CISM 15e Domain1

CISM EXAM
PREPARATION
Copyright 2016 ISACA. All rights reserved.

Pre-Course Question 1
Which of the following reasons is the MOST important to

develop a strategy before implementing an information
security program?
A. To justify program development costs

B. To integrate development activities
C. To gain management support for an information security
program
D. To comply with international standards
2 Copyright 2016 ISACA. All rights reserved.

How does knowledge of risk appetite help to increase

security control effectiveness?
A. It shows senior management that you understand their

needs.
B. It provides a basis for redistributing resources to
mitigate risk above the risk appetite.
C. It requires continuous monitoring because the entire risk
environment is constantly changing.
D. It facilitates communication with management about the
importance of security.

When an organization is setting up a relationship with a

third-party IT service provider, which of the following is one
of the MOST important topics to include in the contract from
a security standpoint?
A. Compliance with international security standards

B. Use of a two-factor authentication system
C. Existence of an alternate hot site in case of business
disruption
D. Compliance with the organizations information security
requirements

Which of the following choices is MOST important to verify

to ensure the availability of key business processes at an
alternate site?
A. Recovery time objective

B. Functional delegation matrix
C. Staff availability to the site
D. End-to-end transaction flow

Domain 1
Information Security Governance

Domain 1
Establish and/or maintain an information

security governance framework and
supporting processes to ensure that the
information security strategy is aligned
with organizational goals and objectives

Domain 1 (contd)
This domain reviews the body of knowledge and

associated tasks necessary to develop an
information security governance structure
aligned with organizational objectives.

Domain Objectives
Ensure that the CISM Candidate has the knowledge

necessary to:
Understand the purpose of information security
governance, what it consists of, and how to accomplish it.
Understand the purpose of an information security
strategy, its objectives and the reasons and steps required
to develop one.
Understand the meaning, content, creation and use of
policies, standards, procedures and guidelines and how
they relate to each other.
Develop business cases and gain commitment from senior
leadership.
Define governance metrics requirements, selection and
creation.
On the CISM Exam
This domain represents 24% (approximately 36

questions) of the CISM exam
Domain 1:
Domain 4:
Information
Information Security
Security
Incident
Governance, 24%
Management, 19%
Domain 3:
Information Security Domain 2:
Program Information Security
Development and Risk Management,
Management, 27% 30%

Governance vs. Management
Governance Management
Purpose is to set Purpose is plan,
goals build, execute and
Do the right thing monitor activities to
achieve goals
Do the thing right

Why Does Governance Matter?
Information is critical to our lives.
Protecting information is key, but costs and benefits vary.
How can we be sure we are choosing the appropriate option?
Governance helps align information security

with business goals and objectives
Effective Information Security
An effective information
security program:
Supports what the
organization is trying to do
Keeps risk within
acceptable levels
Tracks success and areas
of improvement
Changes with the
organization

Domain 1 Overview
Section One: Designing a Strategy and

Governance Framework
Section Two: Gaining Management
Support/Approval
Section Three: Implementing the Security
Strategy
Refer to the CISM Job

Practice for Task and
Knowledge Statements.

Section One
Designing a Strategy and

Governance Framework

Task Statements
T1.1 Establish and/or maintain an information
security strategy in alignment with organizational
goals and objectives to guide the establishment
and/or ongoing management of the information
security program.
T1.2 Establish and/or maintain an information

security governance framework to guide activities
that support the information security strategy.
T1.3 Integrate information security governance into

corporate governance to ensure that organizational
goals and objectives are supported by the
information security program.

Knowledge Statements
How does Section One relate to each of the following

knowledge statements?
Knowledge Statement Connection
K1.1 Techniques are ways to analyze what is needed and how it
differs from what is currently in place.
K1.2 Relationships provide a lens through which to understand
InfoSec.
K1.3 By using security frameworks, organizations can avoid
reinventing the wheel by using existing resources and
adapting it to the organization.
K1.4 Standards/frameworks are shortcuts for knowing what is
possible and how to get there.
K1.5 It is important to understand the foundational concepts of
governance along with the insights and lessons from
experts.

