Contact Email Design Copyright 1994-2017 © OxfordCambridge.Org(This picture: Trinity College, Cambridge)IT Information Security
OxfordCambridge.Org’s KeyPoints and Study Notes
☺ There is a publication in the format of study notes, to go with these KeyPoints.
☺ In this Study Notes publication, the KeyPoints of this current PowerPoint
presentation are developed in details.
☺ Both KeyPoints and Study Notes files bear the same.
☺ Check the Documents section of the SlideShare site to find the Study Notes.
☺ KeyPoints publications are located in the Presentations section of the
SlideShare site.
+W Series-Technology Skills For Women
Men too are allowed to read this, if they wish to do so, as the language style and the document format are universal.
Aim of Publication:
To introduce the reader or the learner to
Concepts, Management, Metrics as elements
of Information Security Governance.
#1 Information Security Governance: Concepts &
Management Metrics (beta)
Introductory concepts @ OxfordCambridge.Org all for free and free for all.
The information gathered here is in KeyPoints format and may be used:
- Either to give the reader an overview before deciding for a full scale study of the topic.
- Or act as a study guide for learners in expanding their knowledge on the given topic.
Some recommendations, perhaps:
- Identify each KeyPoint on which you feel a need to expand your knowledge,
- Choose a good book / ebook, academic journal or Internet source.
- And then work towards gaining that knowledge, at your own pace.
Please enjoy!
Information Security Governance - Concepts, Management, Metrics –
Introduction.
☺ The goal of information security governance is to establish and maintain a
framework to provide assurance that information security strategies are
aligned with the business objectives, and consistent with applicable laws and
regulations.
☺ Therefore, this publication looks at the role of information security
governance in an organization, the need for senior management support for
all policies and procedures that are put in place.
☺ This publication is the first of three publications dealing with the concepts
of information security governance.
*** Structure and Flow of our KeyPoints Presentations ***
Information Security Governance - Concepts, Management, Metrics:
Learning Objectives.
After developing the KeyPoints outlined in this publication, you should mainly be able to:
- Identify the tasks within the information security governance job practice area.
- Recognize the outcomes of information security governance.
- Recognize the difference between corporate governance and information security
governance.
- Identify senior management roles with their corresponding responsibilities.
- Identify the elements of the information security business model.
- Recognize the interconnections between the elements of the information security
business model.
- Identify the optimal reporting relationship between senior management and the
information security manager.
- Understand reports about information security within an organization.
- Identify the goal of converging security-related functions.
- Identify categories of key goal indicators.
Information Security Governance - Concepts, Management, Metrics –
Summary.
☺ This publication looks at the role of information security governance in an
organization, the need for senior management support for all policies and
procedures that are put in place.
☺ You will discover the importance of information security governance in an
organization and the tasks within this practice area.
☺ It will also help you identify the senior management responsibilities related
to information security governance.
☺ Additionally, it highlights the information security business model and the
relationship between senior management and the information security
manager.
☺ Finally, it describes information security governance metrics and highlights
the need for them in measuring information security activities.
Information Security Governance - Concepts, Management, Metrics -
Sections List.
- (Section 1) Introduction to Information Security Governance.
- (Section 2) Senior Management and Information Security Governance.
- (Section 3) Business Model for Information Security.
- (Section 4) Practicing Information Security Governance Concepts.
- (Section 5) Corporate Support for Information Security.
- (Section 6) Information Security Convergence.
- (Section 7) Information Security Governance Metrics.
- (Section 8) Practicing Information Security Responsibilities.
(Section 0) How the Sections are structured – Guide.
(Section 1) Introduction to Information Security Governance –
Summary.
☺ Information security governance is a set of procedures and duties
performed by the executive management and board of directors.
☺ This involves achieving information security objectives and giving planned
direction.
☺ It also ensures that the organization's information resources are used
efficiently and security risks are managed in the proper manner.
☺ Effective information security governance provides many benefits, such as
accountability for protecting information during important business
activities, reducing the impact of security incidents, and reducing risks to
tolerable levels.
☺ Effective information security governance provides six basic outcomes -
strategic alignment, value delivery, risk management, performance
measurement, resource management, and integration.
(Section 1) Introduction to Information Security Governance –
HighPoints.
- Tasks at Hand.
- Importance.
(Section 1) HighPoints: Tasks at Hand.
☺ Ensure information security strategies are aligned with business goals and
objectives.
☺ Create and execute an information security strategy.
☺ Achieve the organization's information security goals and objectives.
☺ Formulate a strategic direction for information security activities.
☺ Establish and maintain information security policies to communicate
management's directives.
☺ Guide the development of standards, procedures, and guidelines.
☺ Ensure the efficient utilization of information resources.
☺ Manage the risks related to information security.
(Section 1) HighPoints: Importance.
☺ Growth of information technology has made information a key asset for any
business.
☺ Businesses rely heavily on information in digital form to conduct their
business.
☺ Information and other intangible assets comprise almost 80% of some
companies’ market value.
☺ As dependency on information continues to increase, so does the potential
for criminal activity.
☺ It is therefore necessary for organizations to address information security
at the highest level.
☺ Information security should be treated as a governance function at board
level.
☺ Main purpose of information security governance: ensure safety of
information.
☺ Information security governance protects information from loss, misuse,
unauthorized usage, and destruction.
☺ Effective information security governance provides organizations with many
benefits.
(Section 1) HighPoints: Basic outcomes.
☺ To be effective, information security governance needs to provide at least
six basic outcomes.
☺ Strategic alignment means ensuring information security strategy meets
business goals and objectives.
☺ Value delivery indicates optimal security investments to support these goals
and objectives.
☺ Risk management means reducing risks, and their likely effects on
information, to an acceptable limit.
☺ It's important information security processes are monitored, and
associated results are reported to ensure organizational goals are met.
☺ This monitoring and reporting is called performance measurement which
requires a set of definite and approved metrics.
☺ It is essential to make effective use of information security infrastructure
and knowledge: resource management.
☺ Integration means bringing together the significant assurance functions to
ensure information security processes work as expected.
(Section 2) Senior Management and Information Security Governance –
Summary.
☺ Information security governance is a board-level activity and is an integral
part of corporate governance.
☺ Corporate governance is a set of procedures and duties performed by the
board of directors and executive management to direct and control an
organization.
☺ Information security governance involves implementing and managing
information security.
☺ For information security governance to be effective, the board of directors
or senior management must be actively involved in it.
(Section 2) Senior Management and Information Security Governance –
HighPoints.
- Corporate and Information Security Governance.
- Senior management responsibilities.
(Section 2) HighPoints: Corporate and Information Security Governance.
☺ Increasing risks to information mean that information security needs to be
an important part of the organization's governance structure.
☺ Board of directors should make information security governance an integral
part of corporate governance.
☺ Executive management should ensure the effective implementation of the
information security governance structure.
☺ Corporate governance is a set of procedures and duties performed by board
of directors and executive management to direct and control an
organization.
☺ Information security governance is a subset of corporate governance.
☺ Information security governance is concerned with policies and controls
related to protecting information within the organization.
☺ Corporate governance deals with issues that involve transparency in
business operations.
☺ Information security governance deals with security activities and
mitigating risks to organizational information.
☺ To ensure effectiveness of information security governance, executive
management should develop a security governance framework.
(Section 2) HighPoints: Senior management responsibilities.
☺ Information security governance is one of the primary responsibilities of
board of directors and executive management.
☺ Members of executive management implement information security
governance effectively and identify strategic information security
objectives.
☺ Executives provide leadership and continuous support to people involved in
implementing information security.
☺ Steering committee aims to involve all stakeholders influenced by security
aspects by helping to achieve organizational consent over priorities related
to information security.
☺ ISO (Information Security Officer) develops an information security
strategy and gets it approved by senior management.
☺ The ISO ensures commitment of senior management at all stages of
information security governance.
☺ (S)he establishes reporting and communication channels in entire
organization to make sure that information security governance is effective.
(Section 3) Business Model for Information Security – Summary.
☺ Organizations can integrate their key business processes by using GRC
(Governance, Risk management, Compliance).
☺ Governance must be established before implementing Risk management and
enforcing Compliance for effective information security.
☺ Apart from GRC, information security makes use of the systems theory
that enables information security managers to clearly define and develop
security models.
☺ Based on the systems theory, there is an information security business
model that helps to understand complex relationships in organizations for
managing security effectively.
☺ This model is made up of four elements that are linked with six dynamic
interconnections.
☺ Elements are: organization, people, process, technology.
☺ Dynamic interconnections are: governance, culture, enablement and support,
emergence, human factors, architecture.
(Section 3) Business Model for Information Security – HighPoints
- Elements of the model.
- Interconnections between elements.
(Section 3) HighPoints: Elements of the model.
☺ GRC covers many interconnected activities of an organization: e.g. incident
management, enterprise risk management (ERM), operational risk, internal
audits, compliance programs, and several other activities.
☺ GRC consists of three processes: Governance, Risk Management, Compliance.
☺ Risk management helps to create and implement methods for mitigating
risks.
☺ Compliance is the process to supervise the controls and methods that
ensure adherence to organizational policies, standards, and procedures.
☺ All of the three GRC processes are interdependent and influence one
another.
☺ In addition to GRC, information security governance uses Systems Theory
to manage security within organizations.
☺ Continues …
(Section 3) HighPoints: Elements of the model … continued.
☺ Systems Theory can be defined as a network of processes, people,
technologies, relationships, events, reactions, and results that interact with
each other to achieve one common goal.
☺ Systems Theory brings a number of benefits to information security
governance.
☺ Based on Systems Theory, there is an Information Security Business Model
that helps understanding complex relationships in organizations to
effectively manage information security.
☺ The four elements of the model: Organization Design and Strategy, People,
Process, Technology.
(Section 3) HighPoints: Interconnections between elements.
☺ The elements of Information Security Business Model are linked through
six dynamic interconnections to ensure each element aligns with business
goals and objectives.
☺ They are: Governance, Culture, Enablement and Support, Emergence, Human
Factors, Architecture.
☺ The Governance interconnection links the organization and process elements,
whereas Culture links the organization to its people.
☺ Enablement and Support links the technology and process elements, as it
involves creating security policies, guidelines, and standards that support
business needs.
☺ Emergence links the people and process elements, as it indicates patterns in
the life of organizations that emerge and develop without clear reason,
which have results that are difficult to foresee and control.
☺ Continues …
(Section 3) HighPoints: Interconnections between elements … continued.
☺ People are linked with technology through Human Factors interconnection
indicating the interaction and gap between these elements.
☺ Technology is also linked with the organization where it is used; the
Architecture interconnection establishes this link.
☺ To understand the need for information security and create a security
architecture, it's important to have a strong business information
architecture in place.
(Section 4) Practicing Information Security Governance Concepts –
Summary.
☺ This section comprises a series of exercises, to practice recognizing key
concepts of information security governance, the management roles
associated with it, and the business model for implementing it.
☺ This involves a few tasks: identifying the need for information security
governance; recognizing management responsibilities related to information
security governance; identifying elements and their interconnections in the
information security business model.
(Section 4) Practicing Information Security Governance Concepts –
HighPoints.
- Quiz - Identifying need.
- Quiz - Recognizing management roles.
- Quiz - Identifying elements & interconnections.
(Section 5) Corporate Support for Information Security – Summary.
☺ To have a successful security program in the organization, the ISM
(Information Security Manager) needs to ensure that senior management is
committed to the program.
☺ To obtain senior management support, you can create a formal presentation
covering important aspects of information security.
☺ ISM can use business cases to ensure better understanding of information
security.
☺ Additionally, (s)he should ensure that employees also support the security
program.
☺ After obtaining senior management commitment, ISM should provide
periodic reports to senior management about the current state of
information security program.
☺ (S)he ensures all stakeholders are aware of information security programs,
via formal and informal information reporting structures for specific groups
(senior management, employees, process owners, other management).
(Section 5) Corporate Support for Information Security – HighPoints.
- Optimal reporting relationship.
- Communication and reporting channels.
(Section 5) HighPoints: Optimal reporting relationship.
☺ Increasing use of information technology to access, process, store, and
share information brought several benefits and opportunities for
organizations.
☺ However, using information technology has also made information more
vulnerable to misuse and damage.
☺ Firms are recognizing the need to protect information assets, and manage
such activities by employing dedicated Information Security Managers.
☺ Information Security Managers act as process owners for ongoing activities
that help organizations protect confidentiality, integrity, availability of
their information assets.
☺ Organizations have information security managers at different levels in the
reporting hierarchy. A good percentage of information security managers
report to chief executive officers (CEOs), others to chief information
officers (CIOs), and some to the board of directors.
☺ For an information security manager role, the title could be chief security
officer (CSO), or chief information security officer (CISO), who reports to
the company's CEO.
☺ Continues …
(Section 5) HighPoints: Optimal reporting relationship … continued.
☺ Such reporting structure is considered optimal because it allows direct
interaction between information security managers and CEOs.
☺ This structure leads to direct alignment of security objectives with
business goals.
☺ In some structures the IT manager acts as information security manager,
which may be adequate for implementing security activities.
☺ Nevertheless, it’s considered suboptimal because information security
managers cannot interact directly with CEOs.
☺ Also, objectives of the information security manager often conflict with the
IT manager's goals.
☺ More importantly, without senior management support, information security
programs are likely to fail.
☺ To gain senior management commitment to the security program,
information security managers need to educate them about benefits of
information security.
☺ In addition to senior management, there is a need to convince employees
about the benefits of information security, too.
(Section 5) HighPoints: Communication and reporting channels.
☺ An information security manager is responsible for ensuring that all
stakeholders (senior management, employees) are aware of existence of
information security governance structure.
☺ Proper reporting and communication channels ensure all stakeholders
receive necessary information.
☺ Information security managers need to achieve well-organized
communication channels.
☺ Creating a formal reporting procedure and providing periodic reports to
senior management on the performance of information security management
is a must.
☺ Aside from formal reporting, regular but less formal reporting on
information security is critical for the smooth working of security programs.
☺ Target groups are those dealing with specific security-related issues in the
organization: business process owners, senior management, employees,
department heads, supervisors, line managers.
(Section 6) Information Security Convergence – Summary.
☺ Security convergence helps to bridge gaps resulting from the segmentation
of security-related functions; and this is achieved by integrating different
assurance processes within organization.
☺ It prevents security overlaps across different functions, while ensuring
well-defined roles and responsibilities.
☺ Security convergence aligns the security activities with business goals to
deliver shareholder value.
☺ Without security convergence, organizations may ignore interdependency of
risks, sub-optimize the cost of dealing with risks, and allow use of
inconsistent language and terminology across different reporting
structures.
☺ Several factors have contributed to the adoption of security convergence:
technological development is obscuring the boundaries between information
and physical security functions.
☺ Security convergence is necessary because of new business threats, the
need to create a systematic approach to minimize risks and maximize
resource utilization, and an increase in information-based assets.
(Section 6) Information Security Convergence – HighPoints.
- Understanding security convergence.
- Benefits of security convergence.
- Overlapping of information security and physical security.
- Merging information security functions.
- Holistic approach to security.
(Section 6) HighPoints: Understanding security convergence.
☺ It is not uncommon in organizations that different security-related
activities come under different types of security functions.
☺ Information security and physical security are distinct security functions in
an organization. When you combine these functions under a common head,
the process is called security convergence.
☺ Security convergence is integrating the organization's assurance processes:
such as change management, risk management, human resources, audits,
compliance.
☺ The main objective of security convergence is to reduce the gaps resulting
from the segmentation of various security-related functions in an
organization.
☺ These gaps arise because the security functions are generally
interdependent.
☺ There are professional organizations that support convergence – ASIS, ISSA
(Information Systems Security Association), and ISACA (Information Systems
Audit and Control Association).
☺ They established the Alliance for Enterprise Security Risk Management
(AESRM), to encourage security professionals to converge security
functions within their organizations.
(Section 6) HighPoints: Benefits of security convergence.
☺ Gaps arise due to security functions being generally interdependent.
☺ Security convergence prevents security overlaps across different
functions; and reduces the number of security functions, thus making it
easier to follow and manage and providing a streamlined security process.
☺ Security convergence also ensures well-defined roles and responsibilities to
reduce issues like ineffective communication and duplication of work.
☺ Moreover, security convergence takes care of all assurance functions while
implementing a security strategy.
☺ In turn, this helps evaluate the phases of the business process, and
minimizes the gaps resulting from segmented security functions.
☺ Also, it aligns the security objectives to business goals.
☺ When information sharing is involved, implementing security convergence
helps coordinate actions to manage risks.
(Section 6) HighPoints: Overlapping of information security and physical
security.
☺ Information security is generally affected by the physical aspects of
security (physical security) of organizations.
☺ Physical security measures prevent unauthorized access to an organization’s
critical data.
☺ With advanced technologies, critical data can also be accessed remotely;
thus physical security alone is insufficient to secure information.
☺ Strong information security is also needed to secure critical data and
applications in organizations.
☺ While physical security and information security are interdependent, they
have different goals; physical security functions focus on authorizing
physical access to organizations, whereas information security functions
focus on securing network and information data.
(Section 6) HighPoints: Merging information security functions.
☺ If information and physical security work in isolation, security gaps are
bound to occur.
☺ If proper physical security measures are taken to control physical access
to buildings, while measures to prevent unauthorized remote access are not,
critical business data is still at risk.
☺ To prevent such gaps, physical and information security functions need to
work in close coordination.
☺ And to ensure coordination between all security functions, implementing
security convergence is required.
☺ AESRM (Alliance for Enterprise Security Risk Management) encourages
security professionals to converge security functions.
☺ Security professionals merge security functions because several issues
exist when security is fragmented in organizations.
☺ Due to this overlap, the functional boundaries between information and
physical security become less distinct and require security convergence.
(Section 6) HighPoints: Holistic approach to security.
☺ When complexity of business transactions increases, it becomes difficult to
keep to defined regulatory and compliance guidelines.
☺ Therefore, security managers must view and assess organizational risks at a
global level, hence the demand for security convergence.
☺ With complex organizational charts and business transactions, it becomes
difficult to maximize security resources and minimize associated risks.
☺ Therefore, applying security convergence with a risk-based approach, one
can budget for most critical risks that reduce the overall cost of
implementing security and increase the efficiency of security resources.
☺ If, instead of using security convergence, security professionals followed a
fragmented approach to security, the possible security incidents would
increase financial risk, reputation risk, and risk to the public good.
☺ On the contrary, a holistic approach focuses on factors (organizational
structure, processes, and cultures) in addition to assets.
☺ Continues …
(Section 6) HighPoints: Holistic approach to security … continued.
☺ Of course, this requires a management change that gives people the
authority to prevent possible risks.
☺ An effective approach to security convergence should bring together
people, technology, processes in any organization.
☺ This way, the business becomes secure and organizations are enabled to deal
with any security incidents by quickly detecting, responding to, and finally
recovering from them.
(Section 7) Information Security Governance Metrics – Summary.
☺ Security metrics help measure security or risks based on the desired
outcomes of the security program.
☺ A good metric is specific, measurable, and attainable.
☺ Effective security metrics provide information specific to roles and
responsibilities, so that senior management can use it for decision making.
☺ Measures like security metrics, technical metrics, vulnerability scans, and
audit and risk assessment activities help to understand the level of security
in organizations.
☺ Additionally, information security professionals can use metrics (ROSI, VAR,
ALE) to measure various security aspects.
☺ However, these metrics alone don’t provide enough information to make
concrete security decisions.
☺ This leads to the need for effective information security governance
metrics, which use technical data to measure how close the information
security governance program is to the defined objectives.
☺ The best information security governance metrics include KGIs and KPIs.
☺ KGIs specify what is to be achieved (the desired outcome), while KPIs
provide the measure of performance.
(Section 7) Information Security Governance Metrics – HighPoints.
- Need for security metrics.
- Technical metrics.
- Security metrics.
- Other metrics.
- Effective information security governance metrics.
- Organizational business goals.
- Risk management.
- Manage information security resources.
(Section 7) HighPoints: The need for metrics.
☺ Metrics refer to standard measures that help evaluate the performance of
a specific attribute based on a reference point. This reference point
indicates the desired outcome of an activity.
☺ The main purpose of any metric is to support the decision-making process.
☺ For effective information security governance, it is good to have security
metrics that can measure the performance of security activities.
☺ Effective security metrics should provide information specific to the roles
and responsibilities of security functions so that senior management can use
them while making decisions.
☺ Presenting appropriate metrics not only helps to gain senior management
support, but also enables information security managers to obtain sufficient
budget and resources to support their security program.
☺ Criteria are needed to determine whether a metric is appropriate for a
task; they ensure that metrics are meaningful, accurate, and so on.
(Section 7) HighPoints: Technical metrics.
☺ Usually, management focuses on gathering technical metrics: the number of
antivirus programs, type of firewalls used, capacity of data storage systems
etc.
☺ Such metrics provide information on the IT security infrastructure but are
of no help in the overall management of the information security program.
☺ Indeed, technical metrics can help IT personnel in resolving day-to-day
operational issues related to the use of security infrastructures, but don't
provide information on how well information security risks are managed.
☺ Moreover, technical metrics fail to address key information security
objectives.
(Section 7) HighPoints: Security metrics.
☺ Security metrics provide valuable information about security aspects.
☺ These would include metrics such as the number of security breaches,
incidents logged, vulnerabilities detected during virus scans, downtime due
to server failure or virus attacks, and recovery period.
☺ While these metrics may indicate the effectiveness of the security
infrastructure to some extent, they do not provide information that helps
management make decisions on strengthening information security.
☺ Many organizations also conduct regular audits and comprehensive risk
assessment programs to identify gaps in information security.
☺ Although these measures could help in assessing the existing information
security infrastructure, they alone won't help management make security
decisions.
(Section 7) HighPoints: Other metrics.
☺ While it may not be possible to ensure absolute information security,
information security managers might get valuable information about
security measures by using other metrics.
☺ These other metrics could help estimate security in terms of effects and
outcomes, probabilities, and attributes.
☺ They are: Return on Security Investment (ROSI), Value at Risk (VAR), and
Annual Loss Expectancy (ALE).
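The slides name ALE and ROSI but do not show how they are computed. The following is an added worked example, not part of the OxfordCambridge.Org material, using the standard textbook definitions (SLE = asset value × exposure factor, ALE = SLE × ARO, ROSI = (ALE before − ALE after − control cost) / control cost). The asset values, exposure factors, occurrence rates and control costs are constructed for illustration; VAR is not computed, since the slides give no definition for it and it needs a loss distribution rather than point estimates.

```python
"""Worked example of ALE and ROSI (added here; not from the original slides).

Standard definitions assumed:
  SLE  = asset value x exposure factor          (loss from one incident)
  ALE  = SLE x ARO                              (expected loss per year)
  ROSI = (ALE_before - ALE_after - control cost) / control cost
All monetary figures below are constructed, hypothetical values.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float       # monetary value of the asset at risk
    exposure_factor: float   # fraction of the asset value lost in one incident (0..1)
    aro: float               # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of operating the control
    residual: RiskScenario   # the same scenario with the control in place


def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE: monetary loss expected from a single incident."""
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: RiskScenario) -> float:
    """ALE: expected loss per year = SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def rosi(before: RiskScenario, control: Control) -> float:
    """ROSI as a ratio (1.0 means the control returns 100 % of its cost)."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduction = (annual_loss_expectancy(before)
                      - annual_loss_expectancy(control.residual))
    return (risk_reduction - control.annual_cost) / control.annual_cost


def net_annual_benefit(before: RiskScenario, control: Control) -> float:
    """Absolute yearly saving: risk reduction minus the control's cost."""
    return (annual_loss_expectancy(before)
            - annual_loss_expectancy(control.residual)
            - control.annual_cost)


def rank_controls(before: RiskScenario,
                  controls: List[Control]) -> List[Tuple[str, float, float]]:
    """Rank candidate controls by ROSI (highest first); also report net benefit.

    ROSI rewards cheap controls, so a control with the best ROSI can still
    deliver a smaller absolute saving than a dearer one: both numbers are
    returned so a manager can see the trade-off the slides warn about.
    """
    rows = [(c.name, rosi(before, c), net_annual_benefit(before, c))
            for c in controls]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenario (hypothetical): a customer database worth 2,000,000.
# Baseline: a breach costs 25 % of the asset value and happens once in 5 years.
BASELINE = RiskScenario(asset_value=2_000_000, exposure_factor=0.25, aro=0.2)

# Two hypothetical control options and the residual risk each leaves behind.
CANDIDATES = [
    Control("A: encryption at rest + monitoring", 40_000,
            RiskScenario(2_000_000, 0.05, 0.1)),
    Control("B: access-control hardening only", 15_000,
            RiskScenario(2_000_000, 0.15, 0.2)),
]

if __name__ == "__main__":
    print(f"baseline ALE: {annual_loss_expectancy(BASELINE):,.0f}")
    for name, r, net in rank_controls(BASELINE, CANDIDATES):
        print(f"{name}: ROSI {r:.2f}, net annual benefit {net:,.0f}")
```

In the constructed figures, option B has the higher ROSI (about 1.67 against 1.25) but option A saves twice as much money per year (50,000 against 25,000), which is exactly why the slides say these metrics alone are not enough for a concrete security decision.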
(Section 7) HighPoints: Effective information security governance
metrics.
☺ Although many security metrics and activities are available, none provides
any detailed information about the management of risks, alignment of
security objectives with business objectives, or progress of the security
program.
☺ Neither do these metrics or activities provide enough information that can
be used to determine exactly how secure the organization is.
☺ This generates the need for effective information security governance
metrics.
☺ Effective information security governance metrics use technical data to
measure how close the information security governance program is to its
objectives.
☺ The main components of information security governance metrics are
high-level senior management support, measurable performance metrics,
security policies and procedures with commitment from the enforcing
authority, and result-oriented metrics analysis.
☺ The two most useful types of metric are key goal indicators (KGIs) and key
performance indicators (KPIs).
☺ KGIs and KPIs help identify whether the defined objectives are met, and also
provide information about achieving process and service goals.
(Section 7) HighPoints: Organizational business goals.
☺ Organizations’ business goals are key reference points for measuring the
cost effectiveness of information security activities.
☺ In order to validate the alignment of security activities with business goals,
information security managers need to develop a security strategy that uses
business language to define security objectives.
☺ Such security objectives will cover all phases from planning to
implementation of processes, procedures, policies, standards, technology.
☺ When security activities are aligned with business goals, that helps deliver
value to business by optimizing the cost of security and using controls that
meet acceptable risk levels.
☺ Then the value delivery indicates the cost effectiveness of security
activities that are closely tied to business goals.
☺ There are Key Indicators for alignment of security activities with business
goals.
(Section 7) HighPoints: Risk management.
☺ Risk management stands as another key goal indicator (KGI) of security
metrics.
☺ This KGI is the process that manages and minimizes risks in an organization
with the intent of achieving defined business goals.
☺ Risk management is a part of information security governance.
☺ When implementing a risk management program, it may not be possible to
measure its strength.
☺ However, you can find out if the program is proceeding as expected and
resources are allocated appropriately by setting the objectives and
expectations.
☺ A successful risk management program provides measures to reduce the
harmful effects of security incidents on the organization to a level
acceptable for business goals.
☺ The objective of risk management is to minimize the impact of computer
security incidents in organizations; to do so, information security managers
ensure that several security measures are implemented (e.g. installation of
antivirus programs).
(Section 7) HighPoints: Manage information security resources.
☺ In addition to managing risks, information security managers need to
organize information security resources (people, processes, technologies)
for effective information security.
☺ Resource management’s purpose is to minimize costs and maximize efficient
utilization of these resources.
☺ Inconsistent controls and poorly defined processes likely increase
administrative and training costs while indicating inefficient resource
management.
☺ Information security managers must develop security metrics that are
aligned to resource management objectives.
☺ Signs of effective resource management in organizations include the
absence of frequent problem rediscovery and the use of security resources to
safeguard information assets from threats.
(Section 8) Practicing Information Security Responsibilities – Summary.
☺ Learn to recognize key concepts related to information security
management.
☺ This involves recognizing the optimal reporting relationships, identifying key
security metrics, and converging security-related functions.
(Section 8) Practice - Achieving effective information security –
HighPoints.
- Achieving effective information security.
- Context for Quizzes.
- Quiz 1. (See more in Study Notes).
- Quiz 2. (See more in Study Notes).
- Quiz 3. (See more in Study Notes).
(Section 8) HighPoints: Context for Quizzes.
☺ Valentina is an information security manager in an organization and wants to
have effective information security in the organization.
☺ For this, she wants to implement the best reporting structure, develop
metrics to assess the effectiveness of information security strategy, and
converge security-related functions in the organization.
(Section 8) HighPoints: Quiz 1.
☺ The senior management in your organization is headed by a president. The
IT managers, senior project managers, chief technology officer, and other
functional managers report to the president.
☺ Valentina wants to establish a reporting structure that helps her avoid any
conflict of interest and achieve effective information security.
☺ Select the position description for Valentina’s role that indicates the best
reporting structure (See more in Study Notes).
(Section 8) HighPoints: Quiz 2.
☺ The organization provides online banking services to its customers and its
goal is to protect customers' account information and provide safe
transaction modes.
☺ Valentina wants to implement an information security strategy in the
organization, and for that she wants to use several metrics to assess the
effectiveness of her information security strategy.
☺ Match each category of metrics to its examples (See more in Study Notes).
(Section 8) HighPoints: Quiz 3.
☺ Valentina also wants to converge security-related functions in the
organization to bridge the gaps that result from segmenting these functions.
☺ What are the keys to effective information security convergence? (See
more in Study Notes).
We shall always be on SlideShare!

Agile Project Management Principles and Methodologies - Study Notes
 
Defining Cryptography (Cryptography fundamentals 1/2)
Defining Cryptography (Cryptography fundamentals 1/2)Defining Cryptography (Cryptography fundamentals 1/2)
Defining Cryptography (Cryptography fundamentals 1/2)
 
Virtualization - An Introduction (Study Notes)
Virtualization - An Introduction (Study Notes)Virtualization - An Introduction (Study Notes)
Virtualization - An Introduction (Study Notes)
 
Standard Business Etiquette - Study Notes
Standard Business Etiquette - Study NotesStandard Business Etiquette - Study Notes
Standard Business Etiquette - Study Notes
 
IT Project Management - Study Notes
IT Project Management - Study NotesIT Project Management - Study Notes
IT Project Management - Study Notes
 
Computer Networks Foundation - Study Notes
Computer Networks Foundation - Study NotesComputer Networks Foundation - Study Notes
Computer Networks Foundation - Study Notes
 
Computer Networks Foundation
Computer Networks FoundationComputer Networks Foundation
Computer Networks Foundation
 
SIP (Session Initiation Protocol) - Study Notes
SIP (Session Initiation Protocol) - Study NotesSIP (Session Initiation Protocol) - Study Notes
SIP (Session Initiation Protocol) - Study Notes
 
Building a Simple Network - Study Notes
Building a Simple Network - Study NotesBuilding a Simple Network - Study Notes
Building a Simple Network - Study Notes
 
IP Mobility Concepts - Study Notes
IP Mobility Concepts - Study NotesIP Mobility Concepts - Study Notes
IP Mobility Concepts - Study Notes
 
Win Over Stress in Work & Life - Study Notes
Win Over Stress in Work & Life - Study NotesWin Over Stress in Work & Life - Study Notes
Win Over Stress in Work & Life - Study Notes
 
Win Over Stress: in Work & Life
Win Over Stress: in Work & LifeWin Over Stress: in Work & Life
Win Over Stress: in Work & Life
 
Reaching a Balanced Life
Reaching a Balanced LifeReaching a Balanced Life
Reaching a Balanced Life
 
Project Management Fundamentals
Project Management FundamentalsProject Management Fundamentals
Project Management Fundamentals
 
Overcoming Negativity in Workplace-Study Notes
Overcoming Negativity in Workplace-Study NotesOvercoming Negativity in Workplace-Study Notes
Overcoming Negativity in Workplace-Study Notes
 
Overcoming Negativity in Workplace
Overcoming Negativity in WorkplaceOvercoming Negativity in Workplace
Overcoming Negativity in Workplace
 
Business Analysis Essentials
Business Analysis EssentialsBusiness Analysis Essentials
Business Analysis Essentials
 
Basic Business Math - Study Notes
Basic Business Math - Study NotesBasic Business Math - Study Notes
Basic Business Math - Study Notes
 
Basic Business Math
Basic Business MathBasic Business Math
Basic Business Math
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Information Security Governance: Concepts, Security Management & Metrics

• 5. #1 Information Security Governance: Concepts & Management Metrics (beta). Introductory concepts @ OxfordCambridge.Org, all for free and free for all. The information gathered here is in KeyPoints format and may be used:
- either to give the reader an overview before deciding on a full-scale study of the topic,
- or as a study guide for learners expanding their knowledge of the given topic.
Some recommendations, perhaps:
- Identify each KeyPoint on which you feel a need to expand your knowledge,
- Choose a good book/ebook, academic journal or Internet source,
- And then work towards gaining that knowledge, at your own pace. Please enjoy!

• 6. Information Security Governance - Concepts, Management, Metrics – Introduction.
☺ The goal of information security governance is to establish and maintain a framework that provides assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
☺ This publication therefore looks at the role of information security governance in an organization, and at the need for senior management support for all the policies and procedures that are put in place.
☺ This publication is the first of three dealing with the concepts of information security governance.

• 7. *** Structure and Flow of our KeyPoints Presentations ***

• 8. Information Security Governance - Concepts, Management, Metrics: Learning Objectives. After developing the KeyPoints outlined in this publication, you should mainly be able to:
- Identify the tasks within the information security governance job practice area.
- Recognize the outcomes of information security governance.
- Recognize the difference between corporate governance and information security governance.
- Identify senior management roles and their corresponding responsibilities.
- Identify the elements of the information security business model.
- Recognize the interconnections between the elements of the information security business model.
- Identify the optimal reporting relationship between senior management and the information security manager.
- Understand reports about information security within an organization.
- Identify the goal of converging security-related functions.
- Identify the categories of key goal indicators.

• 9. Information Security Governance - Concepts, Management, Metrics – Summary.
☺ This publication looks at the role of information security governance in an organization and the need for senior management support for all the policies and procedures that are put in place.
☺ You will discover the importance of information security governance in an organization and the tasks within this practice area.
☺ It will also help you identify the senior management responsibilities related to information security governance.
☺ Additionally, it highlights the information security business model and the relationship between senior management and the information security manager.
☺ Finally, it describes information security governance metrics and highlights the need for them in measuring information security activities.

• 10. Information Security Governance - Concepts, Management, Metrics - Sections List.
- (Section 1) Introduction to Information Security Governance.
- (Section 2) Senior Management and Information Security Governance.
- (Section 3) Business Model for Information Security.
- (Section 4) Practicing Information Security Governance Concepts.
- (Section 5) Corporate Support for Information Security.
- (Section 6) Information Security Convergence.
- (Section 7) Information Security Governance Metrics.
- (Section 8) Practicing Information Security Responsibilities.

• 11. (Section 0) How the Sections are structured – Guide.
• 12. (Section 1) Introduction to Information Security Governance – Summary.
☺ Information security governance is a set of procedures and duties performed by executive management and the board of directors.
☺ It involves setting strategic direction for information security and achieving the organization's information security objectives.
☺ It also ensures that the organization's information resources are used efficiently and that security risks are managed appropriately.
☺ Effective information security governance provides many benefits, such as accountability for protecting information during important business activities, a reduced impact of security incidents, and risks reduced to tolerable levels.
☺ Effective information security governance delivers six basic outcomes: strategic alignment, value delivery, risk management, performance measurement, resource management, and integration of assurance processes.

• 13. (Section 1) Introduction to Information Security Governance – HighPoints.
- Tasks at Hand.
- Importance.

• 14. (Section 1) HighPoints: Tasks at Hand.
☺ Ensure information security strategies are aligned with business goals and objectives.
☺ Create and execute an information security strategy.
☺ Achieve the organization's information security goals and objectives.
☺ Formulate a strategic direction for information security activities.
☺ Establish and maintain information security policies that communicate management's directives.
☺ Guide the development of standards, procedures, and guidelines.
☺ Ensure the efficient use of information resources.
☺ Manage the risks related to information security.

• 15. (Section 1) HighPoints: Importance.
☺ The growth of information technology has made information a key asset for any business.
☺ Businesses rely heavily on information in digital form to conduct their operations.
☺ Information and other intangible assets comprise almost 80% of some companies' market value.
☺ As dependency on information continues to increase, so does the potential for criminal activity.
☺ Organizations therefore need to address information security at the highest level.
☺ Information security should be treated as a governance function at board level.
☺ The main purpose of information security governance is to ensure the protection of information.
☺ Information security governance protects information from loss, misuse, unauthorized use, and destruction.
☺ Effective information security governance provides organizations with many benefits.

• 16. (Section 1) HighPoints: Basic outcomes.
☺ To be effective, information security governance needs to provide at least six basic outcomes.
☺ Strategic alignment: ensuring the information security strategy supports business goals and objectives.
☺ Value delivery: optimizing security investments in support of those goals and objectives.
☺ Risk management: reducing risks, and their likely effects on information, to an acceptable level.
☺ Performance measurement: monitoring information security processes and reporting the results to ensure organizational goals are met; this requires a set of definite, agreed metrics.
☺ Resource management: making effective use of the information security infrastructure and knowledge.
☺ Integration: integrating the significant assurance functions so that information security processes work as expected.
• 17. (Section 2) Senior Management and Information Security Governance – Summary.
☺ Information security governance is a board-level activity and an integral part of corporate governance.
☺ Corporate governance is the set of procedures and duties performed by the board of directors and executive management to direct and control an organization.
☺ Information security governance involves implementing and managing information security.
☺ For information security governance to be effective, the board of directors or senior management must be actively involved in it.

• 18. (Section 2) Senior Management and Information Security Governance – HighPoints.
- Corporate and Information Security Governance.
- Senior management responsibilities.

• 19. (Section 2) HighPoints: Corporate and Information Security Governance.
☺ Increasing risks to information support the need to make information security an important part of the organization's governance structure.
☺ The board of directors should make information security governance an integral part of corporate governance.
☺ Executive management should ensure the effective implementation of the information security governance structure.
☺ Corporate governance is a set of procedures and duties performed by the board of directors and executive management to direct and control an organization.
☺ Information security governance is a subset of corporate governance.
☺ Information security governance is concerned with the policies and controls that protect information within the organization.
☺ Corporate governance deals with issues such as transparency in business operations; information security governance deals with security activities and mitigating risks to organizational information.
☺ To ensure the effectiveness of information security governance, executive management should develop a security governance framework.

• 20. (Section 2) HighPoints: Senior management responsibilities.
☺ Information security governance is one of the primary responsibilities of the board of directors and executive management.
☺ Members of executive management implement information security governance effectively and identify strategic information security objectives.
☺ Executives provide leadership and continuous support to the people involved in implementing information security.
☺ A steering committee aims to involve all stakeholders affected by security, helping to reach organizational consensus on information security priorities.
☺ The ISO (Information Security Officer) develops an information security strategy and gets it approved by senior management.
☺ The ISO ensures the commitment of senior management at all stages of information security governance.
☺ (S)he establishes reporting and communication channels throughout the organization to make sure that information security governance is effective.
• 21. (Section 3) Business Model for Information Security – Summary.
☺ Organizations can integrate their key business processes by using GRC (Governance, Risk management, Compliance).
☺ For information security to be effective, Governance must be established before Risk management is implemented and Compliance enforced.
☺ Apart from GRC, information security makes use of systems theory, which enables information security managers to clearly define and develop security models.
☺ Based on systems theory, there is an information security business model that helps in understanding the complex relationships within organizations so that security can be managed effectively.
☺ This model is made up of four elements linked by six dynamic interconnections.
☺ The elements are: organization, people, process, technology.
☺ The dynamic interconnections are: governance, culture, enablement and support, emergence, human factors, architecture.

• 22. (Section 3) Business Model for Information Security – HighPoints.
- Elements of the model.
- Interconnections between elements.

• 23. (Section 3) HighPoints: Elements of the model.
☺ GRC covers many interconnected activities of an organization, e.g. incident management, enterprise risk management (ERM), operational risk, internal audits, compliance programs, and several others.
☺ GRC consists of three processes: Governance, Risk Management, Compliance.
☺ Risk management helps to create and implement methods for mitigating risks.
☺ Compliance is the process of supervising the controls and methods that ensure adherence to organizational policies, standards, and procedures.
☺ All three GRC processes are interdependent and influence one another.
☺ In addition to GRC, information security governance uses Systems Theory to manage security within organizations.
☺ Continues …

• 24. (Section 3) HighPoints: Elements of the model … continued.
☺ Systems Theory views an organization as a network of processes, people, technologies, relationships, events, reactions, and results that interact with each other to achieve one common goal.
☺ Systems Theory brings a number of benefits to information security governance.
☺ Based on Systems Theory, there is an Information Security Business Model that helps in understanding the complex relationships within organizations in order to manage information security effectively.
☺ The four elements of the model: Organization Design and Strategy, People, Process, Technology.

• 25. (Section 3) HighPoints: Interconnections between elements.
☺ The elements of the Information Security Business Model are linked through six dynamic interconnections, to ensure each element aligns with business goals and objectives.
☺ They are: Governance, Culture, Enablement and Support, Emergence, Human Factors, Architecture.
☺ The Governance interconnection links the Organization and Process elements.
☺ Culture links the Organization to its People.
☺ Enablement and Support links the Technology and Process elements, as it involves creating security policies, guidelines, and standards that support business needs.
☺ Emergence links the People and Process elements; it denotes patterns in the life of organizations that emerge and develop without a clear cause, with results that are difficult to foresee and control.
☺ Continues …

• 26. (Section 3) HighPoints: Interconnections between elements … continued.
☺ People are linked with Technology through the Human Factors interconnection, which denotes the interaction, and the gap, between these two elements.
☺ Technology is also linked with the Organization in which it is used; the Architecture interconnection establishes this link.
☺ To understand the need for information security and create a security architecture, it is important to have a strong business information architecture in place.
  • 27. (Section 4) Practicing Information Security Governance Concepts – Summary. ☺ This section comprises a series of exercises for practicing recognition of the key concepts of information security governance, the management roles associated with it, and the business model for implementing it. ☺ This involves a few tasks: identifying the need for information security governance; recognizing management responsibilities related to information security governance; identifying the elements and their interconnections in the information security business model.
  • 28. (Section 4) Practicing Information Security Governance Concepts – HighPoints. ☺ Quiz - Identifying need. ☺ Quiz - Recognizing management roles. ☺ Quiz - Identifying elements & interconnections.
  • 29. (Section 5) Corporate Support for Information Security – Summary. ☺ To have a successful security program in the organization, the information security manager (ISM) needs to ensure that senior management is committed to the program. ☺ To obtain senior management support, the ISM can create a formal presentation covering the important aspects of information security. ☺ The ISM can use business cases to build a better understanding of information security. ☺ Additionally, (s)he should ensure that employees also support the security program. ☺ After obtaining senior management commitment, the ISM should provide periodic reports to senior management on the current state of the information security program. ☺ (S)he ensures all stakeholders are aware of the information security program, via formal and informal reporting structures aimed at specific groups (senior management, employees, process owners, other management).
  • 30. (Section 5) Corporate Support for Information Security – HighPoints. ☺ Optimal reporting relationship. ☺ Communication and reporting channels.
  • 31. (Section 5) HighPoints: Optimal reporting relationship. ☺ The increasing use of information technology to access, process, store, and share information has brought several benefits and opportunities to organizations. ☺ However, using information technology has also made information more vulnerable to misuse and damage. ☺ Firms recognize the need to protect information assets, and manage such activities by employing dedicated information security managers. ☺ Information security managers act as process owners for the ongoing activities that help organizations protect the confidentiality, integrity, and availability of their information assets. ☺ Organizations place information security managers at different levels in the reporting hierarchy: a good proportion report to the chief executive officer (CEO), others to the chief information officer (CIO), and some to the board of directors. ☺ The information security manager role may carry the title chief security officer (CSO) or chief information security officer (CISO), reporting to the company's CEO. ☺ Continues …
  • 32. (Section 5) HighPoints: Optimal reporting relationship. … continued. ☺ Such a reporting structure is considered optimal because it allows direct interaction between the information security manager and the CEO. ☺ This structure leads to direct alignment of security objectives with business goals. ☺ In some structures the IT manager also acts as information security manager; this may be adequate for implementing security activities. ☺ Nevertheless, it is considered suboptimal because the information security manager cannot interact directly with the CEO. ☺ Also, the objectives of the information security manager often conflict with the IT manager's goals. ☺ More importantly, without senior management support, information security programs are likely to fail. ☺ To gain senior management commitment to the security program, information security managers need to educate them about the benefits of information security. ☺ In addition to senior management, employees too need to be convinced of the benefits of information security.
  • 33. (Section 5) HighPoints: Communication and reporting channels. ☺ An information security manager is responsible for ensuring that all stakeholders (senior management, employees) are aware of the existence of the information security governance structure. ☺ Proper reporting and communication channels ensure that all stakeholders receive the information they need. ☺ Information security managers therefore need to establish well-organized communication channels. ☺ Creating a formal reporting procedure and providing periodic reports to senior management on the performance of information security management is a must. ☺ Besides formal reporting, regular informal reporting on information security is critical to the smooth running of the security program. ☺ Target groups are those dealing with specific security-related issues in the organization: business process owners, senior management, employees, department heads, supervisors, line managers.
  • 34. (Section 6) Information Security Convergence – Summary. ☺ Security convergence helps to bridge the gaps that result from the segmentation of security-related functions; this is achieved by integrating the different assurance processes within the organization. ☺ It prevents security overlaps across different functions, while ensuring well-defined roles and responsibilities. ☺ Security convergence aligns security activities with business goals to deliver shareholder value. ☺ Without security convergence, organizations may ignore the interdependency of risks, sub-optimize the cost of dealing with risks, and allow inconsistent language and terminology across different reporting structures. ☺ Several factors have contributed to the adoption of security convergence; in particular, technological development is blurring the boundaries between the information security and physical security functions. ☺ Security convergence is necessary because of new business threats, the need for a systematic approach to minimizing risks and maximizing resource utilization, and the increase in information-based assets.
  • 35. (Section 6) Information Security Convergence – HighPoints. ☺ Understanding security convergence. ☺ Benefits of security convergence. ☺ Overlapping of information security and physical security. ☺ Merging information security functions. ☺ Holistic approach to security.
  • 36. (Section 6) HighPoints: Understanding security convergence. ☺ It is not uncommon in organizations for different security-related activities to fall under different security functions. ☺ Information security and physical security are distinct security functions in an organization; combining these functions under a common head is called security convergence. ☺ Security convergence integrates the organization's assurance processes, such as change management, risk management, human resources, audit, and compliance. ☺ The main objective of security convergence is to reduce the gaps resulting from the segmentation of the various security-related functions in an organization. ☺ These gaps arise because the security functions are generally interdependent. ☺ Professional organizations that support convergence include ASIS International, ISSA (the Information Systems Security Association), and ISACA (the Information Systems Audit and Control Association). ☺ Together they established the Alliance for Enterprise Security Risk Management (AESRM) to encourage security professionals to converge security functions within their organizations.
  • 37. (Section 6) HighPoints: Benefits of security convergence. ☺ Gaps arise because security functions are generally interdependent. ☺ Security convergence prevents security overlaps across different functions and reduces the number of security functions, which makes them easier to follow and manage and yields a streamlined security process. ☺ Security convergence also ensures well-defined roles and responsibilities, reducing problems such as ineffective communication and duplication of work. ☺ Moreover, security convergence takes care of all assurance functions while implementing a security strategy. ☺ In turn, this helps evaluate the phases of the business process and minimizes the gaps resulting from segmented security functions. ☺ It also aligns security objectives with business goals. ☺ Where information sharing is involved, security convergence helps coordinate actions to manage risks.
  • 38. (Section 6) HighPoints: Overlapping of information security and physical security. ☺ Information security is generally affected by the physical aspects of an organization's security (physical security). ☺ Physical security measures prevent unauthorized physical access to an organization's critical data. ☺ With advanced technologies, critical data can also be accessed remotely; physical security alone is therefore insufficient to secure information. ☺ Strong information security is also needed to secure critical data and applications. ☺ While physical security and information security are interdependent, they have different goals: physical security functions focus on authorizing physical access to the organization's premises, whereas information security functions focus on securing networks and data.
  • 39. (Section 6) HighPoints: Merging information security functions. ☺ If information and physical security work in isolation, security gaps are bound to occur. ☺ If proper physical security measures control physical access to buildings while no measures prevent unauthorized remote access, critical business data remains at risk. ☺ To prevent such gaps, the physical and information security functions need to work in close coordination. ☺ Ensuring coordination between all security functions requires implementing security convergence. ☺ AESRM (the Alliance for Enterprise Security Risk Management) encourages security professionals to converge security functions. ☺ Security professionals merge security functions because several problems arise when security is fragmented across an organization. ☺ Because of this overlap, the functional boundaries between information and physical security become less distinct, which calls for security convergence.
  • 40. (Section 6) HighPoints: Holistic approach to security. ☺ As the complexity of business transactions increases, it becomes difficult to keep to defined regulatory and compliance guidelines. ☺ Security managers must therefore view and assess organizational risks at a global level, hence the demand for security convergence. ☺ With complex organizational charts and business transactions, it has become difficult to make the most of security resources while minimizing the associated risks. ☺ By applying security convergence with a risk-based approach, one can budget for the most critical risks, which reduces the overall cost of implementing security and increases the efficiency of security resources. ☺ If, instead of converging, security professionals followed a fragmented approach to security, the resulting security incidents would increase financial risk, reputational risk, and risk to the public good. ☺ By contrast, a holistic approach considers organizational structure, processes, and culture in addition to assets. ☺ Continues …
  • 41. (Section 6) HighPoints: Holistic approach to security. … continued. ☺ Of course, this requires a change in management that gives people the authority to prevent possible risks. ☺ An effective approach to security convergence should bring together people, technology, and processes across the organization. ☺ In this way the business becomes secure, and the organization is enabled to deal with security incidents by quickly detecting, responding to, and finally recovering from them.
  • 42. (Section 7) Information Security Governance Metrics – Summary. ☺ Security metrics help measure security or risk against the desired outcomes of the security program. ☺ A good metric is specific, measurable, and attainable. ☺ Effective security metrics provide information specific to roles and responsibilities, so that senior management can use it for decision making. ☺ Measures such as security metrics, technical metrics, vulnerability scans, and audit and risk assessment activities help in understanding the level of security in an organization. ☺ Additionally, information security professionals can use metrics such as ROSI, VAR, and ALE to measure various security aspects. ☺ However, these metrics alone do not provide enough information to make concrete security decisions. ☺ This leads to the need for effective information security governance metrics, which use technical data to measure how close the information security governance program is to its defined objectives. ☺ The best information security governance metrics include KGIs and KPIs. ☺ KGIs specify what is to be achieved (the desired outcome), while KPIs measure performance towards it.
  • 43. (Section 7) Information Security Governance Metrics – HighPoints. ☺ Need for security metrics. ☺ Technical metrics. ☺ Security metrics. ☺ Other metrics. ☺ Effective information security governance metrics. ☺ Organizational business goals. ☺ Risk management. ☺ Manage information security resources.
  • 44. (Section 7) HighPoints: The need for metrics. ☺ Metrics are standard measures that help evaluate the performance of a specific attribute against a reference point; this reference point indicates the desired outcome of an activity. ☺ The main purpose of any metric is to support the decision-making process. ☺ For effective information security governance, it is good to have security metrics that measure the performance of security activities. ☺ Effective security metrics should provide information specific to the roles and responsibilities of the security functions, so that senior management can use them when making decisions. ☺ Presenting appropriate metrics not only helps to gain senior management support, but also enables information security managers to obtain sufficient budget and resources for the security program. ☺ Criteria are needed to decide whether a metric is appropriate for a task; they ensure that the metric is meaningful, accurate, and so on.
  • 45. (Section 7) HighPoints: Technical metrics. ☺ Management usually focuses on gathering technical metrics: the number of antivirus programs, the type of firewalls used, the capacity of data storage systems, etc. ☺ Such metrics provide information about the IT security infrastructure but are of no help in the overall management of the information security program. ☺ Technical metrics can help IT personnel resolve day-to-day operational issues in the security infrastructure, but they do not show how well information security risks are managed. ☺ Moreover, technical metrics fail to address the key information security objectives.
  • 46. (Section 7) HighPoints: Security metrics. ☺ Security metrics provide valuable information about security aspects. ☺ They include metrics such as the number of security breaches, incidents logged, vulnerabilities detected during scans, downtime due to server failures or virus attacks, and recovery time. ☺ While these metrics indicate the effectiveness of the security infrastructure to some extent, they do not provide the information management needs to decide how to strengthen information security. ☺ Many organizations also conduct regular audits and comprehensive risk assessment programs to identify gaps in information security. ☺ Although these measures help characterize the existing information security infrastructure, on their own they do not help management make security decisions.
  • 47. (Section 7) HighPoints: Other metrics. ☺ While absolute information security may be impossible, information security managers can obtain valuable information about security measures by using other metrics. ☺ These other metrics help estimate security in terms of effects and outcomes, probabilities, and attributes. ☺ They are: Return on Security Investment (ROSI), Value at Risk (VAR), Annual Loss Expectancy (ALE).
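As an added worked example (not part of the original slides or the Study Notes), the following Python script computes ALE and ROSI for a few candidate controls and ranks them by ROSI, which is how the "budget for the most critical risks" idea from Section 6 is put into numbers. It uses the standard definitions SLE = asset value × exposure factor, ALE = SLE × ARO, and ROSI = (ALE reduction minus annual control cost) / annual control cost. The risk figures, control names and costs are constructed for illustration only. VAR is not computed here because it needs a loss distribution that the slides do not provide.

```python
"""ALE / ROSI worked example (illustrative; figures are constructed, not real)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One quantified risk scenario (all money in the same currency unit)."""
    asset_value: float      # value of the asset exposed to the threat
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)


def sle(r: Risk) -> float:
    """Single loss expectancy: expected loss from one incident."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure_factor must lie in [0, 1]")
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annual loss expectancy: SLE scaled by how often the incident occurs."""
    if r.aro < 0:
        raise ValueError("aro must be non-negative")
    return sle(r) * r.aro


def rosi(before: Risk, after: Risk, annual_cost: float) -> float:
    """Return on security investment for a control that moves a risk from
    `before` to `after`: (ALE reduction - control cost) / control cost.
    A negative ROSI means the control costs more per year than it saves."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (ale(before) - ale(after) - annual_cost) / annual_cost


def rank_controls(candidates: List[Tuple[str, Risk, Risk, float]]) -> List[Tuple[str, float]]:
    """Order candidate controls by ROSI, best first, so the security budget
    goes to the controls that buy the most risk reduction per unit of cost.
    Each candidate is (name, risk before the control, risk after, annual cost)."""
    scored = [(name, rosi(before, after, cost)) for name, before, after, cost in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed figures for illustration only; they come from no real assessment.
CANDIDATES = [
    # Phishing-driven account takeover: MFA cuts how often it succeeds (ARO).
    ("MFA for remote access",
     Risk(asset_value=2_000_000, exposure_factor=0.10, aro=2.0),
     Risk(asset_value=2_000_000, exposure_factor=0.10, aro=0.2),
     50_000),
    # Ransomware: tested offline backups shrink the loss per incident (EF).
    ("offline backups",
     Risk(asset_value=5_000_000, exposure_factor=0.30, aro=0.1),
     Risk(asset_value=5_000_000, exposure_factor=0.05, aro=0.1),
     100_000),
    # Low-value asset: the control costs more than the risk it removes.
    ("DLP on the marketing share",
     Risk(asset_value=100_000, exposure_factor=0.50, aro=0.5),
     Risk(asset_value=100_000, exposure_factor=0.50, aro=0.1),
     30_000),
]


if __name__ == "__main__":
    for name, score in rank_controls(CANDIDATES):
        verdict = "fund" if score > 0 else "reject"
        print(f"{name:28s} ROSI = {score:+.2f}  -> {verdict}")
```

With the constructed figures, MFA has an ALE before of 400,000 and after of 40,000, so ROSI = (360,000 - 50,000) / 50,000 = 6.2; the backups come out at 0.25; the DLP control is negative and would be rejected. The inputs (exposure factor, ARO) are estimates, which is exactly the limitation the slide notes: these metrics support a decision but do not by themselves say how secure the organization is.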
  • 48. (Section 7) HighPoints: Effective information security governance metrics. ☺ Although many security metrics and activities are available, none provides detailed information about the management of risks, the alignment of security objectives with business objectives, or the progress of the security program. ☺ Nor do these metrics or activities provide enough information to determine exactly how secure the organization is. ☺ This creates the need for effective information security governance metrics. ☺ Effective information security governance metrics use technical data to measure how close the information security governance program is to its objectives. ☺ The main components of information security governance metrics are high-level senior management support, measurable performance metrics, security policies and procedures with commitment from the enforcing authority, and result-oriented metrics analysis. ☺ The two most useful types of metric are key goal indicators (KGIs) and key performance indicators (KPIs). ☺ KGIs and KPIs help identify whether the defined objectives are met, and also provide information about the achievement of process and service goals.
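As an added example (not from the slides or the Study Notes), here is how technical data can be turned into a governance KPI that is read against a KGI, rather than counted as raw infrastructure figures. The KPI is the fraction of vulnerability findings closed within the remediation window for their severity; the KGI is the target the program commits to. The per-severity windows and the 95 % target are assumed for the example (an organization sets its own from its risk appetite), and the findings are constructed sample records. The edge case handled is an open finding that is not yet due: it gets no verdict and is left out of the denominator, so the KPI neither rewards nor punishes findings that still have time.

```python
"""KPI from technical data, measured against a KGI target (illustrative)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as a scanner or ticketing system records it."""
    host: str
    severity: str            # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date]   # None while the finding is still open


# KGIs: what the governance program commits to. These targets are assumed
# for the example; a real organization derives its own from its risk appetite.
KGI_MAX_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
KGI_MIN_WITHIN_SLA = 0.95   # goal: at least 95 % of due findings closed in time


def days_open(f: Finding, today: date) -> int:
    """Age of the finding in days, measured to closure or to `today`."""
    return ((f.closed or today) - f.opened).days


def kpi_sla_compliance(findings: List[Finding], today: date) -> Dict[str, float]:
    """KPI: per severity, the fraction of findings closed within their SLA.
    Open findings that are not yet due are left out of the denominator
    (no verdict yet); open findings past their window count as misses."""
    tally: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        limit = KGI_MAX_DAYS[f.severity]
        age = days_open(f, today)
        if f.closed is None and age <= limit:
            continue
        met = f.closed is not None and age <= limit
        hit, total = tally.get(f.severity, (0, 0))
        tally[f.severity] = (hit + int(met), total + 1)
    return {sev: hit / total for sev, (hit, total) in tally.items()}


def kgi_status(kpis: Dict[str, float]) -> Dict[str, bool]:
    """Compare each KPI with the KGI target: True where the goal is met."""
    return {sev: value >= KGI_MIN_WITHIN_SLA for sev, value in kpis.items()}


# Constructed sample records (not real scan data).
TODAY = date(2017, 6, 30)
FINDINGS = [
    Finding("db-01",  "critical", date(2017, 6, 1),  date(2017, 6, 5)),   # 4 days: met
    Finding("web-03", "critical", date(2017, 6, 10), date(2017, 6, 25)),  # 15 days: missed
    Finding("web-07", "critical", date(2017, 6, 27), None),               # 3 days, not yet due
    Finding("app-02", "high",     date(2017, 5, 1),  date(2017, 5, 20)),  # 19 days: met
    Finding("app-05", "high",     date(2017, 4, 1),  None),               # 90 days open: missed
    Finding("mail-1", "high",     date(2017, 6, 1),  date(2017, 6, 20)),  # 19 days: met
    Finding("fs-02",  "medium",   date(2017, 1, 1),  date(2017, 3, 1)),   # 59 days: met
    Finding("fs-04",  "medium",   date(2017, 1, 15), date(2017, 2, 15)),  # 31 days: met
]


if __name__ == "__main__":
    kpis = kpi_sla_compliance(FINDINGS, TODAY)
    for sev, ok in kgi_status(kpis).items():
        print(f"{sev:9s} KPI = {kpis[sev]:.0%}  KGI met: {ok}")
```

On the sample records the critical KPI is 50 % and the high KPI is 67 %, both below the 95 % goal, while medium is at 100 %; that is the kind of statement senior management can act on, unlike a count of scanners or firewalls.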
  • 49. (Section 7) HighPoints: Organizational business goals. ☺ An organization's business goals are the key reference points for measuring the cost effectiveness of information security activities. ☺ To validate the alignment of security activities with business goals, information security managers need to develop a security strategy that uses business language to define the security objectives. ☺ Such security objectives cover all phases, from planning to implementation of processes, procedures, policies, standards, and technology. ☺ When security activities are aligned with business goals, they deliver value to the business by optimizing the cost of security and using controls that meet acceptable risk levels. ☺ Value delivery thus indicates the cost effectiveness of security activities that are closely tied to business goals. ☺ Key indicators exist for measuring the alignment of security activities with business goals.
  • 50. (Section 7) HighPoints: Risk management. ☺ Risk management is another key goal indicator (KGI) area for security metrics. ☺ Risk management is the process that manages and minimizes risks in an organization with the intent of achieving the defined business goals. ☺ Risk management is part of information security governance; when implementing a risk management program, it may not be possible to measure its strength directly. ☺ However, by setting objectives and expectations one can find out whether the program is proceeding as expected and whether resources are allocated appropriately. ☺ A successful risk management program provides measures that reduce the harmful effects of security incidents on the organization to a level acceptable for the business goals. ☺ The objective of risk management is to minimize the impact of computer security incidents on the organization; to this end, information security managers ensure that a range of security measures is implemented (e.g. the installation of antivirus programs).
  • 51. (Section 7) HighPoints: Manage information security resources. ☺ In addition to managing risks, information security managers need to organize information security resources (people, processes, technologies) for effective information security. ☺ The purpose of resource management is to minimize costs and maximize the efficient utilization of these resources. ☺ Inconsistent controls and poorly defined processes are likely to increase administrative and training costs, and are a sign of inefficient resource management. ☺ Information security managers must develop security metrics that are aligned with the resource management objectives. ☺ Effective resource management in an organization shows up as, for example, the absence of frequent problem rediscovery and the use of security resources to safeguard information assets from threats.
  • 52. (Section 8) Practicing Information Security Responsibilities – Summary. ☺ Learn to recognize the key concepts related to information security management. ☺ This involves recognizing the optimal reporting relationships, identifying key security metrics, and converging security-related functions.
  • 53. (Section 8) Practice - Achieving effective information security – HighPoints. ☺ Achieving effective information security. ☺ Context for Quizzes. ☺ Quiz 1 (see more in the Study Notes). ☺ Quiz 2 (see more in the Study Notes). ☺ Quiz 3 (see more in the Study Notes).
  • 54. (Section 8) HighPoints: Context for Quizzes. ☺ Valentina is an information security manager who wants to achieve effective information security in her organization. ☺ For this, she wants to implement the best reporting structure, develop metrics to assess the effectiveness of the information security strategy, and converge the security-related functions in the organization.
  • 55. (Section 8) HighPoints: Quiz 1. ☺ Senior management in the organization is headed by a president. The IT managers, senior project managers, chief technology officer, and other functional managers report to the president. ☺ Valentina wants to establish a reporting structure that helps her avoid any conflict of interest and achieve effective information security. ☺ Select the position description for Valentina's role that indicates the best reporting structure (see more in the Study Notes).
  • 56. (Section 8) HighPoints: Quiz 2. ☺ The organization provides online banking services to its customers, and its goal is to protect customers' account information and provide safe transaction modes. ☺ Valentina wants to implement an information security strategy in the organization, and for that she wants to use several metrics to assess the effectiveness of her information security strategy. ☺ Match each category of metrics to its examples (see more in the Study Notes).
  • 57. (Section 8) HighPoints: Quiz 3. ☺ Valentina also wants to converge the security-related functions in the organization, to bridge the gaps that result from segmenting these functions. ☺ What are the keys to effective information security convergence? (See more in the Study Notes.)
  • 61. We shall always be on SlideShare!
