ISACA CISM – Domain 03 – Information Security Program Development Part 1

April 19, 2023

1. Introduction

This domain covers information security program development. We’re going to look at the diverse areas of knowledge we need to be able to plan, design and implement an information security program. Remember that the information security program is a coordinated set of activities, projects and initiatives that we use to implement the information security strategy, and the strategy in turn exists to achieve the information security objectives that support the goals of the organization.

2. Lesson 1: Development of Information Security Program

We’re going to take a look at the development of an information security program. The program covers all of the activities and resources used to provide information security. It could be a short-term project, it could be a large multi-year endeavor, or it could be a combination of both, where the ultimate goal is a multi-year endeavor with lots of short-term projects leading the way there. Now, there are three important elements to any security program. First, the program has to be based on good information and integrated with the business objectives. We have mentioned this in other domains, but it is important to bring it up here because our ultimate goal is to make sure that the business itself is successful.

If I have a corporation that manufactures widgets, I need to make sure that the security program is designed to integrate with the process of building widgets. If it’s an online e-commerce company, I don’t want to create a security program that locks out anybody trying to connect to our web server unless they go through painstaking authentication processes. That’s generally not how e-commerce sites work, at least not for browsing the products; maybe for actually ordering them. So again, it’s important that we integrate the program with the business objectives, because we don’t want to put the business out of work. Sure, you’d have perfect security at that point, but only because there’s no business anymore.

Second, the program needs to be well designed. Third, and most importantly, the security program must have the support of management. That is a concept we’ve talked about a lot in these domains: support from the top down. It is what gives us the ability to enforce the programs and policies we’ll eventually come up with. Without it, the program really isn’t worth having. We also have to have quality metrics that we can use for the design and implementation phases as well as for ongoing monitoring. What do we do with our metrics? The metrics, or measurements, help us make sure that we are meeting compliance requirements and achieving the results we want out of the security program.

The saying is: how can you manage what you can’t measure? How do you know what’s really working if there’s no way to get good, meaningful metrics? We even went so far as to remind you that a complex countermeasure might be the best countermeasure you’ve ever seen and still be nearly useless to you if it gives you no quality metrics for ongoing monitoring. You don’t want to settle for “well, it’s turned on, it must be working.” We want a way to actually verify the result.

3. Importance of the Program

Now, what is the importance of the program? Remember, the program is not just implementation and operation. The security program is used to design security systems from the first build, through deployment, modification and maintenance, all the way to the end of the life cycle. So the program itself covers the full life cycle, from the very beginning to the very end. That means a successful security program takes a great deal of planning, and it needs a lot of expertise and potentially a lot of resources to plan through a life cycle like this.

4. Outcomes of Security Program Development

Now, what are some of the outcomes we want from our security program development? Well, we talked about strategic alignment. Again, alignment with the business objectives. You’re going to hear that a lot throughout the entire set of CISM domains, because it is one of the main points we need to stress: our goal is to be in alignment with business objectives. I know that folks working in IT sometimes see that as their whole world and feel that the world revolves around them (of course it does; I’m in IT). But in reality the world revolves around the company being profitable, and we are there to support the business functions. So that’s obviously part of what we want our security program to do. To make that work well, we also have to have good communications and feedback.

That means we need communication paths: who I report to, who should be aware of different aspects of this program, and where feedback comes in so we realize where changes might be needed. Now, before any security program or security system starts, we must have risk management. Risk management gives us an idea of our starting point and where we want to go, and it also lets us know whether we’re maintaining acceptable levels of risk. We also need value delivery; in other words, the security program must bring value to the organization. Part of the program deals with resource management, where resources are people, technologies and processes. We also need assurance process integration and, as before, a way of measuring performance. All of these make up part of our security program development.

5. Effective Information Security Program Development

As we deal with an effective information security program, we need to know that every program has roles and responsibilities. It starts with executive management and moves on down the organizational chart. There could be a matrix of outcomes and responsibilities that connects the different components of the program with the related activities. In other words, no one group is responsible for all aspects of my security program; they work together, each with its own responsibilities, to piece this together as a complete project. That means our team members should be working together and should be made aware of the content of the information security program so they can coordinate it with their respective areas. So where do we start? We’re probably going to start with strategy.

Here the information security manager, I’ll call that person the ISM, is going to look at standard industry practices. They’re going to work on a strategy, usually starting from some sort of framework or foundation, and from those standard practices they will make recommendations. From the information gathered through the strategy, we move on to policy. That is where the ISM will be responsible for writing or publishing the policies. It’s important to remember that you may be in charge of writing and publishing them, but they still need approval from executive management.

Next is awareness. The ISM is there to do training, and training is to make everybody aware of where they are, what their roles are and what is expected of them, through security classes and published announcements. By the way, you might have noticed that everything so far falls under the responsibilities of the information security manager. They may delegate some of these, the training for instance, but it is still up to that position to make sure it happens. From that point we have implementation. Notice that awareness was done prior to implementation, and policy was done before awareness.

Hopefully it makes sense that I can’t train you on a policy that isn’t already in place. The awareness training prepares you for the impending implementation, rather than implementing first and then getting people in trouble for not following it, or increasing risk because people aren’t aware of the new policies. We are getting ready for the implementation by making sure people understand that on a certain date something is going to occur. The implementation itself is often done through a security review process as well as several projects, so it may not happen all at once.

In fact, during implementation we may have to deal with corrections: preventive controls to stop some issues, detective controls to find the issues that need correcting, and the corrections themselves. So we may have a little prevent-detect-correct cycle going on through the implementation as we work out the bugs. Once we get past implementation, the next thing the ISM does is ongoing monitoring. The ISM’s job is to review the critical configurations periodically, maintain metrics on the security configuration and look at the logs to make sure that we are still within compliance. That is the goal: through that process, to maintain compliance.

At this point, within compliance monitoring, the ISM may have identified a security issue, perhaps realizing that we are no longer in compliance. Then I have to go back to strategy to address that issue, update policies and go through the cycle again. So that’s an idea of the development process and what’s going on. And at some point there’s the end of the life cycle, when this particular security program is no longer in use and we’re on to something new.
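The ongoing-monitoring step above (review critical configurations periodically, keep metrics, check compliance) and the earlier warning against “it’s turned on, it must be working” are easy to state and easy to do badly. The script below is an added example, not code from the course or from ISACA: it compares a set of observed host settings to a baseline of critical configurations and rolls the results up into a compliance metric an ISM could track from one review to the next. The baseline, the control names and the per-host observations are all constructed for illustration; the point is the shape of the check, not the specific settings. Note two deliberate choices: a control that is “enabled” but has no effect (audit enabled, zero rules loaded) fails, and a setting that was never reported counts as non-compliant rather than being silently skipped.

```python
"""Configuration-compliance metric: compare observed settings to a baseline.

Added example for the monitoring step. Instead of trusting that a control is
"turned on", each control is checked against an expected value and the result
is rolled up into a metric that can be tracked over time. The baseline, the
control names and the host data below are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical baseline of "critical configurations" (not from any real standard).
# Each control carries one rule type: expect (exact value), max/min (numeric bound)
# or min_version (dotted version string compared numerically).
BASELINE = {
    "sshd.PermitRootLogin": {"expect": "no"},
    "sshd.PasswordAuthentication": {"expect": "no"},
    "sshd.MaxAuthTries": {"max": 4},
    "audit.enabled": {"expect": "yes"},
    "audit.rules_loaded": {"min": 1},      # "enabled" alone proves nothing
    "tls.min_version": {"min_version": "1.2"},
}

# Constructed observations, as a config-collection job might report them.
OBSERVED = {
    "web-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "sshd.MaxAuthTries": 3, "audit.enabled": "yes",
               "audit.rules_loaded": 12, "tls.min_version": "1.2"},
    "web-02": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
               "sshd.MaxAuthTries": 6, "audit.enabled": "yes",
               "audit.rules_loaded": 0, "tls.min_version": "1.0"},
    "db-01":  {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "sshd.MaxAuthTries": 4, "audit.enabled": "yes",
               "audit.rules_loaded": 40},   # tls.min_version never reported
}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    observed: object
    reason: str


def _version_tuple(v):
    return tuple(int(p) for p in str(v).split("."))


def check_control(rule, value):
    """Return None if value satisfies rule, otherwise a short reason string."""
    if value is None:
        return "not reported"          # missing evidence is a failure, not a pass
    if "expect" in rule and str(value).lower() != rule["expect"]:
        return f"expected {rule['expect']!r}"
    if "max" in rule and value > rule["max"]:
        return f"exceeds maximum {rule['max']}"
    if "min" in rule and value < rule["min"]:
        return f"below minimum {rule['min']}"
    if "min_version" in rule and _version_tuple(value) < _version_tuple(rule["min_version"]):
        return f"older than {rule['min_version']}"
    return None


def evaluate_host(host, observed, baseline=BASELINE):
    """Evaluate every baseline control for one host; return the list of findings."""
    findings = []
    for control, rule in baseline.items():
        reason = check_control(rule, observed.get(control))
        if reason is not None:
            findings.append(Finding(host, control, observed.get(control), reason))
    return findings


def compliance_metrics(observed_by_host, baseline=BASELINE):
    """Roll findings up into the numbers a manager would track review over review."""
    per_host = {}
    failing = Counter()
    total_checks = failed_checks = 0
    for host, observed in observed_by_host.items():
        findings = evaluate_host(host, observed, baseline)
        per_host[host] = round(100 * (1 - len(findings) / len(baseline)), 1)
        failing.update(f.control for f in findings)
        total_checks += len(baseline)
        failed_checks += len(findings)
    return {
        "overall_pct": round(100 * (1 - failed_checks / total_checks), 1),
        "per_host": per_host,
        "hosts_fully_compliant": sum(1 for p in per_host.values() if p == 100.0),
        "worst_controls": failing.most_common(3),   # where to spend the next cycle
    }


if __name__ == "__main__":
    m = compliance_metrics(OBSERVED)
    print(f"overall compliance: {m['overall_pct']}%")
    for host, pct in m["per_host"].items():
        print(f"  {host}: {pct}%")
    for f in evaluate_host("web-02", OBSERVED["web-02"]):
        print(f"  web-02 {f.control}={f.observed!r}: {f.reason}")
```

On the constructed data, web-01 is fully compliant, web-02 fails four of six controls (including the audit subsystem that is “enabled” with no rules loaded) and db-01 fails only because it never reported its TLS setting. The overall figure and the “worst controls” list are the kind of metric the text is asking for: they say which specific control to fix next, and a drop between two review cycles is what sends the ISM back to the strategy and policy steps.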

6. Lesson 2: Information Security Program Objectives

So in this lesson, we’re going to talk about the information security program objectives. And that means we’ll first of all talk about what program objectives are and then talk about how we can define those objectives.

7. Cross Organizational Responsibilities

Let’s take a look at our cross-organizational responsibilities. We’ll break it down by role, responsibilities and KPIs. You can use this as an overlay or as a guideline; the point is that the responsibilities are spread out, because people at different levels and in different roles all participate in the security program.

Executive management. Responsibilities: oversight, making sure the policies and the program are in alignment with the business objectives, and assigning responsibilities (delegation).

Business risk management. Responsibilities: the IT risk assessment. KPI: prioritization of risks.

Department managers. Responsibilities: sign-off and testing of security requirements, and determining access and authorizations. KPIs: formal approval of security features and assignment of access rights.

IT operations management. Responsibilities: security monitoring, incident response, crisis management and site inventory. KPIs: identification of security incidents, and proper response and recovery procedures.

Quality manager. Responsibilities: security review, application security design, change control, management of security upgrades and security policy compliance (not making the policy, but making sure it is complied with). KPIs: meeting the business requirements for confidentiality, integrity and availability, testing applications, and software fixes.

8. Program Objectives Part1

When we take a look at program objectives, the main objective is to carry out the strategy in the most cost-effective manner possible. Program objectives is a broad term, I realize that, so I’m not being very specific about what a particular program is trying to do. But whatever the program is, hopefully it makes sense that if it’s worth having, you have a strategy for it and you’re not wasting money creating it. In other words, whatever the program is, one of our hopes is that it maximizes business. Remember, everything I’ve said and will continue to say is that it’s about the business needs. So we’re hoping to maximize business as well as minimize disruptions, depending of course on what the program is.

There may be times when there’s a maintenance window while we’re getting things put together and online into production, and maintenance windows do cause disruptions. So they’re part of what we plan, part of the change control we go through. Along with any of these programs there is inherently some risk. In other domains we’ve talked about looking at risks for projects and risk for the program itself, so it’s important that we also have a risk analysis of what could go wrong as we go through this process. Hopefully lots of testing in a lab setting has been done before any of these programs is put into place.

How clear you are on these first steps will mean a lot lower risk and an easier implementation. If it’s a well-developed program, its primary task is turning the high-level strategy into something that fits the logical and physical reality, and then coming up with the detailed documentation needed to get these projects into the production environment.

9. Program Objectives Part2

Remember, some things are inevitable. As we go from the planning stage, which is where we start with any of these, through program development, some of the elements and some of the assumptions you had may have to be modified or even completely reconsidered. Don’t be surprised that the plan you started with might change. Over time, from when the program is being implemented and even while it’s in place, there could be changes in the business requirements that you have to account for.

Your underlying infrastructure may have changed, or you may have had topology changes (topology meaning the path traffic takes through your network), and of course you could run into internal resistance: people who are not on board with this particular program. If you ask me, those are all part of the risk of the program. The things that change may cause the program’s cost to change and may send you back to the planning stage, but again, that’s just part of what we call information security program development.

10. Defining Objectives Part1

Part of the program is defining the objectives. Realistically, it’s rare for a security manager to come into a situation where there is no security program already in place. So more than likely you already have one, and as we modify the security program we have to compare what the organization already does with what is required to get to the desired state. Now, there are forces that drive business needs and affect your security program. The first, and obviously very important, is regulatory compliance. If you’re not in compliance, your company could face being shut down or could face large fines.

Another thing that drives the need for a new or changed security program is a higher frequency of security incidents; we’re trying to make sure we can adapt to the changing security landscape. We certainly want what we put in place to help avoid the reputational damage that comes from a security breach. Another driver is new business needs, for example a company that now wants to take online payments. Even your pizza delivery people now have card readers on their smartphones so they can take your payment on the spot.

That means new requirements govern how secure we must be, in this case the Payment Card Industry Data Security Standard (PCI DSS), and those requirements drive changes to your security program. Any of these can be reasons to clarify the objectives of the program. Remember that once the objectives have been clearly defined, your security program development activities are designed to develop the processes and projects that close the gap between your current state and those objectives.
