Information Security Governance #2A

Study Notes www.SlideShare.net/OxfordCambridge
Page 1 sur 62
Information Security Governance:
#2 Security Strategy and Objectives
A) Information Security Strategy and Objectives
Study Notes - v.1.0
+W Series - Technology Skills For Women.1
1 Men too are allowed to read this, if they wish, as the language style and the document format are universal.

Information Security Governance: #2 Security Strategy and Objectives Part A)
______________________________________________________________________________
Study Notes www.SlideShare.net/OxfordCambridge Page 2 of 62
Note for the reader:
Information Security Governance: #2 Security Strategy and Objectives will consist of 2 published
document:
A) Information Security Strategy and Objectives
B) Building an Information Security Strategy
Keywords:
information security, information security governance, information security governance
framework, information security components, information security culture, information security
behaviour, COBIT, ISO 17799, SABSA, risk management, corporate governance, IT audit,
business information risk, information security management, operational management,
compliance management, risk management, information systems security, security, governance,
theory of anomie, behavioral aspects, principal agent theory, end-user security behaviors,security
policy compliance,Certified Information Systems Security Professional, CISSP, ISC, CISO,
ISO,ISACA,CISM, information security strategy, information security program, state of security,
information security objectives, security strategy development models, information security
roadmap, skills for women, Certified Information Security Manager,

______________________________________________________________________________
1. About “+W Series - Technology Skills for Women”
Study Notes in the field of technology are put together under this category for the following
reasons:
 To encourage girls and ladies, who wish to do so, to stand up and look over the fence into
technology related topics.
 With no apprehension or fear.
 And perhaps consider embracing a career move into a technological path.
 Or simply to broaden their general knowledge; after all IT is already in most aspects of
everyday life.
 No matter the ground for the decision, their skills, their professional strengths, and their
contribution can only be something positive for any technological fields.
Enjoy!

______________________________________________________________________________
2. About this Publication
2.1. Overview
In today's digital age, the emphasis on information security has led to the need for secure
information security policies. As a result, most organizations require experts who can develop
such policies.
The Certified Information Security Manager, shortened to CISM, certification program helps you
obtain skills that are essential for developing information security strategies. The curriculum of
the CISM program includes four job practice areas.
Information Security Governance
Information Risk Management & Compliance
Information Security Program Development & Managment
Information Security Incident Management
The four CISM job practice areas are Information Security Governance, Information Risk
Management and Compliance, Information Security Program Development and Management,
and Information Security Incident Management.
The first job practice area – information security governance – focuses on directing the
development of an effective information security strategy. This direction ensures the information
security strategy achieves the security objectives of the organization, manages security risks,
and makes effective use of the available resources.

______________________________________________________________________________
Information Security Governance
Information Risk Management & Compliance
Information Security Program Development & Managment
Information Security Incident Management
This publication is the second of three items that cover the concepts of information security
governance.
It covers two important aspects of information security governance – determining the security
strategy approach and the strategy development process.
Strategy
Development
Process
Information
Security
Strategy
Determining
Security
Strategy
Approach
The security strategy approach section begins by detailing the roles and responsibilities of the
key participants involved in developing the strategy.
This section goes on to provide information about the models you can use to create the strategy.
The section concludes by describing the common pitfalls that can occur during strategy
development.
After discussing the approach required to create an effective strategy, the publication details the
strategy development process. This section of the publication helps you create a roadmap to
achieve the security objectives of the organization.

______________________________________________________________________________
Business
Case
Objectives
The section also helps you to recognize the questions the strategy should answer and the types
of objective it should cover. The actual process for developing the strategy is also described.
Apart from this, the section also helps you to identify the key elements of a business case for
information security programs.
The section then provides information on assessing the current state of the information security
and determining its desired state. The section, and the publication, concludes with the important
limitations you need to consider while developing the strategy.
2.2. Learning Objectives
 Match the key participants in developing an information security strategy with their
corresponding responsibilities
 Recognize appropriate models for developing an information security strategy
 Label examples of pitfalls that organizations may encounter as they develop an
information security strategy
 Building an Information Security Strategy :
 Recognize questions that an information strategy should answer
 Recognize two types of objectives an information security strategy should have
 Edentify the key elements of a business case for an information security program
 Rcognize key concepts related to approaches for determining the desired state of security
 Identify the aspects of security that must be assessed when determining the current state
 Identify the components of a roadmap for achieving security objectives
 Match constraints that must be considered when developing an information security
strategy to their corresponding descriptions.

______________________________________________________________________________
3. Table des matières
1. About “+W Series - Technology Skills for Women” .................................................................3
2. About this Publication ...........................................................................................................4
2.1. Overview ..................................................................................................................................4
2.2. Learning Objectives...................................................................................................................6
4. Foreword ..............................................................................................................................9
5. Defining Information Security Strategy................................................................................10
5.1. Information security strategy .................................................................................................. 10
5.2. Quizz - Information security strategy ....................................................................................... 19
5.3. Summary ................................................................................................................................ 19
6. Information Security Strategy Development Models ............................................................21
6.1. Models for strategy development............................................................................................ 21
6.2. Quizz - Strategy Development Models 1................................................................................... 23
6.3. Quizz - Strategy Development Models 2................................................................................... 26
6.4. Summary ................................................................................................................................ 27
7. Common Pitfalls of Strategy Development...........................................................................28
7.1. Pitfalls of strategy development .............................................................................................. 28
7.2. Quizz - Pitfalls of strategy development 1 ................................................................................ 31
7.3. Quizz - Pitfalls of strategy development 2 ................................................................................ 34
7.4. Quizz- Pitfalls of strategy development 3 ................................................................................. 34
7.5. Summary ................................................................................................................................ 35
8. Developing an Information Security Strategy.......................................................................36
8.1. Exercise overview.................................................................................................................... 36
8.2. Identifying roles and responsibilities........................................................................................ 36
8.3. Quizz - Identifying roles and responsibilities............................................................................. 36
8.4. Analyzing strategy definition ................................................................................................... 37
8.5. Quizz - Analyzing strategy definition ........................................................................................ 37
8.6. Aligning strategy with business goals....................................................................................... 37
8.7. Quizz - Aligning strategy with business goals............................................................................ 38
8.8. Choosing the development model ........................................................................................... 38
8.9. Quizz - Choosing the development model ................................................................................ 38
8.10. Identifying development pitfalls .......................................................................................... 38
8.11. Quizz - Identifying development pitfalls ............................................................................... 39
9. References ..........................................................................................................................40
11. Answers to Quizzes ..........................................................................................................54

______________________________________________________________________________

______________________________________________________________________________
4. Foreword
In today's business environment, companies and individuals are increasingly adopting the
Internet, portable storage media, and wireless technologies for accessing, storing, and sharing
information. The use of technology has made access to information easy and affordable, but it
has also caused an increase in problems such as theft, damage, and misuse of information.
Besides damaging the reputation of an organization, these threats can also lead to major
financial losses in business. So it's extremely important for an organization to safeguard its
critical information by using information security.
Information security is about protecting verbal, written, electronic, published, and other forms of
information that involve people and technology. This protection needs to exist regardless of
whether the information is being read, generated, processed, stored, or transferred.
The objective of information security is to ensure the safety of information, including its
confidentiality, accessibility, and integrity. Information should be protected from loss, misuse,
unauthorized access, and destruction during its life cycle or the time it is being used in an
organization.
Information security differs from IT security. IT security focuses on technology and the provision
of secure IT services. It is usually carried out at the level of the chief information officer or CIO.

______________________________________________________________________________
A.Information Security Strategy and Objectives
5. Defining Information Security Strategy
After completing this passage, you should be able to
 Match the key participants in developing an information security strategy with their
corresponding responsibilities.
5.1. Information security strategy
With the range of information sharing tools available today, control over the security of
information assets in an organization is critical. The information assets of your organization are
vulnerable to security lapses. Therefore, information security, which protects the information
assets of an organization, needs to be constantly analyzed and updated.
One way of preventing vulnerabilities and securing the information assets of your organization is
to develop an effective information security strategy. This strategy is an organization-specific
approach that is aligned with your business objectives and maintains the confidentiality, integrity,
and availability of your information assets.
An effective information security strategy helps you address the security concerns of
stakeholders across the organization. It clearly states what it offers its shareholders, employees,
customers, and communities. A strategy also specifies the kind of business the organization
intends to conduct.

