
theknowledgeacademy

Certified Information Security Manager (CISM)
New York • San Francisco • London • Sydney • Dubai • Singapore • Vancouver • Bangalore © 2022 The Knowledge Academy Ltd.
About The Knowledge Academy
The world's largest provider of classroom and online training courses

• World Class Training Solutions
• Subject Matter Experts
• Highest Quality Training Material
• Accelerated Learning Techniques
• Project, Programme, and Change Management, ITIL® Consultancy
• Bespoke Tailor Made Training Solutions
• PRINCE2®, MSP®, ITIL®, Soft Skills, and More



Course Syllabus

• Domain 1: Information Security Governance
• Domain 2: Information Security Risk Management
• Domain 3: Information Security Program Development and Management
• Domain 4: Incident Management



Domain 1

Information Security Governance



This Domain Covers…

Domain 1: Information Security Governance

A: ENTERPRISE GOVERNANCE
• 1A1: Organisational Culture
• 1A2: Legal, Regulatory and Contractual Requirements
• 1A3: Organisational Structures, Roles and Responsibilities

B: INFORMATION SECURITY STRATEGY
• 1B1: Information Security Strategy Development
• 1B2: Information Governance Frameworks and Standards
• 1B3: Strategic Planning (e.g. budgets, resources, business case)

Module 1A1: Organisational Culture



About Information Security Governance

• Information security governance focuses on various key processes.
• Those processes are sourcing, configuration management, personnel management, access management, risk management, incident management, change management, vulnerability management, and business continuity planning.
• An effective governance program will use metrics, a balanced scorecard, and other means to monitor these key processes.
• Through continuous improvement, security processes are changed so that they remain effective and continue to support business requirements.


About Information Security Governance
(Continued)

• Information security governance is a collection of activities established to clearly understand the state of the organisation's security program and its risks, and to direct its activities.
• An objective of the security program is to contribute to the accomplishment of the security strategy, which itself maintains alignment with the business and its business objectives.
• An organisation must also have an effective IT governance program to ensure the success of information security governance.
• IT is the force multiplier and enabler that facilitates the business processes for fulfilling the objectives of the organisation.


About Information Security Governance
(Continued)

• Information security governance will not be able to reach its full potential without effective IT governance.
• The result may be that the proverbial IT bus will travel with safety but to the wrong destination.
• This is represented in the given figure.

[Figure: alignment chain from Business Vision → Business Strategy → Business Objectives → IT Strategy → IT Security Strategy → Security Policy → Security Standards → Security Processes → Security Metrics, with a Feedback loop back up the chain]


About Information Security Governance
(Continued)

• The objective of security governance is the alignment of an organisation's security program with the business requirements.
• Information security governance refers to the set of top-down activities that control the security organisation to ensure that information security supports the organisation. The following are some activities that flow out of healthy security governance:
o Objectives
o Strategy
o Policy
o Priorities
o Standards
o Processes
o Controls
o Program and Project Management
o Metrics


Reason for Security Governance

• In most industry sectors and at all levels of government, organisations are increasingly depending upon their information systems.
• This has increased to the point where organisations fully depend upon the integrity and availability of their information systems for continuing business operations.
• As an information security professional, it is important that you understand the importance to the business of CIA (Confidentiality, Integrity, and Availability).
• While building the structure of security governance, these three need to be considered.
• Information security governance is necessary to ensure that security-related incidents do not threaten critical systems, and to support the continuing viability of the organisation.


Reason for Security Governance
(Continued)

• Among information security professionals, it is a known fact that information technology assets with internet access can be compromised within minutes of being placed online.
• For the protection of these assets, the required tools, controls, and processes are as complex as the information systems they are designed to protect.
• Without effective top-down management of the security controls and processes that protect assets, management will not be informed of, or in control of, these protective measures.


Security Governance Activities and Results

• In an effective security governance program, the senior management team of the organisation will see that the information system is adequately protected.
• The following activities are necessary for the protection of the organisation:
o Risk Management
o Process Improvement
o Event Identification
o Incident Response
o Improved Compliance
o Business Continuity and Disaster Recovery Planning
o Metrics
o Resource Management
o Improved IT Governance


Security Governance Activities and Results
(Continued)

• These activities are carried out periodically through scripted interactions among key business and IT executives.
• Meetings will consist of a discussion of the alignment with business objectives, the impact of regulatory changes, recent incidents, the effectiveness of measurements, recent audits, and risk assessments.
• Other discussions may cover such things as recent business results, changes to the business, and any anticipated business events like mergers and acquisitions. The following are the two key results of an effective security governance program:
1. Improved Reputation
2. Increased Trust


Risk Appetite

• ISACA defines risk appetite as the level of risk that an organisation willingly accepts while in pursuit of its mission, objectives, and strategy.
• Usually, only highly risk-averse organisations like insurance companies, banks, and public utilities will define their risk appetite in actual terms.
• Other organisations are more tolerant of risk and make risk decisions individually on the basis of gut feeling.
• Increasingly, many organisations are finding it important to articulate and document the organisation's risk appetite because of the growing influence of, and mandates from, customers.
• Usually, risk-averse organisations have a formal system of traceability and accountability of risk decisions back to the heads of departments and business executives.
• The CISO (Chief Information Security Officer) is rarely the person who takes risk treatment decisions and is accountable for those decisions.
Organisation Culture

• Transparency and accountability in the organisational culture have a great impact on information security.
• Organisational behaviour, strategies for navigating and influencing the enterprise's informal and formal structures to get work done, norms, attitudes, amount of collaboration, the existence or absence of turf disputes, and geographic dispersion all represent culture.
• Individual backgrounds, values, work ethics, experiences, filters or blind spots, and life views that individuals bring to the workplace all have an impact on culture.
• Every enterprise has a culture, whether it was purposefully created or evolved over time as a reflection of the leadership, and it must be taken into account when ascertaining roles and duties.
• Information security basically includes analytical and logical activities.


Organisation Culture
(Continued)

• Building relationships, promoting teamwork, and influencing corporate attitudes toward a positive security culture are more dependent on interpersonal abilities.
• A good information security programme manager will recognise the need to develop both kinds of abilities as necessary for effective management.
• Employees in their different roles must do their duties in a way that safeguards information assets in order to build a security-aware culture.
• All employees, regardless of their role or level within the organisation, should be capable of defining how information security relates to their job.
• To accomplish this, the security manager must organise communications, participate in committees and projects, and pay personalised attention to the needs of end users and managers.


Organisation Culture
General Rules of Use/ Acceptable Use Policy

• All participants must understand what behaviour is acceptable, what activities are necessary, and what acts are explicitly prohibited in order to maintain a risk-aware and secure enterprise culture.
• An acceptable use policy is a user-friendly explanation of what employees should and should not do.
• This policy can describe the expectations and responsibilities of all users in everyday language and in a straightforward, concise manner.
• It is essential to convey the acceptable use policy effectively and to ensure that it is read and understood by all users. Regardless of job status, all new staff who will have access to information assets should be provided with the use policy.


Organisation Culture
(Continued)

• The policy and standards for access control, categorisation, labelling, and handling of documents and information, reporting requirements, disclosure limits, mobile computing, unlawful uses, and enforcement are typically included in the rules of use for all workers.
• They may also contain email and Internet usage policies. The usage guidelines serve as a broad security baseline for the entire enterprise.
• It is usually required to offer supplemental or additional information to specific enterprise groups in accordance with their duties.
• The information security manager should collaborate with the compliance department or Human Resources (HR) to ensure that new hires understand and agree to the acceptable use policy.


Organisation Culture
Ethics

• Several enterprises have implemented ethics training to provide direction on what is lawful and proper behaviour.
• This strategy is most commonly used when personnel are required to perform sensitive tasks such as penetration testing, monitoring user activities, and accessing sensitive personal data.
• Personnel responsible for information security must be aware of any conflicts of interest or behaviours that may be seen as detrimental to the enterprise.
• To ensure consistent and complete consideration, ethical conduct aims and activities should be integrated with privacy and data protection activities and objectives.
• These activities may involve the incorporation of data ethics frameworks, which can aid in the definition of protocols for ethical and responsible data use in the enterprise.


Module 1A2: Legal, Regulatory and Contractual Requirements


Introduction

• Every enterprise encounters a broad array of obligations that emerge from international and local legislation, other regulatory monitoring mandates, and contract-specific information associated with security clauses.
• In order to create a strategy, the information security manager must acquire as much information on these overarching criteria as feasible.
• Privacy, intellectual property, and contractual, civil, and criminal law are all inextricably linked to information security.
• Any attempt to create and implement an effective information security strategy must be founded on a thorough grasp of the applicable legal requirements and constraints.
• Different regions in a worldwide enterprise may be subject to conflicting laws. To solve these issues, the global enterprise may need to develop separate security strategies for each geographic division, or it may base policy on the most stringent criteria to provide consistency across the enterprise.


Introduction
(Continued)

• Corporate legal departments usually concentrate on securities and contracts or company stock-related issues.
• As a result, they are not always directly tracking regulatory requirements, and the information security manager should not depend on the legal department to do so. The impacted department is usually the most aware of legal and regulatory issues.
• To assure clarity on the enterprise's official position on the topic, the information security manager should request legal review and interpretation of legislative requirements that have security consequences.
• Automated governance, risk, and compliance (GRC) capabilities may aid in the maintenance of a comprehensive catalogue of legal and regulatory requirements.


Requirements for Content and Retention of Business Records

• Because business records comprise a substantial portion of the information that will be secured by the security strategy that will be developed, it is essential for the information security manager to understand the underlying requirements for those records.
• As a contributor to strategy development, the information security leader must know the business requirements for all sorts of company records.
• Representatives from the company legal department can usually assist in determining what types of records must be safeguarded to preserve their confidentiality, integrity, and availability.
• Legal affairs representatives can also advise on legal and regulatory requirements for enterprise documentation.
• Due to the nature of the enterprise's activity, business requirements may surpass the legal and regulatory standards set by competent legislating bodies.


Requirements for Content and Retention of Business Records
(Continued)

• Regulations like Sarbanes-Oxley have mandated varied obligatory retention requirements for various categories and types of information, irrespective of the storage media.
• The information security manager will be responsible for staying current with these regulations and ensuring compliance as part of the enterprise's retention strategy.
• There may also be requirements arising from any lawful preservation order requiring an organisation or individual to maintain specified data at the request of law enforcement or other authorities.
• In general, archived information needs to be appropriately indexed in order to be located and recovered.


Module 1A3: Organisational Structures, Roles and Responsibilities


Roles and Responsibilities

• A position title also includes the rank of a person, which signifies a person's seniority, span of control, placement in a command-and-control hierarchy, and so on.
• In order of increasing seniority, typical ranks include the following:
o Supervisor
o Manager
o Senior manager
o Director
o Senior director
o Executive director
o Vice president
o Senior vice president
o Executive vice president
o President
o Chief executive officer
o Member, board of directors
o Chairman, board of directors


Roles and Responsibilities
(Continued)

• Responsibility is a statement of an activity that a person is expected to perform.
• Typically, responsibilities are documented in job descriptions and position descriptions.
• Typical responsibilities include the following:
o Troubleshoot network faults and develop solutions.
o Perform monthly corporate expense settlement.
o Audit user account terminations and develop exception reports.


Roles and Responsibilities
Board of Directors

• In an organisation, the board of directors is a body of people who oversee activities in the organisation.
• The board of directors is accountable to constituents and shareholders to act in the best interests of the organisation, without the appearance of ill-gotten profits, impropriety, or conflict of interest as a result of their activities.
• In a non-government organisation, they are responsible for the appointment of the CEO (Chief Executive Officer).


Roles and Responsibilities
Executive Management

• Executive management has the responsibility of carrying out the directives issued by the board of directors.
• In information security management, this includes ensuring that the organisation has enough resources for the implementation of a security program, and for the development and maintenance of security controls for the protection of critical assets.
• Executive management must provide assurance of balanced priorities.


Roles and Responsibilities
Security Steering Committee

• Responsibilities of the Steering Committee include the following:
o Risk Treatment Deliberation and Recommendation
o Discussion and Coordination of IT and Security Projects
o Discussion of New Laws, Regulations, and Requirements
o Review of Recent Risk Assessments
o Review of Recent Security Incidents


Roles and Responsibilities
Business Process and Business Asset Owners

• Responsibilities of Business Process and Business Asset Owners include the following:
o Access Grants
o Access Reviews
o Configuration
o Process Definition
o Functional Definition
o Access Revocation
o Physical Location


Roles and Responsibilities
Data Management

• Data management positions are responsible for the development and implementation of database designs, and the maintenance of databases.
• These positions are:
o Data Manager
o Database Analyst
o Data Scientist
o Database Architect
o Database Administrator


Roles and Responsibilities
Security Operations

• Security operations positions are responsible for building, designing, and monitoring the security controls and security systems for the assurance of confidentiality, integrity, and availability of information systems.
• The major security positions are:
o Security Architect
o Security Engineer
o Security Analyst
o Access Administrator


Monitoring Responsibilities

• Monitoring responsibilities help an organisation to ensure that the correct jobs are being carried out in the right way.
• There are various activities which provide information to management.
• These activities include the following:
o Controls and Internal Audit
o Metrics and Reporting
o Work Measurement
o Performance Evaluation
o Position Benchmarking
o 360 Feedback


Module 1B1: Information Security Strategy Development


Introduction

• Risk optimisation is an essential component of enterprise IT governance and management.
• The information security strategy covers management actions and structures that are distinct from governance activities.
• The information security strategy will give a plan of action for the information security manager to meet enterprise needs, such as achieving an acceptable level of risk while optimising resources.


Business Goals and Objectives

• Corporate governance is the exercise of a set of practices and responsibilities by the board of directors and senior management with the aim of providing strategic direction, assuring that objectives are met, that risk is appropriately managed, and that the enterprise's resources are used responsibly.
• A strategy is a plan for attaining a goal. The objectives outlined in the plan define the business's strategic orientation.
• Information security must support the business strategy and the activities that take place to attain the objectives in order to be valuable to the firm.
• Information security governance is a subset of corporate governance. It offers strategic direction for security operations and assures that goals are met.
• It confirms that information security risk is correctly controlled and that enterprise information resources are used efficiently and effectively.


Business Goals and Objectives
Relationship of Governance Elements

[Figure: relationship of governance elements]

Business Goals and Objectives
Information Security Strategy Development Participants

[Figure: information security strategy development participants]

Information Security Strategy Objectives

• An information security strategy's objectives must be described, and metrics must be developed to ascertain whether those objectives are being accomplished. The six identified outcomes of security governance will often provide high-level direction. The outcomes are as follows:
o Strategic Alignment
o Effective Risk Management
o Value Delivery
o Resource Optimisation
o Performance Measurement
o Assurance Process Integration


Information Security Strategy Objectives
(Continued)

• The plan must explain what each of the chosen areas means to the enterprise, how each result might be attained, and what constitutes success.
• Sensitivity will be a more subjective decision. The unintentional revealing of sensitive information can have a wide range of consequences that are difficult to predict.
• The data owner is the person who ascertains the classification level for data and is usually the best source for ascertaining the potential implications of data leakage.
• The categorisation level will then serve as the foundation for security operations and access control. Most businesses will employ three or four levels of sensitivity and criticality, like confidential, internal, and public.
• Asset classification is a difficult process for most enterprises, but it is necessary for existing information if security governance is to be effective, efficient, and relevant.


Information Security Strategy Objectives
(Continued)

• When done properly, classification reduces the cost of overprotecting insignificant information while also reducing the danger of under-protecting high-value information.
• If this task is not completed, it will become increasingly difficult over time. Policies, processes, and standards must be defined concurrently in order to mandate classification and to keep related problems from worsening.
• Over-classification is a significant issue in classification implementation. It can be especially challenging in enterprises with a blaming culture, where mistakes are not tolerated.
• It would be impossible to develop a cost-effective security plan that is aligned with business needs before:
o Describing the needs of the business in terms of information security.
o Ascertaining information security goals that will meet the needs.
o Identifying and locating information resources and assets.
o Assessing information resources and assets.
o Categorising information assets according to their importance and sensitivity.
o Implementing a procedure to make sure that every asset has a specified owner.


Ensuring Objective and Business Integration

• It is vital to specify the security objectives if an information security strategy is to serve as the foundation for a plan of action to accomplish those goals.
• For a variety of reasons, defining long-term goals in terms of a desired level of security is essential.
• Without a well-articulated vision of desired results for a security program, developing a meaningful strategy is not possible.
• Without a strategy, it is impossible to develop a meaningful action plan, and the enterprise will continue to execute ad hoc tactical point solutions with nothing to give overall integration.
• The resulting non-integrated systems will cost more money, be difficult or impossible to secure, and be harder or impossible to manage. Various businesses wait until a significant catastrophe occurs before allocating enough resources to solve these problems.
• This could lead to outcomes that are much more costly than dealing with problems appropriately from the start.
Ensuring Objective and Business Integration
(Continued)

• Audit reports, change management activities, and steering committee conversations are additional sources of information to direct security operations.
• For instance, the establishment of a Public Key Infrastructure (PKI) might permit high-value transactions between dependable business partners or clients.
• By using Virtual Private Networks (VPNs), the sales force may be given access to secure remote connectivity and be able to protect sensitive data well.
• In other words, information security enables business operations that would otherwise be too risky to carry out or, as is commonly the case, be carried out in the hopes that everything will work out as planned.


Ensuring Objective and Business Integration
Business Linkages

• A direct connection to particular business activities and goals must be made when formulating strategic objectives.
• These connections can begin from the viewpoint of a particular line of business, considering specific objectives.
• A review and analysis of each component of a specific product line can show how this strategy might function.
• A look into the process's past might turn up past mistakes that could point out system flaws. The research may reveal ways to reduce errors, either by putting in place more or better controls or by assuring redundancy for more trustworthy automated operations, as human error accounts for the majority of system failures.


Ensuring Objective and Business Integration
(Continued)

• By enhancing business processes, lowering errors, and boosting productivity, the establishment and analysis of business links can reveal information security vulnerabilities at the operational level, which can significantly increase the value of information security.
• If high-level members of the key departments and business units are involved, one of the beneficial outcomes of an information security steering group can be improving business links continuously.
• Regular meetings with business owners to address security-related topics can help create connections.
• This could be a chance to inform the owners of business processes about the possible advantages that more security could bring to their system.


Avoiding Common Pitfalls and Bias

• While preparing for strategy development, it is essential to avoid a few common errors that may have an undue influence on the objectives to be fulfilled and the activities carried out to achieve corporate goals.
• Experiments and investigations have revealed a number of underlying reasons for poor decision making. Awareness may lead to solutions that mitigate the negative impacts. Some of the most common pitfalls are:
o The Status Quo Bias
o Overconfidence
o Optimism
o Anchoring
o Mental Accounting
o The Herding Instinct
o False Consensus


The Desired State

• The phrase "desired state" refers to a complete snapshot of all appropriate conditions at a specific time in the future.
• It must encompass policies, principles, processes, framework, organisational structures, ethics, cultures, information, behaviour, services, applications, infrastructure, skills, people, and competencies for a robust picture.
• It is impossible to define a condition of security in solely quantitative terms. As a result, a desired state of security must be described qualitatively in terms of traits, characteristics, and results to some extent.
• As per COBIT, it can involve high-level objectives like "protecting the interests of individuals who rely on information, as well as the systems, processes, and communications that manage, store, and distribute the information, against harm caused by failures of confidentiality, availability, and integrity".


The Desired State
COBIT

• COBIT gives a comprehensive framework for enterprise IT governance and management that addresses IT security, risk, governance, and information security in general.
• Because IT and related activities are involved in many elements of information security, it can serve as a framework for ascertaining the intended state for effective information security.
• COBIT has various focus areas, each of which describes a specific governance domain, topic, or issue that can be addressed by a set of governance and management objectives and their components.
• Small and medium-sized businesses, risk, information security, digital transformation, cloud computing, privacy, and DevOps are examples of potential focus areas.


The Desired State
(Continued)

• Focus areas may include a mix of generic governance components and modifications, as well as issues for information security governance.
• COBIT is based on two sets of principles:
1. Principles that define the fundamental requirements of a business information and technology governance system.
2. Principles for a governance framework that can be utilised to design an enterprise governance system.


The Desired State
Governance System Principles

1. Provide Stakeholder Value
2. Holistic Approach
3. Dynamic Governance System
4. Governance Distinct From Management
5. Tailored to Enterprise Needs
6. End-to-End Governance System


The Desired State
Governance Framework Principles

1. Based on Conceptual Model
2. Open and Flexible
3. Aligned to Major Standards


The Desired State
Business Model for Information Security

• To more effectively manage security, the BMIS model employs systems thinking to elucidate complex relationships inside the company.
• The model's elements and dynamic interconnections define the boundaries of an information security program and model how the program runs and responds to internal and external change. BMIS sets the stage for frameworks like COBIT.
• To be fully understood, a system must be regarded holistically rather than simply as the sum of its elements.
• This is at the heart of systems theory. A holistic approach looks at the system as a whole and as a functional entity.
• Another principle of systems theory is that understanding one aspect of the system allows you to understand other areas of the system.


The Desired State
Business Model for Information Security

[Figure: the BMIS model, showing the elements Organisation (Design/Strategy), People, Process, and Technology, with the interconnections Governance and Human Factors labelled.]


The Desired State
(Continued)

• The following are the Four Elements of the BMIS Model:

1. Organisation Design and Strategy
2. People
3. Process
4. Technology


The Desired State
Dynamic Interconnections

• The elements are linked together by dynamic interconnections, which produce a multidirectional force that pushes and pulls as things change.

• Behaviours and actions in the dynamic interconnections might throw the model off balance or bring it back into balance. The six dynamic interconnections are as follows:

1. Governance
2. Culture
3. Enablement and Support
4. Emergence
5. Human Factors
6. Architecture


The Desired State
Governance, Risk Management, and Compliance

• GRC is an example of the growing realisation of the need for convergence, or assurance process integration.

• GRC refers to a strategy that enterprises can use to integrate these three areas.

• GRC, which is sometimes characterised as a single business activity, covers several overlapping and related operations within a company, such as internal audit and compliance programmes.

• Governance is the duty of the board of directors and senior management, and it focuses on developing the procedures that an enterprise needs to ensure that employees follow defined policies and processes.


Elements of a Strategy
Road Map

• People, procedures, technology, and other resources are typically included in a road
map to attain a stated, secure desired state.

• Its purpose is to map the pathways and steps that need to be taken to achieve the
strategy's objectives.

• The interactions and relationships between numerous strategy elements are likely to be
complex. As a result, it is advisable to think about the early stages of designing a
security architecture.

• Architectures can help define business drivers, resource relations, and process flows in
a systematic way.

• Architecture can also assist in ensuring that conceptual and contextual factors, like
business drivers and effects, are taken into account during the strategy creation stage.



Elements of a Strategy
Resources and Constraints

• COBIT defines some governance system elements as factors that collectively and
individually impact whether something will work—in this case, management and
governance of information security and enterprise IT.

• The objectives cascade drives these components (i.e., higher-level goals describe what
the different enablers must attain). The following are the components of the
governance system:

1. Principles, Policies, and Framework: The vehicle for translating desired behaviour
into practical guidance for daily management.

2. Processes: An organised set of actions and practices to attain specific goals and produce a number of outputs in support of attaining overall objectives.



Elements of a Strategy

3. Organisational Structures: The primary decision-making bodies in an enterprise.

4. Culture, Ethics, and Behaviour: Individual and enterprise characteristics that are usually overlooked as success elements in governance and management activities.

5. Information: Information used and produced by the enterprise. Information is widespread across the enterprise and is essential to keep the enterprise running and well-governed, but at the operational level, information is frequently the core product of the enterprise itself.

6. Services, Infrastructure, and Applications: The applications, technology, and infrastructure that give information technology processing and services to the organisation.

7. People, Skills, and Competencies: Necessary for carrying out all tasks successfully, reaching the right conclusions, and for taking actions appropriately.


Module 1B2: Information Governance Frameworks and Standards


The Security Balanced Scorecard

• A balanced scorecard is a tool of management used to measure the effectiveness and performance of an organisation.

• It is used to determine how well an organisation can accomplish its strategic objectives and missions, and how well it is associated with overall organisational objectives.

• Management defines key measurements in the balanced scorecard in each of four perspectives:

 Financial Key Measurements
 Customer Key Measurements
 Internal Processes Measurements
 Innovation and Learning Measurements


The Security Balanced Scorecard
(Continued)

• The balanced scorecard of each organisation will represent the unique set of
measurements that reflects the type of business, style of management, and business
model of an organisation.

• It needs to be used for the measurement of the overall progress and effectiveness of
an organisation.

• The security balanced scorecard is similar to the balanced scorecard and can be used to measure the results and performance of a security organisation.

• The security balanced scorecard has the same four perspectives as the balanced
scorecard.



The Security Balanced Scorecard
(Continued)

• The four perspectives of the security balanced scorecard are mapped to key activities, as shown in the table below. Each row lists the activity and then its Financial, Customer, Internal Processes, and Innovation and Learning measures, in that order:

 Awareness and Education: Lower cost of incidents; Increase confidence; Improve processes; Improve awareness
 Access Control: Control access; Provide access; Ensure proper access; Improve communication
 Vulnerability Management: Reduce vulnerabilities; Protect against vulnerabilities; Manage risks; Learn from incidents
 Business Continuity: Ensure continuity; Provide core services; Test continuity; Ensure awareness
 Compliance: Comply with regulations; Ensure compliance; Ensure compliance; Review compliance
 Program Management: Ensure efficiency; Include customer input; Reduce reactive processes; Continue improvement


Architectural Approaches

• One of the subsets of Enterprise Architecture (EA) is Enterprise Information Security Architecture (EISA).

• A foundational structure, or set of structures, can be described as an architecture framework. These structures can be used to create a variety of different architectures, such as business process architecture, also known as contextual architecture, and the more conventional conceptual, logical, physical, functional, and operational architectures.

• Numerous strategies have emerged, including process models, frameworks, and ad hoc methods. This development happened as it became clear that a perspective on architecture that was limited to IT was unable to satisfy business design and the development of security requirements.

• Linkages to the business side of information protection and techniques for its design are provided by a variety of architectural approaches.


Enterprise Risk Management Framework

• Several Enterprise Risk Management (ERM) models incorporate components that assist in preparing for strategic planning and subsequent program development:

 The COSO ERM Integrated Framework describes fundamental enterprise risk management components, examines key ERM concepts and principles, recommends a standard ERM language, and gives clear guidance and direction for enterprise risk management.

 ISO 31000:2018 specifies risk management principles, a framework, and a procedure to assist enterprises in increasing the possibility of attaining objectives, discovering opportunities and threats, and efficiently allocating and utilising risk treatment resources.

 The Risk Management Code of Practice, British Standard (BS) 31100, provides a procedure for executing and maintaining the concepts stated in ISO 31000, involving essential functions such as identifying, responding, assessing, reporting, and reviewing.


Information Security Management Frameworks and Models

• Numerous well-known frameworks were developed with an emphasis on information security risk management.

1. ISO/IEC 27000 Series

• The 14 sections of the ISO/IEC 27001:2013 standard can be used to assess the comprehensiveness of an organisational security strategy and assure that all important security elements are addressed.

• It is important to build organisational standards and policies that can be traced directly to each standard element.

• While 27002:2013 is the standard on which an enterprise may decide to be evaluated and certified, it is also the code of practice for information security management that supports standard implementation.


Information Security Management Frameworks and Models
(Continued)

• The following are the 14 Security Control Clauses of ISO/IEC 27001:2013:


A.5: Information Security Policies
A.6: Organisation of Information Security
A.7: Human Resource Security
A.8: Asset Management
A.9: Access Control
A.10: Cryptography
A.11: Physical and Environmental Security
A.12: Operations Security
A.13: Communications Security
A.14: System Acquisition, Development and Maintenance
A.15: Supplier Relationships
A.16: Information Security Incident Management
A.17: Information Security Aspects of Business Continuity Management
A.18: Compliance



Information Security Management Frameworks and Models

2. NIST Cybersecurity Framework

• The NIST Cybersecurity Framework, formally known as the NIST Framework for Improving Critical Infrastructure Cybersecurity, provides high-level guidelines for aligning a cybersecurity programme with organisational goals.

• In response to the increased occurrence of cybersecurity threats, NIST hosted a series of workshops to build a process for identifying possibilities for improvement in an enterprise's information security programme.

• The framework emphasises the importance of effective risk management integration and extensively promotes supply chain risk management improvement.

• The NIST Cybersecurity Framework does not provide any controls that can be used.


Information Security Management Frameworks and Models

3. NIST Risk Management Framework

• The NIST Risk Management Framework (RMF) gives a procedure for integrating privacy, security, and cyber supply chain risk management activities into the system development life cycle.

• Originally designed to assist US federal agencies in evaluating and improving information security, it has been expanded to apply to any company and is free to use.

• The RMF provides provisions for assessing the continuous efficacy and efficiency of risk management procedures, as well as a risk-based approach to categorising relevant assets and selecting and implementing controls to attain adequate protection.



Module 1B3: Strategic Planning



Workforce Composition and Skills

• Personnel security is an important aspect of an enterprise's information security strategy that must be taken into account as a preventive measure for securing an enterprise.

• Because the most damaging and costly compromises are generally the consequence of insider activity, whether unintentional or intentional, the first line of defence should be to try to assure the trustworthiness and integrity of new and existing people.

• The information security program will implement the mechanisms for assuring these traits in the workforce (including in-house people and external service providers), but needs and plans must be incorporated into the strategy.


Workforce Composition and Skills
Organisational Structure

• The formulation of an information security strategy will be heavily influenced by the organisational structure.

• In designing a security plan, a flexible and dynamic structure is likely to be beneficial.

• In more constrained systems, efforts to formulate a strategy may be regarded as a challenge to the autonomy or authority of diverse groups.

• This is becoming more common as the importance and prominence of the information security function in the organisational hierarchy have grown.

• Although reporting to the CIO was appropriate in the past, that structure has become insufficient for successfully managing increased risk, escalating losses, and the sophistication of attackers. Furthermore, it frequently leads to a conflict of interest.


Workforce Composition and Skills
Centralised and Decentralised Approaches to Coordinating Information Security

• The cultural mix of an enterprise will influence many aspects of strategy, involving whether a centralised or decentralised approach is more beneficial for the security enterprise.

• While centralisation and standardisation of security can provide many benefits, the structure of an enterprise often renders this an inefficient approach.

• Multinational corporations that choose a centralised approach must carefully analyse the various local legal requirements in each country in which they have a presence.

• For instance, some nations may forbid the storage or processing of business data outside of their borders, and other governments may levy taxes, such as a withholding tax, on any software or hardware used by entities under their jurisdiction, regardless of where that software or hardware is physically located.


Workforce Composition and Skills
Employee Roles and Responsibilities

• It is crucial that the plan include a mechanism that defines all security duties and responsibilities and incorporates them in employee job descriptions due to the numerous tasks that employees must do.

• In the end, there is a better likelihood of accomplishing security governance goals if employees are compensated based on their commitment to performing their job responsibilities.

• The annual job performance and goals of an employee may contain security-related metrics.

• To describe security roles and duties, the information security manager should collaborate with the HR director. Each job position's specific competencies should be identified and recorded.


Workforce Composition and Skills
Skills

• The skills required to implement a security strategy are a significant concern.

• Choosing a plan that employs existing abilities is likely to be the most cost-effective option, although it may be necessary to develop new skills or outsource certain critical functions at times.

• A skills inventory is necessary to ascertain the resources available while establishing a security plan.

• Proficiency testing may be useful in determining whether the necessary skills are available or may be acquired through training.


Workforce Composition and Skills
Awareness and Education

• Because security is frequently weakest at the end-user level, training, education, and
awareness are critical components of the overall plan.

• It is critical to evaluate the requirement for the development of methods and processes
that make policies, standards, and procedures easier to follow, implement, and
monitor.

• A periodic security awareness campaign intended for end users underlines the
importance of information security, and it is now required by law in several jurisdictions
for a variety of sectors.

• Evidence suggests that the majority of employees in most businesses are unaware of
security policies and regulations, even if they exist.



Assurance Provisions
Audits

• Audits, both external and internal, are one of the primary methods for ascertaining
information security deficiencies in terms of controls and compliance, and they are an
important resource in strategy creation.

• Internal audits are typically undertaken by an internal audit department that reports to
either an audit committee of the board of directors or senior management in larger
enterprises.

• External audits are often performed by an independent third party and may involve IT
and information security domains, depending on audit objectives.

• Because audits can give the information security manager valuable monitoring tools,
the security department must have access to this information.



Assurance Provisions
(Continued)

• It is critical for the information security manager to have solid working relationships
with other assurance providers in order to facilitate the flow of information that is
required for effective security management.

• Many enterprises are required to file numerous audits and other reports with regulatory
bodies as a result of increased regulatory oversight.

• Many of these reports have implications for information security and can give helpful
intelligence and monitoring data to the information security manager.



Identify and Classify Assets
Data Classifications

Government classifications and potential adverse impact from a data breach:

 TOP SECRET (Exceptionally Grave Damage)
 SECRET (Serious Damage)
 CONFIDENTIAL (Damage)
 UNCLASSIFIED (No Damage)

Nongovernment classifications and potential adverse impact from a data breach:

 Class 3: CONFIDENTIAL/PROPRIETARY (Exceptionally Grave Damage)
 Class 2: PRIVATE (Serious Damage)
 Class 1: SENSITIVE (Damage)
 Class 0: PUBLIC (No Damage)

Assurance Provisions
Compliance Enforcement

• Security violations are a constant worry for information security managers, and it is essential to develop methods for dealing with them as part of the strategy development.

• Senior management buy-in and support for these procedures are crucial, particularly in terms of enforcement.

• Management is frequently the source of the most serious compliance issues, according to security managers. It may be difficult to enforce compliance across an enterprise if there is a lack of dedication and compliance in management ranks.

• The most effective way to comply in an enterprise where transparency and trust are valued and fostered by management is likely to be a system of self-reporting and voluntary compliance based on the knowledge that security is clearly in everyone's best interest.


Risk Assessment and Management

• A complete approach for recognising, assessing, and treating information security risk should be included in the information security strategy. Strategic planning involves the determination of how to attain risk direction in order to safeguard diverse enterprise assets from a wide variety of threats and vulnerabilities.

• The following are the elements that must be considered in strategic planning, and subsequent operation and implementation as a part of information security itself:

 Business Impact Analysis
 Resource Dependency Analysis
 Outsourced Services
 Threat Assessment
 Vulnerability Assessment
 Insurance
 Other Organisational Support and Insurance


Action Plan to Implement Strategy
Gap Analysis – Basis for an Action Plan

• A gap analysis is necessary for several strategy components, including maturity levels, control targets, and risk and impact objectives.

• The analysis will determine the steps required to transition from the present state to the desired state in order to meet the set objectives.

• This exercise may need to be performed annually, or more frequently, to give performance and target metrics, as well as information for potential mid-course corrections in reaction to changing surroundings or other variables.

• Working backward from the endpoint to the current state to find the intermediate steps required to achieve the objectives is a common technique for gap analysis.


Action Plan to Implement Strategy
Action Plan Matrix

• The strategy's implementation plan will necessitate mechanisms for monitoring and measuring progress and achievement of goals.

• As with any project plan, costs and progress must be reviewed on a continuous basis to ensure plan compliance and to allow for prompt mid-course modifications.

• There will almost certainly be a number of short-term objectives, each of which will necessitate resources and a plan of action to attain.

• A variety of ways can be employed to continuously monitor and measure progress. On a regular basis, one or more of the methods for assessing the present state can be used to evaluate and chart how the current state has changed.


Action Plan to Implement Strategy
Key Goal Indicators

• Developing meaningful measurements requires defining clear objectives and reaching a consensus on targets.

• The following are some essential objectives for an information security plan:

 Meeting Sarbanes-Oxley controls testing compliance requirements.
 Finishing independent controls testing, validation, and attestation.
 Creating the required control effectiveness statement.

• The findings of the testing must be signed by the CFO and CEO and confirmed by independent auditors. The findings must subsequently be published in the company's public filings with the SEC.


Action Plan to Implement Strategy
Key Performance Indicators

• Indicators of critical performance parameters required to fulfil the goals include:

 Plans for control effectiveness testing.
 Progress in testing control effectiveness.
 Control effectiveness testing results.

• Appropriate testing plans that are consistent with the established goals and incorporate the CSFs must be developed in order to track progress in the testing effort.

• Management will require reporting on the progress and outcomes of testing due to the limited time available to execute the essential tests.


Action Plan to Implement Strategy
General Metrics Considerations

• Considerations for information security metrics involve confirming that what is being assessed is, in fact, appropriate.

• In any objective sense, it is difficult to measure security, and largely meaningless indicators are frequently utilised merely because they are readily available.

• Metrics serve only one purpose: to deliver the information required to make decisions. It is therefore vital to understand what decisions must be taken and who makes them, and then to devise means to provide that information in an accurate and timely manner.

• Different metrics are more or less valuable for different segments of the organisation and should be determined in consultation with business process management and owners.


Action Plan to Implement Strategy
(Continued)

• While technical metrics are crucial to the IT security manager, senior management
usually wants a summary of information that is important from a management viewpoint
- information that normally excludes comprehensive technical data.

• This includes the following:

 Progress in accordance with the plan and budget.

 Significant changes in risk and potential consequences for business objectives.

 The outcomes of disaster recovery testing.

 Audit findings.

 Status of regulatory compliance.



Action Plan to Implement Strategy
(Continued)

• The information security manager might require more in-depth tactical data, such as:

 Metrics for policy compliance.
 Important system, process, or other changes that could modify the risk profile.
 Status of patch management.

• The majority of technical security data may be valuable in organisations with an IT security manager. This comprises:

 Results of vulnerability scans.
 Compliance with requirements for server configuration.
 Monitoring data from intrusion detection systems.
 Analysis of firewall logs.


Action Plan to Implement Strategy
Action Plan Intermediate Goals

• Once the overarching strategy has been completed, most enterprises may easily define a variety of specific near-term targets that are in line with the overall information security strategy.

• Prioritising corrective actions should be based simply on the BIA identification of business-critical resources and the security status as established by the previous CMMI gap analysis.

• If the security strategy objective is to attain CMMI level 4 certification and compliance, then an example of near-term action may include the following:

 The current applications being used must be identified by each business unit.
 Twenty-five percent of all data that has been kept needs to be examined to determine who owns it and how sensitive it is.
 In order to identify important resources, each business unit must complete a BIA for information resources.

Action Plan to Implement Strategy
(Continued)

 Business units must comply with regulations.
 It is necessary to specify all security positions and duties.
 Establishing a procedure to ensure business process connections.
 Each business unit must undergo a thorough risk assessment.
 The acceptable use policy must be explained to all users.
 To ensure that all policies are consistent with strategic security goals, all policies must be evaluated and amended as appropriate.
 All policies must be subject to standards.


Information Security Program Objectives

• The strategy will result in an information security programme if it is implemented with an action plan.

• The program is essentially the project plan for implementing and establishing ongoing management of some or all of the strategy's components.

• The information security program protects persons who rely on information as well as the procedures, systems, and communications that handle, store, and transmit it.

• Its goal is to keep them safe from harm caused by failures in availability, confidentiality, and integrity. Concepts such as information utility and possession are emerging definitions (the latter to cope with theft, deception, and fraud).

• The networked economy has undoubtedly increased the importance of trust and accountability in electronic transactions.


Information Security Program Objectives
(Continued)

• For most enterprises, security is achieved when:

 Information is available and usable when needed, and the systems that provide it can withstand attacks (availability).
 Information is only observed or released to those who have a legal right to know (confidentiality).
 Data is safeguarded against unauthorised change (integrity).
 Business transactions and information exchanges between enterprise sites or with partners can be trusted (authenticity and nonrepudiation).



Domain 2

Information Security Risk Management


This Domain Covers…

Domain 2: Information Security Risk Management

A: INFORMATION RISK ASSESSMENT

 2A1: Emerging Risk and Threat Landscape
 2A2: Vulnerability and Control Deficiency Analysis
 2A3: Risk Assessment and Analysis

B: INFORMATION RISK RESPONSE

 2B1: Risk Treatment / Risk Response Options
 2B2: Risk and Control Ownership
 2B3: Risk Monitoring and Reporting


Module 2A1: Emerging Risk and Threat Landscape


Risk Identification

 Before an enterprise can investigate potential and emerging risks, it must first understand how to identify risks.

 Risk identification is the process of determining the nature and type of viable threats and examining the enterprise's vulnerabilities that are subject to those threats.

 The vulnerabilities that identified threats may exploit constitute an identified risk.

 Only identified risks can be assessed and treated appropriately, so risk identification is essential to effective risk management.

 It is essential to identify all information assets, involving those held by third parties. It is necessary to identify viable threats, both potential and actual.

 The viability of a threat is determined by two factors: The threat exists or could reasonably be anticipated to materialise, and the threat is under control in some way.


Risk Identification
(Continued)

 A knowledgeable group developing a variety of risk scenarios or brainstorming sessions is usually used to identify risks.

 These exercises consider that all significant enterprise vulnerabilities are known, as well as the types and nature of threats that could exploit them.

 Vulnerabilities can take many different forms.

 They may be commonly understood technical weaknesses, or they could be obscured by unmonitored procedures or business processes.


Risk Identification
(Continued)

Risk Scenario Approaches

Top Down (starting from business goals):
• Identify business objectives
• Identify scenarios with the highest impact on achievement of business objectives

Bottom Up (starting from generic risk scenarios):
• Identify hypothetical scenarios
• Reduce through high-level analysis


Threats
Internal Threats

• Internal threats are those that are initiated in the organisation.

• Internal threats are related to the employees of the organisation, and the employees may be the intentional actors of these threats.

• Threats can be constituted by events such as the following:

o Well-meaning personnel making errors in haste.

o Disgruntled personnel deliberately bringing harm to an asset.

o Well-meaning personnel being tricked into doing something harmful.

o A trusted individual in a trusted third-party organisation doing any of these.


Threats
External Threats

• External threats are those threats initiated outside the organisation.

• These can include both deliberate and accidental threats, like internal threats.

• The security manager who is performing a risk assessment should understand the full range of threat actors, along with their motivations.

• It is specifically important for organisations where specific types of threat actors or motivations are more common.


Threats
(Continued)
External Threat Actors and Threat Motivations:

External Threat Actors:
• Former Employees
• Current and Former Consultants
• Current and Former Contractors
• Competitors
• Hacktivists
• Government Intelligence Agencies
• Terrorist Groups
• Activist Groups
• Armed Forces

Threat Actor Motivations:
• Competitive Advantage
• Economic Espionage
• Monetary Gain
• Political Gain
• Intelligence
• Revenge
• Ego
• Curiosity
• Unintentional Errors


Threats
Advanced Persistent Threats
• Advanced Persistent Threats (APTs) are highly skilled, advanced attackers with a strong motivation to exploit systems and networks.

• The increased skills available to the hacking community, as well as the efficiency of the tools they use, raise the risk of compromise significantly.

• Governments, organised crime, or competitors may sponsor APTs.

• The information security manager should be aware that APTs pose a significant risk to businesses of all sizes around the world and must ensure that adequate measures are in place to detect and identify this threat.


Threats
(Continued)
Typical Sources of APT

Threat: Intelligence agencies
What they seek: Political, defence or commercial trade secrets
Business impact: Loss of trade secrets or commercial, competitive advantage

Threat: Criminal groups
What they seek: Money transfers, extortion opportunities, personal identity information or any secrets for potential onward sale
Business impact: Financial loss, large-scale customer data breach or loss of trade secrets

Threat: Terrorist groups
What they seek: Production of widespread terror through death, destruction and disruption
Business impact: Loss of production and services, stock market irregularities and potential risk to human life

Threat: Activist groups
What they seek: Confidential information or disruption of services
Business impact: Major data breach or loss of service

Threat: Armed forces
What they seek: Intelligence or positioning to support future attacks on critical national infrastructure
Business impact: Serious damage to facilities in the event of a military conflict


Defining a Risk Management Framework
• A reference model must be used and adapted to the circumstances of the enterprise when developing a systematic risk management program.

• The reference model reflects the desired state.

• There are several standards and publications available to guide information technology and security risk management approaches.

• Examples include:

o COBIT

o NIST Managing Information Security Risk: Organisation, Mission and Information System View.


Emerging Threats
• Unusual activity on a system, repeated alarms, slow network or system performance, or new or extreme activity in logs can all be indicators of emerging threats.

• In several cases, compromised enterprises have had evidence of emerging threats in their logs well before the actual compromise, but the evidence was not noticed or not acted on.

• When combined with a threat, a lack of effective monitoring can result in a breach.

• Most technologies are designed with an emphasis on function and purpose, with little regard for security implications.

• As a result, new technology is often a source of new vulnerabilities and, in some cases, can act as a threat agent within an information system.

• The information security manager should be aware of new technologies and plan for their introduction in the enterprise, especially if the technologies promise cost savings or a competitive benefit.


Risk, Likelihood and Impact
• Risk is defined by the International Organisation for Standardisation (ISO) as "the effect of uncertainty on objectives." This means that results can be either positive or negative.

• Risk will be evaluated primarily from a negative viewpoint, with negative risk defined as the likelihood of an event and its consequences.

• The likelihood, also known as probability, is a measure of the frequency with which an event may arise.

• When determining risk, likelihood is used to estimate the level of risk on the basis of the frequency of events, as well as the impact of those events that may arise in a given time period.

• Annual Loss Expectancy (ALE) is determined by combining the likelihood or frequency with the magnitude. The higher the frequency, the higher the likelihood and, thus, the higher the risk.


Quantitative Risk Assessment Steps

1. AV = Asset Value
   Example: AV = Laptop £1500; AV = Data £1000; AV = £1500 + £1000

2. EF = Exposure Factor (%)
   Example: EF = 100% (laptop); EF = 0% (to the data); EF overall is still 60%

3. SLE = Single Loss Expectancy
   SLE = AV * EF
   Example: SLE = £1500; SLE = £2500

4. ARO = Annual Rate of Occurrence

5. ALE = Annual Loss Expectancy
   ALE = SLE * ARO
   Example: ALE1 = pre-countermeasure (£2500); ALE2 = post-countermeasure (£1500); countermeasure (£500 per laptop)

6. Cost/Benefit = ALE1 - ALE2 - cost of countermeasure = £500

   ROSI = (ALE1 - ALE2 - cost of countermeasure) / cost of countermeasure = 1
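The six steps above carried through in code for the slide's laptop scenario, as an added example that is not part of the course material. It assumes, since the slide does not say so, that the countermeasure takes the data's exposure factor from 100% to 0% (the laptop hardware stays fully exposed) and that ARO = 1, which is what makes ALE equal SLE; it also goes beyond the slide by re-running the sums for a low-frequency loss to show when the same £500 countermeasure stops paying for itself.

```python
"""Quantitative risk assessment: AV, EF, SLE, ARO, ALE, cost/benefit and ROSI.

Added example. Assumptions not stated on the slide: the countermeasure drops
the data's EF to 0% while the laptop hardware stays at 100%, and ARO = 1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetComponent:
    """One valued part of an asset with its own exposure factor (EF)."""
    name: str
    value: float            # AV, in pounds
    exposure_factor: float  # EF, 0.0 (nothing lost) .. 1.0 (total loss)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF for {self.name} must be between 0 and 1")


def asset_value(components):
    """Step 1: AV is the sum of the component values (laptop + data)."""
    return sum(c.value for c in components)


def single_loss_expectancy(components):
    """Step 3: SLE = AV * EF, applied per component so each part keeps its own EF."""
    return sum(c.value * c.exposure_factor for c in components)


def overall_exposure_factor(components):
    """Step 2: the blended EF implied by the per-component EFs (60% on the slide)."""
    av = asset_value(components)
    return single_loss_expectancy(components) / av if av else 0.0


def annual_loss_expectancy(sle, aro):
    """Step 5: ALE = SLE * ARO (step 4 supplies the ARO)."""
    return sle * aro


def cost_benefit(ale_before, ale_after, countermeasure_cost):
    """Step 6: net annual benefit = ALE1 - ALE2 - cost of countermeasure."""
    return ale_before - ale_after - countermeasure_cost


def rosi(ale_before, ale_after, countermeasure_cost):
    """Return on security investment: net benefit divided by the countermeasure cost."""
    if countermeasure_cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    return cost_benefit(ale_before, ale_after, countermeasure_cost) / countermeasure_cost


def laptop_example(aro=1.0, countermeasure_cost=500.0):
    """The slide's laptop scenario; ARO is a parameter so low-frequency cases can be explored."""
    # Before the countermeasure both the hardware and the data are fully exposed (assumed).
    before = [AssetComponent("laptop", 1500.0, 1.0), AssetComponent("data", 1000.0, 1.0)]
    # After it, the hardware is still lost but the data is not (EF 0%, per the slide).
    after = [AssetComponent("laptop", 1500.0, 1.0), AssetComponent("data", 1000.0, 0.0)]
    sle1, sle2 = single_loss_expectancy(before), single_loss_expectancy(after)
    ale1, ale2 = annual_loss_expectancy(sle1, aro), annual_loss_expectancy(sle2, aro)
    return {
        "av": asset_value(before),
        "ef_after": overall_exposure_factor(after),
        "sle_before": sle1,
        "sle_after": sle2,
        "ale_before": ale1,
        "ale_after": ale2,
        "cost_benefit": cost_benefit(ale1, ale2, countermeasure_cost),
        "rosi": rosi(ale1, ale2, countermeasure_cost),
    }


if __name__ == "__main__":
    # ARO = 1 reproduces the slide; ARO = 0.25 (one loss every four years) goes negative.
    for aro in (1.0, 0.25):
        r = laptop_example(aro)
        print(f"ARO={aro}: AV=£{r['av']:.0f} EF={r['ef_after']:.0%} "
              f"ALE1=£{r['ale_before']:.0f} ALE2=£{r['ale_after']:.0f} "
              f"cost/benefit=£{r['cost_benefit']:.0f} ROSI={r['rosi']:.2f}")
```

A negative ROSI means the countermeasure costs more per year than the loss it prevents, which is why the ARO estimate in step 4 deserves as much scrutiny as the asset values.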


Risk Register
• A risk register must be established during the process of identifying risk and its elements.

• The register must act as a central repository for all information security risks, including specific threats, exposures, vulnerabilities, and assets at risk. It must record the owner of the asset, the risk owner, and any other stakeholders.

• Because the risk register is a living repository, content must be filled in as the assessment process begins.

• Once the efforts for risk identification, evaluation, analysis, and response have been completed, and other relevant information has been entered into the register, it will act as an authoritative reference point for every risk management-related activity.

• Risk registers improve accountability by assigning risk to risk owners and also give a tracking mechanism to ensure risk has been mitigated in accordance with agreed-upon action plans and timelines. There is no accountability if there is no risk register.


Risk Register
(Continued)

• The risk register gives an overview of the enterprise's risk profile. A risk profile is a
necessary component of active information risk management.

• It will provide a thorough overview of the overall risk to which the enterprise is exposed,
as well as other pertinent information.

• There are several approaches available to meet this requirement.



Module 2A2: Vulnerability and Control Deficiency Analysis


Introduction
• The term vulnerability, also known as weakness, is usually used to describe a binary condition.

• Something is either vulnerable or not vulnerable. In most situations, however, assets are vulnerable to differing degrees.

• The extent of exposure should be considered because it influences the likelihood that a vulnerability will be compromised.

• These differences are important when prioritising risk management efforts, ascertaining the level of risk within a scenario, and explaining conclusions and suggestions to management.

• Many vulnerabilities are system conditions that must be identified before they can be addressed.


Introduction
(Continued)
• The goal of vulnerability identification is to discover problems before they are discovered and exploited by an adversary, which is why an enterprise must conduct regular vulnerability assessments and penetration tests to identify, validate and classify its vulnerabilities.

• A vulnerability assessment should consider process and procedural flaws as well as logical flaws. Where there are vulnerabilities, there is risk.

• Various types of testing or subject matter expert estimates can be used to estimate the degree of vulnerability. Estimates, like other types of valuations, can be quantitative or qualitative.

• Whatever method is used, it is essential to communicate the nature of these estimates so that management is not misled.

• Using ranges or distributions to indicate both unlikely maximums and more probable values is an effective approach for reflecting uncertainty in values.
Introduction
(Continued)
• Understanding the other controls in place that may mitigate the overall exposure is required to determine the ultimate relevance of a weak control.

• It would be inaccurate and unfair to portray a control as a major issue when, in fact, the combination of controls is quite robust.

• Many IT system flaws are discovered using automated scanning tools, and these can act as leading indicators of potential compromise.

• Process and performance vulnerabilities are more challenging to identify and may need a thorough review and analysis.

• To be effective, the assessment must take into account process, procedural, and physical vulnerabilities, as well as technological flaws.


Security Control Baselines
 Policies, processes, standards, practices, and organisational structures are all part of the information security risk management framework, which also includes controls.

 It is intended to give reasonable assurance that the business goals are attained and the potential consequences of undesired events are adequately addressed.

 The framework should consider people, procedures, and technology, as well as the enterprise's physical, contractual, technical, and procedural elements.

 To be effective, it must consider the enterprise's strategic, operational, programmatic, and tactical elements.

 Safeguards are any practice, process, procedure, or other instrumentation that reduces risk as a precautionary measure to protect a business asset.

 Safeguards are proactive controls because they are applied and used to prevent an event from occurring.


Security Control Baselines
(Continued)
 Intrusion Prevention Systems (IPSs), employee background checks, and turnstile gates are instances of proactive controls or safeguards.

 Countermeasures involve procedures, practices, processes, or other instrumentation used to respond to a past event.

 When a threat or vulnerability is identified, countermeasures are typically implemented.

 Countermeasures can be implemented and integrated in a variety of ways, ranging from modifying architecture or reengineering procedures to reduce or eradicate internal threats or technical vulnerabilities, to developing an employee awareness programme to target social engineering and promote early detection and reporting of security incidents.


Events Affecting Security Baselines
 A variety of factors may change the risk, probability, or impact equation, requiring a change in baseline security.

 The collective ability of controls to protect the enterprise's information assets determines baseline security.

 Baseline security is effectively governed by the least restrictive aspect of the collective standards and is the enterprise's minimum level of security. Control objectives must also reflect baseline security levels.

 Any incident can be attributed to either a lack of control or a control failure.

 Any significant incident needs a risk assessment and a root cause analysis of the failure, which may require increasing or altering baseline security by changing appropriate policies, procedures, processes, standards, or controls.


Events Affecting Security Baselines
(Continued)

 Information security managers must monitor and assess events that affect security
baselines and, as a result, might influence the security posture of the enterprise.

 Based on this evaluation, the information security manager should determine whether
the enterprise's security strategy, roadmap, and test plans need to be altered to
address changing risks.

 Security baselines may be changed for a variety of reasons.



Module 2A3: Risk Assessment and Analysis


Introduction
 Risk management involves a set of processes that considers the end-to-end requirements of recognising, examining, evaluating, and keeping risk at acceptable levels.

 These involve weighing policy alternatives with interested parties, taking risk assessment and other factors into account, and selecting suitable prevention and control options with acceptable costs and impacts on the enterprise's capability to operate efficiently.

 Risk management functions typically involve the execution of the following processes:

1. Establish Scope and Boundaries
2. Identify Assets and Valuation
3. Perform Risk Assessment
4. Recommend Risk Treatment or Response
5. Accept Residual Risk
6. Communicate About and Monitor Risk


Introduction
(Continued)
Continuous Risk Management Steps (cycle):

Risk Appetite → Identify and Assess Risk → Develop Risk Management Plan → Implement Risk Management Plan → Proactive Monitoring → (back to) Identify and Assess Risk

Regular review is required because:
• Risk changes over time
• Countermeasures might not be followed/appropriate
• Countermeasures might have opened new risk
Introduction
(Continued)
Information Security Risk Management Process:

Context Establishment
Risk Assessment:
  • Risk Identification
  • Risk Analysis
  • Risk Evaluation
Risk Treatment

Running alongside every stage: Communication and Consultation; Monitoring and Review.


Determining the Risk Management Context
 In business terms, risk management should provide a balance between benefits and costs.

 The scope of risk management activities and the environment in which risk management operates are defined by the context, which involves the organisational structure, culture, principles, people, infrastructure, and skills.

 Determining the risk management context includes specifying the:

 Enterprise's scope and the procedures or activities to be evaluated.

 Entire scope of risk management activities.

 Roles and responsibilities, not only for the various parts of the enterprise involved in the risk management process but also for risk and control ownership.

 Organisational culture, in the form of risk-aversion or risk-aggression.


Determining the Risk Management Context
(Continued)
 The risk-evaluation criteria should be determined and agreed upon. Whether or not risk treatment is needed is usually determined by technical, operational, regulatory, financial, legal, social, or environmental criteria, or a mixture of these.

 The criteria must be consistent with the scope and analysis of the enterprise's internal policies and processes, and they should support the enterprise's objectives and goals.

 Important criteria to consider include:

 Impact: The types of outcomes that will be considered.

 Likelihood: The likelihood of a negatively impacting event occurring.

 Cost-benefit Analysis: To ascertain the best strategy for mitigating versus transferring the impact of a risk event.


Determining the Risk Management Context
(Continued)
 Risk Appetite/Risk Tolerance: The rules that ascertain whether the risk level is such that additional treatment activities are needed.

 These criteria may need to be modified later in the risk management process as a result of changing circumstances or as a result of the risk assessment and evaluation process itself.


Operational Risk Management
 The risk of loss caused by ineffective, inefficient, inadequate, or failed procedures, people, and systems, as well as external events, is referred to as operational risk.

 Business interruption is a major concern, and averting it must be a primary principle of risk management.

 Most of the time, incident management is sufficient for managing materialised risk, minimising significant disturbance to operations and potential impacts.

 In some cases, incidents will escalate to disasters, requiring business continuity and disaster recovery.

 In either case, the understanding and ability to address the relevant problems sufficiently to assure the enterprise's survival serves as a backstop to limit risk and assure it is managed.


Risk Management Integration with IT Life Cycle
Management Processes
• It is essential for information security management to ensure that risk identification, evaluation, analysis, assessment, and response activities are integrated into life cycle processes.

• The necessity to minimise an enterprise's negative impact and to establish a solid basis for decision-making are the primary reasons enterprises implement a risk management process for their IT systems.

• Risk management must be fully integrated into the System Development Life Cycle (SDLC) for it to be effective. The SDLC of an information technology system has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal.

• In some cases, an IT system may be in multiple phases at the same time. However, regardless of the SDLC phase for which the assessment is performed, the risk management methodology is the same.

• Risk management is an iterative procedure that can be conducted throughout every major phase of the SDLC.
Risk Management Integration with IT Life Cycle
Management Processes
(Continued)

• Other business areas and activities may already have change management processes in place.

• One advantage is that many enterprises now have change management processes in place that cover the whole enterprise.

• The information security manager should be familiar with these change management activities and assure that security is properly integrated with business operations, so that changes are not made without considering the implications for the overall security of the enterprise's information assets.

• One way to help assure this is for information security management to join the change management committee and assure that all changes are subject to security review and approval, and that proposed changes satisfy policy and standard requirements.

• Any proposed variations must be identified and documented for further investigation.
Risk Management Integration with IT Life Cycle
Management Processes
(Continued)

• While the normal focus of change management is on hardware and software changes and their security impact, the change management process must extend far beyond system owners and the IT population.

• Change management must involve facilities management for data centre infrastructure and any other area that may have an impact on overall information security.

• Change management's impact on system and facility maintenance windows must be addressed by facilities personnel and business continuity management.

• Changes in these areas are frequently not documented in a timely manner. It is possible that facilities do not have current single-line drawings and blueprints.


Risk Management Integration with IT Life Cycle
Management Processes
(Continued)

The IT Risk Management Life Cycle (cycle):

IT Risk Identification → IT Risk Assessment → Risk Response and Mitigation → Risk and Control Monitoring and Reporting → (back to) IT Risk Identification


Risk Scenarios
 In general, risk can be characterised by or related to the following components:

Actor | Type of Threat | Event | Asset/Resource | Consequences, Resulting Results or Impact | Frequency


Risk Scenarios
(Continued)
Risk Scenario Components (figure)


Risk Assessment Process
 Risk assessment, in conjunction with either an information asset classification procedure or a business impact analysis to ascertain sensitivity or criticality, is used as a basis for identifying relevant and cost-effective countermeasures or controls to mitigate identified risk.

 Business value is usually expressed as sensitivity or criticality. The majority of risk assessment approaches have four distinct phases. These are:

1. Risk Identification
2. Risk Analysis
3. Risk Evaluation
4. Risk Assessment


Risk Assessment Process
Risk Driven Approach



Risk Assessment and Analysis Methodologies

 The information security manager has access to a variety of risk management models and assessment approaches. The approach chosen must be determined by the best form, fit, and function.

 Depending on the enterprise and the specific requirements, approaches such as the Holistic Approach to Risk Management (HARM), Factor Analysis of Information Risk (FAIR), risk factor analysis, and value at risk (VAR) may be more appropriate.

 Risk scenarios in the COBIT approach include the process of identifying risk, followed by analysis. The next step is to evaluate the risk to see if it exceeds acceptable levels.

 These three steps enable the risk assessment to produce a suggestion for the best risk response, or risk treatment.

 Priorities for response are determined by a cost-benefit and risk-level analysis, with high cost-benefit and high likelihood.


Risk Assessment and Analysis Methodologies

NIST Risk Assessment Methodology


Other Risk Assessment Approaches
• Developments in recent decades have resulted in significant enhancements in defining the bounds of probable risk.

• Yet, few effectively address information risk.

• A few of these advancements are being applied in the field of information security, and it is likely that more refined techniques and methods will continue to be developed.

Factor Analysis for Information Risk (FAIR)

• FAIR is a well-known industry approach for decomposing risk and understanding its elements.

• The approach provides a reasoned, detailed analysis process that is intended to supplement other assessment approaches with the goal of increasing accuracy.


Other Risk Assessment Approaches
FAIR Methodology



Other Risk Assessment Approaches
Holistic Approach to Risk Management (HARM)
• HARM is a methodology that is designed and developed to support as well as normalise an enterprise's approach to conducting risk analysis.

• The following are the core processes of HARM (figure).


Risk Analysis
 Risk analysis is the process of calculating and determining potential probability and resulting outcomes.

 This step involves ascertaining threat actor abilities and motivations, as well as the effectiveness of existing controls and the extent to which they may affect a specific identified risk. Risk analysis includes:

 Extensive investigation of the risk sources (threats and vulnerabilities) identified during the risk identification phase.

 The degree to which information assets are vulnerable to potential threats and their impact on likelihood. The potential negative effects of successfully attacking the assets.

 The likelihood of those consequences occurring, as well as the factors that influence them.

 Inclusion of existing controls or procedures that tend to decrease negative risk or improve positive outcomes.
Risk Analysis
Risk Mapping Indicating Risk Appetite Bands



Risk Evaluation
• During the risk evaluation phase, decisions are made about how the enterprise reacts to and prioritises risk based on the foregoing analysis, with allowance made for the probable margin of error, which can be significant if reliable data is unavailable.

• This is done within the context of the enterprise's defined tolerance criteria, risk appetite, and capacity, creating a method to advise on a reasonable and suitable risk response.

• Acceptance is the most likely treatment option if the risk meets the acceptable risk criteria.

• If the risk exceeds the acceptable level and is not within the tolerance range, the most likely treatment will be some form of mitigation.

• Mitigation options include changing or adding controls or reengineering business processes to make a process less risky.

• A system redesign can reduce technical risk, or risk sharing may be the most cost-effective alternative.
Risk Evaluation
(Continued)
• If there are no cost-effective alternatives for mitigating extreme risk, management may decide that the activity is not worth the risk, or it may decide to take the risk if the advantages outweigh the risks.

• Typically, risk transfer is chosen for risks with a lower likelihood but a high impact.

• Control risk should be considered if the risk is mitigated through the use of controls.

• If the results are ambiguous, inaccurate, or misleading, the risk assessment may lead to a decision to conduct additional analysis.


Risk Ranking
• The risk practitioner uses the results of risk assessment to prioritise risks so that the risk owner can direct risk response efforts.

• The risk ranking is derived from a combination of all risk elements, such as threat recognition and the characteristics and abilities of a threat source, the severity of a vulnerability, the likelihood of occurrence when considering the effectiveness of controls, control risk, and the impact on the enterprise should the risk be realised.

• When these are added together, they indicate the level of risk associated with a threat.


Module 2B1: Risk Treatment / Risk Response Options


Risk Treatment/Risk Response Options
 After identifying the risk, the next step in the risk management process is to decide what to do about what was identified.

 Risk treatment pits available resources against the requirement for risk reduction.

 Not all risks can be mitigated or eliminated, because there are not sufficient resources to treat them all in the enterprise environment.

 Risk analysts and technology architects can devise ways to bring about the greatest possible risk reduction when risk treatment is performed at the enterprise level.

 This can be achieved by implementing solutions that will reduce many risks.


Determining Risk Capacity and Acceptable Risk
(Risk Appetite)

 Every enterprise has a specific risk capacity, which is defined as the maximum amount of
loss that an enterprise can tolerate without jeopardising its continued existence.

 The risk appetite of an enterprise is determined by its owners or board of directors, subject
to the absolute maximum imposed by this risk capacity.

 Risk appetite is described as the amount of risk that an entity is willing to accept in the
pursuit of its mission on a broad scale.

 As part of strategic planning, the board of directors may delegate risk appetite setting to
senior management in some cases.

 Acceptable risk appetite or risk determination, as well as assessment criteria, are important
to almost all elements of information security and most other elements of organisational
activities.



Determining Risk Capacity and Acceptable Risk
(Risk Appetite)
(Continued)

 Many aspects of strategy, such as control objectives, baseline security, control execution, cost-benefit calculations, severity criteria determination, risk management options, required incident response abilities, insurance requirements, and feasibility assessments, will be determined by risk appetite.

 Risk appetite is translated into several standards and policies that must be adjusted or confirmed on a regular basis in order to keep the risk level within the boundaries set by the risk appetite.

 The risk may be accepted within the boundaries: a formal and explicit process that confirms that the risk requires and warrants no additional response by the enterprise as long as the specific risk and risk environment remain substantially the same, and accountability for the risk is assigned to a specific owner.

 Risk acceptance should not exceed the enterprise's risk appetite, and it must also not exceed the risk capacity.
Risk Response Options
 For risk treatment, the following are the four primary options:

• Risk Mitigation
• Risk Transfer
• Risk Acceptance
• Risk Avoidance


Risk Acceptance Framework
 A risk acceptance framework can be a useful tool for defining the criteria for risk acceptance and the level at which management acceptance is carried out.

Risk Level: Low
Level Required for Acceptance: Risk acceptance possible at business unit level (e.g., manager)

Risk Level: Medium
Level Required for Acceptance: Risk acceptance possible at the division level (e.g., director)

Risk Level: High
Level Required for Acceptance: Risk acceptance possible at the department level (e.g., CFO, COO, CIO)

Risk Level: Severe
Level Required for Acceptance: Risk acceptance only at board/governing body level. Risk reduction is necessary, with monitoring and rigorous controls. A management notification process is necessary.


Inherent and Residual Risk
 The risk exposure or level without considering the actions that management might take or has taken is referred to as inherent risk.

 The risk that remains after controls are executed is referred to as residual risk. Risk can never be eradicated, because a certain level of residual risk always exists even when appropriate controls are implemented.

 It must be noted that lowering one risk invariably raises another, hopefully of a lower magnitude.

 The goal is to assure that residual risk is in line with the enterprise's acceptable risk criteria or satisfies risk tolerance criteria.

 Risk tolerance is defined as the allowable variation from acceptable risk, which is typically expressed as a percentage or range.

 Acceptable residual risk must be the result of meeting the defined control objectives and be equivalent to the enterprise's defined security baselines.
Inherent and Residual Risk
(Continued)
theknowledgeacademy

 Management can use residual risk reported by a subsequent risk assessment to


recognise areas where more control is needed to further mitigate risk.

 An information security strategy establishes acceptable levels of risk.

 Residual risk above an acceptable level must be treated further, with the option of
additional mitigation through the execution of more stringent controls.

 Risk levels below the acceptable level must be assessed to determine whether the
controls in place are still necessary and whether they can be reduced in cost by
removing or modifying them.

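As an added illustration of the two slides above (the risk acceptance table and the inherent, residual and tolerance definitions), the following Python is example code written for this page; it is not part of the original course material. The 5 x 5 likelihood-by-impact scale, the numeric band ceilings, the acceptable risk of 8, the 25% tolerance and the register entries are constructed assumptions; only the level names and the acceptance authorities come from the page.

```python
"""Residual risk evaluated against acceptable risk and risk tolerance.

Added example, not part of the original course material. It assumes a
5 x 5 likelihood-by-impact scale (exposure score 1..25) and the constructed
band thresholds, tolerance value and register entries below; none of those
numbers come from the page.
"""
from dataclasses import dataclass

# Constructed score bands mapped to the acceptance authority table on the
# page: the level names are the page's, the numeric ceilings are assumed.
ACCEPTANCE_LEVELS = (
    (6, "Low", "business unit level (e.g., manager)"),
    (12, "Medium", "division level (e.g., director)"),
    (19, "High", "department level (e.g., CFO, COO, CIO)"),
    (25, "Severe", "board/governing body level"),
)


@dataclass
class RiskEntry:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # share of inherent exposure removed by controls, 0..1
    owner: str                    # risk owner accountable for acceptance decisions

    @property
    def inherent(self) -> float:
        # Inherent risk: exposure before any management action is considered.
        return float(self.likelihood * self.impact)

    @property
    def residual(self) -> float:
        # Residual risk: what remains after controls. Effectiveness is capped
        # so the model never reports zero residual risk, which the page says
        # cannot exist in practice.
        effectiveness = min(self.control_effectiveness, 0.95)
        return self.inherent * (1.0 - effectiveness)


def acceptance_level(score: float) -> tuple:
    """Return (level name, authority required to accept) for a residual score."""
    for ceiling, level, authority in ACCEPTANCE_LEVELS:
        if score <= ceiling:
            return level, authority
    return ACCEPTANCE_LEVELS[-1][1], ACCEPTANCE_LEVELS[-1][2]


def evaluate(entry: RiskEntry, acceptable_risk: float, tolerance_pct: float) -> dict:
    """Compare residual risk with acceptable risk plus/minus tolerance.

    tolerance_pct is the allowable variation from acceptable risk expressed
    as a percentage, which is how the page defines risk tolerance.
    """
    upper = acceptable_risk * (1 + tolerance_pct / 100.0)
    lower = acceptable_risk * (1 - tolerance_pct / 100.0)
    residual = entry.residual
    level, authority = acceptance_level(residual)
    if residual > upper:
        action = "treat further: apply more stringent controls"
    elif residual < lower:
        action = "review controls: candidates for cost reduction or removal"
    else:
        action = "within tolerance: acceptance possible"
    return {
        "risk": entry.name,
        "owner": entry.owner,
        "inherent": entry.inherent,
        "residual": round(residual, 2),
        "level": level,
        "acceptance_authority": authority,
        "action": action,
    }


# Constructed register used when the module is run directly.
SAMPLE_REGISTER = [
    RiskEntry("Unpatched internet-facing server", 4, 5, 0.50, "Head of IT Operations"),
    RiskEntry("Privileged account misuse", 4, 5, 0.20, "Finance Director"),
    RiskEntry("Office visitor badge reuse", 2, 2, 0.50, "Facilities Manager"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(evaluate(entry, acceptable_risk=8.0, tolerance_pct=25.0))
```

The three outcomes of `evaluate` are the three cases the slide describes: above the tolerance band the risk is treated further, inside it acceptance is possible at the authority the table requires, and below it the controls are reviewed as cost-reduction candidates.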


Impact
 Every risk management activity is intended to lower the impacts to acceptable levels in
order to create or preserve value for the organisation.

 An impact occurs when a threat exploits a vulnerability and causes a loss.

 Vulnerabilities and threats that do not have an impact are usually insignificant and are
not regarded as a risk.

 In commercial enterprises, the effect is usually quantified as a short-term direct
financial loss or a long-term ultimate financial loss.

 Examples of such losses include:

 Direct loss of money, or criminal or civil liability.

 Loss of reputation/goodwill/image.

 Decrease of share value, or conflict of interest for staff, customers, or shareholders.


Controls
 Any technology, procedure, practice, policy, standard, or process that acts to regulate
activity in order to mitigate or lower risk is referred to as a control.

 It could be administrative, technical, managerial, or legal in nature. As it is common to
find a variety of controls in various parts of a typical process, it is essential to
understand the whole risk mitigation procedure from beginning to end.

 While layering controls is a good idea, utilising too many controls to address the same
risk is wasteful and often decreases productivity. It is essential to assure that the
various controls are not all exposed to the same risk, as this would defeat the objective
of layering them.

 Risk assessments must be conducted from the beginning to the end of a process in
order to be effective and reasonably accurate.

 This approach will help in understanding whether upstream controls reduce or
eliminate some risk, thereby removing the requirement for subsequent controls. It will
also assist in determining whether there are redundant or duplicate controls.
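The end-to-end control review described on the slide above can be made mechanical. The Python below is an added example, not code from the original course material; the accounts-payable process, the risk identifiers R1 to R3, the control names and the dependency names (ERP, SSO) are constructed for illustration. It applies the slide's three checks: every risk in the process has a control, a downstream control is not redundant with an upstream one that already eliminates the risk, and controls layered on the same risk do not all depend on the same component.

```python
"""End-to-end review of the controls on one business process.

Added example, not from the original course material. The process risks,
control names and shared dependencies below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    step: int                 # position in the process; 1 is furthest upstream
    mitigates: frozenset      # risk identifiers this control addresses
    depends_on: frozenset     # components whose failure would disable the control
    eliminates: bool = False  # True if the risk cannot materialise downstream of it


def review_controls(process_risks: set, controls: list) -> dict:
    """Return findings from walking the process from beginning to end."""
    findings = {"uncovered": [], "redundant": [], "common_dependency": []}

    # 1. Risks with no control anywhere in the process.
    covered = set()
    for c in controls:
        covered |= c.mitigates
    findings["uncovered"] = sorted(process_risks - covered)

    # 2. Walk upstream to downstream: a control addressing a risk already
    #    eliminated earlier adds cost without reducing risk.
    eliminated = set()
    for c in sorted(controls, key=lambda c: c.step):
        already_gone = c.mitigates & eliminated
        if already_gone:
            findings["redundant"].append((c.name, sorted(already_gone)))
        if c.eliminates:
            eliminated |= c.mitigates

    # 3. Layered controls on one risk that all depend on the same component
    #    are exposed to the same failure, which defeats the purpose of layering.
    by_risk = defaultdict(list)
    for c in controls:
        for risk in c.mitigates:
            by_risk[risk].append(c)
    for risk, layered in sorted(by_risk.items()):
        if len(layered) < 2:
            continue
        shared = frozenset.intersection(*(c.depends_on for c in layered))
        if shared:
            findings["common_dependency"].append(
                (risk, sorted(c.name for c in layered), sorted(shared))
            )
    return findings


# Constructed accounts-payable example: three risks, four controls.
# R1 unauthorised payment, R2 duplicate invoice, R3 vendor master tampering.
SAMPLE_RISKS = {"R1", "R2", "R3"}
SAMPLE_CONTROLS = [
    Control("Invoice de-duplication check", 1, frozenset({"R2"}), frozenset({"ERP"}), eliminates=True),
    Control("Dual approval", 2, frozenset({"R1"}), frozenset({"SSO"})),
    Control("Approval limit enforcement", 2, frozenset({"R1"}), frozenset({"SSO", "ERP"})),
    Control("Manual duplicate review", 3, frozenset({"R2"}), frozenset({"ERP"})),
]

if __name__ == "__main__":
    for kind, items in review_controls(SAMPLE_RISKS, SAMPLE_CONTROLS).items():
        print(kind, items)
```

In the constructed case the review reports R3 as unprotected, the manual duplicate review as redundant because de-duplication upstream already eliminates R2, and the two R1 controls as sharing the SSO dependency, so they are layered in name only.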
Legal and Regulatory Requirements
 Legal and regulatory requirements must be taken into account in terms of risk and
impact. Senior management should do this in order to determine the suitable level of
compliance and priority.

 General counsel must evaluate regulations to determine the exposure to which the
enterprise is subject as a result of the regulation and the current level at which the
enterprise can demonstrate compliance.

 If the enterprise is found to be noncompliant, the regulations should be evaluated to
specify the level of risk they pose to the enterprise.

 Because enforcement actions are typically initiated against those who are least
compliant, the enterprise must consider the level of enforcement and its relative
position in relation to its peers.

 The possible financial and reputational consequences of full compliance, partial
compliance, and non-compliance should also be considered.



Legal and Regulatory Requirements
(Continued)

 These evaluations serve as the base for senior management to specify the nature and
scope of relevant compliance activities for the enterprise.

 The information security manager should be aware that senior management may
decide that risking sanctions is less expensive than attaining compliance, or that
compliance is not warranted because enforcement is limited, or even non-existent.

 This is a management decision that must be weighed against risk and impact.



Costs and Benefits
 When planning controls, an organisation must consider the costs and advantages.

 If the costs of specific controls outweigh the benefits of mitigating a particular risk, the
enterprise may decide to accept the risk instead of incurring the cost of mitigation.

 Cost-benefit analysis provides a financial perspective on risk and specifies the cost of
protecting what is essential.

 However, cost-benefit analysis is also about making wise decisions on the basis of the
costs of risk mitigation versus potential losses. Both ideas are directly related to good
governance practices.

 Most information security crime and loss metrics, however, are not as well established
as traditional robbery and theft statistics.

 Employee productivity impacts, revenue losses, and direct cost loss events are three
common measures of potential losses.

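The following added example (not from the original course material) puts the cost-benefit decision described on the slide into numbers: the expected annual loss before and after a proposed control, built from the three loss measures the slide names, is compared with the control's annualised cost. Approximating expected loss as event frequency times loss per event is an assumption of this example, and every monetary figure, frequency and control parameter is constructed.

```python
"""Cost-benefit comparison of proposed controls against expected loss.

Added example, not from the original course material. It assumes expected
annual loss can be approximated as the expected number of events per year
times the loss per event, with the loss per event split into the three
measures the page names (productivity impact, revenue loss, direct cost).
All monetary figures, frequencies and control parameters are constructed.
"""
from dataclasses import dataclass


@dataclass
class LossEvent:
    description: str
    productivity_impact: float  # staff time lost per event, in currency units
    revenue_loss: float         # revenue foregone per event
    direct_cost: float          # recovery, notification, legal and similar costs per event
    annual_frequency: float     # expected events per year, from incident history or estimates

    def loss_per_event(self) -> float:
        return self.productivity_impact + self.revenue_loss + self.direct_cost

    def expected_annual_loss(self) -> float:
        return self.loss_per_event() * self.annual_frequency


@dataclass
class ProposedControl:
    name: str
    capital_cost: float            # one-off acquisition and implementation cost
    annual_operating_cost: float   # staff, licences, maintenance per year
    useful_life_years: int
    frequency_reduction: float     # share of events the control prevents, 0..1
    impact_reduction: float = 0.0  # share of per-event loss avoided when an event still occurs

    def annualised_cost(self) -> float:
        # Spread the capital cost over the useful life, then add the running cost.
        return self.capital_cost / self.useful_life_years + self.annual_operating_cost


def residual_annual_loss(event: LossEvent, control: ProposedControl) -> float:
    remaining_frequency = event.annual_frequency * (1.0 - control.frequency_reduction)
    remaining_impact = event.loss_per_event() * (1.0 - control.impact_reduction)
    return remaining_frequency * remaining_impact


def cost_benefit(event: LossEvent, control: ProposedControl) -> dict:
    """Decide between mitigating and accepting the risk on financial grounds."""
    before = event.expected_annual_loss()
    after = residual_annual_loss(event, control)
    benefit = before - after
    cost = control.annualised_cost()
    net = benefit - cost
    decision = "mitigate" if net > 0 else "accept risk: control cost exceeds benefit"
    return {
        "control": control.name,
        "expected_loss_before": round(before, 2),
        "expected_loss_after": round(after, 2),
        "annual_benefit": round(benefit, 2),
        "annual_cost": round(cost, 2),
        "net_benefit": round(net, 2),
        "decision": decision,
    }


# Constructed scenario: ransomware on a file server, 0.4 expected events per year.
SAMPLE_EVENT = LossEvent("File server ransomware outage", 20_000, 50_000, 30_000, 0.4)
SAMPLE_CONTROLS = [
    # Backups do not stop the event but cut the loss when it happens.
    ProposedControl("Immutable backups with tested restore", 60_000, 10_000, 3, 0.0, impact_reduction=0.8),
    # Endpoint detection prevents most events but costs far more per year.
    ProposedControl("Managed EDR across all endpoints", 150_000, 25_000, 5, 0.9),
]

if __name__ == "__main__":
    for control in SAMPLE_CONTROLS:
        print(cost_benefit(SAMPLE_EVENT, control))
```

With the constructed figures the backup control is worth funding (net benefit 2,000 per year) while the second control, although it prevents more events, costs more per year than it saves, which is the case the slide describes where the enterprise may choose to accept the risk instead.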


Module 2B2: Risk and Control Ownership


Risk Ownership and Accountability
 Ownership and accountability are required for risk. After a risk has been identified,
analysed, and evaluated, its owner must be identified as a manager or senior official
within the organisation.

 A risk owner is responsible for accepting risk based on the organisation's tolerance
criteria and risk appetite, and they should be able to choose the appropriate risk
response based on analyses and guidance provided by the information security
manager.

 This accountability includes approving controls when risk mitigation is the preferred risk
response.

 The idea is to establish a direct link so that all risk is addressed through appropriate
treatment and all controls are justified by the risk that requires their existence.

 Due to the shared relationship between risk and controls, the owner of a risk should
also own any controls associated with that risk and be held accountable for ensuring
their effectiveness.
Risk Ownership and Accountability
(Continued)

 Risk owners may be required to prepare standard reports on the status of risk, any
incidents that may have occurred, the level of risk currently encountered by the
enterprise, and the tested effectiveness of controls in areas where there are regulations
or laws that apply to risk.

[Figure: Relationship Between Risk and Control. Risk informs controls; controls influence
risk; the two are linked.]



Risk Owner
 The risk owner is the person to whom the enterprise has delegated the accountability
and authority for making risk-based decisions, as well as the person who bears the loss
related to realised risk.

 Strategically, senior management is the risk owner who is ultimately responsible for risk
response across the enterprise. From an operational and management standpoint,
directors, vice presidents, managers, and so on have the power and accountability and
must be held responsible for making risk-related decisions as part of routine
operations.

 Confusion occurs in relation to risk associated with information technology, as it is
common in enterprises to attempt to place responsibility and accountability for that risk
with the IT department.

 While IT personnel act as stewards/custodians of systems that support business
operations, risk ownership falls to the person in the organisation who needs and
consumes those services to carry out their business functions.



Control Owner
 The control owner is the person to whom the enterprise has delegated control-related
decision-making authority and responsibility.

 The control owner and the risk owner are usually the same people because any
changes or removal of a control will impact the risk being treated, probably causing the
risk to exceed the defined risk appetite.

 Control ownership, like risk ownership, falls to individuals within the enterprise who
have the authority to make control decisions and will be held responsible for how risk is
managed.

 Although IT staff may act as custodians/stewards of controls, it is ultimately the
business unit that bears responsibility if a control is ineffective in properly treating risk. In
some cases, the business unit will not be the control owner.

 Technology controls involving intrusion detection/prevention systems, email filters,
endpoint detection, and data loss prevention platforms are typically enterprise-wide
controls that are configured and handled by the enterprise's security operations staff.
Module 2B3: Risk Monitoring and Reporting


Risk Monitoring
 Continuous risk monitoring, evaluation, assessment, and reporting are an essential part
of the risk management life cycle.

 On a regular basis, the results and status of this ongoing analysis must be documented
and reported to senior management.

 Senior management will usually be less interested in technical details and will instead
want an overview of the current situation and indicators of any impending or immediate
threat that needs attention.

 Security dashboards, stoplight charts, and heat charts are generally used to display an
overall evaluation of the security posture. Other representations of security status, like
spider charts or bar graphs, may be more effective at conveying trends, depending on
the recipients.

 The information security manager is accountable for managing the reporting process to
assure that it occurs, regardless of the form of reporting, and that the results are
sufficiently analysed and acted on in a timely manner.
Key Risk Indicators
 One approach that is gaining popularity is the use of key risk indicators (KRIs) to report
and monitor risk. KRIs are measures that indicate when an enterprise is exposed to
risk that exceeds a predefined risk level.

 These indicators are generally developed based on experience and emerge from
trends in factors known to increase risk. They can range from increased absenteeism
or turnover in key employees to an increase in security events or incidents.

 KRIs can give early warnings about potential issues or areas of particular risk. As a
means of ongoing monitoring, a variety of risk indicators can be developed for various
parts of an enterprise.

 Aside from experience, KRIs can be chosen based on sources such as industry
benchmarks, external threat-reporting services, or any other factor that can be
monitored and indicates changes in risk to the enterprise.



Key Risk Indicators
(Continued)

 The following considerations are involved in identifying useful risk indicators:

 Involvement of all stakeholders in the enterprise. Risk indicators should not focus
solely on the operational or the strategic side of risk.

 Balancing the selection of risk indicators to achieve insight.

 Confirming that the chosen indicators drill down to the root cause of events rather
than only focusing on symptoms.
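An added Python example, not from the original course material, showing how the KRIs described on the two slides above can be monitored and summarised as a stoplight-style dashboard for senior management. The indicator names, thresholds, sources and monthly values are constructed; the threshold test follows the page's definition of a KRI, while the "three consecutive increases" trend rule is an assumed early-warning heuristic rather than something the page prescribes.

```python
"""Key risk indicator (KRI) monitoring over constructed reporting periods.

Added example, not from the original course material. The indicator names,
thresholds, sources and monthly values are constructed. The threshold check
follows the page's definition of a KRI; the trend rule (three consecutive
increases) is an assumed early-warning heuristic, not something the page
specifies.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class KRI:
    name: str
    threshold: float      # predefined risk level; above it the enterprise exceeds its appetite
    history: List[float]  # one value per reporting period, oldest first
    source: str           # e.g. experience, industry benchmark, external threat feed


def breaches_threshold(kri: KRI) -> bool:
    return bool(kri.history) and kri.history[-1] > kri.threshold


def rising_trend(values: List[float], periods: int = 3) -> bool:
    """True if the last `periods` changes were all increases."""
    if len(values) < periods + 1:
        return False
    tail = values[-(periods + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def assess(kri: KRI) -> dict:
    # Stoplight colours: red = over the predefined level now, amber = not yet
    # over but climbing (the early warning), green = nothing to escalate.
    if breaches_threshold(kri):
        status = "red"
    elif rising_trend(kri.history):
        status = "amber"
    else:
        status = "green"
    return {
        "indicator": kri.name,
        "current": kri.history[-1] if kri.history else None,
        "threshold": kri.threshold,
        "status": status,
        "source": kri.source,
    }


def dashboard(kris: List[KRI]) -> List[dict]:
    """Summary for senior management, worst status first."""
    rank = {"red": 0, "amber": 1, "green": 2}
    return sorted((assess(k) for k in kris), key=lambda row: rank[row["status"]])


# Constructed indicators: the first is climbing but under its level, the
# second has crossed its level, the third is improving.
SAMPLE_KRIS = [
    KRI("Security incidents per month", 8, [3, 4, 5, 6], "experience"),
    KRI("Key-staff turnover (% per quarter)", 10, [2, 3, 9, 12], "HR records"),
    KRI("Critical patches past SLA", 10, [5, 4, 4, 3], "vulnerability management"),
]

if __name__ == "__main__":
    for row in dashboard(SAMPLE_KRIS):
        print(row["status"].upper(), row["indicator"], row["current"], "/", row["threshold"])
```

The amber state is what makes a KRI an early warning rather than an incident count: the indicator has not yet crossed the predefined level, but the trend says it will unless someone acts, which is exactly what senior management wants flagged.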


Reporting Changes in Risk
 The risk assessment must be updated to confirm its continued accuracy as
modifications happen in an enterprise.

 The primary responsibility of the information security manager is to report changes to
the suitable levels of management at the right time.

 The information security manager should have regular meetings with the relevant
stakeholders and with top management to present the risk status and the overall risk
profile of the enterprise, including changes in risk level and the status of any open risk.

 Also, the security program should contain a procedure whereby a substantial security
event or breach will trigger a report to top management and a reassessment of risk and
suitable controls, because all security incidents or events are the consequence of the
loss or deficiency of controls.

 The information security manager should have a defined procedure for evaluating
security events based on their impact to the enterprise.
Risk Communication, Awareness and Consulting

 It is essential to create and communicate awareness of the issues across the
enterprise at every step of the risk management procedure for risk management to
become part of the culture of the enterprise.

 Communication should include consultation with all relevant stakeholders and
focus on developing a common understanding of the goals and requirements of the
risk management program.

 This procedure will allow differences in perceptions and needs to be identified and
addressed more effectively.



Risk Communication, Awareness and Consulting

Risk Awareness

 Awareness is a strong means of building the culture, shaping values and affecting the
behaviour of the members of an enterprise.

 The risk and security awareness program should contain communication of security
and risk information, regular testing as a measure for awareness, and a medium for
staff to report security and risk issues.

 The operational teams of an enterprise are usually the first to be aware of any
abnormal activities or problems.

 Each team member can assist in recognising vulnerabilities, suspect activity and potential
attacks.

 This may allow a more rapid reaction and more suitable containment of a risk when an
attack occurs.



Risk Communication, Awareness and Consulting

(Continued)

 Risk awareness acknowledges that risk is an essential part of the business.
It aims to confirm the following:

 Risk is well known and understood.

 Information risk is recognisable.

 Employees identify that organisational risk can impact on them personally.

 The enterprise uses and recognises the available tools to manage risk.



Documentation
 Readily available and applicable documentation about risk management standards,
policies, infrastructure, services, and applications, in addition to other relevant
risk-related issues, is needed to effectively manage risk.

 Decisions regarding the extent and nature of documentation involve related benefits
and costs. The risk management policy, program and strategy describe the
documentation required.

 Documentation should include the following at each stage of the risk management
procedure:

 Objectives
 Audience
 Information resources
 Assumptions
 Decision criteria


Documentation
 The following should be included in typical documentation of risk management:

 A risk register.

 Likelihood and results of compromise.

 Vulnerability of internal and external factors.

 An inventory of information assets, including telecommunications and IT assets.

 A risk action and mitigation plan.

 Audit and monitoring documents.



Domain 3

Information Security Program Development and Management
This Domain Covers…
Domain 3: Information Security Program Development and Management

A: INFORMATION SECURITY PROGRAM DEVELOPMENT
 3A1: Information Security Program Resources
 3A2: Information Asset Identification and Classification
 3A3: Industry Standards and Frameworks for Information Security
 3A4: Information Security Policies, Procedures, and Guidelines
 3A5: Information Security Program Metrics
This Domain Covers (Continued)…
Domain 3: Information Security Program Development and Management

B: INFORMATION SECURITY PROGRAM MANAGEMENT
 3B1: Information Security Control Design and Selection
 3B2: Information Security Control Implementation and Integrations
 3B3: Information Security Control Testing and Evaluation
 3B4: Information Security Awareness and Training
 3B5: Management of External Services
 3B6: Information Security Program Communications and Reporting


Module 3A1: Information Security Program Resources


Introduction
• The information security manager normally has access to various organisational
resources to support continuous alignment and consistent management of the
information security program.

• Implementation of these resources also supports the governance framework principles by
helping to confirm that the program:

 Relies upon a conceptual model with specified key components and relationships.

 Implements a flexible and open strategy that can be modified based on adjustments
and priorities from key stakeholders while keeping consistency and integrity.

 Supports continued alignment with applicable frameworks, regulations and
standards.


Information Security Program Objectives
• The objective of the information security program is to implement the strategy in the
most cost-effective manner possible while maximising support of the business functions
and minimising operational disruption.

• For a well-developed security strategy, the primary task will be translating high-level
strategy into physical and logical reality through a series of initiatives and projects.

• It is also possible that more useful solutions will become available during program
development or later.

• A great deal of design and planning will be needed to produce working project plans,
whether a strategy has been developed in significant detail or only to the conceptual
level.

• Collaboration in the development of plans is essential to achieve cooperation and
consensus from diverse stakeholders and to decrease subsequent operational and
implementation problems.


Information Security Program Objectives
Defining Objectives
• An information security manager rarely faces a situation in which no information
security activity is present in an enterprise. Defining objectives is a critical component
in developing the security program and may require a substantial amount of effort.

• It is important to determine the details that drive the business requirement for the
information security program. The following are the primary drivers for an information
security program:

 The growing requirements for regulatory compliance
 Increasing cost and frequency of security incidents
 Concerns over reputational harm
 Adoption of industry best practices and standards
 Business objectives or processes that may increase organisational risk


Information Security Program Concepts
• If security governance has not been implemented and/or a strategy has not been
developed, it will still be necessary to define overall objectives for security activities.

• Ready-made goals can include conforming to a particular set of standards or achieving a
defined maturity level based on the CMMI model. Any security program will likely include
designing, developing and implementing controls, whether physical, technical, or
procedural. Metrics must be considered as these controls are developed and monitored.

• Procedures to determine control failure and measure control effectiveness will be
necessary. Execution will generally include a series of initiatives and projects. It usually
requires project management skills, including budgeting, scheduling, time management,
user acceptance testing (UAT) and quality assurance.

• Many projects include complex or unusual technical components and may need precise
specification, engineering efforts and design.
Information Security Program Concepts
Management and Process Concepts
• Managing and implementing a security program will require the information security
manager to have knowledge of a number of management and process concepts,
including:

 Architectures
 Budgeting, costing and financial issues
 Business case development
 Business process reengineering
 Communications
 Contingency planning
 Control design and development
 Control implementation and testing
 Control monitoring and metrics
 Control objectives
 Critical thinking
 Documentation
 Personnel issues
Information Security Program Concepts
Technology Resources
• An information security program includes a variety of technologies in addition to
policies, people and processes.

• The information security manager must be qualified to make decisions with respect to
technology, including the applicability and viability of available solutions in terms of the
goals and objectives of the program.

• It is crucial that the information security manager understands where a given technology
fits into the prevention, detection, containment, reaction and recovery framework and
how it will serve to implement strategic components. The information security manager
should be familiar with the following:

 Antimalware/antivirus systems

 Application security methodologies


Information Security Program Concepts
Technology Resources (Continued)

 Authorisation and authentication mechanisms
 Archiving and backup methods, such as redundant array of inexpensive disks (RAID)
 Cloud-based resource provisioning and management techniques
 Cyberthreat information sharing techniques and methodologies
 Data integrity controls
 Data leak prevention methods
 Digital signatures
 Identity and access management systems
 Firewalls
 Remote access methodologies
 Vulnerability scanning and penetration testing tools
 Web security techniques
 Wireless security methods


Information Security Program Concepts
Scope and Charter of an Information Security Program

• The information security manager will need to determine the scope, charter and
responsibilities of the program, whether forming a new security program or coming into
an existing one.

• Without clearly defined responsibilities, the security manager will find it hard to
determine what to manage or how well a given security function is meeting objectives.

• It is essential to understand where the information security function fits into the
overall organisational structure in terms of the chain of command.

• If a program has been established and is functioning well, numerous security program
functions will already be accepted practice.


Information Security Program Concepts
(Continued)
• If the prior manager is available for orientation, it would be sensible to use any time
available to gain insight into the existing situation.

• Security is often politically charged, and success may hinge more on developing the
correct relationships than on any particular expertise.

• It is also essential to achieve a thorough knowledge of the current state of security
functions in the enterprise.

• Reviews of recent incidents, audits and other related reports will be useful.


Common Information Security Program Challenges

• Initiating, expanding or refining a security program will usually result in a surprising
array of unexpected conditions for the information security manager. These include:

 Organisational resistance due to changes in areas of responsibility introduced by the
program.
 A perception that increased security will decrease access needed for job functions.
 Overreliance on subjective metrics.
 Strategy failure.
 Expectations of procedural compliance without ensuring oversight.
 Inadequate project management, delaying security initiatives.
 Previously hidden, damaged or buggy security software.
 Poor monitoring or management of third-party vendor security activities.
 Lack of program alignment with business goals and objectives.


Common Information Security Program Challenges

Management Support
• Lack of management support is most common in smaller enterprises or businesses of
any size that are not in high-security industries.

• Because such enterprises are not required to address information security, they
frequently regard it as a minor issue that adds cost with little value.

• Management may require direction on what actions are expected, as well as information
on approaches taken by industry peers to address information security.

• Even if initial education does not result in an immediate increase in support, ongoing
education should be carried out to raise awareness of security needs. The information
security programme strategy must include provisions for managing changes and
updates.

• Management support necessitates an ongoing dialogue with a review of objectives and
strategy on a regular basis.
Common Information Security Program Challenges

Funding
• One of the most challenging and frustrating issues the information security manager
must address is inadequate funding for information security initiatives. While this
problem may be a sign of an underlying lack of management support, there are usually
other aspects the information security manager is able to influence.

• Some funding-related problems that may need to be handled by the information
security manager include:

 Management not recognising the importance of security investments.
 Security being viewed as a low-value cost centre.
 Management not understanding where current money is going.
 The organisational requirement for a security investment not being understood.
 The need for more attention to industry trends in security investment.


Common Information Security Program Challenges

Staffing
• Funding problems commonly result in insufficient staff to meet security program
requirements. Barriers to acquiring adequate staffing levels might include:

 Inadequate knowledge of what activities new resources will perform.

 Questioning the need for or benefit of new resource activities.

 Lack of awareness of existing staff utilisation levels or activities.

 Belief that current staff are underutilised.

 Expectation that outsourcing alternatives will be analysed.


Common Information Security Program Constraints

Physical
• A variety of environmental and physical aspects may affect or constrain an information
security program.

• The prominent ones include space, environmental hazards, and capacity and availability
of infrastructure.

• The security strategy and program should make certain that provisions are made for the
consideration of adequate infrastructure capacity and environmental hazards.

• Consideration should include physical needs for recovery in the event of a disaster.


Common Information Security Program Constraints

Culture
• The internal culture of the enterprise must be considered while developing a security
program.

• The culture in which the enterprise operates must also be considered. A program that is
at odds with cultural norms may encounter resistance and may be hard to implement
successfully.

Organisational Structure
• Organisational structure will have a critical effect on how a management strategy can
be developed, executed and translated into an information security program.

• Cooperation between these functions is essential and generally needs senior
management buy-in and involvement.


Common Information Security Program Constraints

Costs
• The development and implementation of a strategy consumes resources, including
money and time.

• The most cost-effective method to implement a program is an essential consideration.
Enterprises often justify spending based on a project's value.

• With security projects, however, control of risk and compliance with regulations are
generally the primary drivers.

Personnel
• A security strategy must assess what resistance may be experienced during execution.
Resistance to important changes, along with probable displeasure at new
restrictions possibly viewed as making tasks more time-consuming or difficult, should be
expected.


Common Information Security Program Constraints

Resources
• An adequate approach must evaluate available budgets; the total cost of ownership
(TCO) of new and additional technologies; and the staffing needs of design,
implementation, operation, maintenance and eventual decommissioning.

• Generally, the TCO must be developed for the whole life cycle of processes, personnel,
and technologies.

Capabilities
• The resources available to execute a strategy should include the known capabilities of
the enterprise, including skills and expertise.

• A strategy that relies on demonstrated capabilities is more likely to succeed than one
that does not.


Common Information Security Program Constraints

Time
• Time is a major constraint in developing and implementing a strategy. There may be
compliance deadlines that must be met, or specific strategic functions, such as a
merger, that must be supported.

• There may be windows of opportunity for certain business activities that require distinct
timelines for execution of particular strategies.

Technology
• Technological complexity may constrain the consistent implementation of a security
strategy across the enterprise.

• There may be existing legacy and unsupported systems that are unable to support
security control implementation until they are decommissioned. Exception procedures
may be developed to assess and manage the risk arising from these constraints.


Module 3A2: Information Asset Identification and Classification


Information Asset Identification and Valuation
• Identifying and inventorying information assets and determining their value or
approximate value is an essential step for the information security program.

• This is required because the business value is a part of the risk determination. The
valuation process, which includes converting all values to a common financial form, is
straightforward for some assets.

• The consequences or impact of a breach of personally identifiable information (PII) can
be regulatory sanctions.

• Other possible effects can occur if the individuals suffering identity theft losses file
lawsuits for damages, or if lawyers file class-action lawsuits on behalf of many victims.

• Incorrect terms of products and services, or information leading to wrong investor
decisions, can result in substantial losses as a result of various legal actions.


Information Asset Identification and Valuation
(Continued)

• Types of distinct information assets that must be allocated a value and protected
involve, but are not limited to the following:

 Proprietary information and processes of all kinds, including information that can harm
the enterprise.
 Current financial records and future projections.
 Merger or acquisition plans.
 Strategic marketing plans.
 Trade secrets.
 Patent-related information.
 Privacy-related information, including protected health information (PHI) and PII.
 Customer data, including payment card information (PCI).


Information Asset Valuation Strategies

• Due to the difficulty of agreeing on relative mission importance and priorities, some
enterprises may avoid asset valuation.

• Many enterprises do not have an accurate list of information assets, and the effort to
inventory and categorise their assets can seem a daunting task. The accuracy of the valuation
is not as important as having a consistent approach to prioritising efforts.

• Values within the same order of magnitude as the actual loss are adequate for planning
purposes. Media reports include many well-documented failure scenarios and loss amounts on
which to base a valuation.

• Information asset valuation methodologies incorporate multiple variables, including the level
of technological complexity and the level of possible direct and consequential financial loss.

• Quantitative valuation methodologies are typically the most accurate, but can be quite
difficult once downstream and indirect effects are taken into account.

Information Asset Classification

• Information asset classification is needed to determine the criticality and relative
sensitivity of information assets, sometimes referred to collectively as business value.

• Sensitivity is based on the possible damage to the enterprise as a result of unauthorised
disclosure. It provides the basis for security efforts, user access control and business
continuity planning.

• The first step in the classification process is to confirm that the information asset
inventory is complete, including identification of the location and purpose of each asset.

• A great benefit of information asset classification is that connecting security to business
goals decreases the risk of either under-protection or expensive over-protection of
information assets.

• Providing the same high level of protection to all assets can be very costly if the enterprise
is risk-averse and needs a high level of security.


Methods to Determine Criticality of Assets and Impact of Adverse Events

 Several approaches exist to determine the criticality and sensitivity of information
resources and the impact of adverse events. A business impact analysis (BIA) is a typical
process for identifying the impact of adverse events.

 The information security manager may use the methodologies outlined in NIST, COBIT and
other frameworks, which are representative of the resources available. It is essential,
however, to confirm that the analysis covers both the direct impact and any downstream
consequences.

 The first step in determining information asset significance is to break the organisational
or corporate structure into departments or business units.

Top Layer of Business Risk Structure

Methods to Determine Criticality of Assets and Impact of Adverse Events (Continued)

 Identifying the critical organisational functions is the next step. The focus for each
business department or unit is to define which tasks are essential to the unit in attaining
its goals.

Critical Function Layer of Business Risk Structure

Methods to Determine Criticality of Assets and Impact of Adverse Events (Continued)

Aligning Assets to the Critical Function Layer


Methods to Determine Criticality of Assets and Impact of Adverse Events (Continued)

Asset Vulnerabilities
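The four layers just described (business units, critical functions, assets aligned to those functions, and asset vulnerabilities), as an added Python example that is not part of the original course material: it derives each asset's criticality from the most critical function it supports, its sensitivity class from the data it holds, and flags assets that map to no function or have no owner. The business units, functions, assets and the data-type-to-sensitivity mapping are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Impact(IntEnum):
    """BIA rating of the business impact if a critical function is unavailable."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CRITICAL = 4


SENSITIVITY_ORDER = ("public", "internal", "confidential", "restricted")

# Assumed mapping from data type held to sensitivity class (illustrative only).
SENSITIVITY_BY_DATA = {
    "PCI": "restricted",
    "PHI": "restricted",
    "PII": "confidential",
    "TRADE_SECRET": "confidential",
}


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    business_unit: str   # top layer: the department or unit that owns the function
    impact: Impact       # second layer: BIA rating for loss of the function


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]             # None = no accountable owner (an orphan asset)
    supports: Tuple[str, ...]        # third layer: critical functions the asset supports
    data_types: frozenset = frozenset()
    open_vulnerabilities: int = 0    # fourth layer: known weaknesses on the asset


def classify_sensitivity(asset: Asset) -> str:
    """Highest sensitivity class implied by any data type the asset holds."""
    classes = [SENSITIVITY_BY_DATA.get(d, "internal") for d in asset.data_types]
    return max(classes or ["internal"], key=SENSITIVITY_ORDER.index)


def asset_criticality(asset: Asset, functions: Dict[str, CriticalFunction]) -> Optional[Impact]:
    """Criticality is inherited from the most critical function the asset supports.

    Returns None when the asset supports no known function: it cannot be valued
    through the business risk structure and needs review.
    """
    ratings = [functions[f].impact for f in asset.supports if f in functions]
    return max(ratings) if ratings else None


def prioritise(assets: List[Asset], functions: Dict[str, CriticalFunction]) -> List[dict]:
    """Rank assets for protection effort: criticality, then sensitivity, then exposure."""
    rows = []
    for a in assets:
        crit = asset_criticality(a, functions)
        flags = [name for name, bad in (("no_owner", a.owner is None),
                                        ("no_function", crit is None)) if bad]
        rows.append({
            "asset": a.name,
            "criticality": crit.name if crit else "UNMAPPED",
            "sensitivity": classify_sensitivity(a),
            "open_vulnerabilities": a.open_vulnerabilities,
            "flags": flags,
        })
    rows.sort(key=lambda r: (
        -(Impact[r["criticality"]] if r["criticality"] != "UNMAPPED" else 0),
        -SENSITIVITY_ORDER.index(r["sensitivity"]),
        -r["open_vulnerabilities"],
    ))
    return rows


def sample_inventory():
    """Constructed sample data, not taken from any real enterprise."""
    functions = {f.name: f for f in (
        CriticalFunction("card_payments", "Retail", Impact.CRITICAL),
        CriticalFunction("payroll", "Finance", Impact.HIGH),
        CriticalFunction("marketing_campaigns", "Marketing", Impact.LOW),
    )}
    assets = [
        Asset("payment-gateway", "retail-it", ("card_payments",), frozenset({"PCI", "PII"}), 2),
        Asset("hr-db", "finance-it", ("payroll",), frozenset({"PII"}), 0),
        Asset("campaign-cms", "marketing", ("marketing_campaigns",), frozenset(), 5),
        Asset("legacy-ftp", None, (), frozenset({"PII"}), 3),   # no owner, no function
    ]
    return functions, assets


if __name__ == "__main__":
    funcs, inv = sample_inventory()
    for row in prioritise(inv, funcs):
        print(row)
```

The unmapped, ownerless `legacy-ftp` entry sorts last on criticality yet still carries a confidential sensitivity class, which is exactly the kind of gap the inventory-completeness step is meant to surface.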


Module 3A3: Industry Standards and Frameworks for Information Security


Enterprise Information Security Architectures

• An enterprise information security architecture (EISA) can be a strong tool for the
development, implementation and integration of a strategy.

• An EISA is an integral part of enterprise architecture, and its effectiveness depends on it.
The failure of enterprises to adopt the concept of security architecture appears to have
several recognisable causes.

• Even though technical security has significantly improved, the lack of architecture has over
time resulted in less functional security integration and increasing vulnerability across the
enterprise.

• This lack of integration contributes to the growing difficulty of managing enterprise
security efforts effectively.


Enterprise Information Security Architectures (Continued)

• The following are the objectives of information security architecture approaches:

 Provide overarching coherence, cohesiveness and structure.
 Act as a program development road map.
 Ensure strategic alignment between security and business.
 Enable and support attainment of the business strategy.
 Implement security strategy and policies.
 Ensure traceability back to specific business requirements, key principles and business
strategy.
 Provide a level of abstraction independent of specific technologies and preferences.
 Establish a common language for information security within the enterprise.
 Allow many people and supporters to work jointly to accomplish objectives.


Enterprise Information Security Architectures (Continued)

• TOGAF addresses the following related areas of specialisation, called architecture domains:

1. Business architecture, which describes the business strategy, governance, organisation and
key business processes of the enterprise.

2. Data architecture, which describes the structure of an enterprise's logical and physical
data assets and the related data management resources.

3. Applications architecture, which provides a blueprint for the individual application systems
to be deployed, the interactions among the application systems, and their relationships to
the core business processes of the enterprise, with the frameworks for services to be
exposed as business functions for integration.

4. Technical architecture, which describes the software, hardware and network infrastructure
needed to support the deployment of core, mission-critical applications.

Enterprise Information Security Architectures (Continued)

The TOGAF Architecture Development Method


Enterprise Information Security Architectures

Enterprise Architecture Domains

• The following are generally accepted subsets of overall enterprise architecture:

• A business architecture describes the business strategy, governance, organisation and
critical business processes.

• A data architecture describes the structure of an enterprise's logical and physical data
assets and data management resources.

• An applications architecture provides a blueprint for the individual application systems to
be deployed, their interconnections and their relationships to the enterprise's core business
processes.

• A technology architecture describes the hardware and software infrastructure, component
relationships and architectural principles intended to support the deployment of core,
mission-critical applications.


Enterprise Information Security Architectures

Objectives of Information Security Architectures

• One of the main functions of architecture as a tool is to provide a framework for
successfully managing complexity.

• As a project increases in size and complexity, numerous designers and design influences must
work as a team to produce something that has the appearance of being made by a single design
authority.

• As the complexity of the business environment evolves, many business operations and support
processes must combine seamlessly to provide adequate management and services for the
business, its partners and customers. Architecture provides a way to manage that complexity.


Information Security Management Frameworks

• An information security management framework is a conceptual representation of an
information security management structure.

• It should describe the technical, operational, managerial, administrative and educational
components of the programme, as well as the organisational units and leadership responsible
for each component, the control or management objective that each component should achieve,
the interfaces and information flows between the components, and the concrete results of each
component.

• Other outcomes of an effective security management framework concentrate on shorter-term
needs.

• Both directly and indirectly, these objectives include demonstrating the following:

 The program adds strategic and tactical value to the enterprise.


Information Security Management Frameworks (Continued)

 The program is being run efficiently and with consideration for cost issues.

 Information security capabilities and knowledge are increasing as a result of the program.

 Management has a clear understanding of information security benefits, needs, activities
and drivers.

 The program encourages goodwill and cooperation among organisational units.

 Information security stakeholders are helped to understand their roles, responsibilities
and expectations.

 The program includes provisions for the business continuity of the enterprise.


Information Security Management Frameworks

Control Objectives for Information and Related Technologies (COBIT)

• COBIT enables information and technology to be governed and managed holistically for the
whole enterprise, covering the business and IT functional areas of responsibility and
considering the information-related interests of internal and external stakeholders.

• COBIT is based on two sets of principles: 1) principles that describe the core requirements
of a governance system for enterprise information and technology, and 2) principles for a
framework that can be used to build a governance system for the enterprise.

• COBIT includes multiple focus areas that describe particular governance topics, domains and
issues that can be addressed by a collection of governance and management objectives and
their components.


Information Security Management Frameworks

ISO/IEC 27001:2013

• Based on the British Standard, this standard has been slightly expanded to include the
following control areas:

A.5 Information Security Policies
A.6 Information Security Organisation
A.7 Human Resource Activity
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical and Environmental Security
A.12 Operations Security
A.13 Communications Security
A.14 System Development and Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance


Information Security Management Frameworks

NIST Cybersecurity Framework

• Formally titled the NIST Framework for Enhancing Critical Infrastructure Cybersecurity, this
model gives high-level guidance for aligning a cybersecurity program with enterprise goals.
The framework emphasises the need for adequate risk management integration and strongly
supports progress in supply chain risk management.

• The NIST Cybersecurity Framework does not prescribe the controls to be used. Examination of
the gaps in requirements allows controls-based frameworks to be used to enhance information
security risk management. The components of the NIST Cybersecurity Framework are:

 The Framework Core
 Framework Profile
 Framework Implementation Tiers


Information Security Management Frameworks

NIST Risk Management Framework

• The NIST Risk Management Framework (RMF) integrates security, privacy and cyber supply chain
risk management activities into the system development life cycle.

• The RMF provides a risk-based approach for categorising relevant assets, selecting and
implementing controls to ensure adequate protection, and monitoring the ongoing effectiveness
and efficiency of risk management processes. The RMF steps are:

 Prepare
 Categorise
 Select
 Implement
 Assess
 Authorise
 Monitor


Information Security Frameworks Components

Technical Components

• Information security is generally involved in all of the technical IT elements of an
enterprise, including providing and maintaining appropriate security standards, examining
strategies for policy compliance, designing and implementing suitable security metrics, and
providing general oversight.

• It is important that all technology elements have a recognised owner and that there are no
orphan systems. This is required to ensure accountability and responsibility for keeping all
systems in compliance with security policies and for proper ownership and treatment of
associated risk to acceptable levels.

• From an information security perspective, the vast majority of the enterprise's information
will reside with IT and will be a major focus of the information security framework.

• The information security function must adequately oversee the IT function and provide
direction to ensure policy compliance sufficient to achieve acceptable risk levels consistent
with the goals of the information security strategy.

Information Security Frameworks Components

Operational Components

• Operational components of a security program are the ongoing management and administrative
activities that must be performed to provide the required level of security assurance.

• These operational components include items such as business operation security practices,
standard operating procedures (SOPs), and administration and maintenance of security
technologies.

• They are usually performed on a daily to weekly basis. The information security manager
should provide ongoing management of the operational information security components.


Information Security Frameworks Components

Management Components

• Management components generally include strategic implementation activities such as
standards development or modification, oversight of initiatives, program implementation or
policy reviews.

• These activities usually take place less often than operational components, possibly on a
timeline measured in months, quarters or years.

• Management policies, requirements and objectives are key in shaping the information security
program, which, in turn, defines what must be managed.

• Periodic or ongoing analysis of assets, risk, threats and organisational impact must
continue, as it is the basis for changing security policies and for developing and modifying
standards.


Information Security Frameworks Components

Administrative Components

• The information security manager responsible for such an operation should ensure that HR,
financial and other management functions are adequate.

• Financial administration functions commonly consist of timeline planning, TCO
management/analysis, ROI management/analysis, purchasing/acquisition and inventory
management.

• The information security manager must build a working rapport with the enterprise's finance
department to ensure a strong working relationship, support, and compliance with financial
policies and procedures.

• HR management functions generally include organisational planning, job description
management, recruitment and hiring, payroll and time-tracking administration, performance
management, employee education and development, and termination management.


Information Security Frameworks Components

Educational and Informational Components

• Employee education and awareness about security risk is often combined with employee
orientation and initial training.

• General organisational policies and procedures, such as acceptable use policies and employee
monitoring policies, should be administered and communicated at the HR level of the
enterprise.

• Responsibilities and issues specific to an employee's role or business unit should be
administered and communicated at the business unit level.

• Interactive education techniques, such as role-playing and online testing, are usually more
effective than a purely informational approach.

• The information security manager should cooperate with HR and business departments to
identify information security education requirements.


Module 3A4: Information Security Policies, Procedures, and Guidelines


Policies

• Policies are the high-level statements of management intent, expectations and direction.

• Well-developed policies in a mature enterprise can remain fairly static for extended periods.

• Policies must be aligned with and support the strategic security objectives of the
enterprise.

• An exception procedure must be established for situations in which policy compliance cannot
be achieved.

• The exception procedure must include formally documented governance oversight acknowledging
acceptance of the risk created by not adhering to the information security policy.


Policies

Policy Development

• One of the most essential aspects of the action plan to implement the strategy is to create
or modify policies and standards as required.

• The road map must show the steps and their sequence, milestones and dependencies.

• The action plan is essentially a project plan to implement the strategy following the road
map.

• If the objective is ISO/IEC 27001:2013 compliance, each of the relevant 14 domains and major
subsections must be the subject of one or more policies.

• In practice, this can be effectively accomplished with about two dozen specific policies for
large organisations. The completed strategy provides the basis for modifying existing
policies or creating new ones.


Standards

• Standards are used to determine whether systems, processes and procedures meet the
requirements of policy.

• Metrics demonstrate whether or not a procedure complies with a standard.

• Boundaries are set in terms of permitted limits on people, processes and technologies.

• To ensure security while maximising procedural options, standards must be carefully crafted
to impose only the required limits.

• Multiple standards will normally exist for each policy, depending on the classification
level or security domain.

• For example, the password standard would be more restrictive when accessing high-security
domains.


Standards

Standards Development

• Standards are extremely effective security management tools. They define the permitted
boundaries for technology and system procedures and practices, as well as for people and
events.

• When properly applied, they are the legislation to the policy constitution. They serve as a
yardstick for policy compliance and a solid foundation for audits. Standards are the primary
tool for executing good security governance, and the information security manager must own
them.

• Additional standards and norms governing format, content and mandatory approvals must be
established. Standards must be communicated to those who are regulated by them as well as
those who are affected by them.

• Processes for review and change must also be developed. Exception processes must be designed
for standards that are not easily achievable due to technological or other constraints.

Procedures

• Procedures fall under the purview of operations, including security operations; however,
they are included here for clarification.

• Procedures must be clear and include all steps required to complete specific tasks. They
must define the expected outcomes, displays and prerequisite conditions for execution.
Procedures must also include the steps to take if unexpected results arise.

• Procedures and terminology must be precise and unambiguous. For example, the words "must"
and "shall" are used for any mandatory task.

• The word "should" must be used to refer to a desired but not required action. The words
"may" or "can" must only be used to indicate completely discretionary action.

• Discretionary tasks should only be included in procedures if absolutely essential, as they
dilute the procedures' signals.


Guidelines

• Operations is responsible for developing procedures and executing them. Guidelines should
include information that will be useful in carrying out procedures, such as clarification of
policies and standards, dependencies, suggestions and examples, narratives describing the
procedures, background information that may be valuable, and tools that can be used.

• Guidelines can be beneficial in a variety of other situations, but they are discussed here in
the context of information security governance.

• Policies, standards, procedures and guidelines should be cross-referenced so that they can be
easily understood, referred to when needed, and kept up to date.

• It is usually a good idea to have an intranet or another mechanism to hold them so that the
proper audience can access them when needed.


Module 3A5: Information Security Program Metrics


Introduction

• A metric is defined as a quantifiable element that permits the achievement of a process goal
to be measured.

• Security is defined as the absence or prevention of harm. As a result, security metrics
should inform us about the state or degree of security in comparison to a reference point.

• Technical metrics can be used to manage the tactical, operational aspects of technical
security systems.

• They can show that the infrastructure is in good working order and that technical
vulnerabilities have been found and resolved.

• They provide few indicators of policy compliance or of whether objectives for acceptable
levels of potential impact are being met, and they provide little information on whether the
information security program is on track and achieving the anticipated results.


Effective Security Metrics

• Any activity that cannot be measured is difficult or impossible to manage. The primary goal
of metrics, measures and monitoring is to aid decision making. The key to good metrics is to
employ a set of criteria to identify which of the virtually limitless number of candidate
metrics are the most appropriate. Good metrics are:

 Specific—based on a well-defined purpose; clear and concise.

 Measurable—capable of being measured; quantifiable (objective), rather than subjective.

 Achievable—realistic; based on essential goals and values.

 Relevant—directly linked to a specific activity or goal.

 Timely—based on a defined time period.


Effective Security Metrics

Governance Implementation Metrics

• Implementing an information security governance plan and structure can be time-consuming.
Relevant metrics must be in place during the execution of an information security program.

• The overall security program's performance will be too far downstream to offer timely
information on implementation, so another solution will be required.

• KGIs and KPIs can be used to offer information on the achievement of process or service
goals, as well as to identify whether organisational milestones and objectives are being
accomplished.

• Because diverse components of governance are frequently implemented through projects or
initiatives, traditional project measurement methodologies can meet metrics needs.


Effective Security Metrics

Strategic Alignment Metrics

• Strategic alignment of information security in support of organisational objectives is
critical to the information security program's eventual success in bringing value to the
firm.

• It should be obvious that the cost-effectiveness of the security program is inextricably
linked to how well it meets the enterprise's objectives and at what cost.

• The development of a security strategy that defines security objectives in business terms
and ensures that the objectives are directly carried through from planning to implementation
of policies, standards, procedures, processes and technology is the best overall indicator
that security activities are in alignment with business (or organisational) objectives.

• The litmus test is the ability to trace a specific control back to a specific business
requirement.


Effective Security Metrics

Risk Management Metrics

• Risk management is the main goal of all information security activities and organisational
assurance efforts. A successful risk management program is one that meets expectations and
achieves set objectives while keeping risk at levels acceptable to management in an
efficient, effective and consistent manner. Indicators of effective risk management may
include:

 Organisational risk appetite and tolerance described in enterprise-relevant terms.
 The comprehensiveness of an overall security plan and program for attaining acceptable risk
levels.
 The number of identified major risk mitigation targets.
 Procedures for managing or mitigating negative consequences.
 A systematic, ongoing risk management process covering all business-critical systems.
 Periodic risk assessment trends reflecting progress toward stated goals.
 Impact trends.


Effective Security Metrics

Value Delivery Metrics

• Value delivery occurs when security investments are optimised in support of organisational
goals. Optimal investment levels are reached when strategic security goals are met and an
acceptable risk posture is obtained at the lowest possible cost. Key goal and performance
indicators (KGIs and KPIs) include:

 Security activities aimed at achieving specified strategic goals in a cost-effective manner.
 The cost of security is proportionate to the asset's worth.
 Security resources are allocated based on the level of assessed risk and potential impact.
 Protection costs that are aggregated based on revenue or asset valuation.
 Controls that are well designed, based on established control objectives, and that fully
attain those control objectives.
 A sufficient and suitable number of controls to achieve acceptable levels of risk and
impact.


Effective Security Metrics

Resource Management Metrics

• Information security resource management refers to the processes used to organise, assign
and govern information security resources, such as people, processes and technology, in order
to improve the efficiency and effectiveness of business solutions. The following are some
indicators of effective resource management:

 Infrequent rediscovery of solutions to known issues.
 Effective capture and sharing of knowledge.
 The level of standardisation of security-related processes.
 Clearly defined information security roles and responsibilities.
 Every project plan includes information security.
 The proportion of information assets and related threats that have been appropriately
addressed by security efforts.
 The appropriate organisational location, level of authority and number of personnel for the
information security function.
 Employee productivity.

Effective Security Metrics

Performance Measurement

• To guarantee that organisational goals are met, information security processes must be
measured, monitored and reported on. Effective performance measurement indicators include:

 The time required to detect and report security incidents.
 The number and frequency of unreported incidents that were later uncovered.
 Cost and effectiveness benchmarking against comparable enterprises.
 The capacity to assess control effectiveness and efficiency.
 Unmistakable evidence that security objectives are being met.
 The outcomes of internal and external audits.
 The absence of unanticipated or unreported security incidents.
 Understanding of evolving and emerging threats.
 A reliable method for identifying organisational vulnerabilities.
 Methods for monitoring changing risk.
 Consistent log review processes.
 Business continuity planning/disaster recovery test results.


Security Program Metrics and Monitoring

• Several metrics considerations must be examined during the information security programme
management process.

• Unmonitored key controls represent an unacceptable danger and should be avoided. Enterprise
security entails far more than specific technical measures such as firewalls, passwords,
intrusion detection and disaster recovery plans.

• The ability to measure and quantify is a key principle of systems engineering. Measurement
supports correct design, precise execution to specifications, and efficient management
operations such as goal setting, progress tracking, benchmarking and prioritisation.

• In essence, measurement is a crucial prerequisite for the success of a security program. An
effective security program includes the design and planning, execution, and continuous
management of the people, processes and technology that impact all elements of company
security.


Metrics Tailored to Enterprise Needs

• The information security governance process should result in a set of enterprise-specific
goals for the information security program.

• Metrics for information security programs that directly correspond to these control
objectives are critical for program management.

• It should be obvious that developing meaningful security management metrics will be
impossible without the basis of governance to set goals and create points of comparison.

• That is, measurements that lack a reference point in the form of objectives or goals are not
metrics and are unlikely to be effective in guiding the program.

• Metrics ultimately serve only one purpose: decision support. They provide information on
which to base informed judgments about what the program is attempting to achieve.
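The performance indicators listed earlier (time to detect and report incidents, incidents uncovered late) together with the point just made that a measurement without a reference point is not a metric, as an added Python example that is not part of the original course material: each measurement is paired with a target so it can report met/missed and a period-over-period trend. The incident records, the `discovered_by` labels and the target values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred: datetime      # when the event actually began
    detected: datetime      # when the enterprise became aware of it
    reported: datetime      # when it was formally reported to incident management
    discovered_by: str      # constructed labels: "monitoring", "user", "audit", "external"


@dataclass(frozen=True)
class Metric:
    """A measurement becomes a metric only when paired with a reference point (target)."""
    name: str
    value: float
    target: float
    unit: str
    lower_is_better: bool = True

    @property
    def met(self) -> bool:
        return self.value <= self.target if self.lower_is_better else self.value >= self.target


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def performance_metrics(incidents: List[Incident], targets: Dict[str, float]) -> List[Metric]:
    """Three of the slide's performance indicators, each paired with its target.

    targets holds hours for the two time metrics and a percentage for the third.
    """
    if not incidents:
        raise ValueError("no incidents in the reporting period")
    mean_detect = mean(_hours(i.detected - i.occurred) for i in incidents)
    mean_report = mean(_hours(i.reported - i.detected) for i in incidents)
    # Incidents first found by audit or by an outside party were unreported until then.
    late = sum(1 for i in incidents if i.discovered_by in ("audit", "external"))
    late_pct = 100.0 * late / len(incidents)
    return [
        Metric("mean_time_to_detect", mean_detect, targets["mean_time_to_detect"], "hours"),
        Metric("mean_time_to_report", mean_report, targets["mean_time_to_report"], "hours"),
        Metric("late_discovered_incidents", late_pct, targets["late_discovered_incidents"], "percent"),
    ]


def unmet(metrics: List[Metric]) -> List[str]:
    """Names of metrics outside their target: the decision-support output."""
    return [m.name for m in metrics if not m.met]


def improved(previous: Metric, current: Metric) -> bool:
    """Period-over-period trend toward the stated goal (trend indicators are also on the slide)."""
    if current.lower_is_better:
        return current.value < previous.value
    return current.value > previous.value


def sample_period() -> List[Incident]:
    """Constructed incident records for one reporting period."""
    t0 = datetime(2022, 3, 1, 9, 0)
    h, d = timedelta(hours=1), timedelta(days=1)
    return [
        Incident("INC-001", t0, t0 + 2 * h, t0 + 3 * h, "monitoring"),
        Incident("INC-002", t0 + d, t0 + d + 30 * h, t0 + d + 31 * h, "user"),
        Incident("INC-003", t0 + 2 * d, t0 + 20 * d, t0 + 20 * d + 4 * h, "audit"),
        Incident("INC-004", t0 + 5 * d, t0 + 5 * d + h, t0 + 5 * d + 1.5 * h, "monitoring"),
    ]


# Constructed reference points; without these the values above are measurements, not metrics.
TARGETS = {"mean_time_to_detect": 24.0, "mean_time_to_report": 4.0, "late_discovered_incidents": 10.0}

if __name__ == "__main__":
    for m in performance_metrics(sample_period(), TARGETS):
        status = "OK" if m.met else "MISSED"
        print(f"{m.name:28s} {m.value:8.2f} {m.unit:8s} target {m.target:6.1f} {status}")
```

With the constructed data, the single audit-discovered incident dominates the detection average and pushes two of the three metrics past their targets, which is the kind of navigational signal the strategic and management levels need.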


Metrics Tailored to Enterprise Needs

Strategic

• Strategic metrics are frequently a synthesis of other management indicators designed to
indicate that the security program is on track, on goal and within budget to accomplish the
desired results.

• The information required at the strategic level is primarily navigational in nature (i.e.,
determining whether the security program is headed in the right direction to achieve the
defined objectives leading to the desired outcomes).

• Both the information security manager and senior management require this information in
order to provide adequate oversight.


Metrics Tailored to Enterprise Needs

Management

• Management (or tactical) metrics are those required to run the security program, such as
policy and standard compliance, incident management and response effectiveness, and personnel
and resource utilisation.

• At the security management level, information on compliance, developing risk, resource
usage, alignment with corporate goals and other subjects is necessary to make the decisions
required for effective management.

• The information security manager also requires a summary of technical metrics to ensure that
the machinery is operating properly and within acceptable ranges, just as the driver of a car
wants to know that there is fuel in the tank and that the oil pressure and water temperature
are within acceptable limits.


Metrics Tailored to Enterprise Needs
Operational

• The most popular technical and procedural metrics are operational metrics, which include open vulnerabilities and patch management status. Purely technical metrics are particularly important for IT security managers and system administrators. There are various other considerations for development, including:

Manageable, Meaningful, Actionable, Unambiguous, Reliable, Accurate, Timely, Predictive, Genuine
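The three slides above describe operational, management, and strategic metrics as a roll-up, and the earlier slide insists that a measurement without a governance-set reference point is not a metric. The following Python example is added here to make that roll-up concrete; it is not part of the course material. The vulnerability records, the "as of" date, the patch SLA values and the 90% governance target are all constructed or assumed for illustration.

```python
"""Roll-up of operational, management, and strategic security metrics.

Added example (not from the CISM course material). The findings, the
as-of date, the patch SLAs and the governance target are constructed or
assumed values used only to show how the three levels relate.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed patch SLAs in days, by severity (an organisational standard would set these).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    opened: date
    closed: Optional[date] = None   # None means the finding is still open


# Constructed sample findings (assets and dates are made up for illustration).
FINDINGS = [
    Finding("web-01", "critical", date(2022, 3, 1)),
    Finding("web-01", "high", date(2022, 1, 10), date(2022, 1, 20)),
    Finding("db-01", "high", date(2022, 1, 5)),
    Finding("db-01", "medium", date(2022, 2, 1)),
    Finding("hr-app", "low", date(2021, 12, 1)),
    Finding("mail-01", "critical", date(2022, 3, 9)),
]

TODAY = date(2022, 3, 14)  # fixed as-of date so the example is reproducible


def _overdue(f: Finding, today: date) -> bool:
    """An open finding is overdue once it has been open longer than its SLA."""
    return f.closed is None and (today - f.opened).days > PATCH_SLA_DAYS[f.severity]


def operational_metrics(findings, today=TODAY):
    """Operational level: open findings by severity, and how many breach the patch SLA."""
    open_by_sev = {s: 0 for s in PATCH_SLA_DAYS}
    overdue_by_sev = {s: 0 for s in PATCH_SLA_DAYS}
    for f in findings:
        if f.closed is not None:
            continue
        open_by_sev[f.severity] += 1
        if _overdue(f, today):
            overdue_by_sev[f.severity] += 1
    return {"open": open_by_sev, "overdue": overdue_by_sev}


def management_metrics(findings, today=TODAY):
    """Management level: share of assets with no SLA-breaching finding (a compliance figure)."""
    assets = {f.asset for f in findings}
    non_compliant = {f.asset for f in findings if _overdue(f, today)}
    compliant_pct = 100.0 * (len(assets) - len(non_compliant)) / len(assets)
    return {
        "assets": len(assets),
        "non_compliant_assets": sorted(non_compliant),
        "patch_compliance_pct": round(compliant_pct, 1),
    }


def strategic_status(findings, target_pct, today=TODAY):
    """Strategic level: is the program on goal?

    The target is the governance-set reference point; without it the compliance
    figure is only a measurement, not a metric, so the function refuses to run.
    """
    if target_pct is None:
        raise ValueError("a governance target is required to turn a measurement into a metric")
    pct = management_metrics(findings, today)["patch_compliance_pct"]
    return {
        "patch_compliance_pct": pct,
        "target_pct": target_pct,
        "on_goal": pct >= target_pct,
        "gap_pct": round(max(0.0, target_pct - pct), 1),
    }


if __name__ == "__main__":
    print(operational_metrics(FINDINGS))
    print(management_metrics(FINDINGS))
    print(strategic_status(FINDINGS, target_pct=90.0))
```

Each level consumes the one below it: the operational counts feed the per-asset compliance figure, and the compliance figure only becomes a strategic metric when compared against the target that governance set.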


Module 3B1: Information Security Control Design and Selection


Introduction
 Controls are a method of risk management.

 They include many of the previous elements (such as policies, procedures, guidelines, practices, and organisational structures) and are the primary elements to consider when developing an information security program.

 Controls are executed to attain specific goals, and they collaborate to enable stakeholder goals through the strategic program plan.

 Control objectives aid in the alignment and achievement of security and privacy goals.

 Control objectives are defined as a statement of the desired outcome or purpose of executing control procedures in a specific process.


Managing Risk Through Controls
 Physical, technical, and administrative controls are all possible. The selection of controls should be based on several factors, including assuring their effectiveness, cost or potential restriction of business activities, and optimal form of control.

IT Controls
 As information and technology play such an important role in the operations of many businesses, IT controls account for the majority of the controls they require. While technical controls are included, many IT controls are both technical and administrative in nature.

Non-IT Controls
 The information security manager should be aware that information security controls for non-IT-related information processes, such as secure marking, handling, and storage requirements for physical information, and considerations for dealing with and preventing social engineering, must also be developed. Environmental controls should be considered so that otherwise secure systems are not simply stolen, as has happened in some well-publicised cases.
Managing Risk Through Controls
Layered Defences
 Defence in depth, or layering defences, is an important concept in developing an effective information security strategy or architecture.

 The layers should be designed in such a way that the failure of one layer does not result in the failure of the next layer. The number of layers required will be determined by asset sensitivity and criticality, defence reliability, and degree of exposure.

 Excessive reliance on a single control is likely to lead to overconfidence. A company that relies solely on a firewall, for example, may still be vulnerable to a variety of attack methods.

 A human firewall, which can serve as an additional layer of defence, can be created through education and awareness. Another defensive layer can be created by segmenting the network.


Managing Risk Through Controls
Technologies
 Several security technologies have been developed over the last few decades to address the ever-increasing threats to information resources.

 One of the pillars of an effective security strategy is technology.

 The information security manager must understand how technologies can be used as controls to achieve the desired level of security.

 However, technology cannot compensate for management, cultural, or operational shortcomings, and the information security manager should not rely too heavily on it.


Controls and Countermeasures
 To achieve control objectives, the information security program must include both general and system-level controls in its design.

 General, or common, controls are control activities that, as part of the security infrastructure, support the entire enterprise in a centralised fashion.

 Because infrastructure is frequently shared by different departments within the same enterprise, the term general controls is frequently used to refer to all controls in the infrastructure.

 Control activities in support of an operating system, network security, and facility security are examples. These controls typically include centralised user administration policies, standards, and procedures, as well as technical elements like access controls, firewalls, and intrusion detection systems (IDSs).

 Subordinate system-level activities can then inherit these general controls to achieve control objectives.


Control Categories
 Controls should be implemented across several control categories to support the development of a defence-in-depth strategy and to ensure comprehensive achievement of control objectives, including:

Preventive, Detective, Corrective, Compensating, Deterrent


Control Design Considerations
 Controls and countermeasures are most effective when based on a top-down, risk-based approach to assure comprehensive and practical design.

 This is due to the fact that control objectives are largely determined by management's defined acceptable risk levels. The controls must be designed to achieve the objectives of acceptable risk levels.

 As a result, the control objectives serve as both the design objective and the subsequent control metric for effectiveness.

 Control objectives must be defined during program development and apply to physical, administrative, and technical controls.

 Control objectives necessitate the use of a variety of control types. A technical control, such as a firewall, may necessitate a physical protection control, a configuration procedural control, and administrative oversight.


Control Methods
 Security controls include administrative, technical, and physical controls, as well as the use of technical and nontechnical methods. Technical controls are safeguards built into computer hardware, software, or firmware.

 Management and operational controls, such as security policies, standards, operational procedures and personnel, and physical and environmental security, are examples of nontechnical controls.

Category: Description

Managerial: Controls pertaining to a process's oversight, reporting, procedures, and operations. Policies, processes, balancing, employee development, and compliance reporting are examples of these.

Technical: Controls provided by technology, a piece of equipment, or a device. Firewalls, network or host-based intrusion detection systems, passwords, and antivirus software are some examples. To function properly, a technical control requires proper managerial controls.

Physical: Locks, fences, closed-circuit television (CCTV), and other devices installed to physically restrict access to a facility or hardware. Physical controls necessitate maintenance, monitoring, and the ability to assess and respond to an alert in the event of a problem.


Control Methods
Countermeasures
 In addition to the general safeguards provided by standard controls, the information security manager may require a control against a specific threat on occasion. A countermeasure is a type of control.

 Countermeasures frequently provide targeted protection, making them more effective but less efficient than broader, more general safeguards (though not always less cost-effective, depending on the original and residual ALE associated with the threat being countered).

 Countermeasures are controls that are put in place in response to a known threat. They can be preventive, investigative, or corrective in nature, or any combination of the three. Nontechnical countermeasures can also be used, like offering a reward for information leading to the arrest of hackers.

 Countermeasures used to address specific threats or vulnerabilities are frequently costly, both operationally and financially, and can become a distraction from core security operations.
Control Methods
Physical and Environmental Controls
 All efforts to protect information are built on a strong physical barrier that protects the physical media on which the information is stored. Physical security is often provided as part of facilities management in many businesses.

 The physical security organisation may establish requirements building by building and enforce those requirements through a combination of physical security technology and manual procedures.

 An information security manager must validate technology choices in support of physical security processes and ensure that adequate physical security policies and standards are developed.

 Physical and environmental controls are a subset of general controls that are used by all computing facilities and personnel. Furthermore, some technologies include features that enable physical mechanisms to override logical controls.


Control Methods
Control Technology Categories
 Consider operational authority and the types of controls available when determining the types of control technologies that must be considered by the information security manager.

 As the majority of technical controls are under the direct control of the IT department, it is necessary to consider how security will be maintained. IT and the security department may share operational authority in some cases.

 In terms of the types of controls available, technologies typically fall into one of three categories:

1. Native control technologies
2. Supplemental control technologies
3. Support control technologies


Control Methods
Technical Control Components and Architecture
 Dealing with a wide range of technical components previously classified as native control technologies, supplementary control technologies, and management support technologies is part of information security management.

 The technical security architecture is made up of native control and support technologies. This construct can be applied to individual business applications or to the enterprise as a whole, with the goal of revealing how individual technical components interact to give overall enterprise or application security.

 This comprehensive view of technical component capabilities avoids the point-solution approach that leads to poor overall security. Technical security architecture analysis must be closely coordinated with threat and risk factor reviews and analysis.

 The information security manager should assure that the technical security architecture components are in sync with the enterprise's risk and threat postures as well as its business requirements.
Module 3B2: Information Security Control Implementation and Integration


Introduction
 Controls are the foundation of strategy execution. Executing a strategy entails designing, developing, testing, and implementing various types of controls in a variety of combinations.

 The strategy's development includes determining acceptable risk and risk tolerance.

 Control objectives, which define the main requirements for the controls, are determined using acceptable risk levels.

 Controls must also meet some or all of the criteria outlined in the preceding section.

 Controls that affect all aspects of an enterprise, including people, technology, and processes, are required for effective information security.

 To achieve the control objectives, a combination of controls is frequently required. The control options are virtually limitless, which adds to the difficulty.


Introduction
(Continued)
 Access control, for example, is a preventive control that prevents unauthorised access that could harm systems. Because it detects unauthorised access, intrusion detection is a detective control.

 Backup and restoration procedures are a corrective measure that allows a system to be recovered if the damage is severe enough that data is lost or irreparably damaged, resulting in impact.

 Compensating controls (for example, insurance) are similar to corrective controls in that they compensate for an impact caused by a compromise.

 Security products frequently include a variety of control combinations. A firewall is a common control that filters network traffic to limit which protocols (or ports) can be used to enter or exit an internal network, as well as which addresses or address ranges are allowed as a source and destination.


Introduction
(Continued)
 This is a preventive control because it prevents unauthorised access to specific network ports, protocols, or destinations.

 The same firewall may have more advanced features, such as the ability to scan inbound network traffic for malware and send alerts to an operations centre if suspicious traffic passes through the device. This is a detective control.

 The firewall may also include a feature that lets operations redirect incoming traffic to a backup site if it is discovered that a virus has reduced capacity at the primary site after responding to the virus alert.

 Because it allows the systems to resume normal operations, this is a recovery or corrective control.

 As a deterrent control against unauthorised access, the proxy service that runs on the firewall may be capable of displaying a warning banner.
Introduction
(Continued)
 Controls must be automated as much as possible so that bypassing them is technically impossible. Common control practices that make it difficult for users to circumvent controls include the following mechanisms:

1. Access (logical) control
2. Secure failure
3. Principle of least privilege
4. Compartmentalising to minimise damage
5. Segregation of duties (SoD)
6. Transparency
7. Trust
8. Zero trust
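Four of the mechanisms listed above (logical access control, secure failure, least privilege, and segregation of duties) can be shown working together in a single access decision. The Python below is an added example, not course material: the roles, permissions, users and payment records are constructed, and the "clerk may not also be approver" pair and the "creator may not approve their own payment" rule are assumed SoD rules chosen for illustration.

```python
"""Deny-by-default access decision showing logical access control, secure
failure, least privilege and segregation of duties (SoD) in one place.

Added example (not from the CISM course material). Roles, users, payments
and the two SoD rules are constructed for illustration.
"""
from typing import Iterable, Optional

# Least privilege: each role grants only the permissions the job needs.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read"},
}

# Static SoD: a user may not hold both roles of any pair (assumed conflict pair).
SOD_CONFLICTS = {frozenset({"clerk", "approver"})}

# Constructed users and their roles. "dave" holds a toxic combination;
# "eve" references a role nobody defined, which exercises secure failure.
USERS = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"auditor"},
    "dave": {"clerk", "approver"},
    "eve": {"ghost"},
}

# Constructed record of who created each payment (needed for dynamic SoD).
PAYMENT_CREATORS = {"pay-100": "alice", "pay-101": "bob"}


def sod_violations(roles: Iterable[str]):
    """Return the conflicting role pairs a user holds (empty list if none)."""
    held = set(roles)
    return [pair for pair in SOD_CONFLICTS if pair <= held]


def is_allowed(user: Optional[str], action: str, resource: Optional[str] = None) -> bool:
    """Logical access control: every path returns False unless a rule explicitly allows."""
    try:
        if user is None or user not in USERS:
            return False                      # unknown identity: deny
        roles = USERS[user]
        if sod_violations(roles):
            return False                      # static SoD: toxic role combination
        granted = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
        if action not in granted:
            return False                      # least privilege: not in the role's set
        # Dynamic SoD: whoever created a payment may not be the one to approve it.
        if action == "payment:approve" and PAYMENT_CREATORS.get(resource) == user:
            return False
        return True
    except Exception:
        # Secure failure: an undefined role (KeyError) or any other fault denies,
        # so a configuration mistake can never widen access.
        return False


if __name__ == "__main__":
    for user, action, res in [("alice", "payment:create", None),
                              ("alice", "payment:approve", "pay-100"),
                              ("bob", "payment:approve", "pay-100"),
                              ("bob", "payment:approve", "pay-101"),
                              ("dave", "payment:create", None),
                              ("eve", "payment:read", None)]:
        print(user, action, res, "->", "allow" if is_allowed(user, action, res) else "deny")
```

The point of the try/except is the direction of failure: a broken role definition produces a denial that shows up in testing rather than an allow that shows up in an audit finding.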


Baseline Controls
 Defined baseline security controls must be required for all new system development. As part of the system documentation, baseline security requirements must be defined and documented, typically in standards.

 Adequate traceability of security requirements must be assured and supported throughout the life cycle. Authentication functions, logging, role-based access control, and data transmission confidentiality mechanisms are a few examples.

 The information security manager should understand the enterprise's risk tolerance and must consult industry and regional sources to establish a baseline set of security functions that are appropriate for organisational policies and acceptable risk levels.

 Based on vulnerability, threat, and risk analysis, additional controls may be warranted, and these controls must be involved in the requirements-gathering process.

 During the design and development phases, the information security team may be consulted to assess how well solution options meet acceptable risk requirements.


Baseline Controls
(Continued)
 There is almost never a perfect solution, and there will always be trade-offs between security requirements, performance, costs, and other demands.

 To achieve control objectives, the information security manager must be diligent in identifying and communicating solution deficiencies, as well as developing mitigating or compensating controls.

 To ensure that coding practices and security logic are adequate, the information security manager should use internal or external resources to review them during development.

 The information security manager must coordinate testing of originally established functional security requirements as well as testing system interfaces for vulnerabilities during the quality and acceptance phases.


Module 3B3: Information Security Control Testing and Evaluation


Introduction
 Following the implementation of controls, the next step is to assess the extent to which they attain their intended purpose.

 The goal, as with other elements of the security strategy and program, is to make sure that the layers of controls implemented achieve the agreed-upon acceptable level of risk, rather than to ensure that the controls completely eliminate any risk.

 Throughout the operation of the security program, testing and evaluation of the various management, technical, and physical controls will be ongoing, including system-specific controls that will be continuously assessed throughout the system life cycle.

 As risk objectives, the threat landscape, and system operation change, the evaluation procedure should evolve to assure that control objectives, such as cost-effectiveness and mission alignment, are met.


Control Strength
 The type of control being evaluated (preventive, detective, manual, automated, etc.) and the quantitative and qualitative compliance testing results can be used to determine control strength.

 Although an automated control is usually preferable to a manual control, a thorough examination may indicate that a manual control is superior. Alerts and automatic reports may be generated by an automated control design.

 Yet, a careful examination of the procedure may reveal that there is no evidence of review and that subsequent response actions, including resolution, cannot be measured. The control fails in this scenario.

 However, if handwritten notes with initials and dates are recorded within IDS log reports on a daily basis, and if the same notes contain analysis, action plans, ticket numbers, and resolution, then the manual control is far more effective than the automated one.

 Of course, no final conclusion about the strength of the control can be reached until it has been thoroughly tested.
Control Strength
(Continued)
 A control's strength can be measured in terms of its inherent (or design) strength and likelihood of effectiveness. Balancing the books to account for all cash and dividing accounting responsibilities among several employees are two examples of inherently strong controls.

 Accessing sensitive areas or materials requires dual control, which is an example of an inherently strong control by design.

 Risk mitigation must be linked to supported business functions in order to demonstrate value and alignment with business objectives.

 This assures that information security and IT governance initiatives are automatically followed, and that cost justification for the treatment procedure is self-explanatory and easily available.


Control Recommendations
 Control elements to consider when evaluating control strength include whether the controls are preventive or detective, manual or automated, formal (documented in procedure manuals with evidence of operation) or ad hoc.

 Controls that could mitigate or eliminate the identified risk (as appropriate to the enterprise's operations) to an acceptable level are provided during this step of the process.

 When recommending controls and alternative solutions to achieve control objectives, the following factors should be considered:

 Effectiveness of recommended options
 Compatibility with other impacted systems, processes and controls
 Relevant legislation and regulation
 Organisational policy and standards
 Organisational structure and culture
 Operational impact
 Safety and reliability
 Measurement
Control Recommendations
(Continued)
 Control recommendations are the outcomes of the risk assessment and analysis process, and they serve as input to the risk treatment process.

 The recommended procedural and technical security controls are evaluated, prioritised, and implemented during the risk treatment process.

 To determine which are required and appropriate for a specific enterprise, a cost-benefit analysis for the proposed controls should be performed to demonstrate that the costs of implementing the controls can be justified by a reduction in the level of risk or impact.

 The control implementation process should seek input from the appropriate business unit owner for effective results.


Control Testing and Modification
 Changes in the technical or operational environment can frequently alter the protective effect of controls or introduce new vulnerabilities that existing controls are not designed to address.

 Control testing is required in most publicly traded companies and must be executed as a regular practice in all businesses to assure that procedural controls are carried out consistently and effectively.

 Changes to technical or operational controls should be made with caution. Changes to technical controls must be made in accordance with change control procedures and with the approval of stakeholders.

 The information security manager must conduct an analysis of the proposed control environment to determine if there are any new or recurring vulnerabilities in the design and to assure that the control is designed properly.

 Following implementation, acceptance testing should be performed to assure that the mechanisms enforce the prescribed policies.
Module 3B4: Information Security Awareness and Training


Security Awareness Training and Education

• By addressing the behavioural aspect of security through education and regular application of awareness techniques, an active security awareness program can significantly minimise risk.

• Common user security problems, such as password selection, appropriate use of computing resources, email and online browsing safety, and social engineering, should be addressed through security awareness programs.

• Education and understanding of the necessity of the information security programme is a key part of achieving compliance with the program.

• Employee awareness should begin when they join the company and continue on a regular basis.

• All enterprise personnel and, when applicable, third-party users must receive proper training and regular updates on the importance of enterprise security policies, standards, and procedures.


Developing an Information Security Awareness Program

• The information security manager should adopt a rigorous approach to developing and conducting the education and awareness programme, taking into account factors such as:

 Who is the target audience?
 What is the desired message?
 What is the intended outcome?
 What communication mechanism will be used?
 What is the organisational structure and culture?


Role Based Training
• While broad training on organisational policies and practices is required for all employees and third-party partners, the security program should also include training relevant to the duties of those in security-specific work tasks, including leadership roles. Particular considerations include:

1. Executive, leader, and manager training to help them understand their roles in defining risk expectations.

2. Training for persons in positions of authority should emphasise specific approaches for safeguarding precious resources.

3. Physical security personnel training focuses on those who are responsible for physical security, including environmental variables that support the confidentiality, integrity, and availability of critical organisational assets.


Role Based Training
• To confirm that all relevant workers receive the right training, a systematic approach to assessing and tracking course delivery and results should be implemented. Consider the following when conducting such tracking:

1. Coverage
2. Grading
3. Automation and deployment


Module 3B5: Management of External Services


Governance of Third-Party Relationships
• The rules and practices used when dealing with third-party relationships are an important feature of information security governance. These parties are:

1. Service providers
2. Outsourced operations
3. Trading partners
4. Merged or acquired enterprises

• The capacity to manage security effectively in these partnerships is a big problem for the information security manager.

• There may be incompatibilities in technology between the organisations, process variations that may not integrate smoothly, or insufficient levels of baseline security.

• Concerns may also be raised about incident response, business continuity, and catastrophe recovery capabilities.


Third Party Service Providers
• A typical firm makes extensive use of information resources to support its business processes. When outsourcing, the information security manager must examine numerous factors, involving:

 Ensuring that suitable controls and processes are in place to support outsourcing.
 Ensuring that proper information risk management terms are included in the outsourcing contract.
 Ensuring that a risk assessment is completed for the outsourced process.
 Ensuring that enough due diligence is completed prior to contract signature.
 Day-to-day management of information risk for outsourced services.
 Ensuring that major changes to the relationship are identified and that updated risk assessments are conducted as needed.
 Ensuring that right procedures are followed when ending relationships.


Third Party Service Providers
Outsourcing and Service Providers
• Third-party providers of security services and outsourced IT or business operations that must be integrated into the overall information security program are the two forms of outsourcing that an information security manager may encounter.

• Outsourcing is primarily motivated by economic considerations. As a result, early involvement by the information security manager is critical to ensuring that individuals making these decisions do not jeopardise security for the sake of cutting costs.

• It is also likely that when the business grows, it may want more services, which may necessitate substantially greater fees from the outsourcer.


Third Party Service Providers
(Continued)
• This could happen if the organisation determines that the constraints imposed by outsourcing are unacceptable, or if the costs connected with a new arrangement are prohibitively expensive. Other essential and potentially negative factors to consider while examining outsourcing possibilities are:

 Loss of critical skills.
 Lack of transparency into security processes.
 New access and an additional control risk.
 The third-party vendor's viability.
 Incident management complexity.
 Distinctions in culture and ethics.
 Unexpected expenses and service deficiencies.


Outsourcing Challenges
• Outsourced information resources may bring additional obstacles to an information security manager, such as external firms that may be hesitant to share technical specifics on the nature and scope of their information protection measures.

• From the standpoint of risk management, it is critical that incident management and response, business continuity planning/disaster recovery planning, and testing include all critical outsourced services and operations.

• Key clauses that should be included in a third-party contract include, but are not limited to:

 Right to source code in the event of provider default.
 Requirement that the vendor comply with industry and regulatory obligations on time.
 The right to inspect the vendor's books and premises.
 The right to inspect the vendor's processes.
 Described SOPs.
 The ability to examine the skill sets of vendor resources.
 Advance notice if the deployed resources are to be altered.
Outsourcing Contracts
• Contracts serve two purposes: 1) to guarantee that the parties to the agreement are aware of their responsibilities and rights within the relationship; and 2) to give a way to resolve problems after the contract is in effect.

• The information security manager should be familiar with the specific security and information protection provisions within that framework.

• The most prevalent type of security provision is one that addresses secrecy or nondisclosure. The information security manager must identify the particular amount of destruction required.

• The contract may also require either or both parties to maintain security procedures to guarantee that the systems and information used in the agreement are adequately protected.

• The contract should explain what is meant by "suitable," as well as the conditions for demonstrating the effectiveness of those safeguards.


Third-Party Access
• Under any circumstances, third-party access to the information security manager's enterprise's processing facilities should be controlled based on risk assessment and clearly described in an SLA.

• Access should be granted using the least privilege, need-to-know, and need-to-do criteria. Third-party access must be based on clearly defined means of access, access permissions, and levels of functionality, and access must require the asset owner's agreement.

• Access usage should be fully logged and examined on a regular basis by the security manager. The frequency of reviews should be determined by considerations such as:

o The importance of the information to which access privileges are granted.
o The importance of the privileges granted.
o Contract duration.
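The slide above asks for third-party access to be defined in the SLA (means of access, permitted assets, level of functionality), fully logged, and reviewed regularly. The Python below is an added example of what such a review can look like when automated; it is not course material. The vendor register, the access-log lines and their field layout are constructed, and the three checks (contract still in force, asset on the agreed list, access within the agreed window) are assumed review rules drawn from the slide's criteria.

```python
"""Review of third-party access logs against the terms agreed in the SLA.

Added example (not from the CISM course material). The vendor register,
the log lines and the five-field log layout are constructed for illustration.
"""
from datetime import date, datetime

# Constructed register: what each third-party account is contractually permitted.
THIRD_PARTY_REGISTER = {
    "vendor_acme_svc": {
        "assets": {"erp-app-01"},           # need-to-know: only the system they support
        "hours": (8, 18),                   # agreed access window, hours of day [start, end)
        "contract_end": date(2022, 12, 31),
    },
    "vendor_beta_svc": {
        "assets": {"hr-db-01"},
        "hours": (0, 24),
        "contract_end": date(2022, 2, 28),  # contract had already ended at review time
    },
}

# Constructed access-log lines: timestamp, account, asset, action, result.
ACCESS_LOG = """\
2022-03-10T09:15:02 vendor_acme_svc erp-app-01 login success
2022-03-10T23:40:11 vendor_acme_svc erp-app-01 login success
2022-03-11T10:02:45 vendor_acme_svc fin-db-01 query success
2022-03-11T11:30:00 vendor_beta_svc hr-db-01 login success
2022-03-11T12:00:00 staff_jdoe erp-app-01 login success
"""


def parse_log(text: str):
    """Turn the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, asset, action, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "asset": asset, "action": action, "result": result})
    return events


def review_third_party_access(events, register=THIRD_PARTY_REGISTER):
    """Return (account, timestamp, reason) for every event outside the agreed terms.

    Accounts not in the register are not third parties and are skipped here;
    they belong to the ordinary internal access review.
    """
    findings = []
    for e in events:
        terms = register.get(e["account"])
        if terms is None:
            continue
        when = e["ts"].isoformat()
        if e["ts"].date() > terms["contract_end"]:
            findings.append((e["account"], when, "access after contract end"))
        if e["asset"] not in terms["assets"]:
            findings.append((e["account"], when, f"asset {e['asset']} not permitted"))
        start, end = terms["hours"]
        if not (start <= e["ts"].hour < end):
            findings.append((e["account"], when, "outside agreed access window"))
    return findings


if __name__ == "__main__":
    for finding in review_third_party_access(parse_log(ACCESS_LOG)):
        print(*finding)
```

Each finding maps back to a clause the contract should already contain (permitted systems, access window, term), which is what makes the review evidence usable when the relationship is renegotiated or ended.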


Module 3B6: Information Security Program Communications and Reporting


Program Management Evaluation
• Certain conditions necessitate the information security manager assessing the present state of an existing information security program.

• It is also critical for the information security manager to reevaluate the program's efficacy in light of changes in organisational demands, settings, and limits on a regular basis.

• The findings of such an analysis should be shared with the information security steering committee or other stakeholders for discussion and formulation of necessary program improvements.

• While the information security manager must decide the most appropriate scope for current state assessment, the following section offers many essential topics for consideration.


Program Management Evaluation
Program Objectives

• The information security manager must assess the program's documented security
objectives. Important considerations include:

 Has an information security plan and roadmap for development been developed?
 Have appropriate risk and impact criteria been established?
 Are policies, standards, and processes complete and up to date?
 Are program objectives in sync with governance objectives?
 Are the objectives measurable, reasonable, and tied to specified deadlines?
 Do the program objectives correspond to the organisation's goals, initiatives, compliance
requirements, and operational environment?
 Is there agreement on program goals? Were goals developed collaboratively?
 Have measures been implemented to track program performance and shortfalls?
 Is there a regular assessment of objectives and accomplishments by management?


Program Management Evaluation
Compliance Requirements

• Compliance criteria alignment and fulfilment are two of the most apparent indicators of
security management status. Because numerous standards specify
program management requirements, the information security manager must compare
the management program—framework and components—to mandatory and optional
compliance standards. Important considerations include:

 Has management established the level of compliance that the organisation will pursue, as
well as the timetables and milestones?
 Is close cooperation between the compliance and information security groups facilitated? Are
the requirements for information security compliance well defined?
 Does the information security program incorporate compliance requirements precisely into its
policies, standards, procedures, operations, and success metrics?
 Do the technical, operational, and management components of the program correspond to
the components required by regulatory standards?


Program Management Evaluation
Program Management

• The level of management support and the overall depth of the existing program are
revealed by evaluating program management components. Consider the following
programme management components:

 Is the program itself thoroughly documented? Have essential policies, standards, and
procedures been reduced to simple operational instructions and given to those responsible?
 Do those in positions of responsibility understand their roles and responsibilities?
 Are the duties and responsibilities of members of senior management, boards, and so on
defined? Do these organisations recognise and act on their responsibilities?
 Are information security duties reflected in company managers' objectives and included in
their performance evaluations?
 Have policies and standards been finalised, formally approved, and disseminated?


Program Management Evaluation
Security Operations Management

• The success with which the information security programme implements security
operational activities, both within the security organisation and in other organisational
units, must be evaluated by the information security manager. Among the most
important considerations are:

 Are security requirements and processes addressed in security, technology, and business unit
standard operating procedures?
 Do security-related SOPs mandate accountability, process transparency, and management
oversight?
 Do security-related operations such as configuration management, access management,
security system maintenance, event analysis, and incident response have established SOPs?
 Is a timetable of routinely conducted procedures (for example, technical configuration review)
in place? Is it possible to keep track of scheduled activities in the program?


Program Management Evaluation
Technical Security Management

• The management of the technological security environment is crucial to guaranteeing
the effective implementation of information processing systems and security
procedures. In addition to reviewing the current technical environment, the information
security manager should think about the following aspects when it comes to managing
technical security concerns:

 Are there technological standards for configuring specific networks, systems, apps, and other
technology components for security?
 Are there standards that address architectural security challenges such as topology,
communication protocols, and crucial system compartmentalisation?
 Do high-level policies and requirements support and enforce standards? Are standards
developed in collaboration with technical, operations, and security personnel?
 Are technical standards applied consistently? Do mechanisms exist to evaluate and report on
technical standard compliance on a regular basis? Is there a systematic method in place to
handle exceptions?
 Are important controls continuously monitored? Do controls provide failure notifications?

Program Management Evaluation
Resource Levels

• The information security manager must examine the program's financial, human, and
technical resources.

• Deficiencies must be discovered and escalated to senior management or the steering
committee. Consider the following:

 Financial resources
 Human resources
 Technical resources


The Plan-Do-Check-Act Cycle
• The information security program is built around the effective and efficient management
of controls that are established and executed to address or minimise threats, risks,
vulnerabilities, and impacts.

• The total quality management (TQM) system's concepts and procedures are well
suited to the unique reliance on effective, efficient management of a business process
such as information security.


Security Reviews and Audits
• The manager of an information security program must have a consistent, standardised
approach to analysing and evaluating the state of various parts of the program during its
creation and management.

• Using a consistent approach will provide trend information over time and can act as a
gauge of program improvements. This is possible through a security assessment
procedure similar to an audit. Security reviews, like regular auditing procedures, have:

 Objective
 Scope
 Constraints
 Approach
 Result


Security Reviews and Audits
Audits

• Auditors identify, examine, test, and assess the effectiveness of controls in the
professional field of information systems auditing.

• While executing an audit, an audit team gathers documentation that 1) maps controls to
control objectives, 2) indicates what the team performed to test those controls, and
3) relates those test findings to the final evaluation.

• Work papers are documents that may or may not be presented with the final report.

• A framework or external standard, such as COBIT or ISO/IEC 27001 and 27002,
provides a structure for control goals, allowing an audit team to arrange its assessment
of existing controls.


Security Reviews and Audits
Auditors

• The information security manager must establish effective working relationships with
auditors, both internal and external. Internal and external auditing operations must be
integrated into the information security program.

• Procedures for scheduling, observing personnel activities, and providing configuration
data from technical systems should be set in advance. In some situations, an auditor's
finding of a flaw may not apply to the information security manager's unique
organisation.

• If issues are discovered during an audit, the information security manager should
collaborate with the auditors to determine the related risk, mitigating factors, and
acceptable control objectives.

• The findings of the audit give robust, impartial input for the steering committee and
management to utilise in evaluating the performance of the information security
program.

Compliance Monitoring and Enforcement
• Compliance enforcement mechanisms must be considered throughout program
creation to ensure eventual effectiveness and manageability once the program is
implemented.

• Compliance enforcement refers to any activity inside the information security program
that is intended to ensure compliance with the enterprise's security policies, standards,
and procedures.

• Enforcement processes should be created with the assumption that control activities
are in place to support control objectives.

• Control selection is frequently influenced by the ease of monitoring and enforcement.

• These procedures add another layer of control to guarantee that the procedures
defined by management are followed.


Compliance Monitoring and Enforcement
Policy Compliance

• Policies serve as the foundation for all accountability for security duties across the
company.

• Policies must be comprehensive enough to cover all instances in which information is
handled, while also being flexible enough to allow new processes and procedures
to grow for different technologies while remaining compliant.

• It is the responsibility of the information security manager to guarantee that there are
no orphan systems or systems without policy compliance owners during the
assignment process.

• A policy exception process is frequently mentioned in information security management
literature.

• This is a technique for business units or departments to analyse a policy and decide
not to implement it based on a variety of considerations.

Compliance Monitoring and Enforcement
Standards Compliance

• Standards define the possibilities for systems, processes, and behaviours that
nevertheless adhere to policy.

• Based on the criticality and sensitivity of the resources, the standards must be created
to ensure that all systems of the same type within the same security domain are
configured and operated in the same manner.

• It is also possible that a business scenario justifies a variation from established
standards while remaining within the policy's goal.

• Standards exceptions, like policy exceptions, must entail risk assessment and
acceptance by competent management. If exceptions must go through the change
management process (if one exists), analysing the risk of the change will be a standard
element of the procedure.


Compliance Monitoring and Enforcement
Resolutions of Compliance Issues

• Noncompliance issues can pose a danger to the organisation, so it is critical to
design specialised methods to deal with them effectively and efficiently. A method for
identifying criticality and then establishing a risk-based response mechanism benefits
the security manager. Noncompliance concerns and other deviations can be found
through a variety of approaches, including:

 Routine monitoring
 Audit reports
 Security reviews
 Vulnerability scans
 Due diligence work

Compliance Enforcement
• Compliance enforcement is a continuous collection of activities aimed at bringing policy
and, by extension, standards requirements that are not being met into compliance.

• Legal and internal audit divisions are frequently in charge of evaluating business plans
and operations, respectively.


Monitoring Approaches
• The security manager must devise a consistent, dependable mechanism for
determining the program's overall continuous effectiveness. One method is to conduct
risk assessments on a regular basis and track progress over time.

• Another common approach for determining system vulnerabilities is the use of external
and internal scanning and penetration testing, although this will only reveal the efficacy of
one aspect of the whole program.

Monitoring Security Activities in Infrastructure and Business Applications
• Because an enterprise's vulnerability to security breaches is likely to exist at all times,
the information security manager should undertake continuous monitoring of security
operations.

• Continuous IDS and firewall monitoring can provide real-time information on efforts to
penetrate perimeter defences. Training help desk staff to escalate suspicious reports
that could indicate a breach or an attack can act as an effective monitoring and early
warning system.

Monitoring Approaches
Determining Success of Information Security Investments

• Processes must be in place for the information security manager to determine the
overall efficacy of security investments and the extent to which objectives have been
met.

• The information security manager should confirm that KPIs are created and agreed
upon during the design and implementation of the security program, and that a method
to assess progress against those indicators is implemented.

• In addition to the original procurement and implementation costs, it is critical to account
for:

 Costs to administer controls
 Training costs
 Maintenance costs
 Monitoring costs
 Update fees
 Fees for consultants or help desks

Measuring Information Security Management Performance

• The information security manager should understand how to develop processes and
systems that allow the information security program's successes and shortfalls to be
assessed. Measuring success entails creating quantifiable objectives, recording the
most relevant metrics, and assessing results on a regular basis to identify areas of
success and improvement potential.

Measuring Information Security Risk and Loss

• The basic goal of an information security program is to ensure that risk is effectively
managed and that the consequences of unfavourable events are within acceptable
boundaries.

• It is nearly impossible to achieve absolute security while maintaining system usability.

• Determining if the security program is operating at an appropriate level—balancing
operational efficiency with adequate safety—can be handled from a variety of angles.


Measuring Information Security Management Performance

Measuring Support of Organisational Objectives

• The information security program must support the primary goals of the organisation.
The information security steering committee and executive management might assess
the following qualitative measures:

 Is there a written link between significant organisational milestones and the
information security program's objectives?

 How many information security objectives in support of organisational goals were
completed?

 Were there organisational goals that were not fulfilled because information security
objectives were not met?

 How strong is the agreement that programme objectives are complete and suitable among
business units, upper management, and other information security stakeholders?


Measuring Information Security Management Performance

Measuring Operational Productivity

• The resources of an information security program are not unlimited. The information
security manager must maximise operational productivity, especially given the
increasing development of IT firms.

• Security management automation solutions can operate as labour multipliers,
significantly increasing the completion of operational duties.

• Productivity measurements are most useful when used in a time-based comparison
analysis.

• Productivity is a measure of the amount of work produced per unit of resource. The
information security manager should establish regular targets for boosting the
program's productivity through specialised activities.


Measuring Information Security Management Performance

Measuring Security Cost-Effectiveness

• Financial constraints are a common cause of security failings, including the inability to
prepare for continuing maintenance requirements, so the information security
programme must be financially sustainable.

• This procedure starts with precise cost forecasting and budgeting. The success of this
operation is often determined by comparing budget utilisation to initial forecasts, which
can assist in identifying difficulties with security cost planning.

• In addition to budgeting effectiveness, the information security manager should create
systems to monitor the continuous cost-efficiency of security components, which is
typically performed by tracking cost-result ratios.

• By assessing the overall cost of producing a certain output, this approach creates cost-
efficiency goals for new technologies and improvement goals for existing technologies.


Measuring Information Security Management Performance

Measuring Organisational Awareness

• Personnel actions, even in a well-controlled technical setting, might pose hazards that
can only be managed via education and awareness.

• Employees are the most widely used source for tracking organisational awareness. The
information security manager should collaborate with the human resources department
to develop metrics for measuring organisational awareness success.

• Employee testing is another way to assess the effectiveness of an awareness
campaign. To assess the success of training, the information security manager should
provide instruments such as brief online or paper assessments that are conducted
soon after training.


Measuring Information Security Management Performance

Measuring Effectiveness of Technical Security Architecture

• One of the most visible aspects of an information security programme is generally the
technical security architecture.

• The information security manager must develop quantitative metrics of the technical
control environment's efficacy.

• For reporting and analysis, technical security metrics can be classified by protected
resource and geographic location. The following are some examples of technical
security effectiveness metrics:

1. Probe and attack attempts resisted by network access control devices; qualify based on asset or
resource targeted, source geography, and attack type.
2. Internal network probe and attack attempts identified by intrusion detection systems;
differentiate by internal versus external source, resource targeted, and attack type.
3. The number and type of real compromises; categorise by attack severity, attack type, effect
severity, and attack source.

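Metrics 2 and 3 above worked through in code, as an added example that is not part of the course material: constructed IDS alerts are split into internal versus external sources (the RFC 1918 ranges, an assumption about the enterprise's address plan) and tallied by target, attack type and outcome.

```python
"""Tally technical security effectiveness metrics from constructed IDS alerts.

Added example, not from the CISM course deck. The alert format, addresses,
attack-type labels and the internal address ranges are constructed assumptions;
a real IDS export and address plan will differ.
"""
import ipaddress
from collections import Counter

# Constructed IDS alerts: timestamp|source_ip|target|attack_type|outcome
# outcome is "blocked" for a resisted attempt, "compromise" when the target was affected.
ALERTS = """\
2022-06-01T09:12:00|203.0.113.7|web-frontend|port-scan|blocked
2022-06-01T09:15:30|203.0.113.7|web-frontend|sql-injection|blocked
2022-06-01T10:02:11|10.20.4.15|file-server|brute-force|blocked
2022-06-01T11:45:09|192.168.1.77|payroll-db|privilege-escalation|compromise
2022-06-01T12:30:00|198.51.100.23|vpn-gateway|brute-force|blocked
2022-06-02T08:00:45|10.20.4.15|file-server|brute-force|compromise
"""

# Assumed internal address plan: the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alerts(text):
    """Split the constructed alert lines into dicts with a parsed source address."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, target, attack, outcome = line.split("|")
        rows.append({"ts": ts, "src": ipaddress.ip_address(src),
                     "target": target, "attack": attack, "outcome": outcome})
    return rows


def source_class(addr):
    """'internal' if the address falls in an assumed internal range, else 'external'."""
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def attempts_by_source_and_type(alerts):
    """Metric 2: attempts differentiated by source class, resource targeted and attack type."""
    return Counter((source_class(a["src"]), a["target"], a["attack"]) for a in alerts)


def compromises_by_type(alerts):
    """Metric 3: real compromises categorised by attack type and attack source class."""
    return Counter((a["attack"], source_class(a["src"]))
                   for a in alerts if a["outcome"] == "compromise")


def resistance_rate(alerts):
    """Share of attempts the controls resisted (blocked / total); 0.0 when there are none."""
    if not alerts:
        return 0.0
    blocked = sum(1 for a in alerts if a["outcome"] == "blocked")
    return blocked / len(alerts)


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    for key, count in sorted(attempts_by_source_and_type(parsed).items()):
        print("attempts", key, count)
    for key, count in sorted(compromises_by_type(parsed).items()):
        print("compromises", key, count)
    print(f"resistance rate: {resistance_rate(parsed):.2f}")
```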
Measuring Information Security Management Performance

Measuring Effectiveness of Management Framework and Resources

• Efficient information security management maximises the output of the components
and procedures that it employs. Mechanisms for collecting process input, recognising
difficulties and opportunities, tracking implementation consistency, and effectively
conveying changes and information all contribute to program effectiveness. Tracking
the program's progress in this area includes the following methods:

 Monitoring the occurrence of issues.
 Monitoring the extent to which operational knowledge is captured and disseminated.
 Standardising process execution.
 Clearly and comprehensively documenting information security duties and responsibilities.
 Including information security needs in all project plans.
 Improving the program's productivity and cost-effectiveness.
 Keeping track of overall security resource consumption and trends.
 Alignment with and support for company goals.


Measuring Information Security Management Performance

Measuring Operational Performance

• Measuring, monitoring, and reporting on information security processes assist the
information security manager in ensuring that the program's operational components
properly support control objectives. Security operational performance metrics include:

 Detection, escalation, isolation, and containment of incidents.
 Time elapsed between vulnerability discovery and resolution.
 The number, frequency, and severity of occurrences found after the fact.
 Average time between vulnerability patch vendor release and application.
 The percentage of systems that have been audited within a specific time frame.
 The number of changes released without full change control approval.
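The elapsed-time, percentage and count metrics in the list above, computed from constructed records as an added example that is not from the course material; the record layouts, dates and identifiers are all assumptions.

```python
"""Compute the operational performance metrics named on the slide from constructed records.

Added example, not from the CISM course deck. Vulnerability, audit and change
records below are constructed; a real program would pull them from its trackers.
"""
from datetime import date
from statistics import mean

# Constructed vulnerability records: (id, discovered, vendor_patch_released, resolved)
# resolved is None while the item is still open.
VULNS = [
    ("V-1", date(2022, 3, 1), date(2022, 2, 20), date(2022, 3, 10)),
    ("V-2", date(2022, 3, 5), date(2022, 3, 5), date(2022, 3, 26)),
    ("V-3", date(2022, 4, 2), date(2022, 3, 28), None),
]

# Constructed audit register: system -> date of its most recent audit
LAST_AUDIT = {"web-01": date(2022, 5, 2), "db-01": date(2021, 11, 15),
              "app-01": date(2022, 4, 20), "file-01": date(2022, 1, 9)}

# Constructed change records: (change_id, released with full change control approval?)
CHANGES = [("CHG-101", True), ("CHG-102", False), ("CHG-103", True), ("CHG-104", False)]


def days_to_resolve(vulns, as_of):
    """Elapsed days from discovery to resolution; open items are measured up to as_of."""
    return {vid: ((resolved or as_of) - discovered).days
            for vid, discovered, _released, resolved in vulns}


def mean_patch_latency(vulns):
    """Average days between vendor patch release and application (resolved items only)."""
    latencies = [(resolved - released).days
                 for _vid, _disc, released, resolved in vulns if resolved is not None]
    return mean(latencies) if latencies else None


def percent_audited(last_audit, window_start, as_of):
    """Percentage of systems whose last audit falls within [window_start, as_of]."""
    if not last_audit:
        return 0.0
    in_window = sum(1 for d in last_audit.values() if window_start <= d <= as_of)
    return 100.0 * in_window / len(last_audit)


def unapproved_changes(changes):
    """Identifiers of changes released without full change control approval."""
    return [cid for cid, approved in changes if not approved]


def report(as_of=date(2022, 5, 31), window_start=date(2022, 1, 1)):
    """Assemble the metrics for one reporting period over the constructed records."""
    return {
        "days_to_resolve": days_to_resolve(VULNS, as_of),
        "mean_patch_latency": mean_patch_latency(VULNS),
        "percent_audited": percent_audited(LAST_AUDIT, window_start, as_of),
        "unapproved_changes": unapproved_changes(CHANGES),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```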


Ongoing Monitoring and Communication
• Monitoring considerations are numerous when designing or operating a security
program, regardless of its scope. In addition to countless other design issues, new or
updated controls necessitate ways for determining if they are performing as intended.

• Procedural and process controls are often just as important as operational controls,
although they are more complex to install. Monitoring the security of information
systems is an essential operational component of any information security program.
The following are some examples of commonly observed event types:

 Inability to gain access to resources.
 Processing errors that may suggest meddling with the system.
 Power outages, race conditions, and design or other flaws.
 Modifications to system configurations, including security controls.
 Unrestricted system access and activity.
 Fault detection in technical security components.


Domain 4

Incident Management
This Domain Covers…
Domain 4: Incident Management

A: INCIDENT MANAGEMENT READINESS

 4A1: Incident Response Plan
 4A2: Business Impact Analysis (BIA)
 4A3: Business Continuity Plan (BCP)
 4A4: Disaster Recovery Plan (DRP)
 4A5: Incident Classification/Categorisation
 4A6: Incident Management Training, Testing and Evaluation


This Domain Covers (Continued)…
Domain 4: Incident Management

B: INCIDENT MANAGEMENT OPERATIONS

 4B1: Incident Management Tools and Technologies
 4B2: Incident Investigation and Evaluation
 4B3: Incident Containment Methods
 4B4: Incident Response Communications
 4B5: Incident Eradication and Recovery
 4B6: Post-Incident Review Practices


Module 4A1: Incident Response Plan


Introduction
• As part of risk management, an incident management program focuses on the planning,
preparedness, and identification of occurrences that depart from normal, scheduled
operations.

• The desired outcome is to:

 Lessen the effect on the enterprise.
 Recover and resume operations at acceptable levels.

• The speed with which an enterprise can recognise, assess, respond to, and recover
from an event decreases the effect on the enterprise and, ultimately, the incident's cost.

• This usually leads to senior management realising that the organisation requires an
effective and quick method of responding to an issue.


Relationship Between Incident Management and Incident Response

• There are subtle distinctions and complexities between incident management and incident
response functions.

• The ability to provide and ensure the start-to-finish management of an issue within the company
is referred to as incident management.

• This entails determining how tasks and processes interact with one another, how information
is transmitted (internally and externally), and what actions must be coordinated in order to
properly manage an incident.

• The processes, methods, and activities undertaken when responding to an incident are
referred to as incident response, and they focus on the detection, triage, containment,
eradication, and recovery steps taken to restart normal, planned operations.

• In a nutshell, incident management encompasses all of the processes, practices, and
activities that occur before, during, and after an incident.


Goals of Incident Management and Incident Response

• Incidents can arise from a variety of sources, including large-scale cyberattacks, losses
caused by natural catastrophes, the loss of critical individuals, workplace accidents, or
any other unforeseen bad occurrences caused by a shift in the threat landscape.

• Efforts must include managing and responding to occurrences involving information
security, regardless of the media (logical, physical, or human). The approach taken is
based upon a number of factors, including:

 Constituency to be Served: Who will make use of this capability?

 Enterprise Mission, Goals and Objectives: Is the strategy properly matched with
the organisation?

 Service to be Provided: What services are being committed to address the needs
of constituents?


Goals of Incident Management and Incident Response (Continued)

 Organisational Model and the Relationship with Various Stakeholders: Who
holds the enterprise accountable and responsible?

 Funding for Start-up Costs and Ongoing Operations: How will this capability be
supported financially?

 Resources Needed by the Computer Security Incident Response Team
(CSIRT): What resources are required to provide the necessary capabilities to the
constituents served?

• Incident management encompasses all steps taken prior to, during, and after an
information security incident occurs.

• Incident management encompasses program management (planning, training, testing),
operational (processes, procedures, protocols), and tactical (evidence gathering, triage,
initial analysis) techniques, as well as individual activities.

Goals of Incident Management and Incident Response (Continued)

• With the following goals in mind, incident management methods must be devised to
limit the effects of an incident and enable efficient and successful recovery:

• Contribute to the broader enterprise strategy.

• Provide an effective technique of dealing with the problem in order to minimise the impact
on the organisation.

• Provide management with enough information to make informed decisions.

• Maintain or restore enterprise service continuity in accordance with business continuity and
disaster recovery policies.

• Act as a first line of defence against subsequent attacks.

• Increase deterrence by utilising technology, investigation, and prosecution.

Incident Handling and Management Life Cycle
• Incident handling is a service that encompasses all of the processes or tasks connected
with dealing with events and incidents. It performs several functions:

 Detection and Reporting: Receiving and reviewing event information, incident
reports, and alerts.

 Triage: The steps performed to categorise, prioritise, and assign events and
incidents in order to maximise the usefulness of limited resources.

 Analysis: The attempt to determine what happened, the impact and threat, the
harm that ensued, and the appropriate recovery or mitigation procedures.

 Incident Response: The measures taken to address or mitigate an incident,
coordinate and disseminate information, and develop follow-up strategies to prevent
recurring occurrences.


Incident Handling and Management Life Cycle
Progression of a Disaster


Incident Management and Incident Response Plans
• Effective incident management ensures that incidents are recognised, detected,
recorded, and managed in order to minimise their consequences.

• Incidents must be recorded so that incident response actions may be followed,
information can be provided to facilitate planning efforts, and no component of an
incident is mistakenly neglected.

• The recording is necessary in order to correctly document material, which may include
forensic data that can be utilised to pursue disciplinary or legal possibilities.

• Incidents must be categorised in order to be properly prioritised and routed to the
appropriate resources.

• Incident management comprises initial support operations that allow new occurrences
to be evaluated against known defects and difficulties in order to quickly identify any
previously identified workarounds.


Incident Management and Incident Response Plans (Continued)

• Incident management establishes a framework for investigating, diagnosing, resolving,
and closing problems.

• Throughout the incident's life cycle, the procedure guarantees that it is owned, tracked,
and monitored.

• Major occurrences may necessitate a response that goes above and beyond what is
given by the standard incident process, necessitating the activation of BC/DR
capabilities.

• The final step in an incident-handling process is incident response, which includes the
planning, coordination, and execution of appropriate containment, eradication, and
recovery activities and may involve the development of recommendations or lead to
follow-on initiatives identified during the lessons learned.


Importance of Incident Management
• As enterprises rely more on information processes and systems, and significant
disruption to those operations has unacceptably severe consequences, the importance
of good incident management and response has expanded.

• Some of the elements that increase the importance of excellent incident management
are as follows:

 The increasing incidence and mounting losses caused by information security
events.

 An increase in software or system vulnerabilities that affect major areas of an
enterprise's infrastructure and have an impact on operations.

 Security controls that fail to prevent incidents.


Importance of Incident Management (Continued)

 Legal and regulatory requirements necessitate the establishment of incident
management capabilities.

 Threat actors' sophistication and capability are increasing.

 Advanced persistent threats (APTs).

 Taking advantage of poorly managed IT procedures and practices.

 A rise in zero-day attacks.


Outcomes of Incident Management
• The following are the outcomes of effective incident management and response:

 The enterprise can efficiently deal with unexpected threats that could disrupt the business
(e.g., recovery time objective [RTO] and recovery point objective [RPO]).

 The enterprise will have adequate detection and monitoring capabilities to ensure
that issues are identified as soon as possible.

 Well-defined severity and declaration criteria, as well as established escalation and
notification mechanisms, will be in place.

 Personnel will be trained in incident recognition, severity criterion application, and
proper reporting and escalation procedures.


Outcomes of Incident Management (Continued)

 The enterprise will have responsiveness that demonstrates clear support for the
business plan by being sensitive to the criticality and sensitivity of the resources
safeguarded.

 The enterprise will proactively manage incident risk in a cost-effective manner and
integrate security-related organisational functions to maximise effectiveness.

 The enterprise will have monitoring and metrics to assess the performance of incident
management and response capabilities, and it will test its capabilities on a regular
basis to confirm that information and plans are up to date, current, and available when
needed.


Incident Management Resources
• An incident management and response strategy may be developed using a variety of
internal and external resources. These resources in a typical enterprise may include,
but are not limited to, the following:

 Compliance Office
 Facilities Management
 HR
 Insurance Provider
 Internal Audit
 IT Department
 Law Enforcement
 Legal Department
 Local Government
 Physical Security
 Privacy Officer
 Public Relations
 Risk Management
 Sales and Marketing
 Training Partners


Policies and Standards
• Policies, standards, and procedures must be well-defined to support the incident
response plan (IRP). It is critical to have a defined set of policies, standards, and
processes in order to:

 Ensure that incident management actions are in line with the mission of the incident
management team (IMT).

 Establish realistic expectations.

 Advise on operational requirements.

 Maintain service consistency and dependability.

 Understand the duties and responsibilities.

 Establish requirements for identified alternate personnel for all critical functions.


Incident Management Objectives
• The primary goal is to respond to and contain security incidents while restoring regular
operations as rapidly as feasible.

• Failure to do so frequently results in a disaster declaration and the necessity for
recovery efforts.

• This may entail relocating to a different location to resume activities as stated in the
BC/DR plans.

• The goals of incident management are as follows:

 Handle incidents as they occur so that the exposure can be limited or eliminated,
allowing recovery to occur within recovery time objectives (RTOs) and recovery point
objectives (RPOs).


Incident Management Objectives (Continued)

 Restore regular operation of systems and business processes.

 Avoid recurring incidents by documenting and learning from previous ones.

 Implement proactive steps to prevent or reduce the likelihood of future incidents.

 Implement safeguards to protect assets and minimise the impact on them in the case of
an incident.


Strategic Alignment
• Incident management, like many other support tasks, must be integrated with an
enterprise's strategic plan. The following elements may assist in achieving this
alignment:

 Constituency
 Mission
 Organisational Structure
 Resources
 Funding
 Services
 Management Support


Response and Recovery Plan
• Enterprises should have a systematic, targeted, and coordinated approach to incident
response, including an incident response plan (IRP) that lays out the steps for
developing the incident response capability.

• Each enterprise requires a plan that addresses its specific needs, which are related to
the mission, size, structure, and operations of the enterprise.

• The plan should specify the resources and management support that are
required. The following items should be included in the IRP:

1. Mission.

2. Goals and strategies.

3. Senior management's approval.

4. Approach to incident response inside the organisation.

5. Personnel with key decision-making roles and responsibilities.

6. Communication inside the enterprise and with other enterprises.

7. Metrics for evaluating the effectiveness of the incident response capability.

8. Roadmap for developing the capability for responding to incidents.

9. What role the program plays in the larger enterprise.


The Role of the Information Security Manager in Incident Management

• The enterprise's size, industry, applicable regulatory requirements, and the maturity of BC,
DR, and incident response capabilities will all have an impact on the information security
manager's role in BC, DR planning, and incident response.

• Responding to incidents involving information security is normally the responsibility of the
information security manager.

• In enterprises, the information security manager may be involved in all aspects of business
continuity (BC), disaster recovery (DR), and incident response.

• This includes helping the business units complete their business impact analyses (BIAs),
collaborating with the IT department to find suitable backup and recovery solutions,
coordinating incident response efforts as incidents become more serious, and providing the
regular information security services the business needs.


Assurance Process Integration

• Successful risk management outcomes depend on effective incident management and
response capabilities.

• Any risk that materialises and is not stopped by the enterprise's internal controls is
considered an incident, which needs to be managed and dealt with in order to
prevent it from turning into a catastrophe.


Value Delivery
• In addition to the technological controls used to prevent or respond to incidents,
incident management also entails a number of procedures that can strike the ideal
balance between containment, prevention, and restoration.

• For incident management to be effective, it should:

 Work as seamlessly as feasible with business procedures and structures.

 Enhance the enterprise's ability to manage risk and provide assurance to stakeholders.

 Complement the business continuity plan (BCP).

 Integrate into the enterprise's broader strategy and endeavour to safeguard and
secure vital business functions and assets.

 Act as a safety net and optimise risk management efforts.


Resource Management
• Time, people, budget, and other aspects are all considered in resource management in
order to fulfil objectives efficiently within given resource limits.

• Incident management and response operations require resources, which must be
handled effectively.

• This is accomplished by adequate oversight, resource monitoring, and regular
reporting. When achieving all objectives is not possible, good resource management
ensures that the most critical priorities are handled first.

• Effective triage capabilities in incident response guarantee that limited resources are
deployed most effectively to restrict and limit harm.

• This is based on swiftly identifying compromised assets that must be addressed
immediately, assets that are unaffected and can wait, and assets that can be restored
most efficiently with the available resources.


Defining Incident Management Procedures

• There is not a single, rigid set of incident management practices that applies to all
enterprises. However, there are a few basic practices that the majority of enterprises
follow and tailor to suit their unique requirements.


Detailed Plan of Action for Incident Management
• The following process is described in the incident management methodology defined
by CMU/SEI:


Current State of Incident Response Capability
• Survey of senior management, business managers and IT representatives - Uses
input from senior management, business line managers and technology
representatives, employee surveys and focus groups to gather information to help
determine the past performance and perception of the IMT and its process capabilities.

• Self-assessment - The IMT conducts a self-assessment against a set of criteria to
develop an understanding of present skills. This is the simplest way because it does
not necessitate the participation of several parties. The disadvantage of this strategy is
that it may only provide a restricted picture of present capabilities as well as of other
characteristics that stakeholders may find significant.

• External assessment or audit - This is the most complete option, including
interviews, surveys, simulation, and other assessment approaches. This option is
typically utilised by a company that already has an appropriate incident management
capability but is looking to improve it or reengineer the processes. These strategies will
assist in establishing whether the existing state is effective and, if not, in determining
the intended state of incident response capabilities.


Current State of Incident Response Capability
Threats
• Threats are defined as any incident that has the potential to harm an enterprise's
assets, operations, or staff. There are several types of threat to be considered, such as:

 Environmental
 Technical
 Human-Driven

Vulnerability
• A vulnerability is a flaw in a system, technology, process, person, or control that can be
exploited and lead to compromise. Risk originates from a weakness that adversaries
can exploit. One part of risk management is managing vulnerabilities in order to keep
risk within acceptable boundaries set by the enterprise's risk appetite and tolerance
criteria.


Developing an Incident Response Plan
• The incident response plan (IRP) is the operational component of incident
management. The plan specifies the actions, personnel, and activities that will be
carried out if anticipated circumstances result in the loss of data, information systems,
or processes.

• The incident response team should be formed, managed, and maintained as part of the
plan.

Elements of an Incident Response Plan

 Preparation
 Identification
 Containment
 Eradication
 Recovery
 Lessons Learned


Developing an Incident Response Plan
Gap Analysis

• A gap analysis gives information on the gap between present incident response
capabilities and the target level defined by top management. When the two levels are
compared, the required advances in capabilities, skills, and technology can be found,
including:

 Processes that must be improved in order to become more efficient and effective.

 Resources required to meet the incident response capability's objectives.

• The gap analysis report produced can be used for planning purposes to establish the
measures required to close the gaps between the present and intended states.

• It can also be used to determine the most effective technique for achieving the goals
and prioritising efforts. Priorities should be determined by the areas with the largest
potential impact and the best cost-benefit ratio.


Incident Management Response Teams
• Before an incident occurs, the plan must identify teams and outline their assigned
duties. To put the business recovery strategies into action, key decision-making,
technical, and end-user team leaders must be identified and trained.

• Depending on the size of the business, the team could be made up of just one person.
The involvement of these teams is determined by the severity of the service disruption
and the sorts of assets lost, compromised, damaged, or endangered.

• This will make it easier to estimate the size of the effort and activate the right team
combination. The following are some examples of the kinds of teams that are frequently
required:

 Emergency Action Team: First responders who have been designated to deal with
fires or other emergency response circumstances.


Incident Management Response Teams (Continued)

 Damage Assessment Team: Qualified personnel who analyse the level of asset
damage and make an initial decision as to what is a total loss vs what is restorable or
salvageable.

 Emergency Management Team: In charge of coordinating the actions of the other
recovery teams and making critical decisions.

 Relocation Team: Coordinates the process of transferring from the impacted
location to an alternative site or the restored original location.

 Security Team: When the organisation does not define a designated/formal capacity,
the security team frequently becomes the de facto CSIRT. It is in charge of monitoring
the security of systems and communication links, containing any ongoing security
threats, fixing any security issues that limit the rapid recovery of systems, and assuring
the appropriate installation and operation of every security software package.


Organising, Training and Equipping the Resource Staff

• Training the emergency response teams is not only necessary, but also important. To
ensure that team members are comfortable with their jobs and responsibilities, the
information security manager should create reasonable, real-world incident scenarios
and test the response and recovery plans.

• The teams will determine the resources needed for response and recovery during this
phase. Training has the extra benefit of discovering and changing unclear procedures
to achieve clarity, as well as determining recovery resources that may be insufficient or
ineffective.

• IMT members must complete the following training programme:

 Induction to the IMT
 Mentoring team members regarding roles, responsibilities and procedures
 On-the-job training
 Formal training


Incident Notification Process
• A security incident notification mechanism that is both effective and timely is a crucial
component of any security program. When possible, implement notification methods
that allow an automated detection system or monitor to send email or phone
messages. When incidents occur, the following roles are most likely to require
information:

 Application development
 Business process owners
 Cybersecurity
 HR
 IT department
 Legal/general counsel
 Network operations
 Physical and information security
 Privacy department
 PR/corporate communications
 Risk management
 Senior management
 Threat intelligence team

Challenges in Developing an Incident Management Plan

• There may be unexpected challenges while designing and maintaining an incident
management plan as a result of:

1. Lack of Management Buy-in and Organisational Consensus

2. Mismatch to Organisational Goals and Structure

3. IMT Member Turnover

4. Lack of a Communication Process

5. Complex and Broad Plan


Module 4A2: Business Impact Analysis



Introduction
• A BIA is used to assess the impact of losing the availability of any resource on an
enterprise.

• It identifies the minimum resources required to restore and prioritises the recovery of
processes and supporting systems.

• The BIA is frequently mentioned in the context of BC and DR. Other methodologies, in
addition to the BIA, may be used to assess possible impact.

• The bottom line of risk is impact, and the range of severity in terms of the enterprise
must be identified in order to offer the necessary information and lead risk
management actions.

• Although high-likelihood events with little or no individual impact are not always cause
for concern, they should not be discounted without first comprehending the event's
significance within the wider system it supports.


Elements of Business Impact Analysis
• The manner in which BIAs are conducted differs by enterprise. However, there are
some similarities. BIAs, in general:

 Explain the business mission of each specific business/cost centre.
 Determine the functions that define each business/cost centre.
 Identify dependencies, such as necessary inputs from other procedures.
 Determine the subsequent operations based on the function.
 Determine key processing cycles (in terms of time intervals) for each function.
 Calculate the impact of each sort of occurrence on business operations.
 Determine the amount of time required for recovery (i.e., RTO).
 Determine the resources and activities required to restore an acceptable level of
operation.
 To determine RPOs, determine the quantity of data that can be lost and must be
recreated.
 Consider possible workarounds, such as manual or PC-based operation or workload
shifting.
 Estimate how long it will take to recover from each type of occurrence in respect to the
RTO.

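The BIA elements above (RTO, RPO, dependencies, recovery effort) feed directly into the triage described under Resource Management: compromised assets first, unaffected ones can wait, and limited responders go where they restore the most within the targets. The following Python is an added example written for this page, not material from the course or from ISACA; the BusinessFunction model, the bucket names and every function name and figure are constructed assumptions. It checks the BIA register for RTO inconsistencies between dependent functions, buckets assets the way the triage text describes, orders restoration tightest-RTO-first without violating dependencies, and shows which functions would miss their RTO given a fixed number of responders.

```python
"""BIA-driven recovery prioritisation and triage (added example, not from the course).

Assumptions: each business function carries an RTO and RPO taken from the BIA,
the functions it depends on, its current incident status and an estimated restore
effort. All names and figures below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BusinessFunction:
    name: str
    rto_hours: float                      # recovery time objective from the BIA
    rpo_hours: float                      # recovery point objective (tolerable data loss)
    depends_on: List[str] = field(default_factory=list)
    status: str = "unaffected"            # "compromised" | "degraded" | "unaffected"
    restore_effort_hours: float = 0.0     # estimated responder effort to restore


def build_sample() -> Dict[str, BusinessFunction]:
    """Constructed BIA register for a small enterprise (illustrative values only)."""
    funcs = [
        BusinessFunction("core_db", 2, 0.25, [], "compromised", 3),
        BusinessFunction("auth", 2, 1, [], "degraded", 1),
        BusinessFunction("payments", 4, 1, ["core_db", "auth"], "compromised", 2),
        BusinessFunction("hr_portal", 48, 24, ["auth"], "degraded", 2),
        BusinessFunction("warehouse", 24, 24, ["core_db"]),
        BusinessFunction("reporting", 8, 24, ["warehouse"]),
    ]
    return {f.name: f for f in funcs}


def triage(functions: Dict[str, BusinessFunction]) -> Dict[str, List[str]]:
    """Bucket assets as the triage text describes: compromised assets that need
    immediate attention, degraded ones to restore as resources allow, and
    unaffected ones that can wait."""
    buckets: Dict[str, List[str]] = {"immediate": [], "restore": [], "wait": []}
    for f in functions.values():
        key = {"compromised": "immediate", "degraded": "restore"}.get(f.status, "wait")
        buckets[key].append(f.name)
    return {k: sorted(v) for k, v in buckets.items()}


def rto_conflicts(functions: Dict[str, BusinessFunction]) -> List[Tuple[str, str]]:
    """BIA consistency check: a function cannot meet its RTO if something it depends
    on is allowed a longer RTO. Returns (function, dependency) pairs that conflict."""
    return [(f.name, d) for f in functions.values() for d in f.depends_on
            if functions[d].rto_hours > f.rto_hours]


def recovery_order(functions: Dict[str, BusinessFunction]) -> List[str]:
    """Order affected functions tightest-RTO-first while never scheduling a function
    before the affected functions it depends on."""
    affected = {n for n, f in functions.items() if f.status != "unaffected"}
    order: List[str] = []
    while len(order) < len(affected):
        ready = [functions[n] for n in affected - set(order)
                 if all(d not in affected or d in order for d in functions[n].depends_on)]
        if not ready:
            raise ValueError("dependency cycle among affected functions")
        order.append(min(ready, key=lambda f: (f.rto_hours, f.name)).name)
    return order


def schedule(functions: Dict[str, BusinessFunction], responders: int) -> Dict[str, dict]:
    """Assign restore work to a limited number of responders (earliest-free responder,
    earliest-deadline task) and flag functions whose finish time misses the RTO."""
    free_at = [0.0] * responders
    done: Dict[str, float] = {}
    plan: Dict[str, dict] = {}
    for name in recovery_order(functions):
        f = functions[name]
        deps_done = max((done[d] for d in f.depends_on if d in done), default=0.0)
        i = min(range(responders), key=lambda k: free_at[k])
        start = max(free_at[i], deps_done)
        finish = start + f.restore_effort_hours
        free_at[i] = done[name] = finish
        plan[name] = {"start": start, "finish": finish, "meets_rto": finish <= f.rto_hours}
    return plan


if __name__ == "__main__":
    reg = build_sample()
    print("triage:", triage(reg))
    print("RTO conflicts:", rto_conflicts(reg))
    for n, row in schedule(reg, responders=2).items():
        print(f"{n:10s} {row['start']:4.1f}h -> {row['finish']:4.1f}h  RTO met: {row['meets_rto']}")
```

On the constructed register the schedule shows that "payments" misses its 4-hour RTO even with two responders, because its own 2 hours of restore effort can only begin after the 3-hour "core_db" restore; that is exactly the kind of finding a BIA is meant to surface before an incident, and it would typically be resolved by shortening the critical-path restore, adding a workaround, or renegotiating the RTO with the business owner. The conflict check likewise flags "reporting", whose 8-hour RTO is unachievable while "warehouse" is allowed 24 hours.
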
Benefits of Conducting a Business Impact Analysis
• Conducting BIAs yields several significant benefits, including:

 Increasing awareness of the amount of possible loss and other negative
consequences that could emerge from specific types of incidents caused by the loss
of a specific function, including catastrophic events that could jeopardise the
business's survival.

 Prioritising restoration activities and comprehending recovery choices.

 Understanding the interdependence of diverse functions.

 Raising enterprise-wide knowledge of response management.


Module 4A3: Business Continuity Plan



Integrating Incident Response with Business Continuity

• Effective integration of incident response and BC/DR planning necessitates careful
consideration of the relationships between RTO, RPO, SDO, and MTO, as the
transition from incident response to disaster recovery operations for any solution other
than mirrored or duplicate processing sites will take time.

• DR has traditionally included a strategy to recover an IT-processing facility or a
business unit's plan to recover an operating facility.

• With the continuing expansion and widespread acceptance of cloud services, there is a
shift away from perceiving IT as a facility and toward viewing IT as a capability.

• The incident management and recovery plan must be compatible with and support the
enterprise's overall IT plan.


Methods for Providing Continuity of Network Services

• Among the methods for providing network service continuity are:

 Redundancy
 Alternative Routing
 Diverse Routing
 Long-Haul Network Diversity
 Last-Mile Circuit Protection
 Voice Recovery
 Telephone Recovery


High-Availability Considerations
• The loss or disruption of servers that manage sensitive and vital business activities
could have disastrous consequences for an organisation.

• Plans should include operational failover solutions to avoid servers being down for an
extended amount of time.

• Server recovery should be part of the DRP. The employment of uninterruptible power
supplies (UPSs) and failover systems to prevent power failures of varied levels is one
way of offering failover or fault-tolerant capabilities.

• Direct attached storage (DAS) is a data storage and availability solution in which the
storage device (for example, a disc drive) is physically connected to a server or client.
To access the DAS, each user must have direct access to the server that houses the
storage device.

• A network-attached storage (NAS) appliance is a dedicated network-attached data storage
device that has its own operating system. An existing Ethernet network is used for file
storage and user access.

Insurance
• The IRP should include information about the enterprise's insurance arrangements,
such as general coverage, cyber insurance, or information technology-related
insurance.

• Current insurance policies for information systems processing typically require a
multi-peril policy tailored to provide several forms of IT coverage. Typically, an organisation
cannot insure against failure to comply with legal and regulatory requirements or any
other violation of the law. There are several types of coverage available, including:

 IT Equipment and Facilities
 Media Reconstruction
 Professional and Commercial Liability
 Cybersecurity
 Extra Expense
 Business Interruption
 Valuable Papers and Records
 Errors and Omissions


Module 4A4: Disaster Recovery Plan



Disaster
• Disasters are unforeseen and unplanned occurrences leading to business disruption.

• A disaster could be a regional event spread over a broad geographic region, or it could
happen within the boundaries of a single room.

• The effect of a disaster will also differ, from a full disruption to a mere slowdown in all
business activities.

• The types of disaster are as follows:

 Natural Disasters

 Human-Caused Disasters


Business Continuity and Disaster Recovery Procedures

• When developing response and recovery plans, various factors must be considered,
including available resources, expected services, and the categories, types, and
intensity of threats encountered by the company.

• The state of monitoring and detection capabilities must be known, as well as the level
of risk that the enterprise is ready to take.

• An effective recovery plan strategy strikes the most cost-effective balance between risk
management, incident management and response, and BC/DR planning.

• Business continuity is defined by ISACA as "the prevention, mitigation, and recovery
from disruption". While BCP goals include incident prevention and mitigation, the DRP
focuses on what must be done to restore operations after an incident has occurred.

• A BCP is a continuous process that is actively implemented in business-as-usual
settings, whereas a DRP is reactive in nature and is implemented only when a
specified set of conditions is met.


Recovery Operations
• Once the enterprise is in recovery mode, the BC teams should keep an eye on the
restoration progress at the primary site.

• This is done to determine whether it is safe to return and to run tests to determine
whether the primary data centre and facilities are accessible, operational, and capable
of operating at regular capacity and processing load.

• The teams in charge of shifting to the alternate location and making it operational
repeat the process to return to the primary site.

• When the primary facility and data processing capabilities have been fully restored, the
recovery teams will notify the BC leader, who will then declare normalcy in cooperation
with the crisis management team and shift operations back to the primary site.


Recovery Operations (Continued)

• If the primary site is completely destroyed or severely damaged, the enterprise may
make a strategic decision to convert the alternative recovery site to the primary
operations site or to identify, acquire, and establish another site where operations will
eventually be restored and which will serve as the primary site.

• This is especially true if the organisation subscribes to a third-party disaster recovery
site, as the costs of functioning from such a site for a lengthy period of time may prove
prohibitively expensive.

• Enterprises establishing a BCP should address the processes, roles, and
responsibilities involved in identifying an incident, declaring a disaster, and managing
operations in a disaster mode, but they should also define processes to restore
operations at the primary site and announce the return to normalcy.


Evaluating Recovery Strategies
• There are several techniques for recovering crucial information resources. The best
strategy is likely to be one that addresses probable occurrences with acceptable
recovery periods at a reasonable cost.

• The overall cost of a recovery capability includes the expense of preparing for potential
interruptions as well as the cost of implementing these in the event of an occurrence.

• The effects of disruptions can be mitigated to some extent by various types of business
interruption insurance, which should be regarded as a strategy alternative.

• Depending on the size and scale of the enterprise, as well as the state of recovery
planning, the information security manager should understand that developing an
incident management and response plan is likely to be a challenging and
time-consuming task.

• It may be necessary to develop numerous alternative strategies, each with its own set
of capabilities and costs, before presenting them to management for a final selection.


Addressing Threats
• Some proactive tactics to consider in incident management while responding to threats
include:

1. Eliminate or Neutralise a Threat: Although eradicating or neutralising a threat may
appear to be the best option, it is often unrealistic when dealing with external
threats. It may be possible to eradicate a threat if it is internal and specialised.

2. Minimise the Likelihood of a Threat's Occurrence: The best alternative is often to
reduce or eliminate vulnerabilities or exposure to reduce the possibility of a threat
occurring. This goal can be attained by putting in place the necessary physical,
environmental, and security controls.

3. Minimise the Effects of a Threat if an Incident Occurs: There are several
approaches to mitigate the effects of an incident, including good incident management
and response, insurance, redundant systems with automated failover, and other
compensating or remedial procedures.


Recovery Sites
• The most acceptable possibilities for a recovery site must be based on the likelihood of
severe outages occurring, the nature and amount of the impact on the enterprise's
capacity to continue operations, and total cost. Longer and more expensive outages or
calamities that disrupt the primary physical facility are likely to necessitate offsite
backup options. Offsite backup facilities that can be considered include:

 Hot Sites
 Warm Sites
 Cold Sites
 Mobile Sites
 Duplicate Sites
 Mirror Sites
 Reciprocal Agreements
 Disaster Recovery as a Service


Basis for Recovery Site Selection
• The following factors should be considered when choosing a site for a response and
recovery strategy:

 AIW
 RTO
 RPO
 SDO
 MTO
 Proximity Factors
 Locations
 Nature of the Probable Disruptions
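The three preceding slides (Evaluating Recovery Strategies, Recovery Sites, and the selection factors above) describe a decision: screen each candidate site type against the BIA targets, then pick the cheapest option whose total cost (preparation plus the cost of actually invoking it) is acceptable. The Python below is an added example written for this page, not course material; the Option and Targets models, the cost formula and all site figures are constructed assumptions. It models RTO, RPO, AIW and SDO; MTO, proximity and location factors are left out because they are qualitative on this page.

```python
"""Screening recovery-site options against BIA targets (added example, not from the course).

Assumptions: each option is described by its recovery time, data-loss window, the
fraction of normal capacity it can deliver, an annual preparation cost and a cost to
activate it. Targets are the RTO, RPO, AIW and SDO named in the text; MTO, proximity
and location factors are not modelled here. Names and figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Option:
    name: str
    recovery_hours: float       # time to resume service after activation
    data_loss_hours: float      # worst-case data loss window
    capacity_fraction: float    # share of normal service the site can deliver
    annual_cost: float          # cost of preparing/maintaining the capability each year
    activation_cost: float      # cost incurred if the option is invoked


@dataclass(frozen=True)
class Targets:
    rto_hours: float
    rpo_hours: float
    aiw_hours: float            # acceptable interruption window
    sdo_fraction: float         # service delivery objective while at the alternate site


# Constructed candidate options; figures are illustrative only.
SAMPLE_OPTIONS: List[Option] = [
    Option("Hot Site", 2, 0.5, 1.0, 500_000, 50_000),
    Option("Warm Site", 24, 4, 0.7, 150_000, 120_000),
    Option("Cold Site", 96, 24, 0.5, 40_000, 400_000),
    Option("Disaster Recovery as a Service", 4, 1, 0.9, 200_000, 30_000),
    Option("Mirror Site", 0.1, 0.0, 1.0, 900_000, 10_000),
]


def validate_targets(t: Targets) -> None:
    """The RTO must fit inside the AIW; otherwise the targets themselves are inconsistent."""
    if t.rto_hours > t.aiw_hours:
        raise ValueError(f"RTO {t.rto_hours}h exceeds the AIW {t.aiw_hours}h")


def shortfalls(opt: Option, t: Targets) -> List[str]:
    """Return the targets an option fails to meet (an empty list means feasible)."""
    problems = []
    if opt.recovery_hours > t.rto_hours:
        problems.append(f"RTO: {opt.recovery_hours}h > {t.rto_hours}h")
    if opt.data_loss_hours > t.rpo_hours:
        problems.append(f"RPO: {opt.data_loss_hours}h > {t.rpo_hours}h")
    if opt.capacity_fraction < t.sdo_fraction:
        problems.append(f"SDO: {opt.capacity_fraction:.0%} < {t.sdo_fraction:.0%}")
    return problems


def expected_annual_cost(opt: Option, p_activation: float) -> float:
    """Total cost as the text frames it: preparing for interruptions plus the cost of
    implementing the option, the latter weighted by the annual probability of invoking it."""
    return opt.annual_cost + p_activation * opt.activation_cost


def select_option(options: List[Option], t: Targets,
                  p_activation: float) -> Tuple[Optional[Option], Dict[str, List[str]]]:
    """Pick the cheapest feasible option and report why each other option was rejected."""
    validate_targets(t)
    rejected: Dict[str, List[str]] = {}
    feasible: List[Option] = []
    for opt in options:
        problems = shortfalls(opt, t)
        if problems:
            rejected[opt.name] = problems
        else:
            feasible.append(opt)
    best = min(feasible, key=lambda o: expected_annual_cost(o, p_activation), default=None)
    return best, rejected


if __name__ == "__main__":
    targets = Targets(rto_hours=8, rpo_hours=2, aiw_hours=12, sdo_fraction=0.8)
    best, rejected = select_option(SAMPLE_OPTIONS, targets, p_activation=0.1)
    print("selected:", best.name if best else None)
    for name, why in rejected.items():
        print(f"rejected {name}: {'; '.join(why)}")
```

With the constructed targets (8-hour RTO, 2-hour RPO, 80% service level) the warm and cold sites fail on every target, and among the three feasible options the DRaaS entry wins on expected cost even though the hot site recovers faster; tightening the RTO to one hour leaves only the mirror site. Presenting management with the rejected list alongside the selection is what the text means by developing several alternatives, each with its own capabilities and costs, before a final choice.
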


Response and Recovery Strategy Implementation
• A detailed response and recovery plan should be established based on the response
and recovery strategy decided by management. It should handle all aspects of disaster
recovery. Several elements should be addressed when constructing the plan, including:

 Pre-incident readiness
 Evacuation procedures
 How to declare a disaster
 The procedures for moving to disaster recovery if the incident response fails
 Recognising the business processes and IT resources that must be restored
 Identifying the individuals having decision-making authority and duties in the plan
 Identification of the persons (and alternates) in charge of each plan function
 Identifying contact information
 A step-by-step breakdown of the recovery alternatives
 Identifying the various resources needed for recovery and ongoing activities
 Making certain that other logistics, such as worker transfer and temporary housing, are
taken into account


Module 4A5: Incident Classification/Categorisation


Introduction

 Incident Classification
 Incident Categorisation


Escalation Process for Effective Incident Management

• A set of actions should be stated in the sequence to be executed for every credible
and actionable event. Every action specified should identify the person responsible,
alternates in the event of unavailability, and an expected time for completion.

• When all of the activities have been successfully executed, the process should proceed
to the part devoted to the emergency's conclusion. The following entities and personnel
may receive an alert notification, but are not limited to:

 Backup Facilities
 Business Partners
 Customers
 General Counsel
 HR
 Insurance Companies
 Internal Audit
 Network Operations
 Privacy Department
 Public Relations
 Regulators
 Risk Management
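The escalation passage above, together with the earlier outcome that "well-defined severity and declaration criteria" and notification mechanisms must exist, describes a runbook: declaration criteria map an event to a severity level, the level selects an ordered list of actions, and each action names an owner, an alternate and a completion deadline. The Python below is an added example written for this page, not course or ISACA material; the thresholds, the role names, the runbook steps, the deadlines and the notification routing are all constructed assumptions that an enterprise would replace with its own.

```python
"""Severity criteria, escalation actions and notification routing (added example,
not from the course).

Assumptions: severity is derived from constructed declaration criteria (worst CIA
impact on a 0-3 scale, number of affected systems, whether regulated data is
involved); each severity level has an ordered list of actions, each with an owner,
an alternate and a completion deadline; run_escalation() assigns every step to the
owner or, if unavailable, the alternate, and flags late, open or unassigned steps.
Role names, thresholds and deadlines are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Action:
    description: str
    owner: str
    alternate: str
    deadline_minutes: int


# Constructed escalation runbooks keyed by severity level.
RUNBOOKS: Dict[str, List[Action]] = {
    "low": [
        Action("Log and triage the event", "Security Analyst", "Service Desk Lead", 60),
    ],
    "medium": [
        Action("Log and triage the event", "Security Analyst", "Service Desk Lead", 30),
        Action("Contain affected systems", "Incident Coordinator", "Security Analyst", 120),
        Action("Notify business process owner", "Incident Coordinator", "Lead Investigator", 120),
    ],
    "high": [
        Action("Declare the incident", "Incident Coordinator", "Executive Sponsor", 15),
        Action("Contain affected systems", "Incident Coordinator", "Security Analyst", 60),
        Action("Brief general counsel and senior management", "Executive Sponsor", "General Counsel", 60),
        Action("Assess regulatory notification duties", "General Counsel", "Privacy Department", 240),
    ],
}

# Constructed notification routing: which roles are alerted at each level.
NOTIFY: Dict[str, List[str]] = {
    "low": ["IT department"],
    "medium": ["IT department", "Business process owners", "Risk management"],
    "high": ["IT department", "Business process owners", "Risk management",
             "Senior management", "Legal/general counsel", "PR/corporate communications"],
}


def classify_severity(impact: Dict[str, int], affected_systems: int, regulated_data: bool) -> str:
    """Map declaration criteria to a severity level (constructed thresholds)."""
    worst = max(impact.get(k, 0) for k in ("confidentiality", "integrity", "availability"))
    if worst >= 3 or regulated_data:
        return "high"
    if worst == 2 or affected_systems > 10:
        return "medium"
    return "low"


def notify_list(severity: str, regulated_data: bool) -> List[str]:
    """Roles to alert; privacy and regulators are added whenever regulated data is involved."""
    roles = list(NOTIFY[severity])
    if regulated_data:
        roles += ["Privacy department", "Regulators"]
    return roles


def run_escalation(severity: str, unavailable: Set[str],
                   minutes_taken: Dict[str, Optional[int]]) -> List[dict]:
    """Walk the runbook in order. Each step goes to its owner, or to the alternate when the
    owner is unavailable; a step with nobody available is left unassigned. minutes_taken maps
    a step description to the minutes it took (absent = still open) so late steps are flagged."""
    records = []
    for act in RUNBOOKS[severity]:
        if act.owner not in unavailable:
            assignee: Optional[str] = act.owner
        elif act.alternate not in unavailable:
            assignee = act.alternate
        else:
            assignee = None
        taken = minutes_taken.get(act.description)
        status = "open" if taken is None else ("late" if taken > act.deadline_minutes else "done")
        records.append({"step": act.description, "assignee": assignee,
                        "deadline_minutes": act.deadline_minutes, "status": status})
    return records


if __name__ == "__main__":
    sev = classify_severity({"confidentiality": 3, "integrity": 1, "availability": 1}, 2, True)
    print("severity:", sev, "| notify:", notify_list(sev, True))
    for r in run_escalation(sev, {"Incident Coordinator"}, {"Declare the incident": 10}):
        print(r)
```

The records returned by run_escalation are what an incident coordinator would review at each checkpoint: an unassigned step means the plan's alternate list is too thin for the people actually on shift, and a "late" step against a 15-minute declaration deadline is the signal to escalate further rather than wait. Keeping the runbook as data rather than code also makes it straightforward to test the plan against a scenario before an incident, which the training slides in this module call for.
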


Help/Service Desk Processes for Identifying Security Incidents

• The information security manager should develop protocols for help/service desk
workers to discern between a regular inquiry and a potential security issue.

• The help/service desk is likely to receive the first reports indicating a security issue.
Prompt recognition of an ongoing incident and prompt referral to appropriate parties are
crucial for limiting the damage caused by such incidents.

• Proper training also helps to lessen the likelihood that the help/service desk may be
successfully targeted in a social engineering attack aimed at gaining account access, such
as a perpetrator posing as a user who has been locked out and requires immediate
access to the system.

• In addition to spotting potential security incidents, help/service desk workers should be
aware of the necessary reporting and escalation procedures.
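The desk protocol described above has two parts: recognise the tickets that are really security reports and refer them, and never let urgency substitute for identity verification on an access request. The Python below is an added example written for this page rather than a procedure from the course; the indicator patterns, the two routes, the caller_verified flag and the sample tickets are constructed assumptions standing in for whatever a real desk's ticketing system and verification procedure provide.

```python
"""Screening help/service desk tickets for potential security incidents (added
example, not from the course).

Assumptions: a small set of constructed indicator patterns, a caller_verified flag
set only when the desk has completed the approved identity-verification procedure,
and two routes: the standard desk workflow or referral to the security team.
Patterns, routes and sample tickets are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed indicator patterns, each mapped to an incident category.
INDICATORS: List[Tuple[str, str]] = [
    (r"\b(phish\w*|suspicious (email|link|attachment))\b", "phishing report"),
    (r"\b(ransom\w*|files? (are|were|got) (encrypted|renamed))\b", "possible malware"),
    (r"\b(unknown|unrecogni[sz]ed) (login|sign-?in|device)\b", "unauthorised access"),
    (r"\bdata (leak|breach|exposed)\b", "data exposure"),
    (r"\b(locked out|password reset|reset my password)\b", "account access request"),
]
URGENCY = re.compile(r"\b(urgent\w*|immediately|right now|asap)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    summary: str
    caller_verified: bool      # identity confirmed via the approved verification procedure


@dataclass(frozen=True)
class Decision:
    ticket_id: str
    category: str
    route: str                 # "service desk" or "security team"
    reason: str


def categorise(summary: str) -> str:
    """First matching indicator wins; anything else is a regular inquiry."""
    for pattern, category in INDICATORS:
        if re.search(pattern, summary, re.IGNORECASE):
            return category
    return "regular inquiry"


def screen(ticket: Ticket) -> Decision:
    """Decide whether a ticket stays with the desk or is referred to the security team."""
    category = categorise(ticket.summary)
    if category == "regular inquiry":
        return Decision(ticket.ticket_id, category, "service desk", "no security indicator")
    if category == "account access request":
        # A locked-out caller is handled by the desk only once identity is verified.
        # An unverified caller pressing for immediate access is the pattern the text
        # warns about, so the request is referred rather than actioned.
        if ticket.caller_verified:
            return Decision(ticket.ticket_id, category, "service desk",
                            "identity verified; follow standard reset procedure")
        if URGENCY.search(ticket.summary):
            return Decision(ticket.ticket_id, category, "security team",
                            "unverified caller pressing for immediate access")
        return Decision(ticket.ticket_id, category, "service desk",
                        "verify identity before any account action")
    return Decision(ticket.ticket_id, category, "security team",
                    "security indicator present; escalate per reporting procedure")


def screen_all(tickets: List[Ticket]) -> List[Decision]:
    return [screen(t) for t in tickets]


# Constructed sample tickets.
SAMPLE_TICKETS: List[Ticket] = [
    Ticket("T-1", "Printer on floor 3 keeps jamming", True),
    Ticket("T-2", "Got a suspicious email asking me to confirm my payroll details", True),
    Ticket("T-3", "I'm locked out and need access right now, the CFO is waiting", False),
    Ticket("T-4", "Locked out after holiday, can you reset my password", True),
    Ticket("T-5", "All my files got encrypted and there's a note on the desktop", True),
]


if __name__ == "__main__":
    for d in screen_all(SAMPLE_TICKETS):
        print(f"{d.ticket_id}: {d.category:24s} -> {d.route:13s} ({d.reason})")
```

Keyword matching is only a first filter, so the reason string travels with the decision to help the analyst who picks the ticket up; the important property is the ordering in screen(): verification status is checked before urgency, so no phrasing in the summary can move an unverified access request onto the fast path.
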


Module 4A6: Incident Management Training, Testing and Evaluation


Incident Management Roles and Responsibilities
• An enterprise's incident management capability serves as the first responder to a
number of incidents, including those involving information processing and processes.

• It responds to and handles incidents in order to contain and reduce damage, limit
disruptions to business processes, and promptly restore operations.

• Incidents that are poorly managed have the potential to become disasters.

• Understanding the hierarchy and organisational structure associated with the various
incident management positions is critical.

• To avoid miscommunication during a crisis, each position must be clearly defined and
communicated.

• The duties connected with incident management will differ from company to company.


Incident Management Roles and Responsibilities
(Continued)

• Typical roles involved in incident management activities include, but are not limited to, the following:

o Affected Business Unit Representation
o Corporate Communication
o Executive Sponsor
o General Counsel
o Human Resources
o Lead Investigator
o Incident Coordinator
o Security Analysts
o Technology Analysts
o Public Relations
o Threat Intelligence Analysts


Incident Management Roles and Responsibilities
Senior Management Commitment

• A business case can demonstrate that, in many cases, effective incident management and response are less expensive than attempting to develop controls for all possible conditions.

• Tested incident management and response may also provide the firm with more revenue opportunities, by allowing higher levels of acceptable risk based on a demonstrated capacity and capability to handle security issues.

• Sufficient incident response, combined with effective information security, is likely to provide the most cost-efficient risk management strategy and may be the wisest resource management decision.

• These elements should be included in the business case, which will be used to obtain the senior management commitment necessary to ensure the programme's success.


Incident Management Roles and Responsibilities
Responsibilities

• The information security manager is responsible for a variety of incident management tasks, including:

 Creating incident management and response plans for information security incidents.
 Effectively and efficiently handling and organising information security incident response actions.
 Validating and reporting on logical, physical, or administrative safeguard or countermeasure solutions.
 All aspects of information security incident management and response planning, budgeting, and programme creation.


Incident Management Metrics and Indicators

• The criteria used to measure the efficacy and efficiency of the incident management function include incident management metrics, measures, and indicators.

• Metrics based on the key performance indicators (KPIs) and key goal indicators (KGIs) established for incident management should be submitted to top management as the rationale for ongoing support and funding.

• They allow senior management to understand the enterprise's incident management competence as well as areas of risk that must be addressed. The following are examples of common incident management metrics criteria:

 Total number of incidents reported
 Total number of incidents discovered
 Number of incident-free days


Incident Management Metrics and Indicators
(Continued)

 The average time it takes to resolve an incident
 Total number of incidents resolved successfully
 Number of incidents that were not effectively resolved
 Proactive and preventative actions that have been implemented
 The total number of employees that have received security awareness training
 Total damage caused by reported and identified incidents if incident response was ineffective or non-existent
 Total savings from potential incidents that were resolved
 Total resources used to respond to incidents
 Time between detection and notification
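
Several of the metrics in the list above (incidents reported, resolved successfully or not, incident-free days, average resolution time, time between detection and notification) can be computed directly from an incident register. The following is an added example, not course material: the incident records are constructed, and the notification threshold used to flag slow escalation is a hypothetical SLA.

```python
"""Incident management metrics computed from an incident register.

Added example, not from the course material; the incident records are
constructed. Each record carries the timestamps the slide's metrics rely on:
detection, notification of the incident management team, and resolution.
"""
from datetime import datetime

# Constructed incident register (not real data). 'resolved' is None while the
# incident is still open; 'success' records whether it was effectively resolved.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "detected": "2022-03-01T08:00", "notified": "2022-03-01T08:30",
     "resolved": "2022-03-01T14:00", "success": True},
    {"id": "INC-2", "detected": "2022-03-04T22:15", "notified": "2022-03-05T01:15",
     "resolved": "2022-03-06T10:15", "success": True},
    {"id": "INC-3", "detected": "2022-03-10T09:00", "notified": "2022-03-10T09:05",
     "resolved": "2022-03-10T12:00", "success": False},
    {"id": "INC-4", "detected": "2022-03-20T16:40", "notified": "2022-03-20T17:10",
     "resolved": None, "success": None},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _elapsed_seconds(later, earlier):
    return (_ts(later) - _ts(earlier)).total_seconds()


def incident_metrics(incidents, period_start, period_end, notify_sla_minutes=60):
    """Return the slide's metrics for one reporting period.

    period_start/period_end are ISO dates (inclusive). notify_sla_minutes is a
    hypothetical threshold for detection-to-notification, used to flag incidents
    whose escalation to the team was slow.
    """
    start, end = _ts(period_start).date(), _ts(period_end).date()
    in_period = [i for i in incidents if start <= _ts(i["detected"]).date() <= end]
    resolved = [i for i in in_period if i["resolved"] is not None]

    resolution_hours = [_elapsed_seconds(i["resolved"], i["detected"]) / 3600
                        for i in resolved]
    notify_minutes = {i["id"]: _elapsed_seconds(i["notified"], i["detected"]) / 60
                      for i in in_period}

    # Incident-free days: calendar days in the period on which nothing was detected.
    total_days = (end - start).days + 1
    incident_days = {_ts(i["detected"]).date() for i in in_period}

    def mean(values):
        return sum(values) / len(values) if values else None

    return {
        "total_reported": len(in_period),
        "resolved_successfully": sum(1 for i in resolved if i["success"]),
        "not_effectively_resolved": sum(1 for i in resolved if not i["success"]),
        "open": len(in_period) - len(resolved),
        "avg_resolution_hours": mean(resolution_hours),
        "avg_detection_to_notification_minutes": mean(list(notify_minutes.values())),
        "incident_free_days": total_days - len(incident_days),
        "notification_sla_breaches": sorted(
            iid for iid, mins in notify_minutes.items() if mins > notify_sla_minutes
        ),
    }


if __name__ == "__main__":
    for key, value in incident_metrics(SAMPLE_INCIDENTS, "2022-03-01", "2022-03-31").items():
        print(f"{key}: {value}")
```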


Incident Management Metrics and Indicators
Recovery Time Objectives

• As part of the overall risk evaluation, the information security manager must understand RTOs and how they apply to the enterprise's information resources.

• The RTO is determined by the enterprise's business demands and is typically described as the amount of time required to restore an acceptable level of normal operations. The SDO establishes what that acceptable level is.

• The information security manager should keep in mind that the RTO may change depending on the time of month or year.

• Financial data, for example, may not be as important at the start of the month, when the new fiscal month begins. RTOs are defined by performing a BIA in tandem with constructing the BCP.

• Because the interconnectivity of systems and their dependencies affects the order of restoration, most or all systems associated with important business processes will require a BIA.

Incident Management Metrics and Indicators
(Continued)

• A divisional supervisor's essential information asset may not be critical in the eyes of the vice president of operations, who is able to weigh the total organisational risk in the RTO evaluation.

• The information security manager should recognise the importance of both perspectives and work toward an RTO that takes both into account.

• The outcome will be incorporated into the BCP, as will the extent of the services to be restored and the priority order for system recovery. In the end, top management makes the final choice.

• Senior management is in the best position to arbitrate the needs and requirements of the various aspects of the business, such as the regulatory requirements to which the enterprise is subject, to decide which processes are the most crucial to the business's continued existence, and to determine acceptable costs.


Incident Management Metrics and Indicators
RTO and its Relation to Business Continuity Planning and Contingency Planning Objectives and Processes

• Understanding the RTO for information systems and their associated data is required for an enterprise to create and execute an adequate BC programme.

• Once the RTOs are known, the enterprise can identify and create contingency strategies that will meet the RTOs of the information resources.

• System owners consistently favour shorter RTOs, but the cost trade-offs may not be justified.

• When necessary, near-instantaneous recovery can be achieved via technologies such as mirroring of information systems, ensuring that the systems are always readily available in the case of a disruption.

• In general, the longer the RTO for a given resource, the lower the cost of recovery.


Incident Management Metrics and Indicators
Recovery Point Objectives

• In case of an operational disruption, the RPO is determined by the acceptable data loss.

• It indicates the most recent point in time to which it is sufficient to recover the data, which is generally the latest backup. In case of interruption, the RPO effectively quantifies the allowable amount of data loss.

• Depending on the volume of data, it may be preferable to decrease the time between backups to avoid a situation where recovery becomes impossible because of the volume of data to be recovered.

• Additionally, it is likely that the time needed to restore a significant amount of data will prevent the RTO from being achieved.

• While this is generally within the scope of DR and BC planning, it is an essential factor when creating a risk management strategy.

Incident Management Metrics and Indicators
Service Delivery Objectives

• SDOs are defined as the minimum level of service that must be restored after an event to meet business requirements until normal operations can be resumed.

• SDOs are affected by RPOs and RTOs and must be examined in any risk management strategy and its execution. Higher levels of service will typically need greater resources and more current RPOs.

Maximum Tolerable Outage

• The MTO is the maximum period an enterprise can operate in alternative mode.

• Factors that may affect the MTO include the accessibility of a recovery site, which might be located remotely; the limited operational capacity of the recovery site; and the availability of fuel for emergency generators.


Incident Management Metrics and Indicators
(Continued)

• The MTO affects the RTO, which in turn affects the RPO. To minimise the risk of inadequate recovery to the enterprise, the relationship between the MTO, RPO, and RTO must be considered from a risk management perspective.

Allowable Interruption Window

• The AIW is the period for which the usual functions can be down before the enterprise faces financial problems severe enough to endanger its existence.

• To minimise the risk to the enterprise in the event of a disaster, the MTO should in any event be as long as the AIW.
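
The relationships among RTO, RPO, MTO and AIW set out on the preceding slides can be turned into a consistency check over a set of interdependent systems. This is an added example, not course material: the systems, hours, data volumes and dependencies are constructed, the restore-throughput figures are assumed, and the rule that a system's RTO must not exceed the AIW is a standard continuity relation assumed here rather than stated on the slides.

```python
"""Consistency checks on recovery objectives across interdependent systems.

Added example, not from the course material. Relations checked:
  * RTO must not exceed the AIW (standard relation, assumed here);
  * MTO must be at least as long as the AIW (the slide's 'as long as');
  * backup interval must not exceed the RPO, or more data is lost than allowed;
  * estimated restore time (data volume / restore rate) must fit inside the
    RTO, since restoring a large volume can make the RTO unachievable.
Restoration order follows dependencies, then shortest RTO first.
"""
from dataclasses import dataclass, field


@dataclass
class RecoveryObjectives:
    system: str
    rto_h: float                 # recovery time objective, hours
    rpo_h: float                 # recovery point objective, hours of data loss tolerated
    backup_interval_h: float     # how often backups are taken, hours
    data_gb: float               # volume that must be restored
    restore_gb_per_h: float      # measured (here: assumed) restore throughput
    depends_on: list = field(default_factory=list)

    def estimated_restore_h(self):
        return self.data_gb / self.restore_gb_per_h


# Constructed sample enterprise (not real data).
SAMPLE_SYSTEMS = [
    RecoveryObjectives("db", rto_h=2, rpo_h=0.25, backup_interval_h=1,
                       data_gb=800, restore_gb_per_h=200),
    RecoveryObjectives("erp", rto_h=4, rpo_h=1, backup_interval_h=0.5,
                       data_gb=400, restore_gb_per_h=200, depends_on=["db"]),
    RecoveryObjectives("reporting", rto_h=48, rpo_h=24, backup_interval_h=24,
                       data_gb=2000, restore_gb_per_h=100, depends_on=["erp"]),
]
ENTERPRISE_AIW_H = 24
ENTERPRISE_MTO_H = 72


def check_system(obj, aiw_h):
    """Findings for one system against its own objectives and the AIW."""
    findings = []
    if obj.rto_h > aiw_h:
        findings.append(f"RTO {obj.rto_h}h exceeds AIW {aiw_h}h")
    if obj.backup_interval_h > obj.rpo_h:
        findings.append(f"backup interval {obj.backup_interval_h}h exceeds RPO {obj.rpo_h}h")
    restore_h = obj.estimated_restore_h()
    if restore_h > obj.rto_h:
        findings.append(f"estimated restore {restore_h:.1f}h exceeds RTO {obj.rto_h}h")
    return findings


def check_enterprise(systems, aiw_h, mto_h):
    """Map of system name (or 'enterprise') to findings; empty when consistent."""
    report = {}
    if mto_h < aiw_h:
        report["enterprise"] = [f"MTO {mto_h}h is shorter than AIW {aiw_h}h"]
    for obj in systems:
        findings = check_system(obj, aiw_h)
        if findings:
            report[obj.system] = findings
    return report


def restoration_order(systems):
    """Order systems so that dependencies are restored first; ties by shortest RTO."""
    ordered, done = [], set()
    pending = list(systems)
    while pending:
        ready = [s for s in pending if all(d in done for d in s.depends_on)]
        if not ready:
            raise ValueError("circular or unknown dependency among: "
                             + ", ".join(s.system for s in pending))
        nxt = min(ready, key=lambda s: s.rto_h)
        ordered.append(nxt.system)
        done.add(nxt.system)
        pending.remove(nxt)
    return ordered


if __name__ == "__main__":
    print("restoration order:", restoration_order(SAMPLE_SYSTEMS))
    report = check_enterprise(SAMPLE_SYSTEMS, ENTERPRISE_AIW_H, ENTERPRISE_MTO_H)
    for name, findings in report.items():
        print(name, "->", "; ".join(findings))
```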


Performance Measurement

• Performance measurements for incident management and response focus on achieving the defined objectives and improving cost-effectiveness.

• KPIs and KGIs for the activity should be specified and agreed by stakeholders and approved by senior management.

• The standard range of KGIs includes the successful handling of incidents, whether through live testing or under actual conditions.

• Key performance measures can be identified by successfully handling incidents that endanger business operations within the RTOs.


Updating Recovery Plans

• As enterprises constantly change and evolve, the response and recovery plans also need to change.

• The information security manager must establish a process in which recovery plans are updated as changes arise in the enterprise.

• Considering the recovery and response plan requirements within the enterprise's change management process is an important part of adequate response management.

• To reflect continuing recognition of changing requirements, strategies and plans for recovery and response should be reviewed and updated according to a schedule.


Updating Recovery Plans
(Continued)

• Along with others not listed, the following factors may affect the requirements and create the need for the plan to be updated:

 A method that is suitable at one point in time may not be sufficient as the requirements of the enterprise change.
 New applications may be acquired or developed.
 Modifications in business processes may change the value of essential applications or result in other applications being considered crucial.
 Modifications in the software or hardware environment may make existing conditions outdated or unsuitable.
 Changes in physical and environmental conditions may also need to be assessed.


Testing Incident Response and Business Continuity/Disaster Recovery Plans

• All aspects of the plan should be tested regularly in order to confirm success in incident response.

• Testing should focus on the following factors:

1. Identifying gaps
2. Verifying assumptions
3. Testing timelines
4. Determining the effectiveness of strategies
5. Evaluating personnel performance
6. Determining the currency and accuracy of plan information


Periodic Testing of the Response and Recovery Plans

• It is important to understand and integrate the scope and capabilities of these functions as well as their exact relationship.

• Regardless of the structure, the full scope of incident management responsibilities, including escalation and the involvement of, or handover to, the disaster management and recovery operation if that is the duty of another group, must be tested up to the point of a disaster declaration.

• Periodic testing of the response and recovery plans should be carried out by the information security manager with help from the recovery team's structure.

• Testing should involve the following:

 Development of test objectives.
 Execution of the test.
 Development of recommendations to improve the effectiveness of the testing processes and the response and recovery plans.
 Implementation of a follow-up process to ensure that the recommendations are carried out.

Testing for Infrastructure and Critical Business Applications

• Testing of response and recovery plans must cover both critical applications and infrastructure, although not necessarily at the same time.

• In enterprises that depend heavily on IT, the information security manager is tasked with securing the systems not only during normal operations but also during disaster events.

• Based on the business impact information and the risk assessment, the information security manager can identify the important applications the enterprise needs and the infrastructure needed to support them.

• The information security manager needs to conduct accurate recovery tests to ensure that these are recovered in a timely fashion.


Types of Tests

• To increase confidence and lower risk to the business, testing should begin simply and gradually become more complex, stretching the goals and success criteria of earlier iterations.

• After individual plans have been tested separately with satisfactory results, full-interruption tests should be conducted annually at a minimum.


Test Results

• There are particular results that should be anticipated from conducting a test.

• A recovery test should seek to achieve, at a minimum, the following:

• Confirm the completeness and precision of the response and recovery plan.
• Evaluate the performance of the personnel involved in the exercise.
• Evaluate the level of training and awareness of people who are not part of the recovery/response team.
• Evaluate the coordination between the team members and external suppliers and vendors.
• Measure the capacity and ability of the backup site to perform the defined processing.
• Evaluate the critical records recovery capability.
• Evaluate the quantity and state of equipment and supplies that have been relocated to the recovery site.
• Measure the overall performance of operational and information systems processing activities connected to maintaining the business entity.


Recovery Test Metrics

• In addition to assessing the effectiveness of the plan, the resulting metrics should also be used to enhance it.

• The following general types of metrics typically apply, although specific measurements depend on the test and the enterprise: Time, Amount, Percentage or Number, Accuracy, Plans.


Module 4B1: Incident Management Tools and Technologies


Incident Management Systems

• The substantial volume of activity and information in increasingly complex systems has driven the growth of automated incident management systems in recent years.

• These systems automate many manual processes and provide filtered information that can identify potential technical incidents and alert the IMT. An effective SIEM will be able to do the following:

• Correlate and consolidate inputs from various sources.
• Recognise potential or actual incidents.
• Notify staff.
• Prioritise incidents based on business impact.
• Track incidents until they are closed.
• Provide notifications and status tracking.
• Integrate with major IT management systems.
• Implement good practices.
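
A compact illustration of the capabilities listed above (consolidate inputs from several sources, recognise a potential incident, prioritise it by business impact, notify the right people, and track it to closure), written as an added example rather than the course's or any SIEM product's logic. The log lines, hosts, asset impact ratings, escalation ladder and rule thresholds are all constructed.

```python
"""Minimal SIEM-style pipeline: consolidate, correlate, prioritise, notify, track.

Added example, not from the course material and not any product's logic.
The rule implemented: `threshold` or more failed logons from one source
address within `window` is a potential incident; a successful logon from
that source after the failures raises the priority, since it may mean a
credential was guessed. Everything below is constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, normalised log lines from two sources (vpn, winauth). Not real data.
SAMPLE_LOGS = [
    "2022-05-02T09:01:10 vpn src=203.0.113.7 user=alice host=vpn-gw result=FAIL",
    "2022-05-02T09:01:40 vpn src=203.0.113.7 user=alice host=vpn-gw result=FAIL",
    "2022-05-02T09:02:05 vpn src=203.0.113.7 user=alice host=vpn-gw result=FAIL",
    "2022-05-02T09:02:50 vpn src=203.0.113.7 user=alice host=vpn-gw result=FAIL",
    "2022-05-02T09:03:30 vpn src=203.0.113.7 user=alice host=vpn-gw result=FAIL",
    "2022-05-02T09:04:12 vpn src=203.0.113.7 user=alice host=vpn-gw result=OK",
    "2022-05-02T09:10:00 winauth src=198.51.100.9 user=bob host=wiki result=FAIL",
    "2022-05-02T09:10:20 winauth src=198.51.100.9 user=bob host=wiki result=FAIL",
    "2022-05-02T09:11:00 winauth src=198.51.100.9 user=bob host=wiki result=OK",
    "2022-05-02T10:00:00 winauth src=192.0.2.44 user=svc host=erp-db result=FAIL",
    "2022-05-02T10:30:00 winauth src=192.0.2.44 user=svc host=erp-db result=FAIL",
    "2022-05-02T11:00:00 winauth src=192.0.2.44 user=svc host=erp-db result=FAIL",
    "2022-05-02T11:30:00 winauth src=192.0.2.44 user=svc host=erp-db result=FAIL",
    "2022-05-02T12:00:00 winauth src=192.0.2.44 user=svc host=erp-db result=FAIL",
    "this line is malformed and must be skipped rather than crash the pipeline",
]
# Business impact of each asset, used for prioritisation (constructed).
ASSET_IMPACT = {"vpn-gw": "medium", "wiki": "low", "erp-db": "high"}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\w+)$")


@dataclass
class Incident:
    ident: str
    kind: str
    src: str
    hosts: list
    priority: str
    status: str = "open"
    history: list = field(default_factory=list)


def consolidate(lines):
    """Parse lines from any source into one time-ordered event list; skip garbage."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, asset_impact, threshold=5, window=timedelta(minutes=10)):
    """Group events by source address and apply the failed-logon rule."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        bursts = [fails[i] for i in range(len(fails) - threshold + 1)
                  if fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window]
        if not bursts:
            continue
        first = bursts[0]["ts"]
        hosts = sorted({e["host"] for e in fails})
        success_after = any(e["result"] == "OK" and e["ts"] > first for e in evs)
        # Priority starts from the highest business impact among targeted assets.
        priority = max((asset_impact.get(h, "low") for h in hosts), key=RANK.get)
        kind = "failed-logon burst"
        if success_after:
            kind, priority = "possible credential compromise", "critical"
        inc = Incident(f"INC-{len(incidents) + 1:04d}", kind, src, hosts, priority)
        inc.history.append(f"opened at {first.isoformat()}, {len(fails)} failures")
        incidents.append(inc)
    return incidents


def notification_for(inc):
    """Who is notified depends on priority (constructed escalation ladder)."""
    audience = {"critical": "IMT lead and senior management", "high": "IMT lead"}
    return (f"{inc.ident} [{inc.priority}] {inc.kind} from {inc.src} -> "
            f"{audience.get(inc.priority, 'on-duty security analyst')}")


def close_incident(inc, note):
    """Track an incident to closure; closing twice is an error."""
    if inc.status == "closed":
        raise ValueError(f"{inc.ident} is already closed")
    inc.history.append(f"closed: {note}")
    inc.status = "closed"
    return inc


def run(lines, asset_impact=ASSET_IMPACT):
    return correlate(consolidate(lines), asset_impact)


if __name__ == "__main__":
    for inc in run(SAMPLE_LOGS):
        print(notification_for(inc))
```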


Incident Management Systems
Endpoint Detection and Response

• Endpoint security has historically been reactive, identifying perceived or potential security threats using signatures for known attack patterns.

• EDR focuses on recognising threats and malware that are designed to evade traditional security defences, while trying to be predictive in nature.

• Most EDR solutions leverage some kind of cyberthreat intelligence, together with machine learning capabilities, in conjunction with threat detection and file analysis.

• EDR solutions generally create a historical audit trail in which user and system behaviours and security events are captured for follow-on examination by security analysts.

• EDR solutions also support root cause analysis, not only incident response efforts.


Incident Management Systems
Extended Detection and Response

• A developed version of EDR, XDR takes a holistic approach to endpoint detection and response.

• XDR not only gives an enterprise's information security teams a suitable view across the endpoints but also examines servers, networks and the cloud.

• XDR builds on the abilities of EDR with machine learning and artificial intelligence capabilities, leveraging automation to give context about security events.

Managed Detection and Response

• MDR is a hybrid of service provider and technology. Its value is for those enterprises that lack the appropriate skills and expertise, or have restricted resources, required to appropriately monitor possible attack vectors.

• Generally the service provider will be responsible for providing the instrumentation.
Incident Response Technology Foundations

• The following security concepts must be included in IRTs:

 Security Principles
 Security Vulnerabilities/Weaknesses
 The Internet
 Operating Systems
 Malicious Code
 Programming Skills


Personnel

• An IMT usually comprises an information security manager, an advisory board or steering committee, and supporting group members.

• Team members may be identified ad hoc, provide full-time IMT support, or be dedicated only during incidents.

• How the team members are arranged and how they support the IMT will differ from enterprise to enterprise.

• The team is usually led by the information security manager. In bigger enterprises, it may be more appropriate to employ a dedicated IRT leader who concentrates on responding to incidents.

• The SSG also authorises exceptions and deviations from normal practice. The primary tasks in the IMT/IRT are performed by dedicated team members.


Personnel

• Incident handlers examine incident data, determine the effect of the incident and suggest the proper measures to limit the damage to the enterprise and restore normal services. Usually, the team will cooperate with general users, complementary groups, and business managers.

• The following are the IRT models that have proven to work:

1. Central IRT
2. Distributed IRT
3. Coordinating IRT
4. Outsourced IRT


Personnel
Roles and Responsibilities

Position: Security Steering Group (SSG)
Role: Highest-level body for the enterprise's functions connected to information security
Responsibilities:
1. Takes responsibility for the overall incident management and response concept.
2. Approves the incident management team charter.
3. Takes final decisions.

Position: Information Security Manager
Role: IMT leader and main interface to the SSG
Responsibilities:
1. Develops and maintains the incident management and response capability.
2. Manages incidents and risks effectively.

Position: Incident Response Manager
Role: Incident response team leader
Responsibilities:
1. Supervises incident response tasks.
2. Coordinates resources to effectively perform incident response tasks.
3. Presents incident lessons learned and the response plan to SSG members.


Personnel
(Continued)

Position: Incident Handler
Role: IRT/IMT team member
Responsibilities:
1. Performs incident response tasks to contain exposures from an incident.
2. Documents the steps taken when implementing the IRP.

Position: Investigator
Role: IRT/IMT team member
Responsibilities:
1. Conducts investigation tasks for a particular incident.
2. Searches for the root cause of an incident.

Position: IT Security Specialist
Role: IRT/IMT team member, IT security subject matter expert
Responsibilities:
1. Performs in-depth and complex IT security-related tasks as part of the IRP.
2. Performs IT security audits/assessments as part of vulnerability management and as a proactive measure.


Personnel
(Continued)

Position: Business Manager
Role: Business function owner, information system/asset owner
Responsibilities:
1. Takes decisions on matters connected to information systems/assets.
2. Provides clear knowledge of business impact in the BIA procedure or in the IRP.

Position: IT Representatives/Specialists
Role: IT services subject matter expert
Responsibilities:
1. Support the IRT/IMT while resolving an incident.
2. Keep information systems in good condition per company good practices and policies.

Position: Human Resources (HR)
Role: HR subject matter expert
Responsibilities:
1. Provides help in incident response/management when there is a need to investigate an employee suspected of causing an incident.
2. Integrates HR policy to support incident response/management.


Skills

• The following are the personal skills:

 Communication
 Leadership Skills
 Presentation Skills
 Ability to Follow Procedures and Policies
 Team Skills
 Integrity
 Coping with Stress
 Problem Solving
 Self-Understanding
 Time Management


Awareness and Education

• While security incidents and high-profile breaches have raised the security awareness of most people, end users remain the first line of defence in controlling security breaches.

• Therefore, it is important for the information security manager to ensure that an ongoing awareness campaign underlines the importance of staying alert, in order to decrease vulnerability to actions that may lead to a security breach.

• A skills assessment is suitable to determine whether the necessary skills are available in the enterprise for the IRT. In some cases, appropriate education or training may be used to provide the required skills.

• When a situation arises in which in-house knowledge is inadequate, external technical specialists can be called on to fill the skills gap.


Audits

• Internal and external audits are conducted to verify adherence to the standards, policies, and procedures that are defined by an enterprise.

• Internal audits are performed by specialists within the enterprise and are generally intended to improve risk and incident management and support compliance requirements.

• External audits involve a third party that conducts the tasks. While most external audits are performed to satisfy mandatory requirements, they are also commonly used as part of business relationships.

• Both types of audit can be suitable for examining incident management and response capabilities and plans.

• Periodic audits of the procedures and processes defined in the methods can validate that security will not be compromised and that policy compliance, legal requirements, and the handling of an incident are addressed properly.


Outsourced Security Providers

• It could be more cost-effective to outsource incident management capabilities, particularly for smaller enterprises.

• These enterprises might not have the internal resources to provide the requisite IMT/IRT expertise in a sufficient manner. Businesses that outsource their IT operations may profit from close integration if incident management is outsourced to the same vendor as IT operations.

• When security functions are partially or fully outsourced, the information security manager should consider the following:

 Cross-referencing the enterprise's incident reference numbers with the vendor's for every relevant incident.
 Integration of the enterprise's change management functions with the vendor's.
 Requiring the vendor to review incidents on a regular basis.


Module 4B2: Incident Investigation and Evaluation


Introduction

• Not every event is an incident, and the information security manager must be aware of the subtle difference between the two.

• An event is something that occurs at a typical time or place: a door opening, an account logon, an automated procedure ending.

• These are all events that, lacking any context, carry little to no significance.

• The contextual data surrounding the event must be examined to determine whether the event was in fact abnormal or normal.

• Proper actions can be taken once the legitimacy of an event is known. The escalation of an event to an incident is performed by the initial investigation and then assessing the impact on the enterprise.


Executing Response and Recovery Plans

• Untested plans could end up failing to function as expected.

• It is also reasonable to assume that the more serious the incident, the more turmoil, confusion, and issues the incident management and response teams will face.

• An attack that takes down IT systems and a building collapse are both examples of incidents.

• All reasonably possible events must be anticipated, planned for, and tested in order to give reasonable confidence that the enterprise will be preserved under predictable conditions.

Ensuring Execution as Required

• A facilitator is required to oversee task execution, communicate with top management, and direct tasks within the response and recovery plans to ensure they are carried out as intended.


Executing Response and Recovery Plans
(Continued)

• In the overall process of carrying out the response and recovery plans, developing appropriate response and recovery methods and alternatives is a crucial step.

• It is crucial to test the plans to make sure they can be carried out as needed.

• An impartial observer should be chosen by the information security manager to track progress and record any exceptions that arise during testing and during a real occurrence.


Module 4B3: Incident Containment Methods


Incident Containment Methods

• Containment comprises all the tasks, steps and activities taken in an attempt to reduce or limit the effect of an incident.

• Containment is a tactical and short-term action intended purely to stop the bleeding, not necessarily to identify or rectify the root cause that permitted the incident to happen.

• The following are common containment activities conducted during a security incident:

 Escalation and notification to suitable stakeholders
 Memory captures and analysis
 Enterprise-wide password changes for all accounts
 Updating firewall rule sets to drop/block/deny traffic
 Updating IDS signatures
 Log collection, review and analysis
 Forensically imaging affected systems
 Malware reverse engineering
 Disconnecting the device from the network

Module 4B4: Incident Response Communication


Introduction

• Given the number of personnel involved in responding to an incident, creating an authoritative source for communication is compulsory.

• Without proper context and insight, speculation may often be taken for fact, or facts may be downplayed.

• There will be various communication methods and channels that ought to be defined prior to an incident being declared.

• Several communication channels must be established during an incident, as decisions on whether to communicate with enterprise staff, external third parties, and affected business partners will need to be made between the IMT manager and senior management.

• Every communication channel needs to be clearly defined, understood and conveyed to all impacted members to confirm that the appropriate messages are communicated to their audiences.


Notification Requirements

• Notification requirements are central parts of incident management and the IRP.

• The IRP should contain a directory of key IRT members, end users, information systems owners, decision-making personnel, and others mandated to create and deliver response measures.

• The following contacts should be included in the directory:

 Representatives of software and equipment vendors.
 Contacts within companies designated to provide equipment, services and supplies.
 Contacts at recovery facilities, including predefined network communications rerouting services or hot site representatives.
 Contacts at offsite media storage services and the contacts in the company that are allowed to recover media from the offsite service.
 Insurance company agents.
 Contact information for regulatory bodies.
 Law enforcement contacts.


Communication Networks

• The plan must include details of the telecommunication network required to recover the business operations of the enterprise.

• Telecommunication networks are subject to the same natural disasters as data centres but are also vulnerable to disruptive events specific to telecommunications.

• These include central switching office disasters, communication software glitches, cable cuts, security breaches from hacking, and a host of additional human errors.

• Telecommunications capabilities include wide area networks, LANs, third-party providers, and telephone voice circuits.

• Essential capability needs should be identified for the different thresholds of outage, such as 2 hours, 8 hours or 24 hours, for every telecommunications capability.

• Uninterruptible power supplies (UPSs) should be adequate to provide backup for both computer and telecommunications equipment.

Module 4B5: Incident Eradication and Recovery


Eradication Activities

• The following are considerations included in common eradication activities conducted during a security incident:

 Root cause analysis
 Removal and clean-up of artefacts left behind by the incident
 Implementation of any outstanding patches
 DNS null routing of fully qualified domain names and malicious IP addresses
 Additional modifications to IDSs and firewalls as required
 Scanning for additional indicators of compromise
 Eliminating malicious software
 Wiping and rebuilding affected systems
 Recovering from backups


Recovery

• Recovery efforts follow the successful containment and eradication stages of the incident response process life cycle.

• Once the incident has been properly addressed and root cause problems remediated, the focus changes to confirming that the business can successfully return to operations, which means restoring affected systems to normal. Activities to prevent the same events from happening again should be planned and implemented during the recovery phase.

• Typical recovery activities conducted after a security incident has been successfully eradicated include the following:

 Validating and testing the security baseline.
 Monitoring networks for IoCs and indicators of attack.
 Actively hunting for recognised adversary artefacts across the enterprise.
 Transferring affected systems back into production once recovered and confirmed to meet the security baseline.


theknowledgeacademy

Module 4B6: Post-incident Review


Practices

© 2022 The Knowledge Academy Ltd.


Introduction
• Understanding the purpose and structure of post-incident reviews and follow-up
procedures allows the information security manager to improve the security programme
on a continuous basis.

• A consistent methodology must be adopted within the enterprise so that when a problem
is discovered, an action plan is developed to reduce or mitigate it.

• The follow-up process is the most valuable part of the incident response effort. After
the business has successfully recovered, activities may include, but are not limited to,
the following:

• Incident documentation
• Stakeholder feedback and review
• Completing the report for senior management
• Identifying changes required
• Identifying process issues
• Updating procedures as required

Identifying Causes and Corrective Actions
• Security incidents can be the result of internally initiated attacks, externally
initiated attacks, or failures in security controls that have been implemented. An incident
review team should be appointed by the information security manager for a systematic
review of security incidents.

• The root causes of many incidents, for example, are nonexistent or weak vulnerability
assessment and patch management efforts.

• The purpose of the examination should be to answer the following questions:

 Who was involved?
 What occurred?
 Where did the attack originate?
 Why did the attack happen?
 What was the time frame?
 How did the attack happen?
 What was the attacker's motivation?

Documenting Events
• The information security manager should have processes in place to develop a clear
record of events during and after any actual or potential security incident.

• This information will allow the investigation of events and can be given to a forensics
team or authorities if required.

• To make sure that this record-keeping happens, one or more people must be
specifically charged with incident documentation and evidence preservation.

• Documentation of any event with potential security implications can give clarity on
whether an incident was an accident, a mistake, or a deliberate attack.

• A major incident is usually chaotic. Good documentation is essential for post-incident
investigation and forensics, and it may also be useful in incident resolution.

Establishing Legal Procedures to Assist Post-Incident Activities

• Creating a complete IRP is an essential first step to ensure an effective and
efficient response to a security incident and the unavoidable wave of regulatory and
legal landmines.

• A suitable IRP is one that is customised to the enterprise and has been developed,
vetted and tested by key internal stakeholders and legal counsel.

• While it may be easy to pull a standard IRP form from the internet when an incident
actually happens, the check-the-box strategy is not helpful. The IRP should:

 Identify a core team of responders that will manage the response.

 Provide a method for documenting the events leading to and following the discovery of
a compromise.

 Set an immediate and clear communication plan that covers communications to
third parties, internal contacts, customers, media and advisors.

 Establish key decision points.


Requirements for Evidence
• The information security manager should understand that any contamination of
evidence following an incident can prevent an enterprise from charging a perpetrator and
restrict its options.

• Disconnecting power from a compromised computer is typically advised to preserve as
much data on the hard drive as possible.

• This strategy is mainly recommended by law enforcement because of the risk of the
evidence being compromised.

• This can happen as a consequence of the system's swap files overwriting evidence, or of
malware or an intruder removing evidence of compromise. There is the risk of tainting
evidence.

• One argument against disconnecting power is that sudden power loss, and the loss of
data held in memory, may result in corruption of critical information on the hard disk.

Legal Aspects of Forensic Evidence
• For evidence to be admissible in legal proceedings, it must have been obtained in a
forensically sound manner and its chain of custody preserved.

• The information security manager in charge of an incident must have documented and
established processes for the acquisition of evidence by properly trained, independent
personnel. The following documents are necessary to preserve legally admissible
evidence:

 Chain of custody
 Checklists for acquisition technicians
 Exact activity log templates for acquisition technicians
 An updated case log
 Signed confidentiality/nondisclosure forms for all technicians involved in retrieving
evidence
 Investigation report template
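The chain-of-custody and activity-log requirements from this slide and the preceding one (evidence integrity, every hand-over recorded), as an added example that is not part of the course material. The evidence bytes, handler names and timestamps are constructed; the record fields are an assumed minimal layout, not a prescribed form.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class CustodyEntry:
    timestamp: str            # ISO 8601, recorded at the hand-over
    released_by: str
    received_by: str
    purpose: str
    sha256_at_transfer: str   # hash recomputed at every hand-over

@dataclass
class EvidenceItem:
    case_id: str
    item_id: str
    description: str
    acquisition_hash: str     # computed once, at acquisition
    custody: list = field(default_factory=list)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(case_id, item_id, description, data: bytes, technician, timestamp):
    """Record acquisition: hash the evidence and open the chain of custody."""
    h = sha256_hex(data)
    item = EvidenceItem(case_id, item_id, description, h)
    item.custody.append(CustodyEntry(timestamp, "acquisition", technician,
                                     "initial acquisition", h))
    return item

def transfer(item, data: bytes, released_by, received_by, purpose, timestamp):
    """Log a hand-over. Returns False (but still logs it) if the hash has changed."""
    h = sha256_hex(data)
    item.custody.append(CustodyEntry(timestamp, released_by, received_by, purpose, h))
    return h == item.acquisition_hash

def verify_chain(item):
    """Return problems found: hash mismatches or custody gaps
    (the receiver of one entry is not the releaser of the next)."""
    problems = []
    for i, entry in enumerate(item.custody):
        if entry.sha256_at_transfer != item.acquisition_hash:
            problems.append(f"entry {i}: hash mismatch")
        if i > 0 and item.custody[i - 1].received_by != entry.released_by:
            problems.append(f"entry {i}: custody gap between "
                            f"{item.custody[i - 1].received_by} and {entry.released_by}")
    return problems
```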

Congratulations
Congratulations on completing this course!
Contact Us
[email protected]

www.theknowledgeacademy.com/tickets

https://uk.trustpilot.com/review/theknowledgeacademy.com
