
CISM: Certified Information Security Manager
Firebrand Custom Designed Courseware

2016 Firebrand
5/6/2016
Logistics
Start Time
Breaks
End Time
Fire escapes
Instructor
Introductions

Introduction to Information Security Management

Course Mission
Educational Value
Both theoretical and practical
Up-to-date
Relevant

CISM
Certified Information Security Manager
Designed for personnel that have (or want to
have) responsibility for managing an
Information Security program
Tough but very good quality examination
Requires understanding of the concepts
behind a security program not just the
definitions

CISM Exam Review Course Overview
The CISM Exam is based on the
CISM job practice.
The ISACA CISM Certification
Committee oversees the
development of the exam and
ensures the currency of its
content.
There are four content areas
that the CISM candidate is
expected to know.

Job Practice Areas

Domain Structure
(Diagram showing how the four CISM domains relate to each other.)
Information Security Governance
Information Risk Management and Compliance
Information Security Program Development and Management
Information Security Incident Management
Relationship labels used in the diagram: Reports To, Mandates, Influences, Deploys, Requires
CISM Qualifications
To earn the CISM designation, information security
professionals are required to:
Successfully pass the CISM exam
Adhere to the ISACA Code of Professional Ethics
Agree to comply with the CISM continuing education
policy
Submit verified evidence of five (5) years of work
experience in the field of information security.

The Examination
The exam consists of 200 multiple choice
questions that cover the CISM job practice
areas.
Four hours are allotted for completing the
exam
See the Job Practice Areas including task
Statements and Knowledge Statements listed
on the ISACA website

Examination Day
Be on time!!
The doors are locked when the instructions start
approximately 30 minutes before examination start
time.
Bring the admission ticket (sent out prior to the
examination by ISACA) and an acceptable form of
original photo identification (passport, photo ID or
driver's license).

Completing the Examination Items
Bring several #2 pencils and an eraser
Read each question carefully
Read ALL answers prior to selecting the BEST answer
Mark the appropriate answer on the test answer
sheet.
When correcting an answer be sure to thoroughly
erase the wrong answer before filling in a new one.
There is no penalty for guessing. Answer every
question.

Grading the Exam
Candidate scores are reported as a scaled score,
based on the conversion of a candidate's raw score
on an exam to a common scale.
ISACA uses and reports scores on a common scale
from 200 to 800. A candidate must receive a score
of 450 or higher to pass.
Exam results will be mailed (and emailed) out
approximately 6-8 weeks after the exam date.
Good Luck!

End of Introduction

Welcome to the CISM course!!

2016 CISM Review Course

Chapter 1
Information Security Governance

Information Security Management
The responsible protection of the information assets
of the organization
Supporting Security Governance and risk
management
Adoption of a security framework and standards

ISACA CISM Review Manual Page 14-16
Governance
Governance:
Ensures that stakeholders' needs, conditions and
options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved;
Sets direction through prioritization and
decision-making;
Monitors performance and compliance against
agreed-on directions and objectives

ISACA CISM Review Manual Page 14
Examination Content
The CISM candidate understands:
An effective security governance framework
Building and deploying a security strategy aligned with
organizational goals
Appropriate management of risk
Responsible management of program resources
The content area in this chapter represents
approximately 24% of the CISM examination
(approximately 48 questions).

ISACA CISM Review Manual Page 14
Learning Objectives
Align the organization's information security strategy with
business goals and objectives
Obtain Senior Management commitment
Provide support for:
Governance
Business cases to justify security
Compliance with legal and regulatory mandates

ISACA CISM Review Manual Page 14
Learning Objectives cont.
Provide support for:
Organizational priorities and strategy
Identify drivers affecting the organization
Define roles and responsibilities
Establish metrics to report on effectiveness of the
security strategy

ISACA CISM Review Manual Page 14
CISM Priorities
The CISM must understand:
Requirements for effective information security
governance
Elements and actions required to:
Develop an information security strategy
Plan of action to implement it

ISACA CISM Review Manual Page 14
Information Security Governance
Information is indispensable to conduct business
effectively today
Information must be:
Available
Have Integrity of data and process
Be kept confidential as needed
Protection of information is a responsibility of the
Board of Directors

ISACA CISM Review Manual Page 31
Information Security
Information Protection includes:
Accountability
Oversight
Prioritization
Risk Management
Compliance (Regulations and Legislation)

ISACA CISM Review Manual Page 31
Information Security Governance
Overview
Information security is much more than just IT
security (more than technology)
Information must be protected at all levels of the
organization and in all forms
Information security is a responsibility of everyone
In all forms: paper, fax, audio, video, microfiche,
networks, storage media, computer systems

ISACA CISM Review Manual Page 31
Security Program Priorities
Achieve high standards of corporate
governance
Treat information security as a critical
business issue
Create a security positive environment
Have declared responsibilities

Security versus Business
Security must be aligned with business needs
and direction
Security is woven into the business functions
Provides:
Strength
Resilience
Protection
Stability
Consistency
Security Program Objectives
Ensure the availability of systems and data
Allow access to the correct people in a
timely manner
Protect the integrity of data and business
processes
Ensure no improper modifications
Protect confidentiality of information
Prevent unauthorized disclosure of information
Privacy, trade secrets
Selling the Importance of Information Security
Benefits of effective information security governance
include:
Improved trust in customer relationships
Protecting the organization's reputation
Better accountability for safeguarding information
during critical business activities
Reduction in loss through better incident handling
and disaster recovery

ISACA CISM Review Manual Page 31
The First Priority for the CISM
Remember that information security is a business-driven activity.
Security is here to support the interests and needs
of the organization, not just the desires of security.
Security is always a balance between cost and
benefit, and between security and productivity.

ISACA CISM Review Manual Page 31
Corporate Governance

Business Goals and Objectives
Corporate governance is the set of
responsibilities and practices exercised by
the board and executive management

Goals include:
Providing strategic direction
Reaching security and business objectives
Ensuring that risks are managed appropriately
Verifying that the enterprise's resources are used
responsibly
ISACA CISM Review Manual Page 32
Outcomes of Information Security Governance
The six basic outcomes of effective security
governance:
Strategic alignment
Risk management
Value delivery
Resource optimization
Performance measurement
Integration

ISACA CISM Review Manual Page 32
Benefits of Information Security Governance
Effective information security governance can offer
many benefits to an organization, including:
Compliance and protection from litigation or
penalties
Cost savings through better risk management
Avoid risk of lost opportunities
Better oversight of systems and business operations
Opportunity to leverage new technologies to
business advantage

ISACA CISM Review Manual Page 32
Performance and Governance
Governance is only possible when metrics are in
place to measure, monitor and report on whether
critical organizational objectives are being achieved.
Enterprise-wide measurements should be developed

ISACA CISM Review Manual Page 33
Governance Roles and Responsibilities
Board of Directors/Senior Management
Effective security requires senior management
support
Steering Committee
Ensure continued alignment between IT and
business objectives
CISO (Chief Information Security Officer)
Ensures security is addressed at a senior
management level

ISACA CISM Review Manual Page 35, 36
Governance Roles and Responsibilities cont.
System Owners
Responsible for ensuring that adequate protection is
in place for the systems and the data they
process
Information Owners
Responsible for the protection of data regardless of
where it resides or is processed

ISACA CISM Review Manual Page 37
Gaining Management Support
Formal presentation
From a business perspective
Align security with the business
Identify risk and consequences
Describe audit and reporting procedures

ISACA CISM Review Manual Page 38
Communication Channels
Track the status of the security program
Share security awareness and knowledge of risk
Communicate policies and procedures
Deliver to all staff at appropriate level of detail

ISACA CISM Review Manual Page 38
GRC
The combination of overlapping activities into
a single business process to recognize the
importance to senior management of
information security and assurance
Governance
Risk
Compliance

ISACA CISM Review Manual Page 40
BMIS
The Business Model for Information Security is
one approach to showing the interrelationship
between several elements of a robust
security management program:
Organization Design and Strategy
People
Process
Technology

ISACA CISM Review Manual Page 41
BMIS
The interaction of these processes is
important to provide coordination between
the dynamic elements of security:
Governance
Culture
Enablement and Support
Emergence
Human Factors
Architecture

ISACA CISM Review Manual Page 42
Governance of Third-Party Relationships
As organizations move more towards the use
of third parties for support (e.g., the Cloud),
the need to govern and manage these
relationships is of increasing importance.
Service providers
Outsourced operations
Trading partners
Merged or acquired organizations

ISACA CISM Review Manual Page 43
Information Security Metrics
A framework that cannot be measured
cannot be trusted. The security program must
be accountable for its budget, deliverables
and strategy.
Metrics should be:
Meaningful
Actionable
Accurate
Genuine
Cost-effective
Repeatable
Predictive

ISACA CISM Review Manual Page 44
KPIs and KGIs
Indicate attainment of service goals,
organizational objectives and milestones.
Key Goal Indicators
Key Risk Indicators

ISACA CISM Review Manual Page 46
Security Integration
Security needs to be integrated INTO the
business processes
The goal is to reduce security gaps through
organizational-wide security programs
Integrate IT with:
Physical security
Risk Management
Privacy and Compliance
Business Continuity Management

ISACA CISM Review Manual Page 46
Areas to Measure (Metrics)
Risk Management
Value Delivery
Resource Management
Performance Measurement
Incident reporting
Benchmarking

ISACA CISM Review Manual Page 47
Developing Information Security Strategy
Information Security Strategy
Long term perspective
Standard across the organization
Aligned with business strategy / direction
Understands the culture of the organization
Reflects business priorities

ISACA CISM Review Manual Page 49
The Desired State of Security
The desired state of security must be
defined in terms of attributes,
characteristics and outcomes
It should be clear to all stakeholders what
the intended security state is

ISACA CISM Review Manual Page 53
The Desired State cont.
One definition of the desired state:
"Protecting the interests of those relying on information,
and the processes, systems and communications that
handle, store and deliver the information, from harm
resulting from failures of availability, confidentiality and
integrity"
Focuses on IT-related processes from IT
governance, management and control perspectives

ISACA CISM Review Manual Page 53
Elements of a Strategy
A security strategy needs to include:
Resources needed
Constraints
A road map
Includes people, processes, technologies and
other resources
A security architecture: defining business
drivers, resource relationships and process flows
Achieving the desired state is a long-term
goal, reached through a series of projects

ISACA CISM Review Manual Page 53
Business Linkages
Business linkages
Start with understanding the specific
objectives of a particular line of business
Take into consideration all information flows
and processes that are critical to ensuring
continued operations
Enable security to be aligned with and
support business at strategic, tactical and
operational levels

ISACA CISM Review Manual Page 53
Objectives of Security Strategy
The objectives of an information security
strategy must:
Be defined
Be supported by metrics (measurable), for example
through the Capability Maturity Model (CMM)
Provide guidance

ISACA CISM Review Manual Page 55
Balanced Scorecard (BSC)
See next slide for diagram
Ensures that multiple perspectives are
considered when developing a security
strategy
Seeks balance between competing interests

ISACA CISM Review Manual Page 55
Balanced Scorecard (BSC)
(Diagram: the four BSC perspectives, Financial, Customer, Process and Learning, arranged around a central Information element.)
ISACA CISM Review Manual Page 55
The Maturity of the Security Program Using CMM
0: Nonexistent - No recognition by the organization of the need for
security
1: Ad hoc - Risks are considered on an ad hoc basis; no
formal processes
2: Repeatable but intuitive - Emerging understanding of risk
and need for security
3: Defined process - Companywide risk management
policy/security awareness
4: Managed and measurable - Risk assessment standard
procedure, roles and responsibilities assigned, policies and
standards in place
5: Optimized - Organization-wide processes
implemented, monitored and managed

ISACA CISM Review Manual Page 55
The ISO27001:2013 Framework
The goal of ISO27001:2013 is to:
Establish
Implement
Maintain, and
Continually improve
an information security management system.
Contains:
14 clauses, 35 control objectives and 114
controls

ISACA CISM Review Manual Page 56
Risk Management
The basis for most security programs is Risk
Management:
Risk identification
Risk Mitigation
Ongoing Risk Monitoring and evaluation
The CISM must remember that risk is
measured according to the potential impact on
the ability of the business to meet its mission,
not just on the impact on IT.

ISACA CISM Review Manual Page 56
Examples of Other Security Frameworks
SABSA (Sherwood Applied Business Security
Architecture)
COBIT
COSO
Business Model for Information Security
Model originated at the Institute for Critical
Information Infrastructure Protection

ISACA CISM Review Manual Page 49, 61
Examples of Other Security Frameworks cont.
ISO standards on quality (ISO 9001:2000)
Six Sigma
Publications from NIST and ISF
US Federal Information Security
Management Act (FISMA)
ISACA CISM Review Manual Page 56
Constraints and Considerations for a Security Program
Constraints
Legal: Laws and regulatory requirements
Physical: Capacity, space, environmental
constraints
Ethics: Appropriate, reasonable and customary
Culture: Both inside and outside the
organization
Costs: Time, money
Personnel: Resistance to change, resentment
against new constraints
ISACA CISM Review Manual Page 59
Constraints and Considerations for a Security Program cont.
Constraints
Organizational structure: How decisions
are made and by whom, turf protection
Resources: Capital, technology, people
Capabilities: Knowledge, training, skills,
expertise
Time: Window of opportunity, mandated
compliance
Risk tolerance: Threats, vulnerabilities,
impacts
ISACA CISM Review Manual Page 59
Security Program
Starts with theory and concepts
Policy
Interpreted through:
Procedures
Baselines
Standards
Measured through audit

ISACA CISM Review Manual Page 60
Architecture
Information security architecture is similar to physical
architecture:
Requirements definition
Design / Modeling
Creation of detailed blueprints
Development, deployment
Architecture is planning and design to meet the needs
of the stakeholders
Security architecture is one of the greatest needs for
most organizations
ISACA CISM Review Manual Page 60
Using an Information Security
Framework
Effective information security is provided
through adoption of a security framework
Defines information security objectives
Aligns with business objectives
Provides metrics to measure compliance and
trends
Standardizes baseline security activities
enterprise-wide

ISACA CISM Review Manual Page 62
The Goal of Information Security
The goal of information security is to
protect the organization's assets,
individuals and mission
This requires:
Asset identification
Classification of data and systems
according to criticality and sensitivity
Application of appropriate controls

ISACA CISM Review Manual Page 62
Controls
Non-IT controls (labeling, handling requirements)
Countermeasures
Reduce a vulnerability (reduce the likelihood or
impact of an incident)
Layered defense

ISACA CISM Review Manual Page 63
Elements of Risk and Security
The next few slides list many factors that go
into a security program.
ISACA CISM Review Manual Page 64
Information Security Concepts
Access
Architecture
Attacks
Auditability
Authentication
Authorization
Availability
Business dependency analysis
Business impact analysis
Confidentiality
Countermeasures
Criticality
Data classification
Exposures
Gap analysis
Governance
ISACA CISM Review Manual Page 64-69
Information Security Concepts cont.
Identification
Impact
Integrity
Layered security
Management
Nonrepudiation
Risk / Residual risk
Security metrics
Sensitivity
Standards
Strategy
Threats
Vulnerabilities
Enterprise architecture
Security domains
Trust models
ISACA CISM Review Manual Page 64-69
Security Program Elements
Policies
Standards
Procedures
Guidelines
Controls: physical, technical, procedural
Technologies
Personnel security
Organizational structure
Skills
ISACA CISM Review Manual Page 64-69
Security Program Elements cont.
Training
Awareness and education
Compliance enforcement
Facilities
Environmental security
Outsourced security providers
Other organizational support and assurance providers
ISACA CISM Review Manual Page 64-69
Centralized versus Decentralized Security
Which is better?
Consistency versus flexibility
Central control versus Local ownership
Procedural versus responsive
Core skills versus distributed skills
Visibility to senior management versus
visibility to users and local business units

ISACA CISM Review Manual Page 65
Audit and Assurance of Security
Objective review of security risk, controls
and compliance
Assurance regarding the effectiveness of
security is a part of regular organizational
reporting and monitoring

ISACA CISM Review Manual Page 66
Ethical Standards
Rules of behaviour
Legal
Corporate
Industry
Personal

ISACA CISM Review Manual Page 68
Ethical Responsibility
Responsibility to all stakeholders
Customers
Suppliers
Management
Owners
Employees
Community

ISACA CISM Review Manual Page 68
Evaluating the Security Program
Metrics are used to measure results
Measure security concepts that are
important to the business
Use metrics that can be used for each
reporting period
Compare results and detect trends
ISACA CISM Review Manual Page 71
Effective Security Metrics
Set metrics that will indicate the health of
the security program
Incident management
Degree of alignment between security and
business development:
Was security consulted?
Were controls designed into the systems or
added later?

ISACA CISM Review Manual Page 71
Effective Security Metrics cont.
Choose metrics that can be controlled
Measure items that can be influenced or
managed by local managers / security
Not external factors such as number of
viruses released in the past year
Have clear reporting guidelines
Monitor on a regular scheduled basis

ISACA CISM Review Manual Page 71
Key Performance Indicators (KPIs)
Thresholds to measure:
Compliance / non-compliance
Pass / fail
Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action
should / must be taken
Alarm point
ISACA CISM Review Manual Page 71
End to End Security
Security must be enabled across the
organization, not just on a system-by-system
basis
Performance measures should ensure that
security systems are integrated with each
other
Layered defenses

ISACA CISM Review Manual Page 74
Correlation Tools
The CISM may use Security Event and Incident
Management (SEIM, SIM, SEM) tools to
aggregate data from across the organization
Data analysis
Trend detection
Reporting tools

Added value on exam but not in the ISACA book
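The KPI alarm point described under Key Performance Indicators, and the aggregation, trend detection and reporting described under Correlation Tools, as an added Python example (not course material): constructed incident records are rolled up per reporting period, checked against an assumed KPI (at least 80% of high-severity incidents contained within 24 hours), and the movement of that metric across periods is classified.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample incident records (not from the course):
# opened,contained,source system,severity
SAMPLE_RECORDS = """\
2016-01-04T09:10,2016-01-04T15:00,hr-portal,high
2016-01-11T13:30,2016-01-12T08:00,mail-gw,high
2016-01-20T08:00,2016-01-20T10:30,fileserver,low
2016-02-02T10:00,2016-02-02T12:00,hr-portal,high
2016-02-15T17:45,2016-02-17T09:00,vpn,high
2016-02-21T11:00,2016-02-21T11:40,fileserver,medium
2016-03-03T08:20,2016-03-05T19:00,mail-gw,high
2016-03-09T14:00,2016-03-11T16:30,vpn,high
2016-03-10T09:00,2016-03-12T09:05,hr-portal,high
"""

# Assumed KPI alarm point: at least 80% of high-severity incidents in a
# reporting period must be contained within 24 hours.
KPI_TARGET_PCT = 80.0
KPI_CONTAIN_HOURS = 24.0

def parse_records(text):
    """Parse CSV lines into (opened, contained, source, severity) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            opened, contained, source, severity = line.split(",")
            records.append((datetime.fromisoformat(opened),
                            datetime.fromisoformat(contained), source, severity))
    return records

def hours_to_contain(rec):
    return (rec[1] - rec[0]).total_seconds() / 3600

def period_metrics(records):
    """Aggregate per reporting period (month): totals and the KPI value."""
    by_period = defaultdict(list)
    for rec in records:
        by_period[rec[0].strftime("%Y-%m")].append(rec)
    metrics = {}
    for period, recs in sorted(by_period.items()):
        high = [r for r in recs if r[3] == "high"]
        within = [r for r in high if hours_to_contain(r) <= KPI_CONTAIN_HOURS]
        pct = round(100.0 * len(within) / len(high), 1) if high else 100.0
        metrics[period] = {"total": len(recs), "high": len(high),
                           "high_within_sla_pct": pct}
    return metrics

def evaluate_kpi(metrics):
    """Flag each period 'pass' or 'alarm' against the KPI threshold."""
    return {p: "pass" if m["high_within_sla_pct"] >= KPI_TARGET_PCT else "alarm"
            for p, m in metrics.items()}

def detect_trend(metrics, key="high_within_sla_pct"):
    """Classify movement of one metric across consecutive periods."""
    values = [metrics[p][key] for p in sorted(metrics)]
    if len(values) < 2:
        return "insufficient data"
    deltas = [b - a for a, b in zip(values, values[1:])]
    if all(d < 0 for d in deltas):
        return "worsening"   # every period worse than the previous one
    if all(d > 0 for d in deltas):
        return "improving"
    return "mixed"

def report(text=SAMPLE_RECORDS):
    metrics = period_metrics(parse_records(text))
    return {"metrics": metrics, "kpi": evaluate_kpi(metrics),
            "trend": detect_trend(metrics)}
```

On the sample data the KPI passes in January and alarms in February and March, and the trend is reported as worsening, which is the kind of per-period comparison the reporting pack is meant to surface.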
Regulations and Standards
The CISM must be aware of:
National laws
Privacy
Regulations
Reporting, performance
Industry standards
Payment Card Industry (PCI)
BASEL II
Added value on exam but not in the ISACA book
Effect of Regulations
Requirements for business operations
Potential impact of breach
Cost
Reputation
Scheduled reporting requirements
Frequency
Format

Added value on exam but not in the ISACA book
Reporting and Analysis
Data gathering at source
Accuracy
Identification
Reports signed by an organizational officer

Added value on exam but not in the ISACA book