CISM Exam Boot Camp

1. About CISM
Requirements for certification
· Experience
· Passing the exam
· The ISACA Code of Ethics
· Maintaining certification

2. Information Security Governance

· Information is a valuable resource in all of its formats
· Not just IT related
· We need to converge information security into the business

Effective information security governance
· Business drivers
· Business support
· Provide assurance to management

Risk objectives
· Operational risk management
· We must be able to meet our desired state

Build an information security strategy
· Business model for information security (BMIS)
· Strategy

Controls
· Types of controls
· IT controls
· Non-IT controls
· Countermeasures
· Example defense in depth

Provide assurance to management
· ISO 27001
· Security Metrics

Extend security knowledge to everyone
· Awareness
· Training
· Education



Action plan to implement strategy
· Projects
· Gap analysis
· Critical success factors

3. Information Risk Management & Compliance

Information classification
· Why should information be classified
· Developing the program
· Ownership
· Responsibilities

Methods to evaluate impact of adverse events
· Business impact analysis
· Legal and regulatory requirements

Emerging threats and vulnerabilities
· Sources of information

Risk management
· Elements of risk
· Risk assessment
· Prioritizing risk
· Reporting risk
· Monitoring Risk
· Risk handling
· Control baseline modeling

Controls
· Gap analysis
· Integrate risk management into business and IT processes
· Compliance

Re-assessing risk and changing security program elements
· Risk management is a cyclic process
· Triggers to re-assess






4. Information Security Program Development & Management

Align information security program to business function
· Resource requirements definition
· Internal
· External
· Identify, acquire and manage

Emerging trends in information security
· Cloud computing
· Mobile computing

Security control design

Security architectures
· BSIM

Methods to develop
· Standards
· Procedures
· Guidelines

Methods to implement and communicate
· Policies
· Standards
· Procedures
· Guidelines

Security awareness and training
· Methods to establish
· Methods to maintain

Methods to integrate security requirements
into organizational processes
· Methods to incorporate security requirements
· Contracts
· 3rd party management processes

Security metrics
· Design
· Implement
· Report


Testing security controls
· Effectiveness
· Applicability

5. Information Security Incident Management
Definition
· Distinction between IR, BCP and DRP
· Senior management commitment
· Policy
· Personnel

Objectives
· Intended outcomes
· Incident management
· Incident handling
· Incident response
· Incident systems and tools

What technologies must an IRT know?
· Vulnerabilities/Weaknesses
· Networking
· Operating systems
· Malicious software
· Programming languages

Defining incident management procedures
· Plan for management

Current state of incident response plan
· Gap analysis

Develop a plan
· Plan elements
· Notification process
· Escalation process
· Help desk process for identifying incidents
· Response teams

Challenges in developing a plan

BCP/DRP
· Recovery operations
· Recovery strategies
· Recovery sites
· Basis for recovery site selection
· Notification requirements
· Supplies
· Communication structure
· Testing the plan
· Recovery test metrics
· Test results
· Post-incident activities and investigations