______________________________________________________________________________
Safety
Strategy
Security
GOAL
The information security strategy also helps you move the security of your information assets
from their current state to the desired state. To achieve this, the security strategy helps you
develop security policies and plans that align with the organization's security objectives,
purposes, or goals.
AvailabilityIntegrity
Confidentiality
These security policies and plans help you develop security programs that safeguard information
assets within the limitations of your organization. These plans also detail the steps for monitoring
the information assets for possible security breaches and note their corrective actions.
For the information security strategy to be effective, it should be developed to achieve certain
basic high-level outcomes:

______________________________________________________________________________
Information
Security
Strategy
 strategic alignment:
Strategic alignment is one of the basics of a good information security strategy. It implies that the
strategy aligns with the organization's business objectives. Such a strategy also considers the
organizational structure, processes, threats, risks, and vulnerabilities.
 risk management:
Information assets are vulnerable to security threats and managing such risks is essential for
developing an effective strategy. Risk management involves following risk mitigation initiatives to
reduce the impact of the risks on the asset.
 value delivery:
Value delivery is achieved by estimating the cost of resources and the effort involved in
developing and implementing the strategy. Monitoring and optimizing the costs and effort help
during decision-making in the development of the strategy.
 resource management:
The information security strategy should ensure that security processes and practices are
created to manage resources and knowledge effectively. This can be done by using the
information security knowledge and infrastructure in the organization.
 performance measurement :
You need to determine whether the security strategy meets security objectives effectively by
developing specific security measures and activities. In addition, you need to ensure that the
security measures and activities are implemented, monitored, and evaluated.
 process assurance:
Using process assurance, you can ensure that a process functions as planned. Developing
assurance processes and evaluating their effectiveness makes strategy development easier.
Three key participants are involved in the development of the information security strategy:
 the board of directors or the senior management
 the executive management and steering committee, and
 the chief information security officer or the information security manager

______________________________________________________________________________
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Information Security
Strategy
- Security Action plan
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Action Plan Inputs
- Available Resources
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives
The diagram shows the three key participants - Senior management, Steering committee and
Executive management, and CISO/Steering committee. Senior management determines the
business strategy by creating the business objectives.
The Steering committee and Executive management is responsible for risk management and the
information security strategy, which involves determining the security attributes using strategy
inputs.
The CISO/Steering committee determines the security action plan policies, and sets the
standards, ultimately creating the security programs. These programs are implemented to create
security objectives. Trend analysis, reporting, and monitoring is performed and the results are fed
back to the CISO/Steering committee.
The board of directors and the senior management play an essential role in identifying the critical
information assets in an organization that need security and the level of security they need. Their
involvement in strategy development also ensures that the information security strategy is
aligned with the business objectives and business strategies.

______________________________________________________________________________
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives
The responsibilities of these participants extend to approving security policies, monitoring
strategy implementation, and measuring and reporting the implementation progress.
Apart from endorsing the security policies and plans, these participants also need to follow them
diligently, so they can inspire the rest of the organization.
The executive management needs to lead and support the implementation of the information
security strategy. Involvement of the executive management provides the required momentum for
the organization to continue with the implementation. It also ensures timely availability of
resources to meet the security objectives.

______________________________________________________________________________
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives
Most organizations also create a steering committee that includes senior executives representing
all groups that have a stake in information security. Such a committee brings all stakeholders
together and provides a reliable communication channel among stakeholders. The steering
committee ensures that the information security strategy is aligned to business objectives and is
implemented uniformly across the organization.
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives

______________________________________________________________________________
Some steering committees have a subcommittee – a risk council or a committee – dedicated to
risk management. This is because managing risks is an important aspect of information security
and needs to be focused on. This subcommittee proactively identifies risks, segregates them
based on priority, and identifies the serious risks.
The steering committee and the executive management require a few strategic inputs for
developing the security strategy:
 details of the comparison between the current and desired state of information security.
 the organization's business processes and requirements.
 results of the risk assessment.
 results of the business impact analysis, and.
 regulatory requirements.
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives
These days, organizations consider information security to be extremely important and have a
chief information security officer, also known as CISO. This is in addition to an information
security manager or director.
In most organizations, the chief information officer or CIO; chief security officer, also known as
CSO; chief financial officer or CFO, or the chief executive officer, (CEO for short), is chosen as
the CISO.

______________________________________________________________________________
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives
Having a C-level officer in the information security hierarchy ensures that security initiatives are
implemented at all levels. It also ensures the alignment of the security activities with the business
objectives of the organization. This is because high-level positions have the essential authority,
responsibilities, and resources to make decisions and ensure successful strategy
implementation.
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives

______________________________________________________________________________
A CISO or an information security manager creates an action plan based on the information
security strategy that has been developed. The action plan details the security plans to be
implemented, which are in line with the security objectives of the organization.
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives
To create an action plan, you compare the current state of information security in the
organization with the desired state. Based on the results of this comparison, you can determine
the security requirements and priorities for the action plan. While creating the action plan, you
also need to consider the resources that will become available and the limitations on these
resources.
Apart from the action plan, during the strategy implementation you also create security policies
that are aligned with the organization's security objectives. In addition, you need to create
security standards that map to these security policies. These standards regulate the
implementation process and procedures and set acceptable limits. You also need to clearly
define roles and responsibilities for implementing the information security strategy.
But rolling out security policies and standards is effective only when you provide adequate
awareness and education about security policies. So you need to create comprehensive security
policies to ensure smooth implementation of the security strategy.
For a successful implementation of the information security strategy, you also need to
continuously monitor and measure its implementation. This is possible only if you have well-
defined metrics for the strategy implementation. You can use the results of these metrics for
reporting and analysis. These reports and analysis can help realign the implementation, if
required. The CISO and the steering committee are responsible for the realignment initiatives.

______________________________________________________________________________
Senior
Management
Steering Committee
and Executive
Management
CISO/Steering
Committee
Business
Strategy
Risk Management/
Strategy
- Policies
- Standards
- Trend Analysis
- Reporting
- Monitor/Metrics
- Constraints
Strategy Inputs
Strategy
Inputs
Security
Attributes
Security
Programs
Implement
Security
Objectives
5.2. Quizz - Information security strategy
Match the key participants involved in developing an information security strategy with their
responsibilities. You may use each participant more than once.
Options:
A. Senior management
B. Executive management
C. Steering committee
D. CISO
Targets:
1. Business strategy
2. Risk management
3. Security action plan
Answer (see Endnotes) i
5.3. Summary
Information security is used to protect the information assets of an organization. To implement
information security, organizations adopt an information security strategy that is aligned with their
business goals and objectives. The six high-level outcomes of effective information security
governance guide the development of a successful strategy. These high-level outcomes are
strategic alignment, risk management, value delivery, resource management, performance
measurement, and process assurance.

______________________________________________________________________________
Development and implementation of the information security strategy involves participants from
all levels. The key participants in the development process are the board of directors or the
senior management, the executive management and steering committee, and the chief
information security officer or the information security manager.
The board of directors or the senior management ensures that the information security strategy
and its implementation activities are aligned with the business objectives and business strategy.
They also help identify the information assets to be safeguarded and the extent of security
required. The steering committee and the executive management implement the strategy and
handle risk management. The CISO and information security manager create security action
plans, security programs, and security policies.

______________________________________________________________________________
6. Information Security Strategy Development Models
After completing this passage, you should be able to:
 Recognize appropriate models for developing an information security strategy.
6.1. Models for strategy development
You can use various approaches to develop the information security strategy of an organization.
Traditional models used for developing the strategy rely heavily on forecasting the outcomes of
information security strategy implementation based on the organization's goals or mission or
vision statements.
Some of these models are based on the assumption that the future outcome of the
implementation can be predicted using past events that happened in the organization.
Traditional Model
Our Values
Our Goal
Our Objectives
Mission Statement
Information
Security
Strategy
The traditional model begins with a mission statement. It involves three steps. Step one, leads to
step two, which leads to the final step, that’s step three.
Because traditional models are not based on current data or industry requirements, they are not
adaptive to changes in the organization. To make traditional models adaptable, you should
regularly monitor the key performance indicators, also known as KPIs, and the assumptions
made during strategy development. Alternatively, you can use adaptive models such as the
McKinsey model.

______________________________________________________________________________
Traditional Model
Our Values
Our Goal
Our Objectives
Mission Statement
Adaptive Model
Step 3
Step 1
Step 2
The adaptive model consists of three phases in a circular diagram, with stage one leading to step
two, leading to step three, and then continuing with step1.
Using the McKinsey model means that the information security strategy should ensure that
organizations plan and implement a wide variety of security initiatives that address changes in
the business environment.
In addition, the organization needs to ensure that support to such commitment continues.
According to the McKinsey model, an organization needs to regularly monitor and realign its
initiatives to achieve better performance and improve shareholder value.
In the McKinsey model, organization initiatives are constantly updated based on the latest trends
in the market. It doesn't rely blindly on taking risks based on past events. This makes the model
adaptive.
In the McKinsey model, to ensure that security initiatives are carefully managed, they need to be:
 distributed equally across the organization's core business activities to manage new
challenges
 reviewed and updated regularly based on the changes in the business environment, and

______________________________________________________________________________
 directed towards initiating new businesses
An organization can also ensure that the security initiatives improve the shareholder value. This
is possible, when the organization's initiatives clearly target specific security aspects. The
initiatives should also improve customer satisfaction and so improve shareholder value.
The McKinsey model, being more adaptable, is best suited for organizations that need to
manage a lot of changes.
6.2. Quizz - Strategy Development Models 1
Your organization provides IT services based on cutting-edge technologies. Your team is in
charge of developing an information security strategy and you've suggested the McKinsey model.
Identify the reason for choosing the McKinsey model over traditional models.
Options:
1. Adapts to changes in the environment
2. Predicts the outcomes based on the organization's mission
3. Relies on the organization's past events to predict strategy implementation outcome
4. Takes initiatives that demonstrate commitment towards security
Answer (see Endnotes) ii
Another model that you can use for creating an information security strategy is the Sherwood
Applied Business Security Architecture, (SABSA in short). This model reinforces the importance
of analyzing business requirements from a security perspective while developing a security
architecture. This ensures that your organization's business goal is met without any compromise.
The SABSA model specifies how the elements of the information security architecture are
related.
This model contains layers, each representing the view of key participants who develop the
information security architecture. The layers also encapsulate the people, processes, policies,
and technology involved in the security architecture.

