CISM Domain – Information Security Program Management

May 11, 2011 by Kenneth Magee

CISM Chapter 4 – Information Security Program Management (ISPM)

In Chapter 3 we talked about Information Security Program Development; in Chapter 4 we're going to talk about the management of the security program we just developed.

ISPM accounts for 24 percent of the CISM exam, or about 48 questions.  As you can see, ISACA has raised the weighting from 17 percent for development to 24 percent for management of the program we just developed, so ISACA is placing more emphasis on managing the security program.  I'll get into some of the specifics later on; for now, let's get some of the mundane stuff out of the way.

There are nine task statements for ISPM and 17 knowledge statements.  The nine task statements are:

  1. Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
  2. Ensure that processes and procedures are performed in compliance with the organization’s information security policies and standards.
  3. Ensure the performance of contractually agreed (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) information security controls.
  4. Ensure that information security is an integral part of the systems development process and acquisition processes.
  5. Ensure that information security is maintained throughout the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
  6. Provide information security advice and guidance (e.g., risk analysis, control selection) in the organization.
  7. Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
  8. Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
  9. Ensure that noncompliance issues and other variances are resolved in a timely manner.

I don’t normally recite the knowledge statements but in this chapter there are two which bear mentioning:

Number 12 which reads “Knowledge of due diligence activities, reviews and related standards for managing and controlling access to information,” and

Number 14 which reads “Knowledge of events affecting security baselines that may require risk reassessments and changes to information security program elements.”

There are about 17 "Suggested Resources" in Chapter 4.  Of those there is one which you should have in your personal library and should read, as several questions on the exam come from this material.  It's the same one recommended in Chapter 2:

1) Van Grembergen, Wim; De Haes, Steven; Measuring and Demonstrating the Value of IT, IT Governance Institute, USA, 2005

Take this to heart: if ISACA keeps repeating that you need to read a certain book, and we know for a fact that several test questions on the exam come straight from that book, wouldn't you go out and buy yourself a copy?  Seems obvious to me.

In an increasing number of medium and larger organizations, the ISPM function sits at an executive level, holding titles such as VP of Security, Chief Information Security Officer, etc.

In ISPM, just as in ISPD, there are six outcomes, as described in the article on Information Security Governance:

  1. Strategic alignment
  2. Risk Management
  3. Value Delivery
  4. Resource Management
  5. Assurance Process Integration
  6. Performance Measurement

There we go again: ISACA is repeating itself.  You heard it in Chapter 1, in Chapter 3 and now again in Chapter 4, so it seems to me we should MEMORIZE these six elements/outcomes.

When we talk about roles and responsibilities, the bulk of the work falls to the Information Security Manager and they need to have:

  1. An awareness of security standards and practices
  2. Risk management responsibilities
  3. Technological competence, and
  4. Management and Administrative responsibilities

There are also specific roles and responsibilities for the Board of Directors, Executive Management, the Information Security Steering Committee, the Information Technology Unit, Business Unit Managers, Human Resources and the Legal Department.  Of this group, you will need to know the common topics, agendas and decisions for an Information Security Steering Committee meeting, things like Security Strategy,,,,,Security Strategy,,,,,,Security Strategy. OOPS. My fingers seem to have gotten stuck on the keyboard, but you get the message.

For analysis of technical components and architecture, you'll want to understand control placement, control effectiveness, control efficiency, control policy and control implementation.  Then, in addition to the technical components, there are the operational components, management components, administrative components, educational components and the assurance function.

ISPM is all about measuring information security management performance, with questions like "How do you measure information security risk and loss?", "How do you measure support of organizational objectives?" and "How do you measure compliance, operational productivity, cost-effectiveness, organizational awareness, technical security architecture effectiveness, management framework effectiveness and operational performance?"  Of all of these, you need to understand the difference between technical vulnerability (TV) management, which is a risk management approach, and loss prevention.  For technical vulnerability management you will need to understand the details: how many TVs there are, how many TVs have been resolved and what the average time to resolve a TV was.
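The three TV figures the chapter asks for (count, resolved count, average time to resolve) are simple to compute once vulnerability records carry a discovery date and a resolution date, and the same pass can flag open items that have aged past their remediation target, which is the "timely resolution" evidence a security manager reports on.  The following is an added example, not code from the original post or from ISACA material; the vulnerability records and the per-severity SLA thresholds are constructed and hypothetical.

```python
"""Technical-vulnerability (TV) metrics: total, resolved, average days to resolve,
plus open items past their remediation SLA.  Added example with constructed data."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Hypothetical remediation targets in days per severity (assumption, not from the text).
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Vuln:
    vuln_id: str
    severity: str
    discovered: date
    resolved: Optional[date] = None  # None means the TV is still open


def days_to_resolve(v: Vuln) -> Optional[int]:
    """Elapsed days from discovery to resolution; None while the TV is open."""
    return None if v.resolved is None else (v.resolved - v.discovered).days


def tv_metrics(vulns: List[Vuln], as_of: date) -> dict:
    """Count TVs, count resolved TVs, average resolution time of the resolved ones,
    and list open TVs whose age (as of `as_of`) exceeds the SLA for their severity."""
    resolved = [v for v in vulns if v.resolved is not None]
    still_open = [v for v in vulns if v.resolved is None]
    avg = round(mean(days_to_resolve(v) for v in resolved), 1) if resolved else None
    breaches = sorted(
        v.vuln_id for v in still_open
        if (as_of - v.discovered).days > SLA_DAYS[v.severity]
    )
    return {
        "total": len(vulns),
        "resolved": len(resolved),
        "open": len(still_open),
        "avg_days_to_resolve": avg,
        "sla_breaches": breaches,
    }


def metrics_by_severity(vulns: List[Vuln], as_of: date) -> Dict[str, dict]:
    """Same metrics broken out per severity, in SLA_DAYS order (empty buckets omitted)."""
    return {
        sev: tv_metrics([v for v in vulns if v.severity == sev], as_of)
        for sev in SLA_DAYS
        if any(v.severity == sev for v in vulns)
    }


# Constructed sample records (not real findings).
AS_OF = date(2011, 5, 11)
SAMPLE_VULNS = [
    Vuln("V-1", "critical", date(2011, 4, 1), date(2011, 4, 5)),   # 4 days
    Vuln("V-2", "high", date(2011, 4, 1), date(2011, 4, 21)),      # 20 days
    Vuln("V-3", "medium", date(2011, 3, 1), date(2011, 4, 30)),    # 60 days
    Vuln("V-4", "critical", date(2011, 4, 20)),                    # open 21 days, past 7-day SLA
    Vuln("V-5", "low", date(2011, 5, 1)),                          # open 10 days, within SLA
    Vuln("V-6", "high", date(2011, 4, 25), date(2011, 5, 1)),      # 6 days
]

if __name__ == "__main__":
    print(tv_metrics(SAMPLE_VULNS, AS_OF))
    for sev, m in metrics_by_severity(SAMPLE_VULNS, AS_OF).items():
        print(sev, m)
```

Two design points worth noting: the average is computed only over resolved TVs, so an open backlog does not silently drag the number down, and SLA breaches are evaluated against the report date rather than the resolution date, which is why an open finding can appear as a breach while a slow but closed one only shows up in the average.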

There are three basic and common challenges to security management: no management support, no funding, and no staff or inadequate staff.

One of the first things you want to do in ISPM is to determine what the current state is and then go from there.  For example, are program goals aligned with governance objectives?  Are objectives measurable, realistic and associated with specific timelines?  You will also want to know whether you are in compliance with laws and regulations; then you'll want to evaluate whether the program is being managed and whether it has adequate resources (management support, funding and staffing).

Speaking of resources, there are several resources for ISPM, and they consist of:

  1. Policies, Standards and Procedures
  2. Controls
  3. Countermeasures
  4. Supporting Technologies (Look up SIM tools – Security Information Management)
  5. Personnel
  6. Skills
  7. Awareness and Education
  8. Audits
  9. Compliance Enforcement
  10. Periodic Threat Analysis
  11. Ongoing Technical Vulnerability Analysis
  12. Periodic/Incremental Risk Assessment
  13. Periodic Business Impact Analysis
  14. Periodic Resource Dependency Analysis
  15. Outsourced Security Providers
  16. Other Organizational Support and Assurance Providers

Of these the most important are Personnel, Skills, Controls and Countermeasures.

I mentioned "due diligence" at the beginning in one of the knowledge statements, and it bears further discussion.  Due diligence is essentially a term related to the notion of the "standard of due care": the idea that there are steps that would be taken by a reasonable person of similar competency in similar circumstances.  For an information security manager, this means ensuring that the basic components of a reasonable security program are in place.

As a final parting thought, there needs to be a process in place to ensure that noncompliance issues are resolved in an effective and timely manner.  These events could potentially affect security baselines and necessitate a risk reassessment.

To review the other CISM Domains, you can find links to those reviews here.

Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.
