I shared the knowledge points related to information security governance in the article titled Experience of CISM Exam & Study Notes. Today we will cover the second and third domains together, namely information security risk management, and information security plan development and management.
1. Summary of key points of information security risk management
The concepts in this domain should be fully grasped and deeply understood. In the exam you will often encounter difficult questions in which all four answer choices seem reasonable. This is to test whether the candidate has mastered the knowledge thoroughly.
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is a function of (i) the adverse impact that would arise if the circumstance or event occurs, and (ii) the likelihood of occurrence. Information security risk is the risk arising from the loss of confidentiality, integrity, or availability of information or information systems, reflecting the potential adverse effects on the organization's operations.
The aphorism to keep in mind is: "Know Your Asset, Know Your Risk". Know what your assets are and the risks they are exposed to. A classic question is: what does an information security manager do first when performing a risk assessment? The answer is usually "Identify business assets" or "Take an asset inventory".
You need to understand the principles of asset classification and the responsibilities of personnel, and the various protection measures applied to the asset should match the business value of the asset. Assets need to be identified and evaluated in the risk management process.
Risk Treatment is how the organization chooses risk management activities to deal with identified risks. After risk treatment, the remaining risk is called residual risk. The residual risk should be handled through the risk management process, just like a new risk.
You should understand the methods of qualitative and quantitative risk analysis, and be able to perform a cost-benefit analysis of risk controls. Risks change constantly, so key risk indicators (KRIs) should be used to monitor them.
The following concepts in this domain must be very clear, since exam questions often ask what the best choice for an information security manager is under specific conditions.
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)
Service Delivery Objective (SDO)
Maximum Tolerable Outage (MTO)
Maximum Tolerable Downtime (MTD), Allowable Interruption Window (AIW), or Acceptable Interruption Window (AIW): in my learning, these are different names for the same concept. A related concept is the Recovery Window (the length of the Recovery Window is defined by business management and determines the acceptable time range between the disaster and the recovery of critical services/applications).
If you have time, you can read ISACA's books and documents on Risk Management in COBIT, which will help deepen your understanding.
2. Summary of information security plan development and management
This domain covers developing an information security plan that identifies, manages, and protects the organization's assets while aligning with the information security strategy and business goals to support an effective security posture.
The information security plan consists of a series of actions to identify and address risks. The plan is results-oriented: the goal is a desired end state or outcome, and the tasks and projects carried out under the plan bring the organization closer to those desired outcomes.
Information security managers need to understand how to develop a business case in order to obtain the necessary funding for information security projects. Rather than focusing on return on investment (ROI), information security managers should focus on risk reduction, and on how each project makes a substantial and measurable contribution to reducing risk, thereby helping the organization achieve its strategic goals.
The following concepts need to be skillfully mastered and applied:
Critical Path, including how it differs from the Waterfall Chart, Gantt Chart, and Rapid Application Development (RAD)
Balanced Business Scorecard
Security Awareness Training
Information Security Baseline
Implementing an information security plan can also be described as a process of implementing various controls. Metrics are used to measure key activities and to determine whether key goals are being achieved. Security managers need to select metrics with the target audience in mind (day-to-day operations departments, senior management, or the board of directors) and tie the metrics to business goals.
This part is closer to the day-to-day practice of an information security manager and should be a key focus of study.