Kindle Notes & Highlights
The principle of least privilege is an approach that segments all resources so that we can increase access as-needed. This allows us to give people access only to the bare minimum resources they need to do their job. The downside of this approach is that it requires a well-thought-out plan from the very beginning and requires increased attention to ensure resources are properly segmented.
Need-to-know is a security approach that requires a person to not only have the proper authority to access resources, but also a valid need to do so. For example, it is not enough to be given authority to read customer files – your role in the company must also require it. This provides an extra layer of security to keep information out of the wrong hands.
Segregation of duties, or SOD, is a security mechanism that prevents a single role from having too much power. For example, in a bank, the same person who prints a check should not have the ability to change the name on that check – it should require a different person to execute both actions. This greatly reduces the chance of fraud.
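The three controls above (least privilege, need-to-know, segregation of duties) combined into a single authorization check, using the bank's check-printing scenario. This is an added illustration, not text or code from the book; the role table, the conflict pair, the user names and the check ids are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: each role is granted only the actions its job
# requires (least privilege).
ROLE_ACTIONS = {
    "teller": {"print_check"},
    "supervisor": {"print_check", "change_payee"},
    "auditor": {"read_check"},
}

# Action pairs that must never be performed by the same person on the same
# check (segregation of duties, as in the bank example).
SOD_CONFLICTS = {frozenset({"print_check", "change_payee"})}


@dataclass
class AccessLog:
    # check_id -> {action -> user who performed it}; feeds the SoD check
    history: dict = field(default_factory=dict)


def authorize(user, role, action, check_id, need_to_know, log):
    """Return (allowed, reason). All three checks must pass, in order.

    need_to_know is assumed to be the set of check ids the user's current
    task legitimately requires (a hypothetical input to this example).
    """
    # 1. Least privilege: the role must be authorised for the action at all.
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, "role lacks authority"
    # 2. Need-to-know: authority alone is not enough; the request must be
    #    tied to a check this user actually has a business reason to touch.
    if check_id not in need_to_know:
        return False, "no need-to-know for this check"
    # 3. Segregation of duties: refuse if this same user already performed a
    #    conflicting action on this check, even though the role allows both.
    for prior_action, prior_user in log.history.get(check_id, {}).items():
        if prior_user == user and frozenset({prior_action, action}) in SOD_CONFLICTS:
            return False, f"SoD conflict with prior '{prior_action}'"
    # Record the granted action so later SoD checks can see it.
    log.history.setdefault(check_id, {})[action] = user
    return True, "ok"
```

A supervisor may print a check or change its payee, but not both on the same check; the log makes the second request fail even though the role permits the action.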
Criticality is the impact that the loss of an asset will have, or how important the asset is to the business. For example, if the loss of a specific IT system would prevent orders from being processed until the system is returned to a usable state, it is most definitely critical to the business. On the other hand, payroll processing is not as critical – while the permanent loss of the ability to pay employees would certainly cause a mass exodus of people at some point, we can probably absorb a lengthier downtime.
Sensitivity is the impact that unauthorized disclosure of the asset will have, meaning that people that should not see information are able to get to it. Consider a scenario in which we want to keep the recipe to our secret sauce from getting out. The leakage of this information would not impact our day-to-day operations, so it is not considered to be critical. But, we would be losing one of our core advantages over competitors, and so the recipe is said to have a high sensitivity.
Assurance, related to security information, means that we can manage security risks by keeping vulnerabilities and threats to a level that we can live with. For example, if we deploy a firewall and encryption techniques to help protect access to a database, then we are assuring the database is being kept secure.
The total cost of ownership, or TCO, represents the true cost to own an asset, as opposed to just the cost to initially acquire it. TCO at a minimum covers the original cost, any upgrades, ongoing maintenance, support, and training.
Governance is the act of creating a plan on how a company will achieve a goal and then making sure everyone executes that plan.
Governance is the responsibility of the board and company executives. These folks at the top might delegate a lot of the footwork, but they are ultimately responsible to ensure the plan is properly implemented.
A goal is the result we want to achieve.
A strategy is a plan of action to achieve our goal.
A strategy doesn’t have to tell us how we’re going to carry out each step, or how long it will take, or the problems we might face along the way. It just lays out a road map of how we are going to reach our goal.
A policy is a high-level statement of what senior management expects and will dictate the direction in which we are heading.
In mature organizations, policies are well-developed and remain unchanged for a long time.
If a policy cannot be traced back to strategy elements, something went wrong – either the strategy is incomplete, or the policy is just flat out wrong.
The policy we just described can be linked directly to our third strategy element, “Launch it to Mars without anyone knowing what we’re really up to”. By keeping that information from unauthorized eyes, the policy carries out the strategy.
Most organizations today have an incoherent mish-mash of information security policies born out of reaction to incidents as they occur. There is seld...
At times, we may encounter the need to create a sub-policy to address a need separate from the bulk of the organization. For example, one business unit is engaging with an outside party that has some very unique and specific requirements. Rather than adopt those unique policies across the enterprise, a sub-policy is created for this one unit.
A good policy will exhibit several attributes, which are:
- It clearly describes a strategy that captures the intent of management
- It states only a single general mandate
- It is clear and easily understood by all affected parties
- It is no more than a few sentences long, except in rare cases
- It is part of a complete set that is no more than two dozen in number
In some organizations, effective practices have evolved that are not contained in a written policy. In these cases, the practices themselves should serve as a basis for policy and standards.
Now, if a policy simply reflects where we’re heading without being specific, how do we turn that into something useful? Something that we can point to and say ‘Yes, we have carried out that policy.’ For that, we need a standard!
If policies are the constitution of governance, then standards are the laws. Strategy results in policies that communicate intent and direction, and standards tell us how to carry out that policy.
A standard must provide enough parameters to allow us to confidently state if a procedure or practice meets the requirements.
Having said that, standards might change as technologies and requirements change to reflect new capabilities, and there are usually multiple standards for each policy.
When we encounter a standard for which there is not a readily available technology, or there is some other reason for which we cannot create a process to meet the standard, we must create an exception process.
Another way of looking at policies vs. standards is a strategic vs. tactical viewpoint.
Policies are strategic – a high-level view of where we want to get to.
Standards are tactical – they represent specific tools we use to get...
But a standard by itself doesn’t get any work done – it only describes at a medium level how it should work. To actually accomp...
A procedure is an unambiguous list of steps required to accomplish a task. It must define the following:
- Required conditions before execution
- Information displayed
- The expected outcome
- What to do when the unexpected happens
Whereas standards are left a little vague on execution, procedures must be very clear and exact.
Since a procedure is extremely sequential – most often a series of steps to carry out – we need to keep it as simple as we can.
A guideline contains information that is helpful when executing procedures. While standards are usually expressed in very explicit rules and are carried out by procedures, guidelines are a little more flexible to accommodate unforeseen circumstances.
Bringing It All Together
In summary, we:
1) Identify a worthy goal
2) Shape a multi-step strategy to reach the goal
3) Craft policies to carry out each strategy
4) Define standards to outline how we carry out policies
5) Write procedures containing step-by-step instructions on how to implement standards
6) Fashion guidelines to help when a procedure runs into a problem
- Goals, Strategies and Policies tell us where we want to go
- Standards provide the tools
- Procedures give us the step-by-step instructions
- Guidelines provide recommendations
Risk appetite, which is the amount of risk a business is willing to incur.
Risk tolerance, which is the amount of deviation from the risk appetite a business considers acceptable.
Risk capacity, which is the amount of risk a business can absorb without ceasing to exist.
risk appetite + risk tolerance <= risk capacity
Risk acceptance occurs when an organization decides that no action is required for a specific risk – it is willing to suffer the consequences instead of expending resources to mitigate it.
A control is something put into effect to reduce risk.
In a nutshell, information security governance is the act of creating a plan on how a company will protect information and then making sure everyone executes that plan.
To recap, data is nothing but facts. But when data means something to us, it becomes information. When we absorb that information, it becomes knowledge. And when a company has knowledge, it can do some pretty amazing things with it. Information security governance is all about protecting the entire path of ‘data to information to knowledge’, and the reverse of that path.
Enterprise governance watches over the entire organization or business, commonly referred to as the enterprise.
Corporate governance, which sets the strategic direction of a business by defining goals.
Enterprise governance and corporate governance overlap slightly, and this is right where information security governance lives since it is concerned with both business...
Finally, IT governance, which is concerned with all things IT, resides wholly inside ...