(Ebook pdf) CISM Certified Information Security Manager All-in-One Exam Guide, 2nd Edition Peter H. Gregory - eBook PDF all chapter

CISM Certified Information Security
Manager All-in-One Exam Guide, 2nd

Edition Peter H. Gregory - eBook PDF
Go to download the full and correct content document:
https://ebooksecure.com/download/cism-certified-information-security-manager-all-in-
one-exam-guide-2nd-edition-ebook-pdf/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
CISM Certified Information Security Manager All-in-One

Exam Guide 1st Edition - eBook PDF
https://ebooksecure.com/download/cism-all-in-one-ebook-pdf/
Ccsp Certified Cloud Security Professional All-In-One

Exam Guide - eBook PDF
https://ebooksecure.com/download/ccsp-certified-cloud-security-
professional-all-in-one-exam-guide-ebook-pdf-2/
CCSP Certified Cloud Security Professional All-in-One

Exam Guide 3rd Edition Daniel Carter - eBook PDF
https://ebooksecure.com/download/ccsp-certified-cloud-security-
professional-all-in-one-exam-guide-ebook-pdf/
CC Certified in Cybersecurity All-in-One Exam Guide 1st

Edition - eBook PDF
https://ebooksecure.com/download/cc-certified-in-cybersecurity-
all-in-one-exam-guide-ebook-pdf/
CEH Certified Ethical Hacker All-in-One Exam Guide 4th
Edition (eBook PDF)
http://ebooksecure.com/product/ceh-certified-ethical-hacker-all-
in-one-exam-guide-4th-edition-ebook-pdf/
Google Cloud Certified Associate Cloud Engineer All-in-

One Exam Guide 1st edition - eBook PDF
https://ebooksecure.com/download/google-cloud-certified-
associate-cloud-engineer-all-in-one-exam-guide-ebook-pdf/
CDPSE Certified Data Privacy Solutions Engineer All-in-

One Exam Guide 1st Edition - eBook PDF
https://ebooksecure.com/download/cdpse-certified-data-privacy-
solutions-engineer-all-in-one-exam-guide-ebook-pdf/
CompTIA Security+ All-in-One Exam Guide (Exam SY0-501)

5th Edition Wm. Arthur Conklin - eBook PDF
https://ebooksecure.com/download/comptia-security-all-in-one-
exam-guide-exam-sy0-501-ebook-pdf/
GPEN GIAC Certified Penetration Tester All-in-One Exam

Guide 1st Edition Raymond Nutting - eBook PDF
https://ebooksecure.com/download/gpen-giac-certified-penetration-
tester-all-in-one-exam-guide-ebook-pdf/
ALL IN ONE
CISM
®
Certified Information
Security Manager
EXAM GUIDE
Second Edition
This page intentionally left blank
ALL IN ONE
CISM
®
Certified Information
Security Manager
EXAM GUIDE
Second Edition
Peter H. Gregory
New York Chicago San Francisco

Athens London Madrid Mexico City
Milan New Delhi Singapore Sydney Toronto
McGraw Hill is an independent entity rom ISACA® and is not afliated with ISACA in any manner. Tis study/training guide and/or material
is not sponsored by, endorsed by, or afliated with ISACA in any manner. Tis publication and accompanying media may be used in assisting
students to prepare or Te CISM exam. Neither ISACA nor McGraw Hill warrants that use o this publication and accompanying media will
ensure passing any exam.
Copyright © 2023 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no
part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-1-26-426832-0
MHID: 1-26-426832-7
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-426831-3,
MHID: 1-26-426831-9.
eBook conversion by codeMantra

Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trade-
marked name, we use names in an editorial fashion only, and to the benet of the trademark owner, with no intention of infringe-
ment of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw Hill eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate
training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of hu-
man or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such
information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work
is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You
may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to
use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES
OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED
FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK
VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, IN-
CLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICU-
LAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work
will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its
licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any
damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through
the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special,
punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been
advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such
claim or cause arises in contract, tort or otherwise.
o Rebekah, the love o my lie.
ABOUT THE AUTHOR
Peter H. Gregory, CISM, CISA, CRISC, CDPSE, CISSP, CIPM, DRCE, CCSK,
is a 30-year career technologist and a security leader in a regional telecommunications
company. He has been developing and managing inormation security management
programs since 2002 and has been leading the development and testing o secure I
environments since 1990. Peter has also spent many years as a sotware engineer and
architect, systems engineer, network engineer, and security engineer.
Peter is the author o more than 50 books about inormation security and technology,
including Solaris Security, CIPM Certified Information Privacy Manager All-in-One Exam
Guide, and CISA Certified Information Systems Auditor All-in-One Exam Guide. He has
spoken at numerous industry conerences, including RSA, Interop, (ISC)² Security
Congress, ISACA CACS, SecureWorld Expo, West Coast Security Forum, IP3, Source
Conerence, Society or Inormation Management, the Washington echnology Industry
Association, and InraGard. Interviews o Peter appear in SC Magazine, U.S. News &
World Report, CNET News, SearchSecurity, Information Security Magazine, CIO, The
Seattle Times, and Forbes.
Peter serves on advisory boards or cybersecurity education programs at the University
o Washington and the University o South Florida. He was the lead instructor or nine
years in the University o Washington certiicate program in applied cybersecurity, a
ormer board member o the Washington State chapter o InraGard, and a ounding
member o the Paciic CISO Forum. He is a 2008 graduate o the FBI Citizens’ Academy
and a member o the FBI Citizens’ Academy Alumni Association. Peter is an executive
member o the CyberEdBoard and the Forbes echnology Council.
Peter resides with his amily in Washington state and can be ound online at
www.peterhgregory.com.
About the Technical Editor

Jay Burke, CISSP, CISM, RBLP-, is a highly accomplished inormation security
proessional with more than 20 years o operational and executive experience across a
variety o industries.
Jay has worked with customers o dierent sizes and types to build, enhance, and
manage best-in-class cybersecurity programs. As an executive-level security proessional, he
has led detailed maturity assessments and acilitated executive workshops to assist CISOs
in maturing their cybersecurity programs. His practical experience includes engagements
addressing strategic consulting, project management, regulatory compliance (Sarbanes–
Oxley, PCI, NERC CIP, HIPAA, SOC 1 and SOC 2), and cybersecurity program devel-
opment leveraging ISO 27001/2, NIS 800-53, Cloud Security Alliance CCM, Shared
Assessments SIG, and Uniied Compliance Framework.
Jay currently serves as the strategic service manager or enable, helping customers
gain visibility o cyber risk by leveraging the enable Cyber Exposure platorm while also
providing the executive suite and board o directors with insight to ocus on the issues
that matter most and make better strategic decisions. Additionally, Jay is a partner at Sage
Advisory, LLC, which helps young proessionals ind their voice in the workplace and
supports the SMB market in the cybersecurity space.
Disclaimer
None o the inormation in this book relects the security posture or practices o any
current or ormer employer or client.
CONTENTS AT A GLANCE
Part I Inormation Security Governance

Chapter 1 Enterprise Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Inormation Security Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Part II Inormation Security Risk Management

Chapter 3 Inormation Security Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Chapter 4 Inormation Security Risk Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Part III Inormation Security Risk Management

Chapter 5 Inormation Security Program Development . . . . . . . . . . . . . . . . . . . . . . 191
Chapter 6 Inormation Security Program Management . . . . . . . . . . . . . . . . . . . . . . 241
Part IV Incident Management

Chapter 7 Incident Management Readiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Chapter 8 Incident Management Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Part V Appendix and Glossary

Appendix About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
ix
CONTENTS
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part I Inormation Security Governance

Chapter 1 Enterprise Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Introduction to Inormation Security Governance . . . . . . . . . . . . . 4
Reason or Security Governance . . . . . . . . . . . . . . . . . . . . . . 6
Security Governance Activities and Results . . . . . . . . . . . . . . 7
Business Alignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Organizational Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Acceptable Use Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Legal, Regulatory, and Contractual Requirements . . . . . . . . . . . . . . 11
Organizational Structure, Roles, and Responsibilities . . . . . . . . . . . 12
Organizational Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Board o Directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Executive Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Security Steering Committee . . . . . . . . . . . . . . . . . . . . . . . . . 19
Business Process and Business Asset Owners . . . . . . . . . . . . . 20
Custodial Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chie Inormation Security Oicer . . . . . . . . . . . . . . . . . . . . 21
Chie Privacy Oicer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chie Compliance Oicer . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Sotware Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Data Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Systems Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
I Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Governance, Risk, and Compliance . . . . . . . . . . . . . . . . . . . . 26
Business Resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Security Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Service Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Quality Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Other Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
General Sta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Monitoring Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . 29
xi
CISM Certified Information Security Manager All-in-One Exam Guide
xii
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter 2 Inormation Security Strategy ................................ 37
Inormation Security Strategy Development . . . . . . . . . . . . . . . . . . 38
Strategy Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Strategy Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Strategy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Strategy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Strategy Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Inormation Governance Frameworks and Standards . . . . . . . . . . . 72
Business Model or Inormation Security ............... 73
he Zachman Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
he Open Group Architecture Framework . . . . . . . . . . . . . . 83
ISO/IEC 27001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
NIS Cybersecurity Framework . . . . . . . . . . . . . . . . . . . . . . 85
NIS Risk Management Framework . . . . . . . . . . . . . . . . . . . 87
Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Roadmap Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Developing a Business Case . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Part II Inormation Security Risk Management

Chapter 3 Inormation Security Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . 101
Emerging Risk and hreat Landscape . . . . . . . . . . . . . . . . . . . . . . . 102
he Importance o Risk Management . . . . . . . . . . . . . . . . . . 102
Outcomes o Risk Management . . . . . . . . . . . . . . . . . . . . . . 103
Risk Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Risk Management echnologies . . . . . . . . . . . . . . . . . . . . . . . 104
Implementing a Risk Management Program . . . . . . . . . . . . . 105
he Risk Management Lie Cycle . . . . . . . . . . . . . . . . . . . . . 115
Vulnerability and Control Deiciency Analysis . . . . . . . . . . . . . . . . 127
Risk Assessment and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
hreat Identiication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Risk Identiication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Risk Likelihood and Impact . . . . . . . . . . . . . . . . . . . . . . . . . 137
Risk Analysis echniques and Considerations . . . . . . . . . . . . 139
Risk Management and Business Continuity Planning . . . . . . 145
he Risk Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Integration o Risk Management into Other Processes . . . . . . 150
Contents
xiii
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Chapter 4 Inormation Security Risk Response .......................... 165
Risk reatment / Risk Response Options . . . . . . . . . . . . . . . . . . . . . 166
Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Risk ranser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Risk Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Risk Acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Evaluating Risk Response Options . . . . . . . . . . . . . . . . . . . . 171
Costs and Beneits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Residual Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Iterative Risk reatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Risk Appetite, Capacity, and olerance . . . . . . . . . . . . . . . . . 174
Legal and Regulatory Considerations . . . . . . . . . . . . . . . . . . . 175
he Risk Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Risk and Control Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Risk Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Control Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Risk Monitoring and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Key Risk Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
raining and Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Risk Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Part III Inormation Security Risk Management

