Certified Information Security Manager Exam Prep Guide - Hemang Doshi - E-Book

Description

With cyber threats on the rise, IT professionals are now choosing cybersecurity as the next step to boost their career, and holding the relevant certification can prove to be a game-changer in this competitive market. CISM is one of the top-paying and most sought-after certifications by employers.
This CISM Certification Guide comprises comprehensive self-study exam content for those who want to achieve CISM certification on the first attempt. This book is a great resource for information security leaders with a pragmatic approach to challenges related to real-world case scenarios. You'll learn about the practical aspects of information security governance and information security risk management. As you advance through the chapters, you'll get to grips with information security program development and management. The book will also help you to gain a clear understanding of the procedural aspects of information security incident management.
By the end of this CISM exam book, you'll have covered everything needed to pass the CISM certification exam and have a handy, on-the-job desktop reference guide.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 728

Year of publication: 2021

Certified Information Security Manager Exam Prep Guide

Aligned with the latest edition of the CISM Review Manual to help you pass the exam with confidence

Hemang Doshi

BIRMINGHAM—MUMBAI

Certified Information Security Manager Exam Prep Guide

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Preet Ahuja

Senior Editor: Shazeen Iqbal

Content Development Editor: Romy Dias

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Joshua Misquitta

First published: November 2021

Production reference: 1241121

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80107-410-0

www.packt.com

To my mother, Jyoti Doshi, and to the memory of my father, Hasmukh Doshi, for their sacrifices and for exemplifying the power of determination.

To my wife, Namrata Doshi, for being my loving partner throughout our life journey together, and to my 6-year-old daughter, Jia Doshi, for allowing me to write this book.

To my sister, Pooja Shah, my brother-in-law, Hiren Shah, and my nephew, Phenil Shah, for their love, support, and inspiration.

To my in-laws, Chandrakant Shah, Bharti Shah, and Ravish Shah, for their love and motivation. To my mentor and guide, Dipak Mazumder, for showing me how talent and creativity evolve.

To the extremely talented editorial team at Packt, including Preet Ahuja, Neil D'mello, Shazeen Iqbal, and Romy Dias, for their wonderful support throughout the journey of writing this book.

– Hemang Doshi

Contributors

About the author

Hemang Doshi is a chartered accountant and a Certified Information Systems Auditor with more than 15 years' experience in the field of information system auditing, risk-based auditing, compliance auditing, vendor risk management, due diligence, and system risk and control. He is the founder of CISA Exam Study and CRISC Exam Study, dedicated platforms for those studying for the CISA and CRISC certifications, respectively. He has also authored a few books on information security.

I wish to thank those people who have been close to me and supported me, especially my wife, Namrata, and my parents.

About the reviewers

When George McPherson was pulled through the ranks and pinned as a 21-year-old Sergeant in the U.S. Army over 20 years ago, he learned two things about himself. He could accomplish anything he put his mind to, and he would always pull others up if he was in a position to do so. George prides himself on integrity, an insane work ethic, attention to detail and (his greatest super-power) outside-the-box creativity. With 25 years in the technology industry, the first 18 in telecoms and the last 7 in cybersecurity, George has had the opportunity to work in industries such as the military, telecoms, local government, healthcare, and electric utilities.

George has over 20 professional certifications, including the CISM certification.

I would like to thank my beautiful wife, Audrey, whose constant support and sacrifice fuel my success.

Upen Patel is an IT professional with 20 years' experience, holding numerous professional IT certifications including CISM, CISA, CDPSE, CRISC, CCSP, CISSP, and Splunk Certified Architect. Upen attained a B.Sc. in geology from York College (CUNY), an M.Sc. in environmental engineering from NYU Polytechnic Institute, and an M.Sc. in security and information assurance from Pace. Upen has held several positions, including cloud architect and security engineer, risk assessment expert, CyberArk consultant, and Splunk architecture consultant. He has worked on the implementation of many large public cloud projects on Azure and AWS and developed an automated DevRiskOps process in public. He has also implemented a large Splunk SIEM solution.

I would like to thank my family for their motivation and support.

Table of Contents

Preface

Section 1: Information Security Governance

Chapter 1: Information Security Governance
  Introducing information security governance
    The responsibility of information security governance
    Governance framework
    Key aspects from the CISM exam perspective
    Questions
  Understanding governance, risk management, and compliance
    Key aspects from the CISM exam perspective
    Questions
  Discovering the maturity model
    Key aspects from the CISM exam perspective
    Questions
  Getting to know the information security roles and responsibilities
    Board of directors
    Senior management
    Business process owners
    Steering committee
    Chief information security officer
    Chief operating officer
    Data custodian
    Communication channel
    Indicators of a security culture
    Key aspects from the CISM exam perspective
    Questions
  Finding out about the governance of third-party relationships
    The culture of an organization
    Compliance with laws and regulations
    Key aspects from the CISM exam perspective
    Questions
  Obtaining commitment from senior management
    Information security investment
    Strategic alignment
    Key aspects from the CISM exam perspective
    Questions
  Introducing the business case and the feasibility study
    Feasibility analysis
    Key aspects from the CISM exam perspective
    Questions
  Understanding information security governance metrics
    The objective of metrics
    Technical metrics vis-à-vis governance-level metrics
    Characteristics of effective metrics
    Key aspects from the CISM exam perspective
    Questions
  Summary

Chapter 2: Practical Aspects of Information Security Governance
  Information security strategy and plan
    Information security policies
    Key aspects from the CISM exam perspective
    Practice questions
  Information security program
    Key aspects from the CISM exam perspective
    Practice questions
  Enterprise information security architecture
    Challenges in designing security architectures
    Benefits of security architectures
    Key aspects from the CISM exam perspective
    Practice questions
  Organizational structure
    Board of directors
    Security steering committee
    Reporting of the security function
    Centralized vis-à-vis decentralized security functioning
    Key aspects from the CISM exam perspective
    Practice questions
  Record retention
    Electronic discovery
    Key aspects from the CISM exam perspective
    Practice questions
  Awareness and education
    Increasing the effectiveness of security training
    Key aspects from the CISM exam perspective
  Summary

Section 2: Information Risk Management

Chapter 3: Overview of Information Risk Management
  Risk management overview
    Phases of risk management
    The outcome of the risk management program
    Key aspects from the CISM exam perspective
    Questions
  Risk management strategy
    Risk capacity, appetite, and tolerance
    Risk communication
    Risk awareness
    Tailored awareness program
    Training effectiveness
    Awareness training for senior management
    Key aspects from the CISM exam perspective
    Questions
  Implementing risk management
    Risk management process
    Integrating risk management in business processes
    Prioritization of risk response
    Defining a risk management framework
    Defining the external and internal environment
    Determining the risk management context
    Gap analysis
    Cost-benefit analysis
    Other kinds of organizational support
    Key aspects from the CISM exam perspective
    Questions
  Risk assessment and analysis methodologies
    Phases of risk assessment
  Risk assessment
    Asset identification
    Asset valuation
    Aggregated and cascading risk
    Identifying risk
    Threats and vulnerabilities
    Risk, likelihood, and impact
    Risk register
    Risk analysis
    Annual loss expectancy
    Value at Risk (VaR)
    OCTAVE
    Other risk analysis methods
    Evaluating risk
    Risk ranking
    Risk ownership and accountability
    Risk treatment options
    Understanding inherent risk and residual risk
    Security baseline
    Key aspects from the CISM exam perspective
    Questions
  Summary

Chapter 4: Practical Aspects of Information Risk Management
  Information asset classification
    Benefits of classification
    Understanding the steps involved in classification
    Success factors for effective classification
    Criticality, sensitivity, and impact assessment
    Business dependency assessment
    Risk analysis
    Business interruptions
    Key aspects from the CISM exam perspective
    Questions
  Asset valuation
    Determining the criticality of assets
    Key aspects from the CISM exam perspective
    Questions
  Operational risk management
    Recovery time objective (RTO)
    Recovery point objective (RPO)
    Difference between RTO and RPO
    Service delivery objective (SDO)
    Maximum tolerable outage (MTO)
    Allowable interruption window (AIW)
    Questions
  Outsourcing and third-party service providers
    Evaluation criteria for outsourcing
    Steps for outsourcing
    Outsourcing – risk reduction options
    Provisions for outsourcing contracts
    The role of the security manager in monitoring outsourced activities
    Service-level agreement
    Right to audit clause
    Impact of privacy laws on outsourcing
    Sub-contracting/fourth party
    Compliance responsibility
    Key aspects from the CISM exam perspective
    Questions
  Risk management integration with the process life cycle
    System development life cycle
    Key aspects from the CISM exam perspective
    Questions
  Summary

Chapter 5: Procedural Aspects of Information Risk Management
  Change management
    The objective of change management
    Approval from the system owner
    Regression testing
    Involvement of the security team
    Preventive control
    Key aspects from the CISM exam perspective
    Questions
  Patch management
    Key aspects from the CISM exam perspective
    Questions
  Security baseline controls
    Benefits of a security baseline
    Developing a security baseline
    Key aspects from the CISM exam perspective
    Questions
  Risk monitoring and communication
    Risk reporting
    Key risk indicators
    Reporting significant changes in risk
    Key aspects from the CISM exam perspective
    Questions
  Security awareness training and education
    Key aspects from the CISM exam perspective
    Questions
  Documentation
  Summary

Section 3: Information Security Program Development Management

Chapter 6: Overview of Information Security Program Development Management
  Information security program management overview
    Outcomes of an information security program
    The starting point of a security program
    Information security charter
    Support from senior management
    Defense in depth
    Key aspects from the CISM exam perspective
    Questions
  Information security program objectives
    Key aspects from the CISM exam perspective
    Questions
  Information security framework components
    Framework – success factor
    Key aspects from the CISM exam perspective
    Questions
  Defining an information security program road map
    Gap analysis
    Value of a security program
    Security program integration with another department
    Key aspects from the CISM exam perspective
    Questions
  Policy, standards, and procedures
    Reviewing and updating documents
    Key aspects from the CISM exam perspective
    Questions
  Security budget
    Key aspects from the CISM exam perspective
    Questions
  Security program management and administrative activities
    Information security team
    Acceptable usage policy
    Documentation
    Project management
    Program budgeting
    Plan – do – check – act
    Security operations
    Key aspects from the CISM exam perspective
    Questions
  Privacy laws
    Questions
  Summary

Chapter 7: Information Security Infrastructure and Architecture
  Information security architecture
    Key aspects from the CISM exam perspective
    Questions
  Architecture implementation
    Key aspects from the CISM exam perspective
    Questions
  Access control
    Mandatory access control
    Discretionary access control
    Role-based access control
    Degaussing (demagnetizing)
    Key aspects from the CISM exam perspective
    Questions
  Virtual private networks
    VPNs – technical aspects
    Advantages of VPNs
    VPNs – security risks
    Virtual desktop infrastructure environment
    Key aspects from the CISM exam perspective
    Questions
  Biometrics
    Biometrics – accuracy measure
    Biometric sensitivity tuning
    Control over the biometric process
    Types of biometric attacks
    Questions
  Factors of authentication
    Password management
    Key aspects from the CISM exam perspective
    Questions
  Wireless network
    Enabling encryption
    Enabling MAC filtering
    Disabling the SSID
    Disabling DHCP
    Common attack methods and techniques for a wireless network
    Key aspects from the CISM exam perspective
    Questions
  Different attack methods
    Key aspects from the CISM exam perspective
    Questions
  Summary

Chapter 8: Practical Aspects of Information Security Program Development Management
  Cloud computing
    Cloud computing – deployment models
    Types of cloud services
    Cloud computing – the security manager's role
    Key aspects from the CISM exam perspective
    Questions
  Controls and countermeasures
    Countermeasures
    General controls and application-level controls
    Control categories
    Failure mode – fail closed or fail open
    Continuous monitoring
    Key aspects from the CISM exam perspective
    Questions
  Penetration testing
    Aspects to be covered within the scope of the test
    Types of penetration tests
    White box testing and black box testing
    Risks associated with penetration testing
    Key aspects from the CISM exam perspective
    Questions
  Security program metrics and monitoring
    Objective of metrics
    Monitoring
    Attributes of effective metrics
    Information security objectives and metrics
    Useful metrics for management
    Key aspects from the CISM exam perspective
    Questions
  Summary

Chapter 9: Information Security Monitoring Tools and Techniques
  Firewall types and their implementation
    Types of firewalls
    Types of firewall implementation
    Placing firewalls
    Source routing
    Firewall and the corresponding OSI layer
    Key aspects from the CISM exam perspective
    Questions
  IDSes and IPSes
    Intrusion detection system
    Intrusion prevention system
    Difference between IDS and IPS
    Honeypots and honeynets
    Key aspects from the CISM exam perspective
    Questions
  Digital signature
    Creating a digital signature
    What is a hash or message digest?
    Key aspects from the CISM exam perspective
    Questions
  Elements of PKI
    PKI terminologies
    The process of issuing a PKI
    CA versus RA
    Single point of failure
    Functions of RA
    Key aspects from the CISM exam perspective
    Questions
  Asymmetric encryption
    Symmetric encryption vis-à-vis asymmetric encryption
    Encryption keys
    Using keys for different objectives
    Key aspects from the CISM exam perspective
    Questions
  Summary

Section 4: Information Security Incident Management

Chapter 10: Overview of Information Security Incident Management
  Incident management overview
    Objectives of incident management
    Phases of the incident management life cycle
    Incident management, business continuity, and disaster recovery
    Incident management and service delivery objective
    Maximum tolerable outage (MTO) and allowable interruption window (AIW)
    Key aspects from the CISM exam perspective
    Practice questions
  Incident response procedure
    The outcome of incident management
    The role of the information security manager
    Security Information and Event Management (SIEM)
    Key aspects from the CISM exam perspective
    Practice questions
  Incident management metrics and indicators
    Key performance indicators and key goal indicators
    Metrics for incident management
    Reporting to senior management
  The current state of the incident response capabilities
    History of incidents
    Threats and vulnerabilities
    Threats
    Vulnerability
  Developing an incident response plan
    Elements of an IRP
    Gap analysis
    Business impact analysis
    Escalation process
    Help desk/service desk process for identifying incidents
    Incident management and response teams
    Incident notification process
    Challenges in developing an incident management plan
    Key aspects from the CISM exam perspective
    Practice questions
  Summary

Chapter 11: Practical Aspects of Information Security Incident Management
  Business continuity and disaster recovery procedures
    Phases of recovery planning
    Recovery sites
    Continuity of network services
    Insurance
    Key aspects from the CISM exam perspective
    Practice questions
  Testing incident response, BCP, and DRP
    Types of test
    Effectiveness of tests
    Category of tests
    Recovery test metrics
    Success criteria for the test
    Key aspects from the CISM exam perspective
    Practice questions
  Executing response and recovery plans
    Key aspects from the CISM exam perspective
    Practice questions
  Post-incident activities and investigation
    Identifying the root cause and corrective action
    Documenting the event
    Chain of custody
    Key aspects from the CISM exam perspective
    Practice questions
  Summary

Other Books You May Enjoy

Preface

ISACA's Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management, and risk management. Whether you are seeking a new career opportunity or striving to grow within your current organization, a CISM certification proves your expertise in these work-related domains:

- Information security governance
- Information risk management
- Information security program development and management
- Information security incident management

Who this book is for

This book is ideal for IT risk professionals, IT auditors, CISOs, information security managers, and risk management professionals.

What this book covers

Chapter 1, Information Security Governance, is an overview of information security governance.

Chapter 2, Practical Aspects of Information Security Governance, discusses information security strategies.

Chapter 3, Overview of Information Risk Management, covers basic elements of risk management.

Chapter 4, Practical Aspects of Information Risk Management, covers tools and techniques for risk management programs.

Chapter 5, Procedural Aspects of Information Risk Management, covers risk communication and security training awareness.

Chapter 6, Overview of Information Security Program Development Management, discusses basic elements of information security program development and management.

Chapter 7, Information Security Infrastructure and Architecture, discusses information security infrastructure and architecture.

Chapter 8, Practical Aspects of Information Security Program Development Management, discusses various controls and countermeasures.

Chapter 9, Information Security Monitoring Tools and Techniques, emphasizes the importance of monitoring tools and techniques.

Chapter 10, Overview of Information Security Incident Management, discusses basic elements of information security incident management.

Chapter 11, Practical Aspects of Information Security Incident Management, covers business continuity and disaster recovery processes.

To get the most out of this book

This book is completely aligned with the CISM Review Manual of ISACA. It is advisable to follow these steps during your CISM studies:

1. Read this book.
2. Complete ISACA's QAE (Questions, Answers and Explanations) book or database.
3. Refer to ISACA's CISM Review Manual.

CISM aspirants will gain a lot of confidence if they approach their CISM preparation by following these steps.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801074100_ColorImages.pdf.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share your thoughts

Once you've read Certified Information Security Manager Exam Prep Guide, we'd love to hear your thoughts! Please visit the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Section 1: Information Security Governance

This part is about the management and governance of information security. It covers 24% of the CISM certification exam.

This section contains the following chapters:

- Chapter 1, Information Security Governance
- Chapter 2, Practical Aspects of Information Security Governance

Chapter 1: Information Security Governance

Governance is an important aspect of the Certified Information Security Manager (CISM) exam.

In this chapter, we will cover an overview of information security governance and aim to understand the impact of good governance on the effectiveness of information security projects.

You will learn about assurance functions such as governance, risk, and compliance (GRC), and details about the various roles and responsibilities of the security function. You will also be introduced to the best practices for obtaining the commitment from the senior management of an organization toward information security.

The following topics will be covered in this chapter:

- Introducing information security governance
- Understanding GRC
- Discovering the maturity model
- Getting to know the information security roles and responsibilities
- Finding out about the governance of third-party relationships
- Obtaining commitment from senior management
- Introducing the business case and the feasibility study
- Understanding information security governance metrics

Let's dive in and discuss each one of these topics in detail.

Introducing information security governance

In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented by way of policies, standards, and procedures.

The information security governance model is primarily shaped by the complexity of an organization's structure. An organization's structure includes its objectives, vision and mission, functional units, product lines, hierarchy, leadership structure, and other relevant factors. A review of the organizational structure helps the security manager understand the roles and responsibilities of information security governance, as discussed in our next topic.

The responsibility of information security governance

The responsibility for information security governance primarily resides with the board of directors and senior management. Information security governance is a subset of the overall enterprise governance. The board of directors is required to make security an important part of governance by way of monitoring key aspects of security. Senior management holds the responsibility to ensure that security aspects are integrated with business processes.

The involvement of senior management and the steering committee in discussions and in the approval of security projects indicates that the management is committed to aspects relating to security. Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight on the security environment of the organization.

It is very important for a CISM aspirant to understand the steps for establishing governance, as we will discuss in the next section.

Steps for establishing governance

To be effective, governance should be established in a structured manner. A CISM aspirant should understand the following steps for establishing governance:

1. First, determine the objectives of the information security program. Most often, these objectives are derived from risk management and from the level of risk the organization is willing to accept. One example of an objective for a bank may be that its customer-facing systems should always be available, that is, there should be zero downtime. Information security objectives must also align with, and be guided by, the organization's business objectives.
2. Next, the information security manager develops a strategy and requirements based on these objectives. The security manager conducts a gap analysis between the current state of security and the desired state, and identifies the strategy for moving from one to the other. The desired state of security is also termed the security objectives. This gap analysis becomes the basis for the strategy.
3. Finally, create the road map and identify specific, actionable steps to achieve the security objectives. The security manager needs to consider factors such as time limits, resource availability, the security budget, laws and regulations, and other relevant constraints.

These specific actions are implemented by way of security policies, standards, and procedures.

Governance framework

A governance framework is a structure or outline that supports the implementation of the information security strategy. It provides best practices for a structured security program. Frameworks are flexible, and any organization can adapt one to its environment and requirements. COBIT and the ISO/IEC 27000 series are examples of widely accepted and implemented frameworks for security governance.

Let's look a bit closer at the aim of information security governance in the next section.

The aim of information security governance

Information security governance is a subset of the overall enterprise governance of an organization. The same framework should be used for both enterprise governance and information security governance for better integration between the two.

The following are the objectives of information security governance:

- To ensure that security initiatives are aligned with the business's strategy and support organizational objectives.
- To optimize security investments and ensure the high-value delivery of business processes.
- To monitor the security processes to ensure that security objectives are achieved.
- To integrate and align the activities of all assurance functions for effective and efficient security measures.
- To ensure that residual risks are well within acceptable limits. This gives comfort to the management.

We will now go through the key aspects from the perspective of the CISM exam, and in our next topic, we will discuss important aspects of GRC. A CISM aspirant should understand why it is important to integrate all GRC functions.

Key aspects from the CISM exam perspective

The following are some of the key aspects from the CISM exam perspective:

Table 1.1 – Key aspects from the CISM exam perspective

Questions

The effectiveness of information security governance is best indicated by which of the following?

A. Security projects are discussed and approved by a steering committee.

B. Security training is mandatory for all executive-level employees.

C. A security training module is available on the intranet for all employees.

D. Patches are tested before deployment.

Answer: A. Security projects are discussed and approved by a steering committee.

Explanation: The involvement of a steering committee in the discussion and approval of security projects indicates that the management is committed to security governance. The other options are not as significant as option A.

An information security governance model is most likely to be impacted by which of the following?

A. The number of workstations.

B. The geographical spread of business units.

C. The complexity of the organizational structure.

D. The information security budget.

Answer: C. The complexity of the organizational structure.

Explanation: The information security governance model is primarily impacted by the complexity of the organizational structure. The organizational structure includes the organization's objectives, vision and mission, hierarchy structure, leadership structure, different function units, different product lines, and other relevant factors. The other options are not as significant as option C.

Which of the following is the first step in implementing information security governance?

A. Employee training.

B. The development of security policies.

C. The development of security architecture.

D. The availability of an incident management team.

Answer: B. The development of security policies.

Explanation: Security policies indicate the intent of the management. Based on these policies, the security architecture and various procedures are designed.

Which of the following factors primarily drives information security governance?

A. Technology requirements.

B. Compliance requirements.

C. The business strategy.

D. Financial constraints.

Answer: C. The business strategy.

Explanation: Information security governance should support the business strategy. Security must be aligned with business objectives. The other options are not primary drivers of information security governance.

Which of the following is the responsibility of the information security governance steering committee?

A. To manage the information security team.

B. To design content for security training.

C. To prioritize the information security projects.

D. To provide access to critical systems.

Answer: C. To prioritize the information security projects.

Explanation: One of the important responsibilities of a steering committee is to discuss, approve, and prioritize information security projects and to ensure that they are aligned with the goals and objectives of the enterprise.

Which of the following is the first step of information security governance?

A. To design security procedures and guidelines.

B. To develop a security baseline.

C. To define the security strategy.

D. To develop security policies.

Answer: C. To define the security strategy.

Explanation: The first step is to adopt the security strategy. The next step is to develop security policies based on this strategy. The step after this is to develop security procedures and guidelines based on the security policies.

Which of the following is the most important factor for an information security governance program?

A. To align with the organization's business strategy.

B. To be derived from a globally accepted risk management framework.

C. To be able to address regulatory compliance.

D. To promote a risk-aware culture.

Answer: A. To align with the organization's business strategy.

Explanation: The most important objective of an information security governance program is to ensure that the information security strategy is in alignment with the strategic goals and objectives of the enterprise. The other options are secondary factors.

Effective governance is best indicated by which of the following?

A. An approved security architecture.

B. A certification from an international body.

C. Frequent audits.

D. An established risk management program.

Answer: D. An established risk management program.

Explanation: An effective and efficient risk management program is a key element of effective governance. The other options are not as significant as an established risk management program.

The effectiveness of governance is best ensured by which of the following?

A. The use of a bottom-up approach.

B. Initiatives by the IT department.

C. A compliance-oriented approach.

D. The use of a top-down approach.

Answer: D. The use of a top-down approach.

Explanation: In a top-down approach, policies, procedures, and goals are set by senior management, and as a result, the policies and procedures are directly aligned with the business objectives. A bottom-up approach may not directly address management priorities. Initiatives by the IT department and a compliance-oriented approach are not as significant as the use of a top-down approach.

What is the prime responsibility of the information security manager in the implementation of security governance?

A. To design and develop the security strategy.

B. To allocate a budget for the security strategy.

C. To review and approve the security strategy.

D. To train the end users.

Answer: A. To design and develop the security strategy.

Explanation: The prime responsibility of the information security manager is to develop the security strategy based on the business objectives in coordination with the business process owner. The review and approval of the security strategy is the responsibility of the steering committee and senior management. The security manager is not directly required to train the end users. The budget allocation is the responsibility of senior management.

What is the most important factor when developing information security governance?

A. To comply with industry benchmarks.

B. To comply with the security budget.

C. To obtain a consensus from the business functions.

D. To align with organizational goals.

Answer: D. To align with organizational goals.

Explanation: The objective of the security governance is to support the objectives of the business. The most important factor is to align with organizational objectives and goals. The other options are secondary factors.

What is the prime objective of GRC?

A. To synchronize and align the organization's assurance functions.

B. To address the requirements of the information security policy.

C. To address the requirements of regulations.

D. To design a low-cost security strategy.

Answer: A. To synchronize and align the organization's assurance functions.

Explanation: The concept of GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered secondary objectives.

What organizational areas are the main focus for GRC?

A. Marketing and risk management.

B. IT, finance, and legal.

C. Risk and audit.

D. Compliance and information security.

Answer: B. IT, finance, and legal.

Explanation: Though a GRC program can be applied in any function of the organization, it is mostly focused on IT, finance, and legal areas. Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on IT processes. Legal GRC focuses on the overall enterprise-level regulatory compliance. GRC is majorly focused on IT, finance, and legal processes to ensure that regulatory requirements are adhered to and risks are appropriately addressed.

What is the most effective way to build an information security governance program?

A. To align the requirements of the business with an information security framework.

B. To understand the objectives of the business units.

C. To address regulatory requirements.

D. To arrange security training for all managers.

Answer: B. To understand the objectives of the business units.

Explanation: The information security governance program will not be effective if it is not able to address the requirements of the business units. The objective of the business units can be best understood by reviewing their processes and functions. Option A is not correct, as security requirements should be aligned with the business and not the other way round. Options C and D are not as significant as option B.

What is the main objective of information security governance?

A. To ensure the adequate protection of information assets.

B. To provide assurance to the management about information security.

C. To support complex IT infrastructure.

D. To optimize the security strategy to support the business objectives.

Answer: D. To optimize the security strategy to support the business objectives.

Explanation: The objective of security governance is to set the direction to ensure that the business objectives are achieved. Unless the information security strategy is aligned with the business objectives, the other options will not offer any value.

The security manager noticed inconsistencies in the system configuration. What is the most likely reason for this?

A. Documented procedures are not available.

B. Ineffective governance.

C. Inadequate training.

D. Inappropriate standards.

Answer: B. Ineffective governance.

Explanation: Governance is the process of oversight to ensure the availability of effective and efficient processes. A lack of procedures, training, and standards is a sign of ineffective governance.

What is an information security framework best described as?

A. A framework that provides detailed processes and methods.

B. A framework that provides required outputs.

C. A framework that provides structure and guidance.

D. A framework that provides programming inputs.

Answer: C. A framework that provides structure and guidance.

Explanation: A framework is a structure intended to support the processes and methods. It provides outlines and a basic structure rather than detailed processes and methods. Frameworks are generally not intended to provide programming inputs.

What is the main reason for integrating information security governance into business activities?

A. To allow the optimum utilization of security resources.

B. To standardize the processes.

C. To support operational processes.

D. To address operational risks.

Answer: D. To address operational risks.

Explanation: The main objective of integrating the security aspect in business processes is to address operational risks. The other options may be considered secondary benefits.

Which of the following is the most important attribute of an effective information security governance framework?

A. A well-defined organizational structure with necessary resources and defined responsibilities.

B. The availability of the organization's policies and guidelines.

C. The business objectives support the information security strategy.

D. Security guidelines supporting regulatory requirements.

Answer: A. A well-defined organizational structure with necessary resources and defined responsibilities.

Explanation: The most important attribute is a well-defined organizational structure that minimizes any conflicts of interest. This ensures better governance. Options B and D are important aspects, but option A is more critical. Option C is not correct, as the security strategy supports the business objectives, and not the other way round.

What is the most effective method to use to develop an information security program?

A. A standard.

B. A framework.

C. A process.

D. A model.

Answer: B. A framework.

Explanation: A framework is the most suitable method for developing an information security program, as it is more flexible to adopt. Some of the common frameworks include ISO 27001 and COBIT. Standards, processes, and models are not as flexible as frameworks.

Understanding governance, risk management, and compliance

GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance.

Governance, risk management, and compliance are three related aspects that help to achieve the organization's objectives. GRC aims to lay down operations for more effective organizational processes and to avoid wasteful overlaps. Each of these three disciplines impacts the organization's technologies, people, processes, and information. If governance, risk management, and compliance activities are handled independently of each other, it may result in a considerable amount of duplication and a waste of resources. The integration of these three functions helps to streamline the assurance activities of an organization by addressing the overlapping and duplicated GRC activities.

Though a GRC program can be applied in any function of the organization, it is mostly focused on the financial, IT, and legal areas.

Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on information technology processes. Legal GRC focuses on the overall enterprise-level regulatory compliance.

GRC is an ever-evolving concept, and a security manager should understand the current state of GRC in their organization and determine how to ensure its continuous improvement.

Key aspects from the CISM exam perspective

The following are some of the key aspects from a CISM exam perspective:

Table 1.2 – Key aspects from the CISM exam perspective

Questions

Which of the following is the main objective of implementing GRC procedures?

A. To minimize the governance cost.

B. To improve risk management.

C. To synchronize security initiatives.

D. To ensure regulatory compliance.

Answer: B. To improve risk management.

Explanation: GRC is implemented by integrating interrelated control activities across the organization for improving risk management activities. The other options are secondary objectives.

What is the prime objective of GRC?

A. To synchronize and align the organization's assurance functions.

B. To address the requirements of the information security policy.

C. To address the requirements of regulations.

D. To design a low-cost security strategy.

Answer: A. To synchronize and align the organization's assurance functions.

Explanation: The concept of GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered secondary objectives.

Discovering the maturity model

CISM aspirants are expected to understand the basic details of a maturity model. A maturity model is a tool that helps the organization to assess the current effectiveness of a process and to determine what capabilities they need to improve their performance.

Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. The following list defines the different maturity levels of an organization:

Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.

Level 1: Performed: On this level, the process can achieve its intended purpose.

Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled.

Level 3: Established: Apart from the Level 2 process, there is a well-defined, documented, and established process to manage the process.

Level 4: Predictable: On this level, the process is predictable and operates within defined parameters and limits to achieve its intended purpose.

Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.

The CMM indicates a scale of 0 to 5 based on process maturity level, and it is the most common method applied by organizations to measure their existing state and then to determine the desired one.

Maturity models identify the gaps between the current state of the governance process and the desired state to help the organization to determine the necessary remediation steps for improvement. A maturity model requires continuous improvement in the governance framework. It requires continuous evaluation, monitoring, and improvement to move towards the desired state from the current state.
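The assessment loop described above (rate each process on the 0 to 5 scale, set a desired level, identify the gaps, then re-evaluate and track movement toward the desired state) as an added, constructed Python example. It is not code from the book; the process names, level values and the "widest gap first" ordering are assumptions made for the illustration.

```python
"""Capability maturity gap analysis for governance processes.

Added illustration of the maturity-model procedure in the text: assess the
current level of each process, compare it with the desired level, list the
gaps, and compare two evaluation cycles to see whether the organization is
moving towards the desired state. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# The six CMM levels exactly as named in the text (0 = Incomplete ... 5 = Optimized).
MATURITY_LEVELS: Dict[int, str] = {
    0: "Incomplete",
    1: "Performed",
    2: "Managed",
    3: "Established",
    4: "Predictable",
    5: "Optimized",
}


def level_name(level: int) -> str:
    """Map a numeric level to its name; anything outside 0-5 is not a valid CMM level."""
    if level not in MATURITY_LEVELS:
        raise ValueError(f"maturity level must be 0-5, got {level!r}")
    return MATURITY_LEVELS[level]


@dataclass(frozen=True)
class ProcessAssessment:
    """Current and desired maturity of one governance process."""
    name: str
    current: int
    desired: int

    def __post_init__(self) -> None:
        level_name(self.current)   # validate both values on construction
        level_name(self.desired)
        if self.desired < self.current:
            raise ValueError(f"{self.name}: desired level is below the current level")

    @property
    def gap(self) -> int:
        """Number of levels the process still has to climb."""
        return self.desired - self.current


def gap_report(assessments: List[ProcessAssessment]) -> List[dict]:
    """One row per process, widest gap first (assumed prioritisation rule; ties by name)."""
    rows = []
    for a in sorted(assessments, key=lambda x: (-x.gap, x.name)):
        rows.append({
            "process": a.name,
            "current": f"{a.current} ({level_name(a.current)})",
            "desired": f"{a.desired} ({level_name(a.desired)})",
            "gap": a.gap,
        })
    return rows


def total_remaining_gap(assessments: List[ProcessAssessment]) -> int:
    """Sum of all gaps: a single number that should fall cycle over cycle."""
    return sum(a.gap for a in assessments)


def track_progress(previous: List[ProcessAssessment],
                   current: List[ProcessAssessment]) -> Dict[str, str]:
    """Compare two evaluation cycles; each process is improved, regressed,
    unchanged, or new (not assessed in the previous cycle)."""
    before = {a.name: a.current for a in previous}
    status: Dict[str, str] = {}
    for a in current:
        if a.name not in before:
            status[a.name] = "new"
        elif a.current > before[a.name]:
            status[a.name] = "improved"
        elif a.current < before[a.name]:
            status[a.name] = "regressed"
        else:
            status[a.name] = "unchanged"
    return status


# Constructed sample data: two evaluation cycles for the same organization.
PREVIOUS_CYCLE = [
    ProcessAssessment("Risk management", 1, 4),
    ProcessAssessment("Incident management", 2, 3),
    ProcessAssessment("Access management", 3, 3),
]
CURRENT_CYCLE = [
    ProcessAssessment("Risk management", 2, 4),
    ProcessAssessment("Incident management", 2, 3),
    ProcessAssessment("Access management", 2, 3),   # slipped back a level
    ProcessAssessment("Security awareness", 1, 3),  # assessed for the first time
]

if __name__ == "__main__":
    for row in gap_report(CURRENT_CYCLE):
        print(f"{row['process']:<22} {row['current']:<16} -> {row['desired']:<16} gap {row['gap']}")
    print("total remaining gap:", total_remaining_gap(CURRENT_CYCLE))
    for name, state in track_progress(PREVIOUS_CYCLE, CURRENT_CYCLE).items():
        print(f"{name:<22} {state}")
```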

Key aspects from the CISM exam perspective

The following are some of the key aspects from an exam perspective:

Table 1.3 – Key aspects from the CISM exam perspective

Questions

What is the most important factor for the development of a maturity model-based information security governance framework?

A. Continuous evaluation, monitoring, and improvement.

B. The return on technology investment.

C. Continuous risk mitigation.

D. Continuous key risk indicator (KRI) monitoring.

Answer: A. Continuous evaluation, monitoring, and improvement.

Explanation: The maturity model requires continuous improvement in the governance framework. It requires continuous evaluation, monitoring, and improvement to move towards the desired state from the current state. The other options are not as significant as option A.

What best indicates the level of information security governance?

A. A defined maturity model.

B. The size of the security team.

C. The availability of policies and procedures.

D. The number of security incidents.

Answer: A. A defined maturity model.

Explanation: A defined maturity model will be the best indicator to determine the level of security governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes, and Level 5 indicates optimized processes. The other options may not be as useful as the maturity model in determining the level of security.

What is the most effective indicator of the level of security governance?

A. The annual loss expectancy.

B. The maturity level.

C. A risk assessment.

D. An external audit.

Answer: B. The maturity level.

Explanation: A defined maturity model will be the best indicator to determine the level of security governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes, and Level 5 indicates optimized processes. The other options may not be as useful as the maturity model in determining the level of security.

Getting to know the information security roles and responsibilities

It is very important to ensure that security-related roles and responsibilities are clearly defined, documented, and communicated throughout the organization. Each employee of the organization should be aware of their respective roles and responsibilities. Clearly defined roles also facilitate effective access rights management, as access is provided based on the respective job functions and job profiles of employees – that is, on a need-to-know basis only.

One of the simplest ways of defining roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.

This chart indicates who is responsible for a particular function, who is accountable with regard to the function, who should be consulted about the function, and who should be informed about the particular function. Clearly defined RACI charts make the information security program more effective.

Let's look at the definitions of RACI in more detail:

Responsible: This is the person who is required to execute a particular job function.

Accountable: This is the person who is required to supervise a job function.

Consulted: This is the person who gives suggestions and recommendations for executing a job function.

Informed: This is the person who should be kept updated about the progress of the job function.

In the next section, I will take you through the various roles that are integral to information security.

Board of directors

The role of board members in information security is of utmost importance. Board members need to be aware of security-related KRIs that can impact the business objectives. The intent and objectives of information security governance must be communicated from the board level down.

The current status of key security risks should be tabled and discussed at board meetings. This helps the board to determine the effectiveness of the current security governance.

Another essential reason for the board of directors to be involved in security governance is liability. Most organizations obtain specific insurance to make good on the financial liability of the organization in the event of a security incident. This type of insurance requires those bound by it to exercise due care in the discharge of their duties. Any negligence from the board in addressing the information security risk may make the insurance void.

Senior management

The role of senior management is to ensure that the intent and requirements of the board are implemented in an effective and efficient manner. Senior management is required to provide ongoing support to information security projects in terms of budgets, resources, and other infrastructure. In some instances, there may be disagreement between IT and security. In such cases, senior management can take a balanced view after considering performance, cost, and security. The role of senior management is to map and align the security objectives with the overall business objectives.

Business process owners

The role of a business process owner is to own the security-related risks impacting their business processes. They need to ensure that information security activities are aligned and support their respective business objectives. They need to monitor the effectiveness of security measures on an ongoing basis.

Steering committee

A steering committee comprises the senior management of an organization. The role of a steering committee is as follows:

To ensure that security programs support the business objectives

To evaluate and prioritize the security programs

To evaluate emerging risk, security practices, and compliance-related issues

The roles, responsibilities, and scope of a steering committee should be clearly defined.

Chief information security officer

The chief information security officer (CISO) is a senior-level officer who has been entrusted with making security-related decisions and is responsible for implementing security programs. The CISO should be an executive-level officer directly reporting to the chief executive officer (CEO). The role of the CISO is fundamentally a regulatory role, whereas the role of the CIO is to generally focus on IT performance.

Chief operating officer

The chief operating officer (COO) is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has a thorough knowledge of the business operations and objectives. The COO is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.

Data custodian

The data custodian is a staff member who is entrusted with the safe custody of data. The data custodian is different from the data owner, though in some cases, both data custodian and data owner may be the same individual. A data custodian is responsible for managing the data on behalf of the data owner in terms of data backup, ensuring data integrity, and providing access to data for different individuals through the approval of the data owner. From a security perspective, a data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with organizational policy.

Communication channel

A well-defined communication channel is of utmost importance in the management of information security. A mature organization has dedicated systems to manage risk-related communication. This should be a two-way system, wherein management can reach all the employees and at the same time employees can reach a designated risk official to report identified risks. This will help in the timely reporting of events as well as to disseminate the security information. In the absence of an appropriate communication channel, the identification of events may be delayed.

Indicators of a security culture

The following list consists of some of the indicators of a successful security culture:

The involvement of the information security department in business projects.

The end users are aware of the identification and reporting of the incidents.

There is an appropriate budget for information security programs.

The employees are aware of their roles and responsibilities with regard to information security.

Understanding the roles and responsibilities as covered in this section will help the security manager to implement an effective security strategy.

Key aspects from the CISM exam perspective

The following are some of the key aspects from the CISM exam perspective:

Table 1.4 – Key aspects from the CISM exam perspective

Questions

The process of mapping job descriptions to relevant data access rights will help in adherence to which of the following security principles?

A. The principle of accountability.

B. The principle of proportionality.

C. The principle of integration.

D. The principle of the code of ethics.

Answer: B. The principle of proportionality.

Explanation: The principle of proportionality requires that the access should be proportionate to the criticality of the assets and access should be provided on a need-to-know basis. The principle of accountability is important for the mapping of job descriptions; however, people with access to data may not always be accountable. Options C and D are not directly relevant to mapping job descriptions.

The data custodian is primarily responsible for which of the following?

A. Approving access to the data.

B. The classification of assets.

C. Enhancing the value of data.

D. Ensuring all security measures are in accordance with organizational policy.

Answer: D. Ensuring all security measures are in accordance with organizational policy.

Explanation: The data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with organizational policy. The other options are not the responsibility of the data custodian.

In the case of a disagreement between the IT team and security team on a security aspect, the security manager should do which of the following?

A. Refer the matter to an external third party for resolution.

B. Request senior management to discontinue the relevant project immediately.

C. Ask the IT team to accept the risk.

D. Refer the matter to senior management along with any necessary recommendations.

Answer: D. Refer the matter to senior management along with any necessary recommendations.

Explanation: The best option for a security manager in this case is to highlight the issue to senior management. Senior management will be in the best position to take a decision after considering business as well as security aspects.

Which of the following is an immediate benefit of having well-defined roles and responsibilities from an information security perspective?

A. The adherence to security policies throughout the organization.

B. Well-structured process flows.

C. The implementation of segregation of duties (SoD).

D. Better accountability.

Answer: D. Better accountability.

Explanation: Having clearly set out roles and responsibilities ensures better accountability, as individuals are aware of their key performance area and expected outcomes. The other options may be indirect benefits, but the only direct benefit is better accountability.

What is the prime role of an information security manager in a data classification process?

A. To define and ratify the data classification process.

B. To map all data to different classification levels.

C. To provide data security, as per the classification.

D. To confirm that data is properly classified.

Answer: A. To define and ratify the data classification process.

Explanation: The primary role of an information security manager is to define the structure of data classification. They need to ensure that the data classification policy is consistent with the organization's risk appetite. The mapping of data as per the classification is the responsibility of the data owner. Providing security is the responsibility of the data custodian. Confirming proper classification may be the role of the information security manager or the information security auditor.

Which of the following is the area of most concern for the information security manager?

A. That there are vacant positions in the information security department.

B. That the information security policy is approved by senior management.

C. That the steering committee only meets on a quarterly basis.

D. That security projects are reviewed and approved by the data center manager.

Answer: D. That security projects are reviewed and approved by the data center manager.

Explanation: Security projects should be approved by the steering committee consisting of senior management. The data center manager may not be in a position to ensure the alignment of security projects with the overall enterprise objectives. This will have an adverse impact on security governance. The approval of the security policy by senior management indicates good governance. Vacant positions are not a major concern. The steering committee meeting on a quarterly basis is also not an issue.

An information security manager should have a thorough understanding of business operations with a prime objective of which of the following?

A. Supporting organizational objectives.

B. Ensuring regulatory compliance.

C. Concentrating on high-risk areas.

D. Evaluating business threats.

Answer: A. Supporting organizational objectives.

Explanation: The main objective of the security manager having a thorough understanding of the business operations is to support the organization's objectives. The other options are specific actions to support the business objectives.

In a big multi-national organization, the best approach to identify security events is to do which of the following?

A. Conduct frequent audits of the business processes.

B. Deploy a firewall and intrusion detection system (IDS).

C. Develop communication channels across the organization.

D. Conduct vulnerability assessments of new systems.

Answer: C. Develop communication channels across the organization.

Explanation: The best approach is to develop communication channels that will help in the timely reporting of events as well as to disseminate security information. The other options are good practices; however, without an appropriate communication channel, the identification of events may be delayed.

Legal and regulatory liability is the responsibility of which of the following?

A. The chief information security officer.

B. The head of legal.

C. The board of directors and senior management.

D. The steering committee.

Answer: C. The board of directors and senior management.

Explanation: The ultimate responsibility for compliance with legal and regulatory requirements is with the board of directors and senior management. The CISO, head of legal, and steering committee implement the directive of the board and senior management, but they are not individually liable for the failure of security.

What is the best way to gain support from senior management for information security projects?

A. Lower the information security budget.

B. Conduct a risk assessment.

C. Highlight industry best practices.

D. Design an information security policy.

Answer: B. Conduct a risk assessment.

Explanation: The best way to gain the support of senior management is to conduct a risk assessment and present it to management in the form of an impact analysis. A risk assessment will help management to understand areas of concern. The other options may be considered secondary factors.

Prioritization of information security projects should be best conducted based on which of the following?

A. The turnaround time of the project.

B. The impact on the organization's objectives.

C. The budget of the security project.

D. The resource requirements for the project.

Answer: B. The impact on the organization's objectives.

Explanation: Security projects should be assessed and prioritized based on their impact on the organization. The other options are secondary factors.

Who is responsible for enforcing the access rights of employees?

A. The process owner.

B. The data owner.

C. The steering committee.

D. The security administrators.

Answer: D. The security administrators.

Explanation: The security administrators are custodians of the data and they need to ensure that data is in safe custody. They are responsible for enforcing and implementing security measures in accordance with the information security policy. The data owner and process owner are responsible for classifying the data and approving access rights. However, they do not enforce and implement the security controls. The steering committee is not responsible for enforcement.

Who is responsible for information classification?

A. The data administrator.

B. The information security manager.

C. The information system auditor.

D. The data owner.

Answer: D. The data owner.

Explanation: The data owner has responsibility for the classification of their data in accordance with the organization's data classification policy. The data administrator is required to implement security controls as per the security policy. The security manager and system auditor oversee the data classification and handling process to ensure conformance to the policy.

What is the data retention policy primarily based on?

A. Industry practices.

B. Business requirements.

C. Regulatory requirements.

D. Storage requirements.

Answer: B. Business requirements.

Explanation: The primary basis for defining the data retention period is the business requirements. Business requirements will take into account any legal and regulatory aspects. If data is not retained as per business needs, this may have a negative impact on the business objectives.

What is the most important security aspect for a multi-national organization?

A. The local security programs should comply with the corporate data privacy policy.

B. The local security program should comply with the data privacy policy of the location where the data is collected.

C. The local security program should comply with the data privacy policy of the country where the headquarters are located.

D. The local security program should comply with industry best practices.

Answer: B. The local security program should comply with the data privacy policy of the location where the data is collected.

Explanation: Data privacy laws are country-specific. It is very important to ensure adherence to local laws. The organization's privacy policy may not be able to address all the local laws and requirements. The organization's data privacy policy cannot supersede the local laws.

Ultimate accountability for the protection of sensitive data is with which of the following?

A. The security administrators.

B. The steering committee.

C. The board of directors.

D. The security manager.

Answer: C. The board of directors.

Explanation: The board of directors has the ultimate accountability for information security. The other options such as the security administrators, steering committee, and security managers are responsible for implementing, enforcing, and monitoring security controls as per the directive of the board.

The most likely authority to sponsor the implementation of new security infrastructure for business processes is which of the following?

A. The CISO.

B. The COO.

C. The head of legal.

D. The data protection officer.

Answer: B. The COO.

Explanation: The chief operating officer is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has the most thorough knowledge of the business operations and objectives. The COO is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.

Who should determine the requirements for access to data?

A. The security officer.

B. The data protection officer.

C. The compliance officer.

D. The business owner.

Answer: D. The business owner.

Explanation: The business owner needs to ensure that their data is appropriately protected, and access is provided on a need-to-know basis only. The security officer, data protection officer, and compliance officer can advise on security aspects, but they do not have final responsibility.

The responsibility for establishing information security controls in an application resides with which of the following?

A. The information security steering committee.

B. The data owner.

C. The system auditor.

D. The system owner.

Answer: B. The data owner.

Explanation: The data owner is responsible for determining the level of security controls for the data, as well as for the application that stores the data. The system owner is generally responsible for platforms rather than applications or data. The system auditor is responsible for evaluating the security controls. The steering committee consists of senior-level officials and is responsible for aligning the security strategy with the business objectives.

The information security manager observes that not enough details are documented in the recovery plan and this may prevent meeting the recovery time objective. Which of the following compensates for the lack of details in the recovery plan and ensures that the recovery time objective is met?

A. Establishing more than one operation center.

B. Delegating authority for the recovery execution.

C. Outsourcing the recovery process.

D. Taking incremental backups of the database.

Answer: B. Delegating authority for the recovery execution.

Explanation: During an incident, considerable time is taken up in escalation procedures, as decisions need to be made at each management level. The delegation of authority for the recovery execution makes the recovery process faster and more effective. However, the scope of the recovery delegation must be assessed beforehand and appropriately documented. Having multiple operation centers is too expensive to implement. Outsourcing is not a feasible option. Incremental backups do facilitate faster backups; however, they generally increase the time needed to restore the data.

The effectiveness of segregation of duties (SoD) is best ensured by which of the following?

A. Implementing strong password rules.

B. Making available a security awareness poster on the intranet.

C. Frequent information security training.

D. Reviewing access privileges when an operator's role changes.

Answer: D. Reviewing access privileges when an operator's role changes.

Explanation: In the absence of access privilege reviews, there is the risk that a single staff member can accumulate excess operational capabilities, which defeats the objective of SoD. In order to maintain the effectiveness of SoD, it is important to review access privileges regularly, and specifically whenever an operator's role changes.

What is the prime responsibility of an information security manager?

A. To manage the risk to information assets.

B. To implement the security configuration for IT assets.

C. To conduct disaster recovery testing.