cbtnuggets - ISACA CISM
English | mp4 | H264 1280x720 | AAC 1 ch | 7 hrs | 1.69 GB
eLearning, systems | Level: Intermediate
Certified Information Security Manager
As a Certified Information Security Manager (CISM), you are responsible for ensuring that your organization is prepared to deal with all forms of attacks and malicious attempts to access the company’s information systems.
CISM means higher earning potential and career advancement. Recent independent studies consistently rank CISM as one of the highest paying and most sought-after IT certifications.
- Familiarity with IT operations
- Familiarity with IT development lifecycles and project management
- Awareness of information security processes
- Middle-level management experience
- No special equipment or software needed
- Certified Information Security Manager (CISM)
Related Job Functions
- Operations management
- Development management
- Security management
- Project management
Steve Caseley has been a CBT Nuggets trainer since 2004 and holds a variety of PMI certifications, including PMI-PMP, PMI-ACP, and PMI-SP.
1. CISM Overview (6 min)
This Nugget provides an overview of the CISM exam and the four knowledge domains that the exam questions are based on. It also reviews the qualifications for the exam and some ways to gain some of the practical knowledge needed to correctly answer the exam questions.
2. Information Security Governance (9 min)
Steve discusses the nine tasks of Information Security Governance: Information Security Strategy, Governance Framework, Alignment to Organizational Goals, Policies, Justify Investments, Identify Internal and External Influencers, Obtain Management Commitment, Define Roles and Responsibilities, and Establish Metrics.
3. Security Strategy (6 min)
Steve focuses on ensuring that an effective information security strategy is in place and that it is fully aligned with the business requirements. Steve also discusses the outcomes that are based on the risks, and whether or not cuts are justified.
4. Alignment to Business Goals (4 min)
Steve discusses the importance of ensuring that the level of security being applied is appropriate for the business goals and objectives, and that the appropriate governance structures are being put in place.
5. Governance Framework (6 min)
Steve reviews the business model for information systems and ensuring that policies and procedures are consistent with business needs. Steve concludes with a review of several frameworks available for developing governance frameworks.
6. Information Security Governance (4 min)
Steve discusses the importance of Information Security (IS) Governance, ensuring that everyone in the organization is aware of the roles and responsibilities of the IS organization.
7. Integrated Governance (6 min)
Steve reviews the importance of having security processes integrated into existing organizational processes. The closer the information security processes align to existing processes, the less opportunity there is for staff to reject them.
8. Industry Standards (9 min)
Steve provides a high-level overview of the industry standards that ISACA defines as most relevant for an information security manager.
9. Develop Security Policies (8 min)
Steve discusses the steps required to develop the security policies or security roadmap. This begins with a review of the existing architecture with the purpose of establishing the baseline against which changes will be made. Steve concludes with a series of guidelines that can be the basis of the policies.
10. Business Case Development (4 min)
Steve reviews the importance of developing an effective business case to justify the expenses of the security plan, and get organizational buy-in for security processes.
11. Security Budget (4 min)
Steve shares some tips and hints for ensuring that the security budget is approved, including Annual Loss Exposure (ALE) as a powerful tool for validating security expenses.
12. Security Influencers (9 min)
Steve reviews a number of factors that must be considered when developing a security strategy, including a review of some common pitfalls that must be avoided to ensure that the security strategy is as comprehensive as needed.
13. Obtain Management Commitment (4 min)
Steve focuses on what can be done to ensure that senior management will accept the security plan, which often requires substantial investment and organizational change.
14. Security Management Roles (6 min)
Steve discusses what can be done to ensure that there is an appropriate organizational model in place to identify the chief information security officer, and that this individual reports to the “top of the house” to ensure the independence needed to implement the needed security plan.
15. Organizational Structures (6 min)
Steve reviews the importance of having well-defined roles and responsibilities, specifically in the form of a RACI chart, to ensure that everyone in the organization, on both the business and security sides, understands who is responsible for each specific security component.
16. Effective Communication (4 min)
Steve reviews the importance of effective communication at all levels in the organization to ensure an awareness of how changes in the business can impact security.
17. Security Metrics (6 min)
Steve presents the importance of having security metrics to provide the evidence that the security plan is working.
18. Risk Management and Compliance (7 min)
Steve discusses Asset Classification Process, Identification of Acceptable Risk Levels, Ongoing Risk Assessments, Determination of Risk Treatment Options, Assessment of Risks on Security Controls, Identify Gaps in Risk Responses, Integrated Risk Management, Ongoing Risk Monitoring, and Report Risk Non-compliance.
19. Information Classification (7 min)
Steve reviews the importance of ensuring that all information assets, data, equipment, and processes are properly classified to identify their importance, and to ensure that appropriate protection is implemented.