Chapter 5 Inormation Security Program Development . . . . . . . . . . . . . . . . . . 191
Inormation Security Program Resources . . . . . . . . . . . . . . . . . . . . . 192
rends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Outcomes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Charter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Inormation Security Processes . . . . . . . . . . . . . . . . . . . . . . . 195
Inormation Security echnologies . . . . . . . . . . . . . . . . . . . . 196
Inormation Asset Identiication and Classiication . . . . . . . . . . . . . 199
Asset Identiication and Valuation . . . . . . . . . . . . . . . . . . . . . 199
Asset Classiication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Asset Valuation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
xiv
Industry Standards and Frameworks or Inormation Security . . . . . 210
Control Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Inormation Security Management Frameworks . . . . . . . . . . 218
Inormation Security Architecture . . . . . . . . . . . . . . . . . . . . . 218
Inormation Security Policies, Procedures, and Guidelines . . . . . . . 220
Policy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Processes and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Inormation Security Program Metrics . . . . . . . . . . . . . . . . . . . . . . 225
ypes o Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Audiences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
he Security Balanced Scorecard . . . . . . . . . . . . . . . . . . . . . . 232
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Chapter 6 Inormation Security Program Management . . . . . . . . . . . . . . . . . . 241
Inormation Security Control Design and Selection . . . . . . . . . . . . 242
Control Classiication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Control Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
General Computing Controls . . . . . . . . . . . . . . . . . . . . . . . . 246
Controls: Build Versus Buy . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Control Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Inormation Security Control Implementation and Integrations . . . 272
Controls Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Control Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Security and Control Operations . . . . . . . . . . . . . . . . . . . . . . 275
Inormation Security Control esting and Evaluation . . . . . . . . . . . 321
Control Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Control Reviews and Audits . . . . . . . . . . . . . . . . . . . . . . . . . 322
Inormation Security Awareness and raining . . . . . . . . . . . . . . . . . 339
Security Awareness raining Objectives . . . . . . . . . . . . . . . . . 339
Creating or Selecting Content
or Security Awareness raining . . . . . . . . . . . . . . . . . . . . 340
Security Awareness raining Audiences . . . . . . . . . . . . . . . . . 340
Awareness raining Communications . . . . . . . . . . . . . . . . . . 343
Management o External Services . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Beneits o Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Risks o Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Identiying hird Parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Cloud Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
PRM Lie Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Contents
xv
Risk iering and Vendor Classiication . . . . . . . . . . . . . . . . . 354
Assessing hird Parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Proactive Issue Remediation . . . . . . . . . . . . . . . . . . . . . . . . . 360
Responsive Issue Remediation . . . . . . . . . . . . . . . . . . . . . . . . 362
Security Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Inormation Security Program Communications and Reporting . . . 363
Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Internal Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
External Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Compliance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Security Awareness raining . . . . . . . . . . . . . . . . . . . . . . . . . . 375
echnical Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Personnel Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Project and Program Management . . . . . . . . . . . . . . . . . . . . . 382
Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
I Service Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Service Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Incident Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Problem Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Coniguration Management . . . . . . . . . . . . . . . . . . . . . . . . . 388
Release Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Service-Level Management . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Financial Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Capacity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Service Continuity Management . . . . . . . . . . . . . . . . . . . . . . 393
Availability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Continuous Improvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Part IV Incident Management

Chapter 7 Incident Management Readiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Security Incident Response Overview . . . . . . . . . . . . . . . . . . 408
Incident Response Plan Development . . . . . . . . . . . . . . . . . . 411
Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Inventory o Key Processes and Systems . . . . . . . . . . . . . . . . . 417
Statements o Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Criticality Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Determine Maximum olerable Downtime . . . . . . . . . . . . . . 422
xvi
Determine Maximum olerable Outage . . . . . . . . . . . . . . . . 422
Establish Key Recovery argets . . . . . . . . . . . . . . . . . . . . . . . 423
Business Continuity Plan (BCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Business Continuity Planning . . . . . . . . . . . . . . . . . . . . . . . . 427
Disaster Recovery Plan (DRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Disaster Response eams’ Roles and Responsibilities . . . . . . . 456
Recovery Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Incident Classiication/Categorization . . . . . . . . . . . . . . . . . . . . . . . 473
Incident Management raining, esting, and Evaluation . . . . . . . . . 475
Security Incident Response raining . . . . . . . . . . . . . . . . . . . 475
Business Continuity and Disaster Response raining . . . . . . . 476
esting Security Incident Response Plans . . . . . . . . . . . . . . . . 477
esting Business Continuity and Disaster Recovery Plans . . . 478
Evaluating Business Continuity Planning . . . . . . . . . . . . . . . 484
Evaluating Disaster Recovery Planning . . . . . . . . . . . . . . . . . 488
Evaluating Security Incident Response . . . . . . . . . . . . . . . . . . 492
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Chapter 8 Incident Management Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Incident Management ools and echniques . . . . . . . . . . . . . . . . . . 502
Incident Response Roles and Responsibilities . . . . . . . . . . . . 502
Incident Response ools and echniques . . . . . . . . . . . . . . . . 503
Incident Investigation and Evaluation . . . . . . . . . . . . . . . . . . . . . . . 507
Incident Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Incident Initiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Incident Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Incident Containment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Incident Response Communications . . . . . . . . . . . . . . . . . . . . . . . . 515
Crisis Management and Communications . . . . . . . . . . . . . . . 515
Communications in the Incident Response Plan . . . . . . . . . . 516
Incident Response Metrics and Reporting . . . . . . . . . . . . . . . 517
Incident Eradication, and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . 519
Incident Eradication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Incident Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Incident Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Post-incident Review Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Closure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Post-incident Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Contents
xvii
Part V Appendix and Glossary
Appendix About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Your otal Seminars raining Hub Account . . . . . . . . . . . . . . . . . . 531
Privacy Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Single User License erms and Conditions . . . . . . . . . . . . . . . . . . . 531
otalester Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
echnical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Glossary ..................................................... 535
Index ........................................................ 577
Figure Credits
Figure 2-1 Courtesy Xhienne: SWO pt.svg, CC BY-SA 2.5, https://
commons.wikimedia.org/w/index.php?curid=2838770.
Figure 2-2 Adapted rom the Business Model or Inormation Security,
ISACA.
Figure 2-3 Adapted rom the University o Southern Caliornia Marshall
School o Business Institute or Critical Inormation Inrastructure
Protection, USA.
Figure 2-5 Courtesy he Open Group.
Figure 2-7 Courtesy High Tech Security Solutions magazine.
Figure 3-1 Source: National Institute or Standards and echnology.
Figure 6-8 Courtesy Blueoxicy at en.wikipedia.org.
Figure 7-4 Source: NASA.
Figure 7-6 Courtesy Gustavo Basso.
Figure 7-7 Courtesy John Crowley at en.wikipedia.org.
ACKNOWLEDGMENTS
I am immensely grateul to Wendy Rinaldi or airming the need to have this book
published on a tighter than usual timeline. My readers, including current and uture
inormation security managers, deserve nothing less.
Heartelt thanks to Wendy Rinaldi and Caitlin Cromley-Linn or proiciently manag-
ing and coordinating this project, acilitating rapid turnaround, and equipping us with
the inormation and guidance we needed to produce the manuscript.
Many thanks to Patty Mon, Nitesh Sharma, and homas Somers or managing the
editorial and production ends o the project, and to Lisa heobald or copy editing the
book and urther improving readability. I appreciate KnowledgeWorks Global Ltd. or
expertly laying out the inal manuscript pages. Also, thanks to Rick Camp and Lisa
McCoy or expert prooreading and ed Laux or indexing. Like stage perormers, they
make hard work look easy, and I appreciate their skills.
I would like to thank my ormer consulting colleague, Jay Burke, who took on the
task o tech reviewing the entire manuscript. Jay careully and thoughtully scrutinized
the entire drat manuscript and made scores o valuable suggestions that have improved
the book’s quality and value or readers. hanks also to two BCDR colleagues: Charlein
Barni, or reviewing Chapter 7, and Michael Kenney, who conirmed some concepts.
Finally, thanks to Ben Everett, a reader who inormed me o a couple o typos or ambi-
guities in the irst edition.
Many thanks to my literary agent, Carole Jelen, or her diligent assistance during this
and other projects. Sincere thanks to Rebecca Steele, my business manager and publicist,
or her long-term vision and keeping me on track.
his is the 52nd book manuscript I have written since I started writing in 1998. I’m
grateul or those who initially brought me into the publishing business, particularly Liz
Suto (author o Informix Online Performance Tuning, and my irst oicial gig as a tech
editor) and Greg Doench (executive editor at Prentice-Hall Publishers), and so many
more along the way, including Melody Layne, Mark aub, Rev Mengle, Sebastian Nokes,
Greg Croy, Katie Feltman, Katie Mohr, Lindsey Leevere, Josh Freel, Amy Fandrei, Amy
Gray, im Green, Steve Helba, and many others. hank you, all o you, or the splendid
opportunity that has enabled me to help so many readers.
I have diiculty putting into words my gratitude or my wie and love o my lie,
Rebekah, or tolerating my requent absences (in the home oice) while I developed the
manuscript. his project could not have been completed without her loyal and unailing
support and encouragement.
xix
INTRODUCTION
he dizzying pace o inormation systems innovation has made vast expanses o inorma-
tion available to organizations and the public. Design laws and technical vulnerabilities
oten bring unintended consequences, usually in the orm o inormation thet and disclo-
sure. Attacks rom nation-states and cybercriminal organizations are increasing dramati-
cally. he result is a patchwork o laws, regulations, and standards such as Sarbanes–Oxley,
GDPR, CCPA, Gramm–Leach-Bliley, HIPAA, PCI DSS, PIPEDA, NERC CIP, CMMC,
and scores o U.S. state laws requiring public disclosure o security breaches involving
private inormation. he relatively new Cybersecurity & Inrastructure Security Agency
(CISA) has become a prominent voice in the United States, and executive orders require
organizations to improve deenses and disclose breaches. As a result o these laws and
regulatory agencies, organizations are required or incentivized to build or improve their
inormation security programs to avoid security breaches, penalties, sanctions, lawsuits, and
embarrassing news headlines.
hese developments continue to drive demand or inormation security proessionals
and inormation security leaders. hese highly sought-ater proessionals play a crucial
role in developing better inormation security programs that reduce risk and improve
conidence in eective systems and data protection.
he Certiied Inormation Security Manager (CISM) certiication, established in
2002, has become the leading certiication or inormation security management.
Demand or the CISM certiication has grown so much that the once-per-year certi-
ication exam was changed to twice per year in 2005 and is now oered continually.
In 2005, the CISM certiication was accredited by the American National Standards
Institute (ANSI) under the international standard ISO/IEC 17024:2012 and is also
one o the ew certiications ormally approved by the U.S. Department o Deense in
its Inormation Assurance echnical category (DoD 8570.01-M). In 2018 and again in
2020, CISM was awarded the Best Proessional Certiication by SC Media. here are
now more than 50,000 proessionals with the certiication, and the worldwide average
salary or CISM holders is more than US$149,000.
Founded in 1969 as the Electronic Data Processing Auditors Association (EDPAA),
ISACA is a solid and lasting proessional organization. Its irst certiication, Certiied
Inormation Systems Auditor (CISA), was established in 1978.
Purpose of This Book

Let’s get the obvious out o the way: his is a comprehensive study guide or the security
management proessional who needs a serious reerence or individual or group-led study
or the Certiied Inormation Security Manager (CISM) certiication. he content in
this book contains the technical inormation that CISM candidates are required to know.
xxi
xxii
his book is one source o inormation to help you prepare or the CISM exam, but it
should not be thought o as the ultimate collection o all the knowledge and experience
that ISACA expects qualiied CISM candidates to possess. No single publication covers
all o this inormation.
his book is also a reerence or aspiring and practicing I security managers, security
leaders, and CISOs. he content required to pass the CISM exam is the same content
that practicing security managers must be amiliar with in their day-to-day work. his
book is a deinitive CISM exam study guide as well as a desk reerence or those who have
already earned their CISM certiication.
his book is also invaluable or inormation security proessionals who are not in
leadership positions today. You will gain considerable insight into today’s inormation
security management challenges. his book is also helpul or I and business manage-
ment proessionals working with inormation security leaders who need to understand
what they are doing and why.
his is an excellent guide or anyone exploring a security management career. he
study chapters explain the relevant technologies, techniques, and processes used to man-
age a modern inormation security program. his is useul i you are wondering what the
security management proession is all about.
How to Use This Book

his book covers everything you’ll need to know or ISACA’s CISM certiication exami-
nation. Each chapter covers speciic objectives and details or the exam, as ISACA deines
in its job practice areas. he chapters and their sections correspond precisely to the CISM
job practice that ISACA updates rom time to time, most recently in mid-2022.
Each chapter has several components designed to eectively communicate the
inormation you’ll need or the exam.
• he topics covered in each chapter are listed in the irst section to help map out
your study.
• Tips in each chapter oer great inormation about how the concepts you’re
reading about apply in a place I like to call “the real world.” Oten, they may
give you more inormation on a topic covered in the text.
• Exam Tips are included to highlight areas you need to ocus on or the exam.
hey won’t give you any exam answers, but they help you know about important
topics you may see on the test.
• Notes may be included in a chapter as well. hese bits o inormation are relevant
to the discussion and point out extra inormation.
• Fiteen practice questions at the end o each chapter are designed to enable you
to attempt some exam questions on the topics covered in the domain.
• Access to an online question bank is available rom otalester Online,
customizable practice exam sotware with 300 practice exam questions.
• A glossary contains about 650 terms used in the inormation security management
proession.
Introduction
xxiii
About This Second Edition
ISACA has historically recalibrated the contents o its certiications every ive years.
I learned that ISACA would update the CISM job practice (the basis or the exam and
the requirements to earn the certiication) in early 2022, eective in mid-2022. o ensure
that this inormation is up to date, Wendy Rinaldi and I developed a plan or the second
edition as quickly as possible; this book is the result o that eort.
he new CISM job practice inormation was made available in March 2022.
We began work at that time to update the second edition manuscript. his has been
updated to relect all o the changes in the CISM job practice and changes in inorma-
tion security and inormation technology since the irst edition was published.
Information Security vs. Cybersecurity

