Course Domains
This course contains the following domains.
Domain 1: Information Security Governance
- CISM Introduction
- Information Security
- Business Goals, Objectives, and Functions
- Business Goals and Information Security
- Information Security Threats
- Information Security Management
- Identity Management
- Data Protection
- Network Security
- Personnel Security
- Facility Security
- Security Compliance and Standards
- Information Security Strategy
- Inputs and Outputs of the Information Security Strategy
- Processes in an Information Security Strategy
- People in an Information Security Strategy
- Technologies in an Information Security Strategy
- Logical and Physical Information Security Strategy Architectures
- Information Security and Business Functions
- Information Security Policies and Enterprise Objectives
- International Standards for Security Management
- ISO/IEC 27000 Standards
- International Info Government Standards
- Information Security Government Standards in the United States
- Methods of Coordinating Information Security Activities
- How to Develop an Information Security Strategy
- Information Security Governance
- Role of Security in Governance
- Scope of Information Security Governance
- Charter of Information Security Governance
- Information Security Governance and Enterprise Governance
- How to Align Information Security Strategy with Corporate Governance
- Regulatory Requirements and Information Security
- Business Impact of Regulatory Requirements
- Liability Management
- Liability Management Strategies
- How to Identify Legal and Regulatory Requirements
- Business Case Development
- Budgetary Reporting Methods
- Budgetary Planning Strategy
- How to Justify Investment in Info Security
- Organizational Drivers
- Impact of Drivers on Info Security
- Third Party Relationships
- How to Identify Drivers Affecting the Organization
- Purpose of Obtaining Commitment to Info Security
- Methods for Obtaining Commitment
- ISSG
- ISSG Roles and Responsibilities
- ISSG Operation
- How to Obtain Senior Management’s Commitment to Info Security
- Info Security Management Roles and Responsibilities
- How to Define Roles and Responsibilities for Info Security
- The Need for Reporting and Communicating
- Methods for Reporting in an Organization
- Methods of Communication in an Organization
- How to Establish Reporting and Communicating Channels
Domain 2: Risk Management
- Risk
- Risk Assessment
- Info Threat Types
- Info Vulnerabilities
- Common Points of Exposure
- Info Security Controls
- Types of Info Security Controls
- Common Info Security Countermeasures
- Overview of the Risk Assessment Process
- Factors Used in Risk Assessment and Analysis
- Risk Assessment Methodologies
- Quantitative Risk Assessment – Part 1
- Quantitative Risk Assessment – Part 2
- Qualitative Risk Assessment
- Hybrid Risk Assessment
- Best Practices for Info Security Management
- Gap Analysis
- How to Implement an Info Risk Assessment Process
- Info Classification Schemas
- Components of Info Classification Schemas
- Info Ownership Schemas
- Components of Info Ownership Schemas
- Info Resource Valuation
- Valuation Methodologies
- How to Determine Info Asset Classification and Ownership
- Baseline Modeling
- Control Requirements
- Baseline Modeling and Risk Based Assessment of Control Requirements
- How to Conduct Ongoing Threat and Vulnerability Evaluations
- BIAs
- BIA Methods
- Factors for Determining Info Resource Sensitivity and Criticality
- Impact of Adverse Events
- How to Conduct Periodic BIAs
- Methods for Measuring Effectiveness of Controls and Countermeasures
- Risk Mitigation
- Risk Mitigation Strategies
- Effect of Implementing Risk Mitigation Strategies
- Acceptable Levels of Risk
- Cost Benefit Analysis
- How to Identify and Evaluate Risk Mitigation Strategies
- Life Cycle Processes
- Life Cycle-Based Risk Management
- Risk Management Life Cycle
- Business Life Cycle Processes Affected by Risk Management
- Life Cycle-Based Risk Management Principles and Practices
- How to Integrate Risk Management Into Business Life Cycle Processes
- Significant Changes
- Risk Management Process
- Risk Reporting Methods
- Components of Risk Reports
- How to Report Changes in Info Risk
Domain 3: Information Security Program
- Info Security Strategies
- Common Info Security Strategies
- Info Security Implementation Plans
- Conversion of Strategies Into Implementation Plans
- Info Security Programs
- Info Security Program Maintenance
- Methods for Maintaining an Info Security Program
- Succession Planning
- Allocation of Jobs
- Program Documentation
- How to Develop Plans to Implement an Info Security Strategy
- Security Technologies and Controls
- Cryptographic Techniques
- Symmetric Cryptography
- Public Key Cryptography
- Hashes
- Access Control
- Access Control Categories
- Physical Access Controls
- Technical Access Controls
- Administrative Access Controls
- Monitoring Tools
- IDSs
- Anti-Virus Systems
- Policy-Compliance Systems
- Common Activities Required in Info Security Programs
- Prerequisites for Implementing the Program
- Implementation Plan Management
- Types of Security Controls
- Info Security Controls Development
- How to Specify Info Security Program Activities
- Business Assurance Function
- Common Business Assurance Functions
- Methods for Aligning Info Security Programs with Business Assurance Functions
- How to Coordinate Info Security Programs with Business Assurance Functions
- SLAs
- Internal Resources
- External Resources
- Services Provided by External Resources – Part 1
- Services Provided by External Resources – Part 2