20. Responsibility Assignment (3 min)
Steve discusses the importance of ensuring that someone with the appropriate authority is assigned as the owner of each information security asset in order to ensure that the asset remains protected for its entire life.
21. Evaluate Risk Impacts (6 min)
Steve expands on the Business Impact Analysis to ensure that the risk impact is fully understood and that the entire scope of the impact is documented.
22. Asset Validation Methods (7 min)
Steve reviews the processes for determining the value of the information assets you need to protect, and for ensuring that the protection costs do not exceed the value of the asset to the organization.
23. Legal and Regulatory Requirements (7 min)
Steve focuses on ensuring that the risks of non-compliance to rules and regulations are being dealt with, or at least that management is aware of the risks of non-compliance.
24. Sources for Identifying Emerging Threats (6 min)
Steve reviews a number of sources that should be considered in order to stay current regarding information system security risks.
25. When is it time to Reassess (4 min)
Steve reviews a number of conditions that indicate a need to step back and reassess information systems security processes and plans.
26. Threat Knowledge (9 min)
This Nugget is the eighth of 19 discussing the knowledge statements for the Risk Management and Compliance Domain. It discusses three core security threat terms: threat, vulnerability, and exposure, and how to measure and deal with these for internal and external threats.
27. Risk Assessment and Analysis Methodologies (11 min)
This Nugget is the ninth of 19 discussing the knowledge statements for the Risk Management and Compliance Domain. It introduces the risk management methodologies and frameworks that will be applied in an organization.
28. Risk Prioritization (10 min)
This Nugget is the 10th of 19 discussing the knowledge statements for the Risk Management and Compliance Domain. We review the importance of, and the processes for, risk prioritization to ensure that we are focused on the high impact, high probability risks.
29. Risk Reporting (6 min)
Steve discusses the processes to be followed to ensure that effective risk reporting takes place to keep the organization current on the security activities taking place.
30. Monitoring Risk (5 min)
We review the importance of recognizing the indicators that a risk is happening, and ensuring that you have a firm understanding of the events that might precede a risk event — so that you can begin the proactive actions to eliminate the risk.
31. Risk Treatment Strategies (5 min)
Steve reviews the four possible risk treatment strategies: Avoid, transfer, mitigate and accept.
32. Risk Baselines (7 min)
Defining a risk baseline for each risk classification is important to establish the appropriate controls, define what is acceptable, and differentiate the expectations for protecting public data as opposed to top secret data.
33. Monitoring Security Controls (4 min)
Keeping the security controls current is a critical component of having an effective security system as new security threats are constantly emerging. But equally important is that old security controls need to be reviewed to ensure that they are still relevant — and even needed — as the security risks change.
34. Gap Analysis (7 min)
Recognizing that it is never possible to be 100 percent security-protected, this Nugget reviews the principles of analyzing the gap between the desired state and what can be delivered, and of defining the impact that this gap presents to the business.
35. Risk Integration (5 min)
We review the importance of ensuring that risk is fully integrated with the business/security processes, as well as with the systems development lifecycle.
36. Compliance Reporting (3 min)
Steve discusses the importance of having the right reporting process in place to ensure that you are able to produce all the reports needed to satisfy any legal and regulatory reporting requirements, based on the areas in which your organization operates.
37. Cost Benefit Analysis (10 min)
Steve wraps up this knowledge domain with a discussion of the cost analysis measures that can be applied to ensure that the security processes are cost effective.
38. Information Security Program Development and Management (6 min)
Steve discusses the seven tasks: Establish Information Security Program, Align to Business, Define Requirements, Establish Security Architecture, Institutionalize Security, Process Integration, Vendor Integration, and Evaluate Effectiveness.
39. Alignment with the Business (5 min)
Steve reviews the implementation of the steps to ensure that the security system is closely aligned with the business, to minimize the impact that security activities have on daily activities.
40. Acquire and Deploy Security Resources (6 min)
We identify, define, acquire, and manage the human and physical resources needed to implement the security policies.
41. Security Technologies (5 min)
Steve reviews the information an information security manager needs to be aware of to ensure that the security technologies implemented are appropriate for an organization’s needs.
42. Security Control Design (13 min)
Steve discusses the strength, reliability, and effectiveness of the security design to ensure that it supports the requirements when operating in both a functional and a failed mode, and the importance of ensuring that it provides the appropriate preventative, detective, corrective, compensatory, and deterrent measures.
43. Security Architecture (5 min)
Steve reviews the importance of having a security architecture, which will help you move from a disjointed, hastily patched security environment to a well-planned and defined environment.
44. Standards and Procedures Development (9 min)
Steve reviews the importance of keeping the security policies and procedures up to date to ensure there is a single location where everyone can get the latest security processes to be followed.
