Complete Guide to CISM Certification (Google eBook)

CRC Press, Dec 13, 2006 - Computers - 480 pages
The Certified Information Security Manager® (CISM®) certification program was developed by the Information Systems Audit and Control Association (ISACA®). It has been designed specifically for experienced information security managers and those who have information security management responsibilities. The Complete Guide to CISM® Certification examines five functional areas: security governance, risk management, information security program management, information security management, and response management.

Presenting definitions of roles and responsibilities throughout the organization, this practical guide identifies information security risks. It deals with the processes and technical solutions that implement the information security governance framework, focuses on the tasks the information security manager must perform to manage information security effectively within an organization, and describes the various techniques available to the information security manager. The book also covers steps and solutions for responding to an incident. At the end of each key area, a quiz is offered on the material just presented. Also included is a workbook with a thirty-question final exam.

Complete Guide to CISM® Certification describes the tasks performed by information security managers and contains the necessary knowledge to manage, design, and oversee an information security program. With definitions and practical examples, this text is ideal for information security managers, IT auditors, and network and system administrators.

Contents

Information Security Governance (p. 1)
  CISM Mapping (p. 2)
  Developing an Information Security Strategy in Support of Business Strategy and Direction (p. 4)
  Obtain Senior Management Commitment and Support (p. 12)
  Definitions of Roles and Responsibilities (p. 14)
  Obtaining Senior Management Commitment (p. 15)
  Change in Focus (p. 16)
  Responsibilities and Functional Roles (p. 17)
  Recommendation (p. 19)
  Mission Statement (p. 23)
  Legal and Regulatory Issues (p. 24)
  Establish and Maintain Information Security Policies (p. 32)
  Global Policy (Tier 1) (p. 33)
  Topic (p. 34)
  Responsibilities (p. 35)
  Thesis Statement (p. 36)
  Responsibilities (p. 37)
  Application-Specific Policy (Tier 3) (p. 38)
  Key Security Concepts (p. 39)
  Develop Business Case and Enterprise Value Analysis Support (p. 41)
  Summary (p. 45)

Information Security Risk Management (p. 53)
  CISM Mapping (p. 54)
  Develop a Systematic and Continuous Risk Management Process (p. 58)
  Ensure Risk Identification, Analysis, and Mitigation Activities Are Integrated into the Life Cycle Process (p. 60)
  Apply Risk Identification and Analysis Methods (p. 66)
  Asset Definition (p. 67)
  Threat Identification (p. 69)
  Determine Probability of Occurrence (p. 72)
  Controls Recommended (p. 74)
  Documentation (p. 75)
  Define Strategies and Prioritize Options to Mitigate Risks to Levels Acceptable to the Enterprise (p. 87)
  Threat Identification (p. 91)
  Threat Vulnerability (p. 93)
  Controls and Safeguards (p. 98)
  Cost-Benefit Analysis (p. 101)
  Documentation (p. 114)
  Quantitative Versus Qualitative Risk Assessment (p. 118)
  Report Significant Changes in Risk (p. 121)
  Knowledge Statements (p. 122)
  Recovery Time Objectives (p. 123)
  Summary (p. 125)
  Questions (p. 126)

Information Security Program Management (p. 133)
  Introduction (p. 134)
  Physical (p. 135)
  Network (p. 136)
  Transport (p. 138)
  Session (p. 139)
  The TCP/IP Model (p. 141)
  IP Addressing (p. 142)
  Protocols (p. 146)
  Internet Protocol (IP) Details (p. 147)
  Subnet Masks and Internet Protocol (IP) Classes (p. 148)
  Beyond Class C Networks (p. 149)
  IP Hosts (p. 150)
  Private Internet Protocol (IP) Networks (p. 152)
  The Internet Protocol (IP) Header (p. 153)
  Datagram Structure (p. 156)
  Transmission Control Protocol (TCP) (p. 159)
  Well-Known Ports (p. 160)
  Port Scanning (p. 163)
  The TCP Three-Way Handshake (p. 166)
  The SYN/ACK Packet (p. 168)
  After the Shaking (p. 169)
  User Datagram Protocol (UDP) (p. 170)
  UDP Error Messages (p. 172)
  ICMP Common Examples (p. 176)
  Risks and Vulnerabilities Associated with IP Protocols (p. 178)
  CIA Triad (p. 180)
  PPPN (p. 184)
  Platform (p. 185)
  Network (p. 186)
  Attacking Methodology (p. 187)
  Malicious Code (p. 189)
  Trojan Horses (p. 190)
  Distributed Denial-of-Service Attacks (p. 191)
  Attacks Against Access Control Systems (p. 193)
  Threats Summary (p. 194)
  Access Control (p. 195)
  Discretionary Access Control (p. 196)
  Lattice-Based Access Control (p. 197)
  Rule-Based Access Control (p. 198)
  Single Sign-On (p. 201)
  Access Control Methods (p. 202)
  Password Selection (p. 203)
  RADIUS (p. 204)
  The Role of RADIUS in 802.1x (p. 205)
  Access Control Zone of Control (p. 206)
  Caching (p. 214)
  Network Segmentation/Subdomain Isolation (p. 215)
  Subnetting for Isolation (p. 216)
  Routing for Isolation (p. 218)
  Types of Intrusions (p. 219)
  IDS Information Processing (p. 220)
  IDS Versus IPS (p. 222)
  Goals of Cryptography (p. 224)
  Cryptographic Definitions (p. 225)
  Kerckhoffs' Principle (p. 226)
  Private or Secret Key Cryptography (p. 227)
  The Advanced Encryption Standard (p. 230)
  Public Key Cryptography (p. 231)
  Stream Ciphers (p. 233)
  Block Ciphers (p. 235)
  Methods of Attack (p. 237)
  One-Way Functions (p. 238)
  Digital Signatures (p. 239)
  Classic Cryptographic Systems (p. 240)
  Transposition Ciphers (p. 241)
  Polyalphabetic Cipher (p. 242)
  Concealment (p. 243)
  Codes (p. 244)
  Secure Sockets Layer (SSL) (p. 245)
  Message Authentication Codes (p. 248)
  Certificate Authority (CA) (p. 249)
  Project Management for Information Security Managers (p. 250)
  Baselines (p. 251)
  Wireless (p. 252)
  How It Works (p. 253)
  The Alphabet Soup (p. 254)
  RC4 and the One-Time Pad (p. 255)
  WEP's Implementation of RC4 (p. 256)
  Key Management and Key Size (p. 257)
  Help, My IV Is Too Small (p. 258)
  RC4 (p. 259)
  Another Standard: 802.1x (p. 260)
  The 802.1x Function (p. 261)
  More on 802.1x (p. 263)
  802.1x Doesn't Work Alone (p. 266)
  Back to the Alphabet Soup One Last Time: 802.11i (p. 268)
  Buffer Overflows versus Application Security (p. 269)
  Virtual Private Networks (VPNs) (p. 270)
  Security Testing (p. 271)
  Vulnerability Assessment (p. 272)
  Penetration Testing (p. 273)
  What Was Covered in This Chapter (p. 274)
  Questions (p. 275)

