ISACA CISM Topic: Domain 01 – Information Security Governance Part 2
December 14, 2022

113. Outsourced Security Providers

A lot of corporations these days are trying to reduce their costs so that they can focus on their core competencies. One way of doing that is to use third parties to take care of certain needs, which can include security. The reason for outsourcing, again, is that sometimes we can find companies that can make the parts we need more cheaply than we can make them ourselves, or that can support other parts of our business, where I’m not necessarily responsible for the payroll of whoever is there or for their facility costs.

Those arrangements go through contracts. But there are also risks that come with outsourcing. And even today, as we see a more global business environment, we may be outsourcing to companies located in other nations. As a result, some of the risks that we must consider include issues such as culture. And again, culture is not a bad thing.

It’s just that there may be a different idea of how business is done. There may be different laws and regulations that we have to account for. As an example, suppose part of your policy is that anyone working for your company must go through a thorough background check, yet you’re outsourcing to a company in a nation where such checks are illegal and they’re not allowed to perform them. Then you have to find a way to mitigate that difference so that you still meet your policies and your security needs while maintaining the business objective, which is to have a cheaper supplier of parts or labour. So we consider the culture.

Obviously, even the systems and technologies may be different. Using technology as an example, the United States has restrictions on the type of technology we can export to other countries, depending on which country it is. A lot of that has to do with cryptographic algorithms and technologies. For a while, I remember it being a big deal if you tried to buy a computer from a neighbouring country here in North America and bring it over the border. It was absolutely unheard of. Similarly, I couldn’t buy one in the US and ship it to them, due to technological limitations as well as import and export laws.

So those are some of the risks you must consider, and you must also deal with communications with the third party. There may be language barriers, as well as time-zone constraints. I know in my upcoming travels I’m going to be some 12 hours away from my home company and my home office, and that’s going to cause some issues with communications as well. If I call, it will be in the middle of the morning for them, and vice versa. So all of these are parts of what we look at when we are making decisions about working with outsourced security providers or any outside third party.

114. Lesson 12: Strategy Constraints

All right, we’re going to take a look at strategic constraints. Remember, we’re going to talk about creating a security strategy, and we want to cover some of the constraints: the things you might run into that may limit or otherwise affect your roadmap to the desired state you are trying to create through your security strategy.

115. Legal and Regulatory Requirements

First of all, one of the biggest things you’re going to have to deal with is any legal and regulatory requirements. Remember, it’s not just the jurisdiction that you are working in or that your corporation is headquartered in, but also any of the countries or other jurisdictions that your corporation does business in. That means you need to be familiar with any regulatory issues that deal with business, especially business abroad. There may be differences in privacy laws; certainly there are differences in tax laws. And as I said, there may even be restrictions on the type of data that can be imported and exported.

There are now many requirements in regulations across various countries regarding data retention or the content of your business records. Sometimes we even call this e-discovery. I know that for some particular types of businesses, the regulations require that emails from all employees of that type of organisation be stored for a period of seven years.

That’s a long retention period, but it’s part of the requirement, especially if irregularities were ever investigated: it would give investigators seven years of history to go back through. So it’s certainly important that we understand that. And of course, the requirements differ for different types of businesses, even within the United States, and for businesses working in different countries. They all have their own laws and regulatory requirements, and those are part of what we have to work with. It is certainly a constraint that we can’t get around.

116. Physical Constraints

There may be physical constraints as well: physical and environmental factors that we just have to deal with, such as the facility’s placement, which can be of concern. So if part of your security strategy is focused on physical security, which it should be, then you have to consider: is the facility where I’m at secure? Is there anything I can’t get around that I have to deal with, or should I change my approach to achieving the desired level of security based on the facility’s location? As an example, one company that I worked with had several data centres around the country. I noticed that they liked to build their data centres next to rivers.

I mean, they had two along the Mississippi, and they had one along the Columbia River in Portland, Oregon. And I thought to myself, “Okay, well, I don’t know what the history of those rivers is.” I know I hear about the Mississippi flooding all the time. So I’m hoping that the facility placement was still part of their plan, that they were on high enough ground, or whatever.

But that is one of the constraints. One company I worked with, based in a city in Florida, had several million dollars’ worth of equipment in its facilities to produce particular types of information. As I was driving to that location, I started in what was a very beautiful part of a city on the Gulf coast of Florida. And as I drove closer and closer, I began to notice more and more barred businesses and metal shutters on businesses. And then I started seeing more and more bars on houses. And I’m thinking, okay, where am I going if people have to lock themselves in their homes for safety? And then I finally get to this building that is barred up like crazy.

