Information Security Program Development and Management Tutorial

3.1 Welcome

Hello and welcome to the Information Security Program Development and Management domain of the Certified Information Security Manager (CISM®) course offered by Simplilearn. Let us explore the objectives of this domain in the next screen.

3.2 Objectives

After completing this lesson, you will be able to:
• Understand the scope and charter of an information security program
• Describe the information security management framework
• Discuss information security framework components
• Explain the information security program
• Define an information security program road map
• List information security architecture and infrastructure
• Describe security program management and administrative activities
• List security program service and operational activities
• Discuss controls and countermeasures
• Define security program metrics and monitoring
• List the common information security program challenges
Let us look at the task statements in the next screen.

3.3 Task Statements

Task statements describe what a CISM® candidate is expected to know and perform. The following nine task statements have to be performed to achieve the information security goals:
• Establish and maintain an information security program.
• Ensure alignment between the information security program and other business functions.
• Identify, acquire, and manage requirements for internal and external resources.
• Establish and maintain information security architectures.
• Establish and communicate organizational information security standards and procedures.
Let us look at some more task statements in the next screen.

3.4 Task Statements (contd.)

Some of the other task statements are:
• Establish and monitor a program for information security awareness and training.
• Integrate information security requirements into organizational processes.
• Integrate information security requirements into agreements involving third parties, and
• Monitor periodic program management reports and operational metrics.
Let us attempt a quick recall question in the next screen.

3.5 Knowledge Check

This question will help you to recall the concepts you have learned. Let us now look at the knowledge statements in the next screen.

3.6 Knowledge Statements

The knowledge statements form the basis for achieving the tasks. They include:
• Establishing and maintaining an information security program,
• Aligning information security program requirements,
• Identifying, acquiring, and managing requirements for internal and external resources,
• Having basic knowledge of emerging technology and trends,
• Designing information security controls and testing their effectiveness and applicability, and
• Having knowledge of IS architecture.
Let us continue learning about other knowledge statements in the next screen.

3.7 Knowledge Statements (contd.)

Some more knowledge statements are:
• Methods to execute and communicate information security policies and procedures,
• Establishing and monitoring effective information security awareness and training,
• Integrating information security requirements into organizational processes,
• Incorporating information security requirements into contracts and third-party agreements,
• Developing and handling operational information security metrics, and
• Testing the efficacy and use of information security controls.
Let us attempt a quick recall question in the next screen.

3.8 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at information security program objectives in the next screen.

3.9 Information Security Program Objectives

The key objective of the information security program is to tackle issues that arise during its execution. Some of the objectives of the information security program are to:
• Implement the information security strategy in the most cost-effective manner,
• Achieve efficiency through practical and manageable implementation of projects and initiatives, and
• Maximize support of business functions and minimize operational disruptions.
In the following screen, we will look at the issues that the information security program faces.

3.10 Information Security Program Objectives (contd.)

Some of the issues that the information security program faces are:
• Changes in the business environment, such as the introduction of a new regulatory requirement,
• Changes in the organization’s technology infrastructure,
• Changes in risk level, and
• The availability of new applications.
Let us define the information security program objectives in the next screen.

3.11 Defining Information Security Program Objectives

The basic outline of the information security program objective is to:
• Analyze the current state of security against the desired state of security, and
• Develop processes and projects to close the gap between the current state and the desired state of security.
Let us continue to define information security program objectives in the next screen.

3.12 Defining Information Security Program Objectives (contd.)

Once the information security program objectives have been defined, it is necessary to understand the drivers of the information security program. The drivers of the information security program include:
• The requirement to comply with regulations, which are increasing day by day,
• The high cost and frequency of information security incidents,
• Reputational damage caused by publicized security incidents, such as the attack on Sony Pictures after the release of the movie ‘The Interview’, and
• Business processes that may increase organizational risk.

3.13 Scope and Charter of Information Security Program

Organizational culture, informal relationships, and interpersonal networking are the key factors for a successful information security program. The scope of an information security program is established by how it supports:
• The information security strategy, and
• Its involvement in risk management activities.
The scope covers:
• The 3 Ps, that is, people, processes, and policies; and
• Technology.
Let us learn about the factors to consider when introducing an information security program in the next screen.

3.14 Introducing an Information Security Program

When an information security program is introduced into an already established security function, it must integrate itself into the existing organizational environment. This is because, as with anything new in an enterprise, there will be resistance that hinders the intended purpose. The areas to consider for the introduction of an information security program are:
• Organization stakeholders (employees, board, users, customers, suppliers, and partners),
• Processes,
• Policies,
• Systems,
• Technologies, and
• Legal bodies.
Let us attempt a quick recall question in the next screen.

3.15 Knowledge Check

This question will help you to recall the concepts you have learned. Let us learn more about introducing an information security program in the next screen.

3.16 Introducing an Information Security Program

When a new information security function is being introduced into an organization, the information security manager must have an understanding of certain facts. They are:
• The organizational structure and culture;
• Expectations, scope, budget, and reporting requirements of the security function; and
• Legal and other organizational compliance requirements.
Let us look at how to introduce an information security program into an organization in the next screen.

3.17 Introducing an Information Security Program (contd.)

The information security program must also consider areas and activities beyond information security, such as:
• Other internal organizational functions,
• External factors that can impact the business,
• Challenges in the development and management of the information security program,
• Organizational support for the information or data management and handling chain,
• People, process, and policy issues that can hamper information security program implementation, and
• The absence of a framework for implementing the information security program.
Let us learn some more about introducing an information security program in the next screen.

3.18 Introducing an Information Security Program (contd.)

There are a number of challenges faced during the development of an information security program. They include the need for cooperation and conflicting PPP (people, process, and policy) issues:
• The process of setting a program in place and measuring its results involves a great deal of cooperation from everyone in an organization who handles data.
• Information security program development is usually hampered by process, people, and policy issues that conflict with program objectives rather than by the technology choices that are available.

3.19 Information Security Management Framework

The information security management framework is the implementation of a coherent set of policies, processes, and systems required to establish the required level of information security within an organization. It covers the technical, operational, administrative, and managerial components within an organization. In the next screen we will look at COBIT, which is one of the information security management frameworks.

3.20 COBIT

COBIT is one of the information security management frameworks.
• COBIT stands for Control Objective over Information and Related Technology.
• The main function of COBIT is to help the company map its IT processes to ISACA standards.
• The latest COBIT standard is COBIT 5.
Let us continue to look at the principles of COBIT in the next screen.

3.21 COBIT (contd.)

COBIT has five main principles. They are:
• Delivering stakeholder needs
• Ensuring end-to-end coverage of the enterprise
• Implementing a single framework
• Providing a holistic approach to information security governance
• Providing a clear distinction of information security governance from management
Let us attempt a quick recall question in the next screen.

3.22 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the ISO/IEC 27001 series in the next screen.

3.23 ISO/IEC 27001

After learning about the five main principles of COBIT, we need to understand the concept of ISO/IEC 27001. ISO/IEC 27001 is an internationally recognized structured methodology of information security that covers several areas. They are:
• Security policy,
• Organization of assets and resources,
• Asset classification and controls,
• Personnel security, and
• Physical and environmental security.
Let us look at some more areas of ISO/IEC 27001 in the next screen.

3.24 ISO/IEC 27001 (contd.)

Some more areas that are covered under ISO/IEC 27001 are:
• Communications and operations management,
• Access control,
• Information systems acquisition,
• Development and maintenance,
• Information security incident management,
• Business continuity management, and
• Compliance and relationships with suppliers.

3.25 Components of Information Security Framework

The information security framework has the following components:
• Operational,
• Management,
• Administrative,
• Educational, and
• Informational components.
Let us begin with operational components in the next screen.

3.26 Operational Components

The operational components include:
• Standard operating procedures,
• Business operations security practices, and
• Maintenance and administration of security technologies.
Many operational components, such as patching procedures, fall outside the domain of information security. Therefore the information security manager should control IT, business units, and other resources so that operational needs are met accurately. Let us continue learning more about operational components in the next screen.

3.27 Operational Components (contd.)

There are several operational components of management. They are:
• Identity management and access control administration,
• Monitoring and analyzing security events,
• Patching systems,
• Change control and/or release management,
• Collecting and reporting security metrics,
• Maintaining supplemental control technologies and program support technologies, and
• Investigating and resolving incidents (incident response).
Let us attempt a quick recall question in the next screen.

3.28 Knowledge Check

This question will help you to recall the concepts you have learned. Let us move to management components in the next screen.

3.29 Management Components

An information security manager has a number of management components to consider. The management components of an information security management program include:
• Policy development and establishment,
• Strategic implementation activities, and
• Oversight of execution.
These activities take place less frequently than operational components. Most often they are the responsibility of middle and senior level management. Some issues, particularly those related to oversight, can be escalated to the board level. Let us see the objectives of management components in the next screen.

3.30 Objectives of Management Components

The major objectives of management components include:
• Establishing management objectives, requirements, and policies;
• Analyzing assets, threats, risks, and organizational impacts;
• Ensuring strategic decisions are made in support of operational and technical implementation;
• Ensuring fulfillment of requirements and adherence to strategic direction during management oversight;
• Addressing needs such as monetary support and recruiting personnel; and
• Establishing realistic timelines.
It is also important to establish management oversight forums comprising senior management. We will continue to look at the objectives of management components in the next slide.

3.31 Objectives of Management Components (contd.)

The functions of an information security manager during a management program are to:
• Monitor all oversight activities that take place due to changes in the program, and
• Channel communication outside the established management oversight process.
Let us attempt a quick recall question in the next screen.

3.32 Knowledge Check

This question will help you to recall the concepts you have learned. We will look at the administrative components in the next screen.

3.33 Administrative Components

After learning about management components, let us understand the importance of administrative components. The information security manager must ensure that the financial, HR, and all other management functions are effective. A clear working relationship with organizational units such as the finance department and the HR department must be in place. In the next screen we will look at the educational and informational components.

3.34 Educational and Informational Components

After learning about administrative components, let us look at the role of educational and informational components.
• Awareness: The information security program must include activities such as employee education and awareness regarding security risk and the information security program.
• Policies and procedures: General organizational policies and procedures should be communicated and administered by the organization’s HR unit.
• Business units: The information security manager should collaborate with the HR unit and business units to identify information security education needs.

3.35 Information Security Program Roadmap

Let us now understand the concept of the information security program. The information security program is required to:
• Find ways and opportunities to add business value and enhance the ready acceptance of, and compliance with, controls and information security.
• Establish measures and generate reports on the performance of information security to raise information security levels.
In the next screen we look at the elements of an information security program road map.

3.36 Elements of Information Security Program Road Map

The elements of a road map depend on the status of information security within an organization.
• When a well-developed existing road map is available, conceptual objectives are turned into reality and proactively and effectively integrated with the business.
• When no security strategy and road map are available, the result is scattered development of the information security program, lack of integration, and lack of metrics.
Let us look at the development of an information security program road map in the next screen.

3.37 Development of Information Security Program Road Map

To develop an information security program road map, the current security levels or current state (when looked at from the security level of data, applications, systems, facilities, and processes) must be reviewed. The development of an information security program road map from the “current state” to achieve the “desired state” involves:
• A high level plan for projects or initiatives,
• Architectural design wherever required, and
• Achieving Key Goal Indicators (KGI), Critical Success Factors (CSF), and Key Performance Indicators (KPI).
We will now look at gap analysis in the next screen.

3.38 Gap Analysis

Gap analysis involves:
• Analyzing the gaps between the current state and the desired state. For example, a company might want to move from having an incomplete process to optimizing processes as its desired state.
• Identifying areas where control objectives are inadequate or absent,
• Establishing controls and control points, and
• Monitoring controls to ensure control objectives are achieved.
Let us attempt a quick recall question in the next screen.
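The following is an added example, not part of the Simplilearn course material, showing how the gap analysis described above can be worked through in code: each control objective is scored on a 0-5 maturity scale, the gap between current and desired state is computed per control, controls that are absent (score 0) or inadequate (below the desired level) are flagged, and the open gaps become the list of projects needed to reach the desired state. The control names, scores and the intermediate maturity labels are constructed assumptions; the text only names "incomplete" and "optimizing" as the endpoints.

```python
"""Added example (not from the course): gap analysis over control objectives
scored on a 0-5 maturity scale (0 = absent, 5 = optimized). Control names,
scores and the intermediate level labels below are constructed."""
from dataclasses import dataclass

# Maturity labels; only the endpoints come from the text, the rest are assumed.
LEVELS = ["incomplete", "performed", "managed", "defined", "measured", "optimizing"]


@dataclass(frozen=True)
class Gap:
    control: str
    current: int
    desired: int

    @property
    def size(self):
        """How many maturity levels separate current from desired state."""
        return self.desired - self.current

    @property
    def status(self):
        # A control that is wanted but scored 0 is absent, not merely weak.
        if self.current == 0 and self.desired > 0:
            return "absent"
        if self.size > 0:
            return "inadequate"
        return "met"


def gap_analysis(current, desired):
    """Compare current against desired maturity for every desired control.
    Returns gaps sorted largest first; absent controls rank ahead of
    inadequate ones on ties, then alphabetically for a stable report."""
    gaps = []
    for control, want in desired.items():
        have = current.get(control, 0)  # control never assessed = absent
        if not (0 <= have <= 5 and 0 <= want <= 5):
            raise ValueError(f"maturity out of range for {control}")
        gaps.append(Gap(control, have, want))
    order = {"absent": 0, "inadequate": 1, "met": 2}
    return sorted(gaps, key=lambda g: (-g.size, order[g.status], g.control))


def closure_plan(gaps):
    """Turn the open gaps into (control, from_level, to_level) steps: the raw
    material for the projects that move the program to its desired state."""
    return [(g.control, LEVELS[g.current], LEVELS[g.desired])
            for g in gaps if g.status != "met"]


def demo():
    """Run the analysis on a constructed assessment; returns gaps and plan."""
    current = {"access control": 2, "incident management": 0,
               "patch management": 3, "backup": 4}
    desired = {"access control": 4, "incident management": 3,
               "patch management": 3, "backup": 5, "logging": 3}
    gaps = gap_analysis(current, desired)
    return gaps, closure_plan(gaps)


if __name__ == "__main__":
    found, plan = demo()
    for g in found:
        print(f"{g.control:20} current={g.current} desired={g.desired} "
              f"gap={g.size} status={g.status}")
    print("closure plan:", plan)
```

Controls missing from the current assessment are deliberately treated as absent rather than skipped, because an objective nobody has scored is exactly the kind of gap the analysis is meant to surface.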

3.39 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the information security infrastructure and architecture in the next screen.

3.40 Information Security Infrastructure and Architecture

Do you know what infrastructure means? Infrastructure refers to the base or foundation on which information systems are deployed. It includes:
• Computing platforms,
• Networks,
• Middleware,
• Applications, and
• The end points.
Let us continue to look at the information security infrastructure and architecture in the next screen.

3.41 Information Security Infrastructure and Architecture (contd.)

For an infrastructure to be designed, implemented, and maintained, the following are the prerequisites:
• It should be consistent with organizational policies and standards,
• It should achieve organizational security objectives, and
• It should consider the information systems architecture, including goals, environment, and technical capabilities.
Let us attempt a quick recall question in the next screen.

3.42 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the objectives of information security architecture in the next screen.

3.43 Objectives of Information Security Architecture

The main objectives of information security architecture are to provide a framework and road map, simplicity and clarity, a facility for control points, and other objectives:
• A framework and road map for the implementation of integrated projects, initiatives, and services;
• Simplicity and clarity through layering and modularization, and a business focus beyond the technical domain (goals and environmental factors);
• A facility for control points in a system or application infrastructure; and
• Other objectives, including providing the architecture, control objectives, and associated procedures to ensure compliance (legal, regulatory, and organizational compliance).

3.44 Architectural Implementation

After learning the objectives of information security architecture, let us now look at how security architecture protects the systems. Information security architecture protects the systems by:
• Implementing security mechanisms to validate input,
• Protecting from unauthorized access by implementing access control lists,
• Monitoring for any detectable occurrence that is significant for the security of the organization and recovering from disruptions, and
• Restoring normal operation as quickly as possible.
Let us look at the SABSA model in the next screen.
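The following is an added example, not code from the course, showing the first three protections above as layered control points on one request path: an input validation layer that rejects anything outside an allowlist, an access control list consulted for every resource, and a monitoring layer that records each outcome and raises an alert when one principal accumulates repeated rejections or denials. The user names, roles, ACL entries, resource paths and the alert threshold are all constructed for the example.

```python
"""Added example (not from the Simplilearn course): a request-handling path
with three architectural control points named in the text - input
validation, access control lists and security event monitoring.
All names, the ACL and the sample requests are constructed."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Validation layer: allowlist patterns for each input field (assumed shapes).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
RESOURCE_RE = re.compile(r"^/(?:[a-z0-9-]+/)*[a-z0-9-]+$")

# Access control list: resource prefix -> roles permitted (constructed sample).
ACL = {
    "/public": {"employee", "contractor", "admin"},
    "/hr/payroll": {"hr", "admin"},
    "/finance": {"finance", "admin"},
}


@dataclass
class SecurityMonitor:
    """Records security-relevant events and flags a principal whose
    rejections and denials reach the threshold (constructed value)."""
    threshold: int = 3
    events: list = field(default_factory=list)
    denials: Counter = field(default_factory=Counter)

    def record(self, kind, user, resource):
        self.events.append((kind, user, resource))
        if kind in ("invalid_input", "denied"):
            self.denials[user] += 1

    def alerts(self):
        return sorted(u for u, n in self.denials.items() if n >= self.threshold)


def validate(username, resource):
    """Control point 1: reject anything outside the expected shape, so
    traversal sequences or odd characters never reach the ACL logic."""
    return bool(USERNAME_RE.match(username)) and bool(RESOURCE_RE.match(resource))


def authorized(roles, resource):
    """Control point 2: the longest matching ACL prefix decides; a resource
    with no ACL entry is denied by default."""
    best = None
    for prefix in ACL:
        if resource == prefix or resource.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best is not None and bool(ACL[best] & set(roles))


def handle_request(username, roles, resource, monitor):
    """Run both control points and log the outcome for the monitoring layer."""
    if not validate(username, resource):
        monitor.record("invalid_input", username, resource)
        return "rejected"
    if not authorized(roles, resource):
        monitor.record("denied", username, resource)
        return "denied"
    monitor.record("allowed", username, resource)
    return "allowed"


def demo():
    """Replay constructed sample traffic; returns outcomes and alerted users."""
    mon = SecurityMonitor()
    sample = [
        ("alice", ["employee"], "/public/handbook"),
        ("alice", ["employee"], "/hr/payroll/2024"),
        ("bob", ["hr"], "/hr/payroll/2024"),
        ("alice", ["employee"], "/finance/ledger"),
        ("alice", ["employee"], "/public/../hr/payroll"),  # fails validation
        ("x", ["admin"], "/finance"),                       # username too short
    ]
    outcomes = [handle_request(u, r, p, mon) for u, r, p in sample]
    return outcomes, mon.alerts()


if __name__ == "__main__":
    results, alerted = demo()
    print("outcomes:", results)
    print("alerts:", alerted)
```

Validation runs before authorization on purpose: a malformed path is refused before any ACL prefix comparison is attempted, and the monitor still counts the refusal, which is what lets the third layer notice that one account is probing several resources it has no business reaching.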

3.45 SABSA Model

SABSA is an abbreviation that stands for Sherwood Applied Business Security Architecture, which is a framework and methodology for enterprise security architecture and service management.
• SABSA is a generic model that can be the starting point for any organization.
• It is a model used for developing risk-driven enterprise information security architectures.
• It is used for delivering security infrastructure solutions for business initiatives.
Let us continue to look at the SABSA model in the next screen.

3.46 SABSA Model (contd.)

SABSA can be used for both information technology (IT) and operational technology (OT) environments. The figure shows a SABSA matrix for security architecture development.

3.48 Security Program Management and Administrative Activities

The management components of an information security program include:
• Establishing objectives,
• Setting up policies to achieve the objectives,
• Strategic implementation of activities to achieve the objectives, and
• Oversight of execution.
The information security program depends on the high-level management objectives and supporting policies. Hence, an information security manager should allow adjustments to the policies and objectives during the initial stages of the program. Let us look at the information security program administrative activities in the next screen.

3.49 Information Security Program Administrative Activities

The key elements of the administrative module of an information security program would include:
• Interaction of the information security manager with finance, HR, procurement, and other management functions within the organization;
• A suitable management structure and support personnel;
• Interaction with the steering committee and senior management;
• Security diligence on projects and initiatives; and
• Monitoring day-to-day operations and the performance of the existing security operating environment.
We will learn about information security roles and responsibilities in the next screen.

3.50 Information Security Program Roles, Responsibilities, Skills, and Culture

Roles, responsibilities, skills, and culture play a vital role in an information security program.
• Roles include the access rights, restrictions, and responsibilities that are granted based on the work, activity, procedure, or function the individual performs.
• Responsibilities may be specific to a role or may be common responsibilities applying to all stakeholders.
• Skills include the expertise and experience held by the personnel in the given job function.
• Organizational culture involves the collective behavior of the stakeholders that form part of an organization.
The information security manager has to promote an appropriate culture of security within the organization through effective communication, training, and awareness, and make security a part of all business activities. Let us attempt a quick recall question in the next screen.

3.51 Knowledge Check

This question will help you to recall the concepts you have learned. In the next screen we will look at the security awareness training.

3.52 Security Awareness Training

Awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks in an organization. Security awareness training must include all stakeholders so that they have knowledge and awareness of the organization’s information assets. Training should be conducted periodically, based on the organization’s risk or threat environment. Let’s learn more about security awareness training in the next screen.

3.53 Security Awareness Training (contd.)

Some of the topics that are covered as part of security awareness training are:
• Physical security, which also includes environmental controls;
• Desktop security, such as ensuring that employees always lock their computers when they leave their workstations;
• Wireless networks and security;
• Malware threats;
• Social engineering threats;
• Backup of information and data;
• Organization-specific proprietary information and classification; and
• Identifying security breaches and reporting mechanisms.
Let’s learn about documentation in the next screen.

3.54 Documentation

The documentation of an information security program includes:
• Policies, operating techniques, and technical ethics;
• Technical illustrations of the infrastructure;
• Risk analyses, recommendations, and related documentation;
• Security system projects, configuration strategies, and upkeep of documentation;
• Operational registers, such as shift reports and incident tracking reports;
• Training and awareness programs; and
• Organizational charts, such as the RACI matrix, which defines who is Responsible, who is Accountable, who should be Consulted, and who is to be Informed, or the RAM model, which defines the Responsibility Assignment Matrix.
Let us continue learning about documentation in the next screen.

3.55 Documentation (contd.)

To ensure proper documentation, each document:
• Must be assigned an owner who reports updates,
• Must reflect the current status,
• Must have all controlled changes in place,
• Must be in sync with the organizational requirements, and
• Must be protected in keeping with its sensitivity.
Let us attempt a quick recall question in the next screen.

3.56 Knowledge Check

This question will help you to recall the concepts you have learned. Let’s look at project management in the next screen.

3.57 Project Management and Program Development

After learning about documentation, let us now learn about project management and program development. An information security manager plans projects and initiatives to fill the gaps between the current state of security and the desired state, to manage risk to an acceptable level. Some of the key elements to be considered in developing a project management plan include:
• Project start and completion dates,
• The development life cycle,
• The prototype to be used, and
• The tasks in each phase of development.
In the next screen we will continue to look at project management and program development.

3.58 Project Management and Program Development (contd.)

Some of the other key elements to be considered in developing a project management plan are:
• Critical points and milestones in the development process,
• Resources required to complete the project successfully,
• Matching the skill levels of available personnel,
• Task flow,
• Project costs and break-even points, and
• Project review standards.
Let us attempt a quick recall question in the next screen.

3.59 Knowledge Check

This question will help you to recall the concepts you have learned. In the next screen we will look at risk management.

3.60 Risk Management

What does risk management involve? Risk management involves:
• The identification, assessment, and prioritization of risks, including the risks related to information security program development and management;
• Adapting to business, technical, legal, and environmental changes; and
• Managing the threats that the organization faces, its vulnerabilities, and its risk profile.
Let’s look at business case development in the next screen.

3.61 Business Case Development

What does a business case mean? A business case:
• Obtains management commitment and approval for investment in business change, including programs and projects.
• Provides a structure for the planning and management of organizational change.
• Monitors the ongoing feasibility of the program or project against the business case.
In the next screen we learn about business case elements.

3.62 Business Case Elements

Business case elements include:
• Reference, which states the project name;
• Context, which defines the business objectives;
• Value proposition, which comprises the desired outcomes and benefits;
• Focus, which looks at the scope of the problem;
• Deliverables, which are the planned outcomes;
• Dependencies, which are the success factors;
• Project metrics, which include key goal indicators or key performance indicators;
• Workload, which defines the breakdown of delivery activities;
• Resources, which state the project team and funds; and
• Commitments, which include the controls within the project.
In the following screen we will learn about business case process design.

3.63 Business Case Process Design

After identifying the business case elements, let us now look at business case process design. A business case process is designed to be:
• Adaptable, to ensure it fits the risk profile;
• Consistent with all the business issues;
• Business oriented, as opposed to technology focused;
• Comprehensive, to ensure a complete evaluation;
• Understandable and simple to evaluate;
• Measurable, so that all aspects can be quantified;
• Transparent and correctly justified; and
• Clear in accountability and commitment.
Let us attempt a quick recall question in the next screen.

3.64 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at the information security program budget in the next screen.

3.65 Information Security Program Budget

Let us look at the factors to consider for an information security program budget. They are:
• Information security strategy;
• Overall IT budget;
• Knowledge of the budget process;
• Planned projects and initiatives;
• Staff size and training needs;
• Technology requirements, which can be new purchases, upgrades, or maintenance;
• Software subscriptions and licensing;
• Cost of security assessments; and
• Outsourced security services.
In the next screen, we will learn about information security program budget guidelines.

3.66 Information Security Program Budget Guidelines

The information security program budgeting guidelines involve:
• Involving senior and executive management and business units;
• Gathering any relevant input;
• Assessing the estimation techniques to use;
• Identifying alternative costing options and possible risks;
• Ensuring cost estimates are assigned to the appropriate account; and
• Documenting the estimated costs, the level of estimate, and the list of assumptions.
Let us attempt a quick recall question in the next screen.

3.67 Knowledge Check

This question will help you to recall the concepts you learned. In the next screen we learn about acceptable use policy.

3.68 Acceptable Use Policy

What do acceptable use policies mean? Acceptable use policies are an integral part of the framework of information security policies. It is common practice to ask new members of an organization to sign an acceptable use policy before they are given access to its information systems. This provides a means of communicating information security expectations to new employees in a more straightforward manner. The common elements of acceptable use statements are: • Provisions for access control; • Information classification, such as stating which information is critical to the enterprise and how it may be distributed; • Relevant data or information handling requirements; • Reporting requirements and disclosure constraints; and • Rules regarding email and Internet use, such as limiting access to social media or pornographic sites. Let us learn about information security problem management in the next screen.

3.69 Information Security Problem Management

The prime goal of information security is to assure the safety of information; when protecting information, it is the value of the information that must be protected. Information security problem management prevents the recurrence of incidents and errors through: • A systematic approach to understanding the cause; • Defining the problem; • Designing an action plan; and • Assigning tasks with a planned end date. Let us learn about vendor management in the next screen.

3.70 Vendor Management

With increased outsourcing and regulatory concerns, organizations have to carefully manage their relationships with vendors. Vendor management enables organizations: • Not only to optimally develop, manage, and control vendor contracts, • But also to manage relationships and performance for the efficient delivery of contracted products and services. It is the responsibility of the information security manager to help clients: • Meet business objectives, • Minimize potential business disruption, • Avoid deal and delivery failures, and • Ensure more sustainable multi-sourcing, while driving the most value from the vendors. Let us learn about information security program management evaluation in the next screen.

3.71 Information Security Program Management Evaluation

An information security program needs to be evaluated for compliance requirements, program management, security operations, technical security, and resource levels. Click each evaluation area to know more. • Compliance requirement evaluation ensures the program fulfills any applicable compliance standards; • Program management evaluation ensures that management supports existing programs; • Security operations management evaluation ensures that the programs fit security operational activities; • Technical security management evaluation ensures the program supports the information processing systems; and • Resource level identification ensures that financial or human resource needs are identified early to prevent deficiencies. In the next screen we look at Plan Do Check Act.

3.72 Information Security Program Management Evaluation (contd.)

Have you heard of Plan Do Check Act (PDCA)? An information security program is based on the effective, efficient management of controls that are designed and implemented to treat or mitigate threats and vulnerabilities. This is included within the Total Quality Management (TQM) system, which is based on PDCA, also called the Deming cycle. Click each level to know more. • At the Plan level, the information security program is designed; • At the Do level, the information security program is maintained; • The Check level involves a review of the program; and • The Act level involves taking corrective action. Let us attempt a quick recall question in the next screen.

3.73 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the legal, physical, and environmental factors in the next screen.

3.74 Legal, Physical and Environmental Factors

An information security program must cover suitable physical security policies and control devices for information assets. The level of security depends on various factors. They are: • The sensitivity of data or information, • Business significance of applications processed, and • The cost of equipment and availability of backup equipment. Let us continue to look at the legal, physical, and environmental factors in the next screen.

3.75 Legal, Physical and Environmental Factors (contd.)

After learning about the legal, physical, and environmental factors, you will now identify the items that will ensure better security policies. They are: • Lawful standards related to confidential information and transactions, • Collection and handling of audit records, • E-mail retention policies, • Incident investigation procedures, • Cooperation with legal authorities, and • Investigation or monitoring of employees for inappropriate behavior. In the following screen we will look at the ethics.

3.76 Ethics

Ethics is a very important factor in any organization, and most organizations provide training on ethics to convey what the organization considers appropriate and inappropriate behavior. All employees must read, understand, and accept the organizational code of ethics. The code of ethics should address activities such as: • Monitoring users; • Penetration testing; and • Access to sensitive data, conflicts of interest, or activities that are detrimental to the organization. Let us look at the cultural and regional differences in the next screen.

3.77 Cultural and Regional Differences

The policies and procedures of an information security program need to take into account the: • Perceptions, customs, and behaviors that might differ across regions and cultures; • Laws of the land in terms of the sharing of personal information; and • Elements of policies and procedures that may be culturally offensive. In order to develop strategies for addressing differences across the regions and cultures represented within the organization, the information security manager must work together with the human resources department. We will look at the logistics related to the information security program in the next screen.

3.78 Logistics

An information security program must address logistic issues such as: • Cross-organizational strategic planning and execution, • Project and task management, • Coordination of committee meetings and activities, • Schedules of regularly performed procedures, • Resource prioritization including managing workload, and • Security of resources and activities with larger projects and operations. A few questions will be presented in the following screens. Select the correct option and click Submit to see the feedback.

3.79 Security Program Services and Operational Activities

An information security manager plays a vital role in an organization. Information security responsibilities must be distributed over a variety of job functions. • The information security manager should set clear policies and assist in process coordination; management in all areas must also assist in providing oversight. • For effective information security program development and management, the information security manager must maintain ongoing relationships with all business entities within the organization. • The information security manager should liaise with the following teams within an organization: physical and corporate security; information technology audit; the information technology unit; business unit managers; procurement and supply chain; the compliance and privacy sections; the legal department and training teams; quality assurance and insurance; third-party management; and the project management office. In the next screen we learn about incident response.

3.80 Incident Response

What do you mean by an incident response? Incident response is an operational requirement for the information security program. It provides first responders to the inevitable security incidents experienced in virtually all organizations. The objectives include: • Quickly identifying and containing incidents, • Preventing significant interruptions to business activities, • Restoring the affected services, • Determining their root causes, and • Implementing improvements to prevent recurrence. In the next screen, we will look at the security review and audits.

3.81 Security Review and Audits

After learning about incident response, you will now understand the concept of security reviews and audits. The information security manager must have a consistent and standardized approach to assessing and evaluating the various aspects of the information security program. This provides a metric for improving those aspects and can be accomplished using a security review process. The process for all security reviews and audits must define objectives, scope, constraints, approach, and results. An information security program: • Should have established policies, standards, and procedures that are formally documented; and • Must integrate with internal and/or external auditing activities. The information security manager should coordinate with organizational auditors and audit coordinators to ensure that time and resources are allocated to address audit activities. Let us attempt a quick recall question in the next screen.

3.82 Knowledge Check

This question will help you to recall the concepts you have learned. In the next screen, we will learn about management of security technology.

3.83 Management of Security Technology

An information security program employs a number of technologies that require effective management and operations to achieve optimal value in service delivery and resource management. Although information security spans technical, operational, and managerial domains, the actual implementation of information processing is primarily technical. The information security manager and the larger security organization are often considered the primary source of technical security subject matter expertise within an organization. Therefore, the information security manager must work with: • The security steering committee, • Senior management, and • Other security stakeholders, to establish the scope and approach for technical skills delivery. In the next screen, we will learn about due diligence.

3.84 Due Diligence

What is due diligence? Due diligence relates to the notion of the standard of due care. Ideally, it involves steps that should be taken by a reasonable person in certain circumstances. Components of due diligence include: • Senior management support; • Comprehensive policies, standards and procedures; • Appropriate security education, training, and awareness throughout the organization; • Periodic risk assessments; effective backup and recovery processes; • Implementation of adequate security controls; • Effective monitoring and metrics of the security program; • Effective compliance efforts; and • Tested business continuity and disaster recovery plans. In the next screen we will look at the compliance monitoring and enforcement.

3.85 Compliance Monitoring and Enforcement

Compliance enforcement refers to any activity within the information security program that is designed to ensure compliance with the security policies, standards, and procedures. Compliance includes policy compliance, standards compliance, resolution of noncompliance issues, and compliance enforcement. Click each to know more. • Policy compliance ensures that policies are comprehensive enough to cover all applications, situations, and organizational data and information; • Standards compliance provides the boundaries of options for systems, processes, and actions that will comply with the policies; • Resolution of noncompliance issues addresses issues that might otherwise result in elevated risk; and • Compliance enforcement ensures that information security standards and activities are fulfilled. Let us attempt a quick recall question in the next screen.

3.86 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the risk and business impact assessment in the next screen.

3.87 Risk and Business Impact Assessment

The information security manager should always ensure that risk is kept at tolerable and acceptable levels. This is facilitated by carrying out vulnerability and threat assessments and by ensuring that these are continuously monitored. A Business Impact Assessment (BIA): • Helps in establishing high-level prioritization, and • Is based on risk assessment results. The information security manager should guide BIAs by cataloging the organization’s information assets. By mapping information assets, including processing services and data resources, to specific organizational functions (for example, finance and customer service), the information security manager demonstrates the organization’s operational dependency on the information assets. We will now look at resource dependency assessment in the next screen.

3.88 Resource Dependency Assessment

If resource or other constraints do not allow for a comprehensive risk assessment or BIA, a business dependency assessment can be an alternative that provides the basis for allocating available resources. A business dependency assessment: • Reviews what resources are used to conduct business, which is the first step of a business impact analysis; • Identifies the critical assets and resources; and • Provides a high-level basis for allocating protection efforts. Let us attempt a quick recall question in the next screen.

3.89 Knowledge Check

This question will help you to recall the concepts you have learned. We will learn about outsourcing and service providers in the next screen.

3.90 Outsourcing and Service Providers

Do you know the types of outsourcing? The types of outsourcing that an information security manager needs to manage are: • Third-party providers of security services, and • Outsourced IT or business processes. The information security manager should always keep in mind that obtaining services from outside providers does not: • Affect the security responsibility of the organization, or • Mean that responsibility has been delegated. We will continue to learn about outsourcing and service providers in the next screen.

3.91 Outsourcing and Service Providers (contd.)

Let’s now learn about some common risks faced when outsourcing, such as invisible security processes, loss of important skills, unreliable vendors, regional, ethical, and cultural differences, complex incident management, and vendor access control. Click each risk to know more. • Security processes that are invisible to the information security manager; • Loss of important skills and technical skills that cannot be easily reacquired; • Unreliable vendors who do not meet the service level agreement; • Regional, ethical, and cultural differences, especially where the outsourced party sits in a different country; • Complex incident management procedures that might not address the company’s needs; and • Vendor access to the company’s systems, which might not be easily controlled. For example, if an employee of the third-party vendor leaves the vendor organization, the company might not learn in time that the employee has exited, and therefore that employee’s access to systems cannot be revoked in time. Let us attempt a quick recall question in the next screen.

3.92 Knowledge Check

This question will help you to recall the concepts you have learned. Let us learn about third party access in the next screen.

3.93 Third-party Access

Third-party access to the information security manager’s organization’s processing facilities should be controlled based on a risk assessment and must be clearly defined in a service level agreement (SLA). The SLA states that: • Access should be granted only on signing a contract; • Access should be granted on the three security principles of least privilege, need-to-know, and need-to-do; • Access must be based on clearly defined methods of access, access rights, and level of functionality; and finally • Access should be approved by the asset owner. Let’s learn more about third-party access in the next screen.

3.94 Third-party Access (contd.)

Let’s now look at the responsibilities of the information security manager. The information security manager on a regular basis should review: • The criticality of information to which access rights are given • The criticality of privileges given, and • The period of contract Let us attempt a quick recall question in the next screen.
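The two review criteria above (the criticality of privileges given and the period of contract), together with the vendor-access risk from screen 3.91 (a vendor employee leaves but the account is never revoked), can be turned into a routine check over the third-party account inventory. The following is an added example, not part of the Simplilearn course material; the account records, the review date, and the review intervals (90 days for admin accounts, 365 days for standard accounts) are constructed assumptions.

```python
"""Third-party access review (constructed example).

Flags active vendor accounts whose contract has already ended, and accounts whose
last access review is older than the interval assumed for their privilege level.
"""
from datetime import date, timedelta

# Constructed sample of third-party accounts; not data from any real organization.
THIRD_PARTY_ACCOUNTS = [
    {"vendor": "VendorA", "account": "va-svc-01", "privilege": "admin",
     "contract_end": date(2024, 1, 31), "last_review": date(2023, 11, 15), "active": True},
    {"vendor": "VendorA", "account": "va-user-02", "privilege": "standard",
     "contract_end": date(2025, 6, 30), "last_review": date(2024, 4, 1), "active": True},
    {"vendor": "VendorB", "account": "vb-user-01", "privilege": "standard",
     "contract_end": date(2024, 12, 31), "last_review": date(2023, 1, 10), "active": True},
    {"vendor": "VendorB", "account": "vb-adm-02", "privilege": "admin",
     "contract_end": date(2025, 3, 31), "last_review": date(2024, 5, 2), "active": False},
]

# Assumed review cadence: the more critical the privilege, the shorter the interval.
REVIEW_INTERVAL_DAYS = {"admin": 90, "standard": 365}

# Constructed date on which the review is run.
EXAMPLE_REVIEW_DATE = date(2024, 6, 1)


def review_third_party_access(accounts, today):
    """Return (account, reason) findings for active accounts that need action.

    Check 1 (period of contract): access must not outlive the contract.
    Check 2 (criticality of privileges): reviews become overdue faster for
    higher-privilege accounts. Accounts already revoked are skipped.
    """
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue
        if acct["contract_end"] < today:
            findings.append((acct["account"], "contract expired but access still active"))
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[acct["privilege"]])
        if today - acct["last_review"] > interval:
            findings.append((acct["account"], f"{acct['privilege']} access review overdue"))
    return findings


def accounts_to_revoke(accounts, today):
    """Active accounts whose contract has ended: these are revoked first."""
    return sorted(a["account"] for a in accounts
                  if a["active"] and a["contract_end"] < today)


def run_example_review():
    """Run both checks against the constructed inventory on the constructed date."""
    return review_third_party_access(THIRD_PARTY_ACCOUNTS, EXAMPLE_REVIEW_DATE)


if __name__ == "__main__":
    for account, reason in run_example_review():
        print(f"{account}: {reason}")
    print("revoke:", accounts_to_revoke(THIRD_PARTY_ACCOUNTS, EXAMPLE_REVIEW_DATE))
```

In a real program the inventory would be exported from the identity system and the contract end dates from procurement; the point of the check is that the two data sources are compared on a schedule, so that a contract ending (or a vendor employee leaving) is noticed by the organization rather than left to the vendor to report.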

3.95 Knowledge Check

This question will help you to recall the concepts you have learned. In the following screen we will look at the outsourcing contracts.

3.96 Outsourcing Contracts

Let’s look at the responsibilities of the information security manager in an outsourcing contract. In an outsourcing contract the information security manager should: • Ensure that the parties to the contract are aware of their responsibilities and rights; • Provide means to address disagreements; and • Ensure that, once the contract is in force, it includes provisions for security and information protection. The areas an information security manager should be concerned with in a contract include: • Specification of the outsourced services; • Capture of the security requirements; • Securing of information assets; and • The right to audit. In the following screen we will continue to look at outsourcing contracts.

3.97 Outsourcing Contracts (contd.)

Some more areas with which an information security manager should be concerned in a contract are: • Incident management; • Non-disclosure agreements; • Protection of intellectual property; • Meeting specific legal and regulatory requirements; and • Return of information assets after expiry of the contract. In the following screen we will learn about cloud computing.

3.98 Cloud Computing

Do you know what cloud computing is? Cloud computing is a technology that uses the Internet and central remote servers to maintain data and applications. The advantages of cloud computing include cost, scalability, reliability, performance, and agility. Click each advantage to know more. • Cloud technology is paid for incrementally, which means you pay as you use, thereby saving the organization money; • The cloud can be scaled on demand when more computing is needed; • With the redundancies put in place by cloud computing service providers, the cloud is more reliable than traditional methods; • Cloud providers monitor continuously, which increases performance; and • Infrastructure can be provisioned easily, making the cloud agile to the organization’s needs. In the following screen we will learn more about cloud computing.

3.99 Cloud Computing (contd.)

For organizations where security is not considered a high priority, cloud computing is a significant improvement. The information security manager must carefully assess the security issues of the cloud provider. The issues include: • Loss of control over sensitive data; • Location of data, which may be outside the country and thus subject to different privacy legislation; • Availability of logs for review; and • Whether the levels of security available fit the organization’s standards. Let us attempt a quick recall question in the next screen.

3.100 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the service models in the next screen.

3.101 Cloud Service and Deployment Models

Do you know the different service models in cloud computing? The three service models in cloud computing are Infrastructure as a Service, Platform as a Service, and Software as a Service. Click each service model to know more. • In an Infrastructure as a Service (IaaS) setup, the cloud provider provisions storage, processing, network, and other resources, and the client installs their own software. For example, a service provider gives you cloud storage on which you have to install the operating system and all the other applications that are needed. • In a Platform as a Service (PaaS) setup, the cloud provider provisions infrastructure with applications that the client can run on the cloud; the tools are supported by the service provider. For example, a custom payroll application in the cloud that can be accessed by various clients. • In a Software as a Service (SaaS) setup, the client uses the cloud provider’s application running on the provider’s servers. For example, the client can access a web mail client through the browser. Let us continue with the service models in the next screen.

3.102 Cloud Service and Deployment Models (contd.)

After learning about the three service models in cloud computing, let’s look at the types of cloud deployment. There are various types of cloud deployment, such as private cloud, community cloud, public cloud, and hybrid cloud. Click each type of cloud deployment to know more. • In a private cloud, the cloud infrastructure is provisioned for and provided to a single organization. The organization can manage this setup, or a third party can do it on its behalf; • A community cloud is where the infrastructure is shared by several organizations with communal interests or missions; • In a public cloud setup, a cloud service provider sets up an infrastructure that can be accessed by the general public, for example, the Google Cloud that is accessible to anyone; and • A hybrid cloud comprises a composition of private, community, or public clouds, but the technology in use should be proprietary or unique to ensure that it can be ported between any of these cloud deployments. Let us attempt a quick recall question in the next screen.

3.103 Knowledge Check

This question will help you to recall the concepts you have learned. We will look at integration with system development lifecycles in the next screen.

3.104 Integration with System Life Cycle Processes

To integrate security with the system life cycle processes, the information security manager: • Must define and provide interfaces between the organization’s security-related functions and its assurance function processes; • Must define baseline security controls as a standing requirement for all new systems development; and • Must include risk and protection considerations in the software development life cycle. We will continue with integration with system development life cycles in the next screen.

3.105 Integration with System Life Cycle Processes (contd.)

The information security manager includes risk and protection considerations in the software development life cycle by addressing: • Security requirements and feasibility; • Solution architecture and design, including security controls; • Proof of concept; • Full development and coding that ensures the software is secure by design; • Integration testing, including penetration tests, and deployment; • Quality and acceptance testing; • Deployment and maintenance; and lastly • The systems’ end of life. In the following screen we will learn about change management and release management.

3.106 Change Management and Release Management

What are change and release management? Organizations use standardized methods and procedures for the controlled, efficient, and prompt handling of all IS program changes. This process is called change management. Change management responds to business and IT requests for change in a way that aligns the security objectives with the business objectives. The information security manager should: • Identify all the change management processes that are used by the organization; • Implement processes that address the security implications of each change management process; • Monitor and maintain security continuously, as new vulnerabilities may be introduced as a result of system or process changes; and • Introduce security as part of the development cycle for internal applications. In the following screen we will continue to learn more about change management and release management.

3.107 Change Management and Release Management (contd.)

Let us look at release management. Adequate security testing in release management reduces the chances of operational failure by: • Ensuring adequate testing has been performed • Ensuring required conditions exist for the correct operation of new software or systems A few questions will be presented in the following screens. Select the correct option and click Submit to see the feedback.

3.108 Information Security Controls and Countermeasures

After understanding the concept of change and release management, let’s look at information security controls. Controls are designed to provide reasonable assurance that business objectives are achieved and that unwanted events are detected and corrected. Controls include: • Policies, • Procedures, • Practices, • Technologies, and • Organizational structures. Controls should be automated as far as possible. The selection of security controls should be based on: • Their usefulness, • Their financial effectiveness for business activities, and • The optimal form of control. In the following screen, we will continue to learn more about information security controls and countermeasures.

3.109 Information Security Controls and Countermeasures (contd.)

After learning about information security controls, let’s now understand the categories of controls. There are five categories of controls: preventive, detective, compensatory, deterrent, and corrective. A countermeasure is another control that is put in place for a specific threat; we will look at countermeasures in more detail later. Click each control type to know more about its function. • Preventive controls inhibit the violation of a control; for example, requiring a password ensures that no one can access a computer system without it. • Detective controls report or warn of violations, or attempted violations, of policies; a good example is an audit log that would show violations of a security policy. • Compensatory controls provide mitigation where a primary control is missing or weak. • Deterrent controls warn potential violators, such as a legal warning banner displayed to users of a computer system. • Corrective controls provide a remediation plan after the control has been violated, such as having a backup in case the computer system goes down. Let us attempt a quick recall question in the next screen.

3.110 Knowledge Check

This question will help you to recall the concepts you have learned. We will look at control design in the next screen.

3.111 Control Design

In today’s regulated environment, controls and countermeasures should be approached based on risk. Hence an information security manager must recognize the security value of IT products. Let’s now look at the principles used while designing controls. They are: • Access control within the company, whether Mandatory Access Control (MAC) or Discretionary Access Control (DAC); • Secure failure, that is, how the control behaves when there is a malfunction; • The principle of least privilege; • Compartmentalization, to minimize damage; • Segregation of duties, where a user is not supposed to hold two functions of which one is supposed to supervise the other; • Transparency of the control design to end users; and • Trust, where a user can be authenticated based on a certificate issued by a trusted authority, while avoiding reliance on trusting individuals and ensuring controls are in place instead. Let us look at control strengths and methods in the next screen.
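Two of the design principles listed above, segregation of duties and least privilege, can be checked mechanically against an organization’s role assignments. The following is an added example and not part of the course material: the conflicting function pairs, the role definitions, the user assignments, and the usage records are all constructed, and the check is the generic one (a user holds both halves of a conflict pair through any combination of roles) rather than a single case.

```python
"""Segregation-of-duties and least-privilege review over role assignments (constructed example)."""

# Constructed function pairs that must not be held by one person: in each pair one
# function initiates an action and the other is supposed to supervise or approve it.
SOD_CONFLICTS = {
    frozenset({"create_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_to_production"}),
}

# Constructed mapping of roles to the functions each role grants.
ROLE_FUNCTIONS = {
    "ap_clerk": {"create_payment", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "developer": {"develop_code"},
    "release_engineer": {"deploy_to_production"},
    "reporting": {"view_reports"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},                      # creates and approves payments
    "bob": {"ap_clerk"},
    "carol": {"developer", "release_engineer", "reporting"},  # writes and deploys code
    "dave": {"reporting", "ap_manager"},
}

# Constructed record of which functions each user actually exercised in the review period.
FUNCTIONS_USED = {
    "alice": {"create_payment"},
    "bob": {"create_payment", "create_vendor"},
    "carol": {"develop_code", "deploy_to_production"},
    "dave": {"view_reports"},
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """All functions a user holds through every role assigned to them."""
    funcs = set()
    for role in user_roles.get(user, set()):
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """Return {user: sorted list of conflicting pairs} for users holding both halves of a pair.

    The check runs on effective functions, so a conflict is caught whether it comes
    from one over-broad role or from two roles that are harmless on their own.
    """
    violations = {}
    for user in user_roles:
        funcs = effective_functions(user, user_roles, role_functions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= funcs]
        if hits:
            violations[user] = sorted(hits)
    return violations


def unused_functions(user, used=FUNCTIONS_USED):
    """Least privilege: functions granted to the user but never exercised in the period."""
    return effective_functions(user) - used.get(user, set())


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"SoD conflict for {user}: {pairs}")
    for user in USER_ROLES:
        print(f"{user} holds but did not use: {sorted(unused_functions(user))}")
```

Unused functions are candidates for removal rather than automatic revocations: some are legitimately exercised only occasionally, which is why the result is presented to the asset owner for a decision instead of being applied directly.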

3.112 Control Strengths and Methods

The strength of a control can be measured in terms of its inherent or design strength and the likelihood of its effectiveness, depending on the type of control being evaluated. Security controls are technical and nontechnical. Click each type to know more. Technical controls are identification and authentication mechanisms, encryption methods, and intrusion detection software that are incorporated into: • Computer hardware, • Software, and • Firmware. Nontechnical controls are management and operational controls such as: • Security policies, • Operational procedures and personnel, and • Physical and environmental security. Let us attempt a quick recall question in the next screen.

3.113 Knowledge Check

This question will help you to recall the concepts you have learned. We will look at the elements of controls in the next screen.

3.114 Elements of Control

The goal of controls is to reduce risk of information assets to an acceptable level. The following factors have to be considered when recommending controls: • Effectiveness • Compatibility with other impacted systems, processes, and controls • Relevant legislation and regulation • Organizational policy and standards • Organizational structure and culture • Safety and reliability, and • Operational impact Let us discuss the countermeasures on the next screen.

3.115 Counter measures

What do countermeasures provide? Countermeasures: • Provide targeted protection, which makes them less efficient than general safeguards; • Are not necessarily less cost-effective; and • Are deployed to address specific threats, which adds financial burden and can become a distraction from core security operations. The information security manager should therefore deploy countermeasures only: • With clear justification, • With due caution, and • When the existing safeguards fail to mitigate the threat. Let us attempt a quick recall question in the next screen.

3.116 Knowledge Check

This question will help you to recall the concepts you have learned. Let’s discuss physical and environmental controls in the next screen.

3.117 Physical and Environmental Controls

What are physical and environmental controls? Physical and environmental controls: • Are a specialized set of general controls upon which all computing facilities, as well as personnel, depend; • Prevent damage to facilities and other tangible resources that may be caused by natural or technological events; and • Provide the physical security that is implemented through things like electronic locks, cameras, and motion detectors. The information security manager has to understand the roles and responsibilities for interfacing with the various local physical security organizations if the facilities are geographically dispersed. Let’s discuss the types of control technologies in the next screen.

3.118 Types of Control Technologies

There are three types of control technologies: native control, supplemental control, and management support. Click each technology to know more. • Native control technologies are integrated into an organization’s information systems, for example, an operating system requiring a password before logging in; • Supplemental control technologies are additional controls added on top of the native controls, such as firewalls and intrusion prevention systems; and • Management support technologies automate procedures and provide management information, for example, a security information and event management (SIEM) tool. Let us attempt a quick recall question in the next screen.

3.119 Knowledge Check

This question will help you to recall the concepts you have learned. Let us discuss more on the components and architecture of technical control in the next screen.

3.120 Components and Architecture of Technical Control

Information security program management includes dealing with a wide range of technical components. Hence the information security manager must clearly follow a set of measurable criteria to monitor performance metrics of controls. The criteria for analyzing technical security architecture and components are: • Control placement within the organization • Control effectiveness and reliability • Control efficiency and utilization • Control policy and configuration, and • Control implementation in accordance with company policies Let’s discuss control testing and modification in the next screen.

3.121 Control Testing and Modification

After analyzing technical security architecture and components, let’s look at control testing and modification. Any change in the technical or operational environment can alter the protective effect of controls, leaving the existing controls unable to mitigate conditions they were not designed for. The following control testing and modification activities need to be taken care of for effective security: • Periodic testing of controls; • Acceptance testing; • Review and approval of operational procedures; • Requisite changes to process inputs, activity steps, approvals or reviews, and process results; • Workload considerations; and • Providing additional training if required. Let us attempt a quick recall question in the next screen.

3.122 Knowledge Check

This question will help you to recall the concepts you have learned. Let’s discuss baseline controls in the next screen.

3.123 Baseline Controls

Well-defined baseline security controls should be the standing requirement for all new systems development. All baseline controls should:
• Start with the requirements phase
• Support each phase of the system development life cycle (SDLC)
• Involve information security program management in the quality and acceptance phases, and
• Ensure that the application meets its control objectives
A few questions will be presented in the following screens. Select the correct option and click Submit to see the feedback.

3.124 Information Security Program Metrics and Monitoring

After learning about baseline controls, let’s now learn about information security program metrics and monitoring. The information security manager must know how to continually monitor security programs and controls. Monitoring might be quantitative and technical, or it may be qualitative and imprecise. The metrics that can be used to provide quantitative monitoring are:
• Number of un-remediated vulnerabilities
• Number of closed audit items
• Number or percentage of user accounts in compliance with standards
• Perimeter penetrations
• Unresolved security variances
Let us discuss metrics development in the next screen.

3.125 Metrics Development

Considerations made in developing metrics ensure that they are:
• Manageable, by being easily collected, stored, and understood
• Meaningful and understandable to the recipient
• Actionable and implementable by the recipient
• Unambiguous and clear
• Reliable
• Timely
• Accurate
• Predictive, and
• Valuable
Let us continue to discuss metrics development in the next screen.

3.126 Metrics Development (contd.)

After learning about the considerations made in developing metrics, let’s identify the levels of metrics. Metrics need to provide information at one or more of three levels: strategic, management, and operational.
• Strategic metrics are compilations of other management metrics which indicate that the information security program is on track, on target, and on budget to achieve the desired outcomes.
• Management metrics are needed to manage the information security program, such as the level of policy and standards compliance, incident management and response effectiveness, and manpower and resource utilization.
• Operational metrics are the more common technical and procedural metrics, such as open vulnerabilities, patch management status, and so on.
We will attempt a quick recall question in the next screen.

3.127 Knowledge Check

This question will help you to recall the concepts you have learned. Let’s discuss monitoring approaches in the next screen.

3.128 Monitoring Approaches

Let’s now learn about the characteristics of monitoring approaches.
• Effective metrics require that a baseline is established for each measurement, and they should have Specific, Measurable, Attainable, Repeatable, and Time-dependent (SMART) attributes.
• The organization’s change management activities should be fed into the monitoring program. Metrics are important and should be updated regularly.
• Metrics must be regularly reviewed, and any unusual outcomes must be reported. A proactive plan must be developed to address unusual activity that may lead to a security breach or failure.
Let us discuss measuring support of organizational objectives in the next screen.

3.129 Measuring Support of Organizational Objectives

Let’s now learn about the qualitative measures that support organizational objectives. The qualitative measures can be reviewed by the information security steering committee and/or executive management. They are:
• A documented correlation between key organizational milestones and the objectives of the information security management program
• The successful completion of the information security objectives that were in support of organizational goals
• The organizational goals that were not fulfilled because the information security objectives were not met
• The strength of the consensus among business units, executive management, and other information security stakeholders that the program objectives are complete and appropriate
Let us discuss measuring information security management performance in the next screen.

3.130 Measuring Information Security Management Performance

Information security management performance can be measured by looking at attainment of the following objectives:
• Minimizing the risk and loss that arise through security incidents,
• Information security objectives that assist in attaining organizational objectives,
• Achieving organizational compliance, and
• Ensuring the information security program’s operational productivity is maximized.
Let us continue to discuss measuring information security management performance in the next screen.

3.131 Measuring Information Security Management Performance (contd.)

A few other measures for measuring information security management performance are:
• Ensuring that security cost-effectiveness is maximized
• Improving organizational security awareness levels
• Ensuring the logical and operational architecture is effective
• Ensuring the program framework and resources are maximized
• Ensuring operational performance is maximized
Let us attempt a quick recall question in the next screen.

3.132 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at measuring compliance in the next screen.

3.133 Measuring Compliance

Let’s now learn about measuring compliance. The characteristics of a program that are considered while measuring its compliance are:
• If the organization must comply with compulsory or voluntary standards involving information security, the information security manager must ensure that program goals are aligned with these requirements.
• The policies, procedures, and technologies implemented by the program must fulfill the requirements of the adopted standards.
• Measurements of compliance achievement depend on the results of internal or external audits.
• The information security manager may also wish to implement automated or manual compliance monitoring with higher frequency and/or broader scope than what is achievable with incremental audits.
• In addition to actual point-in-time compliance, the program should be measured on the effectiveness of resolving identified compliance issues.
Let us discuss measuring operational productivity in the next screen.

3.134 Measuring Operational Productivity

Let’s now learn how an information security manager can maximize operational productivity. Productivity can be improved through:
• Automation technologies,
• Outsourcing of low-value operational tasks, and
• Leverage of other organizational units.
The information security manager should set specific goals for increasing the productivity of the information security management program through specific initiatives. Goals should be reviewed regularly to assess the productivity gains achieved. The information security manager should analyze data such as the cost of an employee per hour and the effort used per task to validate the worth of productivity improvement initiatives to senior management. Let us attempt a quick recall question in the next screen.

3.135 Knowledge Check

This question will help you to recall the concepts you have learned. Let’s discuss measuring security cost-effectiveness in the next screen.

3.136 Measuring Security Cost-effectiveness

Some considerations for measuring security cost-effectiveness are:
• The information security program must be financially sustainable
• This process must begin with accurate cost forecasting and budgeting
• The information security manager should implement procedures to measure the cost-effectiveness of security components, which is often achieved by monitoring cost/result ratios
• The information security manager uses the ratio of result-units per currency-unit to demonstrate cost efficiency and results
Let’s discuss measuring organizational awareness in the next screen.

3.137 Measuring Organizational Awareness

Let’s look at some considerations for measuring the awareness of an organization. They are:
• Personnel actions can present threats that can only be mitigated through education and awareness
• The information security manager must implement processes to track the ongoing effectiveness of awareness programs
• Tracking organizational awareness is most commonly achieved at the employee level
• Employee testing can indicate awareness program effectiveness
Let us discuss measuring effectiveness of technical security architecture in the next screen.

3.138 Measuring Effectiveness of Technical Security Architecture

Let’s now learn about measuring the effectiveness of technical security architecture. The information security manager must establish quantitative measures that inform management about the effectiveness of the technical security architecture. Technical security metrics can be categorized for reporting and analysis purposes by protected resource and geographic location. In addition to quantitative success metrics, there are a number of important qualitative measures that apply to the technical control environment. We will attempt a quick recall question in the next screen.

3.139 Knowledge Check

This question will help you to recall the concepts you have learned. Let us discuss measuring effectiveness of resources in the next screen.

3.140 Measuring Effectiveness of Resources

Let’s now learn about measuring the effectiveness of resources. Methods of tracking the program’s success include:
• Tracking the frequency of issue recurrence
• Monitoring the level of operational knowledge capture and dissemination
• The degree to which process implementations are standardized
• Clarity and completeness of documented information security roles and responsibilities
• Information security functions incorporated into every project plan
• Efforts and results in making the program more productive and cost-effective
Let us discuss measuring operational performance in the next screen.

3.141 Measuring Operational Performance

Measures of security operational performance include:
• Average time to identify, escalate, isolate, and contain incidents
• Average time between vulnerability detection and resolution
• Quantity, frequency, and severity of incidents discovered post hoc
• Average time between vendor release of vulnerability patches and their application
• Percentage of systems audited within a certain period
• Number of changes released without full change control approval
Let’s learn about monitoring and communication in the next screen.
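The quantitative metrics of screen 3.124, the per-metric baseline and variance reporting of screen 3.128, and the operational performance measures just listed can all be derived from the same kind of records. The following is an added example, not part of the course material: it builds a handful of constructed incident, vulnerability, patch, audit and change records, computes the operational measures from them, and compares each against a hypothetical SMART baseline so that any unusual outcome is flagged as a variance to report. All record values, thresholds and identifiers (INC-1, VULN-1, PATCH-1 and so on) are invented for illustration.

```python
"""Operational security metrics from constructed sample records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    id: str
    occurred: datetime    # when the harmful activity actually began
    identified: datetime  # when the security team first detected it
    contained: datetime   # when the incident was contained
    post_hoc: bool        # discovered only after the fact (e.g. by an audit)


# --- Constructed sample data (hypothetical; not real events) ----------------
T0 = datetime(2024, 3, 1, 8, 0)
H = timedelta(hours=1)

INCIDENTS = [
    Incident("INC-1", T0, T0 + 2 * H, T0 + 6 * H, False),
    Incident("INC-2", T0 + 24 * H, T0 + 30 * H, T0 + 40 * H, True),
    Incident("INC-3", T0 + 48 * H, T0 + 49 * H, T0 + 52 * H, False),
]
VULNS = {"VULN-1": (T0, T0 + 72 * H),            # (detected, resolved)
         "VULN-2": (T0 + 10 * H, T0 + 34 * H)}
PATCHES = {"PATCH-1": (T0 - 120 * H, T0 + 24 * H),  # (vendor release, applied)
           "PATCH-2": (T0, T0 + 48 * H)}
SYSTEMS = ["web-01", "web-02", "db-01", "app-01", "app-02"]
AUDITED_IN_PERIOD = {"web-01", "db-01", "app-01", "app-02"}
CHANGES = {"CHG-1": True, "CHG-2": False, "CHG-3": True}  # approved via change control?

# Hypothetical SMART baselines per metric; lower is better unless noted.
BASELINES = {
    "mtti_hours": 4.0,
    "mttc_hours": 12.0,
    "vuln_resolution_hours": 48.0,
    "patch_latency_hours": 72.0,
    "audited_pct_min": 90.0,   # higher is better
    "uncontrolled_changes": 0,
}


def hours(td):
    return td.total_seconds() / 3600.0


def mean_time_to_identify(incidents):
    """Average hours from the start of harmful activity to detection."""
    return mean(hours(i.identified - i.occurred) for i in incidents)


def mean_time_to_contain(incidents):
    """Average hours from detection to containment."""
    return mean(hours(i.contained - i.identified) for i in incidents)


def post_hoc_incidents(incidents):
    return [i for i in incidents if i.post_hoc]


def mean_vuln_resolution_hours(vulns):
    return mean(hours(resolved - detected) for detected, resolved in vulns.values())


def mean_patch_latency_hours(patches):
    return mean(hours(applied - released) for released, applied in patches.values())


def audited_percentage(systems, audited):
    return 100.0 * len(audited & set(systems)) / len(systems)


def uncontrolled_changes(changes):
    return [c for c, approved in changes.items() if not approved]


def compute_metrics():
    return {
        "mtti_hours": mean_time_to_identify(INCIDENTS),
        "mttc_hours": mean_time_to_contain(INCIDENTS),
        "post_hoc_incidents": len(post_hoc_incidents(INCIDENTS)),
        "vuln_resolution_hours": mean_vuln_resolution_hours(VULNS),
        "patch_latency_hours": mean_patch_latency_hours(PATCHES),
        "audited_pct": audited_percentage(SYSTEMS, AUDITED_IN_PERIOD),
        "uncontrolled_changes": len(uncontrolled_changes(CHANGES)),
    }


def variances(metrics, baselines=BASELINES):
    """Names of metrics whose value falls outside the baseline: the unusual outcomes to report."""
    out = []
    for name, limit in baselines.items():
        if name == "audited_pct_min":
            if metrics["audited_pct"] < limit:
                out.append("audited_pct")
        elif metrics[name] > limit:
            out.append(name)
    return out


if __name__ == "__main__":
    m = compute_metrics()
    for k, v in m.items():
        print(f"{k:>24}: {v:.1f}" if isinstance(v, float) else f"{k:>24}: {v}")
    print("variances to report:", variances(m))
```

With the constructed records, mean time to identify is within baseline, but patch latency, the percentage of systems audited, and the count of changes released without approval all fall outside their baselines and are returned by variances(). The baseline dictionary is the place where a real program would record the SMART target agreed for each measure, and the comparison direction (higher or lower is better) must be stated per metric rather than assumed.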

3.142 Monitoring and Communication

The information security manager should consider the development of a central monitoring environment that provides analysts visibility into all enterprise information resources. Each organization needs to determine which security events are most pertinent in terms of affected resource and event type. Let us discuss common information security challenges in the next screen.

3.143 Common Information Security Challenges

Common information security challenges include the following:
• Organizational resistance due to changes in areas of responsibility introduced by the information security program
• The wrong perception that increased security will reduce the access required for job functions
• Over-reliance on subjective metrics
• Failure of strategy
• Assumptions of procedural compliance without confirming oversight
• Ineffective project management delaying security initiatives
• Previously undetected broken or buggy software
• Inadequate management support
• Inadequate funding
• Inadequate staffing
Let us continue to discuss the common information security challenges in the next screen.

3.144 Common Information Security Challenges (contd.)

The information security manager also needs to be aware of:
• The common challenges to effective information security management
• The reasons behind those challenges
• The strategies for addressing them
A few questions will be presented in the following screens. Select the correct option and click Submit to see the feedback.

3.145 Quiz

The quiz will help you to check your understanding of the concepts covered.

3.146 Summary

Here is a quick recap of what we have learned:
• An overview of the information security program – information security program development and management.
• The roles and functions of an information security manager.
• The importance of the information security program and its outcomes.
• The objectives and outline of the information security program.
• The scope (3 Ps – People, Processes, and Policies) and other concerns faced by the information security program.
• The challenges faced in the development and management of the information security program.
• The definition of the information security management framework.
• COBIT and its four phases.
• ISO/IEC 27001 and the various areas it covers.
Let us continue with the recap in the next screen.

3.147 Summary (contd.)

• There are four categories of controls.
• There are two types of control methods, namely technical and non-technical.
• There are three types of control technologies, namely native, supplemental, and management support.
• Architectural implementation protects the system by implementing security mechanisms.
• SABSA is a framework and methodology for Enterprise Security Architecture and Service Management.
• The IS program includes management and administrative activities.
• Risk management and business case development are an important part of a security program.
• Ethics, knowledge of cultural variances, and logistics play a key role in the security programs of the organization.
Let us continue with the recap in the next screen.

3.148 Summary (contd.)

• Considerations made in developing metrics include ensuring they are manageable, meaningful, actionable, and unambiguous.
• Metrics can be categorized as strategic, management, and operational.
• The IS manager should recognize that the maximum value of a successful measure is in analyzing why an objective was or was not met.
• The IS manager should be cognizant of:
  • Common challenges to effective information security management
  • The reasons behind those challenges
  • Strategies for addressing them

3.149 Concludes

This concludes the domain on Information Security Program Development and Management. The next domain will focus on Information Security Incident Management.
