Chapter 2: Information Security Strategy

Accessing the Online Content

With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards, exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page to access the content using your credentials.


In this chapter, you will explore the practical aspects of an information security strategy and understand how a well-defined strategy impacts the success of security projects. You will learn about the different aspects of what a security strategy is and understand the role of an information security manager in supporting business objectives.

The following topics will be covered in this chapter:

  • Information Security Strategy Development
  • Information Governance Frameworks and Standards
  • The IT Balanced Scorecard
  • Information Security Programs
  • Enterprise Information Security Architecture
  • Awareness and Education
  • Governance, Risk Management, and Compliance
  • Commitment from Senior Management
  • Business Case and Feasibility Studies

Information Security Strategy and Plan

An information security strategy is a set of actions designed to ensure that an organization achieves its security objectives. This strategy includes what should be done, how it should be done, and when it should be done to achieve the security objectives.

A strategy is basically a roadmap of specific actions that must be completed to achieve any objective. Long-term and short-term plans are finalized based on the strategy adopted.

The primary objective of any security strategy is to support the business objectives, and the information security strategy should be aligned with the business objectives. The first step for an information security manager in creating a plan is to understand and evaluate the business strategy. This is essential to align the information security plan with the business strategy.

A strategy plan should include the desired level of information security. A strategy is only considered effective if the objectives of the controls are met. As discussed in Chapter 1, Enterprise Governance, "the ultimate responsibility for the appropriate protection of an organization's information falls on the board of directors. The involvement of board members in information security initiatives indicates good governance. The liability of directors can be protected if the board has exercised due care. Many laws and regulations make the board responsible in case of data breaches. Even the cybersecurity insurance policy requires the board to exercise due care as a pre-condition for insurance coverage."

Note

The preceding point is reiterated here to serve as a reminder. During the CISM certification exam, you can expect to face at least one question on this subject.

The chief information security officer (CISO) is primarily responsible for the design and development of the information security strategy in accordance with the security policy.

Information Security Policies

Policies are high-level documentation of the intent and direction of an organization's management. Security policies are developed based on the company's security strategy and they indicate the management's intent regarding security. Various procedures and architectures are designed based on these security policies.

Any changes in the management's intent should be appropriately addressed in the policies.

It is important to verify compliance with the policy requirements at regular intervals. Self-assessment is the best way to determine readiness and to identify and remediate non-compliance items. It also helps the organization prepare for the regulatory reviews conducted under the different regulations that apply to it.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

Question

Possible Answer

What is the first step in developing an information security plan?

To understand the business strategy

What is the main objective of designing an information security strategy?

To support the business objectives

What is the first step in developing an information security management program?

To ascertain the need and justification for creating the program

What is the best way to address the conflicting requirements of a multinational organization's security policy with local regulations?

The best way in such a situation is to establish a local version of the policy that is aligned with the local laws and regulations.

What is the conflict of security controls with business requirements?

  • The objective of security controls is to support the business objectives and requirements.
  • A security control should not restrict the users' ability to perform their jobs.
  • When a security control does not support the business needs, this is termed a conflict of security controls with business requirements.

The objectives of information security can be best described as:

The requirements of the desired state (i.e., whatever is required to achieve the desired state).

What is value delivery in information security?

Value delivery means designing processes that give maximum benefit to the organization. It indicates high utilization of available resources for the benefit of the organization.

What is the roadmap for information security implementation primarily based on?

The security strategy.

On what basis should intangible assets be valued?

The ability of the assets to generate revenue.

In the absence of the availability of intangible assets, the organization will lose the amount of revenue the asset normally generates. The acquisition or replacement cost may be more or less than the asset's actual ability to generate revenue.