How does Section One relate to each of the following

K1.6 Making the most of a framework requires a good
understanding of its benefits and how to put it in place.
K1.7 Other departments or business units may not immediate
understand the value of information security. This makes it
important for the information security organization to
communicate with those outside of the security workspace.
K1.10 An effective program is one that the organization can
afford and that delivers useful, actionable information.
K1.11 The InfoSec program needs to adapt to changes in the
complex ecosystem of the organization to remain useful
K1.12 Programs are only as good as they are seen to be; a well-
designed program that is poorly communicated wont get
off the ground.

Key Terms
Key Term Definition

Control The means of managing risk, including policies, procedures,
guidelines, practices or organizational structures, which can be
of an administrative, technical, management, or legal nature
Framework An outline of what relationships may exist between activities
without specifying how those relationships must be made to
work
Policy Overall intention and direction as formally expressed by
management
Risk The combination of the probability of an event and its
consequence. (ISO/IEC 73)
Standard A mandatory requirement, code of practice or specification
approved by a recognized external standards organization,
such as International Organization for Standardization (ISO)
Strategy A high-level plan to achieve an objective
See www.isaca.org/glossary for more key terms.

Goals and Strategy
Business goals are set by the board of

directors
o Senior management builds the
strategy to achieve these goals Goals
Governance ensures business strategy

remains consistent with business goals
Information security governance provides Objectives
strategic guidance for security

Information security strategy should
be linked to the overall business
strategy
Strategy

Outcomes of Information Security
Governance
Six basic outcomes of a security program:
Strategic alignment
Risk management
Value delivery
Resource optimization
Performance measurement
Assurance process integration

Risk Appetite
Risk is part of any business activity.

Potential for greater rewards comes with potential higher
consequences
Risk capacity: Amount of loss an enterprise can tolerate
without its continued existence being questioned.
Risk appetite: The amount of risk that an entity is willing
to accept in pursuit of its mission.

Strategy and Risk
Purpose of information security: Manage

information risk to an acceptable level
Understand the risk profile
Understand risk exposure
Be aware of risk management priorities
Ensure sufficient risk mitigation
Base risk treatment decisions on potential
consequences

Discussion Question
Why is it important to have a formal process for

accepting risk?

Governance, Risk and Compliance
GRC is an
integrated
assurance process
Governance
Convergence can
exist independently
across different
business functions
Risk Compliance
Information security
is often a part of
GRC

Pitfalls in Strategy Development
Overconfidence/Optimism
Anchoring
Status quo bias
Mental accounting
Herding instinct
False consensus
Confirmation bias
Groupthink

Start with the Goals
What is the goal?

Typically to assure the reliability of information-related
business processes
Often unaware of what information exists within
the enterprise, criticality, etc.
Impact cost-effectiveness
Goals help set objectives, which drive strategy
Should tie to enterprise goals

Asset Classification
Initial classification can

be time consuming
Does not get easier over
time
Best approach is to start
as soon as possible
Classify new assets when
they are created
Monitor for changes over
time

Focus on Data
Information security has traditionally focused on

IT systems.
Business process owners regard IT systems as
tools, while data produced has value
Integration with corporate governance becomes
easier with a data focus

Valuation of Data
Criticality of data can be derived from criticality

of processes that use that data.
Sensitivity can be derived by determining
consequences of data leakage.
Sensitivity of data may be subjective.
Certain types of data may be considered
sensitive by law or regulation.

Current Vs. Desired State
Desired State Gaps between current

Ideal information security and desired state
environment Plans for achieving
Frameworks/standards desired state
helpful to identify outcomes
Defined desired state makes
it easier to identify path from
current state
Current State
What is actually occurring
Help to identify where the
environment falls short of the
desired

Good to Know
Knowledge of the current state is never quite complete,

and the desired state may change over time.
An accurate view of how things are today and what is a
desired target state is good enough for governance
purposes.

Building the Strategy
Strategy provides a road

map to the desired state
Path could be long
depending on distance
between current and
desired state
Should identify:
Available resources
Available methods
Constraints

Policies, Standards and Controls
Policies Standards Controls
Part of
Governance Management
security
tools tools
architecture
Constitution Laws Enforcement

Strategy Constraints
Legal
Physical
Ethics
Culture
Costs
Personnel
Organizational structure
Resources
Capabilities
Time
Risk appetite
Legal and Regulatory Requirements
Information security linked

to privacy, IP and law
Security strategies for
different regions may be
required
Retention requirements
E-discovery
Treat as any other risk

Physical Constraints
Include capacity, space, environmental hazards,

etc.
Safety of personnel should also be considered
Often ignored and can lead to interruptions or
breaches
Disaster recovery should be considered

Ethics and Culture
Ethics
Perception of the enterprises behavior
Influenced by location and culture
Culture
Internal culture
Local culture

Costs
Justify spending based on a projects value.

