
CISM EXAM PREP

DOMAIN 3
INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT
DOMAIN 3

Develop and maintain an information security program that identifies, manages and
protects the organization’s assets while aligning to information security strategy and
business goals, thereby supporting an effective security posture.
This domain reviews the diverse areas of knowledge needed to develop and manage an
information security program.
DOMAIN OBJECTIVES

Ensure that the CISM Candidate has the knowledge necessary to:
• Define the broad requirements and activities needed to create, manage and maintain an
information security program to implement an information security strategy.
• Define and utilize the resources required to achieve the IT goals consistent with organizational
objectives.
• Identify the people, processes and technology necessary to execute the information security
strategy.
ON THE CISM EXAM

This domain represents 27% (approximately 41 questions) of the CISM exam.

Domain 1: Information Security Governance, 24%
Domain 2: Information Security Risk Management, 30%
Domain 3: Information Security Program Development and Management, 27%
Domain 4: Information Security Incident Management, 19%
THE INFORMATION SECURITY PROGRAM

The means by which information risk is managed:
• Drafting and publishing standards, guidelines and procedures
• Designing, building, implementing and monitoring controls
• Providing training to the workforce and promoting security awareness
PURPOSE AND OBJECTIVES

Purpose of the Program: Support and further the enterprise’s business objectives.
Objective of the Information Security Manager: To implement and execute a program that manages information risk in a cost-effective manner.
DOMAIN 3 OVERVIEW

Section One: Alignment and Resource Management
Section Two: Standards, Awareness and Training
Section Three: Building Security Into Processes and Practices
Section Four: Security Monitoring and Reporting
Refer to the CISM Job Practice for Task and Knowledge Statements.
SECTION ONE
ALIGNMENT AND RESOURCE MANAGEMENT
TASK STATEMENTS

T3.1 Establish and/or maintain the information security program in alignment with the
information security strategy.
T3.2 Align the information security program with the operational objectives of other
business functions (e.g., human resources [HR], accounting, procurement and IT) to
ensure that the information security program adds value to and protects the business.
T3.3 Identify, acquire and manage requirements for internal and external resources to
execute the information security program.
T3.4 Establish and maintain information security processes and resources (including
people and technologies) to execute the information security program in alignment with the
organization’s business goals.
KNOWLEDGE STATEMENTS

How does Section One relate to each of the following knowledge statements?

Knowledge Statement Connection

K3.1 Information security supports organizational goals and needs to
be aligned with business functions and the information risk
management strategy.
K3.2 The information security manager needs to know how to define
requirements and obtain resources from within and outside of
the organization.
K3.3 The information security manager needs to be the
organization’s subject matter expert on current and emerging
technologies and concepts.
K3.5 Management of people and processes associated with
information security is a key part of running a successful program.
K3.7 The information security manager should be familiar with
common third-party and international standards frameworks
and practices.
KNOWLEDGE STATEMENTS

How does Section One relate to each of the following knowledge statements?

Knowledge Statement Connection

K3.11 Information security needs to be built into recurring
processes so it can be taken into account at all times.
K3.12 Contracts need to incorporate information security
requirements during negotiation to ensure that these are
part of any final agreement.
K3.13 Monitoring information security practices used by third
parties is the only way to ensure that agreed-upon
standards are being maintained.
K3.14 The information security manager needs a way to monitor
the overall effectiveness of the program that aligns with
factors important to senior managers.
KEY TERMS

Key Term: Definition

IT steering committee: An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects.

Project management: The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects.

Resource: Any enterprise asset that can help the organization achieve its objectives.

Segregation of duties: A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.

Service level agreement: An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured.
ESSENTIAL PROGRAM ELEMENTS

Three elements of a successful security program:
• The program must be based on a well-developed strategy aligned with business goals
• The program must be designed with cooperation and support from senior managers/stakeholders
• The program must include metrics that provide regular, useful feedback for calibration
PROGRAM GOALS

Goals are typically specified by governance.
• Third-party standards and frameworks can also be used.

Regardless, clear goals are necessary to manage success.
STRATEGIC ALIGNMENT

[Figure: individual activities mapped against the strategy; each activity should be examined for alignment with the strategy.]
RESOURCE MANAGEMENT

Lack of resources is a commonly cited obstacle to successful information security.
Support can be gained by tracing the program back to the strategy.
Project planning, technology selection and skill acquisition all factor into resource
management.
BUDGETING FOR INFORMATION SECURITY

Expenses for security are more likely to be approved when communicated in advance.
• Value proposition

Baseline expenses should be held stable during a budget year.
• Salaries
• Skills maintenance
• Software fees

Special projects should be treated separately from the baseline.


ENGAGING THE BUSINESS

A steering committee reaffirms the business’s commitment to information security.
• Day-to-day engagement helps to create a sense of shared responsibility.
• Cultural alignment is important.

Regular reports to executives can promote awareness.


CROSS-FUNCTIONAL COORDINATION

Information is vulnerable wherever it is accessed.
Information security can often be seen as burdensome, costly, etc.
Understanding how other teams function can help you to design security to support them.
KEY RELATIONSHIPS

• Information Technology
• Internal/IT Audit
• Facilities and Security
• Human Resources
• Legal and Privacy
• Procurement
• Project Management
INFORMATION TECHNOLOGY

Information Security:
• Wants to secure things
• Wants to implement controls, which can slow down processes and are costly
• Designs and directs controls

Information Technology:
• Wants to get things done
• Wants to be fast and cost effective
• Maintains and monitors controls
INTERNAL/IT AUDIT

Audits can produce positive outcomes.
• Findings can draw attention from senior management, leading to greater support.

If policies and standards are not available, auditors assess a program against industry
practices.
Proper documentation can lead to an audit that provides relevant, useful insight.
FACILITIES AND SECURITY

Physical access has huge implications for information security.
Information also includes that on hard/paper copies.
Collaboration can enhance the effectiveness of information risk management.
GOOD TO KNOW

Pay careful attention to who has been given authorized
access to server rooms, wiring closets and other vital links in
the information infrastructure.
Aside from malicious intent to compromise these systems,
availability can be impacted by mistakes made when people
are working in these areas.
In particular, access to cabling and network devices by third-
party contractors should be supervised whenever feasible.
HUMAN RESOURCES

• Background checks
• Pre-employment screening
• Security awareness in orientation
• Disciplinary actions
LEGAL AND PRIVACY

Laws and regulations regarding privacy vary across jurisdictions.
Legal considerations apply to investigations of computer crimes.
Opinions of legal and privacy professionals will help to design effective controls.
PROCUREMENT

If information security is not connected with purchasing technology, business units may
deploy IT tools that compromise security.
Mature integrated processes include lists of approved devices and software.
At a minimum, technical purchases should be coordinated with information security for
risk assessment.
DISCUSSION QUESTION

What should an information security manager do if a business unit wants to purchase
technology that would increase risk to the organization?
PROJECT MANAGEMENT

Identifying all projects that affect information systems/data is key.
Early involvement can:
• Improve project design
• Make controls more cost-effective

A distinct PMO can help to facilitate integration.


GOOD TO KNOW

Keep in mind that even in organizations that have a PMO,
business units often undertake their own projects when they
have sufficient internal resources to manage them. One
common reason for this is a specific desire to avoid the
perceived hassle or bureaucracy associated with formal
project management, which poses a clear problem for the
organization’s management of information risk.
The information security manager can overcome this situation
by forming positive relationships throughout the business and
building a reputation as someone who enables desired
outcomes, rather than being seen as someone who
impedes progress.
TECHNICAL SECURITY MANAGEMENT

Considering how the information security program will be implemented is key for scoping
and budgeting.
Standards should be applied uniformly.
Track and enforce segregation of duties (SoD), the events to be monitored, the events that
warrant special attention, communication needs, and roles and responsibilities.
CONTINUOUS IMPROVEMENT

Organizational goals and strategy change over time.
• This requires constant review and revision.

The Plan-Do-Check-Act cycle is a general-purpose continuous improvement methodology.
• It is widely accepted across business functions.
PLAN-DO-CHECK-ACT
SECTION ONE SUMMARY

Alignment and Resource Management
• The information security program implements the approved
strategy for information risk management and promotes the pursuit
of organizational goals.
• The program is likely to be most effective when its design and
implementation is done collaboratively with people in other
business functions.
SECTION ONE
PRACTICE QUESTIONS
PRACTICE QUESTION

Which of the following is the BEST approach to dealing with inadequate funding of the
security program?

A. Eliminate low-priority security services.
B. Require management to accept the increased risk.
C. Prioritize risk mitigation and educate management.
D. Reduce monitoring and compliance enforcement activities.
PRACTICE QUESTION

Which of the following should be included in a good privacy statement?

A. A notification of liability on accuracy of information
B. A notification that information will be encrypted
C. A statement of what the company will do with information it collects
D. A description of the information classification process
PRACTICE QUESTION

When developing an information security program, what is the MOST useful source of
information for determining available human resources?

A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
SECTION TWO
STANDARDS, AWARENESS AND TRAINING
TASK STATEMENTS

T3.5 Establish, communicate and maintain organizational information security standards,
guidelines, procedures and other documentation to guide and enforce compliance with
information security policies.
T3.6 Establish, promote and maintain a program for information security awareness and
training to foster an effective security culture.
KNOWLEDGE STATEMENTS

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement Connection

K3.5 Management of people and processes associated with
information security is a key part of running a successful
program.
K3.6 The information security manager needs to be able to develop
standards, processes and guidelines to execute an authorized
information security program.
K3.8 Well-designed programs are effective only when they are
communicated to the workforce, and this is the information
security manager’s responsibility.
KNOWLEDGE STATEMENTS

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement Connection

K3.9 An effective information security program requires the
accumulation and maintenance of specialized skills through
both training and experience.
K3.10 The whole population of an organization is part of its
information security program and engaging them is up to
the information security manager.
K3.16 The information security manager is often responsible for
communicating program status and security information to
stakeholders.
KEY TERMS

Key Term: Definition

Awareness: Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly.

Education: Focuses on telling people why something makes sense and providing context on which they can exercise individual judgement.

Policy: Generally, a document that records a high-level principle or course of action that has been decided on. The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.

Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO).

Training: A means by which people learn what to do and how to do it.

See www.isaca.org/glossary for more key terms.


DOCUMENTATION IS KEY

Documentation defines a program’s content and the criteria against which its activities
can be assessed.
Includes:
• Policies and standards
• Procedures and guidelines
• Risk analysis and recommendations
ENABLING GOOD DOCUMENTATION

Each document should have an assigned owner.
• Policies should be approved by senior managers.
• Standards should be approved at lower levels.

Technical and operational documents should be protected as sensitive information.
DOCUMENTATION ENABLERS

Source: ISACA, COBIT 5, USA, 2012


MAINTENANCE AND VERSION CONTROL

Version control is important to ensure people are using the correct documents.
• Prior versions should be retained for reference.
• Unapproved documents should not be reviewed except upon invitation.

Changes to higher-level documents should trigger updates to subordinate documents.


THE HUMAN FACTOR

Risk cannot be fully eliminated through controls.
People have influence on how information systems
are used and can create/exploit vulnerabilities.
Security awareness training is designed to control
the human factor.
SECURITY AWARENESS TRAINING

Training: A means by which people learn what to do and how to do it.
• Takes the form of rules and procedures
• Procedures should exist for all information security functions.
• Should be prescriptive and not leave anything open to interpretation
SECURITY AWARENESS EDUCATION

Education: Focuses on telling people why something makes sense and provides context.
• Helps people to exercise judgement

Policies and guidelines provide people with context.
Because this is not prescriptive, people should be
able to reach out for assistance when needed.
ACTIVITY

Training or Education?
1. Don’t leave paper files in a place where people who may be in your work
area can find them.
2. Lock your computer whenever you leave a work area.
3. Never give out your password by phone or email.
4. Verify the identity of IT support staff before letting them access your
computer.
5. Use passwords that are at least 15 characters long, with no fewer than three
special characters.
6. Don’t use passwords that are easy to guess, such as your birthday or child’s
name.
ACTIVITY

Training or Education?
1. Don’t leave paper files in a place where people who may be in your work
area can find them.
Education: Whether files might be found is a judgement call.
2. Lock your computer whenever you leave a work area.
Training: It is prescriptive and applies in all cases.
3. Never give out your password by phone or email.
Training: It is prescriptive and applies in all cases
ACTIVITY

Training or Education?
4. Verify the identity of IT support staff before letting them access your
computer.
Education: How to verify the identity is left up to individual judgement.
5. Use passwords that are at least 15 characters long, with no fewer than three
special characters.
Training: It is prescriptive and can be enforced by technical means
6. Don’t use passwords that are easy to guess, such as your birthday or child’s
name.
Both: The examples are prescriptive, but judgement is needed to figure out
whether something else one has in mind might be easy to guess.
PROMOTING AWARENESS

Awareness training should be tailored to the organization/audience.
• Senior managers, IT staff and end users have different relationships to information systems.

Different modalities for training and awareness include:
• Computer-based training
• Email reminders
• Nondisclosure agreements
• Posters
• Simulations
AWARENESS AND ETHICS

Information security awareness training is a deterrent against rising threats.
• Ethics programs are part of this deterrence.

Proper use of information technology should be included in a signed ethics statement.


BENEFITS OF AN ENGAGED WORKFORCE

When information security is taken seriously, employees are more conscious of their
actions.
Knowledge of rules and standards and their consequences act as a deterrent.
Awareness paired with a feeling of being treated fairly can become a control itself.
SECTION TWO SUMMARY

Standards, Awareness and Training
• The information security program is based on documentation that
defines its parameters and success criteria.
• Effective security awareness training and education promote an
engaged workforce that can actively help control information risk.
SECTION TWO
PRACTICE QUESTIONS
PRACTICE QUESTION

Which of the following is the BEST metric for evaluating the effectiveness of security
awareness training?

A. The number of password resets
B. The number of reported incidents
C. The number of incidents resolved
D. The number of access rule violations
PRACTICE QUESTION

Which of the following would be MOST effective in successfully implementing restrictive
password policies?

A. Regular password audits
B. Single sign-on system
C. Security awareness program
D. Penalties for noncompliance
PRACTICE QUESTION

Which of the following change management process steps can be bypassed to implement
an emergency change?

A. Documentation
B. Authorization
C. Scheduling
D. Testing
SECTION THREE
BUILDING SECURITY INTO PROCESSES AND PRACTICES
TASK STATEMENTS

T3.7 Integrate information security requirements into organizational processes (e.g.,
change control, mergers and acquisitions, system development, business continuity,
disaster recovery) to maintain the organization’s security strategy.
T3.8 Integrate information security requirements into contracts and activities of third
parties (e.g., joint ventures, outsourced providers, business partners, customers) and
monitor adherence to established requirements in order to maintain the organization’s
security strategy.
KNOWLEDGE STATEMENTS

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement Connection

K3.4 Once control objectives are defined, the information
security manager needs to know how to design and
implement the actual controls.
K3.5 Management of people and processes associated with
information security is a key part of running a successful
program.
K3.7 The information security manager should be familiar with
common third-party and international standards,
frameworks and practices.
KNOWLEDGE STATEMENTS

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement Connection

K3.10 The whole population of an organization is part of its
information security program, and engaging them is up to
the information security manager.
K3.11 Information security needs to be built into recurring
processes so it can be taken into account at all times.
K3.12 Contracts need to incorporate information security
requirements during negotiation to ensure that these are
part of any final agreement.
KEY TERMS

Key Term: Definition

Cloud computing: Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Compensating control: An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.

Corrective control: Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.

Detective control: Exists to detect and report when errors, omissions and unauthorized uses or entries occur.

Deterrent control: Reduces threat by affecting the behavior of threat actors.

See www.isaca.org/glossary for more key terms.


KEY TERMS

Key Term: Definition

Fail-safe: Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it (e.g., door unlocks).

Fail-secure: Describes a control that fails in a closed state (e.g., firewall blocks all traffic).

Integration: The process of building security considerations into business processes.

Preventative control: An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.

See www.isaca.org/glossary for more key terms.


SECURITY ARCHITECTURE

Information security architecture is a subset of the overall information architecture.
Includes:
• Platforms
• Networks
• Middleware-supporting applications

Leverage existing infrastructure where possible.

Source: The Open Group, TOGAF Version 9.1, United Kingdom, 2011
ARCHITECTURE AS A ROAD MAP

Architecture acts as a road map integrating smaller projects and services into a single
overall strategy.
Identifying connections between business functions helps to define control objectives.
Where multiple systems require common treatment, combinations of technologies can be
used to provide control points.
DESIGNING CONTROLS

Controls:
• Reduce risk to an acceptable level
• Do not necessarily eliminate the risk

A top-down perspective can be useful for layered defense.
Residual risk for any control target is the result of the combined effects of the layered controls.
CONTROL CATEGORIES

Preventative
• Reduces or eliminates specific instances of vulnerability by making the behavior impossible.

Corrective
• Reduce impact by offsetting the impact of consequences after the fact.

Detective
• Warn of violations or attempted violations.

Compensating
• Reduce the risk of a control weakness through layering.

Deterrent
• Reduce threat through warnings and notices that influence behavior.
CONTROL TYPES AND EFFECT
ACTIVITY

What are some examples of each of the five types of controls?
IMPLEMENTATION METHODS

Managerial (administrative): Apply to processes and behaviors
Technical (logical): Apply to information systems, software and networks
Physical: Apply to facilities and areas within them

Note: Controls of any effect category can be implemented using any of the three implementation methods.
MANUAL VS. AUTOMATED CONTROLS

Automated controls are generally preferred to manual controls.
• Analysis is needed to confirm if this is the case.

High volumes of data may require automation.
SIEM software can help to create useful reports out of automated monitoring.
GOOD TO KNOW

The term “countermeasure” is sometimes used
interchangeably with “control,” but it actually refers to a target
control effect intended to apply to a specific threat. The
effects of countermeasures may be detective, preventative,
corrective or any combination of the three, and may be
implemented using any of the three methods discussed.
FAIL STATES

Controls should be designed in ways that result in clearly established states of failure:
• Fail safe: Allow all activity when they fail
• Fail secure: Prevent all activity when they fail

Biometric systems often experience the following:
• False acceptance rate (FAR)
• False rejection rate (FRR)
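As an added example (not from the CISM course material), the FAR/FRR trade-off and the fail-safe/fail-secure distinction worked in code: the genuine and impostor similarity scores are constructed samples, raising the match threshold lowers FAR but raises FRR, and the fail mode decides what the control does when the matcher returns no score at all.

```python
"""FAR/FRR trade-off and fail-safe vs. fail-secure decisions for a biometric control.

Added example, not part of the CISM course material. Scores are constructed
similarity values (0.0 = no match, 1.0 = perfect match), not real matcher output.
"""
from typing import Optional, Sequence, Tuple

# Constructed samples: scores from legitimate (genuine) users and from impostors.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.64, 0.58, 0.51]
IMPOSTOR_SCORES = [0.62, 0.55, 0.49, 0.44, 0.40, 0.37, 0.33, 0.28, 0.22, 0.15]


def false_acceptance_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR: fraction of impostor attempts scoring at or above the threshold (wrongly accepted)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_rejection_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR: fraction of genuine attempts scoring below the threshold (wrongly rejected)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover_threshold(genuine: Sequence[float],
                        impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Sweep thresholds 0.00..1.00 and return (threshold, FAR, FRR) where FAR and FRR are closest.

    Raising the threshold lowers FAR but raises FRR; the crossover is where they meet.
    """
    best: Optional[Tuple[float, float, float]] = None
    for i in range(101):
        t = i / 100  # integer steps avoid floating-point drift in the sweep
        far = false_acceptance_rate(impostor, t)
        frr = false_rejection_rate(genuine, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    assert best is not None
    return best


def admit(match_score: Optional[float], threshold: float, fail_mode: str) -> bool:
    """Access decision for a door or logon control.

    A None score models the control itself failing (sensor fault, matcher down).
    fail_mode "secure" denies everything on failure; "safe" allows everything on failure.
    """
    if match_score is None:
        if fail_mode == "secure":
            return False
        if fail_mode == "safe":
            return True
        raise ValueError(f"unknown fail mode: {fail_mode}")
    return match_score >= threshold


if __name__ == "__main__":
    for t in (0.50, 0.56, 0.60, 0.65):
        print(f"threshold {t:.2f}: FAR={false_acceptance_rate(IMPOSTOR_SCORES, t):.1f} "
              f"FRR={false_rejection_rate(GENUINE_SCORES, t):.1f}")
    print("crossover (threshold, FAR, FRR):",
          crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("matcher down, fail-secure door admits:", admit(None, 0.56, "secure"))
    print("matcher down, fail-safe door admits:", admit(None, 0.56, "safe"))
```

Which fail mode is right depends on what the control protects: a fire door is usually fail-safe (life safety first), a data-center door or a firewall fail-secure.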
INFORMATION SECURITY INTEGRATION

Information security requirements need to be integrated into other organizational processes.
• Integration makes it easier to implement and maintain controls.

The information security manager should understand:
• Management concepts
• Process concepts
• Technology concepts
CONTINUITY AND RECOVERY

Disaster recovery
• IT function aimed at recovering major infrastructure

Business continuity
• Business function that plans and organizes means to continue operations

Security should be integrated into these processes.


INCIDENT MANAGEMENT/RESPONSE

Incident response is closely intertwined with disaster recovery and business continuity.
The goal is to identify and contain incidents to prevent interruptions and restore services.
Important to keep the following in mind:
• Maximum allowable downtime
• Maximum tolerable outage
• Recovery point objectives
• Recovery time objectives
SOFTWARE DEVELOPMENT

There are three software development environments:
• Development
• Testing
• Production

Segregation of duties is important.
• Integrating security can address this risk.
DISCUSSION QUESTION

Why is it so important that the developers of code not be able to move their compiled
programs into production?
VENDOR MANAGEMENT

Vendor relationships are a concern for information security.
• Frequently outsourced activities include monitoring and IT security activities.

Verify that vendors’ performance aligns with the organization’s goals and strategy.
OUTSOURCING AGREEMENTS

Agreements should not create unacceptable risk.
Remember: Risk transference does not eliminate responsibility.
Note areas related to privacy and/or legal or regulatory compliance.
THIRD-PARTY ACCESS

Third-party access should be:
• Based on justification
• Granted based on the principles of least privilege, need-to-know, need-to-do
• Subject to risk assessment
• Logged

Access should not be granted until a contract is signed.
The SLA should clearly define access requirements.
CLOUD COMPUTING

Cloud computing is a utility model.
Processing and data storage are done in “the cloud.”
Five characteristics of cloud computing:
• On-demand self-service
• Broad network access
• Resource pooling
• Elasticity
• Measured service
COMMON CLOUD SERVICE MODELS

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
• Big Data analytics
CLOUD DEPLOYMENT MODELS

• Private Cloud
• Community Cloud
• Public Cloud
• Hybrid Cloud

SECURITY ADVANTAGES OF THE CLOUD

Provision of services includes bundled functions for security and information assurance.
Cloud computing providers typically have invested in a more robust security posture than
their customers.
A data breach is the foremost risk for a cloud provider.
Incident response procedures are generally faster and more practiced.
GOOD TO KNOW

“Economies of scale” is a business term that means things
get cheaper as they are purchased in larger quantities. If
there are two groups dedicated to the same task, the larger
group will be able to do it more cheaply.
Cloud computing providers are focused on their IT and
security functions as lines of business, while these functions
are support functions in most organizations, so cloud
providers benefit from economies of scale.
SECURITY CONCERNS IN THE CLOUD

How the cloud provider’s security posture is maintained may be confidential.
The outsourcing organization remains accountable for compliance.
Consider legal/regulatory concerns that cross national boundaries.
THE CLOUD IN PERSPECTIVE

The benefits of the cloud mean most organizations will use it as a solution at some point.
• Cost is the primary driver.

Keep in mind that post-implementation movement to a new provider can be expensive.
A hybrid model may be useful if certain functions are retained in-house.
SECTION THREE SUMMARY

Building Security Into Processes and Practices
• Information security needs to be integrated with all organizational
functions and processes that affect organizational data.
• Third-party vendors, including cloud service providers, become
part of the organizational risk context when they have access to or
manage organizational data.
SECTION THREE
PRACTICE QUESTIONS
PRACTICE QUESTION

Assuming that the value of information assets is known, which of the following gives the
information security manager the MOST objective basis for determining that the
information security program is delivering value?

A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
PRACTICE QUESTION

What is the MOST important contractual element when contracting with an outsourcer to
provide security administration?

A. The right-to-terminate clause
B. Limitations of liability
C. The service level agreement
D. The financial penalties clause
PRACTICE QUESTION

What is the PRIMARY purpose of installing an intrusion detection system?

A. To identify weaknesses in network security
B. To identify patterns of suspicious access
C. To identify how an attack was launched on the network
D. To identify potential attacks on the internal network
SECTION FOUR
SECURITY MONITORING AND REPORTING
TASK STATEMENTS

T3.9 Establish, monitor and analyze program management and operational metrics to
evaluate the effectiveness and efficiency of the information security program.
T3.10 Compile and present reports to key stakeholders on the activities, trends and
overall effectiveness of the information security program and the underlying business
processes in order to communicate security performance.
KNOWLEDGE STATEMENTS

How does Section Four relate to each of the following knowledge statements?

Knowledge Statement Connection

K3.14 The information security manager needs a way to
monitor the overall effectiveness of the program that
aligns with factors important to senior managers.
K3.15 The information security manager needs to know
what is working well and what isn’t, so deficiencies
can be corrected.
K3.16 The information security manager is often
responsible for communicating program status and
security information to stakeholders.
KEY TERMS

Key Term: Definition

Continuous monitoring: An approach to monitoring that gathers data on a very frequent or real-time basis.

Effectiveness: An assessment of how well something produces expected outcomes.

Efficiency: An assessment of the value delivered by something effective.

Metric: A quantifiable entity that allows the measurement of the achievement of a process goal.

Monitoring: Tracking behavior or results over time.

See www.isaca.org/glossary for more key terms.


CONTROL ASSESSMENT

Controls are applied to reduce risk to acceptable levels.
Controls are deployed on a cost-effective basis, not on technical feasibility alone.
Monitoring and analyzing controls is vital to information security.
EFFECTIVENESS AND EFFICIENCY

Effectiveness: Efficiency
• Whether a control produces expected • Whether a control’s effectiveness is
outcomes provided at a good value

Examples: Examples:
• Reliable performance • Effects on other productive work
• Implementation that is difficult to bypass • Unnecessary redundancy
GOOD TO KNOW

“Efficiency” in business is also called “cost effectiveness.” An


inefficient control can be effective, but an ineffective control
cannot be efficient, because something ineffective is
inherently not a good value.
FACTORS THAT INFLUENCE CONTROLS

Where and how a control is implemented can have an effect.
• Deploying a firewall on a single system is less efficient than deploying it on a whole network.
• It may be necessary to deploy a firewall less efficiently to achieve the desired level of risk.

An accurate assessment requires a clear understanding of why a control exists and what it is meant to protect.
TESTING AND MODIFICATION

All proposed changes to controls should be reviewed prior to being made.
This includes controls implemented in procedures as well as technical controls.
All stakeholders should be represented in change management.
METRICS AND MONITORING

Monitoring: Provides data, but needs standards for comparison
Metrics: Provide a standard against which to measure performance
Understand what decisions need to be made and what sort of information is useful in making these decisions.
STRATEGIC METRICS

Often a compilation of other management metrics designed to indicate that the security program is:
• On track
• On budget

Needed information should be navigational:
• Is the security program headed in the right direction?
• Needed by the information security manager and senior management
MANAGEMENT METRICS

Provide information on:
• Compliance
• Emerging risk
• Overall resource utilization
• Alignment with business goals

Can be aggregated in a summary for higher-level reporting.
OPERATIONAL METRICS

Technical and procedural metrics:
• Vulnerability scans
• Patch management reports
• Administrator account records
• Summary logs

Summaries and aggregate data can be used as the basis for management metrics.
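As an added example (not from the ISACA course material), the Python below rolls a constructed patch-management report up from operational rows (per-severity SLA counts and overdue backlog) into a single management-level compliance figure against a control objective; the SLA windows, the 90% target and the host names are assumed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
SLA_DAYS = {"critical": 7, "high": 30}  # assumed SLA windows (days); not from the course

@dataclass
class PatchRecord:
    host: str
    severity: str              # "critical" or "high"
    released: date             # date the vendor published the patch
    installed: Optional[date]  # None means the host is still unpatched

def within_sla(rec, today):
    """Per-record check: installed by the deadline, or still open but inside the window."""
    deadline = rec.released + timedelta(days=SLA_DAYS[rec.severity])
    return (rec.installed if rec.installed is not None else today) <= deadline

def operational_metrics(records, today):
    """Operational metric: per-severity totals, on-time count and open overdue backlog."""
    out = {}
    for rec in records:
        row = out.setdefault(rec.severity, {"total": 0, "in_sla": 0, "overdue_open": 0})
        row["total"] += 1
        if within_sla(rec, today):
            row["in_sla"] += 1
        elif rec.installed is None:
            row["overdue_open"] += 1  # past deadline and still unpatched: actionable
    return out

def management_metric(records, today, target_pct=90.0):
    """Management metric: roll the operational rows up into one compliance figure
    against a control objective (target_pct is an assumed value)."""
    ops = operational_metrics(records, today)
    total = sum(r["total"] for r in ops.values())
    in_sla = sum(r["in_sla"] for r in ops.values())
    pct = round(100.0 * in_sla / total, 1) if total else 100.0
    return {"patch_sla_pct": pct, "target_pct": target_pct,
            "meets_objective": pct >= target_pct,
            "overdue_open": sum(r["overdue_open"] for r in ops.values())}
# Constructed sample patch-management report for one reporting period
TODAY = date(2024, 6, 30)
SAMPLE = [
    PatchRecord("web01", "critical", date(2024, 6, 1), date(2024, 6, 5)),   # on time
    PatchRecord("web02", "critical", date(2024, 6, 1), date(2024, 6, 12)),  # late, now fixed
    PatchRecord("db01", "critical", date(2024, 6, 25), None),               # open, in window
    PatchRecord("app01", "high", date(2024, 5, 1), None),                   # overdue and open
    PatchRecord("app02", "high", date(2024, 6, 10), date(2024, 6, 20)),     # on time
    PatchRecord("app03", "high", date(2024, 6, 15), None),                  # open, in window
]
```

The management figure reports 4 of 6 patches inside SLA (66.7%, below the assumed 90% objective) with one overdue open item, which is the level of detail senior management needs without the per-host rows.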
METRIC ATTRIBUTES

• Manageable
• Timely
• Accurate
• Reliable
• Unambiguous
• Predictive
• Genuine
• Meaningful
• Actionable
DISCUSSION QUESTION

What factors influence the timeliness of a metric as an indicator?
CONTINUOUS MONITORING

Threats and vulnerabilities are present 24/7, even when the organization is not actively pursuing its goals.
Continuous monitoring promotes timely detection of threat events and may allow for reduction or elimination of consequences.
PERFORMANCE MANAGEMENT

Senior managers may be interested in the degree to which the program:
• Aligns with the information security strategy
• Complies with standards

Measurable objectives help with this.
Operational productivity measurements can help verify that risk is being managed cost effectively.
SECTION FOUR SUMMARY

Security Monitoring and Reporting

• Metrics are standards against which measured values can be assessed, and their purpose is to deliver information on which decisions can be based.
• Technical metrics are used to control technical IT security functions, while management metrics can be used to assess the overall state of the security program.
SECTION FOUR
PRACTICE QUESTIONS
PRACTICE QUESTION

Which of the following is one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

A. Number of controls implemented
B. Percent of control objectives accomplished
C. Percent of compliance with the security policy
D. Reduction in the number of reported security incidents
PRACTICE QUESTION

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?

A. Penetration attempts investigated
B. Violation log reports produced
C. Violation log entries
D. Frequency of corrective actions taken
PRACTICE QUESTION

Which of the following should be reviewed to ensure that security controls are effective?

A. Risk assessment policies
B. Return on security investment
C. Security metrics
D. User access rights
DOMAIN 3
SUMMARY
SUMMARY

A successful information security program is aligned with and supports organizational objectives, is designed with cooperation and support from management and stakeholders, and uses effective metrics to provide feedback and guide the program.
Cost and resource utilization are driving factors in the information security program, and activities must be evaluated in these terms.
Integration of critical business functions into the information security function is key to its ongoing success.
SUMMARY

Documentation defines a program’s content and the criteria against which its activities can be assessed, so it must be regularly reviewed and kept up to date.
Information security awareness is key to a security program’s success because it addresses the human factor.
Awareness and education are used to ensure that people are doing the correct things and exercising sound judgement.
SUMMARY

The information security architecture provides a road map for programs and activities related to information security, including controls.
Controls can be categorized as compensating, corrective, detective, deterrent and preventative. They can be identified by managerial, technical or physical implementation.
Information security considerations should be taken into account in software development, vendor management and outsourcing agreements.
SUMMARY

Cloud computing has implications for information security, especially in vendor management. Keep in mind that the cloud service provider has some provisions for risk, but the outsourcing organization is still accountable in case of a breach.
The effectiveness and efficiency of the information security program and controls need to be monitored.
Metrics provide the information stakeholders need to make business decisions.
THANK YOU