Figure 2.1: Key aspects from the CISM exam perspective

Note

The answer key and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1

  1. A newly appointed information security manager is required to develop an information security plan. What should their first step be?
    1. To conduct a vulnerability assessment
    2. To evaluate the current business strategy
    3. To perform an information system audit
    4. To evaluate the risk culture of the organization
  2. An information security manager is designing an information security strategy plan for the approval of the security steering committee. The most important factor to be included in this plan is:
    1. Information security manpower requirements
    2. Information security tools and technique requirements
    3. Information security mission statement
    4. Desired future state of information security
  3. An information security manager is designing an information security strategy plan for the approval of the security steering committee. The primary objective of designing an information security strategy is:
    1. To monitor performance
    2. To support the business objectives
    3. To enhance the responsibility of the security manager
    4. To comply with legal requirements
  4. The most important factor to be included in an information security strategy is:
    1. Details of key business controls
    2. Security objectives and processes
    3. Budget for specific security tools
    4. Details of network security control
  5. The best way to address a conflict between a multinational organization's security policy and local regulations is:
    1. To give priority to policy requirements over local laws
    2. To follow local laws only
    3. To establish a local version of the organization's policy
    4. To discontinue services in the conflicting jurisdiction
  6. The best way to prepare for a regulatory audit is:
    1. To nominate a security administrator as regulatory liaison
    2. To conduct self-assessment using regulatory guidelines and reports
    3. To discuss the previous year's regulatory reports with the process owner
    4. To ensure that all regulatory inquiries are approved by the legal department
  7. Who is responsible for the enforcement of an information security policy?
    1. The information security steering committee
    2. The chief technical officer
    3. The chief information security officer
    4. The chief compliance officer
  8. The most important role for a Chief Information Security Officer is to:
    1. Design and develop an information security strategy
    2. Conduct business continuity plan testing
    3. Approve system access
    4. Deploy patch releases
  9. The timeline for an information security strategy plan should be:
    1. In accordance with the IT strategic plan
    2. In accordance with technology changes
    3. For a duration of five years
    4. Aligned with business strategy
  10. Commitment and support from senior management with respect to information security can be best addressed by:
    1. Emphasizing the organizational risk
    2. Emphasizing the requirements of global security standards
    3. Emphasizing the industry benchmark
    4. Emphasizing the responsibility of the organization
  11. The primary objective of developing an information security strategy is:
    1. To manage the risks impacting business objectives
    2. To mitigate risks to zero
    3. To transfer risks to insurers
    4. To develop a risk-aware culture
  12. Immediately after implementing access control for the internet, an organization's employees started complaining that they were unable to perform business functions on internet sites. This is an example of:
    1. A conflict of security controls with business requirements
    2. Stringent security controls
    3. Mandatory access control
    4. Discretionary access control
  13. Which of the following should be the first action when developing an information security strategy?
    1. Identifying the assets
    2. Performing a risk analysis
    3. Defining the scope
    4. Determining critical business processes
  14. The most important objective of an information security strategy is:
    1. To minimize the risk to an acceptable level
    2. To support the business objectives and goals of the enterprise
    3. To ensure optimum utilization of security resources
    4. To maximize return on security investment
  15. The most critical factor for designing an information security strategy is:
    1. Defined objectives
    2. A defined time frame
    3. A defined framework
    4. Defined policies
  16. In an information security steering committee, there is no representation from user management. Which of the following is the main risk in this scenario?
    1. Functional requirements may not be adequately addressed.
    2. Inadequate user training.
    3. Inadequate budget allocation.
    4. The information security strategy may not be aligned with business requirements.
  17. Which of the following is the best approach for an information security manager when there is a disagreement between them and the business manager regarding the security aspect of a new process?
    1. To accept the business manager's decision as they are the process owner
    2. To mandate the security manager's decision
    3. To review the risk assessment with senior management for final consideration
    4. To prepare a new risk assessment to address the disagreement
  18. The connection between business objectives and security should be demonstrated by:
    1. Indirect linkages
    2. Mapping to standardized controls
    3. Interconnected constraints
    4. Direct traceability
  19. The accountability for information categorization and protective measures resides with:
    1. Security administrators
    2. Senior management
    3. System administrators
    4. End users
  20. As a newly appointed information security manager, you are required to develop a strategic plan for the information security of the organization. Your most important action should be:
    1. To understand the key business objectives
    2. To provide training to the information security team
    3. To provide sufficient resources for information security
    4. To develop a risk-aware culture

Information Governance Frameworks and Standards

The governance framework is a structure or outline that supports the implementation of the information security strategy. It provides the best practices for a structured security program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. COBIT and ISO 27001 are two widely accepted and implemented frameworks for security governance.

The Objective of Information Security Governance

Information security governance is a subset of enterprise governance. The same framework should be used for both enterprise governance and security governance to enable better integration of one with the other.

The following are the objectives of security governance:

  • To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives.
  • To optimize security investments and ensure the high-value execution of business processes.
  • To monitor security processes and ensure that security objectives are achieved.
  • To integrate and align the activities of all assurance functions for effective and efficient security measures.
  • To support the security strategy in ensuring that residual risks are well within acceptable limits, which provides assurance to management.

Information Security/Cybersecurity Management Frameworks

An information security manager should have a basic understanding of the following widely accepted frameworks for information security. Please note that in the CISM exam, there will be no direct questions on any of the frameworks.

