CISM Chapter 3 – Information Security Program Development (ISPD)

ISPD accounts for 17 percent of the CISM exam, or about 34 questions.  In 2010, ISACA reorganized the CISM Review Manual and separated each chapter into two major sections.  Section 1 of each chapter contains the definitions and objectives with the corresponding task and knowledge statements that are tested on the exam.  Section 2 contains reference material and content that supports the knowledge statements and is pertinent to CISM candidates’ knowledge and/or understanding when preparing for the exam.

There are eleven (11) task statements for ISPD and twenty-five (25) knowledge statements.  The 11 task statements are:

  1. Develop and maintain plans to implement the information security strategy.
  2. Specify the activities to be performed within the information security program.
  3. Ensure alignment between the information security program and other assurance functions (e.g., physical, human resources (HR), quality, IT).
  4. Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
  5. Ensure the development of information security architectures (e.g., people, processes, technology).
  6. Establish, communicate and maintain information security policies that support the security strategy.
  7. Design and develop a program for information security awareness, training and education.
  8. Ensure the development, communication, and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
  9. Integrate information security requirements into the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
  10. Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
  11. Establish metrics to evaluate the effectiveness of the information security program.

There are several “Suggested Resources” in Chapter 3.  Of the nine listed, there are six which you should have in your personal library and should read, as several questions on the exam come from this material.  Three of the six you will have already gotten as a result of the articles on Information Security Governance and Information Risk Management.  Those three were:

1) IT Governance Institute, Control Objectives for Information and related Technology (CobiT) 4.1, USA, 2007, www.isaca.org/cobit

2) Sherwood, John; Andrew Clark; David Lynas; Enterprise Security Architecture: A Business Driven Approach, CMP Books, USA, 2005, www.sabsa.org

3) Killmeyer, Jan; Information Security Architecture: An Integrated Approach to Security in the Organization, 2nd Edition, Auerbach Publications, USA, 2006

The three new suggested resources are:

1) Axelrod, C. Warren; Outsourcing Information Security, Artech House, USA, 2004

2) Dubin, Joel; The Little Black Book of Computer Security, 2nd Edition, Penton Media Inc., USA, 2008

3) Hardy, Gary; Lighthouse Global; IT Governance Domain Practices and Competencies Series, IT Governance Institute, USA, 2005

In ISPD there are three elements essential to ensuring successful security program design and implementation:

1) The program must be the execution of a well-developed information security strategy closely aligned with and supporting organizational objectives.

2) The program must be well designed, with cooperation and support from management and stakeholders.

3) Effective metrics must be developed for the program design and implementation phases, as well as the subsequent ongoing security program management phases, to provide the feedback necessary to guide program execution toward the defined outcomes.

In ISPD there are also six outcomes, as described in the article on Information Security Governance, which are:

1) Strategic alignment

2) Risk management

3) Value delivery

4) Resource management

5) Assurance process integration

6) Performance measurement

In order for an information security program to be effective, it must mitigate information and information technology risk at a cost that is balanced against potential loss magnitude and frequency.  As for all other aspects of effective security, executive management support is essential.  (This shows up several times on the exam.)  Exhibit 3.4 in Chapter 3 of the CISM Review Manual shows the role, the associated information security process responsibility, and sample key performance indicators for seven key roles.  You don’t need to memorize the whole chart, but knowing the roles of executive management, the information security manager, and IT operations management would be worthwhile.  We talked a little about roles and responsibilities in the IRM article, and it is repeated again in this chapter; needless to say, ISACA thinks it’s IMPORTANT.

There are several challenges to ISPD.  You need to know that, most frequently, the challenges are people, process and policy issues that conflict with program objectives, and not the wide array of technology choices.  Exhibit 3.5 in Chapter 3 of the CISM Review Manual lists 9 specific constraints on developing an information security road map.  The most important ones are 1) legal and regulatory requirements, 2) ethics, and 3) personnel.  It is the people challenge again; think about it: some of the people challenges might be that HR is doing only sporadic background checks, that personnel screening is being done by untrained staff, and the list goes on and on.

It should be quite evident that the objective of ISPD is to implement the strategy in the most cost-effective manner possible while minimizing impact to business functions.  For this, the implementation strategy has four steps: 1) define the goal/desired outcomes, 2) define the objectives, 3) define the residual risks, and 4) define the desired state.  You will definitely need to understand “desired state.”  The desired state is a state where the defined objectives have corresponding KGIs, which in turn have corresponding control objectives.  Each control objective should be supported by a control activity which is managed and measurable.  (NOTE: the keyword is measurable.)

I mentioned earlier that the constraints on developing an information security road map are contained in Exhibit 3.5.  In developing an information security road map, you need to know that you have to do a security review, which consists of an objective, a scope, constraints, an approach and a result.  For example, the objective of a security spot check might be to determine whether a given security process is working (which, by the way, is a good test question).  Once you’ve done the road map, you can perform a gap analysis to determine what your course of action will be.

The architecture for information security can take many forms.  As you will recall from the previous articles on CISM, I mentioned Zachman, SABSA, and FEA.  To this list you will need to add, and have an understanding of, OBASHI and TOGAF.  OBASHI is the Ownership, Business Processes, Applications, Systems, Hardware, and Infrastructure business and IT methodology and framework, and TOGAF is The Open Group Architecture Framework.

When we talk about controls, we talk about such things as logical access control, the principle of least privilege, segregation of duties, and trust (or trust no one).  When we speak of countermeasures, we speak of access control lists (ACLs), choke routers, content filtering, encryption, public/private-key encryption, route filtering, and TCP/IP.  (The thing you will need to look up and memorize is “choke routers”; yeah, I know, it was a new one for me too.)  For people controls, remember you have to define their role (as in a job description) and you have to train them in security (security awareness training).

In implementing ISPD, remember to use PDCA (Plan, Do, Check, Act) from the old total quality management system (TQM).  There are really five things here you need to understand:

1) Vision

2) Strategic objectives

3) CSFs, which are a set of circumstances or events that are necessary to achieve the strategic objectives

4) KPIs

5) Key actions

Let me go back to framework architecture for a few sentences.  ISACA is big on SABSA, so pay careful attention to it.  Look at the SABSA Framework for Security Architecture Development and the SABSA Framework for Security Management (Exhibits 3.14 and 3.15, respectively, in the CISM manual) and notice that the column headings for both are the same: assets, motivation, process, people, location and time.  Focus on the “People” column and understand the role people play in each of the contextual, conceptual, logical, physical, component, and operational layers.

Finally, a few words about metrics: who needs to know, what do they need to know, and when do they need to know it?  Metrics should be provided at three different levels: strategic, management, and operational.  There are some attributes which are essential to good metrics: they are manageable, meaningful, actionable, unambiguous, reliable, timely, and predictive.  Again, remember our goal is to deliver value, manage risk and resources, align with the business’s strategic goals and objectives, assure process integration and be able to measure our performance.

As a final parting thought, consider how you would certify and accredit your information security systems.  Take a look at NIST SP 800-37 requirements as well as the Defense Information Assurance Certification and Accreditation Process (DIACAP).
