Certified Information Security Manager Exam Prep Guide: Aligned with the latest edition of the CISM Review Manual to help you pass the exam with confidence
By Hemang Doshi
()
About this ebook
With cyber threats on the rise, IT professionals are now choosing cybersecurity as the next step to boost their career, and holding the relevant certification can prove to be a game-changer in this competitive market. CISM is one of the top-paying and most sought-after certifications by employers.
This CISM Certification Guide comprises comprehensive self-study exam content for those who want to achieve CISM certification on the first attempt. This book is a great resource for information security leaders with a pragmatic approach to challenges related to real-world case scenarios. You'll learn about the practical aspects of information security governance and information security risk management. As you advance through the chapters, you'll get to grips with information security program development and management. The book will also help you to gain a clear understanding of the procedural aspects of information security incident management.
By the end of this CISM exam book, you'll have covered everything needed to pass the CISM certification exam and have a handy, on-the-job desktop reference guide.
Read more from Hemang Doshi
CISA Exam - Testing Concept-Fire Suppression Systems (Domain-5) Rating: 5 out of 5 stars5/5CISA Exam-Testing Concept-Knowledge of Logical Access Control Rating: 3 out of 5 stars3/5CISA EXAM-Testing Concept-Knowledge of Compliance & Substantive Testing Aspects Rating: 3 out of 5 stars3/5CRISC Exam - Study Guide Rating: 0 out of 5 stars0 ratingsCISA EXAM-Testing Concept-Digital Signature Rating: 3 out of 5 stars3/5CISA Exam-Testing Concept-Knowledge of Risk Assessment Rating: 3 out of 5 stars3/5CISA EXAM-Testing Concept-Roles of various functions Rating: 2 out of 5 stars2/5CISA Exam-Testing Concept-Elements of PKI i.e CA/RA/CRL/CPS (Domain-5) Rating: 4 out of 5 stars4/5CISA EXAM-Testing Concept-Firewall Rating: 3 out of 5 stars3/5CISA Exam-Testing Concept-Decision Support System (DSS) (Domain-3) Rating: 0 out of 5 stars0 ratingsCISA Exam - Testing Concept-Network Physical Media (Fiber Optic/ UTP/STP/Co-axial) (Domain-4) Rating: 0 out of 5 stars0 ratingsCertified Ethical Hacker (CEH) Exam - Study Guide Rating: 0 out of 5 stars0 ratingsCISA Exam-Testing Concept-OSI Architecture (Domain-5) Rating: 0 out of 5 stars0 ratingsCISA Exam-Testing Concept-PERT/CPM/Gantt Chart/FPA/EVA/Timebox (Chapter-3) Rating: 2 out of 5 stars2/5CISA EXAM-Testing Concept-Recovery Time Objective (RTO) & Recovery Point Objective (RPO) Rating: 1 out of 5 stars1/5Certified Information Security Manager Exam Prep Guide: Gain the confidence to pass the CISM exam using test-oriented study material Rating: 0 out of 5 stars0 ratings
Related to Certified Information Security Manager Exam Prep Guide
Related ebooks
Certified Information Security Manager Exam Prep Guide: Gain the confidence to pass the CISM exam using test-oriented study material Rating: 0 out of 5 stars0 ratingsInformation Security Handbook: Enhance your proficiency in information security program development Rating: 0 out of 5 stars0 ratingsMastering Information Security Compliance Management: A comprehensive handbook on ISO/IEC 27001:2022 compliance Rating: 0 out of 5 stars0 ratingsInfosec Strategies and Best Practices: Gain proficiency in information security using expert-level strategies and best practices Rating: 0 out of 5 stars0 ratingsExecutive's Cybersecurity Program Handbook: A comprehensive guide to building and operationalizing a complete cybersecurity program Rating: 0 out of 5 stars0 ratingsIncident Response in the Age of Cloud: Techniques and best practices to effectively respond to cybersecurity incidents Rating: 0 out of 5 stars0 ratingsPractical Cybersecurity Architecture: A guide to creating and implementing robust designs for cybersecurity architects Rating: 0 out of 5 stars0 ratingsCybersecurity Attacks – Red Team Strategies: A practical guide to building a penetration testing program having homefield advantage Rating: 0 out of 5 stars0 ratingsCybersecurity Architect's Handbook: An end-to-end guide to implementing and maintaining robust security architecture Rating: 0 out of 5 stars0 ratingsCISSP Official (ISC)2 Practice Tests Rating: 5 out of 5 stars5/5Cybersecurity Blue Team Strategies: Uncover the secrets of blue teams to combat cyber threats in your organization Rating: 0 out of 5 stars0 ratingsCISA Certified Information Systems Auditor All-in-One Exam Guide, Third Edition Rating: 5 out of 5 stars5/5CISA Certified Information Systems Auditor Study Guide Rating: 5 out of 5 stars5/5The CISO Perspective: Understand the importance of the CISO in the cyber threat landscape Rating: 0 out of 5 stars0 ratingsBuilding an Effective Cybersecurity Program, 2nd Edition Rating: 0 out of 5 stars0 ratings(ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests Rating: 0 out of 5 stars0 ratingsAgile Security Operations: Engineering for agility in cyber defense, detection, and response Rating: 0 out of 5 stars0 ratings(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests Rating: 5 out of 5 stars5/5Cybersecurity and Privacy Law Handbook: A beginner's guide to dealing with privacy and security while keeping hackers at bay Rating: 0 out of 5 stars0 ratingsThe Chief Information Security Officer: Insights, tools and survival skills Rating: 1 out of 5 stars1/5Nine Steps to Success: An ISO 27001:2022 Implementation Overview Rating: 0 out of 5 stars0 ratingsImplementing an Information Security Management System: Security Management Based on ISO 27001 Guidelines Rating: 0 out of 5 stars0 ratingsCCSP (ISC)2 Certified Cloud Security Professional Exam Guide: Build your knowledge to pass the CCSP exam with expert guidance Rating: 0 out of 5 stars0 ratings