Framework

Particulars

ISO 27001

  • The ISO 27001 standard is a widely accepted framework for information security management systems.
  • It recommends 14 areas of control consisting of a total of 114 controls. These include the availability of information security policies, human resource securities, asset management, access controls, and so on.
  • An organization needs to implement all the applicable controls and get them audited by a certification body to be ISO 27001 certified.
  • An ISO 27001 certified organization is preferred as a service provider/supplier compared to a non-certified organization.

NIST Cybersecurity Framework

  • NIST Cybersecurity Framework emphasizes the importance of effective risk management integration and extensively promotes the improvement of supply chain risk management.
  • The NIST Cybersecurity Framework does not include any controls. Rather, it provides guidance on the process of identifying gaps between present practices and a desirable target state.
  • Understanding these gaps helps the organization to adopt the desirable controls to improve information security risk management.

NIST Risk Management Framework (RMF)

  • NIST RMF was originally designed to assist US government agencies in evaluating and improving information security.
  • It has since been expanded to apply to any business and is free to use.
  • It emphasizes the integration of security, privacy, and cyber supply chain risk management activities into the system development life cycle.
  • NIST RMF includes a risk-based approach to categorizing relevant assets and selecting and implementing controls to achieve adequate protection.

Figure 2.2: Information security management frameworks

The IT Balanced Scorecard

Figure 2.3: IT balanced scorecard

The objective of an IT balanced scorecard (IT BSC) is to establish, monitor, and evaluate IT performance in terms of (i) business contribution, (ii) future orientation, (iii) operational excellence, and (iv) user orientation.

CISM aspirants should understand the following aspects of a balanced scorecard:

  • The primary objective of an IT balanced scorecard is to optimize performance.
  • The three indicators of an IT balanced scorecard are (a) customer satisfaction, (b) internal processes, and (c) the ability to innovate.

    Note

    Though financial performance is an indicator of a generic balanced scorecard, it is not part of an IT BSC.

  • An IT BSC is the most effective means to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment. The success of an IT balanced scorecard depends upon the involvement of senior management in IT strategy planning.
  • It is of utmost importance that you define key performance indicators (KPIs) before implementing an IT BSC. KPIs help to measure performance. Examples of KPIs include system uptime, incident response time, and system restoration time.

Practice Question Set 2

  1. Which of the following is not considered while evaluating an IT balanced scorecard?
    1. Financial performance
    2. Customer satisfaction
    3. Internal processes
    4. Innovation capacity
  2. Which of the following is the most important prerequisite before implementing an IT balanced scorecard?
    1. Existence of effective and efficient IT services
    2. Defining key performance indicators
    3. Ensuring that IT projects add value to the business
    4. IT expenses being within the allotted budget
  3. As an information security manager, you note that senior management is not involved in IT strategy planning. Which of the following is the area of most concern?
    1. A lack of investment in technology
    2. Absence of a structured methodology for IT security
    3. Absence of IT alignment with business objectives
    4. Absence of control over outsourced vendors
  4. As an information security manager, you have been asked to review the parameters for measuring IT performance. The main objective of the IT performance measurement process is:
    1. To reduce errors
    2. To obtain performance data
    3. To finalize the requirement baseline
    4. To improve performance

Information Security Programs

A program can be defined as a set of activities implemented in a structured manner to achieve a common objective. A security program includes various activities, such as implementing controls, raising awareness, monitoring, and reporting on controls and other related activities.

A security strategy is a guiding force for the implementation of a security program. The roadmap detailing the security implementation, i.e., procedure, resources, and timelines, is developed based on this strategy. Further, various implementation activities can be aligned and integrated on the basis of this strategy to achieve security objectives more effectively and efficiently.

An information security program should be aligned with the business objectives of the organization. The effectiveness of an information security program is determined based on its ability to address the risks impacting the business objectives.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

Question

Possible Answer

Define a program.

A program can be defined as a set of activities implemented in a structured manner to achieve a common objective.

What is the first step in developing an information security management program?

To ascertain the need and justification for creating the program.

What is the roadmap for information security implementation primarily based on?

Security strategy.

What is the aim of cost-benefit analysis when implementing controls?

The cost of implementing a control should not exceed the expected benefits.

