 326
124–125 certifications, 512
failover in server clusters, 470 chain of custody, 510
fairs for awareness training communication, 344 incident ranking and rating, 509
false alarms incident response, 505
disaster declaration, 439 incident response plans, 413
incident initiation, 509 incident responsibilities, 503
FAM (file activity monitoring), 505 techniques and considerations,
fault-tree analysis (FTA), 143 510–511
FCPA (Foreign Corrupt Practices Act of forensics analysts, 27
1977), 11 fourth parties in SaaS services, 464
fear culture, 69 frameworks
feasibility studies for release management, 389 Business Model for Information Security,
Federal Emergency Management Agency 73–81
(FEMA), 454 control. See control frameworks
fiduciary responsibility information governance, 72–88
boards of directors, 17 ISO/IEC 27001, 83–85
resource expenditures, 232 management, 218
FIFO (first in, first out) backup strategy, 305 mitigation, 168
file activity monitoring (FAM), 505 NIST CSF. See Cybersecurity Framework
file integrity monitoring (FIM), 505 (CSF)
fileless malware, 296 Open Group Architecture Framework,
filters 83–84
DNS, 290 policy development, 62
phishing, 290–292 risk management programs, 108–109
web content, 289–290, 504 standards, 64
FIM (file integrity monitoring), 505 Zachman, 81–82
finance managers, 29 frequency of control use, 274
financial audits, 325 FTA (fault-tree analysis), 143
financial management, 391–393 full backups, 305
financial metrics in balanced scorecards, 232 function definitions by asset owners, 20
finding talent, 376–377 functional requirements in program
fines, risk of, 375 development, 224
Index
591
G governance
activities and results, 7–8
GAISPs (generally accepted information
BMIS model, 76
security principles), 173
business alignment, 8–9
gap analysis and assessment
data. See data governance
Cybersecurity Framework, 263
defined, 3
incident response plans, 414
enterprise. See enterprise governance
risk management, 112
frameworks and standards, 72–88
security strategy, 56–59
information security strategy.
GASF (GIAC Advanced Smartphone
See security strategy
Forensics) certification, 512
introduction, 4–6
GASSPs (generally accepted security systems
reasons, 6–7
principles), 173
governance meetings for security strategy, 67
gate processes in release management, 391
governance, risk, and compliance (GRC)
GCCs (general computing controls), 246–247
risk registers, 178
GCFAs (GIAC Certified Forensic Analysts), 476
roles, 26
GCFEs (GIAC Certified Forensic
Gramm-Leach-Bliley Act (GLBA), 176
Examiners), 512
grandfather-father-son backup strategy, 306
GCIHs (GIAC Certified Incident
GRC (governance, risk, and compliance)
Handlers), 476
risk registers, 178
general computing controls (GCCs), 246–247
roles, 26
generally accepted information security
GREM (GIAC Reverse Engineering
principles (GAISPs), 173
Malware), 476
generally accepted security systems principles
groups for hardware assets, 200
(GASSPs), 173
guards for facilities, 367
generation of keys, 319
guest processing for facilities, 366
geographic clusters in disaster recovery
guidelines
plans, 470
gap assessment, 57
geographic site selection in SaaS services, 463
program development, 223
GIAC Advanced Smartphone Forensics
security strategy, 43–44
(GASF) certification, 512
GIAC Certified Forensic Analysts (GCFAs), 476
GIAC Certified Forensic Examiners
H
(GCFEs), 512 hail damage, 429
GIAC Certified Incident Handlers hard copies for business continuity
(GCIHs), 476 plans, 453
GIAC (Global Information Assurance hard disk drives
Certification), 380 backups, 304
GIAC Network Forensic Analysts encryption, 295
(GNFAs), 476 hardening
GIAC Reverse Engineering Malware information technology, 367
(GREM), 476 standard documents in endpoint
GLBA (Gramm-Leach-Bliley Act), 176 protection, 295
Global Information Assurance Certification hardware
(GIAC), 380 assets, 199–200
GNFAs (GIAC Network Forensic configuration items, 388
Analysts), 476 disaster recovery plans, 465–466
goals disasters, 445
business alignment, 8–9 hash functions, 311, 317
outsourcing, 347 hazardous materials spills, 432
CISM Certified Information Security Manager All-in-One Exam Guide
592
HCI (human–computer interaction) IDPS (intrusion detection/prevention system)
in BMIS model, 78 metrics, 225
Health Insurance Portability and IDSs (intrusion detection systems), 285
Accountability Act (HIPAA) IEC (International Electrotechnical
control framework, 213–214, 249 Commission), 371
sections, 266 IG (information governance), 87–88
healthy cultures, importance of, 69 ignoring risk, 171
high risk roles in identity and access image management in endpoint protection, 294
management, 301 impact
HITRUST CSF control framework, 249 business impact analysis, 419–420
hot sites identifying, 137
backup storage, 307 ISO/IEC 27005 criteria, 121
disaster recovery plans, 460–461 NIST SP 800-30 determination, 120
hardware, 466 risk, 138–139
HR (human resources), 365–366 risk management process, 116
HRM (human resource management), 155–156 risk response, 172
human-caused disasters, 431–432 implementation
human resource information system change management, 387–388
(HRIS), 156 controls, 275
human resource management (HRM), Cybersecurity Framework tiers, 215
155–156 release management, 390–391
human resources (HR), 365–366 improvements from security governance, 7
human–computer interaction (HCI) Improving Critical Infrastructure
in BMIS model, 78 Cybersecurity executive order, 85
hybrid cryptography, 318 incident management
hygiene in risk likelihood, 137 capacity management link, 393
change management link, 388
I configuration management link, 388
IAM. See identity and access management ITSM, 384–385, 416
(IAM) parts, 302
ice storms, 429 risk management integration with,
identification 153–154
chain of custody, 510 incident management operations
Cybersecurity Framework, 86, 262 communications, 515–517
hardware assets, 200 containment methods, 513–515
NIST SP 800-30, 119 incident analysis, 509–513
risk, 116, 136–137 incident detection, 507–508
risk register, 177 incident eradication, 519–520
third parties, 348–350 incident initiation, 509
vulnerability management, 279–280 metrics and reporting, 517–519
identity and access management (IAM) notes, 524
access governance, 299 overview, 499
access operations, 299–300 phases, 499–502
access recertification, 301 post-incident review practices, 522–523
accumulation of privilege, 300 questions, 524–528
activity reviews, 301 recovery, 520–521
high risk roles, 301 remediation, 521–522
overview, 300–301 review, 523–524
segregation of duties, 300–301 roles and responsibilities, 502–503
user behavior analytics, 301–302 tools and techniques, 503–507
Index
593
incident management readiness monitoring by MSSPs, 505–507
business continuity plans. See business ranking and rating, 509
continuity plans (BCPs) remediation, 521–522
business impact analysis, 417–426 response. See incident response; incident
disaster recovery plans. See disaster recovery response plans
plans (DRPs) risk register, 148
incident classification and categorization, security operations, 363
473–475 security steering committees
incident response, 492–493 responsibilities, 20
incident response plans, 406–417 security strategy, 67
notes, 494 third parties, 362
overview, 405–406 increased trust in security governance, 8
questions, 494–498 incremental backups, 305
review, 493–494 indicators of compromise (IOCs), 506
training, 475–477 industry development in risk register, 148
incident response inertia, organizational, 72
evaluating, 492–493 infinite regress, 52
overview, 408–410 influence, metrics for, 226
playbooks, 411 information assets, 201
release management, 389 information classification, 203–205
security governance, 7 information exposure and theft, 408–409
TPRM, 353 information gathering in risk assessment and
training, 475–477 analysis, 139–140
incident response plans information governance (IG), 87–88
communications, 416–417, 516–517 information governance position, 26
developing, 411–417 information security and privacy, 444
escalation, 416–417 Information security architecture, 218–220
gap analysis, 414 Information Security Forum (ISF), 371
maturity, 412 information security governance. See governance
objectives, 411–412 information security program management.