Computers For You
The Invisible Rainbow: A History of Electricity and Life Rating: 5 out of 5 stars5/5Procreate for Beginners: Introduction to Procreate for Drawing and Illustrating on the iPad Rating: 0 out of 5 stars0 ratingsSlenderman: Online Obsession, Mental Illness, and the Violent Crime of Two Midwestern Girls Rating: 4 out of 5 stars4/5The Innovators: How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution Rating: 4 out of 5 stars4/5Elon Musk Rating: 4 out of 5 stars4/5Standard Deviations: Flawed Assumptions, Tortured Data, and Other Ways to Lie with Statistics Rating: 4 out of 5 stars4/5CompTIA IT Fundamentals (ITF+) Study Guide: Exam FC0-U61 Rating: 0 out of 5 stars0 ratingsMastering ChatGPT: 21 Prompts Templates for Effortless Writing Rating: 5 out of 5 stars5/5101 Awesome Builds: Minecraft® Secrets from the World's Greatest Crafters Rating: 4 out of 5 stars4/5The Professional Voiceover Handbook: Voiceover training, #1 Rating: 5 out of 5 stars5/5The Complete Powershell Training for Beginners Rating: 0 out of 5 stars0 ratingsEverybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5The ChatGPT Millionaire Handbook: Make Money Online With the Power of AI Technology Rating: 4 out of 5 stars4/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5Alan Turing: The Enigma: The Book That Inspired the Film The Imitation Game - Updated Edition Rating: 4 out of 5 stars4/5CompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide Rating: 5 out of 5 stars5/5Uncanny Valley: A Memoir Rating: 4 out of 5 stars4/5How to Create Cpn Numbers the Right way: A Step by Step Guide to Creating cpn Numbers Legally Rating: 4 out of 5 stars4/5Ultimate Guide to Mastering Command Blocks!: Minecraft Keys to Unlocking Secret Commands Rating: 5 out of 5 stars5/5CompTIA Security+ Practice Questions Rating: 2 out of 5 stars2/5Deep Search: How to Explore the Internet More Effectively Rating: 5 out of 5 stars5/5The Huffington Post Complete Guide to Blogging Rating: 3 out of 5 stars3/5
Reviews for Certified Information Security Manager Exam Prep Guide
0 ratings0 reviews
Book preview
Certified Information Security Manager Exam Prep Guide - Hemang Doshi
BIRMINGHAM—MUMBAI
Certified Information Security Manager Exam Prep Guide
Copyright © 2021 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Preet Ahuja
Senior Editor: Shazeen Iqbal
Content Development Editor: Romy Dias
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Joshua Misquitta
First published: November 2021
Production reference: 1241121
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80107-410-0
www.packt.com
To my mother, Jyoti Doshi, and to the memory of my father, Hasmukh Doshi, for their sacrifices and for exemplifying the power of determination.
To my wife, Namrata Doshi, for being my loving partner throughout our life journey together, and to my 6 year-old daughter, Jia Doshi, for allowing me to write this book.
To my sister, Pooja Shah, my brother-in-law, Hiren Shah, and my nephew, Phenil Shah, for their love, support, and inspiration.
To my in-laws, Chandrakant Shah, Bharti Shah, and Ravish Shah, for their love and motivation. To my mentor and guide, Dipak Mazumder, for showing me how talent and creativity evolve.
To the extremely talented editorial team at Packt, including Preet Ahuja, Neil D'mello, Shazeen Iqbal, and Romy Dias, for their wonderful support throughout the journey of writing this book.
– Hemang Doshi
Contributors
About the author
Hemang Doshi is a chartered accountant and a Certified Information System Auditor with more than 15 years' experience in the field of information system auditing/risk-based auditing/compliance auditing/vendor risk management/due diligence/system risk and control. He is the founder of CISA Exam Study and CRISC Exam Study, dedicated platforms for those studying for the CISA and CRISC certifications, respectively. He has also authored a few books on information security.
I wish to thank those people who have been close to me and supported me, especially my wife, Namrata, and my parents.
About the reviewers
When George McPherson was pulled through the ranks and pinned as a 21-year-old Sergeant in the U.S. Army over 20 years ago, he learned two things about himself. He could accomplish anything he put his mind to, and he would always pull others up if he was in a position to do so. George prides himself on integrity, an insane work ethic, attention to detail and (his greatest super-power) outside-the-box creativity. With 25 years in the technology industry, the first 18 in telecoms and the last 7 in cybersecurity, George has had the opportunity to work in industries such as the military, telecoms, local government, healthcare, and electric utilities.
