
Job Aid

Knowledge of CISO
Purpose: Use this Job Aid to know about the key security concepts and technologies that a CISO
should be aware of.
To ensure the effectiveness of information security governance, a CISO needs to have a thorough
understanding of certain key security concepts.
Definitions of Key Security Concepts

Access control: the policies, procedures, and deployed mechanisms that allow or deny access to information systems and resources, and physical access to premises.
Architecture: the design of a structure, including the elements it is made up of and the interactions between them.
Attacks: the various kinds of security compromise, that is, deliberate attempts to exploit a vulnerability.
Auditability: the degree to which transactions performed through a system can be tracked and audited.
Authentication: verifying that a user is who they claim to be. It establishes identity, which is the basis on which the user's right to access information is then determined.
Authorization: the permission granted to an authenticated user to access resources for approved actions.
Availability: the ability to access and use information whenever it is required.
Business dependency analysis: determines the degree to which an organization's business depends on a given resource.
Business impact analysis: assesses the consequences to the business of a security compromise or the loss of a resource.
Confidentiality: ensuring that important and valuable information is not disclosed without authorization.
Controls: the procedures or actions used to mitigate risk.
Countermeasures: the procedures or actions used to reduce a vulnerability or the threat that would exploit it.
Criticality: the significance of a resource to the business.
Data classification: the process of determining the sensitivity and importance of information.
Exposures: the areas of an organization that could be affected by threats.
Gap analysis: identifying the gaps between the objective (the desired state) and the actual condition.
Governance: providing direction to activities and managing them so that objectives are set and met.
Identification: the means by which a person or object asserts an identity (for example, a user name); the claimed identity is then verified by authentication.
Impact: the result of a risk that has materialized.
Integrity: the validity, completeness, and correctness of information.
Layered security: defense in depth; multiple overlapping protections arranged so that the compromise of one layer does not compromise the whole.
Management: the supervision of activities to ensure that objectives are achieved.
Nonrepudiation: the assurance that a party cannot deny having originated data, that evidence of the origin and integrity of the data exists, and that this evidence can be verified by a third party.
Policies: high-level statements that express the intent and direction of an organization's senior management.
Residual risk: the risk that remains after controls and countermeasures have been implemented.
Risk: the possibility that a threat exploits a vulnerability, together with the resulting impact.
Security metrics: quantitative, periodic measurements of security performance.
Sensitivity: the level of impact that unauthorized disclosure of the information would cause.
Standards: the permitted limits for procedures and actions that implement a policy.
Strategy: the steps to be performed to attain an objective.
Threats: events or actions that can lead to harm.
Vulnerabilities: weaknesses that can be exploited by threats.
Enterprise architecture: the systematic logic for an organization's IT infrastructure and business processes.
Security domains: logical areas, each surrounded by its own level of security, within which a common set of controls and a common level of trust apply.
Trust models: map security controls and functions to the various security levels (domains).

A CISO should also have a conceptual understanding of security technologies such as firewalls,
antivirus, antispam, encryption, biometrics, and forensics. Other security technologies include
user account administration, intrusion detection and intrusion prevention (IDS/IPS), privacy compliance,
remote access, digital signatures, public key infrastructure (PKI), and virtual private networks
(VPNs).
Further security technologies that a CISO should know are Secure Sockets Layer (SSL, now superseded
by Transport Layer Security, TLS), Secure Electronic Transaction (SET), monitoring technologies,
electronic data interchange (EDI), electronic funds transfer (EFT), identity and access management
(IAM), single sign-on (SSO), and security information and event management (SIEM).
Course: CISM: Information Security Governance (Part 1)
Topic: Senior Management and Information Security Governance
2015 Skillsoft Ireland Limited

Job Aid
Principles of Effective Information Security Governance
Purpose: Use this Job Aid to learn about the twelve principles of effective information security
governance.

Information security business model


The Corporate Governance Task Force of the National Cyber Security Partnership, a U.S. industry body,
has set out twelve principles for implementing effective information security governance. These
core principles reflect the elements and interconnections of the information security business
model.
The principles are as follows:

1. Organizations must ensure that employees treat information security as an integral part of the system life cycle.
2. As a risk management function, organizations must assess the risks to their information assets at regular intervals.
3. To protect information assets, organizations must implement policies and processes based on those risk assessments.
4. To ensure proper protection of networks, facilities, systems, and information, organizations must create plans and initiate appropriate actions.
5. Chief executive officers (CEOs) must have information security assessed once a year, review the results with their staff, and report on performance to the board of directors.
6. To clearly define employees' roles, responsibilities, authority, and accountability for information security, organizations must set up a security management structure.
7. Organizations must devise and implement plans for remediating any gaps in information security.
8. Organizations must assess the effectiveness of their information security policies and processes on a regular basis.
9. To assess information security performance, organizations must use security best-practice guidance such as ISO 17799 (since renumbered as ISO/IEC 27002).
10. Organizations must ensure that employees fully understand information security by providing them with appropriate training.
11. To ensure continuity of operations, organizations must develop plans, processes, and tests.
12. Organizations must create and execute incident response procedures.
