Certified Information Security Manager Exam Prep Guide

Aligned with the latest edition of the CISM Review Manual to help you pass the exam with confidence

Hemang Doshi

BIRMINGHAM—MUMBAI

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha
Publishing Product Manager: Preet Ahuja
Senior Editor: Shazeen Iqbal
Content Development Editor: Romy Dias
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Joshua Misquitta

First published: November 2021
Production reference: 1241121

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-80107-410-0

www.packt.com

To my mother, Jyoti Doshi, and to the memory of my father, Hasmukh Doshi, for their sacrifices and for exemplifying the power of determination.
To my wife, Namrata Doshi, for being my loving partner throughout our life journey together, and to my 6-year-old daughter, Jia Doshi, for allowing me to write this book. To my sister, Pooja Shah, my brother-in-law, Hiren Shah, and my nephew, Phenil Shah, for their love, support, and inspiration. To my in-laws, Chandrakant Shah, Bharti Shah, and Ravish Shah, for their love and motivation. To my mentor and guide, Dipak Mazumder, for showing me how talent and creativity evolve. To the extremely talented editorial team at Packt, including Preet Ahuja, Neil D'mello, Shazeen Iqbal, and Romy Dias, for their wonderful support throughout the journey of writing this book.

– Hemang Doshi

Contributors

About the author

Hemang Doshi is a chartered accountant and a Certified Information System Auditor with more than 15 years' experience in the field of information system auditing/risk-based auditing/compliance auditing/vendor risk management/due diligence/system risk and control. He is the founder of CISA Exam Study and CRISC Exam Study, dedicated platforms for those studying for the CISA and CRISC certifications, respectively. He has also authored a few books on information security.

I wish to thank those people who have been close to me and supported me, especially my wife, Namrata, and my parents.

About the reviewers

When George McPherson was pulled through the ranks and pinned as a 21-year-old Sergeant in the U.S. Army over 20 years ago, he learned two things about himself. He could accomplish anything he put his mind to, and he would always pull others up if he was in a position to do so. George prides himself on integrity, an insane work ethic, attention to detail and (his greatest super-power) outside-the-box creativity. With 25 years in the technology industry, the first 18 in telecoms and the last 7 in cybersecurity, George has had the opportunity to work in industries such as the military, telecoms, local government, healthcare, and electric utilities.
George has over 20 professional certifications, including the CISM certification.

I would like to thank my beautiful wife, Audrey, whose constant support and sacrifice fuel my success.

Upen Patel is an IT professional with 20 years' experience, holding numerous professional IT certifications including CISM, CISA, CDPSE, CRISC, CCSP, CISSP, and Splunk Certified Architect. Upen attained a B.Sc. in geology from York College (CUNY), an M.Sc. in environment engineering from NYU Polytechnic Institute, and an M.Sc. in security and information assurance from Pace. Upen has held several positions, including cloud architect and security engineer, risk assessment expert, CyberArk consultant, and Splunk architecture consultant. He has worked on the implementation of many large public cloud projects on Azure and AWS and developed an automated DevRiskOps process in public. He has also implemented a large Splunk SIEM solution.

I would like to thank my family for their motivation and support.

Table of Contents

Preface

Section 1: Information Security Governance

1 Information Security Governance

Introducing information security governance 4
The responsibility of information security governance 4
Governance framework 5
Key aspects from the CISM exam perspective 6
Questions 7
Understanding governance, risk management, and compliance 14
Key aspects from the CISM exam perspective 14
Questions 15
Discovering the maturity model 15
Key aspects from the CISM exam perspective 16
Questions 16
Getting to know the information security roles and responsibilities 18
Board of directors 18
Senior management 19
Business process owners 19
Steering committee 19
Chief information security officer 20
Chief operating officer 20
Data custodian 20
Communication channel 20
Indicators of a security culture 21
Key aspects from the CISM exam perspective 21
Questions 22
Finding out about the governance of third-party relationships 36
The culture of an organization 37
Compliance with laws and regulations 37
Key aspects from the CISM exam perspective 38
Questions 38
Obtaining commitment from senior management 46
Information security investment 47
Strategic alignment 47
Key aspects from the CISM exam perspective 48
Questions 48
Introducing the business case and the feasibility study 56
Feasibility analysis 57
Key aspects from the CISM exam perspective 57
Questions 57
Understanding information security governance metrics 63
The objective of metrics 63
Technical metrics vis-à-vis governance-level metrics 63
Characteristics of effective metrics 63
Key aspects from the CISM exam perspective 64
Questions 64
Summary 67

