Resources that Help


1h 8m

In this course, you will be introduced to domain one, the first of four domains of the Certified Information Security Manager (CISM) certification. We begin by introducing the domain structure of the CISM exam and some core security concepts before moving on to the strategy of information security governance.

Then we look at the roles, functions, and responsible parties within information security governance. Finally, we take a look at the wide range of resources that complement the human factor when implementing information security.

Learning Objectives

  • Understand the main components and requirements of the CISM Domains
  • Learn about the roles and functions for information security governance
  • Learn about the additional resources that can be used for IT security

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Manager (CISM) exam, or anyone who simply wants to improve their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


And speaking of resources, we now move on to section 29, where we discuss the resources that help an information security governance program perform and succeed. Under the heading of assurance process integration and convergence, we first have to take stock of what we already have.

Looking at this particular mix of sources, we have governance, risk management and compliance (GRC). We have the ISACA-sponsored Business Model for Information Security (BMIS). And then of course we have a standard that can serve as the governance framework itself, ISO/IEC 27001.

One thing we find is that most of these are designed around the success of information security, but they do not integrate physical security very well. On closer examination, information security that does not integrate physical security will leave gaps, sometimes large and glaring ones. So assurance integration and convergence means bringing the electronic and the physical worlds together so that those gaps do not persist.

The Alliance for Enterprise Security Risk Management (AESRM) identifies the factors driving this: rapid expansion of the enterprise, the increasing value of information, new technology, new compliance requirements, a constantly changing threat landscape, and constant pressure to reduce costs. Together these drive the convergence of our program elements. AESRM's position is that convergence improves the value of the entire business, moves security to a decentralized model that puts it where it needs to be, and develops an entirely new view of risk and how it integrates with overall business management.

Now, one of the benefits of a good presentation is that the security manager properly educates senior management. This allows them to give clear and positive support for the strategy. It requires effective communication. It also makes clear that security will be measured, and how. It states that training for all employees, appropriate to the context of each role, will be done and is not optional. It raises the question of how management will provide adequate resources, so that the program is properly funded and supported and has far better chances of success. And it positions information security, both its physical and its electronic functions, as a critical business component.

Third parties are then shown that security matters and that it is integrated into our third-party and supply chain relationships. Where appropriate, security is discussed at board level. The formal presentation to senior management emphasizes these ideas, and the fact that it is delivered in this format shows that the problems can be described in terms all attendees understand and can be tied directly to business success.

The same approach applies to periodic reporting to senior management, who will want updates from time to time on how the program is going. These reports should always cover general progress, how well implementation is going, how far along it is, what the business impact analysis said before, what it says today, and what we project it will say when the work is complete.

We have to have evidence, and these reports show that the mitigation program as outlined, or as adjusted, is working. The program continually identifies weak links and addresses them through existing or added program elements. Each report will also carry the approvals required to keep senior management interacting and involved. This continuous communication shows that senior management, process owners, operational management and the workforce are all involved, all engaged and all performing as their respective duties require.

Historically, one thing we in information security have done relatively poorly is making the business case, but today more than ever we are required to show the direct business impact of an adverse information security event. The business case presents value in terms of a cost-benefit analysis and uses the language of the business rather than the somewhat arcane terms we use within information security. A typical business case presents the scope, a problem statement, the recommended approach, an evaluation of the current state and why a change or addition is needed, the feasibility of what we propose, and the forecast outcome.

Whenever a business case is part of a project, it needs to show how security will affect, amplify and enhance the project and how it will be integrated with the project's life cycle. It will always have to reflect the cost-benefit analysis of the proposed security methods.

Stage gates or kill points that force reviews ensure that the business is regularly informed and that the business case either remains valid or is adjusted. Communication is never one way; it always involves feedback loops. We have to establish these channels throughout the organization so that business issues needing senior management attention are escalated, so that guidance and solutions can be pushed downwards, and so that we can broadcast any changes and potential impacts to the various audiences throughout the organization.

As we have already said, upward communication keeps senior management in the loop and informed, and lets them make better-quality, better-informed decisions.

So, here is how we might tailor our communications. Senior management would typically be communicated with about strategy. Business process owners would receive a more operational perspective. Management in other areas would be informed as necessary and as relevant to their particular area. And the workforce will need training and various hiring programs; they will receive general programmatic communication and be informed as needed about changes in policy and procedures.

Kick-starting governance will often involve selecting an architectural framework, which itself serves as the foundation on which multiple forms of architecture can be built. These frameworks typically describe a method for designing toward a desired state using well-described, often fixed, building blocks. The resulting architecture is often referred to as a reference architecture.

