Certified Information Security Manager Exam Prep Guide - Second Edition

By: Hemang Doshi

Overview of this book

CISM is a globally recognized and much sought-after certification in the field of IT security. This second edition of the Certified Information Security Manager Exam Prep Guide is up to date with complete coverage of the exam content through comprehensive and exam-oriented explanations of core concepts. Written in a clear, succinct manner, this book covers all four domains of the CISM Review Manual. With this book, you’ll unlock access to a powerful exam-prep platform which includes interactive practice questions, exam tips, and flashcards. The platform perfectly complements the book and even lets you bring your questions directly to the author. This mixed learning approach of exploring key concepts through the book and applying them to answer practice questions online is designed to help build your confidence in acing the CISM certification. By the end of this book, you'll have everything you need to succeed in your information security career and pass the CISM certification exam with this handy, on-the-job desktop reference guide.

Legal, Regulatory, and Contractual Requirements

An information security manager should pay close attention to adherence to laws and regulations. Laws and regulations should be addressed to the extent that they impact the organization.

Processes should be in place to scan all new regulations and determine their applicability to the organization.

The information security manager is required to determine the processes and activities that may be impacted and whether existing controls are adequate to address any new regulations. If not, further controls should be implemented to address the new regulations.

Departments affected by any new regulations are in the best position to determine the impact of new regulatory requirements on their processes, as well as the best ways to address them.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

| Question | Possible Answer |
| --- | --- |
| Who should determine the control processes for any new regulatory requirements? | The affected department (as they are in the best position to determine the impact of new regulatory requirements on their processes and the best way to address them) |
| What is the first step of an information security manager who notices a new regulation impacting one of the organization's processes? | To determine the processes and activities that may be impacted; to assess whether existing controls meet the regulations |
| What is the major focus of privacy law? | To protect identifiable personal data |
| Which factors have the greatest impact on the security strategy? | Organizational goals and objectives |

Figure 1.4: Key aspects from the CISM exam perspective

Practice Question Set 3

  1. An information security steering committee has approved the implementation of a bring your own device (BYOD) policy for mobile devices. As an information security manager, what should your first step be?
    1. To ask management to stop the BYOD policy implementation, stating the associated risk
    2. To prepare a business case for the implementation of BYOD controls
    3. To make the end users aware of BYOD risks
    4. To determine the information security strategy for BYOD
  2. New regulatory requirements impacting information security will mostly come from which of the following?
    1. The chief legal officer
    2. The chief audit officer
    3. Affected departments
    4. Senior management
  3. Primarily, the requirements of an information security program are based on which of the following?
    1. The IT policy
    2. The desired outcomes
    3. The management perceptions
    4. The security strategy
  4. Which of the following should be the first step of an information security manager who notices a new regulation impacting one of the organization's processes?
    1. To pass on responsibility to the process owner for compliance
    2. To survey the industry practices
    3. To assess whether existing controls meet the regulation
    4. To update the IT security policy
  5. Privacy laws are mainly focused on which of the following?
    1. Big data analytics
    2. Corporate data
    3. Identity theft
    4. Identifiable personal data
  6. The information security manager notices a regulation that impacts the handling of sensitive data. Which of the following should they do first?
    1. Determine the processes and activities that may be impacted.
    2. Present a risk treatment option to senior management.
    3. Determine the cost of control.
    4. Discuss the possible consequences with the process owner.
  7. The information security manager should address laws and regulations in which way?
    1. To the extent that they impact the organization
    2. To meet the certification standards
    3. To address the requirements of policies
    4. To reduce the cost of compliance
  8. What is the most important consideration for organizations involved in cross-border transactions?
    1. The capability of the IT architecture
    2. The evolving data protection regulations
    3. The cost of network bandwidth
    4. The incident management process
  9. What should be the next step for the board of directors when they notice new regulations are impacting some of the organization's processes?
    1. Instruct the information security department to implement specific controls
    2. Evaluate various solutions to address the new regulations
    3. Require management to report on compliance
    4. Evaluate the cost of implementing new controls
  10. Which of the following factors is the most difficult to estimate?
    1. Vulnerabilities in the system
    2. Legal and regulatory requirements
    3. Compliance timelines
    4. The threat landscape
  11. What should the next step be for an information security manager upon noticing new regulations impacting some of the organization's processes?
    1. To identify whether the current controls are adequate
    2. To update the audit department about the new regulations
    3. To present a business case to senior management
    4. To implement the requirements of new regulations