Isaca Cism Courseware

ISACA
CISM Certification
Certified Information Security
Manager Courseware
Version 4.0
CISM
Firebrand Accelerated
Training
1
4/17/2015
2015 CISM Review Course
Introduction
2
4/17/2015
Agenda
This introduction will address:
The CISM Certification
Course format
Examination format
Introduction of Attendees
To set the scene Recent Incidents
4
4/17/2015
This is NOT a Death-By-PowerPoint

Seminar
5
4/17/2015
But it IS a Seminar
6
4/17/2015
CISM
Certified Information Security Manager
Designed for personnel that have (or want to
have) responsibility for managing an
Information Security program
Tough but very good quality examination
Requires understanding of the concepts
behind a security program not just the
definitions
7
4/17/2015
CISM Exam Review Course Overview

The CISM Exam is based on the CISM job
practice.
The ISACA CISM Certification Committee
oversees the development of the exam and
ensures the currency of its content.
There are four content areas that the CISM
candidate is expected to know.
8
4/17/2015
CISM Qualifications
To earn the CISM designation, information
security professionals are required to:
Successfully pass the CISM exam
Adhere to the ISACA Code of Professional
Ethics
Agree to comply with the CISM continuing
education policy
Submit verified evidence of five (5) years of
work experience in the field of information
security.
9
4/17/2015
Daily Format
Lecture and Sample questions
Domain structure
Learning Objectives
Content
Sample Questions
Please note that the information in every
domain overlaps with the information in other
domains during the course we will introduce
topics that are expanded upon in latter domains
10
4/17/2015
Domain Structure
Information Security
Governance
Reports To
Mandates
Information
Risk
Management and Compliance Influences
Deploys
Information Security Program
Development and Management
Requires
Incident
Management
11
4/17/2015
Course Structure
Start Time
Breaks
Meals
End of Day
End of class on last day
12
4/17/2015
Logistics
Fire Escapes
Assembly point
Mobile phones / pagers
13
4/17/2015
The Examination
14
4/17/2015
Description of the Exam

The exam consists of 200 multiple choice
questions that cover the CISM job practice
areas.
Four hours are allotted for completing the
exam
See the Candidates Guide to the CISM Exam
and Certification
15
4/17/2015
Examination Job Content Areas

The exam items are based on the content in 4
information security areas
Information Security Governance 24%
Information Risk Management and Compliance
33%
Information Security Program Development
and Management 25%
Information Security Incident Management
18%
16
4/17/2015
Examination Job Content Areas

Information
Security
Incident
Management,
18%
Information
Security
Program
Development
and
Management,
25%
Information
Security
Governance,
24%
Information
Risk
Management
and
Compliance,
33%
17
4/17/2015
2015 Exam Dates

The exam will be administered three times in
2015
The 1st exam date is June 13
April 21 is deadline for registration
The 2nd exam date is Sept 12
The 3rd exam date is Dec 12
Many examination locations worldwide
Register at www.isaca.org
18
4/17/2015
Examination Day
Be on time!!
The doors are locked when the instructions
start approximately 30 minutes before
examination start time.
Bring the admission ticket (sent out prior to
the examination from ISACA) and an
acceptable form of original photo
identification (passport, photo id or drivers
license).
19
4/17/2015
Completing the Examination Items

Bring several #2 pencils and an eraser
Read each question carefully
Read ALL answers prior to selecting the
BEST answer
Mark the appropriate answer on the test
answer sheet.
When correcting an answer be sure to
thoroughly erase the wrong answer before
filling in a new one.
There is no penalty for guessing. Answer
every question.
20
4/17/2015
Grading the Exam

Candidate scores are reported as a scaled
score based on the conversion of a
candidates raw score on an exam to a
common scale.
ISACA uses and reports scores on a common

scale from 200 to 800. A candidate must
receive a score of 450 or higher to pass.
Exam results will be mailed (and emailed) out
approximately 8 weeks after the exam date.
Good Luck!
21
4/17/2015
10
Introduction of Classmates
22
4/17/2015
HIGHLY
HIGHLY TECHNICAL
TECHNICALATTACKS
ATTACKS
23
4/17/2015
11
Stuxnet
Part of Operation Olympic Games, a 2006 operation designed
to disrupt Irans nuclear programme
General James E Cartwright, head of CyberOps inside the US
Strategic Command developed the Stuxnet plan
Stage 1: Plant code that extracts maps of the air-gapped
networks supporting nuclear labs & reprocessing plants in Iran
Stage 2: Payload development by NSAs Foreign Affairs
Directorate & IDFs Intelligence Corps Unit 8200
Code named: The Bug
Stage 3: Test against P-1 centrifuges
Stage 4: Plant the worm in Natanz via spies, and tricked
insiders ( engineers to maintenance workers anyone with
physical access to the plant). This was in 2008
The Op was successful
ICS were infected & high-speed centrifuges were infected
Iranians blamed themselves or suppliers for observed problems
24
4/17/2015
Stuxnet
20x more complex than any piece of previous malware
Array of capabilities
Increase pressure inside nuclear reactors while telling
system operators everything was normal
Does not carry a forged security clearance (used by
malware to escalate privilege). It had a real clearance,
stolen from one of the most Globally-reputable
technology companies
Exploited 20 zero-day vulnerabilities
Target specific. It remained dormant until target was
sighted. Target was the P-1 centrifuges. May have shut
down 1000 centrifuges in Natanz,
Iran has responded to the attack with an open call to
hackers to join the Iranian Revolutionary Guard. It now
has the 2nd largest online army
25
4/17/2015
12
GhostNet
GhostNet
represents
a
network
of
compromised computers resident in highvalue political, economic, and media
locations spread across numerous countries
worldwide
26
4/17/2015
GhostNet
Infected 986 machines across 93 countries
27
4/17/2015
13
GhostNet
Malware retrieving a sensitive document
This screen capture of the Wireshark network analysis tool shows an infected
computer at the Office of the Dalai Lama uploading a sensitive document to one
of the CGI networks control servers.
28
4/17/2015
GhostNet
The gh0st RAT interface:
29
4/17/2015
14
GhostNet
gh0st RAT demonstration
https://www.youtube.com/watch?v=6p7FqSav6
Ho
30
4/17/2015
Technical Social Engineering

The purpose of social engineering is to
transparently install malicious software or to
trick you into handing over sensitive
information.
Technical Social Engineering is a chained

exploit. Human nature and software
vulnerabilities are both exploited.
31
4/17/2015
15
Technical Social Engineering
32
4/17/2015
Operation Aurora
Targeted 34 companies in the financial,
technology & defense sectors
Never before seen level of sophistication outside
the defense industry. Prior to this, commercial
attacks were SQL-injection or wireless breach
based
Highly sophisticated & coordinated hack attack
against Googles corporate network
Targeted & stole IP (source code repositories)
Accessed Gmail accounts of human rights
activists
33
4/17/2015
16
Operation Aurora
Used several pieces of malware, levels of encryption, stealth
programming & zero-day exploits in IE, Word, Excel & Adobe
PDFs
Attack was obfuscated & avoided common detection methods
Tailored to target a small number of corporate users
sending a malicious document attached to an email or

sending a spoofed email message with a link to a malicious website
Infected machines will typically have the following components installed:
%System%\[RANDOM].dll: main file. Runs as a service and has back door capabilities
%System%\acelpvc.dll: Streams live desktop feed to the attacker
%System%\VedioDriver.dll: Helper dll for acelpvc.dll
34
4/17/2015
Operation Aurora
Siphoned off live feed and/or data to C & C
servers in Illinois, Texas & Taiwan
One C&C server was hosted by RackSpace
Designed to occur during a holiday season
when co. SOC & IRTs would be thinly staffed
35
4/17/2015
17
Operation Aurora Tojan.Hydraq

Infects Win2K, Win7, Win2003, Win2008,
Vista, XP
Creates 2 files
Creates a service RASxxxx
Registers service by creating a registry

subkey
Modifies this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Current
Version\SvcHost\netsvcs
4/17/2015
Opens a backdoor allowing a remote

attacker to do a number of things
36
Operation Aurora Google Case Study

Initial attack occurred when company executives visited a
malicious site
Via clicked URL sent by

email/IM or
Via social networking sites
Drive-by Download
IE exploited via zero-day

exploit
Multiple pieces of
malware downloaded
into device
Automatically &
Transparently
37
4/17/2015
18
Operation Aurora Google Case Study

Shell code 3X encrypted
Downloaded encrypted
binary code in 2
encrypted .exes from
external node
Opened backdoor
Beachead
into other parts
of the corporate
network
4/17/2015
Established
encrypted covert
channel
masquerading as SSL
connection
38
ICEFOG Advanced Persistent Threat

A threat actor
Emerging trend of cyber-mercenary teams of 10s to
100s available for hire to perform surgical hit-andrun ops
Going after the supply chain & compromising target
with surgical precision
Relies on spear phishing emails that attempt to trick
a victim into opening a malicious attachment or
visiting a malicious website
Victims were Japanese & South Korean targets.
From China with love
39
4/17/2015
19
End of Introduction
40
4/17/2015
20
ISACA
Trust in, and value from,
information systems
1
4/17/2015
Chapter 1
Governance
2
4/17/2015
Course Agenda
Priorities for the CISM
Corporate Governance
Information Security Strategy
Elements of a Security Program
Roles and Responsibilities
Evaluating a Security Program
Reporting and Compliance
Ethics
3
4/17/2015
Examination Content
The CISM Candidate understands:

Effective security governance framework
Building and deploying a security strategy
aligned with organizational goals
Manage risk appropriately
Responsible management of program
resources
The content area in this chapter will
represent approximately 24% of
the CISM examination
(approximately 48 questions).
4
4/17/2015
Chapter 1 Learning Objectives

Align the organizations Information security strategy with
business goals and objectives
Obtain Senior Management commitment
Provide support for:
Governance
Business cases to justify security
Compliance with legal and regulatory mandates
Organizational priorities and strategy
Identify drivers affecting the organization
Define roles and responsibilities
Establish metrics to report on effectiveness of the security
strategy
5
4/17/2015
The Priorities for the CISM

Candidate in Chapter One
6
4/17/2015
CISM Priorities
The CISM must understand:
Requirements for effective information
security governance
Elements and actions required to:

Develop an information security strategy
Plan of action to implement it
7
4/17/2015
The First Question

In your own words, please describe what
information Security is, what is the purpose
or value of information security in relation to
the business
8
4/17/2015
Information is indispensable to conduct
business effectively today
Information must be:
Available
Have Integrity of data and process
Be kept Confidential as needed
Protection of information is a responsibility
of the Board of Directors
9
4/17/2015
Information Protection includes:
Accountability
Oversight
Prioritization
Risk Management
Compliance (Regulations and Legislation)
10
4/17/2015
Information Security Governance Overview

Information security is much more than just IT
security (more than technology)
Information must be protected at all levels of the
organization and in all forms
Information security is a responsibility of
everyone
In all forms paper, fax, audio, video,
microfiche, networks, storage media, computer
systems
11
4/17/2015
Selling the Importance of Information Security

Benefits of effective information security
governance include:
Improved trust in customer relationships
Protecting the organizations reputation

Better accountability for safeguarding
information during critical business activities
Reduction in loss through better incident
handling and disaster recovery
12
4/17/2015
The First Priority for the CISM

Remember that Information Security is a
business-driven activity.
Security is here to support the interests and
needs of the organization not just the
desires of security
Security is always a balance between cost
and benefit; security and productivity
13
4/17/2015
Corporate Governance
14
4/17/2015
Business Goals and Objectives

Corporate governance is the set of
responsibilities and practices exercised by
the board and executive management
Goals include:
Providing strategic direction
Reaching security and business objectives
Ensure that risks are managed appropriately
Verify that the enterprises resources are used
responsibly
15
4/17/2015
Outcomes of Information Security Governance

The six basic outcomes of effective security
governance:
Strategic alignment
Risk management
Value delivery
Resource management
Performance measurement
Integration
16
4/17/2015
Benefits of Information Security Governance

Effective information security governance can offer
many benefits to an organization, including:
Compliance and protection from litigation or penalties
Cost savings through better risk management
Avoid risk of lost opportunities
Better oversight of systems and business operations
Opportunity to leverage new technologies to business
advantage
17
4/17/2015
Performance and Governance

Governance is only possible when metrics are
in place to:
Measuring
Monitoring
Reporting
On whether critical organizational objectives
are achieved
Enterprise-wide measurements should be
developed
18
4/17/2015
Strategy
19
4/17/2015
Developing Information Security Strategy
Information Security Strategy

Long term perspective
Standard across the organization

Aligned with business strategy / direction
Understands the culture of the organization
Reflects business priorities
20
4/17/2015
10
Elements of a Strategy
A security strategy needs to include:
Resources needed
Constraints
A road map
Includes people, processes, technologies and

other resources
A security architecture: defining business
drivers, resource relationships and process flows
Achieving the desired state is a long-term

goal of a series of projects
21
4/17/2015
Objectives of Security Strategy

The objectives of an information security
strategy must
Be defined
Be supported by metrics (measureable)
Provide guidance
22
4/17/2015
11
The Goal of Information Security

The goal of information security is to
protect the organizations assets,
individuals and mission
This requires:
Asset identification
Classification of data and systems
according to criticality and sensitivity
Application of appropriate controls
*Information is an asset only to the degree it supports the primary

purpose of the business
23
4/17/2015
Defining Security Objectives

The information security strategy forms the
basis for the plan(s) of action required to
achieve security objectives
The long-term objectives describe the
desired state
Should describe a well-articulated vision of
the desired outcomes for a security program
Security strategy objectives should be stated
in terms of specific goals directly aimed at
supporting business activities
24
4/17/2015
12
Business Linkages
Business linkages
Start with understanding the specific
objectives of a particular line of business
Take into consideration all information flows
and processes that are critical to ensuring
continued operations
Enable security to be aligned with and
support business at strategic, tactical and
operational levels
25
4/17/2015
Business Case Development

The Business case for initiating a project
must be captured and communicated:
Dependencies
Reference
Context
Project metrics
Value Proposition
Workload
Focus
Required resources
Deliverables
Commitments
The Business case for Security must address

the same criteria
26
4/17/2015
13
The Information Security

Program
27
4/17/2015
Question:
What steps/elements are
necessary to develop an
effective security program?
28
4/17/2015
14
Security Program Priorities

Achieve high standards of corporate
governance
Treat information security as a critical
business issue
Create a security positive environment
Have declared responsibilities
29
4/17/2015
Security versus Business

Security must be aligned with business needs
and direction
Security is woven into the business functions
Provides
Strength
Resilience
Protection
Stability
Consistency
30
4/17/2015
15
Security Program Objectives

Ensure the availability of systems and data
Allow access to the correct people in a
timely manner
Protect the integrity of data and business
processes
Ensure no improper modifications
Protect confidentiality of information
Unauthorized disclosure of information
Privacy, trade secrets,
31
4/17/2015
What is Security
A structured deployment of risk-based
controls related to:
People
Processes
Technology
32
4/17/2015
16
Security Integration
Security needs to be integrated INTO the
business processes
The goal is to reduce security gaps through
organizational-wide security programs
Integrate IT with:
Physical security
Risk Management
Privacy and Compliance
Business Continuity Management
33
4/17/2015
Security Program
Starts with theory and concepts
Policy
Interpreted through:
Procedures
Baselines
Standards
Measured through audit
34
4/17/2015
17
Architecture
Information security architecture is similar physical
architecture
Requirements definition
Design / Modeling
Creation of detailed blueprints
Development, deployment
Architecture is planning and design to meet the

needs of the stakeholders
Security architecture is one of the greatest needs for
most organizations
35
4/17/2015
Information Security Frameworks

Framework
Template
Structure
Measurable / Auditable
Project Planning and Management
Strategic, Tactical and Operational
viewpoints
36
4/17/2015
18
Using an Information Security Framework

Effective information security is provided
through adoption of a security framework
Defines information security objectives
Aligns with business objectives
Provides metrics to measure compliance and
trends
Standardizes baseline security activities
enterprise-wide
37
4/17/2015
The Desired State of Security

The desired state of security must be
defined in terms of attributes,
characteristics and outcomes
It should be clear to all stakeholders what
the intended security state is
38
4/17/2015
19
The Desired State cont.