George has over 20 professional certifications, including the CISM certification.
I would like to thank my beautiful wife, Audrey, whose constant support and sacrifice fuel my success.
Upen Patel is an IT professional with 20 years' experience, holding numerous professional IT certifications including CISM, CISA, CDPSE, CRISC, CCSP, CISSP, and Splunk Certified Architect. Upen attained a B.Sc. in geology from York College (CUNY), an M.Sc. in environment engineering from NYU Polytechnic Institute, and an M.Sc. in security and information assurance from Pace. Upen has held several positions, including cloud architect and security engineer, risk assessment expert, CyberArk consultant, and Splunk architecture consultant. He has worked on the implementation of many large public cloud projects on Azure and AWS and developed an automated DevRiskOps process in public. He has also implemented a large Splunk SIEM solution.
I would like to thank my family for their motivation and support.
Table of Contents
Preface
Section 1: Information Security Governance
Chapter 1: Information Security Governance
Introducing information security governance
The responsibility of information security governance4
Governance framework5
Key aspects from the CISM exam perspective 6
Questions 7
Understanding governance, risk management, and compliance
Key aspects from the CISM exam perspective 14
Questions 15
Discovering the maturity model
Key aspects from the CISM exam perspective 16
Questions 16
Getting to know the information security roles and responsibilities
Board of directors18
Senior management19
Business process owners19
Steering committee 19
Chief information security officer20
Chief operating officer20
Data custodian20
Communication channel 20
Indicators of a security culture21
Key aspects from the CISM exam perspective 21
Questions 22
Finding out about the governance of third-party relationships
The culture of an organization 37
Compliance with laws and regulations 37
Key aspects from the CISM exam perspective 38
Questions 38
Obtaining commitment from senior management
Information security investment 47
Strategic alignment 47
Key aspects from the CISM exam perspective 48
Questions 48
Introducing the business case and the feasibility study
Feasibility analysis 57
Key aspects from the CISM exam perspective 57
Questions 57
Understanding information security governance metrics
The objective of metrics 63
Technical metrics vis-à-vis governance-level metrics63
Characteristics of effective metrics 63
Key aspects from the CISM exam perspective 64
Questions 64
Summary
Chapter 2: Practical Aspects of Information Security Governance
Information security strategy and plan
Information security policies70
Key aspects from the CISM exam perspective 71
Practice questions 72
Information security program
Key aspects from the CISM exam perspective 88
Practice questions 88
Enterprise information security architecture
Challenges in designing security architectures91
Benefits of security architectures92
Key aspects from the CISM exam perspective 92
Practice questions 92
Organizational structure
Board of directors 93
Security steering committee93
Reporting of the security function93
Centralized vis-à-vis decentralized security functioning 94
Key aspects from the CISM exam perspective 95
Practice questions 95
Record retention
Electronic discovery 97
Key aspects from the CISM exam perspective 97
Practice questions 98
Awareness and education
Increasing the effectiveness of security training99
Key aspects from the CISM exam perspective 99
Summary
Section 2: Information Risk Management
Chapter 3: Overview of Information Risk Management
Risk management overview
Phases of risk management 104
The outcome of the risk management program105
Key aspects from the CISM exam's perspective 105
Questions 105
Risk management strategy
Risk capacity, appetite, and tolerance107
Risk communication 108
Risk awareness 109
Tailored awareness program 109
Training effectiveness 109
Awareness training for senior management 109
Key aspects from the CISM exam's perspective 110
Questions110
Implementing risk management
Risk management process 113
Integrating risk management in business processes 114
Prioritization of risk response 114
Defining a risk management framework 114
Defining the external and internal environment 115
Determining the risk management context115
Gap analysis 115
Cost-benefit analysis 116
Other kinds of organizational support 116
Key aspects from the CISM exam's perspective 117
Questions119
Risk assessment and analysis methodologies
Phases of risk assessment 139
Risk assessment
Asset identification 140
Asset valuation 140
Aggregated and cascading risk 141
Identifying risk141
Threats and vulnerabilities 143
Risk, likelihood, and impact 144
Risk register 145
Risk analysis145
Annual loss expectancy 148
Value at Risk (VaR)148
OCTAVE 148
Other risk analysis methods149
Evaluating risk150
Risk ranking 151
Risk ownership and accountability 151
Risk treatment options 151
Understanding inherent risk and residual risk 152
Security baseline 153
Key aspects from the CISM exam's perspective 154
Questions155
Summary
Chapter 4: Practical Aspects of Information Risk Management
Information asset classification
Benefits of classification 180
Understanding the steps involved in classification 180
Success factors for effective classification 181
Criticality, sensitivity, and impact assessment 182
Business dependency assessment 182
Risk analysis 182
Business interruptions 182
Key aspects from the CISM exam's perspective 183
Questions 184
Asset valuation
Determining the criticality of assets 194
Key aspects from the CISM exam's perspective 194
Questions 195
Operational risk management
Recovery time objective (RTO)200
Recovery Point Objective (RPO)200
Difference between RTO and RPO 200
Service delivery objective (SDO)202
Maximum tolerable outage (MTO)203
Allowable interruption window (AIW)203
Questions203
Outsourcing and third-party service providers
Evaluation criteria for outsourcing204
Steps for outsourcing205
Outsourcing – risk reduction options205
Provisions for outsourcing contracts206
The role of the security manager in monitoring outsourced activities206
Service-level agreement 206
Right to audit clause207
Impact of privacy laws on outsourcing 207
Sub-contracting/fourth party207
Compliance responsibility208
Key aspects from the CISM exam's perspective 208
Questions 209
