Certified Information Security Manager Exam Prep Guide

By : Hemang Doshi

Certified Information Security Manager Exam Prep Guide

By: Hemang Doshi

Overview of this book

With cyber threats on the rise, IT professionals are now choosing cybersecurity as the next step to boost their career, and holding the relevant certification can prove to be a game-changer in this competitive market. CISM is one of the top-paying and most sought-after certifications by employers. This CISM Certification Guide comprises comprehensive self-study exam content for those who want to achieve CISM certification on the first attempt. This book is a great resource for information security leaders with a pragmatic approach to challenges related to real-world case scenarios. You'll learn about the practical aspects of information security governance and information security risk management. As you advance through the chapters, you'll get to grips with information security program development and management. The book will also help you to gain a clear understanding of the procedural aspects of information security incident management. By the end of this CISM exam book, you'll have covered everything needed to pass the CISM certification exam and have a handy, on-the-job desktop reference guide.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Get in touch

Share your thoughts

Section 1: Information Security Governance

Free Chapter

Chapter 1: Information Security Governance

Introducing information security governance

Understanding governance, risk management, and compliance

Discovering the maturity model

Getting to know the information security roles and responsibilities

Finding out about the governance of third-party relationships

Obtaining commitment from senior management

Introducing the business case and the feasibility study

Understanding information security governance metrics

Summary

Chapter 2: Practical Aspects of Information Security Governance

Information security strategy and plan

Information security program

Enterprise information security architecture

Organizational structure

Record retention

Awareness and education

Summary

Section 2: Information Risk Management

Chapter 3: Overview of Information Risk Management

Risk management overview

Risk management strategy

Implementing risk management

Risk assessment and analysis methodologies

Risk assessment

Summary

Chapter 4: Practical Aspects of Information Risk Management

Information asset classification

Asset valuation

Operational risk management

Outsourcing and third-party service providers

Risk management integration with the process life cycle

Summary

Chapter 5: Procedural Aspects of Information Risk Management

Change management

Patch management

Security baseline controls

Risk monitoring and communication

Security awareness training and education

Documentation

Summary

Section 3: Information Security Program Development Management

Chapter 6: Overview of Information Security Program Development Management

Information security program management overview

Information security program objectives

Information security framework components

Defining an information security program road map

Policy, standards, and procedures

Security budget

Security program management and administrative activities

Privacy laws

Summary

Chapter 7: Information Security Infrastructure and Architecture

Information security architecture

Architecture implementation

Access control

Virtual private networks

Biometrics

Factors of authentication

Wireless network

Different attack methods

Summary

Chapter 8: Practical Aspects of Information Security Program Development Management

Cloud computing

Controls and countermeasures

Penetration testing

Security program metrics and monitoring

Summary

Chapter 9: Information Security Monitoring Tools and Techniques

Firewall types and their implementation

IDSes and IPSes

Digital signature

Elements of PKI

Asymmetric encryption

Summary

Section 4: Information Security Incident Management

Chapter 10: Overview of Information Security Incident Manager

Incident management overview

Incident response procedure

Incident management metrics and indicators

The current state of the incident response capabilities

Developing an incident response plan

Summary

Chapter 11: Practical Aspects of Information Security Incident Management

Business continuity and disaster recovery procedures

Testing incident response, BCP, and DRP

Executing response and recovery plans

Post-incident activities and investigation

Summary

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share your thoughts

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Understanding governance, risk management, and compliance

GRC is a term used to align and integrate the processes of governance, risk management, and compliance. GRC emphasizes that governance should be in place for effective risk management and the enforcement of compliance.

Governance, risk management, and compliance are three related aspects that help to achieve the organization's objectives. GRC aims to lay down operations for more effective organizational processes and avoiding wasteful overlaps. Each of these three disciplines impacts the organizational technologies, people, processes, and information. If governance, risk management, and compliance activities are handled independently of each other, it may result in a considerable amount of duplication and a waste of resources. The integration of these three functions helps to streamline the assurance activities of an organization by addressing the overlapping and duplicated GRC activities.

Though a GRC program can be applied in any function of the organization, it is mostly focused on the financial, IT, and legal areas.

Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on information technology processes. Legal GRC focuses on the overall enterprise-level regulatory compliance.

GRC is an ever-evolving concept, and a security manager should understand the current state of GRC in their organization and determine how to ensure its continuous improvement.

Key aspects from the CISM exam perspective

The following are some of the key aspects from a CISM exam perspective:

Table 1.2 – Key aspects from the CISM exam perspective

Questions

Which of the following is the main objective of implementing GRC procedures?
A. To minimize the governance cost.
B. To improve risk management.
C. To synchronize security initiatives.
D. To ensure regulatory compliance.
Answer: B. To improve risk management.
Explanation: GRC is implemented by integrating interrelated control activities across the organization for improving risk management activities. The other options are secondary objectives.
What is the prime objective of GRC?
A. To synchronize and align the organization's assurance functions.
B. To address the requirements of the information security policy.
C. To address the requirements of regulations.
D. To design a low-cost security strategy.
Answer: A. To synchronize and align the organization's assurance functions.
Explanation: The concept of GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered secondary objectives.

Certified Information Security Manager Exam Prep Guide

By : Hemang Doshi

Certified Information Security Manager Exam Prep Guide

By: Hemang Doshi

Overview of this book

Related Content you might be interested in

Current Title:

Certified Information Security Manager Exam Prep Guide

CISA – Certified Information Systems Auditor Study Guide

CISA – Certified Information Systems Auditor Study Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Understanding governance, risk management, and compliance

Key aspects from the CISM exam perspective

Questions