The desired state according to COBIT (Control
Objectives for Information and related
Technology)
Protecting the interests of those relying on
information, and the processes, systems and
communications that handle, store and deliver the
information, from harm resulting from failures of
availability, confidentiality and integrity
Focuses on IT-related processes from IT
governance, management and control perspectives
39
4/17/2015
The Maturity of the Security Program Using CMM

0: NonexistentNo recognition by organization of need
for security
1: Ad hocRisks are considered on an ad hoc basisno
formal processes
2: Repeatable but intuitiveEmerging understanding of
risk and need for security
3: Defined processCompanywide risk management
policy/security awareness
4: Managed and measurableRisk assessment standard
procedure, roles and responsibilities assigned, policies
and standards in place
5: OptimizedOrganization-wide processes
implemented, monitored and managed
40
4/17/2015
20
Using the Balanced Scorecard

The Four Perspectives of the Balanced Scorecard
Financial
Vision and
Strategy
Customer
Internal
Business
Processes
Learning and
Growth
41
4/17/2015
The ISO27001:2013 Framework

The goal of ISO27001:2013 is to:
Establish
Implement
Maintain, and
Continually improve
An information security management system
Contains:
14 Clauses, 35 Controls Objectives and 114
controls
42
4/17/2015
21
Examples of Other Security Frameworks

SABSA (Sherwood Applied Business Security
Architecture)
COBIT
COSO
Business Model for Information Security
Model originated at the Institute for Critical
Information Infrastructure Protection
43
4/17/2015
Examples of Other Security Frameworks

ISO standards on quality (ISO 9001:2000)
Six Sigma
Publications from NIST and ISF
US Federal Information Security
Management Act (FISMA)
44
4/17/2015
22
Constraints and Considerations for a Security

Program
Constraints
LegalLaws and regulatory requirements
PhysicalCapacity, space, environmental
constraints
EthicsAppropriate, reasonable and customary
CultureBoth inside and outside the
organization
CostsTime, money
PersonnelResistance to change, resentment
against new constraints
45
4/17/2015
Constraints and Considerations for a

Security Program cont.
Constraints
Organizational structureHow decisions are
made and by whom, turf protection
ResourcesCapital, technology, people
CapabilitiesKnowledge, training, skills,
expertise
TimeWindow of opportunity, mandated
compliance
Risk toleranceThreats, vulnerabilities, impacts
46
4/17/2015
23
47
4/17/2015
Elements of Risk and Security

The next few slides list many factors that go
into a Security program.
48
4/17/2015
24
Risk Management
The basis for most security programs is Risk
Management:
Risk identification
Risk Mitigation
Ongoing Risk Monitoring and evaluation

The CISM must remember that risk is
measured according to potential impact on
the ability of the business to meet its mission
not just on the impact on IT.
49
4/17/2015
Information Security Concepts

Access
Architecture
Attacks
Auditability
Authentication
Authorization
Availability
Business
dependency
analysis
Business impact
analysis
Confidentiality
Countermeasures
Criticality
Data classification
Exposures
Gap analysis
Governance
50
4/17/2015
25
Information Security Concepts cont.

Identification
Sensitivity
Impact
Standards
Integrity
Strategy
Layered security
Threats
Management
Vulnerabilities
Nonrepudiation
Enterprise
architecture
Risk / Residual risk
Security domains
Security metrics
Trust models
51
4/17/2015
Security Program Elements

Policies
Standards
Procedures
Guidelines
Controlsphysical,
technical,
procedural
Technologies
Personnel security
Organizational
structure
Skills
52
4/17/2015
26
Security Program Elements cont.

Training
Awareness and
education
Compliance
enforcement
Outsourced security
providers
Other organizational
support and assurance
providers
Facilities
Environmental security
53
4/17/2015
Third Party Agreements

Ensure that security requirements are
addressed in all third party agreements
Service Level Agreements
Jurisdiction in case of dispute
Right to audit or obtain independent
verification of compliance
54
4/17/2015
27
55
4/17/2015
Roles and Responsibilities of Senior

Management
Board of directors
Information security governance / Accountability
Executive management
Implementing effective security governance and
defining the strategic security objectives
Budget and Support
Steering committee
Ensuring that all stakeholders impacted by security
considerations are involved
Oversight and monitoring of security program
56
4/17/2015
28
Senior Management Commitment

To be successful, information security must
have the support of senior management
Budget
Direction/ Policy
Reporting and Monitoring
A bottom-up management approach to
information security activities is much less
likely to be successful
57
4/17/2015
How can we obtain continued

Senior Management support for
the security program?
58
4/17/2015
29
Steering Committee
Oversight of Information Security Program
Acts as Liaison between Management,
Business, Information Technology, and
Ensures all stakeholder interests are

addressed
Oversees compliance activities
59
4/17/2015
CISO Chief Information Security Officer

Responsibilities
Responsible for Information securityrelated activity
Policy
Investigation
Testing
Compliance
60
4/17/2015
30
Business Manager Responsibilities

Responsible for security enforcement and
direction in their area
Day to day monitoring
Reporting
Disciplinary actions
Compliance
61
4/17/2015
IT Staff Responsibilities
Responsible for security design, deployment
and maintenance
System and Network monitoring
Reporting
Operations of security controls
Compliance
62
4/17/2015
31
Centralized versus Decentralized

Security
Which is better?
Consistency versus flexibility
Central control versus Local ownership
Procedural versus responsive
Core skills versus distributed skills
Visibility to senior management versus
visibility to users and local business units
63
4/17/2015
Evaluating the Security Program
64
4/17/2015
32
Audit and Assurance of Security

Objective review of security risk, controls
and compliance
Assurance regarding the effectiveness of
security is a part of regular organizational
reporting and monitoring
65
4/17/2015

Metrics are used to measure results
Measure security concepts that are
important to the business
Use metrics that can be used for each
reporting period
Compare results and detect trends
66
4/17/2015
33
Effective Security Metrics

Set metrics that will indicate the health of
the security program
Incident management
Degree of alignment between security and
business development
Was security consulted
Were controls designed in the systems or
added later
67
4/17/2015
Effective Security Metrics cont.

Choose metrics that can be controlled
Measure items that can be influenced or
managed by local managers / security
Not external factors such as number of

viruses released in the past year
Have clear reporting guidelines
Monitor on a regular scheduled basis
68
4/17/2015
34
Key Performance Indicators (KPIs)

Thresholds to measure
Compliance / non-compliance
Pass / fail
Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action
should / must be taken
Alarm point
69
4/17/2015
End to End Security

Security must be enabled across the
organization not just on a system by system
basis
Performance measures should ensure that
security systems are integrated with each
other
Layered defenses
70
4/17/2015
35
Correlation Tools
The CISM may use Security Event and Incident
Management (SEIM, SIM, SEM) tools to
aggregate data from across the organization
Data analysis
Trend detection
Reporting tools
71
4/17/2015
Reporting and Compliance
72
4/17/2015
36
Regulations and Standards

The CISM must be aware of National
Laws
Privacy
Regulations
Reporting, Performance
Industry standards
Payment Card Industry (PCI)
BASEL II
73
4/17/2015
Effect of Regulations
Requirements for business operations
Potential impact of breach
Cost
Reputation
Scheduled reporting requirements
Frequency
Format
74
4/17/2015
37
Reporting and Analysis
Data gathering at source

Accuracy
Identification
Reports signed by Organizational Officer
75
4/17/2015
Ethics
76
4/17/2015
38
Ethical Standards
Rules of behaviour
Legal
Corporate
Industry
Personal
77
4/17/2015
Ethical Responsibility
Responsibility to all stakeholders
Customers
Suppliers
Management
Owners
Employees
Community
78
4/17/2015
39
ISACA Code of Ethics cont.

Required for all certification holders
Support the implementation of, and
encourage compliance with, appropriate
standards, procedures and controls for
information systems.
Perform their duties with objectivity, due
diligence and professional care, in
accordance with professional standards and
best practices.
79
4/17/2015

Serve in the interest of stakeholders in a
lawful and honest manner, while maintaining
high standards of conduct and character, and
not engage in acts discreditable to the
profession.
Maintain the privacy and confidentiality of
information obtained in the course of their
duties unless disclosure is required by legal
authority. Such information shall not be used
for personal benefit or released to
inappropriate parties.
80
4/17/2015
40

Maintain competency in their respective
fields and agree to undertake only those
activities, which they can reasonably expect
to complete with professional competence.
Inform appropriate parties of the results of
work performed; revealing all significant
facts known to them.
Support the professional education of
stakeholders in enhancing their understanding
of information systems security and control.
81
4/17/2015
Practice Question
1.
The PRIMARY purpose of a security

strategy is to provide:
A. The basis for determining the security
architecture for the organization.
B. The intent and direction of management.
C. Guidance for users on how to comply with
security requirements.
D. Standards to measure compliance.
82
4/17/2015
41
Practice Question
2. The BEST method of improving security
compliance is:
A. To make it easier for employees to follow
security rules.
B. To have comprehensive organization-wide
security policies.
C. To have an active security awareness program.
D. To inform all staff about legal regulations and
legislation..
83
4/17/2015
Practice Question
3. The MOST important task of the CRISC
regarding compliance with regulations is to:
A. Develop the policies and standards to be followed
by the organization.
B. Ensure that accurate and complete data is used in
reporting procedures
C. Provide guidance to business units on the legal
requirements for compliance.
D. Approve all reports prior to submission to outside
agencies
84
4/17/2015
42
Practice Question
4. The MOST important consideration in the
development of security policies is that:
A. The policies reflect the intent of Senior
Management.
B. The policies are legal.
C. All employees agree with the policies.
D. That the correct procedures are developed to
support the requirements of policy.
85
4/17/2015
End of Domain
86
4/17/2015
43
17/04/2015
ISACA
information systems
1
4/17/2015
Chapter 2
Information Risk
Management and
Compliance
2
4/17/2015
17/04/2015
Course Agenda
4/17/2015
Information Asset
Classification
Identify regulatory, legal
and other requirements
Identify risk, threats and
vulnerabilities
Risk treatment
Evaluate security controls
Integrate risk management
into business processes
Report non-compliance
and other changes in risk
Exam Relevance
Ensure that the CISM candidate
Manages information risk to an acceptable
level to meet the business and compliance
requirements of the organization
4
4/17/2015
17/04/2015
Chapter 2 Task Statements

Establish an information asset classification
and ownership process
Ensure risk, threat and vulnerability
assessments are conducted periodically
Evaluate security controls
Identify gaps between current and desired
state
5
4/17/2015
Chapter 2 Task Statements cont.

Integrate risk, threat and vulnerability
identification and management into the
organization
Monitor existing risk to ensure changes are
identified and managed appropriately
Report information risk management levels to
management.
6
4/17/2015
17/04/2015
Information Asset
Classification
7
4/17/2015
Information Asset Classification

Need to know what information to protect
Need to know who is responsible to
protect it
Ownership
Roles and responsibilities
8
4/17/2015
17/04/2015

Information protection requires clear
assignment of responsibilities
Information owner
Information System owner
Board of Directors / Chief Executive Officer

Users
Information Custodians
Third Party Suppliers
9
4/17/2015

Information security risk management is an
integral part of security governance
Is the responsibility of the board of directors
or the equivalent to ensure that these
efforts are visible
Management must be involved in and sign off
on acceptable risk levels and risk
management objectives
10
4/17/2015
17/04/2015
Information Classification Considerations

Business Impact and reliance of business on
information and information system
Understand business objectives
Availability of data / systems

Sensitivity of data / systems
11
4/17/2015
Regulations and Legislation

Information asset protection may be required
by legislation
Privacy
Consumer data
Employee data
Financial accuracy
SOX-type laws
12
4/17/2015
17/04/2015
Asset Valuation
Information Asset valuation may be based on:
Financial considerations
Liability for lost data
Cost to create or restore data
Impact on business mission
Reputation
Customer or supplier confidence
13
4/17/2015
Valuation Process
Determine ownership
Determine number of
classification levels
Develop labeling
scheme
Identify all information
types and locations
De-classify when data
no longer needs
protection
14
4/17/2015
17/04/2015
Information Protection
Ensure that data is protected consistently
across all systems
Protect data in all forms paper, electronic,
optical, fax,
Protect data at all times:
Storage
Transmission
Processing
Destruction
15
4/17/2015
Information Asset Protection

Policies
Communicated
Enforced
Clean desk / Clear screen

Need to know Least privilege
Procedures
Labeling
Destruction
16
4/17/2015
17/04/2015
Risk Management
17
4/17/2015
Definition of Risk
Risk is a function of the likelihood of a
threat-source exercising a vulnerability and
the resulting impact of that adverse event on
the mission of the organization.
Asset
Threat
Vulnerability
Likelihood (probability)
Impact (consequence)
18
4/17/2015
17/04/2015
Why is Risk Important

Risk management is a fundamental
function of Information Security
Provides rationale and justification for
virtually all information security activities
Prioritization of Risk allows the development
of a security roadmap
19
4/17/2015
Risk Management Definition

What is risk management?
The systematic application of management
policies, procedures and practices to the
tasks of:
Identifying
Analyzing
Evaluating
Treating
Monitoring,
Risk related to information and information
systems
20
4/17/2015
10
17/04/2015
Risk Management Objective

The objective of risk management is to
identify, quantify and manage
information security risk.
Reduce risk to an acceptable level
through the application of risk-based,
cost-effective controls.
21
4/17/2015
Risk Management Overview

Risk is the probability of occurrence of an
event or transaction causing financial loss
or damage to
Organization
Staff
Assets
Quantitative and
Qualitative Measures
Reputation
22
4/17/2015
11
17/04/2015
Risk Management Overview