In our proession, the term “inormation security” is giving way to “cybersecurity.”
Both terms are used in this book, and generally they can be considered equal in
meaning. he act that the certiication, Certiied Information Security Manager,
contains those core words means that the phrase “inormation security” isn’t quite
gone yet. Indeed, ISACA will eventually have to grapple with the brand recognition
o CISM and deal with the possibility that this moniker may be seen as antiquated
because o those two words. Will CISM someday be known as CCM?
Changes to the CISM Job Practice

For the 2022 CISM job practice, ISACA reormatted how the practice areas are described.
Previously, each job practice had a set o Knowledge Statements and ask Statements.
In the 2022 model, each job practice consists o two major categories with three to six
subtopic areas each. his is ollowed by 37 Supporting asks or CISM that are not spe-
ciically associated with the our domains. able 1 illustrates each previous and current
CISM job practice and its corresponding chapters in this book, along with the structure
o the new job practice and coverage in this book.
As is typical or each new job practice and revision o this CISM Certified Information
Security Manager All-in-One Exam Guide, I perormed a gap analysis to understand what
subject matter was added to the new job practice and what was eliminated. My conclu-
sion: ISACA made no signiicant additions or changes to the CISM 2022 job practice
besides numerous structural changes and changes in the weighting between domains.
Several topics are new or expanded rom the irst edition, including the ollowing:
• he distinction between control rameworks, program management rameworks,
risk management rameworks, and architecture rameworks (with examples o each)
• Mention and discussion o a published inormation security ramework that is
older than most living people in the world
• New challenges in obtaining cyber-insurance policies
• Bow-tie risk analysis
xxiv
All-in-One
2016 CISM Job Practice 2022 CISM Job Practice Coverage
1. Inormation Security 24% 1. Inormation Security 17%
Governance Governance
A. Enterprise Chapter 1
Governance
B. Inormation Chapter 2
Security Strategy
2. Inormation 30% 2. Inormation Security 20%
Risk Management Risk Management
A. Inormation Security Chapter 3
Risk Assessment
B. Inormation Security Chapter 4
Risk Response
3. Inormation Security 27% 3. Inormation 33%
Program Development Security Program
and Management
A. Inormation Chapter 5
Security Program
Development
B. Inormation Chapter 6
Security Program
Management
4. Inormation Security 19% 4. Incident Management 30%
Incident Management
A. Incident Chapter 7
Management
Readiness
B. Incident Chapter 8
Management
Operations
Table 1 Previous and Current CISM Job Practices and Corresponding Chapters
• Control architecture, implementation, and operation

• Controlled unclassiied inormation (CUI)
• Crisis communications and crisis management
• Crosswalks
• Cybersecurity maturity model certiication (CMMC)
• Data debt
• Data governance
• Distributed workorce
• Endpoint detection and response (EDR)
• European ESI standards
Introduction
xxv
• Extended detection and response (XDR)
• Foreign Corrupt Practices Act (FCPA)
• Groupthink
• Inormation governance
• Integrated risk management (IRM)
• MIRE A&CK ramework
• Network traic analysis (NA)
• NIS SP 800-171 and SP 800-172
• Passwordless authentication
• Personnel classiication
• Reerence architectures
• Functional and nonunctional requirements
• Risk and control ownership
• Security orchestration, automation, and response (SOAR)
• Sotware as a service (SaaS) disaster recovery
• SaaS security incident response
• echnical debt
• hreat intelligence platorm (IP)
• hree lines o deense
• Workorce transormation, remote work, and hybrid work models
• Zero-trust network architecture
• Addition o about 70 new entries and several cross-reerences to the glossary
(and a ew deprecated entries such as SAS-70, SE, and S-HP removed)
By the time we completed this book, even more new developments, technologies, tech-
niques, and breaches provided additional insight and the promise o still more changes.
Like the surace o Saturn’s moon, Io, our proession is ever-changing. he technology
boneyard is illed with vendors, products, protocols, techniques, and methodologies that
once held great promise, later replaced with better things. his underscores the need or
security leaders (and I, audit, and risk proessionals) to stay current by reading up on
current events, new technologies, and techniques. Some last-minute changes that may
not be ully relected in the manuscript include the ollowing:
• ISO/IEC 27001:2013 was replaced by ISO/IEC 27001:2022 in early 2022.
• ISO/IEC 27002:2013 is scheduled to be replaced by ISO/IEC 27002:2022 in
late 2022.
• A new U.S. national law on privacy may have been enacted.
• Additional U.S. presidential Executive Orders on the topic o cybersecurity may
have been issued.
xxvi
Becoming a CISM Professional
o become a CISM proessional, you must pay the exam ee, pass the exam, prove that
you have the necessary education and experience, and agree to uphold ethics and stan-
dards. o keep your CISM certiication, you must take at least 20 continuing education
hours each year (120 hours in three years) and pay annual maintenance ees. his lie
cycle is depicted in Figure 1.
he ollowing list outlines the primary requirements or becoming certiied:
• Experience A CISM candidate must submit veriiable evidence o at least
ive years o proessional work experience in inormation security management.
Experience must be veriied and gained within the ten years preceding the
application date or certiication or within ive years rom passing the exam.
Experience waivers are available or as many as two years.
• Ethics Candidates must commit to adhering to ISACA’s Code o Proessional
Ethics, which guides the personal and proessional conduct o those certiied.
• Exam Candidates must receive a passing score on the CISM exam. A passing
score is valid or up to ive years, ater which the passing score is void. A CISM
candidate who passes the exam has a maximum o ive years to apply or CISM
certiication; candidates who pass the exam but ail to act ater ive years must
retake the exam i they want to become CISM certiied.
• Education hose who are certiied must adhere to the CISM Continuing
Proessional Education Policy, which requires a minimum o 20 continuing
proessional education (CPE) hours each year, with a total requirement o
120 CPEs over each three-year certiication period.
• Application Ater successully passing the exam, meeting the experience
requirements, and reading through the Code o Proessional Ethics and Standards,
a candidate is ready to apply or certiication. An application must be received
within ive years o passing the exam.
Register Pay Exam Pass

for Exam Fee Exam
Certified
Failure Failure to Pay
CISM Ethics
to Earn Maintenance
Document Work Violation
CPEs Fees
Experience
Pay Earn
Maintenance CPEs Lose CISM
Fee Certification
Figure 1 The CISM certiication lie cycle (Source: Peter Gregory)

Introduction
xxvii
Experience Requirements
o qualiy or CISM certiication, you must have completed the equivalent o ive years
o total work experience in inormation security management. Additional details on the
minimum certiication requirements, substitution options, and various examples are
discussed next.
NOTE Although it is not recommended, a CISM candidate can take the

exam beore completing any work experience directly related to inormation
security management. As long as the candidate passes the exam and the
work experience requirements are illed within ive years o the exam date
and ten years rom the application or certiication, the candidate is eligible
or certiication.
Direct Work Experience

You must have a minimum o ive years o work experience in the ield o inormation
security management. his is equivalent to roughly 10,000 actual work hours, which
must be related to three or more o the CISM job practice areas, as ollows:
• Information security governance Establish and/or maintain an inormation
security governance ramework and supporting processes to ensure that the
inormation security strategy is aligned with organizational goals and objectives.
• Information security risk management Manage inormation risk to an
acceptable level based on risk appetite to meet organizational goals and objectives.
• Information security program Develop and maintain an inormation security
program that identiies, manages, and protects the organization’s assets while
aligning to inormation security strategy and business goals, thereby supporting
an eective security posture.
• Incident management Plan, establish, and manage the capability to detect,
investigate, respond to, and recover rom inormation security and disaster
incidents to minimize business impact.
All work experience must be completed within the ten-year period beore complet-
ing the certiication application or within ive years rom the date o initially passing the
CISM exam. You will need to complete a separate Veriication o Work Experience orm
or each segment o experience.
Substitution of Experience
Up to two years o direct work experience can be substituted with the ollowing to meet
the ive-year experience requirement. Only one waiver is permitted.
Two Years
• Certiied Inormation Systems Auditor (CISA) in good standing
• Certiied Inormation Systems Security Proessional (CISSP) in good standing
xxviii
• MBA or master’s degree in inormation security or a related ield; transcripts or
a letter conirming degree status must be sent rom the university attended to
obtain the experience waiver
One Year
• Bachelor’s degree in inormation security or a related ield
• Skill-based or general security certiication
• One ull year o inormation systems management experience
Here is an example o a CISM candidate whose experience and education are consid-
ered or CISM certiication: A candidate graduated in 2002 with a bachelor’s degree in
computer science. hey spent ive years working or a sotware company managing I,
and in January 2015, they began managing inormation security. In January 2017, they
took some time o work or personal reasons. In 2019, they earned their Security+ cer-
tiication and rejoined the workorce in December 2019, working as a risk manager or
a public company in its enterprise risk management department. he candidate passed
the CISM exam in June 2022 and applied or CISM certiication in September 2022.
Do they have all o the experience required? What evidence will they need to submit?
• Skills-based certification he candidate obtained their Security+ certiication,
which equates to a one-year experience substitution.
• Two years of direct experience hey can count their two ull years o inormation
security management experience in 2015 and 2016.
• One-year substitution hey cannot take into account one year o I management
experience completed between January 2002 to January 2007, because it was not
completed within ten years o their application.
• One-year direct experience he candidate would want to utilize their new risk
manager experience or work experience.
he candidate would need to send the ollowing with their application to prove the
experience requirements are met:
• Veriication o Work Experience orms illed out and signed by their supervisors
(or any superior) at the sotware company and the public company, veriying
both the security management and non–security management work conducted
• ranscripts or letters conirming degree status sent rom the university
TIP Read the CISM certiication qualiications on the ISACA web site. ISACA
changes the qualiication rules rom time to time, and I want you to have the
most up-to-date inormation available.
Introduction
xxix
ISACA Code of Professional Ethics
Becoming a CISM proessional means adhering to the ISACA Code o Proessional Eth-
ics, a ormal document outlining what you will do to ensure the utmost integrity in a way
that best supports and represents the proession. Speciically, the ISACA code o ethics
requires ISACA members and certiication holders to do the ollowing:
• Support the implementation o, and encourage compliance with, appropriate
standards and procedures or the eective governance and management o
enterprise inormation systems and technology, including audit, control, security,
and risk management.
• Perorm their duties with objectivity, due diligence, and proessional care, in
accordance with proessional standards.
• Serve in the interest o stakeholders in a lawul manner, while maintaining
high standards o conduct and character and not discrediting their proession
or the association.
• Maintain the privacy and conidentiality o inormation obtained in the course o
their activities unless disclosure is required by legal authority. Such inormation
shall not be used or personal beneit or released to inappropriate parties.
• Maintain competency in their respective ields and agree to undertake only
those activities they can reasonably expect to complete with the necessary skills,
knowledge, and competence.
• Inorm appropriate parties o the results o work perormed, including the
disclosure o all signiicant acts known to them that, i not disclosed, may
distort the reporting o the results.
• Support the proessional education o stakeholders in enhancing their
understanding o the governance and management o enterprise inormation
systems and technology, including audit, control, security, and risk management.
Failure to comply with this Code o Proessional Ethics can result in an investigation
into a member’s or certiication holder’s conduct and, ultimately, disciplinary measures,
including the oreiture o hard-won certiication(s).
You can ind the ull text and terms o enorcement o the ISACA Code o Ethics at
www.isaca.org/ethics.
The Certification Exam

he certiication is oered throughout the year in several examination windows. You
have several ways to register; however, I highly recommend planning and registering early
regardless o your chosen method.
In 2022, as I write, the schedule o exam ees in U.S. dollars is
• CISM application ee: $50
• Regular registration: $575 member/$760 nonmember
xxx
As I write this, we’re emerging rom the global COVID-19 pandemic. During the
pandemic, ISACA and other certiication bodies adapted and developed remotely proc-
tored exams that permitted test-takers to sit or a certiication exam rom their residence.
I have observed that ISACA has returned to tests administered at testing centers while
continuing to oer remotely proctored exams or those who preer remote testing. I’ll
discuss both options in this section.
NOTE Pay close attention to inormation on ISACA’s web site regarding

testing logistics and locations.
Once your registration is complete, you will immediately receive an e-mail acknowl-
edging this. Next, you will need to schedule your certiication exam. he ISACA web
site will direct you to the certiication registration page, where you will select a date,
time, and (optionally) location to take your exam. When you conirm the date, time,
and location or your exam, you will receive a conirmation via e-mail. You will need the
conirmation letter to enter the test location—make sure to keep it unmarked and in a
sae place until test time.
Onsite Testing Center