______________________________________________________________________________
There are six layers in the SABSA model:
 Business View – also called the Contextual Security Architecture
 Architect's View – also called the Conceptual Security Architecture
 Designer's View – also called the Logical Security Architecture
 Builder's View – also called the Physical Security Architecture
 Tradesman's View – also called the Component Security Architecture, and
 Service Manager's View – also called the Security Service Management Architecture
In practice, security service management issues can occur in any of the first five layers. And
security service management can be interpreted appropriately in each of these five layers. So
you can also place the Security Service Management Architecture layer vertically across these
layers.
To create a complete security architecture for your organization with the SABSA model, you can
use the SABSA matrix.
This matrix is created by asking six standard questions – What, Why, How, Who, Where, and
When – about the information security strategy. Each of these questions corresponds with the six
views in the model.
The Business View layer asks what, the Architect's View layers asks why, the Designer's View
layer asks how, the Builder's View layer asks who, the Tradesman's View layer asks where, and
the Service Manager's View layer asks when.

______________________________________________________________________________
Contextual Architecture: The Business View
Contextual Architecture: The Architect’s Vision
Logical Architecture: The Designer’s View
Physical Architecture: The Builder’s View
Component Architecture: The Tradesman’s View
Service Architecture: The Service Manager’s View When?
What?
Why?
How?
Who?
Where?
The following standard questions used in each matrix cover all details for creating the complete
security architecture:
 What are the assets the security architecture is trying to protect?
 Why is the architecture protecting the assets?
 How is the architecture planning to protect the assets?
 Who are involved in protecting the assets?
 Where does the organization apply security initiatives for protecting the assets?
 When does the organization apply security initiatives for protecting the assets?
In the Business View layer, you deal with the analysis and definition of business requirements
that the security architecture needs to address. Analyzing these requirements while designing the
initiative is essential for any organizational initiative to meet its planned outcome.
During the analysis, you answer the six standard questions from the perspective of the Business
View. This enables you to determine the business context in which you must design, create, and
operate the security architecture.
This layer helps protect business assets and manages risks. It does so by creating business
security processes that will be implemented by the governance and management structures. The
architecture of this layer is implemented in all applicable business locations and takes care of
business time dependencies such as transaction throughput, lifetimes, and deadlines.
In the Architect's View layer, you create an overall concept that can be used to meet business
requirements. This is also where you define the principles and basic concepts for using the
appropriate logical and physical elements in lower layers.
The Architect's View layer protects business attributes using control and enablement objectives.
To do this, it uses high-level security strategies and framework. The senior management uses
these strategies to implement security in the logical and physical security domains. Their scope is
defined using a risk management framework applicable to the entire life cycle.
The Designer's View layer deals with the design process, which in IT perspective is systems
engineering. In this layer, the business is compared to a system with components and sub-
systems. Here you define, important security elements and the logical flow of control and the
relationship between them.

______________________________________________________________________________
You also implement risk management policies to protect information assets specifying logical
security services and their role in the complex security system. And you identify individual
entities, security domains, and a schema of their relationships. Here you also specify the
timelines for the related activities to be implemented.
In the Builder's View layer, logical descriptions designed in the previous layer are translated into
an actual implementation for building the security system. This layer protects business data
assets, such as data structures, by implementing risk management practices. To protect the
assets, it uses security mechanisms and the physical systems that host them.
In the Tradesman's View layer, you deal with the construction of security information systems.
During this construction, you assemble products, install them, and, finally, integrate them. The
components that you use in the construction include hardware items, software items, and
standards and specifications for the information system's interface.
The Service Manager's View layer provides the framework to manage the operation of the
security architecture. It involves activities such as maintaining the architecture in a working
condition and reviewing its performance to ensure it meets business requirements. In this layer,
you typically deal with the security aspect of system operations and service management.
6.3. Quizz - Strategy Development Models 2
Your organization uses the SABSA model for developing its information security strategy and
security architecture. The organization is analyzing the business requirements from the security
perspective.
Contextual Architecture: The Business View
Contextual Architecture: The Architect’s Vision
Logical Architecture: The Designer’s View
Physical Architecture: The Builder’s View
Component Architecture: The Tradesman’s View
Service Architecture: The Service Manager’s View
The SABSA model has six layers – Business View, Architect's View, Designer's View, Builder's
View, Tradesman's View, and Service Manager's View.
Which layer in the SABSA model deals with this analysis?
Options:
1. Business View
2. Architect's View
3. Designer's View
4. Builder's View
5. Tradesman's View
6. Service Manager's View
Answer (see Endnotes) iii

______________________________________________________________________________
6.4. Summary
Organizations can choose various approaches to develop an information security strategy.
Traditional models rely on forecasting the outcomes of the implementation based on the
organization's goals, mission and vision statements, or past events. However, these are not
adaptive. So adaptive models such as the McKinsey model were created.
The McKinsey model emphasizes regular reorientation of organization initiatives toward
achieving better performance and improving shareholder value. This model is more adaptive
because initiatives are constantly reviewed and updated to meet emerging market needs.
Another model organizations can use for creating the strategy is the SABSA model. This model
reinforces the importance of analyzing business requirements from a security perspective while
developing the security architecture. The SABSA model is a six-layered model. Each layer
represents the view of key participants involved in developing the information security
architecture. The six layers are Business view, Architect's view, Designer's view, Builder's view,
Tradesman's view, and Service Manager's view.

______________________________________________________________________________
7. Common Pitfalls of Strategy Development
After completing this passage, you should be able to
 Label examples of pitfalls that organizations may encounter as they develop an
information security strategy.
7.1. Pitfalls of strategy development
Designing and creating an information security strategy requires research and analysis. Without
analysis, even if contributors are experienced and the model used is appropriate, you might
design a weak strategy. And a weak strategy, cannot help an organization move to the desired
state of information security.
Information
Security
Strategy
Strategy development is organization-specific and its success depends on an organization's
initiatives. Strategy failure is often caused by lack of a detailed analysis that hinders the decision-
making process.
There are seven common pitfalls that can affect decision making:
 overconfidence
 optimism
 anchoring
 status quo bias
 mental accounting
 herding instinct, and
 false consensus
Overconfidence is one of the most common pitfalls of decision-making. Overconfident decision-
makers blindly believe that they can make accurate estimations. While a practical approach is to
specify a range of outcomes, overconfident decision-makers insist on quoting a specific estimate.
This is especially dangerous when strategic outcomes are based on such estimates.
This might lead to strategy failure because the decision-maker did not anticipate or plan for a
range of possibilities. Overconfident decision-makers often overlook the need for risk
management and mitigation.

______________________________________________________________________________
Another common cause of poor decisions is optimism. Forecasts based only on optimism and not
on detailed analysis can go wrong. Furthermore, if you predict strategy implementation outcomes
based on overconfidence and over optimism, your predictions can fail.
Predictions based on optimism should be accepted only after all possible risks are analyzed and
planned for. Risk analysis and management ensures very little is left to chance and you are only
hoping for the best having done everything essential for information security.
Anchoring refers to the tendency of people to base decisions on an aspect, a trait, or a piece of
information, which are called anchors.
With anchoring, decision-making for strategy design is based on a single aspect instead of
considering the situation as a whole. In strategy design, anchoring without detailed analysis to
understand the complete situation can lead to failures.

______________________________________________________________________________
For example, an information security strategy design that focuses only on e-mail security is likely
to fail. This is because other security aspects, such as web security and authorized access, might
be ignored.
The status quo bias is another common pitfall of decision-making. It refers to the reluctance of
people to change their belief in known ideas and experiment with unknown ideas. In fact, the
status quo bias makes you reluctant to try unknown things even if problems exist with known
strategies. In the context of strategy development, this can translate to sticking to known
practices and procedures even if they are faulty.
In addition, researchers claim that people tend to make decisions that avoid losses. This is
because they are more worried about a possible loss than considering a possible gain from
experimenting with an unknown strategy.
Strategy designs can also be affected by the endowment effect, which refers to a bias related to
the status quo bias. This bias suggests that people value what they have or know more than it's
probably worth and they are willing to do anything to retain it.

______________________________________________________________________________
Mental accounting is the reason behind some management members categorizing money
differently from others. This can lead to situations in which essential expenses are categorized as
unnecessary and vice versa.
For example, an organization might prefer to spend more on buying new antivirus software than
to conduct awareness workshops across the organization on how to avoid virus attacks. Another
organization might, however, decide to spend money and effort on conducting workshops rather
than buying the software.
vs
7.2. Quizz - Pitfalls of strategy development 1
During strategy development discussions, stakeholders state that some employees might not
read the security policy completely. However, the information security officer reassures everyone
that approximately 85% of employees read the policy before accepting it.
Identify the pitfall indicated by this situation.
Options:
1. Overconfidence
2. Optimism
3. Anchoring
4. Status quo bias
Answer (see Endnotes) iv
The tendency of people to follow others is called the herding instinct. It is probably caused by the
human tendency to want to obtain the approval of their peer group and thus accept the general
trend to gain acceptance. Often, the herding instinct can lead to a sudden sensitization in
organizations to a specific security aspect or practice.