Figure 2.4: Key aspects from the CISM exam perspective

Practice Question Set 3

  1. Which of the following should be the first step in implementing a new security monitoring solution?
    1. To evaluate the various alternatives available for the solution
    2. To determine a budget for the new solution
    3. To evaluate and determine the correlation between the solution and the business objectives
    4. To develop a team for implementation
  2. An information security program is primarily created to:
    1. Develop an information security strategy.
    2. Establish a business continuity plan.
    3. Ensure optimum utilization of security resources.
    4. Mitigate the risks impacting the business.
  3. The most important factor in developing a security strategy before implementing a security program is:
    1. Reducing the cost of implementation
    2. Aligning and integrating development activities
    3. Obtaining support from management
    4. Adhering to international requirements
  4. The most likely reason for a sudden increase in the number of security events could be:
    1. A higher amount of vulnerabilities being exploited
    2. An increase in the number of threat actors
    3. Failure of detective controls
    4. The absence of an information system audit
  5. The primary objective of an information security program is:
    1. To protect information assets in accordance with the business strategy and objectives
    2. To standardize operational risk management processes
    3. To protect the confidentiality of information
    4. To develop the information security policy
  6. A combination of management, administrative, and technical controls is important for effective information security because:
    1. An organization cannot completely depend on technical controls to address faulty processes.
    2. Technical control is too expensive to manage.
    3. Monitoring and reporting the effectiveness of technical control is difficult.
    4. Implementing the right technical control is an iterative process.
  7. The best way to learn and improve from a security incident is:
    1. To improve the integration of business and security processes
    2. To increase the information security budget
    3. To set up a separate compliance monitoring department
    4. To acquire high-end technical controls
  8. As an information security manager, you are required to develop an information security management program. What should your first step be?
    1. To ascertain key business risks
    2. To ascertain the need for creating the program
    3. To ascertain who the information security program manager is
    4. To ascertain the sufficiency of existing controls

Enterprise Information Security Architecture

Figure 2.5: Security budget

Enterprise Architecture (EA) defines and documents the structure and process flow of the operations of an organization. It describes how different elements such as processes, systems, data, employees, and other infrastructure are integrated to achieve the organization's current and future objectives.

Security architecture is a subset of enterprise architecture. Its objective is to improve the security posture of the organization. Security architecture clearly defines the processes that a business performs and how those processes are executed and secured.

The first step for a security manager implementing the security strategy is to understand and evaluate the IT architecture and portfolio. Once they have a fair idea of the IT architecture, they can determine the security strategy.

Challenges in Designing the Security Architecture

While designing the security architecture, it is important for a security manager to understand the possible challenges. This will help to address the challenges in an effective and efficient manner.

The following are some of these challenges:

  • Most security architecture projects are expensive and time-consuming.
  • A lack of competent security architects results in more effort being required to build reliable security architecture.
  • The potential benefits of a well-designed security architecture cannot be quantified, so gaining support from management can be very difficult.

Benefits of Security Architecture

Security architecture provides detailed information about how a business operates and what security controls are required. This helps the security manager determine the processes and systems where more security efforts are required.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

Question

Possible Answer

Information security architecture should be aligned with:

Business goals and objectives.

Figure 2.6: Key aspects from the CISM exam perspective

Practice Question Set 4

  1. As an information security manager, you are required to develop the information security architecture for an organization. The information security architecture should be best aligned with:
    1. International security standards
    2. Business goals and objectives
    3. IT architecture
    4. Industry standards
  2. An information security manager is entrusted with creating the information security strategy for the organization. Their first step should be:
    1. To understand the IT architecture and portfolio
    2. To determine the security baseline
    3. To document the information security policy
    4. To conduct an IT risk assessment

Awareness and Education

Figure 2.7: Training for information security

End users are one of the most important stakeholders when considering the overall security strategy. Training, education, and awareness are of extreme importance to ensure that policies, standards, and procedures are appropriately followed.

Increasing the Effectiveness of Security Training

The most effective way to increase the effectiveness of training is to customize it as per the target audience and to address the systems and procedures applicable to that particular group. For example, a system developer needs to undergo an enhanced level of training that covers secure coding aspects. By contrast, data entry operators only need to be trained on security aspects related to their functions.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

Question

Possible Answer

What is the best method to increase the effectiveness of security training?

Customizing training for the target audience.

Figure 2.8: Key aspects from the CISM exam perspective

Governance, Risk Management, and Compliance

GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance.

Governance, risk management, and compliance are three related aspects that help achieve organizational objectives. GRC aims to lay down operations for more effective organizational processes and avoid wasteful overlaps. Each of these three disciplines impacts the organization's technologies, people, processes, and information. If GRC activities are handled independently of each other, it may result in a considerable amount of duplication and a waste of resources. The integration of these three functions helps to streamline assurance activities by addressing overlapping and duplicated GRC activities.

