CISM Foundations: Module 5
Part One: Roles, Responsibilities, RACI, Due Care, Due Diligence, and Cybersecurity Principles

This next section in the CISM learning path covers a range of topics relating to information security and highlights the processes, techniques, and standards that can be used to protect your organization.

If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Understand how roles and responsibilities can be used in information security
  • Learn about due care and due diligence
  • Learn the principles of cybersecurity
  • Understand how to use metrics, indicators, and security-related technology
  • Learn about the security standards and frameworks to protect organizations

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field. 



Now we're going to move into Section 12, where we will cover some very important attributes that lead to a sound identity management program. The association of information access with role requirements is one of the fundamental control areas of any security program.

In order to ensure that a correct match is made between access and requirement, a clear understanding of the role itself is necessary. What we call a role is not the same as a job title, which frequently designates only a position in an organizational hierarchy.

For our purposes, a role is a precise definition of what a person holding a given position actually does and what information access enables success in that position. To make this association, two traits must be defined on each side: for the person, clearance and need to know; for the information itself, a classification and a category. These terms are often associated with a military setting, but in every commercial enterprise we find their equivalents.

Clearance relates to the establishment of a level of trust for the person in the role. Need to know is intended to associate that role with its specific functional information needs. Classification defines the sensitivity of the information based on confidentiality, integrity, or a combination. And category describes the intended function for the type and use of the information.

Clearance and classification are normally associated with each other, and both are typically hierarchical in nature. Need to know and category are similarly associated, since both are functional attributes and are more direct than hierarchical. The alignment of these attributes should provide a very close match between the role's responsibilities and the system, application, or information access that will enable the person occupying that role to fully accomplish those duties. The tool commonly used to record who holds which responsibility for those duties is a RACI chart.
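The clearance/classification and need-to-know/category pairing described above is a label comparison that can be written down precisely. The following is an added example, not part of the original course material; the level names, their ordering, and the sample roles and documents are assumptions constructed for illustration. It shows the two checks separately, so that a role with ample clearance but the wrong functional categories is still denied:

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical sensitivity levels, lowest to highest. The names and ordering
# are an assumption for this example; substitute your organisation's scheme.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Role:
    """What the person occupying a position is trusted with and needs to know."""
    name: str
    clearance: str                # hierarchical trust level established for the role
    need_to_know: FrozenSet[str]  # functional categories the role requires


@dataclass(frozen=True)
class Information:
    """How the information is labelled: sensitivity plus functional category."""
    name: str
    classification: str           # hierarchical sensitivity of the information
    categories: FrozenSet[str]    # functional categories it belongs to


def decide(role: Role, info: Information) -> str:
    """Return 'allow' or a 'deny: ...' reason. Unknown labels are denied (deny by default)."""
    if role.clearance not in LEVELS or info.classification not in LEVELS:
        return "deny: unrecognised label"
    # Hierarchical check: clearance must be at or above the classification.
    if LEVELS[role.clearance] < LEVELS[info.classification]:
        return f"deny: clearance {role.clearance} is below classification {info.classification}"
    # Functional check: the role needs need-to-know for every category on the information.
    missing = info.categories - role.need_to_know
    if missing:
        return "deny: no need-to-know for " + ", ".join(sorted(missing))
    return "allow"


# Constructed sample roles and information (assumptions for the example).
PAYROLL_ANALYST = Role("payroll analyst", "confidential", frozenset({"hr", "finance"}))
CHIEF_EXECUTIVE = Role("chief executive", "restricted", frozenset({"finance", "strategy"}))

SALARY_TABLE = Information("salary table", "confidential", frozenset({"hr", "finance"}))
MERGER_MEMO = Information("merger memo", "restricted", frozenset({"strategy"}))
BENEFITS_FAQ = Information("benefits FAQ", "internal", frozenset({"hr"}))


def matrix() -> dict:
    """Decision for every (role, information) pair; useful when reviewing a role definition."""
    return {
        (r.name, i.name): decide(r, i)
        for r in (PAYROLL_ANALYST, CHIEF_EXECUTIVE)
        for i in (SALARY_TABLE, MERGER_MEMO, BENEFITS_FAQ)
    }


if __name__ == "__main__":
    for (who, what), verdict in matrix().items():
        print(f"{who:16} -> {what:13}: {verdict}")
```

Note that the chief executive, despite holding the highest clearance, is denied the salary table and the benefits FAQ because the role was not defined with need-to-know for the "hr" category. That is the point of keeping the functional attribute separate from the hierarchical one: seniority alone never grants access.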

On this RACI (pronounced "racy") chart, standing for Responsible, Accountable, Consulted, and Informed, you see a straightforward and easily accessible tool for aligning actions at a functional level with the persons who require such access at an organizational level. Readers should note that there is a material distinction between responsible and accountable.

The responsible party is the one who has the operational duty to perform the given task or role, while the accountable party is the final authority over that task or role and holds a management obligation in regard to it. This obligation is often related to a regulatory or fiduciary requirement that must be met.

It is possible for the responsible party and the accountable party to be the same person without creating a conflict of interest, and other combinations of these assignments can likewise be made that do not. Before any such combination is made, however, the potential for a conflict of interest must be evaluated so that one is not created.

In addition to organizational position and functional role in RACI terms, the skill of the person in the given role, and any need for training, must also be considered. Any person being granted access must be prepared to execute the duties and the transactions that it may require.

They must also be aware of all compliance and performance requirements that go along with the access being granted. This applies to internal staff and to any external service provider performing the same duties. Likewise, these same qualities and requirements should be reflected in the language of any employment agreement or services contract with a third party.

Now we move into Section 13 for a brief discussion of due care and due diligence. Together, these two practices describe a process that begins with recognizing that one has an obligation, and then fulfilling that obligation through sensible action.

In legal terms due care means the care that an ordinarily reasonable and prudent person would use under the same or similar circumstances. In complement to this, due diligence is a process of acquiring objective and reliable information, generally on a person or a company prior to a specific event or decision.

It is usually a systematic research effort used to gather the critical facts and descriptive information most relevant to making an informed decision on a matter of importance. To put this simply, one begins with due care by recognizing that they have an obligation to learn about an important matter that will ultimately require an equally important decision.

The process of due diligence then poses all the questions and, with deliberation, seeks to learn all that is learnable from trusted sources, so as to become as fully and properly informed as possible prior to making that decision. The practicing CISM is expected to do both on a regular basis in order to best advise his or her principals regarding cybersecurity matters, to protect the enterprise, its people, and its operations.

In simpler terms, due care is acting to ensure that things don't go wrong, and due diligence is the process of learning all that is learnable in an effort to make sure that things don't, or can't, go wrong. Not exercising due diligence means not taking the time to see whether something can go wrong, how it can go wrong, and what steps are needed to prevent it.

Being negligent means knowing that there is a risk and doing nothing about it. And through the process of due care and due diligence, you seek to stop that from being the case, by providing the obligation recognition and the proper information for leading to doing something effective about the risk.

Ignoring risk is not the same as accepting it, as we mentioned before. For every risk that is both real and relevant, something effective must be done, even if it is only putting continuous monitoring in place. Doing so demonstrates action, shows recognition that our responsibility exists, and records that the prudent steps which were possible have been taken.

We now move into Section 14, where we are going to discuss security principles that are applied in a sound cybersecurity program. In cybersecurity and cybersecurity engineering, we are guided by several principles and practices that will produce the most appropriate security solutions. These solutions must be built using sound engineering practices and must achieve their objectives in balance with the organization's mission.

In the first column of the slide, we see confidentiality, defined as preventing unauthorized disclosure of information; integrity, the characteristic which ensures that the information remains authentic and trustworthy; availability, which encompasses the characteristics intended to ensure that the information, and any system or network it is on, will always be available in the proper form to authorized users; and authentication, which requires that users validate their claim of identity before being treated as authorized.

In the second column we have additional characteristics: non-repudiation, whereby originators, creators, or senders cannot deny that they were in fact the party that did so; and access control, wherein we provide access and the ability to manipulate information in a way, and at a level, that equates to the actual need of the party.

Privacy is the freedom that all individuals are supposed to enjoy from unwanted intrusion or disclosure of their information. Compliance is about measuring policies, procedures, controls, and other assorted things that put us in compliance with regulations, ensure that we meet any legal mandates, and allow us to prove that we do.

As far as these principles are concerned, it is our design and engineering capabilities that put in place the features and functions that achieve their intended goals. Some additional principles having to do with security include the following.

In the left-hand column we start with simplicity. Put another way, this means economy of design, work, and engineering: the application of Occam's razor to keep things simple. Another way of looking at this is that complexity creates technical fragility; it is the enemy of good security.

Moving on, we have the quality of fail-safe, which means that systems must fail into a state that is no less secure than the one they were in before the failure. Complete mediation requires that every access be checked, with no bypass. Open design refers to the fact that security must never be based on black boxes, or in any way on technologies or techniques that are secret. And the principle of denial by default means that systems, when brought into operation, start completely closed down and are gradually opened as requirements dictate.

The right-hand column begins with separation of duties and least privilege, the latter being, of course, keeping access at a level commensurate with the needs of the parties but at the lowest level of exposure. Psychological acceptability of controls reflects that controls must require of users only a reasonable effort and must not be unduly difficult or arduous to use. This principle reflects the fact that if systems or controls are too difficult to use, as perceived by the user, the temptation increases for them to find ways around the control or to bypass it altogether, and it is on the avoidance of this condition that the acceptability of controls rests.

Then we have layered defenses, which we commonly call defense in depth. The idea behind this is that no single control is entirely sufficient unto itself, so controls should be implemented in layers that mutually reinforce one another.

Our final principle is that of incident recording, which refers to the need to document all incidents, deconstruct them to understand their essential characteristics and causes, and seek to learn all that we can from the event, so that our response to future events will be improved by what we have learned from past ones.
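Several of the principles just listed (denial by default, fail-safe, complete mediation, and incident recording) are design properties that can be checked in code. The following is an added example and not part of the original course material; the allow-list, the role and object names, and the "policy store unreachable" scenario are assumptions constructed for illustration. It shows a small reference monitor in which every protected function is reached only through one decision point, anything not explicitly allowed is refused, an error while deciding is treated as a denial rather than an allow, and each denial or error is recorded for later review:

```python
import functools
from typing import Callable, Dict, List

# A policy source answers "may role perform action on obj?" (assumed interface).
PolicySource = Callable[[str, str, str], bool]


class AccessDenied(PermissionError):
    """Raised by the monitor for every request it does not explicitly allow."""


class ReferenceMonitor:
    """Single choke point for access decisions.

    - deny by default: only what the policy source explicitly allows passes
    - fail-safe: any error while deciding is treated as a denial
    - complete mediation: callers reach protected functions only via guard()
    - incident recording: every denial and every decision error is logged
    """

    def __init__(self, policy_source: PolicySource) -> None:
        self.policy_source = policy_source
        self.audit: List[Dict[str, str]] = []

    def check(self, role: str, action: str, obj: str) -> bool:
        try:
            # Only a literal True counts as an allow; anything else is a deny.
            allowed = self.policy_source(role, action, obj) is True
        except Exception as exc:  # fail-safe: a broken decision is a denial, not an allow
            self._record(role, action, obj, "error", repr(exc))
            return False
        if not allowed:
            self._record(role, action, obj, "denied", "not in policy")
        return allowed

    def guard(self, action: str, obj: str):
        """Decorator: the wrapped function is only callable through the monitor."""
        def decorate(fn):
            @functools.wraps(fn)
            def wrapper(role: str, *args, **kwargs):
                if not self.check(role, action, obj):
                    raise AccessDenied(f"{role!r} may not {action} {obj}")
                return fn(role, *args, **kwargs)
            return wrapper
        return decorate

    def _record(self, role: str, action: str, obj: str, outcome: str, detail: str) -> None:
        self.audit.append({"role": role, "action": action, "object": obj,
                           "outcome": outcome, "detail": detail})


# Constructed allow-list for the example: anything absent from it is denied.
ALLOWED = {
    ("operator", "read", "telemetry"),
    ("engineer", "read", "telemetry"),
    ("engineer", "write", "config"),
}


def allow_list_policy(role: str, action: str, obj: str) -> bool:
    return (role, action, obj) in ALLOWED


def unreachable_policy(role: str, action: str, obj: str) -> bool:
    """Stand-in for a policy store that is down; a fail-open design would wave requests through."""
    raise ConnectionError("policy store unreachable")


monitor = ReferenceMonitor(allow_list_policy)
CONFIG: Dict[str, str] = {}


@monitor.guard("write", "config")
def write_config(role: str, key: str, value: str) -> str:
    """Protected operation: there is no other path to CONFIG for callers."""
    CONFIG[key] = value
    return f"{key}={value}"


def scenario() -> Dict[str, object]:
    """Exercise the allow, deny-by-default and fail-safe paths; return what was observed."""
    results: Dict[str, object] = {}
    results["engineer"] = write_config("engineer", "log_level", "debug")
    try:
        write_config("operator", "log_level", "debug")  # not in policy -> denied
        results["operator"] = "allowed"
    except AccessDenied:
        results["operator"] = "denied"
    broken = ReferenceMonitor(unreachable_policy)
    results["during_outage"] = broken.check("engineer", "write", "config")  # False, logged
    results["outage_outcome"] = broken.audit[-1]["outcome"]
    return results


if __name__ == "__main__":
    print(scenario())
    for entry in monitor.audit:
        print(entry)
```

The test that matters most is the outage: an engineer who is normally allowed to write the configuration is refused while the policy store is unreachable, and the refusal is recorded with the error that caused it. That is what "fail into a state no less secure than before" looks like in practice, and the audit entries are the raw material that incident recording later deconstructs.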

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP certification in 1997, Mr. Leo joined ISC2 (in a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide.  He has maintained his standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. Leo is an ISC2 Certified Instructor.