overview, 406–410 See program management
playbooks, 414–415 information security risk assessment.
resources, 412–414 See risk assessment and analysis
testing, 477–483 information security risk response.
third-party incidents, 415 See risk response
updates, 415 information security strategy.
incident response retainers (IRRs), 506 See security strategy
incidents information sources for risk register, 148
analysis, 509–513 information system theft and damage from
classification and categorization, 473–475 incidents, 409
closure, 522 information systems (IS) audits, 326
detection, 507–508 Information Systems Security Association
forensic investigations, 509–512 (ISSA), 372
gap assessment, 57–58 information systems view in
initiation, 509 NIST SP 800-39, 118
insurance company notifications, 49 information technology (IT)
logs in security strategy, 50–51 communication, 367–368
managing. See incident management; gap assessment, 58
incident management operations; operations roles, 25
incident management readiness TPRM programs, 349
CISM Certified Information Security Manager All-in-One Exam Guide
594
information technology (IT) personnel, internal data in vendor classification, 354
incident reporting by, 508 internal environments in risk management
informed people in RACI charts, 16 programs, 110
Inherent risk assessment for third parties, 52 internal partnerships
initial assessment in TPRM life cycle, 352 human resources, 364–365
initialization vectors (IVs) in cryptography, 313 legal issues, 364
initiation, incident overview, 364
response, 500 internal processes in balanced scorecards, 233
steps, 509 internal threats, identifying, 130–132
innovation and learning in balanced internal transfers in human resources, 365
scorecards, 233 internal web sites for awareness training
insider threats in user behavior analytics, 302 communication, 344
installation phase in intrusion kill chain International Council of Electronic
model, 410 Commerce Consultants (EC-Council), 372
institutional knowledge in gap assessment, 59 International Electrotechnical Commission
insurance (IEC), 371
coverage reviews, 487 International Information Systems Security
security strategy, 48–49 Certification Consortium (ISC)², 372
TPRM, 353 International Organization for
insurance adjusters for disasters, 449 Standardization (ISO), 371
insurance companies for incident response, 506 Internet hygiene, 339
integrated audits, 326 Internet of things (IoT) as disruptive
integration technology, 253
assurance process, 38, 194 Internet Protocol Security (IPsec), 321
controls, 272 Internet time servers, 206
risk management programs, 109, 150–157 interviews
SaaS services, 464 of personnel for business continuity plans,
integrity 486–487
information classification, 203 risk analysis information gathering, 139
outsourcing issue, 346 intrusion detection/prevention system (IDPS)
third-party remediation, 361 metrics, 225
intellectual property intrusion detection systems (IDSs), 285
as asset, 201 intrusion kill chain model, 410–411
outsourcing theft, 346 intrusion prevention systems (IPSs), 284–285
third-party remediation, 361 intrusive monitoring by third parties, 358
intelligence inventory of key processes and systems
AI, 253 inventory in business impact analysis,
risk management support, 115 417–418
third parties, 357 investigations for human resources, 366
threat, 148, 277, 363, 504 investor representation on boards of
internal audits directors, 17
monitoring, 29 IOCs (indicators of compromise), 506
overview, 333–335 IoT (Internet of things) as disruptive
reports, 57 technology, 253
risk register, 148 IPsec (Internet Protocol Security), 321
internal communications IPSs (intrusion prevention systems),
disasters, 441 284–285
incident responsibilities, 503 IRRs (incident response retainers), 506
post-incident reviews, 522 IS (information systems) audits, 326
Index
595
ISACA iterative risk treatment, 173–174
BMIS, 73–74 ITGCs (IT general controls), 246–247
certifications, 372 ITIL (IT Infrastructure Library) process
COBIT 2019, 218 framework, 213, 384
Code of Professional Ethics, 10–11 ITSM. See IT service management (ITSM)
data security definition, 303 IVs (initialization vectors) in cryptography, 313
governance description, 76
risk appetite description, 9, 174 J
Risk IT framework, 75, 125–126 job descriptions, 377–378
ISC2 (International Information Systems job titles, 13
Security Certification Consortium), 372 judgmental sampling in audit evidence, 331
ISF (Information Security Forum), 371
ISO (International Organization for K
Standardization), 371
ISO/IEC 20000 standard, 213 key business partners, communication with, 370
ISO/IEC 27001 standard key goal indicators (KGIs), 225
risk management frameworks, 108 key performance indicators (KPIs), 225
sections, 83–85 key personnel
security management framework, 218 availability in disasters, 447
ISO/IEC 27002 standard interviewing, 486–487
control framework, 249–251 key processes inventory in business impact
description, 213 analysis, 417–418
objectives, 254–259 key recovery targets in business impact
ISO/IEC 27005 standard analysis, 423–426
methodologies, 121–124 key risk indicators (KRIs)
risk management frameworks, 108 metrics, 225
ISO/IEC 31010 standard, 108 overview, 180–181
ISSA (Information Systems Security keyloggers, 296
Association), 372 keys in cryptography, 312–313
encryption applications, 321
IT. See information technology (IT)
exchanging, 313–314
IT general controls (ITGCs), 246–247
generating, 319
IT Infrastructure Library (ITIL) process
information security architecture, 219
framework, 213, 384
key-encrypting keys, 320
IT service management (ITSM)
activities, 383–384 key pairs, 314
asset management, 394 managing, 319–321
availability management, 393–394 protecting, 320
capacity management, 392–393 KGIs (key goal indicators), 225
change management, 386–388 knowledge reviews, post-incident, 523
configuration management, 388–389 known risks, 166
financial management, 391–392 known unpatched weaknesses, 127
importance, 384 KPIs (key performance indicators), 225
incident management, 384–385 KRIs (key risk indicators)
incident management link, 416 metrics, 225
problem management, 385–386 overview, 180–181
release management, 389–391
service continuity management, 393 L
service desk, 384 landslide damage, 428
service-level management, 391–392 language differences in outsourcing, 348
last management reviews, security policy for, 43
CISM Certified Information Security Manager All-in-One Exam Guide
596
law enforcement likelihood of risk
communication with, 370–371 considerations, 137–138
incident reporting by, 508 NIST SP 800-30, 120
incident response plan communications, live exercises for training and awareness, 66
516–517 live fire tests for incident response plans, 478
incident response plans, 413 local administrators for endpoint protection
laws and management, 298
outsourcing issues, 347 location of hardware assets, 200
risk register, 148 location-specific leaders in TPRM
security steering committees programs, 349
responsibilities, 19 log servers, 276
leadership logical controls, 243
executive management responsibilities, 19 logistical plans in ISO/IEC 27005, 121
security strategy, 40, 53 logs
leading indicators analysis and correlation in incident
KRIs, 181 response, 504
metrics, 226 reviews for controls, 276
learning curves in organizational inertia, 72 security strategy, 50–51
legal agreements zero-trust architecture, 293
human resource management, 156 long-term strategies in capacity
TPRM life cycle, 352–353 management, 392