Though GRC can be applied in any function of an organization, it focuses primarily on financial, IT, and legal areas.

Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on information technology processes. Legal GRC focuses on enterprise-level regulatory compliance.

GRC is an ever-evolving concept, and a security manager should understand the current state of GRC in their organization and determine how to ensure its continuous improvement.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

Question

Possible Answer

What is the main objective of implementing GRC procedures?

  • To improve risk management processes by integrating various assurance-related activities
  • To synchronize and align an organization's assurance functions

What areas are focused on most in GRC?

  • IT, finance, and legal

Figure 2.9: Key aspects from the CISM exam perspective

Practice Question Set 5

  1. As an information security manager, you are part of a team that is responsible for implementing governance, risk, and compliance procedures. Which of the following is the main reason to implement these procedures?
    1. To minimize the governance cost
    2. To improve risk management
    3. To synchronize security initiatives
    4. To ensure regulatory compliance
  2. The primary objective of governance, risk, and compliance is:
    1. To synchronize and align an organization's assurance functions
    2. To address the requirements of information security policy
    3. To address the requirement of regulation
    4. To design a low-cost security strategy
  3. The primary areas of focus of governance, risk, and compliance are:
    1. Marketing and risk management
    2. IT, finance, and legal
    3. Risk and audit
    4. Compliance and information security

Senior Management Commitment

For effective implementation of security governance, support and commitment from senior management is the most important prerequisite. A lack of high-level sponsorship will have an adverse impact on the effectiveness of security projects.

It is very important for the information security manager to gain support from senior management. The most effective way to do this is to ensure that the security program remains aligned with, and supports, the business objectives, because senior management is primarily concerned with the achievement of business objectives and will be keen to address any risk that impacts them.

Obtaining commitment from senior managers is very important to ensure appropriate investment in information security, as you will explore in the next section.

Information Security Investment

Any investment should be able to provide value to the business. The primary driver for investment in an information security project is value analysis and a sound business case. To obtain approval for an information security budget, the budget should primarily include a cost-benefit analysis. Senior management is more interested in the benefit that is derived from the budget.

For example, as a security manager, if you request a budget of $5,000 for security investment, senior management may not be convinced. But if you also project annualized savings of $10,000 against that investment, senior management may be more willing to invest.

Strategic Alignment

Information security activities are said to have a strategic alignment when they support the requirements of the key business stakeholders. Information security should support the achievement of organizational objectives by minimizing business disruption. The most effective way to enhance management commitment toward information security is to conduct a periodic review of alignment between security and business goals. A discussion with key business stakeholders will provide an accurate picture of the alignment of security programs to support business objectives.

A survey of management is the best way to determine whether the security program supports the business objectives. Achieving strategic alignment means business process owners and managers believe that information security is effectively supporting their goals. If business management is not confident in the security programs, the information security manager should redesign the process to provide better value to the business.

Another aspect of determining the strategic alignment is to review the business balanced scorecard. A business scorecard contains important metrics from a business perspective. It helps to determine the alignment of security goals with business goals.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

Question: What is the most important factor to be included in a budget note while obtaining approval from management?
Possible answer: Cost-benefit analysis

Question: What is the best way to gain support from senior management for security projects?
Possible answer: Explain to management the impact of security risks on key business objectives.

Question: What is the primary driver for investment in an information security project?
Possible answer: A value analysis and a sound business case

