CISM: Domain 1 - Module 2
The Action Plan

Constraints that Hurt

In this course, we start off by looking at constraints that may prevent us from reaching our security objectives before moving on to how to form an action plan. This involves carrying out a gap analysis to see where you are and where you want to be (with regards to information security, of course) and then putting a plan into place to close the gap.

We then need to implement ways to measure progress towards closing the gap and we will look at that in the metrics and monitoring lecture. Finally, we look at the six strategic outcomes which help us to define what success looks like.

Learning Objectives

  • Understand the potential constraints that may impede our security measures
  • Learn how to create an action plan to reach our security goals
  • Learn how to measure progress through metrics and monitoring
  • Understand how we define success

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Management exam or anyone who is simply interested in improving their knowledge of information security governance.

Before taking this course, we recommend taking the CISM Foundations learning path first.


We continue now with the next module of part two of our CISM examination review seminar, and we're going to begin with section 30: information security governance, constraints that hurt. When we look at all the different things that we must comply with, the one thing that we worry about most is what constraints will prevent us from achieving our strategic goals. Concern areas include third parties, involving service providers, outsourced operations, trading partners, or merged or acquired organizations not yet fully assimilated.

The challenges in these areas are often unique and sometimes quite difficult to address. They involve cultural differences, technology incompatibilities, incident response processes (either incompatible ones or their lack of existence), and the level of acceptable business continuity and disaster recovery capabilities.

The first thing we should begin with is to document all responsibilities for all companies and elements prior to the relationship's approval. This enables identification of a response to risk that is appropriate and on par with the kind of threat and risk environment that the relationship presents.

There should, of course, be a formal arrangement or engagement model for the relationship. We always have to consider the legal and regulatory requirements of any of these situations that present themselves. The security strategy must of course have them as part of its fundamental building blocks to ensure that we've dealt with all the legal requirements. For example, privacy laws will differ, sometimes drastically, between jurisdictions.

This is particularly true when international environments are involved. You can allow different strategies based on region, or you can go generally restrictive overall, attempting to meet the most stringent of all and hoping to encompass the rest.

Regulatory compliance has to be treated like any other risk. It's a fundamental aspect of your business and therefore must be included and treated as such. Information retention, usually part of any of these regulatory sources, has its own set of issues, which are typically based on business requirements and the need for legal and regulatory compliance.

Legal and regulatory requirements, for that matter, may mandate minimum amounts of time to keep data or to retain certain documents even after retirement. Business requirements may extend that time but typically will not shorten it, the legal requirement being the ultimate determinant.

E-discovery also describes locating and delivering information in response to a legal request. We have to take care when destroying data, because if litigation holds happen to arrive, they will describe the necessity to stop all destruction and direct retention of everything, as it may be required for e-discovery.

Then we have our physical constraints. And when we consider these, we have to think about aspects such as storage capacity, physical space, the various environmental hazards that must be protected against, and what infrastructure exists to meet the need.

Personnel safety may be an aspect that has to be dealt with, and resource safety or even environmental safety. Whenever we think of constraints, we have to think of things that are cultural and reflective of the company's image. The organization needs to be seen as a good corporate citizen in its environment. As such, it must cultivate a good and positive image to both its customers and the general public. Anything that can happen that can negatively impact the company's image is likely to impact the company's value if care is not taken to protect both.

We have to be careful that perceptions, being influenced by location and culture, are proper and reflective of the kind of positive image that we want our enterprise to project. One of the things we have to deal with internally will be that certain kinds of assurance functions will be siloed along with others. They may have different reporting structures and authorities that might be incompatible or even in conflict with normal structures.

Senior management, of course, must always be considered and must have buy-in. As an example, two different departments have two different attitudes toward security. This, of course, presents the need to align them with the strategy and the corporate psychology of security and ensure that they come much closer, if not become identical, in their treatment of security. This may require, and frequently does, an appeal to the management of those areas, or an escalation one level higher to the management that oversees both areas, to bring about the increased compatibility and integration, driving them both towards the same attitude.

Without doubt, cost will always be one of the constraints. We will never have enough time, money or any other resource where we can spend something up to a national debt amount on security. At the same time, we have to recognize that, no matter how much we spend, simply throwing more money at a problem will not solve it any better without the application of a proper, intelligently conceived and even better implemented strategy.

The problem with this strategy is that there's not necessarily a direct line to value for the company or the organization in terms of what these security projects will contribute. We have to point to the control of risks and compliance with regulations as an activity that removes cost items and keeps us from bearing legal sanctions in the event our program fails.

We always need to conduct a proper cost-benefit analysis on any decision we make regarding mitigation strategies when it involves technologies, physical changes or any other acquisition of a component. Doing so means we calculate the annualized loss expectancy, both before and what we project afterwards, and use it as an upper limit on the cost of controls. It is not exactly the same as a return on investment, but it's as close as we can get.

In fact, speaking of ROI, it may not be helpful when it comes to regulatory compliance, because compliance is a necessary cost of doing business. As such, it's a cost that will simply be borne rather than invested in with the same psychology as producing a profit. If a penalty is a prison sentence for senior management, ROI won't really matter much either.

So we look for things in the areas of people, budget and time. One of the things that we have to account for in the area of constraints, in these three areas in particular, is people's dislike of change. We have to look for available budget, and we have to make sense out of the program and keep it within the budget, or rationalize it in such a way that our budget changes. Hopefully upwards.

When considering these things, we always need to look at the total cost of ownership of any new technology in order to do the cost-benefit analysis to justify its acquisition and employment. Manpower requirements, however, will have to be included as part of every operational lifecycle, new or existing.
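The cost-benefit check described above (ALE before and after a control as the ceiling on control spend, compliance treated as a cost to be borne rather than an investment, and total cost of ownership including manpower) worked through as an added Python example; this is not code from the course. It assumes the standard ALE = SLE × ARO formula, which the lecture names but does not spell out, and all figures are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """Quantified exposure to one loss scenario."""
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        # Standard SLE x ARO formula (assumed here; the lecture names ALE only).
        return self.sle * self.aro

@dataclass(frozen=True)
class Control:
    """A candidate mitigation with its full lifecycle cost, not just purchase price."""
    name: str
    acquisition_cost: float       # one-time purchase and implementation
    annual_operating_cost: float  # licences, maintenance, hosting
    annual_staff_cost: float      # manpower over the operational lifecycle
    lifetime_years: int
    residual: Exposure            # projected exposure once the control is in place
    required_by_regulation: bool = False  # compliance is a cost borne, not invested

    def annualized_tco(self) -> float:
        """Total cost of ownership spread evenly over the control's useful life."""
        return (self.acquisition_cost / self.lifetime_years
                + self.annual_operating_cost + self.annual_staff_cost)

def control_cost_ceiling(before: Exposure, after: Exposure) -> float:
    """Upper limit on annual control spend: the ALE reduction the control buys."""
    return max(before.ale() - after.ale(), 0.0)

def evaluate(before: Exposure, candidates: list[Control]) -> list[dict]:
    """Rank candidates by net benefit. A control is justified when its annualized
    TCO does not exceed the ALE reduction, or when regulation mandates it anyway."""
    rows = []
    for c in candidates:
        ceiling = control_cost_ceiling(before, c.residual)
        cost = c.annualized_tco()
        rows.append({"control": c.name, "ale_reduction": ceiling, "annual_tco": cost,
                     "net_benefit": ceiling - cost,
                     "justified": c.required_by_regulation or cost <= ceiling})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)

# Constructed scenario: a 200k-per-event incident expected once every two years.
BASELINE = Exposure(sle=200_000, aro=0.5)
CANDIDATES = [
    Control("endpoint detection", 60_000, 15_000, 30_000, 3, Exposure(200_000, 0.125)),
    Control("inline appliance", 150_000, 40_000, 45_000, 5, Exposure(200_000, 0.0625)),
    Control("log monitoring only", 0, 5_000, 18_000, 3, Exposure(200_000, 0.375)),
]
```

Note that the appliance delivers the largest ALE reduction yet fails the check once its staffing cost is counted, which is the point of using TCO rather than purchase price.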

There will be deadlines, of course, and we may need to hit those, or we may have an alternative known as a window of opportunity, so that we can deal with something during a period in which our efforts will be most effective, whereas comparatively at other times they'll be less effective. We always need to demonstrate that the capabilities we're seeking to put in place are part of the strategy and will achieve the desired results.

Fundamental to all of this will be the calculation of risk acceptance and risk tolerance. We must bear in mind that risk acceptance does not mean the literal doing of nothing or, in effect, taking no action. We have to regard it as a necessity, if the risk is real and relevant, that some reasonable action will be required.

If monitoring is all that can be done, the due care expectation will be that it should be done. We must be certain that we know what the risk appetite and the risk tolerance constraints will be for our organization. One method that will help us define these will be to discover what the recovery time objective will be for critical systems by performing the business impact analysis.

Normally, the shorter the RTO, the greater the cost and the lower the risk appetite. Deductibles in business continuity insurance may also be a good indicator of acceptable risk. And the costs of protection should never exceed their delivered benefit.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.