45. Security Implementation (7 min)
We discuss the actual implementation of the security equipment, but more importantly, the training and support needed to ensure that the business adapts to and uses the security systems.
46. Awareness and Training (5 min)
Steve focuses on the importance of business acceptance of the security policies. Education, training, support, and feedback are critical components of ensuring that the business understands why the security is needed and will help them adhere to the necessary security protocols.
47. Process Integration (5 min)
Steve reviews the processes to be followed when implementing the security policies to ensure that they are integrated with the business processes that they are protecting.
48. Contracts and Third Party Security (5 min)
Because most organizations use outsourcing and third party vendors to deliver some IT services, it is important that the security requirements are passed onto all vendors and included in the contract terms and conditions.
49. Security Metrics (9 min)
Gathering and reporting on security metrics is important as it provides the information needed to show management that their investment in security is paying off. Security metrics are also important for the security department, as they provide the information needed to analyze trends and changes in security attacks.
50. Effectiveness and Applicability Testing (5 min)
End-to-end testing is required to ensure that all the technical components, as well as the procedures and processes fully integrate into a functional security system.
51. Security Incident Management (8 min)
Steve discusses the 10 tasks of Security Incident Management: Establish Severity Classifications, Develop an Incident Response Plan, Identify Incident Identification Processes, Develop Incident Investigation Processes, Document Incident Escalation Processes, Establish Incident Response Teams, Test and Review Incident Response Plans, Develop Communications Plans, Conduct Post Incident Reviews, and Integrate with DR and BCP.
52. Incident Response Plan (5 min)
Having a predefined plan for each major security incident is key to being prepared to deal with incidents when they happen. While it is unlikely that you will ever execute to the exact contents of a plan, it always provides a starting point and key considerations.
53. Incident Management Concepts and Practices (3 min)
We review a number of best practices to ensure effective incident management in your organization.
54. Integration with DR and BCP (7 min)
Steve reviews the integration of dealing with security incidents and the need to invoke the organization’s disaster recovery and/or business continuity plans.
55. Incident Classification Methods (4 min)
Proper and prompt classification of incidents is critical to ensure that the right tools and resources are assigned for resolving each incident.
56. Damage Containment (5 min)
Every organization eventually has to respond to a serious security incident. Steve reviews damage containment processes; knowing how to minimize the impact, prevent spread, support operations, and prevent permanent loss will help you be more prepared for when these incidents take place.
57. Notification and Escalation (4 min)
While some security incidents will be handled within the security department, many serious incidents will take time for resolution, and therefore an established notification and escalation process is needed to ensure that the appropriate parties are aware of the problem.
58. Roles and Responsibilities (6 min)
Steve reviews the importance of having clearly defined roles and responsibilities to ensure that you have the appropriate people in place and that everyone knows their role during a security incident.
59. Incident Response Tools and Equipment (4 min)
This Nugget is the eighth of 14 discussing the knowledge statements for Security Incident Management Domain. We review the importance of having ready access to specialized tools and equipment that will aid in the triage, restoration, and repair of any incidents that your organization has to deal with.
60. Preserving Evidence (10 min)
Steve reviews the importance of using the proper procedures to gather and store evidence during a security incident investigation. Ensuring that the evidence has integrity is key to ensuring that it will be usable should you be able to press charges against whoever was responsible for the incident.
61. Incident Response Reporting and Procedures (5 min)
Recognizing that some security incidents will be significant enough to need the involvement of local law enforcement, Steve reviews the processes and procedures that should be considered before and during the process of working with the police.
62. Root Cause Analysis (4 min)
A root cause analysis will allow the organization to review the reason a security incident happened, the underlying vulnerabilities, and hopefully, identify the responsible party for each security incident.
63. Business Impact Analysis (5 min)
Steve focuses on ensuring that the costs (direct and indirect) are included to ensure that the full impact to the business for each major security incident can be determined.
64. Incident Management System (6 min)
Steve focuses on ensuring that there is software in place to aid in the detection and management of incidents. The software should consolidate and correlate data, identify and prioritize incidents, and provide incident tracking and reporting.
65. Incident Resource Management (3 min)
Steve reviews the steps that the individuals responding to an incident should follow, starting with identifying the causes and finishing with ensuring that the evidence needed is available should the organization be able to press charges against who caused the incident.
66. Passing the Exam (5 min)
This Nugget reviews the format of the CISM exam and provides some tips and hints for passing the exam. The exam is a paper-based exam consisting of 200 multiple-choice questions (four possible answers for each question), with a time limit of four hours. In many instances there will be multiple right answers, and the correct answer is the best one, where best means the best implementation in a real-world situation. The exam is marked out of 800, with a passing grade of 450.