Information Security Governance: Concepts, Security Management & Metrics
This document discusses the concepts of information security governance, emphasizing the need for alignment with business objectives and compliance with laws. It highlights the roles of senior management and the importance of establishing a framework to protect an organization's information assets. Additionally, it outlines the learning objectives and key tasks for information security managers, aiming to encourage broader participation in technology fields.
Study Notes www.SlideShare.net/OxfordCambridge Page 1 of 100
Information Security Governance:
#1: Concepts, Information Security Management
and Metrics.
Study Notes [beta].
+W Series - Technology Skills For Women [1]
[1] Men are allowed to read too, if they wish, as the language style and the document format are universal.
1. About “+W Series - Technology Skills for Women”
Study Notes in the field of technology are put together under this category for the
following reasons:
To encourage girls and ladies, who wish to do so, to stand up and look over the fence
into technology related topics.
With no apprehension or fear.
And perhaps consider embracing a career move into a technological path.
Or simply to broaden their general knowledge; after all IT is already in most aspects of
everyday life.
No matter the ground for the decision, their skills, their professional strengths, and their
contribution can only be something positive for any technological field.
Enjoy!
2. About this Publication
2.1. Overview
The goal of information security governance is to establish and maintain a framework to
provide assurance that information security strategies are aligned with the business
objectives and consistent with applicable laws and regulations.
Therefore, this publication looks at the role of information security governance in an
organization, the need for senior management support for all policies and procedures
that are put in place.
This publication is the first of three publications dealing with the concepts of the first job
practice area, information security governance.
In this publication, you will discover the importance of information security governance in
an organization and the tasks within this practice area. It will also help you identify the
senior management responsibilities related to information security governance.
Additionally, this publication will highlight the information security business model and
the relationship between senior management and the information security manager.
Finally, it will describe information security governance metrics and highlight their need
for measuring information security activities.
2.2. Learning Objectives
Identify the tasks within the information security governance job practice area.
Recognize the outcomes of information security governance.
Recognize the difference between corporate governance and information security
governance.
Identify senior management roles with their corresponding responsibilities.
Identify the elements of the information security business model.
Recognize the interconnections between the elements of the information security
business model.
Identify the optimal reporting relationship between senior management and the
information security manager.
Understand reports about information security within an organization.
Identify the goal of converging security-related functions.
Identify categories of key goal indicators.
2.3. Keywords
Information security governance framework, information security components,
information security culture, information security behavior, COBIT, ISO 17799,
Information Technology governance, Information Security governance, Information
Security, Risk management, Corporate governance, IT audit, Business information risk,
Information security governance, Information security, Information security
management, Operational management, Compliance management, Information,
systems, security, governance, behavioural aspects, end-user security behaviours,
security policy compliance.
3. Table of Contents
1. About “+W Series - Technology Skills for Women”..................................................................2
2. About this Publication ...........................................................................................................3
2.1. Overview ....................................................................................................................................... 3
2.2. Learning Objectives ....................................................................................................................... 3
2.3. Keywords....................................................................................................................................... 4
4. Foreword ..............................................................................................................................6
5. Information Security Governance Concepts............................................................................8
5.1. Introduction to Information Security Governance......................................................................... 8
5.2. Senior Management and Information Security Governance........................................................ 19
5.3. Business Model for Information Security..................................................................................... 24
5.4. Practicing Information Security Governance Concepts ................................................................ 31
6. Information Security Management and Metrics...................................................................36
6.1. Corporate Support for Information Security................................................................................ 36
6.2. Information Security Convergence .............................................................................................. 42
6.3. Information Security Governance Metrics................................................................................... 46
6.4. Practicing Information Security Responsibilities.......................................................................... 50
7. Principles of Effective Information Security Governance.......................................................53
8. Tasks and Knowledge Statements........................................................................................55
8.1. Key Tasks and Knowledge Statements......................................................................................... 55
8.2. Key Concepts of Knowledge Statements...................................................................................... 56
9. Knowledge of a CISO: Definitions of Key Security Concepts...................................................59
10. Relationship Between Information Security Governance Outcomes and Management Responsibilities ..........61
11. References.......................................................................................................................63
13. Answers to Quizzes ..........................................................................................................77
4. Foreword
In today's business environment, companies and individuals are increasingly adopting
the Internet, portable storage media, and wireless technologies for accessing, storing,
and sharing information. The use of technology has made access to information easy
and affordable, but it has also caused an increase in problems such as theft, damage,
and misuse of information. Besides damaging the reputation of an organization, these
threats can also lead to major financial losses in business. So it's extremely important
for an organization to safeguard its critical information by using information security.
Information security is about protecting verbal, written, electronic, published, and other
forms of information that involve people and technology. This protection needs to exist
regardless of whether the information is being read, generated, processed, stored, or
transferred.
The objective of information security is to ensure the safety of information, including its
confidentiality, integrity, and availability. Information should be protected from loss,
misuse, unauthorized access, and destruction throughout its life cycle, for as long as it is
in use in the organization.
Information security differs from IT security. IT security focuses on technology and the
provision of secure IT services. It is usually carried out at the level of the chief
information officer or CIO.
Information security operates at a higher level than IT security and focuses on protecting
data, information, and knowledge. The scope of information security covers the
advantages, threats, and processes associated with information. It is carried out at the
level of executive management and is supported by the board of directors.
For example, the information exchanged by two people in their office cafeteria would not
be part of IT security, but would be included in information security.
The importance of information security highlights the need for experts who can evaluate,
design, and manage an organization's information security structure.
The Certified Information Security Manager or CISM certification program supports this
need and helps you obtain essential information security management skills. The
curriculum of the CISM program includes four job practice areas.
You're currently studying the first course of the CISM curriculum - CISM 2012:
Information Security Governance (Part 1). This course is the first of three courses that
cover the concepts of the first job practice area, information security governance.
In this course, you'll learn about the importance of information security governance in an
organization and the tasks within this practice area. The course will also help you
recognize the senior management responsibilities related to information security
governance.
Additionally, this course will explain the information security business model and the
relationship between senior management and the information security manager.
Finally, the course covers information security governance metrics and highlights their
need for measuring information security activities.
5. Information Security Governance Concepts
5.1. Introduction to Information Security Governance
After learning from this topic, you should be able to:
Identify the tasks within the information security governance job practice area;
Recognize the outcomes of information security governance.
5.1.1. Tasks
The first domain or job practice area of an information security manager (CISM) is
information security governance. This job practice area establishes and maintains a set
of policies and procedures to ensure information security strategies are aligned with
business goals and objectives.
It also defines the roles and responsibilities of the board of directors and executive
management with regards to information security and helps them perform the following
activities:
Achieving the organization's information security goals and objectives;
Formulating a strategic direction for information security activities;
Ensuring the efficient utilization of information resources, and;
Managing the risks related to information security.
The main objective of this job practice area is to ensure that a CISM understands two
aspects of information security:
The basic requirements for successful information security governance:
A CISM should have a clear understanding of the basic requirements for the
success of information security governance.
For example, one requirement is that information security governance must be
aligned with the organization's goals and objectives, and must cover all physical,
operational, and technical processes.
The requirements for creating and executing an information security strategy:
A CISM should know about the components required and the steps that must be
performed to create an information security strategy and develop its execution
plan.
The information security strategy is created and executed through an information
security program.
This program includes elements such as security policies and standards, roles and
responsibilities, training on security processes, monitoring of security aspects,
metrics, risk management, and audits.
5.1.2. Quiz – Tasks 1
Identify the statements that correctly define information security governance.
Options:
1. A set of policies and procedures that establishes a framework of information security strategies.
2. A set of rules for achieving the information security goals and objectives of trading partners.
3. A job practice area that defines the information security responsibilities of Service Desk employees.
4. A practice area that ensures efficient utilization of information resources.
Answer (see Endnotes) i
To meet your organization's information security objectives, you must be able to perform
certain tasks within the information security governance job practice area. The first four
of these tasks are as follows:
A- Establish and maintain an information security strategy in alignment with
organizational goals and objectives to guide the establishment and ongoing
management of the information security program
B- Establish and maintain an information security governance framework to guide
activities that support the information security strategy;
C- Integrate information security governance into corporate governance to ensure that
organizational goals and objectives are supported by the information security program;
D- Establish and maintain information security policies to communicate management's
directives and guide the development of standards, procedures, and guidelines.
You need to perform five more tasks to establish an effective information security
governance structure:
1- Develop business cases to support investments in information security.
2- Identify internal and external influences to the organization – for example, technology,
business environment, risk tolerance, geographic location, and legal and regulatory
requirements – to ensure that these factors are addressed by the information security
strategy.
3- Obtain commitment from senior management and support from other stakeholders to
maximize the probability of successful implementation of the information security
strategy.
4- Define and communicate the roles and responsibilities of information security
throughout the organization to establish clear accountabilities and lines of authority.
5- Establish, monitor, evaluate, and report metrics – for example, key goal indicators
(KGIs), key performance indicators (KPIs), and key risk indicators (KRIs) – to provide
management with accurate information regarding the effectiveness of the information
security strategy.
Each information security governance task typically maps to several knowledge
statements. These statements identify what an information security manager should
know in order to perform the associated tasks.
For example, to create an information security strategy that aligns to organizational
goals, you must have the knowledge of information security concepts and their
components, business goals and objectives, and the scope of governance.
The information security governance job practice area includes around 20 knowledge
statements (see section related to Tasks and Knowledge Statements).
5.1.3. Quiz – Tasks 2
Which tasks are included in the information security governance job practice area?
Options:
1. Design the business goals and objectives and get senior management to sign off on them.
2. Establish and maintain information security policies.
3. Define and communicate the roles and responsibilities of information security throughout the organization.
4. Minimize the organization's driving factors and their influence on information security.
5. Establish, monitor, evaluate, and report KGIs, KPIs, and KRIs.
Answer (see Endnotes) ii
5.1.4. Importance
The exponential growth of information technology has made information a key asset for
any business. In fact, for many organizations, like those involved in IT services,
information management is a source of business.
Organizations in all types of industries, such as textiles, banking services, and
telecommunications, rely heavily on information in digital form to conduct their business.
According to research by the Brookings Institution, information and other intangible assets
make up almost 80% of a company's market value. As a result, companies might
continue to exist after losing other assets such as people and equipment, but most of
them cannot bear the loss of crucial information.
As the dependency on information continues to increase, so does the potential for
criminal activity. For example, you might come across many instances of hacking and
cyber-attacks that attempt to steal or damage vital information. Apart from handling
these threats, a company also needs to ensure that its information adheres to all
relevant laws and regulations.
Considering all aspects related to information – dependency, threats, and adherence to
laws - it is necessary for an organization to address information security at the highest
level. Essentially, information security should be treated as a governance function at the
board level. The board of directors and senior management should be actively involved
in information security governance, and should be aware of their roles and
responsibilities in managing information security.
The main purpose of information security governance is to ensure the safety of
information, including its confidentiality, integrity, and availability. Information security
governance protects information from loss, misuse, unauthorized usage, and destruction
during its life cycle or the time it is being used in an organization.
To implement information security governance effectively, it needs to be linked to the
goals and objectives of the organization. Additionally, it should completely protect the
information associated with all physical and technical operations. To do so, information
security governance requires strategic leadership and momentum. It also requires the
allocation of adequate resources and proper management of its activities.
Effective information security governance provides an organization with many benefits.
Some of the benefits include:
Accountability for protecting information during important business activities:
Information security governance provides accountability for information protection during
important business activities. An example of such an activity is a merger of two
companies. During the merger, information security governance ensures that a person is
made responsible for recording and managing all critical information belonging to the
associated companies. This ensures that information is not lost or misused.
Reduction in the impact of security incidents:
Information security governance reduces the impact of security incidents, thereby
reducing the losses from such incidents and preventing them from becoming disastrous.
For example, consider an IT company that has implemented information security
governance. When this company faces a serious cyber-attack, not all of its information
will be lost and the company will be spared complete destruction, because it has
predefined procedures that quickly identify and contain the attack.
Reduction in risks to tolerable limits:
Information security governance reduces the risks associated with information security
to levels that can be defined and tolerated by the business. This is achieved by setting
up risk management processes and assessing risks periodically. A reduction in risks
ensures that the outcomes of business operations are as expected.
Information security governance has more benefits for organizations:
Protection from civil and legal liabilities:
Information security governance protects organizations from the growing possibility of
civil and legal liabilities. Such liabilities may arise because of incorrect information or a
failure to properly protect it. Information security governance reduces both of these
exposures by implementing specific procedures that secure information.
Enhancement of trust in customer relationships:
Information security governance helps you enhance customers' trust in your
organization and develop better customer relationships. When customers know that an
organization uses information security governance to protect its information, they can be
sure of the organization's capability to safeguard critical information.
Assurance of policy compliance:
The basis of information security governance is a security policy. This policy includes
standards and guidelines that cover every aspect of information security. Implementing
a well-defined information security governance structure helps assure the stakeholders
of a business, such as management, employees, and customers that the organization's
information security procedures comply with its security policy.
Protection of company reputation:
Information security governance helps protect a company's reputation and goodwill.
Consider a company that uses information security governance to safeguard its
information. As a result, people are assured that the company always provides correct
information that adheres to all legal and regulatory needs. People also know that any
incident related to information security will not have a major impact on the services
provided by the company. These aspects help the company to protect its reputation.
5.1.5. Quiz - Importance
Which statements demonstrate the importance of information security governance?
Options:
1. It provides protection from civil and legal liabilities.
2. It reduces the impact of security-related incidents.
3. It eliminates risks in business operations.
4. It protects the confidentiality, integrity, and availability of information.
5. It assures conformance to security policy.
6. It protects physical and technical operations during important business activities.
Answer (see Endnotes) iii
5.1.6. Basic outcomes
In order to be effective, information security governance needs to provide six basic
outcomes:
Strategic alignment.
Value delivery.
Risk management.
Performance measurement.
Resource management.
Integration.
Strategic alignment:
Strategic alignment means ensuring that the information security strategy meets
business goals and objectives. You can achieve strategic alignment by ensuring that
security solutions comply with business processes and cater to your company's
structure, governance style, technology, and culture.
You can also ensure that security requirements are derived from business requirements
that clearly specify the actions to be taken for organizational growth and the ways of
measuring the achievement of those actions.
Also, you can ensure that information security investment is in line with the business
strategy and the organization's profile of risks, threats, and vulnerabilities.
Value delivery:
While strategic alignment ensures that the information security strategy is aligned with
organizational goals and objectives, value delivery indicates the optimal security
investments to support these goals and objectives.
To achieve value delivery, you need security practices that are directly related to risks
and their likely effects. By doing so, you can direct the majority of your security efforts
toward the business areas that have the greatest impact on the organization and
provide the greatest benefits.
For example, in an IT company designing web sites, the web site development function
generates maximum revenue and is critical for the growth of the business. So the
company needs to prioritize the security of this section.
You can also ensure that the information security strategy provides a complete solution
to cover the organization, such as its processes and technology. These solutions should
be standards-based, structured, formalized, and easily accessible.
Additionally, you can build an organizational understanding that information security is
not an event, but a process that needs constant improvement.
Risk management:
Another outcome of information security governance is risk management that involves
reducing risks and their likely effects on information to an acceptable limit. As a part of
risk management, you can develop a common understanding of the organization's
profile of risks, threats, and vulnerabilities. This goes together with an awareness of risk
exposure and its possible effects on business operations. Based on these effects, you
can set priorities for risk management.
Risk management helps you mitigate risks, but it cannot eliminate them completely. The
risk that remains after controls have been applied is called residual risk; it can be
accepted when its potential impact is within the tolerance set by the business, or treated
further to bring it down to an acceptable level.
5.1.7. Quiz - Basic outcomes 1
What are the outcomes of successful implementation of information security governance in an
organization?
Options:
1. Organization-wide understanding that information security is an event.
2. Acceptance of residual risks based on an understanding of their likely effects.
3. Alignment of the information security strategy with organizational goals.
4. Minimal investment in information security to sustain business objectives.
Answer (see Endnotes) iv
Performance measurement:
In addition to managing risks, it's important that information security processes are
monitored, and that the associated results are reported to ensure that organizational
goals are met. This monitoring and reporting is called performance measurement and
requires a set of definite and approved metrics that are in line with business objectives.
These metrics should provide adequate information for effective decision-making at
various levels in the organization, namely strategic, operational, and management.
Some examples of these metrics are the number and type of security incidents, the
number of systems not meeting security requirements, and the number and type of
access violations.
Apart from metrics, there should be a proper measurement process that detects flaws in
security procedures and determines the progress made in resolving security issues.
External assessments and audits can also be conducted to obtain assurance about
security processes.
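To make the performance measurement idea concrete, the following is an added example (not code from the study notes or from the CISM curriculum). It computes three of the metrics named above (number and type of incidents, systems not meeting security requirements, access violations) from constructed records, and compares each against a threshold so that a breach is reportable to management. The record layouts, the field names, the baseline used for "compliant", and the threshold values are all assumptions made for the example.

```python
# Added example, not from the study notes: governance metrics computed from
# constructed records and checked against assumed thresholds.
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (not real incidents, hosts or users).
INCIDENTS = [
    {"id": "INC-001", "type": "phishing", "severity": "medium"},
    {"id": "INC-002", "type": "malware", "severity": "high"},
    {"id": "INC-003", "type": "phishing", "severity": "low"},
    {"id": "INC-004", "type": "data-leak", "severity": "high"},
]
SYSTEMS = [
    {"host": "web-01", "patched": True, "edr": True},
    {"host": "web-02", "patched": False, "edr": True},
    {"host": "db-01", "patched": True, "edr": True},
    {"host": "legacy-01", "patched": False, "edr": False},
    {"host": "hr-01", "patched": True, "edr": False},
]
ACCESS_LOG = """\
2024-03-01T08:02:11Z user=alice resource=/finance/ledger result=allow
2024-03-01T08:05:40Z user=bob resource=/hr/payroll result=deny
2024-03-01T08:06:02Z user=bob resource=/hr/payroll result=deny
2024-03-01T09:14:27Z user=carol resource=/eng/repo result=allow
2024-03-01T09:20:55Z user=bob resource=/finance/ledger result=deny
""".splitlines()

# Assumed log line format: "<timestamp> user=<u> resource=<r> result=allow|deny"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<res>\S+) result=(?P<result>allow|deny)$"
)


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def incidents_by_type(incidents):
    """Number and type of security incidents."""
    return Counter(i["type"] for i in incidents)


def noncompliant_systems(systems):
    """Systems not meeting the (assumed) baseline: patched and EDR agent present."""
    return [s["host"] for s in systems if not (s["patched"] and s["edr"])]


def access_violations(lines):
    """Denied access attempts counted per user; malformed lines are skipped."""
    denied = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["result"] == "deny":
            denied[rec["user"]] += 1
    return denied


@dataclass
class Metric:
    name: str
    value: float
    threshold: float  # value at or above which management is alerted

    @property
    def breached(self) -> bool:
        return self.value >= self.threshold


def governance_report(incidents, systems, log_lines):
    """Collect the metrics and mark which ones breach their threshold.
    Thresholds are assumptions standing in for values agreed with management."""
    by_type = incidents_by_type(incidents)
    noncompliant = noncompliant_systems(systems)
    violations = access_violations(log_lines)
    metrics = [
        Metric("high_severity_incidents",
               sum(1 for i in incidents if i["severity"] == "high"), 2),
        Metric("noncompliant_system_ratio", len(noncompliant) / len(systems), 0.25),
        Metric("max_access_violations_per_user", max(violations.values(), default=0), 5),
    ]
    return {
        "incidents_by_type": dict(by_type),
        "noncompliant_systems": noncompliant,
        "access_violations": dict(violations),
        "breaches": [m.name for m in metrics if m.breached],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(governance_report(INCIDENTS, SYSTEMS, ACCESS_LOG), indent=2))
```

The point of the thresholds is that a metric only becomes a governance signal once management has agreed what value counts as unacceptable; the same raw counts without an agreed threshold are operational data, not a performance measure.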
Resource management:
Besides measuring the performance of information security processes, it is essential to
make effective use of information security infrastructure and knowledge, which is called
resource management.
The primary goals of resource management include:
Keeping a record of security practices and processes.
Acquiring knowledge and making it accessible.
Building a security architecture that identifies and uses infrastructure resources
properly.
Integration:
Developing an effective information security governance structure helps you to integrate
significant assurance functions to make sure that information security processes work as
expected.
To achieve this integration, you first need to identify the different assurance functions in
the organization. Some examples of these functions are internal and external audits,
quality assurance, IT security, and legal departments.
You then need to establish formal relationships with the various assurance functions
and coordinate them so that, taken together, they cover the whole organization. The
roles and responsibilities of the assurance functions should deliberately overlap, so that
no control depends on a single function.
For example, the IT team may carry out a weekly check of the software installed on user
systems, while the internal audit team may independently sample user systems monthly
or bimonthly to verify that only authorized applications are installed. Both teams check
the same control, but at different times and independently of each other, so a failure
missed by one is likely to be caught by the other.
You also need to plan, implement, and manage information security in a systematic way
that takes the assurance functions into account.
The linkage between IT and information security (IS) must be built starting at the
strategy level, so that the objectives of both are achieved together.
5.1.8. Quiz - Basic outcomes 2
Identify the desired outcomes of information security governance.
Options:
1. It should provide additional assurance about security processes through external assessments.
2. It should ensure that the assurance functions in an organization are independent of each other.
3. It should ensure the effective use of information security infrastructure and knowledge.
4. It should provide metrics for measuring the achievement of business objectives.
Answer (see Endnotes) v
5.1.9. Summary
Information security governance is a set of procedures and duties performed by the
executive management and board of directors. It involves achieving information security
objectives and giving planned direction.
It also ensures that the organization's information resources are used efficiently and
security risks are managed in the proper manner.
Effective information security governance provides many benefits, such as
accountability for protecting information during important business activities, reducing
the impact of security incidents, and reducing risks to tolerable levels.
Effective information security governance provides six basic outcomes - strategic
alignment, value delivery, risk management, performance measurement, resource
management, and integration.
5.2. Senior Management and Information Security Governance
After going through this topic, you should be able to:
Recognize the difference between corporate governance and information security
governance.
Match senior management roles with their corresponding responsibilities related to
information security governance.
5.2.1. Corporate and IS governance
Increasing risks to information warrant the need to make information security an
important part of an organization's governance structure. Information security
governance is a complex task that requires strategic direction, resource allocation,
identification of roles and responsibilities, and process monitoring. Information security
governance should also address legal and regulatory standards of due care.
All these requirements can be fulfilled only when senior management, including the
board of directors and executive management, provide support for information security
governance.
The board of directors should make information security governance an integral part of
corporate governance and ensure proper use of information by employees,
stakeholders, and customers. The executive management should ensure the effective
implementation of the information security governance structure.
The board of directors and executive management should also ensure that information
security governance aligns with business goals and objectives. The level of this
alignment determines the success of information security governance in protecting
information that is critical for the existence and growth of the business.
Also, business goals and objectives define the strategic direction of the organization. An
understanding of this strategic direction helps in linking information security governance
to corporate governance.
Corporate governance is a set of procedures and duties performed by the board of
directors and executive management to direct and control the organization. Corporate
governance helps the board of directors to:
Ensure that business objectives are met.
Provide strategic direction for business activities.
Verify the efficient use of the organization's resources.
Ensure proper handling of business risks.
While corporate governance deals with performance and control at all levels of the
organization, information security governance is a subset of corporate governance.
Information security governance is concerned with the policies and controls related to
protecting information in the organization. It helps you to:
Ensure that information security objectives are achieved.
Provide strategic direction for information security activities.
Ensure the efficient use of information resources.
Manage information security risks.
Corporate governance deals with issues that involve transparency in business
operations. These include timely and accurate disclosure of financial information,
adherence to industry standards and regulations, protection of stakeholder rights, social
responsibility, and ethical business practices. If an organization uses unfair trade
practices or fails to comply with regulations, it can lead to public litigation and damage to
the organization's goodwill.
Consider an organization that is required to perform regular financial audits. If the
organization does not follow audit procedures, it might report incorrect financial
information to stakeholders, which is a corporate governance issue.
Information security governance, on the other hand, deals with security activities and
mitigating risks to organizational information. This includes storage, transfer, security,
and accessibility of information.
For example, business data lying unattended on an employee's table, a user gaining
unauthorized access to a computer, virus attacks, and tailgating are information security
governance issues.
To ensure the effectiveness of information security governance, the executive
management should develop a security governance framework. This framework can
then be used to create and manage an extensive and cost-effective information security
program that meets business objectives. The general components of the information
security governance framework are:
Security strategy:
The framework should have an extensive security strategy that is aligned with business
objectives. The security strategy must take into account the scope, processes,
technology, and structure of the organization.
Security policies:
The framework must define the security policies that are to be used to implement the
security strategy. These policies should cover all aspects of the strategy, controls, and
regulation to ensure that all information is secure.
Standards:
The framework needs to implement a set of standards to ensure that security
procedures conform to the security policies.
Security organizational structure:
In order to avoid conflict, the framework should create a security organizational structure
that clearly specifies the roles and responsibilities of each stakeholder. The structure
should also include sufficient authority and resources for the roles involved.
Metrics and monitoring processes:
Structured metrics and monitoring processes are required in the framework to make
sure that the security policies are being followed. These processes also give reports
about the efficiency of the policies and help the management in decision-making.
The information security governance framework is a part of an organization's overall
governance framework. Corporate governance sits at the top of that framework, drives
everything in the organization, and mitigates risk through a risk management strategy.
Within that strategy, IT security and information security exist as two related but
separate functions: IT security focuses on protecting the technology infrastructure (the
systems and networks, and the physical, policy, and procedural controls around them),
whereas information security is concerned with protecting information in all its forms,
wherever it is stored, processed, or transmitted, with IT security controls being one part
of that. Regardless of the focus, all aspects of the governance framework need to be
aligned with the overall business goals.
5.2.2. Quiz - Corporate and IS governance
Which examples are related to information security governance?
Options:
1. An organization is facing negative public perception created by the media.
2. A project manager is unable to access important files associated with a project.
3. The stakeholders of a company are complaining that their interests are being compromised.
4. The assessment ratings of employees, which are meant to be confidential, are disclosed.
Answer (see Endnotes) vi
5.2.3. Senior management responsibilities
Information security governance is one of the primary responsibilities of the board of
directors and executive management. However, they alone cannot manage all the tasks
associated with protecting information. So there are other roles involved in information
security governance, namely the steering committee and the chief information security
officer or CISO.
The board of directors or senior management are responsible for including information
security governance in the corporate governance framework. They should be committed
to the cause of information security and provide strategic direction and momentum to it.
Board members should also have complete knowledge of their organization's critical
information assets. To identify these assets and the associated security risks, the board
members can conduct a risk assessment and business impact analysis. This data can
help the board members establish adequate monitoring and control procedures for the
authorized use and protection of assets.
To further contribute to the effectiveness of information security governance, board
members should review and approve the security policy, metrics, and monitoring
processes. They should also allocate sufficient resources for information security, assign
its responsibility to a committee, and find out ways of determining its success.
Board members should also follow security measures. This encourages all employees in
the organization to follow these measures. Board members can ensure that employees
not conforming to the security measures are provided with appropriate training and
awareness programs.
In addition to the board of directors, the members of executive management play an
important role in information security governance. They implement information security
governance effectively and identify strategic information security objectives. To complete
these tasks successfully, executives provide leadership and continuous support to the
people involved in implementing information security.
To help build and execute an effective information security strategy, executives ensure
the integration of the strategy with different business processes and obtain cooperation
from the process owners. The success of this integration determines the level to which
information security activities comply with business objectives. This compliance further
decides the efficiency of the information security program in providing a definite,
expected, and acceptable level of information protection.
Another group associated with information security governance is the steering
committee. This committee consists of senior representatives of departments that are
directly or indirectly affected by information security policies.
For example, according to an organization's information security policy, financial records
need to be secure. This requirement directly affects the finance department. So some
people from this department need to be part of the steering committee.
The steering committee aims to involve all stakeholders influenced by security aspects.
The committee helps to achieve organizational consent over priorities related to
information security. The committee also works toward establishing a culture that is
positive for the success of information security. Additionally, the committee acts as a
communication channel between the senior management and the employees. It ensures
that the information security program continually complies with the business goals and
objectives.
5.2.4. Quiz - Senior management responsibilities 1
What are the responsibilities of the board of directors with respect to information security?
Options:
1. Involve all stakeholders influenced by security considerations.
2. Integrate information security governance with corporate governance.
3. Review and approve the security policy.
4. Act as a communication channel between the senior management and employees.
Answer (see Endnotes) vii
Another key role linked with information security governance is the CISO. The title
varies between organizations: the same responsibilities may be held by a chief security
officer (CSO), or in some companies by the chief information officer (CIO) or the chief
financial officer (CFO), and in some companies the chief executive officer (CEO) might
also perform the role.
The power and duties of a CISO differ from one company to another. At one end of the
range is a CISO who reports directly to the CEO; at the other is a system administrator
who has been given information security as an additional responsibility and reports to
the IT manager or CIO.
The usual responsibilities of a CISO include developing an information security strategy
and getting it approved by senior management. The CISO also ensures the commitment
of senior management at all stages of information security governance. Additionally, the
CISO establishes reporting and communication channels in the whole organization to
make sure that information security governance is effective. The CISO should also be
aware of the financial and budgeting processes and ensure that the information security
program is cost effective.
The board of directors, executive management, and CISO have specific responsibilities
that map to the outcomes of effective information security governance.
To achieve strategic alignment, the board of directors should provide direction for
ensuring clear mapping of the information security strategy with business objectives.
The executive management must lay the foundation for this mapping by establishing
relevant processes. The CISO needs to create the security strategy and ensure
continuous mapping of this strategy with business objectives by coordinating with
process owners. The CISO should also supervise the security program and the plans
associated with it.
Another outcome of information security governance is value delivery. For this outcome,
the board of directors needs to ensure optimal security investments by monitoring the
expenditure in security operations. The executive members should consider the security
policies and procedures and conduct business case studies for them. The CISO must
ensure that information security resources are used in an efficient way by continuously
supervising them.
In addition to ensuring value delivery, the senior management needs to manage security
risks; this outcome is called risk management.
To achieve this outcome, the board members identify the threats and vulnerabilities of
information security and their impact on the organization. They also supervise a security
policy for risks and make sure that all people and processes in the organization adhere
to this policy. The executive management performs continuous checks for adherence to
the risk policy. It also ascertains that risk management is a part of all actions performed
at all levels in the organization. The CISO creates policies and procedures for reducing
risks, implements the risk policy, and makes sure that different sections of the
organization evaluate potential risks and their impacts on business.
The senior management also needs to attain another outcome of information security
governance, which is resource management. For this outcome, the board members
ensure effective use of knowledge and information security resources by supervising the
policy for them. The executive members establish processes to attain knowledge and
metrics for measuring efficient utilization of resources. The CISO builds these metrics
and finds out ways of acquiring and distributing knowledge.
Besides managing resources, it's important to measure the performance of security
processes in an organization. To do this, the board of directors must implement a
system that gives them regular reports about the effectiveness of security processes.
The executive managers need to supervise the security actions and gather metrics for
measuring the efficiency of these actions. The CISO should examine the security
actions and provide appropriate guidance. The CISO should also create and execute
methods for supervising security actions and gathering metrics.
The last outcome of information security governance is integration, also referred to as
assurance process integration. This outcome requires the board of directors to ensure proper coordination of assurance
functions by supervising the relevant policy. The executive members supervise all
assurance functions and the plans for coordinating the activities of these functions. The
CISO interacts with all assurance providers and ensures that there are no
misunderstandings or gaps in the integration activity.
5.2.5. Quiz - Senior management responsibilities 2
Match each senior management role with the associated responsibility concerning information security
governance.
Options:
A. Board of directors.
B. Executive management.
C. Steering committee.
D. CISO.
Targets:
1. Achieves organizational consensus over priorities related to information security.
2. Sets up reporting and communication channels in the whole organization.
3. Establishes processes for integrating security with business objectives.
4. Identifies information assets that need protection.
Answer (see Endnotes) viii
5.2.6. Summary
Information security governance is a board-level activity and is an integral part of
corporate governance.
Corporate governance is a set of procedures and duties performed by the board of
directors and executive management to direct and control the organization. Information
security governance involves implementing and managing information security.
For information security governance to be effective, the board of directors or senior
management must be actively involved in it. The executive management must
implement information security governance. The steering committee needs to ensure
the involvement of all stakeholders influenced by security considerations, and the CISO
should design and develop the information security strategy.
5.3. Business Model for Information Security
After going through this topic, you should be able to:
Identify the elements of the information security business model.
Recognize the interconnections between the elements of the information security
business model.
5.3.1. Elements of the model
A basic outcome of information security governance is the integration of key business
processes to achieve complete security. Organizations can achieve this integration by
using the governance, risk management, and compliance approach, also known as the
GRC approach.
GRC covers many interconnected activities of an organization, such as incident
management, enterprise risk management or ERM, operational risk, internal audits,
compliance programs, and several other activities.
GRC consists of three processes:
Governance:
Governance is the process that senior management can use to direct and control an
organization. It involves developing methods to ensure that all employees of the
organization adhere to its policies, standards, and procedures.
Risk management:
Risk management helps you create and implement methods for mitigating risks. Using
this process, you can establish the organization's risk tolerance, recognize potential
risks and their impact on business operations, and decide the priority for mitigating the
risks based on business goals and risk tolerance.
Compliance:
Compliance is the process using which you can supervise the controls and methods that
ensure adherence to an organization's policies, standards, and procedures.
All of the three GRC processes are interdependent and influence one another. For
example, risk management identifies risks that can be mitigated only by improving
governance and compliance. Similarly, when new governance methods are introduced,
the compliance process needs to be updated to ensure their supervision. So it's
important that these processes work together with a common goal, which means that
they should be integrated.
To integrate the GRC processes effectively, an organization needs to establish
governance before implementing risk management and enforcing compliance. This
integration is vital for the success of any area in which GRC is used, including
information security governance.
In addition to GRC, information security governance uses systems theory to manage
security in an organization.
Systems theory can be defined as a network of processes, people, technologies,
relationships, events, reactions, and results that interact with each other to achieve one
common goal. By analyzing these interactions, an information security manager can
understand the working of a system in an organization and control any risks to it.
The basic idea of this theory is that a system can be properly understood only when it is
considered as a whole, and not merely as a collection of parts. Because the parts
interact, studying how one part behaves and changes tells you something about the rest
of the system, but no part can be understood in isolation from the others.
Systems theory brings a number of benefits to information security governance. It
enables information security managers to clearly define a security system in terms of
what is included in it and what is not. This helps in planning and implementing security
solutions and enables stakeholders to understand the importance of security.
Systems theory also helps information security managers understand the impact that a
change in one part of the security system has on the other parts. This helps them
effectively handle security issues in complicated and dynamic environments.
Additionally, the theory makes it possible for information security managers to adapt to
changes in strategic directions and operations, team up with different sections of the
organization, and handle the impact of external issues.
Based on systems theory, there exists an information security business model that helps
you understand complex relationships in an organization to effectively manage
information security. This model consists of four elements that are linked with six
dynamic interconnections. These elements and connections set the limit for information
security and define its response to changes inside and outside the organization.
The four elements of the model are:
Organization design and strategy.
People.
Process.
Technology.
An organization represents a group of people, processes, and assets that have distinct
roles and work with each other to achieve a common objective.
Every organization has a strategy that determines its direction with regards to its internal
and external factors. The strategy identifies the goals and objectives to be attained and
the values and missions to be followed.
The way in which an organization implements its strategy is called its design. Designing
the organization around its strategy requires resources such as knowledge, people,
processes, and equipment.
Another key element of the information security business model consists of an
organization's people or human resources. The human resources are the primary users
of the organization's assets and are also involved in implementing the organizational
strategy. As a result, most security issues concern them.
As an information security manager, you need to address security issues by considering
the values, culture, and behavior of the people inside and outside the organization.
Outside the organization, the actions of suppliers, customers, media, and stakeholders
influence its activities. The information security manager should consider this external
influence when developing an information security governance structure.
For example, the information security manager of a bank can develop guidelines on how
its customers can maintain the security of their account information. Similarly, a car
manufacturing company's security manager can define what information can be
disclosed when inviting quotations from suppliers.
Inside the organization, the information security manager needs to interact with legal
and human resource divisions to deal with various employee-related security issues:
Employment:
The information security manager should ensure that the security issues that arise
during employment are fully addressed by the organization. For example, the
organization should define employees' access rights to applications, train employees on
the information security aspects of their work, and restrict physical movement within its
premises to the areas each employee needs.
Recruitment:
It is the responsibility of an information security manager to safeguard information
related to recruitment. This information can be in the form of interview results,
descriptions of roles and responsibilities, and details of the background checks of
selected candidates.
Termination:
The information security manager must protect information associated with termination
of employees. The manager should ensure that data related to termination is kept
confidential and unauthorized users are not allowed access to it. After termination, all
access rights of the user should be revoked.
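One way to verify the last requirement, that access is actually revoked after termination, is to reconcile the HR leavers feed against the account exports of every system. The Python below is an added example, not code from the study notes: the HR records, the account exports, the field names, the reporting time and the 24-hour grace window are all constructed assumptions for the illustration.

```python
"""Added example (not from the study notes): checking that access is actually
revoked after termination by reconciling an HR leavers list against the accounts
still enabled in each system. All records are constructed; the field names, the
reporting time and the 24-hour grace window are assumptions for illustration."""
from datetime import datetime, timedelta

# Constructed HR feed: employee id, name, termination date (ISO) or None if employed.
HR_RECORDS = [
    {"emp_id": "E100", "name": "alice", "terminated": None},
    {"emp_id": "E101", "name": "bob", "terminated": "2024-05-01"},
    {"emp_id": "E102", "name": "carol", "terminated": "2024-05-09"},
    {"emp_id": "E103", "name": "dave", "terminated": "2024-04-15"},
]

# Constructed account exports from three systems, keyed by employee id.
# Payroll keeps its own user store, so an account can survive there after the
# directory account was disabled (E103): the classic orphaned account.
ACCOUNTS = {
    "directory": {"E100": "enabled", "E101": "enabled", "E102": "enabled", "E103": "disabled"},
    "vpn":       {"E100": "enabled", "E101": "disabled", "E102": "enabled"},
    "payroll":   {"E100": "enabled", "E103": "enabled"},
}

GRACE = timedelta(hours=24)          # assumed: one day allowed to process a leaver
NOW = datetime(2024, 5, 9, 18)       # constructed reporting time for the sample


def overdue_accounts(hr_records, accounts, now):
    """Return [(emp_id, system)] for leavers whose accounts are still enabled
    after the grace period. Employees with no termination date are ignored,
    and a leaver still inside the grace window is not yet a finding."""
    findings = []
    for rec in hr_records:
        if rec["terminated"] is None:
            continue
        left_at = datetime.fromisoformat(rec["terminated"])
        if now - left_at <= GRACE:
            continue
        for system, entries in accounts.items():
            if entries.get(rec["emp_id"]) == "enabled":
                findings.append((rec["emp_id"], system))
    return findings


def revocation_rate(hr_records, accounts, now):
    """Governance metric: fraction of leavers whose access is fully revoked."""
    leavers = [r for r in hr_records if r["terminated"] is not None]
    if not leavers:
        return 1.0
    overdue_ids = {emp for emp, _ in overdue_accounts(hr_records, accounts, now)}
    return 1 - len(overdue_ids) / len(leavers)


if __name__ == "__main__":
    for emp, system in overdue_accounts(HR_RECORDS, ACCOUNTS, NOW):
        print(f"REVOKE: {emp} still enabled in {system}")
    print(f"revocation rate: {revocation_rate(HR_RECORDS, ACCOUNTS, NOW):.0%}")
```

The check iterates over every system's export rather than trusting the central directory alone, because the account that outlives a termination is usually the one in an application with its own user store (payroll for E103 above), where the directory shows the leaver correctly disabled.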
Every organization requires processes to ensure that its human resources perform their
tasks using an established set of procedures. The process element comprises formal
and informal methods of doing things, and it also acts as a link for all the dynamic
interconnections.
Setting up processes helps an organization to define the roles and responsibilities of
each resource and identify and control risks to information. Processes also ensure that
information is available when required and protected from unauthorized access.
To make its processes effective, an organization needs to:
Ensure that they conform to its policy and business needs.
Ensure that they can be modified according to changing requirements.
Conduct their regular reviews for continual improvement.
Keep their detailed records and share them with authorized personnel.
To ensure an effective and efficient implementation of organizational processes, you
need technology. Technology is an integral element of an organization's information
security business model. It consists of all the applications, tools, and infrastructure
required to meet business goals.
Many organizations consider technology to be an effective method for managing risks to
information security. This can be true to some extent because technology can mitigate
some risks, but it also keeps evolving and has its own risks. So it is not advisable to
completely depend on technology to ensure information security.
Technology is influenced by the people using it and the culture of the organization in
which it is used. Some people do not trust it, some find it difficult to use, and some
believe it reduces their performance. Information security managers must be aware of
these possibilities and take steps to limit this occurrence.
For example, an organization's Service Desk staff may not want to use a new
application to log customer complaints. In such a case, the information security manager
must ensure that the staff are provided detailed information about how the application
will make their work simpler and enable them to work faster. The manager should also
arrange proper training on the application for the staff so that they find it easy to use.
5.3.2. Quiz - Elements of the model
Which element of the information security business model represents the formal and informal ways of
doing things?
Options:
1. Organization.
2. People.
3. Process.
4. Technology.
Answer (see Endnotes) ix
5.3.3. Interconnections between elements
The elements of the information security business model are linked through six dynamic
interconnections to ensure that each element aligns with business goals and objectives.
The six interconnections are:
Governance.
Culture.
Enablement and support.
Emergence.
Human factors.
Architecture.
The governance interconnection links the organization and process elements. Its aim is
to direct and control the organization by providing strategic guidance, ensuring that
objectives are achieved, managing risk, and monitoring whether resources are used
efficiently.
Governance sets the operating boundaries of an organization and is carried out through
processes. It measures performance, defines corrective actions, ensures compliance, and
helps the organization adapt to changing business conditions.
For example, an organization that is fully committed to information security and has
established processes to identify and manage security risks is likely to face fewer
security incidents. On the other hand, an organization without a defined information
security governance structure is more vulnerable to theft, damage, or misuse of
information.
If governance connects an organization and its processes, culture links the organization
to its people. Culture represents the way people behave, what they assume and believe,
their opinions, and how they do things. Culture exists at every level of society, such as
families, organizations, and countries. It is formed from both internal and external
influences and is continuously evolving. Culture develops as a set of shared behaviors
when a group of people respond to the same experience in a similar manner.
It is essential to understand the culture of an organization because it affects, and is
affected by, organizational patterns. Culture also shapes the way in which people
understand and use information within the organization.
Another dynamic interconnection in the information security business model is
enablement and support, which links the technology and process elements. It involves
creating security policies, guidelines, and standards that support business needs. These
policies, guidelines, and standards should accommodate changes in organizational
objectives and should reduce or remove conflicts between people.
To ensure that employees adhere to security policies, controls, and procedures, make
them simple to use, and make the purpose of each measure clear so that users can see
that their work efficiency will not suffer because of it.
5.3.4. Quizz - Interconnections between elements 1
Match the elements of the information security business model with their dynamic interconnections. You
may use each element more than once.
Options:
A. Organization.
B. Process.
C. People.
D. Technology.
Targets:
1. Governance.
2. Culture.
3. Enablement and support.
Answer (see Endnotes) x
One more interconnection in the information security business model is emergence,
which links the people and process elements. It refers to patterns in the life of an
organization that appear and develop without an obvious cause and whose results are
difficult to foresee and control. One way to address these patterns is to consider emergent
issues in the system development life cycle, risk management, and change control; another
is to feed them into process improvement and feedback loops.
Consider this example. While performing routine tasks, an organization's information
security manager realizes that the information associated with some old projects is
missing. The manager tries to find the cause of the loss and its immediate consequences
but cannot reach a conclusion.
Later, the customer requests a change to those old projects. The organization accepts
the request but has to ask the customer to supply all the project-related information.
In this way, the emergent issue of information loss damages the organization's
reputation.
The emergence interconnection links people with processes, and people are linked with
technology through the human factors interconnection that indicates the interaction and
gap between these elements. Human factors include age, cultural experience, and work
experience. Because of these factors, people might not adhere to security policies.
For example, consider a young employee who does not have any work experience and
has joined a large organization that has security policies. This person might not
understand the importance of these policies immediately and might be careless in
following them.
People might also not understand a technology, or simply refuse to use it. Such rejection
can lead to security problems such as damage, loss, theft, leakage, and misuse of
information.
For example, suppose the employees of a newly formed company have been instructed to
install antivirus software on their computers. Some employees do not install it because
they do not understand how to, and their computers are left exposed to malware that could
destroy their data. So it is essential to train all employees on the relevant technologies
and, where possible, to deploy such controls centrally rather than rely on each user to
install them.
Technology is not only linked with people, but also with the organization in which it is
used. The architecture interconnection establishes this link. It covers the policies,
processes, people, and technology that make up an organization's security practices. To
understand the need for information security and to create a security architecture, a
strong business information architecture should first be in place.
The security architecture of an organization ensures consistent and cost-effective
security across its different lines of business. It also enables the organization to
decide on security investments proactively. The security architecture defines the
placement of security controls and their relationships with the overall IT architecture,
so the organization can achieve consistent, end-to-end protection from threats through
the architecture interconnection.
5.3.5. Quizz - Interconnections between elements 2
Match each element of the information security business model to its dynamic interconnections. You
may use each element more than once.
Options:
A. Technology.
B. People.
C. Organization.
D. Process.
Targets:
1. Emergence.
2. Human factors.
3. Architecture.
Answer (see Endnotes) xi
5.3.6. Summary
An organization can integrate its key business processes by using GRC that comprises
governance, risk management, and compliance. Governance must be established
before implementing risk management and enforcing compliance for effective
information security.
Apart from GRC, information security draws on systems theory, which enables information
security managers to define and develop security models clearly.
Based on systems theory, the information security business model helps you understand
the complex relationships in an organization so that security can be managed effectively.
The model is made up of four elements linked by six dynamic interconnections. The
elements are organization, people, process, and technology. The dynamic interconnections
are governance, culture, enablement and support, emergence, human factors, and
architecture.
5.4. Practicing Information Security Governance Concepts
After going through this topic, you should be able to:
Recognize key concepts related to information security governance.
5.4.1. Exercise overview
In this exercise, you're required to recognize the key concepts of information security
governance, the management roles associated with it, and the business model for
implementing it.
This involves the following tasks:
identifying the need for information security governance
recognizing management responsibilities related to information security governance
identifying the elements and their interconnections in the information security business
model.
5.4.2. Identifying need
5.4.2.1. Quizz - Identifying need 1
What is information security governance?
Options:
1. A set of guidelines that ensures elimination of all information security risks.
2. A set of procedures performed to meet business goals of the organization.
3. A job practice area that works toward protecting all physical and technical operations.
4. A collection of rules that ensures efficient use of information security resources.
5. A domain that requires strategic direction from senior management.
Answer (see Endnotes) xii
5.4.2.2. Quizz - Identifying need 2
As a Certified Information Security Manager or CISM, you need to strengthen information security in
your organization. So you plan to develop an information security governance structure. Which
statements will you use to justify the need for information security governance to the senior
management?
Options:
1. It enhances trust in customer relationships.
2. It provides complete safety from all security-related incidents.
3. It provides protection from civil and legal liabilities.
4. It protects an organization's reputation.
5. It requires minimum investment for protecting information.
Answer (see Endnotes) xiii
5.4.2.3. Quizz - Identifying need 3
Match the outcomes of effective information security governance with their descriptions.
Options:
A. Strategic alignment.
B. Resource management.
C. Integration.
D. Value delivery.
Targets:
1. Helps build an understanding that information security is a process.
2. Ensures that security solutions comply with business processes.
3. Takes the assurance functions into account while implementing information security.
4. Keeps a record of security practices and processes.
Answer (see Endnotes) xiv
5.4.3. Recognizing management roles
5.4.3.1. Quizz - Recognizing management roles 1
Match each security example with the applicable governance process. You can select each process
more than once.
Options:
A. The HR records of some employees are missing.
B. A company is earning a bad name for not following environmental regulations.
C. An employee can access all the data stored on the computers of other employees.
D. An organization is making a loss because of mismanagement of funds.
Targets:
1. Corporate governance.
2. Information security governance.
Answer (see Endnotes) xv
5.4.3.2. Quizz - Recognizing management roles 2
Don has been appointed as the chief information security officer or CISO in an organization. What tasks
should he perform to ensure proper information security governance?
Options:
1. Review and approve the security policy, metrics, and monitoring processes.
2. Create an information security strategy.
3. Ensure that the information security program is cost effective.
4. Ensure the involvement of all stakeholders influenced by security considerations.
5. Supervise all assurance functions and integration plans.
Answer (see Endnotes) xvi
5.4.3.3. Quizz - Recognizing management roles 3
A company's board of directors has created a steering committee to ensure the proper functioning of
information security governance. What would be the key responsibility of this steering committee?
Options:
1. Provide strategic direction for demonstrable alignment.
2. Ensure that risk and business impact assessments are performed.
3. Ensure that roles and responsibilities include risk management in all tasks.
4. Attain organizational consent over priorities related to information security.
Answer (see Endnotes) xvii
5.4.4. Identifying elements & interconnections
5.4.4.1. Quizz - Identifying elements & interconnections 1
Which statements are correct regarding the governance, risk management, and compliance or the GRC
approach?
Options:
1. Compliance involves developing methods to ensure adherence to standards, policies, and procedures.
2. An organization should establish risk management before setting up governance and compliance.
3. All three processes in the approach are interdependent and influence one another.
4. The approach covers interconnected activities of an organization.
Answer (see Endnotes) xviii
5.4.4.2. Quizz - Identifying elements & interconnections 2
Which element of the information security business model helps create a strategy to identify goals and
values and develop a design to implement the strategy?
The information security business model contains four elements that are connected together with six
dynamic interconnections. The first and second elements are interconnected with governance. The
second and third elements are connected through emergence, and the second and fourth elements are
connected through enablement and support. The first and third elements are connected with culture, and
the first and fourth elements are connected using architecture. The third element uses human factors to
connect to the fourth element.
Options:
1. Organization design and strategy.
2. People.
3. Process.
4. Technology.
Answer (see Endnotes) xix
5.4.4.3. Quizz - Identifying elements & interconnections 3
Which dynamic interconnection indicates patterns in an organization's life that develop without any
obvious reason and have results that are difficult to foresee and control?
The information security business model contains four elements that are connected together with six
dynamic interconnections. The organization element is linked to the people, process, and technology
elements with three different interconnections. The process element is connected to the people and
technology elements using two more interconnections. There is also an interconnection between the
people and technology elements.
Options:
1. Emergence.
2. Governance.
3. Culture.
4. Enablement and support.
5. Human factors.
6. Architecture.
Answer (see Endnotes) xx
6. Information Security Management and Metrics
6.1. Corporate Support for Information Security
After going through this topic, you should be able to:
Identify the optimal reporting relationship between senior management and the
information security manager.
Label examples of reports about information security according to their intended
recipients within an organization.
6.1.1. Optimal reporting relationship
The increasing use of information technology to access, process, store, and share
information has brought several benefits and opportunities for organizations around the
world. It has helped organizations increase their profit margins, reduce costs, provide
better customer services, and streamline operations.
However, the use of information technology has also made information vulnerable to
misuse and damage. As a result, a growing number of organizations are recognizing the
need to protect information assets. Information security activities like background
checks, user awareness, security controls, and regular audits help ensure security. To
manage all such activities, organizations employ dedicated information security
managers who have the expertise to manage information assets and the IT systems that
support these assets.
Information security managers act as process owners for all ongoing activities that help
an organization protect the confidentiality, integrity, and availability of its information
assets.
They perform several responsibilities:
Design, develop, and implement information security policies and procedures.
Monitor compliance of policies and procedures by all stakeholders in the organization.
Promote activities that help create information security awareness within the
organization.
Meet legal and regulatory requirements.
Obtain senior management commitment to information security initiatives.
Information security managers sit at different levels of the reporting hierarchy in
different organizations. Almost 35% of information security managers report to the chief
executive officer (CEO), 32% to the chief information officer (CIO), and 28% to the board
of directors.
Depending upon the reporting hierarchy, different organizations can have different titles
for the information security manager role.
For example, the title could be chief security officer, also known as CSO, or chief
information security officer (CISO for short), who reports to the company's CEO. This
reporting structure is considered optimal because it allows direct interaction between the
information security manager and the CEO.
This structure leads to direct alignment of security objectives with business goals and
facilitates quick decision-making on critical information security issues. It also provides
greater authority to the information security manager who can now communicate directly
to senior management and easily obtain their commitment.
Professional associations focused on IT security governance generally recommend that the
CISO report directly to the CEO, and in practice more organizations are adopting this
direct reporting relationship. Some organizations, however, still combine the information
security manager's role with that of the IT manager. In this case, the IT manager is
responsible for both information security and IT operations and typically reports to the
CIO rather than directly to the CEO.
Although a structure in which the IT manager also acts as information security manager
may be adequate for implementing security activities, it follows a bottom-up approach to
management. It is considered suboptimal because the information security manager cannot
interact directly with the CEO.
Also, the objectives of the information security manager often conflict with the IT
manager's goals, because security functions are primarily governing while IT functions
are primarily operational. Security functions design and develop the policies and
procedures that govern IT operations; IT functions put those policies and procedures into
operation and are judged on cost and delivery.
For example, a company's IT department may decide to outsource the management of its
online Service Desk to an external service provider, but without entering into an
underpinning contract with the provider or verifying the provider's security controls. As
a result, the information of customers logging issues in the Service Desk is at risk of
compromise. While the IT department was trying to cut costs by outsourcing, it ignored
the security requirements emphasized by the security function because they were not part
of IT operations.
In some organizations, the role of information security manager could be held part-time
by middle managers who have security responsibilities in addition to their main
responsibilities. This is another example of a reporting structure that follows a bottom-up
management approach and is not considered optimal.
In this structure, the middle manager reports to one of the senior managers in the
organization. Because information security is not the main responsibility of either the
middle or the senior manager, it may not be taken seriously. Senior managers may focus on
reducing operational costs and regard information security as a hindrance to their
activities.
For example, the CTO, also known as chief technology officer, primarily focuses on
implementation and use of technology in business operations and may find that security
issues are interfering with the implementation of technology. So if the information
security manager role is held by the operations manager reporting to the CTO, the
reporting structure is considered suboptimal.
For these reasons, a bottom-up management approach to information security activities is
less likely to succeed.
Without senior management support, the information security programs are likely to fail.
So, the information security manager must convince senior management about the
benefits of information security. To obtain a desirable level of information security in the
organization, senior management should be committed to performing the following
activities:
Considering information security a critical factor for meeting business goals and
developing a security environment that meets those business goals.
Identifying risks to information security and implementing appropriate controls.
Obtaining the confidence of customers, stakeholders, and other third parties in the
information security structure of the organization.
Ensuring that all stakeholders, including employees and senior management, are
accountable for managing information security.
Overseeing effective implementation of corporate governance to meet industry
standards.
Taking responsibility for effective implementation of information security.
Senior management can establish a commitment to information security initiatives by:
Conducting a periodic review of information security programs.
Getting involved in the design and development of high level information security
policies.
Controlling and supervising information security at a high level.
Specifying information security governance metrics and monitoring policies.
Assigning the required resources for information security.
6.1.2. Quizz - Optimal reporting relationship 1
Which reporting structure between the information security manager and senior management depicts an
optimal reporting relationship structure?
In the first structure, information security manager reports to the CEO. In the second structure,
information security manager reports to the CTO, who reports to the CEO. In the third structure,
information security manager reports to the IT manager, who reports to the CIO, and the CIO reports to
the CEO.
Options:
1. Information security manager reporting to the CEO.
2. Information security manager reporting to the CTO, who reports to the CEO.
3. Information security manager reporting to the IT manager, who reports to the CIO, and the CIO reports to the
CEO.
Answer (see Endnotes) xxi
To successfully implement information security in the organization, you first create a
security program. The aim of the security program is to inform senior management
about security objectives, schedules, estimated funds, resource requirements, and any
specific deliverables.
However, the program may face resistance from senior management because of a lack
of understanding of security issues or apprehensions about costs incurred and benefits
accrued.
To gain senior management commitment to the security program, you need to educate them
about the benefits of information security. Build a business case that covers the critical
aspects of the business and present it to them formally, covering the critical aspects of
information security and how security underpins continued operations.
Involve senior management from the beginning of the security program and explain how it
affects every department and business process in the organization. Ask management to
allocate sufficient funds for the program; this will only happen if management understands
the security plan and sees the information security manager as an ally.
To promote the acceptance of the formal presentation by senior management, you
should:
Align the security and business objectives to help senior management use the security
standards, policies, and procedures effectively in their work.
Determine the possible effects if some of the defined security objectives and regulatory
conformances fail.
Describe the overhead involved in the security program to help senior management
assess its expenses.
Use financial or risk-and-benefit models, such as total cost of ownership and return on
investment, to assess the benefits and costs of the security program.
Identify monitoring and auditing tools to measure the effectiveness of the security
program.
In addition to senior management, you need to convince employees about the benefits
of information security. This is necessary to ensure effective information security
management.
Senior management should set an example by following all security practices themselves,
which encourages employees to do the same. For example, if an organization uses biometric
verification of employee identity, senior management should go through the same process
rather than being exempted from it.
As an information security manager, you can conduct training programs and spread
awareness about the benefits of information security by sending regular e-mails to
employees. You can also make security activities a part of their work and involve them
in the active implementation of information security.
6.1.3. Quizz - Optimal reporting relationship 2
As an information security manager, which points should you follow to promote the acceptance of the
formal presentation by senior management?
Options:
1. Align the security and business objectives.
2. Specify the tools for calculating the expenses of the security program.
3. Identify the possible effects of failure of the defined security objectives.
4. Use financial or risk and benefit models.
5. Discuss measures to reduce the overhead involved in the security program.
Answer (see Endnotes) xxii
6.1.4. Communication and reporting channels
As an information security manager, you're responsible for ensuring that all
stakeholders, including senior management and employees, are aware of the existing
information security governance structure. You should also ensure that senior
management is provided with all information necessary for maintaining information
security in the organization. To do this, it is essential that you have a well-organized
reporting and communication channel in the organization.
A proper reporting and communication channel ensures that all stakeholders receive
necessary information. This information helps the stakeholders present their views on
the information security structure and improve the existing structure.
You can achieve a well-organized communication channel by creating a formal reporting
procedure and providing periodic reports to senior management on the performance of
information security management. These reports should correspond to formal
presentations that were used to obtain support and commitment from senior
management for the security program.
The periodic reports can include:
A comparison between pre-implementation and post-implementation results of the
business impact analysis.
The need to renew security plans and approve related expenses.
The current state of enforcement of security systems under the approved security program.
An analysis of performance data along with independent audit reports.
A list of possible security vulnerabilities and the threats associated with them.
Details of periodic activities that ensure alignment of security objectives with business
processes, goals, and environment.
Data on security threats that have been identified and prevented, to demonstrate the
value of the security program.
Apart from formal reporting, regular reporting of information security is critical for the
smooth working of security programs. However, this reporting need not be very formal.
This reporting can be done to groups that deal with specific security-related issues in the
organization. The groups are:
Business process owners:
You should conduct regular meetings with business process owners to retain their
support in implementing the information security system. During this meeting, you can
discuss various issues, such as implementation of unique security systems for each
process. Also, business process owners should attend operational review meetings to
learn about the requirements and disputes related to the day-to-day operations.
Senior management:
It's good to meet senior management periodically to understand their perspective of
business goals. During this meeting, you can discuss the financial aspects of the
security program. Additionally, you can attend business meetings with senior
management to learn about proposed business plans and objectives. Suppose you've
implemented a physical access control system. You can provide periodic reports to
senior management on the effectiveness of the system.
Employees:
To help employees practice security in their routine tasks, you organize adequate
training programs for them. For instance, if your organization adopts a new security
standard, you can conduct a training program to inform employees about it. If a security
policy or plan is updated, employees must be notified. To get proper feedback on
employees practicing security, you assign information security governance coordinators
for each operational unit.
Department heads, supervisors, and line managers:
It is important to develop awareness about security requirements and policy compliance
among the department heads, supervisors, and line managers who are delegated risk
management or security functions. You should help them understand their security
responsibilities to minimize conflicts in the event of failure of a risk management or
security function.
6.1.5. Quizz - Communication and reporting channels
You are the information security manager in an organization, and you informally report to specific groups
in the organization about information security. Match examples of reports about information security with
the relevant groups within the organization.
Options:
A. Reporting about training and education programs that help practice security in daily tasks.
B. Report on new security systems implemented for specific processes.
C. Reporting about the financial aspects of the security program.
D. Reporting security responsibilities of project managers.
Targets:
1. Senior management.
2. Business process owners.
3. Employees.
4. Line managers.
42.
Information Security Governance:Concepts, Security Management and Metrics
______________________________________________________________________________
Study Notes www.SlideShare.net/OxfordCambridge Page 42 of 100
Answer (see Endnotes) xxiii
6.1.6. Summary
To secure sensitive data and IT systems, every organization needs an information
security manager. Different organizations can have different titles for this role – CSO,
CISO, or information security manager. To have a successful security program in the
organization, you need to ensure that senior management is committed to the program.
To obtain senior management support, you can create a formal presentation covering
important aspects of information security. You can also use business cases to ensure
better understanding of information security. Additionally, you should ensure that
employees also support the security program.
After obtaining senior management commitment, you should provide periodic reports to
senior management about the current state of the information security program. To
ensure that all stakeholders are aware of information security programs, you should
create formal and informal information reporting structures for specific groups, including
senior management, employees, process owners, and other management.
6.2. Information Security Convergence
After going through this topic, you should be able to:
Identify the goal of converging security-related functions.
6.2.1. Converging security-related functions
It is common in organizations that different security-related activities fall under different
types of security functions. For example, information security and physical security are
distinct security functions in an organization. When you combine these security functions
under a common head, the process is called security convergence.
Security convergence is the integration of the organization's assurance processes, such
as change management, risk management, human resources, audits, and compliance,
so that security is not segmented across various functions.
The main objective of security convergence is to reduce the gaps that result from the
segmentation of various security-related functions in an organization. These gaps arise
because the security functions are generally interdependent. For example, information
security is generally affected by the physical aspects or physical security of the
organization.
Suppose an organization has strong physical access controls, such as a biometric system
and guards, that don't let an intruder enter the building. This physical security measure
prevents unauthorized access to the building and so safeguards the organization's critical
data. Conversely, a breach in physical security may adversely affect information security.
But with advanced technologies, critical data can also be accessed remotely. So
physical security alone is not enough to secure information. Strong information security
also needs to be implemented to secure critical data or applications in the organization.
Although physical security and information security are interdependent, they do not have
common goals. Physical security functions may focus on authorizing physical access to
an organization, whereas information security functions may focus on securing network
or information data.
If information and physical security work in isolation, security gaps are bound to arise.
For example, proper physical security measures may be taken for authorized physical
access to the building, but measures to prevent unauthorized remote access are not
taken. In this case, critical business data is still at stake. To avoid these gaps, physical
and information security need to work in close coordination. To ensure coordination
between all security functions, including physical and information security, you need to
implement security convergence.
Security convergence prevents any security overlaps across different functions. This
reduces the number of security functions, making it easier to follow and manage and
providing a streamlined security process. Security convergence also ensures well-
defined roles and responsibilities to reduce issues such as ineffective communication
and duplication of work.
Additionally, security convergence takes care of all assurance functions while
implementing a security strategy. This helps evaluate all phases of the business
process, irrespective of the assurance process used, and minimizes the gaps that result
from segmented security functions. It also aligns the security objectives to business
goals.
Three organizations strongly support convergence – ASIS, the Information Systems
Security Association (also known as ISSA), and ISACA. These organizations have
established the Alliance for Enterprise Security Risk Management (AESRM) to encourage
security professionals to converge security functions within their own organizations.
Security professionals merge security functions because several issues exist when
security is fragmented in the organization. These include:
Focusing on specific risks associated with a particular area and ignoring the
interdependency of risks in the organization.
Sub-optimizing the cost required to deal with the risks in the organization.
Using different assurance processes and terminology in different reporting structures
in the organization.
Introducing security gaps while aligning business goals with segmented security
functions.
Another reason to implement security convergence is the influence of several factors on
the operations of any organization. The following factors demonstrate the importance of
adopting security convergence:
Growing technologies are obscuring the boundaries between information and physical
security functions.
Organizations are expanding at a fast pace, which makes them complex.
New compliance and regulatory authorities are introducing complex compliance and
security guidelines.
A risk-based approach is required to maximize resource utilization and minimize
security risks.
An increase in information-based and intangible assets requires security
convergence.
There is a considerable amount of overlap between information security and physical
security in emerging technologies. For example, a biometric system used as an access
control device requires both information and physical security. This is because it is a
physical device that demands physical security and it is used to validate user ID or voice
and so requires information security. Because it is critical to ensure that the biometric
device as well as the biometric information is secure, it makes sense to combine the two
security functions instead of keeping them separate.
Also, because of this overlap, the functional boundaries between the information and
physical security functions become less distinct, which calls for security convergence.
Convergence provides a wider view of vulnerabilities and their management, and it enables
you to prioritize risks at the organizational level so that funds can be allocated to high
priority risks.
With new technologies and practices, organizations are expanding at a fast pace and
are involving increased numbers of third-party stakeholders. For example, IT
organizations use external service providers to perform functions such as providing
subject matter expertise. To profit from outsourcing, you need to deal with the security
implications that result from outsourcing specific functions.
This requires adding another organizational layer to the organization chart, which makes
it relatively complex. When third-party stakeholders are involved, information sharing is
needed, and implementing security convergence helps coordinate actions to manage
risks.
Organizations today deal with several security threats. These threats lead to
complicated business transactions. When the complexity of business transactions
increases, it becomes difficult to keep to defined regulatory and compliance guidelines,
because they may not address new threats. For example, an existing security structure
may cover guidelines for identifying risks, but may not cover guidelines to prevent these
risks. So it is important to have just the right focus on all regulatory and compliance
guidelines so that they address all existing and emerging security issues. This is
possible if security managers view and assess the organizational risks at a global level.
This demands security convergence.
With complex organizational charts and business transactions, it is difficult to maximize
security resources and minimize associated risks. To achieve effective allocation of
security resources, you need to follow a risk-based approach with a transparent security
strategy. With this approach, you can use the security strategy to clearly specify the
risks that need to be focused upon. Using security convergence with this risk-based
approach, senior management can budget for most critical risks that reduce the overall
cost of implementing security and increase the efficiency of security resources.
Compared to physical assets, information-based assets and intangible assets are
increasing rapidly in almost all organizations these days. Even physical assets, such as
DVDs, USB sticks, smartphones, and computers, store a lot of business information. This
requires information security to be an integral part of physical security, and so the two
security functions need to be merged. Merging these functions provides a broader view
of security that makes it easier to prioritize and minimize risks.
If, instead of using security convergence, you follow a fragmented approach to security,
then the possible security incidents can increase financial risk, reputation risk, and risk
to public good.
For example, even if a bank has strong IS security functions in place, unauthorized
users can easily attempt a theft if physical security is weak. Such users can enter the
organization in the absence of a security guard and install devices on a computer to
access critical business information. This can be prevented if physical security is
integrated with IS security, so that any breach in security can immediately be
communicated to the relevant authorities.
So you should follow a holistic approach to security instead of the fragmented approach.
The holistic approach focuses on factors such as organizational structure, processes,
and cultures in addition to assets. This requires a management change that gives
people the authority to prevent possible risks.
Security convergence is not only focused on integrating the processes in an
organization, but also aligns security activities with business goals to deliver shareholder
value.
An effective approach to security convergence should bring together people, technology,
and processes in the organization. This makes the business secure and enables the
organization to deal with any security incidents by quickly detecting, responding, and
recovering from them. This way, it becomes an evolving and ongoing way of doing
business for everyone in the organization.
6.2.2. Quiz - Converging security-related functions
Identify the goals of security convergence.
Options:
1. To prevent any security overlaps across different functions.
2. To segment security across various functions.
3. To integrate the organization's assurance processes.
4. To focus on the specific risks associated with physical security.
Answer (see Endnotes) xxiv
6.2.3. Summary
Security convergence helps you bridge the gaps resulting from the segmentation of
security-related functions. This is achieved by integrating different assurance processes
in the organization. Security convergence also prevents security overlaps across
different functions, ensures well-defined roles and responsibilities, and takes care of all
assurance functions while implementing a security strategy. Additionally, it aligns the
security activities with business goals to deliver shareholder value.
Without security convergence, an organization may ignore the interdependency of risks,
sub-optimize the cost of dealing with risks, and allow the use of inconsistent language
and terminology across different reporting structures.
Several factors have necessitated the adoption of security convergence. For example,
technological development is obscuring the boundaries between information and
physical security functions. Also, rapid expansion of organizations is creating complex
structures that require convergence of all security functions. Security convergence is
also necessary because of new business threats, the need to create a systematic
approach to minimize risks and maximize resource utilization, and an increase in
information-based assets.
6.3. Information Security Governance Metrics
After going through this topic, you should be able to:
Identify categories of key goal indicators.
6.3.1. Key Goal Indicators
Metrics refer to standard measures that help evaluate the performance of a specific
attribute based on a reference point. This reference point indicates the desired outcome
of an activity.
For effective information security governance in an organization, it is good to have
security metrics that can measure the performance of security activities.
The main purpose of any metric is to support the decision-making process. Effective
security metrics should provide information specific to the roles and responsibilities of
security functions so that senior management can use them while making decisions.
Security metrics also determine the extent to which information is secure in an
organization. They help you assess if you need to make any changes or improvements
in the existing security strategy or the security program to achieve desired outcomes.
Presenting appropriate metrics not only helps you gain senior management support, but
also enables you to obtain sufficient budget and resources to support your security
program.
Criteria are needed to determine whether a metric is appropriate for a task. Criteria are
used to make sure metrics are:
Meaningful – Recipients will understand the metric.
Accurate – A suitable degree of accuracy must be used.
Cost-Effective – The cost of collecting a metric should not outweigh the value of what it measures.
Repeatable – Metrics should be reusable to attain reliable results.
Predictive – The measurements attained should reveal usable outcomes.
Actionable – Outcomes of the metric should provide clear actions for resolution.
Genuine – The measurements must not be fixed and must be free of manipulation.
6.3.2. Quiz - Key Goal Indicators 1
Which is the definition of a metric?
Options:
1. A term that denotes protection from risks.
2. A measure based on a reference point.
3. A measure for the roles and responsibilities of senior management.
4. A best practice to establish information security governance.
Answer (see Endnotes) xxv
In most organizations, the management focuses on gathering technical metrics, such as
the number of antivirus programs, type of firewalls used, capacity of data storage
systems, types of system access control, and number of users accessing a server.
These metrics provide information on the IT security infrastructure but don't help in the
overall management of the information security program. Technical metrics can help in
resolving day-to-day operational issues related to the use of security infrastructure, but
don't provide any information on how well information security risks are managed.
Additionally, technical metrics fail to address key information security objectives, such as
the extent of security required to meet business goals and the cost effectiveness of
current security programs. These metrics don't provide information on the degree of
risks facing information assets, the impact of security on productivity, or the types of
security policies required to mitigate risks to acceptable levels.
While technical metrics focus on the operational aspects of the IT infrastructure, security
metrics provide valuable information about security aspects. These include metrics such
as the number of security breaches, incidents logged, vulnerabilities detected during
virus scans, downtime due to server failure or virus attacks, and recovery period. While
these metrics may indicate the effectiveness of security infrastructure to some extent,
they don't provide any information to help management make decisions on
strengthening information security.
Some organizations also conduct regular audits and comprehensive risk assessment
programs to identify gaps in information security. While these measures can help in
assessing the existing information security infrastructure, they alone can't help
management make security decisions.
Although it may not be possible to ensure absolute information security, you can get
valuable information about security measures by using other metrics. These metrics
help estimate security in terms of effects and outcomes, probabilities, and attributes:
Return on security investment, also known as ROSI:
ROSI is a financial measure for information security. It helps minimize financial losses
and maximize returns by investing in security, such as using a security control. Using
ROSI, you can assess the expenses of and profits from implementing a security
program and justify the investments in the security program.
Value at risk, referred to as VAR:
VAR is a method used to calculate the maximum loss possible in a specific period due
to a security gap. The loss, or information security risk, calculated using VAR is stated
at a confidence level of 95 percent or 99 percent. Sometimes, the value of risk calculated
using VAR exceeds the acceptable level of risk. This is an indication that the organization
needs to invest more in information security.
Annual loss expectancy, or ALE:
To determine the annual financial loss expected from a specific security threat, you
calculate ALE. ALE represents the financial value required to prevent a specific threat.
You calculate ALE by multiplying the annual probability of the security threat by the
financial loss expected from a single occurrence of that threat.
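The ALE rule above (annual probability of the threat multiplied by the loss per event) and the ROSI comparison of control cost against avoided loss, worked through in code. This is an added example and not part of the study notes; the threats, controls, figures and risk appetite are constructed, and the ROSI formula used is the commonly cited one, which the notes describe only in words.

```python
"""Worked ALE and ROSI calculation for constructed threat scenarios.

Added example, not from the study notes. The threats, controls, figures
and the risk appetite below are assumed values for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float  # annual rate of occurrence: expected events per year
    sle: float  # single loss expectancy: financial loss from one event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # yearly cost of operating the control
    mitigation: float   # fraction of the threat's expected loss it removes (0..1)


def ale(threat: Threat) -> float:
    """ALE = annual probability (rate) of the threat x loss per event."""
    return threat.aro * threat.sle


def residual_ale(threat: Threat, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return ale(threat) * (1.0 - control.mitigation)


def rosi(threat: Threat, control: Control) -> float:
    """ROSI = (loss avoided by the control - control cost) / control cost.

    This is the commonly used formulation; the study notes describe ROSI
    only in words, so the exact formula is an assumption of this example.
    """
    avoided = ale(threat) - residual_ale(threat, control)
    return (avoided - control.annual_cost) / control.annual_cost


def evaluate(threat: Threat, control: Control, risk_appetite: float) -> dict:
    """Summarise whether a control pays for itself and whether the residual
    loss stays within the acceptable annual loss (the risk appetite)."""
    residual = residual_ale(threat, control)
    return_on_investment = rosi(threat, control)
    return {
        "threat": threat.name,
        "control": control.name,
        "ale": ale(threat),
        "residual_ale": residual,
        "rosi": return_on_investment,
        "pays_for_itself": return_on_investment > 0,
        "within_appetite": residual <= risk_appetite,
    }


# Constructed scenarios (illustrative numbers only).
RANSOMWARE = Threat("ransomware on file server", aro=0.2, sle=250_000.0)
BACKUPS = Control("offline backups and endpoint protection",
                  annual_cost=15_000.0, mitigation=0.8)

LAPTOP_THEFT = Threat("stolen unencrypted laptop", aro=2.0, sle=5_000.0)
DISK_ENCRYPTION = Control("full-disk encryption rollout",
                          annual_cost=12_000.0, mitigation=0.9)

RISK_APPETITE = 10_000.0  # assumed acceptable annual loss per threat

if __name__ == "__main__":
    for t, c in ((RANSOMWARE, BACKUPS), (LAPTOP_THEFT, DISK_ENCRYPTION)):
        r = evaluate(t, c, RISK_APPETITE)
        print(f"{r['threat']}: ALE {r['ale']:,.0f}, residual {r['residual_ale']:,.0f}, "
              f"ROSI {r['rosi']:.2f}, pays for itself: {r['pays_for_itself']}, "
              f"within appetite: {r['within_appetite']}")
```

The second scenario is deliberately one where the control's ROSI is negative by this arithmetic while it still brings the residual loss within the assumed appetite; that is the kind of case where the notes' point applies that a metric supports a decision rather than makes it, and the business requirement (or a regulatory one) decides.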
Although so many security metrics and activities are available, none of these metrics or
activities provides any detailed information about the management of risks, alignment of
security objectives with business objectives, or progress of the security program. Neither
do they provide enough information that can be used to make concrete security
decisions in the organization or determine exactly how secure the organization is. This
generates the need for effective information security governance metrics.
Effective information security governance metrics use technical data to measure how
close the information security governance program is to its defined objectives. The main
components of information security governance metrics are high-level senior
management support, measurable performance metrics, security policies and
procedures with commitment from the enforcing authority, and result-oriented metrics
analysis.
The two most useful types of metric are key goal indicators, also known as KGIs, and
key performance indicators, also known as KPIs. KGIs specify what is to be achieved or
the desired outcome, and KPIs provide the measure of performance. The KGIs and
KPIs help figure out if the defined objectives are met. They can also provide information
about achieving process and service goals.
Some examples of performance indicators include a minimal number of unexpected
security events, the existence of ways to track emerging risks, knowledge of the threats
that are likely to occur, and the ability to determine the efficiency of controls.
Whether initiatives and projects attain their specific goals and conform to their time
projections and budget estimates can also be used to measure if governance goals are
being met.
There are several KGIs that act as reference points and help you assess the
effectiveness of your information security strategy:
Alignment of security and business objectives.
Risk management.
Resource management.
An organization's business goals are key reference points for measuring the cost
effectiveness of information security activities. To validate the alignment of security
activities with business goals, you need to develop a security strategy that uses
business language to define security objectives. These security objectives should cover
all phases from planning to implementation of processes, procedures, policies,
standards, and technology.
To check if the strategy is effective, you should work backwards through all security
controls involved in it, ensuring that each control meets a business requirement. Any
control that does not map to a business requirement should be reviewed to determine
whether it is essential; if it is not, it may need to be removed from the security strategy.
Suppose a bank's security objective is to prevent fraud. This objective directly aligns to
the bank's business objective of protecting client interests and investments.
When security activities are aligned with business goals, it helps deliver value to
business by optimizing the cost of security and using controls that meet acceptable risk
levels. The value delivery indicates the cost effectiveness of security activities that are
closely tied to business goals.
Key indicators of alignment of security activities with business goals are:
Security programs that assist specific business units.
Risk management levels sufficient to not hinder business activities.
Business owner surveys that are the basis for the security organization mandate.
Executive Management validation of security program mappings to business
objectives.
Awareness testing of the understanding of all members involved with both security and
organizational objectives.
A security steering committee comprised of the key executives to ensure continual
alignment of security activities and business goals.
Another key goal indicator of security metrics is risk management. Risk management is
the process that manages and minimizes risks in an organization with the intent of
achieving defined business goals. It is a part of information security governance.
When implementing a risk management program, it may not be possible to measure its
strength. However, you can find out if the program is proceeding as expected and
resources are allocated appropriately by setting the objectives and expectations from
the risk management program. If the program achieves the defined objectives
consistently, it is considered successful. A successful risk management program
provides measures to reduce the harmful effects of security incidents on the
organization to a level acceptable for business goals.
Consider that your risk management objective is to minimize the impact of computer
security incidents in your organization. To do so, you implement several security
measures, such as installation of antivirus programs and assigning unique IDs to each
user. If you find that the number of computer security incidents is reduced to defined
levels, the established security measures are considered effective and meet the risk
management objectives.
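The KGI/KPI distinction described above, and the incident-count example just given, can be made concrete by deriving KPIs from raw incident records and comparing them with KGI targets. The following is an added example, not part of the study notes; the incident log, the two KGI targets and the field names are constructed for illustration.

```python
"""Deriving governance KPIs from raw incident data and checking them against
KGI targets.

Added example, not from the study notes. The incident records, the KGI
targets and the field names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed incident log, one incident per line (not real data):
# detected_at,resolved_at,category   (ISO 8601 timestamps)
SAMPLE_INCIDENTS = """\
2024-01-03T08:00,2024-01-03T20:00,malware
2024-01-09T11:30,2024-01-10T09:30,phishing
2024-01-15T14:00,2024-01-15T18:00,lost-device
2024-01-22T09:00,2024-01-23T09:00,malware
2024-01-30T16:00,2024-01-30T22:00,phishing
2024-02-05T10:00,2024-02-05T16:00,malware
2024-02-14T13:00,2024-02-14T19:00,phishing
2024-02-27T09:00,2024-02-27T12:00,lost-device
2024-03-06T10:00,2024-03-06T13:00,phishing
2024-03-20T15:00,2024-03-20T19:00,malware
"""

# KGIs: the desired outcomes, expressed as upper bounds on each KPI (assumed).
KGI_TARGETS = {
    "incident_count": 3,         # at most 3 incidents per month
    "mean_recovery_hours": 8.0,  # recover within 8 hours on average
}


def parse_incidents(text: str) -> list[dict]:
    """Parse the log into records with datetime fields; blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        detected, resolved, category = line.split(",")
        incidents.append({
            "detected": datetime.fromisoformat(detected),
            "resolved": datetime.fromisoformat(resolved),
            "category": category,
        })
    return incidents


def monthly_kpis(incidents: list[dict]) -> dict[str, dict]:
    """KPIs per month: number of incidents and mean hours from detection to recovery."""
    by_month = defaultdict(list)
    for inc in incidents:
        by_month[inc["detected"].strftime("%Y-%m")].append(inc)
    kpis = {}
    for month in sorted(by_month):
        rows = by_month[month]
        hours = [(r["resolved"] - r["detected"]).total_seconds() / 3600 for r in rows]
        kpis[month] = {"incident_count": len(rows), "mean_recovery_hours": mean(hours)}
    return kpis


def kgi_status(kpis: dict[str, dict], targets: dict = KGI_TARGETS) -> dict:
    """For each KGI, report the latest month's KPI value, whether the target is
    met, and whether the KPI has improved since the first month in the data."""
    months = sorted(kpis)
    first, latest = kpis[months[0]], kpis[months[-1]]
    status = {}
    for name, target in targets.items():
        status[name] = {
            "value": latest[name],
            "target": target,
            "met": latest[name] <= target,
            "improving": latest[name] < first[name],
        }
    return status


if __name__ == "__main__":
    kpis = monthly_kpis(parse_incidents(SAMPLE_INCIDENTS))
    for month, values in kpis.items():
        print(month, values)
    for name, s in kgi_status(kpis).items():
        print(f"{name}: {s['value']:.1f} (target {s['target']}) "
              f"met={s['met']} improving={s['improving']}")
```

The KGI is the target column (what is to be achieved); the KPI is the measured value per month. Reporting both, with the trend, gives senior management the actionable and repeatable measure the criteria above ask for, rather than the raw technical counts the notes warn do not support decisions on their own.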
You can assess the effectiveness of a risk management program by using the following
risk management indicators:
Risk management objectives that are defined to minimize potential risks.
Processes that are defined to reduce the impact of security incidents over time.
Business Impact Assessments of all systems that are vital for achieving business
goals.
Security programs that are established to achieve acceptable risk levels.
In addition to managing risks, you need to manage information security resources,
including people, processes, and technologies, for effective information security. The
purpose of resource management is to minimize costs and maximize efficient utilization
of resources. Using inconsistent controls and poorly defined processes increases
administrative and training costs and indicates inefficient resource management. You
should develop security metrics that are aligned to resource management objectives.
Effective resource management in an organization is indicated by:
Absence of frequent problem rediscovery.
Distinct assignment of information security functions to appropriate roles and
responsibilities.
Use of security resources to safeguard information assets from threats.
Use of standardized processes to reduce cost.
Integration of information security functions into every project plan.
6.3.3. Quiz - Key Goal Indicators 2
You are the information security manager in an organization, and you want to define the KPIs and KGIs
before implementing a security program. Match the various KPIs with the corresponding categories of
KGIs.
Options:
A. Security programs mapped to organizational goals.
B. Use of standardized processes.
C. Business Impact Assessments of all vital systems.
Targets:
1. Risk management.
2. Resource management.
3. Alignment of security activities and business objectives.
Answer (see Endnotes) xxvi
6.3.4. Summary
Security metrics are a means of measuring security or risks based on the desired
outcomes of the security program. A good metric is specific, measurable, and attainable.
Effective security metrics provide information specific to roles and responsibilities, so
that senior management can use it for decision making.
Generally, measures like security metrics, technical metrics, vulnerability scans, and
audit and risk assessment activities help you understand how secure the organization is.
Additionally, you can use metrics like ROSI, VAR, and ALE to measure various security
aspects. However, none of these metrics provides enough information to make concrete
security decisions. This generates the need for effective information security governance
metrics that use technical data to measure how close the information security
governance program is to the defined objectives.
The best information security governance metrics include KGIs and KPIs. KGIs specify
what is to be achieved or the desired outcome and KPIs provide the measure of
performance.
6.4. Practicing Information Security Responsibilities
After going through this topic, you should be able to:
Recognize key concepts related to information security management.
6.4.1. Exercise overview
In this topic, you'll learn to recognize key concepts related to information security
management. This involves recognizing the optimal reporting relationships, identifying
key security metrics, and converging security-related functions.
6.4.2. Achieving effective information security
You are an information security manager in an organization and want to have effective
information security in the organization. For this, you want to implement the best
reporting structure, develop metrics to assess the effectiveness of information security
strategy, and converge security-related functions in the organization.
6.4.3. Quiz - Achieving effective information security 1
The senior management in your organization is headed by a president. The IT managers, senior project
managers, chief technology officer, and other functional managers report to the president. You want to
establish a reporting structure that helps you avoid any conflict of interest and achieve effective
information security.
Select the position description for your role that indicates the best reporting structure.
Options:
1. Information security manager reporting to the IT manager.
2. Information security manager reporting directly to the president.
3. Information security manager reporting to a senior project manager.
4. Information security manager reporting to the chief technology officer.
Answer (see Endnotes) xxvii
6.4.4. Quiz - Achieving effective information security 2
Your organization provides online banking services to its customers and its goal is to protect customers'
account information and provide safe transaction modes. You want to implement an information security
strategy in the organization, and for that you want to use several metrics to assess the effectiveness of
your information security strategy.
Match each category of metrics to its examples.
Options:
A. Alignment of security and business goals.
B. Risk management.
C. Resource management.
Targets:
1. Conduct regular Business Impact Assessments of the failure of servers that support online transactions.
2. Create a standardized process for safe online transactions.
3. Establish strong encryption programs for online transactions.
Answer (see Endnotes) xxviii
6.4.5. Quiz - Achieving effective information security 3
You also want to converge security-related functions in the organization to bridge the gaps that result from
segmenting these functions.
What are the keys to effective information security convergence?
Options:
1. Aligns security activities with business goals.
2. Brings together people, technology, and processes in the organization.
3. Helps you to create different reporting structures for each information security activity.
4. Confines the view of security for easy management of risks.
Answer (see Endnotes) xxix
7. Principles of Effective Information Security Governance
After going through this topic, you should be able to:
Know about the twelve principles of effective information security governance.
Figure: Information security business model.
The Corporate Governance Task Force of the National Security Partnership, a U.S.
entity, has created twelve principles for implementing effective information security
governance. These core principles reflect the elements and interconnections of the
information security business model.
The principles are as follows:
1. Organizations must ensure that employees consider information security to be an important part of the
system life cycle.
2. As a risk management function, organizations must assess risks to information assets at regular intervals.
3. For protecting information assets, organizations must implement policies and processes based on the
assessment of risks.
4. To ensure proper protection of networks, facilities, systems, and information, organizations must create
plans and initiate appropriate actions.
5. Chief executive officers, or CEOs, must assess information security once a year, study the results with
their employees, and submit the performance report to the board of directors.
6. In order to clearly define the roles, responsibilities, authority, and accountability of employees for
information security, organizations must set up a security management structure.
7. Organizations must devise and implement plans for managing any gaps in information security.
8. Organizations must assess the efficiency of the information security policies and processes on a regular
basis.
9. To assess the performance of information security, organizations must use security best practices
guidance, such as ISO 17799.
10. Organizations must ensure that employees completely understand information security by providing them
proper training.
11. To ensure continuity of operations, organizations must develop plans, processes, and tests.
12. Organizations must create and execute incident response procedures.
8. Tasks and Knowledge Statements
After going through this topic, you should be able to:
Know the map of tasks and knowledge statements in information security governance and the
key concepts in each knowledge statement.
To develop an effective information security governance structure, you must be aware of
the key tasks in it and the knowledge statements associated with each task.
8.1. Key Tasks and Knowledge Statements
Task statement: Establish and maintain an information security strategy that aligns with organizational goals
and objectives. This will guide the creation and continued management of the information security program.
Knowledge statements:
- Know the methods that will help develop an information security strategy.
- Be aware of the relationship between information security and business goals, objectives, functions, and
practices.

Task statement: Establish and maintain an information security governance framework. This will help direct
activities that are essential for the implementation of the information security strategy.
Knowledge statements:
- Be aware of the relationship between information security and business goals, objectives, functions, and
practices.
- Know the methods that will help implement an information security governance framework.
- Know the basic concepts of governance and their relationship to information security.
- Be aware of internationally recognized information security governance and strategy development
standards, frameworks, and best practices.

Task statement: Integrate information security governance into corporate governance. This helps ensure that
the information security program supports organizational goals and objectives.
Knowledge statements:
- Be aware of the relationship between information security and business goals, objectives, functions, and
practices.
- Know the basic concepts of governance and their relationship to information security.
- Know how to integrate information security governance and corporate governance.
- Be aware of internationally recognized information security governance and strategy development
standards, frameworks, and best practices.

Task statement: Ensure all information security policies reflect management's directives and align to
standards, procedures, and guidelines.
Knowledge statements:
- Be aware of the relationship between information security and business goals, objectives, functions, and
practices.
- Know how to develop information security policies.

Task statement: Develop business cases that secure financial backing for information security.
Knowledge statements:
- Understand the methods that are used to develop business cases.
- Know the methods used to plan and report on a strategic budget.

Task statement: Identify internal and external influences to the organization to ensure that the information
security strategy addresses them.
Knowledge statements:
- Be aware of internationally recognized information security governance and strategy development
standards, frameworks, and best practices.
- Understand that technology, the business environment, risk tolerance, geographic location, and legal and
regulatory requirements, amongst others, are internal and external influences that may impact the
organization's information security strategy.

Task statement: Get the commitment from senior management and other stakeholders. This will increase the
likelihood that the information security strategy is implemented successfully.
Knowledge statements:
- Know how to get senior management and other stakeholders to commit and support information security.

Task statement: Define the roles and responsibilities of information security throughout the organization and
ensure everyone is aware of their own, and others', accountabilities and lines of authority.
Knowledge statements:
- Be aware of the roles and responsibilities of information security management.
- Understand the organization's organizational structures and lines of authority.

Task statement: Establish, monitor, evaluate, and report metrics. Metrics provide management with the
information they need to determine the effectiveness of the information security strategy.
Knowledge statements:
- Understand the methods used to create new – or use existing – reporting and communication channels
within an organization.
- Know how to select, implement, and interpret metrics such as key goal indicators (KGIs), key performance
indicators (KPIs), and key risk indicators (KRIs).
8.2. Key Concepts of Knowledge Statements
Knowledge statement: Know the methods that will help develop an information security strategy.
Key concepts:
- Drivers for strategy, such as threats, exposures, risk, and impacts
- Organizational objectives that determine the requirements for a security strategy
- Relationships between strategic elements
- Strategy and information security road map
- Strategy as the basis for policy that relates closely to control objectives
- Strategy resources and constraints
- The rationale for strategy development
- The relationship to objectives, which is the basis for strategy development

Knowledge statement: Be aware of the relationship between information security and business goals,
objectives, functions, and practices.
Key concepts:
- Methods that determine acceptable risk
- Methods that help convert organizational objectives to security policies
- Methods to determine the effectiveness of information security governance
- Organizational benefits due to information security
- Risk mitigation strategies
- The link between organizational objectives and security strategy requirements
- The link between security strategy and control objectives
- The link between security strategy and organizational functions
- The relationship between information security governance and enterprise governance

Knowledge statement: Know the methods that will help implement an information security governance
framework.
Key concepts:
- Effective governance criteria
- The governance structure development process
- The implementation of governance
- The link between governance and organizational objectives
- The link between governance, strategy, and controls
- The link between information security governance and enterprise governance
- The purpose of governance

Knowledge statement: Know the basic concepts of governance and their relationship to information security.
Key concepts:
- Methods that determine acceptable risk
- Methods that determine the effectiveness of information security governance
- Organizational benefits due to information security
- Risk mitigation strategies
- The link between information security and the organization's objectives
- The link between information security governance and enterprise governance
- The link between information security program objectives and organizational objectives
- The link between security strategy and organizational functions
- The link between security strategy and control objectives
- The outcomes of information security that support organizational objectives

Knowledge statement: Be aware of internationally recognized information security governance and strategy
development standards, frameworks, and best practices.
Key concepts:
- The purpose of a standard
- How and when standards are used
- Common attributes of international standards
- The link between governance, ISO standards, and COBIT
- The link between information security governance and enterprise governance
- The link between governance and organizational objectives
- Methods of implementing governance

Knowledge statement: Know how to integrate information security governance and corporate governance.
Key concepts:
- Activities to improve integration of governance activities
- Assessment of information security governance and enterprise governance integration
- Possible consequences as a result of failing to integrate governance activities

Knowledge statement: Know how to develop information security policies.
Key concepts:
- Policy development basis
- Policy and strategy
- Policies and control development
- The link between policies and architecture

Knowledge statement: Understand the methods that are used to develop business cases.
Key concepts:
- Business case recipients and presentation
- Content of a business case
- Feasibility aspects of a business case
- Financial implications of a business case
- The business case purpose

Knowledge statement: Know the methods used to plan and report on a strategic budget.
Key concepts:
- Budgeting
- Concepts of general management and administration
- Financial reporting

Knowledge statement: Understand that technology, the business environment, risk tolerance, geographic
location, and legal and regulatory requirements, amongst others, are internal and external influences that may
impact the organization's information security strategy.
Key concepts:
- Differences in drivers across business sectors
- Regulatory drivers and their impacts
- Risk drivers and risk tolerance
- The culture of organizational reactions and responses

Knowledge statement: Know how to get senior management and other stakeholders to commit and support
information security.
Key concepts:
- Assessment of senior management's commitment
- Strategies to cope with a lack of commitment from senior management
- Strategies to gain senior management's commitment
- The basis for securing senior management's commitment
- The result of poor management support

Knowledge statement: Be aware of the roles and responsibilities of information security management.
Key concepts:
- Different roles and responsibilities of information security management
- The impact of organizational structure on information security management
- The impact of other influences on the roles and responsibilities

Knowledge statement: Understand the organization's organizational structures and lines of authority.
Key concepts:
- Organizational structure and governance
- Responsibilities

Knowledge statement: Understand the methods used to create new – or use existing – reporting and
communication channels within an organization.
Key concepts:
- Information that a security manager should receive, from whom and when
- Information that requires regular communication
- Recipients of information and when information needs to be reported
- The development of communication channels
- The integration of other assurance processes with information security
- The use of metrics to show an information security program's trends and problem areas
- Types of events that must be communicated immediately
- Types of information that the information security manager needs to communicate

Knowledge statement: Know how to select, implement, and interpret metrics such as KGIs, KPIs, and KRIs.
Key concepts:
- KGIs
- KPIs
- KRIs
- Strategic and management metrics
9. Knowledge of a CISO: Definitions of Key Security Concepts
After going through this topic, you should be able to:
Know about the key security concepts and technologies that a CISO should be aware
of.
To ensure the effectiveness of information security governance, a CISO needs to have a
thorough understanding of certain key security concepts.
Access control: Procedures, policies, and deployment mechanisms that deny or allow access to information
systems, resources, and physical access to premises.
Architecture: The design of a structure that includes the elements it is made up of and the interactions
between them.
Attacks: Different kinds of security compromises.
Auditability: The level to which you can track and audit transactions using a system.
Authentication: Verifying a user's identity and determining the user's right to access computerized
information.
Authorization: The permission granted to a user to access resources for approved actions.
Availability: The power to access and use information whenever required.
Business dependency analysis: Specifies the level to which an organization's business depends on a
resource.
Business impact analysis: Assessing the results of a security compromise.
Confidentiality: Ensuring that important and valuable information is not disclosed without permission.
Controls: The procedures or actions that you can use to mitigate risks.
Countermeasures: The procedures or actions that you can use to reduce vulnerability.
Criticality: The significance of a resource to the business.
Data classification: The process by which you can find the sensitivity and importance of information.
Exposures: Areas of an organization that might be affected by threats.
Gap analysis: Finding the gaps between the objective and the actual condition.
Governance: Providing direction to activities and managing them.
Identification: The method for verifying an object or a person.
Impact: The result of a risk that has materialized.
Integrity: The validity, completeness, and correctness of information.
Layered security: In-depth protection for controlling compromise.
Management: The supervision of activities for ensuring the achievement of objectives.
Nonrepudiation: The assurance that a party cannot deny that it originated some data, that there is evidence
about the origin and integrity of the data, and that the evidence can be verified by a third party.
Policies: High-level statements that indicate the intent and direction of an organization's senior
management.
Residual risk: The risk that is left after implementing controls and countermeasures.
Risk: The possibility of a threat taking advantage of a vulnerability.
Security metrics: The ways of making a quantitative and periodic assessment of security performance.
Sensitivity: The impact level of an unauthorized disclosure.
Standards: The permitted limits of procedures and actions for meeting the policy.
Strategy: The steps to be performed for attaining an objective.
Threats: Events or actions that can lead to harmful results.
Vulnerabilities: Weaknesses that can be exploited by threats.
Enterprise architecture: The systematic logic for IT infrastructure and business processes.
Security domains: Logical areas that are surrounded by various levels of security.
Trust models: Maps of security controls and functions to various security levels.
A CISO should also have a conceptual understanding of security technologies such as
firewalls, antivirus, antispam, encryption, biometrics, and forensics. Other security
technologies include user account administration, intrusion detection and intrusion
prevention, privacy compliance, remote access, digital signature, public key
infrastructure, or PKI, and virtual private networks, also called VPNs.
Some more security technologies that a CISO should know are Secure Sockets Layer, or SSL; secure
electronic transfer, or SET; monitoring technologies; electronic data interchange, or EDI; electronic funds
transfer, also called EFT; identity and access management, known as IAM; single sign-on, or SSO; and
system information and event management, referred to as SIEM.
10. Relationship Between Information Security Governance Outcomes
and Management Responsibilities
After going through this topic, you should be able to:
Know about the relationship between information security governance outcomes and
management responsibilities.
Each governance outcome is listed below with the responsibility of each role (board of directors, executive
management, steering committee, CISO, audit executives).

Strategic alignment
- Board of directors: needs to exhibit demonstrable alignment.
- Executive management: establishes processes to integrate security with business objectives.
- Steering committee: reviews and supports efforts for security strategy and gathers support for integration
from business owners.
- CISO: creates the security strategy, supervises the security program and initiatives, and coordinates with
business process owners for continuous alignment.
- Audit executives: assess the degree of alignment and create reports of the results.

Risk management
- Board of directors: ascertains risk tolerance, supervises the risk policy, and ensures regulatory
compliance.
- Executive management: makes sure that all roles and responsibilities involve risk management in all
activities, and supervises regulatory compliance.
- Steering committee: determines emerging risks, supports business unit security practices, and detects
compliance issues.
- CISO: ascertains that risk and business impact assessments are conducted, creates risk mitigation
strategies, and implements policy and regulatory compliance processes.
- Audit executives: assess the corporate risk management practices and report the results.

Value delivery
- Board of directors: continuously monitors the costs incurred by security activities.
- Executive management: conducts business case studies of security initiatives.
- Steering committee: evaluates the adequacy of security initiatives to support business functions and
provides relevant advice.
- CISO: supervises the utilization and effectiveness of security resources.
- Audit executives: assess the efficiency of value delivery and report the results.

Performance measurement
- Board of directors: implements a system that helps them find out the effectiveness of security initiatives.
- Executive management: gathers metrics for security activities and monitors the activities.
- Steering committee: evaluates whether security initiatives meet business objectives and provides
appropriate advice.
- CISO: creates and executes monitoring and metrics approaches, and guides and supervises security
activities.
- Audit executives: assess the efficiency of performance measurements and report the results.

Resource management
- Board of directors: supervises a policy of knowledge management and resource utilization.
- Executive management: makes sure that there are processes in place for capturing knowledge and
efficiency metrics.
- Steering committee: assesses the processes for capturing and distributing knowledge.
- CISO: determines ways of capturing and distributing knowledge, and creates metrics for measuring
effectiveness.
- Audit executives: assess the efficiency of resource management and report the results.

Integration
- Board of directors: supervises a policy of assurance process integration.
- Executive management: supervises all assurance functions and integration plans.
- Steering committee: determines important business processes and assurance providers, and directs
efforts toward assurance integration.
- CISO: coordinates with other assurance providers, and detects and removes overlaps and gaps.
- Audit executives: assess the effectiveness of assurance processes performed by different management
areas and report the results.
11. References
CISM Review Manual, W. Krag Brotby (editor), ISACA, ISBN 9781604202137.
Information Security Governance: Guidance for Information Security Managers, W. Krag Brotby, ISACA,
ISBN 9781933284736.
Information Security Management Handbook, Harold F. Tipton and Micki Krause, CRC Press,
ISBN 9780849374951.
https://www.slideshare.net/TISAProTalk/prinya-acis-slide-for-swpark-it-information-security-human-resource-development-plan-for-aec-2015tisa-ptotalk-22554
12. Information Security Governance Glossary
A
acceptable interruption window: See AIW.
acceptable use policy: A set of clear rules and responsibilities on the extent of use, which guides users accessing the
organization's resources.
access control: A set of measures that restricts unauthorized access to an organization's resources.
access control list: See ACL.
access right: A permission or privilege that allows a user to use or modify data as specified by the data owner and the
information security policy.
accountability: The responsibility for a particular event or activity assigned to a user or a party.
ACL: Abbreviation for access control list, a list of permissions assigned by an administrator for accessing a system or
application.
activation: The process of initiating a system, a service or an agreement and making it functional.
administrative control: A set of guidelines for processes that improve the functioning of a system or a service and help it
to remain within standards.
aggregated risk: A collection of risks that occur when a single threat or many threats simultaneously affect many minor
vulnerabilities. When measured individually, the effects of these risks may be modest. But when all risks combine, they
can have devastating effects on the organization.
AIW: Abbreviation for acceptable interruption window, the duration for which a computer or a service can remain
inaccessible without hampering the achievement of business objectives.
ALE: Abbreviation for Annual Loss Expectancy, the annual expected financial loss to an information asset from a threat.
alert situation: A situation in an emergency procedure that occurs after the time taken for unsuccessful resolutions goes
beyond a predetermined limit. An alert situation usually triggers escalation.
alternate facility: An optional location with resources to implement an emergency or a backup process if the main facility
is not available.
alternate process: An optional process created for performing critical business processes from the time a process fails
until the time it returns to normal.
analysis of technical components and architecture: An evaluation of the technical components of the technical
security architecture to determine how individual components contribute to the organization's overall security.
anchoring: An incorrect tendency to base present estimates or forecasts on a value previously presented. Anchoring may
lead to the failure of an organizational strategy.
annual loss expectancy: See ALE.
annualized rate of occurrence: See ARO.
antivirus software: An application that protects a computer from damages that may be caused by a computer virus,
worm, or malicious code. It identifies potential threats or infected files and takes action against them, usually by deleting or
quarantining the affected files.
application control: A process of monitoring and managing manually or automatically performed activities so that all
records are valid, complete and correct.
application layer: A layer of the Open Systems Interconnection model that allows effective communication between two
applications in a network.
application-level controls: A control activity supported by the technology for specific business information processing.
ARO: Abbreviation for annualized rate of occurrence, the number of times a threat to an information asset is likely to
occur in a year.
assurance process integration: Integration of an information security program with other assurance processes in an
organization, including human resource management, risk management, IT security, legal compliance, auditing, and
implementation of physical security.
attack: An event in which access to information is forced, usually without any authorization.
audit: A process that checks the functioning of controls and strategies and their adherence to the accepted standards.
audit trail: A collection or log of records regarding activities performed on a computer along with user details.
auditability: A feature of data transactions that helps to follow and evaluate these transactions through a system.
authentication: A process of checking the identity of a user or a computer and their access rights.
authorization: An approval that provides permission to access resources that are required for approved tasks.
availability: The state of a resource or any information in which it is ready for use when required. Availability is usually
expressed as the percentage of time that a resource, such as a computer or a server, is functional.
B
backup center: An alternate facility that helps perform information technology or information security related functions
when the main site is not available.
BCM: See business continuity management.
BIA: Abbreviation for business impact analysis. Also known as business impact assessment, a process that identifies the
adverse effect on a business that may be caused by a lost resource.
biometrics: An access control mechanism that uses a person's behavioral or physiological attributes for identification or
authentication.
BMIS: Abbreviation for Business Model for Information Security, a model that manages information security with a
business-oriented approach.
board of directors: Also known as senior management. A team of experienced people that provides guidance, approval,
and evaluation of information security.
business case: Documentation used to explain why investment should be made in a particular area. A business case
combines several weighted measures to rate a project or task. The measures relate to financial performance, customer
measurements, internal operations, and learning and growth over the lifetime of a project or task.
business continuity management: Abbreviated to BCM, a process that reduces effects of interruptions, restores
services, and protects crucial business processes.
business dependency analysis: A process that studies the level of dependency of a business on a resource.
business dependency assessment: In information asset classification, a process that allows identification of resources
important for the functioning of a business process. Business dependency assessment helps allocate protective activities.
business impact analysis: See BIA.
business impact assessment: See BIA.
Business Model for Information Security: See BMIS.
business process assurance: An outcome of effective security management that is the information security manager's
responsibility. The information security manager interacts with different assurance providers and incorporates their
activities with information security activities.
C
CA: Abbreviation for certificate authority, an application that issues digital certificates to any registered entities.
cascading risk: A group of risks that occur when one risk creates a chain of events that results in several risks. This may
result in major failures, leading to heavy losses for the organization.
certificate authority: See CA.
chain of custody: A process that checks and ensures the authenticity and completeness of evidence in a legal
proceeding.
change management: A proactive, holistic process to manage the change between organizational states. Change
management focuses on human aspects of the change process, such as culture change, rewards, team building, and
communication.
chief information officer: Abbreviation for CIO, the person responsible for planning the funding and performance aspects
of information technology along with its security.
chief security officer: See CSO.
CISO: Acronym for chief information security officer, see information security manager.
cloud computing: A network of remote computers hosted over the Internet to store, manage, and process data. A third-
party service provider offers cloud-based resources in which resources such as networks, servers, storage, and
applications are distributed across various pooled servers at remote datacenters, and often across multiple datacenters in
different locations. See IaaS, PaaS, and SaaS.
COBIT: Acronym for Control Objectives for Information and related Technology. A set of internationally approved
objectives that provide guidelines for IT control, published and updated by the IT Governance Institute.
code of ethical conduct: A contract that security personnel should be made aware of and adhere to regarding ethical
issues – specifically issues surrounding the protection, use, and storage of information.
cold site: A type of offsite backup facility that includes only basic requirements, such as flooring, air conditioning, and
wiring, to operate as an information processing facility. However, this site takes a long time to be activated and requires
the business to provide other equipment.
Committee of Sponsoring Organizations: See COSO.
community cloud: A type of cloud computing, where the cloud (network) offers an infrastructure that several
organizations with common interests and IT infrastructure requirements can share.
compensatory controls: A control mechanism that adds control steps to lessen the effect of a risk when that risk
increases.
Compliance: A control area that checks an organization's adherence to legal and security standards or requirements.
Compliance Department: An organizational department that manages regulatory compliance policies and standards.
This department may be independent or it may form part of the Legal Department.
compliance enforcement: An activity of the information security program that ensures constant adherence to security
policies and standards.
Confidentiality: A process of safeguarding critical or private data from being accessed without permission or misused.
configuration management: A process that enables organizations to manage changes to a complex system, such as an
information system, so that the system maintains its performance and integrity over its lifetime.
Control Objectives for Information and related Technology: See COBIT.
Controls: A set of strategies that helps mitigate risks and achieve business objectives.
corporate governance: A set of policies that helps the board of directors guide and manage an organization.
corrective controls: A proactive measure to quickly recover from data loss or any other damage caused by a security
breach. Disaster recovery methods, such as data backup and recovery, are examples of corrective controls.
COSO: Abbreviation for Committee of Sponsoring Organizations of the Treadway Commission; a team of people that
guides and provides internal control for all organizations.
67.
Information Security Governance:Concepts, Security Management and Metrics
______________________________________________________________________________
Study Notes www.SlideShare.net/OxfordCambridge Page 67 of 100
Countermeasures: A set of processes that decreases the chances of a threat occurring.
critical success factor: Abbreviated to CSF. One of the factors that helps achieve Sarbanes-Oxley compliance by
managing controls, determining tests for effectiveness, and assigning resources to implement this testing.
Criticality: A measure of the impact of a computer or a service failure on the organization.
CSF: See critical success factor.
CSO: Abbreviation for chief security officer, see information security manager.
D
DAC: Acronym for discretionary access control. A type of access control that restricts data access for a user or a
computer, but allows users or computers to transfer their access permission to each other.
data classification: A process of dividing data into levels based on its sensitivity and criticality. These levels indicate
how important the data is to the organization.
data warehouse: An electronic system that stores and manages a large amount of data with the help of advanced
searching and filtering techniques.
database management systems: A technology that stores data in the form of records and specifies the level of access
that a user has to the system.
decoy server: See honeypot.
defense in depth: A technique of protecting information with layers of controls, arranged so that no single threat or risk
affects all of the layers.
Degauss: A process of removing magnetic disturbances or fields around magnetic recording media by applying different
degrees of alternating current to it.
demilitarized zone: See DMZ.
detective controls: Controls that help you identify any hindrances or threats to information security. Examples include
intrusion detection methods, checksums, and security audits.
deterrent controls: Controls that discourage hackers and malicious users from breaching the information security setup.
Examples include punitive action against unauthorized use, and preventive control techniques such as access cards and
user authentication.
digital code signing: A process in which a digitally signed computer code is used to ensure integrity.
disaster declaration: A statement that communicates the implementation of the disaster recovery plan to the required
stakeholders.
disaster recovery plan: A preset strategy that helps to restart the operation of an interrupted service with the help of
resources and processes.
discretionary access control: See DAC.
DMZ: Abbreviation for demilitarized zone, an additional zone between the Internet and a private network that doesn't allow
external users to access internal data.
DNS: Abbreviation for domain name system, a service that provides translation between domain names (such as web
addresses) and IP addresses. The translation depends upon a hierarchical naming system.
domain name system: See DNS.
dual control: A process that uses more than one person to protect a computer resource from single-entity access.
due care: The appropriate level of concern that is required from a person of a particular level in the relevant situation.
due diligence: The appropriate level of thoroughness that is required for an evaluation or an analysis.
Duplicate Information Processing Facilities: A set of facilities dedicated to recovery sites that are used like a primary
site.
dynamic interconnection: A factor that controls different elements of the BMIS model and maintains the balance of the
model.
E
EF: Abbreviation for exposure factor, the proportion of an information asset's value that is lost when a threat
materializes, expressed as a percentage.
Encryption: A control mechanism that uses an algorithm to encode data so that only authorized users can read the
transmitted information.
end user: A person who uses a computer that is maintained by somebody else.
enterprise governance: A set of guidelines implemented by the board of directors and executive management. These
guidelines provide guidance, help to achieve objectives, ensure proper management of risks, and verify judicious use of
resources.
enterprise information security architecture: The structure of an organization's information security systems.
enterprise risk management: A process of managing risks, controlling their impact, and achieving business objectives.
ERM: Abbreviation for enterprise risk management.
executive management: A team of people that provides continuous support and guidance in the process of setting
objectives and implementing effective security governance.
Exposure: The extent of the negative impact that a weakness in a resource or a service can cause.
exposure factor: See EF.
F
Factor Analysis of Information Risk: See FAIR.
FAIR: Acronym for Factor Analysis of Information Risk. A risk assessment methodology that splits a risk into several
components and analyzes each component in detail. This method involves detailed analysis of both the risk and its control
measure.
Firewall: A security technology that forms a boundary and protects a computer or a network from unauthorized external
access.
G
gap analysis: A process, often applied to security, which examines the difference between existing and expected
conditions.
Governance: A process in which continuous control and direction is provided by people with experience and expertise.
governance, risk management, and compliance: See GRC.
GRC: Abbreviation for governance, risk management, and compliance. In information security governance, a
methodology that organizations use to bring together governance, risk management, and compliance.
Guideline: A suggestion or a best practice that supports a user while performing a procedure. A guideline, unlike a
standard, is not mandatory.
H
Hashing: A mechanism that converts an input string of any length into a fixed-length string, used to verify that a
transmitted message has not been corrupted.
Honeypot: Also known as a decoy server. A server deployed to attract unauthorized access and attacks so that the
activity of such users can be detected and monitored, thereby helping to protect the organization's other computers.
hot site: An offsite backup facility that has all the required hardware and software resources and is ready to be used as an
alternate facility.
hybrid cloud: A type of cloud computing that's a combination of at least one private and one public cloud – for example
through a partnership between a private and a public cloud service provider.
I
IaaS: Abbreviation for Infrastructure as a Service. A cloud computing model that can provide storage, processing,
networks, and other essential computing resources. IaaS enables customers to operate any required software and
operating systems.
IDS: Abbreviation for intrusion detection system, an automated system that monitors network and host activities for
suspicious activity that may indicate an attack.
Impact: An outcome when a threat exploits a vulnerability and leads to loss of information assets.
impact analysis: An examination of information resources to study their criticality to the organization, which helps in
strategizing recovery.
IMT: Abbreviation for incident management team. A group of experts that help the organization identify and manage
information security incidents. This group usually consists of an information security manager, steering committee, and
dedicated and temporary team members. The information security manager usually leads the team.
Incident: An unplanned interruption, such as a server breakdown or unauthorized intrusion, which adversely affects
business continuity.
incident management and response: A process that involves detecting incidents that threaten an organization's
information assets, preventing their occurrence, and taking corrective actions to control and limit damage.
incident management charter: A document that establishes the IMT and describes its roles and responsibilities when
managing and responding to information security incidents.
incident management metrics: Criteria used to measure the efficiency and effectiveness of the incident management
and response process.
incident management team: See IMT.
incident response plan: A plan that identifies the steps to be taken and the resources to be used if an event has an
adverse impact on the organization's information assets.
incident response team: See IRT.
information risk: Potential problems that could put organizational data at risk, including the potential loss or inappropriate
exposure of information.
information risk management: A process that manages risks related to information security with the help of
management policies and processes.
information security governance: A set of practices implemented by the board and executive management. Besides
providing guidance, achieving objectives, ensuring proper management of risks, and verifying judicious use of resources,
these practices also protect data.
Information Security Incident Management: The fourth job practice area of CISM, which describes the activities of the
information security manager, to maintain operations, minimize the impact of risk, and restore normal operations after
system failures, disruptions, incidents of misuse, or other unforeseen events.
information security investments: Incentives used to measure the effectiveness of an information security program –
typically by comparing the budgeted costs of work scheduled and work performed against the actual cost of the program.
information security management framework: A conceptual representation of the structure used to manage information
security.
information security manager: Also known as the chief information security officer, vice president of security, or chief
security officer. An executive level of authority, present in every organization, with expertise in planning and budgeting.
information security program: A collection of technical and operational measures that maintains the confidentiality,
integrity, and availability of information.
information security program development: A process of creating a program that implements an information security
strategy by coordinating activities, projects and initiatives.
Information Security Program Development and Management: The third job practice area of CISM, which describes
the activities of the information security manager, to ensure the information security program is developed and managed in
line with the organization's overall goals.
information security program resources: The resources used to develop an information security program and achieve
a specific level of security.
Integration: In information security governance, an outcome that ensures seamless operation among all processes by
combining all factors affecting the operation.
Integrity: The complete nature of information that ensures its correctness and validity.
Internet service provider: See ISP.
interruption window: The period of time that a business can endure from the failure of a service or an application to its
restoration. Beyond this duration, losses will adversely affect the business.
intrusion detection: A security technology that monitors activities on a computer to identify an attack or access without
permission.
intrusion detection system: See IDS.
IRT: Abbreviation for incident response team. A team that focuses on responding to incidents. The team usually includes
incident handlers, investigators, forensic experts, and physical security experts.
ISO/IEC 17799: A standard that is approved by International Organization for Standardization, which defines the
confidentiality, integrity, and availability of information.
ISO/IEC 27001: An international standard based on ISO/IEC 17799, which includes a set of principles on information
security management.
ISO/IEC 27001:2005: In IT security, a standard that specifies practices and objectives for controls.
ISP: Abbreviation for Internet service provider, a third-party supplier that provides organizations or home users with a
connection to the Internet.
K
key goal indicator: See KGI.
key performance indicator: See KPI.
key risk indicator: See KRI.
KGI: Abbreviation for key goal indicator. A project metric that defines what goals have to be accomplished.
KPI: Abbreviation for key performance indicator, a performance factor that indicates if the process objectives are being
achieved.
KRI: Abbreviation for key risk indicator, an indicator that registers when the risk level of an organization exceeds a certain
defined level.
M
MAC: Acronym for mandatory access control. A type of access control that restricts data access depending on different
security requirements and permissions required for the data.
management support technologies: A set of supporting technologies that provide management features and automate
security procedures.
mandatory access control: See MAC.
Maximum Tolerable Downtime: See MTD.
Maximum Tolerable Outage: See MTD.
maximum tolerable outages: See MTO.
Metrics: Technical and statistical measures used to determine whether the controls implemented as part of an information
security program are functioning properly and meeting an organization's security objectives.
mirror sites: A set of sites similar to primary sites, which are used as load-sharing information processing facilities.
mobile site: A type of offsite backup facility that is portable and can be transported to any location to act as an information
processing facility.
monitoring policy: A set of rules that describes the recording and interpretation of information about computer, network,
and application use.
MTD: Abbreviation for Maximum Tolerable Downtime, also known as Maximum Tolerable Outage or MTO. The maximum
period of time for which the organization can support processing in an alternate mode. Various factors will determine the
MTO, including increasing backlogs of deferred processing. This, in turn, is affected by the SDO if it is less than that
required during normal operations.
MTO: Abbreviation for maximum tolerable outages, the maximum period of time for which an organization can support
operations in an alternate mode.
N
National Institute of Standards and Technology or NIST risk assessment methodology: A technique used to assess
risks in the system development life cycle or SDLC. NIST risk assessment methodology uses a nine-step process to
identify and evaluate risks to an organization: identifying system characteristics, identifying threats, identifying
vulnerability, analyzing control measures, determining the probability of threat occurrence, analyzing the impact of risk
on business, determining the risk, recommending risk control measures, and documenting the risk assessment reports.
native control technologies: A set of new and comprehensive security features that are incorporated with business
information systems.
Nonrepudiation: A feature that provides proof of the origin of data, which can then be verified by another person or
stakeholder. Usually, the origin of data is with a particular party or a person.
O
Open Shortest Path First: See OSPF.
operational controls: Controls that deal with an organization's everyday operations, helping to ensure that all objectives
are achieved.
OSPF: Abbreviation for Open Shortest Path First. A link-state IP routing protocol in networking that selects the best route
to each known subnet. It provides quick convergence and the ability to scale to large networks.
Overconfidence: A reason that causes an organizational strategy to fail because of undue confidence while estimating
figures or alternatives.
P
PaaS: Abbreviation for Platform as a Service, a cloud computing model that helps organizations deploy their software on a
provider's infrastructure using tools and languages supported by the provider.
packet filtering: A feature that provides or denies access to data packets entering or leaving a network depending on a
set of rules.
penetration testing: A process where the effectiveness of a security defense is checked in a live environment by
introducing mock attackers.
performance measurement: In information security governance, an outcome that reviews the operation of information
security processes, identifies weaknesses, and provides feedback.
plan-do-check-act model: A methodology used to manage and continually improve the quality of an information security
program based on four processes: Plan, Do, Check, and Act.
Policy: A high-level statement documenting a management decision about principles, courses of action, and business
strategies. A policy encompasses the organization's philosophy and strategy relating to the subject matter, and describes
how policy compliance will be checked and measured, the consequences for violating policy, and how exceptions will be
handled.
policy compliance: Ensuring that individuals and groups comply with organizational policies.
Port: 1. A connection between a CPU and a peripheral device. 2. A virtual space that allows organized connection
between remote services and a host.
PRA: Abbreviation for Probabilistic Risk Assessment. A method of risk assessment used in industries that use complex
technological operations such as oil and gas production, nuclear power, and aeronautics. PRA takes into consideration
the severity of the risk and chances of the risk occurring. The outcomes of the risk are assigned numerical values. The
total risk is calculated by adding together the products of severity and chances of occurrence.
preventive controls: Controls that don't allow hindrances to materialize including access control enforcement, encryption,
and authentication.
principle of least privilege: A strategy that involves dividing access to resources, so that those requiring little access
have minimum system privileges.
Privacy: A state of a computer or a network in which there is no scope for intrusion or information disclosure without
permission.
privacy officer: A person responsible for ensuring the appropriate protection of information and managing compliance
with the privacy regulations. The role this person fulfils may be independent or form part of the Compliance Department.
private cloud: A type of cloud computing, where the cloud (network) is reserved for use by one organization that requires
a high level of control over its data and security.
Probabilistic Risk Assessment: See PRA.
Procedure: A linear list of steps that helps users to perform operations while adhering to standards.
project management: The task of managing resources to achieve the goals of a particular project and meet the
organization's objectives.
public cloud: A type of cloud computing, where the cloud (network) is available for use to the general public or to large
industry groups, which may reserve part of the cloud.
public/private-key encryption: Also known as asymmetric encryption, a type of encryption algorithm that uses a key pair,
where one is a public key and the other is a private key. Only the person with the private key can encrypt data.
Q
qualitative risk analysis: A process that is used when there is a lack of adequate numerical data. This analysis describes
risks, their impact, causes, and likelihood of occurrence. It helps you to identify aspects of risk that are not tangible, for
example image, reputation, and culture.
quality management: The task of ensuring that results consistently meet the expectations of the customer. A business
initiative aimed at ensuring that an information security program is managed and controlled in a way that yields
appropriate results and delivers value to an organization.
quantitative risk analysis: A process that gives numerical values to the impact of a risk and the likelihood of the risk
occurring. This analysis also uses several statistical models, such as Monte Carlo simulation, to calculate these values.
R
RACI chart: A responsibility matrix that charts work objectives, or tasks, down one column and the names of people who
are responsible for each task across the top. One of four letters identifies the nature of each person's involvement using
the letters R for Responsible, A for Accountable, C for Consult, or I for Inform.
RAID: Acronym for Redundant Array of Inexpensive Disks. A set of interdependent disk drives that provides a large
amount of storage space and helps improve performance.
reciprocal agreement: A contract in which two or more organizations with similar infrastructure mutually agree to provide
processing time to each other during an emergency.
Recovery point objective: See RPO.
recovery sites: Locations that an organization can use to continue operations in the event that an incident prevents this at
the primary business site.
recovery time objective: See RTO.
Redundant Array of Inexpensive Disks: See RAID.
release management: A holistic process that considers resource planning, management, and other technical and non-
technical aspects when changes are applied to an IT service. Release management uses formal procedures and checks
to protect the live environment and its services.
residual risk: The possibility of a risk occurring after countermeasures and controls are implemented.
Resilience: The ability of a computer or a service to successfully tolerate problems caused by events.
resource dependency analysis: An analysis that determines the applications used to perform basic activities in a
business and also what resources are required to perform these activities.
resource management: In information security governance, an outcome that manages knowledge and infrastructure
resources to ensure their availability, documentation, and judicious use.
RFA: Abbreviation for Risk Factor Analysis. A risk assessment methodology that identifies the fundamental reasons that
eventually hamper a project. These reasons are mostly related to time, budget, scope, and performance constraints in a
project. The prime consideration in RFA is the possible impact that risks will have on organizational operations and assets,
and not the possibility of occurrence.
Risk: A phenomenon that occurs after a weakness is exposed to a threat and compromises the organization's information
assets.
risk acceptance: The decision to accept a risk if its elimination is impractical or uneconomical. Every organization has a
defined level of risk acceptance.
risk acceptance framework: A framework that defines the authority that decides whether or not the risk should be
accepted. This is done on the basis of the severity level of the risk – low, medium, high, and severe.
risk assessment: A process that measures a risk in terms of the qualitative and quantitative effect it has on the business.
risk avoidance: A process that helps to bypass a risk in an organized manner and thereby helps manage the risk.
risk communication and monitoring: A set of ongoing activities in the risk management process. Monitoring involves
timely assessment and evaluation of risks, while communication helps provide security alerts to stakeholders such as
senior management, process owners, employees, and customers.
Risk Factor Analysis: See RFA.
risk log: See risk register.
risk management: In information security governance, an outcome that manages risks. This is done by identifying risk
mitigation strategies and limiting their impact to a manageable level.
risk management strategy: An integrated business approach that manages risks and associated mitigation strategies.
risk mitigation: The process in which risks are managed by using countermeasures and controls.
risk register: A risk management document, also known as a risk log, which records the source and nature of risk,
existing controls, recommended controls, and the reasons why recommended controls should be implemented.
risk transfer: A process of passing a risk on to another organization. An example of a risk transfer is an insurance policy.
risk treatment: A systematic process of implementing strategies to deal with identified risks and reducing their impact on
business to acceptable levels. Risk treatment options include risk avoidance, risk transfer, risk mitigation, and risk
acceptance.
route filtering: A technology that defines a set of network addresses for a network device, so that network traffic
travels only via that route.
RPO: Abbreviation for recovery point objective, the point in time, just before an outage occurs, to which data should be
restored.
RTO: Abbreviation for recovery time objective, the duration of time within which a business function must be recovered
after a disaster has occurred.
S
SaaS: Abbreviation for Software as a Service, a cloud computing model that enables information security managers to
lease software and applications from a third-party provider that deploys the software virtually.
SABSA model: Abbreviation for Sherwood Applied Business Security Architecture model, a framework that describes
how an information security manager should collate all the necessary information that's needed to develop an enterprise
information security architecture that can meet an organization's information security needs.
SDO: Abbreviation for service delivery objective, the level of service expected while the alternate mode is operational
during the unavailability of a service or a resource.
secret key cryptography: See symmetric key encryption.
security baseline: A baseline for security that defines the minimum level of security that is required for an organization.
security controls: Safeguards to counteract security risks and minimize their impact on an organization.
security domains: A set of logical areas that are divided depending on varying levels of security.
security metrics: A set of specifications and benchmarks that measure security performance.
security policy: A policy that guides and supports information security and checks its alignment with business objectives
and standards.
Semi-quantitative risk analysis: A process that helps to assign approximate values to those risks that have already been
assessed by qualitative analysis. Since these values are not real, the risk is calculated with a formula that combines all
the values and assigns the risk rates for the assets. A grid can be used for this purpose, which makes rating easier. Based
on these values and the grid, the team of experts prioritizes the risks and plans to mitigate them.
senior management: See board of directors.
Sensitivity: A measure of the adverse effect created by information disclosure without permission.
service delivery objective: See SDO.
service level agreement: See SLA.
single loss expectancy: See SLE.
SLA: Abbreviation for service level agreement. A contract entered into by an organization with a third-party service
provider. It clearly defines the agreed level of services to be delivered by the service provider.
SLE: Abbreviation for single loss expectancy, the product of the asset value multiplied by the exposure factor.
social engineering: The process of extracting confidential information from users by tricking them.
Spoofing: An attack that results from a weak protocol design in which the sending address of a network transmission can
be falsified.
Standard: An approved benchmark for the performance of a user, a service, or a device to follow and thereby achieve
consistency.
standards compliance: Ensuring that individuals and groups comply with organizational standards – which reinforce the
organization's policies.
steering committee: A team of people that funds and manages various projects. An information security program is an
example of such a project.
strategic alignment: In information security governance, an outcome that plans information security according to the
business strategy used for achieving organizational objectives.
supplemental control technologies: An additional set of security features with components that aren't built in the
information system environment. It provides features that native components cannot.
symmetric key encryption: Also known as secret key cryptography, a type of encryption algorithm in which the same key
is used for encrypting and decrypting data.
system development life cycle: Abbreviated to SDLC, the five phases of an information system development process –
initiation, development or acquisition, implementation, operation or maintenance, and disposal.
T
TCO: Abbreviation for total cost of ownership, the full cost of acquiring, operating, maintaining, and retiring an asset
or project over its useful life, not just its purchase price.
TCP/IP and IPSec: TCP/IP is the suite of network protocols on which the Internet runs. Data is sent in packets, each
consisting of a header, which network devices use to route the packet, and a payload, which the receiving application
reads as a stream of data. IPSec is a set of extensions to IP that authenticates, and optionally encrypts, IP packets.
technical controls: Controls that use technology to protect an organization's information from loss, damage, or
inappropriate access.
technical security architecture: The combination of native controls, supplemental controls, and management support
technologies.
The Standard of Good Practice for Information Security: A catalog that specifies best practices for information security
management as well as requirements for resources and responsibilities.
76.
Information Security Governance:Concepts, Security Management and Metrics
______________________________________________________________________________
Study Notes www.SlideShare.net/OxfordCambridge Page 76 of 100
threat: An event that may harm an organization's information assets, human resources, or operations.
threat analysis: The process of identifying threats, their levels, their impact, and the likelihood of their occurrence.
threat assessment: A means of identifying potential security threats and outlining possible prevention techniques.
total cost of ownership: See TCO.
traffic or packet filtering: An access control mechanism that uses predefined rules for providing access to the network
by examining the headers of the incoming and outgoing packets.
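As an added illustration of the definition above (example code written for this glossary, not part of the original study notes), the following Python models a stateless packet filter: a ruleset evaluated in order against packet headers, first match wins, and anything no rule matches is denied. The addresses, the 10.0.0.0/24 internal range, and the ruleset itself are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed packet header: only the fields a stateless filter inspects.
@dataclass(frozen=True)
class Header:
    direction: str            # "in" (from the outside) or "out"
    proto: str                # "tcp", "udp" or "icmp"
    src: str                  # source IP address
    dst: str                  # destination IP address
    dport: Optional[int] = None   # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None       # None matches any protocol
    src: Optional[str] = None         # CIDR the source must fall in; None matches any
    dst: Optional[str] = None         # CIDR the destination must fall in; None matches any
    dport: Optional[int] = None       # None matches any port

    def matches(self, h: Header) -> bool:
        """Every field set on the rule must agree with the header; unset fields are wildcards."""
        if self.direction is not None and self.direction != h.direction:
            return False
        if self.proto is not None and self.proto != h.proto:
            return False
        if self.src is not None and ip_address(h.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(h.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != h.dport:
            return False
        return True


# Hypothetical ruleset protecting a web server inside the assumed 10.0.0.0/24 network.
RULES: List[Rule] = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source address.
    Rule("deny", direction="in", src="10.0.0.0/24"),
    # Inbound HTTPS to the internal network is the only service exposed.
    Rule("allow", direction="in", proto="tcp", dst="10.0.0.0/24", dport=443),
    # Outbound DNS and HTTPS only.
    Rule("allow", direction="out", proto="udp", dport=53),
    Rule("allow", direction="out", proto="tcp", dport=443),
]


def decide(h: Header, rules: List[Rule] = RULES) -> str:
    """Return the action of the first rule that matches; with no match, deny by default."""
    for rule in rules:
        if rule.matches(h):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in (Header("in", "tcp", "203.0.113.7", "10.0.0.5", 443),
                Header("in", "tcp", "10.0.0.9", "10.0.0.5", 443),
                Header("out", "tcp", "10.0.0.5", "203.0.113.7", 25)):
        print(pkt, "->", decide(pkt))
```

Two practitioner points the model makes visible: the fallback is deny, so a service not explicitly listed is unreachable rather than silently exposed, and rule order matters. If the anti-spoofing deny were placed after the HTTPS allow, a packet with a forged internal source address would be admitted by the allow rule before the deny rule was ever consulted.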
training needs assessment: A means of identifying the knowledge areas and skills required by employees, and their
current competency in those areas.
transparency: A property of the control environment in which all users understand how system controls work, so that
each of them can confirm that the controls are operating as expected.
triage: The process of prioritizing, sorting, and categorizing the events or incidents logged by the incident
management team (IMT).
two-factor authentication: A verification procedure that requires two independent factors, such as something the user
knows (a password) and something the user has (a hardware token or an authenticator app). Two instances of the same
factor, for example two passwords, do not qualify.
U
UAT: See user acceptance testing.
user acceptance testing: Abbreviated to UAT, the testing in which end users confirm that a system meets its requirements
before it is accepted; a UAT plan that does not account for the security elements can create unexpected risks for them.
V
value at risk: See VAR.
value delivery: In information security governance, an outcome that makes the best use of security investments made
according to business objectives.
VAR: Abbreviation for value at risk, a measure of risk based on historical data of the probability distribution of loss on an
asset for a given time period.
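The SLE and VAR definitions, together with the annualized loss expectancy that SLE feeds into, can be worked through in code. The following Python example is added here and is not from the original notes; the asset figures and the monthly loss history are constructed values, and the VAR is computed by the plain historical-simulation method (a quantile of observed losses).

```python
import math
from fractions import Fraction
from typing import Sequence


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor; EF is the fraction of the asset lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annual rate of occurrence; the figure usually compared with a control's yearly cost."""
    return sle * aro


def control_is_justified(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds what it costs each year."""
    return (ale_before - ale_after) > annual_control_cost


def value_at_risk(losses: Sequence[float], confidence: float) -> float:
    """Historical-simulation VAR: the loss not exceeded in `confidence` of the observed periods.

    Uses the nearest-rank quantile of the sorted history. The confidence level is converted to an
    exact fraction so that e.g. 0.95 * 20 ranks as exactly 19 rather than a float just below it.
    """
    if not losses:
        raise ValueError("need at least one observed loss")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    ordered = sorted(losses)
    rank = math.ceil(Fraction(str(confidence)) * len(ordered))   # 1-based nearest rank
    return ordered[rank - 1]


# Constructed 20-month history of losses (currency units) from one assumed incident category.
LOSSES = [0, 0, 0, 1200, 0, 3500, 0, 0, 800, 0,
          0, 15000, 0, 2200, 0, 0, 0, 600, 0, 40000]

if __name__ == "__main__":
    sle = single_loss_expectancy(200_000, 0.25)          # 50,000 lost per event
    ale = annualized_loss_expectancy(sle, 0.2)            # one event every five years
    print("SLE", sle, "ALE", ale)
    print("control justified:", control_is_justified(ale, 2_000, 5_000))
    print("95% monthly VAR:", value_at_risk(LOSSES, 0.95))
```

The two measures answer different questions. SLE and ALE are expected values and are what the steering committee compares against the cost of a control; VAR is a tail measure and says nothing about how bad the losses beyond the chosen confidence level can be, which is why the 95% figure here (15,000) sits well below the largest observed month (40,000).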
vendor management: The process of managing the risks of relying on third-party service providers, including protecting
the information shared with them, when an organization uses such providers to fulfil some or all of its security needs.
vice president of security: See information security manager.
virtual private network: See VPN.
VPN: Abbreviation for virtual private network, a type of network that uses public telecommunications infrastructure,
such as the Internet, to transmit data while protecting its confidentiality and integrity through tunnelling and encryption.
vulnerability: A weakness in an organization's information systems, processes, human resources, or security controls.
vulnerability analysis: A security review to detect vulnerabilities in an environment.
vulnerability assessment: A process that identifies and measures vulnerabilities in controls, and thereby helps to evaluate
the effectiveness of risk management.
W
warm site: An offsite backup facility that has most of the infrastructure in place but leaves some hardware resources
only partially configured. It takes time to bring into operation and may initially give reduced performance.
web server: A type of server that hosts web pages for users connected to the Internet.
worm: A malicious computer program that is self-replicating and doesn't depend on user action to spread.
13. Answers to Quizzes
i
Quiz – Tasks 1
Identify the statements that correctly define information security governance.
Options:
1. A set of policies and procedures that establishes a framework of information security strategies
2. A set of rules for achieving the information security goals and objectives of trading partners
3. A job practice area that defines the information security responsibilities of Service Desk employees
4. A practice area that ensures efficient utilization of information resources
Answer (see Endnotes)
Option 1: This option is correct. Information security governance is a set of policies and procedures for
establishing information security strategies and ensuring their alignment with business goals and
objectives.
Option 2: This option is incorrect. Information security governance is a set of rules for achieving the
information security goals and objectives of the organization in which it is implemented, and not those of
its trading partners. This governance area also involves managing risks related to information security.
Option 3: This option is incorrect. The information security governance job practice area defines the
roles and responsibilities of the board of directors and executive management for ensuring effective
information security.
Option 4: This option is correct. Information security governance is a job practice area for ensuring that
information resources are used efficiently and formulating strategic directions for information security
activities.
Correct answer(s):
1. A set of policies and procedures that establishes a framework of information security strategies.
4. A practice area that ensures efficient utilization of information resources.
ii
Quiz – Tasks 2
Which tasks are included in the information security governance job practice area?
Options:
1. Design the business goals and objectives and get senior management to sign off on them
2. Establish and maintain information security policies
3. Define and communicate the roles and responsibilities of information security throughout the organization
4. Minimize the organization's driving factors and their influence on information security
5. Establish, monitor, evaluate, and report KGIs, KPIs, and KRIs
Answer (see Endnotes)
Option 1: This option is incorrect. The information security governance area does not involve designing
the business goals and objectives for an organization. It requires you to create an information security
governance strategy that aligns with organizational goals and objectives.
Option 2: This option is correct. One task in the information security governance area is to establish and
maintain information security policies to communicate management's directives and guide the
development of standards, procedures, and guidelines.
Option 3: This option is correct. The information security governance area involves defining and
communicating the roles and responsibilities of information security throughout the organization to
establish clear accountabilities and lines of authority.
Option 4: This option is incorrect. To meet the information security objectives of your organization, you
need to determine, and not minimize, its driving factors, such as technology, business environment, and
geographic location.
Option 5: This option is correct. The information security governance area involves establishing,
monitoring, evaluating, and reporting KGIs, KPIs, and KRIs to provide management with accurate
information regarding the effectiveness of the information security strategy.
Correct answer(s):
2. Establish and maintain information security policies
3. Define and communicate the roles and responsibilities of information security throughout the
organization
5. Establish, monitor, evaluate, and report KGIs, KPIs, and KRIs
iii
Quiz - Importance
Which statements demonstrate the importance of information security governance?
Options:
1. It provides protection from civil and legal liabilities
2. It reduces the impact of security-related incidents
3. It eliminates risks in business operations
4. It protects the confidentiality, integrity, and availability of information
5. It assures conformance to security policy
6. It protects physical and technical operations during important business activities
Answer (see Endnotes)
Option 1: This option is correct. Information security governance protects organizations from civil and
legal liabilities by ensuring that information is accurate and adequately protected.
Option 2: This option is correct. Information security governance reduces the impact of security
incidents by using predefined operations that quickly identify and control such incidents.
Option 3: This option is incorrect. Information security governance reduces the risks associated with
information security to levels that can be defined and tolerated. It can't eliminate business risks
completely.
Option 4: This option is correct. Information security governance protects information, including its
confidentiality, integrity, and availability during its life cycle or the time it is being used in an organization.
Option 5: This option is correct. Security policy is the foundation of information security governance, and
governance provides the oversight and monitoring that assure activities conform to that policy.
Option 6: This option is incorrect. Information security governance protects information during important
business activities, such as mergers, acquisitions, and regulatory response.
Correct answer(s):
1. It provides protection from civil and legal liabilities
2. It reduces the impact of security-related incidents
4. It protects the confidentiality, integrity, and availability of information
5. It assures conformance to security policy
iv
Quiz - Basic outcomes 1
What are the outcomes of successful implementation of information security governance in an
organization?
Options:
1. Organization-wide understanding that information security is an event
2. Acceptance of residual risks based on an understanding of their likely effects
3. Alignment of the information security strategy with organizational goals
4. Minimal investment in information security to sustain business objectives
Answer (see Endnotes)
Option 1: This option is incorrect. The value delivery outcome of information security governance
involves developing a common understanding in an organization that information security is not an
event, but a process that needs constant improvement.
Option 2: This option is correct. In risk management, residual risks can be accepted based on an
understanding of their likely effects. Alternatively, a risk mitigation strategy can be used to lower the
effects of residual risks.
Option 3: This option is correct. The strategic alignment outcome of information security governance
requires the information security strategy to be in line with organizational goals and objectives. This
involves deriving security requirements from business requirements.
Option 4: This option is incorrect. As an important task in value delivery, investments in information
security should be optimized, and not minimized, so that they support business objectives.
Correct answer(s):
2. Acceptance of residual risks based on an understanding of their likely effects
3. Alignment of the information security strategy with organizational goals
v
Quiz - Basic outcomes 2
Identify the desired outcomes of information security governance.
Options:
1. It should provide additional assurance about security processes through external assessments
2. It should ensure that the assurance functions in an organization are independent of each other
3. It should ensure the effective use of information security infrastructure and knowledge
4. It should provide metrics for measuring the achievement of business objectives
Answer (see Endnotes)
Option 1: This option is correct. Performance measurement involves obtaining additional assurance
about security processes through external assessments and audits.
Option 2: This option is incorrect. The integration outcome of information security governance involves
integrating all significant assurance functions to make sure that information security processes work as
expected.
Option 3: This option is correct. Resource management involves using information security
infrastructure and knowledge effectively to keep a record of security practices and processes.
Option 4: This option is incorrect. Performance measurement of information security processes requires
clear, definite, and approved metrics. These metrics should be aligned with business objectives.
Correct answer(s):
1. It should provide additional assurance about security processes through external assessments
3. It should ensure the effective use of information security infrastructure and knowledge
vi
Quiz - Corporate and IS governance
Which examples are related to information security governance?
Options:
1. An organization is facing negative public perception created by the media
2. A project manager is unable to access important files associated with a project
3. The stakeholders of a company are complaining that their interests are being compromised
4. The assessment ratings of employees, which are meant to be confidential, are disclosed
Answer (see Endnotes)
Option 1: This option is incorrect. This example is not related to information and is concerned with
general organizational management. So it comes under corporate governance.
Option 2: This option is correct. This example indicates a problem regarding the availability of
information, and so it comes under information security governance.
Option 3: This option is incorrect. This example is related to corporate governance because it is not
concerned with information and is about general business management.
Option 4: This option is correct. This example is associated with information security governance
because it denotes a problem regarding the confidentiality of information.
Correct answer(s):
2. A project manager is unable to access important files associated with a project
4. The assessment ratings of employees, which are meant to be confidential, are disclosed
vii
Quiz - Senior management responsibilities
What are the responsibilities of the board of directors with respect to information security?
Options:
1. Involve all stakeholders influenced by security considerations
2. Integrate information security governance with corporate governance
3. Review and approve the security policy
4. Act as a communication channel between the senior management and employees
Answer (see Endnotes)
Option 1: This option is incorrect. The steering committee should perform the task of involving all
stakeholders influenced by security considerations.
Option 2: This option is correct. The board of directors is responsible for including information security
governance in the corporate governance framework. It also needs to show continuous commitment toward
information security.
Option 3: This option is correct. The board of directors should review and approve the security policy,
metrics, and monitoring processes.
Option 4: This option is incorrect. The steering committee acts as a communication channel between
the senior management and employees.
Correct answer(s):
2. Integrate information security governance with corporate governance
3. Review and approve the security policy
viii
Quiz - Senior management responsibilities 2
Match each senior management role with the associated responsibility concerning information security
governance.
Options:
A. Board of directors
B. Executive management
C. Steering committee
D. CISO
Targets:
1. Achieves organizational consensus over priorities related to information security
2. Sets up reporting and communication channels in the whole organization
3. Establishes processes for integrating security with business objectives
4. Identifies information assets that need protection
Answer (see Endnotes)
The steering committee is responsible for achieving organizational consensus over priorities related to
information security and ensuring the involvement of all stakeholders influenced by security
considerations.
The CISO needs to establish reporting and communication channels in the whole organization to make
sure that information security governance is effective.
The executive management should establish processes for integrating security with business objectives
and provide proper leadership and continuous support to the people working to implement information
security.
The board of directors is responsible for identifying the information assets that need to be protected and
assigning appropriate priorities and protection levels to them.
Correct answer(s):
Target 1 = Option C
Target 2 = Option D
Target 3 = Option B
Target 4 = Option A
ix
Quiz - Elements of the model
Which element of the information security business model represents the formal and informal ways of
doing things?
Options:
1. Organization
2. People
3. Process
4. Technology
Answer (see Endnotes)
Option 1: This option is incorrect. The organization element is essentially a group of people, processes,
and assets that have different roles and work with each other to achieve a common objective.
Option 2: This option is incorrect. The people element represents an organization's human resources
and the security issues related to them.
Option 3: This option is correct. The process element comprises formal and informal methods of doing
things. It is created from an organization's strategy and signifies its operational aspect.
Option 4: This option is incorrect. The technology element consists of all the applications, tools, and
infrastructure that help to improve processes.
Correct answer(s):
3. Process
x
Quiz - Interconnections between elements
Match the elements of the information security business model with their dynamic interconnections. You
may use each element more than once.
Options:
A. Organization
B. Process
C. People
D. Technology
Targets:
1. Governance
2. Culture
3. Enablement and support
Answer (see Endnotes)
The governance dynamic interconnection links the organization and process elements. It involves
guiding and controlling an organization.
The culture dynamic interconnection links the organization and people elements. It represents people's
beliefs, opinions, and behaviors.
The enablement and support dynamic interconnection links the technology and process elements. It
involves creating security policies, guidelines, and standards to support business requirements.
Correct answer(s):
Target 1 = Option A, Option B
Target 2 = Option A, Option C
Target 3 = Option B, Option D
xi
Quiz - Interconnections between elements 2
Match each element of the information security business model to its dynamic interconnections. You
may use each element more than once.
Options:
A. Technology
B. People
C. Organization
D. Process
Targets:
1. Emergence
2. Human factors
3. Architecture
Answer (see Endnotes)
The emergence interconnection links the people and process elements. It indicates patterns in an
organization's life that appear and grow without any evident reason, and have results that are difficult to
forecast and control.
The human factors interconnection links the people and technology elements, and indicates the
relationship and gap between these elements.
The architecture interconnection links the organization and technology elements. It encompasses the
organization's policies, processes, people, and technology that together make up its security practices.
Correct answer(s):
Target 1 = Option B, Option D
Target 2 = Option A, Option B
Target 3 = Option A, Option C
xii
Quiz - Identifying need 1
What is information security governance?
Options:
1. A set of guidelines that ensures elimination of all information security risks
2. A set of procedures performed to meet business goals of the organization
3. A job practice area that works toward protecting all physical and technical operations
4. A collection of rules that ensures efficient use of information security resources
5. A domain that requires strategic direction from senior management
Answer (see Endnotes)
Option 1: This option is incorrect. Information security governance is a set of guidelines for reducing
information security risks and handling them in a proper way, but it cannot eliminate all risks.
Option 2: This option is correct. Information security governance is a set of security procedures that
align with the business goals of the organization. This involves deriving security requirements from
business requirements.
Option 3: This option is incorrect. Information security governance is a job practice area that does not
protect the physical and technical operations, but protects the information associated with them.
Option 4: This option is correct. Information security governance is a collection of rules for making
efficient use of the resources allocated for protecting information. This saves the organization from
unnecessary expenditure.
Option 5: This option is correct. Information security has gained prime importance because of the
dependency on information. So the information security governance domain requires strategic direction
from the board of directors and executive management.
Correct answer(s):
2. A set of procedures performed to meet business goals of the organization
4. A collection of rules that ensures efficient use of information security resources
5. A domain that requires strategic direction from senior management
xiii
Quiz - Identifying need 2
As a Certified Information Security Manager or CISM, you need to strengthen information security in
your organization. So you plan to develop an information security governance structure. Which
statements will you use to justify the need for information security governance to the senior
management?
Options:
1. It enhances trust in customer relationships
2. It provides complete safety from all security-related incidents
3. It provides protection from civil and legal liabilities
4. It protects an organization's reputation
5. It requires minimum investment for protecting information
Answer (see Endnotes)
Option 1: This option is correct. Information security governance improves trust in customer
relationships. This happens because customers are assured of the security of information handled by
the organization.
Option 2: This option is incorrect. Information security governance does not provide complete safety
from information security-related incidents, but it does reduce their impact.
Option 3: This option is correct. Information security governance protects an organization from civil and
legal liabilities by ensuring that information is accurate and adequately protected.
Option 4: This option is correct. Information security governance protects an organization's reputation
because people are assured that the company always provides correct information.
Option 5: This option is incorrect. Information security governance involves making optimal, and not
minimal, security investments.
Correct answer(s):
1. It enhances trust in customer relationships
3. It provides protection from civil and legal liabilities
4. It protects an organization's reputation
xiv
Quiz - Identifying need 3
Match the outcomes of effective information security governance with their descriptions.
Options:
A. Strategic alignment
B. Resource management
C. Integration
D. Value delivery
Targets:
1. Helps build an understanding that information security is a process
2. Ensures that security solutions comply with business processes
3. Takes the assurance functions into account while implementing information security
4. Keeps a record of security practices and processes
Answer (see Endnotes)
Value delivery helps build an organizational understanding that information security is not an event but a
process that needs constant improvement.
Strategic alignment ensures that security solutions comply with business processes and cater to the
structure, governance style, technology, and culture of the organization.
Integration takes the assurance functions into account while implementing information security, so that
security processes work as expected.
Resource management keeps a record of security practices and processes. It also aims to acquire
knowledge and make it accessible.
Correct answer(s):
Target 1 = Option D
Target 2 = Option A
Target 3 = Option C
Target 4 = Option B
xv
Quiz - Recognizing management roles 1
Match each security example with the applicable governance process. You can select each process
more than once.
Options:
A. The HR records of some employees are missing
B. A company is earning a bad name for not following environmental regulations
C. An employee can access all the data stored on the computers of other employees
D. An organization is making a loss because of mismanagement of funds
Targets:
1. Corporate governance
2. Information security governance
Answer (see Endnotes)
The issues of a company's declining reputation and an organization making a loss are not directly
related to information, and are concerned with general organizational management. So these issues are
associated with corporate governance.
The issues of missing HR records and an employee being able to access the data of other employees
are directly related to the security of information. So these issues are associated with information
security governance.
Correct answer(s):
Target 1 = Option B, Option D
Target 2 = Option A, Option C
xvi
Quiz - Recognizing management roles 2
Don has been appointed as the chief information security officer or CISO in an organization. What tasks
should he perform to ensure proper information security governance?
Options:
1. Review and approve the security policy, metrics, and monitoring processes
2. Create an information security strategy
3. Ensure that the information security program is cost effective
4. Ensure the involvement of all stakeholders influenced by security considerations
5. Supervise all assurance functions and integration plans
Answer (see Endnotes)
Option 1: This option is incorrect. The board of directors needs to review and approve the security
policy, metrics, and monitoring processes.
Option 2: This option is correct. A CISO needs to develop an information security strategy and get it
approved by senior management.
Option 3: This option is correct. A CISO needs to make sure that the information security program is
cost effective. For this, the CISO should be aware of the financial and budgeting processes.
Option 4: This option is incorrect. The steering committee needs to ensure the involvement of all
stakeholders influenced by security considerations.
Option 5: This option is incorrect. The executive management needs to supervise all assurance
functions and integration plans.
Correct answer(s):
2. Create an information security strategy
3. Ensure that the information security program is cost effective
xvii
Quiz - Recognizing management roles 3
A company's board of directors has created a steering committee to ensure the proper functioning of
information security governance. What would be the key responsibility of this steering committee?
Options:
1. Provide strategic direction for demonstrable alignment
2. Ensure that risk and business impact assessments are performed
3. Ensure that roles and responsibilities include risk management in all tasks
4. Attain organizational consensus over priorities related to information security
Answer (see Endnotes)
Option 1: This option is incorrect. The board of directors needs to provide strategic direction and
momentum for demonstrable alignment.
Option 2: This option is incorrect. The CISO needs to ensure that risk and business impact
assessments are carried out and build strategies for mitigating risks.
Option 3: This option is incorrect. The executive management needs to ensure that risk management is
included in all the tasks associated with different roles and responsibilities.
Option 4: This option is correct. The steering committee needs to achieve organizational consensus
over priorities related to information security. It also needs to act as a communication channel between
the senior management and the employees.
Correct answer(s):
4. Attain organizational consensus over priorities related to information security
xviii
Quiz - Identifying elements &amp; interconnections 1
Which statements are correct regarding the governance, risk management, and compliance or the GRC
approach?
Options:
1. Compliance involves developing methods to ensure adherence to standards, policies, and procedures
2. An organization should establish risk management before setting up governance and compliance
3. All three processes in the approach are interdependent and influence one another
4. The approach covers interconnected activities of an organization
Answer (see Endnotes)
Option 1: This option is incorrect. Governance involves developing methods to ensure adherence to an
organization’s standards, policies, and procedures. Compliance involves supervision of those methods.
Option 2: This option is incorrect. To integrate the three processes effectively, an organization should
establish governance before implementing risk management and enforcing compliance.
Option 3: This option is correct. The governance, risk management, and compliance processes are
interdependent and affect each other. This makes it necessary for them to be integrated.
Option 4: This option is correct. GRC covers many interconnected activities of a company such as
incident management, operational risk, internal audit, and compliance programs.
Correct answer(s):
3. All three processes in the approach are interdependent and influence one another
4. The approach covers interconnected activities of an organization
xix
Quiz - Identifying elements & interconnections 2
Which element of the information security business model helps create a strategy to identify goals and
values and develop a design to implement the strategy?
The information security business model contains four elements that are connected together with six
dynamic interconnections. The first and second elements are interconnected with governance. The
second and third elements are connected through emergence, and the second and fourth elements are
connected through enablement and support. The first and third elements are connected with culture, and
the first and fourth elements are connected using architecture. The third element uses human factors to
connect to the fourth element.
Options:
1. Organization design and strategy
2. People
3. Process
4. Technology
Answer (see Endnotes)
Option 1: This option is correct. The organization design and strategy element represents a group of
people, processes, and assets that have distinct roles and work together to achieve a common objective.
It involves creating a strategy to identify the goals and values of an organization and making a design to
implement that strategy.
Option 2: This option is incorrect. The people element represents the human resources of an
organization and the security issues related to them.
Option 3: This option is incorrect. The process element comprises the formal and informal methods of
doing things. It also acts as the link for all the dynamic interconnections.
Option 4: This option is incorrect. The technology element consists of all the infrastructure,
applications, and tools required to improve processes.
Correct answer(s):
1. Organization design and strategy
xx
Quiz - Identifying elements & interconnections 3
Which dynamic interconnection indicates patterns in an organization's life that develop without any
obvious reason and have results that are difficult to foresee and control?
The information security business model contains four elements that are connected together with six
dynamic interconnections. The organization element is linked to the people, process, and technology
elements with three different interconnections. The process element is connected to the people and
technology elements using two more interconnections. There is also an interconnection between the
people and technology elements.
Options:
1. Emergence
2. Governance
3. Culture
4. Enablement and support
5. Human factors
6. Architecture
Answer (see Endnotes)
Option 1: This option is correct. The emergence interconnection indicates patterns that appear without
any explicit reason and produce results that are hard to foresee and control. One way to address these
patterns is to account for them in the system design life cycle, risk management, and change control.
Option 2: This option is incorrect. The governance interconnection involves directing and controlling an
organization.
Option 3: This option is incorrect. The culture interconnection represents the way people behave, what
they assume and believe, what opinions they hold, and how they do things.
Option 4: This option is incorrect. The enablement and support interconnection involves creating
security policies, guidelines, and standards in support of business needs.
Option 5: This option is incorrect. The human factors interconnection represents the interaction, and the
gap, between the people and technology elements.
Option 6: This option is incorrect. The architecture interconnection encapsulates an organization's
policies, processes, people, and technology, including its security practices.
Correct answer(s):
1. Emergence
xxi
Quiz - Optimal reporting relationship 1
Which reporting structure between the information security manager and senior management depicts an
optimal reporting relationship structure?
In the first structure, the information security manager reports to the CEO. In the second structure, the
information security manager reports to the CTO, who reports to the CEO. In the third structure, the
information security manager reports to the IT manager, who reports to the CIO, and the CIO reports to
the CEO.
Options:
1. Information security manager reporting to the CEO
2. Information security manager reporting to the CTO, who reports to the CEO
3. Information security manager reporting to the IT manager, who reports to the CIO, and the CIO reports to the CEO
Answer (see Endnotes)
Option 1: This option is correct. When the information security manager reports to the CEO, the
structure is considered optimal because there is direct communication between the information security
manager and the CEO. The structure facilitates quick decision-making on critical issues and gives the
information security manager greater authority.
Option 2: This option is incorrect. When the information security manager reports to the CTO, there
may be a conflict of interest between the CTO and the information security manager. A CTO primarily
focuses on implementing technology in business operations and may find that security issues interfere
with that implementation. As a result, the CTO may not give priority to information security.
Option 3: This option is incorrect. When the information security manager reports to the IT manager,
the structure is considered suboptimal because information security becomes a part-time responsibility
for the IT manager, who may not focus on securing all information.
Correct answer(s):
1. Information security manager reporting to the CEO
xxii
Quiz - Optimal reporting relationship 2
As an information security manager, which points should you follow so that senior management accepts
your formal presentation of the security program?
Options:
1. Align the security and business objectives
2. Specify the tools for calculating the expenses of the security program
3. Identify the possible effects of failure of the defined security objectives
4. Use financial or risk and benefit models
5. Discuss measures to reduce the overhead involved in the security program
Answer (see Endnotes)
Option 1: This option is correct. You should align the security and business objectives to help senior
management use the security standards, policies, and procedures effectively in their work.
Option 2: This option is incorrect. You should help senior management calculate the expenses of the
security program by describing the overhead involved in the security program. Additionally, you should
identify auditing and monitoring tools for evaluating the effectiveness of the program.
Option 3: This option is correct. You should determine the possible effects if some of the defined
security objectives and regulatory conformances fail. This helps senior management understand the
importance of information security.
Option 4: This option is correct. You should use financial or risk and benefit models, such as total cost
of ownership and return on investment, to assess the profits and expenses of the security program.
Option 5: This option is incorrect. You should describe the overhead involved in the security program to
help senior management assess the expenses of the program.
Correct answer(s):
1. Align the security and business objectives
3. Identify the possible effects of failure of the defined security objectives
4. Use financial or risk and benefit models
xxiii
Quiz - Communication and reporting channels
You are the information security manager in an organization, and you informally report to specific groups
in the organization about information security. Match examples of reports about information security with
the relevant groups within the organization.
Options:
A. Reporting about training and education programs that help practice security in daily tasks
B. Report on new security systems implemented for specific processes
C. Reporting about the financial aspects of the security program
D. Reporting security responsibilities of project managers
Targets:
1. Senior management
2. Business process owners
3. Employees
4. Line managers
Answer (see Endnotes)
You should meet senior management periodically to learn about proposed business plans and
objectives. During this meeting, you can discuss with senior management the financial aspects of the
security program.
You should conduct meetings with different process owners to report on any new security systems
introduced in their processes.
You should organize adequate training and education programs for existing and new employees to help
them practice security in their routine tasks.
Project managers are part of line management and should have the knowledge of their security
responsibilities.
Correct answer(s):
Target 1 = Option C
Target 2 = Option B
Target 3 = Option A
Target 4 = Option D
xxiv
Quiz - Converging security-related functions
Identify the goals of security convergence.
Options:
1. To prevent any security overlaps across different functions
2. To segment security across various functions
3. To integrate the organization's assurance processes
4. To focus on the specific risks associated with physical security
Answer (see Endnotes)
Option 1: This option is correct. Security convergence prevents any security overlaps across different
security functions and ensures well-defined roles and responsibilities.
Option 2: This option is incorrect. Security convergence doesn't segment security across various
functions. It aims to bridge the gap between different security-related functions.
Option 3: This option is correct. One of the goals of security convergence is to integrate the
organization's assurance processes so that different security functions are aligned to the overall security
objectives.
Option 4: This option is incorrect. The goal of security convergence is not to focus on a single security
function. It aims to bring together all security functions, including physical, IT, and information security.
Correct answer(s):
1. To prevent any security overlaps across different functions
3. To integrate the organization's assurance processes
xxv
Quiz - Key Goal Indicators 1
Which is the definition of a metric?
Options:
1. A term that denotes protection from risks
2. A measure based on a reference point
3. A measure for the roles and responsibilities of senior management
4. A best practice to establish information security governance
Answer (see Endnotes)
Option 1: This option is incorrect. Security is a term that denotes protection against risks.
Option 2: This option is correct. A metric refers to a standard measure that is based on a source or a
reference point. This reference point acts as the desired outcome of an activity.
Option 3: This option is incorrect. An effective security metric provides information specific to the roles
and responsibilities of a security function so that senior management can use it while making decisions.
Option 4: This option is incorrect. A metric is not a best practice and doesn't help you establish
information security governance. To establish information security governance, you use information
security management.
Correct answer(s):
2. A measure based on a reference point
xxvi
Quiz - Key Goal Indicators 2
You are the information security manager in an organization, and you want to define the KPIs and KGIs
before implementing a security program. Match the various KPIs with the corresponding categories of
KGIs.
Options:
A. Security programs mapped to organizational goals
B. Use of standardized processes
C. Business Impact Assessments of all vital systems
Targets:
1. Risk management
2. Resource management
3. Alignment of security activities and business objectives
Answer (see Endnotes)
Carrying out Business Impact Assessments of all vital systems in the organization or defining risk
management objectives to minimize potential risks in the organization are indications that risks are being
managed in the organization.
An organization with effective resource management uses standardized processes to reduce the cost of
the security resources that protect information assets from threats and vulnerabilities.
If an organization's security programs are mapped to organizational goals, it indicates alignment of
security activities with business goals.
Correct answer(s):
Target 1 = Option C
Target 2 = Option B
Target 3 = Option A
xxvii
Quiz - Achieving effective information security 1
The senior management in your organization is headed by a president. The IT managers, senior project
managers, chief technology officer, and other functional managers report to the president. You want to
establish a reporting structure that helps you avoid any conflict of interest and achieve effective
information security.
Select the position description for your role that indicates the best reporting structure.
Options:
1. Information security manager reporting to the IT manager
2. Information security manager reporting directly to the president
3. Information security manager reporting to a senior project manager
4. Information security manager reporting to the chief technology officer
Answer (see Endnotes)
Option 1: This option is incorrect. When the information security manager reports to the IT manager, the
objectives of the information security manager may conflict with the interests of the IT manager, because
IT managers often regard information security as a constraint on IT operations.
Option 2: This option is correct. The structure with the information security manager reporting to the
president is considered best because it aligns the information security objectives with business goals. In
this structure, you can communicate directly with the senior management and convince them about the
importance of security initiatives.
Option 3: This option is incorrect. There is an inherent conflict of interest when the information security
manager reports to a senior project manager because the project managers don't consider security as
their primary responsibility. So this is not an optimal reporting structure.
Option 4: This option is incorrect. The chief technology officer is mainly concerned with the
implementation and use of technology, whereas the objectives of the information security manager are
more aligned with business than technology. So this reporting structure is considered suboptimal.
Correct answer(s):
2. Information security manager reporting directly to the president
xxviii
Quiz - Achieving effective information security 2
Your organization provides online banking services to its customers and its goal is to protect customers'
account information and provide safe transaction modes. You want to implement an information security
strategy in the organization, and for that you want to use several metrics to assess the effectiveness of
your information security strategy.
Match each category of metrics to its examples.
Options:
A. Alignment of security and business goals
B. Risk management
C. Resource management
Targets:
1. Conduct regular Business Impact Assessments of the failure of servers that support online transactions
2. Create a standardized process for safe online transactions
3. Establish strong encryption programs for online transactions
Answer (see Endnotes)
Conducting regular Business Impact Assessments of critical systems, such as the servers that support
online transactions, is a risk management activity. It helps you assess the risks associated with unplanned
interruptions caused by server failures and reduce their adverse impact to acceptable levels.
Creating a standardized online transaction process is an indicator of effective resource management.
Information security objectives can be achieved when security processes are standardized and roles are
clearly defined.
Establishing strong encryption programs for online transactions aligns the information security
objective with the business goals of protecting customers' account information and providing safe
transaction modes.
Correct answer(s):
Target 1 = Option B
Target 2 = Option C
Target 3 = Option A
xxix
Quiz - Achieving effective information security 3
You also want to converge the security-related functions in the organization to bridge the gaps that result
from segmenting these functions.
What are the keys to effective information security convergence?
Options:
1. Aligns security activities with business goals
2. Brings together people, technology, and processes in the organization
3. Helps you to create different reporting structures for each information security activity
4. Confines the view of security for easy management of risks
Answer (see Endnotes)
Option 1: This option is correct. Security convergence is effective if it focuses on integrating the
processes in an organization and aligns security activities with business goals to deliver shareholder
value.
Option 2: This option is correct. An effective approach to security convergence brings together people,
technology, and processes in the organization to make the business secure. It also enables the
organization to deal with any security incidents by quickly detecting and resolving the incidents.
Option 3: This option is incorrect. Security convergence helps you integrate all security-related functions
and creates a common reporting structure for all information security activities so that these activities
can be managed easily.
Option 4: This option is incorrect. Security convergence should provide a broader view of security that
makes it easier to prioritize and minimize risks. This is done by merging physical and information
security, which helps integrate all assurance processes regarding security.
Correct answer(s):
1. Aligns security activities with business goals
2. Brings together people, technology, and processes in the organization