Risk management integration with the process life cycle
System development life cycle 221
Key aspects from the CISM exam's perspective 222
Questions 222
Summary
Chapter 5: Procedural Aspects of Information Risk Management
Change management
The objective of change management 226
Approval from the system owner226
Regression testing 226
Involvement of the security team 226
Preventive control226
Key aspects from a CISM exam perspective 227
Questions 227
Patch management
Key aspects from a CISM exam perspective 233
Questions 233
Security baseline controls
Benefits of a security baseline 236
Developing a security baseline 236
Key aspects from a CISM exam perspective 236
Questions 237
Risk monitoring and communication
Risk reporting 239
Key risk indicators240
Reporting significant changes in risk 240
Key aspects from a CISM exam perspective 241
Questions 241
Security awareness training and education
Key aspects from a CISM exam perspective 254
Questions 254
Documentation
Summary
Section 3: Information Security Program Development Management
Chapter 6: Overview of Information Security Program Development Management
Information security program management overview
Outcomes of an information security program 269
The starting point of a security program270
Information security charter270
Support from senior management 270
Defense in depth 271
Key aspects from a CISM exam perspective 272
Questions 272
Information security program objectives
Key aspects from a CISM exam perspective276
Questions 276
Information security framework components
Framework – success factor278
Key aspects from a CISM exam perspective280
Questions280
Defining an information security program road map
Gap analysis284
Value of a security program284
Security program integration with another department 285
Key aspects from a CISM exam perspective285
Questions286
Policy, standards, and procedures
Reviewing and updating documents290
Key aspects from a CISM exam perspective 290
Questions 291
Security budget
Key aspects from a CISM exam perspective 296
Questions 296
Security program management and administrative activities
Information security team298
Acceptable usage policy 299
Documentation 299
Project management 300
Program budgeting 300
Plan – do – check – act 301
Security operations 301
Key aspects from a CISM exam perspective 302
Questions 303
Privacy laws
Questions313
Summary
Chapter 7: Information Security Infrastructure and Architecture
Information security architecture
Key learning aspects from the CISM exam perspective 317
Questions 317
Architecture implementation
Key aspects from the CISM exam perspective 319
Questions 320
Access control
Mandatory access control323
Discretionary access control324
Role-based access control324
Degaussing (demagnetizing)324
Key aspects from the CISM exam perspective 325
Questions 325
Virtual private networks
VPNs – technical aspects 332
Advantages of VPNs332
VPNs – security risks 332
Virtual desktop infrastructure environment 332
Key aspects from the CISM exam perspective 333
Questions 333
Biometrics
Biometrics – accuracy measure336
Biometric sensitivity tuning 337
Control over the biometric process338
Types of biometric attacks339
Questions 339
Factors of authentication
Password management 346
Key aspects from the CISM exam perspective 347
Questions 347
Wireless network
Enabling encryption 351
Enabling MAC filtering351
Disabling the SSID351
Disabling DHCP351
Common attack methods and techniques for a wireless network 352
Key aspects from the CISM exam perspective352
Questions 353
Different attack methods
Key aspects from the CISM exam perspective360
Questions 362
Summary
Chapter 8: Practical Aspects of Information Security Program Development Management
Cloud computing
Cloud computing – deployment models376
Types of cloud services 377
Cloud computing – the security manager's role378
Key aspects from a CISM exam perspective 380
Questions 380
Controls and countermeasures
Countermeasures 383
General controls and application-level controls 383
Control categories 384
Failure mode – fail closed or fail open385
Continuous monitoring 385
Key aspects from a CISM exam perspective 385
Questions 386
Penetration testing
Aspects to be covered within the scope of the test394
Types of penetration tests 394
White box testing and black box testing 395
Risks associated with penetration testing 395
Key aspects from a CISM exam perspective 396
Questions396
Security program metrics and monitoring
Objective of metrics 401
Monitoring 401
Attributes of effective metrics 401
Information security objectives and metrics 402
Useful metrics for management 402
Key aspects from a CISM exam perspective 403
Questions 403
Summary
Chapter 9: Information Security Monitoring Tools and Techniques
Firewall types and their implementation
Types of firewalls412
Types of firewall implementation415
Placing firewalls 416
Source routing 417
Firewall and the corresponding OSI layer417
Key aspects from the CISM exam's perspective 417
Questions 418
IDSes and IPSes
Intrusion detection system428
Intrusion prevention system432
Difference between IDS and IPS432
Honeypots and honeynets 432
Key aspects from the CISM exam's perspective 432
Questions 433
Digital signature
Creating a digital signature444
What is a hash or message digest?444
Key aspects from the CISM exam's perspective447
Questions 447
Elements of PKI
PKI terminologies455
The process of issuing a PKI456
CA versus RA456
Single point of failure 457
Functions of RA457
Key aspects from the CISM exam's perspective457
Questions 458
Asymmetric encryption
Symmetric encryption vis a vis asymmetric encryption 462
Encryption keys463
Using keys for different objectives464
Key aspects from the CISM exam's perspective 466
Questions467
Summary
Section 4: Information Security Incident Management
Chapter 10: Overview of Information Security Incident Manager
Incident management overview
Objectives of incident management 474
Phases of the incident management life cycle 474
Incident management, business continuity, and disaster recovery 475
Incident management and service delivery objective476
Maximum tolerable outage (MTO) and allowable interruption window (AIW)476
Key aspects from the CISM exam’s perspective 477
Practice questions478
Incident response procedure
The outcome of incident management 493
The role of the information security manager 494
Security Information and Event Management (SIEM)494
Key aspects from the CISM exam’s perspective 496
