CISM Pre assessment

To justify program development costs

To integrate development activities

To gain management support for an information security program

To comply with international standards

It shows senior management that you understand their needs

It provides a basis for redistributing resources to mitigate risk above the risk appetite

It requires continuous monitoring because the entire risk environment is constantly changing

It facilitates communication with management about the importance of security

Compliance with international security standards

Use of a two-factor authentication system

Existence of an alternate hot site in case of business disruption

Compliance with the organization’s information security requirements

Recovery time objective

Functional delegation matrix

Staff availability to the site

End-to-end transaction flow

Perform a technical vulnerabilities assessment.

Analyze the current business strategy.

Perform a business impact analysis

Assess the current levels of security awareness

technology constraints

regulatory requirements.

litigation potential.

business strategy.

implement stronger controls.

conduct periodic awareness training.

actively monitor operations

gain endorsement from executive management.

express the goals of an information security program and the plan to achieve them.

outline the intended configuration of information system security controls.

mandate the behavior and acceptable actions of all information system users.

authorize the steps and procedures necessary to protect critical information systems.

use illustrative examples of successful attacks.

explain the technical risk to the organization.

evaluate the organization against good security practices.

tie security risk to key business objectives.

Examples of genuine incidents at similar organizations

Statement of generally accepted good practices

Associating realistic threats to corporate objectives

Analysis of current technological exposures