CISM DOMAIN 01: Information Security Governance

  • Information Security Objectives

    • CIA Triad

      • Confidentiality

      • Integrity

      • Availability

  • Information Security Manager (dual-hattedness)

    • CISO

      • Report to

        • Chief executive officer (CEO)

        • Chief risk officer (CRO)

        • Chief security officer (CSO) (this role includes oversight of information security, physical security, and other security concerns)

        • Chief operating officer (COO)

        • Chief audit executive

    • Security Team (Org Chart)

  • Roles and Responsibilities

    • The RACI matrix

      • Responsible (R) 

      • Accountable (A) 

      • Consulted (C) 

      • Informed (I)

  • Information Security Risks

    • DAD Triad

      • Disclosure

        • Disclosure is the act of releasing confidential or sensitive information to unauthorized individuals or entities.
      • Alteration

        • Alteration refers to the unauthorized modification of data or information, leading to potential security breaches.
      • Denial

        • Denial is a concept in information security where access to resources or services is denied intentionally or by mistake.
    • Incident Impact

      • Financial Risk

        • Financial risk refers to the potential loss of financial resources due to information security incidents.

        • Organizations face financial risks when they are unable to effectively mitigate information security risks.

        • Financial risk can arise from incidents such as data breaches, theft of financial information, or fraud.

      • Reputational Risk

        • Reputational risk refers to the potential damage to an organization's reputation due to a security incident.

        • This type of risk can arise from incidents such as data breaches, cyber attacks, or other security breaches.

        • The impact of reputational risk can lead to loss of customer trust, negative publicity, and financial repercussions for the organization.

      • Strategic Risk

        • Strategic risk refers to potential threats that can have a significant impact on the overall goals and objectives of an organization.
      • Operational Risk

        • Operational risk refers to the potential for loss resulting from inadequate or failed internal processes, systems, or people.

        • It focuses on the risks associated with day-to-day operations of an organization and how they can impact the achievement of objectives.

      • Compliance Risk

        • Compliance risk refers to the potential for failing to comply with laws, regulations, or industry standards related to information security.
  • Governance

    • Corporate Governance

      • Governance of the organization

      • Risk management

        • Will be covered in Domain 02
      • Compliance

    • Information Security Governance

      • Information Security Program

        • Foundations

          • Security Strategy

          • Action Plan

        • Objective

          • The objective of the information security program is to protect the interests of those relying on the information, and the processes, systems, and communications that handle, store, and deliver that information, from harm resulting from failures of confidentiality, integrity, and availability.

            • CIA Triad

              • Confidentiality

              • Integrity

              • Availability

      • Values, Vision, Mission, Strategic Objectives, Action & KPIs

        • Values

          • Values are the core beliefs and principles that guide an organization's behavior and decision-making process.

          • Values help in defining the ethical standards and culture within an organization, setting the tone for how business is conducted.

          • Values act as a compass, ensuring that all activities and strategies align with the fundamental beliefs of the organization.

          • Values are essential for creating a strong foundation for Information Security Governance practices.

        • Vision

          • Vision is a fundamental aspect of security governance, providing a clear direction and purpose for the organization.

          • It is the desired future state that the organization aims to achieve through its security initiatives and strategies.

          • A strong vision statement guides decision-making, resource allocation, and the overall security posture of the organization.

          • It should be aligned with the organization's values, mission, and strategic objectives to ensure coherence and effectiveness.

        • Mission

          • The mission of an organization defines its purpose and reason for existence.

          • It outlines the specific goals and objectives that the organization aims to achieve.

          • A clear mission statement helps guide decision-making and actions within the organization.

          • It serves as a compass for the organization's overall direction and strategy.

        • Strategic Objectives

          • Strategic objectives are the high-level goals set by an organization to achieve its mission and vision.
        • Action & KPIs

          • Action & KPIs refer to the specific steps and performance indicators used to measure the success of information security governance.

          • KGIs, KPIs and KRIs

            • Key Goal Indicators (KGI)

              • KGIs tend to reflect more strategic goals
            • Key Performance Indicators (KPI)

              • KPIs tend to reflect more tactical goals
            • Key Risk Indicators (KRI)

      • Policy Documents

        • Policy (Mandatory)

          • High-level management directives
        • Standards (Mandatory)

          • Describe the specific use of a technology (ex. laptop make/model/specs)
        • Procedure (Mandatory)

          • Step-by-step guide for accomplishing a task
        • Security Guidelines

          • (Discretionary) Recommendations
      • Legal & Regulatory

        • Types of Law

          • Criminal Law

          • Civil Law

          • Administrative Law

        • Laws

          • Computer Fraud and Abuse Act (CFAA)

          • Federal Information Security Management Act (FISMA)

          • Copyright and the Digital Millennium Copyright Act

          • Wassenaar Arrangement

          • International Traffic in Arms Regulations (ITAR)

          • Export Administration Regulations (EAR)

        • IP & Licensing

          • Trade Secrets

            • Trade secrets Disclosure

              • In order to gain an unfair advantage over competitors or to reap the benefits of another company's hard work without putting in any effort of their own, economic and industrial espionage frequently targets trade secrets.
          • Copyright

            • Copyright attacks

              • Piracy – unauthorized use or reproduction of material
          • Trademarks

            • Trademark attacks

              • Counterfeiting – products intended to be mistakenly associated with brand

              • Dilution – widespread use of brand name as stand-in for product (e.g. Kleenex, Xerox, etc.)

          • Patents

            • Patent attacks

              • Primarily involve infringement upon the reserved rights of the patent holder (knowingly or unknowingly)
          • Licensing

            • Contractual license agreements

            • Shrink-wrap license agreements

            • Click-through license agreements

            • Cloud services license agreements

        • Encryption and Privacy

          • Computer Export Controls

          • Encryption Export Controls

          • Privacy (US)

            • HIPAA (Health Insurance Portability and Accountability Act)

            • HITECH (Health Information Technology for Economic and Clinical Health)

            • Gramm-Leach-Bliley Act (financial institutions)

            • Children’s Online Privacy Protection Act (COPPA)

            • Electronic Communications Privacy Act (ECPA)

            • Communications Assistance for Law Enforcement Act (CALEA)

          • Privacy (EU)

            • GDPR
      • Third-Party Relationships

        • Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.

        • Service-level agreements (SLAs) are written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA. SLAs commonly cover issues such as system availability, data durability, and response time.

        • A memorandum of understanding (MOU) is a letter written to document aspects of the relationship. MOUs are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings. MOUs are commonly used in cases where an internal service provider is offering a service to a customer that is in a different business unit of the same company.

        • Business partnership agreements (BPAs) exist when two organizations agree to do business with each other in a partnership. For example, if two companies jointly develop and market a product, the BPA might specify each partner's responsibilities and the division of profits.

        • Nondisclosure agreements (NDAs) protect the confidentiality of information used in the relationship. NDAs may be mutual, protecting the confidentiality of information belonging to both parties in the relationship, or one-way, protecting the confidential information belonging to only the customer or the supplier.

      • Standard and Control Frameworks

        • COBIT

        • NIST Cybersecurity Framework

        • NIST Risk Management Framework

        • ISO Standards

          • ISO 27001

            • ISO 27001 is a standard titled “Information technology—Security techniques—Information security management systems—Requirements.” This standard includes control objectives covering 14 categories:

            • Information security policies

            • Organization of information security

            • Human resource security

            • Asset management

            • Access control

            • Cryptography

            • Physical and environmental security

            • Operations security

            • Communications security

            • System acquisition, development, and maintenance

            • Supplier relationships

            • Information security incident management

            • Information security aspects of business continuity management

            • Compliance with internal requirements, such as policies, and with external requirements, such as laws

          • ISO 27002

            • Select information security controls

            • Implement information security controls

            • Develop information security management guidelines

          • ISO 27004

          • ISO 27701

          • ISO 31000

        • Benchmarks and Secure Configuration Guides

      • Security Control Verification and Quality Control

        • Service Organization controls (SOC)

          • SOC Engagements

            • SOC 1 Engagements

              • Assess the organization’s controls that might impact the accuracy of financial reporting.
            • SOC 2 Engagements

              • Assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA.
            • SOC 3 Engagements

              • Assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.
          • SOC Reporting

            • Type I Reports

              • These reports provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls. Type I reports also cover only a specific point in time, rather than an extended period. You can think of the Type I report as more of a documentation review where the auditor is checking things out on paper and making sure that the controls described by management are reasonable and appropriate.
            • Type II Reports

              • These reports go further and also provide the auditor’s opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly. The Type II report also covers an extended period of time: at least six months of operation. You can think of the Type II report as more like a traditional audit. The auditors are not just checking the paperwork; they are also going in and verifying that the controls function properly. Type II reports are considered much more reliable than Type I reports because they include independent testing of controls. Type I reports simply take the service organization at their word that the controls are implemented as described.
  • Information Security Strategy

    • Threat Research

      • Threat actors are the individuals or groups seeking to undermine the security of an organization.

      • Threat vectors are the tactics, tools, and techniques used by threat actors to achieve their objectives.

    • SWOT Analysis

      • Strengths

      • Weaknesses

      • Opportunities

      • Threats

    • Gap Analysis

      • Evaluation of the organization's current information security program against its desired state.

      • Identify the existing process

      • Identify the existing outcome

      • Identify and document the gap

      • Identify the process to achieve the desired outcome

      • Develop the means to fill the gap

      • Develop and prioritize requirements to fill the gap

    • Control Objectives

      • Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels.
    • Maturity Models

      • Level 1: Initial

      • Level 2: Managed

      • Level 3: Defined

      • Level 4: Quantitatively Managed

      • Level 5: Optimizing

    • Creating SMART Goals

      • SMART goals are Specific, Measurable, Achievable, Relevant, and Time-bound objectives that help organizations focus on achieving their information security strategy.

      • By setting SMART goals, organizations can clearly define the steps needed to enhance their security posture and measure progress effectively.

  • Alignment with Business Strategy

    • Leadership Support

    • Internal and External Influences

      • The broader business environment within which your organization operates. 

      • Your organization's risk tolerance. 

      • The regulatory environment within which your organization operates. 

      • Changes in the threat landscape. 

      • Emerging technologies in use in your field.

      • Social media spreads news at faster rates than ever before. 

      • Third-party considerations also play a role.

    • Cybersecurity Responsibilities

    • Communication

    • Action Plans

      • An action plan outlines both the short-term and long-term steps that you will take to move your organization from its current state to its desired state.
  • Data Protection

    • Data States

      • Data at Rest

        • Data at rest (sometimes called data on storage) is any data stored on media such as system hard drives, solid-state drives (SSDs), external USB drives, storage area networks (SANs), and backup tapes. Strong symmetric encryption protects data at rest.
      • Data in Transit / Motion

        • Data in transit (sometimes called data in motion or data being communicated) is any data transmitted over a network. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the internet. A combination of symmetric and asymmetric encryption protects data in transit.

      • Data in Use

        • Data in use (also known as data being processed) refers to data in memory or temporary storage buffers while an application is using it. Applications often decrypt encrypted data before placing it in memory. This allows the application to work on it, but it’s important to flush these buffers when the data is no longer needed. In some cases, it’s possible for an application to work on encrypted data using homomorphic encryption. This limits the risk because memory doesn’t hold unencrypted data.

    • Security controls

      • Data Encryption

        • Data Encryption is a method used to protect sensitive information by converting it into a code that can only be read by authorized parties.

        • It ensures that even if unauthorized individuals gain access to the data, they won't be able to understand or use it without the encryption key.

        • Data Encryption is essential in information security governance to safeguard data against breaches and maintain confidentiality.

      • Data Loss Prevention

        • Two environments

          • Host-based DLP

            • Host-based DLP is a type of Data Loss Prevention (DLP) that focuses on protecting data at the individual computer or device level.

            • Host-based DLP solutions can monitor and control data transfers, access, and usage on a specific device, ensuring data protection within that environment.

          • Network DLP

            • Network DLP focuses on preventing data loss within the network environment.
        • Two mechanisms

          • Pattern matching

            • Pattern matching is a mechanism used in Data Loss Prevention (DLP) to identify specific data patterns.

            • It involves scanning data to look for predefined patterns such as credit card numbers, social security numbers, or other sensitive information.

          • Watermarking

            • Watermarking is a technique used to embed information into digital content to verify its authenticity and ownership.
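        • Added example (not part of the original notes): the pattern-matching mechanism above as a small host- or network-side scanner in Python. A bare regex flags any 13-16 digit run, so the card check also applies the Luhn checksum that payment card numbers carry; the log lines are constructed for the demonstration and the findings keep only the last four digits so the alert itself does not leak the value.

```python
import re

# Constructed log lines for the demonstration; none of the numbers are real accounts.
SAMPLE_LINES = [
    "Order 20240117-0001 shipped to customer",          # 12 digits: too short to match
    "Card on file: 4111 1111 1111 1111 exp 12/27",      # passes Luhn: reported
    "Tracking 1234 5678 9012 3456 left warehouse",      # 16 digits, fails Luhn: not reported
    "Employee SSN 123-45-6789 added to HR record",      # SSN layout: reported
]

# 13-16 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# US Social Security Number in the common 3-2-4 layout
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum shared by payment card numbers. A regex alone flags any
    16-digit run (tracking ids, order numbers); the checksum removes most of
    those false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_lines(lines):
    """Return one finding per sensitive match: line number, data type and a
    redacted copy of the value (only the last four digits survive)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "type": "credit_card",
                                 "value": "*" * (len(digits) - 4) + digits[-4:]})
        for m in SSN_RE.finditer(line):
            findings.append({"line": lineno, "type": "ssn",
                             "value": "***-**-" + m.group()[-4:]})
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(f"line {finding['line']}: {finding['type']} {finding['value']}")
```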
      • Data Minimization

        • Data minimization techniques reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.

        • If we can't completely remove data from a dataset, we can often transform it into a format where the original sensitive information is de-identified. The de-identification (or “anonymization”) process removes the ability to link data back to an individual, reducing its sensitivity.

        • An alternative to de-identifying data is transforming it into a format where the original information can't be retrieved. This is a process called data obfuscation, and we have several tools at our disposal to assist with it:

          • Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value. Hashing uses a one-way function, meaning that it is not possible to retrieve the original value if you only have access to the hashed value.

          • Tokenization replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We'd then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone's identity. Of course, if you use this approach, you must keep the lookup table secure!

          • Masking partially redacts sensitive information by replacing some or all sensitive fields with blank characters. For example, we might replace all but the last four digits of a credit card number with X's or *'s to render the card number unreadable.
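        • Added example (not part of the original notes): the three obfuscation tools above applied field by field to one constructed student record in Python. Hashing is done as a keyed HMAC-SHA256 rather than a bare hash, an addition here, because a bare hash of a low-entropy value such as a student ID can be recovered by hashing every candidate; tokenization keeps the lookup table the text warns about as a separate in-memory structure; masking keeps the last four digits.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; these values are not real personal data.
SAMPLE_RECORD = {"student_id": "S1234567", "email": "alice@example.edu",
                 "card": "4111 1111 1111 1111", "course": "CS101"}


def hash_value(value: str, key: bytes) -> str:
    """One-way obfuscation. Keyed (HMAC-SHA256) so that a guessable input
    cannot be recovered by hashing candidates; the key is the secret."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class Tokenizer:
    """Reversible obfuscation: random 10-digit tokens plus a lookup table.
    The lookup table is the sensitive asset and must be protected."""

    def __init__(self, digits: int = 10):
        self.digits = digits
        self._to_token: dict[str, str] = {}   # original -> token
        self._to_value: dict[str, str] = {}   # token -> original (the lookup table)

    def tokenize(self, value: str) -> str:
        if value in self._to_token:           # same input always gets the same token
            return self._to_token[value]
        while True:                           # retry on the rare token collision
            token = "".join(secrets.choice("0123456789") for _ in range(self.digits))
            if token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]          # KeyError for an unknown token


def mask(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Partial redaction: every digit except the last `keep_last` is replaced;
    separators are preserved so the masked value keeps its shape."""
    n_digits = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= n_digits - keep_last else mask_char)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def deidentify(record: dict, tokenizer: Tokenizer, key: bytes) -> dict:
    """Apply one tool per sensitive field; non-sensitive fields pass through."""
    return {
        "student_id": tokenizer.tokenize(record["student_id"]),  # reversible via the table
        "email": hash_value(record["email"], key),                # irreversible
        "card": mask(record["card"]),                             # partially redacted
        "course": record["course"],
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tok = Tokenizer()
    out = deidentify(SAMPLE_RECORD, tok, key)
    print(out)
    print("recovered student_id:", tok.detokenize(out["student_id"]))
```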

  • Implementing Security Controls

    • Control Categories

      • Administrative

        • Developing & publishing policies, standards, procedures (Ex. Risk Mgmt, Chg. Ctrl)
      • Technical

        • Implementing access control mechanisms, password mgmt, Ident & Auth, etc.
      • Physical

        • Controlling individual physical access (Ex. locks, environmental controls, disable USB)
    • Control Types

      • Preventive

        • Prevents harmful occurrences by restricting what a potential user can do
           Physical: Lock, Mantrap | Technical: Firewall | Admin: Pre-employment drug screen
      • Deterrent

        • Discouraging unwanted actions (ex. Beware of Dog sign, documented punishment)
           Physical: Beware of Dog sign | Administrative: Sanction policy
      • Detective

        • Controls that alert during or after a successful attack (ex. IDS/IPS, CCTV, Alarm)
           Physical: CCTV, Light | Technical: IDS | Admin: Post-employment random drug screen
      • Compensating

        • Compensate for weaknesses in other controls (ex. reviewing users' web usage)
      • Corrective

        • Restores systems that are victims of harmful attacks (often bundled with Detective)
      • Recovery

        • Restore functionality of the system and organization (ex. re-image a PC, Restore, etc.)
      • Directive

    • Security Control Framework

      • COBIT

        • Operational framework & best practices model for IT governance

        • Defines goals for controls that should be used to manage IT and ensure IT maps to business needs

        • 4 Domains (34 Processes):

          • Plan & Organize

          • Acquire & Implement

          • Deliver & Support

          • Monitor & Evaluate

      • COSO

        • Strategic model for corporate governance

        • 5 Components:

          • Control Environment

          • Risk Assessment

          • Control Activities

          • Communication of Information

          • Monitoring

      • ISO

      • ITIL (Information Technology Infrastructure Library) - IT Best Practices

        • Customizable framework for providing best services in IT Service Management (ITSM)

        • 5 Service Management Practices - Core Guidance publications

          • Service Strategy (helps IT provide services)

          • Service Design (designing infrastructure & architecture)

          • Service Transition (making projects operational)

          • Service Operation (operations controls)

          • Continual Service Improvement (ways to improve existing services)