2 Practical Aspects of Information Security Governance

Information security strategy and plan 70
Information security policies 70
Key aspects from the CISM exam perspective 71
Practice questions 72
Information security program 87
Key aspects from the CISM exam perspective 88
Practice questions 88
Enterprise information security architecture 91
Challenges in designing security architectures 91
Benefits of security architectures 92
Key aspects from the CISM exam perspective 92
Practice questions 92
Organizational structure 93
Board of directors 93
Security steering committee 93
Reporting of the security function 93
Centralized vis-à-vis decentralized security functioning 94
Key aspects from the CISM exam perspective 95
Practice questions 95
Record retention 97
Electronic discovery 97
Key aspects from the CISM exam perspective 97
Practice questions 98
Awareness and education 99
Increasing the effectiveness of security training 99
Key aspects from the CISM exam perspective 99
Summary 99

Section 2: Information Risk Management

3 Overview of Information Risk Management

Risk management overview 104
Phases of risk management 104
The outcome of the risk management program 105
Key aspects from the CISM exam's perspective 105
Questions 105
Risk management strategy 107
Risk capacity, appetite, and tolerance 107
Risk communication 108
Risk awareness 109
Tailored awareness program 109
Training effectiveness 109
Awareness training for senior management 109
Key aspects from the CISM exam's perspective 110
Questions 110
Implementing risk management 113
Risk management process 113
Integrating risk management in business processes 114
Prioritization of risk response 114
Defining a risk management framework 114
Defining the external and internal environment 115
Determining the risk management context 115
Gap analysis 115
Cost-benefit analysis 116
Other kinds of organizational support 116
Key aspects from the CISM exam's perspective 117
Questions 119
Risk assessment and analysis methodologies 139
Phases of risk assessment 139
Risk assessment 140
Asset identification 140
Asset valuation 140
Aggregated and cascading risk 141
Identifying risk 141
Threats and vulnerabilities 143
Risk, likelihood, and impact 144
Risk register 145
Risk analysis 145
Annual loss expectancy 148
Value at Risk (VaR) 148
OCTAVE 148
Other risk analysis methods 149
Evaluating risk 150
Risk ranking 151
Risk ownership and accountability 151
Risk treatment options 151
Understanding inherent risk and residual risk 152
Security baseline 153
Key aspects from the CISM exam's perspective 154
Questions 155
Summary 177

4 Practical Aspects of Information Risk Management

Information asset classification 180
Benefits of classification 180
Understanding the steps involved in classification 180
Success factors for effective classification 181
Criticality, sensitivity, and impact assessment 182
Business dependency assessment 182
Risk analysis 182
Business interruptions 182
Key aspects from the CISM exam's perspective 183
Questions 184
Asset valuation 194
Determining the criticality of assets 194
Key aspects from the CISM exam's perspective 194
Questions 195
Operational risk management 200
Recovery time objective (RTO) 200
Recovery Point Objective (RPO) 200
Difference between RTO and RPO 200
Service delivery objective (SDO) 202
Maximum tolerable outage (MTO) 203
Allowable interruption window (AIW) 203
Questions 203
Outsourcing and third-party service providers 203
Evaluation criteria for outsourcing 204
Steps for outsourcing 205
Outsourcing – risk reduction options 205
Provisions for outsourcing contracts 206
The