ISACA® is a registered trademark of Information Systems Audit and Control Association. CISA®, Certified Information Systems Auditor®, CISM®, CGEIT®, Certified in the Governance of Enterprise IT/CGEIT® (and design)®, COBIT® are registered trademarks of ISACA®. CRISC™, Certified in Risk and Information Systems Control™, Certified Information Security Manager™, Risk IT™, Val IT™ are trademarks of ISACA®. Trademarks are properties of their holders, who are not affiliated with the mind map author.
It covers 4 domains, 37 tasks and 60 knowledge statements (statements covering the required technical knowledge).
The CISM® certification / designation reflects a solid achievement record in managing information security, as well as in such areas as risk analyses, risk management, security strategy, security organisation etc.
ISACA® CISM® Item Development Guide, http://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISM-Item-Development-Guide-2013.pdf
ISACA® CISM® QAE Item Development Guide, https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISM-QAE-Item-Development-Guide.pdf
Has 4 elements, Organization Design and Strategy, People, Process, Technology
A structured deployment of risk-based controls related to, People, Processes, Technology
Security is a business-driven activity.
The content area for Domain 1 will represent ..., 24% of the CISM® examination, 62 questions
What is it?, Corporate governance is the set of responsibilities and practices exercised by the board and executive management
Goals, Providing strategic direction, Reaching security and business objectives, Ensuring that risks are managed appropriately, Verifying that the enterprise’s resources are used responsibly
The goal of information security is to protect the organization’s assets, individuals and mission, requires, Asset identification, Classification of data and systems according to criticality and sensitivity, Application of appropriate controls
The Business case for initiating a project must be captured and communicated:, Reference, Context, Value Proposition, Focus, Deliverables, Dependencies, Project metrics, Workload, Required resources, Commitments, The Business case for Security must address the same criteria
Security needs to be integrated INTO the business processes
Goal, The goal is to reduce security gaps through organizational-wide security programs
Integrate IT with, Physical security, Risk Management, Privacy and Compliance, Business Continuity Management
Outcomes of effective InfoSec Governance, Strategic alignment, Risk management, Value delivery, Resource management, Performance measurement, Integration
Benefits of effective InfoSec Governance, Compliance and protection from litigation or penalties, Cost savings through better risk management, Avoid risk of lost opportunities, Better oversight of systems and business operations, Opportunity to leverage new technologies to business advantage, Improved trust in customer relationships, Protecting the organization’s reputation, Better accountability for safeguarding information during critical business activities, Reduction in loss through better incident handling and disaster recovery
Information security architecture is similar to physical architecture, Requirements definition, Design / Modeling, Creation of detailed blueprints, Development, Deployment
Architecture is planning and design to meet the needs of the stakeholders
Security architecture is one of the greatest needs for most organizations
Effective information security is provided through adoption of a security framework, Defines information security objectives, Aligns with business objectives, Provides metrics to measure compliance and trends, Standardizes baseline security activities enterprise-wide
Examples of Other Security Frameworks, SABSA (Sherwood Applied Business Security Architecture), Business Model for Information Security, Model originated at the Institute for Critical Information Infrastructure Protection, COBIT, COSO, ISO27001:2013, Goal, Establish, Implement, Maintain, Continually improve, Contains, 14 Clauses, 35 Control Objectives, 114 Controls
Objectives, Ensure the availability of systems and data, e.g., Allow access to the correct people in a timely manner, Protect the integrity of data and business processes, e.g., Ensure no improper modifications, Protect confidentiality of information, e.g., Prevent unauthorized disclosure of information, Privacy, trade secrets
Priorities, Achieve high standards of corporate governance, Treat information security as a critical business issue, Create a security-positive environment, Have declared responsibilities
Security versus Business, Security must be aligned with business needs and direction, Security is woven into the business functions, Strength, Resilience, Protection, Stability, Consistency
Starts with theory and concepts, Policy
Interpreted through, Procedures, Baselines, Standards
Measured through audit
Information Security Concepts
Evaluating the Security Program, Audit and Assurance of Security, Metrics are used to measure results, Measure security concepts that are important to the business, Use metrics that can be used for each reporting period, Compare results and detect trends, Key Performance Indicators (KPIs), Thresholds to measure, Compliance / non-compliance, Pass / fail, Satisfactory / unsatisfactory results, A KPI is set at a level that indicates action should / must be taken, Alarm point
End-to-End Security, Security must be enabled across the organization – not just on a system-by-system basis, Performance measures should ensure that security systems are integrated with each other, Layered defenses
Developing Information Security Strategy, Long term perspective, Standard across the organization, Aligned with business strategy / direction, Understands the culture of the organization, Reflects business priorities
Achieving the desired state is a long-term goal of a series of projects
Goal, Protect the organization’s information assets
Objectives, 6 defined outcomes of security governance will provide high-level guidance to Information Security Strategy, Defined, Supported by metrics (measurable), Provide guidance, The long-term objectives describe the “desired state”, Should describe a well-articulated vision of the desired outcomes for a security program, Security strategy objectives should be stated in terms of specific goals directly aimed at supporting business activities