______________________________________________________________________________
At the decision-making level, this can lead to opting for an incompatible security strategy just
because it was selected by many other organizations.
False consensus is the attitude of senior management to blindly assume that a specific idea,
behavior, or view of theirs is accepted by everyone.
But the senior management might not have any data to support their assumption. In addition,
false consensus can cause people to underestimate risks or overestimate the validity of a view or
an idea. These can lead to poor decisions during strategy design.
Apart from these common pitfalls, four other factors can also lead senior management to
misdirect the decision-making process:

______________________________________________________________________________
 Confirmation bias:
Confirmation bias is the human nature of consciously retrieving information that supports their
beliefs and views. Senior management can sometimes have a confirmation bias while developing
a security strategy. It may lead them to obtain information that reinforces only their views and
overlooks potential risks and problems. This can lead to inadequate decisions during strategy
design and development.
 Selective recall:
If members of the senior management prefer to reiterate facts and information that support only
their views and beliefs during strategy design, it is called selective recall. This leads the
management to think that their assumptions are right.
 Biased evaluation:
Senior management sometimes resorts to biased evaluation during strategy development in an
effort to develop a more acceptable security strategy. Biased evaluation refers to selectively
collecting and accepting evidence that supports the management's assumptions. It also ignores
or rejects evidence against the assumptions. This is dangerous because it can undermine
existing threats and lead to poor decisions.
 Groupthink:
Often decisions in teams, such as the senior management, can be based on groupthink. This is
when members of the senior management team accept a decision just because most members
agree or to ensure there is minimal conflict within the group. In fact, groupthink often forces
members to accept decisions without proper analysis or detailed evaluation.
Lack of detailed analysis and the failure to address the common pitfalls and other factors are the
cause of most strategy failures.
To avoid strategy failure, senior management should be open to suggestions from various
stakeholders and people involved in information security. Getting everyone's consent ensures
their cooperation in strategy design and implementation.

______________________________________________________________________________
7.3. Quizz - Pitfalls of strategy development 2
The senior management in your organization wants to implement a security policy to block file
sharing applications. This is because, most organizations in the industry are implementing this.
The management assumes that all stakeholders will agree to this policy implementation.
What is the type of pitfall the management team is failing to avoid?
Options:
1. Mental accounting
2. False consensus
3. Herding instinct
4. Anchoring
Answer (see Endnotes) v
7.4. Quizz- Pitfalls of strategy development 3
Match the factors and pitfalls, which affect decision making in strategy development with their
corresponding examples.
Options:
A. Selective recall
B. Biased evaluation
C. Groupthink
D. Status quo bias
Targets:
1. Stakeholders remember incidents that support the proposed security policy
2. During a review of the proposed strategy, management members accept only views
supporting the strategy
3. Management members accept a proposal in a team meeting without voicing their individual
concerns

______________________________________________________________________________
4. Stakeholders didn't want the new security policy immediately as they felt it might affect
productivity
Answer (see Endnotes) vi
7.5. Summary
Strategy development is organization-specific and its success depends on how well decision-
makers analyze the situation.
Analysis of various strategy failures has revealed that seven common pitfalls lead to the failure of
decision-making. These pitfalls include overconfidence, optimism, anchoring, status quo bias,
mental accounting, herding instinct, and false consensus. In addition to these pitfalls, four factors
can mislead the decision-makers. These are confirmation bias, selective recall, biased
evaluation, and groupthink.

______________________________________________________________________________
8. Developing an Information Security Strategy
After completing this passage, you should be able to:
 Assess the effectiveness of a given management team's efforts to develop an information
security strategy.
8.1. Exercise overview
In this exercise, you're required to assess the effectiveness of a team's efforts to develop an
information security strategy.
This involves the following tasks:
 identifying roles and responsibilities
 analyzing strategy definition
 aligning strategy with business goals
 choosing the development model, and
 identifying development pitfalls
8.2. Identifying roles and responsibilities
LondonCambridge Financial Services (LCFS) is an upcoming financial services company offering
payroll processing services to its clients. Recently, there was a security incident involving the
leaking of confidential information in one of its client organizations.
Because of this incident, the company wants to form a team to develop an effective information
security strategy. You've been assigned the role of the information security manager on this
team. You need to help the organization select team members from various levels.
The objective of the team is to come up with an information security strategy, implement it, and
prevent future confidentiality breaches.
8.3. Quizz - Identifying roles and responsibilities
You need to help your organization build a team for developing an information security strategy.
What are the mandatory roles that need to be represented in the team?
Options:
1. Senior management

______________________________________________________________________________
2. Steering committee
3. Share holders
4. Executive management
5. Risk committee
Answer (see Endnotes) vii
You've helped your organization form the team for developing an information security strategy.
This team now consists of the senior management, the executive management, and you – the
information security manager.
8.4. Analyzing strategy definition
After detailed discussions, your team arrives at the definition of the information security strategy for
the organization.
You want to step back and analyze the effectiveness and accuracy of the team's information security
strategy.
8.5. Quizz - Analyzing strategy definition
You are now checking if the definition of the information security strategy is effective and
accurate.
What are the features that you need to check for in the information security strategy definition?
Options:
1. It lists the businesses the organization is to pursue
2. It details the security objectives, purposes, and goals of the organization
3. It details the financial contribution the organization needs to make to customers and
stakeholders
4. It helps you address the security concerns of stakeholders
Answer (see Endnotes) viii
8.6. Aligning strategy with business goals
You've checked the information security strategy definition developed by the team and are
convinced that it is effective and accurate. However, you aren't sure if the strategy is aligned with the
business goals of your organization.
The two most important business goals of the organization are establishing service continuity and
availability and improving customer orientation, and service.

______________________________________________________________________________
8.7. Quizz - Aligning strategy with business goals
Which group or individual is responsible for ensuring the alignment of the information security
strategy with the business goals of the organization?
Options:
2. Information security officer
4. Risk committee
Answer (see Endnotes) ix
8.8. Choosing the development model
The team is functional and has successfully designed and implemented various security initiatives in
the organization.
The implementation is monitored regularly and various course correction plans are made whenever
required. This ensures that all security initiatives are aligned with business objectives and the
security architecture of the organization.
8.9. Quizz - Choosing the development model
Which of these features of the development model followed by the team has assured the success
of the strategy implementation?
Options:
1. Predicts the outcome of strategy implementation using past events
2. Defines strategy implementation outcome using the mission of the organization
3. Defines security initiatives targeting specific security aspects
4. Creates security initiatives that address changes in the business environment
Answer (see Endnotes) x
8.10. Identifying development pitfalls
A report of a recent fire accident in one of your client organizations reaches the team. The team
becomes aware of the security measures the client organization is taking to avoid such incidents
in the future.
After the incident, the strategy development team wants to direct all its effort and time toward
fireproofing information assets. A lot of resources are also allocated to spread awareness about
fire safety.

______________________________________________________________________________
8.11. Quizz - Identifying development pitfalls
In strategy discussions, the executive management repeatedly insists on identifying the fire
marshals on the premises and conducting fire drills every month.
What are the types of pitfall the management team are failing to avoid?
Options:
1. Herding instinct
3. Anchoring
4. False consensus
Answer (see Endnotes) xi

______________________________________________________________________________
9. References
 CISM Review Manual, W. Krag Brotby, Editor, ISACA, 9781604202137.
 Information Security Governance: Guidance for Information Security Managers, W. Krag
Brotby, ISACA, 9781933284736.
 Information Security Management Handbook, Harold F. Tipton and Micki Krause, CRC
Press, 9780849374951.
 https://www.slideshare.net/TISAProTalk/prinya-acis-slide-for-swpark-it-information-
security-human-resource-development-plan-for-aec-2015tisa-ptotalk-22554

______________________________________________________________________________
10. Information Security Governance Glossary
A
acceptable interruption window: See AIW.
acceptable use policy: A set of clear rules and responsibilities on the extent of use, which guides users accessing the
organization's resources.
access control: A set of measures that restricts unauthorized access to an organization's resources.
access control list: See ACL.
access right: A permission or privilege that allows a user to use or modify data as specified by the data owner and the
information security policy.
Accountability: The responsibility of a particular event or an activity assigned to a user or a party.
ACL: Abbreviation for access control list, a list of permissions assigned by an administrator for accessing a system or
application.
Activation: The process of initiating a system, a service or an agreement and making it functional.
administrative control: A set of guidelines for processes that improve the functioning of a system or a service and help it
to remain within standards.
aggregated risk: A collection of risks that occur when a single threat or many threats simultaneously affects many minor
vulnerabilities. When measured individually, the effects of these risks may be modest. But when all risks combine, they
can have devastating effects on the organization.
AIW: Abbreviation for acceptable interruption window, the duration for which a computer or a service can remain
inaccessible without hampering the achievement of business objectives.
ALE: Abbreviation for Annual Loss Expectancy, the annual expected financial loss to an information asset from a threat.
alert situation: A situation in an emergency procedure that occurs after the time taken for unsuccessful resolutions goes
beyond a predetermined limit. An alert situation usually triggers escalation.
alternate facility: An optional location with resources to implement an emergency or a backup process if the main facility
is not available.
alternate process: An optional process created for performing critical business processes from the time a process fails
until the time it returns to normal.
Analysis of Technical Components and Architecture: An evaluation of the technical components of the technical
security architecture to determine how individual components contribute to the organization's overall security.
Anchoring: An incorrect tendency to base present estimates or forecasts on a value previously presented. Anchoring may
lead to the failure of an organizational strategy.
annual loss expectancy: See ALE.
annualized rate of occurrence: See ARO.
antivirus software: An application that protects a computer from damages that may be caused by a computer virus,
worm, or malicious code. It identifies potential threats or infected files and takes action against them, usually by deleting or
quarantining the affected files.
application control: A process of monitoring and managing manually or automatically performed activities so that all
records are valid, complete and correct.
application layer: A layer of the Open Systems Interconnection model that allows effective communication between two
applications in a network.
application-level controls: A control activity supported by the technology for specific business information processing.

