Domain 01 - Information Security Governance

69. Objectives of the Information Security Strategy

The goals of your information creation Security strategies should be defined in terms of metrics that help determine whether or not the objectives have been met. Now those objectives might be some of the things we've talked about, the strategic alignment, remember, trying to help support the actual business objectives. They should be in alignment with risk management. In fact, we've already said that without proper risk management, you really don't know what it is that is at risk, what it is you're trying to protect, and what the goals of that security policy or security strategy are going to be.

We need to look at them in terms of value delivery, basically asking if this is worth the investment, if we're going to be able to redeem or recoup some of the costs of going through the process of the security strategy, whether or not we have the resources capable of meeting that security strategy. You may want to have a group that monitors firewall logs 24/7, but you know what, that takes a lot of people to be able to go through that process. Not necessarily every company that has that kind of resource capability, obviously performance measurements, that's another important aspect of security or the security strategy, how well is it working? Is it meeting the needs? Do we have a way of even knowing if we're living up to the goals of that objective? And of course, process assurance integration, which is again talking about not having independent business units to know that it's integrating well with other aspects of security rather than having our little silos of security.

70. What is the Goal?

So I guess you can ask the question, what's the goal? Now, basically, if an organisation doesn't have a goal,then how do you have an effective security strategy? I heard Zig Ziggler once say that if you don't have a target, don't worry, you can hit it every time. You know, I mean, that's just the case, right? If you're just shooting error arrows and something hits, then there you go, you hit your goal. So, in order for your organisation to have an effective security strategy, you must first understand what your goal is. In other words, the objectives of the security strategy should be very specific. One approach might be to assign values to the information resources based on importance. Again, that also comes from a lot of business impact analysis that's a part of our risk management to understand what this business needs to have available to be able to do or meetits objectives, and going from those classifications of criticality to those things that we can do without. Another approach could be to rate a business's dependency on an asset.

Again, if we're thinking about I'm an e-commerce company, yes, having my webservers up and running is very important. But if my Internet service provider, that is,allowing customers to connect to my company, goes down, you can certainly say they are dependent or we have a dependency on that. Your information ratings might be different as far as different classifications. If you're military, it would be things like top secret and secret. And remember, again, the importance of information helps add to the criticality focus of our security strategy. So you might use terms like "confidential," "internal use," or "public use."

71. Defining Objectives

Well, we have to define our objectives. Again, a good security strategy is used as the basis of a plan of action, and it's necessary for us to define what the objectives are so we know what the desired state is going to be. In other words, if you have a plan, if you have a strategy, call it a roadmap. Where are you going to be at the end of that road? That's your desired state. Without an objective, the strategy might be created in what we call an ad hoc fashion. In other words, you may say, you know, I've heard you've always needed one of these here firewalls, so let's go buy one and just plug it in. Forgetting that, maybe you should make sure that the traffic you want to block is crossing that path. You just don't add things in and hope that they work. Some objectives may simply be made to lower your risks, and that's an easy kind of categorization, but at least it's an objective. I'm saying that I need to limit access to a certain server or to certain files because I don't want to be infected with malware. It may just simply be saying that malware viruses increase the risks of people taking over our systems. So that might be my objective: what can I do to lower the risk of remote connectivity or remote attackers? Now, again, your objective should also deal with aligning the strategy of your security to the business objectives as well.

72. Business Linkages

Now your business linkages should be viewed from the perspective of business linkages or business objectives. In other words, again, what does the company do, produce, make, how does it stay in business, how does it make its money? Governmental agencies, certainly they're not income-generating, but they have specific goals for what they do. If it's the post office and mail delivery and many other aspects of dealing with parcels, if it's a governmental agency, Department of Defense, right, we have those things. We need to know what those goals are for the business. As an example, like again, an e-commerce-based business, it may seem like a very straightforward or relatively straightforward type of business objective. I want to sell things through the internet to my customers. Now in that case, even though it seems to be straightforward, you have to remember that it's going to have to really rely on other information to be successful.

So again, what information? Well, you might think I need a webserver, a service provider, a beautiful webpage, a little bit of advertising, people there, that's my business strategy. But really, on the back end, we have to deal with the banks for the ability to take funds from the customer and put them into the funds in our accounts, warehouses, and suppliers, as well as protect the customer's information after they submit that information to us for processing their payments. Understanding the whole perspective can really help you in building the proper objectives for your security policies. And again, the idea was I'm just truly understanding what it takes for that business to run, not just a simple oh we got a web server, that's what needs to be protected, but the entire set of processes that make the business objectives run so that we can link our security policies to that as well.

73. Business Case Development Part1

So let's take a look at some business case development. The main purpose of a formal business caseprocess is really to introduce a way of thinking that may cause people to make recommendations for new projects and consider, of course, their costs, the risks, and relative priorities. A business case may be your way of saying that here's a project that we should undertake if it's aligned to security, to add new protections. Maybe we need to upgrade the type of way in which we have voice over IP communications,or maybe even consider that we can better safeguard our communications if we can go through voiceover IP as opposed to a traditional sense. So there's a way of saying, "Okay, I'm going to make a business case for that." So that means we're trying to introduce a way of thinking. Now doing that Our hope is that by presenting the case, we will get people from executive management and board of directors to then recommend projects. And of course, that means they do have to consider what's the cost. Is there a costbenefit in the long run to voice over IP? Most people think so. That's why they're going to that type of solution. Of course, there's a new risk because now your data traffic and voice traffic are travelling on the same set of wires or media. And so we have a new risk that's inherent in voice that you might not have had previously. And of course, we also have to what's the priority of doing that? All right, so another purpose of the formal business case is to require those who make them to justify their value to the organization. And of course, we have to determine the proposal's value and whether it is achievable in our situation.

Study with ExamSnap to prepare for Isaca CISM Practice Test Questions and Answers, Study Guide, and a comprehensive Video Training Course. Powered by the popular VCE format, Isaca CISM Certification Exam Dumps compiled by the industry experts to make sure that you get verified answers. Our Product team ensures that our exams provide Isaca CISM Practice Test Questions & Exam Dumps that are up-to-date.