The Strategy

This course is the first module in Domain 2: Information Risk Management, which starts off by taking a comprehensive look at the benefits, practices, and outcomes of risk management. We then move on to look at the importance of goals in risk management and how to work towards them.

Finally, we cover the various methods to consider when forming a strategy for reaching your risk management goals.

Learning Objectives

  • Obtain a comprehensive understanding of risk management
  • Learn the importance of risk management goals and the strategy to achieve those goals

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Manager (CISM) exam, or anyone who is simply interested in improving their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


So we're moving into this information risk management domain, and now we talk about the strategy. The strategy is derived from the scope and charter statements and, like all strategies, is a plan to achieve the risk management goals stated in the previous slides. These goals are focused on getting to an acceptable level of risk within the scope.

Acceptable levels, which could be arbitrarily stated by management, are frequently based on the ability to absorb loss and continue unimpeded, on the risk appetite and tolerance of the organization, and, of course, on cost; we must have a risk-benefit ratio that we are trying to achieve. Every employee will play a part in identifying security issues; to a greater or lesser extent, that will depend on where the employee is, their role, and what they are involved with.

Part of this will foster a healthy and knowledgeable attitude towards risk, and it will work towards managing the risk after we operationalize the results of the program. Awareness of the program should not disclose ongoing investigations or vulnerabilities. Changing up training as necessary to maintain awareness and engagement reflects the realities of the roles, their needs, and their part in security specifically.

Awareness training for senior management, which is a requirement, should also highlight liability for them and for others within the company; the need for compliance, which is always vital because failures to meet it have legal consequences; and due care and due diligence, which are part of the governance standards. It sets the tone and the culture beginning at the top, and it informs them that they are responsible for setting risk acceptance levels and for ensuring that the program is carried out and properly executed.

So in the risk management program, we always have to figure out who does what, and in Section 37 that is what we are going to explore. The information security liaison is an individual in an operational area of the organization who represents the interests of security, balanced against the business aspects of their particular area. This will include a physical corporate security department; in large organizations, these people are oftentimes former law enforcement or former military, due to their background and familiarity with physical security.

In a smaller organization, this may be in facilities or other departments. For IT or internal auditors, their job is to ensure policy compliance and the identification and management of risk operationally, confirming that it is in fact being taken care of properly and highlighting where it is not. Information technology: these are the individuals who are the hands-on implementers and operators. They many times see security as getting in the way of doing their jobs. However, the program, if it is executed properly, will demonstrate to them the business benefit of this and the necessity of compliance, in such a way that interference with operations, as they perceive it, is minimized.

We typically will find that the controls are in place and that, properly implemented, they will achieve a balance between security and continued optimal performance. Business managers, who are typically asset managers as well and owners of risk in their respective areas, have to ensure that the business itself has a voice in security decisions.

Security also should be aware of product developments in order to help plan proper security for when the product is offered. HR, of course, has to play a role as well, because it governs various aspects of employee participation and contribution to these efforts, as well as what happens when sanctions are needed for employees who do not contribute. They are involved in policy construction and distribution, background checks, and various forms of training. Security works closely with HR to make sure that the computer usage rules, and the training necessary to ensure they are followed, are properly handed out and pervade the workforce, to get the optimal result.

Security liaisons in various areas oftentimes have a responsibility to ensure that other aspects are taken care of, such as with legal. These usually deal with compliance issues, liability, and due diligence. We have to regard each area, and the security liaison's responsibilities reflect this: the employees in the given area are the first line of defense, which highlights the importance of ensuring that they are properly trained.

Procurement should have a security standard that they follow to ensure that when they purchase goods and services, security is considered as fundamental to that procurement effort. The compliance effort, of course, is oftentimes placed in the hands of the legal department, where most organizations feel it properly belongs.

Security must work with the legal department to ensure that compliance measures that involve security are being taken care of. If there is a privacy office, it needs to be seen in areas where privacy is the primary concern. Sometimes this is in the HR area, sometimes in the legal office, and where it actually ends up in a given organization is a reflection of how it is perceived in that organization and where it is best positioned to be successful in its role. And training, oftentimes a part of HR itself, should be leveraged to create or acquire and deliver effective education programs.