______________________________________________________________________________
ARO: Abbreviation for annualized rate of occurrence, the number of times a threat to an information asset is likely to
occur in a year.
assurance process integration: Integration of an information security program with other assurance processes in an
organization, including human resource management, risk management, IT security, legal compliance, auditing, and
implementation of physical security.
Attack: An event in which access to information is forced, usually without any authorization.
Audit: A process that checks the functioning of controls and strategies and their adherence to the accepted standards.
audit trail: A collection or log of records regarding activities performed on a computer along with user details.
Auditability: A feature of data transactions that helps to follow and evaluate these transactions through a system.
Authentication: A process of checking the identity of a user or a computer and their access rights.
Authorization: An approval that provides permission to access resources that are required for approved tasks.
Availability: The state of a resource or any information in which it is ready for use when required. Availability is usually
expressed as the percentage of time that a resource, such as a computer or a server, is functional.
B
backup center: An alternate facility that helps perform information technology or information security related functions
when the main site is not available.
BCM: See business continuity management.
BIA: Abbreviation for business impact analysis. Also known as business impact assessment, a process that identifies the
adverse effect on a business that may be caused by a lost resource.
Biometrics: An access control mechanism that uses a person's behavioral or physiological attributes for identification or
authentication.
BMIS: Abbreviation for Business Model for Information Security, a model that manages information security with a
business-oriented approach.
board of directors: Also known as senior management. A team of experienced people that provides guidance, approval,
and evaluation of information security.
business case: Documentation used to explain why investment should be made in a particular area. A business case
combines several weighted measures to rate a project or task. The measures relate to financial performance, customer
measurements, internal operations, and learning and growth over the lifetime or a project or task.
business continuity management: Abbreviated to BCM, a process that reduces effects of interruptions, restores
services, and protects crucial business processes.
business dependency analysis: A process that studies the level of dependency of a business on a resource.
business dependency assessment: In information asset classification. A process that allows identification of resources
important for the functioning of a business process. Business dependency assessment helps allocate protective activities.
business impact analysis: See BIA.
business impact assessment:See BIA.
Business Model for Information Security: See BMIS.
business process assurance:An outcome of effective security management that is the information security manager's
responsibility. The information security manager interacts with different assurance providers and incorporates their
activities with information security activities.
C

______________________________________________________________________________
CA: Abbreviation for certificate authority, an application that issues digital certificates to any registered entities.
cascading risk: A group of risks that occur when one risk creates a chain of events that results in several risks. This may
result in major failures, leading to heavy losses for the organization.
certificate authority: See CA.
chain of custody: A process that checks and ensures the authenticity and completeness of evidence in a legal
proceeding.
change management: A proactive, holistic process to manage the change between organizational states. Change
management focuses on human aspects of the change process, such as culture change, rewards, team building, and
communication.
chief information officer: Abbreviation for CIO, the person responsible for planning the funding and performance aspects
of information technology along with its security.
chief security officer: See CSO.
CISO:Acronym for chief information security officer, see information security manager.
cloud computing:A network of remote computers hosted over the Internet to store, manage, and process data. A third-
party service provider offers cloud-based resources in which resources such as networks, servers, storage, and
applications are distributed across various pooled servers at remote datacenters, and often across multiple datacenters in
different locations. See IaaS, PaaS, and SaaS
COBIT: Acronym for Control Objectives for Information and related Technology. A set of internationally approved
objectives that provide guidelines for IT control, published and updated by the IT Governance Institute.
code of ethical conduct: A contract that Security personnel should be made aware of and adhere to regarding ethical
issues – specifically issues surrounding the protection, use, and storage of information.
cold site:A type of offsite backup facility that includes only basic requirements, such as flooring, air conditioning, and
wiring, to operate as an information processing facility. However, this site takes a long time to be activated and requires
the business to provide other equipment.
Committee of Sponsoring Organizations: See COSO.
community cloud: A type of cloud computing, where the cloud (network) offers an infrastructure that several
organizations with common interests and IT infrastructure requirements can share.
compensatory controls: A control mechanism which adds control steps to lessen the effect of the risk, when the risk
increases.
Compliance: A control area that checks an organization's adherence to legal and security standards or requirements.
Compliance Department: An organizational department that manages regulatory compliance policies and standards.
This department may be independent or it may form part of the Legal Department.
compliance enforcement: An activity of the information security program that ensures constant adherence to security
policies and standards.
Confidentiality:A process of safeguarding critical or private data from being accessed without permission or misused.
configuration management:A process that enables organizations to manage changes to a complex system, such as an
information system, so that the system maintains its performance and integrity over its lifetime.
Control Objectives for Information and related Technology: See COBIT.
Controls: A set of strategies that helps mitigate risks and achieve business objectives.
corporate governance: A set of policies that helps the board of directors guide and manage an organization.
corrective controls: A proactive measure to quickly recover from data loss or any other damage caused by a security
breach. Disaster recovery methods, such as data backup and recovery, are examples of corrective controls.
COSO:Abbreviation for Committee of Sponsoring Organizations of the Treadway Commission; a team of people that
guides and provides internal control for all organizations.

______________________________________________________________________________
Countermeasures: A set of processes that decreases the chances of a threat occurring.
critical success factor: Abbreviated to CSF. One of the factors that helps achieve Sarbanes-Oxley compliance by
managing controls, determining tests for effectiveness, and assigning resources to implement this testing.
Criticality: A measure of the impact of a computer or a service failure on the organization.
CSF: See critical success factor.
CSO:Abbreviation for chief security officer, see information security manager.
D
DAC: Acronym for discretionary access control. A type of access control that restricts data access for a user or a
computer, but allows users or computers to transfer their access permission to each other.
data classification:A process of dividing data into levels based on its sensitivity and criticality. These levels indicate
how important the data is to the organization.
data warehouse:An electronic system that stores and manages a large amount of data with the help of advanced
searching and filtering techniques.
database management systems: A technology that stores data in the form of records and specifies the level of access
that a user has to the system.
decoy server: See honeypot.
defense in depth: A technique of protecting information with layers of controls, in which all layers are not affected by the
same threat or risk.
Degauss:A process of removing magnetic disturbances or fields around magnetic recording media by applying different
degrees of alternate current to it.
demilitarized zone: See DMZ.
detective controls: Controls that help you identify any hindrances or threats to information security. Examples include
intrusion detection methods, checksums, and security audits.
deterrent controls: Controls that discourage hackers and malicious users from breaching the information security setup.
Examples include punitive action against unauthorized use, and preventive control techniques such as access cards and
user authentication.
digital code signing: A process in which a digitally signed computer code is used to ensure integrity.
disaster declaration: A statement that communicates the implementation of the disaster recovery plan to the required
stakeholders.
disaster recovery plan: A preset strategy that helps to restart the operation of an interrupted service with the help of
resources and processes.
discretionary access control: See DAYC.
DMZ: Abbreviation for demilitarized zone, an additional zone between the Internet and a private network that doesn't allow
external users to access internal data.
DNS: Abbreviation for domain name system, a service that provides translation between an IP address and a web
address. The translation depends upon a hierarchical naming system.
domain name system:See DNS.
dual control: A process that uses more than one person to protect a computer resource from single-entity access.
due care:The appropriate level of concern that is required from a person of a particular level in the relevant situation.
due diligence: The appropriate level of thoroughness that is required for an evaluation or an analysis.
Duplicate Information Processing Facilities: A set of facilities dedicated to recovery sites that are used like a primary
site.

______________________________________________________________________________
dynamic interconnection:A factor that controls different elements of the BMIS model and maintains the balance of the
model.
E
EF: Abbreviation for exposure factor, a possibility of event occurrence equal to the percentage of information asset loss
caused by a threat.
Encryption: A control mechanism that uses an algorithm to encode data so that only authorized users can read the
transmitted information.
end user: A person who uses a computer that is maintained by somebody else.
enterprise governance: A set of guidelines implemented by the board of directors and executive management. These
guidelines provide guidance, help to achieve objectives, ensure proper management of risks, and verify judicious use of
resources.
enterprise information security architecture: The structure of an organization's information security systems.
enterprise risk management: A process of managing risks, controlling their impact, and achieving business objectives.
ERM: Abbreviation for enterprise risk management.
executive management: A team of people that provides continuous support and guidance in the process of setting
objectives and implementing effective security governance.
Exposure: The extent of the negative impact that a weakness in a resource or a service can cause.
exposure factor: See EF.
F
Factor Analysis of Information Risk: See FAIR.
FAIR: Acronym for Factor Analysis of Information Risk. A risk assessment methodology that splits a risk into several
components and analyzes each component in detail. This method involves detailed analysis of both the risk and its control
measure.
Firewall: A security technology that forms a boundary and protects a computer or a network from unauthorized external
access.
G
gap analysis: A process, often applied to security, which examines the difference between existing and expected
conditions.
Governance: A process in which continuous control and direction is provided by people with experience and expertise.
governance, risk management, and compliance: See GRC.
GRC: Abbreviation for governance, risk management, and compliance. In information security governance, a
methodology that organizations use to bring together governance, risk management, and compliance.
Guideline: A suggestion or a best practice that supports a user while performing a procedure. A guideline, unlike a
standard, is not mandatory.
H
Hashing: A mechanism that converts any length of input string into a standard length string to ensure that the transmitted
message is not corrupted.