Cost-benefit/financial analysis most widely
accepted
ALE
ROI

Personnel and Organizational Structure
Personnel
Resistance to changes can impact the success of
strategy implementation
Organizational structure
Impacts how a governance strategy can be
implemented
Cooperation is needed
Senior management buy-in helps to ensure
cooperation

Resources, Capabilities and Time
Resources
Consider available budgets, TCO and personnel
requirements
Capabilities
Expertise and skills
Time
Deadlines/Windows of opportunity

Risk Appetite
Risk acceptance and risk tolerance play a major

role
Difficult to measure
RTOs/RPOs

Ongoing Assessment
The information security

strategy needs to be
dynamic.
Update assessments
regularly.

Discussion Question
What are some reasons that the information risk

environment changes over time?

Strategy and Framework
A framework is a scaffold of
interlinked items
Strategy is the starting
point of the framework
Ensures that information
security is focused on the right
goals

Frameworks and Architecture
Frameworks are closely

associated with enterprise
architecture
Goals = conceptual
architecture
Framework = logical
architecture
Physical architecture
implements the logical
architecture through
policies, standards and
controls

Relationship of Governance Elements

Third-party Resources
Variety of resources available to use as a basis

COBIT, CMMI, ISO, etc.
Frameworks define relationships
May derive benefit from certified compliance with
third-party standards (e.g., ISO)

SABSA Security Architecture Matrix
Source: Copyright SABSA Institute, www.sabsa.org. Reproduced with permission.

The Structure of the TOGAF Document
Source: The Open Group; TOGAF, Version 9.1., United Kingdom 2011

Building Consistency
Integration ensures consistency.

When adding information security to an existing
governance structure, it is not necessary to use
a different framework.
If no general framework is used, find a
framework that is comprehensive and can be
used across the organization

Section One

In the Big Picture
Governance authority comes

from the board of directors.

strategy is how the
organization manages risk
Section One associated with information
Designing a Strategy and Governance assets and ensures that they
Framework are able to support the
attainment of business
goals.

Section One
Exam Review Questions

Review Question
Which of the following steps should be FIRST in developing

an information security plan?
A. Perform a technical vulnerabilities assessment.

B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.

Review Question
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.

Review Question
The FIRST step to create an internal culture that embraces

information security is to:
A. implement stronger controls.

B. conduct periodic awareness training.
C. actively monitor operations.
D. gain endorsement from executive management.

Review Question
The purpose of an information security strategy is to:
A. express the goals of an information security program

and the plan to achieve them.
B. outline the intended configuration of information system
security controls.
C. mandate the behavior and acceptable actions of all
information system users.
D. authorize the steps and procedures necessary to
protect critical information systems.

Section Two
Gaining Management
Support/Approval

Task Statements
T1.5 Develop business cases to support
investments in information security.
T1.6 Identify internal and external influences to the

organization (e.g., emerging technologies, social
media, business environment, risk tolerance,
regulatory requirements, third-party considerations,
threat landscape) to ensure that these factors are
continually addressed by the information security
strategy.
T1.7 Gain ongoing commitment from senior

leadership and other stakeholders to support the
successful implementation of the information
security strategy.
How does Section Two relate to each of the following

K1.7 Factors outside of the organization may impact how it
approaches governance, and that approach may not be
flexible. Its often necessary to change the information
security governance model to align with corporate
governance rather than expecting the reverse.
K1.9 Executives and decision-makers tend to be well-versed in
evaluating business cases. You need to speak their
language to gain support.
K1.10 Understanding costs and benefits helps keep focus on the
value that information security can provide.

How does Section Two relate to each of the following

K1.11 The information security program exists within a complex
ecosystem of dynamic processes inside and outside of the
organization. It needs to be able to adapt to changes in
this ecosystem to remain relevant and useful.
K1.12 Programs are only as good as they are seen to be. A well-
designed program poorly communicated wont get off the
ground.
K1.13 Going to the right people at the right times and in the right
ways can make all of the difference in whether a proposal
is approved or rejected. Its important to know how and
wen people want to be contacted and do your best to meet
their expectations whenever possible.

