Transcript for:
CISM Exam Guide Overview

Hi team, welcome to my session on Coffee with PR. Today we're going to discuss the CISM last-minute guide. I can assure you of one thing: it is the first video of its kind on YouTube which talks about all four domains based on the new syllabus. My name is PR, and I have been taking CISM for the last 10 years, and when it comes to success rate, in the last 10 years I have maintained 99%. For more information you can check my LinkedIn profile, and if you're new to the channel, do subscribe to the YouTube channel and click on the bell icon to make sure you don't miss future videos on similar topics. So without wasting time, let's start with the first part. Thank you.

Okay, so in CISM we have a total of four domains, and the full form of CISM is Certified Information Security Manager. Now, when talking about CISM, we have Domain 1, which is called Information Security Governance, because governance helps you build the foundation. We're going to discuss in a further slide what governance is, but for your information, governance is all about a set of operations. Now, that set of operations is there to help you conduct information security risk management, because when you want to implement any kind of controls in the organization you have to do risk management. Based on that risk management we can define the controls with the help of the information security program, because the information security program includes all the controls we have and makes sure the controls are working effectively. If any issue comes up in a control, with the help of incident management we can manage it, and whatever gap we identify, we report back to the board. Now this is the complete cycle we have: governance is a set of operations; they do a risk assessment to identify gaps, threats and issues; based on that they organize the controls in the information security program; and once they implement the controls, any kind of problem or challenge they face, we can handle with the help of the incident management process. From the incident management process we get the reporting, by which we are able to improve the controls. That is how CISM has organized the four domains.

Okay, so in CISM people say you have to think like a manager; you should not think like a practitioner. So what is the definition of "think like a manager"? See, whenever you answer any question, the first thing you have to keep in your mind is that you have to focus on business goals. I'll give an example. According to you, what is the best firewall? I need your suggestion in the comment box. Some people will say Palo Alto, some will say Fortinet, but the best firewall is the one which meets the business requirement. That is the mindset we need. So normally we have two types of profile in a company: one is called a practitioner and one is called a professional. The practitioner is the one who implements the solution and the professional is the one who manages. Okay, every organization starts with a strategy, then we have a tactical plan, and then we have an operational plan. Now the CISM guy basically comes on this side, the professional. He understands the business, he understands the requirements, he understands the regulatory side, and based on that he will do the risk assessment, suggest the control and get the control implemented by the operations team. That is how things work. So the professional is the one who understands the business and analyzes the requirement, and the practitioner is the one who implements the solution. So in CISM you have to think like a professional. Okay, there is no one solution which fixes all the issues; you have to understand that also. Understood? That's basically the most important part.

Now, as I said, when it comes to CISM, you have to focus on business goals. That's the first priority. Business goals: always align your answers with the organization's objectives, such as protecting assets, ensuring compliance and, more importantly, enabling business continuity. By the end of the day you have to maintain the CIA, but always remember one thing: the ultimate goal of any solution is to achieve the business objectives. Is it clear? Second, we have risk-based thinking. Risk-based thinking is very important, so you have to prioritize risk management by identifying, assessing and mitigating risk in a way that balances the security needs with business operations. In layman's terms I can say: for any kind of initiative you are doing in the organization, when you hire anyone, when you fire anyone, you do a risk assessment. So risk-based thinking you need to have in the system. Let's take an example: you're dealing with multiple incidents with limited resources, so how do you handle that? You'll first do an impact analysis or risk assessment to prioritize what is important and what is not. The third important thing we call strategic alignment. Okay, so you have to emphasize how information security supports the organizational strategy, and you also need to check the goals rather than focusing only on technical controls. So that is the first important thing you need to understand from the exam point of view; that is called the "think like a manager" concept.

Now the second important thing: you have to analyze the scenario holistically. How? So you need to consider stakeholders, that is your first priority. You have to evaluate the scenarios from the perspective of employees, executives, customers and regulators. Okay, that's one thing. Second is long-term implications: you have to choose the answer that reflects sustainable and scalable solutions rather than short-term fixes. For example, the ultimate goal of risk management is not to identify risk but to reduce the risk to an acceptable level, right? So that's called a long-term implication. The third most important part is called compliance and governance, so you have to incorporate all the regulatory requirements, governance frameworks and everything. Okay.

Next is called prioritize the actions based on impact. Very, very important. Now here the most important thing required is critical thinking, so you have to assess which actions provide the greatest value and which reduce the most critical task. You also need to consider resource management, where you consider cost-effectiveness and resource constraints when you're selecting a solution. And then we have incident response: when you're handling incidents in the exam questions, focus on minimizing the business impact and restoring operations efficiently. The ultimate goal of incident management is to reduce the risk to an acceptable level, that's true, so you have to check how you prioritize that. Okay, always remember: avoid all technical over-emphasis. For example, detailing the firewall configuration is not required; focus more on how the firewall will enforce the policies. Second, when you're discussing encryption, the emphasis will be on its role in achieving the confidentiality objective rather than the technical implementation. So these are the basic steps required for your understanding that you need to follow. Okay.

Now, in the exam these keywords are very important. The first keyword is "best". Best is used according to a particular situation. For example, you have created security policies; what is the best way to communicate the policies? The answer is awareness training. But when you have created a policy, the most important step is approval of management. So the difference is that "best" focuses on the most appropriate and strategic solution among several valid options: all four options will be great, but still we have to select the one which can cover everything. On the second part, the word "most" is there. "Most" highlights the critical priority and highest impact. For example: what is the most important outcome of security governance, or what is the most important requirement for successful security governance? The answer is basically senior management approval; without senior management approval we can't do anything. On top of it, one more important one is alignment with the business objectives, because if it's not aligned with the business objectives, management cannot approve it. So the keyword is "most". Or, second option: in the month of December most of the Indians, or most of the people in India, go to Goa. So that's called critical priority, highest impact, but best is to stay at home, according to the problem. Another keyword is called "primary". Primary means: what is the first goal of this initiative? Like, what is the primary goal of your watching this video? Learning? No, learning is one goal, but the ultimate goal or primary goal is to pass this exam, right? So when you're doing any initiative you have to understand, from this initiative, what is primary. Like the primary goal of incident management is to reduce the impact; the primary goal of problem management is to track down the root cause. So primary means: from this particular initiative, what is the first thing I will achieve? Then the last is called "first". We use "first" in the case when you're talking about a sequence, like what is the first step in risk management, what is the first step in the BIA, what is the first step in this, what is the first step in that. Whenever the question is talking about a sequence, it means the question is talking about "first" and all that, so you have to select the answer accordingly. Sometimes what happens is the options are also a combination. For example, what is the first step of risk management? The answer is identifying risk, but one option is also there: reduce risk to an acceptable level. Now this option is an outcome of the question, not a sequence, but this option is the sequence of the question. So this is how you need to validate the functions. For more information there's already a video I made on CISM "Think Like a Manager"; do check that. Okay, the ultimate goal of this video is to give you visibility about what is covered in CISM, so the primary objective of this video is not to teach you how to think like a manager but what is in CISM. There's another video I have; you can check that video. Okay.

So let's move to the first domain, which is called Domain 1. So before we start with the actual thing, let's understand the basics first. What is governance? Okay, so governance is like, you know, governing something, or it is basically a framework. It is a framework of rules, practices and processes that guide how an organization is managed and controlled. Now if you take the example of a country like India, let's say, okay, we have more than 25 states, right? Each state has its own belief system. So a country like India, a country like Pakistan, a country like Bangladesh, a country like the US, the UAE and all that: each and every state, each and every country has its own belief system, and there are different resources we have, like people are there, nature is there, so everything needs to be managed properly. To manage them they need to create rules, okay, they need to introduce law, they need to manage them appropriately, so they will form one system. That system is called governance. If you take another example in the same context of India, what happens is we have ministers. We appoint ministers, the ministers create a law, they create a department, and then they manage them to create value for us. That is called governance. Even when your parents create rules for you and introduce processes for you, okay, every day morning you have to wake up, at 9:00 or 10:00 you need to have breakfast, at 11:00 you have to go to school and come back, they are creating a policy which is called a law for you, they're creating a process for how to follow that policy, and by the end of the day they're trying to create discipline to give you a better life. Same with a company: in order to manage that company and their resources and everything, they create rules, they create practices and processes that guide how the organization is managed and controlled.

I want to show you one video, okay, so you get visibility on why governance is important. If you see this video you'll get a better picture: he just directly jumps into the car, no parking, nothing, breaking the glass. You can see the way of taking a taxi; it is against the law. Wherever you park, you jump and you break the glass, no one cares. Even though it is mentioned, no helmet, he's still not wearing a helmet. And now you see the entry. So that is a perfect example of bad governance. Now understood? So if they have a system, if they have a law, if they have some policies, then nothing like that will be happening. That's why we say governance ensures accountability, transparency and alignment with the goals and objectives. So governance is a process of governing or overseeing the control and direction of something. Okay, if a country creates governance, that is country governance; if parents create rules for their kids, that is called parenting governance.

So now the question is: why does governance matter in the organization? Okay, so the first part, why governance matters. The first biggest reason is direction. See, when you're talking about governance, governance sets the organization's goals and their strategic direction. Just like a family: you know, you have a family, so the family is something which sets the goals. They set the goals like they want to plan a vacation, or they want to save for a new car, or make sure the kids do well in school. So governance in an organization also sets the goals and direction. Okay, so if you take an example, this is the bank we have. This bank is doing offline business in Delhi or Melbourne. Offline business means there's nothing online; everyone has to go to the bank and avail the services. Now the bank understood they want expansion, they need to introduce IT, so they have given instructions to the CIO to plan the IT function; then the CIO gets the information from the CISO to ensure the security. All these are part of the strategic direction. So the family has a strategic direction to save money, spend quality time together or prioritize education; same way the company basically has a strategic direction. Okay, this year this plan, next year this plan, and if the organization has an appropriate strategy and everything, that shows good governance. That's why governance matters.

Second is called accountability. See, it ensures your decisions are made responsibly, with clear accountability at every level. That's why, if you notice, in your company you have a RACI matrix: someone is responsible, someone is accountable, someone needs to be consulted and informed. Okay, so in a family it's the same: everyone has a responsibility. So parents might manage the finances, older kids might help with the chores and younger kids are responsible for their schoolwork. So governance ensures everyone knows their roles and can be counted on, so if anything happens, for instance, a family can quickly see who was supposed to do what and hold them accountable. So they have visibility. So accountability is very important.

The third important thing is risk management; in my further slides we discuss it in detail. So the governance structure helps to identify, assess and control the risk. Same way your family faces risks too, like managing expenses, staying safe or preparing for emergencies, right? So governance in a family involves planning for those risks, like saving for unexpected expenses, or having emergency contacts, or teaching kids about safety, and in this way risks are minimized. Now let's say, for example, I'm getting every month a salary of $10,000. Suppose I have a kid; I don't have a kid, but suppose I have a kid. Now he said today he needs a PlayStation. So I have to see my finances, and I will see, okay, can I gift him a PlayStation in this budget, and if I gift him a PlayStation from this cash, am I able to run my entire house? Understood? So here I'm doing a risk assessment, because I don't want to buy it and have to face the consequences tomorrow. Same with a company when they go for a new project and all that: a project can give a reward, but it can also give a liability. A good company, a good governance, is the one where we do risk management, because ultimately we have to reduce the risk and prepare for the surprises.

And the last is called compliance. Why does governance matter in the organization? Because of compliance. So, for example, my father has set the rules for me, so I have to abide by that rule; so I'm using the word "comply" with the rule. Understood? So a family follows the rules, right? So compliance ensures we adhere to the laws, regulations and internal policies, which protects the organization from fines or reputational damage. So compliance here is like a family following the rules, or maintaining harmony to ensure everyone's well-being, like bedtime, limits on screen time or taking turns with responsibilities, right? Like at dinner time, no phones. So we have to comply with the rule; the rule was set under the governance. So if you see the term GRC, governance, risk management, compliance: during governance we set the rule, and now we have to comply; if we don't comply there is a risk, right? So during the building process they have ensured no one will take a phone during dinner time, and this is basically what we have to comply with, right? So compliance basically ensures you adhere to the specific things. Okay.

Now the question is: overall, why does governance matter? So in this example you notice, right, without governance a family might struggle. Okay, if you don't have direction, the family might struggle with, you know, unexpected goals, confusion over responsibilities and conflict around rules. And by setting a goal and ensuring accountability we can prepare for risk and maintain rules, and the family can build a healthy, organized and supportive environment, just as governance does for the organization. That is why governance matters today in the organization.

So let's discuss the next part, key elements of governance. So the question is: what are the key elements of governance? The first important element is policy and standard. Everyone has to wake up on time; it's a law, it's a policy, or it's a rule of my house. Same way: every system must be protected with a password, that is a policy. Policy is nothing but the law of the company, just like the policy which is created for my house is the law of my house. But the standard is what time we have to wake up. Like, the policy says that we have to wake up on time, but the question is what is the time? 7:00 a.m. is the standard time; it is for me and for my cousin. So the first important component, which is the foundation for any company's governance, is policy. So if you want to check the maturity of any company, first ask for the policy. Okay, so governance includes setting up the policies and standards that define the expected behavior and operational practices, and these policies help to establish what is allowed, required or prohibited within the organization. Same way, as I said, in a family, policies are like house rules, such as no phones at the dinner table or bedtime at 9:00 p.m. So these rules set clear expectations of what is allowed or what is not, and they help everyone understand what behaviors are expected to maintain harmony at home. That is why, for any kind of activity you want to introduce, policy is the first step.

The second important element is called roles. So governance defines who is responsible for various activities, so there should not be any surprises, okay, and this is something we document as a decision within the organization. This ensures accountability and clarity so that everyone understands their duties, from senior management to the individual contributor. So every family member has a specific role: parents may handle the finances and grocery shopping, older kids take care of the trash or doing the dishes, and so roles make sure everyone knows what they are responsible for, and this reduces confusion and makes the family run smoothly. That is why in your company you have a RACI matrix.

Third is that whatever policies and standards we have to follow are followed by procedures. Okay, so on one side we are saying we have to go to bed at 9:00 a.m., or 9:00 p.m., so what is the process, what is the procedure? Or I have to set an eight-character password, so what is the process, what is the procedure? So governance outlines the procedures that ensure consistent, reliable and repeatable outcomes. These processes are especially important in critical areas like risk management, compliance and quality control. I'll give an example: I have appointed a DR coordinator, a disaster recovery coordinator. He created a procedure, or she created a procedure. Now in her absence or in his absence, someone can follow the procedure blindly, and that is called good governance. So procedures are the ones which generate the same results, consistent results. Procedures are like routines in a family, such as getting ready for school in the morning, where each step is organized: everyone wakes up, eats breakfast, brushes their teeth and gets dressed. So these routines help things happen in a predictable way, so no one misses the school bus or forgets their lunch. That's why that's a very important part.

The next thing is called accountability and oversight. So governance provides mechanisms to monitor the activities, okay, checking adherence to the policies and all that, and oversight bodies like the board of directors or a governance committee review the reports. Because if you ask me, the overall function of governance is three: on the governance side we have evaluate, direct and monitor. This is my operations team; when they work on that, this is basically overseen by the board. So the board is the one who always gets reports on a regular basis, because by that they get visibility, and it is very important to have that. Okay, it is very important. So the same way, you know, we collect audits, we do audits, we review the reports, and by this you can hold people accountable for their actions. That's why when you face any audit and all that, you know, the auditor gives you the recommendation and then does the follow-up. Okay, that's an important part. So accountability in a family means making sure everyone does their part, so parents check if the cleaning has been done properly or if homework is completed, like, you know, I'm sure you also experienced that. That's an example of oversight.

The next important thing: good governance is the one where whatever strategy you have set, whatever initiative you have set, is aligned with the business goals. For instance, governance might ensure security practices align with the business goals, so good security governance is the one which aligns with the business goals. Or a family might have a goal like saving money or vacations, or making sure everyone eats healthier, so governance helps to align daily activity with these goals. Understood? So that is something that is part of the function. So these are the key components we have.

Now let's understand how the overall organization works in its functions. Okay, so we're going to discuss now the types of governance, so that gives you better visibility. See, when we're talking about the organization hierarchy, this is how the actual organization works. So the first part is called the CEO, okay. Now before going to discuss this I want to discuss the hierarchy. So as I said, governance is a set of operations. Okay, so under governance we have an important element, let me change the color, okay, so under governance the first thing we have is called corporate governance. Corporate governance is the one who sets the goals, okay, they are the ones who set the goals and they are the ones who set the direction: hey guys, we have to start a new business, we want to go digital. So that is defined by corporate governance. Now who is part of corporate governance? The board and senior management; they are the ones who set the goals. So let's say, for example, we are doing offline business and now we want to do online business. Okay, that is basically my goal. So we have decided, because right now we're doing offline banking, I want to start banking services in all of Melbourne and I want to do it in Sydney, for example, or I want to do it in Delhi or I want to do it in Mumbai. So what happens is corporate governance said, okay, increase business, increase sales and everything. So then it is giving a direction to the IT team, which is called IT governance. They create policies, they create procedures, they introduce AI, ML and all that. So this is basically driven by the CIO, Chief Information Officer. So corporate governance has given a direction to IT governance: hey guys, we want to go digital, now support digital, but make sure this digital should be secure. We have one governance which is called information security governance; they create their policies, procedures and all that to protect the business and protect IT. So that's why we say the CEO is the one who sets the organization strategy: we want to go digital, fine. The CIO will ensure how digital can support the goals; the CISO will ensure how the security can be achieved; then the security manager creates the ISMS and all that; then the security admin is there who creates the SOC SOPs, and this is how the security technical team operates at the local level. So that is how the entire hierarchy works.

To understand better, let's understand each and every statement one by one. Okay, so first let's discuss corporate governance. I already explained to you in the previous slide what corporate governance is. So the foundation of GRC is corporate governance, because they are the ones who set the thing. So if you see the hierarchy, according to corporate governance, they are the ones who follow three things, EDM, according to COBIT. E stands for evaluate: so they evaluate the legal requirements, regulatory requirements, compliance requirements, customer requirements; in my further slides we discuss how we arrange the sequence. So they are evaluating the market conditions, and they understood, yes, we have to go digital. Okay, we have to go digital, that is basically the need we have. So corporate governance understands that particular thing and then they basically give a direction to the CIO. Okay, so the CIO is the one who drives the initiatives. So now the CIO got the direction, so now what happens is the CIO, based on that, creates a strategy, they create the tactical plan, they create the operational plan, and then, so we have evaluate, direct; the CIO is the one who will do the planning, building, running and monitoring, but in parallel we also have a CISO. The CISO is also doing planning, building, running and monitoring to make sure IT can secure the business and provide the report. This is basically called EDM, evaluate, direct and monitor, and the CISO and CIO are doing PBRM. They are creating their strategy; that's called IT governance. They are doing their information security governance, and corporate is doing their function, which is called corporate governance.

So corporate governance sets the strategic objectives, and it guides ethical behavior and oversees compliance with legal and regulatory requirements. So their major focus will be on board oversight: they want executives to be accountable, they want transparency, and they are actually accountable for anything that is happening in the organization. But the challenge is basically balancing profitability with social and environmental responsibilities, because they have to run the business but also respect the culture and everything. They are the ones who set the regulatory landscape and they follow the top-down approach. Without governance we can't implement anything; remember that, without governance we can't implement anything. So that is basically called corporate governance.

Now second is called IT governance. They are the ones who align the IT strategy with corporate objectives. As I said, the bank has decided they want to go online; right now they are the ones creating the IT strategy to ensure how they can go online. So they are the ones managing the risk associated with digital transformation, and their focus area is how to allocate the resources, how to create performance metrics, risk management and integration with the business goals. But the challenge is basically, as technology changes, today you can see there is a need for AI, artificial intelligence, machine learning and all that, so they have to see how they can optimize the IT investments and everything.

Now next is called information security governance. See, in some companies information security reports to IT; in some companies information security directly reports to the board. So here information security governance ensures the protection of information assets through policies, standards and frameworks, and their focus areas will be data protection, risk assessment, incident response, compliance and everything. Challenges: as things keep changing and all that, a growing balance is there, so how to comply with legal and regulatory requirements and how to maintain security is the most important part. See, when you document information security, under information security we have cyber security. So the difference is cyber security is protecting digital assets and information security protects all types of assets. All types of assets, I repeat again: information security protects all types of assets, whereas cyber security protects digital assets. If I have a laptop, it has data; that will be protected under cyber security. I will keep this laptop in a physical locker; that comes under physical security. Okay, and in information security we have three goals: maintain confidentiality, integrity and availability. Like, I want to make sure whatever information we collect is protected from unauthorized disclosure. It is the user who decides this information should be available to one person or to this person; apart from that, if it's available to anyone else, it's a breach of confidentiality. Whatever information we provide must be accurate; that is called integrity. And third, it must be available whenever it is required. It is the same as, right, you're sharing your secret with your friend and he told everyone; will you trust him? No, so it's a breach of confidentiality. You ask for some advice and he gives some wrong advice; will you trust him again? No, that is integrity. He said, okay, whenever you need me I will be available, and he was not available when you needed him; that is availability. So that is how governance, risk, compliance and information security work in the organization.

Now this is the summary. Okay, so here you can see corporate governance sets the strategic objectives for IT. Okay, they are the ones; so first is set the objectives. They also define the compliance requirements, that we need to comply with the legal and regulatory requirements, and then they basically expect an IT risk assessment report from IT, but IT gets this assessment from information security governance. Okay, information security governance and IT implement the security controls. Information security governance reports to the CIO on the IT security metrics; they do the risk assessment end to end to make sure things are working correctly, so that they get reports on a regular basis, and they also report the IT performance. So this is basically the overall types of governance.

Now we're going to discuss a day in the life of a GRC analyst. See, in different companies people do different roles. Okay, in some companies GRC analyst means doing audit work; in some companies the GRC analyst is the one who does the risk assessment and the implementation of controls. So let's understand the day in the life of a GRC analyst, so you get visibility on what kind of role he does. Okay, let's move to the next part.

So, information security governance. I can say if you're preparing for CISM, Domain 1 is very important. I know it covers only 17%, but that is very important, because when you're talking about Domain 1, okay, it's very important for you to know the basics. 17 percent, so approximately you will get 25 questions from this, and that is the best thing about ISACA: what they commit, they follow. If they say they give 25 questions, they really mean it. So this module represents the combination of 25 questions, okay, that you need to know for the exam. Okay, now before I start this section I want to discuss the basics of that, so I don't want to directly start with the session. So first I want to discuss what information security is, but as I said, when you're preparing for this CISM, give proper attention to Domain 1, because that is the base for the rest of the domains. Now here, when you're talking about information security, information security is always an outcome of confidentiality, integrity and availability. Before we jump into CIA I want to discuss the basics of information security. So we have two things here: one is called infosec and then we have cybersec, information security and cyber security. Cyber security is a part of information security, so you can say information security is the umbrella. So if I say I want to protect all types of assets, then the answer is information security, but if I want to protect only digital assets, then the answer is basically cyber security. So let's understand with an example. We have a phone here, this is my phone, okay. In the phone we have WhatsApp chats, I have images and all that. So this is protected with a password, a 4-digit PIN; that is called cyber. But I place this phone in a physical locker and I lock the phone with a particular key, a physical key; that is called physical security, which is part of information security. Now when I join as a CISO in any organization, let's say, for example, I join a bank, okay. Now they're saying, PR, we want to create value for the business, and we are expecting information security to create value for us. Definitely we create value for the business. How? We make sure whatever transactions are there are only available to the respective customer. So what does it mean? It means we are maintaining confidentiality: like this is the transaction, it will be only available to
the respective customer customer who basically own that account and if this information go outside of these two things so this is the bank this is the customer and if it go to any third person it is a breach of confidentiality and how we achieve that with the help of encryptions access controls and all that second is whatever the transactions we are doing it should be processed without any error so we have to ensure the transaction should be done in a proper manner so we maintain the hashing and all that and third is that whenever the user want the website to be available it must be available that is called as availability and forget about that today we use this confidence CIA tried in a real life also example like this is my friend and I told him buddy this this is is a issue and don't tell anyone and he meant he makes sure he will not tell anyone but one day what happened he told some people and that break the trust because he doesn't maintain the confidentiality second thing is I ask for the friend okay yeah how's your marriage life you know is a marriage is good and all that so he said yes his marriage is heaven and all that you should also get married so I trust his advice and I follow the advice and what happened is it's said I I really appreciate but I'm just giving example after that I don't get that friend so that is basically called as an Integrity he told mea whenever any issue happen I will be available I said okay and when I need him I called him buddy there's a fight happen you have to be there and after that he vanish that is called availability issue so same like in the organization if you fail to maintain the confidentiality if you fail to maintain the Integrity if you fail to maintain the availability then it will impact the business so your information security outcome is maintain the confidentiality integrity and availability and that's why we say for educate protection for educate protection for information asset information security strategy 
is essential, and that is the process we need to understand here. Now this is the process, but before I jump into the process I want to explain it to you with an example. See, when we're talking about any organization, right, so we have a vision, then we have a mission, and then we create an information security strategy, ISS. You need to understand the sequence, okay: information security strategy, then the information security strategy is backed and supported by the information security policy, and then the information security policy is included in the information security program. In the information security program the first thing we do is risk management, and based on that we enforce the controls. So this is the sequence you need to know from the exam point of view. I repeat again: vision of the company, mission of the company, then we have the information security strategy, based on the information security strategy we create the information security policy, and the policy will be backed and supported by the information security program, because any kind of program you want to introduce should be backed and supported by the policy. So when we create a program, the first thing we create is a policy for that. By the end of the day the policy is a part of the program, the policy is included in the program, but to build the program you need a policy. And when you're implementing controls, all the controls come under the program, which includes your incident management, patch management, everything, everything is part of the information security program. But when to implement, how to implement, that comes with the risk management.

And you can see here the organization has objectives. So the organization has decided they want to go... so right now the organization is doing a lot of offline business, they're doing offline business, but now they want to go global, okay, they want to go global, and that is only possible when they do all the business with the help of a website. So now when they want to go by website and all that, okay, so the vision of the company is to provide digital services, sustainability, and the mission is basically what we set for the internal stakeholders. So here we have a vision, here we have a mission, and now we are creating an organization strategy. Organization strategies: increase business, increase customers and all that. And then further it is divided into two parts, one maintained by the CIO and one maintained by the CISO, and you are here, you are here. The CIO will ensure cloud needs to be there, technology needs to be there to support the digital business, but to make sure the business runs in a secure manner, to make sure the technology is in a secure manner, this is basically why we have a CISO. So the CISO is the one... the first thing what he does, he will create an information security strategy which covers your security objectives, like protect the information, maintain the trust and all that, and based on that security strategy we develop the comprehensive policy, and that is where we have a security policy. The policy talks about the controls, and those controls are part of a program, can you see that program? So that is basically there, and the program will be implemented with the help of risk management. So that's why we say the organization informs the information security manager, the information security manager creates the information security strategy that basically covers your objectives, and then based on the objectives we create a policy, and the policy basically defines the controls for the security program, and when we want to implement all the controls we need to do it with the help of risk management. You can see risk management provides the feedback, based on that we update the program, the program effectiveness we need to inform to the information security manager, and the information security manager informs the management. That is how it works. So in this entire structure information security governance plays a very important role.

Okay, so before that I want to discuss one more important point which gives you better visibility. So this is a blank screen, but it's okay. See, when we're talking about a set, we have a vision, why we exist in this world, that's called vision. We have a mission, the mission is basically the path, and then we talk about the strategy, the strategy is called the organization strategy, okay. I will discuss all these pointers further in detail, but right now I'm just covering it at a high level. So the organization strategy is there, and then the organization strategy is further divided into the IT and information security strategy. The information security strategy is driven by the CISO and the IT strategy is driven by the CIO. So this is called information security governance, and this is called IT governance, and this is called corporate governance, okay, so that's how it works.

So the ultimate goal of information security governance is to create value, okay, the ultimate goal of information security governance is to create value. So there's a question that can be asked in the exam: what is the purpose of information security governance? Establish an effective information security program that aligns with the enterprise goals, protects assets and supports compliance, that is the primary purpose. So if you get any question talking about what is the purpose of information security governance: it is to make sure it should support the goals, protect assets and support the compliance. Second is the focus. So purpose is different, focus is different; focus is basically what you're going to do. So the information security governance outcome is risk management, because it is not possible for me to protect all the assets with the same value, so with the help of risk management we have to prioritize, remember that, okay, we have to prioritize, and through that prioritization you are able to optimize the resources. Same like, you know, it is not possible for you to read word by word, line by line, and remember everything to the last day of the exam, so what you do, you will create a strategy, and in the strategy you create a program, a study program of two weeks, and in that program the first thing you do is risk management: what is important, what is not. So with the help of that, with the limited resources, you try to optimize, and those limited resources you implement, you do the performance measurement of that, and more importantly you integrate with the enterprise business. That is the purpose, that is the focus of information security governance, and by doing this you are aligning with the enterprise goals, protecting the assets and supporting the compliance.

So what is the CISM context you have to remember? So as a CISM context, one thing you need to understand here is information security program success relies on strong alignment with the enterprise's overall governance, leadership support and a structured approach. Without leadership support you can't implement information security governance in the organization. So always remember one thing: without leadership support you can't implement a program, without leadership support you can't implement the policy, without leadership support you can't implement any solutions. But one important requirement to get the leadership support is that your information security strategy should be integrated and aligned with the business objectives. If it's not aligned with the business objectives you can't get approval on your program. Always remember, okay, that's a very important part.

Now another important thing we need to understand here is, yes, this diagram, it's very, very important for you to know, okay. So this is the hierarchy we have, okay. Now here you can see the first part is how. So here these are the steps which talk about how to implement information security in the organization, okay, it's very important. Now the first thing, and I'm going to explain with a use case, okay, so the first thing is basically called determine the desired outcome. See, when you're preparing for CISM, this is your current state and this is your desired state. The desired state is you want to clear the exam, the current state is where you stand, so it's not
necessary that you have to start from zero; you can do a gap assessment and based on that you are able to prioritize, okay. And this is the same thing we're doing, we are determining a desired outcome. So let's say for example the leadership of company ABC identifies the high-level outcomes they want to achieve, and these outcomes include the safeguarding of customer data, meeting compliance requirements and reducing the risk of a data breach; the compliance requirement is GDPR. So here the outcome is like they want to achieve 100% compliance with GDPR, they want to achieve zero-day vulnerabilities, and they want to ensure the availability of services, okay. So that is the desired outcome they are expecting. Now for that, what we did is we defined the security objectives, okay. Security objectives, that is part of the function. Now when we're talking about the security objectives it is like, you know, you're translating the outcome into measurable security objectives. On one side you're saying you want to achieve 100% compliance, right, so now you will define your security objectives like implement encryption, okay, deploy a 24x7 SOC, conduct monthly vulnerability assessments; that is called define the security objectives. And then you will see what they currently have, okay. So see here, my goal is I want 100% compliance, okay, I want zero-day vulnerabilities to be achieved, like I don't want to have any kind of vulnerability, and I want to ensure uninterrupted services, so that is my outcome. Based on the outcome I have created security objectives like implement encryption, deploy a 24x7 SOC, okay, doing vulnerability management, creating policies and everything, that's a security objective. But what do we have currently? And this is basically where I'm determining the current state. So I will assess the current security posture to understand the gap between the existing and desired state, and for that I will do a gap assessment, identify what they have, and based on that I will identify and do the risk assessment, okay. Like: no encryption is implemented, security monitoring is manual, and vulnerability assessments are performed once a year, okay. I will do a deep gap analysis, so I will identify the gap between the current state and desired state. For example, gap number one is no encryption, so we require implementing full-disk encryption; no 24x7 monitoring, so we require setting up an outsourced SOC; and third is infrequent vulnerability testing is performed, so we require increasing the frequency. That is basically perform the gap analysis between the current state and desired state. And then I will develop the strategy to close the gap; this is the plan for how to address the identified gaps, like encrypting sensitive data, partnering with a third party, increasing the vulnerability scan frequency to monthly, that is develop the strategy to close the gap. And then I will create a roadmap for that: I will break down the strategy into actionable steps, like I will do research on encryption tools, encrypt the sensitive data, onboard the SOC provider, or automate the vulnerability scanning. And then finally I will define and develop the program with the governance policy, like I will establish the ISMS, define the incident response procedures and develop the third-party management policy, and then I will manage the program with the help of metrics. Your entire CISM is around this area only, okay, the entire CISM is around this area only.

So we talk a lot of the time about GRC: governance, risk management, compliance. So governance is a set of processes by which we set the policy and ensure alignment with business objectives. In my previous section you have seen how the governance works. Then we have risk management; risk management is all about identifying risk and everything so that we are able to treat the risk, reduce risk to an acceptable level. And finally we have compliance: compliance with the legal, regulatory and organizational standards. So let's say for example, in the previous video, the same example I've said is, when you join any company you create a process, you're creating policies, that's part of governance. If you want to run any country you need to create law; law is created by the ministers, and that shows good governance. Parents creating a law, parents creating rules for your kids, that's governance, right? But to follow the process it's not possible for me to do everything, so I will do risk management. So governance does the risk assessment to identify, prioritize, so that they are able to comply with the legal and regulatory requirements.

Now when you're talking about ISACA, they follow COBIT, and COBIT differentiates governance from management, okay. Now here, before I move to that, I want to discuss the COBIT example. So in COBIT we have one thing called EDM, okay, and governance, and another thing is called PBRM. Now what is the meaning? Let me explain to you. So when I say EDM, EDM is driven by governance, governance means corporate governance here, and PBRM is by the management; management is the CIO and CISO. So in COBIT they actually segregate the thin-line difference between governance and management. So in layman's terms you can say governance is all about evaluating the needs of the stakeholders, evaluating the needs of the regulators, giving directions to the CIO and CISO, and the CIO and CISO, based on that, plan, build, run and monitor, and whatever metrics we have we provide to the management. So this is one thing you need to know from the exam perspective: governance is the one who sets the goals and management is the one who focuses on execution. So as a CISM context you need to understand the distinction between governance and management. So in layman's terms you can say governance is like the corporate governance, and management is who runs the show; management is the one who manages that particular show, the CIO and all that, okay. That's a very important part.

Now when you're going for the CISM it's very important for you to know the roles. So one thing you need to understand is these roles. Board of directors: one thing you need to remember, they are ultimately accountable for anything, whatever is happening in the organization. So any question talking about who is ultimately accountable for security, the answer is the board and executives, remember that. The information security manager is the one who develops, communicates and manages the strategy and policy; he's the one who develops the policy, he's the one who develops the strategy, but the board is the one who approves those policies, because otherwise it's a conflict of interest. Third is called the data owner. So every company has a business owner who brings business to the organization; even when you're sending an email, when you're creating a document, you are the data owner. So the data owner ensures the data security policy aligns with the organization's needs and legal requirements. Now there is one more thing we call a committee, okay, one is called a committee, and one committee you need to know from the exam point of view is called the security steering committee, SSC. Now the difference between the committee and the board or management is the committee is temporary; when we are executing any project, for that we create a committee. A committee is basically the combination of representatives from the board and the operations team. So in CISM the committee is very important because they do it jointly. For example, the security manager creates a policy, he submits the policy to the committee, the committee has a team of all people, technical, functional, business, and they will share their viewpoint about the policy from all the verticals. See, one thing is that if they review and approve, it's a very good policy; if they approve the strategy, it's a very good thing, because we are getting a viewpoint from all the people. So many organizations form the security steering committee
consisting of stakeholders from many of the organization's business units, departments, functions and principal locations, and they may have a variety of responsibilities, okay. So if they are approving anything it's a good thing, okay, because they are getting a viewpoint for everything. So that's something you need to know from the exam point of view, okay.

Another important thing: we have a data owner and we have a data custodian. Let me explain with an example. So this is your airport, okay, so you carry your baggage and you're traveling from Delhi to Goa. So you tell the airline team, I'm traveling from Delhi to Goa and my bag has some fragile items. So you are the one who owns the bag, so same like you are the data owner. The airline team are the ones who ask what is fragile and all that, and you inform them. So the airline team is the one who manages that baggage on behalf of you, so they are the data custodian. So same like in the company: the security administrator, backup administrators, they are the ones who are the data custodians, and they protect data based on the data owner; the data owner is the one who follows the policy. That is how the entire company works.

But when you're talking about implementing security governance, the most important factor which drives information security governance is culture. Culture is very important. Now what is an example? You join one organization, okay, there is no culture of reporting an incident. You join one more company, for example, where you can see everyone is reporting the security issues. You join one company where you can see no one follows the policy seriously, and there is one company who follows the security policy seriously. That's called the culture. Culture is the foundation for any organization, okay. You have the best security solutions, you have the best security policy, but if there's no good culture they will not follow that. So organization culture impacts the effectiveness of information security, especially in the area of teamwork, norms and communication. So it's very important you need to understand the biggest parameter which impacts security is culture. So as a CISM context, the CISM professional must ensure the roles are clearly defined, okay, and the culture supports information security initiatives. So if you get any question talking about what is the most important support for information security initiatives, the answer is culture, because culture includes your leadership support, culture includes the people and everything, okay.

Now let's move to the next part. So as I said, if you want to build information security governance in the organization, the first step is create a strategy. Strategy is very high level, okay. For example, this year my strategy is I want to implement a SOC for 2024, I want to implement VAPT in 2025, 27001 in 2025. So I'm talking about the high-level requirements, okay, that is something documented in the strategy, and a good strategy is the one which aligns with the business. So we follow some principles, okay. So the purpose of the strategy is to define the objectives, define the goals and the roadmap, one thing you need to remember, okay. And the key objectives of the information security strategy are strategic alignment, risk management, value delivery and resource optimization, and as a CISM candidate you should know this. So when I say I'm implementing information security in the organization, or I'm saying okay, this company has good security governance, okay, good security governance, how can you say you have good security governance? So the outcome of good security governance, or the outcome of a good, you know, strategy, is that the first, most important part of your strategy should be aligned with the business objectives. So if they give you a question, what is the primary objective of a security strategy, option A strategic alignment, option B risk management, option C value delivery and resource optimization: by the end of the day, by achieving these you're achieving this only, ultimately your information security strategy should be aligned with the business objectives, and for that what we have to do is we have to do risk management. See, on one side your business is saying that with $2,000 you have to protect everything; a good strategy is the one which aligns with this requirement, but for that the first thing we have to do is risk management. Risk management is very important because with the limited cost you have to implement the security, and by doing risk management I'm creating value delivery, I'm ensuring the security investments benefit the business, right, and last, we are able to do that with the help of optimization of resources. So you can see that the outcome is to align with the business, for that we do risk management, and that creates value, why, because with the help of limited resources I am able to manage everything. So the outcome of a good security strategy is these four or five outcomes. So a good strategy, as I said, a good strategy is the one which clearly communicates its value, includes the metrics for performance measurement, and it should be aligned with the business.

See, when you're creating a security strategy you have to also understand the legal, regulatory and contractual requirements, okay. So one thing is compliance; compliance is nothing, it's all about the act of abiding. I will give an example, okay. Let's say for example this is the office which is in India, and I highly recommend you check my governance fundamentals video, which also gives you good visibility about governance. So let's say for example I join as a CISO, so we have an office in India, okay, they're doing support for EU operations, so they're supporting the European Union, one of the countries they're supporting is Germany, okay, so they have a sales team in India. So I need your reply in the comment box: if you are doing business in Europe, what is the primary privacy regulation you have to follow? The answer is GDPR. So you need to follow GDPR. In GDPR so many articles are there; is it possible for you to follow all the articles? The answer is no, okay. And if you tell the sales team, hey guys, you have to follow GDPR, they will basically run away from the company, because in GDPR we have more than 25, 30 articles. But what happens is we appoint the DPO, data privacy officer, he will interpret the GDPR requirements and then he tells the CISO, okay buddy, we need to implement this and that controls. So we implement this and that controls on the second floor, like USB access is blocked, camera is enabled, no one carries a smartphone. So by creating a policy, creating a strategy, this is part of information security governance, okay. You implement the controls on the second floor, by that you comply with GDPR. Compliance is nothing, it is all about the act of abiding. So if this is the company and you're saying you have good governance, how can you demonstrate? You comply with certification, you are compliant with ISO, you are compliant with everything, so that's called the outcome of good governance, okay, and you ensure the governance with the help of security functions. So compliance is all about the act of abiding, okay. Privacy law is there, GDPR and everything, it's very important. The difference between privacy and secrecy is privacy deals with individual information, secrecy deals with the organization.

Sometimes when you're creating a strategy and all that you also need to consider third-party management. You have to contract, so there should be a contract with the third party, and the contract should include data protection requirements, clauses and audit rights. One thing you need to remember: whenever you're dealing with a vendor, make sure service levels need to be documented and a right-to-audit clause should be there. If both options are there, select service level, because without a service level you can't do the audit. Is it clear? So whenever you're dealing with third-party vendors, make sure in the contract you add the service levels; without service levels it is difficult for you to ensure the quality, security and everything. Regulatory standards we have to follow. So as a CISM context,
what you need to understand is that understanding regulatory impact is critical, because based on regulation only you create a security strategy, okay. Now let's say for example you need to implement interception on the border network, but because of the regulator you can't intercept the data, so your regulatory requirement impacts the strategy. So if you get any question around what has the biggest impact on the security strategy, the answer is regulations, because we follow regulations, regulations will not follow us, understood?

So based on the information security strategy we create a policy, and policies we have to do based on the risk assessment. See, any kind of activity you want to do, you do the policy first, okay, so the policy is the foundation; we'll discuss in the further slide what is policy, okay. So when you're building an information security program, what is the first step? You create the information security strategy, then you create a policy, and then you create a program. Same like the ISMS, you know, the ISMS is the program, right, but the foundation of the program is the ISMS policy as per Clause 5. So your program includes multiple things: the first thing is called risk assessment, risk management program, security policies, awareness training, all these things, incident management program, all these are part of the information security program development. But the sequence is first we do risk assessment, identify issues, based on that we identify we need controls; to implement the controls you create a policy first. That's why, if you notice, policies are created based on a threat profile, which is signed by the management and understood by the employees. One example: in my previous scenario I said we need to comply with GDPR, right, so we identify some controls required for GDPR, so for that first we need to create security policies: hey guys, no one is supposed to browse social media, no one is supposed to carry USB drives. So here what happened, we create a policy based on the threat profile; the threat is failing to comply with GDPR, emerging threats, regulations and all that, and then I communicate those policies with the help of awareness training. Awareness training is all about modifying the behavior; the ultimate goal of awareness training I'm going to discuss in the further slide, the ultimate goal of awareness training is to make the employee aware about their responsibility. So the primary outcome of the security program is the realization of strategy goals and objectives.

Now to implement the program in the organization, the first thing we need to understand is the components, okay. So we define the steps, we include the people, process, technology, because by the end of the day PPT work together to create value, and we also need to see what are the constraints and potential risks we have. So we follow the architecture. Architecture is a roadmap, okay, it's a structured framework which supports the strategy and implementation, and one of the frameworks we talk about is SABSA and TOGAF, because we decided we need to implement the program in the organization, but how to do that? So one of the common frameworks we follow is SABSA. Let me show you an example, okay. Now here you can see the example of SABSA, but before that let me explain one thing. See, SABSA is an architecture, okay. Now what is architecture? Architecture is called a logical framework, okay. Now what is that? Let's say for example this is your current state, okay: you're not going to the gym, you're not doing any workout, you're not having proper food, neither do you sleep on time, and the desired state is that you have to go for a 5K marathon, you have to go for 5K marathon running. The problem is that based on the current state it's not possible, so you decided you need a strategy, you need a program. But the strategy is like, you know, be healthy and all that, and the program is achieve this running and all that, so you decided you have to go to the gym and all. But how to do this? So you need to organize these blocks in a sequence, and this is where you introduce the architecture framework, you introduce the architecture framework, okay. First in the morning I will do gym, then I will have food, then I will do yoga, so I organize this in blocks which help me to arrange the sequence. So this timetable is called the architecture. Same like you want to construct a house, what is the first step? So you need doors, you need a balcony, you need a sofa, so by following this architecture you can get visibility about what the resources are, how much money we need to spend. So one of the architectures is SABSA. So they say okay, you want to do something, think first, understand the business perspective, then you have a conceptual architecture, then you have a design, then you construct, then you introduce solutions here, which is called component, and then you manage them. So SABSA and TOGAF are one of the frameworks that we follow, okay. Don't worry, in the exam you don't need to know each and every component, but you need to have visibility of what is the name of an architecture, a business-driven security architecture which aligns with the business, and SABSA is basically one of them. And there's a dedicated video I made on SABSA; if you want to really understand it in detail you can check that. So SABSA is important, so as a CISM professional you should adapt to create a roadmap that factors in the organization's constraints and aligns with the security architecture.

Another important thing in the program we have is data classification. See, it's not possible for me to protect all the data with the same value, so we basically understand the value of the data and according to that we prioritize. Same like, you know, your wardrobe in your house, you have two types of clothes: one cloth that you wear for anniversaries, events and all that, and one cloth you're wearing in the house and all that. Definitely you give more attention to the things that you buy for outside; according to that you will spend money also on those clothes, right? So same like you have PII data and you have business data, you have operational data. Let's say for example for you PII is very important, because if you don't protect PII data it can have a big impact. So here we decide based on value; value is toward the regulation, okay. So in data classification, when you classify, the most important factor is how much value it has to the business, and this is basically where I want to add my CISO advice. When you're talking about any organization we only have three types of data: one is called regulated data, one is called business data and one is called operational data. By the end of the day, any company you take, this is the only classification we have: any data which relates to regulation comes under regulated data, your trade secrets and everything will be part of business data, and operational data is like, you know, logs and everything. Ultimately we cannot give attention to all the same, so we classify and categorize, but the most important parameter based on which we classify is value. Value is also of two types, qualitative and quantitative, and the ultimate goal of data classification is to ensure the data receives the appropriate level of security, okay, and classification is the foundation for any data management. So data classification, when you're talking about here: proper classification underpins data protection efforts, and the CISM professional needs to ensure the classification aligns with the business standards, okay.

So we have some standards that you need to know, like COBIT; COBIT is a framework, okay. So here you need to understand what is the difference between a framework and a standard. What is the difference between a framework and a standard? A framework is a logical structure, a standard is a requirement; first we adopt the framework and then we go for the standard. Let's say for example I want to implement information security in the organization, I don't know anything, so I will adopt, let's say, the NIST framework, this is called the NIST framework, this is called the CISA framework, and one of the framework requirements is you need to have a
password management now here based on my experience I can say password should be8 character but I'm looking for the universal exal so in that case nist also have a standard 00 uh particular things so they talk about 14 character is a minimum secure passport ISO say that 8 character is a secure password that's called as a standard same like I want a TV that is a necessity of my house that is called as a framework but I want to go for lgtv that is a standard so framework can be customized modified as for the business requirement but standard come with the certification standard come with the mandatory requirement standard is just English word it mean uniform across the organization okay so CIT is a framework which align the ID with business is 2701 is a standard for information security and toaf is a framework so by and that's I said if you want to implement the program you have a zero visibility you can start with the framework first so by applying a framework you can able to align the business objectives and everything so as a cism candidate as a cism candidate you must know how to apply the Frameworks effectively to develop the governance models that support the organization resilience that's a very important part now next important thing we talk about the information security metrix definitely once you implement the program you have to measure the program okay and for that we introduce a matrix now if you get a question in the exam what is the ultimate purpose of Matrix I repeat what is the ultimate purpose of Matrix so answer is measure the effectiveness of information security strategy that's it ultimate goal of Matrix is measure the effectiveness of the security strategy and the key metrics are inant response time compliance rates V ability metrics it's very important you have to regularly track this progress and according to that you need to improve the program that's a very important part is it clear and another important thing is the metrics are essential 
to demonstrate the success of security initiatives example like I've conducted a security awareness program um last week so before awareness program 50 people report incident after awareness program 70 that's good number that matter Matrix help me to give the value okay we conducted awareness session before awareness session we have 50 and after awareness session people reporting more insurent which is called 70 so this is how I'm demonstrating the success of anything okay so one thing need to remember is ultimate purpose the primary purpose of metric is demonstrate the effectiveness of information security strategy and metrix are demonstrating the security initiatives that something is there now if you want to convey any kind of a security solution to the board the one document that we prepare is business case this is a very important topic for the exam business case provide the value let's say example I did the risk assessment I did the Gap assessment and I identify I want a firewall now I cannot simply go with the risk assessment results to the board so here I will present the business case in business case I will include the risk assessment data value propositions and everything and this is the exam question so risk assessment is part of business case business case part of risk no risk assessment is a part of business case business case is a document that you submit to the board you demonstrate to the board like why security is important so one important talk about the business case clear rational for security investment now what is the element in business case Define the problem current State financial implications risk benefit analysis again I'm telling you business case should be simple and easy to understand and you are a subject matter of information security you know how to present the facts so any document which propos a security Investments the answer is business case same like now you're looking for the cism training right so you presenting a business 
case to the board: we want to go for CISM training, by this we can manage this kind of resource, we can manage this kind of project, by doing this training we can increase the business from this parameter to this parameter. So the business case provides the justification for your security initiative. That's a very important part. In the CISM context you should often create a business case to justify security spending, and a good business case is one that aligns with the business goals. A good security business case is the one that aligns with the business goals; if it's not aligned they will not approve it. Always remember that, is it clear? That's an important part of the requirement.

After the business case we move to strategic planning. When you talk about strategic planning we have some continuous activities, like awareness and training. The difference between awareness and training is that awareness modifies behavior, training modifies skill. So we have to make sure we have skill development tasks. As I said, I was under the impression that an 8-character password is a secure password, so I was using 12345678, but in the awareness session I got to know it should be a combination, alphanumeric. I was an IT consultant moving to security, so that's where I attended the CISM training, which modified my skill. One thing you need to understand is every company has a skill matrix chart. This is called a skill matrix chart, which maintains the skill set. But one thing is that we have a skill set; do we have an educated person on that skill set, and if yes, what is their level? That's something we check with the help of a competency score. Skill is something you need to carry to perform the task, but do you have that level of skill? That comes from knowledge, and what level of knowledge you have is assessed with the help of a competency chart. The competency chart talks about how much knowledge we have of the skill, and we have an inventory which is called the skill inventory. So the project manager checks the skill inventory, then from the skill inventory he checks how many people are there at that competency level of the skill, and according to that they allocate the project. So in the CISM context you need to understand that continuous education strengthens the human element, because who is the weakest link in the organization? People. People are the weakest link, and that can be addressed with the help of awareness training. So always remember, from the exam point of view, the most effective control for social engineering and password sharing is the security awareness program, because even if you have a strong password, if you're a victim of social engineering then there's no point in having that solution. So the most effective control against social engineering is the awareness program.

Now another important part we need to discuss is the risk management process. We're going to have a dedicated module on risk management, but in domain one they talk about the basics of risk management. The ultimate goal of risk management is to reduce the risk to an acceptable level, but when we talk about risk management it is driven by three factors: appetite, tolerance and capacity, and the one that is variable in nature is tolerance. Let me explain with an example. Risk capacity means the maximum risk the organization can handle; risk appetite is the level of risk the organization is willing to accept; and risk tolerance is the acceptable deviation from the appetite. These statements are very, very important. Let's take an example: I'm withdrawing my salary every month, which is $1,000. That is my salary, that is the maximum I'm getting in a month, and that's the maximum I can invest in a month: that is my risk capacity. Out of that $1,000 I decided to spend $200 on my training. It's not fixed, but it is the boundary I defined: that is my risk appetite. The current training I'm taking, which is $150, that is my current risk tolerance, which I'm okay to lose. But there's a new training coming which costs me $250; in that case my risk tolerance is going beyond the appetite, but thankfully it is not going beyond the capacity. So I will analyze everything before taking this final call. So when we talk about risk treatment, which is acceptance, transfer, mitigation and avoidance, all these are decided based on the risk capacity, appetite and tolerance. Always remember that. So the maximum risk the organization can handle, in this case $1,000, is the maximum risk; $200 is basically my risk appetite; and $150 is my risk tolerance, and it can go above the 200. So at the end of the day, risk tolerance defines my function. If you are a startup, you don't have anything to lose, so in that case you have a high risk tolerance, but if you're an established company, in that case you have a low risk tolerance. It's the same as when you started your journey in cyber: you had nothing to lose, so you had more risk tolerance, you took more risk, but when you have commitments, liabilities and everything, you'll think twice. So if you have a low risk tolerance, you're okay to invest more money on the controls; when you have a higher risk tolerance, in that case you're okay to accept risk rather than accept the controls. And anything that goes beyond the capacity, you avoid that particular business. Let's take another example: the speed limit set by the government is 200, the maximum speed you can go is 1,000, and your current speed is 150. That is again the parameter, and you decide everything when you start your car from the house. Is it clear? You want to go to the airport, you know you cannot reach it in one hour even if you go at a thousand, so you drop the idea. That's how you prioritize things. So in risk management we have risk identification, analysis, evaluation and treatment. Is it clear? So one thing we need to understand here is that CISM practitioners play a vital role in balancing risk by ensuring it aligns with the organization's risk tolerance and capacity, and based on appetite we take the calls. Always remember one thing: the practitioner is the one who assesses the parameters and based on that they take a call.

We also have to avoid some common governance pitfalls. When implementing a security strategy we face some challenges. The first is technical complexity, which can limit the understanding and adoption of new security measures and everything. Secondly, sometimes there are budget constraints: I want to implement new things but we have a budget constraint, and because of that it's difficult for us to implement. Third is conflicting business priorities; that's another important concern. So in the CISM context you need to understand that being aware of these challenges helps the CISM professional proactively address them and get security buy-in from the leadership. That's a very important part. Now we have some other challenges also, like complexity and budget constraints, so here you need to balance cost and security effectiveness; you need to handle the conflicting business priorities by ensuring security doesn't hinder business operations; and third, without senior management support we can't implement anything. That's the most important part. So if you get all three options, select high-level sponsorship, because without leadership support you can't implement information security governance in the organization.

Next is periodic reporting. Regular updates on the security posture are very important because that brings transparency, and for that you need to have proper communication, because without communication you cannot get the approvals. So strong communication skills are crucial for the CISM role, as they often need to articulate complex security issues in a more
effective manner. That's a very important part. So this is all in domain one. Let's move to domain two.

Now we are moving to domain two, information security risk management. When we talk about information security risk management, 20% is testable from domain two, and we can expect approximately 30 questions from domain two; 30 questions exactly. Now, when you talk about information security risk management, the ultimate goal of risk management is to reduce risks to an acceptable level. So if you get any question around what is the ultimate goal of risk management, the answer is: the ultimate goal of risk management is to reduce risk to an acceptable level. Now one thing we need to understand is the process, so before we move on let me explain the risk management process at a high level. Under risk management the first thing is called risk identification, second is risk analysis, third is risk evaluation and fourth is risk treatment. So we have a four-step process. Now if you take the example of risk identification, risk identification includes identifying assets, identifying threats and identifying vulnerabilities. Under risk analysis we have two steps, qualitative and quantitative. When you talk about risk identification, a threat is something called an action that you perform and a vulnerability is called a weakness. So this is my server A, and the server is configured with a weak password. So there is a possibility a hacker can exploit this weak password and through it gain access to the system. The hacker is the threat actor performing an action, the weak password is the vulnerability we exploit, and through it we gain access to the system and access to the data. Access to the data is basically the risk: if someone can gain access. And whenever we calculate risk we use a formula, likelihood and impact: likelihood is the probability of it happening and impact is, if it happens, what is the impact. So in the risk identification stage we identify assets, we identify threats, we identify vulnerabilities, but we need to understand the level of impact, and there are two ways to calculate the level of impact: qualitative or quantitative. Qualitative is where we use high, low and medium, and quantitative is where we use numbers, SLE, ALE, and so on. Then we evaluate those results: we evaluate the results against the capacity, against the appetite and against the risk tolerance, and based on that we decide to take a treatment. We'll discuss that in a further slide. The ultimate goal is to reduce risk to an acceptable level. That is the ultimate goal we have; remember that.

Now here we're talking about risk identification. When you talk about risk identification, it's all about identifying all assets, threats and vulnerabilities, including third-party risk, and addressing the potential impact. Now we have different types of threats. We have internal threats like insiders, poor configuration and lack of awareness, and external threats, which are cyber attacks, APTs and natural disasters. Let me give you another example of threat and vulnerability. Let's say you have a weakness: you cannot say no to anything, you're a very introverted guy, you cannot say no to anything. Now some relatives use that as an opportunity, and one day they say, see, we brought a marriage proposal for you, and because you have the vulnerability that you cannot say no to anything, by default you accept it. And what was the impact? See, the likelihood will be high: the relatives will come to your house and they can propose any marriage proposal, and if you say yes the impact is basically high. So that's what it means: the threat is an action, the vulnerability is a weakness. So internal threats are insider threats, poor configurations and all that; external threats are cyber attacks, APTs and all that. And for the emerging threats we have APTs. APT is something very, very important you should know from the exam perspective: advanced persistent threats. They basically hack the servers, they hack the network and maintain persistent access to the organization. So what is the learning from the CISM context perspective? From a CISM context perspective, as a CISM it is crucial to have an in-depth understanding of the threat landscape and to be proactive in identifying and mitigating new risks. So the first step in risk management is risk identification; it's all about identifying assets, assessing the potential threats and using historical data to create risk scenarios. The second step is called the risk assessment process, where we evaluate the potential impact and likelihood of each identified threat, including assets, threat sources, vulnerabilities and operations. We do two levels of assessment here as well: vulnerability assessment and threat analysis. Vulnerability assessment is all about identifying the vulnerabilities. For example, this is my system A, this is my system B; we're identifying the weak password, we're identifying known configurations, we're running a tool, the tool maintains signatures of known vulnerabilities, and we apply those signatures to the system to identify the vulnerabilities, and from there we also identify the threats. So vulnerability assessment identifies weak points, but exploiting the vulnerability to gain access to the system is called PT. We also do threat analysis, where we examine threats that could exploit the vulnerabilities.

Moving ahead, we also talk about the risk register, which is very, very important. This is something we create in the risk identification stage. It is a centralized document which documents all the identified risks, assets, threats and controls, and it's a live document. It is a live document that we follow throughout the risk management and the entire operations. The two major benefits of the risk register are, first, that it is a centralized document, so all teams can see it, and from it they get a holistic view of the risk; second, that we create it in the first stage, which is the risk identification stage. The risk identification stage itself is very critical, because the risk identification and assessment process is the foundation, and CISMs are responsible for establishing and maintaining a comprehensive risk register. It's a live document which maintains and documents all the risks, and all departments see that risk register and take unified decisions.

Now, vulnerabilities and control deficiencies. In risk identification we identify assets and we identify vulnerabilities, so vulnerability identification is very important. We have to regularly assess vulnerabilities due to weak controls, outdated software and lack of security policies. One thing I want to say, going a bit off topic, is that every company goes for VA, vulnerability assessment, but not every company goes for PT, and the reason is very simple: the vulnerability management process works closely with the patch management process. That's why we follow the vulnerability management practice, but we don't go for PT, because aggressive PT can impact availability. And when we're doing a vulnerability assessment we do it against a security control baseline. So what is a baseline? The minimum security settings we need in a system. For example, we decided we need to implement a password; an 8-character password is the standard, but alphanumeric is the minimum thing I need in that 8-character password; that's the baseline. So whenever we're talking about technology, the baseline is very important. I will give one more example: let's say this is my system, I want antivirus, that's the minimum, and I want a password; the antivirus should be signature-based, that's the minimum baseline I need, I cannot go below that. So when you're talking about the security control baseline, it establishes the minimum standard for controls to ensure consistent security across the organization,
and how do we validate that? With the help of audit. So here one thing you need to understand is that audit plays a very important role. Let's say we have a customer and here we have a vendor. The customer is looking for a cloud solution, and the vendor has given assurance that we have adequate security controls. The vendor has assured the customer that we have adequate security controls. So the first fundamental principle you need to remember in CISM: writing it does not mean it happens; go look and verify. I repeat again: writing it does not mean it happens; go look and verify. So even if they provide me a document saying there are security controls, we validate that control with the help of audit. That is why audit is very important, and when you draft the contract you add the right-to-audit clause. So regular audit is important, and any control deficiencies we find, we prioritize for remediation based on impact, cost and threat level. That's something we always look for.

Another important thing we always try, as CISM professionals, is to focus on setting up the baseline which aligns with the risk tolerance and risk appetite of the organization, because based on the level of risk tolerance we can take a call. As I said, if the company is new the risk tolerance is high; if the company is old the risk tolerance is low, or if the company has a low risk tolerance they invest more money on controls because they don't want to take much risk. One more important thing you need to understand: risk versus incident. An incident is a confirmed action: the person already failed this exam, that's an incident. But if you don't prepare this or don't prepare that, you might fail this exam; with a risk the word that comes is "might". Might, might, might. Okay? So one thing you need to understand: it is based on the company's risk tolerance that we take all the initiatives, and based on the risk appetite we define the controls. So either risk tolerance will be the best answer or risk appetite will be the best answer, because ultimately within the risk appetite we take all the calls. That's why we said here the CISM professional should focus on setting up the baseline aligned with the organization's risk tolerance, and on a regular basis we validate to make sure this tolerance will be below the appetite level; it should not go above the appetite level.

So now we understood that we have threats, we have assets, we have vulnerabilities, but we need to understand the level of impact, and here there are three ways to calculate the level of impact. So we have three types of analysis: qualitative, quantitative and hybrid. When you say qualitative analysis, in qualitative we evaluate the impact and likelihood in descriptive terms like high, low and medium. So if the keywords are impact and likelihood, descriptive, the answer is qualitative risk assessment. Second is quantitative, where we calculate the impact in terms of monetary value, and here we use a formula for ALE. So we have a formula with the exposure factor, we have SLE and we have ALE. The first thing we calculate is the SLE, single loss expectancy, which is equal to asset value times exposure factor. Then we have ALE, annualized loss expectancy; the formula is basically SLE times ARO. So these are the formulas we are using to calculate the impact. Let's say there is a company, and they're doing a business that generates $10,000 of value every year, a hypothetical scenario, so that is my asset value. Now we need to calculate the SLE. The asset value is $10,000. For the exposure factor, when we have no exposure factor we always keep 100%, so with an exposure factor of 100%, if one incident happens it costs me $10,000. If it's happening once in a year, $10,000; if it happens two times in a year, $20,000. So the SLE becomes $10,000; the ARO, it happens once in a year; so overall the ALE is basically $10,000. We never take a call based on the SLE, we always take a call based on ALE, annualized loss expectancy. And third is called hybrid, where we start with the quantitative and then we map to qualitative. I repeat again: we start with the quantitative, and then we move to qualitative.

Now another important thing we need to understand is that we have a different way to evaluate the risk. We have a different way to evaluate the risk because once we have the results with us, we use those results to measure the level of impact, and we see whether the risk value is going beyond the appetite and all that. Based on whatever results we got, let's say the capacity is 30 and the appetite value is 25; the likelihood is 5 and the impact is 5, so overall it comes to 25. That is equal to the appetite. But if the value goes beyond 30, to 31 and so on, in that case we need to avoid that risk. That's the reason risk evaluation is the phase where we map the value against the risk appetite and risk tolerance. Ultimately we have to make sure everything goes below the appetite; ultimately we have to drive the activity below the appetite. And once you calculate the impact we also need to prioritize which impact we need to treat first, and that's something we discuss in the BIA, business impact analysis. It is a critical step in understanding the potential impact on business operations. Once you identify the impact we need to prioritize the impact, which impact we need to treat first, and again only based on the value can we prioritize the impact. So CISM candidates must evaluate the risk accurately and make sure your mitigation strategy is aligned with the organization's risk appetite and capacity. Remember one thing, this statement: your treatment strategy or mitigation strategy should be aligned with the risk appetite; make sure the risk is below the appetite.

So we have four ways to treat the risk. One is called risk avoidance, where you're avoiding a business which brings risk to the company. For example, I know the exam cost is very high, but I also know if I go for the exam there's a good increment, a good hike and all that; but now I decided I will not go for this exam because the cost of the exam is very high, so in that case I drop the idea and do not continue with my exam. That's called risk avoidance. It's the same as when you're already doing business in Europe and India with strong regulations; now if I'm moving to Singapore or Saudi Arabia, they have strong regulations, and I'm already having a lot of losses, so there's no point in taking on new business. In that case we avoid, and we also take avoidance when the risk goes beyond the capacity. Second is called risk mitigation, where we implement controls to reduce the risk; that is called risk mitigation, and the ultimate goal in mitigation is to bring the risk below the appetite level. The third important one is called risk transfer. We go for risk transfer when we talk about insurance; we go for risk transfer when the likelihood is low but the impact is high. I'll give an example: you take medical insurance, right? Why? Let's say in India an average individual medical insurance will cost you 10,000 rupees for a year; so for 10 years you're paying 1 lakh, for 20 years you're paying 2 lakh. But you know very well you're going to the gym, you're wearing a helmet, you're doing everything; the likelihood of getting into an accident is low, but if it happens the impact is high, because once you're admitted to the hospital these 2 lakh will go in one shot. In the same way, you have strong security controls, you have strong regulations, you have one of the best things in the market, but if one issue happens the impact is very high, so in that case we make sure we take cyber insurance. So with the help of
cyber Insurance you can reduce the impact third is called so fourth is called as risk acceptance where the cost of control is high over the cost of risk we accept the risk when the risk is below the appetite we accept the risk risk and the risk which is left after implementing control the resal risk that we accept actually we have a two risk here one is called as a inherent risk and one is called as a residual risk residual risk the risk before implementing control is called inherit oh so so big book it is difficult for me to read the read the book that's an inherent risk then you attend the training as a part of a treatment and then you went with the % preparation in the exam so the risk which is left after implementing control that's called resal risk and if the resal risk is within appetite they accept that okay so that something is a factor so two conditions are there in which we accept the risk when the cost of control is higher than cost of risk or the second is the risk is below the appetite level but the question is what should be the strategy of your residual risk so your residual risk strategy when we talking about um you know it it should be you know uh the risk remain after implementing control and should be aligned with the organization risk tolerance and your risk tolerance should be below the appetite okay so as a CM context cesm are responsible for determining and recommending appropriate risk response based on the need and res risk tolerance okay so once you implement the controls and everything okay the next thing is that you have to do the monitoring so communication monitoring or continuous monitoring is very important and this is basically where you introduce a pointer which is called kri a matrix to Signal the chance the risk profile and emerging threats based on a k only we take a call in the further slide we discuss what is k key risk indicator let's say example you're driving a car you know your car switched to reserve it mean you have a 
less fuel that is a k if you don't give attention to that at one point of time the car will stop right now it giving you indicator car might stop might stop might stop is it clear if you don't give attention to that the car will stop then it is a incident so K are the signals changes in the risk profile okay it's very important based on a k we take a calls K is a topic very very important for the exam when you're preparing for the season so when you're talking about the risk reporting it's very important when you're presenting a reports on the risk whatever you have so risk reporting is what your identified risk level of impact and your recommended uh controls okay based on that action plan prepared by the customer so your reporting should regularly update Management on the S risk data then we have to use dashboard to present risk effectively and based on the audience we prepare the report make sure you should have a clear and structured reporting channel to ensure timely updates should be there on the risk and risk response so as a CM candidate you must Define the clear Communication channel reporting mechanism to ensure all stakeholders are informed and involved in the risk management now in the risk management process we have a two things risk owner so your business are the risk owners Senor management is a risk owner so there should be some individual should take the accountability to decide to implement the control let's say example I'm doing an audit of change management process and I discovered in the change management process the documentation is missing so chain management lead the team who heading that he will be the risk owner then he contact the IT team and say okay we need some controls from the it point of view and they also have a team who responsible for implementing control so there is a person who own the risk that's called risk ownership and in 90% case control ownership is owned by the same team but in some 10% it will be owned by the it team 
like, for example, in the change management process we discovered SSL was not used, so the risk will be owned by the change management lead but the control will be owned by the IT team. So control ownership typically lies with the one responsible for implementing and maintaining the control; that is an important factor we have, okay? Again I'm telling you: the risk owner is basically all about informed decisions on risk mitigation or treatment, and the control owner is the one who is responsible for implementing and maintaining the controls, and everything has to be documented. It's very important, okay, it's very important, you have to document that. So ensure all risk and control owners' decisions are documented; we have to document the decisions, the risk acceptance and the control effectiveness. So as a CISM you need to ensure clarity is there in risk and control ownership; that's why a company has a RACI chart, and by having this documentation you are able to facilitate alignment and accountability within the organization. That is an important part of the requirement.

But as I said, when you're implementing controls and everything, it's very important you make sure you comply with the legal and regulatory requirements. So you need to comply with GDPR, you need to comply with HIPAA, and we also have a risk from non-compliance, like an organization may choose to accept or mitigate risk based on the impact of non-compliance also, right? That is also there. One more important thing, please understand this carefully, okay. Let's take an example: you have a policy that no one is supposed to send any data outside of your company, but now the regulator has a requirement that you need to send them data. Now if you don't send them, then it's non-compliance from a regulation point of view, and if you send them, then it's non-compliance with the policy. So whenever you have to go beyond the policy, you first have to assess the risk of non-compliance, look for the benefit, and then take a call. Like, you know, there is a fire occurrence in the data center; the policy
said that you should not break the door, but in this case you have to break the door. So you have to assess the risk of non-compliance and according to that you have to take the final call. So an organization may choose to accept or mitigate risk based on the impact of the non-compliance.

Another important thing we have is the indemnity agreement, very, very important, okay. So this can be used to transfer the responsibility to a third party. Any question talking about an indemnity agreement means we're talking about transferring responsibility to a third party, in managing the risk in a third-party relationship, because only by the contract, only by the agreement, are you able to manage these things, okay. So the CISM must work with the legal and compliance team, okay, to integrate the regulatory requirements into the risk management process, by which you are able to manage things effectively.

Another important thing we talk about is risk awareness training. It's very important: you need to update the risk awareness details to management, so regularly educate employees about the risk factors and best practices. It's better you can add that in the security awareness program, and that is why we say the security awareness program should be customized and created as per the audience. Along with that, you can also use metrics to measure the effectiveness of the awareness training, which can be adjusted as necessary. So what is the CISM pointer? Effective risk awareness training can significantly reduce human-related vulnerabilities and is an essential responsibility of the CISM role. That is something that is there.

Now when we're doing a risk analysis we have different ways to do the analysis. The first is called scenario analysis, okay: we develop the scenario to assess the potential outcome and cascading impact. Let's say, for example, if the supplier is unavailable, what happens? It will not be able to provide me, you know, the business support functions and all that. If they are not able to provide me the support, the business function is at a
different level of impact. So that is called scenario analysis: we develop the risk scenarios to assess the potential outcome and cascading impact; cascading means one impact has an effect on another impact. Another technique that we use is BIA, where we estimate the impact of a specific risk on the business operations, okay. And third, we prioritize risk based on likelihood and impact to guide the response strategy. So as a CISM professional you must be adept in risk analysis methods to predict and prepare for possible risk events and ensure the response strategies are aligned with the business priorities and the appetite level.

Now the question is, how do you create risk scenarios? In that, the first thing is called likelihood. For example, if you're going onto the cloud, you might lose the data, you might lose governance; that's called likelihood, and the impact is that you will lose the data. So likelihood is the probability of a risk occurrence; let's say, for example, likelihood talks about how likely the risk is to occur, and usually it is an approximate estimate. But impact talks about the severity, an estimate of the effect of the risk if the risk is realized; impact is called the consequence. But another important part we talk about is cascading impact: if there is an impact on one business, what is the impact on the other business? That is called cascading impact. So when you're evaluating, we have to make sure your evaluation is aligned with the appetite and tolerance, remember that, okay. So when you're evaluating, your parameters should be aligned, must be aligned, with the organization's risk appetite and tolerance, because we have to make sure that risk is always and always below the appetite level. So in the CISM context, okay, we develop realistic risk scenarios which help the CISM professional to understand the impact, and you need to prioritize the risk response effectively; that is part of the function.

So now we have a call to do the risk response and define the acceptable risk level, so without
defining a limit it is difficult to measure if the security objectives have been met, and that is the reason we are saying we have to create appetite, capacity and tolerance, so we have a boundary that is set. So when we're talking about risk appetite, it is the level of risk the organization is willing to take; capacity is the maximum risk the organization can handle. The difference between appetite and capacity is: appetite is the level of risk that we can take, but the maximum risk, we cannot go beyond that, that is called capacity, and the variation between them is called risk tolerance. Now what is the exam pointer? As a parameter, the CISM role requires a thorough understanding of the acceptable level of risk so that we are able to take decisions and balance the risk against the goals (sorry, not Goa, it's goals, okay). So that is part of the function.

Now we have criteria based on which we actually go for residual risk. So we need to evaluate the controls, okay: the implementation cost; we look for the enterprise culture; we look for the asset criticality. So when we are evaluating control implementation we look for the cost, the culture and the asset criticality, and we always accept risk when the mitigation cost outweighs the benefit, okay. So, for example, I know the training cost is very high compared to the certification cost, so I will accept it, I will take the exam without going for the training. I will say, okay, I'm getting a second shot free, I'm getting benefits, let me go for the exam. So in that case I'm not spending money on the training, because the training cost is $1,000 and the exam cost is $500; why should I pay $1,000 here, right? So in that case we accept the risk. So the CISM must ensure the residual risks are managed in alignment with the organization's policies and risk tolerance; tolerance means it should be below the appetite level.

So we maintain some kind of documents here. The first document is called the risk register, which documents all the identified risks including owners and response actions. Second is change management, so adapt the risk policies
as the business environment changes, to keep pace with new risks, and the ultimate goal of change management is to track accountability, okay. So effective documentation and version control are vital, because the risk is constantly changing, so we also update the documents, and according to that you need to have a version history, and by that you are able to allow the CISM to update and track the policy accurately.

So it's very important: when you identify risk and everything you need to create metrics. Effective metrics are very important, and what is the primary objective while developing metrics? They should give actionable insights, and those metrics can be used for decision making. So you can use metrics to track the progress, and you are able to adjust the strategy and report on security status, okay. Metrics are always a cornerstone of reporting for the CISM, because they allow them to demonstrate the risk management performance and improvement over time. That's a very important part; that's why metrics are very important, and they need to be maintained as part of the integrity principle.

So now we're talking about one of the most important pieces, which is very, very important for your CISM preparation: KPI, KRI and KCI. Before I discuss this let me give you a high-level overview. See, when we're talking about metrics, the first thing we always set is the KPI, key performance indicator; let's say, for example, the percentage of systems with updated security patches, that is a KPI. Now for that I'm setting a KRI. A KRI basically means the challenge which we face while achieving our KPI, like the number of detected malware attempts per month, the number of people not available in the office; that is called a KRI. And third is called KCI, key control effectiveness, which talks about the percentage of pen tests that have been passed successfully. So that is part of the requirement. So the moral of the story is that we set the KPI, we use the KRI and we use the KCI. So here the first thing is
called the KRI, key risk indicator. Now here you can see KRIs are the metrics that indicate changes in the risk profile of the organization, and they signal when risk levels are increasing or when specific risks are approaching an acceptable level; that is called a KRI. Same like, you know, you're riding a car, or driving a car, sorry; after one point of time the car will be in reserve; that gives me the indicator that we have to fill the fuel. If I don't fill the fuel, if it increases, at one point the car may get stopped, right? So that is basically my KRI. So the KRI is the metric which indicates the changes in the risk profile, and they signal when risk levels are increasing or when a specific risk approaches an acceptable level, and the purpose of defining a KRI is for the organization to monitor the potential risk and identify the emerging threats. For example, an increase in failed login attempts might indicate a higher insider threat risk, or a growing number of unpatched vulnerabilities; so that is a live example of the KRI. So from the CISM context point of view it's very important you need to know KRIs, because it is critical for the CISM professional to monitor the effectiveness of risk management activity, and that is only possible when you monitor the KRI functions. Is it clear?

So let me explain again. First is called the KPI, an indicator that helps to govern, manage and provide the assurance that we are achieving our objective. The KRI is an indicator that helps to govern, manage and provide assurance about the risk. And the KCI, key control indicator, is an indicator that talks about control effectiveness. So in my next slide I'm going to discuss the KCI, key control indicator. So KCIs measure the effectiveness of controls implemented to mitigate specific risks, and they indicate how well the existing controls are working to manage the risk, and the purpose is control performance and all that. So examples of the controls are the number of successful firewall blocks or the number of access violations detected by the monitoring system.
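An added worked example, not from the video or its slides: the KPI, KRI and KCI ideas described above (patch coverage as the KPI, failed logins and unpatched vulnerabilities as KRIs, firewall block rate and pen-test pass rate as KCIs) computed over constructed monthly figures. The sample numbers, the thresholds and the signal names are assumptions made for illustration; the "rising" KRI check compares the month against the average of the earlier months, like the fuel reserve light the speaker describes.

```python
"""KPI / KRI / KCI evaluation over constructed monthly figures (added example)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MonthlyFigures:
    month: str
    systems_total: int
    systems_patched: int
    failed_logins: int
    unpatched_vulns: int
    malware_attempts: int
    malware_blocked: int
    pentest_cases: int
    pentest_passed: int


# Constructed sample data (assumed, not real figures). March shows the drift.
SAMPLE: List[MonthlyFigures] = [
    MonthlyFigures("2024-01", 400, 388, 1200, 35, 500, 497, 40, 38),
    MonthlyFigures("2024-02", 400, 392, 1300, 30, 520, 517, 40, 39),
    MonthlyFigures("2024-03", 410, 380, 2600, 62, 700, 680, 40, 33),
]

# Thresholds (assumed for illustration, not taken from the video).
KPI_PATCH_TARGET = 0.95        # at least 95% of systems carry current patches
KRI_LOGIN_TREND_FACTOR = 1.5   # failed logins above 1.5x the earlier months' average
KRI_UNPATCHED_LIMIT = 50       # more than 50 open vulnerabilities approaches the limit
KCI_BLOCK_TARGET = 0.99        # the "detect 99% of new malware" target from the talk
KCI_PENTEST_TARGET = 0.90      # at least 90% of pen-test cases must pass


def metrics_for(d: MonthlyFigures) -> Dict[str, float]:
    """Derive the month's KPI, KRI and KCI values from the raw counts."""
    return {
        "kpi_patch_coverage": d.systems_patched / d.systems_total,
        "kri_failed_logins": float(d.failed_logins),
        "kri_unpatched_vulns": float(d.unpatched_vulns),
        "kci_malware_block_rate": d.malware_blocked / d.malware_attempts,
        "kci_pentest_pass_rate": d.pentest_passed / d.pentest_cases,
    }


def signals_for(m: Dict[str, float], baseline_failed_logins: Optional[float]) -> List[str]:
    """Return the indicators that have crossed their threshold this month."""
    signals: List[str] = []
    if m["kpi_patch_coverage"] < KPI_PATCH_TARGET:
        signals.append("KPI:patch_coverage_below_target")
    if (baseline_failed_logins is not None
            and m["kri_failed_logins"] > KRI_LOGIN_TREND_FACTOR * baseline_failed_logins):
        signals.append("KRI:failed_logins_rising")
    if m["kri_unpatched_vulns"] > KRI_UNPATCHED_LIMIT:
        signals.append("KRI:unpatched_vulns_above_limit")
    if m["kci_malware_block_rate"] < KCI_BLOCK_TARGET:
        signals.append("KCI:malware_block_rate_below_target")
    if m["kci_pentest_pass_rate"] < KCI_PENTEST_TARGET:
        signals.append("KCI:pentest_pass_rate_below_target")
    return signals


def evaluate(history: List[MonthlyFigures]) -> List[Dict]:
    """Evaluate every month; the KRI trend baseline is the mean of the months before it."""
    rows = []
    for i, d in enumerate(history):
        prior = [h.failed_logins for h in history[:i]]
        baseline = mean(prior) if prior else None
        m = metrics_for(d)
        rows.append({"month": d.month, "metrics": m, "signals": signals_for(m, baseline)})
    return rows


if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        status = "OK" if not row["signals"] else ", ".join(row["signals"])
        print(f'{row["month"]}: {status}')
```

Run as a script it prints "OK" for the first two months and the five crossed indicators for March; the KCI signals are what tell the reviewer that the drop in the patch KPI is already showing up as weaker control performance, not just as a rising KRI.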
So for CISMs, KCIs help in verifying the controls in place, and by having effective KCIs we can have a reduction in the KRI. Now third is called KGI, key goal indicators, okay. So KGIs are the high-level metrics that measure the progress toward achieving the strategic objectives; in some cases we use a KPI as a KGI, and with the help of the KGI you can evaluate if the information security program is meeting the strategic objectives. So if the question says which metric is very, very important to check whether we are achieving the strategic objectives, the answer is KGI. Which metric is basically used to track the ineffectiveness of the control, or the ineffectiveness of the risk parameters and all? Then the answer is KRI, because the KCI is included in the KRI. So we have some examples here, like the achievement rate of a completion target is my KGI, the reduction in the number of security incidents or breaches over time, sorry, that is called a KGI.

So I'll give an example, okay. Let's say, for example, your organization is willing to accept a low risk of data breach, okay. So here we have a risk appetite, and the risk appetite is, okay, to accept a low risk of data breaches; that is called risk appetite. Now for this we set the KRI, give me a second. So here we have a KRI, key risk indicator; what is the KRI? The number of new malware variants detected per month, that is called the KRI. Then we have a KPI, okay, the number of data breaches per month. And then, so here what happens: the target is that your organization wants to detect 99% of the new malware variants, so the organization will monitor the number of new malware variants detected per month, and if the number of new malware variants detected per month exceeds by 1%, then the organization will take action to mitigate the risk. Is it clear? So the KRI is the number of new malware variants detected per month and the KPI is the number of data breaches per month. So your organization wants to detect 99% of new malware variants, so for monitoring, what we're doing is you will monitor the number of new malware variants detected per month; if
the number of new malware variants detected per month exceeds by 1%, then your organization will take an action to mitigate the risk. Is it clear? So that's how you set the KPI, KGI and all that. So the moral of the story is, one thing we need to understand here is, you know, KGIs are essential for demonstrating the value and impact of the security program to senior management, and they provide the evidence. So KGIs are the high-level metrics that measure the progress; so at the end of the day this is the only metric which is provided to management, and they provide the evidence that your security initiatives are basically supporting the organization's goals and supporting continuous improvement.

So we have different types of controls that we implement: we have preventive controls, we have corrective controls, we have detective, we have compensating, we have deterrent controls. Let's say, for example, we have a firewall; so we introduce a firewall to reduce or eliminate attacks. The primary objective is to block those attempts which violate the security policy, governance and everything; that is called a preventive control. Second is called a corrective control: the corrective control comes into the picture if the preventive control has failed and we have recorded the incident; after the incident we have to reduce the impact, and that is called a corrective control. Third is called a detective control; detective control means detecting the incident. A compensating control comes into the picture when your primary control is not effective, but it is used to further block the attack; that is called compensating. And a deterrent control is something which talks about behavior, preventing or discouraging the behavior. So let me give you an example. We have a policy, okay, no one is supposed to browse social media 9 to 5; if we find anyone browsing social media 9 to 5 we will take the necessary actions, we will fire that candidate, we will terminate the candidate. So that is called a
deterrent control. In that policy we give the warning; still there is one employee who tries to open social media, but the problem is that the firewall has blocked that particular website; that is called a preventive control. Now what happens is he disconnects from the internet, he tries to use his external dongle and through that he is trying to connect to the internet, but because of DLP it still prevents him from browsing the site. So here we have DLP, which acts like a compensating control. Till now there is no incident, but all the activities are recorded in the logs; that is called a detective control. Isolate the system immediately and terminate the candidate; that is basically called a corrective control. So this is how it basically works, okay. One more example: if we find anyone outside without any reason we will put them in jail; that's part of a deterrent control. During the COVID time, right, remember during the COVID time we introduced this circular, right? So people were wearing masks, maintaining social distance; that's part of the preventive. Compensating is that they have vaccinations. So we did the trials, we did the tests and all that, and we discovered some COVID positives; that's called the detective control. And isolate the person immediately from the family; that is part of the corrective, and go for his recovery and all that; so all those are part of corrective, okay. So if the question is talking about backup procedures, backup restoration, the answer is corrective control. If the question is talking about audit controls, audit trails, IDS, the answer is basically detective control. If the question is specifically targeting, um, multi-layer defense, the answer is compensating control, okay, because compensating controls are introduced to reduce the risk of an existing or potential control weakness, okay. Deterrent controls reduce the threat by providing a warning and all that.

But we implement these in three ways. One is called managerial; another name for managerial is
administrative control, so don't get confused in the exam: another name for managerial is called administrative control. Actually we are implementing all of this in three ways: the managerial way, the technical way and the physical way. I'll give an example. Now when I say managerial control, it is also called administrative control. So the company sends a policy: no one is supposed to browse social media 9 to 5; if you are found browsing social media, we will take the necessary action. So it's like administrative, but more like deterrent in nature. No one is allowed if they are not wearing a mask; that's administrative preventive. So administrative controls apply to the processes and behavior of people, for example policy, procedures, employee development, compliance reporting and all that. A technical control is something we apply to the information systems, software and network, which includes firewalls, intrusion detection, passwords and antivirus software. And a physical control is something you apply physically, okay, physical security guards and all that. So here controls of any effect category may be implemented in any of these ways, but the most important part is we implement based on the risk assessment.

Now in domain two there are some topics we have which are technical in nature but are testable. The first is called the DMZ. Now what is a DMZ? Before going to understand the DMZ, let me share the brief history. Now this is your internet, okay. This is one network: you have the web server also in here, you have the DNS also here, now you have the database also here, just give me a second, you have the database also here and you have the AD also here; all are part of the same network, everything is part of the same network, okay. So these two are critical and these two are sensitive, and now there is a user from outside, so the user is here; he wants to access the internet, so when the user tries to access the internet and through that he wants to access the website, if we install the firewall here, and in the firewall we have too many restrictions, then all the
packets going through these restrictions take time for the inspection; it will slow down the process and that basically delays the performance, and the customer will not be happy. It is the same like, you know, airport security checks after immigration and all that; the same thing happens here. So websites and... so one thing we need to understand is, if I consider this factor I have to have very limited rules in the firewall; if I consider this factor I have to have very strict rules in the firewall. That is what happened: we created a DMZ, demilitarized zone; it's a concept that came from the military. Now when you're talking about the DMZ concept, we keep those systems in the DMZ which are public facing: for me the website and DNS should be public facing, and what is sensitive in nature we keep with the database. So the ultimate goal of having a DMZ is to protect my internal network from outside; any connection that comes will be terminated at this point, and then we basically install another firewall here to block further actions. So remember one thing: whatever public-facing servers we have, we can keep them in the DMZ, and the ultimate goal of the DMZ is to protect my internal network from external attack.

Along with that we are using cryptography; there's a dedicated video I made on cryptography, symmetric and asymmetric. When we're using the same key to encrypt and decrypt the data, that is called symmetric; when I'm using a public and private key to encrypt and decrypt the data, we use asymmetric. But today we use these two cryptographies together; how? Symmetric cryptography we use for data encryption, and we use asymmetric for the key exchange, and that is why today it is called hybrid cryptography. So as a summary, here you can see the summary: KRIs detect rising risk and allow the CISM to respond proactively; KCIs show control effectiveness, guiding the fine tuning; and KGIs measure the achievement of security goals, showing the strategic impact of security efforts. So
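An added worked example for the domain two risk material, not from the video or its slides: a small risk register that scores inherent and residual risk by likelihood times impact, prioritizes scenarios by inherent score, and recommends a treatment using the two acceptance conditions the speaker gives (residual within appetite, or control cost above the cost of the risk) together with appetite, tolerance and capacity bands. The scoring scale, the bands (appetite below tolerance below capacity, following the speaker's later definition of tolerance as the band between appetite and capacity), the scenarios and the cost figures are all assumptions made for illustration; the supplier and exam-training scenarios echo the speaker's own examples.

```python
"""Risk register scoring and treatment recommendation (added example, assumed figures)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: int = 0  # points taken off the 1-5 likelihood score
    impact_reduction: int = 0      # points taken off the 1-5 impact score


@dataclass
class RiskScenario:
    id: str
    description: str
    risk_owner: str
    likelihood: int        # 1 rare .. 5 almost certain
    impact: int            # 1 negligible .. 5 severe
    annual_loss: float     # estimated yearly cost of the risk if untreated (assumed)
    proposed_controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control: likelihood x impact on a 1-25 scale."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk left after the proposed controls take their points off the scores."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.proposed_controls)
        imp = self.impact - sum(c.impact_reduction for c in self.proposed_controls)
        return max(1, lik) * max(1, imp)

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.proposed_controls)


# Assumed bands on the 1-25 score scale: appetite < tolerance < capacity.
APPETITE, TOLERANCE, CAPACITY = 6, 10, 20


def recommend(r: RiskScenario) -> Tuple[str, int]:
    """Return (treatment decision, residual score the decision leaves in place)."""
    inherent = r.inherent_score()
    if inherent <= APPETITE:
        return "accept: inherent risk within appetite", inherent
    # Cost condition from the talk: a control that costs more than the risk is not worth it.
    if r.proposed_controls and r.control_cost() > r.annual_loss and inherent <= CAPACITY:
        return "accept: control cost exceeds cost of risk (document the acceptance)", inherent
    residual = r.residual_score()
    if residual <= APPETITE:
        return "mitigate: implement controls, residual within appetite", residual
    if residual <= TOLERANCE:
        return "mitigate and monitor with a KRI: residual within tolerance", residual
    if residual <= CAPACITY:
        return "treat further: residual above tolerance, add controls or transfer", residual
    return "avoid/escalate: residual exceeds capacity", residual


def prioritised(register: List[RiskScenario]) -> List[RiskScenario]:
    """Order the register by inherent score so the largest exposures are handled first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


# Constructed register (assumed scenarios and numbers).
SAMPLE_REGISTER: List[RiskScenario] = [
    RiskScenario("R1", "Key supplier unavailable", "Procurement lead", 4, 4, 200_000,
                 [Control("Secondary supplier on retainer", 50_000, likelihood_reduction=2)]),
    RiskScenario("R2", "Breach via unpatched web server", "Change management lead", 4, 5, 500_000,
                 [Control("Monthly patch cycle", 30_000, likelihood_reduction=2),
                  Control("Web application firewall", 40_000, 1, 1)]),
    RiskScenario("R3", "Failing the exam without training", "Candidate", 4, 2, 500,
                 [Control("Training course", 1_000, likelihood_reduction=2)]),
    RiskScenario("R4", "Ransomware on file servers", "IT operations lead", 3, 5, 800_000,
                 [Control("Offline backups", 20_000, impact_reduction=1)]),
]


if __name__ == "__main__":
    for r in prioritised(SAMPLE_REGISTER):
        decision, residual = recommend(r)
        print(f"{r.id} inherent={r.inherent_score():2d} residual={residual:2d} owner={r.risk_owner}: {decision}")
```

The exam scenario (R3) lands on the cost branch exactly as in the speaker's $1,000 training versus $500 exam story, while R4 shows the case the bands exist for: a single backup control leaves the residual above tolerance, so the register records that more treatment or a transfer (insurance, indemnity) is still owed, rather than silently accepting it.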
this is all from my side on domain two; let's move to domain three. Thank you.

Okay, so we are in domain three, information security program. The information security program represents 33% of the entire CISM, and we can expect around 50 questions from this area. Those who are preparing for the CISM, make sure you give proper attention to domain three; it's very important, after domain one. So in this particular domain we're going to discuss how to build the program, because the program includes the controls, and the controls we implement based on the risk assessment, which we already did in domain two. So when we're talking about the program, okay, give me a second, so when you're talking about the program, the program is all about a set of controls which include your risk management, incident management and other functions. So we develop the cohesive program to move away from fragmented security efforts and integrate security into enterprise-wide risk awareness, and a good program is one which can be integrated across the organization. So the program steps include: define the desired outcome, like the outcome is I want to implement the GDPR controls, I want to implement the ISMS; so the program steps include defining the desired outcomes, then we conduct the gap analysis, and then we develop the strategy. This, this, this can be the testable parameter: like when we do the gap assessment, so when we are defining the desired outcome, then we do the gap analysis, and then we develop the strategy and roadmap to bridge the gap, okay. My outcome is, uh, I want security controls; currently what is the level of security control? Then we develop the strategy to fill the gap. So what is the context here? As a CISM professional you're responsible for structuring an effective program with measurable outcomes, and that is only possible with the help of metrics, and we have to make sure this program is aligned with the security objectives and enterprise goals. Now when you're talking about this program, the program
has a framework. So we use COBIT, we use ISO 27001, and we also use NIST CSF, the Cybersecurity Framework, and we also use an enterprise security architecture, which acts as a blueprint, aligning your security with business goals and supporting risk management, because by using an architecture you are able to organize things in blocks. So as a CISM candidate you should be familiar with the frameworks, because the frameworks help the CISM to choose the best approach to building and maintaining a program, okay. Now when we're talking about the program outcomes, the program outcomes are mapped to strategic alignment, risk management, value delivery, resource management and performance measurement. We already discussed in the past: my initiatives should be aligned to the business, for that we do risk management; your program should create value, should have a proper ROI; we should be able to manage the resources effectively; and we should introduce metrics to measure the program effectiveness. So we develop the program in phases, starting with stakeholder interviews; we draft the policies and ensure policy compliance. So as a CISM candidate, the roadmap basically helps the CISM to create a step-by-step guide for implementing security initiatives, and make sure keeping the strategic alignment with the business goals is a priority.

Now when you're implementing a program you introduce metrics. So we have operational metrics, which measure day-to-day security activities like vulnerability management, open vulnerabilities and all that. Second is called management metrics, which track policy compliance and cost effectiveness. And then we have strategic metrics, which align with the organization-level security goals. Strategic metrics are introduced to convey to the board, management metrics to convey to CISOs, and operational metrics are for the operational teams; so by this they are able to track things. So as a CISM candidate you should know that effective use of metrics allows the CISM to
demonstrate the program's progress to senior management, and also, based on the metrics only, to take a decision; so it enables data-driven decisions.

Now when you're talking about program management, the first thing program management includes is the program objectives, where we have to define goals in measurable terms; so we establish the metrics and monitor the performance. Let's say, for example, my goal is to maintain 99.999 availability; that is my measurable term, okay. Then based on that I will establish the metrics, I will try to monitor; I have to make sure the maximum downtime is 1%, it should not go beyond that, because 99% availability we have to maintain. And that is why we have a committee, which is a team of security, business, technical and everyone, who jointly discuss everything, and a good information security strategy, or the approval requirement of the security strategy, comes if the security steering committee or strategy committee approves that strategy, because if they are approving it, it means we're taking consent from all the departments. So the committee will guide the strategy, approve changes and ensure alignment with the organization's goals. Now the next thing we talk about is the context: program management ensures the IS program achieves its defined objectives, with the steering committee providing essential oversight and support.

Now the next important part we need to understand is the training program. Now please, please listen to this carefully. We have three things here: one, we talk about awareness; one, we talk about training; and one, we talk about education, okay. Awareness modifies behavior, training modifies skills, education modifies career, okay. So we have a task; to perform a task you need a special skill; to perform a skill you need knowledge; and knowledge you impart from the training, not from the awareness training. So you're attending a CISM program where you will learn the knowledge of security governance; that basically creates a skill for you, how to create a policy and everything, and
based on that you are able to do the task. But do you have adequate knowledge? We do the competency score test. You are under the impression that, okay, eight characters is a secure password, so you are using 1 2 3 4 5 6 7 8; but now in the awareness program you got to know that you have to change the behavior, you have to use alphanumeric and special characters; that is basically part of awareness. So the question is, when to do training and when to do awareness? Whenever an employee joins the organization, after joining the organization the first thing he will do is sign the NDA, sign the contract, and then he attends the awareness and training program. So we start the training at onboarding and we continue with regular updates. We also have role-based training for specific skill sets. We use different methods for engagement, like quizzes, reminders; the best method is gamification. We have to choose the communication method and content appropriately, so according to the audience we have to prepare the content, according to the audience we have to prepare the training content also; that is something very, very important, okay. So as a CISM, the awareness program reduces human errors, so the human is the weakest link in the organization; no matter if on one laptop you have a strong password, you have the best EDR and all that, there's no patch for human stupidity, so if a human makes a mistake it's a problem. Like social engineering and password sharing can be mitigated by human awareness only; that's why we say the most effective control for social engineering is the awareness program, because with the help of the awareness program we are able to improve the behavior of the person. And one of the best ways to measure the awareness program is an increase in incident reporting and a decrease in security violations, because if they attend the awareness training they get more information about how to report an incident, and by reporting more incidents we can reduce security violations. So we always believe that the security program should be
integrated with IT operations, and it should be integrated as early as possible. So one of the programs we have is the SDLC, software development life cycle, and we always prefer that security is introduced as early as possible, because if you go by the SDLC process we have different phases in the SDLC: the first step is initiation, second is called acquisition and development, third is called implementation, then fourth is called operation. We always prefer that security is introduced as early as possible; that's why in the initiation we introduce security, because this is where you understand the requirement of the customer, then you take a call whether you need to develop in-house or you have to acquire from outside, then you go for testing and then you deploy to operations. We also have new modern methodologies. So we have two types of development methodology: one is called iterative and one is called non-iterative. In iterative you're interacting with the customer in parallel and discussing things, and the best example of iterative is agile; non-iterative is waterfall. So if you see the Indian movies, we call it Pushpa, Pushpa: that is non-iterative, waterfall; if you move from phase one to phase two you cannot go back, that's non-iterative. Iterative is just like a "suran" movie: whatever Babuji says, I will follow; that is iterative. So in iterative, what happens, we have daily meetings, we have weekly meetings to discuss the status of the project; that's why we introduced the concept of DevOps and DevSecOps. So in this case what happens is we have a development team, and then we have an operations team, and then we have a quality team, and they follow one concept which is called CI and CD. So during CI we develop the module, we integrate the module, then we release the module, then we test the module and then we store it in the repository. So we introduce module by module in the pipeline, so we integrate the security in the agile process. Why? To
ensure secure continuous deployment. So this is the pointer you need to know by heart: what is the best way you can maintain secure continuous delivery? By integrating security in the agile process. How do you ensure security in the SDLC? You introduce security as early as possible, which saves time and cost also, and the best way you can ensure security is to integrate the security program in the SDLC; that is something we can try. So the CISM should facilitate the integration of information security with IT operations to ensure security is embedded into the process, not treated as an afterthought. That's a very important part.

The next important thing we talk about is program communications, reporting and performance management. So it's very important you need to regularly update the stakeholders to ensure transparency, and make sure you use some kind of dashboards to present the security facts. One thing always remember: whenever you are presenting the reports, whenever you are presenting the facts, make sure you have proper integrity, because if you don't produce the facts it's a problem. So the CISM needs to ensure they have strong communication skills to convey the program's value and ensure continuous support from senior leadership.

Now the next thing we talk about is the policy, procedure and program. So one thing we need to understand is that when you're implementing a security program, the policy is the foundation step; without a policy, governance can be ineffective, and if you want to check the maturity of any company, the first thing you ask for is the policy document. So let's say, for example, we have a business, we have legal, we have regulatory requirements, and here senior management has an intention, they have a wish: the people who are working at the operations level, like people, process and technology, should comply with the regulations, legal and business. So the first thing we do is create a policy, so the policy sets the intention, sets the expectations and the direction. Always remember: "Hey guys, every system
must be protected with a password." So that's a policy. So employees will say, okay, we know, but what is the size of the password? So "the password should be eight characters," that is called a standard. Eight characters: the step-by-step process of creating a password is called a procedure. So policy is strategic in nature, standard is tactical and procedure is operational in nature; a guideline is optional, good to have. And any kind of deviation we make from the policy, make sure we follow exception management and make sure we document that approach. So your policy and standard may need exceptions also, so we can establish a formal documented process for risk-based exceptions. Example: we have a policy that no one is supposed to send data outside the organization, the standard is that we should not send confidential data, but in some cases we have to send that data, so we follow the exception process: we assess the risk of non-compliance and then we send it, and we have to document these exceptions, because policy is sometimes dynamic in nature; you cannot have anarchy there. And policy needs to be reviewed annually or in the case of a major change in the business. That's a very important part you need to understand. So a well-defined policy and standard support effective governance, and when you are building a policy the most important element is that it should have compliance strictness with the flexibility to demonstrate practical change; that is something that is there, okay.

Now the next thing we need to understand is the controls. I think we already discussed that, but just for clarity: we have preventive controls which stop the incident before it occurs, detective controls identify incidents, corrective controls address the impact of the incident, and compensating controls are alternative controls when the primary control is insufficient. But is the control working effectively? That is something we assess with the help of VAPT. So the ultimate goal of doing VAPT testing is to check the control
effectiveness. So any question talking about the ultimate goal of testing, the ultimate goal of VAPT, the answer is demonstrating the effectiveness of the control. If I'm saying the firewall is effective, by doing a VAPT we are assessing the firewall's effectiveness. So we regularly evaluate control effectiveness to adapt to new risk and validate that the controls are aligned with the desired security posture, and by VAPT we do that. So the CISM has a task which ensures the controls effectively manage the risk, okay, and optimizes a defense-in-depth strategy that actually balances the cost with the security need. The question is, how can we do this with controls? So we introduce some kind of automated controls which reduce human error, but that demands consistent configuration; without having consistent configuration it is difficult for us to implement automation in the controls. And one primary advantage of automated controls is that it is the fastest way to respond to any incidents.

Another important automation we are using is SOAR, security orchestration, automation and response, okay. So this word orchestration comes from an orchestra band. Imagine, you know, you have a drum, you have a piano, you have a flute, so everyone has to play together in such a way that it creates meaningful sound, music. Same in the organization: we have a firewall, okay, so we have a firewall here, and then we have a SIEM here, then we have a system A, and then we have a SOAR. So now what happens: any incident happens, any incident is triggered, okay, the firewall will send the logs to the SIEM; that activity basically went to A, that information goes to the SIEM, the SIEM basically feeds the logs to the SOAR, and the SOAR, based on that, acts like a brain and accordingly will try to block the attack. So here what happened: all solutions are orchestrated with the help of the SOAR, so it takes a unified approach through which it integrates and responds to the thing. So the biggest reason for using a SOAR is enabling faster threat detection and response, because they follow
one concept which is called a runbook. The reason for introducing a SOAR is that initially what happened, when we used to have any incident on a particular system, we always sent an L1 guy there, a security analyst L1. To save time and all that, now we create thresholds: if this happens, they should block this; if this happens, we block this. So that instruction has to be given in the SOAR, and that instruction is called a runbook, okay. So they follow the predefined instructions for the basic incidents, which saves the time of the SOC professionals.

There's another solution we are using, which is called a log management system. So we have a firewall here, we have a switch, we have a system A, we have a system B, we have a system C, okay. Now if you can notice here, we have a log management system here. So any activity that happened, bypassed the firewall, went to system A, B, C, D: if you don't have a log server, manually we have to go to the firewall, manually we have to go to systems A, B, C to collect the logs, and then we have to check the logs, which takes time, and devices do not have enough storage to hold the huge amount of logs. That's why what happens: any activity happens on the firewall, I want one dedicated server to keep all the logs, and that's why we introduced the concept of a log server, okay. That is why we introduced the concept of a log server. But the problem is that now any activity recorded in the firewall will not be stored in the firewall, it will be stored in the log server, log server, log server. So now we have one server, we keep all the logs, all the logs, but the problem is that again manually we have to convert the logs, manually we need to correlate the logs, manually we need to... it just takes time. So if I'm looking for correlation purposes and all that, then we introduce a concept which is called SIEM, security information and event management tool. There's no tool in this world that detects the incident; they detect the event. So now what happens: any activity
happens in the firewall, it goes to the SIEM. The SIEM, the first step, what they do, they collect the logs, they normalize; normalize basically means converting logs into one common format, then correlate and generate the activity. But again, the SIEM only detects the threats and correlates the threats; responding to threats, blocking the threats, for that they basically send the instruction to the SOAR and the SOAR, based on that, blocks the attacks, and that's how the security evaluation starts. So in the CISM context what we need to understand here is that automated controls enhance reliability and scalability and are a core aspect of program management.

So I want to show you something, just give me a second. So if you can see, if you can see the scenario, you can see a very good perspective: the firewall protects the network perimeter, so it inspects and blocks incoming and outgoing network traffic. Then we have EDR in every system, which secures the individual endpoint, monitors and detects suspicious activity. Then we have a SIEM; the SIEM correlates data and detects the threats, it aggregates the logs from the firewalls, the EDR, and based on that, and then they give information to the SOAR; the SOAR basically, based on that, takes the automatic decisions. That's how things work in the organization, okay.

Now the next important element we talk about is third-party management. So third party means we are dealing with a third party who is providing me services. So let's take an example, okay, so this is my company A, so we have a company A. I'm conducting sessions, I'm conducting online training, and for that I have relied on a vendor which is called Zoom or GoToMeeting. If they are down, at the end of the day I'm the one who is answerable to the customer. So even though I'm transferring the responsibility, I'm accountable for things. Example: you reach out to me for training, right, and we agreed that okay, from Sunday we'll have a session, but at that time Zoom is not working. So at the end of the day I'm the one who is answerable to you. So that's why in the company we have one department, which is called the vendor management department.
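The SIEM and SOAR flow the speaker walks through (the log server collects, the SIEM normalizes and correlates, the SOAR runs a runbook), as an added example that is not part of the video: a toy Python pipeline over constructed firewall and EDR log lines. The two log formats, the correlation rule (three firewall denies from one source IP followed within five minutes by an EDR alert naming that IP) and the runbook actions are assumptions for illustration.

```python
"""Added example (not from the video): a toy log-server -> SIEM -> SOAR pipeline.
All log lines are constructed; the formats, the correlation rule, thresholds
and the runbook are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw logs from two sources, each in its own vendor format.
# This is what the central log server holds before any normalization.
RAW_LOGS = [
    ("firewall", "2024-05-01T10:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22"),
    ("firewall", "2024-05-01T10:00:09 DENY src=203.0.113.7 dst=10.0.0.5 dport=22"),
    ("firewall", "2024-05-01T10:00:17 DENY src=203.0.113.7 dst=10.0.0.5 dport=22"),
    ("firewall", "2024-05-01T10:00:30 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22"),
    ("edr", "2024-05-01T10:01:02 host=system-a severity=high action=suspicious_process remote=203.0.113.7"),
    ("firewall", "2024-05-01T10:02:00 ALLOW src=198.51.100.9 dst=10.0.0.6 dport=443"),
]

FW_RE = re.compile(r"(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
EDR_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) severity=(?P<sev>\S+) action=(?P<action>\S+) remote=(?P<src>\S+)")


def normalize(source, line):
    """Normalization: convert each vendor format into one common event schema."""
    if source == "firewall":
        m = FW_RE.match(line)
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source,
                "src_ip": m["src"], "asset": m["dst"], "action": m["action"].lower(),
                "detail": f"dport={m['dport']}"}
    if source == "edr":
        m = EDR_RE.match(line)
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source,
                "src_ip": m["src"], "asset": m["host"], "action": m["action"],
                "detail": f"severity={m['sev']}"}
    raise ValueError(f"unknown log source: {source}")


def correlate(events, window=timedelta(minutes=5), deny_threshold=3):
    """Correlation rule (assumed): at least deny_threshold firewall denies from one
    source IP, followed within `window` by an EDR alert naming the same IP, become
    one correlated alert. Each single event on its own is only an event."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        denies = [e for e in evs if e["source"] == "firewall" and e["action"] == "deny"]
        for edr_alert in (e for e in evs if e["source"] == "edr"):
            recent = [d for d in denies if timedelta(0) <= edr_alert["ts"] - d["ts"] <= window]
            if len(recent) >= deny_threshold:
                alerts.append({"src_ip": ip, "asset": edr_alert["asset"],
                               "evidence": len(recent) + 1,
                               "rule": "fw_denies_then_edr_alert"})
    return alerts


def runbook(alert):
    """SOAR runbook: the predefined instructions for a known alert type.
    Returns the actions a SOAR would orchestrate (described here, not executed)."""
    if alert["rule"] == "fw_denies_then_edr_alert":
        return [f"firewall: block {alert['src_ip']}",
                f"edr: isolate {alert['asset']}",
                "soc: open ticket for L1 review"]
    return ["soc: open ticket for L1 review"]


def run_pipeline(raw_logs=RAW_LOGS):
    """Collect -> normalize -> correlate -> runbook, returning (alert, actions) pairs."""
    events = [normalize(src, line) for src, line in raw_logs]
    return [(a, runbook(a)) for a in correlate(events)]


if __name__ == "__main__":
    for alert, actions in run_pipeline():
        print(alert, actions)
```

The second source IP in the constructed logs (198.51.100.9) produces only an allowed connection and no EDR alert, so it never becomes an alert; only the IP that both the firewall and the EDR saw is escalated to the runbook.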
Okay, give me a second. So we have a department which is called the vendor management department. So when they onboard the vendor, they assess the vendor risk, evaluate the things and all that, okay, to make sure the vendor should not impact anything. So in vendor management the first step is to define the third-party risk management requirements, and anything, basically, the services you take, it will be done based on the contract. So the contract includes the right-to-audit clause, and third is that regularly we have to assess the third party's compliance with the SLA. One thing you need to make sure of: when you are outsourcing services, you have to document all the service expectations in the SLA, in the contract; if you fail to achieve the SLA then it's a problem. So the right-to-audit clause is very, very important. So we have to ensure the vendors uphold the security policies and establish an exit strategy to manage the transition. That's a very important part that we need to understand, okay, that's a very important part you need to understand. Another important thing we need to understand here is that managing vendor security is a critical responsibility, especially in the case of outsourcing, because it increases the complexity and risk, and the only way you are able to manage this control is by the contract, and make sure in the contract you add the right-to-audit clause. That's a very important part, okay.

The next important part we call compliance and enforcement. So we have to do compliance monitoring, so we do continuous monitoring and then, into the policies and standards, we have to ensure policy compliance through automated tools with periodic review. So compliance enforcement reduces risk and helps to meet the regulatory requirements, and as a CISM you should create and maintain a strong compliance culture, and whatever you implemented, you do the monitoring. So we have ongoing monitoring, with the help of which we can track the performance and detect unusual
activities, and for incident detection we use IDS and SIEM. I already discussed IDS, intrusion detection system. So when we're talking about the IDS, you know there's a dedicated video I made on that. In IDS we have two things: one is called a host-based IDS and one is called a network-based IDS. Let's say, for example, this is my NIDS, which I install at the border of the network, then we have a switch here, then we have a system A, then we have a system B and then we have a system C, okay. So now what happens: we have traffic which passes through the NIDS. The NIDS can track from where it is coming and to where it is going, but it will not be able to detect what kind of changes it introduced in A, B, C. So for that, in every system we install the HIDS; the HIDS detects the intrusion in each system. But the question is now, how will the IDS detect the intrusion? So first they use a signature and second is called behavior. So when the packet passes to the NIDS, the NIDS checks the signature of the traffic and compares it against the stored signatures; if it matches, it is an intrusion. That is called signature-based. But one disadvantage of signature-based is that it fails to detect new attacks; that's why we introduce a second, called behavior-based, which is also called anomaly. So in anomaly, what happens: we are sending multiple packets, so we believe, okay, this is the series of packets we are receiving. So for example we have a server; the server should receive traffic on port number 80, but we are receiving traffic on port number 23, which is not expected and it is against the baseline, so that will be recorded under anomaly. And we also use vulnerability assessments and identification and everything.

So as a CISM candidate, okay, continuous monitoring is essential for identifying and addressing potential issues in real time, and the critical part of the CISM role is to maintain an effective security posture. So we use some kind of metrics: we use KGI, KPI, KRI to measure the progress and demonstrate the value.
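The two IDS detection methods just described (signature matching against stored signatures, and anomaly detection against a baseline such as "this server should only receive port 80"), as an added Python example that is not from the video. The packets, the signature store and the baseline are constructed; the verdict layout is an assumption for illustration.

```python
"""Added example (not from the video): how a NIDS reaches an "intrusion" verdict
by (1) signature matching and (2) anomaly detection against a baseline.
Packets, signatures and the baseline are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature store: byte patterns known to belong to attacks.
SIGNATURES = {
    "sig-001-shell-probe": b"/bin/sh",
    "sig-002-sql-tautology": b"' OR 1=1",
}

# Constructed baseline: the ports each server is expected to serve.
BASELINE = {
    "10.0.0.5": {80, 443},   # web server
    "10.0.0.6": {22},        # admin host
}


def signature_check(pkt, signatures=SIGNATURES):
    """Signature-based: compare the payload against stored signatures.
    Catches known attacks only; a brand-new attack has no signature yet."""
    return [name for name, pattern in signatures.items() if pattern in pkt.payload]


def anomaly_check(pkt, baseline=BASELINE):
    """Anomaly-based: traffic to a port the baseline does not expect for that
    server is flagged even when no signature matches. Returns None if normal."""
    expected = baseline.get(pkt.dst)
    if expected is None:
        return "unknown destination not in baseline"
    if pkt.dport not in expected:
        return f"port {pkt.dport} not in baseline {sorted(expected)} for {pkt.dst}"
    return None


def inspect(pkt):
    """Combine both methods into one verdict for the packet."""
    sigs = signature_check(pkt)
    anomaly = anomaly_check(pkt)
    return {"intrusion": bool(sigs) or anomaly is not None,
            "signatures": sigs, "anomaly": anomaly}


# Constructed traffic: one normal request, one known-bad payload to the
# expected port, and one unexpected port (telnet) on the web server.
TRAFFIC = [
    Packet("198.51.100.9", "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.5", 80, b"GET /login?user=' OR 1=1 HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.5", 23, b"\xff\xfb\x01"),
]

if __name__ == "__main__":
    for p in TRAFFIC:
        print(p.dst, p.dport, inspect(p))
```

The third packet is the case the speaker describes: no stored signature matches it, so a purely signature-based sensor stays silent, while the baseline comparison still flags port 23 on a server that should only serve 80 and 443.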
So whenever the question is talking about information security programs, we use these: KPI, KGI, KRI; the most important is KRI. And if you're looking for cost-benefit analysis, we use TCO, total cost of ownership, the investment that you made, and the profit that you earn, that's called ROI, return on investment. Example: you're spending money on CISM training, you're spending money on the CISM certification, that's called TCO, and based on that you get a hike of $5,000 or $1,000, that is called ROI, return on investment. So it's very important if you want to demonstrate the information security program's value: the metrics and cost analysis, it can be done with the help of investments, it can be done with the help of the TCO and ROI metrics.

Now the next important thing we talk about is cloud computing, very, very important, very important, okay. Now when we're talking about cloud: cloud is just like the internet, okay, okay, you know when we used to draw the internet, we used to draw like this, so the same we call a cloud. Cloud is just like that; computing is all about processor, memory, CPU, storage that you can access from anywhere. So when we're talking about cloud computing, it's very important for us, from an exam perspective, that you understand one thing: data security and data governance is the responsibility and accountability of the cloud customer; physical security is the responsibility of the cloud provider. Let's say, for example, this is you, a subject, a data subject who went to the bank; the bank is using a third-party cloud for the CRM, okay. So if the cloud is compromised, data is compromised, at the end of the day the bank is the one who is answerable to the customer, it's answerable to RBI, it's answerable to SEC. So one thing: you are transferring the responsibility, but you cannot transfer the accountability. So when it comes to the cloud, okay, the biggest reason for going for the cloud is on-demand: it is available whenever it is required, right, agree? And you can compare cloud computing on-demand with Uber: you moved to a new city and you are new to that city, you
don't want to own a car, okay, so you decided to use Uber on demand. And they have broad network access, you can access from anywhere; they also offer you measured services, how much you use, they will do the billing accordingly; and they have rapid scalability, elasticity: you need two cars, it will be available, you need one car, it is available. So these are the ideal features which reflect a good cloud provider.

Now cloud computing provides three types of services: IaaS, PaaS and SaaS. So IaaS provisions the storage, okay, memory, RAM, CPU, sorry, storage, RAM and CPU; we only need to pay, or billing will be done, based on how much storage I'm consuming, how much RAM I'm consuming, how much CPU I'm consuming. I can decide as a customer what OS I want to install or what application I want to install. So yes, you can say from the options point of view, in this case the customer has more control, but consider the option to minimize the impact if the cloud provider experiences a service interruption; it's a problem, okay. Second is called platform as a service. Platform as a service means I don't want to own RAM, CPU, I don't have the time; just provide me the defined computation, I will move my application onto that particular computation. My expertise is doing development, I'm good with that, you handle the computation. That is called platform as a service, which allows for the deployment of customer-created or acquired applications using a programming language. Third is called software as a service: I don't want to do anything, I'm a startup, I want a CRM, so you develop the CRM, you build the CRM and provide it to me as a service, because I don't have the money to spend on the hardware. So today I don't want to buy a very huge hardware configuration; with a basic laptop I can connect to the cloud and I can access any application, and the best example of SaaS is Gmail, Office 365, the best example. Everything is developed by Microsoft, you just need an internet connection; with the help of the connection you can connect with the cloud and
access your application from anywhere, okay. So that's the thing. So as you know, in SaaS you have limited control, so the only way you are able to control is the contract; you try to bring more and more customization with the help of the contract. So the summary is that when it comes to SaaS, software as a service, the provider manages more security aspects and the customer focuses on user access control and data protection; in platform as a service the customer is responsible for securing the applications they develop on the platform; in IaaS the customer handles the operating system security and application security, data protection, everything will be handled by the cloud customer.

Now it's up to us how we deploy the services. So we have four types of deployment here. The first is called public cloud: cost-effective, okay, but less control over the security. Like, for example, you open Amazon, you subscribe to Amazon services, I subscribe to Amazon services, we have a common SLA and everything; that's called public cloud. It is the same as me and you going to the same party. Second is called private cloud. Private cloud means greater control, security, but high cost; dedicated instances will be available to you, you build your own data center, host the services. Hybrid is a combination of public and private, okay, which offers flexibility but can introduce integration challenges. Let's say, for example, the company has its own data center and hosts its own cloud services; they do their development in this zone and once the application is ready, for scalability reasons they use a public cloud. So they are using both; that's an example of hybrid cloud, okay, so that's an example of hybrid cloud, and then you can reuse your in-house infrastructure for some other activities. And community cloud is like a balance: shared cost with a specific compliance need. Two, three companies come together and they decide they will invest money and they will host the data, because they don't have the budget for a private cloud, but neither do they want to go for
public cloud. In India the example is IBCC and all that, the Indian Banking Community Cloud. So the summary is that data security and governance is the accountability of the cloud customer, and physical security, in all service models, is the responsibility of the cloud provider. This is all in domain three; let's move to domain four. Thank you.

Now next is domain four. 30% of the content is testable from domain 4 and around 45 questions we can expect from domain 4. Now when it comes to information security incident management, very technical stuff, okay. So first we need to understand the incident. Now an incident is anything which impacts the organization in a negative manner; that is called an incident, okay. And I will give an example, the best example. So I have a scheduled training which needs to start from 9:00 a.m.; I was there by 8:45 and at 9:00 I was able to start the session, so that's an event. So a series of activities used to achieve the business objective, that is an event. But if I reach at 9:05, which is against the business objective, then it is an incident. So an incident is anything which impacts the organization in a negative manner. Now if you have a recurrence of incidents it leads to a disaster, and if you don't give attention to the disaster it leads to a crisis. So the difference between risk and incident is: risk is the probability, but an incident is a confirmed action. So unexpected events impacting information security, or the CIA, that is called an incident, and the focus is on the management response. So the incident management program falls under risk management; it includes planning, preparation, identification, containment, eradication, recovery, which I'm going to discuss in the further slides. So incident management is the overall governance, planning and coordination, and response is the tactical actions that you take, okay. So you can say that response is a part of the management program, okay. So as a CISM, understanding these distinctions helps in designing a proactive incident management program that integrates with enterprise risk management, and a good program is the
one which integrates with the risk management program. Now let me explain to you with one correlation how risk management is correlated with incident management. See, you identify the risk, you evaluate and you treat; I skipped the assessment, okay. So in some of the treatments, where the risk is within an acceptable level, we have to monitor that, and that will be integrated into incident management, because if at any point of time it is going beyond the appetite and all that, with the help of incident management we have to reduce the impact. That is why the incident response program or incident management program works closely with risk management, okay, especially residual risk.

Now the next important thing we need to understand is the components of the incident response plan. So identification, classification of the incident, because it is not possible for one person to handle all the incidents, so we always classify, categorize based on the urgency and impact. So we receive two incident tickets, one ticket related to a workstation, one ticket related to a server; so we check the urgency and impact and according to that we take a call. It is very important that in your response plan you must include the notification and escalation process. Then we have containment, like isolating the system; removing the virus, that's called eradication; restoring the system back to production is recovery. So the ultimate goal of the incident response plan or management plan is to minimize the impact, and we always look for facilitating quick recovery and establishing the severity criteria. So as a CISM we have to ensure your IRP is aligned with the BCP/DR plan and ensure the response plan can be escalated to recovery if needed. Now when we are talking about incident classification, as I said, the incident will be classified based on the severity, okay, based on the number of affected systems, and it is very, very important to have an escalation process. Why? Because when you're defining incident escalation to senior management, reporting is required, and that is something that has
to be documented, okay. That's a very important part. Another important thing we always look for is proper classification and escalation, so we have to ensure efficient handling and prioritization, because it allows the CISM to maintain focus on incidents that align with the enterprise risk appetite. And we have some terminologies here, like we are using SIEM, which aggregates and correlates the events; then we are introducing a new solution which is called EDR and XDR. We already discussed: let's say, for example, this is my firewall and we connected it with the switch, and here we have a system A. So now what happened: we have an IP that was able to bypass the firewall and went to the switch, to A. If you talk about a traditional antivirus, it detects the virus, okay, in the file and based on that it reacts. But if the virus bypasses the antivirus and tries to modify the system memory, the system application, I want to block at that level; that is why in every system we install the EDR. So E stands for endpoint, D stands for detection, and R for response. So whenever there is any memory stack, any kind of modification attempt, the EDR will try to block that. But now it basically bypasses A, B, C and all that; so for that we basically use the XDR. So XDR works on the network level and it aggregates the alerts and according to that it will block the attack on the firewall and everything. So EDR works on the endpoint specifically, but XDR works on the overall network. We also have MDR; MDR means a third party will deploy the solution in your organization, okay, so that is something called MDR, which outsources security monitoring and response services to a third party. So as a CISM you have to be familiar with these technologies, because selecting a tool that improves detection, tracking and resolution is part of the needs of the organization.

Now when you plan your incident management, and this is the most, most important part, you have this, which is called your incident management cycle or life cycle. So the first part is called planning and preparation; do not skip that, and there's a dedicated coffee shot I made on this.
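The classification and escalation logic described above (urgency and impact, the number of affected systems, escalation to senior management, and a recovery check against a restore time agreed with the business owner), as an added Python example that is not from the video. The severity matrix, the escalation thresholds, the tickets and the 4-hour RTO are all assumptions constructed for illustration.

```python
"""Added example (not from the video): prioritizing incident tickets by urgency
and impact, deciding notification/escalation, and checking the restore deadline
agreed with the business owner. Matrix, thresholds and tickets are assumptions."""
from datetime import datetime, timedelta

URGENCY = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def severity(urgency, impact):
    """Severity 1 (highest) .. 5 (lowest) from an urgency x impact matrix (assumed)."""
    score = URGENCY[urgency] * IMPACT[impact]   # 1..9
    if score >= 9:
        return 1
    if score >= 6:
        return 2
    if score >= 4:
        return 3
    if score >= 2:
        return 4
    return 5


def classify(ticket):
    """Attach severity and the escalation decision to a ticket.
    Assumed rules: 10+ affected systems raise severity one step; severity 1-2
    is escalated to senior management, 3 to the incident manager, the rest
    stay in the SOC queue. Every decision is recorded on the ticket itself."""
    sev = severity(ticket["urgency"], ticket["impact"])
    if ticket.get("affected_systems", 1) >= 10 and sev > 1:
        sev -= 1
    if sev <= 2:
        escalate_to = "senior management"
    elif sev == 3:
        escalate_to = "incident manager"
    else:
        escalate_to = "soc queue"
    return {**ticket, "severity": sev, "escalate_to": escalate_to}


def prioritize(tickets):
    """Order the queue: lowest severity number first, then the oldest ticket."""
    return sorted((classify(t) for t in tickets),
                  key=lambda t: (t["severity"], t["opened"]))


def restore_deadline_met(opened, restored, agreed_rto=timedelta(hours=4)):
    """Recovery check against the RTO agreed with the business owner (assumed 4h)."""
    return restored - opened <= agreed_rto


# Constructed tickets: the workstation/server pair from the talk plus one
# incident that touches many systems.
TICKETS = [
    {"id": "INC-1", "asset": "workstation-07", "urgency": "medium", "impact": "low",
     "affected_systems": 1, "opened": datetime(2024, 5, 1, 9, 0)},
    {"id": "INC-2", "asset": "db-server-01", "urgency": "high", "impact": "high",
     "affected_systems": 1, "opened": datetime(2024, 5, 1, 9, 5)},
    {"id": "INC-3", "asset": "mail-gateway", "urgency": "high", "impact": "medium",
     "affected_systems": 12, "opened": datetime(2024, 5, 1, 8, 50)},
]

if __name__ == "__main__":
    for t in prioritize(TICKETS):
        print(t["id"], t["severity"], t["escalate_to"])
    print(restore_deadline_met(datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 12, 30)))
```

The server ticket outranks the workstation ticket as the speaker describes, and the mail-gateway ticket, which on urgency and impact alone would be severity 2, is raised to severity 1 by the affected-systems rule and then ordered ahead of the server ticket because it was opened earlier.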
Okay, so the first is called planning and preparation. So in this stage we create a policy, okay, create a policy, we acquire management support, okay, and we develop user awareness. So we conduct the research, we build the checklist, we develop the communication plan and awareness training; that's something we do in the planning and preparation step. Second is called detection, triage and investigation. In this we detect the incident, we prioritize the incidents, we implement the IDS, we conduct the investigations, and more importantly we are also talking here about the incident response functions and everything, and we conduct the log audits and everything; that will be done in this particular stage. Now the next thing is called containment. Containment analysis is all about tracking and recovery: we execute the containment strategy, containment strategy means isolate the system; we perform the forensic analysis; we execute the recovery procedure in line with enterprise business continuity and disaster recovery; and we also determine the source of the incident and the post-incident parameters; that is part of containment. So we isolate the system, we analyze the criticality, we track, and we restore the system back to production. And finally we have the post-incident assessment. The ultimate goal of the post-incident assessment is to conduct the postmortem: exactly what happened, at what time, how well did the staff and management perform in dealing with the incident, okay, were the documented procedures followed, were they adequate, how to improve that, and then we have the incident closure. The ultimate goal of the post-incident assessment is to improve the overall program. So I repeat again: detection is to confirm and validate. So if you get a question, in which particular stage do we confirm the incident, the answer is detection only. If anyone has reported an incident, the first step is to confirm the incident; that's called detection. Then we follow the triage, T-R-I-A-G-E, triage. Triage is basically a very important part, okay,
because triage helps you to prioritize and everything, okay. So during the prioritization we rate the incidents and then we track and then we investigate further, and then we isolate the system, then we do analysis, because we can't do the investigation or analysis in the live environment, so we isolate the system, then we do analysis, we restore the system back to the state, and then we do the post-incident, and then we have the incident closure. Incident closure is very important, okay, because incident closure gives you the detailed reports about everything, okay. So that we're going to discuss in the further slides. So this is important, and confirmed from the exam perspective, okay, it's very, very important, and you should have a very good understanding of this particular process, okay. So please understand this properly; it's a very important part.

Now I want your attention on this slide; it's very important. The first step is called preparation. So this phase prepares the organization: develop the IRP prior to the incident; sufficient preparation facilitates smooth execution. So preparation is, if the question is talking about in which stage we establish the policy, we establish the approach, we establish the communication plan, we develop the process, we develop the criteria to report the incident, everything, building governance about incident management comes in the preparation step. Second is called identification. This phase aims to verify if any incident has happened and find more details about it. For example, some user has reported "virus, virus, virus"; it is not necessary, okay, that I will go and I will report that issue; it will not be like that, okay. So we have to first confirm, okay, first we need to confirm whether it's true or not; that is called identification, because not all reports are valid, okay. As I said, not every incident is a... sorry, not every event is an incident, but every incident is an event, right. So the activities in this stage: we assign the ownership, we verify the reports, we establish the chain of custody,
we determine the severity of the incidents and all that. Then we have containment, okay. It's confirmed the system is infected with the virus: isolate the system immediately. I don't want, you know, just doing a continuous investigation during that time. So containment is very important because with the help of containment we can isolate the system and we can reduce the impact. The reason for doing containment is to make sure the infected system should not do damage to other systems. You know, it's like if we find any person has COVID, we isolate the person immediately from the family, so he will move to one room. So after the incident has been identified and confirmed, the most important part is we do the detailed assessment, we contact the system owner and we isolate the system immediately from the network, and here we are notifying the appropriate stakeholders also. Before isolating anything, definitely we need to obtain agreement on the actions, because it can affect the availability; we have to get the IT representative, we have to obtain and preserve the evidence, and forensic activity happens in the containment stage. Then we have eradication. Eradication is where we remove the virus, we remove the things which are basically creating the cause. So we determine the signs and cause of the incident, we locate the most recent version of the backups, we remove all the root causes, okay, we remove the virus and everything, and then we restore the system back to production. Now listen carefully here: with the business owner we agreed that in 4 hours we restore, so following that metric we have to make sure we restore within that only. So here we also follow the BIA, okay, BIA, business impact analysis. And finally we have lessons learned. Lessons learned means we should learn a lesson from every incident, which helps me to improve the overall process. For example, in this incident the people reported the incident late at night, and at that time there was no team of ours available; so thankfully now, if any incident
has been reported, we got to know, okay, we need to hire one person who works in the evening shift, which helped me to overall improve my incident management program. So at the end of the incident response process a report should be developed to share what happened, okay, what measures have been taken, the result after the plan was executed, as part of the report. So the report should contain the lessons learned, which provide the IMT and other stakeholders valuable learning points and what could have been done better, and these lessons should be developed into a plan to enhance the incident management capability. So we write the incident reports, we analyze the issues which were encountered during the incident response plan, and we also, what you call, propose the improvements based on the issues that we encountered. So that is something done in that phase. So the answer is: creating a policy, everything, is part of preparation; identifying the incident is part of identification; confirming the incident is part of identification; isolating the system from the network is part of containment; removing the virus from the system is part of eradication; then we have recovery, we restore the system back to production; and then we have the overall lesson, what is the lesson we have learned. One more important thing: containment is temporary, recovery is permanent; that's something we have to understand.

Now the next important thing is the elements of the incident response plan. So from a CISM context, you should ensure the containment strategy is defined in advance and communicated effectively to mitigate the incident, and incident reviews are crucial for continuous improvement. So we have to make sure we enable the CISM to enhance the security controls and refine the response strategy, and by doing the post-incident review and all that we are able to improve the overall function. So we have to maintain some documents, okay, an accurate record of the incident as it unfolds. So it's very useful, because with the help of that you can have clear timelines which help you to
identify the root cause: why this happened, how this happened. Undocumented changes may introduce new risk, okay, and we have to make sure we preserve the evidence, which requires an unbroken chain of custody. Chain of custody means the sequence in which you maintain the evidence. So let's say, for example, PR is the one who collected the evidence at 7:40 and I hand over the evidence to Smitha at 9:30, Smitha hands over the evidence to Seema at 10. So we maintain one form in which we document the timeline along with the hash value, like: at 7:00 p.m., 7:00 a.m., I collected the evidence and the hash value was A7; when I handed over the evidence to Smitha the hash value was A7; when Smitha handed over to Seema the hash value was 9B. It means during the transit from Smitha to Seema the evidence got altered. So when you submit the evidence in court you have to submit the chain of custody form. That's why I say, whenever possible, use a standardized format which is easy to understand. Lessons learned during the incident can improve the security practice, and take time to review what happened; according to that you are able to improve the functions.

Another important thing we use is forensic investigation; it's a very important part, okay, forensics is very important. The important consideration of the incident response team is forensics, which refers to the gathering of evidence. But the question is how to gather the evidence. So we follow one concept which is called a bit-by-bit image of the system. How? So we have a system A, and here we have a hacker; the hacker basically hacked into the system; we isolate the system. So the first thing we did, we did the ghost image, okay. So we did the ghost image; when we did the ghost image we did the bit-by-bit image of the system. So first we dump the memory, first we dump the memory, because if you shut down the system you will lose the data, lose the data in the memory. So first we dump the memory, then we create a ghost image of the system, and how to create a ghost image?
bit by bit system is it clear the reason why if you do bit by bit it can capture the exact state of a system which capture your deleted files unallocate custers and all that and never ever do the investigation live system always do the investigation the copy of the systems so if scenarios in which legal action is likely identified there should be procedure need to be documented and more important inent Response Team should brainstorm the scenarios and write them into the actions so always remember isolate system system from a network first by removing a network cable dump the memory and then we make a ghost image which is called bit by bit image of the system that something is a practice we have to follow now next important element is called whatever the plan you created you have to test the plan okay so testing increase a likelihood the plan will work by assessing the technical soundness of the plan we increase each participant familiarity with the plan so during a testing we focus on Gap identifications okay we identifying gaps we verify the assumptions so example like when I say testing the difference between the testing and exercises testing is checking pass or fail exercise is all about realistic activity if in the plan it is mentioned the the person will get a report in two days we have to test that is it working or not so by doing a testing we identifying the Gap we verifying the assumptions we validate the time lines we determine the effectiveness and more important we determine the accuracy ultimate goal of testing the plan is to update the plan because it's not necessary I will be always available in the company in my absence someone should follow the plan blindly so that's why we say when we have to do the testing the testing should be done on a regular basis or at least annually so we have a different type of test that we need to understand so next is basically called as a type of test because we need to test the plan and it is very important for your 
preparation so when you're talking about type of test the first is called a checklist review we start with checklist review only we distribute the checklist we distribute the document to all the team heads and we tell them just check whether your area of section is okay or not is it clear so in the ultimate goal of checklist review is to ensure they are current once they say okay yes all steps are okay then we have a structure walkth through where the team members physically implement the plan on paper and review eight steps then we have a simulation test where we prepare the disaster scenario without activating a recovery site fire fire drill is example of simulation it has little bit impact then we have a parallel test parallel test we do on the alternate side and best side for testing is hot site okay and here the recovery site is bought up a state of operation Readiness and but primary site continue as a normal and then we have a full Interruption test that's something we do on the production site so if you take a example here so this is my primary site and this is my alternate site Okay so so when you're doing parallel test we doing parall test on the alternate sites how we basically ensure can we able to move services from primary to secondary as early as possible we verify the RTO can be achieved within a MTD and once we ensure okay my this site is okay then we do the test on the primary site that is called as a parallel test sorry that is then we do the test on the primary side that's part of a full Interruption test so ultimate goal is to validate the plan so testing should start simply and increase gradually as stretching the objective and success criteria but make sure we should do all these things with a limited impact that's basically the minimum priority we have okay so that's there now next important thing we need to understand the BCP BCP is very very important now before I discuss BCP in detail let me first discuss the definition so we have a BCP 
and we have a d DRP BCP is a plan which talk about how to sustain the business in the case of disaster and DRP talk about how to recover the IT service in the case of disaster let's take example this is me and I'm taking a training from home and this is you as a customer okay you are in different different locations so we all are connected by the network internet links I know for me the training on weekday is very critical so we have a training from 7: to 12 and mostly take the training from 7 to 12 so I can use my rest of the day for my activities so I have to make sure in this during that time internet should not be down power should not be down but what happened when start the session internet was down power is down thankfully I have a UPS and I have a rendent ISP connections by which I can continue the operation but problem is that I know I cannot drive the session for long so I call my friend and I ask him is is power is there or electricity is there he said yes so during the lunch time I moved to my friend house and from there I took the session so all these activities what I'm doing is Dr okay but ultimate goal is what sustain the business continue the business so BCP is the umbrella and Dr is a part of the umbrella there's a dedicated video I made okay on BCP do check that so when you're creating a BCP program the first step is create a policy we already discussed Second Step called as a Bia definitely in the case of disaster it is not possible for me to protect everything so I have to identify what is critical what is not understand bi in this way when we're talking about our old houses okay so where we don't have a generator or UPS concept so our dad used to say or Mom used to say okay beta or okay guys you want to study right huh so what is a necessary thing in the case of power failure Papa I want a fan to be operate and I want a light in the hall so this is something is critical for me and according to that I went to Market and buy the ups for that and 
we only give a critical connections to that so in the case of power failure only fan and light will work up the hall definitely you can't run AC fridge and everything so this is how that that visibility we get when we bi so bi basically all about what is critical what is not so then in the case of disaster we can able to focus on critical first so in Bia we have a three metrics MTD RTO RPO so MTD is all about the acceptable downtime RTO is the time you take to restore the services and RPO is the acceptable data loss let's say example is one day what happened my wife while coming back from her office she told me feeling hungry and make sure in 30 minutes cook something so that 30 minutes is the Ultima ultimatum for me okay the 30 minutes is the ultimatum for me make sure we have to make everything in 30 minutes so I called zato and they say 20 minutes they will deliver the that's my RTO so maximum tolerable downtime is 30 minutes because if wife reach home in the 30 minute then it's a problem and then in that case risk cannot be recover so I got to know my stakeholder is coming around 30 minutes before that the service should be there so that's why we order from zat to our food aggregator app the food was available in 20 minutes and by this way I will I I can I can able to demonstrate my kitchen continuity services to my wife so same thing happened the server is running the server is down at 11 MTD we have agreed is 4 hours so we have a time till 3: but by 2 I was able to restore the service that is my RTO a good BCB plan is a one where the RTO should not exceed the MTD and third part is called as RPO recovery Point objective recovery Point objective acceptable data loss in the case of disaster so we said the RP is 2 hour so 9:00 a.m. 
we took the backup 11 we can take the next backup at 11:15 the server was down so when I restore the server three the last backup I can restore is 11 and maximum data loss we have agreed is 2 hour but in this case the loss is 15 minutes so MTD and RPO set by the business owner so during a bi we identify what is critical and all that and then based on that we we identify preventative control and create a contingency strategy we go for hot site cold site warm site and then we get an approval from the management on that we then create Dr plan we test the plan and then we update the plan so that's how the Bia works now another important thing we talk about here is uh purpose of Bia Bia identify critical assets determine the impact on disruption and set the RTO so key element is identify functions and dependencies and deter the required recovery time to data loss and tolerance so from CM context bi findings helps to cism to align the inent response also and business Contin need because based on Bia we can able to prioritize the recovery based on the criticality Dr is a plan that we create so we Dr is all about recovery strategy we develop the D recovery plan which cover the logistics roles and contact informations and side selection coost location recovery need is very important part but the most important part is risk tolerance next important thing as a cism okay are responsible for ensure the Dr plan are align with the business need and make sure it should be periodically test for the effectiveness so we have a different type of Dr site the first is called as a hot site now what is hot site so let me explain with the example so we have a site one and we have a site two okay site two okay so hot site mean active passive so site one has a people process technology has a data but site two have people process technology with partial data currently everything is happening from the site one everything is happening from a site one if site is down we can move the recent data 
to site two and from there we can continue the operation that is my hot site okay second is called as a mirror site mirror site means active active if site one is down continue from site two that is called mirror site War site is basically mean we have HX systems we have a rack in the case of disaster we have to move server and make it as an operational that is called as a warm site okay and then we have a cold we have nothing nothing we have to move everything there and that is basically called as a cold site okay and finally we have mobile site portable site you can move from one location to other location I'm sure you have seen the big trucks in which we have a data center which can be move from one location to other locations so that's something we are using hope it is clear to everyone now next important part we need to understand is that whatever the plan we creating we have to test that so role Based training should be done testing type can be tabletop simulations we do and we check the RTO kpis metrics to check the things so regular training okay regular trainings ensure the Readiness in helping the season to go the instant maturity and justify The Continuous support okay the next thing is called as a RTO as I said maximum ex downtime MTO longest time system can be un avilable and sdo is a level of service needed during the recovery so let me explain you with the examples so you get a better visibility because I've seen a lot of people struggle on this area I I always use V diagram it's a v website V zo and he's one of my good friend so I'm using his reference here so here what happen your system is working in every 2 hour we're taking a backup and suddenly there was a disruption now I'm able to trying to restore but I'm able to restore some of the service which is 60% 60% service I was able to restore and with that I can continue my business that is my sdo service delivery objective okay is you can see another if there is a power failure happened the it 
came back but it came in phases it cannot run anything it cannot run everything so we can run some basic things so that acceptable things is called as a sdo service delivery object with that I can continue my operations and then at one point in time I restore everything so from the downtime till the full restoration that time is called as a AIW okay but the time till accept sdo that is by uh you know parameter I'm taking about the downtime and from the RTO to the full recovery that is called as a MTO MTO stand for maximum tolerable outage okay and overall downtime that we agreed was AIW and and then I restore the functions the same thing what we discussed so I repeat again the service was down I was able to restore the services and that exal Services I basically 60% with that I can run my business and that is my sdo service delivery objectives and with that I can continue my operations on the alternate site before that I have to restore if I don't restore before after this it's a problem and I restore at this point that is basically called as a recovered and from the downtime till the downtime this this is called my AIW okay that's how it basically we plan so as I said we are using this particular Matrix to validate the functions okay we also use another important thing called ioc and ioa ioc ioa is called like list of attacks happening on my network like this attack is coming from 1.1.1 that has been recorded in the firewall that is called as a ioa but same IP was recorded and confirmed in one of my system locks that is called ioc so IO ioa before attack and ioc is basically after the attack as an Evidence so we are using this metrix okay to measure the effectiveness and everything that is something part of the program like relatives are coming to the house is ioa but based on that they confirm the marriage proposal and you got married that's ioc and so your cousins got this opportunity they leave the place so understanding these metrics allow cm to set the 
realistic expectation measure the incident impact and maintain the continuous Improvement so forensic is very important we have to ensure the data Integrity during in investigation collection is a very important step notify the legal regulatory before doing any in investigations okay that's a very important part uh documentation is important in the entire Inc management process because it provide the audit Trails for incent handling and it also support the lesson learn and it's very important you should summarize the incident from management highlights and everything that's a well maintained documentation reports justify the inent response investment and it also helps to communicate the inant insights to the management and stakeholders that's why documentation is very important okay it's it's it's it's actually very important now it's very important to have a risk management with instant handling so instance are unprevented risk that materialize and handling should focus on containing risk without escalation so it's very important you have to integrate with the Assurance so you have to link the instant management with the other risk Assurance function for the compreh iens risk coverage so according to that you can able to take the calls and that is why inent management is a component of overall risk management because the risk that identified mitigated and all that the resal risk need to be tracked properly is it clear so resal risk is a risk which is left after implementing control so we have to monitor the res should not exceed okay see earthquake is part of my risk residual but if I occur we need to have a inant response plan so you have to make sure the inent management process should be aligned with the Enterprise goals that's one thing and if it's aligned then only we have a buy and approval from the Senior Management so as an instant management should not only mitigate risk but also enhance the organization resilience and require the cism professional to 
communicate its strategic importance to the leadership skills okay so I want to show you one diagram okay so here you can see we have a instant risk management where we identify analyze and develop the mitigation plan and we decided okay we need to monitor some res risk okay and for that we introduce a BCP plan we want a BCP update because any trigger happen we need a BCP plan or any issue happen with that residual risk when you have incent management plan Tri inent response and Recovery that's that's how this corelation basically works okay so it's very important how you validate each and everything so next is called as a review and process okay so conduct the formal review after insurance to identify the improvements and track the incident response time cause of incidents success rate that's a very important part because continuous Improvement is a very important part of the functions because by doing a continuous Improvement you can you can enable to refine the response strategy reduce the instant impact and also demonstrate the value to the inst management team so this is all from my side but before I want to wind up I want to tell you one thing some important things first Your Role is a manager Your Role is not to implement anything you will will get 240 minutes to answer 150 questions so time is not an enemy go for 50 questions 50 minutes 10 minutes break 50 questions 50 minutes 50 questions 50 minutes so in 1 15 minutes sorry in 60 60 60 in 180 minutes you complete the 150 questions so now you left with another 60 Minutes that 60 minutes you can take to review your weak areas time is not an enemy read the question carefully eliminate two options and then Focus your energy in other two options that's basically the beauty about this exam do let me know how do you find this special video and it's an it's an effort and Investments which I do for my students and it is a free and uh I will wait for your feedback and do let me know in the comment box shall I make a 
video on cisa and C risk in the same format thank you so much good day bye
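The chain-of-custody walk-through in the talk (PR collects the evidence, hands it to Smitha, Smitha hands it to Seema, and the hash recorded at the last handover no longer matches) can be turned into a small verifier. The block below is an added example written for this transcript, not code from the speaker or from ISACA; the evidence bytes, the handler names, the timestamps and the "altered in transit" case are all constructed for the demo, and the hash is SHA-256 rather than the two-character values used on the whiteboard. It records a hash at every handover on a standardised form and, when verifying, names the exact transit in which the evidence changed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CustodyEntry:
    """One row of the chain-of-custody form: who handed the evidence to whom,
    at what time, and the hash of the evidence as received."""
    time: str
    from_handler: str
    to_handler: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_transfer(log: List[CustodyEntry], time: str, from_handler: str,
                    to_handler: str, data: bytes) -> None:
    # The receiving party hashes the evidence at the moment of handover and the
    # value goes on the form next to the timestamp, exactly as in the talk.
    log.append(CustodyEntry(time, from_handler, to_handler, sha256_hex(data)))


def verify_chain(log: List[CustodyEntry]) -> Tuple[bool, str]:
    """The hash recorded at collection is the baseline; every later handover must
    show the same hash. The first mismatch names the transit in which the
    evidence changed, which is what a court will ask about."""
    if not log:
        return False, "empty chain of custody"
    baseline = log[0].sha256
    for entry in log[1:]:
        if entry.sha256 != baseline:
            return False, (f"evidence altered in transit from {entry.from_handler} "
                           f"to {entry.to_handler} (handover at {entry.time})")
    return True, "chain of custody intact"


def render_form(log: List[CustodyEntry]) -> str:
    """Standardised, easy-to-read form layout (hash shortened for display only)."""
    lines = ["TIME   FROM     TO       SHA-256 (first 16 hex)"]
    for e in log:
        lines.append(f"{e.time:<6} {e.from_handler:<8} {e.to_handler:<8} {e.sha256[:16]}")
    return "\n".join(lines)


def build_demo_chain(tampered: bool) -> List[CustodyEntry]:
    """Constructed scenario from the talk: PR collects at 07:00, hands to Smitha
    at 09:30, Smitha hands to Seema at 10:00. With tampered=True the bytes Seema
    receives differ from what Smitha received, so the 10:00 hash changes."""
    evidence = b"constructed bit-by-bit image of system A (sample bytes)"
    log: List[CustodyEntry] = []
    record_transfer(log, "07:00", "PR", "PR", evidence)        # collection
    record_transfer(log, "09:30", "PR", "Smitha", evidence)
    seema_copy = evidence + b"\x00" if tampered else evidence   # constructed change
    record_transfer(log, "10:00", "Smitha", "Seema", seema_copy)
    return log


if __name__ == "__main__":
    chain = build_demo_chain(tampered=True)
    print(render_form(chain))
    print(verify_chain(chain)[1])
```

Running the block prints the form and the verdict "evidence altered in transit from Smitha to Seema (handover at 10:00)". Hashing the image at every handover is cheap; the point is that a break shows up at a specific step rather than as an unexplained difference at the end, and the form can be handed over together with the evidence.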
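The BIA metrics in the talk (MTD, RTO, RPO, and the rule that a good plan keeps the achieved RTO within the MTD and the data loss within the RPO) can be checked mechanically against an actual outage. The block below is an added example for this transcript, not the speaker's or ISACA's code; the dates, backup times, failure and restore times are constructed to follow the server example from the talk (backups at 09:00 and 11:00, down at 11:15, MTD 4 hours, RPO 2 hours). It also goes one step beyond the talk by covering the failure mode where a scheduled backup never ran, so the restore point is older and the RPO is breached.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def last_backup_before(backups: List[datetime], failure: datetime) -> Optional[datetime]:
    """The restore point is the most recent backup taken at or before the failure;
    a backup taken after the failure cannot be used."""
    candidates = [b for b in backups if b <= failure]
    return max(candidates) if candidates else None


def assess_outage(mtd: timedelta, rpo: timedelta, backups: List[datetime],
                  failure: datetime, restore: datetime) -> Dict[str, object]:
    """Compare what actually happened against the BIA targets set by the business
    owner: downtime (the achieved RTO) against the MTD, and the data lost since the
    last usable backup against the RPO."""
    downtime = restore - failure
    restore_point = last_backup_before(backups, failure)
    data_loss = failure - restore_point if restore_point is not None else None
    return {
        "downtime": downtime,
        "mtd_met": downtime <= mtd,
        "restore_point": restore_point,
        "data_loss": data_loss,            # None means no usable backup at all
        "rpo_met": data_loss is not None and data_loss <= rpo,
    }


def demo_server_outage() -> Dict[str, object]:
    """Constructed numbers following the talk: backups at 09:00 and 11:00, server
    down at 11:15, service restored at 14:00, MTD 4 h, RPO 2 h."""
    day = "2024-01-15 "
    backups = [parse_time(day + "09:00"), parse_time(day + "11:00")]
    return assess_outage(
        mtd=timedelta(hours=4),
        rpo=timedelta(hours=2),
        backups=backups,
        failure=parse_time(day + "11:15"),
        restore=parse_time(day + "14:00"),
    )


def demo_missed_backup() -> Dict[str, object]:
    """Same plan, but the 11:00 backup never ran (constructed): the restore point
    falls back to 09:00, 2 h 15 min of data is lost and the 2 h RPO is breached
    even though the MTD is still met."""
    day = "2024-01-15 "
    return assess_outage(timedelta(hours=4), timedelta(hours=2),
                         [parse_time(day + "09:00")],
                         parse_time(day + "11:15"), parse_time(day + "14:00"))


if __name__ == "__main__":
    for name, result in (("normal", demo_server_outage()),
                         ("missed backup", demo_missed_backup())):
        print(name, result)
```

In the first scenario the downtime is 2 h 45 min against a 4 h MTD and the loss is 15 minutes against a 2 h RPO, so both targets hold; in the second the same outage breaches the RPO only because the backup schedule was not actually kept, which is the kind of gap that plan testing is meant to surface before a real disaster does.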