______________________________________________________________________________
Honeypot: Also known as a decoy server. A server that protects computers against unauthorized access and attacks by
detecting and monitoring such users.
hot site: An offsite backup facility that has all the required hardware and software resources and is ready to be used as an
alternate facility.
hybrid cloud: A type of cloud computing that's a combination of at least one private and one public cloud – for example
through a partnership between a private and a public cloud service provider.
I
IaaS: Abbreviation for Infrastructure as a Service. A cloud computing model that can provide storage, processing,
networks, and other essential computing resources. IaaS enables customers to operate any required software and
operating systems.
IDS: Abbreviation for intrusion detection system, an automated system that monitors network and host activities for
suspicious activity that may indicate an attack.
Impact: An outcome when a threat exploits a vulnerability and leads to loss of information assets.
impact analysis: An examination of information resources to study their criticality to the organization, which helps in
strategizing recovery.
IMT: Abbreviation for incident management team. A group of experts that help the organization identify and manage
information security incidents. This group usually consists of an information security manager, steering committee, and
dedicated and temporary team members. The information security manager usually leads the team.
Incident: An unplanned interruption, such as a server breakdown or unauthorized intrusion, which adversely affects
business continuity.
incident management and response: A process that involves detecting incidents that threaten an organization's
information assets, preventing their occurrence, and taking corrective actions to control and limit damage.
incident management charter: A document that establishes the IMT and describes its roles and responsibilities when
managing and responding to information security incidents.
incident management metrics: Criteria used to measure the efficiency and effectiveness of the incident management
and response process.
incident management team: See IMT.
incident response plan:A plan that identifies the steps to be taken and the resources to be used if an event has an
adverse impact on the organization's information assets.
incident response team: See IRT.
information risk: Potential problems that could put organizational data at risk, including the potential loss or inappropriate
exposure of information.
information risk management: A process that manages risks related to information security with the help of
management policies and processes.
information security governance: A set of practices implemented by the board and executive management. Besides
providing guidance, achieving objectives, ensuring proper management of risks, and verifying judicious use of resources,
these practices also protect data.
Information Security Incident Management: The fourth job practice area of CISM, which describes the activities of the
information security manager, to maintain operations, minimize the impact of risk, and restore normal operations after
system failures, disruptions, incidents of misuse, or other unforeseen events.
information security investments: Incentives used to measure the effectiveness of an information security program –
typically by comparing the budgeted costs of work scheduled and work performed against the actual cost of the program.

______________________________________________________________________________
information security management framework: A conceptual representation of the structure used to manage information
security.
information security manager: Also known as the chief information security officer, vice president of security, or chief
security officer. An executive level of authority, present in every organization, with expertise in planning and budgeting.
information security program: A collection of technical and operational measures that maintains the confidentiality,
integrity, and availability of information.
information security program development: A process of creating a program that implements an information security
strategy by coordinating activities, projects and initiatives.
Information Security Program Development and Management: The third job practice area of CISM, which describes
the activities of the information security manager, to ensure the information security program is developed and managed in
line with the organization's overall goals.
information security program resources: The resources used to develop an information security program and achieve
a specific level of security.
Integration: in information security governance, an outcome that ensures seamless operation among all processes by
combining all factors affecting the operation.
Integrity: The complete nature of information that ensures its correctness and validity.
Internet service provider: See ISP.
interruption window: The period of time that a business can endure from the failure of a service or an application to its
restoration. Beyond this duration, losses will adversely affect the business.
intrusion detection: A security technology that monitors activities on a computer to identify an attack or access without
permission.
intrusion detection system: See IDS.
IRT: Abbreviation for incident response team. A team that focuses on responding to incidents. The team usually includes
incident handlers, investigators, forensic experts, and physical security experts.
ISO/IEC 17799: A standard that is approved by International Organization for Standardization, which defines the
confidentiality, integrity, and availability of information.
ISO/IEC 27001: An international standard based on ISO/IEC 17799, which includes a set of principles on information
security management.
ISO/IEC 27001:2005: In IT security, a standard that specifies practices and objectives for controls.
ISP: Abbreviation for Internet service provider, a third-party supplier that provides organizations or home users with a
connection to the Internet.
K
key goal indicator: See KGI.
key performance indicator: See KPI.
key risk indicator: See KRI.
KGI: Abbreviation for key goal indicator. A project metric that defines what goals have to be accomplished.
KPI: Abbreviation for key performance indicator, a performance factor that indicates if the process objectives are being
achieved.
KRI: Abbreviation for key risk indicator, an indicator that registers when the risk level of an organization exceeds a certain
defined level.

______________________________________________________________________________
M
MAC:Acronym for mandatory access control. A type of access control that restricts data access depending on different
security requirements and permissions required for the data.
management support technologies:A set of supporting technologies that provide management features and automate
security procedures.
mandatory access control:See MAC.
Maximum Tolerable Downtime:See MTD.
Maximum Tolerable Outage:See MTD.
maximum tolerable outages:See MTO.
Metrics:Technical and statistical measures used to determine whether the controls implemented as part of an information
security program are functioning properly and meeting an organization's security objectives.
mirror sites:A set of sites similar to primary sites, which are used as load-sharing information processing facilities.
mobile site:A type of offsite backup facility that is portable and can be transported to any location to act as an information
processing facility.
monitoring policy:A set of rules that describes the recording and interpretation of information about computer, network,
and application use.
MTD: Abbreviation for Maximum Tolerable Downtime, also known as Maximum Tolerable Outage or MTO. The maximum
period of time for which the organization can support processing in an alternate mode. Various factors will determine the
MTO, including increasing backlogs of deferred processing. This, in turn, is affected by the SDO if it is less than that
required during normal operations.
MTO: Abbreviation for maximum tolerable outages, the maximum period of time for which an organization can support
operations in an alternate mode.
N
National Institute of Standards and Technology or NIST risk assessment methodology: A technique used to assess
risks in the system development life cycle or SDLC. NIST risk assessment methodology uses a nine-step process to
identify and evaluate risks to an organization: identifying system characteristics, identifying threats, identifying
vulnerability, analyzing control measures, determining the probability of threat occurrence, analyzing the impact of risk
on business, determining the risk, recommending risk control measures, and documenting the risk assessment reports.
native control technologies: A set of new and comprehensive security features that are incorporated with business
information systems.
Nonrepudiation: A feature that provides proof of the origin of data, which can then be verified by another person or
stakeholder. Usually, the origin of data is with a particular party or a person.
O
Open Shortest Path First: See OSPF.
operational controls: Controls that deal with an organization's everyday operations, helping to ensure that all objectives
are achieved.
OSPF: Abbreviation for Open Shortest Path First. A link-state IP routing protocol in networking that selects the best router
to each known subnet. It provides quick convergence and the ability to scale large networks.
Overconfidence: A reason that causes an organizational strategy to fail because of undue confidence while estimating
figures or alternatives.

______________________________________________________________________________
P
PaaS: Abbreviation for Platform as a Service, a cloud computing model that helps organizations deploy their software on a
provider's infrastructure using tools and languages supported by the provider.
packet filtering: A feature that provides or denies access to data packets entering or leaving a network depending on a
set of rules.
penetration testing: A process where the effectiveness of a security defense is checked in a live environment by
introducing mock attackers.
performance measurement: In information security governance, an outcome that reviews the operation of information
security processes, identifies weaknesses, and provides feedback.
plan-do-check-act model: A methodology used to manage and continually improve the quality of an information security
program based on four processes: Plan, Do, Check, and Act.
Policy: A high-level statement documenting a management decision about principles, courses of action, and business
strategies. A policy encompasses the organization's philosophy and strategy relating to the subject matter, and describes
how policy compliance will be checked and measured, the consequences for violating policy, and how exceptions will be
handled.
policy compliance: Ensuring that individuals and groups comply with organizational policies.
Port : 1. A connection between a CPU and a peripheral device. 2. A virtual space that allows organized connection
between remote services and a host.
PRA: Abbreviation for Probabilistic Risk Assessment. A method of risk assessment used in industries that use complex
technological operations such as oil and gas production, nuclear power, and aeronautics. PRA takes into consideration
the severity of the risk and chances of the risk occurring. The outcomes of the risk are assigned numerical values. The
total risk is calculated by adding together the products of severity and chances of occurrence.
preventive controls: Controls that don't allow hindrances to materialize including access control enforcement, encryption,
and authentication.
principle of least privilege: A strategy that involves dividing access to resources, so that those requiring little access
have minimum system privileges.
Privacy: A state of a computer or a network in which there is no scope for intrusion or information disclosure without
permission.
privacy officer: A person responsible for ensuring the appropriate protection of information and managing compliance
with the privacy regulations. The role this person fulfils may be independent or form part of the Compliance Department.
private cloud: A type of cloud computing, where the cloud (network) is reserved for use by one organization that requires
a high level of control over its data and security.
Probabilistic Risk Assessment: See PRA.
Procedure: A linear list of steps that helps users to perform operations while adhering to standards.
project management: The task of managing resources to achieve the goals of a particular project and meet the
organization's objectives.
public cloud: A type of cloud computing, where the cloud (network) is available for use to the general public or to large
industry groups, which may reserve part of the cloud.
public/private-key encryption: Also known as asymmetric encryption, a type of encryption algorithm that uses a key pair,
where one is a public key and the other is a private key. Only the person with the private key can encrypt data.
Q

