Transcription of CISM Study Guide
CISM Study Guide
Christian Reina, CISSP, CISA, CRISC
2010

"An investment in knowledge pays the best interest." Benjamin Franklin

_____

This document may be used only for informational, training and noncommercial purposes.

Table of Contents

Information Security Governance .. 7
Overview .. 7
Significant benefits: .. 7
Outcomes: .. 7
Effective Governance .. 7
Business goals and objectives .. 7
Roles and Responsibilities .. 8
Governance, Risk and Compliance .. 8
Business Model for Information Security .. 8
Information security manager .. 9
Obtaining senior management commitment .. 9
Governance metrics .. 9
Effective security metrics .. 9
Strategic alignment .. 9
Risk management .. 9
Value .. 9
Resource management .. 9
Performance measurement .. 9
Assurance integration .. 9
Common pitfalls in developing a security strategy .. 10
Strategic Objectives .. 10
The goal .. 10
Business case development .. 10
The desired .. 11
Risk objectives .. 11
Information security strategy .. 12
Road map .. 12
Resources .. 12
Constraints .. 12
Action Plan .. 13
Information Risk Management .. 13
Overview .. 13
Effective information risk management .. 14
Development .. 14
Roles and Responsibilities .. 14
Implementing Risk Management .. 14
Process: .. 14
Framework .. 14
External and Internal environment .. 14
Risk management scope .. 15
Risk Assessment .. 15
NIST approach .. 15
Aggregated and cascading risk .. 15
Other .. 15
Identification of .. 15
Threats .. 16
Vulnerabilities .. 16
Risks .. 16
Risk Analysis .. 16
Evaluation of risks .. 16
Risk treatment .. 16
Impact .. 16
Controls .. 16
Information Resource valuation .. 16
Information Asset Classification .. 17
Impact assessment and analysis .. 17
Integration with Life Cycle Processes .. 17
Risk monitoring and communication .. 17
Information Security Program .. 17
Overview .. 17
Outcomes .. 17
Information Security Manager Responsibilities .. 17
Scope and Charter development .. 18
Development Objectives .. 18
Defining objectives .. 18
Residual risks .. 18
The Desired State .. 18
Defining a program development road map .. 19
Program Resources .. 19
Implementing an Information security program .. 20
PDCA Methodology .. 20
Information Infrastructure and Architecture .. 20
[title missing] .. 20
Development Metrics .. 21
Levels .. 21
Attributes .. 21
Goals .. 21
Information Security Program Management .. 22
Overview .. 22
Outcomes .. 22
Roles and responsibilities .. 22
Information security manager .. 22
Board of directors .. 23
Executive management .. 23
Steering committee .. 23
[title missing] .. 23
Business unit managers .. 23
Management Framework .. 23
Technical .. 23
Operational .. 23
Management .. 24
Administrative .. 24
Educational .. 24
Assurance integration .. 24
Measuring Performance .. 24
Risk and Loss .. 24
Support of business objectives .. 24
Compliance .. 24
Operational productivity .. 24
Cost effectiveness .. 25
Organizational awareness .. 25
Technical security architecture .. 25
Effectiveness of management framework and resources .. 25
Operational performance .. 25
Management challenges .. 25
Determine the State of Information Security .. 25
Information Security Management Resources .. 26
Implementing Management .. 26
Outsourcing .. 27
Incident Management and Response .. 27
Overview .. 27
Incident management and response .. 28
Incident handling process .. 28
Detection and .. 28
Triage .. 28
Analysis .. 28
Incident response .. 28
Information security manager responsibilities .. 28
Metrics and Indicators .. 28
Strategic alignment .. 28
Risk management .. 29
Assurance process integration .. 29
Value .. 29
Resource management .. 29
Performance Measurement .. 29
Plan of action .. 29
Challenges .. 29
Resources .. 30
BIA .. 30
Goals .. 30
Activities .. 30
Current state of incident response capability .. 31
Developing an incident response plan .. 31
Elements .. 31
Gap analysis .. 31
Response and recovery plans .. 31
Threat mitigation .. 31
Recovery sites .. 31
Basis for recovery .. 31
Incident management teams .. 32
Continuity of network services .. 32
Insurance .. 32
Testing .. 32
Types of tests .. 32
Test Results .. 33
Executing Response and Recovery Plans .. 33
Ensuring Execution as .. 33
Forensic Evidence .. 33

Information Security Governance

Overview

Significant benefits:
    Policy compliance
    Lowering risks
    Optimize resources
    Assurance on critical decisions
    Efficient and effective risk management
    Trust and reputation

Outcomes:
1. Strategic Alignment
    a. Security requirements driven by organizational objectives
    b. Security solutions fit for organizational processes
    c. Investments aligned with the organizational strategy
2. Risk Management
    a. Collective understanding
    b. Risk mitigation
3. Value delivery
    a. Standard set of security practices
    b. Prioritizing security objectives based on risk analysis
4. Resource management
    a. Knowledge is captured and available
    b. Efficient security architecture
5. Performance measurement
    a. Metrics
    b. External assessments and audits
6. Integration
    a. Relationships with assurance functions
    b. Roles and responsibilities between assurance functions should not overlap

Effective Governance

Business goals and objectives
    Security strategy linked with business objectives
    Policies address each aspect of strategy, controls, and regulation
    Standards for each policy
    Sufficient authority
    Metrics and monitoring

Roles and Responsibilities

Board of directors/senior management
    Validating and ratifying the key assets they want protected and the protection levels
    Penalties for noncompliance must be communicated and enforced

Executive management
    Implement effective security governance
    Align information security activities in support of business objectives

Steering Committee
    Consensus on priorities and tradeoffs
    Ensuring the alignment of the security program with business objectives

CISO
    CISO, CSO, C-level: responsibility, authority, and required resources to improve the security posture

Governance, Risk and Compliance
    Governance: senior executive management responsibility
    Risk management: risk tolerance, risk identification and impact, risk mitigation
    Compliance: records and monitors the policies, procedures, and controls needed to ensure that policies and standards are adhered to

Business Model for Information Security
1. Elements
    a. Organization design and strategy
    b. People
        i. Recruitment strategies
        ii. Employment issues
        iii.