legal counsel losses in Factor Analysis of Information
attorney–client privilege, 516 Risk, 124
external, 506
incident responsibilities, 503 M
legal departments macros in endpoint protection, 295
incident response, 511 maintaining business continuity plans,
incident response plans, 413 453–454
internal partnerships, 364 malware
third parties relation, 348 description, 409
legal issues endpoint protection, 295–296
disasters, 442 incident response plans, 413
risk response, 175–176 incident response tools, 504
legal requirements managed security services providers (MSSPs)
business alignment, 8 incident management, 302–303
enterprise governance, 11–12 incident monitoring, 505–507
external audits, 335 management
security strategy, 71 commitment in security strategy, 67–68
levels in risk management, 111–112 frameworks, 218
life cycles security strategy reviews, 43
BCP, 434–435 managerial controls, 243
BMIS, 81 managing, meaning of, 14
CSA, 337–338 mandatory protective measures in risk
governance, 88 response, 175
human resources, 155–156 mandatory risk assessments in risk
risk management, 115–126 response, 176
TPRM programs, 351–354 manual controls, 245
vulnerability management programs, 47 mapping controls, 250–251, 274
life safety, 407 market conditions in business alignment, 8
lightning damage, 429 materials shortages, 431
Index
597
maturity MITRE ATT&CK framework, 279
incident response plans, 412 mobile sites in disaster recovery plans, 463
security strategy, 54 modification history for controls, 275
maximum tolerable downtime (MTD), 422 monetary value in information
maximum tolerable outage (MTO), classification, 203
422–423 monitoring
media managers, 25 audits, 29
media notification for disasters, 449 compliance management, 375
mediation in CSA life cycle, 338 controls, 276–277, 322
memorable content for awareness training, 340 incidents, 505–507
message digests, 311, 317 information security architecture, 220
message security, 314–316 information technology, 368
methodologies ISO/IEC 27005, 124
audits, 53, 327–329 metrics, 226
CSA, 337 NIST SP 800-39, 118
CVSS, 278–279 responsibilities, 29–30
Cybersecurity Framework, 263–264 risks, 180–182
external audits, 336 third parties, 358
FAIR, 124–125 monitors for awareness training
OCTAVE, 143 communication, 344
risk analysis, 143 Monte Carlo analysis, 144
risk management, 117–119 morale issues in outsourcing, 347
standards, 64 motivation in risk likelihood, 137
metrics MSS analysts, incident reporting by, 508
audiences for, 231 MSSPs (managed security services providers)
balanced scorecards, 232–233 incident management, 302–303
controls, 274 incident monitoring, 505–507
gap assessment, 57 MTD (maximum tolerable downtime), 422
incident response, 517–519 MTO (maximum tolerable outage), 422–423
monitoring, 30 multifactor authentication (MFA)
program development, 225–233 identity and access management, 299
security governance, 6–7 requiring, 174
security strategy, 46, 67 multimaster replication, 308
types, 227–231 multimedia content for training and
MFA (multifactor authentication) awareness, 66
identity and access management, 299 multiprimary replication, 308, 469
requiring, 174
misconfiguration, incidents from, 410 N
mission/business process view in NAC (network access control), 292
NIST SP 800-39, 118 NACD (National Association of Corporate
missions Directors), 18
business alignment, 8 narratives for controls, 274
outsourcing, 347 NAS (network-attached storage) in disaster
mitigation recovery plans, 468
cost-benefit considerations, 172–173 National Association of Corporate Directors
ISO/IEC 27005, 123 (NACD), 18
OCTAVE, 142 National Bureau of Standards, 211–212
risk analysis, 116 National Cyber Security Centre (NCSC), 293
risk response, 167–168 National Fire Protection Agency (NFPA), 454
CISM Certified Information Security Manager All-in-One Exam Guide
598
National Incident Management System web content filters, 289–290
(NIMS), 454 wireless, 287–288
National Institute for Standards and zero-trust architecture, 292–293
Technology (NIST) standards, 43, 118 network segmentation, 207
BCP practices, 454 network traffic analysis (NTA), 285–286
CSF activities, 262–264 networks
CSF components, 215–216 connectivity and services in disaster
CSF control framework, 249 recovery plans, 471
CSF highlights, 86–87 device vulnerabilities, 128
CSF overview, 85–86 disasters, 444
CSF purpose, 218 intrusion prevention, 504
CSF steps, 87–88 new hires, awareness training for, 342–343
publications, 371 NFPA (National Fire Protection Agency), 454
Risk Management Framework, 85 NIMS (National Incident Management
SP 800-30, 119 System), 454
SP 800-37, 108 NIST. See National Institute for Standards and
SP 800-39, 108, 118 Technology (NIST) standards
SP 800-53, 214, 249–251, 259 nonfunctional requirements in program
SP 800-171, 215 development, 224
SP 800-207, 293 nonrepudiation in cryptography, 313
natural disasters, 428–431 nonstatistical sampling of audit evidence, 331
NCSC (National Cyber Security Centre), 293 normalcy bias, 68–69
NERC (North American Electric Reliability North American Electric Reliability
Corporation) Standards Corporation (NERC) Standards
control framework, 249 control framework, 249
infrastructure, 267–269 infrastructure, 267–269
net present value (NPV) in asset valuation, 209 notifications for disasters, 448–449
NetFlow standard, 286 NPV (net present value) in asset valuation, 209
network access control (NAC), 292 NTA (network traffic analysis), 285–286
network administrators, 25 numbering controls, 274
network architects, 24
network-attached storage (NAS) in disaster O
recovery plans, 468 objectives
network engineers, 24 audits, 325, 327
network management roles, 24–25 awareness training, 339–340
network protection business alignment, 8–9
CASB, 290 controls, 245–246, 274
DDoS, 285 controls self-assessment, 339
DNS filtering, 290 disaster recovery plans, 457
e-mail, 290–292 incident response plans, 411–412
firewalls, 282–284 security governance, 5
IDSs, 285 security strategy, 38–39
IPSs, 284–285 objectivity
NAC, 292 audits, 53, 335
NTA, 285–286 outsourcing, 345
overview, 282 occupant emergency plans in business
packet sniffers, 287 continuity plans, 452
segmentation, 283–284 OCTAVE (Operationally Critical Threat,
span ports, 287 Asset, and Vulnerability Evaluation), 142–143
Index
599
offboarding in human resources, 365 organization chapters for risk management
offsite storage support, 113
disasters, 444–445 organization element in BMIS model, 74
evaluating, 491–492 organization view in NIST SP 800-39, 118
onboarding organizational awareness metrics, 228–229
purpose, 365 organizational controls in ISO/IEC 27002,
TPRM life cycle, 352 254–256
ongoing due diligence for outsourced organizational culture, 9–10
services, 52 acceptable use policies, 10
online documents for business continuity ethics, 10–11
plans, 453 organizational inertia in security strategy, 72
The Open Group Architecture Framework organizational roles
(TOGAF), 83–84 boards of directors, 16–18
open source software for systems business process and business asset owners,
development, 369 20–21
operating systems business resilience, 27
configuration management, 388 chief compliance officers, 23
replication, 308, 468 chief information officers, 21–22
vulnerability detection techniques, 128 chief privacy officers, 23
operational audits, 325 custodial responsibilities, 21
operational criticality data management, 24
information classification, 203 executive management, 18–19
vendor classification, 354 general staff, 29
operational efficiency changes in risk governance, risk, and compliance, 26