______________________________________________________________________________
qualitative risk analysis: A process that is used when there is a lack of adequate numerical data. This analysis describes
risks, their impact, causes, and likelihood of occurrence. It helps you to identify aspects of risk that are not tangible, for
example image, reputation, and culture.
quality management: The task of ensuring that results consistently meet the expectations of the customer. A business
initiative aimed at ensuring that an information security program is managed and controlled in a way that yields
appropriate results and delivers value to an organization.
quantitative risk analysis:A process that gives numerical values to the impact of a risk and the likelihood of the risk
occurring. This analysis also uses several statistical models, such as Monte Carlo simulation, to calculate these values.
R
RACI chart: A responsibility matrix that charts work objectives, or tasks, down one column and the names of people who
are responsible for each task across the top. One of four letters identifies the nature of each person's involvement using
the letters R for Responsible, A for Accountable, C for Consult, or I for Inform.
RAID: Acronym for Redundant Array of Inexpensive Disks. A set of interdependent disk drives that provides a large
amount of storage space and helps improve performance.
reciprocal agreement: A contract in which two or more organizations with similar infrastructure mutually agree to provide
processing time to each other during an emergency.
Recovery point objective:See RPO.
recovery sites:Locations that an organization can use to continue operations in the event that an incident prevents this at
the primary business site.
recovery time objective: See RTO.
Redundant Array of Inexpensive Disks: See RAID.
release management: A holistic process that considers resource planning, management, and other technical and non-
technical aspects when changes are applied to an IT service. Release management uses formal procedures and checks
to protect the live environment and its services.
residual risk: The possibility of a risk occurring after countermeasures and controls are implemented.
Resilience: The ability of a computer or a service to successfully tolerate problems caused by events.
resource dependency analysis: An analysis that determines the applications used to perform basic activities in a
business and also what resources are required to perform these activities.
resource management:In information security governance, an outcome that manages knowledge and infrastructure
resources to ensure their availability, documentation, and judicious use.
RFA: Abbreviation for Risk Factor Analysis. A risk assessment methodology that identifies the fundamental reasons that
eventually hamper a project. These reasons are mostly related to time, budget, scope, and performance constraints in a
project. The prime consideration in RFA is the possible impact that risks will have on organizational operations and assets,
and not the possibility of occurrence.
Risk: A phenomenon that occurs after a weakness is exposed to a threat and compromises the organization's information
assets.
risk acceptance: The decision to accept a risk if its elimination is impractical or uneconomical. Every organization has a
defined level of risk acceptance.
risk acceptance framework: A framework that defines the authority that decides whether or not the risk should be
accepted. This is done on the basis of the severity level of the risk – low, medium, high, and severe.
risk assessment: A process that measures a risk in terms of the qualitative and quantitative affect it has on the business.
risk avoidance: A process that helps to bypass a risk in an organized manner and thereby helps manage the risk.

______________________________________________________________________________
risk communication and monitoring: A set of ongoing activities in the risk management process. Monitoring involves
timely assessment and evaluation of risks, while communication helps provide security alerts to stakeholders such as
senior management, process owners, employees, and customers.
Risk Factor Analysis: See RFA.
risk log: See risk register.
risk management: in information security governance, an outcome that manages risks. This is done by identifying risk
mitigation strategies and limiting their impact to a manageable level.
risk management strategy: An integrated business approach that manages risks and associated mitigation strategies.
risk mitigation: The process in which risks are managed by using countermeasures and controls.
risk register: A risk management document, also known as a risk log, which records the source and nature of risk,
existing controls, recommended controls, and the reasons why recommended controls should be implemented.
risk transfer: A process of passing a risk on to another organization. An example of a risk transfer is an insurance policy.
risk treatment: A systematic process of implementing strategies to deal with identified risks and reducing their impact on
business to acceptable levels. Risk treatment options include risk avoidance, risk transfer, risk mitigation, and risk
acceptance.
route filtering: A technology that defines a set of network addresses for a network device, so that the network traffic
levels only via that route.
RPO: Abbreviation for recovery point objective, the time when data should be restored just before an outage occurs.
RTO: Abbreviation for recovery time objective, the duration of time within which a business function must be recovered
after a disaster has occurred.
S
SaaS: Abbreviation for Software as a Service, a cloud computing model that enables information security managers to
lease software and applications from a third-party provider that deploys the software virtually.
SABSA model: Abbreviation for Sherwood Applied Business Security Architecture model, a framework that describes
how an information security manager should collate all the necessary information that's needed to develop an enterprise
information security architecture that can meet an organization's info security needs.
SDO: Abbreviation for service delivery objective, the level of service expected while the alternate mode is operational
during the unavailability of a service or a resource.
secret key cryptography: See symmetric key encryption.
security baseline: A baseline for security that defines the minimum level of security that is required for an organization.
security controls: Safeguards to counteract security risks and minimize their impact on an organization.
security domains: A set of logical areas that are divided depending on varying levels of security.
security metrics: A set of specifications and benchmarks that measure security performance.
security policy: A policy that guides and supports information security and checks its alignment with business objectives
and standards.
Semi-quantitative risk analysis: A process that helps to assign approximate values to those risks that have already been
assessed by qualitative analysis. Since these values are not real, the risk is calculated with a formula that combines all
the values and assigns the risk rates for the assets. A grid can be used for this purpose, which makes rating easier. Based
on these values and the grid, the team of experts prioritizes the risks and plans to mitigate them.
senior management: See board of directors.
Sensitivity: A measure of the adverse effect created by information disclosure without permission.

______________________________________________________________________________
service delivery objective: See SDO.
service level agreement: See SLA.
single loss expectancy: See SLE.
SLA: Abbreviation of service level agreement. A contract entered into by an organization with a third-party service
provider. It clearly defines the agreed level of services to be delivered by the service provider.
SLE: Abbreviation for single loss expectancy, the product of the asset value multiplied by the exposure factor.
social engineering: The process of extracting confidential information from users by tricking them.
Spoofing: An attack that results from a weak protocol design in which the sending address of a network transmission can
be falsified.
Standard: An approved benchmark for the performance of a user, a service, or a device to follow and thereby achieve
consistency.
standards compliance: Ensuring that individuals and groups comply with organizational standards – which reinforce the
organization's policies.
steering committee: A team of people that funds and manages various projects. An information security program is an
example of such a project.
strategic alignment: In information security governance, an outcome that plans information security according to the
business strategy used for achieving organizational objectives.
supplemental control technologies: An additional set of security features with components that aren't built in the
information system environment. It provides features that native components cannot.
symmetric key encryption: Also known as secret key cryptography, a type of encryption algorithm in which the same key
is used for encrypting and decrypting data.
system development life cycle: Abbreviated to SDLC, the five phases of an information system development process –
initiation, development or acquisition, implementation, operation or maintenance, and disposal.
T
TCO: Abbreviation for total cost of ownership, a cost incurred because of the risks or benefits of the project.
TCP/IP and IPSec: A network protocol that divides the sent data into headers and data. A header enables network
devices to route packets, while the data is read as streams.
technical controls: Controls that use technology to protect an organization's information from loss, damage, or
inappropriate access.
technical security architecture: the combination of native controls, supplemental controls, and management support
technologies.
The Standard of Good Practice for Information Security: A catalog that specifies best practices for information security
management as well as requirements for resources and responsibilities.
Threat: An event that may harm an organization's information assets, human resources, and operations.
threat analysis: The process of identifying threats, their levels, their impact, and the possibility of their occurrence.
threat assessment: A means of identifying potential security threats, and outline possible prevention techniques.
total cost of ownership: See TCO.
traffic or packet filtering: An access control mechanism that uses predefined rules for providing access to the network
by examining the headers of the incoming and outgoing packets.
training needs assessment: A means of identifying the knowledge areas and skills required by employees, and their
current competency is these area.

______________________________________________________________________________
Transparency: A mechanism in which all users understand the working of system controls so that each one can ensure
that they are working as expected.
Triage: A process of prioritizing, sorting, and categorizing events or incidents that are logged by the IMT.
two-factor authentication: A procedure of verification that uses two independent methods.
U
UAT: See user acceptance testing.
user acceptance testing: Abbreviated to UAT, a testing plan that can create unexpected risks for security elements.
V
value at risk: See VAR.
value delivery: In information security governance, an outcome that makes the best use of security investments made
according to business objectives.
VAR: Abbreviation for value at risk, a measure of risk based on historical data of the probability distribution of loss on an
asset for a given time period.
vendor management: The need to protect information that organizations share with third-party service providers if the
organization relies on or makes use of third-party service providers to fulfil some or all of their security needs.
vice president of security: See information security manager.
virtual private network: See VPN.
VPN: Abbreviation for virtual private network, a type of network that uses the public telecommunications to transmit data
while providing privacy and security.
Vulnerability: A weakness in an organization's information systems, processes, human resources, or security controls.
vulnerability analysis: A security review to detect vulnerabilities in an environment.
vulnerability assessment:A tool that identifies and reduces vulnerability in controls and thereby evaluates the
effectiveness of risk management.
W
warm site: An offsite backup facility that has complete infrastructure except for partial configurations of some hardware
resources, and may give poor performance.
web server: A type of server that hosts web pages for users connected to the Internet.
Worm: A malicious computer program that is self-replicating and doesn't depend on user action to spread.