Risk management is the process of
ensuring that the impact of threats
exploiting vulnerabilities is within
acceptable limits at an acceptable cost
At a high level, this is accomplished by

Balancing risk against mitigation costs
Implementing appropriate countermeasures
and controls
23
4/17/2015
Defining the Risk Environment

The most critical prerequisite to a successful risk
management program is understanding the
organization including:
Key business drivers
The organizations SWOT (strengths, weaknesses,
opportunities and threats)
Internal and external stakeholders
Organizational structure and culture
Assets (resources, information, customers,
equipment)
Goals and objectives, and the strategies already in
place to achieve them
24
4/17/2015
12
17/04/2015
Threats to Information and Information

Systems
Threats to information and information
systems are related to:
Availability
Confidentiality
Integrity
Non-repudiation
25
4/17/2015
Threat Analysis
Intentional versus Unintentional attacks
Natural
Man-made
Utility / Equipment
Threats affected by
The skill and motivation of the attacker
The existence of attack tools
26
4/17/2015
13
17/04/2015
Aggregate Risk
Aggregate risk must be considered
Aggregate risk is where a several smaller
risk factors combine to create a larger risk
(the perfect storm scenario)
27
4/17/2015
Cascading Risk
Cascading risks are the effect of one incident
leading to a chain of adverse events (domino
effect)
28
4/17/2015
14
17/04/2015
Identification of Vulnerabilities
Weaknesses in security controls
Patches not applied
Non-hardened systems
Inappropriate access levels
Unencrypted sensitive data
Software bugs or coding issues (buffer
overflow)
Physical security
29
4/17/2015
The Effect of Risk

An exploit of a vulnerability by a threat may
lead to an exposure.
An exposure is measured by the impact it has
on the organization or the ability of the
organization to meet its mission.
30
4/17/2015
15
17/04/2015
Impact
Examples of direct and indirect financial losses:
Direct loss of money (cash or credit)
Criminal or civil liability
Loss of reputation/goodwill/image
Reduction of share value
Conflict of interests to staff or customers or
shareholders
31
4/17/2015
Impact cont.
Examples of direct and indirect financial losses:
Breach of confidence/privacy
Loss of business opportunity/competition
Loss of market share
Reduction in operational efficiency/performance
Interruption of business activity
Noncompliance with laws and regulations resulting in
penalties
32
4/17/2015
16
17/04/2015
Risk Management Process

Risk
Identification
(Assessment
and Analysis)
Risk
Treatment
(Control
Selection)
Evaluation
and
Assessment
33
4/17/2015
Risk Assessment Methodology

Quantitative
Determine the impact of a single event
Single Loss Expectancy
SLE = Asset Value x Exposure Factor

Calculate frequency of events
Annualized rate of occurrence (ARO)
ARO = Incidents per year
34
4/17/2015
17
17/04/2015
Annualized Loss Expectancy (ALE)

ALE is the calculated cost of risk per year
from a single event
ALE = SLE x ARO
Used to justify expense of implementing
controls to reduce risk levels
Cost of controls should not be greater than
benefit realized by implementing the control
35
4/17/2015
Qualitative Risk Assessment

Determine risk levels through scenario-based
analysis
Rank risk levels according to frequency and
impact (Low (1), Moderate (2), High (3))
Likelihood
Impact
Low
Moderate
High
High
Moderate
Low
3
36
4/17/2015
18
17/04/2015
Data Gathering Techniques

Surveys / Questionnaires
Observation
Workshops
Delphi techniques
37
4/17/2015
Results of Risk Assessment

Documentation of risk levels
Risk register
Determination of threat and vulnerability
levels
Forecast of impact and frequency of events
Recommendations for risk mitigation
Controls, safeguards, countermeasures
38
4/17/2015
19
17/04/2015
Alignment of Risk Assessment and BIA

Risk Assessment measures Impact and
Likelihood
Business Impact Analysis measures Impact
over Time
Related disciplines but not the same

BIA must be done periodically to determine
how risk and impact levels increase over time
Set priorities for critical business functions
39
4/17/2015
Risk Treatment
40
4/17/2015
20
17/04/2015
Risk Treatment
Risk Treatment takes the recommendations
from the risk assessment process and selects
the best choice for managing risk at an
acceptable level
Residual Risk
Risk Acceptance
Cost / Benefit
Priorities
Balance between security and business
41
4/17/2015
Risk Treatment
Risk Treatment Options
Reduction / mitigation implement changes
Enhance managerial, technical, physical
and operational controls
Acceptance
Transference
Avoidance
42
4/17/2015
21
17/04/2015
Risk Mitigation and Controls

Controls (safeguards / countermeasures) are
implemented in order to reduce a specified
risk
Existing controls and countermeasures can
be evaluated
New controls and countermeasures can be
designed
43
4/17/2015
Control Recommendations
Factors to be considered when recommending
new or enhanced controls are:
Cost-benefit analysis
Anticipated effectiveness
Compatibility with other controls, systems, and
processes
Legislation and regulation
Organizational policy, standards, and culture
Impact of control on business processes
Control reliability
44
4/17/2015
22
17/04/2015
Cost Benefit Analysis of Controls

Cost-benefit analysis must consider the cost of
the control throughout the full life cycle of the
control or countermeasure including:
Acquisition / purchase costs
Deployment and implementation costs

Recurring maintenance costs
Testing and assessment costs
45
4/17/2015
Cost Benefit Analysis of Controls cont.

Cost benefit analysis includes costs of:
Compliance monitoring and enforcement
Inconvenience to users
Reduced throughput of controlled processes
Training in new procedures or technologies as
applicable
End of life decommissioning
46
4/17/2015
23
17/04/2015
Risk Mitigation Schematic

Owners
Value
Wish to minimize
Countermeasures
Impose
To
Reduce
Threat Agents
Give Rise to
Threats
Risk
To
That
increase
To
Assets
Wish to abuse and/or may damage
47
4/17/2015
Control Types and Categories

Controls may be:
Managerial
Technical
Physical
48
4/17/2015
24
17/04/2015
Control Types and Categories cont.

Controls may be:
Directive
Deterrent
Preventative
Detective
Recovery
Corrective
Compensating
49
4/17/2015
Security Control Baselines

Creating baselines of control can assist in
developing a consistent security infrastructure
Principles for developing baselines include
Assess of the level of security that is

appropriate for the organization
Mandate a configuration for all systems and
components attached to the organizations
network
50
4/17/2015
25
17/04/2015
Ongoing Risk Assessment and Building Risk

Management into the Organization
51
4/17/2015
Ongoing Risk Assessment

Monitor controls to ensure that they are
working effectively
Implemented as designed
Operating properly
Producing the desired outcome (mitigating
the risk they were installed to address)
52
4/17/2015
26
17/04/2015
Measuring Control Effectiveness

Determine metrics to measure control
effectiveness
Do regular monitoring and reporting
Aggregate data from several control points
Security Event Incident Monitoring (SEIM)

Measure control effectiveness in comparison
to business goals and objectives
53
4/17/2015
Building Risk Management In (Agenda)

Risk Management should be built in to
business processes
Change control
Systems development life cycle (SDLC)
Ongoing monitoring and analysis
Audit
Business process re-engineering
Project management
Employment
Procurement
54
4/17/2015
27
17/04/2015
Risk Related to Change Control

Uncontrolled / Unauthorized changes
Changes implemented incorrectly
Backup
Rollback
Changes that bypass / overwrite controls
Interruption to service
55
4/17/2015
Controlling Risk in Change Control

Oversight / Steering Committee
Formal Change control process
Documentation of changes
Approvals
Testing
Review of all proposed / implemented
changes for impact on security controls
56
4/17/2015
28
17/04/2015
Risk Management During SDLC

Integrate risk management throughout the
SDLC
Review risk levels as system is designed,
developed, tested and implemented
Test the implemented security controls
Ensure the ability to log and monitor events
is built into all systems
Review all new systems for correct operation
of controls and associated risk levels
57
4/17/2015
Ongoing Risk Management Monitoring

and Analysis
Do risk assessment annually
More frequently in event of:
Organizational changes
Regulation
Incidents
Monitor controls frequently and report to
management
Standardized reporting (format)
Trend analysis
58
4/17/2015
29
17/04/2015
Audit and Risk Management

Audit validates that risk is being managed
correctly
Compared with culture of organization
Policy
Regulation
Best practices
59
4/17/2015
Audit and Risk Management cont.

Validate that risk is within acceptable levels
Risk appetite
Threat and vulnerability analysis was done
correctly
Controls are working correctly
Mitigating risk effectively
Validate compliance with controls
Reporting and recommendations
60
4/17/2015
30
17/04/2015
Risk in Business Process Re-Engineering

Review all major systems and business
process changes for impact on risk levels
Ensure that ability to monitor controls is built
into business processes
Enable reporting and compliance
Regular reporting to management on status of
changes
Ensure that changes do not bypass controls
Separation of duties, least privilege
61
4/17/2015
Risk in Project Management

Risk of Scope Creep
Risk of project overrun
Budget
Time
Failure to deliver expected results
Vendor compliance with requirements
62
4/17/2015
31
17/04/2015
Risk During Employment Process

Hiring Procedures
Correct skills and experience
Background checks
Criminal
Financial
References from former employers /
associates
63
4/17/2015
New Employee Initiation

Require signing of
Non-disclosure agreements (NDA)
Non-compete agreements
Ethics statement
Review security policy
Awareness training
64
4/17/2015
32
17/04/2015
Risk During Employment

Access Creep adding more and more access
Violation of least privilege / need to know
Enforce compliance with controls
Regular awareness sessions
65
4/17/2015
Risk at Termination of Employment

Need to remove all access
Recover all organizational assets
ID cards
Laptops
Remote access tokens
Blackberry/ cellphone
Documents
Review NDAs
66
4/17/2015
33
17/04/2015
Risks During Procurement

Need to purchase the right equipment at
the right price
Improper buying practices
Influence
Kickbacks
Piracy / imitations
Inappropriate relations / selection of
vendors
67
4/17/2015
Risk During Procurement cont.

Equipment not delivered according to
specifications /contract terms
Equipment not configured / installed properly
Vendor not providing contracted maintenance

according to maintenance agreements
Maintain correct patch levels
68
4/17/2015
34
17/04/2015
Reporting to Management
Regular reporting
Standard format
Scheduled basis
Consistent metrics to allow comparison of
results over time
Reporting on an exceptional basis
Following an event
69
4/17/2015
Documentation
Typical risk management documentation
includes:
A risk register
An inventory of information assets
Threat and vulnerability analysis
Control effectiveness report
Initial risk rating
Risk report - consequences and likelihood of
compromise
A risk mitigation and action plan
70
4/17/2015
35
17/04/2015
Training and Awareness

The most effective control to mitigate risk is
training of all personnel
Awareness
Training
Education
Educate on policies, standards, practices
Creates accountability
71
4/17/2015
Training and Awareness

End users should receive training on
The importance of adhering to information
security policies, standards, and procedures
Clean desk policy

Responding to incidents and emergencies
Privacy and confidentiality requirements
The security implications of logical access in
an IT environment
72
4/17/2015
36
17/04/2015
Training for End Users

Practical training topics
Clean desk policy
Responding to incidents and emergencies
Privacy and confidentiality requirements
Handling sensitive data and intellectual
property
The security requirements for access to IT
systems
73
4/17/2015
Practice Question
The PRIMARY purpose of a risk management
program is
a) To eliminate risk
b) To reduce all risks to a minimal level of impact

c) To satisfy regulatory requirements
d) To ensure risk levels are acceptable to senior
management
74
4/17/2015
37
17/04/2015
Practice Question 2
The formula SLE x ARO relates to
a) Annualized Loss Expectancy (ALE)
b) Risk acceptance levels
c) The frequency of attacks
d) Calculation of the impact of a threat
75
4/17/2015
38
17/04/2015
ISACA
information systems
1
4/17/2015
Chapter 3
Program Development and
Management
2
4/17/2015
17/04/2015
Course Flow
Chapter One
Information
Security
Governance
Influenced
by
Directs
changes
to
Chapter Four
Information
Security
Incident
Management
Chapter Two
Information
Risk
Management
Directs
development
of
Enforced by
Chapter Three
Develop and
Manage a
Security
Program
3
4/17/2015
Course Agenda
Learning objectives
Security Program Development
Objectives
Role of the Information Security
Manager
Development
Technology and Tools, Security Models
Integrating Security into the Business
4/17/2015
17/04/2015
Exam Relevance
Understands how to manage the information
security program in alignment with the
information security strategy

5
4/17/2015

Develop and maintain plans to implement an
information security program that is aligned
with the information security strategy
Ensure alignment between the information
security program and other business functions
Identify internal and external resources
required to execute the information security
program
Ensure the development of information
security architectures
6
4/17/2015
17/04/2015
Learning Objectives cont.

Ensure the development, communication,
and maintenance of standards, procedures
and other documentation that support
information security policies
Design and develop a program for
information security awareness, training
and education
Integrate information security
requirements into contracts and third
party agreements
7
4/17/2015
Definition
Information security program management
includes:
Directing
Overseeing
Monitoring
Information-security-related activities in support
of organizational objectives.
8
4/17/2015
17/04/2015
Security Strategy and Program Relationship

The security strategy is the long term plan
of creating a security structure that will
support the business goals of the
organization
The security program outlines the steps
necessary to implement the security
strategy
The security program should be defined in
business terms
9
4/17/2015
Information Security Management

Information Security management is primarily
concerned with
Ongoing, day-to-day operations of a security
department
Budget for security

Planning
Business case development for security
projects
Staff development and training
10
4/17/2015
17/04/2015
Importance of Security Management

Achieving adequate levels of information
security means:
Implementing cost effective security
solutions
Supporting business operations
Strategic planning and alignment between
security and the business
Compliance and reporting
11
4/17/2015
Definition
Information security program development
is the integrated set of:
Activities
Projects
Initiatives
to implement the information security
strategy
12
4/17/2015
17/04/2015
Effective Security Management

Effective security management must
demonstrate value to the organization
Compliance with policies and procedures
Cost effective
Improved audit results
Business process assurance
13
4/17/2015
Reasons for Security Program Failure

Poorly understood requirements
Lack of understanding about what is important
and why
Lack of funding or resources
Lack of will to make security a priority
Too much technical focus
14
4/17/2015
17/04/2015
Security Program Development Objectives
15
4/17/2015
Program Objectives
Implement the objectives of the security
strategy
Managerial controls
Technical controls
Physical controls
16
4/17/2015
17/04/2015
Security Program Development

The elements essential to ensure successful
security program design and
implementation:
A well defined and clear information
security strategy
Cooperation and support from
management and stakeholders
Effective metrics to measure program
effectiveness
17
4/17/2015
Security Program Development cont.