response, 172 IT operations, 25
operational maturity in vulnerability miscellaneous, 28
assessments, 48 monitoring responsibilities, 29–30
operational partnerships, 303 network management, 24–25
operational performance metrics, 230 overview, 12–14
operational productivity metrics, 229 quality assurance, 28
Operationally Critical Threat, Asset, and RACI charts, 15–16
Vulnerability Evaluation (OCTAVE), security audit, 28
142–143 security operations, 27
operations security steering committees, 19–20
controls, 275–276 service desk, 28
disaster recovery plans, 472 software development, 23–24
incident management. See incident systems management, 25
management operations organizational structure in security strategy, 69
operations analysts, 25 organizational support metrics, 229
operations managers, 25 out-of-band key exchange method, 313
opportunities outages, 431
SWOT analysis, 60 outcomes in program development, 193–194
training and awareness, 66 outdated components in architecture, 45
optional protective measures in risk outside experts in security strategy, 40
response, 175 outsourcing
orchestration benefits, 345
security operations, 363 incident response, 413–414
SOAR, 277 risks, 345–346
security strategy services, 51–52
CISM Certified Information Security Manager All-in-One Exam Guide
600
ownership PCI DSS (Payment Card Industry Data
controls, 274 Security Standard)
hardware assets, 200 description, 249
risk, 144–145, 178–180 objectives, 217
risk response, 179–180 structure, 264–266
risk treatments, 167 PCI Forensic Investigator (PFI), 265
PCI ISA (Payment Card Industry Internal
P Security Assessor), 265
P2PE (Point-to-Point Encryption), 266 PCI QSA (Payment Card Industry Qualified
PA DSS (Payment Application Data Security Security Assessor), 265
Standard), 265 PCI Security Standards Council, 371
packet sniffers, 287–288 PCIP (Payment Card Industry
packing malware, 297 Professional), 265
pandemics, 430–431 PCIs (Professional Certified Investigators), 476
parallel tests peer pressure in security tooling, 198–199
BCP and DRP, 482 penetration testers, 27
training, 477 penetration tests
partial tier in Cyber Security Framework, software development, 151
86, 263 third parties, 358
participants in BCP and DRP tests, vulnerability detection, 280
479–480 people controls in ISO/IEC 27002, 256
partnerships people element in BMIS model, 74
external, 370–373 performance
internal, 364–370 monitoring, 30
operational, 303 outsourcing issues, 346
security product vendors, 373 personnel management, 381
passwordless authentication, 299 program development, 193
patch management security strategy, 38
information technology, 368 periodic measurements in capacity
vulnerability management, 280 management, 392
Payment Application Data Security Standard periodic reviews in TPRM, 353
(PA DSS), 265 periodic scanning in vulnerability
Payment Card Industry Data Security management, 278
Standard (PCI DSS) permanent records for training and
description, 249 awareness, 66
objectives, 217 personal computers as disruptive
structure, 264–266 technology, 253
Payment Card Industry Forensic Investigator personnel
(PFI), 265 as asset, 199
Payment Card Industry Internal Security business continuity plans availability to,
Assessor (PCI ISA), 265 452–453
Payment Card Industry (PCI) Security changes in, 179
Standards Council, 371 classification, 207–208
Payment Card Industry Professional critical, in disasters, 448
(PCIP), 265 external audits, 336
Payment Card Industry Qualified Security facility safety for, 367
Assessor (PCI QSA), 265 incident reporting by, 508
payments in third-party remediation, 362 incident response plans, 412–413
interviewing, 486–487
Index
601
MSSPs, 505 policy managers, 26
safety procedures in business continuity ports, span, 287
plans, 436–437 position benchmarking, 30
vulnerability detection techniques, 128 position titles, 13–14, 22
personnel management, 376 post-audit follow-ups, 329
culture, 378 post-change reviews, 387
job descriptions, 377–378 post-implementation in release
professional development, 378–381 management, 391
reporting in, 381–382 post-incident reviews
roles and responsibilities, 377 incident response, 501
talent finding and retaining, 376–377 practices, 522–523
personnel observations for audit evidence, 330 posters for awareness training
phishing filters, 290–292 communication, 344
physical access in vendor classification, 355 pre-audits, 327
physical controls, 243 predisposing conditions in NIST SP 800-30,
physical location of assets, 20 119–121
physical records controls in ISO/IEC 27002, presentation in chain of custody, 510
256–257 preservation in chain of custody, 510
physical security preventive controls, 243–244
disasters, 443 previous strategy in gap assessment, 56
risk management integration with, primary-backup replication, 308, 469
154–155 principle of proportionality in total cost of
vulnerability detection techniques, 128 ownership, 173
PIN Transaction Security (PTS), 266 principles
PKI (public key infrastructure), 318–319 business alignment, 8
plaintext, 311 COBIT, 267
planned changes in capacity management, 392 COSO, 267–268
plans importance of information security, 18
audit communication, 328 risk identification, 111
audits, 327 SOC 2, 271
business cases, 91 prior incidents, insurance costs related to, 49
business continuity. See business continuity prior results in business continuity plans, 486
plans (BCPs) priorities in security governance, 5
disaster recovery. See disaster recovery privacy
plans (DRPs) breaches, 512
incident response. See incident response business continuity plans, 444
plans CPOs, 23
playbooks for incident response plans, 414–415 incident response plans, 413
Point-to-Point Encryption (P2PE), 266 SOC 2 principle, 271
policies TPRM programs, 352
business continuity plans, 434–435 privacy by design, 368
executive management responsibilities, 19 private key cryptosystems, 313
gap assessment, 56 privilege accumulation
Information security architecture, 219 description, 300
program development, 220–223 from internal transfers, 365
security governance, 5 privileged roles, 301
security strategy, 42–43, 61–62 proactive incident management, 302
third-party remediation, 361 proactive issue remediation for third parties,
training and awareness, 66 360–362
CISM Certified Information Security Manager All-in-One Exam Guide
602
proactive support from insurance program development, 191–192
companies, 49 architectures, 218–220
probability asset identification and classification,
quantitative risk analysis, 140 199–210
risk analysis, 140–141, 149, 421 charters, 194
risk likelihood, 137–139 control frameworks, 210–217
risk management process, 116 guidelines, 223
threat changes, 172 management frameworks, 218
threat forecasting, 136 metrics, 225–233
problem management notes, 236
capacity management link, 393 outcomes, 193–194
change management link, 388 policy development, 220–223
configuration management link, 388 processes and procedures, 224–225
ITSM, 385–386 questions, 237–240
risk management integration with, requirements, 223–224
153–154 resources, 192–199
problem resolution in release management, 389 review, 233–235
problem statements in business cases, 89 scope, 195
procedures security governance, 6
audits, 324, 328 security processes, 195–196
gap assessment, 57 standards, 223
program development, 224–225 technologies, 196–198
security strategy, 44, 65 trends, 192–193
process-level risks, 111 program management
processes awareness training, 339–344
antimalware observation of, 296 communication and reporting.