Enterprise architecture (EA) is the foundation on which the entire organization is built, and the enterprise information security architecture (EISA) is a subset of it designed to jump-start the security design process. The EISA must be integrated with the business's enterprise architecture. Frequently we find that an EISA is absent because of cost, a perceived lack of benefit, or simply a lack of understanding of how the chosen framework achieves the goal of integrating the EISA with the enterprise architecture.

The frameworks considered include the Sherwood Applied Business Security Architecture (SABSA), The Open Group Architecture Framework (TOGAF), and ISACA's COBIT 5. Each of these frameworks defines roles, entities and the relationships between and among them.

Very important is the provision of a taxonomy for all processes, so that we have a common language, and the delivery of a set of artifacts for describing security operations. Using COBIT 5 as an example, it does a very good job of describing how to achieve these goals. It provides analysis methods and metrics that give us information and feedback on how to protect information systems and ensure their continuous availability, emphasizing the business and performance aspects, how we comply with the regulations that apply to us, and how we do so while keeping expenditure effective and efficient.

Any one of these frameworks may be better aligned to your existing practices or needs than another. In every case we have to ensure that the security architecture becomes tightly integrated with the overall enterprise architecture of the company.

Here you see an example of a framework that is widely accepted and employed: the ISO/IEC 27000 series, which has thirty-some volumes defined, of which 27 had been published at the time of this course. Only a few are shown here. The initial volume, ISO/IEC 27000 itself, gives an overview of the whole 27000 portion of the ISO library and defines the vocabulary and taxonomy carried through all the other volumes.

Then of course we have:

  • ISO/IEC 27001, the requirements for an information security management system (ISMS)
  • ISO/IEC 27002, the code of practice for information security controls
  • ISO/IEC 27003, ISMS implementation guidance
  • ISO/IEC 27004, information security management measurement, the volume on metrics
  • ISO/IEC 27005, information security risk management

The series continues through other volumes, each covering a specific topic but integrated to achieve the goal of an integrated security program. Here you see a graphical depiction of ISO/IEC 27002:2013. The areas in blue are the current 14 control domains of the 27002 code of practice, which, when properly and appropriately implemented, help achieve the goals and support compliance as measured against 27001.

We have other approaches, but the ones presented here are not frameworks for achieving information security. They can, however, if properly employed, contribute to its success. ISO 9001, the very well-recognized quality management standard, is itself not a security framework but a specification for building a system that achieves improvement and consistent maintenance of quality.

We have the very popular Six Sigma, a process-improvement methodology often combined with Lean. We have the NIST Special Publication 500 and 800 series, which are often descriptions of approaches to particular problems and are thus treated as reference standards. The Information Security Forum (ISF) publishes industry-focused guidance on how to achieve the various goals, including operational and regulatory features. And FISMA, the US Federal Information Security Management Act, is an example of a law that a specific sector, in this case US federal agencies, must comply with.

It is possible that no one of these will work on its own, so it is useful to consider an integrated combination of these standards and others. Throughout all of our control structures and frameworks, we have to look at the application of controls; controls are the primary components that help us achieve the overall security strategy.

COBIT 5 focuses on IT controls for just that purpose. But we will also need controls for non-IT processes. These include physical controls, such as the handling and storage of hard copies and other physical measures, and controls over human-based processes and interactions. These complement the IT controls to make sure that all aspects have been properly addressed.

Obviously this entire course, all of these certifications and our security programs rely on technology to achieve their objectives, which makes technology a critical aspect of an effective security strategy. But we have to recognize that no technology can compensate for non-systematic, human-based management, cultural or operational problems. Technology is not a cure-all; the other program elements have to be employed with equal importance.

We create policies, standards and procedures for each area of performance and each problem area. These need to be melded with the technology and reflected in it, so that the overall program takes a holistic approach and is effective wherever it is applied.

It is commonly said that people are expensive, and this is both a positive and a negative in this context. Most security incidents are the result of people's actions or inactions. Part of what we have to ensure when we screen employees before hiring is that we understand their trustworthiness and integrity, and we then have to apply the same standards and measurements to the existing workforce. To do so, we conduct background checks whenever needed, and specifically for more sensitive positions.

There are legal limitations on background checks, intended to eliminate discrimination. We may find a small occurrence that suggests something larger is in play, but that is often a subjective judgment rather than an objective finding.

Monitoring email may be beneficial. We still have to be very careful about how we employ any of these means, because certain rules, such as union agreements or government regulations, mandate that employees be given notice that this may be one of our normal auditing techniques, that no targeting is involved and that it is simply routine. And in performing it, we have to be able to demonstrate that even-handedness and objectivity are actually being achieved.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.