A well-executed security program will :
Support governance of information security
Convert security initiatives into a practical
real-world implementations
Provide proof that security implementations
are meeting business and security needs
Be flexible enough to adapt to changes in
security / business requirements
18
4/17/2015
17/04/2015
Outcomes of Information Security

Program Development
As seen in Chapter One, objectives for
information security governance include:
Strategic alignment
Risk management
Value delivery
Resource management
Assurance process integration
Performance measurement
19
4/17/2015
Governance of the Security Program

Acceptance and support for the
strategy and the objectives of the
security program is the responsibility of
executive management
Everyone is responsible for compliance
with security requirements
20
4/17/2015
10
17/04/2015
Role of the Information Security Manager
21
4/17/2015
Role of the Information Security

Manager (Agenda)
Strategy
Policy
Compliance
Prevention
Monitoring
Detection
Correction
Awareness
Implementation
22
4/17/2015
11
17/04/2015
Strategy
The first step to development of an
information security program (as seen in
chapter one) is to align the security strategy
with the objectives of the business
Governance
Resources
Reporting
Compliance
Regulations
23
4/17/2015
Policy
Policy provides:
Authority
Direction
Requires:
Background
Scope
Applicability
24
4/17/2015
12
17/04/2015
Creating Effective Policy

Ownership
Up to date
Exceptions
Enforceable / legal
Non-technical
Reflects culture and mission of the
organization
25
4/17/2015
Awareness
People are the most important element of a
security program, therefore they must:
Understand their roles
Be capable of performing their roles
Be provided adequate training
Be accountable for results
26
4/17/2015
13
17/04/2015
Implementation
Converts strategy to practical tools and
techniques
Controls
Safeguards
Countermeasures
27
4/17/2015
Monitoring
Review of security controls,
countermeasures, safeguards
Continuous or periodic testing
Frequency is dependent on
Laws
Business changes
Culture
28
4/17/2015
14
17/04/2015
Compliance
Compliance ensures that business processes
and security measures meet the requirements
of corporate policy, local regulations,
industry-based standards, and best practices.
Compliance requires proof (not just theory)
Testing, logging
Reporting
29
4/17/2015

Development
30
4/17/2015
15
17/04/2015
Developing an Information Security Road

Map
The CISM must consider the security
program from the perspective of:
Data
Applications
Systems
Facilities
Processes
31
4/17/2015
Defining Security Program Objectives

Whether or not there is an existing information
security program, there are some basic
program components:
Understanding managements security

objectives
Develop key goal indicators (KGIs) that
reflect and measure business priorities
Ways to measure whether the program is
heading in the right direction
32
4/17/2015
16
17/04/2015
Inventory of Information Systems

Document all aspects of the information
systems including:
System categorization
System description including system boundaries
Network diagram and data flows
Software and hardware inventory
Users and system owners
Business risk assessment
System risk assessment
Contingency plan
System security plan
33
4/17/2015
Challenges in Developing an Information

Security Program
The process of setting a program in place and
measuring its results requires a great deal of
cooperation among everyone in the
organization who handles data
Information security program development is

not usually hampered by technology choices
available, but rather by people, process and
policy issues that conflict with program
objectives and see security as a hindrance to
business operations
34
4/17/2015
17
17/04/2015
Challenges in Developing an Information

Security Program cont.
The challenges faced by the CISM while
developing a security program may include:
Organizational resistance due to:
Changes in areas of responsibility
A perception that increased security will
impact productivity and access
Unfair monitoring / restrictions
Lack of adequate budget, personnel, skills
or support
Unanticipated problems with existing
controls, systems or ongoing projects
35
4/17/2015
Elements of a Security Program Road

Map
A vital element of the information security
program is a roles and responsibilities matrix
(RACI - Responsible, Accountable, Consulted,
Informed)
CEO
CISO
CIO
VP HR
Policy
Development
Business
Continuity
Incident
Management
36
4/17/2015
18
17/04/2015

Map
An understanding of the
general risk appetite of an
organization and a review to
discover any gaps or determine
whether the information
security program is operating at
acceptable levels
Potential Loss due to

Equipment Failure
75,000
50,000
Acceptable Risk Level
Risk
Current Risk Level

25,000
37
4/17/2015

Map
Ability to link the security program with business
objectives and demonstrate justification for the
evolution from a security concept towards a
security architecture and finally into the selection
and implementation of security tools and
technologies
Security
Context
Security
Concept
Logical
Architecture
Physical
Architecture
Component
38
4/17/2015
19
17/04/2015
Security Programs and Projects

The overall security program will almost
always consist of a series of individual
projects designed to meet security objectives
Security Program
Policy Creation Project
Firewall Implementation
project
Awareness Sessions
39
4/17/2015
Security Program and Project Development

A gap analysis will identify a series of projects
required to implement the information security
program
Each project should have time, budget,
milestones, deliverables, and measurable
results
Each project should be clearly defined and
integrate with other projects and
departments
HR, Finance, Physical security
40
4/17/2015
20
17/04/2015
Security Program and Project Development

cont.
Security projects should be prioritized so that:
Most important projects are given priority
Projects do not overlap or cause a delay for
other projects
Resources are appropriately allocated

Results are documented and reported to
management
41
4/17/2015
Security Project Planning

Determine project needs
Oversight / timelines
Equipment
Personnel (skills)
Outsourcing or contract staff
Infrastructure
Networks, databases, facilities, etc.
42
4/17/2015
21
17/04/2015
Selection of Controls
Controls are
Technical
Managerial
Physical
Tools designed to provide reasonable
assurance that:
Business objectives will be achieved
Undesirable events will be prevented or
detected and corrected
43
4/17/2015
Common Control Practices

Common control practices include:
Logical Access control
Principle of least privilege / need to know
Compartmentalization to minimize damage

Domains
Segregation of duties
Transparency
44
4/17/2015
22
17/04/2015
45
4/17/2015
Security Program Elements (Agenda)

Policies
Standards
Procedures
Guidelines
Technologies
Personnel security
Organizational
structure
Outsourced security
providers
Facilities
Environmental
security
46
4/17/2015
23
17/04/2015
Policies
Provide authority and direction for security
program from management
High level versus functional policies
Are interpreted by standards,
procedures, baselines
What are the characteristics of effective
policies? What makes a policy effective?
47
4/17/2015
Acceptable Use Policy

An acceptable use policy
Should provide a user-friendly summary of
what should and should not be done to
comply with policy
Must detail in everyday terms the
obligations of all users
Must be communicated to all users
Must be read and understood by all users
Should be provided to new personnel
48
4/17/2015
24
17/04/2015
Acceptable Use Policy cont.

Rules of use for all personnel include the
policies and standards for
Access control
Classification of data
Marking and handling of documents
Reporting requirements and disclosure
constraints
Rules regarding email and Internet use
49
4/17/2015
Standards
Standards ensure that systems are
configured and operated in an similar manner
Compliance with standards should be
automated
Ensure that system configurations do not
(intentionally or unintentionally) deviate
from policy compliance
Standards are used to implement policy
Deviations from a standard must have formal
approval
50
4/17/2015
25
17/04/2015
Procedures
Procedures provide a defined, step by step
method of completing a task
i.e., new user registration / user ID
creation; incident management
Allow actual activity to be reviewed for

compliance with the required procedures
Helps ensure consistency of operations
51
4/17/2015
Guidelines
Provide recommendations for better security
practices:
Password creation, use of social media
Are only recommendations, not mandatory
52
4/17/2015
26
17/04/2015
Technology
One of the most important elements of a
security program
Without the right tools, an effective
security program is not feasible
Many tools available
53
4/17/2015
Personnel Security
Protect staff from being harmed
Duress alarms, cameras
Having the right people:
Skills / Education required

Awareness
Management and oversight
Disciplinary action when required
Separation of duties
54
4/17/2015
27
17/04/2015
Training and Skills Matrix

Determine level of training needed by staff
according to job responsibilities
Develop training matrix
Perform gap analysis
Manager
Administrator
User
Level III
CISM
CCSP
SEC +
Level II
SEC +
GSEC
Awareness
Level I
Awareness
SEC +
Awareness
55
4/17/2015
Organizational Structure
Who should security report to
Normal reporting
Incident reports
Adequate:
Budget
Authority
Scope
56
4/17/2015
28
17/04/2015
Outsourced Security Providers

Outsourcing security and monitoring may
have many benefits
Provide necessary expertise
Monitor all corporate systems
Correlate activity from several systems
Centralized reporting
57
4/17/2015
Third-party Service Providers

When using a third party:
Ensure data are stored and secured adequately in
the service provider environment
Define data destruction and data sanitization
processes
Create channels of communication and liaison
with outsourced firm
Maintain accountability in the service provider
organization for policy enforcement
Remember that prime liability for data
protection is with the organization, not with the
outsourced firm
58
4/17/2015
29
17/04/2015
Facilities
Secure operational areas
Server rooms
Equipment rooms
Administrator, developer, and operator
work areas
Consider factors such as:
Age of building (fire codes)
Shared facility with other companies
59
4/17/2015
Facilities Security
Physical controls may include:
Smart cards or access controls based on
biometrics
Security cameras
Security guards
Fences
Lighting
Locks
Sensors
60
4/17/2015
30
17/04/2015
Environmental Security
Heating, ventilation and humidity controls
Reliable power supplies
61
4/17/2015
62
4/17/2015
31
17/04/2015
Information Security Concepts (Agenda)

Topics already
covered:
Confidentiality
Risk Management
Threats
Vulnerabilities
Integrity
Attacks
Availability
Exposure
Countermeasures
Architecture
Controls
Business impact
analysis (BIA)
Governance
Layered Defense
Data classification
63
4/17/2015
Information Security Concepts (Agenda)

Access Control
Identification
Authentication
Authorization
Accounting / Auditability
Criticality
Sensitivity
Trust Models
64
4/17/2015
32
17/04/2015
Access Control
Controlling who and what has access to the
facilities, systems, people and data of the
organization
Ensuring the right people have the right
level of access
Preventing inappropriate use, modification
or destruction of organizational resources
Tracking all activity to the responsible
entity
65
4/17/2015
Identification
Access control starts with knowing who or
what is accessing our systems, data, facilities
or other resources.
Unique (track able to the correct
person/process)
Removed when no longer required
i.e., IDs, customer account numbers,
fingerprints
66
4/17/2015
33
17/04/2015
Authentication
Validating the claimed identity is the person
requesting access really who they say they
are?
Knowledge (password)
Ownership (Token, smartcard, badge)

Characteristic (biometrics)
67
4/17/2015
Authorization
Granting the authenticated user the correct
level of permissions needed
Read
Write
Execute
Create
Delete
68
4/17/2015
34
17/04/2015
Accounting / Auditability
Logging, monitoring and tracking of activity
Ability to associate activity with a specific
user
Audit log:
Protection
Review
Analysis
69
4/17/2015
Criticality
How much is the ability of the organization to
deliver its products and services dependent
on:
Information
Information systems
What would the extent of the impact be on
the business (quantitatively and qualitatively)
if they were not available
This is a measure of the criticality of the
resource
70
4/17/2015
35
17/04/2015
Sensitivity
How much is the organization dependent on
the accuracy or confidentiality requirements
for:
Information
Information systems
This is a measure of the sensitivity of the
resource
71
4/17/2015
Trust Models
Multi-level security
Users have different levels of trust (access)
Domains of trust
Departmentalization/compartmentalization
Security perimeters
Trusted links between systems
72
4/17/2015
36
17/04/2015
Technologies and Tools

Security Components and Models
73
4/17/2015
Technology-based Security
Technology-based controls
Many technologies available
Are used to implement controls
Have controls built into their

implementation
Must be enabled
Must be monitored / updated
74
4/17/2015
37
17/04/2015
Technologies
There are numerous technologies relevant
to security that the CISM should be
familiar with including:
Firewalls
Routers and switches
IDS, NIDS, HIDS
Cryptographic techniques (PKI, DES)
Digital signatures
Smart cards
75
4/17/2015
Security in Technical Components

Native control technologies
Security features built in to equipment and
applications.
Access control on switches, routers
Error handling in applications
Many products feature Out-of-the-box
security features that can be configured to
protect business information systems
Generally configured and operated by IT
76
4/17/2015
38
17/04/2015
Security in Technical Components cont.

Supplemental control technologies
Security control devices added to an
information system
IDS (Intrusion Detection Systems), Firewall,
PKI (Public Key Infrastructure)
Operate as a form of layered defense
77
4/17/2015

Management support technologies
Provide support for management to monitor
systems and controls
Examples include security information event
management (SIEM) tools, compliance
monitoring scanners and security event
analysis systems
Are often used by information security group
independently of information technology
78
4/17/2015
39
17/04/2015

The effectiveness of the security technologies
must be evaluated
Use clear, repeatable metrics
Evaluate:
Control placement
Control effectiveness
Control efficiency
Control policy
Control implementation
79
4/17/2015
Operations Security
Operational security
Monitoring of systems
Maintenance of systems
Procedures
Change control
Backups
User access management
Patch Management
Usually performed by IT administrators
80
4/17/2015
40
17/04/2015
Technologies Access Control Lists

Access control lists (ACLs)
Designate levels of access accorded to
users, processes
Based on either the rights of the users or the
protection levels accorded to the protected
resource
81
4/17/2015
Filtering and Content Management

Data Loss Prevention (DLP)
Scans documents emails, etc. for sensitive
data.
Will block unauthorized transmission of data
Web Filtering
Scans web, email, and IM traffic for
inappropriate content
Blocks mobile code, inappropriate links,
cookies, etc.
82
4/17/2015
41
17/04/2015
Technologies - SPAM
Email filtering to weed out unsolicited email
May contain malicious code
Causes network and storage congestion
Disable links and potentially malicious
attachments
83
4/17/2015
Technologies Databases and DBMS

Databases
Electronic storage of data
May be accessed remotely
Need stringent security controls

architecture, access, backup, journaling
Database Management System (DBMS)
Manages the database (retrieves, updates,
logs, organizes data)
Ensures changes meet with rules
84
4/17/2015
42
17/04/2015
Encryption
Allows data to be stored, transmitted or
displayed in a secure format unreadable
except to authorized personnel
Changes the format/structure of the data
Provides
Confidentiality
Integrity
Authenticity
Access control
Non-repudiation
85
4/17/2015
Technologies - Cryptography
Symmetric key algorithms
Use the same key to encrypt and decrypt a
message
Fast and excellent for confidentiality
86
4/17/2015
43
17/04/2015
Technologies Cryptography cont.

Asymmetric
Use a mathematically-related key pair
Private key (only known to key owner)
Public key (can be distributed freely)
Provide
Confidentiality
Proof of origin / non-repudiation (digital
signatures)
Integrity
Access control
87
4/17/2015
Technologies Encryption cont.