Key Terms
Key Term Definition

Business case Documentation of the rationale for making a business
investment, used both to support a business decision on
whether to proceed with the investment and as an operational
tool to support management of the investment through its full
economic life cycle
Risk tolerance The acceptable level of variation that management is willing to
allow for any particular risk as the enterprise pursues its
objectives
Stakeholder Anyone who has a responsibility for, an expectation from or
some other interest in the enterprise. Examples: shareholders,
users, government, suppliers, customers and the public
Threat landscape The set of all known threats facing the organization

Commitment is Key
Senior management
backing is essential to
success
Information security may
need to educate senior
managers to get them on
board
Use business language,
not technical jargon

Selling the Strategy
The security strategy should manage

information risk at an acceptable level in line
with the business strategy.
Information security managers need to convey

the value proposition of what is proposed.

Lay the Foundation
Workshops or briefings
can set the stage for
strategy
implementation.
Try to anticipate
issues/concerns
managers already have

Roles and Responsibilities
Board of Directors Senior Management

Need to be aware of Ensure needed
information assets functions/resources are
available
Provided with high-level
results of risk assessments Ensure resources are
and BIAs. properly utilized
Exercise due care in Promote cooperation,
protecting key assets arbitrate when needed
and set priorities

Steering committee
Comprised of senior representatives of groups
impacted by information security
Ensures alignment of security program with business
objectives
Common topics:
Security strategy and integration efforts
Specific actions and progress related to business unit
support of information security program functions
Emerging risk, business unit security practices and
compliance issues

Chief Risk Officer

Generally responsible for all non-information risk and
overall ERM
Chief Information Officer
Responsible for IT planning, budgeting and
performance
Chief Information Security Officer
Similar functions as information security manager with
more strategic and management elements; IT
strategy

Good to Know
Many not be an official position

Trends have shown most organizations have a CISO
in charge of the security program
Some organizations have a CSO over information
security and physical security.
Most often reports to the CEO, followed by the
CIO and board
Conflicts of interest may arise if the CISO reports to
the CIO because security is often seen as a constraint
on IT

Tracking Roles
Source: ISACA, COBIT 5: Enabling Processes, USA, 2012

Activity
Complete the following RACI chart.

Activity Answers
Information Board of Chief Chief Business
Security Directors Information Executive Process
Manager Officer Officer Owner
Define target C R A I
IT
capabilities.
Conduct a R A R
gap analysis.
Define the C A C
strategic plan
and road
map.
Communicate I I R R I
the IT
strategy and
direction.

The Business Case
Provides a formal proposal

for a project
Likely costs
Benefits
Should have enough detail
to explain the why of a
project and what it will
deliver back

Preparing a Business Case
Elements of a feasibility study

Project scope
Current analysis
Requirements
Recommended approach
Evaluation
Formal review
Note: The feasibility study focuses on direct, up-front costs,

while the business case should focus on total cost of
ownership.

The Business Case and Project
Management
The business case drives the decision process
If no longer valid, project should be review
Used at stage gates (kill points)
Reevaluation/reapproval needed when circumstances
change

Communicating Value
Value can be estimated as

revenue, savings or both
An effective information
security program:
Reduces likelihood of a
significant event
Reduces the losses from an
event
Either of the two outcomes
equal savings

Stakeholder Buy-in
Other groups are affected by the information

security proposal
Stakeholders may be internal/external
Failure to achieve buy-in can sabotage your
proposal

Discussion Question
Who are some of the stakeholders in an organizations

information security strategy?

Internal Stakeholders
Managers responsible for key business

processes
Managers responsible for revenue-producing
activities
Human resources
Legal and privacy
Note: The business case should be updated to

note requests, even if they are not accepted.

External Stakeholders
Service providers
Critical vendors
Outsourcing partners
Consumers/members
Information security
may be affected by
contracts.

Presenting the Strategy
Can be used to educate

and communicate
Common factors for
acceptance:
Aligning security with
business objectives
Identifying potential
consequences
Identifying budget items
Using common
risk/benefit or financial
models
Defining monitoring and
auditing measures

Presenting the Strategy
Remember: You are the subject matter expert!

