CISM: Certified Information Security Manager Certification Video Training Course Outline
CISM: Certified Information Security Manager Certification Video Training Course Info
Gain in-depth knowledge for passing your exam with Exam-Labs CISM: Certified Information Security Manager certification video training course. The most trusted and reliable name for studying and passing with VCE files which include Isaca CISM practice test questions and answers, study guide and exam practice test questions. Unlike any other CISM: Certified Information Security Manager video training course for your certification exam.
Domain 01 - Information Security Governance
36. Lesson 4: Information Security Manager
In this lesson, we're going to take a look at the information security manager and talk about what the function of that position should be. Now, most organisations have acknowledged that there is a position of information security manager, whether or not it has that formal title. Certainly, the responsibilities of that position are assigned to one or more groups of individuals. Many organisations are designed to have a central information security department, and with that, I would have the information security manager be in charge of running that department.
The reporting structure for information security is another one of our responsibilities, and the way in which it is reported varies widely from company to company. A lot of recent surveys have shown that reporting is often done just to the Chief Information Officer, which might be adequately functional but can still be seen as suboptimal as a reporting method. Here's the reason why: as a Chief Information Officer, you are working with the IT department, and together you're under pressure to increase performance and cut costs. Sometimes that means security suffers as a result of those priorities. When you think about it, security and IT operations are at odds with each other. They are different functions: security is a regulatory function, while IT is an operational department. The CIO often looks at security issues as restrictions on the IT operation. Therefore, you could almost claim a conflict of interest in having the CIO take the information reported to them about security and move it up further to the CEO. Whereas, in the position of the CEO or board of directors, you're overseeing the entirety of the company. So that means that issues dealing with security should be reported to the CEO. Not because we want to overstep the management office of the CIO, but because, again, we think of IT and security as separate functions. And security, as we already know, is designed first of all to be in tune with the business objectives and with the different parts of the business through the different business units.
38. Senior Management Commitment Part1
When we talk about senior management commitment, we return again to the philosophy that we should be using what's called "top-down." The importance of security issues needs to be approved by upper management, which may also mean that we sometimes have to educate upper management on them: what are the security issues right now? To gain higher levels of security, senior management needs to be committed to things like a high standard of corporate governance; they should be treating information security as a critical part of their business functions. We also use it to show third parties that our organisation is dealing with security in a professional manner, helping to build reputation and trust. We also want senior management to assume ultimate responsibility for security as part of what they look at.
39. Senior Management Commitment Part2
Now, senior management can demonstrate commitment to security by being directly involved in the high-level information security arrangements, such as the creation of the security policy. That means they should have a high level of oversight and control. They should help ensure that you have sufficient resources to be able to implement the security policy. They have to have ways of measuring compliance and how well it's running. That means they would have to define metrics and monitor them. They will also have the responsibility of auditing your security effectiveness. Again, it's one thing to gather information about how it appears to be running, as opposed to actually testing it. So both together are an important part of making sure we've met compliance and, really thinking about it, that we're getting our money's worth out of our countermeasures. And of course, they're also involved in making sure that not only are the people that work for them following security policies and practices, but that they are doing it as well, so they don't look at themselves as exceptions. Again, I think of a company that I saw where there was a person in charge of a large part of the facility, a manufacturing facility for an overall large company, a position of very high importance, just practically below C-level. The C-level being the executive level; I didn't mean like the ocean. And what happened was that this person, who was part of the upper management, executive management, wasn't following the rules of security, was using email inappropriately against corporate policies, and they terminated that person's employment. We're talking about a salary in the mid-six-figure range being lost because they didn't follow up. But there was certainly a demonstration from management that the policies were important, that they certainly were enforcing those policies, and that people weren't immune to them just because of how high up they were in the corporation.
I'm thinking that probably shook things up over there and caused a lot of other people to say maybe I need to be careful about what I'm doing and follow the proper procedures. By the way, it was for no other reason than that this company has got a lot of patents, a lot of trade secrets, a lot of manufacturing things that they do. They are distinct from everyone else. And their risk was of people letting that information slip out. So they examined all emails to ensure that their secrets were not simply leaking out through their network.
40. Obtaining Senior Management Commitment Part1
Now, we should also seek to obtain senior management's commitment. That means we might use a formal presentation to help secure that commitment and gain their support for the security policy, standards, and strategy. And in a way, we can use this presentation as a means of educating senior management about what the security policies are, or what the goal of our security management is going to be.
