CISM Domain 3: Information Security Program Development & Management [Updated 2019]
This domain reviews one of the areas of knowledge that CISM candidates must grasp in order to be able to develop, manage and maintain an information security program that will be used to implement an information security strategy.
Information Security Program Development & Management (ISPDM) includes directing, overseeing and monitoring activities related to information security in support of organizational objectives, while at the same time bringing together human, physical and financial resources in an optimum combination.
In our article, “CISM Domain Overview”, we obtained an overview of the different domains that the CISM candidate encounters while taking the exam, discussing ISPDM lightly. In this piece, we gain a deeper understanding of the domain and discuss what candidates will need to know in preparation for the examination.
Information Security Program Development and Management Objectives
Candidates will be required to know how to define the resources required to achieve goals that are consistent with the objectives of the organization. They will be required to show a strong understanding in the initiation process of a security program from inception. This will involve knowledge of the many aspects and requirements of effective program design, implementation and management.
Candidates must familiarize themselves with the three essential elements of a security program. These include:
- It has to be the execution of a well-developed information security strategy. The program should support and be well aligned with organizational objectives.
- It must be well-designed, with cooperation and support from management and stakeholders.
- Effective metrics must be developed for program design and implementation phases, as well as the subsequent ongoing security program management phases to provide the feedback necessary to guide program execution to achieve the defined outcomes.
Importance of the Information Security Program
Information security program management is an ongoing process that protects information assets, satisfies regulatory obligations and minimizes possible legal and liability exposures. Candidates are extensively tested on their abilities to design effective program management plans. Good planning results in acceptable levels of information security and at a reasonable cost. Once candidates have exhibited an understanding on how planning is done, they are tested on designing, implementing, managing and monitoring the security program. Knowledge in this shows that candidates are able to transform the strategy into actuality.
Well defined models and frameworks exist that can assist candidates in the planning process.
Outcomes of Information Security Program Management
Effective information security program management should achieve the outcomes defined in ISG. The necessary goals must be defined in specific, objective and measurable terms. Appropriate metrics should also be put in place to measure whether or not the goals were achieved. If not, it should be known by how much the objectives were missed, and discussion done to improve on performance.
Candidates should focus on the following six outcomes, and they should be considered as the basis for developing the objectives of an effective information security program:
Strategic alignment: The emphasis here is on organizational information risk, selection of appropriate control objectives and standards, agreement on acceptable risk and risk tolerance and definitions of financial, operational and other constraints.
Risk management: Candidates must show a comprehensive understanding of threats the organization faces, its vulnerabilities and risk profile. Candidates must know how to evaluate the potential impacts of threats that materialize, and know approaches involved in reducing risks to an acceptable level.
Value delivery: Candidates should know that the execution of the security program can have a considerable impact on value delivery. Therefore, they should be able to show the ability of managing security investments so as to optimize support of business objectives. Candidates should be able to direct effort toward achievement of a standard set of security practices.
Resource management: Candidates must be able to show the ability to utilize available resources to develop and manage a security program. The different available resources often include people, financial and technical knowledge. Candidates must be able to ensure that knowledge is provided to those who need it, through proper documentation (this must be consistent with standards and policies).
Assurance process integration: Candidates must be aware of assurance functions since they invariably have significance for information security. It is important for candidates to be able to form formal relationships with various assurance providers and endeavour to integrate those activities with information security activities. In a typical organization this might include physical security, management, privacy office, audit, quality assurance, HR etc.
Performance measurement: Candidates must be able to identify points of useful monitoring during the evolution of a security program. There might be opportunities to “roll up” groups of metrics in order to provide a more holistic picture for managing security.
Candidates should be able to develop monitoring processes and associated metrics so as to provide continuous reporting on the effectiveness of information security processes and controls. Candidates should be aware that good metrics need to be developed at multiple levels, and should be defined, agreed on by management and aligned with strategic objectives.
Information Security Program Objectives
The primary objective of the information security program is to implement the strategy in the most cost effective manner while at the same time maximizing support of business functions and minimizing operational disruptions. In Information Security Governance (ISG) and Information Risk Management (IRM) the governance and risk objectives for a security program were defined and incorporated into an overall strategy.
The level of understanding that candidates need to have obtained in ISG and IRM will determine the degree of clarity in understanding information security program development objectives. For example, if candidates are able to come up with a well-developed security strategy, it would be less stressful for them to turn a high-level strategy into a meaningful, logical and physical reality.
Despite a well-formed security strategy, candidates must be able and prepared to modify or reconsider certain elements during the program design, development and administration, depending on the circumstances. This could result in a change in business requirements, underlying infrastructure, topology or even technologies used.
Candidates will also be tested on the primary drivers for an information security program. The ability to determine these drivers will enable the candidate to provide a basis for the development of relevant metrics. The common primary drivers that candidates should focus on are:
- The ever mounting requirements for regulatory compliance,
- Higher frequency and cost related to security incidences,
- Concerns over reputational damage, and
- Growing commercial demands of Payment Card Industry (PCI) Data Security Standard (DSS).
Once the objectives have been clearly defined, the next activity would be to develop the processes and projects that bridge the gap between the current state and those identified objectives. This can be done by performing gap analysis, however, candidates should note that if the processes outlined in ISG have been utilized to develop objectives, then the bridging would have been done at a high level. Nevertheless, much of what candidates will be tested on in relation to gap analysis (bridging the gap) will be the ability to identify the necessary controls, implement them, develop suitable metrics and then monitor control points in support of control objectives.
The Information Security Management Framework
Candidates should note that even though most frameworks for information security show the development of an IS program as starting with risk assessment and identification of control objectives, this may change depending on organizational objectives, and may be tailored to achieve the desired outcome, as discussed in ISG.
Candidates will be tested on operational components of a security program. They should have a solid grasp of the various components, including standard operating procedures, business operations security practices and maintenance of security technologies.
Candidates will also be tested on their ability to manage operational components. Sometimes these components fall outside of the information security domain (for example, operating system patching procedures). As such, the ability to communicate with IT, business units and other organizational units will be a plus for candidates. Examples of operational components that candidates will be tested on include:
- Identity management and access control administration
- Security event monitoring and analysis
- System patching procedures and configuration management
- Change control and/or release management processes
- Security metrics collection and reporting
- Maintenance of supplemental control techniques and program support technologies
- Incident response, investigation and resolution.
For each of the components above, candidates will be required to be able to identify the owner and collect key information needed for management of the necessary functions. Such information may include the component ownership and execution roles, activity schedule or triggers, required data inputs, success criteria and failure escalation criteria.
Candidates should display the ability to ensure that procedures for work log maintenance, issue escalation, management oversight and periodic quality assurance reviews are deployed and implemented. For example, a new operational procedure requiring a monthly chief operating officer (COO) review of security issues needs to be added to the appropriate task lists and schedules.
If you are interested in CISM bootcamp-style training, click here to receive an overview of what the course offers you and the current pricing. The course will allow candidates to develop the necessary skill set to fit into the current and ever-growing information security industry, and is in line with today’s acceptable industry standards.
After passing the examination, candidates will understand the necessary requirements for information security program development and management. They will develop the skillset necessary to design, implement and manage an information security program, according to organizational objectives, resulting in more job security, more job satisfaction and increased value to their organizations.