Be concise, but be honest
Senior management may not realize the impact of
reputational damage
Alignment is key: If the strategy is aligned with
the business, it is more likely to be approved.

Section Two

In the Big Picture

strategy supports the goals
and business strategy of
the organization.
Having senior leadership

Section Two approval to implement the
Gaining Management strategy is essential
Support/Approval because it provides access
to resources and helps to
remove procedural
roadblocks.

Section Two

Review Question
Senior management commitment and support for

information security can BEST be obtained through
presentations that:
A. use illustrative examples of successful attacks.

B. explain the technical risk to the organization.
C. evaluate the organization against good security
practices.
D. tie security risk to key business objectives.

Review Question
A security manager is preparing a report to obtain the

commitment of executive management to a security
program. Inclusion of which of the following items would be
of MOST value?
A. Examples of genuine incidents at similar organizations

B. Statement of generally accepted good practices
C. Associating realistic threats to corporate objectives
D. Analysis of current technological exposures

Review Question
The MOST important requirement for gaining management

commitment to the information security program is to:
A. benchmark a number of successful organizations.

B. demonstrate potential losses and other impacts that can
result from a lack of support.
C. inform management of the legal requirements of due
care.
D. demonstrate support for desired outcomes.

Review Question
Which of the following situations would MOST inhibit the

effective implementation of security governance?
A. The complexity of technology

B. Budgetary constraints
C. Conflicting business priorities
D. Lack of high-level sponsorship

Section Three
Implementing the Security

Strategy

Task Statements
T1.4 Establish and maintain information security
policies to guide the development of standards,
procedures and guidelines in alignment with
enterprise goals and objectives.
T1.8 Define, communicate and monitor information

security responsibilities throughout the organization
(e.g., data owners, data custodians, end users,
privileged or high-risk users) and lines of authority
T1.9 Establish, monitor, evaluate and report key

information security metrics to provide management
with accurate and meaningful information regarding
the effectiveness of information security strategy

How does Section Three relate to each of the following

K1.2 Relationships provide a lens through which to understand
information security.
K1.8 Policies require executive support to be effective, so you
need to know how to engage the people at the top in ways
that fit your organizational culture. If the executives arent
willing to follow a policy they put in place, neither will
anyone else.
K1.10 An effective program is one that the organization can
afford and that delivers useful, accountable information.

How does Section Three relate to each of the following

knowledge statements? Pg. 19 of the
Review
Manual

K1.15 Information security can require involvement at virtually
any level of an organizationfrom functional teams up to
the board of directors. Its critical to know how information
flows and who approves which levels of escalation.
K1.16 The right people need to get the right information at the
right times. Understanding the structure helps avoid
overlooking anyone who may need to know something and
also makes it easier to limit reporting of what may be
sensitive information.
K1.17 Organizations change over time, and changes to reporting
relationships and structures outside of the information
security function may not always be widely communicated.
Develop a way to monitor these changes as they occur
and build them into the governance process.

How does Section Three relate to each of the

following knowledge statements?
K1.18 Avoid creating new communication methods whenever
existing methods can be adapted or expanded to include
information security. When new channels are needed,
understand how your organization expects them to be
evaluated and approved before theyre established.
K1.19 Information security covers a huge array of processes,
technologies and concerns that can be individually or
collectively monitored. Identifying the key indicators for
risk, performance and other considerations helps make
reporting more effective.

Key Terms
Key Term Definition

Data custodian The individual(s) and department(s) responsible for the
storage and safeguarding of computerized data
Guideline A description of a particular way of accomplishing
something that is less prescriptive than a procedure.
Metric A quantifiable entity that allows the measurement of the
achievement of a process goal
Procedure A document containing a detailed description of the
steps necessary to perform specific operations in
conformance with applicable standards. Procedures are
defined as part of processes.

Policies
Directly traceable to
strategy elements
Broad enough to not
require regular revision, but
should be periodically
reviewed
Approved at the highest
level
Pave the way for effective
implementation

Policies
Attributes of good policies:

Should capture the intent, expectations and direction
of management
Should state only one general security mandate
Must be clear and easily understood
Includes just enough context to be useful
Rarely number more than two dozen in total

Setting Standards
Provide measurement for compliance

Govern procedure and guideline creation
Set security baselines
Reflect acceptable risk and control objectives
Act as criteria for evaluating acceptable risk
Are unambiguous, consistent and precise
Are disseminated to those governed by them
and those impacted

Setting Standards
Third-party standards are

typically prescriptive to
allow for certification.
If used as a reference, your
organization may have some
flexibility when using the
standard.
Exception processes must
be developed

Discussion Question
Once standards are set, what are some factors that may
determine whether or not they are followed?