Protect data at various levels
Application layer encryption
PGP
Session / transport layer encryption

SSH, SSL, TLS
Network Layer encryption
IPSEC
Link layer encryption
88
4/17/2015
44
17/04/2015
Technologies Hashing Algorithms

Compute a fixed length value from a message
that can be used to verify message integrity
Message has not be altered or changed
Either intentionally or accidentally
Are used in digital signatures
89
4/17/2015
Technology Communications OSI Model

Open Systems
Interconnect (OSI
model)
Seven layer model for
communications
Layering
Encapsulation
Application
Presentation
Session
Transport
Network
Data Link
Physical
90
4/17/2015
45
17/04/2015
Technology Communications TCP/IP

Transmission Control
Protocol / Internet
Protocol
Four layer model used
for most
communications today
Robust
Works on most
platforms and vendor
systems
Application
Host to Host
Internetworking
Data Link /
Physical
91
4/17/2015
Technologies Operating Systems

Provide interface between hardware and user
applications
Manage the use of system resources
92
4/17/2015
46
17/04/2015
Technology - Firewalls
Regulate traffic flows between networks
Operate at various network layers
Application proxies
Session layer proxies
Network layer
Packet Filtering
93
4/17/2015
Emerging Technologies
The CISM must be aware of emerging
technologies and their impact on the
information security program:
Virtual environments
Cloud computing
Mobile computing
Apple and Android Apps
VOIP
SCADA networks
94
4/17/2015
47
17/04/2015
Testing the Security Program
95
4/17/2015
Intrusion Detection Policies and

Processes
The ISM should understand and manage intrusion
detection systems and procedures, including:
Personnel who run and monitor intrusion
detection systems have adequate training
Intrusion detection software and hardware runs
continuously
Intrusion detection software can be easily
modified to adapt to changing environments
Intrusion detection systems do not impose
excessive overhead, especially excessive
network overhead
96
4/17/2015
48
17/04/2015
Intrusion Detection Systems

An organization should ideally use two
types of intrusion detection systems (IDSs)
Host-based
Network-based
Sensors should be suitably placed to

provide adequate coverage of the network
typology
97
4/17/2015
IDS / IPS
Intrusion detection and prevention systems
should:
Identify and record any attempts to exploit a
system by an attacker
Adequately protect networks and systems from
security breaches
Be monitored and maintained daily
Protect logs for use in future investigations
98
4/17/2015
49
17/04/2015
Password Cracking
Many tools available
Software
Hardware (keystroke loggers)
Should be forbidden by policy except for
extraordinary, authorized purposes
Brute force attacks
Dictionary attacks
Rainbow tables
Restrict access to password files
Store passwords as hashed values
99
4/17/2015
Vulnerability Assessments
Discover potential weaknesses or gaps in the
security controls
Open ports or services
Lack of training
Improper rule-base configurations
Poor incident handling
100
4/17/2015
50
17/04/2015
Vulnerability Assessments cont.

A vulnerability assessment can include assessing
Network visibility and accessibility
Information leakage
Presence of unneeded software and/or
utilities
Unpatched equipment
Application-level vulnerabilities (including
databases)
Weak security policies and standards
101
4/17/2015
Vulnerability Assessments cont.

Assessment Tools
Scans
May indicate many false positives
Require analysis to determine true level of
vulnerability
Testing inline, integrated test facility
Observation
102
4/17/2015
51
17/04/2015
Penetration Testing
Attempt to exploit a perceived vulnerability
Usually more focussed than a vulnerability
scan
Indicates whether the vulnerability does
pose a serious risk of breach
Allows determination of potential impact
Can be done by external or internal testing
teams
Must have prior approval
103
4/17/2015
Penetration Testing cont.

Risk of system failure / interruption
Areas to test
Web applications
Firewalls / proxy devices

Operating systems
Applications and Utilities
Physical access
104
4/17/2015
52
17/04/2015
Third Party Security Reviews

Advantages
Objective
Not influenced by that is how we have
always done it around here excuse
Expertise
May not be available in-house
Disadvantages
Need Non-disclosure agreements
Cost
105
4/17/2015
Integration of the Security

Program into the Business
106
4/17/2015
53
17/04/2015
Integration into Life Cycle Processes

A security program must be integrated into the
change management process for the
organization
Identify IT changes being initiated, funded,
and deployed
Provides the opportunity to
Identify vulnerabilities in new systems
Identify new threats presented by systems
Ensure that existing security controls will not
be adversely affected by proposed or actual
changes
107
4/17/2015
Security in External Agreements

Ensure that security requirements are
included in outsourcing agreements:
Suppliers
Subcontractors
Joint ventures
Business partners
Outsourced functions
108
4/17/2015
54
17/04/2015
Security in External Agreements

Include in all external agreements
Right to audit
Service level agreements (SLAs)
Performance metrics
Due diligence
Ensure systems and data are protected
adequately (compliance)
109
4/17/2015
Security Program Implementation

Rome was not built in a day neither will a
security program be rolled out all at once
May consist of many projects
Network security
User security
Application security
Physical security
Systems security and backup
110
4/17/2015
55
17/04/2015
Phased Approach
The program should be phased in by:
Region
Department
Product / service / business process
Building
Application
According to priorities, staff availability and
regulation
111
4/17/2015
Challenges During Implementation

Unexpected discovery of unaccounted-for
systems or processes
Resistance from staff / management
Time or budget
Impact on business operations
Availability of equipment
Training requirements
112
4/17/2015
56
17/04/2015
Review and Audit of the Security

Program
113
4/17/2015

The information security manager must evaluate
the documented security objectives for the
program:
Are program goals aligned with governance
objectives if they exist?
Are objectives measurable, realistic and
associated with specific timelines?
Do program objectives align with
organizational goals, initiatives, compliance
needs and operational?
114
4/17/2015
57
17/04/2015
Evaluating Security Program cont.

The information security manager must evaluate
the documented security objectives
Is there consensus on program objectives?
Have metrics been implemented to measure
program objective success and shortfalls?
Are there regular management reviews of
objectives and accomplishments?
115
4/17/2015
Evaluating the Security Program cont.

Review of the Security Program may be
Automated
Minimize low-value activity workload
Manual
Incremental reviews
Continuous Auditing techniques
Conducted by external or internal parties
116
4/17/2015
58
17/04/2015
Measuring Information Security Risk and

Loss
The following are possible approaches to
periodically measuring the programs success
against risk management and loss prevention
objectives:
The technical vulnerability management approach
The risk management approach
The loss prevention approach
117
4/17/2015
Measuring Effectiveness of Technical

Security Program
Ensure that equipment is configured according
to required baselines
Identify single points of failure
Verify that controls are working correctly and
mitigating risk effectively
Ensure controls are being monitored as
scheduled
Ensure incident reports are generated and
distributed
118
4/17/2015
59
17/04/2015
Measuring Effectiveness of Security

Management
Methods of tracking the programs success include:
Tracking the frequency of issue recurrence
The degree to which procedures are
standardized
Documented information security roles and
responsibilities
Information security requirements incorporated
into every project plan
Efforts and results in making the program more
productive and cost-effective
Overall security resource utilization
119
4/17/2015
Security Project Management

Because there will never be adequate budget
or staff, the CISM must prioritize security
projects
Approval of Steering Committee
Utilize external resources
Recruitment of additional staff
Regular reporting on the status of ongoing
security projects is necessary
120
4/17/2015
60
17/04/2015
Review of Security Compliance

A key role of the CISM is to review the levels
of compliance with
Policies
Procedures
Standards
Baselines
Deviations from the mandated levels of
compliance may require a review of the
policies, or the need to strengthen the
controls
121
4/17/2015
Sample Questions
122
4/17/2015
61
17/04/2015
Practice Question
1.) A security manger is most likely to be
concerned with pending changes when:
A. Rollback procedures have not been
documented
B. Users have not been notified of changes
C. System performance tests were not
conducted
D. Program changes have not been
documented
123
4/17/2015
Practice Question
2.)
The MOST important element of a good

information security policy is:
A. Being easy to read and understand.
B. Allowing for flexible interpretation.
C. Capturing the intent of management.
D. Defining secure operating procedures
124
4/17/2015
62
17/04/2015
Practice Question
3.) Which of the following would be the BEST
approach when conducting a security
awareness campaign?
A. Provide interesting technical details of past
exploits.
B. Target high risk groups like system
administrators and the help desk.
C. Provide customized messages for different
groups.
D. Clearly describe acceptable use policies and
procedures
125
4/17/2015
Practice Question
4.) The MOST appropriate metric to measure how
well information security is managing the

administration of user access is the percent of
user IDs:
A. That have been reviewed by management
B. That have been created and deleted in the
past year.
C. That have high level access to
organizational systems.
D. With corresponding payroll records.
126
4/17/2015
63
17/04/2015
End of Domain Three
127
4/17/2015
64
17/04/2015
ISACA
information systems
1
4/17/2015
Chapter 4
Incident Management
2
4/17/2015
17/04/2015
Exam Relevance
Plan, establish and manage the capability to detect,
investigate, respond to and recover from information
security incidents to minimize business impact.

3
4/17/2015

Develop and implement processes for:
Detecting
Identifying
Analyzing
Responding
To information security incidents
4
4/17/2015
17/04/2015

Incident Management process
Escalation and communication processes
Lines of authority
Plans to respond to, and document,
information security incidents
Capability, skills and procedures to
investigate information security incidents
Communicate with internal parties and
external organizations
5
4/17/2015

Test and refine information security incident
response plans
Manage incident response
Conduct reviews of security incidents, to
determine root cause, develop corrective
actions and reassess risk
Integrate incident response plans with
business continuity plans (BCP) and disaster
recovery plans (DRP)
6
4/17/2015
17/04/2015
Definition
Incident
Any event that has the potential to
adversely impact the ability of the business
to meet its objectives
Incident management
The capability to effectively manage
unexpected disruptive events
Minimize impacts
Maintain and restore normal business
operations within defined time limits
7
4/17/2015
Definition
Incident response
The operational capability of incident
management that identifies, prepares for
and responds to incidents
Provide forensic and investigative
capabilities
Restore normal operations as defined in
service level agreements (SLAs)
Manage the impact of unexpected disruptive
events to acceptable levels
8
4/17/2015
17/04/2015
Definition
Incident Management will ensure that
incidents are detected, recorded and
managed to limit impacts.
9
4/17/2015
Goals of Incident Management and Response

The goals of incident management and
response include:
The ability to deal effectively with
unanticipated events
Detection and monitoring capabilities to alert
staff to a potential incident
Effective notification and reporting to
management
A response plan that is aligned with business
priorities
10
4/17/2015
17/04/2015
Goals of Incident Response cont.

The ability to learn from past incidents and
prevent future problems
Regular testing and validation of the
effectiveness of the plan
11
4/17/2015
What is an Incident - Intentional

Malicious code
Unauthorized access to IT systems, facilities,
information
Unauthorized use of resources
Unauthorized changes to systems, networks
Denial of service (DOS)
Surveillance, espionage
Social Engineering
Fraud
12
4/17/2015
17/04/2015
What is an Incident - Unintentional

Equipment failure
Utility failure (power)
Software bugs
Deletion of files
Weather-related issues
13
4/17/2015
History of Incidents
Past incidents provide valuable information
on risk trends, threat types and business
impact due to an incident
Can be used to evaluate the existing plans
Used as input to know the types of incidents
that must be considered and planned for
14
4/17/2015
17/04/2015
Developing Response and Recovery

Plans
Factors to consider when developing
response and recovery plans include:
Available resources
Expected services levels
Types, kinds, and severity of threats faced

by the organization
15
4/17/2015
Preparing the Incident Response

Plan
16
4/17/2015
17/04/2015
Incident Management and Response

The incident management and response
structure should include:
Incident Response Planning
Business Continuity Planning
Disaster Recovery Planning
Recovery of IT systems
17
4/17/2015
Incident Management and Response cont.

Plans must be
Clearly documented
Readily accessible
Based on the long range IT plan
Consistent with the overall business
continuity and security strategies
18
4/17/2015
17/04/2015
Incident Management and Response cont.

Incident Response planning includes
Incident detection capabilities (ability to
recognize an event (false positive vs. real event)
Clearly defined severity criteria (catastrophic,
major, minor)
Assessment and triage capabilities (determine
extent of incident)
Declaration criteria (activation of response
teams)
19
4/17/2015
Importance of Incident Management

and Response
Incident response is required since even minor
incidents may:
Affect business viability
Develop into major incidents
Require public communications plans
Necessitate advising regulators, clients or
other affected stakeholders
Even the best controls cannot prevent all
incidents
20
4/17/2015
10
17/04/2015
Incident Response Functions

Detection and reporting
Alerting, escalation
Triage
Containment, recovery
Analysis
Root cause, lessons learned
Incident response team skills
Necessary training and experience
21
4/17/2015
Incident Management Technologies

An effective incident management system
should
Monitor and consolidate inputs from
multiple systems
Identify incidents or potential incidents

Prioritize incidents based on business impact
Provide status tracking and notifications
Integrate with major IT management
systems
Follow good practices guidelines
22
4/17/2015
11
17/04/2015
Responsibilities of the CISM

Developing the information security incident
management and response plans
Handling and coordinating information
security incident response activities
Validating, verifying and reporting on
effectiveness of protective controls and
countermeasure solutions
Planning, budgeting and program
development for all matters related to
information security incident management
and response
23
4/17/2015
Incident Response Manager Responsibilities

The responsibilities of the incident response
manager include:
Managing the incident so that the impact is
contained and minimal damage occurs
Notifying the appropriate people and
escalating the incident to management
when required
Recovering quickly and efficiently from
security incidents
Balancing operational and security needs
24
4/17/2015
12
17/04/2015
Incident Response Manager Responsibilities

cont.
The responsibilities of the incident response
manager include:
Responding systematically and decreasing
the likelihood of cascading problems or
incident recurrence
Dealing with legal and law enforcementrelated issues
Ensuring that the incident response is
documented
Following up on lessons learned to enhance
controls
25
4/17/2015
Requirements for Incident Response

Managers
Have the leadership skills necessary to
manage crisis teams
Understand business priorities and culture
Have the experience, knowledge, and the
authority to invoke the disaster recovery
processes necessary to maintain or recover
operational status
26
4/17/2015
13
17/04/2015
Senior Management Involvement

Senior management provides strategic
direction during the crisis
Reporting of the incident is escalated to
senior management
Decisions and direction is passed down to
the incident management teams
27
4/17/2015
The Desired State

Incident management and response requires
Well-developed monitoring capabilities for
key controls
Personnel trained in assessing the situation,
capable of providing triage, and managing
effective responses
Managers that have made provisions to
capture all relevant information and apply
previously learned lessons
28
4/17/2015
14
17/04/2015
Strategic Alignment of Incident Response

Incident management must be aligned with the
organizations strategic plan
Scope what incidents are the responsibility of the
Incident response team
Services services should be clearly defined
Organizational structure Reporting and oversight
Resources sufficient staffing and skills necessary
for effective response
Funding sufficient funding as required to manage
incident response
Management buy-in Senior management buy-in is
essential
29
4/17/2015
Creating a Detailed Incident

Response Plan
30
4/17/2015
15
17/04/2015
Detailed Plan of Action for Incident

Management
The incident management action plan outlined in
the CMU/SEI technical report titled Defining
Incident Management Processes:
Prepare/improve/sustain (prepare)
Protect infrastructure (protect)
Detect events (detect)
Triage events (triage)
Respond
31
4/17/2015

Management - Prepare
Prepare/improve/sustain (prepare) phase:
Coordinate planning and design:
Identify incident management requirements.
Establish vision and mission.

