
ISACA - Firebrand Training


Kit Code: K-106-01 www.firebrandtraining.co.uk ISACA CISM Certification Certified Information Security Manager Courseware Courseware version 6.2


Transcription of ISACA - Firebrand Training

Kit Code: K-106-01 ISACA CISM Certification Certified Information Security Manager Courseware
6/1/2017, 2017 Firebrand

CISM Certified Information Security Manager
Firebrand Custom Designed Courseware

Logistics
Start Time
Breaks
End Time
Fire escapes
Instructor
Introductions

Introduction to Information Security Management

Course Mission
Educational Value
  Both theoretical and practical
  Up-to-date
  Relevant

CISM Certified Information Security Manager
Designed for personnel that have (or want to have) responsibility for managing an Information Security program
Tough but very good quality examination
Requires understanding of the concepts behind a security program, not just the definitions

CISM Exam Review Course Overview
The CISM Exam is based on the CISM job practice.

The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its are four content areas that the CISM candidate is expected to know.

Job Practice Areas

Domain Structure
Information Security Governance
Information Risk Management
Information Security Program Development and Management
Information Security Incident Management
Relationship between domains: mandates, drives, requires, influences, informs

CISM Qualifications
To earn the CISM designation, information security professionals are required to:
  Successfully pass the CISM exam
  Adhere to the ISACA Code of Professional Ethics
  Agree to comply with the CISM continuing education policy
  Submit verified evidence of five (5) years of work experience in the field of information security.

Waivers are permitted for certifications

The Examination

Description of the Exam
The exam consists of 150 multiple choice questions that cover the CISM job practice hours are allotted for completing the exam
See the Job Practice Areas including Task Statements and Knowledge Statements listed on the ISACA website

Examination Day
Be on time!!
Nothing may be brought into the exam room
Breaks are permitted but the clock does not stop
All questions are multiple choice with four possible responses. Only choose the ONE BEST answer
Preliminary pass/fail results provided at completion of the exam
Detailed score provided via email in ten days

Completing the Examination Items
Read each question carefully
Read ALL answers prior to selecting the BEST answer
Mark the appropriate answer
Do not skip any questions
There is no penalty for guessing.

Answer every

Grading the Exam
Candidate scores are reported as a scaled score based on the conversion of a candidate's raw score on an exam to a common uses and reports scores on a common scale from 200 to 800.
A candidate must receive a score of 450 or higher to Luck!

End of Introduction
Welcome to the CISM course!!

2017 CISM Review Course
Chapter 1: Information Security Governance

Information Security Governance
Develop information security governance aligned with organisational objectives
Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organisational goals and objectives

Learning Objectives
Understand the purpose of an information security governance, what it consists of and how to accomplish it
Understand the purpose of an information security strategy, its objectives, and the reasons and steps required to develop one
Understand the meaning, content, creation and use of policies, standards, procedures and guidelines and how they relate to one another

Learning Objectives (continued)
Develop business cases and gain commitment from senior leadership
Define governance metrics requirements, selection and creation

Introduction
To effectively address the ever-growing challenges of providing adequate protection for information assets, an information security strategy is essential.
  Documents the direction and goals for the security program
  Provides the basis for governance

Governance
Governance: The rules that run the organisation including policies, standards and procedures
  Sets direction and control for the organisation's activities

Steps in Establishing Governance
Senior management deciding on desired outcomes
  Based on acceptable risk
Develop a security strategy based on those objectives
  Move from current to desired state
Create a roadmap to reach the objectives

Security Policies
Designed to mitigate risk
  Usually developed in response to an actual or perceived threat
State management's intent and direction at a high level
Policies support strategic objectives

Standards
Are developed or modified to set boundaries for people, processes, procedures and technologies
To maintain compliance with policies and support the achievement of the organisation's goals and , standards are combined with other controls ( , technical, physical, administrative) to create the security baselines.

