CISM

• Objectives These are desired capabilities or end
states, ideally expressed in achievable, measurable
terms.
• Strategy This is a plan to achieve one or more
objectives.
• Policy At its minimum, security policy should
directly reflect the mission, objectives, and goals of
the overall organization.
• Priorities The priorities in the security program
should flow directly from the organization’s
mission, objectives, and goals. Whatever is most
important to the organization as a whole should be
important to information security as well.
• Standards The technologies, protocols, and
practices used by IT should be a reflection of the
organization’s needs. On their own, standards help
to drive a consistent approach to solving business
challenges; the choice of standards should
facilitate solutions that meet the organization’s
needs in a cost-effective and secure manner.
• Processes These are formalized descriptions of
repeated business activities that include
instructions to applicable personnel. Processes
include one or more procedures, as well as
definitions of business records and other facts that
help workers understand how things are supposed
to be done.
• Controls These are formal descriptions of critical
activities to ensure desired outcomes.
• Program and project management The
organization’s IT and security programs and
projects should be organized and performed in a
consistent manner that reflects business priorities
and supports the business.
• Metrics/reporting This includes the formal
measurement of processes and controls so that
management understands and can measure them.

Risk Appetite
Each organization has a particular appetite for risk,
although few have documented that appetite. ISACA
defines risk appetite as the level of risk that an
organization is willing to accept while in pursuit of its
mission, strategy, and objectives, and before action is
needed to treat the risk.
Risk capacity is related to risk appetite. ISACA defines
risk capacity as the objective amount of loss that an
organization can tolerate without its continued
existence being called into question.
Generally, only highly risk-averse organizations such
as banks, insurance companies, and public utilities will
document and define risk appetite in concrete terms.
Other organizations are more tolerant of risk and make
individual risk decisions based on gut feeling. However,
because of increased influence and mandates by
customers, many organizations are finding it necessary
to document and articulate the risk posture and appetite
of the organization. This is an emerging trend in the
marketplace but is still fairly new to many
organizations.
Risk-averse organizations generally have a formal
system of accountability and traceability of risk
decisions back to department heads and business
executives. This activity is often seen within risk
management and risk treatment processes, where
individual risk treatment decisions are made and one or
more business executives are made accountable for
their risk treatment decisions.
In a properly functioning risk management program,
the chief information security officer (CISO) is rarely
the person who makes a risk treatment decision and is
accountable for that decision. Instead, the CISO is a
facilitator for risk discussions that eventually lead to a
risk treatment decision. The only time the CISO would
be the accountable party would be when risk treatment
decisions directly affect the risk management program
itself, such as the selection of a governance, risk, and
compliance (GRC) tool for managing and reporting on
risk.
Organizations rarely have a single risk tolerance level
across the entire business; instead, different business
functions and different aspects of security will have
varying levels of risk. For example, a mobile gaming
software company may have a moderate tolerance for
risk with regard to the introduction of new products, a
low tolerance for workplace safety risks, and no
tolerance for risk for legal and compliance matters.
Mature organizations will develop and publish a
statement of risk tolerance or appetite that expresse.

Board of Directors
The board of directors in an organization is a body of
people who oversee activities in an organization.
Depending on the type of organization, board members
may be elected by shareholders or constituents, or they
may be appointed. This role can be either paid or
voluntary in nature.
Activities performed by the board of directors, as well
as directors’ authority, are usually defined by a
constitution, bylaws, or external regulation. The board
of directors is typically accountable to the owners of the
organization or, in the case of a government body, to the
electorate.
In many cases, board members have fiduciary duty.
This means they are accountable to shareholders or
constituents to act in the best interests of the
organization with no appearance of impropriety, conflict
of interest, or ill-gotten profit as a result of their actions.
In nongovernment organizations, the board of
directors is responsible for appointing a chief executive
officer (CEO) and possibly other executives. The CEO,
then, is accountable to the board of directors and carries
out their directives. Board members may also be
selected for any of the following reasons:
• Investor representation One or more board
members may be appointed by significant
investors to give them control over the strategy
and direction of the organization.
• Business experience Board members bring
outside business management experience, which
helps them develop successful business strategies
for the organization.
• Access to resources Board members bring
business connections, including additional
investors, business partners, suppliers, or
customers.
Often, one or more board members will have
business finance experience in order to bring financial
management oversight to the organization. In the case
of U.S. public companies, the U.S. Sarbanes-Oxley Act
requires board members to form an audit committee;
one or more audit committee members are required to
have financial management experience. External
financial audits and internal audit activities are often
accountable directly to the audit committee in order to
perform direct oversight of the organization’s financial
management activities. As the issue of information
security becomes more prevalent in discussions at the
executive level, some organizations have added a board
member who is technically savvy or have formed an
additional committee, often referred to as the
Technology Risk Committee.
Boards of directors are generally expected to require
that the CEO and other executives implement a
corporate governance function to ensure that executive
management has an appropriate level of visibility and
control over the operations of the organization.
Executives are accountable to the board of directors to
demonstrate that they are effectively carrying out the
board’s strategies.
Many, if not most, organizations are highly
dependent upon information technology for their daily
operations. As a result, information security is an
important topic to boards of directors. Today’s standard
of due care for corporate boards requires that they
include information security considerations in the
strategies they develop and the oversight they exert on
the organization. In its publication Cyber-Risk
Oversight, the National Association of Corporate
Directors has developed five principles about the
importance of information security:
• Principle 1: Directors need to understand and
approach cybersecurity as an enterprise-wide risk
management issue, not just an IT issue.
• Principle 2: Directors should understand the legal
implications of cyber risks as they relate to their
company’s specific circumstances.
• Principle 3: Boards should have adequate access to
cybersecurity expertise, and discussions about
cyber-risk management should be given regular
and adequate time on board meeting agendas.
• Principle 4: Boards should set the expectation that
management will establish an enterprise-wide
cyber-risk management framework with adequate
staffing and budget.
• Principle 5: Board management discussions about
cyber risk should include identification of which
risks to avoid, which to accept, and which to
mitigate or transfer through insurance, as well as
specific plans associated with each approach.
Executive Management
Executive management is responsible for carrying out
directives issued by the board of directors. In the
context of information security management, this
includes ensuring that there are sufficient resources for
the organization to implement a security program and to
develop and maintain security controls to protect critical
assets.
Executive management must ensure that priorities
are balanced. In the case of IT and information security,
these functions are usually tightly coupled but
sometimes in conflict. IT’s primary mission is the
development and operation of business-enabling
capabilities through the use of information systems,
while information security’s mission includes security
and compliance. Executive management must ensure
that these two sometimes-conflicting missions are
successful.
Typical IT and security-related executive position
titles include the following:
• Chief information officer (CIO) This is the
title of the topmost leader in a larger IT
organization.
• Chief technical officer (CTO) This position is
usually responsible for an organization’s overall
technology strategy. Depending upon the purpose
of the organization, this position may be separate
from IT.
• Chief information security officer (CISO)
This position is responsible for all aspects of data-related
security. This usually includes incident
management, disaster recovery, vulnerability
management, and compliance. This role is usually
separate from IT.