CISM by Mind Map: CISM

1. Security Program

1.1. Strategy

1.1.1. Policy

1.1.1.1. Standard

1.1.1.1.1. Baseline

1.1.1.1.2. Guideline (not mandatory)

1.2. Development

1.2.1. Sec Awareness Training

1.2.1.1. Mitigate Social Engineering

1.2.1.2. Lower residual risk

1.2.2. Data Classification Awareness

1.2.3. Control Design

1.2.3.1. Controls

1.2.3.1.1. Preventive

1.2.3.1.2. Detective

1.2.3.1.3. Corrective

1.2.4. Sec Architecture

1.3. Management

1.3.1. Change Management

1.3.1.1. Align with Sec Prog

1.3.1.2. Prevents system weaknesses (vs. Patch Mgmt, which prevents security weaknesses from being introduced)

1.3.2. Outsource & Vendor

1.3.2.1. Right to Audit / Sec Review Regularly

1.3.2.2. Contract

1.3.3. Access

1.3.3.1. Role Based Access Control

1.3.3.1.1. SOD

1.3.3.2. Mandatory - no delegation

1.3.4. Metric

1.3.4.1. Relevance to recipient

1.4. Operation

1.4.1. DMZ / Screened subnet (IDS)

1.5. Effective

1.5.1. Senior Management

1.5.2. Biz Relationship

1.5.3. Cost of control vs Cost of Asset

2. Incident Management

2.1. Incident Response - resiliency

2.1.1. Defined roles and responsibility

2.2. BCP

2.2.1. RTO: Length of Time

2.2.2. RPO: age of data/extent of data loss, before-image restore

2.2.3. DR mode

2.2.3.1. Hot Site

2.2.3.2. Warm

2.2.3.3. Cold

2.2.3.4. Mirror

2.2.3.5. Reciprocal

2.2.4. DR test

2.2.4.1. Checklist

2.2.4.2. Walk through

2.2.4.3. Simulation

2.2.4.4. Full Operation

2.2.5. Max Tolerable Outage > Allowable Interruption Window > RTO

2.2.6. Service Delivery Objective

3. Governance, Strategy, Objectives & Metrics

3.1. Governance

3.1.1. capability maturity model (CMM)

3.2. Roles and Responsibilities

3.2.1. Clear - Accountability

3.2.2. Ultimate or Final - Board / Sr. Management

3.2.3. Maturity Level -> Process Performance and Capability

3.2.4. COO > CISO

3.2.5. Data Owner - classifies info; responsible for access and for the app storing the data

3.2.6. Data Custodian / Sec Admin

3.2.6.1. enforce access rights

3.2.6.2. securing info asset

3.3. 3rd Party Governance

3.3.1. Org culture - Risk Appetite

3.3.2. Culture diff

3.3.3. Cost of compliance vs Sanctions

3.3.4. Retention policy - Legal and regulatory

3.3.4.1. app system and media

4. Risk Management

4.1. Asset Classification

4.1.1. Valuation

4.1.1.1. Impact of compromise

4.1.2. Impact assessment

4.1.2.1. Criticality

4.1.2.2. Sensitivity

4.2. Data Classification

4.2.1. Protection level

4.3. Risk Appetite / Risk Tolerance Level

4.4. Risk Assessment

4.4.1. Annually or whenever significant change

4.4.2. Regulatory Compliance - just another risk

4.4.3. Qualitative analysis - scenario with threat

4.4.4. Quantify - interruption insurance

4.4.5. Value At Risk - Max probable loss over time

4.4.6. Vulnerability Assessment - Assurance to Management

4.4.7. Output: inventory of risk

4.4.8. Penetration Test - Network & System misconfig

4.4.9. Effectiveness: % of incident from unknown risk