Information Security Management (p. 293)
  CISM Mapping (p. 295)
  Information Systems Compliance (p. 297)
  Administrative Procedures (p. 298)
  Ensure Services Outsourced Are Consistent (p. 305)
  Measure, Monitor, and Report Effectiveness and Efficiency of the Controls and Compliance Policies (p. 307)
  Ensure That Information Security Is Not Compromised Throughout the Change Management Process (p. 309)
  Perform Vulnerability Assessments to Evaluate Effectiveness of Existing Controls (p. 311)
  Ensure That Noncompliance Issues and Other Variances Are Resolved in a Timely Manner (p. 318)
  Information Security Awareness and Education (p. 322)
  Key Security Requirements (p. 323)
  Believe in What You Are Doing (p. 324)
  Program Goals (p. 326)
  Segmenting the Audience (p. 328)
  Determine How Receptive the Audience Is (p. 329)
  Possible Allies (p. 330)
  Program Development (p. 331)
  Methods to Convey the Message (p. 332)
  Presentation Keys (p. 334)
  Presentation Format (p. 336)
  When to Do Awareness (p. 338)
  Presentation Styles (p. 339)
  Managers (p. 340)
  Summary (p. 341)
  Questions (p. 342)

Response Management (p. 351)
  Introduction (p. 352)
  The Role of Intrusion Detection and Anti-Virus Systems (p. 354)
  Business Continuity Planning and Disaster Recovery Planning (p. 355)
  The Planning (p. 356)
  BCP Resources (p. 358)
  BCP Responsibilities (p. 360)
  Business Recovery Plan (BRP), also Business Resumption Plan (p. 361)
  Continuity of Operations Plan (COOP) (p. 362)
  Cyber Incident Response Plan (p. 363)
  Performing a BIA (p. 365)
  Business Impact Analysis Results (p. 368)
  Finding Resources and Dependencies (p. 369)
  Alternate Sites (p. 370)
  Cold Sites (p. 372)
  Mirrored Sites (p. 373)
  Implementation and Writing (p. 374)
  Testing the Plan (p. 375)
  Improve the Plan (p. 376)
  Updating the Plan (p. 377)
  Incident Response (p. 379)
  Discovery (p. 380)
  Preliminary Investigation (p. 382)
  Disclosure (p. 383)
  Electronic Surveillance (p. 384)
  Running the Investigation (p. 386)
  Factors of Investigation (p. 387)
  Most Likely Suspects: Insiders, Outsiders, and Collaboration (p. 388)
  Suspects/Witnesses Interview (p. 389)
  Freezing the Environment (p. 390)
  Post-Incident Access (p. 391)
  Forensic Processes (p. 393)
  Inventory Internal Devices (p. 395)
  Forensic Processing/Imaging (p. 396)
  Live System Variation (p. 400)
  Forensic Processing/Imaging (p. 401)
  Forensic Reporting (p. 403)
  Exclusionary Rule (p. 404)
  Incident Response Training (p. 405)
  Difficulties with Following the Plan (p. 406)
  Containment (p. 407)
  Government Facilities to Assist in Planning for a Disaster (p. 408)
  Summary (p. 409)
  Questions (p. 410)

Index (p. 429)
Copyright
