This course covers the foundations of information security and prepares students for the CISM (Certified Information Security Manager) exam. It starts off by taking a comprehensive look at the fundamental, core concepts of information security. We then move on to governance, goals, strategies, policies, standards, and procedures of information security, before finally doing a deep dive on security strategy.

If you have any feedback relating to this course, feel free to reach out to us at

Learning Objectives

  • Prepare for the CISM exam
  • Understand the core concepts of information security
  • Learn about governance, goals, strategies, policies, standards, and procedures of information security

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.

Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.

Now we move on to section three, in which we describe strategy. Let's begin with an overview. A strategy has to specify a number of things, beginning with our starting point, our ending point, a definition at the functional level of the gap between the two, and general high-level guidance on closing that gap.

As we see on the slide, the details of our discussion are: Where are we now? Where do we want to be? What is the gap between the two? And what do we do to close that gap? While everyone seems able to specify goals in the various contexts in which they find themselves, there is a certain skill associated with defining the strategy necessary to achieve those goals.

Strategies can fail for a variety of reasons, and those specifying strategies to achieve defined goals need to be careful and watchful for the factors that can bring about the failure of their strategy. These include overconfidence, which is, of course, the overestimation of one's capabilities to carry out the strategy, together with the following:

  • Optimism. When combined with overconfidence, optimism can lead to unrealistic estimates, minimization of obstacles, and a failure to perceive complicating factors.
  • Anchoring. A human tendency to follow the first number or the first piece of information heard, regardless of whether it turns out to be unrelated or inaccurate.
  • Status quo. Another human characteristic: the tendency to stick with the way we do it now, even if it's ineffective, rather than taking a risk on a change.
  • The endowment effect. People tend to place more value on the things they already have than on things they have to work to achieve. Another way to describe this is "a bird in the hand."
  • Mental accounting. The characteristic of treating actual money differently based on the source from which it comes.
  • The herding effect. Sometimes referred to as the mob effect, this is the tendency of people to follow what others are doing regardless of whether it's effective or not.
  • False consensus. An overestimation of just how much agreement there really is in a crowd, which discounts the potential for something less than complete agreement.
  • Confirmation bias. The tendency of people to seek confirmation only from those who will agree with their positions or opinions.
  • Selective recall. A common tendency to remember only what it suits us to remember, or what has a positive impact on the desired outcome.
  • Biased assimilation. The tendency to accept only the facts that support one's current perspective and ignore all others.
  • Biased evaluation. Similar to biased assimilation: anything that appears to conflict with already held beliefs or convictions must obviously be wrong.
  • Groupthink. Another characteristic similar to the mob effect, where a person in a group succumbs to pressure to believe or accept what the rest of the group believes.

Moving on to the elements of a strategy. As long as we can avoid the foregoing main causes of strategy failure, we begin with a much more solid approach. The first thing that needs to happen is that we need to define the elements between start and end of a strategy. By defining the starting and ending points, we clearly recognize how we begin and hold a clear vision of what the end should look like when we succeed.

As always with any plan or project, the elements that must be considered most carefully and accurately are the resources and the constraints. Another very important and quite serious consideration is that the interaction between the elements that make up our strategy can be very complex. This needs to be considered carefully, because complexity can amplify the difficulties in a problem or complicate the pursuit of a strategy.

Starting with a proper and well-considered selection of a security framework can reduce the opportunities for this complexity to grow. One way of controlling the growth of complexity is to break the strategy down into smaller subprojects. Doing so makes the pieces easier to manage with built-in checkpoints, simplifies adjusting to changes mid-course, and provides valuable metrics on how the overall strategy is progressing.

Here we have lists of the various strategy resources that will come into play throughout the execution of the strategy itself. These include the mechanisms, processes, and systems that will be available for carrying out the strategy.

As with all good project planning, all required resources should be enumerated from the very beginning, or added as they are recognized as needed during the progress of the strategy. On this slide there are two lists of many of the common resources used in the execution of normal projects.

In the left-hand column, starting at the top, are guidance documents. Moving down the list, we have a variety of mechanisms, controls, and technologies that will be implemented as guided by those governance documents. Near the bottom of that list are a number of items related to the specific things that humans will require to perform their part of the strategy.

The right-hand column starts with more of what the human participants in the strategy will require. Moving down the list, we have audits, compliance enforcement, threat assessment, and a variety of other tasks that support the people planning and executing the strategy through to the end of the project.

Every bit as important as the resources are, of course, the constraints. These are factors that work against efficiency and performance and effectively stand in the way of accomplishing what was originally envisioned.

As shown in the list on this slide, they include legal, physical, cultural, personnel (lacking or imbalanced), time, and risk appetite. In the course of developing the strategy, some of these constraints may be dealt with and mitigated, but at the beginning of strategy development, all constraints that can be known should be accounted for while laying out the strategy.

It is very common for constraints to arise after the performance of the strategy has begun. These too need to be accounted for, to ensure that they are effectively dealt with and kept from interfering with the strategy's success.

Here on slide 44, we complete our first module. At this point, you should take time to review the information we covered in this first section. We're going to stop here before moving on to our next section.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.