balanced scorecards, 233 See communication and reporting
BMIS model, 74–75, 77 continuous improvement, 394
business process and business asset control testing and evaluation. See control
owners, 20 testing and evaluation
program development, 195–196, 224–225 controls. See controls
security governance, 6–7 data governance. See data governance
security strategy, 44, 65 endpoint protection and management,
systems development, 369 293–298
processing integrity principle in SOC 2, 271 external services. See external services
Proctor, Paul, 226 identity and access management,
procurement 298–302
communication for, 369 incident management, 302
TPRM programs, 349 introduction, 241–242
Professional Certified Investigators (PCIs), 476 ITSM. See IT service management (ITSM)
professional development, 378 MSSPs, 302–303
career paths, 379 network protection. See network protection
certifications, 379–381 notes, 396–397
training, 381 questions, 397–401
professional organizations for partnerships, review, 394–396
371–372 programming language standards, 64
profiles in CSF, 215, 263 project documents in business continuity
program charters in gap assessment, 56 plans, 451
Index
603
project management R
communications in, 382
RACI (Responsible, Accountable, Consulted,
human resources, 157
Informed) charts, 15–16
security governance, 6
radio communications for disasters, 441
project managers, 29
RAID (Redundant Array of Independent
proportionality principle in total cost of
Disks), 467–468
ownership, 173
rank and file individuals for security
proposals in change management, 386
strategy, 40
protect activity in CSF, 262
ranks
protection function in NIST CSF, 86
incidents, 509
protection of private keys, 320
position titles, 14, 22
protective measures in risk response, 175
risk, 144
protocol standards, 64
ransomware
PTS (PIN Transaction Security), 266
endpoint protection, 295
public information classification, 203–205
incidents, 409
public key cryptosystems, 313
insurance, 49
digital envelopes, 318
RAs (registration authorities), 319
digital signatures, 317
rating incidents, 509
elliptic curve cryptography, 316
RATs (remote access Trojans), 296
hashing and message digests, 317
RCapO (recovery capacity objective) in
key pairs, 314
business impact analysis, 423, 425
key verification, 316
RCO (recovery consistency objective), 423–426
public key infrastructure (PKI), 318–319
reacquisition cost in asset valuation, 209
public opinion issues in incident response plan
readability in BMIS model, 79
communications, 517
recertification of access in IAM, 301
public safety issues in disasters, 449
reciprocal sites in disaster recovery plans, 463
published information in risk management
recommendations for risk management
practices, 113
process, 116
reconnaissance in intrusion kill chain
Q model, 410
QA managers, 28 recordkeeping
QC managers, 28 BCP and DRP tests, 479–480
qualifications of auditors, 53, 336 incident response, 505, 518
Qualified Integrators and Resellers (QIR), 266 records
qualitative asset valuation, 209 backing up, 308
qualitative risk analysis, 140 change management, 387
quality assurance roles, 28 disaster plans, 444
quality issues recovery. See also backups
outsourcing, 346 approaches, 520–521
third-party remediation, 361 business impact analysis targets, 423–426
quantitative asset valuation, 209–210 Cybersecurity Framework, 262
quantitative risk analysis, 140–141 disaster procedures, 445–446
quarantines, e-mail, 291 DRPs. See disaster recovery plans (DRPs)
questionnaires incident response, 501
CSA life cycle, 338 incident responsibilities, 503
key processes inventory, 417–418 maintaining plans, 453–454
onboarding, 352 recovery capacity objective (RCapO) in
risk analysis, 143 business impact analysis, 423, 425
third parties, 357–360 recovery consistency objective (RCO), 423–426
quizzes for training and awareness, 66
CISM Certified Information Security Manager All-in-One Exam Guide
604
recovery controls, 244 replication
recovery function in NIST CSF, 86 backups, 308–309
recovery point objective (RPO) disaster recovery plans, 468–469
disaster recovery plans, 457–458 reports. See communication and reporting
overview, 423–425 reputation concerns in security governance, 8
pricing, 458 reputational value in information
recovery time objective (RTO) classification, 203
disaster recovery plans, 457–458 requests in change management, 386
overview, 423–424 requirements
pricing, 458 business cases, 91
recruitment in human resources, 365 program development, 223–224
redeployment cost in asset valuation, 209 regulatory. See regulations and regulatory
Redundant Array of Independent Disks requirements
(RAID), 467–468 release management, 389
redundant network connections, 471 security involvement stage, 281
registration authorities (RAs), 319 security steering committees
regulations and regulatory requirements responsibilities, 19
controls, 242 research organization reports for risk
enterprise governance, 11–12 management support, 114
external audits, 335 researchers, incident reporting by, 508
gap assessment, 59 residual risk
incident response plan communications, 516 risk registers, 150
resource expenditures, 232 risk response, 173
risk register, 148 resilience
risk response considerations, 175–176 BMIS architecture, 77
security steering committees business, 27
responsibilities, 19 disaster recovery plan technologies, 467–471
security strategy, 71 post-incident reviews, 523
third-party remediation, 361 resistance to change, 68, 72
regulators resolution in third-party remediation, 362
disaster notifications for, 449 resource access
partnerships with, 371 boards of directors, 17
relationship risk assessment for third parties, 51 zero-trust architecture, 293
release management, 389–391 resource optimization in security strategy, 38
relevant content in awareness training, 340 resources and resource management
relevant policies in security strategy, 42 audits, 324–325, 335
remediation incident response plans, 412–414
incident response, 501 metrics, 228
incident responsibilities, 503 program development, 192–199