Obtain funding and sponsorship.
Develop implementation plan.
Coordinate implementation:
32
4/17/2015
16
17/04/2015

Management Prepare cont.
Prepare/improve/sustain (prepare) phase
Develop policies, processes and plans.
Establish incident handling criteria.
Implement defined resources.
Evaluate incident management capability.
Conduct postmortem review.
Determine incident management process
changes.
Implement incident management process
changes.
33
4/17/2015

Management - Protect
Protect infrastructure (protect) phase
Implement changes to computing infrastructure
to mitigate ongoing or potential incident.
Implement infrastructure protection
improvements from postmortem reviews or
other process improvement mechanisms.
Evaluate computing infrastructure by
performing proactive security assessment and
evaluation.
Provide input to detect process on
incidents/potential incidents.
34
4/17/2015
17
17/04/2015

Management - Detect
Detect events (detect) phase
Proactive detectionThe detect process is
conducted prior to incident alert. This will
enable the response team to detect attack
precursors, false negatives and emerging
threats.
Reactive detectionThe detect process is
conducted when there are reports of possible
incidents from system users or other
organizations
35
4/17/2015

Management - Triage
Triage
Requires initial gathering of incident data,
incident severity determination, notification
and activation of incident response team
Can be done on two levels
Tactical - Based on a set of criteria
Strategic - Based on the impact of business
36
4/17/2015
18
17/04/2015

Management - Response
Response
Technical response
Collecting data for further analysis
Analyzing incident supporting information
such as log files
Technical mitigation strategies and recovery
options
Development and deployment of workarounds
Management response
Legal response
37
4/17/2015
Elements of an Incident Response Plan

Another approach to the development of
an incident response plan based on the
SANS Institute
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
38
4/17/2015
19
17/04/2015
Crisis Communications
One of the greatest challenges in a crisis is
effective communications
Internal
Staff, management, business units
External
Business partners
Shareholders
General public
Government and regulatory bodies
Law Enforcement
39
4/17/2015
Challenges in Developing an Incident

Management Plan
Unanticipated challenges may be the
result of
Lack of management buy-in and
organizational consensus
Mismatch to organizational goals and
priorities
Incident management team member
turnover
Poor communications
Complex and wide plan
40
4/17/2015
20
17/04/2015
Incident Response Team Members
41
4/17/2015
Personnel
An Incident Response Team usually
consists of
The Incident Manager (often an Information
Security Manager)
The Team Leader
Steering committee/advisory board
Provide oversight and authority
42
4/17/2015
21
17/04/2015
Personnel cont.
An Incident Response Team usually
consists of
Permanent/dedicated team members
Specialized skills forensics, audit,
communications, legal
Representation from key departments
Operations, IT, HR, Finance, Security,
Executive, etc.
Virtual/temporary team members
External experts
43
4/17/2015
Personnel cont.
The composition of the incident response team
will depend on a number of factors such as
Mission and goals of the incident response program
Nature and range of services provided
Available staff expertise

Scope and technology base
Anticipated incident load
Severity or complexity of incident reports
Funding
Regulations and legal considerations
44
4/17/2015
22
17/04/2015
Team Member Skills

The set of basic skills that incident response
team members need can be separated into
two broad groups:
Personal skills
Ability to handle stress
Leadership skills
Expertise based on the incident handlers
daily activity.
Technical skills
Specialized skills in IT, communications, etc
45
4/17/2015
Skills cont.
Personal skills
Communication
Presentation skills
Ability to follow policies and procedures
Team skills
Integrity
Confidence
Problem solving
Time management
46
4/17/2015
23
17/04/2015
Skills cont.
Technical skills
Basic understanding of the underlying
technologies used by the organization
Understanding of the techniques,
decision points and supporting tools
required in incident management
47
4/17/2015
Security Concepts and Technologies

The following security concepts and technologies
should be considered and known to IRTs
Security principles
Security
vulnerabilities/
weaknesses
Network applications
and services
Network security
issues
The Internet
Operating systems
Network protocols
Malicious code
Programming skills
48
4/17/2015
24
17/04/2015
Organizing, Training and Equipping the

Response Staff
Every incident response team member
should get the following types of training:
Induction to Incident response - basic
information about the team and its
operations
Description of the teams roles,
responsibilities and procedures
On the job training
Formal training
49
4/17/2015
Review and Audit of Incident

Response
50
4/17/2015
25
17/04/2015
Value Delivery
To deliver value, incident management
should:
Integrate and align with business processes
and structures
Improve the capability of businesses to
manage incidents effectively
Integrate incident management with risk
and business continuity
Become part of an organizations overall
strategy and effort to protect and secure
critical business function and assets
51
4/17/2015
Performance Measurement
Performance measurements for incident
management and response will focus on
achieving the defined objectives and
optimizing effectiveness
Incident response time

Application of lessons learned
KPIs and KGIs should be defined and
agreed upon by stakeholders and ratified
by senior management
52
4/17/2015
26
17/04/2015
Reviewing the Current State of Incident

Response Capability
Survey of senior management, business
managers and IT representatives
Self-assessment
External assessment or audit
53
4/17/2015
Audits
Audits (internal and external) must be
performed to verify
Incidents have been resolved and closed
off
Lessons learned applied to the
organization
Adherence by the incident response team
to the policies and procedures defined by
the organization
54
4/17/2015
27
17/04/2015
Gap Analysis Basis for

an Incident Response Plan
Gap analysis compares current incident
response capabilities with the desired
level.
The following may be identified:
Processes that need to be improved to be more
efficient and effective
Resources needed to achieve the objectives for
the incident response capability
55
4/17/2015
Responding to an Incident
56
4/17/2015
28
17/04/2015
When an Incident Occurs

If an incident occurs:
The Incident response team should follow
the procedures set out in the Incident
response plan
Properly document (record and preserve) all
information related to the incident
Follow data/evidence preservation
procedures
Take precautions to avoid changing, altering
or contaminating any potential or actual
evidence
57
4/17/2015
During an Incident
The initial response to an incident should
include:
Retrieving information needed to confirm an
incident
False positive or real event
Notify incident manager and activate incident
response teams
58
4/17/2015
29
17/04/2015
During an Incident cont.

Identifying the scope and size of the affected
environment (e.g., networks, systems,
applications)
Contain the incident and minimize the
potential for further damage
Determining the degree of loss, modification or
damage (if any)
Identifying the possible path or means of
attack
Restore critical services
59
4/17/2015
Containment Strategies
During an incident it is critically important to
contain the crisis and attempt to minimize
the amount of damage that occurs.
Network isolation and segmentation
Fire doors and fire suppression

Fail secure
Multiple suppliers
Multiple facilities
Cross trained staff
60
4/17/2015
30
17/04/2015
The Battle Box

Preloaded kits containing the tools and
support materials needed by the response
team in a crisis
Flashlights
Communications (radio, satellite phones)
Battery
Forms and documentation, pens
Tools
Protective clothing
First aid kits
Evidence collection bags
61
4/17/2015
Evidence Identification and Preservation

The CISM must know
Requirements for collecting and preserving
evidence
Rules for evidence, admissibility of
evidence, and quality and completeness of
evidence
The consequences of any contamination of
evidence following a security incident
Consider enlisting the help of third-party
specialists if detailed forensic skills are
needed
62
4/17/2015
31
17/04/2015
Post Event Reviews

Post Event reviews allow lessons learned
to be applied to future incidents
Use information gathered to improve
response procedures
Do reviews with all affected staff
Follow up on all lessons
63
4/17/2015
Business Continuity and Disaster

Recovery Planning
64
4/17/2015
32
17/04/2015
Disaster Recovery Planning (DRP) and

Business Recovery Processes
Disaster recovery has traditionally been
defined as the recovery of IT systems from
disastrous events
Business recovery (resumption) is defined
as the recovery of the critical business
processes necessary to continue or resume
operations.
65
4/17/2015
Development of BCP and DRP

Each of these planning processes typically
includes several main phases, including:
Risk and business impact assessment
Response and recovery strategy definition
Documenting response and recovery plans
Training all users and response teams
Updating response and recovery plans
Testing response and recovery plans
Auditing response and recovery plans
66
4/17/2015
33
17/04/2015
Plan Development
Plan development factors include:

Pre-incident readiness
Evacuation procedures
How to declare a disaster
Identifying the business processes and IT
resources that should be recovered
Identifying the responsibilities in the plan
67
4/17/2015
Plan Development cont.

Plan development factors include:
Identifying contact information
The step-by-step explanation of the recovery
options
Identifying the various resources required for
recovery and continued operations
Ensuring that other logistics such as personnel
relocation and temporary housing are
considered
68
4/17/2015
34
17/04/2015
Recovery Strategies
Recovery strategies must be sustainable for
the entire period of recovery until business
processes are restored to normal
Strategies may include:
Doing nothing until recovery facilities are
ready
Using manual procedures / workarounds
Focusing on the most important customers,
suppliers, products, and systems with
resources that are still available
69
4/17/2015
Recovery Strategies
The most appropriate recovery strategy is
based on:
The ability to recover within acceptable
recovery times at a reasonable cost
Which recovery strategies are available

Several options may be considered including
outsourcing of certain functions
70
4/17/2015
35
17/04/2015
Basis for Recovery Strategy Selections

Response and recovery strategy plans should
be based on the following considerations:
Interruption window
RTOs
RPOs
Services delivery objectives (SDOs)
Maximum tolerable outages (MTOs) / Maximum
Tolerable Period of Disruption (MTPD)
Location
Nature of probable disruptions
71
4/17/2015
Disaster Recovery Sites

Types of offsite backup hardware facilities
available include:
Hot sites
Warm sites
Cold sites
Mobile sites
Duplicate information processing facilities
Mirror sites
72
4/17/2015
36
17/04/2015
Disaster Recovery Sites cont.

Criteria for selecting alternate sites for
processing in the event of a disaster
include:
The recovery site should not be subject to
the same disaster(s) as the primary site
Availability of similar hardware /software
Ability to move people and resources to the
recovery location
Ability to test the recovery strategy
73
4/17/2015
Recovery of Communications
Recovery of IT facilities involves
telecommunications and network recovery
Alternative / Diverse routing

Long-haul network diversity
Voice recovery
Availability appropriate circuits and adequate
bandwidth
Availability of out-of-band communications in
case of failure of primary communications
methods
74
4/17/2015
37
17/04/2015
Notification Requirements
Plan should include a call tree with a prioritized
list of contacts
Representatives of equipment and software
vendors
Contacts within companies that have been
designated to provide supplies and equipment
or services
Contacts at recovery facilities, including hot
site representatives or predefined network
communications rerouting services
75
4/17/2015
Notification Requirements cont.

Plan should include a call tree with a prioritized
list of
Contacts at offsite media storage facilities and
the contacts within the company who are
authorized to retrieve media from the offsite
facility
Insurance company agents
Contacts at human resources (HR) and/or
contract personnel services
Law enforcement contacts
76
4/17/2015
38
17/04/2015
Response Teams
Number of teams depends upon size of
organization and magnitude of operations examples include:
The emergency action team
Damage assessment team
Emergency management team
Relocation team
Security team
77
4/17/2015
Insurance
Types of insurance coverage

IT equipment and facilities
Media (software) reconstruction
Extra expense
Business interruption
Valuable papers and records
Errors and omissions
Fidelity coverage
Media transportation
78
4/17/2015
39
17/04/2015
Testing Response and Recovery Plans

Testing must include:
Developing test objectives
Executing the test
Evaluating the test
Developing recommendations to improve the
effectiveness of testing processes as well as
response and recovery plans
Implementing a follow-up process to ensure
that the recommendations are implemented
79
4/17/2015
Types of Tests
Tests can include:
Desk check / Table-top walk-through of the
plans
Table-top walk-through with mock disaster
scenarios (simulation tests)
Testing the infrastructure and communication
components of the recovery plan
Testing the infrastructure and recovery of the
critical applications (parallel tests)
Full restoration and recovery tests with some
personnel unfamiliar with the systems
80
4/17/2015
40
17/04/2015
Test Results
The test should strive to:
Verify the completeness and effectiveness of
the response and recovery plans
Evaluate the performance of the personnel
involved in the exercise
Evaluate the coordination among the team
members and external vendors and suppliers
Indicate areas where improvements to the
plan are necessary
81
4/17/2015
Test Results cont.

The test should strive to:
Measure the ability and capacity of the
backup site to perform required processing
Ensure vital records / data can be retrieved
Evaluate the state and quantity of equipment
and supplies that have been relocated to the
recovery site
Measure the overall performance of
operational and information systems related
to maintaining the business entity
82
4/17/2015
41
17/04/2015
Plan Maintenance Activities

The BCP and DR plans must be maintained
through:
Developing a schedule for periodic review
and maintenance of the plan
Updating plan with personnel changes,
phone numbers and responsibilities or status
within the company
Updating the plan whenever significant
changes have occurred
Organizational change
Results of tests or incidents
83
4/17/2015
BCP and DRP Training

Training must be provided for all staff
dependent on their responsibilities:
Develop a schedule for training personnel in
emergency and recovery procedures
Users
Team members
Local business units liaisons
84
4/17/2015
42
17/04/2015
Practice Question
1. The PRIMARY goal of a post-incident review is
to:
A. Gather evidence for subsequent disciplinary
action.
B. Identify key individuals who provided critical
support during the crisis.
C. Prepare a report on the incident for further
management review
D. Derive ways to improve the response process.
85
4/17/2015
Practice Question
2. Which of the following is the MOST important
skill for an incident handler to possess?
A. Presentation skills for management reporting
B. Ability to follow policy and procedures
C. Integrity
D. Ability to cope with stress
86
4/17/2015
43
17/04/2015
Practice Question
3. What is the PRIMARY reason for conducting
triage?
A. To set the priorities for incident response
B. To determine the root cause of the incident
C. To mitigate the damage being caused by the
incident
D. To detect the presence of an incident
87
4/17/2015
Practice Question
4. Which of the following is MOST important
factor when deciding whether to build an
alternate facility or subscribe to a hot site
operated by a third party?
A. Cost to restore lost data following the incident
B. Incremental cost of losing different systems
C. Location, availability, and cost of commercial
recovery facilities
D. Estimated annualized loss expectancy (ALE)
from key risks
88
4/17/2015
44
17/04/2015
Practice Question
5.
Which of the following documents should be

contained in an incident response procedures
manual
A.
B.
C.
D.
Risk Assessment report

Communications plan
Record of all assets and systems
Alternate site recovery procedures
89
4/17/2015
45
ISACA EXAM CANDIDATE