- Skills Commonly Required for Info Security Program Implementation
- Identification of Resources and Skills Required for a Particular Implementation
- Resource Acquisition Methods
- Skills Acquisition Methods
- How to Identify Resources Needed for Info Security Program Implementation
- Info Security Architectures
- The SABSA Model for Security Architecture
- Deployment Considerations
- Deployment of Info Security Architectures
- How to Develop Info Security Architecture
- Info Security Policies
- Components of Info Security Policies
- Info Security Policies and the Info Security Strategy
- Info Security Policies and Enterprise Business Objectives
- Info Security Policy Development Factors
- Methods for Communicating Info Security Policies
- Info Security Policy Maintenance
- How to Develop Info Security Policies
- Info Security Awareness Program, Training Programs, and Education Programs
- Security Awareness, Training, and Education Gap Analysis
- Methods for Closing the Security Awareness, Training, and Education Gaps
- Security-Based Cultures and Behaviors
- Methods for Establishing and Maintaining a Security-Based Culture in the Enterprise
- How to Develop Info Security Awareness, Training, and Education Programs
- Supporting Documentation for Info Security Policies
- Standards, Procedures, Guidelines, and Baselines
- Codes of Conduct
- NDAs
- Methods for Developing Supporting Documentation
- Methods for Implementing Supporting Documentation and for Communicating Supporting Documentation
- Methods for Maintaining Supporting Documentation
- C and A
- C and A Programs
- How to Develop Supporting Documentation for Info Security Policies
Domain 4: Information Security Program Implementation
- Enterprise Business Objectives
- Integrating Enterprise Business Objectives & Info Security Policies
- Organizational Processes
- Change Control
- Mergers & Acquisitions
- Organizational Processes & Info Security Policies
- Methods for Integrating Info Security Policies & Organizational Processes
- Life Cycle Methodologies
- Types of Life Cycle Methodologies
- How to Integrate Info Security Requirements Into Organizational Processes
- Types of Contracts Affected by Info Security Programs
- Joint Ventures
- Outsourced Providers & Info Security
- Business Partners & Info Security
- Customers & Info Security
- Third Party & Info Security
- Risk Management
- Risk Management Methods & Techniques for Third Parties
- SLAs & Info Security
- Contracts & Info Security
- Due Diligence & Info Security
- Suppliers & Info Security
- Subcontractors & Info Security
- How to Integrate Info Security Controls Into Contracts
- Info Security Metrics
- Types of Metrics Commonly Used for Info Security
- Metric Design, Development & Implementation
- Goals of Evaluating Info Security Controls
- Methods of Evaluating Info Security Controls
- Vulnerability Testing
- Types of Vulnerability Testing
- Effects of Vulnerability Assessment & Testing
- Vulnerability Correction
- Commercial Assessment Tools
- Goals of Tracking Info Security Awareness, Training, & Education Programs
- Methods for Tracking Info Security Awareness, Training, & Education Programs
- Evaluation of Training Effectiveness & Relevance
- How to Create Info Security Program Evaluation Metrics
Domain 5: Information Security Program Management
- Management Metrics
- Types of Management Metrics
- Data Collection
- Periodic Reviews
- Monitoring Approaches
- KPIs
- Types of Measurements
- Other Measurements
- Info Security Reviews
Domain 6: Incident Management and Response
- The Role of Assurance Providers
- Comparing Internal and External Assurance Providers
- Line Management Technique
- Budgeting
- Staff Management
- Facilities
- How to Manage Info Security Program Resources
- Security Policies
- Security Policy Components
- Implementation of Info Security Policies
- Administrative Processes and Procedures
- Access Control Types
- ACM
- Access Security Policy Principles
- Identity Management and Compliance
- Authentication Factors
- Remote Access
- User Registration
- Procurement
- How to Enforce Policy and Standards Compliance
- Types of Third Party Relationships
- Methods for Managing Info Security Regarding Third Parties
- Security Service Providers
- Third Party Contract Provisions
- Methods to Define Security Requirements in SLAs, Security Provisions and SLAs, and Methods to Monitor Security
- How to Enforce Contractual Info Security Controls
- SDLC
- Code Development
- Common Techniques for Security Enforcement
- How to Enforce Info Security During Systems Development
- Maintenance
- Methods of Monitoring Security Activities
- Impact of Change and Configuration Management Activities
- How to Maintain Info Security Within an Organization
- Due Diligence Activities
- Types of Due Diligence Activities
- Reviews of Info Access
- Standards of Managing and Controlling Info Access
- How to Provide Info Security Advice and Guidance
- Info Security Awareness
- Types of Info Security Stakeholders
- Methods of Stakeholder Education
- Security Stakeholder Education Process
- How to Provide Info Security Awareness and Training
- Methods of Testing the Effectiveness of Info Security Controls
- The Penetration Testing Process
- Types of Penetration Testing
- Password Cracking
- Social Engineering Attacks
- Social Engineering Types
- External Vulnerability Reporting Sources
- Regulatory Reporting Requirements
- Internal Reporting Requirements
- How to Analyze the Effectiveness of Info Security Controls
- Noncompliance Issues
- Security Baselines
- Events Affecting the Security Baseline
- Info Security Problem Management Process
- How to Resolve Noncompliance Issues