| CISM Security Consulting Services |
|
Synesis offers the services of security consultants who have earned CISM Certification. CISM defines the core competencies and international standards of performance that information security managers are expected to master. It provides executive management with the assurance that those who have earned their CISM have the experience and knowledge to offer effective security management and consulting services. CISM measures expertise in the following areas, with corresponding tasks:
|
| Information Security Governance |
|
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations. Tasks include:
|
- Develop the information security strategy in support of business strategy and direction.
- Obtain senior management commitment and support for information security throughout the enterprise.
- Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
- Establish reporting and communication channels that support information security governance activities.
- Establish and maintain information security policies that support business goals and objectives.
- Ensure the development of procedures and guidelines that support information security policies.
- Develop business case and enterprise value analysis that support information security program investments.
|
|
Risk Management
|
|
Identify and manage information security risks to achieve business objectives. Tasks include:
|
- Develop a systematic, analytical and continuous risk management process.
- Ensure that risk identification, analysis and mitigation activities are integrated into life cycle processes.
- Apply risk identification and analysis methods.
- Define strategies and prioritize options to mitigate risk to levels acceptable to the enterprise.
- Report significant changes in risk to appropriate levels of management on both a periodic and event-driven basis.
|
|
Information Security Program Management
|
|
Design, develop and manage an information security program to implement the information security governance framework. Tasks include:
|
- Create and maintain plans to implement the information security governance framework.
- Develop information security baseline.
- Develop procedures and guidelines to ensure business processes address information security risk.
- Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
- Integrate information security program requirements into the organization's life cycle activities.
- Develop methods of meeting information security policy requirements that recognize impact on end users.
- Promote accountability by business process owners and other stakeholders in managing information security risks.
- Establish metrics to manage the information security governance framework.
- Ensure that internal and external resources for information security are identified, appropriated and managed.
|
|
Information Security Management
|
|
Oversee and direct information security activities to execute the information security program. Tasks include:
|
- Ensure that the rules of use for information systems comply with the enterprise's information security policies.
- Ensure that the administrative procedures for information systems comply with the enterprise's information security policies.
- Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.
- Use metrics to measure, monitor and report on the effectiveness of information security controls and compliance with information security policies.
- Ensure that information security is not compromised throughout the change management process.
- Ensure that vulnerability assessments are performed to evaluate effectiveness of existing controls.
- Ensure that noncompliance issues and other variances are resolved in a timely manner.
- Ensure the development and delivery of activities that can influence culture and behavior of staff including information security education and awareness.
|
|
Response Management
|
|
Develop and manage a capability to respond to and recover from disruptive and destructive information security events. Tasks include:
|
- Develop and implement processes for detecting, identifying and analyzing security related events.
- Develop response and recovery plans including organizing, training and equipping the teams.
- Ensure periodic testing of the response and recovery plans where appropriate.
- Ensure the execution of response and recovery plans as required.
- Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary.
- Manage post-event reviews to identify causes and corrective actions.
|
|
