CISM: Certified Information Security Manager Certification Video Training Course
CISM: Certified Information Security Manager Certification Video Training Course includes 388 lectures that provide in-depth knowledge of all key concepts of the exam. Pass your exam easily and learn everything you need with our CISM: Certified Information Security Manager Certification Training Video Course.
CISM: Certified Information Security Manager Certification Video Training Course Info:
The complete course from ExamCollection's industry-leading experts helps you prepare and provides a full 360-degree solution for self-prep, including the CISM: Certified Information Security Manager Certification Video Training Course, Practice Test Questions and Answers, Study Guide & Exam Dumps.
As far as risk management goes, we could say that it is the ultimate objective of all information security activities. In fact, I think it's a great starting point to be able to even begin the process of coming up with policies and eventually the standards and procedures that you're going to use for your security program. Now there's no real direct measurement of risk management's effectiveness, but there are certainly indicators to show that it can be a successful tool that is used in the creation of your security program. These indicators could be things like having an understanding of the company's risk types or having a security strategy that can achieve whatever acceptable level of risk the company has the appetite to take. We can also show or demonstrate the mitigation of risk. We can even define processes to help reduce the impacts of risk based on having risk management in place. Now, that can also be indicated by a successful test of your business continuity plan or your disaster recovery plan. And of course, we should, as part of risk management, have a business impact analysis done, especially on those crucial parts of our information assets.
The function of value delivery is to align security and business objectives, resulting in an optimal investment to achieve that achievable and acceptable level of risk. Now, some of the key indicators for value delivery could be the cost of protection, looking at it as a function of revenue or asset value, and having your security resources allocated by assessed risk and potential impact. Now, what does that mean? That means that when we have different assets that we want to protect, the ones that are very important to us will probably get the majority of the security resources that we have, as opposed to when I'm worried about someone stealing pencils from the supply closet, which might be down a little bit lower to just like a lock on the door. All right, so periodic testing of controls adds to the value of the delivery as well, along with a periodic review of the cost, the compliance, and how effective it's been.
Resource management is a way of thinking to describe the process of planning, allocating, and controlling information security resources, which come in a variety of aspects. Number one, of course, is the need for people with the competencies to be able to perform the security functions or to be able to follow the policies that we create, or just the awareness and training of people that are somehow involved with the corporation or the organization that can provide part of the resources in trying to add to the overall security. Certainly, of course, other resources that we have are the processes that we use and the technology, as well as the funds or the costs for these different types of ways of approaching our total risk or total security.
Now there are some indications of good resource management, things like having infrequent problem rediscoveries and having good knowledge capture and dissemination of that knowledge. Remember we talked a lot about communication channels using standardized processes and having well-defined roles and responsibilities? That's certainly a great way to use people resources when you have limitations, and to ensure that we can show that we have these assets distributed correctly as information assets, with the threats covered by security resources. Another indicator of good resource management might be proper organizational locations, levels of authority, and the personnel for the security functions that you need.
Now, the metrics of information security processes are needed to ensure the organization's objectives are achieved. Remember, you can't manage what you can't measure. Some indicators of good performance metrics or measurements include how long it took to detect and then report an incident. What are the numbers and frequencies of unreported incidents? And, again, without any type of measurement, do you have a comparison of costs and effectiveness—the ability to determine how effective a control has actually been? How do you actually put this into a way that you can describe or even manage just from those bullet points? When we talk about things like the time from detection to reporting, that's a measurement. And if we have a security process that's taking a long time from the point of detection to reporting, we might want to consider revising that. As an example, we have intrusion detection as a possible solution, and it records anomalies or malware or signs of attacks and logs that information. Maybe. Or maybe we didn't set it up to do an instant alert or email or other type of update. And so a week later, when somebody decides to review the logs and they see that there was an attempted breach or maybe there was a breach, is that time too long? Can we do things to improve that right now? So that's one of the things that performance measurement can help us determine. Now, the subject of this particular discussion is: What is a good performance measurement? And that means that it's a measurement that's worthwhile and means something. So if the measurement said it took a week from the time it was detected by intrusion detection to the time it was discovered and reported, that might not be a measurement you like to hear, but it is a good measurement because it's giving you information that you can base management decisions on. The same thing can be said again as to the number and frequency of unreported incidents.
Looking at cost and effectiveness, again, we don't want to throw money into something that's not really helping us in the long run. How do I know it's effective? How do I know that if I spend double, it's going to be more effective? Again, I need to have good measurements to see, because if I'm going to spend double the money and get very little effectiveness or improvement out of it, it might not be worth that extra cost. Returning to good metrics, hopefully you can apply some of your ideas about what constitutes a good metric as we discuss these indicators. So the last thing I said was the ability to determine the control's effectiveness, all right? Again, there must be a good measurement that actually lets me see that the way to measure it is to be able to actually say, in a chart form or some sort of analysis, "yes," this control is doing the job. Because look what happened before we had that control. Documenting that security objectives are being met and, of course, consistency in log review practices can all be good indicators or good performance measurements.
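As an added illustration (not part of the course material), the three measurements the lecture names, detection-to-report lag, unreported incidents, and cost versus effectiveness of a control, computed over a constructed set of incident records. The record format, the 24-hour target, and the cost figures are assumptions for the example.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not from the course): when the IDS logged the
# event and when, if ever, someone reported it to the security team.
INCIDENTS = [
    {"id": "INC-1", "detected": "2023-05-01T08:00:00", "reported": "2023-05-01T09:30:00"},
    {"id": "INC-2", "detected": "2023-05-02T10:00:00", "reported": "2023-05-09T11:00:00"},  # noticed in a log review a week later
    {"id": "INC-3", "detected": "2023-05-03T14:00:00", "reported": None},                   # logged but never reported
    {"id": "INC-4", "detected": "2023-05-04T16:00:00", "reported": "2023-05-04T16:20:00"},
]

def _lag_hours(incident):
    """Hours between IDS detection and the report, or None if never reported."""
    if incident["reported"] is None:
        return None
    delta = datetime.fromisoformat(incident["reported"]) - datetime.fromisoformat(incident["detected"])
    return delta.total_seconds() / 3600

def detection_to_report_hours(incidents):
    """Lag for each incident that was actually reported."""
    return [h for h in (_lag_hours(i) for i in incidents) if h is not None]

def median_lag_hours(incidents):
    """Median is used rather than mean so one week-old log review does not hide the typical lag."""
    return median(detection_to_report_hours(incidents))

def unreported_count(incidents):
    """Incidents the IDS recorded that nobody ever reported."""
    return sum(1 for i in incidents if i["reported"] is None)

def over_target(incidents, max_hours):
    """IDs of reported incidents whose lag exceeds the agreed target; a non-empty
    list is the cue the lecture describes to revise the detect-to-report process."""
    return [i["id"] for i in incidents
            if _lag_hours(i) is not None and _lag_hours(i) > max_hours]

def cost_per_prevented_incident(annual_cost, incidents_before, incidents_after):
    """Cost-effectiveness of a control: money spent per incident it removed,
    comparing the period before the control with the period after.
    Returns None when it prevented nothing, so the caller never divides by zero."""
    prevented = incidents_before - incidents_after
    if prevented <= 0:
        return None
    return annual_cost / prevented

if __name__ == "__main__":
    print("median lag (h):", median_lag_hours(INCIDENTS))
    print("unreported:", unreported_count(INCIDENTS))
    print("over 24h target:", over_target(INCIDENTS, 24))
    print("cost per prevented incident:", cost_per_prevented_incident(50_000, 40, 15))
```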
We should look at the assurance process—integration or convergence, as we might call it. A good integration of processes should work end-to-end to minimize hidden risks. Things like information and asset protection are very important to us. So what are we looking at, and what do we mean by end to end? You know, if I'm talking about information as being the asset that I'm worried about, an end-to-end solution would get us into that little silo area that we try to avoid at the time where the information is being entered. It may be at a bunch of point-of-sale locations; it may be a bunch of data entry operators that we have working for us. Is the information good? Does it start off good, and then in its transmission to us, is it protected? Are we storing it well? Do we have the oversight of auditing the information and testing that the information is as accurate as it should be? I revisited a law enforcement agency that was experiencing what I thought was a minor issue as a result of this end-to-end process of good information; I'm not sure I wasn't thinking their protection wasn't so bad. I mean, I don't remember any breaches back in the 80s, but the way the information got put in wasn't so good. They were involved in entering arrest information, and for a person like me, whose first name can go by many different forms, whether it's Ken, Kenneth, or Kenny, it would just depend on how the report was written and how they would enter that person in. That same person might have several arrests listed among three different people in this system. In other words, there was not an audit that I could foresee that made sure the information was accurate at the time it was submitted. That's an end-to-end part of this process, and I think that's a part of the information protection as well. We want to protect the information for the entire lifecycle.
So if we're integrating or converging these assurance processes, then it's not just my responsibility once it's on a hard drive to make sure that it's safe. I think that as an end-to-end process, we are talking about full integration. Now, at the same time, we might also be able to see that other business units were attempting similar types of security options, and maybe that's costing my company more money. When we're actually overlapping some of the different security functions that we could do in unison or as one so we can eliminate security overlaps, having well-defined roles and responsibilities again so that everybody knows what their part of this process is going to be, what they're responsible for taking care of, and of course, understanding one's assurance function with another one, is essential. That is, once again, business integration, ensuring that we are all working together to meet the overall business objectives.