Practice questions 496
Incident management metrics and indicators
Key performance indicators and key goal indicators 498
Metrics for incident management 498
Reporting to senior management 499
The current state of the incident response capabilities
History of incidents 500
Threats and vulnerabilities 500
Threats 500
Vulnerability 501
Developing an incident response plan
Elements of an IRP501
Gap analysis 504
Business impact analysis 504
Escalation process 505
Help desk/service desk process for identifying incidents 506
Incident management and response teams 507
Incident notification process 507
Challenges in developing an incident management plan508
Key aspects from the CISM exam’s perspective 508
Practice questions 509
Summary
Chapter 11: Practical Aspects of Information Security Incident Management
Business continuity and disaster recovery procedures
Phases of recovery planning 525
Recovery sites525
Continuity of network services 530
Insurance 531
Key aspects from the CISM exam's perspective 531
Practice questions 532
Testing incident response, BCP, and DRP
Types of test544
Effectiveness of tests545
Category of tests545
Recovery test metrics 546
Success criteria for the test547
Key aspects from the CISM exam's perspective 548
Practice questions548
Executing response and recovery plans
Key aspects from the CISM exam's perspective 554
Practice questions 555
Post-incident activities and investigation
Identifying the root cause and corrective action558
Documenting the event558
Chain of custody 558
Key aspects from the CISM exam's perspective 560
Practice questions 561
Summary
Other Books You May Enjoy
Preface
ISACA's Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management, and risk management. Whether you are seeking a new career opportunity or striving to grow within your current organization, a CISM certification proves your expertise in these work-related domains:
Information security governance
Information risk management
Information security program development and management
Information security incident management
Who this book is for
This book is ideal for IT risk professionals, IT auditors, CISOs, information security managers, and risk management professionals.
What this book covers
Chapter 1, Information Security Governance, is an overview of information security governance.
Chapter 2, Practical Aspects of Information Security Governance, discusses information security strategies.
Chapter 3, Overview of Information Risk Management, covers basic elements of risk management.
Chapter 4, Practical Aspects of Information Risk Management, covers tools and techniques for risk management programs.
Chapter 5, Procedural Aspects of Information Risk Management, covers risk communication and security training awareness.
Chapter 6, Overview of Information Security Program Development Management, discusses basic elements of information security program development and management.
Chapter 7, Information Security Infrastructure and Architecture, discusses information security infrastructure and architecture.
Chapter 8, Practical Aspects of Information Security Program Development Management, discusses various controls and countermeasures.
Chapter 9, Information Security Monitoring Tools and Techniques, emphasizes the importance of monitoring tools and techniques.
Chapter 10, Overview of Information Security Incident Manager, discusses basic elements of information security incident management.
Chapter 11, Practical Aspects of Information Security Incident Management, covers business continuity and disaster recovery processes.
To get the most out of this book
This book is completely aligned with the CISM Review Manual of ISACA. It is advisable to follow these steps during your CISM studies:
Read this book.
Complete ISACA's QAE book or database.
Refer to ISACA's CISM Review Manual.
CISM aspirants will gain a lot of confidence if they approach their CISM preparation by following these steps.
Download the color images
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801074100_ColorImages.pdf.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share your thoughts
Once you've read Certified Information Security Manager Exam Guide, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
Section 1: Information Security Governance
This part is about the management and governance of information security. It covers 24% of the CISM certification exam.
This section contains the following chapters:
Chapter 1, Information Security Governance
Chapter 2, Practical Aspects of Information Security Governance
Chapter 1: Information Security Governance
Governance is an important aspect of the certified information security manager (CISM) exam.
In this chapter, we will cover an overview of information security governance and aim to understand the impact of good governance on the effectiveness of information security projects.
You will learn about assurance functions such as governance, risk, and compliance (GRC), and details about the various roles and responsibilities of the security function. You will also be introduced to the best practices for obtaining the commitment from the senior management of an organization toward information security.
The following topics will be covered in this chapter:
Introducing information security governance
Understanding GRC
Discovering the maturity model
Getting to know the information security roles and responsibilities
Finding out about the governance of third-party relationships
Obtaining commitment from senior management
Introducing the business case and the feasibility study
Understanding information security governance metrics
Let's dive in and discuss each one of these topics in detail.
Introducing information security governance
In simple terms, governance can be defined as a set of rules to direct, monitor, and control an organization's activities. Governance can be implemented by way of policies, standards, and procedures.
The information security governance model is primarily impacted by the complexity of an organization's structure. An organization's structure includes objectives, its vision and mission, different function units, different product lines, hierarchy structure, leadership structure, and other relevant factors. A review of organizational structure will help the security manager to understand the roles and responsibilities of information security governance, as discussed in our next topic.