When you arrive at the test site, you will be required to sign in, and you may be required
to sign an agreement. Also, you will be asked to turn in your smartphone, wallet or purse,
and other personal items or saekeeping. he exam proctor will read aloud the rules
you must ollow while taking the exam. hese rules will address matters such as breaks,
drinking water, and snacks. While you take the exam, you will be supervised by the proc-
tor, who may monitor you and your ellow test-takers by video surveillance in the test
center to ensure that no one can cheat.
Remote Proctored Testing

I you have registered or a remote proctored exam, you must meet all o the technical
requirements. ISACA has published the “Remote Proctoring Guide” that includes all o
the necessary technical requirements and describes the step-by-step procedures or taking
the exam.
A remote proctored exam means you’ll be taking the exam on your own computer in
your residence or other location. You’ll be in live contact with an exam proctor, and your
webcam will be turned on throughout the exam so that the proctor can observe while
you take the exam to ensure you are not cheating through the use o reerence materials
(books or online). You will also be required to use your webcam to show the entire room
to your proctor, to demonstrate that you do not have reerence materials or inormation
anywhere in view.
o be eligible or a remote proctored exam, you must have a supported version o
Windows or macOS, a current Google Chrome or other Chromium (such as Brave,
SRware Iron) browser, a webcam with at least 640×480 resolution, a microphone, and a
Introduction
xxxi
stable broadband Internet connection. You must be able to install the PSI Secure Browser
and modiy irewalls and other administrative tasks on the day o the exam (this requires
administrative privileges on the computer you are using, which might be a problem i
you are using a company-issued computer).
You’ll be required to log in to your My ISACA account when your exam is sched-
uled. Next, you’ll navigate to your certiications, ind the exam you have scheduled, and
launch the exam. You’ll be directed to perorm several tasks, including installing the
secure browser and closing several other programs on your computer, such as other web
browsers and programs such as Adobe Reader, Word, Excel, and any others that could
include reerence material.
You are not permitted to speak or perorm gestures during the exam. In short, you
cannot be seen to perorm any action that may be an indication o aid by an accomplice.
You’ll be required to veriy your ID by holding it near your webcam so that the proctor
can see it to conirm that you, not someone else, are taking the exam. You will also be
required to use your webcam to show the entire room to your proctor.
Ater completing all steps, the proctor will release the exam and you may begin.
Exam Questions
Each registrant has our hours to take the exam, with 150 multiple-choice questions
representing the our job practice areas. Each question has our answer choices; you must
select only one best answer. You can skip questions and return to them later, and you can
also lag questions you want to review later i time permits. While you are taking your
exam, the time remaining will appear on the screen.
When you have completed the exam, you’ll be directed to close the exam. At that
time, the exam will display your pass or ail status, reminding you that your score and
passing status are subject to review. You will be scored or each job practice area and then
provided one inal score. All scores are scaled. Scores range rom 200 to 800; a inal score
o 450 is required to pass.
Exam questions are derived rom a job practice analysis study conducted by ISACA.
he selected areas represent tasks perormed in a CISM’s day-to-day activities and the
background knowledge required to develop and manage an inormation security pro-
gram. You can ind more detailed descriptions o the task and knowledge statements at
www.isaca.org/credentialing/cism/cism-exam-content-outline.
Exam Coverage
he CISM exam is quite broad in its scope. It covers our job practice areas, as shown
in able 2.
Domain CISM Job Practice Area Percentage of Exam

1 Inormation security governance 17%
2 Inormation security risk management 20%
3 Inormation security program 33%
4 Incident management 30%
Table 2 CISM Exam Practice Areas
xxxii
Independent committees have been developed to determine the best questions, review
exam results, and statistically analyze the results or continuous improvement. Should
you come across a horriically diicult or strange question, do not panic. his question
may have been written or another purpose. A ew questions on the exam are included
or research and analysis purposes and will not be counted against your score. he exam
contains no indications in this regard, so do your best to answer every question.
Preparing for the Exam

he CISM certiication requires that CISM candidates possess much knowledge and
experience. You need to map out a long-term study strategy to pass the exam. he ollow-
ing sections oer some tips to help guide you to, through, and beyond exam day.
Before the Exam

Consider the ollowing list o tips on tasks and resources or exam preparation. hey are
listed in sequential order.
• Read the candidate’s guide For inormation on the certiication exam and
requirements or the current year, go to www.isaca.org/credentialing/exam-
candidate-guides and select the guide in your language o choice.
• Register I you can, register early or any cost savings and solidiy your
commitment to moving orward with this proessional achievement.
• Schedule your exam Find a location, date, and time, and then commit.
• Become familiar with the CISM job practice areas he job practice areas
serve as the basis or the exam and requirements. Beginning with the 2022 exam,
the job practice areas have changed. Ensure that your study materials align with
the current list at www.isaca.org/credentialing/cism.
• Download and study the ISACA Glossary It’s important or you to be amiliar
with ISACA’s vocabulary, which you can download rom www.isaca.org/resources/
glossary.
• Know your best learning methods Everyone has preerred learning styles,
whether sel-study, a study group, an instructor-led course, or a boot camp.
ry to set up a study program that leverages your strengths.
• Self-assess Run through practice exam questions available or download
(see the appendix or more inormation). ISACA may oer a ree online CISM
sel-assessment.
• Iterative study Depending on your work experience in inormation security
management, I suggest you plan your study program to take at least two months
but as long as six months. During this time, periodically take practice exams and
note your areas o strength and weakness. Once you have identiied your weak
areas, ocus on those areas weekly by rereading the related sections in this book,
retaking practice exams, and noting your progress.
Introduction
xxxiii
• Avoid cramming We’ve all seen the books on the shelves with titles that
involve last-minute cramming. he Internet reveals various web sites that teach
individuals how to cram or exams. Research sites claim that exam cramming can
lead to susceptibility to colds and lu, sleep disruptions, overeating, and digestive
problems. One thing is certain: many people ind that good, steady study habits
result in less stress and greater clarity and ocus during the exam. Because o
the complexity o this exam, I highly recommend the long-term, steady-study
option. Study the job practice areas thoroughly. here are many study options.
I time permits, investigate the many resources available to you.
• Find a study group Many ISACA chapters and other organizations have ormed
speciic study groups or oer less expensive exam review courses. Contact your
local chapter to see whether these options are available to you. In addition, be sure
to keep your eye on the ISACA web site. And use your local network to ind out
whether there are other local study groups and helpul resources.
• Confirmation letter Recheck your conirmation letter. Do not write on it or
lose it. Put it in a sae place and note on your calendar when you will need to
arrive at the site. Conirm that the location is the one you selected and is nearby.
• Logistics check Check the candidate guide and your conirmation letter or
the exact time you are required to report to the test site (or log in rom home i
you registered or a remote proctored exam). A ew days beore the exam, check
the site—become amiliar with the location and tricks to getting there. I you are
taking public transportation, be sure to look at the schedule or the day o the
exam: i your CISM exam is on a Saturday, public transportation schedules may
dier rom weekday schedules. I you are driving, know the route and where to
park your vehicle.
• Pack he night beore, place your conirmation letter and a photo ID in a
sae place, ready to go. Your ID must be a current, government-issued photo ID
that matches the name on the conirmation letter and must not be handwritten.
Examples o acceptable orms o ID are passports, driver’s licenses, state IDs,
green cards, and national IDs. Leave behind ood, drinks, laptops, cell phones,
and other electronic devices, because they are not permitted at the test site. For
inormation on what can and cannot be brought to the exam site, see the CISM
exam candidate guide at www.isaca.org/credentialing/cism.
• Notification decision Decide whether you want your test results e-mailed to
you. You will have the opportunity to consent to e-mail notiication o the exam
results. I you are ully paid (zero balance on exam ee) and have agreed to the
e-mail notiication, you should receive a one-time e-mail approximately eight
weeks rom the exam date with the results.
• Sleep Make sure you get a good night’s sleep beore the exam. Research suggests
that you avoid caeine at least our hours beore bedtime. Keep a notepad and
pen next to the bed to capture late-night thoughts that might keep you awake,
eliminate as much noise and light as possible, and keep your room a suitable
temperature or sleeping. In the morning, rise early so as not to rush and subject
yoursel to additional stress.
xxxiv
Day of the Exam
On the day o the exam, ollow these tips:
• Arrive early Check the Bulletin o Inormation and your conirmation letter
or the exact time you are required to report to the test site. he conirmation
letter and the candidate guide explain that you must be at the test site no later
than approximately 30 minutes before testing time. he examiner will begin
reading the exam instructions at this time, and any latecomers will be disqualiied
rom taking the test and will not receive a reund o ees.
• Observe test center rules here may be rules about taking breaks. his
will be discussed by the examiner, along with exam instructions. I you need
something during the exam and are unsure about the rules, be sure to ask irst.
For inormation on conduct during the exam, see the ISACA Exam Candidate
Inormation Guide at www.isaca.org/credentialing/exam-candidate-guides.
• Answer all exam questions Read questions careully, but do not try to
overanalyze. Remember to select the best solution based upon the CISM Job
Practice and ISACA’s vocabulary. here may be several reasonable answers,
but one is better than the others. I you aren’t sure about an answer, mark the
question, so that ater working through all the questions, you can return to any
marked questions (and others) to read them and consider them more careully.
Above all, don’t try to overanalyze questions, and do trust your instincts. Do
not try to rush through the exam; there is plenty o time to take as much as a
ew minutes or each question. But at the same time, do watch the clock so that
you don’t ind yoursel going so slowly that you won’t be able to answer every
question thoughtully.
• Note your exam result When you have completed the exam, you should see your
pass/ail result. Your results may not be in large, blinking text; you may need to
read the ine print to get your preliminary results. I you passed, congratulations!
I you did not pass, observe any remarks about your status; you will be able to
retake the exam—you’ll ind inormation about this on the ISACA web site.
If You Do Not Pass

Don’t lose heart i you do not pass your exam on the irst attempt. Instead, remem-
ber that ailure is a stepping stone to success. houghtully take stock and determine
your improvement areas. Be honest about areas where you need to learn more.
hen reread the chapters or sections and return to this book’s practice exams. I you
participated in a study group or training, contact your study group coach or class
instructor i you believe you may get advice about how to study up on the topics
you need to master. ake at least several weeks to study those topics, reresh yoursel
on other topics, and then give it another go. Success is granted to those who are
persistent and determined.
Introduction
xxxv
After the Exam
A ew weeks rom the exam date, you will receive your exam results by e-mail or postal
mail. Each job practice area score will be noted in addition to the inal score. All scores
are scaled. Should you receive a passing score, you will also receive the application or
certiication.
hose unsuccessul in passing will also be notiied. hese individuals will want to
closely look at the job practice area scores to determine areas or urther study. hey may
retake the exam as oten as needed on uture exam dates, as long as they have registered
and paid the applicable ees. Regardless o pass or ail, exam results will not be disclosed
via telephone, ax, or e-mail (except or the consented e-mail notiication).
NOTE You are not permitted to display the CISM moniker until you have
completed certiication. Passing the exam is not suicient to use the CISM
anywhere, including e-mail, résumés, correspondence, or social media.
Applying for CISM Certification