incidents, 521–522 security governance, 7
third parties, 360–362 response documents in business continuity
vulnerability management, 278 plans, 452
remote access Trojans (RATs), 296 response function in CSF, 86, 262
remote control, endpoint protection for, response reviews, post-incident, 523
294–295 responsibilities
remote destruction, endpoint protection for, 295 disaster recovery plans, 471
Remote Monitoring (RMON), 286 disasters, 439–446
repeatability tier in CSF, 87, 263 DRP teams, 456–457
replacement cost in asset valuation, 209 executive management, 19
Index
605
incident response, 502–503 controls, 242
meaning, 14 external support, 112–115
monitoring, 29–30 gap analysis, 112
personnel management, 377 gap assessment, 57
RACI charts, 16 importance, 102–103
security steering committees, 19 integration into other processes, 150–157
security strategy, 65 levels, 111–112
third-party remediation, 361 mandatory, 176
Responsible, Accountable, Consulted, NIST SP 800-39, 118
Informed (RACI) charts, 15–16 notes, 159–160
responsive issue remediation with third objectives, 103
parties, 362 outcomes, 103
responsive security incident management, 302 questions, 160–164
restoration. See recovery review, 157–158
restore service actions, risk implications risk identification, 136–137
associated with, 154 risk impact, 138–139
restricted information classification, 203–205 risk likelihood, 137–138
results risk management life cycle, 115–126
audits, 332–333, 336–337 risk management programs, 103–110
disaster recovery plans, 490 risk register, 146–150
security governance, 7–8 security strategy, 41
resumption plans in business continuity techniques and considerations, 139–145
plans, 452 technologies, 104–105
retail floor cashiers, awareness training for, 341 threat identification, 129–136
retail floor managers, awareness training for, 341 vulnerability and control deficiency
retaining talent, 376–377 analysis, 127–129
retention of evidence, 501 risk determination in NIST SP 800-30, 120
return on security investment (ROSI), 231–232 risk framing step in NIST SP 800-39, 118
reverse engineering in incident response risk identification, 136–137
plans, 413 risk informed tier in CSF, 86, 263
RIMS Risk Maturity Model, 108 Risk IT framework, 125–126
risk risk management
compliance management, 374–375 business continuity planning, 145
controls, 274 communications and reporting, 363–364
CSA life cycle, 338 integration into other processes,
evaluation and ranking, 144 150–157
impact, 138–139 metrics, 229–230
likelihood, 137–138 program development, 193
outsourcing, 345–346 security governance, 7
ownership, 144–145 technologies, 104–105
security steering committees Risk Management Framework (RMF), 85
responsibilities, 19 risk management life cycle, 115
risk appetite methodologies, 117–126
business alignment, 9 process, 115–117
risk management process, 116 risk management methodologies, 117
security strategy, 38, 55, 71–72 Factor Analysis of Information Risk,
risk assessment and analysis, 101–102 124–125
audits, 324 ISACA Risk IT framework, 125–126
business continuity plans, 145 ISO/IEC 27005, 121–124
control frameworks, 251 NIST, 118–121
CISM Certified Information Security Manager All-in-One Exam Guide
606
risk management programs iterative, 173–174
context, 109–110 options evaluation, 116–117
frameworks, 108–109 risk register, 177
implementing, 105–106 third parties, 360
outcomes, 103 risk treatment records in gap assessment, 57
strategies, 106–108 RMF (Risk Management Framework), 85
risk managers, 26 RMON (Remote Monitoring), 286
Risk Metrics That Influence Business Decisions roadmap development in strategic planning, 89
(Proctor), 226 roles
risk monitoring step in NIST SP 800-39, 118 disaster recovery plans, 471
risk profiles in Risk IT framework, 126 disasters, 439–446
risk registers DRP teams, 456–457
analysis contributions, 149 human resource management, 156
elements, 177–178 incident response, 502–503
gap assessment, 57 organizational. See organizational roles
information sources, 148 personnel management, 377
residual risk, 150 security strategy, 65
security strategy, 47–48 third-party remediation, 361
strategic vs. tactical risks, 148–149 root-cause analysis, 154
structure, 146–147 rootkits, 296
risk response, 165–166 ROSI (return on security investment),
acceptance, 170–171 231–232
avoidance, 169–170 rotation
cost and benefits, 172–173 backup media, 305–306
ignoring, 171 keys, 320
iterative risk treatment, 173–174 round tables for risk management support, 113
legal and regulatory considerations, 175–176 RPO (recovery point objective)
mitigation, 167–168 disaster recovery plans, 457–458
monitoring and reporting, 180–182 overview, 423–425
NIST SP 800-39, 118 pricing, 458
notes, 183 RTO (recovery time objective)
options evaluation, 171–172 disaster recovery plans, 457–458
options overview, 166–167 overview, 423–424
questions, 184–188 pricing, 458
residual risk, 173 rules
review, 182–183 e-mail, 291
risk and control ownership, 178–180 firewalls, 283
risk appetite, capacity, and tolerance,
174–175 S
risk register, 177–178 S/MIME (Secure Multipurpose Internet Mail
transfer, 168–169 Extensions), 321
risk tiering SaaS services, 463–464
outsourced services, 52 sabotage incidents, 410
TPRM programs, 354–356 salvage operations, 443
risk tolerance in business alignment, 8–9 sampling audit evidence, 331
risk treatment sanctions, risk, 375
actions, 166–167 sandboxes for antimalware, 296
insurance, 49 SANS organization, 372
ISO/IEC 27005, 122 SANs (storage area networks), 468
Index
607
Sarbanes-Oxley Act, 17 security engineers, 27
SAS-70 (Statement on Auditing Standards security events, 432
No. 70), 271–272 security governance
scalability activities and results, 7–8
BMIS architecture, 77 BMIS model, 76
private key cryptosystems, 313 business alignment, 8–9
scans data. See data governance
information technology, 368 defined, 3
third parties, 358 enterprise. See enterprise governance
vulnerability management, 278–280 frameworks and standards, 72–88
schedules information security strategy.