INFORMATION GUIDE
2015
ISACA Exam Candidate Information Guide
ISACA Exams 2015

Important Date Information
Exam Date13 June 2015 Exam
Early registration deadline: 11 February 2015
Final registration deadline: 10 April 2015
Exam registration changes: Between 11 April and 24 April 2015, charged a
US $50 fee, with no changes accepted after 24 April 2015
Refunds: By 10 April 2015, charged a US $100 processing fee, with no
refunds after that date
Deferrals: Requests received on or before 24 April 2015, charged a US $50
processing fee. Requests received from 25 April through 22 May 2015, charged
a US $100 processing fee. After 22 May 2015, no deferrals will be permitted.
All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
Exam Date12 September

2015 Exam*
Early registration deadline: 17 June 2015
Final registration deadline: 24 July 2015
* CISA and CISM only at select locations
Exam registration changes: Between 25 July and 3 August, charged a
US $50 fee, with no changes accepted after 3 August 2015
Refunds: By 24 July 2015, charged a US $100 processing fee, with no refunds
after that date
Deferrals: Requests received on or before 10 August 2015, charged a US $50
processing fee. Requests received from 11 August through 28 August 2015,
charged a US $100 processing fee. After 28 August 2015, no deferrals will be
permitted.
Exam Date12 December

2015 Exam
Early registration deadline: 19 August 2015
Final registration deadline: 23 October 2015
Exam registration changes: Between 24 October and 30 October, charged a
US $50 fee, with no changes accepted after 30 October 2015
Refunds: By 23 October 2015, charged a US $100 processing fee, with no
refunds after that date
Deferrals: Requests received on or before 23 October 2015, charged a
US $50 processing fee. Requests received from 24 October through
27 November 2015, charged a US $100 processing fee. After 27 November 2015,
no deferrals will be permitted.
Note:
The CISA Chinese Mandarin Traditional, German, Italian and Hebrew
languages are only offered at the June exam.
The CISA Turkish is only offered at the June and December exams.
The CISM Japanese and Korean languages are only offered at the June exam.
Visit www.isaca.org/examlocations for a listing of the exam sites.
Select the appropriate tab for June, September or December.
Please contact exam@isaca.org for further information.
Table of Contents
ISACA Certification .................................................................3
JuneImportant Date Information .......................................5
SeptemberImportant Date Information .............................6
DecemberImportant Date Information ..............................7
Exam Day Information............................................................8
Post Exam Information .........................................................10
About ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business
and IT leaders build trust in, and value from, information and information systems. Established in
1969, ISACA is the trusted source of knowledge, standards, networking, and career development
for information systems audit, assurance, security, risk, privacy and governance professionals.
ISACA offers the Cybersecurity NexusTM, a comprehensive set of resources for cybersecurity
professionals, and COBIT, a business framework that helps enterprises govern and manage their
information and technology. ISACA also advances and validates business-critical skills and knowledge
through the globally respected Certified Information Systems Auditor (CISA), Certified Information
Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in
Risk and Information Systems Control (CRISC) credentials. The association has more than
200 chapters worldwide.
ANSI Accredited Program

PERSONNEL CERTIFICATION
#0694
ISO/IEC 17024
CISA, CISM, CGEIT and CRISC Program Accreditation
Renewed Under ISO/IEC 17024:2003
The American National Standards Institute (ANSI) has accredited the CISA, CISM, CGEIT and CRISC
certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification
Systems of Persons. ANSI, a private, nonprofit organisation, accredits other organizations to serve
as third-party product, system and personnel certifiers. ISO/IEC 17024 specifies the requirements
to be followed by organizations certifying individuals against specific requirements. ANSI describes
ISO/IEC 17024 as expected to play a prominent role in facilitating global standardization of
the certification community, increasing mobility among countries, enhancing public safety and
protecting consumers.
ANSIs accreditation:
Promotes the unique qualifications and expertise that ISACA certifications provide
Protects the integrity of the certifications and provides legal defensibility
Enhances consumer and public confidence in the certifications and the people who hold them
Facilitates mobility across borders or industries
Accreditation by ANSI signifies that ISACAs procedures meet ANSIs essential requirements for
openness, balance, consensus and due process. With this accreditation, ISACA anticipates that
significant opportunities for CISAs, CISMs and CGEITs will continue to present themselves around
the world.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: certification@isaca.org
Web site: www.isaca.org
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Reservation of Rights
Copyright 2014 ISACA. Reproduction or storage in any form for any purpose is not permitted
without ISACAs prior written permission. No other right or permission is granted with respect to
this work. All rights reserved.

ISACA CERTIFICATION: IS AUDIT, SECURITY, GOVERNANCE AND RISK AND CONTROL
The ISACA Exam Candidate Information Guide includes candidate information about exam registration, dates, and deadlines and provides important key candidate
details for exam day administration. This publication is available online at www.isaca.org/examguide
The following certifications are addressed in this guide: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the
Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). A brief summary of each follows.
CISA
CISM
CGEIT
CRISC
Description
The CISA designation is a globally

recognized certification for IS
audit control, assurance, and
security professionals.
The management-focused
CISM certification promotes
international security practices
and recognizes the individual who
manages, designs, and oversees
and assesses an enterprises
information security.
CGEIT recognizes a wide range

of professionals for their
knowledge and application
of enterprise IT governance
principles and practices.
CRISC certification is designed

for those experienced in the
management of IT risk, and
the design, implementation,
monitoring and maintenance of
IS controls.
Eligibility
Requirements
Five (5) or more years of

experience in IS audit, control,
assurance, or security. Waivers
are available for a maximum of
three (3) years.

experience in information security
management. Waivers are
available for a maximum of
two (2) years.

experience managing, serving
in an advisory or oversight role,
and/or otherwise supporting the
governance of the IT-related
contribution to an enterprise
including a minimum of one
year of experience relating to
the definition, establishment and
management of a Framework for
the Governance of IT. There are
no substitutions or experience
waivers.
Three (3) or more years of

cumulative work experience
performing the tasks of a CRISC
professional across at least
two (2) CRISC domains, of which
one must be in Domain 1 or 2, is
required for certification.
There are no substitutions or
experience waivers.
Domains (%)
Domain 1The Process of

Auditing Information
Systems (14%)
Domain 2Governance and
Management of IT
(14%)
Domain 3Information Systems
Acquisition,
Development, and
Implementation
(19%)
Domain 4Information
Systems Operations,
Maintenance and
Support (23%)
Domain 5Protection of
Information Assets
(30%)
Domain 1Information Security

Governance (24%)
Domain 2Information Risk
Management and
Compliance (33%)
Domain 3Information
Security Program
Development and
Management (25%)
Domain 4Information Security
Incident Management
(18%)
Domain 1: Framework for

the Governance of
Enterprise IT (25%)
Domain 2: Strategic Management
(20%)
Domain 3: Benefits Realization
(16%)
Domain 4: Risk Optimization
(24%)
Domain 5: Resource Optimization
(15%)
Domain 1: IT Risk Identification

(27%)
Domain 2: IT Risk Assessment
(28%)
Domain 3: Risk Response and
Mitigation (23%)
Domain 4: Risk and Control
Monitoring and
Reporting (22%)
Number of
exam questions*:
length of exam
200 questions: 4 hours
Exam Languages
Chinese Mandarin Traditional**

Chinese Mandarin Simplified
English
French
German**
Hebrew**
Italian**
Japanese
Korean
Spanish
Turkish***
English
Japanese**
Korean**
Spanish
English
English
Spanish
* Consists of multiple choice items that cover the respective job practice areas created from the most recent job practice analysis. See page 11 for related links.
** June exam only
*** June and December exam only.

REGISTERING FOR THE EXAM
REGISTER FOR THE EXAM
You can register for an ISACA exam via online registration or hard copy registration form. To place your online registration via the ISACA web site visit
www.isaca.org/examreg. To register via hardcopy registration form, complete the hardcopy registration form provided at www.isaca.org/exam
and fax or mail to ISACA along with your payment information.
Note: Faxed/mailed registrations will incur an additional US $75 charge.
SUBMIT REGISTRATION FEES AND PAYMENT

Online early registrations received on or before early registration deadline
Online final registrations received by final registration deadline
ISACA
member
US $440
US $490
Non-ISACA
member
US $625
US $675
NOTE: Registration form and payment must

be received on or before the early registration
deadline to qualify for the early registration
rate.
Notes:
The CISA Chinese Mandarin Traditional, German, Hebrew, and Italian languages will only be offered at the June exam.
The CISM Japanese and Korean languages are only offered at the June Exam.
Visit www.isaca.org/examlocations for a listing of the exam sites. Please select the appropriate tab for the June, September or December locations.
Please contact exam@isaca.org for further information.
CONSIDER ISACA MEMBERSHIP

If you are not yet an ISACA member, consider joining during the registration process and enjoy the member discount on your exam and study materials.
Please visit www.isaca.org/join for detailed information on membership benefits and fees.
Join Dates
From 1 August 2014 to 30 May 2015
From 1 June 2015 to 31 July 2015
From 1 August 2015 to December 2015
Member Through
31 December 2015
31 December 2015
31 December 2016
Due Dates
Deadlines are based on Chicago, Illinois, USA, 5 P.M. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). If not registering online, please mail or fax the
registration form to ISACA. Do not do both. Submitting duplicate registrations online and/or by hard copy to ISACA may result in multiple registrations
and charges. Final registration forms and payment must be postmarked or received by fax on or before the final registration date for the exam you are registering
for. Both pages of the registration form must be received to complete a registration.
ACKNOWLEDGMENT OF REGISTRATION
An email acknowledgement of the exam registration, exam test site and exam language will be sent to registrants shortly after the processing of the registration.
Please review the exam registration details carefully and contact the ISACA certification department at exam@isaca.org for any corrections or changes. A receipt
letter acknowledging exam registration and payment with a link to ISACAs Exam Candidate Information Guide should be received by exam registrants within four
weeks (depending on your worldwide location and local postal delivery) of the processing of the registration form and payment. We encourage exam candidates to
review this Guide to familiarize themselves with exam day information and rules.

JUNEIMPORTANT DATE INFORMATION
Exam Date 13 June 2015
Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
z On or before 10 April 2015 ................................ No charge
z 11 April through 24 April 2015 .......................... US $50
No exam registration changes will be granted after 24 April 2015.
Refund and Deferrals of Fees

Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in
writing on or before 10 April 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for
a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
z On or before 24 April ......................................... US $50
z 25 April through 22 May .................................... US $100
Deferral requests will not be accepted after 22 May 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have
deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or
arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 1 June 2015 should contact the ISACA certification department at exam@isaca.org or via
phone at +1.847.660.5660.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements.
Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested.
Documented disability requests must be accompanied by a doctors note. Requests for a religious requirement must be accompanied by a note from the
candidates religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to
ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 10 April 2015 to exam@isaca.org.
Request for Additional Test Centers

If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more
paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment
of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 February
2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.
Exam locations
For a complete listing of the exam sites for the June exam administration visit www.isaca.org/examlocations and select the June Exam Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for
study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.

SEPTEMBERIMPORTANT DATE INFORMATION
Exam Date 12 September 2015
The September exam administration is only offered for the CISA and CISM certification exams at limited exam sites.

z On or before 24 July 2015................................. No charge
z 25 July through 3 August 2015 ......................... US $50
No exam registration changes will be granted after 3 August 2015.

writing on or before 24 July 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible
for a refund of their deferral fee and associated exam payment.
z On or before 10 August 2015 ............................ US $50
z 11 August through 28 August 2015................... US $100
Deferral requests will not be accepted after 28 August 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have
deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam
(or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 15 August 2015 should contact the ISACA certification department at exam@isaca.org or
via phone at +1.847.660.5660.
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities. Consideration for
reasonable alterations in exam format, presentation, and allowance of food or drink at the exam site must be requested and accompanied by a doctors
note. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International
Headquarters in writing, accompanied by appropriate documentation, no later than 27 July 2015 to exam@isaca.org.
Exam Locations
For a complete listing of the exam sites for the September exam administration visit www.isaca.org/examlocations and select the September Exam
Locations tab.

DECEMBERIMPORTANT DATE INFORMATION
Exam Date 12 December 2015
z On or before 23 October .................................... No charge
z 24 October through 30 October......................... US $50
No exam registration changes will be granted after 30 October 2015.

writing on or before 23 October 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not
eligible for a refund of their deferral fee and associated exam payment.
z On or before 23 October .................................... US $50
z 24 October through 27 November ..................... US $100
Deferral requests will not be accepted after 27 November 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have
deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or
arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 1 December 2015 should contact the ISACA certification department at exam@isaca.org or
via phone at +1.847.660.5660.
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements.
Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested.
Documented disability requests must be accompanied by a doctors note. Requests for a religious requirement must be accompanied by a note from the
candidates religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to
ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 23 October 2015 to exam@isaca.org.
Request for Additional Test Centers

If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more
paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment
of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 August
2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.
Exam Locations
For a complete listing of the exam sites for the December exam administration visit www.isaca.org/examlocations and select the December Exam Locations tab.