You must submit evidence o a passing score and related work experience to apply or
certiication. Remember that you have ive years to apply or CISM certiication ater
you receive a passing exam score. Ater this time, you will need to retake the exam beore
you can apply. In addition, all work experience submitted must have occurred within ten
years o your new certiication application.
o complete the application process, you need to submit the ollowing inormation:
• CISM application Note the exam ID number in your exam results letter, list
the inormation security management experience and any experience substitutions,
and identiy which CISM job practice area (or areas) your experience pertains to.
• Verification of Work Experience forms hese must be illed out and signed by
your immediate supervisor or a person o higher rank in the organization to veriy
your work experience noted on the application. You must ill out a complete set o
Veriication o Work Experience orms or each separate employer.
Ater you’ve submitted the application, you will wait approximately eight weeks or
processing. hen, i your application is approved, you will receive an e-mail notiication,
ollowed by a package in the postal mail containing your letter o certiication, certii-
cate, and a copy o the Continuing Proessional Education Policy. You can then proudly
display your certiicate and use the “CISM” designation on your résumé, e-mail, social
media proiles, and business cards.
NOTE You are permitted to use the CISM moniker only ater receiving your
certiication letter rom ISACA.
xxxvi
Retaining Your CISM Certification
here is more to becoming a CISM proessional than passing an exam, submitting
an application, and receiving a paper certiicate. Becoming a CISM proessional is an
ongoing and continuous liestyle. hose with CISM certiication agree to abide by the
code o ethics, meet ongoing education requirements, and pay annual certiication
maintenance ees. Let’s take a closer look at the education requirements and explain the
costs o retaining certiication.
Continuing Education
he goal o proessional continuing education requirements is to ensure that individuals
maintain CISM-related knowledge to help them successully develop and manage secu-
rity management programs. o maintain CISM certiication, individuals must obtain
120 continuing education hours within three years, with a minimum requirement o
20 hours per year. Each CPE hour accounts or 50 minutes o active participation in
educational activities.
What Counts as a Valid CPE Credit?

For training and activities to be utilized or CPEs, they must involve technical or managerial
training directly applicable to inormation security and inormation security management.
he ollowing activities have been approved by the CISM certiication committee and can
count toward your CPE requirements:
• ISACA proessional education activities and meetings
• ISACA members can take Information Systems Control Journal CPE quizzes online
or participate in monthly webcasts, earning CPEs ater passing a quiz
• Non-ISACA proessional education activities and meetings
• Sel-study courses
• Vendor sales or marketing presentations (10-hour annual limit)
• eaching, lecturing, or presenting on subjects related to job practice areas
• Publication o articles and books related to the proession
• Exam question development and review or any ISACA certiication
• Passing related proessional examinations
• Participation in ISACA boards or committees (20-hour annual limit per
ISACA certiication)
• Contributions to the inormation security management proession
(10-hour annual limit)
• Mentoring (10-hour annual limit)
Introduction
xxxvii
For more inormation on acceptable CPE credit, see the Continuing Proessional
Education Policy at www.isaca.org/credentialing/how-to-earn-cpe/#cpe-policy.
Tracking and Submitting CPEs

Not only are you required to submit a CPE tracking orm or the annual renewal process,
but you also should keep detailed records or each activity. Records associated with each
activity should include the ollowing:
• Name o attendee
• Name o sponsoring organization
• Activity title
• Activity description
• Activity date
• Number o CPE hours awarded
It is best to track all CPE inormation in a single ile or worksheet. ISACA has devel-
oped a tracking orm or your use in the Continuing Proessional Education Policy. o
make it easy on yoursel, consider keeping all related records such as receipts, brochures,
and certiicates in the same place. Documentation should be retained throughout the
three-year certiication period and or at least one additional year aterward. Evidence
retention is essential, as you may someday be audited. I this happens, you will be
required to submit all paperwork. So why not be prepared?
For new CISMs, the annual and three-year certiication period begins on January 1
o the year ollowing certiication. You are not required to report CPE hours or the irst
partial year ater your certiication; however, the hours earned rom the time o certiica-
tion to December 31 can be utilized in the irst certiication reporting period the ollow-
ing year. hereore, should you get certiied in January, you will have until the ollowing
January to accumulate CPEs. You will not have to report them until you report the totals
or the ollowing year, in October or November. his is known as the renewal period. You
will receive an e-mail directing you to the web site to enter CPEs earned over the year.
Alternatively, the renewal will be mailed to you, and then CPEs can be recorded on the
hard-copy invoice and sent with your maintenance ee payment. CPEs and maintenance
ees must be received by January 15 to retain certiication.
Notiication o compliance rom the certiication department is sent ater all the inor-
mation has been received and processed. I ISACA has questions about your submitted
inormation, you will be contacted directly.
Sample CPE Records

able 3 contains an example o CPE records.
xxxviii
Name John Jacob
Certiication Number 67895787
Certiication Period 1/1/2023 to 12/31/2023
Activity CPE
Activity Title/Sponsor Description Date Hours Support Docs Included?
ISACA presentation/lunch PCI 2/12/2023 1 Yes (receipt)
compliance
ISACA presentation/lunch Security in 3/12/2023 1 Yes (receipt)
SDLC
Regional Conerence, RIMS Compliance, 1/15–17/2023 6 Yes (CPE receipt)
risk
BrightFly webinar Governance, 2/16/2023 3 Yes (conirmation e-mail)
risk, &
compliance
ISACA board meeting Chapter board 4/9/2023 2 Yes (meeting minutes)
meeting
Presented at ISSA meeting Risk 6/21/2023 1 Yes (meeting notice)
management
presentation
Published an article in XYZ Journal article 4/12/2023 4 Yes (article)

on SOX ITGCs
Vendor presentation Learned about 5/12/2023 2 Yes
GRC tool
capability
Employer-oered training Change 3/26/2023 7 Yes (certiicate o course
management completion)
course
Table 3 Sample CPE Records
CPE Maintenance Fees

o remain CISM certiied, you must pay CPE maintenance ees each year. hese annual
ees are (as o 2022) $45 or members and $85 or nonmembers. he ees do not include
ISACA membership and local chapter dues (neither is required to maintain your CISM
certiication). More inormation is available rom www.isaca.org/credentialing/cism/
maintain-cism-certiication.
Revocation of Certification
A CISM-certiied individual may have his or her certiication revoked or the ollow-
ing reasons:
• Failure to complete the minimum number o CPEs during the period
• Failure to document and provide evidence o CPEs in an audit
Introduction
xxxix
• Failure to submit payment or maintenance ees
• Failure to comply with the Code o Proessional Ethics, which can result in
investigation and ultimately lead to revocation o certiication
I you have received a revocation notice, contact the ISACA Certiication Department
at https://support.isaca.org/ or more inormation.
Living the CISM Lifestyle

Being a CISM-certiied individual involves much more than passing the exam, participat-
ing in continuous learning, and paying the annual maintenance ees. here are numerous
opportunities to get involved in local, national, and global activities and events to help
you grow proessionally and meet other risk management proessionals.
Find a Local Chapter

ISACA has more than 200 chapters in about 100 countries around the world. Chances
are there is a chapter near you. I attended many ISACA chapter meetings and other
events in Seattle when I lived there, where engaging speakers spoke on new topics, and
I met many like-minded security and audit proessionals over the years.
Local chapters rely entirely on volunteers, and there is room or you to help in some
way. Some chapters have various programs, events, study groups, and other activities
that enrich participants proessionally. Most o my ISACA experiences happen in my
local chapter.
Attend ISACA Events

ISACA puts on antastic in-person conerences with world-class keynote speakers, expert
presentations, vendor demonstrations and exhibits, a bookstore, and opportunities to
meet other security, risk, and audit proessionals. I ind ISACA conerences enriching to
the point o being overwhelming. With so many learning and networking opportunities,
I have ound mysel nearly exhausted at the end o an ISACA conerence.
Join the Online Community

ISACA has an online community known as Engage, in which participants can discuss
any topic related to security, risk, audit, privacy, and I management. You can read and
participate in online discussions, ask questions, help others with their questions, and
make new proessional connections. You can join Engage at https://engage.isaca.org/.
Pay It Forward Through Mentorship

I you are at the point in your career where you qualiy or and have a reasonable prospect
o passing the CISM exam, chances are you have had a mentor or two earlier, and maybe
you have one now. As you grow in your proessional stature, others will look to you as a
potential mentor. Perhaps someone will ask i you would consider mentoring him or her.
xl
he world needs more, and better, inormation security proessionals and leaders. Men-
toring is a great way to “pay it orward” by helping others get into the proession and grow
proessionally. Mentoring will enrich your lie as well.
Volunteer
As a nonproit organization, ISACA relies upon volunteers to enrich its programs and
events. here are many ways to help, and one or more o these volunteer opportunities
may suit you:
• Speak at an ISACA event Whether you make a keynote address or host a session
on a speciic topic, speaking at an ISACA event is a mountaintop experience. You
can share your knowledge and expertise on a particular topic with attendees, but
you’ll learn some things too.
• Serve as a chapter board member Local chapters don’t run by themselves; they
rely on volunteers—working proessionals who want to improve the lot o other
proessionals in the local community. Board members can serve in various ways,
rom inancial management to membership to events.
• Start or help a CISM study group Whether part o a local chapter or a chapter
at large, consider starting or helping a group o proessionals who want to learn
the details o the CISM job practice. I am a proponent o study groups because
study group participants make the best students: they take the initiative to take
on a big challenge to advance their careers.
• Write an article ISACA has online and paper-based publications that eature
articles on various subjects, including current developments in security, privacy,
risk, and I management rom many perspectives. I you have specialized
knowledge on some topic, other ISACA members can beneit rom this knowledge
i you write about it.
• Participate in a credential working group ISACA works hard to ensure that
its many certiications remain relevant and up to date. Experts worldwide in many
industries give o their time to ensure that ISACA certiications remain the best
in the world. ISACA conducts online and in-person working groups to update
certiication job practices, write certiication exam questions, and publish updated
study guides and practice exams. I contributed to the irst CRISC certiication
working group in 2013 when ISACA initially developed the CRISC certiication
exam; I met many like-minded proessionals, some o whom I am still in regular
and meaningul contact with.
• Participate in ISACA CommunITy Day ISACA organizes a global eort o
local volunteering to make the world a better, saer place or everyone. Learn
about the next CommunIy day at https://engage.isaca.org/communityday/.
• Write certification exam questions ISACA needs experienced subject matter
experts willing to write new certiication exam questions. ISACA has a rigorous,
high-quality process or exam questions that includes training. You could even
be invited to an in-person exam item writing workshop. You can ind out more
about how this works at www.isaca.org/credentialing/write-an-exam-question.
Introduction
xli
Please take a minute to relect upon the quality and richness o the ISACA organiza-
tion and its many world-class certiications, publications, and events. hese are all ueled
by volunteers who made ISACA into what it is today. Only through your contribution
o time and expertise will ISACA continue in its excellence or uture security, risk, pri-
vacy, and I proessionals. And one last thing you can only experience on your own:
volunteering helps others and enriches you. Will you consider leaving your mark and
making ISACA better than you ound it? For more inormation about these and many
other volunteer opportunities, visit www.isaca.org/why-isaca/participate-and-volunteer.
Continue to Grow Professionally