Training and Awareness
People need to be aware of security policies and

standards in order to be compliant.
Training and awareness go beyond publishing a
policy
Type should be appropriate to logistics, culture, etc.
Relevant to the audience

Tone at the Top
Employees emulate the

behavior of management
If mangers ignore
standards and policies,
fewer people will follow
them.

Controls
Influence the behaviors of people, processes

and technology in order to manage risk to
acceptable levels
Keep in mind:
Controls are not always as effective as intended
Controls may not address all outcomes
Changes in technology may render controls obsolete

Discussion Question
What are some examples of how changes in technology

can bypass or negate previously effective controls?

IT Controls
Constitute the majority of controls in an

organization
Control objective: A statement of the desired
result or purpose to be achieved by
implementing control procedures in a particular
IT activity.

Layered Defense
Deploying controls in layers is good practice

Defense in depth
Uses:
To provide additional protection in the event of a
control failure
Because a single control is known to be inadequate
Controls tailored to specific threats may be more
cost effective

Layered Defense

Countermeasures
Designed to reduce a single vulnerability or a

threat
Can be passive or active
Should be considered from a strategic
perspective

Non-IT Controls
Information security extends beyond IT

Include:
Secure marking, handling and storage
Efforts to prevent social engineering
Can help to mitigate risk posed by individual
judgement calls

Discussion Question
One example of a non-IT control is educating people on

the importance of not writing down or sharing
passwords. What others come to mind?

Procedures
A non-IT control direct precisely how something

is to be done
Responsibility of operations staff
Uses unambiguous language
Include all necessary steps
Ensure an organization can continue operations
even if regular staff are unavailable

Good to Know
People tend to memorize their actions when doing

something regularly and may not refer to procedures.
This makes it harder to keep procedures up to date and
increases the probability of errors.
Checklists are helpful to promote regular use of
procedures.

Guidelines
Contain information that will be helpful in

executing procedures
Enable use of individual judgement
Can be helpful when an outcome needs to be
achieved, but the how does not matter

Metrics and Measurement
Security metrics tell us about the state of

security relative to a reference point
Technical metrics of little value from a strategic
standpoint

Metrics and Measurement
Metrics should be SMART:

Specific
Measurement
Attainable
Relevant
Timely
Avoid measuring
something simply because
it can be measured.

Metrics at the Strategic Level
Key goal indicators (KGIs) and key performance

indicators (KPIs) can be useful for process or
service goals.
High-level metrics related to implementing a
strategy include:
Alignment with business goals and objectives
Management of risk to acceptable levels
Effective management of resources
Performance and value delivery

Risk Management Metrics
Indicators of appropriate
risk management include:
Defined risk appetite and
tolerance
Process for management
of adverse impacts
Trends in periodic risk
assessment and impacts
Completeness of asset
inventory
Ratio of security incidents
from known to unknown
security risks

Value Delivery Metrics
KGIs and KPIs include:

The cost of security being proportional to the value of
assets
Security resources that are allocated by degree of
assessed risk and potential impact
Protection costs that are aggregated as a function of
revenues or asset valuation
An adequate and appropriate number of controls to
achieve acceptable risk and impact levels
Policies in place that require all controls to be
periodically reevaluated for cost, compliance and
effectiveness
The use and effectiveness of controls

Resource Management Metrics
Indicators of effective resource
management include:
Infrequent problem solution
rediscovery
Effective knowledge capture and
dissemination
Clearly defined roles and
responsibilities
The percentage of information
assets and related threats
adequately addressed by security
activities
The proper organizational location,
level of authority and number of
personnel for the information
security function
Resource utilization levels
Staff productivity
Per-seat cost of security services

Performance Measurement
Indicators of effective performance

measurement include:
The time required to detect and report security events
The number and frequency of unreported incidents
Benchmarking comparable organizations for costs
and effectiveness
Knowledge of evolving and impending threats
Methods of tracking evolving risk
Consistency of log review practices
Results of BCP/DR tests
Extent to which key controls are monitored

Auditing and Compliance
Audits can be useful as a means of identifying

shortfalls.
Senior managers tend to believe audit reports.
Audit reports indicate what has already
happened.
Useful for insight
Cannot be used as the only means of identifying
problems

Section Three

In the Big Picture
The success of an
information security
strategy depends on the
behavior of people,
processes and technology.
Section Three
Implementing the Security Strategy Security is dynamic and
regular monitoring and
auditing are needed.

