Information Security Governance #2A

This publication covers two important aspects of information security governance: determining the security strategy approach and the strategy development process.

Published in: Technology


Information Security Governance: #2 Security Strategy and Objectives
A) Information Security Strategy and Objectives
Study Notes - v.1.0
+W Series - Technology Skills For Women [1]
Study Notes, www.SlideShare.net/OxfordCambridge, Page 1 of 62

[1] Men too are allowed to read this, if they wish, as the language style and the document format are universal.
Note for the reader: Information Security Governance: #2 Security Strategy and Objectives consists of two published documents:
A) Information Security Strategy and Objectives
B) Building an Information Security Strategy

Keywords: information security, information security governance, information security governance framework, information security components, information security culture, information security behaviour, COBIT, ISO 17799, SABSA, risk management, corporate governance, IT audit, business information risk, information security management, operational management, compliance management, information systems security, security, governance, theory of anomie, behavioral aspects, principal agent theory, end-user security behaviors, security policy compliance, Certified Information Systems Security Professional, CISSP, ISC, CISO, ISO, ISACA, CISM, information security strategy, information security program, state of security, information security objectives, security strategy development models, information security roadmap, skills for women, Certified Information Security Manager
1. About "+W Series - Technology Skills for Women"

Study Notes in the field of technology are put together under this category for the following reasons:
- To encourage girls and women who wish to do so to stand up and look over the fence into technology-related topics, with no apprehension or fear.
- To perhaps consider a career move into a technological path.
- Or simply to broaden their general knowledge; after all, IT is already in most aspects of everyday life.

No matter the ground for the decision, their skills, their professional strengths, and their contribution can only be something positive for any technological field. Enjoy!
2. About this Publication

2.1. Overview

In today's digital age, the emphasis on information security has led to the need for sound information security policies. As a result, most organizations require experts who can develop such policies. The Certified Information Security Manager (CISM) certification program helps you obtain the skills that are essential for developing information security strategies. The curriculum of the CISM program includes four job practice areas:
- Information Security Governance
- Information Risk Management and Compliance
- Information Security Program Development and Management
- Information Security Incident Management

The first job practice area, information security governance, focuses on directing the development of an effective information security strategy. This direction ensures that the information security strategy achieves the security objectives of the organization, manages security risks, and makes effective use of the available resources.
This publication is the second of three items that cover the concepts of information security governance. It covers two important aspects of information security governance: determining the security strategy approach and the strategy development process.

The security strategy approach section begins by detailing the roles and responsibilities of the key participants involved in developing the strategy. It goes on to describe the models you can use to create the strategy, and concludes with the common pitfalls that can occur during strategy development. After discussing the approach required to create an effective strategy, the publication details the strategy development process. This section helps you create a roadmap to achieve the security objectives of the organization.
The section also helps you recognize the questions the strategy should answer and the types of objective it should cover. The actual process for developing the strategy is described as well. In addition, the section helps you identify the key elements of a business case for an information security program. It then covers assessing the current state of information security and determining its desired state. The section, and the publication, conclude with the important constraints you need to consider while developing the strategy.

2.2. Learning Objectives

- Match the key participants in developing an information security strategy with their corresponding responsibilities
- Recognize appropriate models for developing an information security strategy
- Label examples of pitfalls that organizations may encounter as they develop an information security strategy

Building an Information Security Strategy:
- Recognize questions that an information security strategy should answer
- Recognize two types of objectives an information security strategy should have
- Identify the key elements of a business case for an information security program
- Recognize key concepts related to approaches for determining the desired state of security
- Identify the aspects of security that must be assessed when determining the current state
- Identify the components of a roadmap for achieving security objectives
- Match constraints that must be considered when developing an information security strategy to their corresponding descriptions
3. Table of Contents

1. About "+W Series - Technology Skills for Women" ... 3
2. About this Publication ... 4
2.1. Overview ... 4
2.2. Learning Objectives ... 6
4. Foreword ... 9
5. Defining Information Security Strategy ... 10
5.1. Information security strategy ... 10
5.2. Quiz - Information security strategy ... 19
5.3. Summary ... 19
6. Information Security Strategy Development Models ... 21
6.1. Models for strategy development ... 21
6.2. Quiz - Strategy Development Models 1 ... 23
6.3. Quiz - Strategy Development Models 2 ... 26
6.4. Summary ... 27
7. Common Pitfalls of Strategy Development ... 28
7.1. Pitfalls of strategy development ... 28
7.2. Quiz - Pitfalls of strategy development 1 ... 31
7.3. Quiz - Pitfalls of strategy development 2 ... 34
7.4. Quiz - Pitfalls of strategy development 3 ... 34
7.5. Summary ... 35
8. Developing an Information Security Strategy ... 36
8.1. Exercise overview ... 36
8.2. Identifying roles and responsibilities ... 36
8.3. Quiz - Identifying roles and responsibilities ... 36
8.4. Analyzing strategy definition ... 37
8.5. Quiz - Analyzing strategy definition ... 37
8.6. Aligning strategy with business goals ... 37
8.7. Quiz - Aligning strategy with business goals ... 38
8.8. Choosing the development model ... 38
8.9. Quiz - Choosing the development model ... 38
8.10. Identifying development pitfalls ... 38
8.11. Quiz - Identifying development pitfalls ... 39
9. References ... 40
11. Answers to Quizzes ... 54
4. Foreword

In today's business environment, companies and individuals are increasingly adopting the Internet, portable storage media, and wireless technologies for accessing, storing, and sharing information. The use of technology has made access to information easy and affordable, but it has also increased problems such as theft, damage, and misuse of information. Besides damaging the reputation of an organization, these threats can also lead to major financial losses. So it is extremely important for an organization to safeguard its critical information through information security.

Information security is about protecting verbal, written, electronic, published, and other forms of information that involve people and technology. This protection needs to exist regardless of whether the information is being read, generated, processed, stored, or transferred. The objective of information security is to preserve the confidentiality, integrity, and availability of information. Information should be protected from loss, misuse, unauthorized access, and destruction throughout its life cycle, for as long as it is being used in the organization.

Information security differs from IT security. IT security focuses on technology and the provision of secure IT services, and is usually carried out at the level of the chief information officer (CIO). Information security is broader: it covers information in every form and every process that handles it, not only the IT systems.
A. Information Security Strategy and Objectives

5. Defining Information Security Strategy

After completing this passage, you should be able to:
- Match the key participants in developing an information security strategy with their corresponding responsibilities.

5.1. Information security strategy

With the range of information sharing tools available today, control over the security of information assets in an organization is critical. The information assets of your organization are exposed to security lapses. Therefore, information security, which protects the information assets of an organization, needs to be constantly analyzed and updated.

One way of reducing vulnerabilities and securing the information assets of your organization is to develop an effective information security strategy. This strategy is an organization-specific approach that is aligned with your business objectives and maintains the confidentiality, integrity, and availability of your information assets. An effective information security strategy helps you address the security concerns of stakeholders across the organization. It clearly states what the organization offers its shareholders, employees, customers, and communities, and it specifies the kind of business the organization intends to conduct.
[Diagram: the security strategy moves the security of information assets from their current state toward the goal; the goal is expressed in terms of Confidentiality, Integrity, and Availability.]

The information security strategy also helps you move the security of your information assets from their current state to the desired state. To achieve this, the security strategy helps you develop security policies and plans that align with the organization's security objectives, purposes, or goals. These security policies and plans help you develop security programs that safeguard information assets within the limitations of your organization. These plans also detail the steps for monitoring the information assets for possible security breaches and note the corresponding corrective actions.

For the information security strategy to be effective, it should be developed to achieve certain basic high-level outcomes:
- Strategic alignment: Strategic alignment is one of the basics of a good information security strategy. It means that the strategy aligns with the organization's business objectives. Such a strategy also considers the organizational structure, processes, threats, risks, and vulnerabilities.
- Risk management: Information assets are exposed to security threats, and managing such risks is essential for developing an effective strategy. Risk management involves risk mitigation initiatives that reduce the impact of the risks on the asset to an acceptable level.
- Value delivery: Value delivery is achieved by estimating the cost of resources and the effort involved in developing and implementing the strategy. Monitoring and optimizing costs and effort support decision-making during the development of the strategy.
- Resource management: The information security strategy should ensure that security processes and practices are created to manage resources and knowledge effectively. This can be done by using the information security knowledge and infrastructure already in the organization.
- Performance measurement: You need to determine whether the security strategy meets the security objectives by developing specific security measures and activities. In addition, you need to ensure that these measures and activities are implemented, monitored, and evaluated.
- Process assurance: Using process assurance, you can ensure that a process functions as planned. Developing assurance processes and evaluating their effectiveness makes strategy development easier.

Three key participants are involved in the development of the information security strategy:
- the board of directors or senior management
- the executive management and steering committee, and
- the chief information security officer (CISO) or the information security manager
[Diagram: Senior Management sets the Business Strategy, which feeds the Steering Committee and Executive Management. They own Risk Management and the Information Security Strategy, taking Strategy Inputs, Available Resources and Constraints, and producing Security Attributes. The CISO/Steering Committee turns these into the Security Action Plan, Policies and Standards, which become Security Programs that are implemented to meet the Security Objectives. Trend Analysis, Reporting and Monitoring/Metrics feed back to the CISO/Steering Committee.]

The diagram shows the three key participants: senior management, the steering committee and executive management, and the CISO/steering committee. Senior management determines the business strategy by setting the business objectives. The steering committee and executive management are responsible for risk management and the information security strategy, which involves determining the security attributes from the strategy inputs. The CISO/steering committee determines the security action plan and policies and sets the standards, ultimately creating the security programs. These programs are implemented to achieve the security objectives. Trend analysis, reporting, and monitoring are performed, and the results are fed back to the CISO/steering committee.

The board of directors and senior management play an essential role in identifying the critical information assets in an organization that need protection and the level of protection they need. Their involvement in strategy development also ensures that the information security strategy is aligned with the business objectives and business strategies.
The responsibilities of these participants extend to approving security policies, monitoring strategy implementation, and measuring and reporting the implementation progress. Apart from endorsing the security policies and plans, these participants also need to follow them diligently themselves, so that they set an example for the rest of the organization.

The executive management needs to lead and support the implementation of the information security strategy. Involvement of the executive management provides the momentum the organization needs to continue with the implementation. It also ensures timely availability of resources to meet the security objectives.
Most organizations also create a steering committee that includes senior executives representing all groups that have a stake in information security. Such a committee brings all stakeholders together and provides a reliable communication channel among them. The steering committee ensures that the information security strategy is aligned to business objectives and is implemented uniformly across the organization.
Some steering committees have a subcommittee, a risk council or risk committee, dedicated to risk management. This is because managing risks is an important aspect of information security and needs focused attention. This subcommittee proactively identifies risks, ranks them by priority, and flags the serious ones.

The steering committee and the executive management require a few strategic inputs for developing the security strategy:
- details of the comparison between the current and desired state of information security
- the organization's business processes and requirements
- results of the risk assessment
- results of the business impact analysis, and
- regulatory requirements

These days, organizations consider information security to be extremely important and have a chief information security officer, also known as the CISO, in addition to an information security manager or director. In many organizations the CISO role is taken on by the chief information officer (CIO), the chief security officer (CSO), the chief financial officer (CFO), or the chief executive officer (CEO).
Having a C-level officer in the information security hierarchy ensures that security initiatives are implemented at all levels. It also ensures the alignment of the security activities with the business objectives of the organization. This is because high-level positions carry the authority, responsibilities, and resources needed to make decisions and ensure successful strategy implementation.
A CISO or an information security manager creates an action plan based on the information security strategy that has been developed. The action plan details the security plans to be implemented, which are in line with the security objectives of the organization.

To create an action plan, you compare the current state of information security in the organization with the desired state. Based on the results of this comparison, you can determine the security requirements and priorities for the action plan. While creating the action plan, you also need to consider the resources that will become available and the constraints on those resources.

Apart from the action plan, during the strategy implementation you also create security policies that are aligned with the organization's security objectives. In addition, you need to create security standards that map to these security policies. These standards regulate the implementation processes and procedures and set acceptable limits. You also need to clearly define roles and responsibilities for implementing the information security strategy. But rolling out security policies and standards is effective only when you provide adequate awareness and education about them. So you need to run a comprehensive security awareness program to ensure smooth implementation of the security strategy.

For a successful implementation of the information security strategy, you also need to continuously monitor and measure its implementation. This is possible only if you have well-defined metrics for the strategy implementation. You can use the results of these metrics for reporting and analysis. These reports and analyses can help realign the implementation, if required. The CISO and the steering committee are responsible for the realignment initiatives.
5.2. Quiz - Information security strategy

Match the key participants involved in developing an information security strategy with their responsibilities. You may use each participant more than once.

Options:
A. Senior management
B. Executive management
C. Steering committee
D. CISO

Targets:
1. Business strategy
2. Risk management
3. Security action plan

Answer: see Endnotes.

5.3. Summary

Information security is used to protect the information assets of an organization. To implement information security, organizations adopt an information security strategy that is aligned with their business goals and objectives. The six high-level outcomes of effective information security governance guide the development of a successful strategy. These high-level outcomes are strategic alignment, risk management, value delivery, resource management, performance measurement, and process assurance.
Development and implementation of the information security strategy involves participants from all levels. The key participants in the development process are the board of directors or the senior management, the executive management and steering committee, and the chief information security officer or the information security manager. The board of directors or the senior management ensures that the information security strategy and its implementation activities are aligned with the business objectives and business strategy. They also help identify the information assets to be safeguarded and the extent of security required. The steering committee and the executive management implement the strategy and handle risk management. The CISO and information security manager create security action plans, security programs, and security policies.
6. Information Security Strategy Development Models

After completing this passage, you should be able to:
- Recognize appropriate models for developing an information security strategy.

6.1. Models for strategy development

You can use various approaches to develop the information security strategy of an organization. Traditional models used for developing the strategy rely heavily on forecasting the outcomes of information security strategy implementation based on the organization's goals or its mission or vision statements. Some of these models are based on the assumption that the future outcome of the implementation can be predicted from past events in the organization.

[Figure: Traditional Model. Mission Statement, Our Values, Our Goal and Our Objectives lead to the Information Security Strategy.]

The traditional model begins with a mission statement. It involves three steps: step one leads to step two, which leads to the final step, step three. Because traditional models are not based on current data or industry requirements, they are not adaptive to changes in the organization. To make traditional models adaptable, you should regularly monitor the key performance indicators, also known as KPIs, and the assumptions made during strategy development. Alternatively, you can use adaptive models such as the McKinsey model.
[Figure: Traditional Model (Mission Statement, Our Values, Our Goal, Our Objectives) beside the Adaptive Model (Step 1, Step 2, Step 3 arranged in a circle).]

The adaptive model consists of three phases in a circular diagram, with step one leading to step two, step two leading to step three, and step three leading back to step one.

Using the McKinsey model means that the information security strategy should ensure that the organization plans and implements a wide variety of security initiatives that address changes in the business environment. In addition, the organization needs to ensure that support for such commitments continues. According to the McKinsey model, an organization needs to regularly monitor and realign its initiatives to achieve better performance and improve shareholder value.

In the McKinsey model, organization initiatives are constantly updated based on the latest trends in the market. It doesn't rely blindly on taking risks based on past events. This makes the model adaptive. In the McKinsey model, to ensure that security initiatives are carefully managed, they need to be:
- distributed equally across the organization's core business activities to manage new challenges
- reviewed and updated regularly based on the changes in the business environment, and
- directed towards initiating new businesses

An organization can also ensure that the security initiatives improve shareholder value. This is possible when the organization's initiatives clearly target specific security aspects. The initiatives should also improve customer satisfaction and so improve shareholder value. The McKinsey model, being more adaptable, is best suited for organizations that need to manage a lot of change.

6.2. Quiz - Strategy Development Models 1

Your organization provides IT services based on cutting-edge technologies. Your team is in charge of developing an information security strategy and you've suggested the McKinsey model. Identify the reason for choosing the McKinsey model over traditional models.

Options:
1. Adapts to changes in the environment
2. Predicts the outcomes based on the organization's mission
3. Relies on the organization's past events to predict strategy implementation outcome
4. Takes initiatives that demonstrate commitment towards security

Answer (see Endnotes) ii

Another model that you can use for creating an information security strategy is the Sherwood Applied Business Security Architecture (SABSA for short). This model reinforces the importance of analyzing business requirements from a security perspective while developing a security architecture. This ensures that your organization's business goals are met without any compromise. The SABSA model specifies how the elements of the information security architecture are related. This model contains layers, each representing the view of key participants who develop the information security architecture. The layers also encapsulate the people, processes, policies, and technology involved in the security architecture.
There are six layers in the SABSA model:
- Business View – also called the Contextual Security Architecture
- Architect's View – also called the Conceptual Security Architecture
- Designer's View – also called the Logical Security Architecture
- Builder's View – also called the Physical Security Architecture
- Tradesman's View – also called the Component Security Architecture, and
- Service Manager's View – also called the Security Service Management Architecture

In practice, security service management issues can occur in any of the first five layers, and security service management can be interpreted appropriately in each of these five layers. So you can also place the Security Service Management Architecture layer vertically across these layers.

To create a complete security architecture for your organization with the SABSA model, you can use the SABSA matrix. This matrix is created by asking six standard questions – What, Why, How, Who, Where, and When – about the information security strategy. Each of these questions corresponds to one of the six views in the model. The Business View layer asks what, the Architect's View layer asks why, the Designer's View layer asks how, the Builder's View layer asks who, the Tradesman's View layer asks where, and the Service Manager's View layer asks when.
[Figure: SABSA matrix. Rows: Contextual Architecture (the Business View), Conceptual Architecture (the Architect's View), Logical Architecture (the Designer's View), Physical Architecture (the Builder's View), Component Architecture (the Tradesman's View), Service Architecture (the Service Manager's View). Columns: What? Why? How? Who? Where? When?]

The following standard questions, asked in each row of the matrix, cover all the details needed for creating the complete security architecture:
- What are the assets the security architecture is trying to protect?
- Why is the architecture protecting the assets?
- How is the architecture planning to protect the assets?
- Who is involved in protecting the assets?
- Where does the organization apply security initiatives for protecting the assets?
- When does the organization apply security initiatives for protecting the assets?

In the Business View layer, you deal with the analysis and definition of the business requirements that the security architecture needs to address. Analyzing these requirements while designing the initiative is essential for any organizational initiative to meet its planned outcome. During the analysis, you answer the six standard questions from the perspective of the Business View. This enables you to determine the business context in which you must design, create, and operate the security architecture. This layer protects business assets and manages risks. It does so by creating business security processes that will be implemented by the governance and management structures. The architecture of this layer is implemented in all applicable business locations and takes care of business time dependencies such as transaction throughput, lifetimes, and deadlines.
In the Architect's View layer, you create an overall concept that can be used to meet the business requirements. This is also where you define the principles and basic concepts for using the appropriate logical and physical elements in the lower layers. The Architect's View layer protects business attributes using control and enablement objectives. To do this, it uses high-level security strategies and frameworks. Senior management uses these strategies to implement security in the logical and physical security domains. Their scope is defined using a risk management framework applicable to the entire life cycle.

The Designer's View layer deals with the design process, which from an IT perspective is systems engineering. In this layer, the business is treated as a system with components and sub-systems. Here you define the important security elements, the logical flow of control, and the relationships between them.
You also implement risk management policies to protect information assets by specifying logical security services and their role in the complex security system. And you identify individual entities, security domains, and a schema of their relationships. Here you also specify the timelines for the related activities to be implemented.

In the Builder's View layer, the logical descriptions designed in the previous layer are translated into an actual implementation for building the security system. This layer protects business data assets, such as data structures, by implementing risk management practices. To protect the assets, it uses security mechanisms and the physical systems that host them.

In the Tradesman's View layer, you deal with the construction of security information systems. During this construction, you assemble products, install them, and, finally, integrate them. The components that you use in the construction include hardware items, software items, and standards and specifications for the information system's interfaces.

The Service Manager's View layer provides the framework to manage the operation of the security architecture. It involves activities such as maintaining the architecture in working condition and reviewing its performance to ensure it meets business requirements. In this layer, you typically deal with the security aspects of system operations and service management.

6.3. Quiz - Strategy Development Models 2

Your organization uses the SABSA model for developing its information security strategy and security architecture. The organization is analyzing the business requirements from the security perspective.
[Figure: the six SABSA layers: Contextual Architecture (the Business View), Conceptual Architecture (the Architect's View), Logical Architecture (the Designer's View), Physical Architecture (the Builder's View), Component Architecture (the Tradesman's View), Service Architecture (the Service Manager's View).]

The SABSA model has six layers – Business View, Architect's View, Designer's View, Builder's View, Tradesman's View, and Service Manager's View. Which layer in the SABSA model deals with this analysis?

Options:
1. Business View
2. Architect's View
3. Designer's View
4. Builder's View
5. Tradesman's View
6. Service Manager's View

Answer (see Endnotes) iii
6.4. Summary

Organizations can choose various approaches to develop an information security strategy. Traditional models rely on forecasting the outcomes of the implementation based on the organization's goals, mission and vision statements, or past events. However, these are not adaptive. So adaptive models such as the McKinsey model were created. The McKinsey model emphasizes regular reorientation of organization initiatives toward achieving better performance and improving shareholder value. This model is more adaptive because initiatives are constantly reviewed and updated to meet emerging market needs.

Another model organizations can use for creating the strategy is the SABSA model. This model reinforces the importance of analyzing business requirements from a security perspective while developing the security architecture. The SABSA model is a six-layered model. Each layer represents the view of key participants involved in developing the information security architecture. The six layers are Business View, Architect's View, Designer's View, Builder's View, Tradesman's View, and Service Manager's View.
7. Common Pitfalls of Strategy Development

After completing this passage, you should be able to:
- Label examples of pitfalls that organizations may encounter as they develop an information security strategy.

7.1. Pitfalls of strategy development

Designing and creating an information security strategy requires research and analysis. Without analysis, even if the contributors are experienced and the model used is appropriate, you might design a weak strategy. And a weak strategy cannot help an organization move to the desired state of information security.

Strategy development is organization-specific and its success depends on an organization's initiatives. Strategy failure is often caused by a lack of detailed analysis, which hinders the decision-making process. There are seven common pitfalls that can affect decision making:
- overconfidence
- optimism
- anchoring
- status quo bias
- mental accounting
- herding instinct, and
- false consensus

Overconfidence is one of the most common pitfalls of decision-making. Overconfident decision-makers blindly believe that they can make accurate estimates. While a practical approach is to specify a range of outcomes, overconfident decision-makers insist on quoting a specific estimate. This is especially dangerous when strategic outcomes are based on such estimates. It might lead to strategy failure because the decision-maker did not anticipate or plan for a range of possibilities. Overconfident decision-makers often overlook the need for risk management and mitigation.
Another common cause of poor decisions is optimism. Forecasts based only on optimism and not on detailed analysis can go wrong. Furthermore, if you predict strategy implementation outcomes based on overconfidence and over-optimism, your predictions can fail. Predictions based on optimism should be accepted only after all possible risks are analyzed and planned for. Risk analysis and management ensure that very little is left to chance: you hope for the best only after having done everything essential for information security.

Anchoring refers to the tendency of people to base decisions on a single aspect, trait, or piece of information, which is called an anchor. With anchoring, decision-making for strategy design is based on a single aspect instead of considering the situation as a whole. In strategy design, anchoring without detailed analysis to understand the complete situation can lead to failures.
For example, an information security strategy design that focuses only on e-mail security is likely to fail. This is because other security aspects, such as web security and authorized access, might be ignored.

The status quo bias is another common pitfall of decision-making. It refers to the reluctance of people to change their belief in known ideas and experiment with unknown ideas. In fact, the status quo bias makes you reluctant to try unknown things even if problems exist with known strategies. In the context of strategy development, this can translate to sticking to known practices and procedures even if they are faulty. In addition, researchers claim that people tend to make decisions that avoid losses. This is because they are more worried about a possible loss than attracted by a possible gain from experimenting with an unknown strategy.

Strategy designs can also be affected by the endowment effect, a bias related to the status quo bias. This bias suggests that people value what they have or know more than it's probably worth and are willing to do anything to retain it.
Mental accounting is the reason why some management members categorize money differently from others. This can lead to situations in which essential expenses are categorized as unnecessary and vice versa. For example, an organization might prefer to spend more on buying new antivirus software than on conducting awareness workshops across the organization on how to avoid virus attacks. Another organization might, however, decide to spend money and effort on conducting workshops rather than buying the software.

7.2. Quiz - Pitfalls of strategy development 1

During strategy development discussions, stakeholders state that some employees might not read the security policy completely. However, the information security officer reassures everyone that approximately 85% of employees read the policy before accepting it. Identify the pitfall indicated by this situation.

Options:
1. Overconfidence
2. Optimism
3. Anchoring
4. Status quo bias

Answer (see Endnotes) iv

The tendency of people to follow others is called the herding instinct. It is probably caused by the human tendency to want to obtain the approval of one's peer group, and thus to accept the general trend in order to gain acceptance. Often, the herding instinct can lead to a sudden sensitization in organizations to a specific security aspect or practice.
At the decision-making level, this can lead to opting for an incompatible security strategy just because it was selected by many other organizations.

False consensus is the attitude of senior management to blindly assume that a specific idea, behavior, or view of theirs is accepted by everyone. But senior management might not have any data to support this assumption. In addition, false consensus can cause people to underestimate risks or overestimate the validity of a view or an idea. This can lead to poor decisions during strategy design.

Apart from these common pitfalls, four other factors can also lead senior management to misdirect the decision-making process:
- Confirmation bias: Confirmation bias is the tendency of people to consciously retrieve information that supports their existing beliefs and views. Senior management can sometimes have a confirmation bias while developing a security strategy. It may lead them to obtain information that reinforces only their views and overlooks potential risks and problems. This can lead to inadequate decisions during strategy design and development.
- Selective recall: If members of senior management prefer to reiterate facts and information that support only their views and beliefs during strategy design, it is called selective recall. This leads management to think that their assumptions are right.
- Biased evaluation: Senior management sometimes resorts to biased evaluation during strategy development in an effort to develop a more acceptable security strategy. Biased evaluation refers to selectively collecting and accepting evidence that supports management's assumptions, while ignoring or rejecting evidence against those assumptions. This is dangerous because it can cause existing threats to be downplayed and lead to poor decisions.
- Groupthink: Often decisions in teams, such as the senior management team, can be based on groupthink. This is when members of the senior management team accept a decision just because most members agree, or to ensure there is minimal conflict within the group. In fact, groupthink often forces members to accept decisions without proper analysis or detailed evaluation.

Lack of detailed analysis and the failure to address the common pitfalls and other factors are the cause of most strategy failures. To avoid strategy failure, senior management should be open to suggestions from the various stakeholders and people involved in information security.
Getting everyone's consent ensures their cooperation in strategy design and implementation.
7.3. Quiz - Pitfalls of strategy development 2

The senior management in your organization wants to implement a security policy to block file sharing applications. This is because most organizations in the industry are implementing this. The management assumes that all stakeholders will agree to this policy implementation. What type of pitfall is the management team failing to avoid?

Options:
1. Mental accounting
2. False consensus
3. Herding instinct
4. Anchoring

Answer (see Endnotes) v

7.4. Quiz - Pitfalls of strategy development 3

Match the factors and pitfalls that affect decision making in strategy development with their corresponding examples.

Options:
A. Selective recall
B. Biased evaluation
C. Groupthink
D. Status quo bias

Targets:
1. Stakeholders remember incidents that support the proposed security policy
2. During a review of the proposed strategy, management members accept only views supporting the strategy
3. Management members accept a proposal in a team meeting without voicing their individual concerns
4. Stakeholders didn't want the new security policy immediately as they felt it might affect productivity

Answer (see Endnotes) vi

7.5. Summary

Strategy development is organization-specific and its success depends on how well decision-makers analyze the situation. Analysis of various strategy failures has revealed that seven common pitfalls lead to the failure of decision-making. These pitfalls are overconfidence, optimism, anchoring, status quo bias, mental accounting, herding instinct, and false consensus. In addition to these pitfalls, four factors can mislead decision-makers. These are confirmation bias, selective recall, biased evaluation, and groupthink.
8. Developing an Information Security Strategy

After completing this passage, you should be able to:
- Assess the effectiveness of a given management team's efforts to develop an information security strategy.

8.1. Exercise overview

In this exercise, you're required to assess the effectiveness of a team's efforts to develop an information security strategy. This involves the following tasks:
- identifying roles and responsibilities
- analyzing strategy definition
- aligning strategy with business goals
- choosing the development model, and
- identifying development pitfalls

8.2. Identifying roles and responsibilities

LondonCambridge Financial Services (LCFS) is an upcoming financial services company offering payroll processing services to its clients. Recently, there was a security incident involving the leaking of confidential information in one of its client organizations. Because of this incident, the company wants to form a team to develop an effective information security strategy. You've been assigned the role of the information security manager on this team. You need to help the organization select team members from various levels. The objective of the team is to come up with an information security strategy, implement it, and prevent future confidentiality breaches.

8.3. Quiz - Identifying roles and responsibilities

You need to help your organization build a team for developing an information security strategy. What are the mandatory roles that need to be represented in the team?

Options:
1. Senior management
2. Steering committee
3. Shareholders
4. Executive management
5. Risk committee

Answer (see Endnotes) vii

You've helped your organization form the team for developing an information security strategy. This team now consists of the senior management, the executive management, and you – the information security manager.

8.4. Analyzing strategy definition

After detailed discussions, your team arrives at the definition of the information security strategy for the organization. You want to step back and analyze the effectiveness and accuracy of the team's information security strategy.

8.5. Quiz - Analyzing strategy definition

You are now checking if the definition of the information security strategy is effective and accurate. What are the features that you need to check for in the information security strategy definition?

Options:
1. It lists the businesses the organization is to pursue
2. It details the security objectives, purposes, and goals of the organization
3. It details the financial contribution the organization needs to make to customers and stakeholders
4. It helps you address the security concerns of stakeholders

Answer (see Endnotes) viii

8.6. Aligning strategy with business goals

You've checked the information security strategy definition developed by the team and are convinced that it is effective and accurate. However, you aren't sure if the strategy is aligned with the business goals of your organization. The two most important business goals of the organization are establishing service continuity and availability, and improving customer orientation and service.
8.7. Quiz - Aligning strategy with business goals

Which group or individual is responsible for ensuring the alignment of the information security strategy with the business goals of the organization?

Options:
1. Senior management
2. Information security officer
3. Executive management
4. Risk committee

Answer (see Endnotes) ix

8.8. Choosing the development model

The team is functional and has successfully designed and implemented various security initiatives in the organization. The implementation is monitored regularly and various course correction plans are made whenever required. This ensures that all security initiatives are aligned with the business objectives and the security architecture of the organization.

8.9. Quiz - Choosing the development model

Which of these features of the development model followed by the team has assured the success of the strategy implementation?

Options:
1. Predicts the outcome of strategy implementation using past events
2. Defines strategy implementation outcome using the mission of the organization
3. Defines security initiatives targeting specific security aspects
4. Creates security initiatives that address changes in the business environment

Answer (see Endnotes) x

8.10. Identifying development pitfalls

A report of a recent fire accident in one of your client organizations reaches the team. The team becomes aware of the security measures the client organization is taking to avoid such incidents in the future. After the incident, the strategy development team wants to direct all its effort and time toward fireproofing information assets. A lot of resources are also allocated to spreading awareness about fire safety.
8.11. Quiz - Identifying development pitfalls

In strategy discussions, the executive management repeatedly insists on identifying the fire marshals on the premises and conducting fire drills every month. What types of pitfall is the management team failing to avoid?

Options:
1. Herding instinct
2. Mental accounting
3. Anchoring
4. False consensus

Answer (see Endnotes) xi
9. References

- CISM Review Manual, W. Krag Brotby (Editor), ISACA, ISBN 9781604202137.
- Information Security Governance: Guidance for Information Security Managers, W. Krag Brotby, ISACA, ISBN 9781933284736.
- Information Security Management Handbook, Harold F. Tipton and Micki Krause, CRC Press, ISBN 9780849374951.
- https://www.slideshare.net/TISAProTalk/prinya-acis-slide-for-swpark-it-information-security-human-resource-development-plan-for-aec-2015tisa-ptotalk-22554
10. Information Security Governance Glossary

A
acceptable interruption window: See AIW.
acceptable use policy: A set of clear rules and responsibilities on the extent of use, which guides users accessing the organization's resources.
access control: A set of measures that restricts unauthorized access to an organization's resources.
access control list: See ACL.
access right: A permission or privilege that allows a user to use or modify data as specified by the data owner and the information security policy.
accountability: The responsibility for a particular event or activity, assigned to a user or a party.
ACL: Abbreviation for access control list, a list of permissions assigned by an administrator for accessing a system or application.
activation: The process of initiating a system, a service or an agreement and making it functional.
administrative control: A set of guidelines for processes that improve the functioning of a system or a service and help it to remain within standards.
aggregated risk: A collection of risks that occurs when a single threat or many threats simultaneously affect many minor vulnerabilities. Measured individually, the effects of these risks may be modest, but when all of them combine they can have devastating effects on the organization.
AIW: Abbreviation for acceptable interruption window, the duration for which a computer or a service can remain inaccessible without hampering the achievement of business objectives.
ALE: Abbreviation for annual loss expectancy, the annual expected financial loss to an information asset from a threat.
alert situation: A situation in an emergency procedure that occurs when the time taken by unsuccessful resolution attempts goes beyond a predetermined limit. An alert situation usually triggers escalation.
alternate facility: An optional location with resources to implement an emergency or backup process if the main facility is not available.
alternate process: An optional process created for performing critical business processes from the time a process fails until the time it returns to normal.
analysis of technical components and architecture: An evaluation of the components of the technical security architecture to determine how individual components contribute to the organization's overall security.
anchoring: An incorrect tendency to base present estimates or forecasts on a value previously presented. Anchoring may lead to the failure of an organizational strategy.
annual loss expectancy: See ALE.
annualized rate of occurrence: See ARO.
antivirus software: An application that protects a computer from damage that may be caused by a computer virus, worm, or other malicious code. It identifies potential threats or infected files and takes action against them, usually by deleting or quarantining the affected files.
application control: A process of monitoring and managing manually or automatically performed activities so that all records are valid, complete and correct.
application layer: A layer of the Open Systems Interconnection model that allows effective communication between two applications in a network.
application-level controls: A control activity supported by the technology for specific business information processing.
ARO: Abbreviation for annualized rate of occurrence, the number of times a threat to an information asset is likely to occur in a year.
assurance process integration: Integration of an information security program with other assurance processes in an organization, including human resource management, risk management, IT security, legal compliance, auditing, and implementation of physical security.
attack: An event in which access to information is forced, usually without any authorization.
audit: A process that checks the functioning of controls and strategies and their adherence to the accepted standards.
audit trail: A collection or log of records regarding activities performed on a computer, along with user details.
auditability: A feature of data transactions that helps to follow and evaluate these transactions through a system.
authentication: A process of checking the identity of a user or a computer and their access rights.
authorization: An approval that provides permission to access resources that are required for approved tasks.
availability: The state of a resource or any information in which it is ready for use when required. Availability is usually expressed as the percentage of time that a resource, such as a computer or a server, is functional.

B
backup center: An alternate facility that helps perform information technology or information security related functions when the main site is not available.
BCM: See business continuity management.
BIA: Abbreviation for business impact analysis, also known as business impact assessment; a process that identifies the adverse effect on a business that may be caused by a lost resource.
biometrics: An access control mechanism that uses a person's behavioral or physiological attributes for identification or authentication.
BMIS: Abbreviation for Business Model for Information Security, a model that manages information security with a business-oriented approach.
board of directors: Also known as senior management. A team of experienced people that provides guidance, approval, and evaluation of information security.
business case: Documentation used to explain why investment should be made in a particular area. A business case combines several weighted measures to rate a project or task. The measures relate to financial performance, customer measurements, internal operations, and learning and growth over the lifetime of a project or task.
business continuity management: Abbreviated to BCM, a process that reduces the effects of interruptions, restores services, and protects crucial business processes.
business dependency analysis: A process that studies the level of dependency of a business on a resource.
business dependency assessment: In information asset classification, a process that allows identification of resources important for the functioning of a business process. Business dependency assessment helps allocate protective activities.
business impact analysis: See BIA.
business impact assessment: See BIA.
Business Model for Information Security: See BMIS.
business process assurance: An outcome of effective security management that is the information security manager's responsibility. The information security manager interacts with different assurance providers and incorporates their activities with information security activities.

C
CA: Abbreviation for certificate authority, an application that issues digital certificates to registered entities.
cascading risk: A group of risks that occur when one risk creates a chain of events that results in several risks. This may result in major failures, leading to heavy losses for the organization.
certificate authority: See CA.
chain of custody: A process that checks and ensures the authenticity and completeness of evidence in a legal proceeding.
change management: A proactive, holistic process to manage the change between organizational states. Change management focuses on human aspects of the change process, such as culture change, rewards, team building, and communication.
chief information officer: Abbreviated to CIO, the person responsible for planning the funding and performance aspects of information technology along with its security.
chief security officer: See CSO.
CISO: Acronym for chief information security officer; see information security manager.
cloud computing: A network of remote computers hosted over the Internet to store, manage, and process data. A third-party service provider offers cloud-based resources in which resources such as networks, servers, storage, and applications are distributed across various pooled servers at remote datacenters, and often across multiple datacenters in different locations. See IaaS, PaaS, and SaaS.
COBIT: Acronym for Control Objectives for Information and related Technology. A set of internationally approved objectives that provide guidelines for IT control, published and updated by the IT Governance Institute.
code of ethical conduct: A contract that security personnel should be made aware of and adhere to regarding ethical issues – specifically issues surrounding the protection, use, and storage of information.
cold site: A type of offsite backup facility that includes only basic requirements, such as flooring, air conditioning, and wiring, to operate as an information processing facility. However, this site takes a long time to be activated and requires the business to provide other equipment.
Committee of Sponsoring Organizations: See COSO.
community cloud: A type of cloud computing where the cloud (network) offers an infrastructure that several organizations with common interests and IT infrastructure requirements can share.
compensatory controls: A control mechanism that adds control steps to lessen the effect of a risk when the risk increases.
compliance: A control area that checks an organization's adherence to legal and security standards or requirements.
Compliance Department: An organizational department that manages regulatory compliance policies and standards. This department may be independent or it may form part of the Legal Department.
compliance enforcement: An activity of the information security program that ensures constant adherence to security policies and standards.
confidentiality: A process of safeguarding critical or private data from being accessed without permission or misused.
configuration management: A process that enables organizations to manage changes to a complex system, such as an information system, so that the system maintains its performance and integrity over its lifetime.
Control Objectives for Information and related Technology: See COBIT.
controls: A set of strategies that helps mitigate risks and achieve business objectives.
corporate governance: A set of policies that helps the board of directors guide and manage an organization.
corrective controls: A proactive measure to quickly recover from data loss or any other damage caused by a security breach. Disaster recovery methods, such as data backup and recovery, are examples of corrective controls.
COSO: Abbreviation for Committee of Sponsoring Organizations of the Treadway Commission; a team of people that guides and provides internal control for all organizations.
countermeasures: A set of processes that decreases the chances of a threat occurring.
critical success factor: Abbreviated to CSF. One of the factors that helps achieve Sarbanes-Oxley compliance by managing controls, determining tests for effectiveness, and assigning resources to implement this testing.
criticality: A measure of the impact of a computer or a service failure on the organization.
CSF: See critical success factor.
CSO: Abbreviation for chief security officer; see information security manager.

D
DAC: Acronym for discretionary access control. A type of access control that restricts data access for a user or a computer, but allows users or computers to transfer their access permission to each other.
data classification: A process of dividing data into levels based on its sensitivity and criticality. These levels indicate how important the data is to the organization.
data warehouse: An electronic system that stores and manages a large amount of data with the help of advanced searching and filtering techniques.
database management systems: A technology that stores data in the form of records and specifies the level of access that a user has to the system.
decoy server: See honeypot.
defense in depth: A technique of protecting information with layers of controls, in which all layers are not affected by the same threat or risk.
degauss: A process of removing magnetic disturbances or fields around magnetic recording media by applying different degrees of alternating current to it.
demilitarized zone: See DMZ.
detective controls: Controls that help you identify any hindrances or threats to information security. Examples include intrusion detection methods, checksums, and security audits.
deterrent controls: Controls that discourage hackers and malicious users from breaching the information security setup. Examples include punitive action against unauthorized use, and preventive control techniques such as access cards and user authentication.
digital code signing: A process in which digitally signed computer code is used to ensure integrity.
disaster declaration: A statement that communicates the implementation of the disaster recovery plan to the required stakeholders.
disaster recovery plan: A preset strategy that helps to restart the operation of an interrupted service with the help of resources and processes.
discretionary access control: See DAC.
DMZ: Abbreviation for demilitarized zone, an additional zone between the Internet and a private network that doesn't allow external users to access internal data.
DNS: Abbreviation for domain name system, a service that provides translation between an IP address and a web address. The translation depends upon a hierarchical naming system.
domain name system: See DNS.
dual control: A process that uses more than one person to protect a computer resource from single-entity access.
due care: The appropriate level of concern that is required from a person of a particular level in the relevant situation.
due diligence: The appropriate level of thoroughness that is required for an evaluation or an analysis.
duplicate information processing facilities: A set of facilities dedicated to recovery sites that are used like a primary site.
dynamic interconnection: A factor that controls different elements of the BMIS model and maintains the balance of the model.

E
EF: Abbreviation for exposure factor, a possibility of event occurrence equal to the percentage of information asset loss caused by a threat.
encryption: A control mechanism that uses an algorithm to encode data so that only authorized users can read the transmitted information.
end user: A person who uses a computer that is maintained by somebody else.
enterprise governance: A set of guidelines implemented by the board of directors and executive management. These guidelines provide guidance, help to achieve objectives, ensure proper management of risks, and verify judicious use of resources.
enterprise information security architecture: The structure of an organization's information security systems.
enterprise risk management: A process of managing risks, controlling their impact, and achieving business objectives.
ERM: Abbreviation for enterprise risk management.
executive management: A team of people that provides continuous support and guidance in the process of setting objectives and implementing effective security governance.
exposure: The extent of the negative impact that a weakness in a resource or a service can cause.
exposure factor: See EF.

F
Factor Analysis of Information Risk: See FAIR.
FAIR: Acronym for Factor Analysis of Information Risk. A risk assessment methodology that splits a risk into several components and analyzes each component in detail. This method involves detailed analysis of both the risk and its control measures.
firewall: A security technology that forms a boundary and protects a computer or a network from unauthorized external access.

G
gap analysis: A process, often applied to security, which examines the difference between existing and expected conditions.
governance: A process in which continuous control and direction is provided by people with experience and expertise.
governance, risk management, and compliance: See GRC.
GRC: Abbreviation for governance, risk management, and compliance. In information security governance, a methodology that organizations use to bring together governance, risk management, and compliance.
guideline: A suggestion or a best practice that supports a user while performing a procedure. A guideline, unlike a standard, is not mandatory.

H
hashing: A mechanism that converts an input string of any length into a standard-length string to ensure that the transmitted message is not corrupted.
honeypot: Also known as a decoy server. A server that protects computers against unauthorized access and attacks by detecting and monitoring such users.
hot site: An offsite backup facility that has all the required hardware and software resources and is ready to be used as an alternate facility.
hybrid cloud: A type of cloud computing that is a combination of at least one private and one public cloud – for example through a partnership between a private and a public cloud service provider.

I
IaaS: Abbreviation for Infrastructure as a Service. A cloud computing model that can provide storage, processing, networks, and other essential computing resources. IaaS enables customers to operate any required software and operating systems.
IDS: Abbreviation for intrusion detection system, an automated system that monitors network and host activities for suspicious activity that may indicate an attack.
impact: An outcome when a threat exploits a vulnerability and leads to loss of information assets.
impact analysis: An examination of information resources to study their criticality to the organization, which helps in strategizing recovery.
IMT: Abbreviation for incident management team. A group of experts that helps the organization identify and manage information security incidents. This group usually consists of an information security manager, a steering committee, and dedicated and temporary team members. The information security manager usually leads the team.
incident: An unplanned interruption, such as a server breakdown or unauthorized intrusion, which adversely affects business continuity.
incident management and response: A process that involves detecting incidents that threaten an organization's information assets, preventing their occurrence, and taking corrective actions to control and limit damage.
incident management charter: A document that establishes the IMT and describes its roles and responsibilities when managing and responding to information security incidents.
incident management metrics: Criteria used to measure the efficiency and effectiveness of the incident management and response process.
incident management team: See IMT.
incident response plan: A plan that identifies the steps to be taken and the resources to be used if an event has an adverse impact on the organization's information assets.
incident response team: See IRT.
information risk: Potential problems that could put organizational data at risk, including the potential loss or inappropriate exposure of information.
information risk management: A process that manages risks related to information security with the help of management policies and processes.
information security governance: A set of practices implemented by the board and executive management. Besides providing guidance, achieving objectives, ensuring proper management of risks, and verifying judicious use of resources, these practices also protect data.
Information Security Incident Management: The fourth job practice area of CISM, which describes the activities of the information security manager to maintain operations, minimize the impact of risk, and restore normal operations after system failures, disruptions, incidents of misuse, or other unforeseen events.
information security investments: Incentives used to measure the effectiveness of an information security program – typically by comparing the budgeted costs of work scheduled and work performed against the actual cost of the program.
information security management framework: A conceptual representation of the structure used to manage information security.
information security manager: Also known as the chief information security officer, vice president of security, or chief security officer. An executive level of authority, present in every organization, with expertise in planning and budgeting.
information security program: A collection of technical and operational measures that maintains the confidentiality, integrity, and availability of information.
information security program development: A process of creating a program that implements an information security strategy by coordinating activities, projects and initiatives.
Information Security Program Development and Management: The third job practice area of CISM, which describes the activities of the information security manager to ensure the information security program is developed and managed in line with the organization's overall goals.
information security program resources: The resources used to develop an information security program and achieve a specific level of security.
integration: In information security governance, an outcome that ensures seamless operation among all processes by combining all factors affecting the operation.
integrity: The complete nature of information that ensures its correctness and validity.
Internet service provider: See ISP.
interruption window: The period of time that a business can endure from the failure of a service or an application to its restoration. Beyond this duration, losses will adversely affect the business.
intrusion detection: A security technology that monitors activities on a computer to identify an attack or access without permission.
intrusion detection system: See IDS.
IRT: Abbreviation for incident response team. A team that focuses on responding to incidents. The team usually includes incident handlers, investigators, forensic experts, and physical security experts.
ISO/IEC 17799: A standard approved by the International Organization for Standardization, which defines the confidentiality, integrity, and availability of information.
ISO/IEC 27001: An international standard based on ISO/IEC 17799, which includes a set of principles on information security management.
ISO/IEC 27001:2005: In IT security, a standard that specifies practices and objectives for controls.
ISP: Abbreviation for Internet service provider, a third-party supplier that provides organizations or home users with a connection to the Internet.

K
key goal indicator: See KGI.
key performance indicator: See KPI.
key risk indicator: See KRI.
KGI: Abbreviation for key goal indicator. A project metric that defines what goals have to be accomplished.
KPI: Abbreviation for key performance indicator, a performance factor that indicates if the process objectives are being achieved.
KRI: Abbreviation for key risk indicator, an indicator that registers when the risk level of an organization exceeds a certain defined level.
M
MAC: Acronym for mandatory access control. A type of access control that restricts data access depending on different security requirements and permissions required for the data.
management support technologies: A set of supporting technologies that provide management features and automate security procedures.
mandatory access control: See MAC.
maximum tolerable downtime: See MTD.
maximum tolerable outage: See MTD.
maximum tolerable outages: See MTO.
metrics: Technical and statistical measures used to determine whether the controls implemented as part of an information security program are functioning properly and meeting an organization's security objectives.
mirror sites: A set of sites similar to primary sites, which are used as load-sharing information processing facilities.
mobile site: A type of offsite backup facility that is portable and can be transported to any location to act as an information processing facility.
monitoring policy: A set of rules that describes the recording and interpretation of information about computer, network, and application use.
MTD: Abbreviation for maximum tolerable downtime, also known as maximum tolerable outage or MTO. The maximum period of time for which the organization can support processing in an alternate mode. Various factors will determine the MTO, including increasing backlogs of deferred processing. This, in turn, is affected by the SDO if it is less than that required during normal operations.
MTO: Abbreviation for maximum tolerable outages, the maximum period of time for which an organization can support operations in an alternate mode.

N
National Institute of Standards and Technology (NIST) risk assessment methodology: A technique used to assess risks in the system development life cycle (SDLC). The NIST risk assessment methodology uses a nine-step process to identify and evaluate risks to an organization: identifying system characteristics, identifying threats, identifying vulnerabilities, analyzing control measures, determining the probability of threat occurrence, analyzing the impact of risk on the business, determining the risk, recommending risk control measures, and documenting the risk assessment reports.
native control technologies: A set of new and comprehensive security features that are incorporated with business information systems.
nonrepudiation: A feature that provides proof of the origin of data, which can then be verified by another person or stakeholder. Usually, the origin of data is with a particular party or a person.

O
Open Shortest Path First: See OSPF.
operational controls: Controls that deal with an organization's everyday operations, helping to ensure that all objectives are achieved.
OSPF: Abbreviation for Open Shortest Path First. A link-state IP routing protocol that selects the best route to each known subnet. It provides quick convergence and the ability to scale to large networks.
overconfidence: A reason that causes an organizational strategy to fail because of undue confidence while estimating figures or alternatives.
P
PaaS: Abbreviation for Platform as a Service, a cloud computing model that helps organizations deploy their software on a provider's infrastructure using tools and languages supported by the provider.
packet filtering: A feature that provides or denies access to data packets entering or leaving a network depending on a set of rules.
penetration testing: A process where the effectiveness of a security defense is checked in a live environment by introducing mock attackers.
performance measurement: In information security governance, an outcome that reviews the operation of information security processes, identifies weaknesses, and provides feedback.
plan-do-check-act model: A methodology used to manage and continually improve the quality of an information security program based on four processes: Plan, Do, Check, and Act.
policy: A high-level statement documenting a management decision about principles, courses of action, and business strategies. A policy encompasses the organization's philosophy and strategy relating to the subject matter, and describes how policy compliance will be checked and measured, the consequences for violating policy, and how exceptions will be handled.
policy compliance: Ensuring that individuals and groups comply with organizational policies.
port: 1. A connection between a CPU and a peripheral device. 2. A virtual space that allows organized connection between remote services and a host.
PRA: Abbreviation for Probabilistic Risk Assessment. A method of risk assessment used in industries with complex technological operations such as oil and gas production, nuclear power, and aeronautics. PRA takes into consideration the severity of a risk and the chances of the risk occurring. The outcomes of the risk are assigned numerical values. The total risk is calculated by adding together the products of severity and chances of occurrence.
preventive controls: Controls that don't allow hindrances to materialize, including access control enforcement, encryption, and authentication.
principle of least privilege: A strategy that involves dividing access to resources, so that those requiring little access have minimum system privileges.
privacy: A state of a computer or a network in which there is no scope for intrusion or information disclosure without permission.
privacy officer: A person responsible for ensuring the appropriate protection of information and managing compliance with the privacy regulations. The role this person fulfils may be independent or form part of the Compliance Department.
private cloud: A type of cloud computing where the cloud (network) is reserved for use by one organization that requires a high level of control over its data and security.
Probabilistic Risk Assessment: See PRA.
procedure: A linear list of steps that helps users to perform operations while adhering to standards.
project management: The task of managing resources to achieve the goals of a particular project and meet the organization's objectives.
public cloud: A type of cloud computing where the cloud (network) is available for use to the general public or to large industry groups, which may reserve part of the cloud.
public/private-key encryption: Also known as asymmetric encryption, a type of encryption algorithm that uses a key pair, where one is a public key and the other is a private key. Only the person with the private key can encrypt data.

Q
qualitative risk analysis: A process that is used when there is a lack of adequate numerical data. This analysis describes risks, their impact, causes, and likelihood of occurrence. It helps you to identify aspects of risk that are not tangible, for example image, reputation, and culture.
quality management: The task of ensuring that results consistently meet the expectations of the customer. A business initiative aimed at ensuring that an information security program is managed and controlled in a way that yields appropriate results and delivers value to an organization.
quantitative risk analysis: A process that gives numerical values to the impact of a risk and the likelihood of the risk occurring. This analysis also uses several statistical models, such as Monte Carlo simulation, to calculate these values.

R
RACI chart: A responsibility matrix that charts work objectives, or tasks, down one column and the names of people who are responsible for each task across the top. One of four letters identifies the nature of each person's involvement: R for Responsible, A for Accountable, C for Consult, or I for Inform.
RAID: Acronym for Redundant Array of Inexpensive Disks. A set of interdependent disk drives that provides a large amount of storage space and helps improve performance.
reciprocal agreement: A contract in which two or more organizations with similar infrastructure mutually agree to provide processing time to each other during an emergency.
recovery point objective: See RPO.
recovery sites: Locations that an organization can use to continue operations in the event that an incident prevents this at the primary business site.
recovery time objective: See RTO.
Redundant Array of Inexpensive Disks: See RAID.
release management: A holistic process that considers resource planning, management, and other technical and non-technical aspects when changes are applied to an IT service. Release management uses formal procedures and checks to protect the live environment and its services.
residual risk: The possibility of a risk occurring after countermeasures and controls are implemented.
resilience: The ability of a computer or a service to successfully tolerate problems caused by events.
resource dependency analysis: An analysis that determines the applications used to perform basic activities in a business and also what resources are required to perform these activities.
resource management: In information security governance, an outcome that manages knowledge and infrastructure resources to ensure their availability, documentation, and judicious use.
RFA: Abbreviation for Risk Factor Analysis. A risk assessment methodology that identifies the fundamental reasons that eventually hamper a project. These reasons are mostly related to time, budget, scope, and performance constraints in a project. The prime consideration in RFA is the possible impact that risks will have on organizational operations and assets, and not the possibility of occurrence.
risk: A phenomenon that occurs after a weakness is exposed to a threat and compromises the organization's information assets.
risk acceptance: The decision to accept a risk if its elimination is impractical or uneconomical. Every organization has a defined level of risk acceptance.
risk acceptance framework: A framework that defines the authority that decides whether or not the risk should be accepted. This is done on the basis of the severity level of the risk – low, medium, high, and severe.
risk assessment: A process that measures a risk in terms of the qualitative and quantitative effect it has on the business.
risk avoidance: A process that helps to bypass a risk in an organized manner and thereby helps manage the risk.
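The quantitative terms scattered through this glossary (exposure factor, annualized rate of occurrence, annual loss expectancy, aggregated risk, residual risk, risk acceptance) and the PRA rule of adding together the products of severity and chance of occurrence fit together in one small calculation. The Python example below is added to these notes and is not taken from the original slides or from ISACA's material. It assumes the conventional decomposition in which a single loss expectancy (SLE, a term this page does not use) is asset value multiplied by EF, and ALE is SLE multiplied by ARO; the asset values, factors and control costs are constructed sample figures, not real data.

```python
"""Worked quantitative risk analysis with the glossary's terms.

Added example (not from the study notes). Assumptions, labelled here and in
the lead-in:
  * SLE = asset_value * EF          (SLE is not a term defined on this page)
  * ALE = SLE * ARO
  * PRA total risk = sum over scenarios of severity (SLE) * likelihood (ARO),
    which equals the sum of the scenarios' ALEs, i.e. the aggregated risk
  * residual ALE is the ALE recomputed with the EF and/or ARO a control
    leaves behind; a control is worthwhile when the ALE it removes exceeds
    its annual cost
All figures in SAMPLE are constructed and carry no real-world meaning.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float  # value of the information asset, in currency units
    ef: float           # exposure factor: fraction of asset value lost per event (0..1)
    aro: float          # annualized rate of occurrence: expected events per year


def sle(s: Scenario) -> float:
    """Single loss expectancy: the value lost in one occurrence (assumed formula)."""
    if not 0.0 <= s.ef <= 1.0:
        raise ValueError(f"EF must be a fraction between 0 and 1, got {s.ef}")
    return s.asset_value * s.ef


def ale(s: Scenario) -> float:
    """Annual loss expectancy: SLE times ARO."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(s) * s.aro


def pra_total(scenarios: Iterable[Scenario]) -> float:
    """PRA-style total risk: add together severity x chance of occurrence."""
    return sum(ale(s) for s in scenarios)


def residual_ale(s: Scenario,
                 ef_after: Optional[float] = None,
                 aro_after: Optional[float] = None) -> float:
    """ALE that remains after a control lowers EF, ARO, or both."""
    changed = replace(s,
                      ef=s.ef if ef_after is None else ef_after,
                      aro=s.aro if aro_after is None else aro_after)
    return ale(changed)


def control_is_worthwhile(s: Scenario, annual_cost: float,
                          ef_after: Optional[float] = None,
                          aro_after: Optional[float] = None) -> bool:
    """A control pays for itself when the ALE it removes exceeds its annual cost."""
    return (ale(s) - residual_ale(s, ef_after, aro_after)) > annual_cost


def exceeds_acceptance(scenarios: Iterable[Scenario],
                       acceptable_annual_loss: float) -> bool:
    """Compare the aggregated ALE with the organization's defined risk acceptance level."""
    return pra_total(scenarios) > acceptable_annual_loss


# Constructed sample scenarios (hypothetical figures, not measurements).
SAMPLE = [
    Scenario("ransomware on file server", asset_value=500_000, ef=0.40, aro=0.5),
    Scenario("laptop theft", asset_value=5_000, ef=1.00, aro=4.0),
    Scenario("web app defacement", asset_value=50_000, ef=0.10, aro=2.0),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.name:28s} SLE={sle(s):>10,.0f}  ALE={ale(s):>10,.0f}")
    print(f"PRA total (sum of severity x likelihood): {pra_total(SAMPLE):,.0f}")
    # Hypothetical control: offline backups assumed to cut the ransomware EF
    # from 0.40 to 0.10 at an annual cost of 15,000.
    print("backups worthwhile:",
          control_is_worthwhile(SAMPLE[0], 15_000, ef_after=0.10))
    print("total exceeds acceptance level of 100,000:",
          exceeds_acceptance(SAMPLE, 100_000))
```

Running the script lists each scenario's SLE and ALE, the aggregated total, and whether the hypothetical backup control removes more annual loss than it costs. The same functions let you compare the residual total against the organization's risk acceptance level, which is the decision the risk acceptance framework entry above describes.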