______________________________________________________________________________
11. Answers to Quizzes
1.1. i Quizz - Information security strategy
Match the key participants involved in developing an information security strategy with their
responsibilities. You may use each participant more than once.
Options:
A. Senior management
B. Executive management
C. Steering committee
D. CISO
Targets:
1. Business strategy
2. Risk management
3. Security action plan
Answer
The senior management ensures that the organization's information security strategy is
aligned with its business strategy and objectives.
The executive management and steering committee are actively involved in risk management.
It involves managing the threats to information assets during strategy implementation.
To implement an information security strategy, the CISO and information security managers
need to create detailed security action plans. The CISO specifies the security plans to be
implemented.
Correct answer(s):
Target 1 = Option A
Target 2 = Option B, Option C
Target 3 = Option D

______________________________________________________________________________
1.2. ii Quizz - Strategy Development Models 1
Your organization provides IT services based on cutting-edge technologies. Your team is in
charge of developing an information security strategy and you've suggested the McKinsey model.
Identify the reason for choosing the McKinsey model over traditional models.
Options:
2. Predicts the outcomes based on the organization's mission
3. Relies on the organization's past events to predict strategy implementation outcome
4. Takes initiatives that demonstrate commitment towards security
Answer (see Endnotes)
Option 1: This option is correct. The McKinsey model is an adaptive model and is suitable for
organizations that deal with a lot of changes.
Option 2: This option is incorrect. The traditional models predict outcomes based on the
mission and vision statement. This is not done in the McKinsey model.
Option 3: This option is incorrect. The traditional models rely on past events to predict the
outcome. This is not done in the McKinsey model.
Option 4: This option is incorrect. Although this statement is true of the McKinsey model, in
the given scenario the emphasis is on dealing with cutting-edge technologies.
Correct answer(s):
1.3. iii Quizz - Strategy Development Models 2
Your organization uses the SABSA model for developing its information security strategy and
security architecture. The organization is analyzing the business requirements from the security
perspective.
The SABSA model has six layers – Business View, Architect's View, Designer's View, Builder's
View, Tradesman's View, and Service Manager's View.
Which layer in the SABSA model deals with this analysis?
Options:
1. Business View
2. Architect's View
3. Designer's View
4. Builder's View
5. Tradesman's View
6. Service Manager's View

______________________________________________________________________________
Option 1: The Business View layer – also called the Contextual Security Architecture – helps
you to analyze and define the business requirements that the security architecture needs to
address.
Option 2: The Architect's View layer – also called the Conceptual Security Architecture –
enables you to create an overall concept for the organization to meet its business
requirements.
Option 3: The Designer's View layer – also called the Logical Security Architecture – helps
systems engineering.
Option 4: The Builder's View layer – also called the Physical Security Architecture – guides
the actual implementation of the security system by translating the logical descriptions.
Option 5: The Tradesman's View layer – also the called Component Security Architecture –
helps you construct the security information systems by assembling, installing, and integrating
products.
Option 6: The Service Manager's View layer – also the called Security Service Management
Architecture – provides the framework required for managing security architecture operations.
Correct answer(s):
1. Business View
1.4. iv Quizz - Pitfalls of strategy development 1
During strategy development discussions, stakeholders state that some employees might not
read the security policy completely. However, the information security officer reassures everyone
that approximately 85% of employees read the policy before accepting it.
Identify the pitfall indicated by this situation.
Options:
1. Overconfidence
2. Optimism
3. Anchoring
4. Status quo bias
Option 1: This option is correct. In this scenario, the information security officer is trying to
accurately estimate the number of employees who've read the security policy. However, the
officer doesn't have any data to back up the estimate and so this is an instance of
overconfidence.

______________________________________________________________________________
Option 2: This option is incorrect. The pitfall in this scenario is not optimism. The information
security officer is not just hoping that most of the employees would have read through the
security policy. The officer is instead trying to make an accurate estimate.
Option 3: This option is incorrect. The pitfall in this scenario is not anchoring. This scenario
does not deal with decisions taken based on a specific aspect, trait, or piece of information.
The scenario deals with the information security officer trying to make an accurate estimate.
Option 4: This option is incorrect. The pitfall in this scenario is not status quo bias. This
scenario does not deal with a reluctance to change a belief in known ideas and experiment
with the unknown. The scenario deals with the information security officer trying to make an
accurate estimate.
Correct answer(s):
1. Overconfidence
1.5. v Quizz - Pitfalls of strategy development 2
The senior management in your organization wants to implement a security policy to block file
sharing applications. This is because most organizations in the industry are implementing this.
The management assumes that all stakeholders will agree to this policy implementation.
What is the type of pitfall the management team is failing to avoid?
Options:
2. False consensus
3. Herding instinct
4. Anchoring
Option 1: This option is incorrect. Mental accounting involves management members
categorizing money differently from others. This scenario does not deal with categorizing
money.
Option 2: This option is correct. Making decisions based on the assumption that all the
members approve of the decision is called false consensus.
Option 3: This option is correct. The tendency to join the herd, in this case the other
organizations in the industry, is called the herding instinct.
Option 4: This option is incorrect. The pitfall in this scenario is not anchoring. This is because
the scenario does not deal with decisions taken based on a specific aspect, trait, or piece of
information.
Correct answer(s):

______________________________________________________________________________
2. False consensus
3. Herding instinct
1.6. vi Quizz- Pitfalls of strategy development 3
Match the factors and pitfalls, which affect decision making in strategy development with their
corresponding examples.
Options:
A. Selective recall
B. Biased evaluation
C. Groupthink
D. Status quo bias
Targets:
1. Stakeholders remember incidents that support the proposed security policy
2. During a review of the proposed strategy, management members accept only views
supporting the strategy
3. Management members accept a proposal in a team meeting without voicing their individual
concerns
4. Stakeholders didn't want the new security policy immediately as they felt it might affect
productivity
This is an instance of selective recall because stakeholders recall only incidents that support
the new proposal.
This is an instance of biased evaluation because management members express bias towards
views supporting the strategy.
This is an instance of groupthink because members accept the proposal to ensure that there is
a consensus instead of voicing their concerns.
This is an instance of status quo bias because the stakeholders are reluctant to adapt to the
new policy and are looking for reasons to put off its implementation.
Correct answer(s):
Target 1 = Option A
Target 2 = Option B
Target 3 = Option C
Target 4 = Option D

______________________________________________________________________________
1.7. vii Quizz - Identifying roles and responsibilities
You need to help your organization build a team for developing an information security strategy.
What are the mandatory roles that need to be represented in the team?
Options:
2. Steering committee
3. Share holders
5. Risk committee
Option 1: This option is correct. The team should include either senior management or a
board of directors. They are primarily responsible for identifying critical information assets and
their required level of security.
Option 2: This option is incorrect. Some organizations don't include a steering committee. If
present, the committee is responsible for ensuring uniform implementation of the strategy
across the entire organization and its alignment with business objectives.
Option 3: This option is incorrect. Shareholders are interested in the outcomes form the
information security strategy, specifically its ability to support the business goals, and maintain
or increase the profitability of the organization.
Option 4: This option is correct. The executive management is a mandatory role to be
represented in the team. This role is responsible for strategy development leads, and supports
strategy implementation.
Option 5: This option is incorrect. In some organizations, steering committees can have a risk
committee, which is dedicated to risk management. This role is not mandatory.
Correct answer(s):
1.8. viii Quizz - Analyzing strategy definition
You are now checking if the definition of the information security strategy is effective and
accurate.
What are the features that you need to check for in the information security strategy definition?
Options:
1. It lists the businesses the organization is to pursue

______________________________________________________________________________
3. It details the financial contribution the organization needs to make to customers and
stakeholders
Option 1: This option is incorrect. An information security strategy only defines the range of
business the company is to pursue and does not go into the specifics.
Option 2: This option is correct. An effective and accurate information security strategy
determines and reveals the organization's security objectives, purposes, and goals.
Option 3: This option is incorrect. An information security strategy only details the kind of
contributions it wants to make to its employees. It does not state the specific details of the
financial contribution it intends to make.
Option 4: This option is correct. An effective and accurate information security strategy
enables you to deal with the security concerns of the stakeholders across the organization.
Correct answer(s):
1.9. ix Quizz - Aligning strategy with business goals
Which group or individual is responsible for ensuring the alignment of the information security
strategy with the business goals of the organization?
Options:
2. Information security officer
4. Risk committee
Option 1: This option is correct. The involvement of senior management in strategy
development ensures that the strategy is aligned with the organization's business goals,
objectives and strategies.
Option 2: This option is incorrect. The information security officer is primarily responsible for
implementing the security initiatives at all levels, using security plans and policies.
Option 3: This option is incorrect. The executive management is primarily responsible for
developing an information strategy, and leading and supporting its implementation.

______________________________________________________________________________
Option 4: This option is incorrect. The risk committee, if present in an organization, is
responsible for managing security risks.
Correct answer(s):
1.10. x Quizz - Choosing the development model
Which of these features of the development model followed by the team has assured the success
of the strategy implementation?
Options:
1. Predicts the outcome of strategy implementation using past events
2. Defines strategy implementation outcome using the mission of the organization
Option 1: This option is incorrect. The development approach followed by the team doesn't
predict outcomes based on past events. Instead, it monitors and measures their progress
before predicting the outcomes.
Option 2: This option is incorrect. The development approach followed by the team doesn't
define the outcome using the mission of the organization. Instead, it monitors and measures
the progress before predicting the outcomes.
Option 3: This option is correct. The development approach followed by the team is based on
the organization's security architecture and, therefore, defines security initiatives.
Option 4: This option is correct. The development approach followed by the team is adaptive
and, therefore, creates security initiatives that address changes in the business environment.
Correct answer(s):
1.11. xi Quizz - Identifying development pitfalls
In strategy discussions, the executive management repeatedly insists on identifying the fire
marshals on the premises and conducting fire drills every month.
What are the types of pitfall the management team are failing to avoid?
Options:
1. Herding instinct

______________________________________________________________________________
3. Anchoring
4. False consensus
Option 1: This option is correct. The tendency to join the herd, in this case the client
organization where the security incident occurred, is called as herding instinct.
Option 2: This option is incorrect. Mental accounting involves management team members
categorizing money differently from others.
Option 3: This option is correct. Anchoring deals with decisions taken based on a specific
aspect, trait, or piece of information – in this case the fire accident.
Option 4: This option is incorrect. False consensus involves making decisions based on the
assumption that all members approve of the decision.
Correct answer(s):
1. Herding instinct
3. Anchoring

Information Security Governance #2A

More Related Content

Similar to Information Security Governance #2A

More from OxfordCambridge

Recently uploaded

Information Security Governance #2A