Continual improvement is a mindset and liestyle built into I service management and
inormation security, and it’s even a ormal requirement in ISO/IEC 27001! I suggest
you periodically take stock o your career status and aspirations, be honest with yoursel,
and determine what mountain you will climb next. I needed, ind a mentor who can
guide you and give you solid advice.
Although this may not immediately make sense to you, know this: helping others,
whether through any o the volunteer opportunities listed here, or in other ways, will
enrich you personally and proessionally. I’m not talking about eathers in your cap or
juicy items in your résumé, but rather the growth in character and wisdom that results
rom helping and serving others, particularly when you initiated the helping and serving.
Proessional growth means dierent things to dierent people. Whether it’s a better
job title, more money, a better (or bigger, or smaller) employer, a dierent team, more
responsibility, or more certiications, embarking on long-term career planning will pay
dividends. ake control o your career and your career path. his is yours to own and
shape as you will.
Summary
Becoming and being a CISM proessional is a liestyle, not just a one-time event. It takes
motivation, skill, good judgment, persistence, and proiciency to be a strong and eective
leader in inormation security management. he CISM certiication was designed to help
you navigate the security management world more easily and conidently.
Each CISM job practice area is discussed in detail in the ollowing chapters, and
additional reerence material is presented. Not only is this inormation helpul or those
o you who are studying beore taking the exam, but it is also meant to serve as a
resource throughout your career as an inormation security management proessional.
PART I
Information Security
Governance
Chapter 1 Enterprise Governance
Chapter 2 Inormation Security Strategy
Another random document with
no related content on Scribd:
Swiftly we released her from the tape and wire that silenced and
bound her; then, to our astonishment, we found that she was
chained by the ankle to an iron post of the bed. The Chief
immediately set to work to unfasten the chain, which looked like an
ordinary dog-chain.
By this time, McGinity had discovered a light fixture in the wall, near
the front window, containing one bulb, which he turned on. Mrs.
LaRauche stared dazedly from one to the other of us, giving me no
sign of recognition, although I addressed her by name. But she
appeared to comprehend what we were up to. Still unable to speak,
she raised one hand weakly, and pointed towards the window in the
back of the room, behind the bed.
In doing this, she furnished us with an important clue. LaRauche had
escaped through this window, which was set in the Mansard roof,
and gave on to a broadish ledge, sufficient wide for a person to walk
on. This ledge extended clear around the house.
"We've got to get LaRauche!" Chief Meigs exclaimed, but he couldn't
get through the window because of his rather portly physique. Nor
could I. McGinity, slim in figure, managed it nicely. He had such good
eye-sight that he could distinguish objects which were beyond the
view of normal-sighted people. And he was hardly outside, on the
ledge, and debating whether he should turn to the left or the right,
when he espied a figure, crouching in the dark, at the far end of the
roof extension.
"You see it?" he asked Chief Meigs, who was leaning out of the
window.
"I can't see a damn thing," the Chief replied.
"Next time, you'd better bring your opera-glasses," the reporter
suggested, ironically.
"I wonder if it is LaRauche?" said the Chief, thoughtfully.
"It's a man, at any rate," said McGinity. "Looks like he's wearing
black trousers and a white shirt. No coat or hat at all. He's got bushy
white hair."
"Then it's LaRauche," the Chief exclaimed. "Call to him, and tell him
to come back into the house. Say it's no use trying to escape."
McGinity did as the Chief requested, and there came in reply a
cackling laugh.
"I heard that," said the Chief. "It's the laugh of a maniac." Then he
added quickly: "What's he doing now?"
McGinity did not reply immediately. He had seen something very
strange happen. LaRauche had mysteriously disappeared—
vanished into the air.
"He's gone!" the reporter cried at last. "Escaped! He just flew off the
roof."
The Chief gave a groan of disappointment. "Oh, come back in!" he
ordered gruffly. "Don't be funny!"
McGinity came back through the window, his knees a little unsteady.
Then he explained what he had seen. LaRauche had floated off the
roof, into the air, lightly but swiftly, taking a downward course, and
had been swallowed up in the darkness below.
"You don't expect me to believe a fairy story like that?" Chief Meigs
growled. "Here, let's get downstairs. We're wasting time."
"It's the gospel truth, officer," McGinity declared, vehemently; "but
how he did it is a puzzle to me."
It was no puzzle to me. I had always considered LaRauche mad, and
mad scientists work in a strange, mysterious way. His vanishing into
the air, from the roof, might have a perfectly natural explanation.
Having my own views, which I was not inclined at the moment to
expose, for fear of further disgruntling the Chief, I said nothing.
Five minutes after the Chief and McGinity had gone downstairs, the
reporter to search for LaRauche in the back-yard, while Chief Meigs
reported the mysterious death of Orkins, and summoned medical aid
for Mrs. LaRauche, by telephone, my attention was again attracted
to the back window. This time it was by a bright glare of light.
Hurrying to the window, I was made speedily conscious of what was
happening. LaRauche had, indeed, escaped from the house by way
of the roof, in a manner yet to be revealed, and was now, apparently,
making a quick getaway in his plane.
He had set off a magnesium flare. The small hangar and flying field
were bathed in a weird and eerie silver-colored haze. His plane was
in sight. Even at this distance, I caught the glint of its wings in the
silver-colored light as it taxied across the field. With a roar, it shot
upward, and was lost in the blackness of the night.
McGinity had heard the noise of the take-off, and came running up,
to learn from me, and make sure his speculations, that LaRauche
had really vanished from the roof, as if by magic, and was now
escaping in his plane. I assured him on these two points very firmly
and quickly.
And while he hurriedly retraced his steps downstairs, to report to
Meigs, I again turned my attention to Mrs. LaRauche, whose mind,
although still in confusion, was slowly clearing.
Later, we were to hear some very remarkable things from her.
XXVIII
My intuitive feeling that we had a night's work before us, which I had
voiced prophetically to McGinity earlier in the evening, as we started
for the LaRauche place, with only the faint clue of a woman's voice
on the telephone to go on, proved conformable to fact. Dawn was
breaking when we returned to the castle, weary and heavy at heart.
The place was silent; the only sound that came to us was the swish-
swish of the incoming tide, as it broke against the rocks at the foot of
the cliff.
We were both so saddened and unstrung over our unpleasant and
tragic experiences during the past twenty-four hours, and so
physically dog-tired, that we were averse to talking them over.
The three tragedies, occurring so closely together, first, Niki, then Mr.
Zzyx, and now, Orkins, after all, seemed to have been so
unnecessary; or, as Henry had voiced his opinion about Mr. Zzyx's
fearful death, so senseless. And while there was a logical connection
between them and the perpetration of the Martian hoax, so far they
had contributed little or nothing in clearing up the mystery which was
still baffling us both.
It was here that Mrs. LaRauche came into the picture. My conviction,
from the time I recognized her voice on the telephone, was that she
knew more than any one else did. I had been shocked rather than
distressed at the death of Orkins. A providential death, perhaps, with
LaRauche gone now, and his wife holding the secret.
But where was LaRauche going? Evidently, after the systematic
manner of his escape, he had a set goal. He was an experienced
pilot, and a very expert one, considering his age, and probably knew
of many places where a man could land safely in the dark.
Word of his escape by plane had been broadcast; the machinery of
police watchfulness set in motion along the entire eastern seaboard,
and far inland, as well. Somewhere in the air, a man was flying—
wanted by the police.
Mrs. LaRauche was a badly shaken woman, but her condition was
not serious. I remained at her side until the arrival of an ambulance
physician from the county hospital. He was accompanied by a nurse,
who took her immediately in charge. But she had other ideas than of
going to the hospital. Her brain had cleared considerably, and she
insisted on remaining in her home. I agreed with her on this, and to
the inconvenience of the proprietor of an employment agency in the
village, who had retired for the night, I soon had a competent
manservant, with his wife, on the premises.
By the time they arrived, bringing ample provisions and milk, which I
had the foresight to order, the police had removed the body of
Orkins, as well as all traces of his death. The couple set to work at
once, systematically clearing up and setting things in order. By
midnight, the house was freshened up considerably, and Mrs.
LaRauche made as comfortable as possible in her own, redressed
bedroom, with the hospital nurse in attendance.
What she needed most, the physician decreed, was absolute rest
and quiet. The kindly attentions showered upon her appeared for the
moment to compensate for the loss of her demented husband. She
had come out of a horror, but she was not thinking—or allowing
herself to think—it seemed to me.
The house still seemed empty and queer as McGinity and I drove
away, around one o'clock, trailing Chief Meigs' car back to the
village. The Chief's last act was to station a policeman on guard,
which made me a lot easier in my mind.
The situation was still lamentable enough, but McGinity and I, with
an air of bravado, continued our inquiries on reaching the village.
With police assistance, we had no difficulty in locating the light truck
which Orkins had rented, and once located and properly inspected,
we found nothing to indicate that it had been used to transport the
stolen rocket from the Museum of Science to the East River.
And then McGinity suddenly found something, which was vitally
important. A screw from the rocket. Chief Meigs chuckled; he
couldn't see that a screw could possibly have any bearing on our
situation. When we returned to the police station, I showed him.
"Why, that's just an ordinary screw," he said, after inspecting the
screw more closely. "I don't see how it could mean anything."
"No?" I said. "Then you don't know how they make screws on Mars.
If you think it's just ordinary, here's a screw-driver and a piece of pine
wood. Now, drive it in!"
"That doesn't worry me at all," Meigs bantered. He went to his task
cheerfully, even whistling, and giving a wink to several policemen
who were looking on. But the screw refused to function in the
ordinary way. Finally, he gave it up. "Why the damn thing won't go
into the wood is a mystery to me," he remarked, as he handed the
screw and screw-driver back to me.
"Because it works in reverse to our screws," I explained, as I drove
the screw into the soft wood easily enough by a reverse motion.
"There, I've done the job," I concluded, "which proves conclusively
that only a Martian screw could be jolted out of a Martian rocket. And
as the screw was found in the truck, the van therefore must have
carried the rocket."
The Chief of Police grew pop-eyed in amazement.
"Everything about the rocket has this unusual element," I continued,
"except the metal from which it was constructed, and it is a scientific
fact that the metallic ores which abound on the earth are to be found
in other planets."
The Chief's look of blank astonishment prompted me to go on.
"Now, whatever we may have thought at first about this rocket
having originated on Mars, we know now that LaRauche
manufactured it himself. He had the brain power necessary to create
this fantasy in mechanism, and the means and method of carrying
out his motive, which was to bring my brother Henry to shame."
"All of which stirred the popular imagination, and increased the
circulation of the Daily Recorder half a million," McGinity interjected.
"Well," Chief Meigs drawled, "all I got to say is this. If making screws
that go in backwards is not the act of a lunatic, then I'm crazy
myself."
For several hours, McGinity and I remained at the police station,
occupying ourselves piecing together from this and that all the
information at our command; and at the end, it was as clear as
daylight that we knew no more about the actual perpetration of the
hoax than we did twenty-four hours back. The impression we both
had gained was that tragedy had been obtruded into LaRauche's
suave scheme that was shockingly disturbing, but had nothing
whatever to do with clearing up the case.
There was little or nothing at the LaRauche home for the police to go
on with. No trace of the revolver that had pierced Orkins' heart with
its deadly bullet; no firearms of any sort, in fact. Mrs. LaRauche
heightened the mystery by declaring her husband had an inherent
fear of the use of firearms, as he had of fire, and had never owned a
revolver. Nor was any sort of weapon discovered during the
inspection of his laboratory, or workrooms, in the observatory and
hangar, in which he operated outside his dwelling. No evidence even
was found that would in the slightest degree incriminate him in the
Martian fraud.
The city papers had come by plane, after midnight, and I read them
all with interest. McGinity, fed up on the story, waved them away.
They contained a very full account of what had occurred at the
castle, Orkins' mysterious death, and LaRauche's escape by plane.
About three o'clock, I succeeded in reaching Olinski on the
telephone, at his city home, and he was so upset over the whole
affair, as reported in the papers, that at first all he could seem to do
was to sputter into the mouthpiece.
"I fear, my dear Mr. Royce," he managed to say, finally, "that you and
that reporter fellow have made a great mistake—a serious error. You
have found nothing to prove that the radio message, and the rocket,
did not originate in Mars, now, have you?"
"Nothing," I replied, "except that water-mark we found in the scroll."
"That proves nothing," he fairly shouted. "Some utterly unscrupulous
and wicked person may have changed that scroll after it passed out
of my possession."
"That is your theory, Mr. Olinski?" I asked.
"Can you suggest any other?" he countered. "No; because there can
be no other. Unless you are accusing me of complicity—"
"I didn't say so, Mr. Olinski," I interrupted.
"Yet you believe this Dr. LaRauche, the scientist you've been telling
me about, is at the bottom of this so-called hoax?"
"That is highly possible," I answered. "I myself think so."
"But you have, of course, no idea just how he did it?"
"No idea whatever, but it's quite plain that for motives of his own he
had the opportunity."
"And that," Olinski declared, "that's as far as you've got?"
"At present," I replied.
"And that's as far as you'll ever get, my dear Mr. Royce," he rejoined
in a bitter, sardonic tone, and then suddenly hung up.
When we had thus made an end, a dead silence followed, during
which McGinity and I looked at each other for a moment or two, in
silence. After I had told him what Olinski had said, the reporter
spoke.
"I've put it out of my mind that Olinski had anything to do with this
affair," he said. "The more I think of it, Mr. Royce, the more I'm dead
certain that Mrs. LaRauche is our only hope. Finding her husband
will be a police detail, and several days may elapse before he's
apprehended. Now, if we could get to her, the first thing in the
morning. Do you think that would be possible?"
Before I could answer, Chief Meigs walked in to say that a plane,
answering the description of LaRauche's machine, had passed over
Montauk Point, heading south, a little before three o'clock, had been
picked up by a coast-guard searchlight, but had dodged out of the
light. With this announcement, all thoughts of Mrs. LaRauche
vanished, and—to me, at any rate—did not recur until we had driven
back to the castle at the break of dawn, after a weary vigil of waiting
at the police station to hear further word of LaRauche. But the
reports were blank and disappointing.
XXIX
Interviewing Mrs. LaRauche did not prove as difficult as we had
anticipated. At ten o'clock—McGinity and I were still in bed—the
manservant I had installed at the LaRauche house, telephoned that
Mrs. LaRauche was feeling much stronger, and was most anxious to
see Henry and me on a matter of very urgent business; and would
we please bring along the village Chief of Police, also the young
newspaper reporter who had accompanied the officer and me to the
house the night before.
At eleven o'clock, we drove off. On our way through the village, we
picked up Chief Meigs, and the first thing he did after boarding the
car was to give me a wink, and mutter: "Screws!" Henry was pallid
and trembling. He had been deeply shocked when he learned of
Orkins' death. He seemed to have aged ten years during the night.
McGinity was in a state of excitement. After a late and hasty
breakfast, he and Pat had taken a stroll on the terrace. In spite of the
tragedies and excitement, Pat had come downstairs looking as fresh
and as bright as I had ever known her. I met them as I came out to
get into the car. McGinity had just reached out to take her hand in
his, and she had not drawn it away. She seemed a little breathless.
The strain of the past twenty-four hours, and loss of sleep, had been
too much for me. As we breezed along in the crisp, morning air, I
was no more capable of keeping my eyes open than I was of writing
poetry. My conversation was limited to monosyllabic answers;
between monosyllables, I fell into a light doze.
Nearing the LaRauche place, I became more wide-awake, and
began to speculate whether Mrs. LaRauche knew, and was in a
position to tell, the whole truth. Doubt had entered my mind. Even
after we had been admitted into the house, and had gathered around
her, in a sitting-room adjoining her bedchamber, I felt certain that she
would be able to contribute very little to the sum of information which
we had.
She was dressed in a dark morning gown, and seated in an easy
chair. The heavy window curtains were drawn, to save her eye-sight,
after long imprisonment in a darkened room. In the dim glow of a
shaded lamp, her face appeared pale and worn. Yet her poise was
serene; to all appearances, she was very much mistress of herself.
This was a great relief to me. I was afraid we would have a
quivering, sobbing woman on our hands, and the thought was
terrifying. Only once, when she grasped Henry's hand, on our arrival,
did she show that she was under a strain which was almost at a
breaking point.
She was a comely woman, even in her present pitiable state, and
she had the voice of a woman of refinement and education. I had
often wondered why she had married a man so much older than
herself, and so eccentric. She was LaRauche's second wife. God
knows what became of the first one!
After we had quietly taken seats, Chief Meigs broke the tension of
silence. "Do you feel strong enough to answer our questions, Mrs.
LaRauche?" he inquired.
She nodded, and replied: "I think so."
Then Henry spoke. "I wish to heaven, Mrs. LaRauche, you'd got in
touch sooner with Livingston and me. We've always prized your
friendship very highly, and if it had not been for—"
"Yes; I know," Mrs. LaRauche broke in, as though anticipating his
closing remark; "but I've been unable to communicate with any one
on the outside for several weeks. A day or so ago, I managed to get
the front window open, and waved to a motorcycle policeman, but
apparently he did not see me." She stopped, and glanced nervously
over her shoulder, and added, with a little shiver: "Oh, you don't
know how I've grown to hate this house!" Then, quickly regaining her
self-possession, she looked at McGinity steadily for a moment, and