41. Obtaining Senior Management Commitment Part2
Now, one way we can see whether or not senior management has accepted what we've pointed out or presented to them is by ensuring that the security objectives are actually aligned with business objectives, so that we see an understanding of the consequences of failing to achieve a security-related objective, or maybe even regulatory compliance. Hopefully, we can identify budget items that quantify the cost of the security program, as well as the benefits of security, by using terms like total cost of ownership or return on investment. Again, these are things that we can do as presentation items to help gain their acceptance. Also, defining a method for auditing the security programme is part of our presentation. Again, we need to get their approval, and if we get their approval and hopefully their commitment,
42. Establishing Reporting and Communication Channels Part1
Now, obviously, reporting, as we've already mentioned, is an important part of the process. So we need to have established reporting and communication channels. That means there should be regular reporting to the board of directors or to executive management regarding information security governance. Now remember, they may not care about the exact details of every single line item or every log entry, but certainly we can look at it and give them information like the status of the implementation of security, perhaps during the development process of our security program, where we're doing risk assessments and business impact assessments. We provide and communicate to them the results of the BIA, giving them statistics on detected or even prevented threats, pointing out the weakest links in security, and having performance measurement data as well as audit reports to show us where we are and maybe help us with a gap analysis of where we're trying to go with that program, showing the security support for the business objectives. And remember, that's an important aspect: the goal is the success of the business, the objectives of the business, and we are showing that our security is trying to support those objectives, and of course getting approval for renewed plans.
43. Establishing Reporting and Communication Channels Part2
Now, the following communication channels are crucial to the success of security. There are four groups that should be involved in communications. Senior management, of course; they should attend your business strategy meetings, and they should become more aware of the updated business strategies and objectives. The business process owners are those who should be made aware of the challenges and requirements of daily operations and the dependencies on other parts of the company. Management, which may include your line managers, supervisors, or other department heads, may have some responsibility for security policies. Now, if you think about it, I may have a data entry business unit that is a customer of information technology, and it's important that we understand there is some responsibility for the accuracy of the data, for their logins, and everything else, and how that works with the rest of the security policy. And of course, the employees who are not in management need to be trained about security programs. This should be included in any new hire training program.
44. Lesson 5: Scope and Charter of Information Security Governance
Now, in this lesson, we're going to take a look at the scope and charter of information security governance. Remember that when we talk about security, we're dealing with information of a variety of sorts. It can be spoken information, written, printed, as well as all the electronic forms. And again, we tend to sometimes focus only on electronic information security. Now, we should also consider that security should be included through the entire lifespan of that information. That means even if we're going to dispose, let's say, of a hard drive, we should have a policy in place to deal with its proper destruction, just as we would for written forms, the way they're shredded or destroyed, and for the recordings that we make. Now, the following could be considered a core set of principles that should be implemented for effective security governance, such as, number one, your CEO should be conducting annual audits. Now, again, you're asking, okay, so what is a core set of principles for security governance? Remember, we're talking about security for all types of information throughout their entire lifecycle. So auditors should likewise be looking at each of those stages. The company should conduct risk assessments and then implement policies and procedures that are based on those assessments. In fact, if you don't have an idea of what your risk is, you can't really create an effective policy that's going to be meaningful or help with the security of your corporation. We should assign explicit individual roles, responsibilities, authority, and accountability to those that are involved in the security process. And technically, everybody is going to be involved in some form or another, which requires employee training. Now, in the case of a breach of security, we should have procedures in place for how we respond to those incidents.
And we should also consider, as I said before, the entire data lifecycle for all of the information security processes because it's at all of them that we could be vulnerable.
45. Assurance Process Integration and Convergence
Now we talk about assurance process integration and convergence. As I said before, there are going to be a lot of different business units, and how they organise the processes that they work with might be thought of as being in different silos. If you think of a silo, this tall, cylindrical building that contains one product and doesn't spill out into the other products, think of those as the business units. Now you can think of human resources and management, research and development, even your promotional departments; they all have their own acronyms, their own languages, and their own unique things they do for the business. And we have to think about security, again, as being an overlap and not a separation of these different departments. So that means that we have to find a way to integrate these together. It's a part of the convergence. Now, examples of silos, as I said, might be risk management being in its own little silo, not talking to those people who are involved in change management. Well, if you make changes as you need to for repairs to hardware, or for security access control in implementing new protocols, or for upgrading an operating system, that's part of change management. With those changes, guess what? There is going to be a change in risk, which means risk management should be working together with change management. Those doing auditing should be working with everybody involved in risk and change management and all aspects of the business when it comes to security, so that everybody understands where we're at. And obviously human resources. Now, by human resources, I don't necessarily mean just hiring people, which is a part of the process. As we introduce new people, we may introduce new risks, but we also introduce new resources in terms of what people are capable of and what their areas of expertise are, so having them as resources can help us with security. And even the legal departments have their own ideas of what they do.
As a result, the silos, as previously stated, require a method to ensure some overlap and some communication: the ability to converge, the concept of the entire security process being integrated as a whole rather than as individual pieces where there may be gaps in between, because those gaps could be huge vulnerabilities waiting to be exploited.