Introducing information security governance

In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented by way of policies, standards, and procedures.

The information security governance model is primarily impacted by the complexity of an organization's structure. An organization's structure includes objectives, its vision and mission, different function units, different product lines, hierarchy structure, leadership structure, and other relevant factors. A review of organizational structure will help the security manager to understand the roles and responsibilities of information security governance, as discussed in our next topic.

The responsibility of information security governance

The responsibility for information security governance primarily resides with the board of directors and senior management. Information security governance is a subset of the overall enterprise governance. The board of directors is required to make security an important part of governance by way of monitoring key aspects of security. Senior management holds the responsibility to ensure that security aspects are integrated with business processes.

The involvement of senior management and the steering committee in discussions and in the approval of security projects indicates that the management is committed to aspects relating to security. Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight on the security environment of the organization.

It is very important for a CISM aspirant to understand the steps for establishing the governance, as we will discuss in the next section.

Steps for establishing the governance

For effective governance, it should be established in a structured manner. A CISM aspirant should understand the following steps for establishing governance:

1. First, determine the objectives of an information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that you are willing to take. One example of an objective for a bank may be that the system should always be available for customers – that is, there should be zero downtime. Information security objectives must also align with and be guided by the organization's business objectives.
2. The next step is that the information security manager develops a strategy and requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the strategy to move to the desired state of security from its current state of security. The desired state of security is also termed as the security objectives. This gap analysis becomes the basis for the strategy.
3. The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security manager needs to consider various factors such as time limits, resource availability, the security budget, laws and regulations, and other relevant factors.

These specific actions are implemented by way of security policies, standards, and procedures.

Governance framework

The governance framework is a structure or outline that supports the implementation of the information security strategy. They provide the best practices for a structured security program. Frameworks are a flexible structure that any organization can adopt as per their environment and its requirements. Governance frameworks such as COBIT and ISO 27000 are both examples of widely accepted and implemented frameworks for security governance.

Let's look a bit closer at an example of information security governance in the next section.

The aim of information security governance

Information security governance is a subset of the overall enterprise governance of an organization. The same framework should be used for both enterprise governance and information security governance for better integration between the two.

The following are the objectives of information security governance:

• To ensure that security initiatives are aligned with the business's strategy and support organizational objectives.
• To optimize security investments and ensure the high-value delivery of business processes.
• To monitor the security processes to ensure that security objectives are achieved.
• To integrate and align the activities of all assurance functions for effective and efficient security measures.
• To ensure that residual risks are well within acceptable limits. This gives comfort to the management.

We will now go through the key aspects from the perspective of the CISM exam, and in our next topic, we will discuss important aspects of GRC. A CISM aspirant should understand why it is important to integrate all GRC functions.

Key aspects from the CISM exam perspective

The following are some of the key aspects from the CISM exam perspective:

Table 1.1 – Key aspects from the CISM exam perspective

Questions

1. The effectiveness of information security governance is best indicated by which of the following?

   A. Security projects are discussed and approved by a steering committee.

   B. Security training is mandatory for all executive-level employees.

   C. A security training module is available on the intranet for all employees.

   D. Patches are tested before deployment.

   Answer: A. Security projects are discussed and approved by a steering committee.

   Explanation: The involvement of a steering committee in the discussion and approval of security projects indicates that the management is committed to security governance. The other options are not as significant as option A.

2. An information security governance model is most likely to be impacted by which of the following?

   A. The number of workstations.

   B. The geographical spread of business units.

   C. The complexity of the organizational structure.

   D. The information security budget.

   Answer: C. The complexity of the organizational structure.

   Explanation: The information security governance model is primarily impacted by the complexity of the organizational structure. The organizational structure includes the organization's objectives, vision and mission, hierarchy structure, leadership structure, different function units, different product lines, and other relevant factors. The other options are not as significant as option C.

3. Which of the following is the first step in implementing information security governance?

   A. Employee training.

   B. The development of security policies.

   C. The development of security architecture.

   D. The availability of an incident management team.

   Answer: B. The development of security policies.

   Explanation: Security policies indicate the intent of the management. Based on these policies, the security architecture and various procedures are designed.

4. Which of the following factors primarily drives information security governance?

   A. Technology requirements.

   B. Compliance requirements.

   C. The business strategy.

   D. Financial constraints.

   Answer: C. The business strategy.

   Explanation: Information security governance should support the business strategy. Security must be aligned with business objectives. The other options are not a primary driver of information security governance.

5. Which of the following is the responsibility of the information security governance steering committee?

   A. To manage the information security team.

   B. To design content for security training.

   C. To prioritize the information security projects.

   D. To provide access to critical systems.

   Answer: C. To prioritize the information security projects.

   Explanation: One of the important responsibilities of a steering committee is to discuss, approve, and prioritize information security projects and to ensure that they are aligned with the goals and objectives of the enterprise.

6. Which of the following is the first step of information security governance?

   A. To design security procedures and guidelines.

   B. To develop a security baseline.

   C. To define the security strategy.

   D. To develop security policies.

   Answer: C. To define the security strategy.

   Explanation: The first step is to adopt the security strategy. The next step is to develop security policies based on this strategy. The step after this is to develop security procedures and guidelines based on the security policies.

7. Which of the following is the most important factor for an information security governance program?

   A. To align with the organization's business strategy.

   B. To be derived from a globally accepted risk management framework.

   C. To be able to address regulatory compliance.

   D. To promote a risk-aware culture.

   Answer: A. To align with the organization's business strategy.

   Explanation. The most important objective of an information security governance program is to ensure that the information security strategy is in alignment with the strategic goals and objectives of the enterprise. The other options are secondary factors.