The responsibility of information security governance
The responsibility for information security governance primarily resides with the board of directors and senior management. Information security governance is a subset of the overall enterprise governance. The board of directors is required to make security an important part of governance by way of monitoring key aspects of security. Senior management holds the responsibility to ensure that security aspects are integrated with business processes.
The involvement of senior management and the steering committee in discussions and in the approval of security projects indicates that the management is committed to aspects relating to security. Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight on the security environment of the organization.
It is very important for a CISM aspirant to understand the steps for establishing the governance, as we will discuss in the next section.
Steps for establishing the governance
For effective governance, it should be established in a structured manner. A CISM aspirant should understand the following steps for establishing governance:
First, determine the objectives of an information security program. Most often, these objectives are derived from risk management and the acceptable level of risk that you are willing to take. One example of an objective for a bank may be that the system should always be available for customers – that is, there should be zero downtime. Information security objectives must also align with and be guided by the organization's business objectives.
The next step is that the information security manager develops a strategy and requirements based on these objectives. The security manager is required to conduct a gap analysis and identify the strategy to move to the desired state of security from its current state of security. The desired state of security is also termed as the security objectives. This gap analysis becomes the basis for the strategy.
The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security manager needs to consider various factors such as time limits, resource availability, the security budget, laws and regulations, and other relevant factors.
These specific actions are implemented by way of security policies, standards, and procedures.
Governance framework
The governance framework is a structure or outline that supports the implementation of the information security strategy. They provide the best practices for a structured security program. Frameworks are a flexible structure that any organization can adopt as per their environment and its requirements. Governance frameworks such as COBIT and ISO 27000 are both examples of widely accepted and implemented frameworks for security governance.
Let's look a bit closer at an example of information security governance in the next section.
The aim of information security governance
Information security governance is a subset of the overall enterprise governance of an organization. The same framework should be used for both enterprise governance and information security governance for better integration between the two.
The following are the objectives of information security governance:
To ensure that security initiatives are aligned with the business's strategy and support organizational objectives.
To optimize security investments and ensure the high-value delivery of business processes.
To monitor the security processes to ensure that security objectives are achieved.
To integrate and align the activities of all assurance functions for effective and efficient security measures.
To ensure that residual risks are well within acceptable limits. This gives comfort to the management.
We will now go through the key aspects from the perspective of the CISM exam, and in our next topic, we will discuss important aspects of GRC. A CISM aspirant should understand why it is important to integrate all GRC functions.
Key aspects from the CISM exam perspective
The following are some of the key aspects from the CISM exam perspective:
Table 1.1 – Key aspects from the CISM exam perspectiveTable 1.1 – Key aspects from the CISM exam perspective
Questions
The effectiveness of information security governance is best indicated by which of the following?
A. Security projects are discussed and approved by a steering committee.
B. Security training is mandatory for all executive-level employees.
C. A security training module is available on the intranet for all employees.
D. Patches are tested before deployment.
Answer: A. Security projects are discussed and approved by a steering committee.
Explanation: The involvement of a steering committee in the discussion and approval of security projects indicates that the management is committed to security governance. The other options are not as significant as option A.
An information security governance model is most likely to be impacted by which of the following?
A. The number of workstations.
B. The geographical spread of business units.
C. The complexity of the organizational structure.
D. The information security budget.
Answer: C. The complexity of the organizational structure.
Explanation: The information security governance model is primarily impacted by the complexity of the organizational structure. The organizational structure includes the organization's objectives, vision and mission, hierarchy structure, leadership structure, different function units, different product lines, and other relevant factors. The other options are not as significant as option C.
Which of the following is the first step in implementing information security governance?
A. Employee training.
B. The development of security policies.
C. The development of security architecture.
D. The availability of an incident management team.
Answer: B. The development of security policies.
Explanation: Security policies indicate the intent of the management. Based on these policies, the security architecture and various procedures are designed.
Which of the following factors primarily drives information security governance?
A. Technology requirements.
B. Compliance requirements.
C. The business strategy.
D. Financial constraints.
Answer: C. The business strategy.
Explanation: Information security governance should support the business strategy. Security must be aligned with business objectives. The other options are not a primary driver of information security governance.
Which of the following is the responsibility of the information security governance steering committee?
A. To manage the information security team.
B. To design content for security training.
C. To prioritize the information security projects.
D. To provide access to critical systems.
Answer: C. To prioritize the information security projects.
Explanation: One of the important responsibilities of a steering committee is to discuss, approve, and prioritize information security projects and to ensure that they are aligned with the goals and objectives of the enterprise.
Which of the following is the first step of information security governance?
A. To design security procedures and guidelines.
B. To develop a security baseline.
C. To define the security strategy.
D. To develop security policies.
Answer: C. To define the security strategy.
Explanation: The first step is to adopt the security strategy. The next step is to develop security policies based on this strategy. The step after this is to develop security procedures and guidelines based on the security policies.
Which of the following is the most important factor for an information security governance program?
A. To align with the organization's business strategy.
B. To be derived from a globally accepted risk management framework.
C. To be able to address regulatory compliance.
D. To promote a risk-aware culture.
Answer: A. To align with the organization's business strategy.
Explanation. The most important objective of an information security governance program is to ensure that the information security strategy is in alignment with the strategic goals and objectives of the enterprise. The other options are secondary factors.