said: "I haven't the slightest idea who you are. I only know that you
were a very thoughtful and kind young man last night. Are you the
newspaper reporter?"
McGinity nodded, with an embarrassed smile, and was about to
reply when I interjected: "A thousand pardons, Mrs. LaRauche," I
said. "Allow me to present Mr. Robert McGinity, of the New York
Daily Recorder, a young but very capable reporter, in whom we place
every confidence. In fact, we've grown so fond of him, he seems like
one of the family." Turning to Henry for confirmation, I concluded: "I
am quite right, am I not, Henry?"
"Of course, you're right," Henry answered, loudly. "And I don't know
what we're going to do without him when this—er—Martian affair—I
was about to say, Martian inquest—is finished."
I gasped with astonishment at Henry's remarks, while McGinity
turned very red, and said, stammeringly: "Thanks, Mr. Royce." Then
he began to fumble nervously with his inevitable bunch of copy
paper and pencil.
Mrs. LaRauche smiled wanly, and addressed herself again to the
reporter. "I'm so glad you've come, Mr. McGinity," she said, "for what
I'm going to tell, I wish to be given as much publicity as possible. I
want the public to know that Henry Royce was imposed upon, and
that my husband, now a fugitive, although I refuse to believe he's a
murderer, was wholly responsible, with the connivance of Orkins, his
manservant, in carrying out this cruel deception, which, I know, is still
puzzling all of you."
"Even at that, it doesn't seem so incredulous," Henry commented. "I
guess I'm one of the die-hard kind."
There was a little pause, then Mrs. LaRauche turned to Chief Meigs.
"Tell me," she said, "how is the search going? Have the police
discovered any clue to my husband's whereabouts?"
"I'm afraid I can't give you any information," Meigs replied; "no clue
at all."
"It isn't that I want him back," she said firmly, "or would ever want to
see him again, after the many cruelties he practiced on me. But he's
been out of his mind—insane—I'm sure, for weeks now, and is really
unaccountable for his acts."
Her voice had grown shaky, and her face went whiter than it had
been. We remained silent, recognizing the futility of questioning her
until she got control of herself. Our chief interest, of course, lay in the
unraveling of the mystery which still baffled us, and when she finally
got to it, she answered all our questions in a cool collected way.
On my suggestion, McGinity began the questioning, giving us a
specimen of his powers of observation. He omitted no detail of
importance, carefully marshaling his facts and presenting them to
Mrs. LaRauche as expertly as a lawyer examining a witness before a
jury.
"Your married life has been a very unhappy one, hasn't it, Mrs.
LaRauche?" he began.
"Very unhappy," she replied, sighing. "Insolent, quarrelsome, Rene
LaRauche humiliated me in every possible way. I was simply his
housekeeper—a vassal. He was the mighty, brainy scientist, and he
never allowed me to forget it—not for one instant."
"Apparently he did not confide in you?"
"Orkins had been his manservant for some years prior to our
marriage, and to him he entrusted the secrets of his scientific
discoveries and inventions, rather than to me. This was only one of
his many eccentricities, and I submitted to the indignity with
exemplary patience."
"How do you account for his making Orkins a confidant?"
"He was too self-centered, too egotistical, to invite the confidence of
brainy people. He seemed to like to impress—startle—inferior minds
with his discoveries. Orkins was a highly trained servant, and a
general handy man, but he was not intellectual."
"But you could easily have escaped all this bullying and domineering
on the part of your husband?"
"I often considered divorce," was the reply, "but a latent sense of
duty to my marriage vows prevented me from taking that step."
Here McGinity suddenly switched off that line of inquiry, and turned
to another. "Why have you brought us here today?" he asked.
"To disclose certain facts which prove my husband tricked Henry
Royce shamelessly in these Martian revelations."
"When did you come into possession of these facts?"
"Less than a month ago. Up to that time I had been as keenly
interested in the matter, and as gullible as the rest of you, and the
public at large. When Rene found that I had acquired this
knowledge, and that, motivated by a deep sense of justice and fair
play, I meant to disclose the real meaning of these revelations, he
hid my clothes, and locked me up in that attic room, where you found
me."
"How did you manage to get downstairs and phone to the Royce
house, last evening?"
"Orkins, who served my meals, forgot to lock the door after him. He
seemed preoccupied and nervous. It was my first opportunity to seek
outside aid since my imprisonment. I stole out quietly, and crept
downstairs, to the phone in the library, unaware that my husband
was shadowing me."
"And he cut you short, it seems."
"Before I had a chance even to tell my name, he sprang upon me
and choked me off, and then, in his usual cruel manner, bound me to
the chair and bed. He acted like a maniac, I was terribly frightened."
She paused, a little breathlessly, then added: "I am still in some
dilemma as to how my unfinished message was understood."
"You may recall, Mrs. LaRauche, that you spoke to me," I answered.
"Your voice was familiar, yet I couldn't place it at first. Finally, when I
was convinced that it was your voice, the incident put us on the right
track. Mr. McGinity and I already were in possession of several vital,
suspicious facts, and your phone call gave us another important
clue."
Then Henry spoke. "About Orkins. Had you any misgivings, Mrs.
LaRauche, when he entered my service as butler? I took him, you
know, on your husband's recommendation."
"It was not clear at the time," she answered. "Rene invented some
explanation that Orkins wanted to make more money. Now, I know
that he was deliberately planted in your house as a spy, and that he
kept my husband advised on all your secret workings in science. He
betrayed your confidence, as he cold-bloodedly tried to betray Rene,
for that $5,000 reward."
"Do you know anything at all about Orkins' death?" Chief Meigs
broke in, abruptly.
It was a pertinent question to put, but a little cruel. "No," Mrs.
LaRauche replied, almost defiantly. "I do recall hearing a distant,
sharp sound of some sort—it may have been the shot that killed him
—but I associated it with the back-firing of an automobile on the
highway. About an hour later, I heard a noise downstairs."
"That was when I smashed a panel in your front door, probably," the
Chief put in.
"Shortly afterwards," Mrs. LaRauche went on, "my husband entered
the attic room, looking very excited. He threw a sheet over me, and
then I heard him open the back window, and climb through, on to the
roof. I had the uncomfortable feeling that something sinister had
occurred, and that he was bent on escape. But I was bound to the
chair and helpless, and in too much anguish to think clearly."
"Mrs. LaRauche!" McGinity asked suddenly. "We are very anxious to
know how your husband escaped so magically from the roof, like he
had flown to the ground. Have you any theory?"
She smiled faintly, and replied: "Rene invented many peculiar things,
like the robot, now used in all New York subway and railroad
stations, where the traveler's usual questions are answered by a
phonographic voice, by simply pressing a button. He had a great fear
of fire, of being trapped by fire. Some months ago, he installed a
safety device, in case of fire, on our roof."
"What was it like?" I asked, eagerly.
"Simply a heavy wire stretched tautly from the roof to the ground,
and terminating at some distance away from the house, to make the
descent more gradual," she replied. "In case of fire, you step into a
sort of trapeze, which is attached to the wire by a grooved wheel,
and your descent to the ground is something like the 'slide for life,'
often seen at the circus, or in film melodramas. I can see how, in the
dark, it would give the illusion of flying."
XXX
After the concerted gasp of surprise over LaRauche's weird method
of escape from the roof had died away, McGinity put another
important question: "How did you first discover that your husband
was implicated in these Martian revelations, and that they were a
fraud? Did you find anything—papers?"
"Something like that," she replied.
She took out of the little bag, which lay in her lap, a charred slip of
paper, which she handed to McGinity; and while he passed it round
for our inspection, she continued: "I found this paper in the charred
rubbish, in the log fire-place, in my husband's laboratory, which
Orkins had neglected to clean out. You'll recognize the lettering it
contains as a portion of the code used for the radio messages from
Mars, and its deciphering into English. After I had studied this, I
began a secret investigation on my own, and gradually the scheme
was unveiled to me."
"This detecting business must have been a new and novel
experience," Henry remarked, good humoredly.
"Not exactly," Mrs. LaRauche replied. "You probably don't know—not
many do—that I have written several mystery novels under the pen
name of Martha Claxton."
This disclosure was followed by another concerted gasp of surprise.
After it had subsided, McGinity exclaimed: "Well, that's certainly a
knockout, Mrs. LaRauche! Why, I've read all of your novels, including
the latest one, 'The Country House Mystery,' and I consider Martha
Claxton—you—a close runner to the English Agatha Christie—a
feminine J. S. Fletcher. No wonder your husband, with his jealous
temperament, had this constitutional antagonism against any rival in
his household, in the field of fame."
"Combine jealousy and revenge," Mrs. LaRauche said, "and in these
two forces you have the most perverse evil in the world. Rene was
not only intensely jealous of Henry Royce for his successful findings
as an amateur scientist and astronomer, but he nursed a revenge
against him for the exposé of those faked African jungle films, and
his subsequent expulsion from the Exploration Club. He blamed—"
"Officially, I had nothing to do with it," Henry interrupted, vehemently.
"I simply voiced my belief to a fellow member of the club that the
films looked like fakes to me."
"What raised your suspicions?" Mrs. LaRauche asked.
"Well, I recognized, among those African jungle midgets," Henry
replied, "a Negro dwarf I had seen years ago at a circus side-show.
She was exhibited as a human crow. She had the remarkable
physiognomy and jet blackness of a crow, and she could caw like
one. She must be an old woman by now. In your husband's faked
film, she took the part of a chattering, pigmy grandmother, who was
thrown into the river and drowned because of her great age and
uselessness. As she was engulfed in the river torrent, and sank, I
recognized her pitiful 'caw-caw'."
"Fancy your remembering that," Mrs. LaRauche remarked.
Again Chief Meigs spoke abruptly. "Pardon me, Mrs. LaRauche," he
said, "but how long do you reckon your husband has been out of his
mind?"
She looked startled for a moment, then calmly replied. "He was silent
and brooding for some months past, but I attributed this to his being
deeply engrossed in some new scientific research. It's rather difficult
to say when he passed into the stage of actual insanity. It's my
opinion that all inventive scientists are a little bit cracked." She
hesitated a moment, and smiled apologetically at Henry. "It's my
belief, though," she went on, "that he became definitely deranged
when the success of his scheme centered the attention of the world
upon Henry Royce, and raised him to the heights of fame. Rene had
not figured on this. It was like a boomerang. When he realized that
his scheme was reacting to his own damage, then, perhaps,
something in his brain snapped."
"Have you any personal knowledge of the implication of your
husband and Orkins in the theft of the rocket?" McGinity asked.
She shook her head. "Only a suspicion," she replied. "There were
many, many nights, while I was locked in the attic, when I couldn't
sleep, so I used to listen for sounds from the lower part of the house.
The night the rocket was stolen, I remember distinctly the house was
as quiet as a tomb. I remained awake all night, terrorized at the
thought of being left alone. Towards morning, I heard familiar sounds
again—footfalls in the hall—voices—and went to sleep."
"I wonder what motive prompted LaRauche to do a crazy thing like
that?" I interrogated.
"Dispose of the rocket, and he would be less liable to detection,"
Mrs. LaRauche replied. "He must have become suddenly fearful of
some one tracing the workmanship of the rocket to him. It was public
knowledge that he had made considerable progress in the creation
of a metal rocket, which he hoped, eventually, to catapult to the
moon. No doubt he reconditioned this rocket to meet the
requirements of his mad Martian scheme."
"It's one of the most intricate and puzzling pieces of craftsmanship
and mechanism I've ever seen," I said, glancing at Chief Meigs, who
punctuated my remark with a smile and a wink, and the silent
mouthing of "Screws!"
By this time, McGinity was showing signs of impatience. "If there is
no reason why we shouldn't," he said, emphatically, "I think we'd
better get through with this business now, as quickly as possible.
Mrs. LaRauche is under a great strain, and we must spare her all we
can. So why not let her tell us, in as few words as she can, all she
knows. I leave it to her."
"Very well, Mr. McGinity," she assented, nodding her head two or
three times. Then she began. "There are a great many things I know
nothing whatever about. Some things I say may be true, or partly
true; the rest will be based on my deductions.
"As I've already told you," she continued, "my husband carried on
this work in the greatest secrecy. My curiosity, rather than suspicion,
was aroused when he began to collect scientific books on Mars, and
studies of the ancient inscriptions, cuneiforms and hieroglyphics, of
Babylon and Egypt. He began sending Orkins on frequent visits to
the city. It was Orkins, no doubt, who ordered the making of the
scroll. He fits the old bookseller's description to a nicety—'middle-
aged, well-dressed, well-bred.'
"The time came when Rene dropped his preliminary studies and
research, and applied himself wholly to his work, in the laboratory,
and at his workshop in the hangar. He worked at all hours of the day
and night, in a kind of frenzy. Finally, late in the summer, as I
reconstruct it, matters began to take shape. He must have had in his
possession by that time all the information Orkins had obtained,
surreptitiously, in relation to Henry Royce's and Serge Olinski's
experiments in trying to establish radio communication with Mars.
"Early in August, he did a lot of night flying, always accompanied by
Orkins. The trust he put in that scoundrel, and the money Orkins
must have bled him for! They were usually in the air from nine to
eleven. When I quizzed Rene on the purpose of these night flights,
he said he was conducting a series of meteorological experiments.
But what he was really doing—if my surmise is correct—was flying
high over the Royce castle, or Radio Center, and testing his carefully
thought out Martian code on Mr. Royce and Mr. Olinski, wherever
they happened to be conducting their radio experiments; sort of
baiting them.
"He was perfectly able to do this with the powerful wireless sending
outfit with which he had equipped his plane. Apparently Mr. Royce
and his co-worker were finally satisfied that these signals in code
came from Mars, for we next heard of Mr. Royce erecting two
stations, one designed for transmitting, the other for receiving
Martian radio messages.
"Now, comes the strange story of the public demonstration of direct
radio communication with Mars, at Radio Center. I happened to be in
town that night, having gone there to visit friends, over the week-end,
at Rene's persistent urging that I take a holiday, which was a rather
strange attitude for him to adopt. Up to that time, I was not in the
least suspicious, and listened in that night with a great deal of
enjoyment, although I thought the Martian message, as decoded and
broadcast—well, somehow it seemed perfectly incredulous to me.
"If any man was pleased with the success of this undertaking, Rene
must have been. He achieved it with great risk, in a hazardous flight
into the sub-stratosphere. We must at least give him credit for this
daring feat, also for the cleverness of his Martian code, which he
sent by wireless from this great height, and the perfect artistry of
English into which it was so easily transcribed by Mr. Olinski. My
suspicions of Rene's sub-stratosphere performance, in his plane,
were confirmed after I had discovered a visored aluminum helmet,
and a rubber fabric suit, in which he had received oxygen, hidden
under some rubbish in the hangar.
"It is perfectly amazing to me how he accomplished two such
remarkable feats in one night, transmitting the Martian message from
the sub-stratosphere, garbling it and fading out, to indicate ethereal
disturbance, and dropping the rocket on the water-front. Oh, he must
have dropped it from his plane while flying low over the beach! There
can be no other explanation. He had plenty of time in which to return
to the field, after the altitude flight, attach the rocket under the plane,
on the principle of a bomber, with Orkins' assistance, of course, and
soar off again. The rocket appears heavy, but, as you know, it is
constructed of comparatively light metal, and, without fuel, is easily
handled. The exterior of the rocket was purposely fired in advance, I
found, to give the effect of its having traveled through the earth's
atmosphere at great speed.
"In this stunt, he had the spectacular accessory of the falling
meteors, and he added to the realism by sending off a great quantity
of fire-works from the plane when he dropped the rocket on the
beach. There was little chance of his plane being detected at this
time of night; he was just another strange traveler in the sky. He
carried enough fire-works to equip a Fourth of July celebration. In my
investigation, I found a dozen or so burned out Roman candles, and
other unused fire-works, which he had secreted under his work-
bench in the hangar.
"His mission achieved, he went into retreat. For weeks we lived in
practical isolation, while the world buzzed with the great Martian
revelations, and honors were heaped upon Mr. Royce. It is not easy
for the mind to grasp how Rene managed to put over this
stupendous hoax, having as its object the humiliation of a bitterly
hated rival, unless one considers that it was the cold-blooded
scheme of a great mind gone wrong. And into that deranged mind
there must have gleamed some light of inspiration. His detailed
description of life as it exists at present on Mars, which he set forth in
the cuneiform code, contained in the scroll, I consider marvelous—
absolutely marvelous. It is logical, and it rings true. No scientist,
ancient or modern, has ever given a more plausible picture of the
history of Mars, and conditions of life there. No scientist in his right
mind would have been so fearless. But Rene—the madman—dared.
"I'm sorry it isn't true. I want it to be true. I want to think there are
people like ourselves living on Mars. We know now that it is
technically possible to bridge the space between us with radio, to
register our music, our ideas, in that planet. And we need the
Martian ideas, and their hopes and illusions, as well, to buoy up our
drooping spirit, just as much as they need ours. Perhaps, after we're
all dead and buried, this revelation from Mars will come. Radio was
given to the world to bring about universal harmony, to bring nations
closer together. Why not interstellar harmony? Oh, it's coming! Who
knows?
"And now, my friends, since I've given you every detail I can think of,
what have you to say?"
There was deep silence for a few moments, and then I spoke. "Your
findings and deductions, Mrs. LaRauche, are all very wonderful, and
very convincing," I said; "but there is still one very important matter
to be cleared up. It may be that your memory is at fault."
"Something important that I've overlooked?" Mrs. LaRauche asked,
thoughtfully.
"Quite so," I replied. "We have awaited breathlessly for your theory
regarding the passenger in the rocket—the man-ape."

