CISM Domain – Information Security Governance

April 20, 2011 by Kenneth Magee

CISM Domain 1 – Information Security Governance (ISG)

ISG accounts for 23 percent of the CISM exam, or about 46 questions. In 2010, ISACA reorganized the CISM Review Manual and separated each chapter into two major sections. Section 1 of each chapter contains the definitions and objectives with the corresponding task and knowledge statements that are tested on the exam. Section 2 contains reference material and content that supports the knowledge statements and is pertinent to CISM candidates' knowledge and understanding when preparing for the exam.

There are eight (8) task statements for ISG and twenty (20) knowledge statements. The eight task statements are:

  1. Develop an information security strategy aligned with business goals and objectives.
  2. Align information security strategy with corporate governance.
  3. Develop business cases justifying investment in information security.
  4. Identify current and potential legal and regulatory requirements affecting information security.
  5. Identify drivers affecting the organization and their impact on information security.
  6. Obtain senior management commitment to information security.
  7. Define roles and responsibilities for information security throughout the organization.
  8. Establish internal and external reporting and communication channels that support information security.

There are several “Suggested Resources” in Chapter 1. Of the 16 listed, there are six that you should have in your personal library and should read, as several questions on the exam come from this material. The six specific ones are:

  1. Brotby, Krag; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute, USA, 2006
  2. Brotby, Krag; Information Security Governance: Guidance for Information Security Managers, ISACA, USA, 2008
  3. IT Governance Institute; Control Objectives for Information and related Technology (CobiT) 4.1, USA, 2007
  4. IT Governance Institute; Unlocking Value: An Executive Primer on the Critical Role of IT Governance, USA, 2008
  5. Sherwood, John; Andrew Clark; David Lynas; Enterprise Security Architecture: A Business Driven Approach, CMP Books, USA, 2005
  6. Tarantino, Anthony; Manager’s Guide to Compliance, John Wiley & Sons Inc., USA, 2006

There are six basic outcomes of effective ISG:

  1. Strategic Alignment
  2. Risk Management
  3. Value Delivery
  4. Resource Management
  5. Performance Measurement
  6. Integration

You will need to know the relationship between the outcomes of effective ISG and management responsibilities. ISACA has developed a comprehensive matrix in their review manual — this is one of those things you should memorize. In the 2010 manual it was exhibit 1.3 on page 37 entitled “Relationship of Information Security Governance Outcomes to Management Responsibilities.” Three to four questions on the exam come directly from this table.

You will want to take a look at the Business Model for Information Security and understand the interrelation between Organization Design and Strategy, People, Process, and Technology elements. You’ll also want to understand the dynamic interconnections of Governance, Culture, Enabling and Support, Emergence, Human Factors, and Architecture. Several questions deal with varying the value of one of the dynamic connections or elements and what the effective result would be, say for example, if the People element is undertrained.

There are a number of ISG concepts, but the one you should have down cold is Security Metrics: specific descriptions of how a quantitative and periodic assessment of security performance is to be measured.

For each of the aforementioned six basic outcomes of effective ISG, there has to be a way to measure the effectiveness of that outcome. As an example, let’s look at #3, Value Delivery. How do we measure the effectiveness of value delivery? A couple of ways: 1) Is the cost of security proportional to the value of the asset? We’re not delivering value if the cost of the security is, say, $100,000 and the value of the asset is only $50,000. 2) Is control effectiveness determined by periodic testing? We’re not delivering value if the controls we put in place are not being tested to see whether they are effective.

In Information Security Strategy, you will need to know the definition of the term “desired state.” How can you have a security strategy without knowing what the baseline is? By the way, that’s a hint.

In CobiT, you will need to understand the concept of the Capability Maturity Model, particularly levels 3, 4 and 5 (Defined process; Managed and measurable; Optimized).

In Strategy Resources, you will need to know the two security frameworks of Zachman and SABSA. Once in a while, ISACA will also throw in a random question about a third called EA2F. You can Google the last one, but only if you have nothing better to do. You’ll also need to understand “Defense in Depth”: what happens in prevention, in containment, in detection/notification, in reaction, in evidence collection (there are several questions regarding chain-of-custody), and in recovery/restoration.

One of the current “hot topics” is in the area of legal and regulatory requirements and “transborder data flow.” Understand that across the border, the rules may be different.

Finally, in an effective ISG program there have to be measurements of success — or, said another way, metrics. You as an Information Security Manager need to understand metrics, need to know how to define metrics, and need to produce those metrics for upper management. As an example, I recently spoke with someone who shared this example with me. His boss came in and asked if they could cut the budget line for anti-virus software, which would save some $800,000 annually. The boss stated there hadn’t been a virus infection in the past two years. The ISO did some research and presented the following information to his boss: Three years ago we had a virus which brought down the entire LAN; the cost to repair that outage, between man-hours and lost productivity, was $125,000, and you will recall the network was down for two full working weekdays. On average, over the past two years, the anti-virus software we currently have in place detects and quarantines 400 viruses a day. If just one of those viruses got through each month, the cost to recover would exceed $1,500,000. The boss, in his presentation to the budget committee, stated that the ISO had presented the most complete and accurate business case for maintaining anti-virus software of any of his subordinates; the line item for the A-V software would remain untouched and, in fact, he was recommending an increase of 15% for this line item.

To review the other CISM Domains, you can find links to those reviews here.


Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.