8. Which of the following is effective governance best indicated by?

   A. An approved security architecture.

   B. A certification from an international body.

   C. Frequent audits.

   D. An established risk management program.

   Answer: D. An established risk management program.

   Explanation: An effective and efficient risk management program is a key element of effective governance. The other options are not as significant as an established risk management program.

9. Which of the following is the effectiveness of governance best ensured by?

   A. The use of a bottom-up approach.

   B. Initiatives by the IT department.

   C. A compliance-oriented approach.

   D. The use of a top-down approach.

   Answer: D. The use of a top-down approach.

   Explanation: In a top-down approach, policies, procedures, and goals are set by senior management, and as a result, the policies and procedures are directly aligned with the business objectives. A bottom-up approach may not directly address management priorities. Initiatives by the IT department and a compliance-oriented approach are not as significant as the use of a top-down approach.

10. What is the prime responsibility of the information security manager in the implementation of security governance?

    A. To design and develop the security strategy.

    B. To allocate a budget for the security strategy.

    C. To review and approve the security strategy.

    D. To train the end users.

    Answer: A. To design and develop the security strategy.

    Explanation: The prime responsibility of the information security manager is to develop the security strategy based on the business objectives in coordination with the business process owner. The review and approval of the security strategy is the responsibility of the steering committee and senior management. The security manager is not directly required to train the end users. The budget allocation is the responsibility of senior management.

11. What is the most important factor when developing information security governance?

    A. To comply with industry benchmarks.

    B. To comply with the security budget.

    C. To obtain a consensus from the business functions.

    D. To align with organizational goals.

    Answer: D. To align with organizational goals.

    Explanation: The objective of the security governance is to support the objectives of the business. The most important factor is to align with organizational objectives and goals. The other options are secondary factors.

12. What is the prime objective of GRC:

    A. To synchronize and align the organization's assurance functions.

    B. To address the requirements of the information security policy.

    C. To address the requirements of regulations.

    D. To design low-cost a security strategy.

    Answer: A. To synchronize and align the organization's assurance functions.

    Explanation: The concept of GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered secondary objectives.

13. What organizational areas are the main focus for GRC?

    A. Marketing and risk management.

    B. IT, finance, and legal.

    C. Risk and audit.

    D. Compliance and information security.

    Answer: B. IT, finance, and legal.

    Explanation: Though a GRC program can be applied in any function of the organization, it is mostly focused on IT, finance, and legal areas. Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on IT processes. Legal GRC focuses on the overall enterprise-level regulatory compliance. GRC is majorly focused on IT, finance, and legal processes to ensure that regulatory requirements are adhered to and risks are appropriately addressed.

14. What is the most effective way to build an information security governance program?

    A. To align the requirements of the business with an information security framework.

    B. To understand the objectives of the business units.

    C. To address regulatory requirements.

    D. To arrange security training for all managers.

    Answer: B. To understand the objectives of the business units.

    Explanation: The information security governance program will not be effective if it is not able to address the requirements of the business units. The objective of the business units can be best understood by reviewing their processes and functions. Option A is not correct, as security requirements should be aligned with the business and not the other way round. Options C and D are not as significant as option B.

15. What is the main objective of information security governance?

    A. To ensure the adequate protection of information assets.

    B. To provide assurance to the management about information security.

    C. To support complex IT infrastructure.

    D. To optimize the security strategy to support the business objectives.

    Answer: D. To optimize the security strategy to support the business objectives.

    Explanation: The objective of security governance is to set the direction to ensure that the business objectives are achieved. Unless the information security strategy is aligned with the business objectives, the other options will not offer any value.

16. The security manager noticed inconsistencies in the system configuration. What is the most likely reason for this?

    A. Documented procedures are not available.

    B. Ineffective governance.

    C. Inadequate training.

    D. Inappropriate standards.

    Answer: B. Ineffective governance.

    Explanation: Governance is the process of oversight to ensure the availability of effective and efficient processes. A lack of procedures, training, and standards is a sign of ineffective governance.

17. What is an information security framework best described as?

    A. A framework that provides detailed processes and methods.

    B. A framework that provides required outputs.

    C. A framework that provides structure and guidance.

    D. A framework that provides programming inputs.

    Answer: C. A framework that provides structure and guidance.

    Explanation: A framework is a structure intended to support the processes and methods. They provide outlines and basic structure rather than detailed processes and methods. Frameworks are generally not intended to provide programming inputs.

18. What is the main reason for integrating information security governance into business activities?

    A. To allow the optimum utilization of security resources.

    B. To standardize the processes.

    C. To support operational processes.

    D. To address operational risks.

    Answer: D. To address operational risks.

    Explanation: The main objective of integrating the security aspect in business processes is to address operational risks. The other options may be considered secondary benefits.

19. Which of the following is the most important attribute of an effective information security governance framework?

    A. A well-defined organizational structure with necessary resources and defined responsibilities.

    B. The availability of the organization's policies and guidelines.

    C. The business objectives support the information security strategy.

    D. Security guidelines supporting regulatory requirements.

    Answer: A. A well-defined organizational structure with necessary resources and defined responsibilities.

    Explanation: The most important attribute is a well-defined organizational structure that minimizes any conflicts of interest. This ensures better governance. Options B and D are important aspects, but option A is more critical. Option C is not correct, as the security strategy supports the business objectives, and not the other way round.

20. What is the most effective method to use to develop an information security program?

    A. A standard.

    B. A framework.

    C. A process.

    D. A model.

    Answer: B. A framework.

    Explanation: A framework is the most suitable method for developing an information security program as they are more flexible in adoption. Some of the common frameworks include ISO 27001 and COBIT. Standards, processes, and models are not as flexible as frameworks.