CISM Certified Information Security Manager


CISM Certified Information Security Manager Firebrand Custom Designed Courseware

Logistics: start time, breaks, end time, fire escapes, instructor introductions.

Introduction to Information Security Management

Course Mission Educational Value Both theoretical and practical Up-to-date Relevant

CISM Certified Information Security Manager Designed for personnel who have (or want to have) responsibility for managing an information security program. A tough but very good quality examination: it requires understanding of the concepts behind a security program, not just the definitions.

CISM Exam Review Course Overview The CISM Exam is based on the CISM job practice. The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content. There are four content areas that the CISM candidate is expected to know.

Job Practice Areas

Domain Structure (diagram, not reproduced): the four domains are Information Security Governance, Information Risk Management and Compliance, Information Security Program Development and Management, and Information Security Incident Management. The diagram connects them with arrows labelled Reports To, Mandates, Deploys, Influences and Requires.

CISM Qualifications To earn the CISM designation, information security professionals are required to: Successfully pass the CISM exam Adhere to the ISACA Code of Professional Ethics Agree to comply with the CISM continuing education policy Submit verified evidence of five (5) years of work experience in the field of information security.

The Examination The exam consists of 200 multiple choice questions that cover the CISM job practice areas. Four hours are allotted for completing the exam. See the Job Practice Areas, including Task Statements and Knowledge Statements, listed on the ISACA website.

Examination Day Be on time! The doors are locked when the instructions start, approximately 30 minutes before the examination start time. Bring the admission ticket (sent out by ISACA prior to the examination) and an acceptable form of original photo identification (passport, photo ID card or driver's license).

Completing the Examination Items Bring several #2 pencils and an eraser. Read each question carefully. Read ALL answers prior to selecting the BEST answer. Mark the appropriate answer on the test answer sheet; when correcting an answer, thoroughly erase the wrong answer before filling in a new one. There is no penalty for guessing: answer every question.

Grading the Exam Candidate scores are reported as a scaled score, based on the conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass. Exam results are mailed (and emailed) approximately 6-8 weeks after the exam date. Good luck!

End of Introduction Welcome to the CISM course!!

2016 CISM Review Course Chapter 1 Information Security Governance

Information Security Management The responsible protection of the information assets of the organization: supporting security governance and risk management, and adopting a security framework and standards. ISACA CISM Review Manual Pages 14-16

Governance Governance ensures that stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision-making; and monitors performance and compliance against the agreed-on direction and objectives. ISACA CISM Review Manual Page 14

Examination Content The CISM candidate understands: an effective security governance framework; building and deploying a security strategy aligned with organizational goals; managing risk appropriately; responsible management of program resources. The content area in this chapter represents approximately 24% of the CISM examination (approximately 48 questions). ISACA CISM Review Manual Page 14

Learning Objectives Align the organization's information security strategy with business goals and objectives. Obtain senior management commitment. Provide support for: governance; business cases to justify security; compliance with legal and regulatory mandates. ISACA CISM Review Manual Page 14

Learning Objectives cont. Provide support for organizational priorities and strategy. Identify drivers affecting the organization. Define roles and responsibilities. Establish metrics to report on the effectiveness of the security strategy. ISACA CISM Review Manual Page 14

CISM Priorities The CISM must understand the requirements for effective information security governance, and the elements and actions required to develop an information security strategy and a plan of action to implement it. ISACA CISM Review Manual Page 14

Information Security Governance Information is indispensable to conduct business effectively today. Information must be available, have integrity (of both data and process) and be kept confidential as needed. Protection of information is a responsibility of the Board of Directors. ISACA CISM Review Manual Page 31

Information Security Information protection includes: accountability, oversight, prioritization, risk management, and compliance (regulations and legislation). ISACA CISM Review Manual Page 31

Information Security Governance Overview Information security is much more than just IT security (more than technology). Information must be protected at all levels of the organization and in all forms: paper, fax, audio, video, microfiche, networks, storage media, computer systems. Information security is a responsibility of everyone. ISACA CISM Review Manual Page 31

Security Program Priorities Achieve high standards of corporate governance. Treat information security as a critical business issue. Create a security-positive environment. Have declared responsibilities.

Security versus Business Security must be aligned with business needs and direction, and woven into the business functions. It then provides strength, resilience, protection, stability and consistency.

Security Program Objectives Ensure the availability of systems and data: allow access to the correct people in a timely manner. Protect the integrity of data and business processes: ensure no improper modifications. Protect the confidentiality of information against unauthorized disclosure (privacy, trade secrets and similar sensitive information).

Selling the Importance of Information Security Benefits of effective information security governance include: improved trust in customer relationships; protecting the organization's reputation; better accountability for safeguarding information during critical business activities; reduction in loss through better incident handling and disaster recovery. ISACA CISM Review Manual Page 31

The First Priority for the CISM Remember that information security is a business-driven activity. Security is here to support the interests and needs of the organization, not just the desires of security. Security is always a balance: between cost and benefit, and between security and productivity. ISACA CISM Review Manual Page 31

Corporate Governance

Business Goals and Objectives Corporate governance is the set of responsibilities and practices exercised by the board and executive management. Its goals include: providing strategic direction; reaching security and business objectives; ensuring that risks are managed appropriately; verifying that the enterprise's resources are used responsibly. ISACA CISM Review Manual Page 32

Outcomes of Information Security Governance The six basic outcomes of effective security governance: strategic alignment, risk management, value delivery, resource optimization, performance measurement, integration. ISACA CISM Review Manual Page 32

Benefits of Information Security Governance Effective information security governance can offer many benefits to an organization, including: compliance, and protection from litigation or penalties; cost savings through better risk management; avoiding the risk of lost opportunities; better oversight of systems and business operations; the opportunity to leverage new technologies to business advantage. ISACA CISM Review Manual Page 32

Performance and Governance Governance is only possible when metrics are in place to measure, monitor and report on whether critical organizational objectives are achieved. Enterprise-wide measurements should be developed. ISACA CISM Review Manual Page 33

Governance Roles and Responsibilities Board of Directors / Senior Management: effective security requires senior management support. Steering Committee: ensures continued alignment between IT and business objectives. CISO (Chief Information Security Officer): ensures security is addressed at a senior management level. ISACA CISM Review Manual Pages 35-36

Governance Roles and Responsibilities cont. System Owners: responsible for ensuring that adequate protection is in place for systems and the data they process. Information Owners: responsible for the protection of data regardless of where it resides or is processed. ISACA CISM Review Manual Page 37

Gaining Management Support Make a formal presentation from a business perspective: align security with the business, identify risk and consequences, describe audit and reporting procedures. ISACA CISM Review Manual Page 38

Communication Channels Track the status of the security program; share security awareness and knowledge of risk; communicate policies and procedures; deliver to all staff at the appropriate level of detail. ISACA CISM Review Manual Page 38

GRC Governance, Risk and Compliance: the combination of these overlapping activities into a single business process, recognizing the importance of information security and assurance to senior management. ISACA CISM Review Manual Page 40

BMIS The Business Model for Information Security is one approach to showing the interrelationship between the elements of a robust security management program: organization design and strategy, people, process, technology. ISACA CISM Review Manual Page 41

BMIS The interaction of these elements is important; the dynamic interconnections that provide coordination between them are: governance, culture, enablement and support, emergence, human factors, architecture. ISACA CISM Review Manual Page 42

Governance of Third-Party Relationships As organizations move more towards the use of third parties for support (e.g., the cloud), the need to govern and manage these relationships is of increasing importance: service providers, outsourced operations, trading partners, merged or acquired organizations. ISACA CISM Review Manual Page 43

Information Security Metrics A framework that cannot be measured cannot be trusted. The security program must be accountable for its budget, deliverables and strategy, so its metrics must be meaningful, accurate, cost-effective, repeatable, predictive, actionable and genuine. ISACA CISM Review Manual Page 44

KPIs and KGIs Indicators of the attainment of service goals, organizational objectives and milestones: Key Performance Indicators (KPIs), Key Goal Indicators (KGIs) and Key Risk Indicators (KRIs). ISACA CISM Review Manual Page 46

Security Integration Security needs to be integrated INTO the business processes. The goal is to reduce security gaps through organization-wide security programs that integrate IT security with physical security, risk management, privacy and compliance, and business continuity management. ISACA CISM Review Manual Page 46

Areas to Measure (Metrics) Risk management, value delivery, resource management, performance measurement, incident reporting, benchmarking. ISACA CISM Review Manual Page 47

Developing Information Security Strategy An information security strategy takes a long-term perspective, is standard across the organization, is aligned with business strategy and direction, reflects an understanding of the culture of the organization, and reflects business priorities. ISACA CISM Review Manual Page 49

The Desired State of Security The desired state of security must be defined in terms of attributes, characteristics and outcomes. It should be clear to all stakeholders what the intended security state is. ISACA CISM Review Manual Page 53

The Desired State cont. One definition of the desired state: protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity. This definition focuses on IT-related processes from the IT governance, management and control perspectives. ISACA CISM Review Manual Page 53

Elements of a Strategy A security strategy needs to include: the resources needed; the constraints; a road map covering people, processes, technologies and other resources; and a security architecture defining business drivers, resource relationships and process flows. Achieving the desired state is a long-term goal reached through a series of projects. ISACA CISM Review Manual Page 53

Business Linkages Start with understanding the specific objectives of a particular line of business. Take into consideration all information flows and processes that are critical to ensuring continued operations. This enables security to be aligned with, and to support, the business at the strategic, tactical and operational levels. ISACA CISM Review Manual Page 53

Objectives of Security Strategy The objectives of an information security strategy must be defined, be supported by metrics (measurable, for example against a Capability Maturity Model (CMM) level) and provide guidance. ISACA CISM Review Manual Page 55

Balanced Scorecard (BSC) See next slide for the diagram. The BSC ensures that multiple perspectives are considered when developing a security strategy, and seeks balance between competing interests. ISACA CISM Review Manual Page 55

Balanced Scorecard (BSC) Diagram (not reproduced): the scorecard perspectives shown are Financial, Customer, Process and Learning. ISACA CISM Review Manual Page 55

The Maturity of the Security Program Using CMM
0: Nonexistent - no recognition by the organization of the need for security
1: Ad hoc - risks are considered on an ad hoc basis; no formal processes
2: Repeatable but intuitive - emerging understanding of risk and the need for security
3: Defined process - company-wide risk management policy and security awareness
4: Managed and measurable - risk assessment is standard procedure; roles and responsibilities assigned; policies and standards in place
5: Optimized - organization-wide processes implemented, monitored and managed
ISACA CISM Review Manual Page 55

The ISO/IEC 27001:2013 Framework The goal of ISO/IEC 27001:2013 is to establish, implement, maintain and continually improve an information security management system (ISMS). Its Annex A groups the controls into 14 control domains with 35 control objectives and 114 controls; the management-system requirements themselves are set out in the main clauses of the standard. ISACA CISM Review Manual Page 56

Risk Management The basis for most security programs is risk management: risk identification, risk mitigation, and ongoing risk monitoring and evaluation. The CISM must remember that risk is measured according to its potential impact on the ability of the business to meet its mission, not just its impact on IT. ISACA CISM Review Manual Page 56

Examples of Other Security Frameworks SABSA (Sherwood Applied Business Security Architecture); COBIT; COSO; the Business Model for Information Security (BMIS), which originated at the Institute for Critical Information Infrastructure Protection. ISACA CISM Review Manual Pages 49, 61

Examples of Other Security Frameworks ISO standards on quality (ISO 9001:2000); Six Sigma; publications from NIST and the ISF; the US Federal Information Security Management Act (FISMA). ISACA CISM Review Manual Page 56

Constraints and Considerations for a Security Program Constraints: Legal (laws and regulatory requirements); Physical (capacity, space, environmental constraints); Ethics (appropriate, reasonable and customary); Culture (both inside and outside the organization); Costs (time, money); Personnel (resistance to change, resentment against new constraints). ISACA CISM Review Manual Page 59

Constraints and Considerations for a Security Program cont. Constraints: Organizational structure (how decisions are made and by whom; turf protection); Resources (capital, technology, people); Capabilities (knowledge, training, skills, expertise); Time (window of opportunity, mandated compliance); Risk tolerance (threats, vulnerabilities, impacts). ISACA CISM Review Manual Page 59

Security Program The program starts with theory and concepts, expressed as policy; policy is interpreted through standards, baselines and procedures; and compliance is measured through audit. ISACA CISM Review Manual Page 60

Architecture Information security architecture is similar to physical architecture: requirements definition, design and modeling, creation of detailed blueprints, then development and deployment. Architecture is planning and design to meet the needs of the stakeholders. A security architecture is one of the greatest needs for most organizations. ISACA CISM Review Manual Page 60

Using an Information Security Framework Effective information security is provided through adoption of a security framework, which defines information security objectives, aligns them with business objectives, provides metrics to measure compliance and trends, and standardizes baseline security activities enterprise-wide. ISACA CISM Review Manual Page 62

The Goal of Information Security The goal of information security is to protect the organization's assets, individuals and mission. This requires asset identification, classification of data and systems according to criticality and sensitivity, and application of appropriate controls. ISACA CISM Review Manual Page 62

Controls Controls include non-IT controls (e.g., labeling and handling requirements). Countermeasures reduce a vulnerability, i.e., reduce the likelihood or the impact of an incident. Controls should be arranged as a layered defense. ISACA CISM Review Manual Page 63

Elements of Risk and Security The next few slides list many of the factors that go into a security program. ISACA CISM Review Manual Page 64

Information Security Concepts Access Architecture Attacks Auditability Authentication Authorization Availability Business dependency analysis Business impact analysis Confidentiality Countermeasures Criticality Data classification Exposures Gap analysis Governance ISACA CISM Review Manual Page 64-69

Information Security Concepts cont. Identification Impact Integrity Layered security Management Nonrepudiation Risk / Residual risk Security metrics Sensitivity Standards Strategy Threats Vulnerabilities Enterprise architecture Security domains Trust models ISACA CISM Review Manual Page 64-69

Security Program Elements Policies Standards Procedures Guidelines Controls physical, technical, procedural Technologies Personnel security Organizational structure Skills ISACA CISM Review Manual Page 64-69

Security Program Elements cont. Training Awareness and education Compliance enforcement Outsourced security providers Other organizational support and assurance providers Facilities Environmental security ISACA CISM Review Manual Page 64-69

Centralized versus Decentralized Security Which is better? Consistency versus flexibility; central control versus local ownership; procedural versus responsive; core skills versus distributed skills; visibility to senior management versus visibility to users and local business units. ISACA CISM Review Manual Page 65

Audit and Assurance of Security An objective review of security risk, controls and compliance. Assurance regarding the effectiveness of security is part of regular organizational reporting and monitoring. ISACA CISM Review Manual Page 66

Ethical Standards Rules of behaviour: legal, corporate, industry, personal. ISACA CISM Review Manual Page 68

Ethical Responsibility Responsibility to all stakeholders: customers, suppliers, management, owners, employees, the community. ISACA CISM Review Manual Page 68

Evaluating the Security Program Metrics are used to measure results. Measure the security concepts that are important to the business, use metrics that can be collected in every reporting period, and compare results across periods to detect trends. ISACA CISM Review Manual Page 71

Effective Security Metrics Set metrics that indicate the health of the security program, for example in incident management, or the degree of alignment between security and business development: Was security consulted? Were controls designed into the systems, or added later? ISACA CISM Review Manual Page 71

Effective Security Metrics cont. Choose metrics that can be controlled: measure items that can be influenced or managed by local managers or by security, not external factors such as the number of viruses released in the past year. Have clear reporting guidelines and monitor on a regular, scheduled basis. ISACA CISM Review Manual Page 71

Key Performance Indicators (KPIs) Thresholds used to measure compliance / non-compliance, pass / fail, or satisfactory / unsatisfactory results. A KPI threshold is set at the level at which action should or must be taken: the alarm point. ISACA CISM Review Manual Page 71

End-to-End Security Security must be enabled across the organization, not just on a system-by-system basis. Performance measures should confirm that security systems are integrated with each other in layered defenses. ISACA CISM Review Manual Page 74

Correlation Tools The CISM may use Security Information and Event Management (SIEM) tools, and the earlier Security Information Management (SIM) and Security Event Management (SEM) products they combine, to aggregate data from across the organization: data analysis, trend detection, reporting tools. Added value on the exam but not in the ISACA book.
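The two preceding slides are abstract about what a correlation tool adds over per-system monitoring and how a KPI alarm point is applied to its output. The following is an added example written for this page; it is not code from the course, from Firebrand or from ISACA. It assumes a constructed, already-normalised log format, two hypothetical sources (a VPN gateway "vpn-gw01" and a domain controller "dc01"), made-up user names and illustrative thresholds. The cross-source rule flags an account whose failed logons appear on two or more systems inside a short window, something neither system's own lockout counter would see; the failure count per period gives the trend between reporting periods, and the alarm point turns the result into an action / no-action KPI reading.

```python
"""Cross-source correlation of failed logons plus a KPI alarm point.

Added example for the CISM course transcript; not ISACA or course code.
Log format, host names, user names and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) from two hypothetical sources,
# normalised by a collector to: <timestamp> <source> user=<u> result=<r> ...
SAMPLE_EVENTS = """\
2016-03-22T08:00:00Z vpn-gw01 user=dave result=FAIL src=198.51.100.9
2016-03-22T08:00:05Z vpn-gw01 user=alice result=FAIL src=203.0.113.7
2016-03-22T08:00:09Z vpn-gw01 user=alice result=FAIL src=203.0.113.7
2016-03-22T08:00:14Z dc01 user=alice result=FAIL src=10.0.0.55
2016-03-22T08:00:20Z dc01 user=alice result=FAIL src=10.0.0.55
2016-03-22T08:05:00Z dc01 user=carol result=OK src=10.0.0.21
2016-03-22T08:10:00Z vpn-gw01 user=bob result=FAIL src=203.0.113.9
2016-03-22T08:10:30Z vpn-gw01 user=bob result=FAIL src=203.0.113.9
2016-03-22T08:11:00Z vpn-gw01 user=bob result=FAIL src=203.0.113.9
2016-03-22T08:11:30Z vpn-gw01 user=bob result=FAIL src=203.0.113.9
this line did not parse at the collector
2016-03-22T09:30:00Z dc01 user=dave result=FAIL src=10.0.0.55
2016-03-22T09:31:00Z dc01 user=dave result=FAIL src=10.0.0.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<source>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)"
)


def parse_events(text):
    """Parse collector lines into dicts; return (events, number_unparsed).
    Parse failures are counted, not dropped silently: a SIEM that loses
    events without saying so cannot support a trustworthy metric."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events, unparsed


def correlate_failures(events, window=timedelta(minutes=5),
                       min_sources=2, min_failures=3):
    """Flag accounts with >= min_failures failed logons spanning
    >= min_sources distinct systems inside one sliding window.
    Returns {user: sorted list of sources}. Thresholds are illustrative."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            sources = {e["source"] for e in win}
            if len(win) >= min_failures and len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


def failure_trend(events, period=timedelta(hours=1)):
    """Count failed logons per reporting period, oldest first, so the
    current period can be compared with the previous one."""
    epoch = datetime(1970, 1, 1)
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            start = epoch + ((e["ts"] - epoch) // period) * period
            counts[start] += 1
    return sorted(counts.items())


def kpi_status(value, alarm_point):
    """Apply the alarm point: at or above it, action is required."""
    return "action required" if value >= alarm_point else "satisfactory"


def run_report(text, alarm_point=1):
    """One reporting-period run: correlate, trend, and read the KPI."""
    events, unparsed = parse_events(text)
    flagged = correlate_failures(events)
    return {
        "flagged_accounts": flagged,
        "unparsed_lines": unparsed,
        "failures_per_period": failure_trend(events),
        "status": kpi_status(len(flagged), alarm_point),
    }


if __name__ == "__main__":
    print(run_report(SAMPLE_EVENTS))
```

On the constructed input only "alice" is flagged: "bob" fails four times but on a single system, and "dave" fails on both systems but ninety minutes apart, so no five-minute window covers both sources. The KPI reads "action required" because the alarm point is set at one flagged account; raising the alarm point or widening the window changes the reading, which is the point of the slides: the threshold is a management decision, the tool only makes the count possible.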

Regulations and Standards The CISM must be aware of national laws (privacy; reporting and performance regulations) and industry standards (Payment Card Industry Data Security Standard (PCI DSS); Basel II). Added value on the exam but not in the ISACA book.

Effect of Regulations Requirements for business operations; potential impact of a breach (cost, reputation); scheduled reporting requirements (frequency, format). Added value on the exam but not in the ISACA book.

Reporting and Analysis Data gathering at the source (accuracy, identification); reports signed by an organizational officer. Added value on the exam but not in the ISACA book.