audits, 325, 336 See security strategy
BCP and DRP tests, 479–480 introduction, 4–6
third-party remediation, 361 reasons, 6–7
scope security guards, 367
audits, 53, 324, 327, 335 security incident, legal term, 517
controls, 63, 274 security incidents. See incidents
program development, 195 security industry news sources for risk
risk management process, 115 management support, 113
scribes security information and event management
disaster documentation, 441 (SIEM)
incident responsibilities, 503 controls, 277
scripting in BCP and DRP tests, 479–480 incident logs, 51
SDN (software-defined networking), 202 security leaders in security strategy, 40
SDO (service delivery objective), 423, 425 security managers
secret information classification, 203–205 executive management opinion of, 22
secure engineering for controls, 280–282 risk treatment involvement, 167
secure key exchange, 314 security maturity, vulnerability detection
Secure Multipurpose Internet Mail Extensions assessments for, 48
(S/MIME), 321 security operations
Secure Shell (SSH), 321 communications and reporting, 363
Secure Sockets Layer (SSL), 321 roles, 27
security security orchestration, automation, and
BMIS architecture, 77 response (SOAR) platform, 277
as business prevention, 9 security policies
vs. compliance, 373–374 gap assessment, 56
security analysts, 27 structure, 221–222
security and privacy with disasters, 444 security principle in SOC 2, 271
security architects, 27 security processes in program development,
security audit managers, 28 195–196
security auditors, 28 security professional services vendors,
security awareness buy-in, 54 partnerships with, 372–373
security awareness training security program charters in gap assessment, 56
gap assessment, 58 security projects, security steering committees
trainers, 26 responsibilities for, 19
security by design in software development, 151 security risk assessment. See risk assessment
security cost efficiency metrics, 230–231 and analysis
security directors, executive management security round tables for risk management
opinion of, 22 support, 113
CISM Certified Information Security Manager All-in-One Exam Guide
608
security scans security teams, 40
third parties, 358 Security+ certification, 380
vulnerability management, 279–280 seeding audit results, 336–337
security steering committees responsibilities, segmentation, network, 207, 283–284
19–20, 167 segregation of duties
security strategy audit evidence, 330
architecture, 44–45 identity and access management,
assets, 47 300–301
audits, 53 RACI charts, 16
business impact analysis, 50 SEI (Software Engineering Institute), 60
capability maturity models, 60–61 self-assessment
communications and reporting, 66–67 auditors, 339
constraints, 68–72 controls, 337–339
controls, 45 semiquantitative risk analysis, 140
controls development, 62–63 sensitive customer data in vendor
critical data, 49–50 classification, 354
culture, 53–54 sensitive data exposure risk, 375
developing, 55–68 sensitive internal data in vendor
gap assessment, 56–59 classification, 354
governance frameworks, 72–88 sensitivity in information classification, 203
guidelines, 43–44 server clusters in disaster recovery plans,
insurance, 48–49 469–470
introduction, 37 Server Message Block (SMB) service, 278
management commitment, 67–68 service continuity management in ITSM, 393
maturity, 54 service delivery objective (SDO),
metrics, 46 423, 425
notes, 93–94 service desk, 384
objectives, 38–39 service desk analysts, 28
outsourced services, 51–52 service desk managers, 28
participants, 39–40 service level agreements (SLAs)
policies, 42–43 incident response, 416
policy development, 61–62 managed security services providers, 303
processes and procedures, 44, 65 third-party remediation, 361
questions, 94–98 service-level management
resources, 40–55 capacity management link, 393
review, 91–93 ITSM, 391–392
risk appetite, 55 service organization controls, 270–272
risk assessments, 41 service outages, 431
risk registers, 47–48 service providers
roles and responsibilities, 65 audits, 326–327
security incident logs, 50–51 contract reviews, 487
skills, 46 incidents involving, 513
standards, 43 service shortages in disasters, 433
standards development, 64–65 serviceable components in availability
strategic planning, 88–91 management, 393
SWOT analysis, 59–60 sFlow standard, 286
threat assessments, 42 shadow ITs
training and awareness, 65–66 description, 9
vulnerability assessments, 48 as disruptive technology, 253
Index
609
shareholder notification for disasters, 449 social engineering assessments, 280
SIEM (security information and event soft copies for business continuity plans, 453
management) software
controls, 277 as asset, 199–200
incident logs, 51 configuration items, 388
signature-based antivirus software, vulnerability detection techniques, 128
death of, 297 software-defined networking (SDN), 202
signatures software developers, awareness training for,
antimalware, 296 341–342
cryptography, 312–317 software development
simulations Information security architecture, 220
BCP and DRP tests, 481 risk management integration with, 150–151
incident response plans, 477–480 roles, 23–24
training, 477 Software Engineering Institute (SEI), 60
single loss expectancy (SLE), 141 software engineers/developers, 23
site recovery options software testers, 23
cloud sites, 463 solid-state drives (SSDs) for backups, 304
cold sites, 462 sound considerations in BMIS model, 79
disaster recovery plans, 460 spam protection, 290–292
geographic site selection, 463 span ports, 287
hot sites, 460–461 spear phishing, 291
mobile sites, 463 spim, 291
reciprocal sites, 463 spyware, 295
third-party sites, 464–465 SSCP (Systems Security Certified
warm sites, 461–462 Practitioner), 380
site visits to third parties, 52, 357 SSDs (solid-state drives) for backups, 304
skills SSH (Secure Shell), 321
for attacks, 138 SSL (Secure Sockets Layer), 321
audit interviews, 330 staff availability in disasters, 433
outsourcing, 345 staff capabilities in security strategy, 69–70
RACI charts, 16 staff development, 381
staff, in security strategy, 46 staffing shortages, MSSPs for, 505
SLAs (service level agreements) stakeholder notification for disasters, 449
incident response, 416 standards, 43
managed security services providers, 303 coding, 151
third-party remediation, 361 configuration, 64
SLE (single loss expectancy), 141 controls, 64, 72–88
SMART metrics, 226 gap assessment, 57
smartphones as disruptive technology, 253 information governance, 72–88
SMB (Server Message Block) service, 278 Information security architecture, 219
SMEs (subject matter experts) in incident NIST. See National Institute for Standards
response plans, 413 and Technology (NIST) standards
smishing, 291 policy development, 62
sniffers, 287–288 program development, 223
SOAR (security orchestration, automation, security governance, 6
and response) platform, 277 security strategy, 43, 64–65
SOC. See System and Organization Controls standards organizations, partnerships with, 371
(SOC) Statement on Auditing Standards No. 70
SOC analysts, incident reporting by, 508 (SAS-70), 271–272
CISM Certified Information Security Manager All-in-One Exam Guide
610
statements of impact in business impact supplier shortages in disasters, 433
analysis, 419–420 supplies in disasters, 443
static data loss prevention, 309 surveillance of facilities, 366
statistical sampling for audit evidence, 331 sustainment stage in security involvement, 281
steering committees SWOT (strengths, weaknesses, opportunities,
responsibilities, 19–20 and threats) analysis, 59–60
risk treatment responsibilities, 167 symmetric encryption, 313
security strategy meetings, 67 synchronous replication, 309, 469
stop-or-go sampling for audit evidence, 331 System and Organization Controls (SOC)
storage audit reports, 332
backups. See backups audit standards, 271–272
disasters, 444–445 compliance risk, 374
evaluating, 491–492 description, 249
storage area networks (SANs), 468 system classification, 206–207
storage engineers, 25 system monitoring in information
strategic alignment technology, 368
metrics, 226–227 system operations procedures in disaster
program development, 193 recovery plans, 472
strategic planning system recovery procedures in disaster recovery
business cases, 89–91 plans, 472
roadmap development, 89 systems access in vendor classification, 355
security strategy, 88–91 systems administrators, 25
strategic risks, 148–149 systems analysts, 23
strategies systems architects, 23, 25
business alignment, 8 systems development, communication with,
disaster recovery plans, 459–460 368–369