Section Three

Review Question
The enactment of policies and procedures for preventing

hacker intrusions is an example of an activity that belongs
to:
A. risk management.
B. compliance.
C. IT management.
D. governance.

Review Question
Which of the following choices would be the MOST

significant key risk indicator?
A. A deviation in employee turnover

B. The number of packets dropped by the firewall
C. The number of viruses detected
D. The reporting relationship of IT

Review Question
Which person or group should have final approval of an

organizations information technology (IT) security policies?
A. Business unit managers

B. Chief information security officer
C. Senior management
D. Chief information officer

Review Question
Which of the following is the PRIMARY reason to change

policies during program development?
A. The policies must comply with new regulatory and legal

mandates.
B. Appropriate security baselines are no longer set in the
policies.
C. The policies no longer reflect management intent and
direction.
D. Employees consistently ignore the policies.

Domain 1
Summary

Summary
Effective information security governance

requires alignment with business goals.
Senior management commitment to the
information security strategy is key to success.
Security is dynamic, so metrics are key to
determining success and monitoring is required
to indicate any issues.

Questions

CISM 15e Domain1

Uploaded by

Document Informationclick to expand document informationCISM Slides - Domain 1

Document Informationclick to expand document information

Copyright:

Available Formats

CISM 15e Domain1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CISM 15e Domain1

Uploaded by

Copyright:

Available Formats

CISM EXAM

Copyright 2016 ISACA. All rights reserved.

Which of the following reasons is the MOST important to

A. To justify program development costs

2 Copyright 2016 ISACA. All rights reserved.

How does knowledge of risk appetite help to increase

A. It shows senior management that you understand their

3 Copyright 2016 ISACA. All rights reserved.

When an organization is setting up a relationship with a

A. Compliance with international security standards

4 Copyright 2016 ISACA. All rights reserved.

Which of the following choices is MOST important to verify

A. Recovery time objective

5 Copyright 2016 ISACA. All rights reserved.

Information Security Governance

Copyright 2016 ISACA. All rights reserved.

Establish and/or maintain an information

7 Copyright 2016 ISACA. All rights reserved.

This domain reviews the body of knowledge and

8 Copyright 2016 ISACA. All rights reserved.

Ensure that the CISM Candidate has the knowledge

This domain represents 24% (approximately 36

10 Copyright 2016 ISACA. All rights reserved.

11 Copyright 2016 ISACA. All rights reserved.

Information is critical to our lives.

Protecting information is key, but costs and benefits vary.

How can we be sure we are choosing the appropriate option?

Governance helps align information security

13 Copyright 2016 ISACA. All rights reserved.

Section One: Designing a Strategy and

Refer to the CISM Job

14 Copyright 2016 ISACA. All rights reserved.

Designing a Strategy and

Copyright 2016 ISACA. All rights reserved.

T1.2 Establish and/or maintain an information

T1.3 Integrate information security governance into

16 Copyright 2016 ISACA. All rights reserved.

How does Section One relate to each of the following

17 Copyright 2016 ISACA. All rights reserved.

How does Section One relate to each of the following

18 Copyright 2016 ISACA. All rights reserved.

Key Term Definition

See www.isaca.org/glossary for more key terms.

Business goals are set by the board of

Governance ensures business strategy

strategic guidance for security

20 Copyright 2016 ISACA. All rights reserved.

21 Copyright 2016 ISACA. All rights reserved.

Risk is part of any business activity.

22 Copyright 2016 ISACA. All rights reserved.

Purpose of information security: Manage

23 Copyright 2016 ISACA. All rights reserved.

Why is it important to have a formal process for

24 Copyright 2016 ISACA. All rights reserved.

25 Copyright 2016 ISACA. All rights reserved.

26 Copyright 2016 ISACA. All rights reserved.

What is the goal?