ESSENTIAL CISM Exam Guide, Updated for the 15th Edition Review Manual, by Phil Martin

Copyright © 2018. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN 978-1-98068-442-8

Contents
CONTENTS
FIGURES
TABLES
ABOUT THE EXAM
HOW TO USE THIS BOOK
SECTION 1: THE BASICS
CHAPTER 1: SECURITY CONCEPTS
CHAPTER 2: GOVERNANCE, GOALS, STRATEGIES, POLICIES, STANDARDS AND PROCEDURES
CHAPTER 3: STRATEGY
CHAPTER 4: RISK APPETITE, TOLERANCE AND CAPACITY
CHAPTER 5: ANALYSIS OF RISK
CHAPTER 6: CONTROLLING THREATS AND RISK
CHAPTER 7: CONTROLS AND COUNTERMEASURES
CHAPTER 8: ALE, RTO, RPO, SDO, MTO, MTD AND AIW
CHAPTER 9: BCP, DRP AND BIA
CHAPTER 10: BUSINESS CONTINUITY AND DISASTER RECOVERY
CHAPTER 11: TESTING INCIDENT RESPONSE, BUSINESS CONTINUITY PLANS AND DISASTER RECOVERY PLANS
CHAPTER 12: ROLES, RESPONSIBILITIES, RACI AND SKILLS
CHAPTER 13: DUE DILIGENCE AND DUE CARE
CHAPTER 14: SECURITY PRINCIPLES
CHAPTER 15: KGIS, KPIS, KRIS AND CSFS
CHAPTER 16: TECHNOLOGIES
CHAPTER 17: STANDARDS AND FRAMEWORKS
CHAPTER 18: CULTURE
CHAPTER 19: METRICS
CHAPTER 20: CURRENT STATE, DESIRED STATE AND THE GAP IN-BETWEEN
CHAPTER 21: INFORMATION SECURITY INFRASTRUCTURE AND ARCHITECTURE
CHAPTER 22: CLOUD COMPUTING
CHAPTER 23: METRICS DEVELOPMENT
CHAPTER 24: BUSINESS MODEL FOR INFORMATION SECURITY (BMIS)
SECTION 2: THE FOUR DOMAINS
CHAPTER 25: INFORMATION SECURITY GOVERNANCE – OVERVIEW
CHAPTER 26: INFORMATION SECURITY GOVERNANCE – THE GOAL
CHAPTER 27: INFORMATION SECURITY GOVERNANCE – THE STRATEGY
CHAPTER 28: INFORMATION SECURITY GOVERNANCE – WHO DOES WHAT
CHAPTER 29: INFORMATION SECURITY GOVERNANCE – RESOURCES THAT HELP
CHAPTER 30: INFORMATION SECURITY GOVERNANCE – CONSTRAINTS THAT HURT
CHAPTER 31: INFORMATION SECURITY GOVERNANCE – THE ACTION PLAN
CHAPTER 32: INFORMATION SECURITY GOVERNANCE – METRICS AND MONITORING
CHAPTER 33: INFORMATION SECURITY GOVERNANCE – WHAT SUCCESS LOOKS LIKE
CHAPTER 34: INFORMATION RISK MANAGEMENT – OVERVIEW
CHAPTER 35: INFORMATION RISK MANAGEMENT – THE GOAL
CHAPTER 36: INFORMATION RISK MANAGEMENT – THE STRATEGY
CHAPTER 37: INFORMATION RISK MANAGEMENT – WHO DOES WHAT
CHAPTER 38: INFORMATION RISK MANAGEMENT – RESOURCES THAT HELP
CHAPTER 39: INFORMATION RISK MANAGEMENT – CONSTRAINTS THAT HURT
CHAPTER 40: INFORMATION RISK MANAGEMENT – THE ACTION PLAN
CHAPTER 42: INFORMATION RISK MANAGEMENT – WHAT SUCCESS LOOKS LIKE
CHAPTER 43: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – OVERVIEW
CHAPTER 44: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – THE GOAL
CHAPTER 45: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – THE STRATEGY
CHAPTER 46: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – WHO DOES WHAT
CHAPTER 47: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – RESOURCES THAT HELP
CHAPTER 48: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – CONSTRAINTS THAT HURT
CHAPTER 49: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – THE ACTION PLAN
CHAPTER 50: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – METRICS AND MONITORING
CHAPTER 51: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT – WHAT SUCCESS LOOKS LIKE
CHAPTER 52: INFORMATION SECURITY INCIDENT MANAGEMENT – OVERVIEW
CHAPTER 53: INFORMATION SECURITY INCIDENT MANAGEMENT – THE GOAL
CHAPTER 54: INFORMATION SECURITY INCIDENT MANAGEMENT – THE STRATEGY
CHAPTER 55: INFORMATION SECURITY INCIDENT MANAGEMENT – WHO DOES WHAT
CHAPTER 56: INFORMATION SECURITY INCIDENT MANAGEMENT – RESOURCES THAT HELP
CHAPTER 57: INFORMATION SECURITY INCIDENT MANAGEMENT – CONSTRAINTS THAT HURT
CHAPTER 58: INFORMATION SECURITY INCIDENT MANAGEMENT – THE ACTION PLAN
CHAPTER 59: INFORMATION SECURITY INCIDENT MANAGEMENT – METRICS AND MONITORING
CHAPTER 60: INFORMATION SECURITY INCIDENT MANAGEMENT – WHAT SUCCESS LOOKS LIKE
ACRONYMS
DEFINITIONS
INDEX

Figures
Figure 1: Goals, Strategies, Policies, Standards, Procedures and Guidelines
Figure 2: Optimizing Risk Costs
Figure 3: Qualitative Impact Matrix
Figure 4: Semiquantitative Matrix
Figure 5: Information Security Relationships
Figure 6: Control Types and Effect
Figure 7: Techniques Implemented in Relation to RTOs and RPOs
Figure 8: COBIT 5 Principles
Figure 9: COBIT 5 Enterprise Enablers
Figure 10: Overview of the Process Assessment Model
Figure 11: TOGAF Architecture Development Cycle
Figure 12: Characteristics of CMMI Maturity Levels
Figure 13: Balanced Scorecard Dimensions
Figure 14: How Cultures are Created
Figure 15: Common Framework Layers
Figure 16: Enterprise Architecture Domains
Figure 17: Classic Architecture vs. Cloud Computing
Figure 18: Cloud Computing Deployment Models
Figure 19: 'as a Service' Offerings
Figure 20: Cloud Computing Risk Map
Figure 21: Business Model for Information Security
Figure 22: Governance Relationships
Figure 23: Information Security Strategy Development Participants
Figure 24: Prevalent Standards and Frameworks
Figure 25: Relationship of Governance Elements
Figure 26: Components of Security Metrics
Figure 27: The IT Risk Management Life Cycle
Figure 28: Top Layer of Business Risk Structure
Figure 29: Critical Function Layer of Business Risk Structure
Figure 30: Aligning Assets to the Critical Layer Function
Figure 31: Asset Vulnerabilities
Figure 32: Combined Impact Risk Structure
Figure 33: Risk Analysis Framework
Figure 34: Factor Analysis of Information Risk (FAIR)
Figure 35: Risk Scenario Structure
Figure 36: PDCA Methodology
Figure 37: Strategic Goals, CSFs, KPIs and Key Actions
Figure 38: Disconnect of Responsibilities with Outsourced Providers
Figure 39: Continuous Risk Management Steps
Figure 40: Steps to Information Security Program Development
Figure 41: Incident Response Plan Process Flow
Figure 42: Incident Management Life Cycle Phases

Tables
Table 1: Basic Recovery Tests and Categories
Table 2: A RACI Example
Table 3: Roles and Responsibilities RACI Matrix
Table 4: Security Content and Application
Table 5: Security Incident Roles and Responsibilities

About the Exam
The CISM, or Certified Information Security Manager, certification is one of the most recognized credentials for information security managers and has been awarded to more than 27,000 professionals to date. Beyond passing the exam, CISM certification requires a minimum of five years of experience in information security and a minimum of two years of experience as an information security manager. If you hold a CISA or CISSP certification, or a post-graduate degree in information security or another related field, you may substitute it for two years of work experience. Finally, you will be required to agree to and comply with ISACA's Code of Professional Ethics and the CISM Continuing Education Policy.
The exam costs between $625 and $750; registering as an ISACA member earns a discount. ISACA offers a free 50-question self-assessment exam to test your readiness for the actual exam. You register for the CISM exam on the ISACA website. On test day you must bring a photo ID and the admission ticket provided after you register. The CISM exam is given twice per year, in June and December. The test takes four hours and includes 200 questions in total, giving you just over one minute per question. You are awarded 4 points for each correctly answered question, and a minimum score of 450, or roughly 113 correct questions, is required to pass. Once you pass the test and have the score in hand, you can submit your CISM application to get your certification. This requires proof of five years of work experience, with signed verification from your employers. The first-time pass rate is only 50-60%, so study the material repeatedly and take multiple assessment tests before taking the plunge.
How to Use This Book
If you have tried to read the official CISM Review Manual, then you know what a coma feels like. This book boils its contents down into a concise and easily readable format, purposely avoiding those $100 sentences that take two minutes to decipher.
Some simple rules on text formatting:
Underlined and italicized text: a term you should memorize.
Bold text: a concept you should remember.
Normal text: explanation to help you understand the two above.
Read this part at least once, and revisit it as often as you need. This book is divided into two sections. Section 1 covers basic CISM concepts that appear in more than one domain. Section 2 covers each of the four CISM domains. So, let's start with the basics!
An audio version of this print book is available on audible.com.

Section 1: The Basics
Before we go into each CISM domain, there are a number of topics we need to cover first. Every subject in this section is referred to repeatedly in more than one domain. Instead of adding a sidebar each time to explain what is going on, you are going to be put through a 'boot camp' in which each topic is discussed once. Later, when you run across a topic, you will immediately know what is going on.

Chapter 1: Security Concepts
A few security-related concepts keep coming up across all four domains. We cover them here so you are prepared when each one pops up.

Principle of Least Privilege
The principle of least privilege segments resources so that each person is granted access only to the bare minimum they need to do their job, and access is widened only as a specific need arises, never in advance. The downside of this approach is that it requires a well-thought-out plan from the very beginning and requires increased attention to
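To make the least-privilege idea concrete, here is an added example of a deny-by-default authorization check; it is not code from the book. The roles, resource names and the time-boxed elevation helper are all hypothetical. Each role carries only the permissions its job needs, resources are segmented by name so a grant on one says nothing about another, and any access beyond the role is granted explicitly, for a single resource and action, with an expiry so the subject's rights shrink back to the minimum on their own.

```python
"""Least-privilege authorization sketch.

Added example, not from the CISM guide. The roles, resources and the
just-in-time elevation scheme below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple
import time

# A permission is a (resource, action) pair. Resources are segmented by
# name, so a grant on "payroll" does not leak into "users".
Permission = Tuple[str, str]

# Each role carries only what that job needs (hypothetical roles).
ROLES: Dict[str, FrozenSet[Permission]] = {
    # Help desk: read tickets and reset user passwords, nothing else.
    "helpdesk": frozenset({("tickets", "read"), ("users", "reset_password")}),
    # Payroll clerk: read and update payroll, no access to user accounts.
    "payroll": frozenset({("payroll", "read"), ("payroll", "update")}),
}


@dataclass
class Subject:
    name: str
    role: str
    # Just-in-time grants beyond the role: (resource, action) -> expiry (epoch seconds).
    elevated: Dict[Permission, float] = field(default_factory=dict)


def is_allowed(subject: Subject, resource: str, action: str,
               now: Optional[float] = None) -> bool:
    """Deny by default; allow only what the role or an unexpired grant covers.

    An unknown role has no permissions at all, which is the safe failure.
    """
    now = time.time() if now is None else now
    perm = (resource, action)
    if perm in ROLES.get(subject.role, frozenset()):
        return True
    expiry = subject.elevated.get(perm)
    return expiry is not None and now < expiry


def elevate(subject: Subject, resource: str, action: str, seconds: float,
            now: Optional[float] = None) -> float:
    """Grant one extra (resource, action) for a limited time; return the expiry.

    The grant is scoped to a single resource and action, never a blanket "admin".
    """
    now = time.time() if now is None else now
    expiry = now + seconds
    subject.elevated[(resource, action)] = expiry
    return expiry


def prune_expired(subject: Subject, now: Optional[float] = None) -> int:
    """Drop expired grants so the subject's effective rights fall back to its role."""
    now = time.time() if now is None else now
    stale = [p for p, exp in subject.elevated.items() if now >= exp]
    for p in stale:
        del subject.elevated[p]
    return len(stale)


if __name__ == "__main__":
    alice = Subject("alice", "helpdesk")
    t0 = 1000.0  # fixed clock so the demo is reproducible
    print(is_allowed(alice, "tickets", "read", now=t0))          # True: in role
    print(is_allowed(alice, "payroll", "read", now=t0))          # False: outside role
    elevate(alice, "payroll", "read", seconds=60, now=t0)        # time-boxed exception
    print(is_allowed(alice, "payroll", "read", now=t0 + 30))     # True: inside window
    print(is_allowed(alice, "payroll", "update", now=t0 + 30))   # False: grant is per action
    print(is_allowed(alice, "payroll", "read", now=t0 + 90))     # False: expired
    print(prune_expired(alice, now=t0 + 90))                     # 1: stale grant removed
```

The point of `elevate` returning to baseline automatically is the "increase access as needed" half of the principle: the exception is explicit, narrow and temporary, so the plan you drew up at the start stays the actual state of the system rather than eroding one permanent grant at a time.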