Elements, Road map, Includes people, processes, technologies and other resources, A security architecture: defining business drivers, resource relationships and process flows, Resources, Policies, Standards, Procedures, Guidelines, Architecture, Controls, physical, technical, procedural, Countermeasures, Layered defenses, Technologies, Personnel security, Organizational structure, Roles and responsibilities, Skills, Training, Awareness and education, Audits, Compliance enforcement, Vulnerability analysis, Risk assessment, Business impact assessment, Resource dependency analysis, Third-party service providers, Other organizational support and assurance providers, Facilities, Environmental security, Constraints, Legal, Laws and regulatory requirements, Physical, Capacity, space, environmental constraints, Ethics, Appropriate, reasonable and customary, Culture, Both inside and outside the organization, Costs, Time, money, Personnel, Resistance to change, resentment against new constraints, Organizational structure, How decisions are made and by whom, turf protection, Resources, Capital, technology, people, Capabilities, Knowledge, training, skills, expertise, Time, Window of opportunity, mandated compliance, Risk tolerance, Threats, vulnerabilities, impacts
Information Security Strategy Business Linkages, Start with understanding the specific objectives of a particular line of business, Take into consideration all information flows and processes that are critical to ensuring continued operations, Enable security to be aligned with and support business at strategic, tactical and operational levels
Desired State of Security, The “desired state of security” must be defined in terms of attributes, characteristics and outcomes, It should be clear to all stakeholders what the intended security state is, Available approaches to provide a framework to achieve a well-defined “desired state”, COBIT (Control Objectives for Information and related Technology), “Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity”, Focuses on IT-related processes from IT governance, management and control perspectives, Capability Maturity Model (CMM), Balanced Scorecard (BSC), Enterprise Architecture approaches, The Open Group Architecture Framework (TOGAF), Zachman Enterprise Architecture Framework, Extended Enterprise Architecture Framework (E2AF), ISO/IEC 27001 and 27002
Criteria, Meaningful, Accurate, Cost-effective, Repeatable, Predictive, Actionable, Genuine
Types, Performance metrics, Risk management metrics, Value delivery metrics, Resource management metrics, Strategic alignment metrics
Set metrics that will indicate the health of the security program, Incident management, Degree of alignment between security and business development, Was security consulted, Were controls designed in the systems or added later
Choose metrics that can be controlled, Measure items that can be influenced or managed by local managers / security, Not external factors such as number of viruses released in the past year, Have clear reporting guidelines, Monitor on a regular scheduled basis
0: Nonexistent—No recognition by organization of need for security
1: Ad hoc—Risks are considered on an ad hoc basis—no formal processes
2: Repeatable but intuitive—Emerging understanding of risk and need for security
3: Defined process—Companywide risk management policy/security awareness
4: Managed and measurable—Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place
5: Optimized—Organization-wide processes implemented, monitored and managed
Senior Management, Senior Management Commitment / Buy-in, To be successful, information security must have the support of senior management (top-down), Budget, Direction / Policy, Reporting and Monitoring, A bottom-up management approach to information security activities is much less likely to be successful, Sets the tone at the top
Board of directors / Senior Management, Information security governance / Accountability
Steering committee, Ensuring that all stakeholders impacted by security considerations are involved, Oversight and monitoring of Information Security Program, Acts as Liaison between Management, Business, Information Technology, and Information Security, Ensures all stakeholder interests are addressed, Oversees compliance activities
Executive management, Implementing effective security governance, Defining the strategic security objectives, Developing an effective information security strategy, Budget and Support
Chief Information Security Officer (CISO), Responsible for Information security related activity, Compliance, Investigation, Testing, Policy
Business Manager, Responsible for security enforcement and direction in their area, Day to day monitoring, Reporting, Disciplinary actions, Compliance
IT Staff, Responsible for security design, deployment and maintenance, System and Network monitoring, Reporting, Operations of security controls, Compliance
Industry standards, Payment Card Industry (PCI), Basel II
Effect of Regulations, Potential impact of breach, Cost, Reputation, Scheduled reporting requirements, Frequency, Format
Reporting and Analysis, Data gathering at source, Accuracy, Identification, Reports signed by Organizational Officer
Rules of behaviour, Legal, Corporate, Industry, Personal
Ethical Responsibility, Responsibility to all stakeholders, Customers, Suppliers, Management, Owners, Employees, Community
ISACA Code of Ethics, Required for all ISACA certification holders, Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems., Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices., Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession., Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties., Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence., Inform appropriate parties of the results of work performed; revealing all significant facts known to them., Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
The content area for Domain 1 will represent ..., 33% of the CISM® examination, 62 questions
The content area for Domain 1 will represent ..., 25% of the CISM® examination, 62 questions
The content area for Domain 1 will represent ..., 18% of the CISM® examination, 62 questions
CISM® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.
PBE & CBE (only pencil & eraser are allowed), PBE - Paper-based exam, CBE - Closed-book exam
4 hour exam.
200 multiple choice questions designed with one best answer.
No negative points.
Pre-requisite for exam: none
Pre-requisite for certification: Read the CISM® Application Form, https://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Apply-for-certification/Documents/CISM-application.pdf