
5/6/2016 © 2016 Firebrand

CISM™: Certified Information Security Manager

Firebrand Custom Designed Courseware

Logistics

Start Time
Breaks
End Time
Fire escapes
Instructor
Introductions

Introduction to Information Security Management

Course Mission

Educational Value
• Both theoretical and practical
• Up-to-date
• Relevant

CISM: Certified Information Security Manager

• Designed for personnel that have (or want to have) responsibility for managing an Information Security program
• Tough but very good quality examination
• Requires understanding of the concepts behind a security program – not just the definitions

CISM Exam Review Course Overview

The CISM Exam is based on the CISM job practice.
• The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content.
There are four content areas that the CISM candidate is expected to know.

Job Practice Areas

Domain Structure

The four job practice areas, shown on the slide as a diagram whose arrows are labelled Mandates, Requires, Deploys, Reports To and Influences:
• Information Security Governance
• Information Security Incident Management
• Information Risk Management and Compliance
• Information Security Program Development and Management

CISM Qualifications

To earn the CISM designation, information security professionals are required to:
• Successfully pass the CISM exam
• Adhere to the ISACA Code of Professional Ethics
• Agree to comply with the CISM continuing education policy
• Submit verified evidence of five (5) years of work experience in the field of information security

The Examination

The exam consists of 200 multiple choice questions that cover the CISM job practice areas.
Four hours are allotted for completing the exam.
See the Job Practice Areas, including Task Statements and Knowledge Statements, listed on the ISACA website.

Examination Day

Be on time!!
• The doors are locked when the instructions start – approximately 30 minutes before examination start time.
Bring the admission ticket (sent out prior to the examination from ISACA) and an acceptable form of original photo identification (passport, photo ID or driver's license).

Completing the Examination Items

• Bring several #2 pencils and an eraser
• Read each question carefully
• Read ALL answers prior to selecting the BEST answer
• Mark the appropriate answer on the test answer sheet
• When correcting an answer be sure to thoroughly erase the wrong answer before filling in a new one
• There is no penalty for guessing. Answer every question.

Grading the Exam

Candidate scores are reported as a scaled score based on the conversion of a candidate’s raw score on an exam to a common scale.
ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
Exam results will be mailed (and emailed) out approximately 6-8 weeks after the exam date.
Good Luck!

End of Introduction

Welcome to the CISM course!!

2016 CISM Review Course
Chapter 1: Information Security Governance

Information Security Management

The responsible protection of the information assets of the organization
Supporting Security Governance and risk management
Adoption of a security framework and standards
ISACA CISM Review Manual Page 14

Governance

Governance:
• Ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved
• Setting direction through prioritization and decision-making
• Monitoring performance and compliance against agreed-on directions and objectives
ISACA CISM Review Manual Page 14

Examination Content

The CISM Candidate understands:
• Effective security governance framework
• Building and deploying a security strategy aligned with organizational goals
• Managing risk appropriately
• Responsible management of program resources
The content area in this chapter will represent approximately 24% of the CISM examination (approximately 48 questions).
ISACA CISM Review Manual Page 14

Learning Objectives

Align the organization’s information security strategy with business goals and objectives
• Obtain Senior Management commitment
Provide support for:
• Governance
• Business cases to justify security
• Compliance with legal and regulatory mandates
ISACA CISM Review Manual Page 14

Learning Objectives cont.

Provide support for:
• Organizational priorities and strategy
• Identifying drivers affecting the organization
• Defining roles and responsibilities
• Establishing metrics to report on the effectiveness of the security strategy
ISACA CISM Review Manual Page 14

CISM Priorities

The CISM must understand:
• Requirements for effective information security governance
• Elements and actions required to:
  • Develop an information security strategy
  • Produce a plan of action to implement it
ISACA CISM Review Manual Page 14

Information Security Governance

Information is indispensable to conduct business effectively today
Information must:
• Be available
• Have integrity of data and process
• Be kept confidential as needed
Protection of information is a responsibility of the Board of Directors
ISACA CISM Review Manual Page 31

Information Security

Information Protection includes:
• Accountability
• Oversight
• Prioritization
• Risk Management
• Compliance (Regulations and Legislation)
ISACA CISM Review Manual Page 31

Information Security Governance Overview

Information security is much more than just IT security (more than technology)
Information must be protected at all levels of the organization and in all forms
• Information security is a responsibility of everyone
• In all forms – paper, fax, audio, video, microfiche, networks, storage media, computer systems
ISACA CISM Review Manual Page 31

Security Program Priorities

Achieve high standards of corporate governance
Treat information security as a critical business issue
Create a security positive environment
Have declared responsibilities

Security versus Business

Security must be aligned with business needs and direction
Security is woven into the business functions
• Provides:
  • Strength
  • Resilience
  • Protection
  • Stability
  • Consistency

Security Program Objectives

Ensure the availability of systems and data
• Allow access to the correct people in a timely manner
Protect the integrity of data and business processes
• Ensure no improper modifications
Protect confidentiality of information
• Prevent unauthorized disclosure of information
  • Privacy, trade secrets

Selling the Importance of Information Security

Benefits of effective information security governance include:
• Improved trust in customer relationships
• Protecting the organization’s reputation
• Better accountability for safeguarding information during critical business activities
• Reduction in loss through better incident handling and disaster recovery
ISACA CISM Review Manual Page 31

The First Priority for the CISM

Remember that Information Security is a business-driven activity.
• Security is here to support the interests and needs of the organization – not just the desires of security
• Security is always a balance between cost and benefit; security and productivity
ISACA CISM Review Manual Page 31

Corporate Governance

Business Goals and Objectives

Corporate governance is the set of responsibilities and practices exercised by the board and executive management
Goals include:
– Providing strategic direction
– Reaching security and business objectives
– Ensuring that risks are managed appropriately
– Verifying that the enterprise’s resources are used responsibly
ISACA CISM Review Manual Page 32

Outcomes of Information Security Governance

The six basic outcomes of effective security governance:
• Strategic alignment
• Risk management
• Value delivery
• Resource optimization
• Performance measurement
• Integration
ISACA CISM Review Manual Page 32

Benefits of Information Security Governance

Effective information security governance can offer many benefits to an organization, including:
• Compliance and protection from litigation or penalties
• Cost savings through better risk management
• Avoiding the risk of lost opportunities
• Better oversight of systems and business operations
• Opportunity to leverage new technologies to business advantage
ISACA CISM Review Manual Page 32

Performance and Governance

Governance is only possible when metrics are in place for:
• Measuring
• Monitoring
• Reporting
on whether critical organizational objectives are achieved
Enterprise-wide measurements should be developed
ISACA CISM Review Manual Page 33

Governance Roles and Responsibilities

Board of Directors/Senior Management
• Effective security requires senior management support
Steering Committee
• Ensure continued alignment between IT and business objectives
CISO – Chief Information Security Officer
• Ensures security is addressed at a senior management level
ISACA CISM Review Manual Page 35, 36

Governance Roles and Responsibilities cont.

System Owners
• Responsible for ensuring that adequate protection is in place to protect systems and the data they process
Information Owners
• Responsible for the protection of data regardless of where it resides or is processed
ISACA CISM Review Manual Page 37

Gaining Management Support

Formal presentation
• From a business perspective
• Align security with the business
• Identify risk and consequences
• Describe audit and reporting procedures
ISACA CISM Review Manual Page 38

Communication Channels

Track the status of the security program
Share security awareness and knowledge of risk
Communicate policies and procedures
Deliver to all staff at an appropriate level of detail
ISACA CISM Review Manual Page 38

GRC

The combination of overlapping activities into a single business process to recognize the importance to senior management of information security and assurance:
• Governance
• Risk
• Compliance
ISACA CISM Review Manual Page 40

BMIS

The Business Model for Information Security is one approach to show the interrelationship between several elements of a robust security management program:
• Organization Design and Strategy
• People
• Process
• Technology
ISACA CISM Review Manual Page 41

BMIS cont.

The interaction of these elements is important to provide coordination between the dynamic elements of security:
• Governance
• Culture
• Enablement and Support
• Emergence
• Human Factors
• Architecture
ISACA CISM Review Manual Page 42

Governance of Third-Party Relationships

As organizations move more towards the use of third parties for support (e.g., the Cloud), the need to govern and manage these relationships is of increasing importance.
• Service providers
• Outsourced operations
• Trading partners
• Merged or acquired organizations
ISACA CISM Review Manual Page 43

Information Security Metrics

A framework that cannot be measured cannot be trusted. The security program must be accountable for its budget, deliverables and strategy. Its metrics should be:
• Meaningful
• Accurate
• Cost-effective
• Repeatable
• Predictive
• Actionable
• Genuine
ISACA CISM Review Manual Page 44

KPIs and KGIs

Indicate attainment of service goals, organizational objectives and milestones.
Key Goal Indicators
Key Risk Indicators
ISACA CISM Review Manual Page 46

Security Integration

Security needs to be integrated INTO the business processes
The goal is to reduce security gaps through organization-wide security programs
Integrate IT with:
• Physical security
• Risk Management
• Privacy and Compliance
• Business Continuity Management
ISACA CISM Review Manual Page 46

Areas to Measure (Metrics)

Risk Management
Value Delivery
Resource Management
Performance Measurement
• Incident reporting
• Benchmarking
ISACA CISM Review Manual Page 47

Developing Information Security Strategy

Information Security Strategy
• Long term perspective
• Standard across the organization
• Aligned with business strategy / direction
• Understands the culture of the organization
• Reflects business priorities
ISACA CISM Review Manual Page 49

The Desired State of Security

The “desired state of security” must be defined in terms of attributes, characteristics and outcomes
• It should be clear to all stakeholders what the intended security state is
ISACA CISM Review Manual Page 53

The Desired State cont.

One definition of the desired state:
“Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity”
• Focuses on IT-related processes from IT governance, management and control perspectives
ISACA CISM Review Manual Page 53

Elements of a Strategy

A security strategy needs to include:
• Resources needed
• Constraints
• A road map
  • Includes people, processes, technologies and other resources
  • A security architecture: defining business drivers, resource relationships and process flows
Achieving the desired state is a long-term goal of a series of projects
ISACA CISM Review Manual Page 53

Business Linkages

Business linkages
• Start with understanding the specific objectives of a particular line of business
• Take into consideration all information flows and processes that are critical to ensuring continued operations
• Enable security to be aligned with and support business at strategic, tactical and operational levels
ISACA CISM Review Manual Page 53

Objectives of Security Strategy

The objectives of an information security strategy must:
• Be defined
• Be supported by metrics (measurable)
  • Capability Maturity Model (CMM)
• Provide guidance
ISACA CISM Review Manual Page 55

Balanced Scorecard (BSC)

See next slide for diagram
Ensures that multiple perspectives are considered when developing a security strategy
Seeks balance between competing interests
ISACA CISM Review Manual Page 55

Balanced Scorecard (BSC) diagram

Labels on the diagram: Financial, Customer, Learning, Process, Information
ISACA CISM Review Manual Page 55

The Maturity of the Security Program Using CMM

0: Nonexistent - No recognition by organization of need for security
1: Ad hoc - Risks are considered on an ad hoc basis – no formal processes
2: Repeatable but intuitive - Emerging understanding of risk and need for security
3: Defined process - Companywide risk management policy/security awareness
4: Managed and measurable - Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place
5: Optimized - Organization-wide processes implemented, monitored and managed
ISACA CISM Review Manual Page 55

The ISO27001:2013 Framework

The goal of ISO27001:2013 is to establish, implement, maintain and continually improve an information security management system
Contains:
• 14 Clauses, 35 Control Objectives and 114 controls
ISACA CISM Review Manual Page 56

Risk Management

The basis for most security programs is Risk Management:
• Risk identification
• Risk Mitigation
• Ongoing Risk Monitoring and evaluation
The CISM must remember that risk is measured according to potential impact on the ability of the business to meet its mission – not just on the impact on IT.
ISACA CISM Review Manual Page 56

Examples of Other Security Frameworks

SABSA (Sherwood Applied Business Security Architecture)
COBIT
COSO
Business Model for Information Security
• Model originated at the Institute for Critical Information Infrastructure Protection
ISACA CISM Review Manual Page 49, 61

Examples of Other Security Frameworks cont.

• ISO standards on quality (ISO 9001:2000)
• Six Sigma
• Publications from NIST and ISF
• US Federal Information Security Management Act (FISMA)
ISACA CISM Review Manual Page 56

Constraints and Considerations for a Security Program

Constraints
Legal—Laws and regulatory requirements
Physical—Capacity, space, environmental constraints
Ethics—Appropriate, reasonable and customary
Culture—Both inside and outside the organization
Costs—Time, money
Personnel—Resistance to change, resentment against new constraints
ISACA CISM Review Manual Page 59

Constraints and Considerations for a Security Program cont.

Constraints
Organizational structure—How decisions are made and by whom, turf protection
Resources—Capital, technology, people
Capabilities—Knowledge, training, skills, expertise
Time—Window of opportunity, mandated compliance
Risk tolerance—Threats, vulnerabilities, impacts
ISACA CISM Review Manual Page 59

Security Program

Starts with theory and concepts
• Policy
Interpreted through:
• Procedures
• Baselines
• Standards
Measured through audit
ISACA CISM Review Manual Page 60

Architecture

Information security architecture is similar to physical architecture
• Requirements definition
• Design / Modeling
• Creation of detailed blueprints
• Development, deployment
Architecture is planning and design to meet the needs of the stakeholders
Security architecture is one of the greatest needs for most organizations
ISACA CISM Review Manual Page 60

Using an Information Security Framework

Effective information security is provided through adoption of a security framework
− Defines information security objectives
− Aligns with business objectives
− Provides metrics to measure compliance and trends
− Standardizes baseline security activities enterprise-wide
ISACA CISM Review Manual Page 62

The Goal of Information Security

The goal of information security is to protect the organization’s assets, individuals and mission
This requires:
• Asset identification
  • Classification of data and systems according to criticality and sensitivity
  • Application of appropriate controls
ISACA CISM Review Manual Page 62

Controls

Non-IT controls
• Labeling, handling requirements
Countermeasures
• Reduce a vulnerability (reduce likelihood or impact of an incident)
Layered Defense
ISACA CISM Review Manual Page 63

Elements of Risk and Security

The next few slides list many factors that go into a Security program.
ISACA CISM Review Manual Page 64

Information Security Concepts

Access
Architecture
Attacks
Auditability
Authentication
Authorization
Availability
Business dependency analysis
Business impact analysis
Confidentiality
Countermeasures
Criticality
Data classification
Exposures
Gap analysis
Governance
ISACA CISM Review Manual Page 64-69

Information Security Concepts cont.

Identification
Impact
Integrity
Layered security
Management
Nonrepudiation
Risk / Residual risk
Security metrics
Sensitivity
Standards
Strategy
Threats
Vulnerabilities
Enterprise architecture
Security domains
Trust models
ISACA CISM Review Manual Page 64-69

Security Program Elements

Policies
Standards
Procedures
Guidelines
Controls—physical, technical, procedural
Technologies
Personnel security
Organizational structure
Skills
ISACA CISM Review Manual Page 64-69

Security Program Elements cont.

Training
Awareness and education
Compliance enforcement
Outsourced security providers
Other organizational support and assurance providers
Facilities
Environmental security
ISACA CISM Review Manual Page 64-69

Centralized versus Decentralized Security

Which is better?
Consistency versus flexibility
Central control versus local ownership
Procedural versus responsive
Core skills versus distributed skills
Visibility to senior management versus visibility to users and local business units
ISACA CISM Review Manual Page 65

Audit and Assurance of Security

Objective review of security risk, controls and compliance
Assurance regarding the effectiveness of security is a part of regular organizational reporting and monitoring
ISACA CISM Review Manual Page 66

Ethical Standards

Rules of behaviour
• Legal
• Corporate
• Industry
• Personal
ISACA CISM Review Manual Page 68

Ethical Responsibility

Responsibility to all stakeholders
• Customers
• Suppliers
• Management
• Owners
• Employees
• Community
ISACA CISM Review Manual Page 68

Evaluating the Security Program

Metrics are used to measure results
Measure security concepts that are important to the business
Use metrics that can be used for each reporting period
• Compare results and detect trends
ISACA CISM Review Manual Page 71

Effective Security Metrics

Set metrics that will indicate the health of the security program
• Incident management
• Degree of alignment between security and business development
  • Was security consulted?
  • Were controls designed into the systems or added later?
ISACA CISM Review Manual Page 71

Effective Security Metrics cont.

Choose metrics that can be controlled
• Measure items that can be influenced or managed by local managers / security
• Not external factors such as the number of viruses released in the past year
• Have clear reporting guidelines
• Monitor on a regular scheduled basis
ISACA CISM Review Manual Page 71

Key Performance Indicators (KPIs)

Thresholds to measure
• Compliance / non-compliance
• Pass / fail
• Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action should / must be taken
• Alarm point
ISACA CISM Review Manual Page 71
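The alarm-point idea on this slide, combined with the earlier advice to reuse the same metrics each reporting period so results can be compared and trends detected, is shown below as an added Python example. It is not part of the Firebrand courseware or the ISACA manual; the metric names, alarm points and quarterly figures are constructed for illustration, and the trend rule (three consecutive periods moving the same way) is an assumption of the example rather than an ISACA definition.

```python
"""Security metrics evaluated against KPI alarm points, with trend detection.

Added example, not ISACA or Firebrand material. Metric names, thresholds and
quarterly values are constructed (hypothetical).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Kpi:
    name: str
    alarm_point: float     # level at which action should / must be taken
    higher_is_worse: bool  # True for counts of bad events, False for coverage percentages


# Constructed sample: one value per quarterly reporting period, oldest first
PERIODS = ["2015-Q3", "2015-Q4", "2016-Q1", "2016-Q2"]
METRICS = {
    "incidents_open_over_30_days": [4, 6, 9, 12],
    "mean_hours_to_contain_incident": [30.0, 26.5, 22.0, 19.0],
    "projects_with_security_review_pct": [70.0, 75.0, 68.0, 62.0],
}
KPIS = [
    Kpi("incidents_open_over_30_days", 10, True),
    Kpi("mean_hours_to_contain_incident", 24.0, True),
    Kpi("projects_with_security_review_pct", 80.0, False),
]


def kpi_status(kpi, value):
    """'fail' when the value is past the alarm point in the bad direction, else 'pass'."""
    breached = value > kpi.alarm_point if kpi.higher_is_worse else value < kpi.alarm_point
    return "fail" if breached else "pass"


def direction(values, window=3):
    """'rising' or 'falling' when every step across the last `window` periods
    moves the same way; 'flat' otherwise (a single period has no trend)."""
    recent = values[-window:]
    steps = [later - earlier for earlier, later in zip(recent, recent[1:])]
    if steps and all(s > 0 for s in steps):
        return "rising"
    if steps and all(s < 0 for s in steps):
        return "falling"
    return "flat"


def evaluate(metrics=METRICS, kpis=KPIS, periods=PERIODS):
    """Per-KPI report for the latest period: value, pass/fail against the alarm
    point, and whether the recent trend is improving or worsening."""
    report = {}
    for kpi in kpis:
        values = metrics[kpi.name]
        move = direction(values)
        if move == "flat":
            trend = "flat"
        else:
            # a rising bad-event count or a falling coverage percentage is worsening
            trend = "worsening" if (move == "rising") == kpi.higher_is_worse else "improving"
        report[kpi.name] = {
            "period": periods[-1],
            "value": values[-1],
            "status": kpi_status(kpi, values[-1]),
            "trend": trend,
        }
    return report


def needs_action(report):
    """KPIs past their alarm point, plus passing ones trending toward it, so the
    manager sees a problem before the threshold is actually crossed."""
    return sorted(name for name, r in report.items()
                  if r["status"] == "fail" or r["trend"] == "worsening")


if __name__ == "__main__":
    result = evaluate()
    for name, r in result.items():
        print(f"{r['period']} {name}: {r['value']} {r['status']} ({r['trend']})")
    print("action required:", needs_action(result))
```

With the constructed figures, the open-incident count has crossed its alarm point and is still rising, containment time is passing and improving, and review coverage is failing and worsening; only the last two of those three would be visible from a single period's pass/fail result, which is why the slide pairs thresholds with period-over-period comparison.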

End to End Security

Security must be enabled across the organization – not just on a system by system basis
Performance measures should ensure that security systems are integrated with each other
• Layered defenses
ISACA CISM Review Manual Page 74

Correlation Tools

The CISM may use Security Information and Event Management (SIEM; also SIM, SEM) tools to aggregate data from across the organization
• Data analysis
• Trend detection
• Reporting tools
Added value on exam but not in the ISACA book
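What "aggregate data from across the organization" buys a security manager is easiest to see with two log sources whose formats differ. The added Python example below is not from the courseware or from any SIEM product: it normalizes a constructed VPN log and a constructed web portal log into one event stream, produces a per-source failure count for reporting, and applies one correlation rule that only fires when failures from both sources are counted together. Host names, user names, addresses, the log formats and the rule's thresholds are all constructed assumptions of the example.

```python
"""SIEM-style aggregation and correlation over two constructed log sources.

Added example, not ISACA or Firebrand material. Host names, users, addresses
and log formats are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: a VPN gateway log and a web portal log
VPN_LOG = """\
2016-05-06T08:01:10Z vpn01 auth user=alice src=203.0.113.7 result=FAIL
2016-05-06T08:01:25Z vpn01 auth user=alice src=203.0.113.7 result=FAIL
2016-05-06T08:02:02Z vpn01 auth user=alice src=203.0.113.7 result=FAIL
2016-05-06T08:03:40Z vpn01 auth user=bob src=198.51.100.4 result=OK
"""
PORTAL_LOG = """\
2016-05-06T08:02:30Z portal login alice 203.0.113.7 denied
2016-05-06T08:04:15Z portal login alice 203.0.113.7 granted
2016-05-06T09:10:00Z portal login carol 192.0.2.9 granted
"""

VPN_RE = re.compile(r"^(\S+) (\S+) auth user=(\S+) src=(\S+) result=(OK|FAIL)$")
PORTAL_RE = re.compile(r"^(\S+) (\S+) login (\S+) (\S+) (granted|denied)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(log_text, pattern, success_token):
    """Parse one source into common event records so different formats can be
    analysed together; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        ts, source, user, ip, outcome = m.groups()
        events.append({"ts": _ts(ts), "source": source, "user": user,
                       "ip": ip, "ok": outcome == success_token})
    return events


def load_events():
    """Aggregate both sources into one time-ordered event list."""
    events = normalize(VPN_LOG, VPN_RE, "OK") + normalize(PORTAL_LOG, PORTAL_RE, "granted")
    return sorted(events, key=lambda e: e["ts"])


def failures_by_source(events):
    """Reporting view: failed logins per source, the kind of figure a trend report tracks."""
    return dict(Counter(e["source"] for e in events if not e["ok"]))


def correlate(events, min_failures=4, window=timedelta(minutes=10)):
    """Flag a user whose successful login follows `min_failures` or more failed
    attempts from the same address within `window`. Failures are counted across
    every source, so a pattern no single product's log shows in full still fires."""
    by_user = defaultdict(list)
    for e in events:  # already time-ordered
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not ev["ok"]:
                continue
            prior = [p for p in evs[:i]
                     if not p["ok"] and p["ip"] == ev["ip"] and ev["ts"] - p["ts"] <= window]
            if len(prior) >= min_failures:
                findings.append({
                    "user": user,
                    "ip": ev["ip"],
                    "failures": len(prior),
                    "sources": sorted({p["source"] for p in prior}),
                    "success_at": ev["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    evs = load_events()
    print("failed logins by source:", failures_by_source(evs))
    for finding in correlate(evs):
        print("review:", finding)
```

In the constructed data the VPN log alone holds three failures and the portal log one, so neither source reaches the rule's threshold of four on its own; only the aggregated view does, which is the point the slide makes about correlation across the organization. The output is a finding for a human to review, not an automatic block.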

Regulations and Standards

The CISM must be aware of national:
• Laws
  • Privacy
• Regulations
  • Reporting, Performance
Industry standards:
• Payment Card Industry (PCI)
• Basel II
Added value on exam but not in the ISACA book

Effect of Regulations

Requirements for business operations
• Potential impact of breach
  • Cost
  • Reputation
• Scheduled reporting requirements
  • Frequency
  • Format
Added value on exam but not in the ISACA book

Reporting and Analysis

Data gathering at source
• Accuracy
• Identification
Reports signed by an Organizational Officer
Added value on exam but not in the ISACA book