CISM Exam Boot Camp

I. About CISM

Requirements for certification

• Experience
• Passing the exam
• The ISACA Code of Ethics
• Maintaining certification

II. Information Security Governance

• Overview
• Information is a valuable resource in all of its formats
• Not just IT related
• We need to converge information security into the business
• Effective information security governance
• Business drivers
• Business support
• Provide assurance to management
• Risk objectives
• Operational risk management
• We must be able to meet our desired state
• Build an information security strategy
• Business model for information security (BMIS)
• Strategy
• Controls
• Types of controls
• IT controls
• Non-IT controls
• Countermeasures
• Example defense in depth
• Provide assurance to management
• ISO 27001
• Security Metrics
• Extend security knowledge to everyone
• Awareness
• Training
• Education
• Action plan to implement strategy
• Projects
• Gap analysis
• Critical success factors

III. Information Risk Management & Compliance

• 1. Overview
• 2. Information classification
• Why should information be classified
• Developing the program
• Ownership
• Responsibilities
• 3. Methods to evaluate impact of adverse events
• Business impact analysis
• 4. Legal and regulatory requirements
• 5. Emerging threats and vulnerabilities
• Sources of information
• 6. Risk management
• Elements of risk
• Risk assessment
• Prioritizing risk
• Reporting risk
• Monitoring Risk
• Risk handling
• Control baseline modeling
• Controls
• Gap analysis
• Integrate risk management into business and IT processes
• Compliance
• 7. Re-assessing risk and changing security program elements
• Risk management is a cyclic process
• Triggers to re-assess

IV. Information Security Program Development & Management

• 1. Overview
• 2. Align information security program to business function
• 3. Resource requirements definition
• Internal
• External
• Identify, acquire and manage
• 4. Emerging trends in information security
• Cloud computing
• Mobile computing
• 5. Security control design
• 6. Security architectures
• BSIM
• 7. Methods to develop
• Standards
• Procedures
• Guidelines
• 8. Methods to implement and communicate
• Policies
• Standards
• Procedures
• Guidelines
• 9. Security awareness and training
• Methods to establish
• Methods to maintain
• 10. Methods to integrate security requirements into organizational processes
• 11. Methods to incorporate security requirements
• Contracts
• 3rd party management processes
• 12. Security metrics
• Design
• Implement
• Report
• 13. Testing security controls
• Effectiveness
• Applicability

V. Information Security Incident Management

• 1. Overview
• 2. Definition
• Distinction between IR, BCP and DRP
• Senior management commitment
• Policy
• Personnel
• 3. Objectives
• Intended outcomes
• Incident management
• Incident handling
• Incident response
• Incident systems and tools
• 4. What technologies must an IRT know?
• Vulnerabilities/Weaknesses
• Networking
• Operating systems
• Malicious software
• Programming languages
• 5. Defining incident management procedures
• Plan for management
• 6. Current state of incident response plan
• Gap analysis
• 7. Develop a plan
• Plan elements
• Notification process
• Escalation process
• Help desk process for identifying incidents
• Response teams
• 8. Challenges in developing a plan
• 9. BCP/DRP
• Recovery operations
• Recovery strategies
• Recovery sites
• Basis for recovery site selection
• Notification requirements
• Supplies
• Communication structure
• Testing the plan
• Recovery test metrics
• Test results
• Post-incident activities and investigations