information security. See security strategy systems engineers, 25
risk management programs, 106–108 systems function in disasters, 444
security governance, 5 systems hardware as asset, 199
stratified sampling in audit evidence, 331 systems inventory in business impact analysis,
stream ciphers, 313 417–418
strengths, weaknesses, opportunities, and systems management roles, 25
threats (SWOT) analysis, 59–60 systems operators, 25
strictness of policies, 42 Systems Security Certified Practitioner
strong culture, 69 (SSCP), 380
structure
audit reports, 332–333 T
PCI DSS, 264–266 tactical risks, 148–149
risk register, 146–147 talent, finding and retaining, 376–377
security policy, 221–222 tape backups
subject matter experts (SMEs) in incident disaster recovery plans, 473
response plans, 413 overview, 304
subjects for audits, 327 taps, network, 287
subsystem assets, 200 tasks for audit evidence, 330
subsystem patches and changes in release TCO (total cost of ownership), 172–173
management, 389 teams
success criteria in business cases, 91 disaster recovery plans, 456–457
supplier notifications for disasters, 448–449 security strategy, 40
Index
611
technical architecture TPRM programs. See third-party risk
for communications and reporting, 376 management (TPRM) programs
metrics, 230 vulnerability identification by, 129
technical controls, 243 third-party breaches, insurance coverage for, 49
technical debt in architecture, 44 third-party risk
technical support analysts, 28 gap assessment, 58
technical workers, awareness training security strategy, 51
for, 341 third-party risk management (TPRM)
technologies programs, 26, 344
BMIS model, 75 cloud service providers, 350–351
disaster recovery plans, 467–471 life cycle, 351–354
ISO/IEC 27002 controls, risk tiering and vendor classification,
257–258 354–356
program development, 196–198 third-party identification, 348–350
risk management, 104–105 threat advisories, 116
skills for, 46 threat agents in FAIR, 124–125
technology change issues in capacity threat hunting
management, 392 incident response plans, 412
telecom engineers, 25 incident response tools, 504
temps, 29 MSSPs, 506
tenure in skills, 46 threat identification
terrorism, 432 actors, 136
test and review documents in business advanced persistent threats, 134–135
continuity plans, 452 emerging, 135–136
testing external, 132–134
backups, 304 forecasting data, 136
controls, 63, 274 internal, 130–132
cyclical controls, 334–335 ISO/IEC 27005, 121
disaster recovery sites, 465 overview, 129–130
incident response plans, 477–483 threat intelligence
release management, 390 incident response tools, 504
security involvement, 281 IPSs, 285
systems development, 368 risk register, 148
text in BMIS model, 79 security operations, 363
theft of intellectual property, 346 threat intelligence platforms (TIPs), 277
third parties threat modeling for software development, 151
assessing, 356–360 threat probability changes in risk response, 172
audit reports by, 332 threats
awareness training for, 341–342 assessments, 42
disaster recovery sites, 464–465 business impact analysis, 420–421
identifying, 348–350 SWOT analysis, 60
incidents involving, 362, 415 360 feedback, 30
information technology, 368 three lines of defense model, 196
issue remediation, 360–362 time issues in security strategy, 70–71
questionnaires and evidence, time periods for external audits, 335
359–360 time servers, 206
risk treatments, 360 time zone differences in outsourcing, 348
CISM Certified Information Security Manager All-in-One Exam Guide
612
TIPs (threat intelligence platforms), 277 Trojans, 295–296
titles tropical cyclones, 428
cloud, 26 trust improvements in security governance, 8
controls, 274 TSP (Token Service Providers), 266
position, 13–14 tsunamis, 429–430
ranks, 22 turnover in personnel management, 381
TLS (Transport Layer Security), 321
TMSs (transaction management systems) for U
replication, 308, 468 UAT (user acceptance testing) in release
TOGAF (The Open Group Architecture management, 390
Framework), 83–84 UBA (user behavior analytics), 301–302
Token Service Providers (TSP), 266 UEBA (user and entity behavior analytics), 302
tolerance, risk, 174–175 UIs (user interfaces) in BMIS model, 78
tornado damage, 429 undefined responsibilities in risk treatments, 167
total cost of ownership (TCO), 172–173 understandable content for awareness
Towers of Hanoi backup strategy, 306 training, 340
TPRM. See third-party risk management undisclosed unpatched weaknesses, 127
(TPRM) programs undiscovered weaknesses, 128
training United Kingdom, law enforcement agencies
awareness. See awareness training in, 370
disasters, 445 United Kingdom Bribery Act, 11
gap assessment, 58 unknown risks, 166
human resource management, 156 unpatched weaknesses, 127
human resources, 366 unsupported components in architecture, 45
incident logs, 51 up-front due diligence for third-party
incident management, 475–477 risk, 51
post-incident reviews about, 523 updates for incident response plans, 415
professional development, 381 use case development, 363
risk management support, 114 user acceptance testing (UAT) in release
risk response, 181–182 management, 390
security strategy, 65–66 user and entity behavior analytics (UEBA), 302
systems development, 369 user authentication in zero-trust
transaction management systems (TMSs) architecture, 293
for replication, 308, 468 user behavior analytics (UBA), 301–302
transfer, risk user hardware requirements in disasters, 445
description, 117 user interfaces (UIs) in BMIS model, 78
ISO/IEC 27005, 123 utility interruptions and outages, 431, 433
risk response, 168–169
transfers, internal, 365 V
transformation of data in forensic
validation in zero-trust architecture, 293
investigations, 511
Transport Layer Security (TLS), 321 valuation of assets, 200, 209–210
transportation accidents, 432 value delivery
transportation issues in disasters, 433, metrics, 228
443, 451 program development, 193
treatment. See risk treatment security strategy, 38
trends in program development, 192–193 variable sampling for audit evidence, 331
tribal knowledge VDIs (virtual desktop infrastructures), 297
gap assessment, 59 velocity factor in risk likelihood, 137
outsourcing, 346 vendor managers, 28
Index
613
vendors W
failures, 347
walk-throughs
security products, 373
BCP and DRP tests, 480–481
standards, 64
training, 477
TPRM classification of, 354–356
wallet cards
verification
business continuity plans, 453
change management, 387–388
disasters, 450–451
public keys, 316
war damage, 432
versions of controls, 274
warm sites
vice presidents, executive management
backup storage, 307
opinion of, 22
disaster recovery plans, 461–462
video monitors for awareness training
hardware, 465
communication, 344
warranties in third-party remediation, 361
video surveillance in incident response, 505
weak culture, 69
virtual assets, 199, 201–202
weaknesses
virtual desktop infrastructures (VDIs), 297
SWOT analysis, 59
virtual reality (VR) as disruptive
undiscovered, 128
technology, 253
weaponization in intrusion kill chain
virtual sprawl, 202
model, 410
virtualization in replication, 308, 469
web content filters
viruses
incident response tools, 504
antivirus software, 296
overview, 289–290
endpoint protection, 295
web sites for awareness training
visibility consideration in risk likelihood, 137
communication, 344
voice recognition in BMIS model, 79
WFH (work from home) as disruptive
voicemail for awareness training
technology, 253
communication, 344
whaling, 291
volcanos, 428
whitelists
VR (virtual reality) as disruptive
applications, 296
technology, 253
e-mail, 291
vulnerabilities
whole-disk encryption, 295
business impact analysis, 420
wildfires, 428–429
forms, 127–128
windstorms, 429
identification, 122, 136
wiperware, 409
ISO/IEC 27005, 122
wire transfer fraud, 280
third-party, 129
wireless network protection,
vulnerability assessment
287–288
NIST SP 800-30, 119
Wireshark packet-sniffing tool,
risk management process, 116
287–288
risk register, 148
work centers for disasters, 443
security strategy, 48
work from home (WFH) as disruptive
TPRM, 352
technology, 253
vulnerability management
work measurement, monitoring, 30
controls, 277–282
work sites in business continuity
security operations, 363
plans, 453
TPRM, 352
CISM Certified Information Security Manager All-in-One Exam Guide
614
workforce in disaster recovery plans, 465 X
workforce transformation policies in security
XDR (extended detection and response)
strategy, 42
systems, 297
workplace access control, 366
workshops in CSA life cycle, 338
worms, endpoint protection for, 295
Z
wrap-up for audits, 329 Zachman Framework, 81–82
zero-trust (ZT) network architecture, 292–293