Looking forward to December 8, 2012. I’m going to take the Certified Information Security Manager exam from ISACA (I’m already a CISSP and thought I’d expand the letters to the right of the comma after my name). I know COBIT pretty well and so I know what I expect from ISACA. In general, they structure governance like no other organization I’ve known.
But judging by the “CISM Review Questions, Answers & Explanations Manual 2012”, my primary study aid, they have a ways to go in making sure their questions are consistent. They are a bit too attached to words like “best”, “primary” and “most”. What is superlative is the greatest for theoretical exercises, but in the real world, it is not even necessarily the appropriate way to approach the task at hand. You cannot let the perfect be the enemy of the good.
Consider these two questions and how an addiction to having “one right answer” paints ISACA into the corner of having two questions that seem to be going in different, if not opposite, directions:
S1-5 Information security governance is *PRIMARILY* driven by:
A. Technology constraints
B. Regulatory requirements
C. Litigation potential
D. Business strategy
ANSWER: D. “Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.”
S1-44 An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. Corporate data privacy policy
B. Data privacy policy where the data are collected
C. Data privacy policy of the headquarters’ country
D. Data privacy directive applicable globally
Now, given the answer to S1-5 above, that “governance is directly tied to the strategy and direction of the business”, you’d certainly think a local information security program is bound to comply with something having to do with the business. I would have thought “A”, “corporate data privacy policy”. Policy is a tool of governance, and if governance is primarily to be driven by business strategy and direction, then “A” is the answer, yes?
Well, no. ISACA explains that the answer is “B”. Their reasoning? “As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law.”
The difference is subtle. S1-5 wants you to think about how to “drive” governance while S1-44 wants to make sure you know what your program must “comply” with. At the risk of confusing myself into failing in December, I’m going to say that this is just splitting that hair too finely in hopes of making sure there is one and only one answer.
Governance must always be driven by compliance with applicable law AND alignment with the business. It is specifically when the two might be in conflict that the Information Security professional adds value by being the center of deciding how to balance the two drivers. And policy, as a tool of governance, must follow suit. My take:
Answer to S1-5: E. B & D
Answer to S1-44: E. A & B
Just got word: passed the exam. Always a nice feeling.