Domain 3 – Information Security Program carries a weightage of 33% of the CISM exam, highlighting its significance in the certification process.
Below are summaries of the key objectives of Domain 3 – Information Security Program. These objectives are essential for information security professionals to effectively develop, implement, and manage security programs that align with business objectives and mitigate risk.
The Information Security Program domain of the CISM certification covers the following key objectives:
- Security Program Frameworks, Scope, and Charter: This involves understanding the structure, extent, and purpose of security programs within an organization, including the development of a program charter that outlines its scope and objectives.
- Security Program Alignment with Business Processes and Objectives: Candidates are tested on their ability to ensure that security programs are closely aligned with the organization’s business processes and objectives, supporting the overall strategic direction of the organization.
- Information Security Frameworks: This includes familiarity with various information security frameworks, such as ISO 27001, NIST, and COBIT, and how to apply them in the context of security program development and management.
- Security Program Management Administrative Activities: Candidates should be familiar with the administrative activities involved in managing security programs, such as resource allocation, planning, and reporting.
- Security Operations: This involves understanding the day-to-day security operations within an organization, including incident response, monitoring, and enforcement of security policies and procedures.
- Internal and External Audits and Assessments: Candidates need to understand the processes and requirements for conducting internal and external security audits and assessments to ensure the effectiveness of security programs.
- Metrics that Tell the Security Management Story: This includes the identification and application of relevant metrics to measure the effectiveness of security programs and communicate their value to key stakeholders.
- Controls: Candidates should be familiar with the various security controls and how they are selected, implemented, and monitored to support the organization’s security objectives.
Unique Terms and Definitions from Domain 3 – Information Security Program
- Information security program – The collection of activities used to identify, communicate, and address risks in an organization.
- Security program framework – A business process model that includes essential processes and activities needed for effective security management and risk reduction.
- Security program charter – A formal, written definition of the objectives, scope, and authority of a security program, ratified by executive management.
- Security program alignment – The process of ensuring that the security program supports and works in harmony with the rest of the organization and its business objectives.
- Risk management – The process of identifying, analyzing, evaluating, and treating risks in a systematic and consistent manner.
- Value delivery – The process of ensuring that the security program delivers benefits to the organization, such as risk reduction, cost savings, or business enablement.
- Resource management – The process of ensuring that the security program uses resources effectively and efficiently to achieve its goals and objectives.
- Performance management – The process of measuring and reporting the key activities and outcomes of the security program to management and stakeholders.
- Assurance process integration – The process of aligning and integrating the security program with other assurance processes and programs in the organization, such as audit, compliance, or enterprise risk management.
- Information security management system (ISMS) – A set of processes used to assess risk, develop policy and controls, and manage security operations, as defined by ISO/IEC 27001.
- COBIT 5 – A controls and governance framework for managing an IT organization, developed by ISACA.
- COBIT 5 for Information Security – An extension of COBIT 5 that explains each component of COBIT 5 from an information security perspective.
- NIST Cybersecurity Framework (CSF) – An outcomes-based security management and control framework that guides an organization to understand its existing maturity levels, assess risk, identify gaps, and develop action plans for strategic improvement, developed by the U.S. National Institute of Standards and Technology (NIST).
- Information security architecture – A subset or special topic within enterprise architecture that is concerned with the protective characteristics and specific components in an enterprise architecture that provide preventive or detective security functions.
- Enterprise architecture (EA) – A business function and a technical model that ensures that important business needs are met by IT systems, and that IT systems are structured and consistent throughout the organization.
- Risk analysis – The activity in a risk management program where individual risks are examined and quantified in terms of probability and impact.
- Threat – An event that, if realized, would bring harm to an asset and, hence, to the organization.
- Vulnerability – A weakness or flaw in an asset or its protection that can be exploited by a threat.
- Control – A measure that modifies risk by preventing, detecting, or correcting unwanted events or incidents.
- Risk treatment – The process of selecting and implementing appropriate controls to modify risk to an acceptable level.
- Audit – A systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
- Audit objectives – The specific goals for an audit, such as determining whether controls exist and whether they are effective in some specific aspect of business operations in an organization.
- Audit scope – The extent and boundaries of an audit, such as the locations, departments, functions, processes, systems, or controls to be audited.
- Audit criteria – The set of policies, procedures, standards, regulations, or benchmarks used as a reference against which audit evidence is compared.
- Audit evidence – The records, statements of fact, or other information that are relevant to the audit criteria and verifiable.
- Audit findings – The results of the evaluation of audit evidence against audit criteria, which may indicate conformity, nonconformity, or opportunities for improvement.
- Audit report – A formal document that communicates the audit objectives, scope, criteria, findings, conclusions, and recommendations, as well as any reservations, qualifications, or limitations.
- Audit follow-up – The process of verifying the implementation and effectiveness of corrective actions taken as a result of an audit.
- Security metrics – Quantitative or qualitative measures that describe the performance or effectiveness of security processes, activities, or controls.
- Key performance indicator (KPI) – A type of security metric that measures how well an activity or process is achieving its objectives or goals.
- Key risk indicator (KRI) – A type of security metric that measures the level of risk or the potential for risk in an activity or process.
- Security awareness training – A type of security education that aims to increase the knowledge and change the behavior of personnel regarding security policies, procedures, and best practices.
- Security culture – The collective set of attitudes, practices, communication styles, ethics, and other behavior in an organization that influence the awareness and importance of information security.
- Business case – A documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.
- Digital rights management (DRM) – A type of access control technology used to control the distribution and use of electronic content.