Which of the following is effective governance best indicated by?
A. An approved security architecture.
B. A certification from an international body.
C. Frequent audits.
D. An established risk management program.
Answer: D. An established risk management program.
Explanation: An effective and efficient risk management program is a key element of effective governance. The other options are not as significant as an established risk management program.
Which of the following is the effectiveness of governance best ensured by?
A. The use of a bottom-up approach.
B. Initiatives by the IT department.
C. A compliance-oriented approach.
D. The use of a top-down approach.
Answer: D. The use of a top-down approach.
Explanation: In a top-down approach, policies, procedures, and goals are set by senior management, and as a result, the policies and procedures are directly aligned with the business objectives. A bottom-up approach may not directly address management priorities. Initiatives by the IT department and a compliance-oriented approach are not as significant as the use of a top-down approach.
What is the prime responsibility of the information security manager in the implementation of security governance?
A. To design and develop the security strategy.
B. To allocate a budget for the security strategy.
C. To review and approve the security strategy.
D. To train the end users.
Answer: A. To design and develop the security strategy.
Explanation: The prime responsibility of the information security manager is to develop the security strategy based on the business objectives in coordination with the business process owner. The review and approval of the security strategy is the responsibility of the steering committee and senior management. The security manager is not directly required to train the end users. The budget allocation is the responsibility of senior management.
What is the most important factor when developing information security governance?
A. To comply with industry benchmarks.
B. To comply with the security budget.
C. To obtain a consensus from the business functions.
D. To align with organizational goals.
Answer: D. To align with organizational goals.
Explanation: The objective of the security governance is to support the objectives of the business. The most important factor is to align with organizational objectives and goals. The other options are secondary factors.
What is the prime objective of GRC:
A. To synchronize and align the organization's assurance functions.
B. To address the requirements of the information security policy.
C. To address the requirements of regulations.
D. To design low-cost a security strategy.
Answer: A. To synchronize and align the organization's assurance functions.
Explanation: The concept of GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered secondary objectives.
What organizational areas are the main focus for GRC?
A. Marketing and risk management.
B. IT, finance, and legal.
C. Risk and audit.
D. Compliance and information security.
Answer: B. IT, finance, and legal.
Explanation: Though a GRC program can be applied in any function of the organization, it is mostly focused on IT, finance, and legal areas. Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on IT processes. Legal GRC focuses on the overall enterprise-level regulatory compliance. GRC is majorly focused on IT, finance, and legal processes to ensure that regulatory requirements are adhered to and risks are appropriately addressed.
What is the most effective way to build an information security governance program?
A. To align the requirements of the business with an information security framework.
B. To understand the objectives of the business units.
C. To address regulatory requirements.
D. To arrange security training for all managers.
Answer: B. To understand the objectives of the business units.
Explanation: The information security governance program will not be effective if it is not able to address the requirements of the business units. The objective of the business units can be best understood by reviewing their processes and functions. Option A is not correct, as security requirements should be aligned with the business and not the other way round. Options C and D are not as significant as option B.
What is the main objective of information security governance?
A. To ensure the adequate protection of information assets.
B. To provide assurance to the management about information security.
C. To support complex IT infrastructure.
D. To optimize the security strategy to support the business objectives.
Answer: D. To optimize the security strategy to support the business objectives.
Explanation: The objective of security governance is to set the direction to ensure that the business objectives are achieved. Unless the information security strategy is aligned with the business objectives, the other options will not offer any value.
The security manager noticed inconsistencies in the system configuration. What is the most likely reason for this?
A. Documented procedures are not available.
B. Ineffective governance.
C. Inadequate training.
D. Inappropriate standards.
Answer: B. Ineffective governance.
Explanation: Governance is the process of oversight to ensure the availability of effective and efficient processes. A lack of procedures, training, and standards is a sign of ineffective governance.
What is an information security framework best described as?
A. A framework that provides detailed processes and methods.
B. A framework that provides required outputs.
C. A framework that provides structure and guidance.
D. A framework that provides programming inputs.
Answer: C. A framework that provides structure and guidance.
Explanation: A framework is a structure intended to support the processes and methods. They provide outlines and basic structure rather than detailed processes and methods. Frameworks are generally not intended to provide programming inputs.
What is the main reason for integrating information security governance into business activities?
A. To allow the optimum utilization of security resources.
B. To standardize the processes.
C. To support operational processes.
D. To address operational risks.
Answer: D. To address operational risks.
Explanation: The main objective of integrating the security aspect in business processes is to address operational risks. The other options may be considered secondary benefits.
Which of the following is the most important attribute of an effective information security governance framework?
A. A well-defined organizational structure with necessary resources and defined responsibilities.
B. The availability of the organization's policies and guidelines.
C. The business objectives support the information security strategy.
D. Security guidelines supporting regulatory requirements.
Answer: A. A well-defined organizational structure with necessary resources and defined responsibilities.
Explanation: The most important attribute is a well-defined organizational structure that minimizes any conflicts of interest. This ensures better governance. Options B and D are important aspects, but option A is more critical. Option C is not correct, as the security strategy supports the business objectives, and not the other way round.
What is the most effective method to use to develop an information security program?
A. A standard.
B. A framework.
C. A process.
D. A model.
Answer: B. A framework.
