CISM Certified Information Security Manager Study Guide - Mike Chapple - E-Book

Mike Chapple

Description

Sharpen your information security skills and grab an invaluable new credential with this unbeatable study guide.

As cybersecurity becomes an increasingly mission-critical issue, more and more employers and professionals are turning to ISACA's trusted and recognized Certified Information Security Manager qualification as a tried-and-true indicator of information security management expertise. In Wiley's Certified Information Security Manager (CISM) Study Guide, you'll get the information you need to succeed on the demanding CISM exam. You'll also develop the IT security skills and confidence you need to prove yourself where it really counts: on the job.

Chapters are organized intuitively and by exam objective so you can easily keep track of what you've covered and what you still need to study. You'll also get access to a pre-assessment, so you can find out where you stand before you take your studies further. Sharpen your skills with Exam Essentials and chapter review questions with detailed explanations in all four of the CISM exam domains: Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management.

In this essential resource, you'll also:

* Grab a head start to an in-demand certification used across the information security industry
* Expand your career opportunities to include rewarding and challenging new roles only accessible to those with a CISM credential
* Access the Sybex online learning center, with chapter review questions, full-length practice exams, hundreds of electronic flashcards, and a glossary of key terms

Perfect for anyone prepping for the challenging CISM exam or looking for a new role in the information security field, the Certified Information Security Manager (CISM) Study Guide is an indispensable resource that will put you on the fast track to success on the test and in your next job.


Page count: 716

Year of publication: 2022




Table of Contents

Cover

Title Page

Copyright

Dedication

Acknowledgments

About the Author

About the Technical Editor

Introduction

The CISM Exam

CISM Exam Objectives

CISM Certification Exam Objective Map

Assessment Test

Answers to Assessment Test

Chapter 1: Today's Information Security Manager

Information Security Objectives

Role of the Information Security Manager

Information Security Risks

Building an Information Security Strategy

Implementing Security Controls

Data Protection

Summary

Exam Essentials

Review Questions

Chapter 2: Information Security Governance and Compliance

Governance

Understanding Policy Documents

Complying with Laws and Regulations

Adopting Standard Frameworks

Security Control Verification and Quality Control

Summary

Exam Essentials

Review Questions

Chapter 3: Information Risk Management

Analyzing Risk

Risk Treatment and Response

Risk Analysis

Disaster Recovery Planning

Privacy

Summary

Exam Essentials

Review Questions

Chapter 4: Cybersecurity Threats

Exploring Cybersecurity Threats

Threat Data and Intelligence

Summary

Exam Essentials

Review Questions

Chapter 5: Information Security Program Development and Management

Information Security Programs

Security Awareness and Training

Managing the Information Security Team

Managing the Security Budget

Integrating Security with Other Business Functions

Summary

Exam Essentials

Review Questions

Chapter 6: Security Assessment and Testing

Vulnerability Management

Security Vulnerabilities

Penetration Testing

Training and Exercises

Summary

Exam Essentials

Review Questions

Chapter 7: Cybersecurity Technology

Endpoint Security

Network Security

Cloud Computing Security

Cryptography

Code Security

Identity and Access Management

Summary

Exam Essentials

Review Questions

Chapter 8: Incident Response

Security Incidents

Phases of Incident Response

Building the Incident Response Plan

Creating an Incident Response Team

Coordination and Information Sharing

Classifying Incidents

Conducting Investigations

Plan Training, Testing, and Evaluation

Summary

Exam Essentials

Review Questions

Chapter 9: Business Continuity and Disaster Recovery

Planning for Business Continuity

Project Scope and Planning

Business Impact Analysis

Continuity Planning

Plan Approval and Implementation

The Nature of Disaster

System Resilience, High Availability, and Fault Tolerance

Recovery Strategy

Recovery Plan Development

Training, Awareness, and Documentation

Testing and Maintenance

Summary

Exam Essentials

Review Questions

Appendix: Answers to the Review Questions

Chapter 1: Today's Information Security Manager

Chapter 2: Information Security Governance and Compliance

Chapter 3: Information Risk Management

Chapter 4: Cybersecurity Threats

Chapter 5: Information Security Program Development and Management

Chapter 6: Security Assessment and Testing

Chapter 7: Cybersecurity Technology

Chapter 8: Incident Response

Chapter 9: Business Continuity and Disaster Recovery

Index

End User License Agreement

List of Tables

Chapter 2

TABLE 2.1 NIST Cybersecurity Framework implementation tiers

Chapter 8

TABLE 8.1 NIST functional impact categories

TABLE 8.2 Economic impact categories

TABLE 8.3 NIST recoverability effort categories

TABLE 8.4 NIST information impact categories

TABLE 8.5 Private organization information impact categories

List of Illustrations

Chapter 1

FIGURE 1.1 The three key objectives of cybersecurity programs are confidenti...

FIGURE 1.2 Information security managers must be both security experts and b...

FIGURE 1.3 Typical cybersecurity organizational structure

FIGURE 1.4 RACI matrix for information security

FIGURE 1.5 The three key threats to cybersecurity programs are disclosure, a...

FIGURE 1.6 Cybersecurity SWOT analysis example

FIGURE 1.7 CMMI levels

FIGURE 1.8 Communicating the security strategy

Chapter 2

FIGURE 2.1 Typical corporate governance model

FIGURE 2.2 Excerpt from CMS roles and responsibilities chart

FIGURE 2.3 Excerpt from UC Berkeley Minimum Security Standards for Electroni...

FIGURE 2.4 NIST Cybersecurity Framework Core Structure

FIGURE 2.5 Asset Management Cybersecurity Framework

FIGURE 2.6 NIST Risk Management Framework

FIGURE 2.7 Windows Server 2019 security benchmark excerpt

Chapter 3

FIGURE 3.1 Risk exists at the intersection of a threat and a corresponding v...

FIGURE 3.2 Qualitative risk assessments use subjective rating scales to eval...

FIGURE 3.3 (a) STOP tag attached to a device. (b) Residue remaining on devic...

FIGURE 3.4 Risk register excerpt

FIGURE 3.5 Risk matrix

FIGURE 3.6 Cover sheets used to identify classified U.S. government informat...

Chapter 4

FIGURE 4.1 Logo of the hacktivist group Anonymous

FIGURE 4.2 Dark web market

FIGURE 4.3 Recent alert listing from the CISA website

FIGURE 4.4 FireEye Cybersecurity Threat Map

Chapter 5

FIGURE 5.1 Security awareness poster

FIGURE 5.2 Relationship between calendar years and fiscal years

Chapter 6

FIGURE 6.1 Qualys asset map

FIGURE 6.2 Configuring a Nessus scan

FIGURE 6.3 Sample Nessus scan report

FIGURE 6.4 Nessus scan templates

FIGURE 6.5 Disabling unused plug-ins

FIGURE 6.6 Configuring credentialed scanning

FIGURE 6.7 Choosing a scan appliance

FIGURE 6.8 Nessus vulnerability in the NIST National Vulnerability Database...

FIGURE 6.9 Nessus Automatic Updates

FIGURE 6.10 Nikto web application scanner

FIGURE 6.11 Arachni web application scanner

FIGURE 6.12 Nessus vulnerability scan report

FIGURE 6.13 Missing patch vulnerability

FIGURE 6.14 Unsupported operating system vulnerability

FIGURE 6.15 Debug mode vulnerability

FIGURE 6.16 FTP cleartext authentication vulnerability

FIGURE 6.17 Insecure SSL cipher vulnerability

Chapter 7

FIGURE 7.1 Network firewalls divide networks into three zones.

FIGURE 7.2 (a) Vertical scaling vs. (b) Horizontal scaling

FIGURE 7.3 Thin clients, such as this Samsung Google Chromebook, are suffici...

FIGURE 7.4 AWS Lambda function as a service environment

FIGURE 7.5 HathiTrust is an example of community cloud computing.

FIGURE 7.6 AWS Outposts offer hybrid cloud capability.

FIGURE 7.7 Shared responsibility model for cloud computing

FIGURE 7.8 Cloud Reference Architecture

FIGURE 7.9 Cloud Controls Matrix excerpt

FIGURE 7.10 Limiting the data center regions used for a Zoom meeting

FIGURE 7.11 Challenge-response authentication protocol

FIGURE 7.12 Symmetric key cryptography

FIGURE 7.13 Asymmetric key cryptography

FIGURE 7.14 High-level SDLC view

FIGURE 7.15 The Waterfall SDLC model

FIGURE 7.16 The Spiral SDLC model

FIGURE 7.17 Agile sprints

FIGURE 7.18 The CI/CD pipeline

FIGURE 7.19 Fagan code review

FIGURE 7.20 Biometric authentication with a (a) retinal scanner (b) fingerpr...

FIGURE 7.21 Authentication token

FIGURE 7.22 False acceptance rate (FAR), false rejection rate (FRR), and cro...

Chapter 8

FIGURE 8.1 Incident response process

FIGURE 8.2 Proactive network segmentation

FIGURE 8.3 Network segmentation for incident response

FIGURE 8.4 Network isolation for incident response

FIGURE 8.5 Network removal for incident response

FIGURE 8.6 Patching priorities

FIGURE 8.7 Sanitization and disposition decision flow

FIGURE 8.8 Incident response checklist

Chapter 9

FIGURE 9.1 U.S. earthquake risk map

FIGURE 9.2 Flood hazard map for Miami–Dade County, Florida

FIGURE 9.3 Failover cluster with network load balancing


CISM® Certified Information Security Manager Study Guide

Mike Chapple, PhD, CISM

Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

ISBN: 978-1-119-80193-1
ISBN: 978-1-119-80204-4 (ebk.)
ISBN: 978-1-119-80194-8 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021948030

Trademarks: WILEY, the Wiley logo, Sybex and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISM is a trademark or registered trademark of Information Systems Audit and Control Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover image: ©Jeremy Woodhouse/Getty Images

Cover design: Wiley

To my wife, Renee. We are 22 years into this adventure together and every moment is better than the last. Here's to what's next!

—Mike

Acknowledgments

Books like this involve work from many people, and as an author, I truly appreciate the hard work and dedication that the team at Wiley shows. I would especially like to thank my acquisitions editor, Jim Minatel. I've worked with Jim for too many years to count and it's always an absolute pleasure working with a true industry pro.

I also greatly appreciated the editing and production team for the book, including David Clark, the project editor, who brought years of experience and great talent to the project; Ben Malisow, the technical editor, who provided insightful advice and gave wonderful feedback throughout the book; and Barath Kumar Rajasekaran, the production editor, who guided me through layouts, formatting, and final cleanup to produce a great book. I would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

Victoria Mastagh, my production assistant at CertMike.com, was instrumental in preparing the glossary, and Matthew Howard, my research assistant at Notre Dame, played a crucial role in pulling together the class slides that accompany the book for instructors.

My agent, Carole Jelen of Waterside Productions, continues to provide me with wonderful opportunities, advice, and assistance throughout my writing career.

Finally, I would like to thank my family, who supported me through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Author

Mike Chapple, Ph.D., CISM, is the author of over 30 books, including the best-selling CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (Sybex, 2021) and the CISSP (ISC)² Official Practice Tests (Sybex, 2021). He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as Teaching Professor in the IT, Analytics, and Operations department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Mike previously served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active-duty intelligence officer in the U.S. Air Force.

Mike is a technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds the Cybersecurity Analyst+ (CySA+), Security+, Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP) certifications.

Learn more about Mike and his other security certification materials at his website, CertMike.com.

About the Technical Editor

Ben Malisow has worked in the fields of education/training, communication, information technology, security, and/or some combination of these industries, for over 25 years. Prior to his current position, Ben has provided information security consulting services and training to a diverse host of clients, including the Defense Advanced Research Projects Agency (DARPA), the Department of Homeland Security (at TSA), and the FBI. He has also served as an Air Force officer, after graduating from the Air Force Academy.

An experienced trainer, Ben has been an adjunct professor of English at the College of Southern Nevada, a computer teacher for troubled junior/senior high school students in Las Vegas, a senior instructor for the University of Texas - San Antonio, and he has taught computer security certification prep classes for Carnegie-Mellon University's CERT/SEI.

Ben has published widely in many fields. His latest books include Exposed: How Revealing Your Data and Eliminating Privacy Increases Trust and Liberates Humanity (Wiley, 2020), the CCSP (ISC)² Official Study Guide (Sybex, 2020), the CCSP Official (ISC)² Practice Tests (Sybex, 2018), and How to Pass Your INFOSEC Exam from Amazon Direct. Updates to his work and his podcast, “The Sensuous Sounds of INFOSEC,” can be found at securityzed.com. His certification-preparation courses can be found on Udemy.com.

Introduction

If you're preparing to take the Certified Information Security Manager (CISM) exam, you'll undoubtedly want to find as much information as you can about information security and the art of leading and managing security teams. The more information you have at your disposal, the better off you'll be when taking the exam. This study guide was written with that in mind. The goal was to provide enough information to prepare you for the test, but not so much that you'll be overloaded with information that's outside the scope of the exam.

This book presents the material at an intermediate technical level. Experience with and knowledge of security concepts, operating systems, and application systems will help you get a full understanding of the challenges you'll face as a security manager.

I've included review questions at the end of each chapter to give you a taste of what it's like to take the exam. I recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.

If you can answer 90 percent or more of the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you're unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.

Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

The CISM Exam

The CISM exam is designed to be a vendor-neutral certification for cybersecurity managers. ISACA recommends this certification for those who already have technical experience in the information security field and are either already serving in management roles or who want to shift from being an individual contributor into a management role.

The exam covers four major domains:

Information Security Governance

Information Security Risk Management

Information Security Program

Incident Management

These four areas include a range of topics, from enterprise risk management to responding to cybersecurity incidents. They focus heavily on scenario-based learning and the role of the information security manager in various scenarios. There's a lot of information that you'll need to learn, but you'll be well rewarded for possessing this credential. ISACA reports that the average salary of CISM credential holders is over $118,000.

The CISM exam includes only standard multiple-choice questions. Each question has four possible answer choices and only one of those answer choices is the correct answer. When you're taking the test, you'll likely find some questions where you think multiple answers might be correct. In those cases, remember that you're looking for the best possible answer to the question!

The exam costs $575 for ISACA members and $760 for nonmembers. More details about the CISM exam and how to take it can be found at:

www.isaca.org/credentialing/cism

You'll have four hours to take the exam and will be asked to answer 150 questions during that time period. Your exam will be scored on a scale ranging from 200 to 800, with a passing score of 450.

ISACA frequently does what is called item seeding, which is the practice of including unscored questions on exams. It does so to gather psychometric data, which is then used when developing new versions of the exam. Before you take the exam, you will be told that your exam may include these unscored questions. So, if you come across a question that does not appear to map to any of the exam objectives—or for that matter, does not appear to belong in the exam—it is likely a seeded question. You never really know whether or not a question is seeded, however, so always make your best effort to answer every question.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the ISACA website to register. Currently, ISACA offers two options for taking the exam: an in-person exam at a testing center and an at-home exam that you take on your own computer through a remote proctoring service.

In-Person Exams

ISACA partners with PSI Exams testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the PSI Exams website:

https://isacaavailability.psiexams.com

Now that you know where you'd like to take the exam, simply set up a PSI testing account and schedule an exam on their site.

On the day of the test, bring a government-issued identification card or passport that contains your full name (exactly matching the name on your exam registration), your signature, and your photograph. Make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

At-Home Exams

ISACA began offering online exam proctoring in 2020 in response to the coronavirus pandemic. When this book went to press, the at-home testing option was still available and appears likely to continue. Candidates using this approach will take the exam at their home or office and be proctored over a webcam by a remote proctor.

Due to the rapidly changing nature of the at-home testing experience, candidates wishing to pursue this option should check the ISACA website for the latest details. In fact, checking the ISACA website for exam policy changes is a good idea for all test takers.

After the CISM Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Meeting the Experience Requirement

The CISM program is designed to demonstrate that an individual is a qualified information security manager. That requires more than just passing a test—it also requires real hands-on work experience managing cybersecurity teams.

The CISM work experience requirement has two different components:

You must have five years of information security work experience.

You must have at least three years of information security management work experience. That work experience must come from at least three of the four CISM domains.

If you're a current information security manager, you may find it easy to meet these requirements. If you've been in the field for five years and have been a manager for at least three of those years, you're probably good to go because your time as an information security manager also counts toward your general information security experience requirement.

There are some waivers available that can knock one or two years off your experience requirement. All of these waivers apply only to the general information security work experience requirement, not the management requirement.

If you hold any of the following credentials, you qualify for a two-year reduction in the experience requirement:

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Auditor (CISA)

Master of Business Administration (MBA) degree

Master's degree in information security or a related field

One-year experience requirement waivers are available for holders of:

Skill-based or general security certifications (such as the CompTIA Security+ credential)

Bachelor's degree in information security or a related field

One full year of general information systems management experience

One full year of general security management experience

You must have earned all of the experience used toward your requirement within the 10 years preceding your application or within 5 years of the date you pass the exam.

Maintaining Your Certification

Information security is a constantly evolving field with new threats and controls arising regularly. All CISM holders must complete continuing professional education on an annual basis to keep their knowledge current and their skills sharp. The guidelines around continuing professional education are somewhat complicated, but they boil down to two main requirements:

You must complete 120 hours of credit every three years to remain certified.

You must have a minimum of 20 hours of credit every year during that cycle.

You must meet both of these requirements. For example, if you earn 120 credit hours during the first year of your certification cycle, you still must earn 20 additional credits in each of the next two years.

Continuing education requirements follow calendar years, and your clock will begin ticking on January 1 of the year after you earn your certification. You are allowed to begin earning credits immediately after you're certified. They'll just count for the next year.

There are many acceptable ways to earn CPE credits, many of which do not require travel or attending a training seminar. The important requirement is that you generally do not earn CPEs for work that you perform as part of your regular job. CPEs are intended to cover professional development opportunities outside of your day-to-day work. You can earn CPEs in several ways:

Attending conferences

Attending training programs

Attending professional meetings and activities

Taking self-study courses

Participating in vendor marketing presentations

Teaching, lecturing, or presenting

Publishing articles, monographs, or books

Participating in the exam development process

Volunteering with ISACA

Earning other professional credentials

Contributing to the profession

Mentoring

For more information on the activities that qualify for CPE credits, visit this site:

www.isaca.org/credentialing/how-to-earn-cpe

Study Guide Elements

This study guide uses several common elements to help you prepare. These include the following:

Summaries

   The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.

Exam Essentials

   The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by ISACA.

Chapter Review Questions

   A set of questions at the end of each chapter will help you assess your knowledge and whether you are ready to take the exam based on your knowledge of that chapter's topics.

Additional Study Tools

This book comes with some additional study tools to help you prepare for the exam. They include the following.

Go to www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Sybex Test Preparation Software

Sybex's test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of CISM exam objectives using randomized tests.

Audio Reviews

The author of this book recorded files containing the exam essentials for each chapter in a convenient audio form. Use these audio reviews in the car, on the train, when you're out for a run, or whenever you have a few minutes to review what you've learned.

Electronic Flashcards

Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.

Glossary of Terms

Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.

Bonus Practice Exams

In addition to the practice questions for each chapter, this book includes two full 150-question practice exams. We recommend that you use them both to test your preparedness for the certification exam.

Like all exams, the CISM certification from ISACA is updated periodically and may eventually be retired or replaced. At some point after ISACA is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

CISM Exam Objectives

ISACA publishes relative weightings for each of the exam's objectives. The following table lists the four CISM domains and the extent to which they are represented on the exam.

Domain                                    % of Exam
1. Information Security Governance        17%
2. Information Security Risk Management   20%
3. Information Security Program           33%
4. Incident Management                    30%

CISM Certification Exam Objective Map

The CISM exam covers two different types of objectives: topics and supporting tasks. Rather than studying these objectives in the order in which ISACA lists them, I recommend that you learn them in the order they are presented in this book. In my 25 years of experience teaching information security topics, I've found that approaching them in a more logical order will better prepare you for the exam.

If you're looking for where I've covered a specific objective in the book, use the following two tables to find the appropriate chapter.

Topic Mapping

Topic (with the chapter(s) where it is covered)

Domain 1: Information Security Governance
A. Enterprise Governance (Chapters 1, 2)
1A1. Organizational Culture (Chapter 1)
1A2. Legal, Regulatory, and Contractual Requirements (Chapter 2)
1A3. Organizational Structures, Roles, and Responsibilities (Chapter 1)
B. Information Security Strategy (Chapters 1, 2)
1B1. Information Security Strategy Development (Chapter 1)
1B2. Information Governance Frameworks and Standards (Chapter 2)
1B3. Strategic Planning (e.g., budgets, resources, business case) (Chapter 2)

Domain 2: Information Security Risk Management
A. Information Security Risk Assessment (Chapters 3, 4, 6)
2A1. Emerging Risk and Threat Landscape (Chapter 4)
2A2. Vulnerability and Control Deficiency Analysis (Chapter 6)
2A3. Risk Assessment and Analysis (Chapter 3)
B. Information Security Risk Response (Chapter 3)
2B1. Risk Treatment/Risk Response Options (Chapter 3)
2B2. Risk and Control Ownership (Chapter 3)
2B3. Risk Monitoring and Reporting (Chapter 3)

Domain 3: Information Security Program
A. Information Security Program Development (Chapters 2, 3, 5)
3A1. Information Security Program Resources (e.g., people, tools, technologies) (Chapter 5)
3A2. Information Asset Identification and Classification (Chapter 3)
3A3. Industry Standards and Frameworks for Information Security (Chapter 2)
3A4. Information Security Policies, Procedures, and Guidelines (Chapter 2)
3A5. Information Security Program Metrics (Chapter 5)
B. Information Security Program Management (Chapters 5, 6, 7)
3B1. Information Security Control Design and Selection (Chapter 7)
3B2. Information Security Control Implementation and Integrations (Chapter 7)
3B3. Information Security Control Testing and Evaluation (Chapter 6)
3B4. Information Security Awareness and Training (Chapter 5)
3B5. Management of External Services (e.g., providers, suppliers, third parties, fourth parties) (Chapter 5)
3B6. Information Security Program Communications and Reporting (Chapter 5)

Domain 4: Incident Management
A. Incident Management Readiness (Chapters 8, 9)
4A1. Incident Response Plan (Chapter 8)
4A2. Business Impact Analysis (BIA) (Chapter 9)
4A3. Business Continuity Plan (BCP) (Chapter 9)
4A4. Disaster Recovery Plan (DRP) (Chapter 9)
4A5. Incident Classification/Categorization (Chapter 8)
4A6. Incident Management Training, Testing, and Evaluation (Chapter 8)
B. Incident Management Operations (Chapter 8)
4B1. Incident Management Tools and Techniques (Chapter 8)
4B2. Incident Investigation and Evaluation (Chapter 8)
4B3. Incident Containment Methods (Chapter 8)
4B4. Incident Response Communications (e.g., reporting, notification, escalation) (Chapter 8)
4B5. Incident Eradication and Recovery (Chapter 8)
4B6. Post-incident Review Practices (Chapter 8)

Supporting Task Mapping

Supporting Task (with the chapter(s) where it is covered)

1. Identify internal and external influences to the organization that impact the information security strategy. (Chapters 1, 4)
2. Establish and/or maintain an information security strategy in alignment with organizational goals and objectives. (Chapter 1)
3. Establish and/or maintain an information security governance framework. (Chapter 2)
4. Integrate information security governance into corporate governance. (Chapter 2)
5. Establish and maintain information security policies to guide the development of standards, procedures, and guidelines. (Chapter 2)
6. Develop business cases to support investments in information security. (Chapter 2)
7. Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy. (Chapter 1)
8. Define, communicate, and monitor information security responsibilities throughout the organization and lines of authority. (Chapter 1)
9. Compile and present reports to key stakeholders on the activities, trends, and overall effectiveness of the information security program. (Chapter 5)
10. Evaluate and report information security metrics to key stakeholders. (Chapter 5)
11. Establish and/or maintain the information security program in alignment with the information security strategy. (Chapter 5)
12. Align the information security program with the operational objectives of other business functions. (Chapter 5)
13. Establish and maintain information security processes and resources to execute the information security program. (Chapter 5)
14. Establish, communicate, and maintain organizational information security policies, standards, guidelines, procedures, and other documentation. (Chapter 2)
15. Establish, promote, and maintain a program for information security awareness and training. (Chapter 5)
16. Integrate information security requirements into organizational processes to maintain the organization's security strategy. (Chapter 5)
17. Integrate information security requirements into contracts and activities of external parties. (Chapter 5)
18. Monitor external parties' adherence to established security requirements. (Chapter 5)
19. Define and monitor management and operational metrics for the information security program. (Chapter 5)
20. Establish and/or maintain a process for information asset identification and classification. (Chapter 3)
21. Identify legal, regulatory, organizational, and other applicable compliance requirements. (Chapter 2)
22. Participate in and/or oversee the risk identification, risk assessment, and risk treatment process. (Chapter 3)
23. Participate in and/or oversee the vulnerability assessment and threat analysis process. (Chapters 4, 6)
24. Identify, recommend, or implement appropriate risk treatment and response options to manage risk to acceptable levels based on organizational risk appetite. (Chapter 3)
25. Determine whether information security controls are appropriate and effectively manage risk to an acceptable level. (Chapters 3, 7)
26. Facilitate the integration of information risk management into business and IT processes. (Chapter 3)
27. Monitor for internal and external factors that may require reassessment of risk. (Chapter 3)
28. Report on information security risk, including noncompliance and changes in information risk, to key stakeholders to facilitate the risk management decision-making process. (Chapter 3)
29. Establish and maintain an incident response plan, in alignment with the business continuity plan and disaster recovery plan. (Chapter 8)
30. Establish and maintain an information security incident classification and categorization process. (Chapter 8)
31. Develop and implement processes to ensure the timely identification of information security incidents. (Chapter 8)
32. Establish and maintain processes to investigate and document information security incidents in accordance with legal and regulatory requirements. (Chapter 8)
33. Establish and maintain incident handling process, including containment, notification, escalation, eradication, and recovery. (Chapter 8)
34. Organize, train, equip, and assign responsibilities to incident response teams. (Chapter 8)
35. Establish and maintain incident communication plans and processes for internal and external parties. (Chapter 8)
36. Evaluate incident management plans through testing and review, including table-top exercises, checklist review, and simulation testing at planned intervals. (Chapter 8)
37. Conduct post-incident reviews to facilitate continuous improvement, including root-cause analysis, lessons learned, corrective actions, and reassessment of risk. (Chapter 8)

Assessment Test

1. Seth's organization recently experienced a security incident where an attacker was able to place offensive content on the homepage of his organization's website. Seth would like to implement a series of security controls to prevent this type of attack from occurring in the future. What goal of information security is Seth most directly addressing?

A. Integrity
B. Availability
C. Nonrepudiation
D. Confidentiality

2. Kevin is conducting a SWOT analysis for his organization's cybersecurity program. He is especially proud of the talented and diverse team that exists within his organization. Where would he place this quality on the SWOT matrix?

A. Upper-left quadrant
B. Upper-right quadrant
C. Lower-left quadrant
D. Lower-right quadrant

3. Jen is building out a series of controls for her organization's information security program and is categorizing those controls by type. She is updating the organization's firewall to include next-generation capabilities. What type of control is she working on?

A. Detective
B. Preventive
C. Compensating
D. Deterrent

4. Belinda recently assumed the CISO role at a publicly traded company. She is sorting through the corporate governance model and identifying the roles that different people and groups play in the organization. Which one of the following roles has ultimate authority for the corporation?

A. CEO
B. CIO
C. Board
D. Board chair

5. Brandon leads the information security team for a large organization and is working with the software development team to provide them with application security testing services. He would like to document the roles and responsibilities of the two teams in a written agreement with the leader of the development team. What type of agreement would be most appropriate?

A. MOU
B. SLA
C. BPA
D. MSA

6. Monica is conducting a quantitative risk assessment of the risk that a fire poses to her organization's primary operating facility. She believes that a serious fire would destroy 50 percent of the facility, causing $10 million in damage. She expects that a fire of this nature would only occur once every 50 years, on average. What is the AV in this scenario?

A. $200,000
B. $5 million
C. $10 million
D. $20 million

7. After assessing the risk of fire, Monica decides to install new sprinkler systems throughout the facility to reduce the likelihood of a serious fire. What type of risk treatment action is she taking?

A. Risk avoidance
B. Risk acceptance
C. Risk transference
D. Risk mitigation

8. Victor is a security consultant who was recently hired to perform a penetration test of an organization. He is not an employee but an independent contractor. He is reporting his findings directly to the CIO, and the security team is not aware of the work he is doing. What term best describes Victor's work?

A. White hat
B. Gray hat
C. Black hat
D. Red hat

9. Peihua is working on the organizing documents for her organization's cybersecurity program. Her document will outline the parameters under which the organization will function. What type of document is she creating?

A. Charter
B. Scope statement
C. Business purpose statement
D. Statement of authority

10. Fred is helping his boss develop a set of metrics for the organization's security program. After consulting the ITIL framework used by his organization, he decides to track the number of major security incidents that occur each year. What type of metric is this?

A. KGI
B. KPI
C. KSI
D. KRI

11. Tim recently entered into an agreement with a service provider to perform weekly vulnerability scanning of his organization. The contract will last for three years. What type of expense best describes this purchase?

A. Budgeted expense
B. Nonbudgeted expense
C. Capital expense
D. Operational expense

12. Carl is conducting a review of his system's security. He is assuming that an attacker has already compromised the system and searching for signs of that compromise. What term best describes this work?

A. Penetration testing
B. Security assessment
C. Threat hunting
D. Black-box testing

13. Lisa's team is participating in a security exercise. They are testing the security of systems and attempting to break into systems controlled by others in the organization. What type of team is Lisa leading?

A. Blue team
B. White team
C. Purple team
D. Red team

14. Cindy is concerned that users in her organization might take sensitive data and email it to their personal email accounts for access after they leave the organization. Which one of the following security technologies would best protect against this risk?

A. Firewall
B. IPS
C. DLP
D. Configuration management

15. Andrea is placing a new server onto her organization's network. The server is a web server that will be accessible only by internal employees. What network zone would be the most appropriate location for this server?

A. Internet
B. Intranet
C. Extranet
D. DMZ

16. Matthew is responsible for managing the cloud infrastructure supporting his organization's website. As demand for the site increases, Matthew would like to scale the infrastructure's computing capability. Which one of the following is an example of horizontal scaling?

A. Adding memory and processing power to the server
B. Adding additional network bandwidth
C. Adding additional servers
D. Adding new load balancers

17. Danielle is revising her organization's cybersecurity incident response plan and would like a consistent scale for rating the severity of an incident. What organization produces a widely used severity rating scale?

A. NIST
B. FBI
C. NSA
D. CIA

18. Ricky is collecting evidence as part of an investigation that his organization believes will lead to a civil lawsuit against one of their suppliers. What is the standard of evidence that would normally be applied in this type of lawsuit?

A. Beyond a reasonable doubt
B. Beyond the shadow of doubt
C. Preponderance of the evidence
D. Absolute proof

19. Wally is assessing the controls used to protect his organization against the risk of data loss. Which one of the following controls would be the best defense against the accidental deletion of data by an authorized user?

A. RAID 1
B. RAID 5
C. Backups
D. Access controls

20. Melissa is preparing to test her organization's disaster recovery plan. During the test, she will activate the organization's backup processing facility and use it to process data as a test, but normal operations will continue in the primary facility. What type of test is she running?

A. Parallel test
B. Full interruption test
C. Simulation test
D. Structured walk-through

Answers to Assessment Test

1. A. The three main goals of information security are confidentiality, integrity, and availability, so we can eliminate nonrepudiation right away. There is also no indication that there was any disclosure of sensitive information, so we can also eliminate confidentiality. We could consider this an availability breach if the attacker made legitimate information unavailable, but integrity is a better answer here because the attacker definitely altered the content of the website without authorization. You'll find a thorough discussion of the goals of an information security program in Chapter 1.

2. A. This is an example of a strength. It is an internal force that is positive. Therefore, it would be placed in the upper-left quadrant. The upper-right quadrant is for internal negative forces or weaknesses. The lower-left quadrant is for external positive forces or opportunities. The lower-right quadrant is for external negative forces or threats. You'll find more information about SWOT analyses in Chapter 1.

3. B. Firewalls are best described as preventive controls because their purpose is to block an attack from succeeding. Detective controls seek to identify attacks that are taking place and, though a firewall can detect some attacks, this is not the primary purpose of the device. Firewalls may also serve as compensating controls in a regulatory environment, but there is no indication in this question that the firewall is being used as a compensating control. Firewalls are not normally visible to an attacker until after they have attempted an attack, so they cannot serve as deterrent controls. You'll find a discussion of control categories and types in Chapter 1.

4. C. The board of directors, acting as a group, has ultimate authority over the organization. They are elected by the shareholders who own the company and serve as the owners' representatives. They delegate much of their authority to the Chief Executive Officer (CEO) but retain ultimate control. You'll learn more about corporate governance models in Chapter 2.

5. A. In this case, Brandon needs an agreement with another internal organization. These types of agreements most commonly take the form of memoranda of understanding (MOU). More formal master service agreements (MSAs) and service level agreements (SLAs) are normally used with external service providers. Business partnership agreements (BPAs) are used when two organizations are entering into a joint effort. You'll learn more about different agreement types in Chapter 2.

6. D. The asset value (AV) is the total value of the asset being analyzed. In this case, we know that the facility would be 50 percent destroyed by a fire and that the damage caused by the fire would be valued at $10 million. We can then work backward to determine that if $10 million is 50 percent of the asset value, then the asset value is $20 million. You'll learn more about quantitative risk assessment in Chapter 3.

7. D. Monica is seeking to reduce the likelihood and/or impact of a risk. Therefore, she is engaging in risk mitigation activity. Risk avoidance involves changing business practices to make a risk irrelevant. Risk acceptance involves continuing business activities in the face of a risk. Risk transference involves shifting some of the impact of a risk to a third party, such as an insurance company. You'll learn more about risk treatment options in Chapter 3.
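The quantitative risk calculation behind Monica's fire scenario (the AV question and the sprinkler question above), carried through in code as an added example that is not from the book: it recovers AV from the damage estimate the way the explanation does, applies the standard SLE = AV x EF and ALE = SLE x ARO formulas, and then evaluates the sprinkler mitigation with a cost-benefit check. The sprinklers' annual cost and the reduced fire frequency after installation are constructed assumptions, not figures from the book.

```python
"""Quantitative risk model for the fire scenario (added example, not the book's code).

Formulas used:
    SLE = AV * EF    (single loss expectancy: dollar loss from one event)
    ALE = SLE * ARO  (annualized loss expectancy: expected loss per year)
AV is recovered by working backward from the damage estimate, as the
answer explanation does.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: total value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one event (0..1)
    aro: float              # ARO: expected number of events per year

    def sle(self) -> float:
        """Single loss expectancy for one occurrence of the event."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy, the figure used to justify controls."""
        return self.sle() * self.aro


def asset_value_from_damage(damage: float, exposure_factor: float) -> float:
    """Work backward from an event's damage to the full asset value.

    If $10M of damage corresponds to 50% of the facility, then
    AV = $10M / 0.5 = $20M. EF must be a positive fraction.
    """
    if not 0 < exposure_factor <= 1:
        raise ValueError("exposure factor must be in (0, 1]")
    return damage / exposure_factor


def control_net_benefit(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost-benefit of a mitigating control.

    Standard form: (ALE before) - (ALE after) - (annual cost of the control).
    A positive result means the control reduces expected loss by more than it costs.
    """
    return before.ale() - after.ale() - annual_control_cost


# Scenario values from the assessment question.
FIRE_EF = 0.50              # a serious fire destroys 50% of the facility
FIRE_DAMAGE = 10_000_000    # and causes $10 million in damage
FIRE_ARO = 1 / 50           # once every 50 years, on average


def monica_fire_risk() -> Risk:
    """The fire risk as stated: AV works out to $20M, SLE to $10M, ALE to $200,000."""
    av = asset_value_from_damage(FIRE_DAMAGE, FIRE_EF)
    return Risk(asset_value=av, exposure_factor=FIRE_EF, aro=FIRE_ARO)


def sprinkler_decision(annual_cost: float = 60_000, aro_after: float = 1 / 200) -> dict:
    """Evaluate the sprinkler mitigation.

    Constructed assumptions (not from the book): sprinklers cost $60,000 per
    year and cut the frequency of a serious fire to once every 200 years.
    Sprinklers reduce likelihood, so the model changes ARO and leaves EF alone.
    """
    before = monica_fire_risk()
    after = Risk(asset_value=before.asset_value,
                 exposure_factor=before.exposure_factor,
                 aro=aro_after)
    net = control_net_benefit(before, after, annual_cost)
    return {
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "net_benefit": net,
        "justified": net > 0,
    }


if __name__ == "__main__":
    risk = monica_fire_risk()
    print(f"AV=${risk.asset_value:,.0f}  SLE=${risk.sle():,.0f}  ALE=${risk.ale():,.0f}")
    print(sprinkler_decision())
```

Note that the $200,000 distractor in the AV question is exactly the ALE this model produces, which is why the exam expects you to know which formula each figure comes from.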

8. A. Victor is working as an authorized tester and, therefore, his work is definitely white-hat hacking. It is not relevant whether he is an employee or a contractor or what groups within the organization are aware of his testing. The only relevant factor is that he is performing authorized security testing on behalf of the organization. Gray-hat hackers perform similar work and report their results to the organization but do so without authorization. Black-hat hackers perform testing for malicious purposes. Red-hat hackers are not a common category of attacker. You'll learn more about different attacker types in Chapter 4.

9. A. Peihua is drafting the organization's security program charter. This is the organizing document for the program, and it outlines the parameters under which the program will function. This is a tricky question because the scope statement, business purpose statement, and statement of authority are all common elements of the charter. You'll learn more about the organizing documents for a security program in Chapter 5.

10. B. This metric is directly out of the ITIL framework's nine key performance indicators (KPIs) for a security program. KPIs are metrics that demonstrate the success of the program in achieving its objectives and are a look at historical performance. Key goal indicators (KGIs) are similar but track progress toward a defined goal, and there is no clear goal in this scenario. Key risk indicators (KRIs) look forward at risks that may jeopardize future security. You'll learn more about security metrics in Chapter 5.

11. D. There is no indication in the question of whether this expense is budgeted or nonbudgeted, so we can eliminate those two answer choices. Capital expenses are used to acquire and maintain large assets, whereas operational expenses cover day-to-day business costs. Tim is signing a services agreement and not purchasing an asset, so this agreement would best be classified as an operational expense. You'll learn more about security program budgeting in Chapter 5.

12. C. Carl is conducting a security assessment, but that is not the best answer here because there is a more specific correct answer. The presumption of compromise is the hallmark of threat hunting, a type of security assessment. You'll learn more about threat hunting and other security assessments in Chapter 6.

13. D. During a security exercise, teams like Lisa's who attempt to gain access to systems are classified as the red team. Blue team members are the defenders who secure systems from attack. White team members are observers and judges. Purple team events bring together members of the red and blue teams. You'll learn more about cybersecurity exercises in Chapter 6.

14. C. While it is possible that any security technology could play an indirect role in preventing the unauthorized exfiltration of information, data loss prevention (DLP) technology is specifically designed to protect against this threat, so that is the best possible answer to this question. You'll learn more about DLP and other security technologies in Chapter 7.

15. B. Servers intended for internal use should only be placed on the intranet, where they are accessible only to other internal systems. The DMZ would be an appropriate location for this server if it permitted public access. An extranet would be appropriate if the server was being accessed by business partners. The Internet is generally never a good location for a server. You'll learn more about firewalls and security zones in Chapter 7.

16. C. Any one of these solutions is an example of scaling the environment to meet increased demand. However, the question is specifically asking about computing capability. Adding computing capability requires modifying the servers, so we can eliminate the options about adding network bandwidth or load balancers. We're also asking specifically about horizontal scaling, which is adding additional servers, making that our correct answer. Adding additional memory or processing power to the existing server would be vertical scaling. You'll learn more about different scaling options in Chapter 7.

17. A. The National Institute of Standards and Technology (NIST) produces a widely used rating scale that categorizes security incidents based on the scope of their impact and the types of data involved. You'll learn more about this rating scale in Chapter 8.

18. C. Most civil cases do not follow the beyond-a-reasonable-doubt standard of proof. Instead, they use the weaker preponderance of the evidence standard. Meeting this standard simply requires that the evidence demonstrate that the outcome of the case is more likely than not. For this reason, evidence collection standards for civil investigations are not as rigorous as those used in criminal investigations. You'll learn more about security investigations and evidence standards in Chapter 8.

19. C. Backups allow the organization to recover data that was accidentally deleted. RAID technology is used to protect against the failure of a hard drive and would not protect against the loss of data by user action. Access controls would be effective to prevent an unauthorized user from deleting data but would not stop an authorized user from doing so. You'll learn more about data protection controls in Chapter 9.

20. A. This type of test, where the alternate processing facility is activated but the primary site retains operational control, is known as a parallel test. In a full interruption test, the primary site is shut down and operational control moves to the alternate site. Simulations and structured walk-throughs do not affect normal operations and do not activate the alternate site. You'll learn more about business continuity and disaster recovery programs and testing in Chapter 9.

Chapter 1

Today's Information Security Manager

THE CERTIFIED INFORMATION SECURITY MANAGER (CISM) DOMAINS AND SUBTOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 1: Information Security Governance

A. Enterprise Governance

1A1. Organizational Culture

1A3. Organizational Structures, Roles and Responsibilities

B. Information Security Strategy

1B1. Information Security Strategy Development

THE CERTIFIED INFORMATION SECURITY MANAGER (CISM) SUPPORTING TASKS COVERED IN THIS CHAPTER INCLUDE:

1. Identify internal and external influences to the organization that impact the information security strategy.

2. Establish and/or maintain an information security strategy in alignment with organizational goals and objectives.

7. Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.

8. Define, communicate, and monitor information security responsibilities throughout the organization and lines of authority.

Information security managers are responsible for leading teams of cybersecurity professionals and helping them achieve the goals of the cybersecurity program while aligning those objectives with the needs of the business. This work is crucial to protecting their organizations in today's complex threat landscape. Managers must help their teams protect the confidentiality, integrity, and availability of information and information systems used by their organizations. Fulfilling this responsibility requires a strong understanding of the threat environment facing their organization and a commitment to designing and implementing a set of controls capable of rising to the occasion and answering those threats.

In the first section of this chapter, you will learn about the role that cybersecurity managers play in a modern organization. You will then learn the basic objectives of cybersecurity: confidentiality, integrity, and availability of your operations. In the sections that follow, you will learn about some of the controls that you can put in place to protect your most sensitive data from prying eyes. This chapter sets the stage for the remainder of the book, where you will dive more deeply into many different areas of cybersecurity management.

Information Security Objectives

When most people think of cybersecurity, they imagine hackers trying to break into an organization's system and steal sensitive information, ranging from Social Security numbers and credit cards to top-secret military information. Although protecting sensitive information from unauthorized disclosure is certainly one element of a cybersecurity program, it is important to understand that cybersecurity actually has three complementary objectives, as shown in Figure 1.1.

FIGURE 1.1 The three key objectives of cybersecurity programs are confidentiality, integrity, and availability.

Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Cybersecurity professionals develop and implement security controls, including firewalls, access control lists, and encryption, to prevent unauthorized access to information. Attackers may seek to undermine confidentiality controls to achieve one of their goals: the unauthorized disclosure of sensitive information.

Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Security professionals use integrity controls, such as hashing and integrity monitoring solutions, to enforce this requirement. Integrity threats may come from attackers actively seeking the alteration of information without authorization, or they may result from human error, mechanical failure, or environmental conditions, such as a power spike corrupting information.

Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them. Security professionals use availability controls, such as fault tolerance, clustering, and backups, to ensure that legitimate users gain access as needed. Similar to integrity threats, availability threats may come from attackers actively seeking the disruption of access, or they may come from human error, mechanical failure, or environmental conditions, such as a fire destroying a data center that contains valuable information or services.

Cybersecurity analysts often refer to these three goals, known as the CIA Triad, when performing their work. They often characterize risks, attacks, and security controls as meeting one or more of the three CIA Triad goals when describing them.
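The integrity controls named above, hashing and integrity monitoring, as an added example that is not from the book: a small file integrity monitor records a baseline of SHA-256 hashes for content that must not change without authorization (here a web site's files, the situation in the defacement question of the assessment test) and reports any file that was modified, added, or removed. The file paths and contents are constructed and held in memory so the example runs offline.

```python
"""Hash-based integrity monitor (added example, not the book's code).

Files are modelled as a dict of path -> bytes so the example needs no disk
access; the paths and contents are constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex digest of the content; any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good hash of every monitored file.

    In practice the baseline is taken at deployment time and stored where the
    monitored system cannot rewrite it; otherwise whoever alters the files can
    alter the baseline too.
    """
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline: Dict[str, str],
                    files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the current files against the baseline.

    Returns a sorted list of (path, finding) where finding is 'modified',
    'added', or 'removed'. An empty list means integrity holds.
    """
    findings: List[Tuple[str, str]] = []
    for path, expected in baseline.items():
        if path not in files:
            findings.append((path, "removed"))
        elif sha256_hex(files[path]) != expected:
            findings.append((path, "modified"))
    for path in files:
        if path not in baseline:
            findings.append((path, "added"))
    return sorted(findings)


# Constructed sample web root as approved at deployment time.
KNOWN_GOOD: Dict[str, bytes] = {
    "/var/www/html/index.html": b"<html><body><h1>Welcome</h1></body></html>",
    "/var/www/html/about.html": b"<html><body>About us</body></html>",
    "/var/www/html/logo.png": b"\x89PNG\r\n\x1a\n(constructed placeholder bytes)",
}


def demo() -> List[Tuple[str, str]]:
    """Run the monitor over a constructed 'after' state of the web root.

    The homepage content has changed, one page is missing, and a file that was
    never approved has appeared; the monitor must surface all three.
    """
    baseline = build_baseline(KNOWN_GOOD)
    current = dict(KNOWN_GOOD)
    current["/var/www/html/index.html"] = b"<html><body><h1>Altered</h1></body></html>"
    current["/var/www/html/unapproved.html"] = b"content that is not in the baseline"
    del current["/var/www/html/about.html"]
    return check_integrity(baseline, current)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:8s} {path}")
```

A monitor like this is a detective integrity control; it tells you that content changed, and the investigation then decides whether the change was an authorized release or an incident.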

Role of the Information Security Manager

Information security managers are responsible for safeguarding the confidentiality, integrity, and availability of the information and systems used by their organization. But they must achieve these goals within the context of the organization's day-to-day activities and strategic objectives. The information security manager must wear the two hats shown in Figure 1.2: that of a cybersecurity subject matter expert and that of a business leader engaged with the organization's mission.

FIGURE 1.2 Information security managers must be both security experts and business leaders.

This “dual-hattedness” is perhaps the most significant characteristic distinguishing an information security leader from an information security professional. Information security professionals can narrow much of their focus to cybersecurity matters. Leaders, on the other hand, must keep the organization's mission in focus at the same time and use their expertise to help guide the organization in making decisions that are both sound from a business perspective and reasonable from a risk management perspective.

Depending on the size of an organization, information security management and leadership may be a role shared by several (or many!) different people, a consolidated role held by a single person, or even a partial role filled by someone who also bears other responsibilities within the organization. There is no one-size-fits-all answer to sizing the information security function for an organization—the selection is highly dependent on the nature of the organization's security requirements, the complexity of their operating environment, and the team they have in place.

Chief Information Security Officer