And I’m thinking, okay, apparently they’ve had to think about strategies for being in a high-crime area and figuring out how to protect their equipment and property. And they most certainly had. But again, that’s where facility placement can be an issue and add constraints, because we can’t always just pick up and move things. And, as we’ve already mentioned, there are environmental factors to consider, as I alluded to with flooding, and also earthquakes. Your strategy could also be constrained simply by the infrastructure’s capacity. That means you may have a new server or a new set of servers you need to bring in, but you have no more rack space and no place to expand, no wall to knock out to make the server room larger. And we certainly don’t want to take these new servers and just put them under the receptionist’s desk. So you may have other constraints, even power supply constraints, that you have to deal with.

117. The Security Strategy

Now, in terms of your security strategy, there are some additional areas to consider that could again form some sort of constraint. One might be ethics. When we talk about ethics, it could simply be the nature of the business you do, such that there are groups that are not happy with your corporation. We frequently hear about companies with the word “big” in front of them, with the remark that this makes them sound evil. Again, it’s perception, it’s ethics, and it’s the way you do business. And maybe your company has other issues that it deals with.

Then there is culture. We already described culture in terms of multinational facilities, but culture can also be the way people are used to doing business. They may be resistant to change, whether or not that comes down to the personnel involved. The organisational structure may have to undergo changes depending on the goals of your security strategy. Costs, of course, are another constraint we must contend with when dealing with limited resources.

Again, do I have people with the skill sets that I need? Do I have enough people, period? Do I have the facilities, the time, and the capabilities? And we must also understand the risk tolerance. As we come up with a security strategy, our goal is to be more secure, which means we’re trying to lower the risk of something happening, but we can’t eliminate all risk. So we also have to know what the company’s appetite is, what it is willing to accept, and whether we can reach that tolerance level through this strategy.

118. Lesson 13: Action Plan to Implement Strategy

Now let’s take a look at the action plan you would use to implement your strategy. To implement a security strategy, we often have to go through one or more projects or initiatives. What we’re saying is: here we are in our current state, here’s our desired state, and we realise that I can’t make one big leap straight to the desired state, and that I may need several projects. In fact, maybe I have to run several projects in parallel because I need both of them up and running to a certain point before moving on to the next step.

So what we’re saying is that we’re eventually going to create a roadmap. Part of this roadmap is these different initiatives and projects. Not only can they help us get to that destination, but they can also, as we’ll see, give us achievement points we can measure, to tell us whether we’re on target with the security strategy. Now, to get from my current state to my desired state, we often conduct what’s called an analysis of the gaps between those two states, because that can help us determine the actual road we want to take to get from current to desired.

119. Gap Analysis Part 1

One of the tools we can use to get from the current state to the desired state is a gap analysis. In fact, we might say that a gap analysis should be required, so that we can compare the current state to the end point, or goal, of the strategy. We could use a number of models to do the gap analysis: we might base it on maturity levels, control objectives, or risk and impact objectives. Again, these are things that could have come from the initial studies. As far as the analysis goes, if I know that I have a certain control that can do the job I want in terms of desired security, but I’m going to need to change its configuration, then in that case I have a control objective.

I can say, “Look, this gap between current and desired needs to go through this process.” Obviously, maturity levels vary. We discussed a variety of maturity models, including some that I had never considered in terms of security, ranging from ad hoc all the way up to being completely well planned. Hopefully we’ll use one that’s very well planned, the highest maturity level we can achieve. Part of the risk assessment and risk analysis was to understand the threats we discovered, the likelihoods of those threats, and their magnitude, and during that study, what we can do to mitigate them. Those might be objectives that we’re including in the plan, all of which we would use in the gap analysis. So again, the gap analysis helps us outline the steps we need to take to reach the security strategy. And we sometimes refer to it as creating a roadmap to achieve the desired level of security.

120. Gap Analysis Part 2

Now, another way of approaching a gap analysis is to say, “Let’s go backwards.” Let’s start from the desired state and work our way back to where we are, so that as we go back to the starting point, we can look at the steps along the way and leave ourselves a few breadcrumbs. It comes from saying, “Okay, I can see the route from where we want to be back to where we’re starting.”

We can see the path that we used, so we can reverse that path and use it as my roadmap to get there. Again, the capability maturity model or other methods might be utilised to help you get to the end point. Or, to put it another way, once you have traced the route from the end point back to the beginning, you reverse it to get from the current state to the eventual goal of the desired state of security.

121. Gap Analysis Part 3

Number one, as we look at a gap analysis, here are some of the areas that you should look at, because these will help guide our way toward creating the roadmap. We have to have senior management’s acceptance. We have to remember that as we’re doing this analysis, the strategy we’re trying to develop has to be linked to the business objectives. Our policies should be consistent with our strategy. And remember that policies might hold some of the constraints, because many policies may be in accordance with the legal and regulatory requirements we have to follow, and those are things we cannot change. So they need to be consistent with our strategy as well. Along the way, we are going to have a lot of people helping us.