Explanation: A framework is the most suitable method for developing an information security program as they are more flexible in adoption. Some of the common frameworks include ISO 27001 and COBIT. Standards, processes, and models are not as flexible as frameworks.
Understanding governance, risk management, and compliance
GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance.
Governance, risk management, and compliance are three related aspects that help to achieve the organization's objectives. GRC aims to lay down operations for more effective organizational processes and avoiding wasteful overlaps. Each of these three disciplines impacts the organizational technologies, people, processes, and information. If governance, risk management, and compliance activities are handled independently of each other, it may result in a considerable amount of duplication and a waste of resources. The integration of these three functions helps to streamline the assurance activities of an organization by addressing the overlapping and duplicated GRC activities.
Though a GRC program can be applied in any function of the organization, it is mostly focused on the financial, IT, and legal areas.
Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on information technology processes. Legal GRC focuses on the overall enterprise-level regulatory compliance.
GRC is an ever-evolving concept, and a security manager should understand the current state of GRC in their organization and determine how to ensure its continuous improvement.
Key aspects from the CISM exam perspective
The following are some of the key aspects from a CISM exam perspective:
Table 1.2 – Key aspects from the CISM exam perspectiveTable 1.2 – Key aspects from the CISM exam perspective
Questions
Which of the following is the main objective of implementing GRC procedures?
A. To minimize the governance cost.
B. To improve risk management.
C. To synchronize security initiatives.
D. To ensure regulatory compliance.
Answer: B. To improve risk management.
Explanation: GRC is implemented by integrating interrelated control activities across the organization for improving risk management activities. The other options are secondary objectives.
What is the prime objective of GRC?
A. To synchronize and align the organization's assurance functions.
B. To address the requirements of the information security policy.
C. To address the requirements of regulations.
D. To design a low-cost security strategy.
Answer: A. To synchronize and align the organization's assurance functions.
Explanation: The concept of GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered secondary objectives.
Discovering the maturity model
CISM aspirants are expected to understand the basic details of a maturity model. A maturity model is a tool that helps the organization to assess the current effectiveness of a process and to determine what capabilities they need to improve their performance.
Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. The following list defines the different maturity levels of an organization:
Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.
Level 1: Performed: On this level, the process can achieve its intended purpose.
Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled.
Level 3: Established: Apart from the Level 2 process, there is a well-defined, documented, and established process to manage the process.
Level 4: Predictable: On this level, the process is predictable and operates within defined parameters and limits to achieve its intended purpose.
Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.
The CMM indicates a scale of 0 to 5 based on process maturity level, and it is the most common method applied by organizations to measure their existing state and then to determine the desired one.
Maturity models identify the gaps between the current state of the governance process and the desired state to help the organization to determine the necessary remediation steps for improvement. A maturity model requires continuous improvement in the governance framework. It requires continuous evaluation, monitoring, and improvement to move towards the desired state from the current state.
Key aspects from the CISM exam perspective
The following are some of the key aspects from an exam perspective:
Table 1.3 – Key aspects from the CISM exam perspectiveTable 1.3 – Key aspects from the CISM exam perspective
Questions
What is the most important factor for the development of a maturity model-based information security governance framework?
A. Continuous evaluation, monitoring, and improvement.
B. The return on technology investment.
C. Continuous risk mitigation.
D. Continuous key risk indicator (KRI) monitoring.
Answer: A. Continuous evaluation, monitoring, and improvement.
Explanation: The maturity model requires continuous improvement in the governance framework. It requires continuous evaluation, monitoring, and improvement to move towards the desired state from the current state. The other options are not as significant as option A.
What best indicates the level of information security governance?
A. A defined maturity model.
B. The size of the security team.
C. The availability of policies and procedures.
D. The number of security incidents.
Answer: A. A defined maturity model.
Explanation: A defined maturity model will be the best indicator to determine the level of security governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes, and Level 5 indicates optimized processes. The other options may not be as useful as the maturity model in determining the level of security.
What is the most effective indicator of the level of security governance?
A. The annual loss expectancy.
B. The maturity level.
C. A risk assessment.
D. An external audit.
Answer: B. The maturity level.
Explanation: A defined maturity model will be the best indicator to determine the level of security governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes, and Level 5 indicates optimized processes. The other options may not be as useful as the maturity model in determining the level of security.
Getting to know the information security roles and responsibilities
It is very important to ensure that security-related roles and responsibilities are clearly defined, documented, and communicated throughout the organization. Each employee of the organization should be aware of their respective roles and responsibilities. Clearly defined roles also facilitate effective access rights management, as access is provided based on the respective job functions and job profiles of employees – that is, on a need-to-know basis only.
One of the simplest ways of defining roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.
This chart indicates who is responsible for a particular function, who is accountable with regard to the function, who should be consulted about the function, and who should be informed about the particular function. Clearly defined RACI charts make the information security program more effective.
Let's look at the definitions of RACI in more detail:
Responsible: This is the person who is required to execute a particular job function.
Accountable: This is the person who is required to supervise a job function.
Consulted: This is the person who gives suggestions and recommendations for executing a job function.
Informed: This is the person who should be kept updated about the progress of the job function.
In the next section, I will take you through the various roles that are integral to information security.
Board of directors
The role of board members in information security is of utmost