(Ebook pdf) CISM Certified Information Security Manager All-in-One Exam Guide, 2nd Edition Peter H. Gregory - eBook PDF all chapter

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

(Ebook pdf) CISM Certified Information Security Manager All-in-One Exam Guide, 2nd Edition Peter H. Gregory - eBook PDF all chapter

Uploaded by

Copyright:

Available Formats

CISM Certified Information Security

Manager All-in-One Exam Guide, 2nd

CISM Certified Information Security Manager All-in-One

Ccsp Certified Cloud Security Professional All-In-One

CCSP Certified Cloud Security Professional All-in-One

CC Certified in Cybersecurity All-in-One Exam Guide 1st

Google Cloud Certified Associate Cloud Engineer All-in-

CDPSE Certified Data Privacy Solutions Engineer All-in-

CompTIA Security+ All-in-One Exam Guide (Exam SY0-501)

GPEN GIAC Certified Penetration Tester All-in-One Exam

New York Chicago San Francisco

eBook conversion by codeMantra

About the Technical Editor

Part I Inormation Security Governance

Part II Inormation Security Risk Management

Part III Inormation Security Risk Management

Part IV Incident Management

Part V Appendix and Glossary

Part I Inormation Security Governance

Part II Inormation Security Risk Management

Part III Inormation Security Risk Management

Part IV Incident Management

Index ........................................................ 577

Purpose of This Book

How to Use This Book

Information Security vs. Cybersecurity

Changes to the CISM Job Practice

• Control architecture, implementation, and operation

Register Pay Exam Pass

Figure 1 The CISM certiication lie cycle (Source: Peter Gregory)

NOTE Although it is not recommended, a CISM candidate can take the

Direct Work Experience

The Certification Exam

NOTE Pay close attention to inormation on ISACA’s web site regarding

Onsite Testing Center

Remote Proctored Testing

Domain CISM Job Practice Area Percentage of Exam

Preparing for the Exam

Before the Exam

If You Do Not Pass

Applying for CISM Certification

What Counts as a Valid CPE Credit?

Tracking and Submitting CPEs

Sample CPE Records

Published an article in XYZ Journal article 4/12/2023 4 Yes (article)

CPE Maintenance Fees

Living the CISM Lifestyle

Find a Local Chapter

Attend ISACA Events

Join the Online Community

Pay It Forward Through Mentorship

Continue to Grow Professionally

You might also like