Figure 2.10: Key aspects from the CISM exam perspective

Practice Question Set 6

  1. As an information security manager, you are required to obtain approval for an information security budget from senior management. Your budget proposal should primarily include:
    1. A cost-benefit analysis
    2. Industry benchmarks
    3. Total cost of ownership
    4. All the resources required by business units
  2. What is the most important role of senior management in supporting an information security program?
    1. Evaluating the latest security products
    2. Conducting risk assessments
    3. Approving policy statements and funding
    4. Mandating information security audits
  3. Information security activities are said to have strategic alignment when:
    1. They support the requirements of all key business stakeholders
    2. They support the requirements of the IT team
    3. They support the requirements of the globally accepted standards
    4. They provide a reliable and cost-effective service
  4. The best way to gain support from senior management is to:
    1. Provide examples of security breaches in other organizations
    2. Provide details of technical risks applicable to the organization
    3. Showcase industry best practices
    4. Explain the impact of security risks on key business objectives
  5. For implementing a new project, support from senior management can be obtained by:
    1. Conducting a risk assessment
    2. Explaining regulatory requirements
    3. Developing a business case
    4. Selecting the latest technology
  6. The most effective way to enhance the management's commitment to information security is:
    1. To have the security policy approved by the chief executive officer
    2. To conduct frequent security awareness training
    3. To conduct periodic reviews of alignment between security and business goals
    4. To conduct periodic information security audits
  7. The most effective way to justify the information security budget is:
    1. To consider the number of security breaches
    2. To consider the expected annual loss
    3. To consider a cost-benefit analysis
    4. To consider industry benchmarks
  8. Senior management's commitment to security programs is best indicated by their involvement in:
    1. Asset risk assessment
    2. Review and approval of risk management methodologies
    3. Review and approval of residual risks
    4. Review and approval of inherent risks
  9. The most effective justification to gain support from senior management for security investment is:
    1. Reduction in security budget
    2. Adherence to regulatory requirements
    3. Protection of information assets
    4. Enhanced business value
  10. The most likely position to sponsor the security steering committee is:
    1. The chief audit officer
    2. The information security manager
    3. The chief operating officer
    4. The head of legal
  11. The best driver for investment in an information security project is:
    1. An information security audit report
    2. A value analysis
    3. The business environment
    4. A penetration test report
  12. The most important prerequisite for implementing an information security program is:
    1. Senior management commitment
    2. A documented framework
    3. A documented policy
    4. Frequent security awareness training
  13. An information security governance plan can be best approved by:
    1. The system auditor
    2. The security manager
    3. The steering committee
    4. The system administrator
  14. The best method to change an organization's security culture is:
    1. Stringent penalties for non-compliance
    2. Strong management support
    3. Strong security controls
    4. Frequent system audits
  15. Which of the following will have the most adverse impact on the effective implementation of security governance?
    1. A complex organizational environment
    2. Limited budget for information security
    3. Improper business priorities
    4. A lack of high-level sponsorship
  16. What is the best method to measure the strategic alignment of an information security program?
    1. To survey the business stakeholders
    2. To conduct frequent audits
    3. To analyze incident trends
    4. To evaluate the business case
  17. What is the best method to determine the level of alignment of the security objectives with the business objectives?
    1. Interviewing the security manager
    2. Reviewing the capability maturity model
    3. Reviewing the risk assessment report
    4. Reviewing the business balanced scorecard
  18. The best factor to ensure a successful implementation of an information security program is:
    1. Support from senior management
    2. The level of security budget
    3. The size of the security team
    4. Regular information system audits
  19. The most effective method to achieve strategic alignment is:
    1. A periodic survey of management
    2. Following an industry-accepted governance framework
    3. Conducting frequent audits
    4. Developing enterprise risk management
  20. The objective of aligning information security governance with corporate governance is to:
    1. Ensure that the security team understands the business objectives
    2. Comply with regulations
    3. Maximize the cost-effectiveness of the control
    4. Reduce the number of rules required for governance
  21. What is the best method to address the senior management's concerns regarding the effectiveness of the existing information security program?
    1. Redesign the program based on industry-recognized standards.
    2. Analyze the cost-benefit of the existing program.
    3. Discuss with senior management to understand their concerns.
    4. Show the approved business case to senior management.

Business Case and Feasibility Study

A business case is the justification for a proposed project: it captures the reasoning for initiating a new project or task and justifies the effort and investment required. Generally, the business case is a precursor to the start of any new project.

The business case is a key element in the decision-making for any project. The proposed return on investment (ROI), along with any other expected benefits, is the most important consideration for decision-making in any new project.

The first step in developing a business case is to define the need for the project, that is, the problem or issue it addresses and the justification for addressing it.

A feasibility study (or feasibility analysis) takes various factors into account, including economic, technical, and legal factors, to ascertain the likelihood of completing the project successfully.

A feasibility study should consider how the project will impact the organization in terms of risk, costs, and benefits. It helps to assess whether a solution is practical and achievable within the established budgets and schedule requirements.

Key Aspects from the CISM Exam Perspective

Following are some of the key aspects from the perspective of the CISM exam:

Question: What is the objective of a business case?
Possible answer: To justify the implementation of a new project.

Question: What are the first steps for the development of a business case?
Possible answer: To define the issues to be addressed, and to define the need for the project.

Question: On what basis is a business case primarily developed?
Possible answer: Feasibility and value proposition.

Question: What does it mean if an organization implements "system thinking"?
Possible answer: Using "system thinking" means the organization views overall systems as more than just the sum of their parts.