Business Case
Used to capture the business reasoning for initiating a project or task
Should identify needs and business purpose
Should include all factors that could affect project success or failure
Total Cost of Ownership (TCO) should address costs across the lifecycle of the project

Living Document
Strategy is never static as businesses evolve
  Internal changes
  External changes
Objectives, approaches and methods may change to meet new conditions

Information Security Strategy Success
Senior management support is essential
  Funding
  Staffing
  Compliance
Support gained by
  Educating senior management
  Develop persuasive business cases

Effective Security
Everyone must have responsibility for security and risk management
Everyone must be aware of security policies and procedures
Information Security must be measured and monitored
Establish management accountability

Information Security Governance
Information is data with meaning and purpose
Information is indispensable to conduct business effectively today
Information must be:
  Available
  Have Integrity of data and process
  Be kept confidential as needed
Protection of information is a responsibility of the Board of Directors

Information Security
Information Protection includes:
  Accountability
  Oversight
  Prioritisation
  Risk Management
  Compliance (Regulations and Legislation)

Outcomes of Information Security Governance
Develop, implement and manage a program.
  Strategic alignment
  Risk management
  Value delivery
  Resource optimisation
  Performance measurement
  Assurance process integration

Business Goals and Objectives
Strategy linked to business
Policies based on strategy
Standards based on policy
Organisational structure with adequate resources and authority
Defined workflows and structures that establish responsibilities and accountability
Metrics and monitoring processes to ensure compliance and report on control effectiveness

Security Program Priorities
Achieve high standards of corporate governance
Treat information security as a critical business issue
Create a security positive environment
Have declared responsibilities

Determining Risk Capacity
Risk capacity is the objective amount of loss an enterprise can tolerate without its continued existence being called into question
Risk appetite is defined as the amount of risk senior management is willing to accept in the pursuit of its mission
Risk acceptance is a formal process but must not exceed the risk capacity

Scope and Charter of Information Security Governance
Protect information in any medium
  Written
  Spoken
  Electronic
Whether it is being created, viewed, transported, stored or destroyed

Information Technology vs Information Security
IT has a focus on technology and the boundaries of technology
Information security protects information at all times and locations, not just technology
IT is not usually the owner of the data
  IT have care of or custody of the data and act as custodians for the data owner

GRC: Governance, Risk Management and Compliance
Governance: the responsibility of senior management and the board of directors
Risk management: the process by which an organisation manages risk to an acceptable level
Compliance: ensures that policies and standards are adequately adhered to

Business Model for Information Security
A system must be viewed holistically, not merely as a sum of its parts
Examine how complex systems work
Network of:
  Events
  Relationships
  Reactions
  Consequences
  Technologies
  People
  Processes

BMIS (continued)
Elements of the BMIS model:
  Organisation design and strategy
  People
  Process
  Technology

Assurance Process Integration - Convergence
Integration of silos that were traditionally separate
  Physical security
  Risk management
  Privacy
  Compliance
  Information security

Roles and Responsibilities
Role: a designation assigned to an individual by virtue of a job function or other label
Responsibility: a description of a procedure or function related to the role that someone is accountable to perform
RACI Model: Responsible, Accountable, Consulted, Informed
Skills must be considered when creating RACI charts: proficiencies, competencies, specific skills

Culture
Culture represents organisational behaviour, norms, teamwork, attitude
Culture is affected by: Backgrounds, work ethics, values, past experiences, individual filters, perceptions
Create a positive security culture

Governance Roles and Responsibilities
Board of Directors/Senior Management
  Effective security requires senior management support and oversight
  Exercise due care
Senior Management
  Leadership and ongoing support
  Responsible for ensuring that resources, functions and supporting infrastructure are available and properly utilised

Roles and Responsibilities
Business Process Owners
  Assist in development of the security strategy
Steering Committee
  Represent all stakeholders
  Review strategy, specific action and progress.

