
Domain 1: Information Security Governance

We have talked about a sort of big picture for the CISM exam and for what this course is going to provide us with from an information standpoint, so now we are going to go ahead and get into the material of Domain 1, which is information security governance. We are going to start off by defining the learning objectives for this chapter, and we will look at those in terms of task and knowledge statements. These task and knowledge statements are ultimately what ISACA says you should be comfortable discussing or working with at the completion of this chapter, so we will look into those pieces. For the rest of the module we are going to focus on information security governance: we will talk about what our role is in relation to governance. As a CISM our job really is to support the governance function. We are providing support to senior management, we are providing risk management, we are influencing the program and our strategies. We are not performing the work; we are advising, we are influencing policy. As far as me going downstairs and disabling a user account, that's not going to happen, so on the exam you really want to stay away from those action items. You know, a user leaves the organization; what should you do upon termination? Many people are going to choose: hey, go downstairs and revoke his credentials. But I don't do that. I'm a risk advisor, I'm an information security manager, so in that case I'm not doing; I may call the appropriate party. Making sure that we have policies and procedures in place to revoke the credentials of employees? Yes. But as far as actually going and doing it, that is not my role.

So what are we going to do as a CISM, and how do we support governance? I have already mentioned that we are going to be influencing the security strategy and the program. If we think about strategy, it's a very high-level approach: how am I ultimately going to get from here to there? Whereas when we look at the program, that's more of the how. So the strategy is broader and the program is more specific. For example: we want to improve security through encrypting sensitive data and providing multi-factor authentication in order to ultimately meet such and such a standard in the field. That's strategy. Now how are we going to do that? That's going to be the security program, which is made up of the policies, procedures, standards and guidelines. The strategy is more the what, the big picture, and the program is more the how.

Alright, now we are going to cover this at a pretty cursory level, because chapter three, or Domain 3, goes much more in depth on the security program, but we do need to talk about it a little in Domain 1.

Roles and responsibilities:

Really important is who does what: if a difficult decision has to be made, who has the priority?

Evaluating a security program: you never want to implement something without having expectations, right? So if I implement a new security program, my important question is: was it effective? Did it work? And I can't know that without determining metrics ahead of time. What do I want from this security program? Then when it comes down to evaluation, our question becomes: did it meet its objectives? Then reporting on compliance: we talk about providing the information that's necessary for us to determine whether or not our program is effective. And last but not least we will talk a little bit about ethics, particularly ISACA's code of ethics.

Alright, so getting started with our learning objectives for chapter one: what we want to be able to do is understand and support organizational governance, specifically in the realm of information security. And what we want to be able to do is make good business decisions on how we implement security and what controls we put in place, so that we are able to justify that.

Now one of the top priorities will always be maintain
