CISM Exam Boot Camp

Course Overview

• I. About CISM
  • Requirements for certification
    • Experience
    • Passing the exam
    • The ISACA Code of Ethics
    • Maintaining certification
• II. Information Security Governance
  • Overview
    • Information is a valuable resource in all of its formats
    • Not just IT related
    • We need to converge information security into the business
  • Effective information security governance
    • Business drivers
    • Business support
    • Provide assurance to management
  • Risk objectives
    • Operational risk management
    • We must be able to meet our desired state
  • Build an information security strategy
    • Business model for information security (BMIS)
    • Strategy
  • Controls
    • Types of controls
    • IT controls
    • Non-IT controls
    • Countermeasures
    • Example defense in depth
  • Provide assurance to management
    • ISO 27001
    • Security Metrics
  • Extend security knowledge to everyone
    • Awareness
    • Training
    • Education
  • Action plan to implement strategy
    • Projects
    • Gap analysis
    • Critical success factors
• III. Information Risk Management & Compliance
  • Overview
  • Information classification
    • Why should information be classified
    • Developing the program
    • Ownership
    • Responsibilities
  • Methods to evaluate impact of adverse events
    • Business impact analysis
  • Legal and regulatory requirements
  • Emerging threats and vulnerabilities
    • Sources of information
  • Risk management
    • Elements of risk
    • Risk assessment
    • Prioritizing risk
    • Reporting risk
    • Monitoring Risk
    • Risk handling
    • Control baseline modeling
    • Controls
    • Gap analysis
    • Integrate risk management into business and IT processes
    • Compliance
  • Re-assessing risk and changing security program elements
    • Risk management is a cyclic process
    • Triggers to re-assess
• IV. Information Security Program Development & Management
  • Overview
  • Align information security program to business function
  • Resource requirements definition
    • Internal
    • External
    • Identify, acquire and manage
  • Emerging trends in information security
    • Cloud computing
    • Mobile computing
  • Security control design
  • Security architectures
    • BSIM
  • Methods to develop
    • Standards
    • Procedures
    • Guidelines
  • Methods to implement and communicate
    • Policies
    • Standards
    • Procedures
    • Guidelines
  • Security awareness and training
    • Methods to establish
    • Methods to maintain
  • Methods to integrate security requirements into organizational processes
  • Methods to incorporate security requirements
    • Contracts
    • 3rd party management processes
  • Security metrics
    • Design
    • Implement
    • Report
  • Testing security controls
    • Effectiveness
    • Applicability
• V. Information Security Incident Management
  • Overview
  • Definition
    • Distinction between IR, BCP and DRP
    • Senior management commitment
    • Policy
    • Personnel
  • Objectives
    • Intended outcomes
    • Incident management
    • Incident handling
    • Incident response
    • Incident systems and tools
  • What technologies must an IRT know?
    • Vulnerabilities/Weaknesses
    • Networking
    • Operating systems
    • Malicious software
    • Programming languages
  • Defining incident management procedures
    • Plan for management
  • Current state of incident response plan
    • Gap analysis
  • Develop a plan
    • Plan elements
    • Notification process
    • Escalation process
    • Help desk process for identifying incidents
    • Response teams
  • Challenges in developing a plan
  • BCP/DRP
    • Recovery operations
    • Recovery strategies
    • Recovery sites
    • Basis for recovery site selection
    • Notification requirements
    • Supplies
    • Communication structure
    • Testing the plan
    • Recovery test metrics
    • Test results
    • Post-incident activities and investigations

Prerequisites