
CISM Information Security Governance 1

ジャネス | 2010-09-03 03:16:57 | Bahamut coins 0 | Views 444

Task Statements (TS)
- TS01 Develop an information security strategy aligned with business goals and objectives.
- TS02 Align information security strategy with corporate governance.
- TS03 Develop business cases justifying investment in information security.
- TS04 Identify current and potential legal and regulatory requirements affecting information security.
- TS05 Identify drivers affecting the organization (e.g. technology, business environment, risk tolerance, geographic location) and their impact on information security.
- TS06 Obtain senior management commitment to information security.
- TS07 Define roles and responsibilities for information security throughout the organization.
- TS08 Establish internal and external reporting and communication channels that support information security.

Knowledge Statements (KS)
- KS01 Knowledge of business goals and objectives
- KS02 Knowledge of information security concepts
- KS03 Knowledge of the components that comprise an information security strategy (e.g. processes, people, technologies, architectures)
- KS04 Knowledge of the relationship between information security and business functions
- KS05 Knowledge of the scope and charter of information security governance
- KS06 Knowledge of concepts of corporate and information security governance
- KS07 Knowledge of methods of integrating information security governance into the overall enterprise governance framework
- KS08 Knowledge of budgetary planning strategies and reporting methods
- KS09 Knowledge of methodologies for business case development
- KS10 Knowledge of the types and impact of internal and external drivers (e.g. technology, business environment, risk tolerance) that may affect organizations and information security
- KS11 Knowledge of regulatory requirements and their potential business impact from an information security standpoint
- KS12 Knowledge of common liability management strategies and insurance options (e.g. crime or fidelity insurance, business interruptions)
- KS13 Knowledge of third-party relationships and their impact on information security (e.g. mergers and acquisitions, partnerships, outsourcing)
- KS14 Knowledge of methods used to obtain senior management commitment to information security
- KS15 Knowledge of the establishment and operation of an information security steering group
- KS16 Knowledge of information security management roles, responsibilities and general organizational structures
- KS17 Knowledge of approaches for linking policies to enterprise business objectives
- KS18 Knowledge of generally accepted international standards for information security management
- KS19 Knowledge of centralized and distributed methods of coordinating information security activities
- KS20 Knowledge of methods for establishing reporting and communication channels throughout an organization

Task Statements (TS) and Knowledge Statements (KS) Mapping

TS01 Develop an information security strategy aligned with business goals and objectives.
- KS01 Knowledge of business goals and objectives
- KS02 Knowledge of information security concepts
- KS03 Knowledge of the components that comprise an information security strategy (e.g. processes, people, technologies, architectures)
- KS04 Knowledge of the relationship between information security and business functions
- KS05 Knowledge of the scope and charter of information security governance
- KS12 Knowledge of common liability management strategies and insurance options (e.g. crime or fidelity insurance, business interruptions)
- KS17 Knowledge of approaches for linking policies to enterprise business objectives
- KS18 Knowledge of generally accepted international standards for information security management
- KS19 Knowledge of centralized and distributed methods of coordinating information security activities

TS02 Align information security strategy with corporate governance.
- KS04 Knowledge of the relationship between information security and business functions
- KS06 Knowledge of concepts of corporate and information security governance
- KS07 Knowledge of methods of integrating information security governance into the overall enterprise governance framework
- KS15 Knowledge of the establishment and operation of an information security steering group

TS03 Develop business cases justifying investment in information security.
- KS01 Knowledge of business goals and objectives
- KS08 Knowledge of budgetary planning strategies and reporting methods
- KS09 Knowledge of methodologies for business case development
- KS15 Knowledge of the establishment and operation of an information security steering group

TS04 Identify current and potential legal and regulatory requirements affecting information security.
- KS11 Knowledge of regulatory requirements and their potential business impact from an information security standpoint
- KS15 Knowledge of the establishment and operation of an information security steering group

TS05 Identify drivers affecting the organization (e.g. technology, business environment, risk tolerance, geographic location) and their impact on information security.
- KS10 Knowledge of the types and impact of internal and external drivers (e.g. technology, business environment, risk tolerance) that may affect organizations and information security
- KS11 Knowledge of regulatory requirements and their potential business impact from an information security standpoint
- KS13 Knowledge of third-party relationships and their impact on information security (e.g. mergers and acquisitions, partnerships, outsourcing)

TS06 Obtain senior management commitment to information security.
- KS14 Knowledge of methods used to obtain senior management commitment to information security
- KS15 Knowledge of the establishment and operation of an information security steering group

TS07 Define roles and responsibilities for information security throughout the organization.
- KS16 Knowledge of information security management roles, responsibilities and general organizational structures

TS08 Establish internal and external reporting and communication channels that support information security.
- KS15 Knowledge of the establishment and operation of an information security steering group
- KS20 Knowledge of methods for establishing reporting and communication channels throughout an organization

Outcomes of Information Security Governance
1. Strategic alignment
2. Risk management
3. Value delivery
4. Resource management
5. Performance measurement
6. Integration (of the organization's assurance processes)

Information Security Concepts
- Confidentiality - Prevention of unintended disclosure
- Integrity - Assurance that data have not been subject to unauthorized modification
- Availability - Accessible and usable when required
- Auditability - Enable reconstruction, review and examination of sequence of events
- Identification - The assertion or recognition of an identity (who or what an entity claims to be)
- Authentication - Verification of a claimed identity by providing proof of identity
- Authorization - What is allowed when access has been granted
- Nonrepudiation - A party cannot deny having performed an event or transaction
- Layered security - Defense in-depth so that compromise is contained
- Access control - Limiting authorized access to authenticated entities
- Security metrics, monitoring - Measuring security activities
- Governance - Providing control and direction to activities
- Strategy - The steps required to achieve an objective
- Architecture - The design of the structure and relationships of its elements
- Management - Overseeing activities to ensure objectives are met
- Risk - The potential that a threat will exploit a vulnerability, combined with the impact if it does
- Exposures - Areas subject to impact by threats
- Vulnerabilities - Weaknesses that may be exploited by threats
- Threats - Any action or event that may cause adverse consequences
- Residual risk - Risk remaining after countermeasures and controls
- Impact - The results and consequences of a risk materializing
- Criticality - The importance of a resource to the business
- Sensitivity - The level of impact from unauthorized disclosure
- Business impact analysis - Evaluating the results and consequences of compromise
- Business dependency analysis - The extent to which the business relies on a resource
- Gap analysis - The difference between what is and the objective
- Controls - Any action or process that is used to mitigate risk
- Countermeasures - Any action or process that reduces vulnerability
- Policies - High level statement of management intent and direction
- Standards - Sets the allowable boundaries of actions and processes to meet policy
- Attacks - Types and nature of security compromises
- Data classification - The process of determining the sensitivity and criticality of information

Information Security Technologies
- Firewalls
- User account administration
- Intrusion detection and intrusion prevention
- Antivirus
- Public key infrastructure (PKI)
- Secure Sockets Layer (SSL), superseded by Transport Layer Security (TLS)
- Single sign-on (SSO)
- Biometrics
- Encryption
- Privacy compliance
- Remote access
- Digital signature
- Electronic data interchange (EDI) and electronic funds transfer (EFT)
- Virtual private networks (VPNs)
- Secure Electronic Transaction (SET)
- Forensics
- Monitoring technologies
