CISM Quick Review Guide - Stephen J. Bigelow


CISM® Certified Information Security Manager® Quick Review Guide

Peter H. Gregory
CISM, CISA, CRISC, CIPM,
CISSP, CCSK, CCISO, PCI-QSA
CISM® Certified Information Security Manager® Quick Review Guide

Table of Contents

Chapter 1: Information Security Governance .......... 4
Governance Activities .......... 4
Roles and Responsibilities .......... 4
Information Security Governance Metrics .......... 5
Governance Frameworks and Tools .......... 6
Security Strategy Development .......... 6
A Final Tip .......... 8

Chapter 2: Information Risk Management .......... 8
Risk Management Concepts .......... 9
Implementing an Information Risk Management Program .......... 9
Risk Management Frameworks .......... 9
Risk Management Context .......... 10
The Risk Management Life Cycle .......... 10
Asset Identification and Valuation .......... 11
Threat Identification .......... 11
Vulnerability Identification .......... 12
Risk Identification .......... 12
Risk Analysis Techniques and Considerations .......... 12
Risk Treatment .......... 13
Operational Risk Management .......... 14
Third-Party Risk Management .......... 15
The Risk Register .......... 15
Integration of Risk Management into Other Processes .......... 16
Risk Monitoring and Reporting .......... 17
Key Risk Indicators .......... 17
Training and Awareness .......... 17
Risk Documentation .......... 18

Chapter 3: Information Security Program Development and Management .......... 18
Information Security Programs .......... 18
Security Program Management .......... 19

Copyright © 2019 McGraw-Hill Education. All rights reserved. 2


Risk Management .......... 20
Audits .......... 20
Policy Development .......... 21
Third-Party Risk Management .......... 21
Administrative Activities .......... 22
Security Program Operations .......... 23
Identity and Access Management .......... 24
Security Awareness Training .......... 24
Managed Security Service Providers .......... 25
Data Security .......... 26
IT Service Management .......... 27
Controls .......... 28
Metrics and Monitoring .......... 29
Continuous Improvement .......... 30

Chapter 4: Information Security Incident Management .......... 30
Security Incident Response .......... 30
Security Incident Response Plan Development .......... 32
Responding to Security Incidents .......... 33
Business Continuity and Disaster Recovery Planning .......... 35


Welcome to the CISM Certified Information Security Manager Certification Quick Review Guide! This guide is an excellent resource to help you study for the CISM certification exam, and after you earn your CISM certification, it will continue to serve you as a handy desk reference. It summarizes all of the important points you need to know to pass the exam and function as an effective security manager. I recommend that you pick up a copy of CISM Certified Information Security Manager All-In-One Exam Guide (be sure to choose the most recent edition), which contains all of the details behind the summaries in CISM Certified Information Security Manager Practice Exams. Best of luck on your CISM exam, and welcome to the world of information security management!

Chapter 1:
Information Security Governance
This topic is all about the practices related to the framework and supporting processes that ensure
that an organization’s information security strategy is aligned with organizational goals and
objectives. I can’t stress enough that one of the most important success factors for any organization’s
information security program is the need for business alignment. In most organizations, business
alignment is achieved through periodic involvement of business leaders in the organization’s
information security program.

Governance Activities
• Governance is a process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring. Often this is achieved via a steering committee that participates in strategic information security–related discussions and decisions.
• For information security governance to be successful, an organization’s IT governance function must also be present and effective in ensuring that IT processes, systems, and staff support key organization business processes.

Roles and Responsibilities
• Information security governance is most effective when everyone in an organization knows what is expected of them. A role is often the same as a job title, but not always. A role is a label that provides some clues for others on the types of activities a person in a role will perform. Responsibilities are specific activities that are assigned to a person in a role.
• Roles and responsibilities are sometimes documented in a RACI (Responsible, Accountable, Consulted, Informed) chart that illustrates which persons have what types of responsibilities within business processes. For instance, in an access request process, there will be people who perform various activities in the process; a RACI chart is a matrix that designates whether each person is Responsible, Accountable, Consulted, or Informed, or serves no role, within each business process.
• Although the details vary from organization to organization, it is important for a security manager to understand the nature of roles and responsibilities of various groups and individuals in an organization, including the board of directors, chief information security officer, chief privacy officer, other executives, and other personnel. A security manager must be especially aware of roles and responsibilities of all personnel within the IT organization, but also many roles outside of IT, especially legal, human resources, finance, and the various business lines that may develop and deliver goods and services to customers or constituents.

Information Security Governance Metrics
• Metrics are the means through which management can measure key processes and other activities in the organization. This helps management understand how well its strategies are working, as well as helping managers understand how effective various business processes are at certain points in time and in trends over long periods of time.
• In an information security program, plenty of operational metrics help security personnel understand how various controls and supporting systems are functioning. Security leaders take key metrics and transform them into key risk indicators (KRIs) so that management can get an idea of how well information security is supporting the organization.
• Many security managers use the SMART method of developing metrics and KRIs. The SMART method means that metrics are Specific, Measurable, Attainable, Relevant, and Timely.
• The subject matter covered through metrics and KRIs includes risk management, performance measurement, convergence, value delivery, and resource management.
• The balanced scorecard (BSC) is a management tool used to measure the performance and effectiveness of an organization.


Governance Frameworks and Tools
• The Business Model for Information Security (BMIS) is a guide for business-aligned, risk-based security governance. The BMIS contains four elements: people, process, technology, and the business. Each element is connected to every other through Dynamic Interconnections (DI), which help security managers and leaders better understand the nature of the interconnections between the elements. For instance, the DI joining People and Technology is called “human factors” and covers the interaction between users and the systems they interact with.
• The Zachman Framework is an enterprise architecture model that is used to define and describe IT systems and environments at high functioning levels and in increasing levels of detail. The Zachman model permits an organization to observe the cross-sections of an IT environment (including security components) that support business processes.
• Data flow diagrams (DFDs) help nontechnical business executives understand an organization’s supporting IT systems and the relationships between them. This includes outsourced systems and cloud-based systems including SaaS, PaaS, and IaaS environments.

Security Strategy Development
• The purpose of a strategy is to develop a roadmap of activities to transform a process from its current state to a desired future state. A strategy should be business aligned; it must enable effective risk management and value delivery, it must use resources efficiently and effectively, and it should be measurable.
• A series of information security strategies will result in the existence of a framework of controls, activities that ensure desired outcomes. Several industry control frameworks exist, including COBIT, ISO/IEC 27001, ISO/IEC 38500, ITIL, HIPAA, NIST SP 800-53, NIST CSF, CIS 20, and PCI-DSS. Many organizations start with one of these and customize it to meet their specific needs.
• A key part of an information security strategy is the achievement of a desired risk level. This risk level is often called risk tolerance or risk appetite. Often described in qualitative terms such as “high,” “medium,” and “low,” risk tolerance is a reflection of—and a guide for—the culture of risk management activities in an organization.
• Development of a successful strategy requires a thorough understanding of the present state. This includes but is not limited to policies, procedures, standards, guidelines, assets, controls, architecture, metrics, and staff, in addition to the results of risk and threat assessments, vulnerability assessments, audits, security incidents, and culture.
• Traditionally used in the field of business continuity planning, a business impact analysis (BIA) can help a security manager better understand the organization’s current state and desired future state through its catalog of business processes that are critical to the organization. The BIA also cites the resources required to sustain each business process.
• When a security manager understands the organization’s current state, he or she can develop one or more strategic objectives, or definitions, of desired future states. Generally, strategic objectives will represent improvements in controls, incident visibility, incident response, reductions in risk or cost, or improvements in business resilience.
• To aid in the development of a roadmap to achieve a strategy, a security manager will often perform a gap assessment to assist in his or her understanding of the differences between the current state and the desired future state. A gap assessment must be thorough and leave no stone unturned.
• To assist in the development of a roadmap, a security manager might also perform SWOT (strengths, weaknesses, opportunities, and threats) analysis. SWOT is introspective by nature and helps the strategist better understand the portion(s) of a security program that is the subject of a strategy.
• Security managers commonly use capability maturity models such as the Capability Maturity Model Integration for Development (CMMI-DEV) to qualitatively measure the maturity of IT and security business processes. Understanding process maturity gives a security manager an additional perspective when studying business processes and identifying improvement opportunities.
• Once a security manager has defined a strategy’s desired end state and has performed a gap analysis (and potentially other analyses such as SWOT and maturity), the roadmap can be developed, which provides a description of the steps required to achieve the desired end state successfully.
• Often, fulfillment of a strategy will require changes in key components such as policies, standards, guidelines, architectures, roles and responsibilities, controls, and procedures. Frequently, some personnel will need to receive training to understand how things are supposed to work. Often, changes to information systems are required, as well as the acquisition of new systems and the replacement of old systems.
• Before a security manager is permitted to execute a strategy, often he or she will be required to build a business case that will be presented to senior management. Typically, a business case contains a problem statement, descriptions of current and desired states, success criteria, requirements, approach, and a high-level plan. To be successful, the business case must be relevant and result in the delivery of value to the organization.
• Management commitment is necessary for the success of a security strategy, as well as for the ongoing effectiveness of a security program. A security manager must be familiar with the organization and be a skilled communicator in order to obtain management commitment.
• Effective communications and reporting are a critical part of a successful and relevant security program. This includes board of directors meetings, governance and steering committee meetings, security awareness, security advisories, security incidents, and metrics.

A Final Tip
• Success is never guaranteed. A security manager must be mindful of the factors that present challenges to the success of a strategy, as well as ongoing operations. These factors include organizational culture, staff capabilities, budgets, legal and regulatory obligations, organizational inertia, and the usual human resistance to change.

Chapter 2:
Information Risk Management
Information risk management is the practice of balancing business opportunity with potential
information security–related losses. Information risk management is largely a qualitative effort, since
it is difficult to know the probability and costs of significant loss events. Still, several methods for
measuring risk have been established that help organizations better understand risks and how they
can be handled. These methods include both qualitative and quantitative techniques that are used to
contribute to business decisions.


Risk Management Concepts
• Risk management is the fundamental undertaking for any organization that desires to be reasonably aware of risks that, if not identified or monitored, could result in unexpected losses and even threaten the survival of the organization.
• The purpose of risk management is to identify credible risks and to provide the means to decide what to do about those risks. Organizations using effective risk management processes experience fewer security incidents; those that occur have lower impact, and the organization is better prepared to deal with them.
• An acceptable level of risk is related to the organization’s risk appetite, its ability to build defenses and absorb losses, and regulatory and legal requirements.

Implementing an Information Risk Management Program
• Many larger organizations, as well as organizations in some industry sectors including financial services, have existing enterprise risk management (ERM) functions. Often, it’s easiest to incorporate information security risk concepts and content into the ERM function as opposed to building similar, yet separate, business processes.
• A risk management program is a business-centric activity. Success depends more on relationships between the security manager and business leaders than it does on technology.
• A risk management program includes elements of risk communication, which enables business leaders to better understand specific information security risks that may require attention and action. Simply put, a security manager must be able to communicate information security risks effectively to management in business terms.
• Risk awareness is the result of effective risk communication.

Risk Management Frameworks
• Several established risk management frameworks exist and can be used as the foundation for an organization’s risk management program.
• Risk management frameworks include ISO/IEC 27001 (“Information technology — Security techniques — Information security management systems — Requirements”), ISO/IEC 27005 (“Information Technology — Security Techniques — Information security risk management”), ISO/IEC 31010 (“Risk management — Risk assessment techniques”), NIST SP 800-37 (“Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”), NIST SP 800-39 (“Managing Information Security Risk”), COBIT 5, RIMS Risk Maturity Model, and FRAP (Facilitate Risk Assessment process).
• Risk management frameworks have several elements in common. Mainly, they include risk objectives and risk policy, statements of risk appetite/tolerance, roles and responsibilities, a risk management life cycle process, documentation and business records, and management review (which may include metrics and KRIs).

Risk Management Context
• A security manager cannot build a risk management program in a vacuum. Instead, it must be business aligned and integrated into existing business processes.
• To be successful, a strategy for implementing (or improving) a risk management program is just as necessary as a strategy for any other information security function. The strategy must include a thorough consideration of the current state and the desired end state, and must include activities such as a gap assessment to understand these states.

The Risk Management Life Cycle
• The risk management life cycle is a cyclical, iterative activity that is used to acquire, analyze, and treat risks.
• Risk treatment refers to a decision that is made about the risk. The possible decisions are mitigate, accept, transfer, and avoid.
• A risk management process is defined by scope (which parts of the business and of IT are included).
• Successful risk management includes established methods for identifying, classifying, and assigning value to assets. This includes intangible assets such as trade secrets, intellectual property, and other information.
• To be consistent during risk treatment, a formal definition of risk appetite/tolerance is needed, so that those persons making risk treatment decisions can be confident in their decision-making.
• The risk management process must be open to many sources for the acquisition of new risks (this activity is called risk identification). If this is defined too narrowly, the organization may be confronted with a risk that it does not properly process because of constraints in policies or procedures.
• Risk analysis is the next step in the risk management life cycle, where a risk manager begins to determine probability of event occurrence; impact of event occurrence; various means for mitigating, transferring, accepting, or avoiding a risk; as well as a recommendation. This is generally written up in a report for an information security steering committee or other decision-making body.
• After analysis, a new risk will be entered into a risk register or risk ledger, a business record where newly identified risks are recorded.
• The information security steering committee will discuss and deliberate the new risk and usually make a risk treatment decision. For difficult risks, there may be some additional discovery or negotiation before a formal, final decision can be made. Often this is because risk treatment may be expensive or may impact the business model in some way.

Asset Identification and Valuation
• Successful risk management requires that the organization identify and assign value to each asset. Asset management is a key activity for other processes such as vulnerability management and incident management; risk management provides another justification for the development and operation of an effective asset management program.
• The types of assets of interest to a risk management program include hardware, software, information (including customers, intellectual property, trade secrets, financials, and employees), cloud-based assets, and virtual assets.
• Assets can be classified in several ways, including value, location, criticality, and sensitivity. Organizations often implement data classification, system classification, and site classification policies.
• Asset valuation is performed in various ways, including qualitative (often using a number range from 1 to 5 or 1 to 10) and quantitative (replacement cost, book value, net present value, redeployment cost, creation or reacquisition cost, or consequential financial cost).

Threat Identification
• Threat identification is a key activity in a risk assessment.
• A threat is defined as an event that, if realized, would bring harm to an asset and, thus, to the organization. A threat is not a weakness in a system—that is a vulnerability.
• Because many organizations outsource parts of their IT function, it is prudent for organizations to identify threats to those third-party service providers.
• Threats are typically classified as external or internal, as intentional or unintentional, and as manmade or natural.
• A risk assessment should contain a reasonably complete list of relevant threats. Good sources for threats are found in ISO/IEC 27005 as well as NIST SP 800-30.

Vulnerability Identification
• Vulnerability identification is a key activity in a risk assessment.
• A vulnerability is any weakness in a system that permits an attack to compromise a target system successfully. A vulnerability is not an attack or technique—that is a threat.
• Because so many organizations outsource many aspects of their IT function, it is necessary for an organization to be able to identify vulnerabilities in third-party service providers.

Risk Identification
• Once the values of specific assets are known, together with vulnerabilities and relevant threats, risks can be identified.
• Risk is generally calculated by one of these formulas:

  Risk = threats × vulnerabilities
  Risk = threats × vulnerabilities × asset value
  Risk = threats × vulnerabilities × probabilities
  Risk = threats × vulnerabilities × asset value × probabilities

Risk Analysis Techniques and Considerations
• Risk analysis and risk identification can also utilize the BIA (business impact analysis) if one is available. This helps the security manager understand the criticality of relevant business processes.
• Risk analysts gather information by interviewing business and security personnel, examining business records, and examining any analysis of incidents or prior risk assessments that may have occurred.
• Qualitative risk analysis is most common: probabilities of occurrence, impact of occurrence, and asset valuation are expressed as Low, Medium, or High. Qualitative risk analysis helps security managers distinguish higher risks from lower risks without having to perform a lot of financial calculations.
• Semiquantitative risk analysis resembles qualitative risk analysis. In semiquantitative risk analysis, scores for probability, impact, and value are expressed in numerical ranges such as 1–3, 1–5, or 1–10.
• Quantitative risk analysis deals in more specific monetary values and event probabilities than do qualitative and semiquantitative risk analyses. Risk analysts who perform quantitative risk analysis often begin with semiquantitative risk analysis and then plug in more precise values where they are known.
• Several risk analysis techniques are available, including OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), Delphi, event tree analysis (ETA), fault tree analysis (FTA), and Monte Carlo analysis.
• It is important to assign a risk to a risk owner. A risk owner is typically a middle- to upper-management leader who controls the business activities that are the subject of the risk analysis. A risk owner will have a say in the risk treatment decision process.

Risk Treatment
• Risk treatment is the decision that is made about a risk that has been identified and analyzed. The four possible risk treatment decisions are accept, mitigate, transfer, and avoid.
• There is almost always some leftover risk, known as residual risk, with any of these options. In some cases, residual risk is large enough to warrant its own risk analysis to determine whether additional risk treatment decisions can be made to bring residual risk down to acceptable levels.
• Organizations generally will develop a scheme whereby higher officials in an organization are required to approve risk treatment decisions for matters of high risk.
• Risk acceptance decisions should not be perpetual; instead, they should expire so that management can re-evaluate them. This is prudent because many aspects of the risk can change, including the nature of threats, protective and detective controls, and asset value.
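The formulas under Risk Identification and the points made in Risk Analysis and Risk Treatment (1 to 5 semiquantitative scales, a named risk owner, escalation of high-risk decisions to more senior approvers, residual risk after treatment, and expiring acceptance decisions) can be combined into a small risk register. The Python below is an added example written for this review; it is not code from the guide, from ISACA, or from any risk tool. The 1 to 5 scales and the formula risk = threats × vulnerabilities × asset value follow the guide, but the approval thresholds, the 365-day acceptance lifetime, the sample entries, and the choice to model mitigation as lowering the vulnerability term are all assumptions.

```python
"""Semiquantitative risk register (constructed example, not the guide's own tool).

Scores each risk on the 1..5 scales the guide describes using one of its formulas,
risk = threat (likelihood) x vulnerability x asset value, then applies an approval
scheme for high-risk matters, a residual-risk check after treatment, and an expiry
on risk acceptance decisions. Thresholds, names, dates and entries are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1..5 semiquantitative scale

# Assumed approval scheme: the higher the inherent score, the more senior the approver.
APPROVAL_TIERS = [(75, "board / executive committee"), (27, "CISO"), (0, "risk owner")]

# Assumed maximum lifetime of an acceptance decision before management must re-evaluate it.
ACCEPTANCE_LIFETIME = timedelta(days=365)

REVIEW_DATE = date(2019, 6, 1)  # constructed date of the register review


@dataclass
class Risk:
    risk_id: str
    description: str
    asset_value: int        # 1..5
    threat_likelihood: int  # 1..5, probability the threat is realized
    vulnerability: int      # 1..5, how exploitable the weakness is
    risk_owner: str         # leader who controls the affected business activity
    treatment: str = "undecided"  # accept | mitigate | transfer | avoid
    control_reduction: int = 0    # vulnerability points removed by a mitigating control
    accepted_on: Optional[date] = None

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the register stays comparable.
        for name in ("asset_value", "threat_likelihood", "vulnerability"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be within 1..5")

    def inherent_score(self) -> int:
        """Risk before any treatment: threat x vulnerability x asset value."""
        return self.threat_likelihood * self.vulnerability * self.asset_value

    def residual_score(self) -> int:
        """Risk left after treatment; mitigation is modelled as lowering the vulnerability term."""
        remaining = max(1, self.vulnerability - self.control_reduction)
        return self.threat_likelihood * remaining * self.asset_value


def required_approver(score: int) -> str:
    """Map an inherent score to the approver the (assumed) escalation scheme requires."""
    for threshold, approver in APPROVAL_TIERS:
        if score >= threshold:
            return approver
    return APPROVAL_TIERS[-1][1]


def acceptance_expired(risk: Risk, today: date) -> bool:
    """True when an 'accept' decision is older than ACCEPTANCE_LIFETIME and must be revisited."""
    if risk.treatment != "accept" or risk.accepted_on is None:
        return False
    return today - risk.accepted_on > ACCEPTANCE_LIFETIME


def expired_acceptances(register: List[Risk], today: date = REVIEW_DATE) -> List[str]:
    """IDs of accepted risks whose acceptance has lapsed and needs management re-evaluation."""
    return [r.risk_id for r in register if acceptance_expired(r, today)]


def rank_register(register: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """Return (id, inherent, residual, approver) rows, highest residual risk first."""
    rows = [(r.risk_id, r.inherent_score(), r.residual_score(),
             required_approver(r.inherent_score())) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def build_sample_register() -> List[Risk]:
    """Constructed sample entries; the systems, owners and dates are invented."""
    return [
        Risk("R-1", "Unpatched customer database reachable from the office LAN",
             asset_value=5, threat_likelihood=4, vulnerability=4,
             risk_owner="VP Customer Operations", treatment="mitigate", control_reduction=2),
        Risk("R-2", "Test server with default credentials on an isolated lab segment",
             asset_value=2, threat_likelihood=3, vulnerability=3,
             risk_owner="Engineering Manager", treatment="accept", accepted_on=date(2018, 1, 15)),
        Risk("R-3", "Payroll SaaS provider with no documented incident notification",
             asset_value=4, threat_likelihood=2, vulnerability=4,
             risk_owner="HR Director", treatment="transfer"),
    ]


SAMPLE_REGISTER = build_sample_register()

if __name__ == "__main__":
    for risk_id, inherent, residual, approver in rank_register(SAMPLE_REGISTER):
        print(f"{risk_id}: inherent={inherent:3d} residual={residual:3d} approver={approver}")
    for risk_id in expired_acceptances(SAMPLE_REGISTER):
        print(f"{risk_id}: acceptance decision has expired; management must re-evaluate")
```

Run as a script, the register lists R-1 first (inherent 80, residual 40 after mitigation, board-level approval), then R-3 and R-2, and flags R-2 because its January 2018 acceptance is older than the assumed one-year lifetime at the constructed review date.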

Operational Risk Management


• Operational risk management is concerned with financial losses and the survival of an organization. Operational risk is defined as the risk of loss resulting from failed controls, processes, and systems; internal and external events; and other occurrences that impact business operations and threaten an organization’s survival.
• Within the context of operational risk, organizations develop key recovery targets, including Recovery Time Objective (RTO), the period of time from the onset of an outage until the resumption of service; Recovery Point Objective (RPO), the period of acceptable data loss due to an incident or disaster; Recovery Capacity Objective (RCO), the capacity of a temporary or recovery process as compared to the normal process; and Service Delivery Objective (SDO), the level or quality of service that is required after an event as compared to normal business operations. These recovery targets are all related to one another.
• Organizations often develop another target known as Maximum Tolerable Downtime (MTD), a theoretical time period, measured from the onset of a disaster, after which the organization’s ongoing viability would be at risk. This is also known as the allowable interruption window or acceptable interruption window. Because RTO is the planned time to resume service, it must not exceed MTD.
• Some organizations also develop a Maximum Tolerable Outage (MTO) target, defined as the maximum period of time that an organization can tolerate operating in recovery (or alternate processing) mode. This is relevant for organizations in which the costs and constraints associated with operating in alternate processing mode are not sustainable in the long term.
• Business executives should understand and approve all of the aforementioned targets, because there will be costs associated with an organization’s ability to meet them.
• Organizations often also develop service level agreements (SLAs) in the context of risk management, as a way of setting expectations for the period of time within which a risk analysis is to be completed.
• Risk management and business continuity planning share a considerable amount of common ground. The risk analysis process helps to identify credible disaster event threats, and the risk treatment process facilitates decision-making. Recovery targets define pragmatic limits and help define remediation and recovery plans.

Copyright © 2019 McGraw-Hill Education. All rights reserved. 14
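As an added example (not from the guide), the following Python checks whether a set of recovery targets is internally consistent: RTO must not exceed MTD, an RPO is only achievable when the backup or replication interval is no longer than the RPO, and the recovery capacity must cover the service delivery objective. The systems, their target values, and the field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryTargets:
    """Recovery targets for one system; all values are constructed for illustration."""
    system: str
    rto_hours: float              # Recovery Time Objective
    rpo_hours: float              # Recovery Point Objective (acceptable data loss)
    mtd_hours: float              # Maximum Tolerable Downtime
    rco_percent: float            # Recovery Capacity Objective, % of normal capacity
    sdo_percent: float            # Service Delivery Objective, % of normal service required
    copy_interval_hours: float    # how often data is actually backed up or replicated


def check_targets(t: RecoveryTargets) -> List[str]:
    """Return a list of findings; an empty list means the targets are consistent."""
    findings = []
    # A recovery plan that takes longer than the business can survive is not a plan.
    if t.rto_hours > t.mtd_hours:
        findings.append(f"RTO {t.rto_hours:g}h exceeds MTD {t.mtd_hours:g}h")
    # Data loss equals the time since the last copy, so the copy interval bounds the RPO.
    if t.copy_interval_hours > t.rpo_hours:
        findings.append(
            f"copy interval {t.copy_interval_hours:g}h cannot meet RPO {t.rpo_hours:g}h")
    # The recovery environment must deliver at least the service level the business needs.
    if t.rco_percent < t.sdo_percent:
        findings.append(f"RCO {t.rco_percent:g}% is below SDO {t.sdo_percent:g}%")
    return findings


def review(targets: List[RecoveryTargets]) -> Dict[str, List[str]]:
    """Map each system name to its findings, keeping only systems with problems."""
    return {t.system: f for t in targets if (f := check_targets(t))}


# Constructed sample portfolio: the payment gateway's targets were set without
# checking them against the backup schedule or the capacity of the recovery site.
SAMPLE = [
    RecoveryTargets("payment-gateway", rto_hours=4, rpo_hours=1, mtd_hours=2,
                    rco_percent=50, sdo_percent=80, copy_interval_hours=24),
    RecoveryTargets("intranet-wiki", rto_hours=48, rpo_hours=24, mtd_hours=120,
                    rco_percent=100, sdo_percent=50, copy_interval_hours=24),
]

if __name__ == "__main__":
    for system, findings in review(SAMPLE).items():
        for finding in findings:
            print(f"{system}: {finding}")
```

The check is deliberately simple: each finding is a target that executives approved but that the organization cannot actually meet, which is exactly the conversation about cost that the guide says must happen before the targets are signed off.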

Third-Party Risk Management


• Third-party risk management (TPRM) refers to the activities used to discover and manage risks associated with external organizations performing operational functions for an organization. Though TPRM can exist wholly within an organization’s risk management program, many organizations outsource operations to a large number of outside parties, which warrants a more consistent approach to risk identification and treatment.
• TPRM techniques help an organization determine the specific risks that may exist within individual third-party organizations. Still, because third parties are separate organizations, it is almost always more difficult to gather as much risk information about a third party as one can obtain about one’s own organization.
• The TPRM life cycle consists of 1) classification of a third party into a risk tier; 2) initial assessment; 3) development of a legal agreement; and 4) an ongoing operational state consisting of a) periodic re-classification of the third party, b) re-assessment, and c) renegotiation of the legal agreement.
• A TPRM program generally includes reporting to senior management and identifying high-risk areas and trends of risk over time. Often these metrics are included in an organization’s overall risk management program.
• Risk mitigation is more challenging with third parties; a third party will often be unable or unwilling to change its controls as a result of one customer’s risk assessment.

The Risk Register


• A risk register is a business record that contains information about business risks, including their origin, potential impact, affected assets, probability of occurrence, and treatment. The risk register is the central business record in an organization’s risk management program, the set of activities used to identify and treat risks.
• A risk register can be stored in a spreadsheet, a database, or a governance, risk, and compliance (GRC) tool used to manage risk and other activities in the security program.
• A risk register generally contains items of strategic risk, whether associated with business processes, information technology, the organization’s workers, or third-party service providers.
• A risk register is usually not used to record matters of tactical risk, such as individual system vulnerabilities or weaknesses.
• A risk register is also not used to record security incidents. However, the identification of a security incident may well trigger the creation of one or more risk register entries that represent weaknesses in the organization’s ability to prevent, detect, or respond to incidents.
• Entries for the risk register may come from many sources, such as risk assessments, vulnerability assessments, internal audits, security incidents, threat intelligence, industry developments, new laws and regulations, and outside experts including consultants.

Integration of Risk Management into Other Processes


• Risk assessment and risk management techniques can be employed in the systems development life cycle in activities such as threat modeling, coding standards, code reviews, code scanning, application scanning, and penetration testing.
• These techniques can be used in the change management process to ensure that the information security risks associated with any requested change are known and dealt with.
• The techniques are useful in the configuration management process to ensure that security and risk considerations are included in system configuration.
• In IT incident and problem management processes, risk assessment and risk management techniques help ensure that security and risk considerations are identified and handled.
• These techniques can be used throughout the entire life cycle of physical security controls, whether they are used for the protection of business assets, IT systems, or personnel. The same risk analysis, risk treatment, and risk management processes can be used for all physical security risk matters.
• They can be integrated into existing enterprise risk management (ERM) processes, if they exist. Often, including information security amounts to little more than additional content in the ERM process, along with the participation of security managers and other subject matter experts.
• Several human resource activities, including recruiting, hiring, and performance evaluation, can benefit from risk assessment and management. In each case, context-aware risk analysis can be performed, with risk treatment decisions made accordingly.
• These techniques should be incorporated into an organization’s PMO (project management office) and project management methodologies to ensure that all relevant security and privacy risks are identified and can be verified in the development/acquisition process.

Risk Monitoring and Reporting


• Security managers often engage in risk monitoring (internal audit, control self-assessment, vulnerability assessments, and risk assessments) and risk reporting to keep executive management informed of relevant business risks.
• Security managers regularly engage with business leaders to stay aware of developments throughout the business that may reveal risks not discoverable by other means.

Key Risk Indicators


• A key risk indicator (KRI) is a measure of information risk that is used to reveal trends in the level of risk of security incidents in the organization.
• There is no standard industry set of KRIs; instead, each organization needs to decide which risk activities warrant the development of KRIs to be reported to management.
• KRIs are generally derived from security statistics and metrics that are transformed from their operational roots into meaningful business language. This transformation is accomplished by placing a statistic or metric into a business context that is meaningful to management.
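The transformation from an operational statistic to a KRI, as an added example that is not part of the guide: raw vulnerability scan records become "the share of critical and high findings that are past the remediation deadline management agreed to", tracked month over month and expressed as a red/amber/green status. The SLA values, thresholds, and scan snapshots are constructed assumptions, not figures from the guide.

```python
from datetime import date
from typing import List, Tuple

# Remediation SLA in days by severity (assumed policy values, not from the guide).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed scan snapshots: (snapshot_date, host, severity, first_seen).
# Each snapshot lists the findings still open on that date.
SNAPSHOTS = [
    (date(2019, 1, 31), "web01", "critical", date(2019, 1, 10)),
    (date(2019, 1, 31), "web02", "high", date(2019, 1, 20)),
    (date(2019, 1, 31), "db01", "medium", date(2018, 10, 1)),
    (date(2019, 1, 31), "app01", "critical", date(2019, 1, 28)),
    (date(2019, 2, 28), "web02", "high", date(2019, 1, 20)),
    (date(2019, 2, 28), "app02", "critical", date(2019, 2, 25)),
    (date(2019, 2, 28), "app03", "high", date(2019, 2, 10)),
    (date(2019, 2, 28), "db02", "high", date(2019, 2, 1)),
]


def is_overdue(snapshot_date: date, severity: str, first_seen: date) -> bool:
    """A finding is overdue once it has been open longer than its severity's SLA."""
    return (snapshot_date - first_seen).days > SLA_DAYS[severity]


def kri_overdue_ratio(snapshot_date: date, records, severities=("critical", "high")) -> float:
    """Share of in-scope open findings that are past their remediation SLA.

    This is the KRI: a vulnerability count becomes 'how much of our exposure is
    outside the limits management agreed to'. Medium findings are out of scope
    by default so the indicator tracks the exposure executives care about."""
    in_scope = [r for r in records if r[0] == snapshot_date and r[2] in severities]
    if not in_scope:
        return 0.0
    overdue = sum(1 for r in in_scope if is_overdue(r[0], r[2], r[3]))
    return overdue / len(in_scope)


def trend(records) -> List[Tuple[str, float]]:
    """KRI value per snapshot month, oldest first, rounded for reporting."""
    months = sorted({r[0] for r in records})
    return [(d.strftime("%Y-%m"), round(kri_overdue_ratio(d, records), 4)) for d in months]


def rag_status(value: float, amber: float = 0.10, red: float = 0.30) -> str:
    """Translate the ratio into the red/amber/green language used on a dashboard."""
    if value >= red:
        return "red"
    if value >= amber:
        return "amber"
    return "green"


if __name__ == "__main__":
    for month, value in trend(SNAPSHOTS):
        print(f"{month}: {value:.1%} of critical/high findings past SLA ({rag_status(value)})")
```

The point of the example is the second step: the percentage on its own is still a statistic; pairing it with agreed thresholds and a direction of travel is what turns it into an indicator management can act on.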

Training and Awareness


• The majority (as much as 90 percent, depending upon the source) of security incidents occur because of human error. Whether an end user exercises poor judgment by clicking a link in a phishing message or a systems engineer mistypes a security configuration, security incidents can have catastrophic impact on an organization.
• Many organizations respond by incorporating regular security awareness training for all staff members.
• It is also good practice to provide specific security training for technology workers to make them aware of available techniques for creating systems that are more resilient to attack.


Risk Documentation
• An organization’s risk management program needs to be documented to ensure that risk management operations are performed consistently. This documentation includes policy and procedure documents, business records, roles and responsibilities, and records of communications.

Chapter 3:
Information Security Program
Development and Management
Security program development represents a wide assortment of activities in an organization. Most of
these activities have a direct impact on personnel, business processes, or information technology.
Often, security programs are focused on linking many disparate activities in an organization that are
all, one way or another, associated with the protection of valuable information assets. Another way
of thinking of security program management is that the security manager (and team, if any) acts as a
catalyst to ensure that activities throughout the organization are carried out in a way that does not
produce unacceptable risk.

Information Security Programs


• Information security programs are the collection of activities used to identify, communicate, and address risks. The security program consists of controls, processes, and practices that increase the resilience of the computing environment and ensure that risks are known and handled in an effective manner.
• Security program models have been developed that include the primary activities needed in any organization’s security program. However, because every organization is different, security managers need to understand their organizations’ internal workings so that their security programs can effectively align with the organization’s operations, practices, and culture.
• The primary outcome of a security program is the realization of its strategy, goals, and objectives. When an organization’s strategy is aligned with the business and its risk tolerance and operations, the security program acts as a business enabler, allowing the organization to consider new business ventures while being fully aware of the associated risks, which can then be managed and treated.
• The outcomes of an organization’s security program should include strategic alignment, risk management, value delivery, resource management, performance management, and integration of security into business processes.
• Many organizations define and empower a security program through a charter, a document that describes the objectives of the security program, its scope, its main timelines, the sources of funding, the names of its principal leaders and managers, and the business executives who are sponsoring the program.
• Many organizations build their security programs on a standard framework as the foundation. Such frameworks include ISO/IEC 27001:2013, COBIT 5, and the NIST Cybersecurity Framework (CSF). Be careful not to confuse a program framework with a control framework!
• Many organizations develop an information security architecture, which is both a business function and a technical model. As a business function, security architecture is a set of activities that ensures that the organization designs and implements technology in the right way. As a technical model, security architecture is the set of specifications and schematic diagrams that the organization uses to implement technology consistently.
• Architecture frameworks in use today include TOGAF (The Open Group Architecture Framework) and the Zachman Framework. Each is used to join business concepts with information technology.

Security Program Management


• Security governance is the set of activities that management uses to identify, analyze, and treat risks to key assets; establish key roles and responsibilities; and measure and adjust key security processes. Several parties in an organization play various roles in security governance, including the board of directors, an information security steering committee, the CISO, internal audit, the CIO, all managers, and all workers.
• Activities that take place in the security governance function include risk management, process improvement, incident response, compliance monitoring, business continuity planning, resource management, and measurements to see how well various processes are functioning.


Risk Management
• The purpose of risk management is to identify risks and enact changes to bring them to acceptable levels. Risk management is a life-cycle activity that has no beginning and no end. It is a continuous and phased set of activities that includes the examination of processes, records, systems, and external phenomena in order to identify risks.
• An organization building a risk management program needs to define the program’s objectives, scope, authority, roles and responsibilities, resources, and documentation, including policies, procedures, and records.
• The risk management process consists of the identification of assets; risk analysis to understand the specific threats and vulnerabilities associated with specific assets; threat analysis to understand which threats require attention and how probable they are; identification of vulnerabilities; and an understanding of the impact of threat realization. Optionally, quantitative risk analysis may attempt to arrive at the cost of each threat with its probability factored in (for example, annualized loss expectancy, the expected loss from a single event multiplied by its annualized rate of occurrence). Risk analysis continues with the development of one or more risk treatment and mitigation options that provide management with an array of choices for managing specific risks.
• Risk treatment is the action that management decides to take with any given risk. Traditionally, there are four risk treatment options: accept, mitigate, transfer, and avoid. Organizations maintain business records that include risk treatment decisions and who made them. A fifth, unofficial option is to ignore the risk, in which case an organization refuses to identify and understand the risk. By default, this means that the organization is accepting the risk, since it is taking no other risk treatment action.
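The risk register described in Chapter 2 and the quantitative analysis and treatment decision described above, as an added example (not from the guide): each register entry carries its origin, affected assets, a single loss expectancy and an annualized rate of occurrence, and the candidate treatments. The code computes annualized loss expectancy, compares each option's net annual benefit, and records who made the decision. The entries, loss figures, and option costs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TreatmentOption:
    name: str
    kind: str              # "mitigate", "transfer" or "avoid"
    annual_cost: float     # what the option costs per year
    residual_sle: float    # single loss expectancy once the option is in place
    residual_aro: float    # annualized rate of occurrence once the option is in place


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    source: str                      # where the entry came from (audit, incident, assessment)
    affected_assets: List[str]
    sle: float                       # inherent single loss expectancy
    aro: float                       # inherent annualized rate of occurrence
    options: List[TreatmentOption] = field(default_factory=list)
    decision: Optional[str] = None   # chosen treatment, recorded with the decider
    decided_by: Optional[str] = None


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per event times events per year."""
    return sle * aro


def evaluate(entry: RiskEntry) -> List[Tuple[str, float]]:
    """Net annual benefit of each option: inherent ALE minus residual ALE minus option cost,
    sorted best first."""
    inherent = ale(entry.sle, entry.aro)
    rows = [(o.name, round(inherent - ale(o.residual_sle, o.residual_aro) - o.annual_cost, 2))
            for o in entry.options]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def recommend(entry: RiskEntry) -> str:
    """Name of the best option, or 'accept' when no option pays for itself."""
    rows = evaluate(entry)
    if not rows or rows[0][1] <= 0:
        return "accept"
    return rows[0][0]


def record_decision(entry: RiskEntry, decision: str, decided_by: str) -> None:
    """The register keeps the decision and the accountable person, not just the analysis."""
    entry.decision, entry.decided_by = decision, decided_by


def ranked_register(register: List[RiskEntry]) -> List[Tuple[str, float]]:
    """Register entries ordered by inherent ALE, highest exposure first."""
    return sorted(((r.risk_id, ale(r.sle, r.aro)) for r in register),
                  key=lambda r: r[1], reverse=True)


# Constructed register entries; the figures are illustrative, not real estimates.
REGISTER = [
    RiskEntry("R-001", "Ransomware encrypts the file server", "incident post-mortem",
              ["file-server", "finance shares"], sle=200_000, aro=0.5,
              options=[
                  TreatmentOption("immutable backups", "mitigate", 30_000, 40_000, 0.5),
                  TreatmentOption("cyber insurance", "transfer", 35_000, 50_000, 0.5),
              ]),
    RiskEntry("R-002", "Lost visitor badge used for tailgating", "internal audit",
              ["lobby"], sle=5_000, aro=0.25,
              options=[TreatmentOption("turnstiles", "mitigate", 20_000, 1_000, 0.25)]),
]

if __name__ == "__main__":
    for entry in REGISTER:
        choice = recommend(entry)
        record_decision(entry, choice, "CISO")
        print(entry.risk_id, ale(entry.sle, entry.aro), evaluate(entry), "->", choice)
```

For R-001 the inherent ALE is 100,000; immutable backups leave 20,000 of residual ALE for 30,000 a year (net benefit 50,000), insurance leaves 25,000 for 35,000 (net 40,000), so mitigation wins. For R-002 the only option costs far more than the 1,250 of annual exposure it removes, which is the textbook case for accepting a risk and recording who accepted it.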

Audits
• Organizations perform audits and reviews to help them understand the effectiveness of policies, processes, and controls. A review is less formal; an audit is more formal and is generally performed according to a set of audit rules.
• There are several types of audits, including operational audits, financial audits, integrated audits, IS audits, administrative audits, compliance audits, forensic audits, and service provider audits. An audit is generally managed as a project, complete with a plan, scope, objectives, participants, records, and a formal report. Audit evidence is usually archived for a number of years.
• Organizations may perform a control self-assessment (CSA), alone or as part of an audit or other assurance program. In a CSA, control owners follow specific instructions, which usually include answering a questionnaire about the business process or control and submitting specific artifacts as evidence. Auditors can sometimes use information from control self-assessments to augment their audit activities.

Policy Development
• Security managers frequently need to develop or update security policy as part of the development of a security program. Security policy is a set of statements that defines expected behavior from workers in an organization, including their use of information systems.
• When developing information security policy, security managers need to consider applicable laws, regulations, standards, and other legal obligations, as well as the organization’s risk tolerance, its controls, and its organizational culture.
• It is often helpful to align security policy with the security controls and any control framework that may be in place.
• Security policy must be available to all workers in an organization. Many organizations require workers to acknowledge in writing that they will comply with security policy as well as other policies.

Third-Party Risk Management


• Because many organizations outsource a significant amount of information processing to service providers, organizations develop a third-party risk management program consisting of several activities that ensure that risks associated with third parties are identified and treated, not unlike risks identified within the organization.
• Risks in third-party organizations are more difficult to identify than risks within an organization, primarily because third-party organizations are not as transparent and do not necessarily cooperate as internal personnel would. Similarly, when risks are identified, third-party organizations are generally less cooperative than workers inside the organization.
• Identifying all of the third parties providing services to an organization is itself a daunting task. Stakeholders involved with third parties can include legal, procurement, accounts payable, IT, IT security, facilities, department heads, and business unit leaders.
• The entire population of service providers should reside in a central inventory. Tiers of risk should be established so that organizations can identify the highest-risk service providers. This, in turn, is used to match varying levels of assessment rigor to service providers at each level of risk. Service providers at the highest level of risk should be assessed at the highest level of rigor, including lengthier questionnaires, audit reports, site visits in some cases, and more frequent reassessments. The lowest-risk service providers are generally assessed just at the time of onboarding, with shorter questionnaires.
• Organizations need to determine which criteria are used to place a service provider in the appropriate risk tier.
• Engagement with a service provider is appropriate when significant risks are identified. Attempts may be made to compel the service provider to alter its controls, but this is not always successful. Often, the organization needs to determine whether it can perform mitigation on its own through a compensating control, or whether it must simply accept the risk. Risk avoidance amounts to the organization ceasing to use the service provider, but this is rarely utilized because of the business impact.
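The tiering and rigor-matching step described above, as an added example that is not part of the guide: a scoring function places each service provider in a tier from a few criteria (the classification of data it handles, whether it connects into the environment, whether it supports a critical process, and spend), and each tier maps to a questionnaire depth, required evidence, and reassessment interval. The weights, tier cutoffs, and the plan contents are assumptions chosen for illustration, since the guide says criteria must be defined but does not prescribe them.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed scoring weights; a real program sets these with legal, procurement and IT security.
CLASSIFICATION_SCORE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class ServiceProvider:
    name: str
    data_classification: str         # highest classification of data the provider handles
    network_access: bool             # connects into our environment (VPN, API credentials)
    supports_critical_process: bool  # an outage would interrupt a critical business process
    annual_spend: float


def risk_score(p: ServiceProvider) -> int:
    """Additive score over the tiering criteria; higher means more inherent risk."""
    score = CLASSIFICATION_SCORE[p.data_classification]
    if p.network_access:
        score += 2
    if p.supports_critical_process:
        score += 2
    if p.annual_spend >= 1_000_000:
        score += 1
    return score


def tier(p: ServiceProvider) -> int:
    """Tier 1 is the highest risk and gets the most rigorous assessment."""
    s = risk_score(p)
    return 1 if s >= 5 else 2 if s >= 3 else 3


# Assessment rigor per tier; reassess_months None means an onboarding assessment only.
ASSESSMENT_PLAN: Dict[int, Dict] = {
    1: {"questionnaire": "full", "evidence": ["SOC 2 Type II report", "penetration test summary"],
        "site_visit": True, "reassess_months": 12},
    2: {"questionnaire": "standard", "evidence": ["SOC 2 Type II report"],
        "site_visit": False, "reassess_months": 24},
    3: {"questionnaire": "short", "evidence": [], "site_visit": False, "reassess_months": None},
}


def plan_for(p: ServiceProvider) -> Dict:
    return ASSESSMENT_PLAN[tier(p)]


def reassessment_due(p: ServiceProvider, months_since_last_assessment: int) -> bool:
    """Lowest-tier providers are never re-queued; the others come back on their interval."""
    interval = plan_for(p)["reassess_months"]
    return interval is not None and months_since_last_assessment >= interval


# Constructed provider inventory for illustration.
SAMPLE_PROVIDERS: List[ServiceProvider] = [
    ServiceProvider("payroll SaaS", "restricted", True, True, 2_000_000),
    ServiceProvider("marketing analytics", "confidential", True, False, 200_000),
    ServiceProvider("office supplies", "public", False, False, 50_000),
]

if __name__ == "__main__":
    for p in SAMPLE_PROVIDERS:
        print(p.name, "-> tier", tier(p), plan_for(p))
```

Keeping the criteria in code (or a documented scoring sheet) is what makes the tier decision repeatable and defensible when a business owner asks why their vendor must produce an audit report and another does not.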

Administrative Activities
• Administrative work must be performed by the security manager and the rest of the security team.
• A security program can be successful only to the extent that the security manager has developed key partnerships throughout the organization. Parties with whom key partnerships are important include legal, human resources, facilities, information technology, product/service development, procurement, finance, and business unit leaders.
• Security managers need to develop a number of external partnerships with parties including law enforcement, regulators, auditors, standards organizations, security vendors, and professional organizations.
• Security managers in many organizations are involved with compliance-related activities to ensure that the organization achieves and remains compliant with applicable laws, regulations, and standards. Security managers are quick to point out that compliance with a security-related law, regulation, or standard is not the same thing as being secure.
• In all but the smallest organizations with one (or no) security personnel, security managers shoulder the entire gamut of personnel management activities, just as any other manager in an organization. These activities include finding and retaining talent, establishing roles and responsibilities, creating job descriptions, participating in professional development and training activities, and developing a team culture.
• Security managers are often required to develop a business case before upper management will approve a new project. A business case describes the activity in business terms and helps management understand the costs and benefits of the endeavor.

Security Program Operations


• Event monitoring is the practice of examining the events that are occurring on information systems, including applications, operating systems, database management systems, end user devices, and every type of network device. Security monitoring ensures that security managers are aware of activities occurring throughout the entire operating environment.
• Event monitoring is facilitated through centralized log collection, generally by a security information and event management (SIEM) system, which collects event log entries, performs correlation, and produces alerts that are sent to personnel for investigation and action.
• In some cases, alerts sent from a SIEM precipitate the declaration of a security incident, which is handled by a process all its own.
• Vulnerability management is the practice of the proactive application of security patches (known as patch management) and other configuration changes (known as system hardening), together with periodic examinations of information systems (including but not limited to operating systems and subsystems such as database management systems, applications, and network devices) for the purpose of discovering exploitable vulnerabilities, analyzing them, and deciding on remediation.
• Security managers often encourage systems development teams to follow secure development practices to ensure that information systems that are developed or acquired are free of exploitable vulnerabilities that could otherwise result in damaging security incidents.
• Security managers work with their IT partners to ensure that the organization’s networks are adequately protected through the use of firewalls, application firewalls, network segmentation, intrusion prevention systems (IPSs), network anomaly detection, packet sniffers, web content filters, cloud access security brokers (CASBs), DNS filters, phishing filters, and network access controls for both wired and wireless networks.
• Security managers work with IT to ensure that endpoints are adequately protected through the use of configuration management practices, including system hardening, malware prevention, whole disk encryption, firewalls, IPSs, and web content filters.
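The collect, correlate, alert sequence the SIEM bullet describes, as an added example (not from the guide or any SIEM product): a parser for OpenSSH-style authentication log lines and one correlation rule that fires when a source address fails authentication for a user at least five times within ten minutes and then succeeds. The log lines are a constructed sample with documentation addresses, and the rule threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Matches OpenSSH-style auth log lines; timestamps are ISO 8601 in this constructed sample.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed log sample: 203.0.113.7 guesses root's password six times and then gets in;
# 198.51.100.9 is a user who mistypes twice and then logs in normally. The CRON line
# shows that unrelated records are ignored by the parser.
SAMPLE_LOG = """\
2019-03-04T08:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
2019-03-04T08:00:04 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51123 ssh2
2019-03-04T08:00:07 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51124 ssh2
2019-03-04T08:00:09 web01 sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 51125 ssh2
2019-03-04T08:00:11 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51126 ssh2
2019-03-04T08:00:14 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51127 ssh2
2019-03-04T08:00:17 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51128 ssh2
2019-03-04T08:00:20 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51129 ssh2
2019-03-04T08:05:30 web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2019-03-04T08:05:41 web01 sshd[2302]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2019-03-04T08:05:55 web01 sshd[2304]: Accepted password for alice from 198.51.100.9 port 40003 ssh2
2019-03-04T08:06:00 web01 CRON[2310]: pam_unix(cron:session): session opened for user root
"""


def parse(lines) -> List[Dict]:
    """Normalize raw lines into events; unmatched lines are dropped. Sorted by time so
    correlation does not depend on collection order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when >= threshold failures for (src, user) inside `window` precede a success."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        q = recent[key]
        while q and e["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
        elif len(q) >= threshold:              # Accepted after a burst of failures
            alerts.append({"rule": "brute force followed by success", "host": e["host"],
                           "src": e["src"], "user": e["user"], "failures": len(q),
                           "first_failure": q[0], "success": e["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

Keying the window on the (source, user) pair rather than on the source alone is what keeps the attempt against the invalid "admin" account from counting toward root, and what keeps alice's two typos from triggering the rule; the resulting alert is the kind of record that, in the guide's words, precipitates a security incident.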

Identity and Access Management


• Identity and access management (IAM) represents the collection of business processes and technologies that manage the identities of workers and systems and their access to systems and information.
• Everyday activities in IAM include provisioning access to workers, adjusting the access rights of workers being transferred, assisting workers with access issues such as forgotten passwords and the inability to access a resource, and removing access from departing workers.
• Access governance represents a number of activities used to ensure that user access conforms to policy, including analysis of users’ access to information and information systems and certification of users’ access to information and information systems.
• Segregation of duties (SOD) is the concept that ensures that no single individual possesses a combination of privileges that could result in unauthorized activities or the manipulation or exposure of sensitive data.
• User behavior analytics (UBA) represents an emerging technology in which an individual user’s behavior is baselined, and anomalous activity triggers events or alarms.
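The access governance analysis and segregation of duties bullets above, as an added example that is not part of the guide: a small SOD matrix of entitlement pairs that no one person may hold, roles that grant entitlements, and a check that resolves each user's effective entitlements and reports conflicts. A second function flags role pairs that can never be co-assigned, which is the preventive form of the same control applied at provisioning time. Roles, entitlements, users, and the conflict rules are constructed assumptions.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Roles map to the entitlements they grant (constructed sample).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"develop_code"},
    "release_engineer": {"deploy_production"},
    "change_requester": {"submit_change"},
    "cab_member": {"approve_change"},
}

# Pairs of entitlements that no single person may hold together (the SOD matrix).
# Assumed ruleset for illustration; a real matrix comes from the control owners.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("create_vendor", "approve_payment"),    # could pay a fictitious vendor
    ("develop_code", "deploy_production"),   # could ship unreviewed code
    ("submit_change", "approve_change"),     # could approve one's own change
]

# Constructed role assignments as exported from a directory or IAM system.
USER_ROLES: Dict[str, List[str]] = {
    "carol": ["ap_clerk", "ap_manager"],
    "dave": ["developer"],
    "erin": ["developer", "release_engineer"],
    "frank": ["change_requester", "cab_member"],
}


def effective_entitlements(roles: List[str]) -> Set[str]:
    """Union of everything the user's roles grant; this is what SOD is judged on,
    not the role names themselves."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def sod_violations(user_roles: Dict[str, List[str]],
                   conflicts: List[Tuple[str, str]] = SOD_CONFLICTS) -> Dict[str, List[Tuple[str, str]]]:
    """Detective check: users holding both halves of any conflicting pair."""
    result = {}
    for user, roles in user_roles.items():
        held = effective_entitlements(roles)
        hits = [pair for pair in conflicts if pair[0] in held and pair[1] in held]
        if hits:
            result[user] = hits
    return result


def roles_granting(user_roles: Dict[str, List[str]], user: str, entitlement: str) -> List[str]:
    """Which of the user's roles grant the entitlement; tells the reviewer what to remove."""
    return [r for r in user_roles[user] if entitlement in ROLE_ENTITLEMENTS[r]]


def conflicting_roles(role_entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
                      conflicts: List[Tuple[str, str]] = SOD_CONFLICTS) -> List[Tuple[str, str]]:
    """Preventive check: role pairs whose combined entitlements violate the matrix,
    so provisioning can refuse the second role before the conflict exists."""
    bad = []
    for a, b in combinations(sorted(role_entitlements), 2):
        held = role_entitlements[a] | role_entitlements[b]
        if any(x in held and y in held for x, y in conflicts):
            bad.append((a, b))
    return bad


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        for a, b in hits:
            print(f"{user}: {a} via {roles_granting(USER_ROLES, user, a)} conflicts with "
                  f"{b} via {roles_granting(USER_ROLES, user, b)}")
    print("roles that can never be co-assigned:", conflicting_roles())
```

Running the detective check on a schedule and feeding its output into the periodic access certification is the usual arrangement; the preventive check belongs in the provisioning workflow so that a transfer does not quietly create a conflict that the next certification has to unwind.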

Security Awareness Training


• Security awareness training represents the collection of activities that ensure that an organization’s workers are aware of the organization’s acceptable use policy, information security policy, privacy policy, and other policies; it also ensures that workers are aware of hygienic computer and Internet usage practices.
• Organizations typically require their workers to undergo security awareness training at the time of hire and annually thereafter. Typical security awareness training includes opportunities for workers to practice skills such as creating good passwords and identifying phishing e-mail messages. Typical training also includes competency testing with minimum scores required for users to complete their training. Organizations usually maintain records of each individual user’s training for a number of years.
• Security awareness training also includes messaging in other forms, including e-mail messages from executives and from security leaders, posters, flyers, promotions, contests, and announcements.
• In addition to training for office workers, many organizations also implement specialized security training for information workers such as software developers, system engineers, database administrators, network engineers, and security engineers.
• Organizations that outsource critical information-related services to third parties often require those third-party organizations to implement security awareness training for their employees.

Managed Security Service Providers


• Many organizations outsource portions of their security operations to outside specialty firms known as managed security services providers (MSSPs). Typical activities performed by MSSPs include monitoring of event management systems, monitoring of endpoint detection and response (EDR) systems, and management of security devices such as firewalls, IPSs, antimalware system consoles, and cloud access security broker (CASB) systems.
• In MSSP arrangements, the MSSP personnel perform specific tasks, and the customer organization, in turn, performs specific tasks. For instance, an MSSP that is monitoring a customer organization’s SIEM will detect new alerts and inform the customer organization about those alerts; the customer organization is responsible for remediating the conditions that caused the alerts.
• As organizations have an increasingly difficult time finding and retaining skilled information security personnel, more organizations are turning to MSSPs and other security-related service providers to relieve the pressure of having to find their own staff to perform critical security operations.


Data Security
• ISACA defines data security as those controls that seek to maintain the confidentiality, integrity, and availability of information. Data security is the heart of everything concerned with information security laws, standards, and practices.
• Typical data security topics include access management, cryptography, backup and recovery, data loss prevention, cloud access security brokers, and user behavior analytics.
• Cryptography is the practice of hiding information in plain sight. Put another way, encryption is the practice of hiding information from unwanted persons. The purpose of encryption is to make it difficult for unauthorized personnel to access encrypted information.
• Encryption works by transforming a message with an algorithm and a secret key. The algorithm is generally published and known to everyone; it is the key that is known only to the sender and receiver, and the secrecy of the key is what makes the message useless to any other party that intercepts it.
• Encryption is considered a form of access control; without knowledge of the encryption key and other information, unauthorized parties are unable to access the plaintext (unencrypted) form of the information.
• Encryption is used to protect data in motion (data being transmitted from one system to another over a network), data at rest (while stored in a system, in memory or in main storage), and data in transit (while stored on removable media being transported from one location to another).
• Encryption is used in many circumstances, including encryption of e-mail messages, data stored on removable storage devices, data stored in a database, data being transmitted between a web server and a web browser, and data stored on backup media.
• Key management is the term used to describe the policies, procedures, and tools that generate, manage, protect, and dispose of encryption keys.
• Backup is the practice of making copies of critical information onto a separate storage system or media device. The purpose of backup is to protect critical information from loss if some event damages or destroys the original information.
• Replication is a practice wherein data being written to a storage system is copied (replicated) to another storage system. Typically, for disaster recovery planning purposes, the other storage system is located a large distance away from the main storage system.
• Data loss prevention (DLP) represents a variety of capabilities in which the movement and/or storage of sensitive data can be detected and, optionally, controlled. DLP technology is considered a content-aware control that some organizations use to detect and even control the storage, transmission, and use of sensitive data.
• Cloud access security brokers (CASBs) are products that monitor and, optionally, restrict users’ access to and use of cloud-based resources. CASB tools are typically used to help an organization understand which Internet-based services are being used by its personnel.
• Digital rights management (DRM) represents access control technologies used to control the distribution and use of electronic content. DRM is still considered an emerging technology and practice.
• User behavior analytics (UBA) represents an emerging capability that enables organizations to detect anomalous or abnormal behavior of their personnel. UBA systems observe users’ behavior over time and create events or alarms when user behavior deviates from the norm.
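The baseline-then-deviate mechanism that both UBA bullets describe (here and under Identity and Access Management), as an added example that is not part of the guide: each user's history yields a mean and spread for daily record access volume, a usual login-hour range, and a set of usual countries; a new event is scored against the user's own baseline rather than against a global rule. The access history and today's events are constructed, and the z-score threshold and the floor on a zero spread are assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, NamedTuple


class AccessEvent(NamedTuple):
    user: str
    day: int               # day index in the observation period
    records_accessed: int  # rows pulled from the customer database that day
    login_hour: int        # hour of first login, 0-23
    country: str           # geolocation of the login source


class Baseline(NamedTuple):
    mean_records: float
    sigma_records: float
    hours: range
    countries: frozenset


# Constructed 14-day history used to build each user's baseline: alice's volume
# varies between 100 and 130 rows on weekdays at 08:00-10:00 from the US; bob is flat.
HISTORY: List[AccessEvent] = (
    [AccessEvent("alice", d, 100 + 5 * (d % 7), 8 + d % 3, "US") for d in range(14)]
    + [AccessEvent("bob", d, 50, 9, "US") for d in range(14)]
)


def build_baselines(history: List[AccessEvent]) -> Dict[str, Baseline]:
    """One baseline per user from that user's own history."""
    per_user = defaultdict(list)
    for e in history:
        per_user[e.user].append(e)
    baselines = {}
    for user, events in per_user.items():
        counts = [e.records_accessed for e in events]
        sigma = statistics.pstdev(counts)
        hours = [e.login_hour for e in events]
        baselines[user] = Baseline(
            mean_records=statistics.mean(counts),
            sigma_records=sigma if sigma > 0 else 1.0,  # assumed floor so a flat history still scores
            hours=range(min(hours), max(hours) + 1),
            countries=frozenset(e.country for e in events),
        )
    return baselines


def anomalies(event: AccessEvent, baselines: Dict[str, Baseline], z_threshold: float = 3.0) -> List[str]:
    """Reasons this event deviates from the user's own baseline; empty means normal."""
    b = baselines.get(event.user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    z = (event.records_accessed - b.mean_records) / b.sigma_records
    if abs(z) > z_threshold:
        reasons.append(f"volume z-score {z:.1f}")
    if event.login_hour not in b.hours:
        reasons.append(f"login hour {event.login_hour} outside {b.hours.start}-{b.hours.stop - 1}")
    if event.country not in b.countries:
        reasons.append(f"new country {event.country}")
    return reasons


# Constructed events for the day under review.
TODAY: List[AccessEvent] = [
    AccessEvent("alice", 14, 1200, 3, "RO"),  # bulk pull at 03:00 from a new country
    AccessEvent("bob", 14, 52, 9, "US"),      # ordinary day
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for e in TODAY:
        print(e.user, anomalies(e, baselines) or "normal")
```

Because the comparison is per user, a volume that would be ordinary for a reporting analyst is flagged for alice, which is the property that distinguishes UBA from a fixed threshold; in practice the baseline window rolls forward so that slow changes in a user's job are absorbed while sudden ones are not.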

IT Service Management
• IT service management (ITSM) is the set of activities that ensures that the delivery of IT services is efficient and effective, through active management and the continuous improvement of processes. IT service management is defined by standards such as ITIL (IT Infrastructure Library) and ISO/IEC 20000.
• Often known as the helpdesk, the IT service desk handles incidents and service requests on behalf of customers by acting as a single point of contact. The service desk performs end-to-end management of incidents and service requests (at least from the perspective of the customer) and is also responsible for communicating status reports to the customer.
• Incident management is the collection of IT processes that detect and respond to unplanned interruptions or reductions in the quality of an IT service.
• Problem management is the set of activities designed to reduce the number of incidents by identifying and removing their underlying causes.
• Change management is the set of processes that ensures that all changes performed in an IT environment are controlled and performed consistently.
• Configuration management (CM) is the process of recording and maintaining the configuration of IT systems. Each component whose configuration is managed (for example, a server, an application, or a network device) is known in ITSM jargon as a configuration item (CI).
• Release management is the term used to describe the portion of the SDLC in which changes to applications are made available to end users. Release management is used to control the changes that are made to software programs, applications, and environments.
• Service-level management is composed of the set of activities that confirms whether IS operations is providing adequate service to its customers. This is achieved through continuous monitoring and periodic review of IT service delivery.
• Financial management for IT services consists of several activities, including budgeting, capital investment, expense management, project accounting, and project return on investment (ROI).
• Capacity management is a set of activities that confirms there is sufficient capacity in IT systems and IT processes to meet service needs.
• Service continuity management is the set of activities concerned with the ability of the organization to continue providing services, primarily in the event of a natural or man-made disaster.
• Asset management is the collection of activities used to manage the inventory, classification, use, and disposal of assets. Asset management is a foundational activity, without which several other activities could not be effectively managed, including vulnerability management, device hardening, incident management, data security, and some aspects of financial management.

Controls
• The policies, procedures, mechanisms, systems, and other measures designed to reduce risk
are known as controls. They are a primary means used to influence important outcomes in an
IT environment.
• An organization develops controls to ensure that its business objectives will be met, risks will
be reduced, and errors will be prevented or corrected.
• Controls are used in two primary ways in an organization: they are created to ensure desired
outcomes, and they are created to avoid unwanted outcomes.
• There are many ways to look at controls to help you better understand them and how they
work. In the CISM Certified Information Security Manager All-In-One Exam Guide and CISM
Certified Information Security Manager Practice Exams books, controls are described using the
words “types,” “classes,” and “categories.” The types of controls are physical, technical, and
administrative. The classes of controls are preventive, detective, deterrent, corrective,
compensating, and recovery. The categories of controls are automatic and manual.

• Controls are generally organized into control frameworks, which are typically a hierarchy of
controls based on their context or by other means. Well-known control frameworks include
ISO/IEC 27002, NIST Cyber Security Framework, COBIT, NERC, Cloud Security Alliance,
NIST SP800-53, COSO, CIS-20, and PCI-DSS. Organizations are frequently required to
adhere to two or more control frameworks; this leads organizations to “map” all of the
controls into a single list of controls that is easier to manage.
• General computing controls (GCCs) are a general set of controls that apply across all of an
organization’s applications and services.
• Risk assessments are the primary means through which organizations will identify the need to
develop, modify, or remove individual controls in their control framework.
• The design of a control includes an explanation of its intent, a description of its scope, any
related policies or procedures, and the names of parties responsible for the correct operation
of the control.
• Controls are generally monitored so that management has a way of knowing whether the
control is being operated. Although controls need to be designed so that they can be
monitored, some controls are inherently difficult to monitor.
• Organizations typically have assessments performed against their controls as a way of
identifying whether controls are effective.
• Organizations that act as information-related service providers implement service
organization controls (SOC) and undergo assessments of these controls. There are
established standards for SOC controls and their audits, known as SOC1, SOC2, and SOC3.
• Organizations that decide to implement a set of controls have two basic choices: they can
implement a standard control framework such as ISO/IEC 27002 or NIST SP800-53, or they
can develop controls from scratch.

Metrics and Monitoring
• A metric is a measurement of a periodic or ongoing activity for the purpose of understanding
the activity within the context of overall business operations. In metrics, these measurements
are collected and revealed or published to various business audiences.
• Organizations develop metrics on many topics, including compliance, organizational
awareness, operational productivity, organizational support, technical security architecture,
operational performance, and cost efficiency.

• When building or improving a metrics program, security managers need to consider the
purpose of any particular metric and the audience to whom it is sent. A common mistake
made by security managers is the publication of metrics to various audiences without first
understanding whether any individual metric will have meaning to any particular person.

Continuous Improvement
• Continuous improvement represents the desire to increase the efficiency and effectiveness of
processes and controls over time.
• Several security standards require that an organization adopt a culture of continuous
improvement, including ISO/IEC 27001, NIST SP800-53, and NIST Cyber Security
Framework.

Chapter 4: Information Security Incident Management
Although security incident response, business continuity planning, and disaster recovery planning
are often considered separate disciplines, they share a common objective: the secure continuity of
business operations during and after a threat event. A wide variety of threat events, if realized,
will call upon one or more of the three disciplines in response.

• Security incident response, business continuity, and disaster recovery all require advance
planning, so that the organization will have discussed, documented, and outlined the
responses required for various types of incidents in advance of their occurrence.
• Risk assessments are the foundation of planning for all three disciplines, as it is necessary to
discover relevant risks and to establish priorities during response.

Security Incident Response
• A security incident is an event where the confidentiality, integrity, or availability of
information (or an information system) has been or is in danger of being compromised. A
security incident can also be thought of as any event that represents a violation of an
organization’s security policy.

• Examples of security incidents include computer account abuse, computer or network
trespass, information exposure or theft, fraud, denial of service (DoS), distributed denial of
service (DDoS), deliberate destruction of information or information systems, information
system theft, and corruption of information.
• The Intrusion Kill Chain, developed by Lockheed Martin in 2011, is a model that represents
a typical computer intrusion by an attacker. The phases of the kill chain are reconnaissance,
weaponization, delivery, exploitation, installation, command and control, and actions on
objective.
• The phases of incident response are Planning, Detection, Initiation, Analysis, Containment,
Eradication, Recovery, Remediation, Closure, Post-Incident Review, and Retention of
Evidence.
• The planning step of incident response involves the development of written response plans,
guidelines, and procedures that are followed when an incident occurs. These procedures are
created once the organization’s practices, processes, and technologies are well understood.
• The detection step of incident response involves the tools and procedures used to alert
personnel of the existence of events that may constitute a security incident that warrants
response.
• The initiation step of incident response involves the declaration of a security incident by an
individual empowered to do so. Declaring an incident starts a series of activities intended to
notify security incident responders that their assistance is required to understand and stop a
security incident.
• The analysis step of incident response involves one or more security incident responders
examining any available information that will help them understand the nature, scope, and
extent of an incident that may have occurred or may still be occurring.
• The containment step of incident response involves direct actions (usually on the part of
incident responders) that halt the progress or advancement of an incident.
• The eradication step of incident response involves direct actions (usually on the part of
incident responders) to remove the source of the incident. This may include removing
malware, blocking incoming and/or outgoing command and control messages, or removing
an intruder.
• The recovery step of incident response involves actions to return affected systems to their
pre-incident state. Depending upon the nature of an incident, this may include recovering an
affected device or system from a recent backup, or even replacing affected hardware if it has
been damaged as a result of the incident.
• The remediation step of incident response involves steps taken to prevent the incident (or a
similar incident) from recurring. This may include changing the security configuration of a
system, installing a patch, changing a firewall (or other security device) configuration,
changing access controls, or changing network or system architecture. Remediation may
instead focus on changes to policies, controls, procedures, or standards.
• The closure step of incident response occurs when all response activities have been
completed.
• The post-incident review step of incident response consists of a lengthy discussion of the
entire incident, including its discovery and all phases of response. The purpose of the post-
incident review is to identify potential improvements in affected systems, detection methods,
and response methods.
• The retention of evidence step of incident response is concerned with the archival of
information about the incident, including forensic evidence and other records, in the event
that legal proceedings occur at a later time. Thus, any such evidence is typically gathered and
managed through chain of custody procedures to ensure the integrity of the evidence.

Security Incident Response Plan Development
• As with any emergency, the best time to plan for security incident response is prior to the start
of any actual incident. During an incident for which there has been little or no advance
planning, emotions may run high and there may be a heightened sense of urgency; this is a
poor time to analyze the situation thoughtfully, conduct research, and work out the sequence
of events that should take place.
• Organizations need to establish their objectives prior to undertaking an effort to develop
security incident response plans. Otherwise, it may not be clear whether business needs are
being met.
• When undertaking an effort to develop a security incident response plan, an organization
should consider its current and desired levels of maturity for the incident response process.
The CMMI-DEV maturity model is a good choice for understanding and establishing current
and end-state maturity.

• While developing an incident response plan, a security manager needs to understand what
resources are available to detect and respond to an incident. Such resources include
personnel, retainer agreements with third-party organizations (such as forensic
investigators), and tools for incident detection as well as analysis and response.
• A security incident response plan needs to contain information about specific roles and
responsibilities to ensure that a security incident is handled properly and promptly.
• Prior to developing an incident response plan, a security manager should determine the
current response plan and the desired plan and perform a gap analysis to determine what
additions, changes, and improvements are needed.
• A security incident response plan typically includes policy, roles and responsibilities,
communications procedures, and recordkeeping. Some response plans include a set of
playbooks, which are more detailed response procedures for specific security incident
scenarios.
• Incident response plans need to account for incidents that may occur in critical third-party
organizations. Coordination of incident response between the organization and the third
party is essential in such situations.
• Incident response plans generally include a scheme for classifying an incident. Criteria for
incident classification include the scope of impact of an incident as well as whether there are
requirements to notify affected parties.
• Incident response plans include escalation procedures, generally associated with incident
classifications.
• Organizations should review and update their incident response plan documents at least
once per year as well as any time a significant change is made in an organization or its
supporting systems.
• Organizations should periodically test personnel to ensure that they remain familiar with
response procedures and to confirm that response procedures are still appropriate and up-to-
date. Tabletop testing incorporates a simulation of an actual incident, which adds realism to
the test. Testing an incident response plan can also serve as training for incident responders.

Responding to Security Incidents
• Response to a security incident consists of several phases, from detection to closure and
post-incident review.

• The detection phase marks the start of an organization’s awareness of a security incident. In
many cases, a period of time elapses between the start of the actual incident and the moment
the organization becomes aware of it. This period of time is known as dwell time.
• The ability to detect an intrusion or incident requires a capability known as event visibility.
Typically, event visibility is achieved through the use of event log collection and analysis
tools or via an employee, a customer or client, social media, a regulator, a security
researcher, or law enforcement.
• When an organization has realized that a security incident has taken place or is still taking
place, an incident responder or other person will make an incident declaration. An
organization’s security incident response plan should include a procedure for declaring an
incident.
• The evaluation phase of security incident response is concerned with the examination of
available information that reveals the nature of the incident. This may include the use of
forensic examination techniques that permit the examiner to determine how an incident was
able to occur. Incidents are often classified at the conclusion of the evaluation phase.
• The eradication phase of security incident response is concerned with the removal of the
agent(s) or factor(s) that caused or aided the incident. Depending on the nature of the
incident, this may involve the removal of physical subjects from a work center or information
processing center, or the removal of malware from one or more affected systems.
• The recovery phase focuses on the restoration of affected systems and assets to their pre-
incident state. Recovery is performed after eradication is completed; this means that any
malware or other tools used by the intruder have been removed.
• The remediation phase involves the remediation of any vulnerabilities that were exploited
during the incident. This includes, but is not limited to, technical vulnerabilities that may
have permitted malware exploits to work, but also any supporting technology, business
process, or personnel training vulnerabilities.
• The closure phase is marked by an end of response activities. Here, forensic evidence and
communications records are archived, and internal personnel and outside authorities are
notified.
• A post-incident review includes a discussion that identifies what went well during the incident
and what could have been handled or performed in a better way.
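As an added illustration of the response phases listed in this section and in the earlier "Security Incident Response" list (this is example code, not material from the guide), the following Python sketch enforces the phase order so that recovery cannot begin before eradication, requires a classification at the end of analysis to select an escalation path, computes dwell time, and keeps a hashed chain-of-custody record so the retention step can prove evidence integrity. The phase names follow the guide; the classification scheme, timestamps and evidence bytes are constructed assumptions.

```python
import hashlib
from datetime import datetime
# Phase sequence from the guide; a phase may only be entered from the one before it.
PHASES = ["planning", "detection", "initiation", "analysis", "containment",
          "eradication", "recovery", "remediation", "closure",
          "post-incident review", "retention of evidence"]
# Constructed scheme: (scope of impact, notification required) -> (class, escalate to)
ESCALATION = {("single system", False): ("low", "security analyst"),
              ("single system", True): ("medium", "incident manager"),
              ("multiple systems", False): ("medium", "incident manager"),
              ("multiple systems", True): ("high", "CISO and legal counsel")}

class Incident:
    def __init__(self, detected_at):
        self.detected_at = detected_at  # when the organization became aware
        self.started_at = None          # estimated later, during analysis
        self.phase = "detection"        # planning was done before any incident
        self.classification = None
        self.custody_log = []           # chain-of-custody entries for evidence

    def can_enter(self, next_phase):
        # Only the next phase is allowed; containment also needs the classification assigned at the end of analysis.
        expected = PHASES[PHASES.index(self.phase) + 1]
        needs_class = next_phase == "containment" and self.classification is None
        return next_phase == expected and not needs_class

    def advance(self, next_phase):
        if not self.can_enter(next_phase):  # e.g. recovery before eradication
            raise ValueError(f"cannot enter {next_phase!r} from {self.phase!r}")
        self.phase = next_phase

    def classify(self, scope, notification_required):
        self.classification, escalate_to = ESCALATION[(scope, notification_required)]
        return self.classification, escalate_to

    def dwell_time(self):  # estimated incident start until detection
        return self.detected_at - self.started_at

    def collect_evidence(self, label, data, handler):
        # Custody entry carries a SHA-256 digest taken at collection time.
        digest = hashlib.sha256(data).hexdigest()
        self.custody_log.append({"label": label, "sha256": digest, "handler": handler, "phase": self.phase})
        return digest

    def verify_evidence(self, label, data):
        # Retention check: archived bytes must still match the digest logged at collection.
        digest = hashlib.sha256(data).hexdigest()
        return any(e["label"] == label and e["sha256"] == digest for e in self.custody_log)

def walk_through():
    inc = Incident(detected_at=datetime(2019, 3, 12, 9, 30))
    inc.advance("initiation")
    inc.advance("analysis")
    inc.started_at = datetime(2019, 3, 5, 9, 30)   # first trace found in logs (constructed)
    image = b"constructed disk image bytes"         # stands in for real evidence
    inc.collect_evidence("finance-01 image", image, "responder A")
    cls, escalate_to = inc.classify("multiple systems", True)
    skip_allowed = inc.can_enter("recovery")        # containment/eradication not done yet
    for phase in PHASES[PHASES.index("containment"):]:
        inc.advance(phase)
    return {"dwell_days": inc.dwell_time().days, "classification": cls, "escalate_to": escalate_to,
            "skip_allowed": skip_allowed, "final_phase": inc.phase,
            "evidence_intact": inc.verify_evidence("finance-01 image", image),
            "tamper_caught": not inc.verify_evidence("finance-01 image", image + b"!")}
```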

Business Continuity and Disaster Recovery Planning
• Business continuity planning (BCP) and disaster recovery planning (DRP) are two interrelated
disciplines with a common objective: to keep critical business processes operating
throughout a disaster scenario, while recovering/rebuilding damaged assets in order to
restore business operations at the organization’s primary locations.
• Business continuity planning is undertaken to reduce risks related to the onset of disasters and
other disruptive events. BCP activities identify risks and mitigate those risks through
changes or enhancements in technology or business processes so that the impact of disasters
is reduced and the time to recovery is lessened. The primary objective of BCP is to improve
the chances that the organization will survive a disaster without incurring costly or even fatal
damage to its most critical activities.
• Disaster recovery planning is undertaken to reduce risks related to the onset of disasters and
other events. DRP is mainly an IT function that ensures key IT systems are available to
support critical business processes.
• Disaster recovery plans are contingency plans for recovering IT systems that support critical
business processes. When properly aligned, disaster recovery plans are established to ensure
that critical business processes will have the necessary level of resilience as determined
through business continuity planning.
• A business impact analysis (BIA) is performed to determine which business processes are the
most critical, along with dependencies on internal and external resources.
• A BIA is also useful for information security, as the BIA identifies the most critical business
processes in the organization. Once those business processes are mapped to supporting IT
systems and external service providers, security leaders understand which IT systems are
required to have the best protection and resilience.
• Key recovery targets include recovery time objective (RTO), recovery point objective (RPO),
recovery consistency objective (RCO), and recovery capacity objective (RCapO). Because the
values of these recovery targets will determine the costs required to meet them, business
executives need to ratify and support these objectives.
• A serious cybersecurity incident may trigger a disaster declaration. For example, an attack
with NotPetya or similar malware may result in damage to IT infrastructure, necessitating
the declaration of a disaster so that resources can be marshaled to begin recovery efforts to
keep critical business functions running.
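An added example, not taken from the guide, of how BIA output and the recovery targets described above fit together: process-level RTO and RPO values are mapped onto the IT systems and providers each process depends on (a system inherits the tightest target among its dependents), the systems needing the best protection are ranked, and a DR rehearsal result is checked against RTO, RPO, RCO and RCapO. All process names, systems, target values and rehearsal figures are constructed assumptions.

```python
from datetime import timedelta

# Constructed BIA output (an assumption, not data from the guide): each critical
# business process, the RTO/RPO executives ratified for it, and the IT systems and
# external providers it depends on.
PROCESSES = {
    "payroll": {"rto": timedelta(hours=8), "rpo": timedelta(hours=1),
                "depends_on": ["hr-db", "payroll-saas"]},
    "order-entry": {"rto": timedelta(hours=2), "rpo": timedelta(minutes=15),
                    "depends_on": ["erp", "hr-db"]},
    "customer-portal": {"rto": timedelta(hours=4), "rpo": timedelta(minutes=30),
                        "depends_on": ["erp", "web-tier"]},
}
# Organization-wide consistency and capacity objectives (also constructed).
RCO = 1.0    # fraction of restored records that must be consistent
RCAPO = 0.8  # fraction of normal capacity that must be available after recovery


def system_targets(processes):
    """Map process targets onto supporting systems: a system inherits the tightest
    RTO and RPO among all processes that depend on it."""
    targets = {}
    for name, proc in processes.items():
        for system in proc["depends_on"]:
            t = targets.setdefault(system, {"rto": proc["rto"], "rpo": proc["rpo"],
                                            "processes": []})
            t["rto"] = min(t["rto"], proc["rto"])
            t["rpo"] = min(t["rpo"], proc["rpo"])
            t["processes"].append(name)
    return targets


def most_critical(targets):
    """Systems needing the best protection: tightest RTO first, then most dependents."""
    return sorted(targets, key=lambda s: (targets[s]["rto"], -len(targets[s]["processes"])))


def evaluate_dr_test(target, observed):
    """Compare one system's DR rehearsal result against its derived targets.
    observed: recovery step durations, backup interval, (consistent, total) record
    counts after restore, and the capacity fraction available at recovery."""
    recovery_time = sum(observed["steps"].values(), timedelta())
    consistent, total = observed["records"]
    return {"rto": recovery_time <= target["rto"],
            "rpo": observed["backup_interval"] <= target["rpo"],  # worst-case loss = one interval
            "rco": consistent / total >= RCO,
            "rcapo": observed["capacity_fraction"] >= RCAPO}


def erp_test_example():
    # Constructed rehearsal for the "erp" system (hourly backups, 2h45m to recover).
    observed = {"steps": {"declare disaster": timedelta(minutes=15),
                          "provision standby": timedelta(hours=1),
                          "restore database": timedelta(hours=1, minutes=15),
                          "validate and cut over": timedelta(minutes=15)},
                "backup_interval": timedelta(hours=1),
                "records": (10000, 10000),
                "capacity_fraction": 0.85}
    return evaluate_dr_test(system_targets(PROCESSES)["erp"], observed)
```

Because "erp" inherits order-entry's 2-hour RTO and 15-minute RPO, the rehearsal misses both, which is the kind of gap the guide says executives must see before ratifying targets.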

• The entirety of an organization’s security policies, standards, procedures, and architectures
must be applied to all aspects of BCPs and DRPs: security cannot be compromised despite
the need to keep critical business functions running.