And so there needs to be a clear assignment of roles and responsibilities. And in fact, even after we’re finished, we still need those roles and responsibilities because it’s important that we maintain that desired state and that everybody understands where they are in maintaining security, why the policies are set up the way they are, and what their responsibilities are going to be.

To help maintain, monitor, and manage that current state or that desired state of security, all operations are probably going to need procedures. I shouldn’t say probably; they will. Remember that procedures are the step-by-step way of how we do things. The goal of a procedure is to make sure that we do things in the same order and in the same way every time, so that we have consistency in our operations and people don’t deviate off course, which may cause bad information or misconfigurations of security designs. So let’s go over those steps. We need to know that our assets have been clearly classified for criticality.

Because again, that’s hopefully the main focus of what we’re going to look at: those assets that are very critical to our company. We need to check that we have the right controls to get us to the desired state, and that we have a method to evaluate and monitor them. In fact, you might say that if you have a choice of controls (and when I say controls, I realise it could be a targeted control, something we call a countermeasure; I just keep using the term “firewall” because it’s an easy concept), then, as an example, I may have several vendor firewalls to choose from.

But if getting information from that device for my evaluation and monitoring of how things are working is very complex, then it may not be my best choice, because part of being a good control is the ability to evaluate it, monitor it, and know how it’s working. So sometimes an overly complex control might not be the best choice, even if it sounds like it has all the bells and whistles that you need to get to your desired state. And of course, the other part is that we should have a tested business continuity plan and disaster recovery plan.

122. Policy Development Part 1

Now, as we talk about policy development, we realise that your IT policy might have to undergo changes in the execution of your strategy. First of all, remember that the policy is a high-level overview. It’s a few sentences that are designed to capture the intent, the expectations, and the direction of management, as well as state what compliance we might have with regulatory conditions. Having said that, it does not provide us with all of the standards or procedures; it is simply, as stated, a statement of intent about where we want to go. In addition, you may have included some of the objectives in your strategy to gain ISO compliance.

Well, that means that your policies should address any of the relevant domains or subsections of the certification that you’re trying to achieve, so that the policy gives direction as to where we are trying to get to in that desired state, which might also be ISO compliance. And it depends on which compliance certification it is, because they do break it down into different subsections and different domains of what we’re trying to achieve to get certain ratings.

Now, your policies should be linked to the strategy elements. Now, if they’re not, then we’ve got a problem because the strategy is a way of trying to help enforce or make sure the policy is followed. However, in order to get to the statement of what it desires, what its intent is, the policy must have an underlying strategy. In other words, the strategy and the elements complement each other. If they’re not linked to the policy, then either we’ve got the wrong policy or we’ve got the wrong strategy.

123. Policy Development Part 2

Now, policies are the primary elements of governance, and as such, they must be properly created, unless, of course, any of them are ruled invalid by executive management. The attributes of a good policy include showing compliance with the strategy (again, linking those things together) and each single policy having one security mandate. Notice I said one security mandate. It doesn’t mean that I have one policy that suddenly says, “We’re going to cover this domain, this domain, and this domain,” each of which may break it down for us. Policies should also be clear and easily understood. They should be brief because, again, they don’t outline the standards that we have to follow, and they aren’t going to have the procedures put into them. Our guidelines, the blueprint we’re following to get to our desired destination, should also reflect common business practices.

124. Standards Development

Now, standards are really used as security management tools to set the permissible bounds for procedures and practices regarding our technological systems. We can look at a standard as a way of enforcing or supporting the actual policy. When we talk about permissible boundaries, that doesn’t necessarily mean something that’s good or bad. It’s just boundaries that we set because we are attempting to achieve a desired state of security. One that I like to use as a quick example is that you might have a standard for internet usage while you’re at work.

That standard might say, “Look, you’re not allowed to go to any social networking sites,” meaning no Twitter, no Facebook, no MySpace. And people may complain; they may say, “This is horrible.” I’ve got to keep updated. I’ve got to do everything right. So a part of that is that we have to make sure that the standards are communicated to those who have to follow them; we have to make sure that we let them understand that it’s not a penalty.

It’s not that we’re trying to take away parts of their lives; we try to communicate the reasons for trying to get to a certain desired state of security and what issues can come through social sites like that. As an example, we all know that the applications on Facebook are not necessarily reviewed by Facebook, which means that they may be advertised, you may click on them, but those applications may do things you don’t want, such as sharing your information, sharing your friends’ information, and taking your photographs, if that is what you agreed to in their terms.