Figure 2.11: Key aspects from the CISM exam perspective

Practice Question Set 7

  1. As an information security manager, you are required to develop a business case for a new information security initiative. The business case should primarily include:
    1. Appropriate justification
    2. Results of a gap analysis
    3. Legal requirements
    4. Expected annual loss
  2. As an information security manager, you are required to develop a business case for a new information security initiative. Your first step should be:
    1. To determine the budget
    2. To determine the vendor
    3. To define the need
    4. To determine cost efficiency
  3. When implementing a new project, support from senior management can be obtained by:
    1. Conducting a risk assessment
    2. Explaining regulatory requirements
    3. Developing a business case
    4. Selecting the latest technology
  4. The main criterion for selecting a security technology is:
    1. Whether the technology can mitigate the risk
    2. Whether the technology is widely accepted in industry
    3. Whether it's the latest technology available
    4. Whether the technology provides benefits in comparison to its costs
  5. Which of the following is of the least concern for an information security manager when implementing a new project?
    1. Technical requirements
    2. Regulatory requirements
    3. Privacy requirements
    4. Business requirements
  6. The most effective report while proposing the implementation of a new security solution is:
    1. A vendor evaluation report
    2. A risk analysis report
    3. A business case
    4. A budget utilization report
  7. What is the biggest challenge when preparing a business case in relation to obtaining approval from senior management for a new security project?
    1. To make the senior management understand the technical aspects of security
    2. To demonstrate the project's value and benefit
    3. To present various risk scenarios
    4. To provide comparative data on the industry
  8. The best way to obtain support from senior management for an information security initiative is to:
    1. Develop and present a business case
    2. Present various risk scenarios
    3. Inform them about the financial benefits of the project
    4. Align the initiative to the organization's goals
  9. Which of the following is the first step for the development of a business case?
    1. To conduct an industry survey
    2. To work out the return on investment
    3. To evaluate cost-effective alternatives
    4. To define issues to be addressed
  10. A business case is primarily developed based on:
    1. Various risk scenarios
    2. Return on investment
    3. Organizational objectives
    4. Feasibility and value proposition
  11. What is the best way to address senior management's reluctance to provide a budget for new security initiatives?
    1. To develop and present a business case
    2. To develop and present various risk scenarios
    3. To let the user management take the initiative
    4. To organize security awareness training for the senior management
  12. An information security manager is evaluating two technologies to address a particular risk and is required to select one for implementation. The best approach for the security manager, with a limited budget, to choose between the two technologies is:
    1. A risk assessment
    2. A business impact analysis
    3. To assess the ROI
    4. A cost-benefit analysis
  13. An information security program is best justified by:
    1. An impact analysis
    2. A detailed business case
    3. An industry benchmark
    4. Acceptance by users
  14. Which factor is most likely to persuade management to approve a new information security budget?
    1. A detailed risk assessment
    2. Risk treatment options
    3. A well-developed business case
    4. Calculating the future value of the current budget
  15. The development of a business case should primarily consider:
    1. Various risk scenarios
    2. Industry benchmarks
    3. Implementation benefits
    4. Affordability

Summary

In this chapter, you learned about the various aspects of security strategy, governance frameworks, and information security programs. You also explored in detail the benefits of increasing the effectiveness of security training. This helps the CISM aspirant understand the organization's security program and architecture.

In the next chapter, you will go through the important aspects of information risk assessment.