Part of the security liaison's responsibilities might be the inclusion of quality assurance, to ensure that any product or any service has minimal defects and that it meets an acceptable level of control by the application of chosen measures. Insurance may be part of the security liaison's responsibility; oftentimes it is part of an operational office or an office of risk management.

Insurance is obtained for various conditions where something active in the way of mitigation, transference, or avoidance may not be possible. Insurance provides coverage for certain kinds of risks even though the event that you have the insurance to cover may indeed occur. We have third-party relationships, oftentimes handled through legal or through procurement. This involves outsourced functions, which we find are sources of risk up and down our supply chain. Anything that happens within the supply chain needs to be communicated regularly and quickly to ensure a response that is both appropriate and timely.

There may also be an involvement with the project management office. Security needs to be considered as fundamental and at the earliest stages in any project, and so the security liaison can see to it that this is being done by the appointed project managers.

Now, without question, risk will cross organizational lines of responsibility and departmental lines of authority. What we have to do here is make sure that what is being recognized is appropriate to the context, and that the various functions are being handled to ensure that risk is appropriately addressed as it crosses over these lines.

One of these controls would be separation or segregation of duties. We have to be careful with these because, first off, we need to ensure that the conflicts of interest they work to prevent are not created, but we still have to achieve a balance with performance, which may be degraded when we have a separation of duties. We might also find that individuals holding both functions may choose performance over security, but that is where the evaluation process comes in: to make sure that this balance is sought as the target and that, where trade-offs are made, proper business cases and oversight are applied.

Security program responsibilities should be spread among various parties to ensure that no one person functions as a single point of failure or a roadblock. This will require working with senior management to ensure that employees understand their responsibilities clearly and execute them properly.

Management activities for a security program will include actions such as directing various projects with security built into them; risk management activities, of course; incident management and response when incidents occur, and practice between incidents; oversight and monitoring to ensure timely and regular information flow; development of policy and procedures; and then the creation of the standards that implement these.

A necessary function throughout this will be administration, that is, the mechanical running of the processes to ensure that all the various activities are being taken as appropriate, that the communications are being handled, and, quite frankly, that the paperwork is being addressed.

Now, administration is concerned with the repetitive and daily tasks needed to achieve these various goals. Example items that administration will deal with are individual personnel performance, time tracking, purchasing and inventory management, project monitoring and tracking, and many other routine types of activities that ensure that the program is actually being carried out properly.

Certain examples of technical and operational administrative duties might include encryption key management, log monitoring, change request approval, vulnerability scanning, and penetration testing. Overall, all of these contribute to effective security management. As for security management as a role, the people occupying these positions must have a good working knowledge of the frameworks and standards being employed for IT and security. They have to act in a facilitative role to resolve competing goals between security and performance, to ensure that the balance is being sought and, where possible, achieved.

One of the things we seek is that people should want to seek out the security manager for value and expertise, meaning that they understand the needs of security and the business context, and actively and positively work towards the balance between the two.

Some additional responsibilities may be present, and these contribute positively to the overall success of the program. These include various roles such as security engineers, QA, and project managers. Small companies may assign multiple responsibilities to one individual, and of course, in such cases, we need to be sure that we are observing proper separation and segmentation of duties.

Each of these responsibilities will require a specific skill set to make sure that they are performed properly, and these skills must be provided through timely, correct training. Some may be outsourced, either if there is a skills gap while we seek to close it, or as a permanent solution. In some cases, we may have to rely on external providers to perform background checks or other actions.

A security manager can consult with the project management office for project information, its proper home, but everyone in the organization should know in the end what their role is, what their responsibility is, and what actions they are required to take to ensure that the assets under their supervision are being properly protected. Here we come to the end of this section.

So we stop here, and we will pick up after a short break with Section 38, information risk management and the resources that help.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP certification in 1997, Mr. Leo joined ISC2 in a professional role as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.