And most people don’t read those types of policies on a site like that. And I’m not saying that’s good or bad. I’m just saying I know it’s there because I bothered to read the privacy statements and understand how it works. So knowing that information, that makes me think maybe it’s a good standard that I say, “No, you don’t get to those sites from any place inside of our corporation.” So now the standards are the responsibility of the information security manager.

They are the ones who help create and certainly enforce the standards. Now, there also need to be cases where there is a plan for exceptions to the standards. That’s an important consideration because new things happen all the time. And I don’t want somebody to be on such automatic pilot that they can’t see a new deviation, a new exception, and say, “Wow, this is something I know is not in our standards.” I may have to take action, or at least record and report the event, for those who are outside of the standards but appear to be following the intent of what we’re trying to achieve in policy.

125. Training and Awareness

As I previously stated, training and awareness should be considered as part of your action plan and implementation of your security strategy. Those who receive the training will hopefully see the link between the standards and the policies. And the goal is for them to understand why certain standards are in place the way they are now. Training and awareness can be a continuous process for your standards and policies, especially as those things evolve. We need to evolve the training that people have and their awareness of those changes so that everybody is on the same page.

126. Action Plan Metrics

Measurements are important. So we do have some action plan metrics, and in fact, they are an important method of monitoring and measuring the progress of the implementation of the strategy. That means, again, that on the roadmap from where we are starting at current security to that desired state, there may be several projects or initiatives along the way, and they may provide milestones where we can look and see, “Hey, we’ve reached a certain point in the road, and here’s how long it took us.” Here’s the budget and the cost. It’s a way of checking up to see if we’re on plan and if we’re managing that project well.

And in fact, on the way there, when we get to that first stop in the road, we may find some deviations through the use of metrics and what we’ve measured, which might slightly adjust the plan we’re going to go ahead with. Monitoring can be done through a number of different methods.

There’s the balanced scorecard method; there’s the capability maturity model. We have other key performance indicators that you may have chosen on the way to the final destination. There may be some critical success factors or key goal indicators that we have to deal with. But again, we are creating our own checkpoints so that we can assess where we are, how well we got there, and if we’re on target.

127. General Metric Considerations Part 1

Now, your general metric considerations mean that your measurements, whatever they are, should be relevant to the strategy. The main goal of a metric is to provide information with which I can make decisions, not just to make a pretty chart or to give somebody something to do. Metrics are classified into three types: strategic, tactical, or operational. But they have to have meaning.

128. General Metric Considerations Part 2

There may be some metrics that fall outside a technical evaluation, but they should also be included. Most often, those are things that deal with monetary gains and budgetary constraints that our executive board is going to want to see, but they’re not technical. So it could be progress in comparison to the plan and budget, or it could be the results of disaster recovery testing. We may show them the audit results or even the status of regulatory compliance.

129. General Metric Considerations Part 3

From a technical perspective, there may be more information that’s needed, such as policy compliance metrics or changes to a process or system that might change the risk profile. We also may have patch management issues or other things that we have to look at. And again, if you think about it, on the way to that desired state of security, we may have introduced new changes through an updated patch management system for our Windows servers and the operating system. And that may cause us to pause and consider whether we need to reevaluate risk, or even the roadmap, in light of some of those changes, which are normal business practices.

130. General Metric Considerations Part 4

From a technical standpoint, you may also want to include your vulnerability scan results, server configuration standards, and any type of monitoring results from security devices such as intrusion detection systems and firewalls. These logs, or any other security device log, provide information that can be used to help us understand where we are in our security profile.

131. CMM4 Statements

Now, there are some intermediate goals that we will look at as far as the objectives for the capability maturity model. The intermediate goals are things like identifying the current applications in use; reviewing about 25% of the stored information so you can determine ownership, criticality, and sensitivity; making sure that each business unit is conducting its own business impact analysis; showing that each business unit is achieving regulatory compliance; that your security roles and responsibilities have been defined; that risk assessments are performed by each business unit; that we have proper training and education for the policies; and then linking the policies with the security strategy, as we talked about, to make sure that they support each other.


133. Domain 01 Review

Well, as we take a look at this first domain, we covered a lot of areas, and the goals were really kind of broken down into several sections. You know, we talked about developing an information security strategy that’s aligned with your business goals and objectives and making sure that we align the information security strategy with your corporate governance to be able to develop a business case that justifies the investment in information security.

We talked about identifying current and potential legal and regulatory requirements that may affect information security to identify the drivers that are affecting the organization. We looked at ways of obtaining senior management’s commitment to information security and even establishing the internal and external reporting and communication channels that help us in supporting information security.