Revision Questions

  1. The most important consideration while developing an information security strategy is:
    1. The availability of information security resources
    2. Adherence to laws and regulations
    3. Effectiveness in mitigating risk
    4. Budget allocation for information security
  2. The objectives of information security can be best described as:
    1. The requirements of the desired state
    2. The attributes of the current state
    3. The key business processes
    4. The control objectives for loss expectations
  3. The most important factor when developing risk management strategies is:
    1. Using an industry-adopted risk assessment framework
    2. Aligning with business objectives and risk appetite
    3. Technology architecture
    4. The geographical spread of business units
  4. "Systems thinking," in terms of information security, refers to:
    1. The perspective of artificial intelligence
    2. The perspective of the whole being greater than the sum of its individual parts
    3. The perspective of supporting the business objective
    4. The perspective of governance of the entire organization
  5. An information security manager is asked to develop a cost-effective information security strategy. What will the most important step be?
    1. To identify information assets
    2. To conduct a valuation of the information assets
    3. To determine the objectives of the security strategy
    4. To classify assets as per the risk assessment
  6. Which of the following is considered to have the most important strategic value?
    1. Privileged access management process
    2. Trends in incident occurrence
    3. System downtime analysis
    4. The results of a penetration test
  7. An information security manager is considered to have achieved value delivery when:
    1. Resource utilization is high
    2. Budget requirements are low
    3. Low-cost vendors are appointed
    4. Staff costs are reduced
  8. The most effective factor to develop an information security strategy is:
    1. IT architecture
    2. Governance framework
    3. The current state of security and future objectives
    4. Support from senior management
  9. While developing a security strategy, a security manager should be most concerned about:
    1. Whether the strategy supports the business objectives
    2. Whether the strategy ensures the optimum utilization of available resources
    3. Whether the strategy ensures compliance with regulatory requirements
    4. Whether the strategy minimizes the budget requirement
  10. What is the main objective of an information security strategy?
    1. To determine the goals of security and the plan to achieve them
    2. To determine the configuration of security controls
    3. To determine the acceptable usage of information assets
    4. To determine the budget of an information security program
  11. The roadmap for information security implementation is primarily based on:
    1. IT architecture
    2. IT policy
    3. Security strategy
    4. Regulatory requirements
  12. Which of the following can be the main reason for a change in a policy?
    1. Changes in regulation
    2. Changes in security baseline
    3. Changes in management intent and direction
    4. Changes in organizational culture
  13. The most important result of an information security strategy is:
    1. Mature policies and procedures
    2. Ensuring that residual risk is kept within acceptable levels
    3. Mature vulnerability assessment procedures
    4. Alignment of controls with international standards
  14. The best indicator to determine the effectiveness of a security strategy is:
    1. The strategy helps to improve the risk appetite of the organization
    2. The strategy helps to implement countermeasures for all the threats
    3. The strategy helps to minimize annual losses
    4. The strategy helps to achieve the control objectives
  15. The primary reason for the board of directors to be involved in information security initiatives is:
    1. Concerns regarding IT architecture
    2. Concerns regarding the organization's liability
    3. Concerns regarding compliance
    4. Concerns regarding the implementation of policy
  16. The information security manager has been asked to implement a particular security standard. Which of the following is most effective to monitor this?
    1. Key success factors
    2. Key objective indicators
    3. Key performance indicators
    4. Key goal indicators
  17. What is the most effective way of measuring the degree of alignment between security objectives and business objectives?
    1. Interviewing the security manager
    2. Reviewing the capability maturity model
    3. Reviewing the risk assessment report
    4. Reviewing the business balanced scorecard
  18. The best way to align security goals with business goals is:
    1. To design functional goals that support security goals
    2. To have business goals and security goals that support each other
    3. To ensure that the security goals are derived from the business goals
    4. To ensure that the business goals and security goals are independent of each other
  19. The security baseline of a mature organization is most generally defined with reference to:
    1. The availability of policies
    2. The availability of IT architecture
    3. Control objectives being met
    4. Adherence to regulatory requirements
  20. Which of the following is the area of most concern for the security manager of an organization that operates in multiple countries?
    1. Difficulty in implementing a standardized security program
    2. Difficulty in monitoring security posture across a wide geographical area
    3. Difficulty in developing a customized security awareness program
    4. Difficulty in monitoring compliance with laws and regulations
  21. Which of the following is considered the most significant key risk indicator?
    1. An abnormal deviation in employee attrition rate
    2. High count of viruses quarantined by antivirus software
    3. High count of packets filtered by the firewall
    4. A low count of information security officers
  22. The most important aspect of an information security strategy from senior management's perspective is:
    1. The details of technology
    2. The details of compliance requirements
    3. The business priorities
    4. The details of procedural aspects
  23. The best method to develop an effective data protection strategy is:
    1. To conduct a vulnerability assessment
    2. To design a tailored methodology based on exposure
    3. To obtain an insurance policy for data losses
    4. To implement industry best practices
  24. Out of the following, what is the most effective way to obtain commitment from senior management for the implementation of a security program?
    1. Discuss the industry best practices.
    2. Discuss various risk scenarios.
    3. Discuss the cost-benefit analysis.
    4. Discuss the relationship between the security program and business goals.
  25. Which of these factors most influences the success of an information security strategy?
    1. Approval from the chief information officer
    2. Alignment with IT plans
    3. Alignment with the goals set by the board of directors
    4. Measurement against a key performance indicator
  26. The most effective method to obtain commitment from senior management for the implementation of any new security program, given the following choices, is:
    1. To demonstrate the success of industry peers
    2. To demonstrate potential loss and other negative impacts due to a lack of support
    3. To demonstrate the regulatory requirements related to security
    4. To demonstrate support for the desired outcome