EXAM DAY INFORMATION
Admission Ticket
Approximately two to three weeks prior to the exam date, candidates will be sent an email admission ticket (eticket) from ISACA. Admission tickets are sent
via email to the current email address on file. In order to receive an admission ticket, all fees must be paid. Exam candidates can also download a copy of
the admission ticket at www.isaca.org > MyISACA page of the web site. Tickets will indicate the date, registration time and location of the exam, as well as
a schedule of events for that day and a list of materials that candidates must bring with them to take the exam. Candidates are not to write on the admission
ticket. Candidates can use their admission ticket (either a printout of their e-ticket or their downloaded ticket) only at the designated test center.
Identification on Exam Day
Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification (ID). An acceptable form of ID
must be a current and original government-issued ID that contains the candidates name, as it appears on the admission ticket, and the candidates
photograph. The information on the ID cannot be handwritten. All of these characteristics must be demonstrated by the single piece of ID provided. Examples
include, but are not limited to, a passport, drivers license, military ID, state ID, green card and national ID. Any candidate who does not provide an acceptable
form of ID will not be allowed to sit for the exam and will forfeit his/her registration fee. IDs will be checked during the exam administration.
Only candidates with an admission ticket and an acceptable government-issued ID will be admitted to take the exam, and the name on the
admission ticket must match the name on the government-issued ID. If candidates mailing and/or email addresses change, they should update
their profile on the ISACA web site (www.isaca.org ) or contact exam@isaca.org.
Arrival Time For Exam
It is imperative that candidates note the specific registration and exam times on their admission ticket. NO CANDIDATE WILL BE ADMITTED TO THE
TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAM BEGINS.
Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit his/her registration fee.
An admission ticket can only be used at the designated test center specified on the admission ticket. To ensure that you arrive in plenty of time for the exam,
we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center
telephone numbers and web site references have been provided (when available) to assist you in obtaining directions to the facility.
Exam Rules
Candidates will not be admitted to a test center after the oral instructions have begun.
Candidates should bring several sharpened No. 2 or HB (soft lead) pencils and a good eraser. Pencils and erasers will not be available at the test center.
As exam venues vary, every attempt will be made to make the climate control comfortable at each exam venue. Candidates may want to dress to their
own comfort level.
Candidates are not allowed to bring reference materials, blank paper, note pads or language dictionaries into the test center.
Candidates are not allowed to bring or use a calculator in the test center.
Candidates are not allowed to bring any type of communication, surveillance or recording device (including, but not limited to cell phones, tablets, smart
glasses, smart watches, mobile devices, etc.) into the test center. If exam candidates are viewed with any such communication, surveillance or
recording device during the exam administration, their exams will be voided and they will be asked to immediately leave the exam site.
Candidates are not allowed to bring baggage of any kind, including but not limited to handbags/purses, briefcases, etc. into the test center. Visit
www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, www.isaca.org/criscbelongings for more information
on personal belongings allowed or prohibited.
Visitors are not permitted in the test center.
No food or beverages are allowed in the test center (without advanced authorization from ISACA).
Candidates are urged to immediately record their answers on their answer sheet. No additional time will be allowed after the exam time has elapsed to transfer
or record answers should candidates mark their answers in the test booklet. The exam will be scored based on the answer sheet recordings only.
Candidates must gain authorization or be accompanied by a test proctor to leave the testing area.
Candidates may leave the testing room with authorization during the examination to visit the facilities. Only one person will be excused from the room at a
time. Testing staff will collect the candidate examination materials and the candidate will be required to check-out and check-in again upon re-entering the
exam. Note the examination time will not stop and no extra time will be allotted.
Misconduct
Candidates who are discovered in violation of the Exam Rules or engaging in any kind of misconduct including but not limited to the activities listed below will
be subject to disqualification. The testing agency will report all cases of misconduct to the respective ISACA Certification Committee for committee review in
order to render any decision necessary.
Giving or receiving help; using notes, papers or other aids,
Attempting to take the exam for someone else,
Possession of communication, surveillance or recording device, including but not limited to cell phones, tablets, smart glasses, smart watches,
mobile devices, etc, during the exam administration,
Removing test materials, answer sheet or notes from the testing center,
Attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA); including
sharing test questions subsequent to the exam.
Leaving the testing room or area without authorization or accompaniment by a test proctor. (These individuals will not be allowed to return to the testing room),
Accessing items stored in the personal belongings area before the completion of the exam, and
Continuing to write the exam after the proctor signals the end of the exam time.

Reasons for Dismissal or Disqualification and Voiding of Exam
Unauthorized admission to the test center.
Candidate creates a disturbance or gives or receives help.
Candidate attempts to remove test materials, questions, answers or notes from the test center.
Candidate impersonates another candidate.
Candidate brings items into the test center that are not permitted or accesses items stored in the personal belongings area during the exam.
Candidate possession of any communication, surveillance or recording device during the exam administration
Candidate leaves the test area without authorization.
Candidate continues to write the exam, including continuing to record answers on his/her answer sheet after the proctor signals the end of the examination.
Candidate shares test questions or other information contained in the exam.
Personal Belongings
Each test site will have a specific area designated for the storage of personal belongings. Neither ISACA or its testing vendor takes responsibility for personal
belongings of candidates. ISACA will not assume responsibility for stolen, lost or damaged personal property. To review the Personal Belongings Policy, please
visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, or www.isaca.org/criscbelongings. Personal items
brought to the exam site and stored in the belongings area of the testing center may not be accessed until the exam candidate has completed and submitted
his/her exam.
Taking the Exam/Types of Questions on the Exams
Exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All
questions are designed with one best answer.
Every question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The
stem may be in the form of a question or incomplete statement. In some instances, a scenario may also be included. These questions normally include a
description of a situation and require the candidate to answer two or more questions based on the information provided. The candidate is cautioned to read
each question carefully. An exam question may require the candidate to choose the appropriate answer based on a qualifier, such as MOST likely or BEST.
In every case, the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. To gain
a better understanding of the types of questions that might appear on the exam and how these questions are developed, refer to the Item Writing Guide
available at www.isaca.org/itemwriter. Representations of CISA exam questions are available at www.isaca.org/cisaassessment; CISM exam questions are
available at www.isaca.org/cismassessment.
Conduct Oneself Properly
To protect the security of the exam and maintain the validity of the scores, candidates are asked to sign the answer sheet.
The respective ISACA Certification Committee reserves the right to disqualify any candidate who is discovered engaging in any kind of misconduct or
violation of exam rules, including but not limited to giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone
else; using any type of communication, surveillance or recording device during the exam administration, removing test materials or notes from the test
center or attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA). The
testing agency will provide the respective ISACA Certification Committee with records regarding such irregularities for committee review and to render any
decision necessary.
Be Careful in Completing the Answer Sheet
Before a candidate begins the exam, the test center chief examiner will read aloud the instructions for entering identification information on the answer
sheet. A candidates identification number as it appears on the admission ticket and all other requested information must be correctly entered or scores
may be delayed or incorrectly reported.
A proctor speaking the primary language used at each test center is available. If a candidate desires to take the exam in a language other than the primary
language of the test center, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the
exam.
A candidate is instructed to read all instructions carefully and understand them before attempting to answer the questions. Candidates who skip over the
directions or read them too quickly could miss important information and possibly lose credit.
All answers are to be marked in the appropriate circle on the answer sheet. Candidates must be careful not to mark more than one answer per question
and to be sure to answer a question in the appropriate row of answers. If an answer needs to be changed, a candidate is urged to erase the wrong answer
fully before marking in the new one.
All questions should be answered. There are no penalties for incorrect answers. Grades are based solely on the number of questions answered
correctly, so do not leave any questions blank.
After completion, candidates are required to hand in their answer sheet and test booklet.
Budget Ones Time
The exam is four hours in length. Candidates are advised to pace themselves to complete the entire exam.
Candidates are urged to immediately record their answers on the answer sheet. No additional time will be allowed after the exam time has
elapsed to transfer or record answers should a candidate mark answers in the test booklet. The exam will be scored based on the answer
sheet recordings only.

Exam Day Comments
ISACA utilizes an internationally recognized professional testing agency to assist the construction, administration and scoring of the exams.
Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the Test Administration
Questionnaire. The Test Administration Questionnaire is presented at the back of the examination booklet with corresponding instructions for completion.
Candidates who wish to address any additional comments or concerns about the examination administration, including site conditions or the content of the
exam, should contact ISACA international headquarters by letter or by email (exam@isaca.org). Please include the following information in your comments:
exam ID number, testing site, date tested and any relevant details on the specific issue. Only those comments received by ISACA during the first 2 weeks
after the exam administration will be considered in the final scoring of the exam. Appeals undertaken by a certification exam taker, certification applicant or
by a certified individual are undertaken at the discretion and cost of the exam taker, applicant or individual.
POST EXAM INFORMATON:

Scoring the Exams
The ISACA exams consists of multiple-choice items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidates raw
score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. For example, the scaled score of 800 represents
a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions
were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard
of knowledge. A candidate receiving a passing score may then apply for certification if all other requirements are met.
The exams contain some questions which are included for research and analysis purposes only. These questions are not separately identified and not used to
calculate your final score.
Approximately five weeks for CISA/CISM and eight weeks for CGEIT/CRISC after the test date, the official exam results will be mailed to
candidates. Additionally, with the candidates consent during the registration process, an email message containing the candidates pass/fail status and
score will be sent to the candidate. This email notification will only be sent to the address listed in the candidates profile at the time of the initial release of
the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent email notification from being sent to spam
folders, candidates should add exam@isaca.org to their address book, whitelist or safe-senders list. Once released, scores will also be available in the ISACA
constituent profile at the MyISACA > MyCertifications page of the ISACA website.
Candidates will receive a score report containing a subscore for each domain area. Successful candidates will receive, along with a score report, details on
how to apply for certification.
The subscores can be useful in identifying those areas in which the unsuccessful candidate may need further study before retaking the exam. Unsuccessful
candidates should note that the total scaled score cannot be determined by calculating either a simple or weighted average of the subscores.
Candidates receiving a failing score on the exam may request a hand score of their answer sheets. This procedure ensures that no stray marks,
multiple responses or other conditions interfered with computer scoring. Candidates should understand, however, that all scores are subjected to
several quality control checks before they are reported; therefore, rescores most likely will not result in a score change. Requests for hand scoring must
be made in
writing to the certification department within 90 days following the release of the exam results. Requests for a hand score after the deadline date will not be
processed. All requests must include a candidates name, exam identification number and mailing address. A fee of US $75 must accompany each request.
Passing the exam does not grant the designation. Candidates have five years from the passing date to apply for certification. To become certified, each exam
passer must complete requirements including submitting an application for certification. Candidates receiving a score less than 450 have not passed and can
retake the exam by registering and paying the exam registration fee for the future administration. There are no limits to how many times a candidate can take
the exam.
ISACA Code of Professional Ethics
ISACA sets forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its
certification holders. Members and certifieds are required to abide by the Code. Failure to comply with this Code of Professional Ethics can result in an
investigation into a members and/or certification holders conduct and, ultimately, in disciplinary measures. The ISACA Code of Professional Ethics can be
viewed online at www.isaca.org/ethics.
10

Confidentiality
By taking an ISACA Exam, the candidate understands and agrees that the Exam (which includes all aspects of the exam, including, without limitation, the test
questions, answers, examples and other information presented or contained in the exam and exam materials) belongs to ISACA and constitutes ISACAs
confidential information (collectively, Confidential Information). The candidate agrees to maintain the confidentiality of ISACAs Confidential Information
at all times and understands that any failure to maintain the confidentiality of ISACAs Confidential Information may result in disciplinary action against the
candidate by ISACA or other adverse consequences, including, without limitation, nullification of his/her exam, loss of his/her credentials, and/or litigation.
Specifically, the candidate understands that he/she may not, for example, discuss, publish or share any exam question(s), his/her answers or thoughts on any
questions(s) or the exams format in any forum or media (i.e., via e-mail, Facebook, LinkedIn).
IMPORTANT ADDITIONAL REFERENCES

These references contain essential exam information and should be read in their entirety.
Important Additional References

CISA Exam
CISM Exam
CGEIT Exam
CRISC Exam
Certification
www.isaca.org/cisa
www.isaca.org/cism
www.isaca.org/cgeit
www.isaca.org/crisc
Preparing for the Exam
www.isaca.org/cisaprep
www.isaca.org/cismprep
www.isaca.org/cgeitprep
www.isaca.org/criscprep
Requirements for
Certification
Job Practice
www.isaca.org/cisarequirements
www.isaca.org/cismrequirements
www.isaca.org/cgeitrequirements
www.isaca.org/criscrequirements
Applying for
Certification
Maintaining your
Certification
Glossary of Terms
Acronyms
www.isaca.org/cisaapp
www.isaca.org/cismapp
www.isaca.org/cgeitapp
www.isaca.org/criscapp
www.isaca.org/cisacpepolicy
www.isaca.org/cismcpepolicy
www.isaca.org/cgeitcpepolicy
www.isaca.org/crisccpepolicy
www.isaca.org/glossary
www.isaca.org/cisaprep
www.isaca.org/cismprep
www.isaca.org/cisajobpractice www.isaca.org/cismjobpractice www.isaca.org/cgeitjobpractice www.isaca.org/criscjobpractice
Available Study Materials From ISACA:

Passing an ISACA exam can be achieved through an organized plan of study.
To assist individuals with the development of a successful study plan, ISACA
offers, for purchase, study aids to exam candidates. Visit www.isaca.org/
bookstore for more complete details including detailed descriptions of the
products, costs, and languages available. Order early as delivery time can be
one to two weeks, depending on geographic location and customs clearance
practices.
CISA:
CISA Review Manual 2015.
CISA Review Questions, Answers & Explanations Manual 2015
CISA Review Questions, Answers & Explanations Manual Supplement 2015
CISA Review Questions, Answers & Explanation Database
12 month subscription
CISA Review Questions, Answers & Explanation Database V15 CD-ROM
CISA Online Review Course
CISM:
CISM Review Manual 2015
CISM Review Questions, Answers & Explanations Manual 2014
CISM Review Questions, Answers & Explanations Manual 2014 Supplement
CISM Review Questions, Answers & Explanations Manual 2015 Supplement
CISM Review Questions, Answers & Explanation Database
CISM Review Questions, Answers & Explanation Database V15 CD-ROM
CGEIT:
CGEIT Review Manual 2015
CGEIT Review Questions, Answers & Explanations Manual 2015
CGEIT Review Questions, Answers & Explanations Manual Supplement 2015
COBIT5
CRISC:
CRISC Review Manual 2015
CRISC Review Questions, Answers & Explanations Manual 2015
CRISC Review Questions, Answers & Explanations Manual Supplement 2015
CRISC Review Questions, Answers & Explanation Database
ISACA Contact Information

Exam and exam registration
Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: exam@isaca.org
Certification
Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: certification@
isaca.org
Study aids
Phone: +1.847.660.5650; Email: bookstore@isaca.org
ISACA membership
Phone: +1.847.660.5600; Email: membership@isaca.org
DOC: 2015 Exam Candidates Guide
Version: V3
Update: 2015-03
11

Isaca Cism Courseware

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Isaca Cism Courseware

Hochgeladen von

Copyright:

Verfügbare Formate

ISACA

2015 CISM Review Course

This is NOT a Death-By-PowerPoint

CISM Exam Review Course Overview

Description of the Exam

Examination Job Content Areas

Examination Job Content Areas

2015 Exam Dates

Completing the Examination Items

Grading the Exam

ISACA uses and reports scores on a common

Technical Social Engineering

Technical Social Engineering is a chained

Technical Social Engineering

sending a malicious document attached to an email or

Infected machines will typically have the following components installed:

%System%\acelpvc.dll: Streams live desktop feed to the attacker

%System%\VedioDriver.dll: Helper dll for acelpvc.dll

Operation Aurora Tojan.Hydraq

Registers service by creating a registry

Opens a backdoor allowing a remote

Operation Aurora Google Case Study

Via clicked URL sent by

IE exploited via zero-day

Operation Aurora Google Case Study

ICEFOG Advanced Persistent Threat

2015 CISM Review Course

The CISM Candidate understands:

Chapter 1 Learning Objectives

The Priorities for the CISM

Elements and actions required to:

The First Question

Information Security Governance Overview

Selling the Importance of Information Security

Protecting the organizations reputation

The First Priority for the CISM

Business Goals and Objectives

Outcomes of Information Security Governance

Benefits of Information Security Governance

Performance and Governance

Developing Information Security Strategy

Information Security Strategy

Standard across the organization

Includes people, processes, technologies and

Achieving the desired state is a long-term

Objectives of Security Strategy

The Goal of Information Security

*Information is an asset only to the degree it supports the primary

Defining Security Objectives

Business Case Development

The Business case for Security must address

The Information Security

Security Program Priorities

Security versus Business

Security Program Objectives

Architecture is planning and design to meet the

Information Security Frameworks

Using an Information Security Framework

The Desired State of Security

The Desired State cont.

The Maturity of the Security Program Using CMM

Using the Balanced Scorecard

The ISO27001:2013 Framework