
ISACA

CISM Certification
Certified Information Security
Manager Courseware
Version 4.0

CISM
Firebrand Accelerated
Training

1
4/17/2015

2015 CISM Review Course

Introduction


Agenda
This introduction will address:
The CISM Certification
Course format

Examination format
Introduction of Attendees
To set the scene: recent incidents

This is NOT a Death-By-PowerPoint Seminar

But it IS a Seminar


CISM
Certified Information Security Manager
Designed for personnel who have (or want to have) responsibility for managing an information security program
A tough but very good quality examination
Requires understanding of the concepts behind a security program, not just the definitions

CISM Exam Review Course Overview


The CISM Exam is based on the CISM job
practice.
The ISACA CISM Certification Committee
oversees the development of the exam and
ensures the currency of its content.
There are four content areas that the CISM
candidate is expected to know.


CISM Qualifications
To earn the CISM designation, information
security professionals are required to:
Successfully pass the CISM exam
Adhere to the ISACA Code of Professional
Ethics
Agree to comply with the CISM continuing
education policy
Submit verified evidence of five (5) years of work experience in the field of information security, of which at least three (3) years must be in information security management

Daily Format
Lecture and Sample questions
Domain structure
Learning Objectives
Content
Sample Questions
Please note that the information in every domain overlaps with the information in other domains; during the course we will introduce topics that are expanded upon in later domains

Domain Structure (diagram, reconstructed as text using the slide's arrow labels)
Information Security Governance: mandates Information Risk Management and Compliance
Information Risk Management and Compliance: influences and deploys Information Security Program Development and Management
Information Security Program Development and Management: requires Information Security Incident Management
Information Security Incident Management: reports to Information Security Governance

Course Structure

Start Time
Breaks

Meals
End of Day
End of class on last day


Logistics
Fire Escapes
Assembly point
Mobile phones / pagers


The Examination


Description of the Exam


The exam consists of 200 multiple choice
questions that cover the CISM job practice
areas.
Four hours are allotted for completing the
exam
See the Candidate's Guide to the CISM Exam and Certification

Examination Job Content Areas


The exam items are based on the content in 4
information security areas
Information Security Governance 24%
Information Risk Management and Compliance
33%
Information Security Program Development
and Management 25%
Information Security Incident Management
18%


Examination Job Content Areas (pie chart): Information Security Governance 24%; Information Risk Management and Compliance 33%; Information Security Program Development and Management 25%; Information Security Incident Management 18%

2015 Exam Dates


The exam will be administered three times in 2015
The 1st exam date is June 13 (April 21 is the deadline for registration)
The 2nd exam date is Sept 12
The 3rd exam date is Dec 12
Many examination locations worldwide
Register at www.isaca.org

Examination Day
Be on time!!
The doors are locked when the instructions start, approximately 30 minutes before the examination start time.
Bring the admission ticket (sent out by ISACA prior to the examination) and an acceptable form of original photo identification (passport, photo ID or driver's license).

Completing the Examination Items


Bring several #2 pencils and an eraser
Read each question carefully
Read ALL answers prior to selecting the
BEST answer
Mark the appropriate answer on the test
answer sheet.
When correcting an answer be sure to
thoroughly erase the wrong answer before
filling in a new one.
There is no penalty for guessing. Answer
every question.

Grading the Exam


Candidate scores are reported as a scaled score, based on the conversion of a candidate's raw score on an exam to a common scale.
ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
Exam results will be mailed (and emailed) out approximately 8 weeks after the exam date.
Good Luck!


Introduction of Classmates


HIGHLY TECHNICAL ATTACKS

Stuxnet
Part of Operation Olympic Games, an operation begun in 2006 to disrupt Iran's nuclear programme
General James E. Cartwright, head of cyber operations inside US Strategic Command, developed the Stuxnet plan
Stage 1: Plant code that extracts maps of the air-gapped networks supporting nuclear labs and reprocessing plants in Iran
Stage 2: Payload development by the NSA's Foreign Affairs Directorate and the IDF's Intelligence Corps Unit 8200
Code name: The Bug
Stage 3: Test against P-1 centrifuges
Stage 4: Plant the worm in Natanz via spies and tricked insiders (engineers, maintenance workers, anyone with physical access to the plant). This was in 2008
The op was successful
The industrial control systems (PLCs) driving the high-speed centrifuges were infected and the centrifuges were damaged
The Iranians blamed themselves or their suppliers for the observed problems

Stuxnet
Roughly 20 times more complex than any previous piece of malware
Array of capabilities
Manipulated the centrifuges (changing rotor speeds; the earlier variant targeted cascade pressure valves) while replaying normal-looking readings to the system operators
Did not carry a forged digital certificate (the usual way malware gets its drivers loaded and trusted). It carried genuine code-signing certificates stolen from two reputable Taiwanese technology companies (Realtek and JMicron)
Exploited four zero-day vulnerabilities in Windows
Target specific. It remained dormant until the target was sighted. The target was the P-1 centrifuges. May have destroyed about 1,000 centrifuges at Natanz
Iran responded to the attack with an open call for hackers to join the Iranian Revolutionary Guard; it now claims the 2nd largest online army

GhostNet
GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide

GhostNet
Infected at least 1,295 computers across 103 countries

GhostNet
Malware retrieving a sensitive document

This screen capture of the Wireshark network analysis tool shows an infected computer at the Office of the Dalai Lama uploading a sensitive document to one of the GhostNet control servers.

GhostNet
The gh0st RAT interface:


GhostNet
gh0st RAT demonstration
https://www.youtube.com/watch?v=6p7FqSav6Ho

Technical Social Engineering


The purpose of social engineering is to install malicious software without the user noticing, or to trick the user into handing over sensitive information.

Technical social engineering is a chained exploit: human nature and software vulnerabilities are both exploited.

Technical Social Engineering


Operation Aurora
Targeted 34 companies in the financial, technology and defense sectors
A never-before-seen level of sophistication outside the defense industry. Prior to this, commercial attacks were typically SQL-injection or wireless-breach based
A highly sophisticated and coordinated attack against Google's corporate network
Targeted and stole IP (source code repositories)
Accessed the Gmail accounts of human rights activists

Operation Aurora
Used several pieces of malware, layers of encryption, stealth programming and zero-day exploits in IE, Word, Excel and Adobe PDFs
The attack was obfuscated and avoided common detection methods
Tailored to target a small number of corporate users, by:
sending a malicious document attached to an email, or
sending a spoofed email message with a link to a malicious website
Infected machines will typically have the following components installed:
%System%\[RANDOM].dll: main file. Runs as a service and has back door capabilities
%System%\acelpvc.dll: streams a live desktop feed to the attacker
%System%\VedioDriver.dll: helper DLL for acelpvc.dll

Operation Aurora
Siphoned off the live feed and/or data to C&C servers in Illinois, Texas and Taiwan
One C&C server was hosted by Rackspace
Designed to occur during the holiday season, when company SOCs and IRTs would be thinly staffed

Operation Aurora: Trojan.Hydraq
Infects Windows 2000, XP, Vista, 7, Server 2003 and Server 2008
Creates 2 files
Creates a service named RaS followed by four random characters
Registers the service by creating a registry subkey
Adds the service to this registry entry, so that svchost.exe loads it at boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
Opens a backdoor allowing a remote attacker to do a number of things
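A host check derived from the persistence mechanism above, added here as an example and not part of the course material or of any vendor's tooling: it reads the netsvcs group and each member's ServiceDll, diffs the group against a known-good baseline and applies the RaS naming heuristic. BASELINE_NETSVCS and the SAMPLE_* records are constructed (and abbreviated) for this example rather than taken from a real build; on a real host the baseline must come from a golden image of the same Windows version. Live collection uses Python's standard winreg module and falls back to the sample data on non-Windows systems.

```python
"""Audit the svchost 'netsvcs' service group for members that do not belong.

Added example (not course material). Trojan.Hydraq persisted by registering
a service named "RaS" plus four random characters and adding it to the
netsvcs group, so that svchost.exe loaded its DLL from %System% at boot.
The audit below diffs the group against a known-good baseline and applies
that naming heuristic. BASELINE_NETSVCS and the SAMPLE_* records are
constructed for this example; a real baseline must be taken from a golden
image of the same Windows build.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed, abbreviated baseline: the netsvcs members expected on the golden image.
BASELINE_NETSVCS = {
    "AppMgmt", "AudioSrv", "BITS", "Browser", "CryptSvc", "EventSystem",
    "LanmanServer", "LanmanWorkstation", "Netman", "Rasauto", "Rasman",
    "Schedule", "Seclogon", "SENS", "Themes", "TrkWks", "W32Time",
    "winmgmt", "wuauserv",
}

# Hydraq service name: literal "RaS" followed by four random characters.
# Case-sensitive on purpose: the legitimate Rasauto service would otherwise match.
HYDRAQ_NAME = re.compile(r"^RaS[A-Za-z0-9]{4}$")


def audit_netsvcs(netsvcs: List[str], service_dlls: Dict[str, str],
                  baseline=BASELINE_NETSVCS) -> List[dict]:
    """Return one finding per netsvcs member that fails a check.

    netsvcs      - the REG_MULTI_SZ value of
                   HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\\netsvcs
    service_dlls - service name -> ServiceDll value from
                   HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters
    """
    findings = []
    for name in netsvcs:
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline netsvcs group")
        if HYDRAQ_NAME.match(name):
            reasons.append("matches Hydraq RaS#### naming pattern")
        if reasons:
            findings.append({
                "service": name,
                # The DLL path is reported for triage (hash it, check its signature).
                "service_dll": service_dlls.get(name, "<no ServiceDll registered>"),
                "reasons": reasons,
            })
    return findings


def collect_from_registry() -> Optional[Tuple[List[str], Dict[str, str]]]:
    """Read the live values on a Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost") as key:
        netsvcs, _ = winreg.QueryValueEx(key, "netsvcs")
    dlls = {}
    for name in netsvcs:
        try:
            with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Services\%s\Parameters" % name) as params:
                dlls[name], _ = winreg.QueryValueEx(params, "ServiceDll")
        except OSError:
            pass  # listed in the group but no such service (or no ServiceDll) on this host
    return list(netsvcs), dlls


# Constructed sample: the baseline members plus one Hydraq-style addition.
SAMPLE_NETSVCS = sorted(BASELINE_NETSVCS) + ["RaSk2Qx"]
SAMPLE_DLLS = {
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "RaSk2Qx": r"C:\WINDOWS\system32\qgvxwtr.dll",  # constructed stand-in for [RANDOM].dll
}

if __name__ == "__main__":
    live = collect_from_registry()
    netsvcs, dlls = live if live is not None else (SAMPLE_NETSVCS, SAMPLE_DLLS)
    for finding in audit_netsvcs(netsvcs, dlls):
        print(finding)
```

The baseline diff is the primary signal; the name pattern is only a convenience, which is why it is kept case-sensitive (the legitimate Rasauto and Rasman services also begin with "Ras"). Anything flagged should be triaged by hashing the ServiceDll and checking its signature rather than removed on sight.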

Operation Aurora: Google Case Study
The initial attack occurred when company executives visited a malicious site
via a clicked URL sent by email/IM, or
via social networking sites
Drive-by download
IE exploited via a zero-day exploit
Multiple pieces of malware downloaded onto the device, automatically and transparently

Operation Aurora: Google Case Study
Shell code triple-encrypted
Downloaded encrypted binary code in 2 encrypted .exes from an external node
Opened a backdoor
Beachhead into other parts of the corporate network
Established an encrypted covert channel masquerading as an SSL connection
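A detection for the last item above, added here as an example and not part of the course material or of any vendor's product: a channel that merely uses port 443 is not TLS, and a genuine TLS session begins with a ClientHello inside a handshake record that can be recognised from the first client-to-server bytes. The function checks that header (and the legacy SSLv2-compatible hello) and flags flows to 443 that fail it. The flow records and payloads are constructed for this example.

```python
"""Flag TCP flows to port 443 whose first client bytes are not a TLS handshake.

Added example (not course material). A covert channel that merely uses
port 443 passes a port-based firewall rule, but a genuine TLS session
starts with a ClientHello inside a handshake record, which is checkable
on the first client-to-server segment. The flow records below are
constructed for this example.
"""
from typing import Dict, List


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start like a TLS (or SSLv2-compatible) ClientHello."""
    # Modern record layer: content type 0x16 (handshake), version 0x03 0x00..0x03
    # (SSL 3.0 .. TLS 1.2; TLS 1.3 still puts 0x0301 or 0x0303 here), 2-byte
    # length, then the handshake message type 0x01 = ClientHello.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03):
        record_len = int.from_bytes(payload[3:5], "big")
        return 0 < record_len <= 2 ** 14 and payload[5] == 0x01
    # Legacy SSLv2-compatible hello: 2-byte length with the high bit set,
    # message type 0x01, then the highest offered version 0x03 0x0X.
    if (len(payload) >= 5 and payload[0] & 0x80 and payload[2] == 0x01
            and payload[3] == 0x03 and payload[4] <= 0x03):
        return True
    return False


def find_fake_ssl(flows: List[Dict]) -> List[Dict]:
    """Return the flows to port 443 whose first client payload is not a TLS hello.

    Each flow is {"client", "server", "dport", "payload"} where payload holds the
    first client-to-server bytes; flows with no client data yet are skipped.
    """
    return [f for f in flows
            if f["dport"] == 443 and f["payload"]
            and not looks_like_tls_client_hello(f["payload"])]


# Constructed samples: a real ClientHello prefix, a binary beacon and plain HTTP
# sent to 443, the same HTTP on 80, an SSLv2-compatible hello prefix, no data yet.
REAL_CLIENT_HELLO = bytes.fromhex("160301009c0100009803030a1b2c3d")
FAKE_SSL_BEACON = bytes.fromhex("00000020" "5c1e9a07" "d2e4f6a8")
HTTP_REQUEST = b"GET /update HTTP/1.1\r\nHost: updates.example\r\n\r\n"
SSLV2_HELLO = bytes.fromhex("802e0103010015")

SAMPLE_FLOWS = [
    {"client": "10.0.0.15", "server": "203.0.113.7", "dport": 443, "payload": REAL_CLIENT_HELLO},
    {"client": "10.0.0.21", "server": "198.51.100.9", "dport": 443, "payload": FAKE_SSL_BEACON},
    {"client": "10.0.0.33", "server": "192.0.2.44", "dport": 443, "payload": HTTP_REQUEST},
    {"client": "10.0.0.33", "server": "192.0.2.44", "dport": 80, "payload": HTTP_REQUEST},
    {"client": "10.0.0.40", "server": "203.0.113.8", "dport": 443, "payload": SSLV2_HELLO},
    {"client": "10.0.0.41", "server": "203.0.113.9", "dport": 443, "payload": b""},
]

if __name__ == "__main__":
    for flow in find_fake_ssl(SAMPLE_FLOWS):
        print("non-TLS on 443: %s -> %s  first bytes %s"
              % (flow["client"], flow["server"], flow["payload"][:8].hex()))
```

This is a first-segment check only: it flags legitimate non-TLS services that happen to listen on 443, and it cannot catch an implant that sends a genuine ClientHello and hides inside real TLS, so it is one layer alongside certificate inspection and beacon-interval analysis, not a substitute for them.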

ICEFOG Advanced Persistent Threat
A threat actor
Emerging trend of cyber-mercenary teams, from tens to hundreds strong, available for hire to perform surgical hit-and-run operations
Going after the supply chain and compromising targets with surgical precision
Relies on spear-phishing emails that attempt to trick a victim into opening a malicious attachment or visiting a malicious website
Victims were Japanese and South Korean targets
From China with love

End of Introduction


ISACA
Trust in, and value from,
information systems


2015 CISM Review Course

Chapter 1
Information Security
Governance


Course Agenda
Priorities for the CISM
Corporate Governance
Information Security Strategy
Information Security Program
Elements of a Security Program
Roles and Responsibilities
Evaluating a Security Program
Reporting and Compliance
Ethics

Examination Content

The CISM candidate understands:

An effective security governance framework
Building and deploying a security strategy aligned with organizational goals
Managing risk appropriately
Responsible management of program resources
The content area in this chapter represents approximately 24% of the CISM examination (approximately 48 questions).

Chapter 1 Learning Objectives


Align the organization's information security strategy with business goals and objectives
Obtain senior management commitment
Provide support for:
Governance
Business cases to justify security
Compliance with legal and regulatory mandates
Organizational priorities and strategy
Identify drivers affecting the organization
Define roles and responsibilities
Establish metrics to report on the effectiveness of the security strategy

The Priorities for the CISM Candidate in Chapter One

CISM Priorities
The CISM must understand:
Requirements for effective information
security governance

Elements and actions required to:
Develop an information security strategy
Create a plan of action to implement it

The First Question


In your own words, please describe what information security is, and what the purpose or value of information security is in relation to the business.

Information Security
Information is indispensable to conduct
business effectively today
Information must be:
Available
Have Integrity of data and process
Be kept Confidential as needed
Protection of information is a responsibility
of the Board of Directors

Information Security
Information Protection includes:
Accountability
Oversight
Prioritization
Risk Management
Compliance (Regulations and Legislation)


Information Security Governance Overview


Information security is much more than just IT
security (more than technology)
Information must be protected at all levels of the
organization and in all forms
Information security is a responsibility of
everyone
In all forms: paper, fax, audio, video, microfiche, networks, storage media, computer systems

Selling the Importance of Information Security


Benefits of effective information security
governance include:
Improved trust in customer relationships

Protecting the organization's reputation
Better accountability for safeguarding information during critical business activities
Reduction in loss through better incident handling and disaster recovery

The First Priority for the CISM


Remember that information security is a business-driven activity.
Security is here to support the interests and needs of the organization, not just the desires of security.
Security is always a balance: between cost and benefit, and between security and productivity.

Corporate Governance


Business Goals and Objectives


Corporate governance is the set of
responsibilities and practices exercised by
the board and executive management
Goals include:
Providing strategic direction
Reaching security and business objectives
Ensuring that risks are managed appropriately
Verifying that the enterprise's resources are used responsibly

Outcomes of Information Security Governance


The six basic outcomes of effective security
governance:
Strategic alignment
Risk management
Value delivery
Resource management
Performance measurement
Integration

Benefits of Information Security Governance


Effective information security governance can offer
many benefits to an organization, including:
Compliance and protection from litigation or penalties
Cost savings through better risk management
Avoiding the risk of lost opportunities
Better oversight of systems and business operations
The opportunity to leverage new technologies to business advantage

Performance and Governance


Governance is only possible when metrics are in place to measure, monitor and report on whether critical organizational objectives are achieved
Enterprise-wide measurements should be developed

Information Security
Strategy


Developing Information Security Strategy

An information security strategy:
Takes a long-term perspective
Is standard across the organization
Is aligned with business strategy and direction
Reflects an understanding of the culture of the organization
Reflects business priorities

Elements of a Strategy
A security strategy needs to include:
Resources needed
Constraints
A road map, covering people, processes, technologies and other resources
A security architecture: defining business drivers, resource relationships and process flows
Achieving the desired state is a long-term goal, reached through a series of projects

Objectives of Security Strategy


The objectives of an information security
strategy must
Be defined
Be supported by metrics (measureable)
Provide guidance


The Goal of Information Security


The goal of information security is to protect the organization's assets, individuals and mission
This requires:
Asset identification
Classification of data and systems according to criticality and sensitivity
Application of appropriate controls

*Information is an asset only to the degree that it supports the primary purpose of the business

Defining Security Objectives


The information security strategy forms the
basis for the plan(s) of action required to
achieve security objectives
The long-term objectives describe the
desired state
Should describe a well-articulated vision of
the desired outcomes for a security program
Security strategy objectives should be stated
in terms of specific goals directly aimed at
supporting business activities

Business Linkages
Business linkages
Start with understanding the specific
objectives of a particular line of business
Take into consideration all information flows
and processes that are critical to ensuring
continued operations
Enable security to be aligned with and
support business at strategic, tactical and
operational levels

Business Case Development


The business case for initiating a project must be captured and communicated:
Dependencies
Reference
Context
Project metrics
Value proposition
Workload
Focus
Required resources
Deliverables
Commitments
The business case for security must address the same criteria

The Information Security Program

Question:
What steps/elements are
necessary to develop an
effective security program?


Security Program Priorities


Achieve high standards of corporate
governance
Treat information security as a critical
business issue
Create a security positive environment
Have declared responsibilities


Security versus Business


Security must be aligned with business needs
and direction
Security is woven into the business functions
Provides
Strength
Resilience
Protection
Stability
Consistency


Security Program Objectives


Ensure the availability of systems and data
Allow access to the correct people in a timely manner
Protect the integrity of data and business processes
Ensure no improper modifications
Protect the confidentiality of information
Prevent unauthorized disclosure of information (privacy, trade secrets, etc.)

What is Security?
A structured deployment of risk-based controls related to:
People
Processes
Technology

Security Integration
Security needs to be integrated INTO the business processes
The goal is to reduce security gaps through an organization-wide security program
Integrate IT security with:
Physical security
Risk management
Privacy and compliance
Business continuity management

Security Program
Starts with theory and concepts (policy)
Interpreted through:
Procedures
Baselines
Standards
Measured through audit

Architecture
Information security architecture is similar to physical architecture:
Requirements definition
Design / modeling
Creation of detailed blueprints
Development, deployment
Architecture is planning and design to meet the needs of the stakeholders
Security architecture is one of the greatest needs for most organizations

Information Security Frameworks


Framework
Template
Structure
Measurable / Auditable
Project Planning and Management
Strategic, Tactical and Operational
viewpoints

Using an Information Security Framework


Effective information security is provided
through adoption of a security framework
Defines information security objectives
Aligns with business objectives
Provides metrics to measure compliance and
trends
Standardizes baseline security activities
enterprise-wide

The Desired State of Security


The desired state of security must be
defined in terms of attributes,
characteristics and outcomes
It should be clear to all stakeholders what
the intended security state is


The Desired State cont.


The desired state according to COBIT (Control
Objectives for Information and related
Technology)
Protecting the interests of those relying on
information, and the processes, systems and
communications that handle, store and deliver the
information, from harm resulting from failures of
availability, confidentiality and integrity
Focuses on IT-related processes from IT
governance, management and control perspectives

The Maturity of the Security Program Using CMM


0: Nonexistent - No recognition by the organization of the need for security
1: Ad hoc - Risks are considered on an ad hoc basis; no formal processes
2: Repeatable but intuitive - Emerging understanding of risk and the need for security
3: Defined process - Company-wide risk management policy and security awareness
4: Managed and measurable - Risk assessment is standard procedure, roles and responsibilities assigned, policies and standards in place
5: Optimized - Organization-wide processes implemented, monitored and managed

Using the Balanced Scorecard

The four perspectives of the Balanced Scorecard (diagram), arranged around Vision and Strategy:
Financial
Customer
Internal Business Processes
Learning and Growth

The ISO 27001:2013 Framework

The goal of ISO 27001:2013 is to:
Establish
Implement
Maintain, and
Continually improve
an information security management system (ISMS)

Annex A contains 14 control domains, 35 control objectives and 114 controls

Examples of Other Security Frameworks


SABSA (Sherwood Applied Business Security
Architecture)
COBIT
COSO
Business Model for Information Security
Model originated at the Institute for Critical
Information Infrastructure Protection


Examples of Other Security Frameworks


ISO standards on quality (ISO 9001:2000)
Six Sigma
Publications from NIST and ISF
US Federal Information Security
Management Act (FISMA)


Constraints and Considerations for a Security Program
Constraints
Legal: laws and regulatory requirements
Physical: capacity, space, environmental constraints
Ethics: appropriate, reasonable and customary
Culture: both inside and outside the organization
Costs: time, money
Personnel: resistance to change, resentment of new constraints

Constraints and Considerations for a Security Program cont.
Constraints
Organizational structure: how decisions are made and by whom, turf protection
Resources: capital, technology, people
Capabilities: knowledge, training, skills, expertise
Time: window of opportunity, mandated compliance
Risk tolerance: threats, vulnerabilities, impacts

Elements of a Security Program


Elements of Risk and Security


The next few slides list many factors that go
into a Security program.


Risk Management
The basis for most security programs is Risk
Management:
Risk identification
Risk Mitigation

Ongoing Risk Monitoring and evaluation


The CISM must remember that risk is measured according to the potential impact on the ability of the business to meet its mission, not just the impact on IT.

Information Security Concepts

Access
Architecture
Attacks
Auditability
Authentication
Authorization
Availability
Business dependency analysis
Business impact analysis
Confidentiality
Countermeasures
Criticality
Data classification
Exposures
Gap analysis
Governance

Information Security Concepts cont.

Identification
Impact
Integrity
Layered security
Management
Nonrepudiation
Risk / Residual risk
Security domains
Security metrics
Sensitivity
Standards
Strategy
Threats
Trust models
Vulnerabilities
Enterprise architecture
Security Program Elements

Policies
Standards
Procedures
Guidelines
Controls: physical, technical, procedural
Technologies
Personnel security
Organizational structure
Skills

Security Program Elements cont.

Training
Awareness and education
Compliance enforcement
Outsourced security providers
Other organizational support and assurance providers
Facilities
Environmental security

Third Party Agreements


Ensure that security requirements are
addressed in all third party agreements
Service Level Agreements
Jurisdiction in case of dispute
Right to audit or obtain independent
verification of compliance


Roles and Responsibilities


Roles and Responsibilities of Senior Management
Board of directors
Information security governance / accountability
Executive management
Implementing effective security governance and defining the strategic security objectives
Budget and support
Steering committee
Ensuring that all stakeholders impacted by security considerations are involved
Oversight and monitoring of the security program

Senior Management Commitment


To be successful, information security must
have the support of senior management
Budget
Direction/ Policy
Reporting and Monitoring
A bottom-up management approach to
information security activities is much less
likely to be successful

How can we obtain continued senior management support for the security program?

Steering Committee
Oversight of the information security program
Acts as liaison between management, business, information technology and information security
Ensures all stakeholder interests are addressed
Oversees compliance activities

CISO: Chief Information Security Officer

Responsibilities
Responsible for information security-related activity:
Policy
Investigation
Testing
Compliance

Business Manager Responsibilities


Responsible for security enforcement and
direction in their area
Day to day monitoring
Reporting
Disciplinary actions
Compliance


IT Staff Responsibilities
Responsible for security design, deployment
and maintenance
System and Network monitoring

Reporting
Operations of security controls
Compliance


Centralized versus Decentralized Security
Which is better?
Consistency versus flexibility
Central control versus local ownership
Procedural versus responsive
Core skills versus distributed skills
Visibility to senior management versus visibility to users and local business units

Evaluating the Security Program


Audit and Assurance of Security


Objective review of security risk, controls
and compliance
Assurance regarding the effectiveness of
security is a part of regular organizational
reporting and monitoring


Evaluating the Security Program


Metrics are used to measure results
Measure security concepts that are
important to the business
Use metrics that can be used for each
reporting period
Compare results and detect trends


Effective Security Metrics


Set metrics that will indicate the health of the security program
Incident management
Degree of alignment between security and business development:
Was security consulted?
Were controls designed into the systems or added later?

Effective Security Metrics cont.


Choose metrics that can be controlled
Measure items that can be influenced or managed by local managers / security, not external factors such as the number of viruses released in the past year
Have clear reporting guidelines
Monitor on a regular, scheduled basis

Key Performance Indicators (KPIs)


Thresholds to measure
Compliance / non-compliance
Pass / fail
Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action
should / must be taken
Alarm point
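A worked illustration of the metrics slides above (per-period measurement with trend comparison, and KPIs as alarm points), added here as an example and not part of the course material: it aggregates incident records into two controllable metrics per quarter, median hours from detection to containment and the share of high-severity incidents contained within 24 hours, compares each with a KPI threshold and reports the trend against the previous period. The incident records and the threshold values are constructed for this example; a real program sets its alarm points from its own risk appetite.

```python
"""Turn raw incident records into per-period metrics and evaluate KPIs.

Added example (not course material). Two controllable metrics are computed
per quarter, median hours from detection to containment and the share of
high-severity incidents contained within 24 hours, each is compared with a
KPI alarm point, and the trend against the previous period is reported.
INCIDENTS and the KPI thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Constructed incident records (ISO timestamps, local time).
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "detected": "2015-01-05T09:00", "contained": "2015-01-05T15:00"},
    {"id": "INC-2", "severity": "medium", "detected": "2015-02-10T08:00", "contained": "2015-02-11T20:00"},
    {"id": "INC-3", "severity": "high",   "detected": "2015-03-01T10:00", "contained": "2015-03-02T22:00"},
    {"id": "INC-4", "severity": "high",   "detected": "2015-04-03T11:00", "contained": "2015-04-03T14:00"},
    {"id": "INC-5", "severity": "high",   "detected": "2015-05-20T09:00", "contained": "2015-05-21T07:00"},
    {"id": "INC-6", "severity": "low",    "detected": "2015-06-15T13:00", "contained": "2015-06-16T01:00"},
    {"id": "INC-7", "severity": "high",   "detected": "2015-06-28T22:00", "contained": "2015-06-29T06:00"},
]

# KPI alarm points (constructed): ("max", t) alarms when value > t, ("min", t) when value < t.
KPIS = {
    "median_hours_to_contain": ("max", 24.0),
    "pct_high_contained_in_24h": ("min", 90.0),
}


def hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def period_of(timestamp: str) -> str:
    d = datetime.fromisoformat(timestamp)
    return "%d-Q%d" % (d.year, (d.month - 1) // 3 + 1)


def compute_metrics(incidents: List[dict]) -> Dict[str, Dict[str, Optional[float]]]:
    """Group incidents by the quarter they were detected in and compute the metrics."""
    by_period = defaultdict(list)
    for inc in incidents:
        by_period[period_of(inc["detected"])].append(inc)
    metrics = {}
    for period, incs in sorted(by_period.items()):
        hours = {i["id"]: hours_between(i["detected"], i["contained"]) for i in incs}
        high = [i["id"] for i in incs if i["severity"] == "high"]
        fast = [i for i in high if hours[i] <= 24]
        metrics[period] = {
            "incidents": len(incs),
            "median_hours_to_contain": median(hours.values()),
            # None (not 100%) when a period has no high-severity incidents to judge.
            "pct_high_contained_in_24h": 100.0 * len(fast) / len(high) if high else None,
        }
    return metrics


def evaluate(metrics, kpis=KPIS) -> List[dict]:
    """One row per (period, metric): KPI status plus trend against the previous period."""
    rows = []
    periods = sorted(metrics)
    for idx, period in enumerate(periods):
        for name, (kind, threshold) in kpis.items():
            value = metrics[period][name]
            if value is None:
                continue
            breached = value > threshold if kind == "max" else value < threshold
            trend = "n/a"
            prev = metrics[periods[idx - 1]][name] if idx > 0 else None
            if prev is not None:
                if value == prev:
                    trend = "flat"
                else:
                    better = value < prev if kind == "max" else value > prev
                    trend = "improving" if better else "worsening"
            rows.append({"period": period, "metric": name, "value": round(value, 1),
                         "status": "ALARM" if breached else "ok", "trend": trend})
    return rows


if __name__ == "__main__":
    for row in evaluate(compute_metrics(INCIDENTS)):
        print("%(period)s  %(metric)-28s %(value)6.1f  %(status)-5s %(trend)s" % row)
```

Both metrics are under the control of the incident response function, which is the property the slides ask for; the high-severity share is reported as undefined rather than 100% for a period with no high-severity incidents so that an empty quarter does not read as a good one.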

End to End Security


Security must be enabled across the
organization not just on a system by system
basis
Performance measures should ensure that
security systems are integrated with each
other
Layered defenses


Correlation Tools
The CISM may use Security Information and Event Management (SIEM; also called SIM or SEM) tools to aggregate data from across the organization
Data analysis
Trend detection
Reporting tools
Reporting and Compliance


Regulations and Standards


The CISM must be aware of:
National laws (e.g. privacy)
Regulations (reporting, performance)
Industry standards (Payment Card Industry (PCI), Basel II)

Effect of Regulations
Requirements for business operations
Potential impact of breach
Cost
Reputation
Scheduled reporting requirements
Frequency
Format

Reporting and Analysis

Data gathering at source
Accuracy
Identification
Reports signed by an organizational officer

Ethics


Ethical Standards
Rules of behaviour
Legal
Corporate

Industry
Personal


Ethical Responsibility
Responsibility to all stakeholders
Customers
Suppliers

Management
Owners
Employees
Community

ISACA Code of Ethics

Required for all certification holders
Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

ISACA Code of Ethics cont.


Serve in the interest of stakeholders in a
lawful and honest manner, while maintaining
high standards of conduct and character, and
not engage in acts discreditable to the
profession.
Maintain the privacy and confidentiality of
information obtained in the course of their
duties unless disclosure is required by legal
authority. Such information shall not be used
for personal benefit or released to
inappropriate parties.

ISACA Code of Ethics cont.


Maintain competency in their respective
fields and agree to undertake only those
activities, which they can reasonably expect
to complete with professional competence.
Inform appropriate parties of the results of
work performed; revealing all significant
facts known to them.
Support the professional education of
stakeholders in enhancing their understanding
of information systems security and control.

Practice Question
1. The PRIMARY purpose of a security strategy is to provide:
A. The basis for determining the security architecture for the organization.
B. The intent and direction of management.
C. Guidance for users on how to comply with security requirements.
D. Standards to measure compliance.

Practice Question
2. The BEST method of improving security
compliance is:
A. To make it easier for employees to follow
security rules.
B. To have comprehensive organization-wide
security policies.
C. To have an active security awareness program.
D. To inform all staff about legal regulations and legislation.

Practice Question
3. The MOST important task of the information security manager regarding compliance with regulations is to:
A. Develop the policies and standards to be followed by the organization.
B. Ensure that accurate and complete data is used in reporting procedures.
C. Provide guidance to business units on the legal requirements for compliance.
D. Approve all reports prior to submission to outside agencies.

Practice Question
4. The MOST important consideration in the
development of security policies is that:
A. The policies reflect the intent of Senior
Management.
B. The policies are legal.
C. All employees agree with the policies.
D. The correct procedures are developed to support the requirements of the policy.

End of Domain


ISACA
Trust in, and value from,
information systems


2015 CISM Review Course

Chapter 2
Information Risk
Management and
Compliance


Course Agenda

Information asset classification
Identify regulatory, legal and other requirements
Identify risk, threats and vulnerabilities
Risk treatment
Evaluate security controls
Integrate risk management into business processes
Report non-compliance and other changes in risk

Exam Relevance
Ensure that the CISM candidate manages information risk to an acceptable level to meet the business and compliance requirements of the organization
The content area in this chapter represents approximately 33% of the CISM examination (approximately 66 questions).

Chapter 2 Task Statements


Establish an information asset classification
and ownership process
Ensure risk, threat and vulnerability
assessments are conducted periodically
Evaluate security controls
Identify gaps between current and desired
state


Chapter 2 Task Statements cont.


Integrate risk, threat and vulnerability
identification and management into the
organization
Monitor existing risk to ensure changes are
identified and managed appropriately
Report information risk management levels to
management.


Information Asset
Classification


Information Asset Classification

Need to know what information to protect
Need to know who is responsible for protecting it
Ownership
Roles and responsibilities

Roles and Responsibilities


Information protection requires clear
assignment of responsibilities
Information owner
Information System owner

Board of Directors / Chief Executive Officer


Users
Information Custodians
Third Party Suppliers
9
4/17/2015

Roles and Responsibilities


Information security risk management is an
integral part of security governance
Is the responsibility of the board of directors
or the equivalent to ensure that these
efforts are visible
Management must be involved in and sign off
on acceptable risk levels and risk
management objectives

10
4/17/2015

17/04/2015

Information Classification Considerations
Business impact and reliance of business on information and information systems
Understand business objectives
Availability of data / systems
Sensitivity of data / systems

Regulations and Legislation
Information asset protection may be required by legislation:
Privacy (consumer data, employee data)
Financial accuracy (SOX-type laws)

Asset Valuation
Information asset valuation may be based on:
Financial considerations
Liability for lost data
Cost to create or restore data
Impact on business mission
Reputation
Customer or supplier confidence

Valuation Process
Determine ownership
Determine number of classification levels
Develop labeling scheme
Identify all information types and locations
De-classify when data no longer needs protection

Information Protection
Ensure that data is protected consistently across all systems
Protect data in all forms: paper, electronic, optical, fax
Protect data at all times: storage, transmission, processing, destruction

Information Asset Protection
Policies (communicated, enforced)
Clean desk / clear screen
Need to know / least privilege
Procedures (labeling, destruction)

Risk Management

Definition of Risk
Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization.
Asset
Threat
Vulnerability
Likelihood (probability)
Impact (consequence)

Why is Risk Important?
Risk management is a fundamental function of information security
Provides rationale and justification for virtually all information security activities
Prioritization of risk allows the development of a security roadmap

Risk Management Definition
What is risk management? The systematic application of management policies, procedures and practices to the tasks of identifying, analyzing, evaluating, treating and monitoring risk related to information and information systems.

Risk Management Objective
The objective of risk management is to identify, quantify and manage information security risk.
Reduce risk to an acceptable level through the application of risk-based, cost-effective controls.

Risk Management Overview
Risk is the probability of occurrence of an event or transaction causing financial loss or damage to the organization, staff, assets or reputation.
Quantitative and qualitative measures

Risk Management Overview cont.
Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost.
At a high level, this is accomplished by:
Balancing risk against mitigation costs
Implementing appropriate countermeasures and controls

Defining the Risk Environment
The most critical prerequisite to a successful risk management program is understanding the organization, including:
Key business drivers
The organization's SWOT (strengths, weaknesses, opportunities and threats)
Internal and external stakeholders
Organizational structure and culture
Assets (resources, information, customers, equipment)
Goals and objectives, and the strategies already in place to achieve them

Threats to Information and Information Systems
Threats to information and information systems are related to:
Availability
Confidentiality
Integrity
Non-repudiation

Threat Analysis
Intentional versus unintentional attacks
Natural
Man-made
Utility / equipment
Threats are affected by:
The skill and motivation of the attacker
The existence of attack tools

Aggregate Risk
Aggregate risk must be considered.
Aggregate risk is where several smaller risk factors combine to create a larger risk (the perfect storm scenario).

Cascading Risk
Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect).

Identification of Vulnerabilities
Weaknesses in security controls:
Patches not applied
Non-hardened systems
Inappropriate access levels
Unencrypted sensitive data
Software bugs or coding issues (buffer overflow)
Physical security

The Effect of Risk
An exploit of a vulnerability by a threat may lead to an exposure.
An exposure is measured by the impact it has on the organization or the ability of the organization to meet its mission.

Impact
Examples of direct and indirect financial losses:
Direct loss of money (cash or credit)
Criminal or civil liability
Loss of reputation / goodwill / image
Reduction of share value
Conflict of interest for staff, customers or shareholders
Breach of confidence / privacy
Loss of business opportunity / competition
Loss of market share
Reduction in operational efficiency / performance
Interruption of business activity
Noncompliance with laws and regulations resulting in penalties

Risk Management Process
[Process diagram with three stages: Risk Identification (Assessment and Analysis); Risk Treatment (Control Selection); Evaluation and Assessment]
Risk Assessment Methodology
Quantitative
Determine the impact of a single event: Single Loss Expectancy (SLE)
SLE = Asset Value x Exposure Factor
Calculate the frequency of events: Annualized Rate of Occurrence (ARO)
ARO = incidents per year

Annualized Loss Expectancy (ALE)
ALE is the calculated cost of risk per year from a single event
ALE = SLE x ARO
Used to justify the expense of implementing controls to reduce risk levels
The cost of controls should not be greater than the benefit realized by implementing the control

Qualitative Risk Assessment
Determine risk levels through scenario-based analysis
Rank risk levels according to frequency and impact (Low (1), Moderate (2), High (3))
[Risk matrix: Likelihood (High, Moderate, Low) on one axis against Impact (Low, Moderate, High) on the other; each cell combines the two ratings]

Data Gathering Techniques
Surveys / questionnaires
Observation
Workshops
Delphi techniques

Results of Risk Assessment
Documentation of risk levels (risk register)
Determination of threat and vulnerability levels
Forecast of impact and frequency of events
Recommendations for risk mitigation (controls, safeguards, countermeasures)
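An added example, not from the ISACA courseware, that turns the Low (1) / Moderate (2) / High (3) likelihood-and-impact ranking of the Qualitative Risk Assessment slide into the risk register listed under Results of Risk Assessment; the scenarios, the level thresholds and the risk-appetite comparison are constructed assumptions.

```python
"""Added worked example (not part of the ISACA courseware): a qualitative risk
register built from the Low (1) / Moderate (2) / High (3) likelihood-and-impact
ranking on the slides.  The scenarios and the band thresholds are constructed
assumptions for illustration."""
from typing import Dict, List, Tuple

RATING = {"Low": 1, "Moderate": 2, "High": 3}   # scale from the slide


def risk_score(likelihood: str, impact: str) -> int:
    """Cell value of the likelihood x impact matrix, 1 (Low/Low) to 9 (High/High)."""
    return RATING[likelihood] * RATING[impact]


def risk_level(score: int) -> str:
    """Band the 3x3 matrix cells into three levels (assumed thresholds:
    1-2 Low, 3-4 Moderate, 6-9 High)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def build_register(scenarios: List[Tuple[str, str, str]],
                   appetite: str = "Moderate") -> List[Dict[str, object]]:
    """Turn (scenario, likelihood, impact) ratings into a risk register sorted
    highest score first, flagging entries that exceed the stated risk appetite
    (the level management has agreed to accept without further treatment)."""
    register = []
    for name, likelihood, impact in scenarios:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        register.append({
            "scenario": name,
            "likelihood": likelihood,
            "impact": impact,
            "score": score,
            "level": level,
            "needs_treatment": RATING[level] > RATING[appetite],
        })
    register.sort(key=lambda r: r["score"], reverse=True)
    return register


# Constructed sample scenarios, as might come out of a risk workshop.
SAMPLE = [
    ("laptop with unencrypted customer data lost", "Moderate", "High"),
    ("unpatched internet-facing web server exploited", "High", "High"),
    ("power failure in server room", "Low", "Moderate"),
    ("employee shares password with colleague", "High", "Low"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        flag = "TREAT" if row["needs_treatment"] else "accept"
        print(f"{row['score']}  {row['level']:8s} {flag:6s} {row['scenario']}")
```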

Alignment of Risk Assessment and BIA
Risk assessment measures impact and likelihood
Business impact analysis measures impact over time
Related disciplines, but not the same
BIA must be done periodically to determine how risk and impact levels increase over time
Set priorities for critical business functions

Risk Treatment

Risk Treatment
Risk treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level
Residual risk
Risk acceptance
Cost / benefit
Priorities
Balance between security and business

Risk Treatment Options
Reduction / mitigation: implement changes; enhance managerial, technical, physical and operational controls
Acceptance
Transference
Avoidance

Risk Mitigation and Controls
Controls (safeguards / countermeasures) are implemented in order to reduce a specified risk
Existing controls and countermeasures can be evaluated
New controls and countermeasures can be designed

Control Recommendations
Factors to be considered when recommending new or enhanced controls are:
Cost-benefit analysis
Anticipated effectiveness
Compatibility with other controls, systems, and processes
Legislation and regulation
Organizational policy, standards, and culture
Impact of control on business processes
Control reliability

Cost Benefit Analysis of Controls
Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure, including:
Acquisition / purchase costs
Deployment and implementation costs
Recurring maintenance costs
Testing and assessment costs
Compliance monitoring and enforcement
Inconvenience to users
Reduced throughput of controlled processes
Training in new procedures or technologies as applicable
End-of-life decommissioning
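A worked example of the SLE, ARO and ALE formulas from the Risk Assessment Methodology slides combined with the life-cycle control costs from the cost-benefit slides, added here and not part of the ISACA courseware; the asset values, exposure factors, frequencies, control costs and the annualization approach (one-time costs spread evenly over the control's service life) are constructed assumptions.

```python
"""Added worked example (not part of the ISACA courseware): quantitative risk
assessment and control cost-benefit using the SLE / ARO / ALE formulas from
the slides.  All asset values, exposure factors, frequencies and control
costs are constructed sample figures."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one asset, with its quantitative inputs."""
    name: str
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Control:
    """A candidate control with its full life-cycle costs (cost-benefit slides)."""
    name: str
    acquisition: float          # one-time purchase cost
    deployment: float           # one-time implementation cost
    annual_maintenance: float   # recurring maintenance, testing and monitoring
    decommissioning: float      # end-of-life cost, paid once
    life_years: int             # expected service life of the control
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # ARO once the control is in place


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: SLE = Asset Value x Exposure Factor."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(s) * s.aro


def annualized_control_cost(c: Control) -> float:
    """Assumed annualization: spread the one-time costs evenly over the control's
    service life and add the recurring costs, giving a per-year figure that can
    be compared with ALE."""
    one_time = c.acquisition + c.deployment + c.decommissioning
    return one_time / c.life_years + c.annual_maintenance


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control has reduced exposure and/or frequency."""
    reduced = Scenario(s.name, s.asset_value, c.new_exposure_factor, c.new_aro)
    return ale(reduced)


def annual_net_benefit(s: Scenario, c: Control) -> float:
    """Risk reduction per year minus the control's cost per year; positive means
    the control costs less than the benefit it realizes (the slide's rule)."""
    return (ale(s) - residual_ale(s, c)) - annualized_control_cost(c)


def recommend(s: Scenario, candidates: List[Control]) -> Optional[Control]:
    """Return the control with the largest positive net benefit, or None when no
    candidate is worth its cost (risk acceptance is then the treatment option)."""
    best = max(candidates, key=lambda c: annual_net_benefit(s, c))
    return best if annual_net_benefit(s, best) > 0 else None


# Constructed sample: a customer database valued at 400,000; an outage scenario
# assumed to destroy half its value and to occur once every two years.
DB_OUTAGE = Scenario("customer database outage", 400_000, 0.5, 0.5)

CANDIDATES = [
    # Offline backups: cheap; do not stop incidents but cut the loss per incident.
    Control("offline backups", 5_000, 3_000, 4_000, 500, 5, 0.1, 0.5),
    # Endpoint protection: cuts the frequency, leaves the loss per incident as is.
    Control("endpoint protection", 30_000, 10_000, 20_000, 1_000, 4, 0.5, 0.1),
    # Hot disaster recovery site: strong, but costs more than the risk it treats.
    Control("hot DR site", 300_000, 50_000, 90_000, 10_000, 5, 0.02, 0.5),
]

if __name__ == "__main__":
    print(f"SLE = {sle(DB_OUTAGE):,.0f}   ALE = {ale(DB_OUTAGE):,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:20s} cost/yr {annualized_control_cost(c):>9,.0f}"
              f"  residual ALE {residual_ale(DB_OUTAGE, c):>9,.0f}"
              f"  net benefit {annual_net_benefit(DB_OUTAGE, c):>9,.0f}")
    choice = recommend(DB_OUTAGE, CANDIDATES)
    print("recommendation:", choice.name if choice else "accept the risk")
```

With these figures the expensive DR site reduces risk the most but has a negative net benefit, which is the situation the slide's cost-versus-benefit rule is meant to catch.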

Risk Mitigation Schematic
[Diagram of the relationships between owners, assets, threats and countermeasures: owners value assets and wish to minimize risk to them; owners impose countermeasures to reduce risk; threat agents give rise to threats that increase risk to assets; threat agents wish to abuse and/or may damage assets]

Control Types and Categories
Controls may be:
Managerial
Technical
Physical

Control Types and Categories cont.
Controls may be:
Directive
Deterrent
Preventative
Detective
Recovery
Corrective
Compensating

Security Control Baselines
Creating baselines of control can assist in developing a consistent security infrastructure
Principles for developing baselines include:
Assess the level of security that is appropriate for the organization
Mandate a configuration for all systems and components attached to the organization's network

Ongoing Risk Assessment and Building Risk Management into the Organization

Ongoing Risk Assessment
Monitor controls to ensure that they are working effectively:
Implemented as designed
Operating properly
Producing the desired outcome (mitigating the risk they were installed to address)

Measuring Control Effectiveness
Determine metrics to measure control effectiveness
Do regular monitoring and reporting
Aggregate data from several control points (security information and event management, SIEM)
Measure control effectiveness in comparison to business goals and objectives

Building Risk Management In (Agenda)
Risk management should be built in to business processes:
Change control
Systems development life cycle (SDLC)
Ongoing monitoring and analysis
Audit
Business process re-engineering
Project management
Employment
Procurement

Risk Related to Change Control
Uncontrolled / unauthorized changes
Changes implemented incorrectly (backup, rollback)
Changes that bypass / overwrite controls
Interruption to service

Controlling Risk in Change Control
Oversight / steering committee
Formal change control process
Documentation of changes
Approvals
Testing
Review of all proposed / implemented changes for impact on security controls

Risk Management During SDLC
Integrate risk management throughout the SDLC
Review risk levels as the system is designed, developed, tested and implemented
Test the implemented security controls
Ensure the ability to log and monitor events is built into all systems
Review all new systems for correct operation of controls and associated risk levels

Ongoing Risk Management Monitoring and Analysis
Do risk assessment annually, and more frequently in the event of organizational changes, regulation or incidents
Monitor controls frequently and report to management
Standardized reporting (format)
Trend analysis

Audit and Risk Management
Audit validates that risk is being managed correctly, compared with the culture of the organization, policy, regulation and best practices
Validate that risk is within acceptable levels (risk appetite)
Threat and vulnerability analysis was done correctly
Controls are working correctly and mitigating risk effectively
Validate compliance with controls
Reporting and recommendations

Risk in Business Process Re-Engineering
Review all major systems and business process changes for impact on risk levels
Ensure that the ability to monitor controls is built into business processes
Enable reporting and compliance
Regular reporting to management on the status of changes
Ensure that changes do not bypass controls (separation of duties, least privilege)

Risk in Project Management
Risk of scope creep
Risk of project overrun (budget, time)
Failure to deliver expected results
Vendor compliance with requirements

Risk During Employment Process
Hiring procedures:
Correct skills and experience
Background checks (criminal, financial)
References from former employers / associates

New Employee Initiation
Require signing of non-disclosure agreements (NDA), non-compete agreements and an ethics statement
Review security policy
Awareness training

Risk During Employment
Access creep: adding more and more access, a violation of least privilege / need to know
Enforce compliance with controls
Regular awareness sessions

Risk at Termination of Employment
Need to remove all access
Recover all organizational assets: ID cards, laptops, remote access tokens, Blackberry / cellphone, documents
Review NDAs

Risks During Procurement
Need to purchase the right equipment at the right price
Improper buying practices: influence, kickbacks
Piracy / imitations
Inappropriate relations with / selection of vendors
Equipment not delivered according to specifications / contract terms
Equipment not configured / installed properly
Vendor not providing contracted maintenance according to maintenance agreements
Maintain correct patch levels

Reporting to Management
Regular reporting: standard format, scheduled basis, consistent metrics to allow comparison of results over time
Reporting on an exceptional basis, following an event

Documentation
Typical risk management documentation includes:
A risk register
An inventory of information assets
Threat and vulnerability analysis
Control effectiveness report
Initial risk rating
Risk report: consequences and likelihood of compromise
A risk mitigation and action plan

Training and Awareness
The most effective control to mitigate risk is training of all personnel: awareness, training, education
Educate on policies, standards, practices
Creates accountability

End users should receive training on:
The importance of adhering to information security policies, standards, and procedures
Clean desk policy
Responding to incidents and emergencies
Privacy and confidentiality requirements
The security implications of logical access in an IT environment

Training for End Users
Practical training topics:
Clean desk policy
Responding to incidents and emergencies
Privacy and confidentiality requirements
Handling sensitive data and intellectual property
The security requirements for access to IT systems

Practice Question
The PRIMARY purpose of a risk management program is:
a) To eliminate risk
b) To reduce all risks to a minimal level of impact
c) To satisfy regulatory requirements
d) To ensure risk levels are acceptable to senior management

Practice Question 2
The formula SLE x ARO relates to:
a) Annualized Loss Expectancy (ALE)
b) Risk acceptance levels
c) The frequency of attacks
d) Calculation of the impact of a threat

2015 CISM Review Course

Chapter 3
Information Security Program Development and Management

Course Flow
[Diagram of the four chapters and their relationships: Chapter One, Information Security Governance; Chapter Two, Information Risk Management; Chapter Three, Develop and Manage a Security Program; Chapter Four, Information Security Incident Management; the connecting arrows are labeled "Influenced by", "Directs changes to", "Directs development of" and "Enforced by"]

Course Agenda
Learning objectives
Security program development objectives
Role of the information security manager
Information security program development
Elements of a security program
Information security concepts
Technology and tools, security models
Integrating security into the business

Exam Relevance
Ensure that the CISM candidate understands how to manage the information security program in alignment with the information security strategy.
The content area in this chapter will represent approximately 25% of the CISM examination (approximately 50 questions).

Chapter 3 Learning Objectives
Develop and maintain plans to implement an information security program that is aligned with the information security strategy
Ensure alignment between the information security program and other business functions
Identify internal and external resources required to execute the information security program
Ensure the development of information security architectures

Learning Objectives cont.
Ensure the development, communication, and maintenance of standards, procedures and other documentation that support information security policies
Design and develop a program for information security awareness, training and education
Integrate information security requirements into contracts and third-party agreements

Definition
Information security program management includes directing, overseeing and monitoring information-security-related activities in support of organizational objectives.

Security Strategy and Program Relationship
The security strategy is the long-term plan for creating a security structure that will support the business goals of the organization
The security program outlines the steps necessary to implement the security strategy
The security program should be defined in business terms

Information Security Management
Information security management is primarily concerned with:
Ongoing, day-to-day operations of a security department
Budget for security
Planning
Business case development for security projects
Staff development and training

Importance of Security Management
Achieving adequate levels of information security means:
Implementing cost-effective security solutions
Supporting business operations
Strategic planning and alignment between security and the business
Compliance and reporting

Definition
Information security program development is the integrated set of activities, projects and initiatives to implement the information security strategy.

Effective Security Management
Effective security management must demonstrate value to the organization:
Compliance with policies and procedures
Cost effective
Improved audit results
Business process assurance

Reasons for Security Program Failure
Poorly understood requirements
Lack of understanding about what is important and why
Lack of funding or resources
Lack of will to make security a priority
Too much technical focus

Security Program Development Objectives

Program Objectives
Implement the objectives of the security strategy through managerial, technical and physical controls

Security Program Development
The elements essential to ensure successful security program design and implementation:
A well-defined and clear information security strategy
Cooperation and support from management and stakeholders
Effective metrics to measure program effectiveness

A well-executed security program will:
Support governance of information security
Convert security initiatives into practical, real-world implementations
Provide proof that security implementations are meeting business and security needs
Be flexible enough to adapt to changes in security / business requirements

Outcomes of Information Security Program Development
As seen in Chapter One, objectives for information security governance include:
Strategic alignment
Risk management
Value delivery
Resource management
Assurance process integration
Performance measurement

Governance of the Security Program
Acceptance and support for the strategy and the objectives of the security program is the responsibility of executive management
Everyone is responsible for compliance with security requirements

Role of the Information Security Manager

Role of the Information Security Manager (Agenda)
Strategy
Policy
Compliance
Prevention
Monitoring
Detection
Correction
Awareness
Implementation

Strategy
The first step in the development of an information security program (as seen in Chapter One) is to align the security strategy with the objectives of the business:
Governance
Resources
Reporting
Compliance
Regulations

Policy
Policy provides authority and direction
Policy requires background, scope and applicability

Creating Effective Policy
Ownership
Up to date
Exceptions
Enforceable / legal
Non-technical
Reflects the culture and mission of the organization

Awareness
People are the most important element of a security program, therefore they must:
Understand their roles
Be capable of performing their roles
Be provided adequate training
Be accountable for results

Implementation
Converts strategy to practical tools and techniques: controls, safeguards, countermeasures

Monitoring
Review of security controls, countermeasures, safeguards
Continuous or periodic testing
Frequency is dependent on laws, business changes and culture

Compliance
Compliance ensures that business processes and security measures meet the requirements of corporate policy, local regulations, industry-based standards, and best practices.
Compliance requires proof (not just theory): testing, logging, reporting

Information Security Program Development

Developing an Information Security Road Map
The CISM must consider the security program from the perspective of:
Data
Applications
Systems
Facilities
Processes

Defining Security Program Objectives
Whether or not there is an existing information security program, there are some basic program components:
Understanding management's security objectives
Develop key goal indicators (KGIs) that reflect and measure business priorities
Ways to measure whether the program is heading in the right direction

Inventory of Information Systems
Document all aspects of the information systems, including:
System categorization
System description, including system boundaries
Network diagram and data flows
Software and hardware inventory
Users and system owners
Business risk assessment
System risk assessment
Contingency plan
System security plan

Challenges in Developing an Information Security Program
The process of setting a program in place and measuring its results requires a great deal of cooperation among everyone in the organization who handles data.
Information security program development is not usually hampered by the technology choices available, but rather by people, process and policy issues that conflict with program objectives and see security as a hindrance to business operations.

Challenges in Developing an Information Security Program cont.
The challenges faced by the CISM while developing a security program may include:
Organizational resistance due to changes in areas of responsibility, a perception that increased security will impact productivity and access, and unfair monitoring / restrictions
Lack of adequate budget, personnel, skills or support
Unanticipated problems with existing controls, systems or ongoing projects

Elements of a Security Program Road Map
A vital element of the information security program is a roles and responsibilities matrix (RACI: Responsible, Accountable, Consulted, Informed)
[Example RACI matrix: columns CEO, CISO, CIO, VP HR; rows Policy Development, Business Continuity, Incident Management; the cell assignments are not reproduced]

Elements of a Security Program Road Map
An understanding of the general risk appetite of an organization and a review to discover any gaps or determine whether the information security program is operating at acceptable levels
[Chart: potential loss due to equipment failure on a scale of 25,000 to 75,000, comparing the current risk level with the acceptable risk level]

Ability to link the security program with business objectives and demonstrate justification for the evolution from a security concept towards a security architecture and finally into the selection and implementation of security tools and technologies
[Diagram of architecture layers, from top to bottom: Security Context, Security Concept, Logical Architecture, Physical Architecture, Component]

Security Programs and Projects
The overall security program will almost always consist of a series of individual projects designed to meet security objectives
[Diagram: a Security Program containing a Policy Creation Project, a Firewall Implementation Project and Awareness Sessions]

Security Program and Project Development
A gap analysis will identify a series of projects required to implement the information security program
Each project should have time, budget, milestones, deliverables, and measurable results
Each project should be clearly defined and integrate with other projects and departments (HR, finance, physical security)

Security Program and Project Development cont.
Security projects should be prioritized so that:
The most important projects are given priority
Projects do not overlap or cause a delay for other projects
Resources are appropriately allocated
Results are documented and reported to management

Security Project Planning
Determine project needs:
Oversight / timelines
Equipment
Personnel (skills), outsourcing or contract staff
Infrastructure: networks, databases, facilities, etc.

Selection of Controls
Controls are technical, managerial or physical tools designed to provide reasonable assurance that:
Business objectives will be achieved
Undesirable events will be prevented, or detected and corrected

Common Control Practices
Logical access control
Principle of least privilege / need to know
Compartmentalization to minimize damage (domains)
Segregation of duties
Transparency

Elements of a Security Program

Security Program Elements (Agenda)
Policies
Standards
Procedures
Guidelines
Technologies
Personnel security
Organizational structure
Outsourced security providers
Facilities
Environmental security

Policies
Provide authority and direction for the security program from management
High-level versus functional policies
Are interpreted by standards, procedures, baselines
What are the characteristics of effective policies? What makes a policy effective?

Acceptable Use Policy
An acceptable use policy:
Should provide a user-friendly summary of what should and should not be done to comply with policy
Must detail in everyday terms the obligations of all users
Must be communicated to all users
Must be read and understood by all users
Should be provided to new personnel

Acceptable Use Policy cont.
Rules of use for all personnel include the policies and standards for:
Access control
Classification of data
Marking and handling of documents
Reporting requirements and disclosure constraints
Rules regarding email and Internet use

Standards
Standards ensure that systems are configured and operated in a similar manner
Compliance with standards should be automated
Ensure that system configurations do not (intentionally or unintentionally) deviate from policy compliance
Standards are used to implement policy
Deviations from a standard must have formal approval

Procedures
Procedures provide a defined, step-by-step method of completing a task (e.g., new user registration / user ID creation; incident management)
Allow actual activity to be reviewed for compliance with the required procedures
Help ensure consistency of operations

Guidelines
Provide recommendations for better security practices (password creation, use of social media)
Are only recommendations, not mandatory

Technology
One of the most important elements of a security program
Without the right tools, an effective security program is not feasible
Many tools available

Personnel Security
Protect staff from being harmed (duress alarms, cameras)
Having the right people: skills / education required, awareness
Management and oversight
Disciplinary action when required
Separation of duties

Training and Skills Matrix
Determine the level of training needed by staff according to job responsibilities
Develop training matrix
Perform gap analysis

Level      Manager     Administrator   User
Level III  CISM        CCSP            SEC+
Level II   SEC+        GSEC            Awareness
Level I    Awareness   SEC+            Awareness

Organizational Structure
Who should security report to?
Normal reporting
Incident reports
Adequate budget, authority and scope

Outsourced Security Providers
Outsourcing security and monitoring may have many benefits:
Provide necessary expertise
Monitor all corporate systems
Correlate activity from several systems
Centralized reporting

Third-party Service Providers
When using a third party:
Ensure data are stored and secured adequately in the service provider environment
Define data destruction and data sanitization processes
Create channels of communication and liaison with the outsourced firm
Maintain accountability in the service provider organization for policy enforcement
Remember that prime liability for data protection is with the organization, not with the outsourced firm

Facilities
Secure operational areas: server rooms, equipment rooms, administrator, developer and operator work areas
Consider factors such as the age of the building (fire codes) and shared facilities with other companies

Facilities Security
Physical controls may include:
Smart cards or access controls based on biometrics
Security cameras
Security guards
Fences
Lighting
Locks
Sensors

Environmental Security
Heating, ventilation and humidity controls
Reliable power supplies

Information Security Concepts

Information Security Concepts (Agenda)


Topics already
covered:
Confidentiality

Risk Management
Threats
Vulnerabilities

Integrity

Attacks

Availability

Exposure

Countermeasures

Architecture

Controls

Business impact
analysis (BIA)

Governance
Layered Defense

Data classification
63

4/17/2015

Information Security Concepts (Agenda)


Access Control
Identification
Authentication
Authorization
Accounting / Auditability
Criticality
Sensitivity
Trust Models

Access Control
Controlling who and what has access to the
facilities, systems, people and data of the
organization
Ensuring the right people have the right
level of access
Preventing inappropriate use, modification
or destruction of organizational resources
Tracking all activity to the responsible
entity

Identification
Access control starts with knowing who or
what is accessing our systems, data, facilities
or other resources.
Unique (trackable to the correct
person/process)
Removed when no longer required
e.g., IDs, customer account numbers,
fingerprints


Authentication
Validating the claimed identity: is the person
requesting access really who they say they
are?
Knowledge (password)
Ownership (token, smart card, badge)
Characteristic (biometrics)

Authorization
Granting the authenticated user the correct
level of permissions needed
Read

Write
Execute
Create
Delete

Accounting / Auditability
Logging, monitoring and tracking of activity
Ability to associate activity with a specific
user
Audit log:
Protection
Review
Analysis
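The four access-control functions on the preceding slides (identification, authentication, authorization, accounting) in one small Python model, as an added example that is not part of the course material; the user, resource and permission names are constructed, and passwords are stored only as salted PBKDF2 hashes.

```python
import hashlib
import hmac
import os
import time

# Constructed example: identification, authentication, authorization and
# accounting (audit logging) for a small set of resources.

PERMISSIONS = {"read", "write", "execute", "create", "delete"}


class AccessControl:
    def __init__(self):
        self._users = {}      # identity -> (salt, PBKDF2 hash); never the password
        self._acl = {}        # resource -> {identity: set(permissions)}
        self.audit_log = []   # accounting: one record per decision

    # --- Identification: every subject has a unique identifier ---
    def add_user(self, user_id, password):
        if user_id in self._users:
            raise ValueError("user IDs must be unique: %s" % user_id)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user_id] = (salt, digest)

    def remove_user(self, user_id):
        # IDs (and their grants) are removed when no longer required.
        self._users.pop(user_id, None)
        for grants in self._acl.values():
            grants.pop(user_id, None)

    # --- Authentication: validate the claimed identity (knowledge factor) ---
    def authenticate(self, user_id, password):
        record = self._users.get(user_id)
        if record is None:
            self._record(user_id, "login", None, False, "unknown user")
            return False
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        ok = hmac.compare_digest(digest, expected)  # constant-time comparison
        self._record(user_id, "login", None, ok, "ok" if ok else "bad password")
        return ok

    # --- Authorization: grant the correct level of permission per resource ---
    def grant(self, resource, user_id, *perms):
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError("unknown permissions: %s" % sorted(unknown))
        self._acl.setdefault(resource, {}).setdefault(user_id, set()).update(perms)

    def check(self, user_id, resource, perm):
        allowed = perm in self._acl.get(resource, {}).get(user_id, set())
        self._record(user_id, perm, resource, allowed, "acl")
        return allowed

    # --- Accounting: every decision is tied to the responsible identity ---
    def _record(self, user_id, action, resource, allowed, reason):
        self.audit_log.append({
            "ts": time.time(), "user": user_id, "action": action,
            "resource": resource, "allowed": allowed, "reason": reason,
        })

    def denied_attempts(self, user_id):
        return [e for e in self.audit_log
                if e["user"] == user_id and not e["allowed"]]


def demo():
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple")   # constructed user
    ac.grant("/payroll/db", "alice", "read")                # constructed resource
    results = {
        "auth_ok": ac.authenticate("alice", "correct horse battery staple"),
        "auth_bad": ac.authenticate("alice", "guess"),
        "read": ac.check("alice", "/payroll/db", "read"),
        "delete": ac.check("alice", "/payroll/db", "delete"),
        "unknown": ac.check("mallory", "/payroll/db", "read"),
    }
    # Audit review: the failed login and the denied delete are both attributable.
    results["denied_for_alice"] = len(ac.denied_attempts("alice"))
    return results


if __name__ == "__main__":
    print(demo())
```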

Criticality
How much is the ability of the organization to
deliver its products and services dependent
on:
Information

Information systems
What would the extent of the impact be on
the business (quantitatively and qualitatively)
if they were not available?
This is a measure of the criticality of the
resource

Sensitivity
How much is the organization dependent on
the accuracy or confidentiality requirements
for:
Information
Information systems
This is a measure of the sensitivity of the
resource


Trust Models
Multi-level security
Users have different levels of trust (access)
Domains of trust
Departmentalization/compartmentalization
Security perimeters
Trusted links between systems


Technologies and Tools


Security Components and Models


Technology-based Security
Technology-based controls
Many technologies available
Are used to implement controls
Have controls built into their
implementation
Must be enabled
Must be monitored / updated

Technologies
There are numerous technologies relevant
to security that the CISM should be
familiar with including:
Firewalls
Routers and switches
IDS, NIDS, HIDS
Cryptographic techniques (PKI, DES)
Digital signatures
Smart cards

Security in Technical Components


Native control technologies
Security features built into equipment and
applications.
Access control on switches, routers
Error handling in applications
Many products feature "out-of-the-box"
security features that can be configured to
protect business information systems
Generally configured and operated by IT

Security in Technical Components cont.


Supplemental control technologies
Security control devices added to an
information system
IDS (Intrusion Detection Systems), Firewall,
PKI (Public Key Infrastructure)
Operate as a form of layered defense


Security in Technical Components cont.


Management support technologies
Provide support for management to monitor
systems and controls
Examples include security information event
management (SIEM) tools, compliance
monitoring scanners and security event
analysis systems
Are often used by information security group
independently of information technology

Security in Technical Components cont.


The effectiveness of the security technologies
must be evaluated
Use clear, repeatable metrics
Evaluate:
Control placement
Control effectiveness
Control efficiency
Control policy
Control implementation

Operations Security
Operational security
Monitoring of systems
Maintenance of systems
Procedures
Change control
Backups
User access management
Patch Management
Usually performed by IT administrators

Technologies - Access Control Lists

Access control lists (ACLs)
Designate levels of access accorded to
users, processes
Based on either the rights of the users or the
protection levels accorded to the protected
resource

Filtering and Content Management


Data Loss Prevention (DLP)
Scans documents, emails, etc. for sensitive
data.
Will block unauthorized transmission of data
Web Filtering
Scans web, email, and IM traffic for
inappropriate content
Blocks mobile code, inappropriate links,
cookies, etc.

Technologies - SPAM
Email filtering to weed out unsolicited email
May contain malicious code
Causes network and storage congestion
Disable links and potentially malicious
attachments


Technologies - Databases and DBMS

Databases
Electronic storage of data
May be accessed remotely
Need stringent security controls:
architecture, access, backup, journaling
Database Management System (DBMS)
Manages the database (retrieves, updates,
logs, organizes data)
Ensures changes comply with defined rules

Encryption
Allows data to be stored, transmitted or
displayed in a secure format unreadable
except to authorized personnel
Changes the format/structure of the data
Provides
Confidentiality
Integrity
Authenticity
Access control
Non-repudiation

Technologies - Cryptography
Symmetric key algorithms
Use the same key to encrypt and decrypt a
message

Fast and excellent for confidentiality


Technologies - Cryptography cont.

Asymmetric
Use a mathematically-related key pair
Private key (only known to key owner)
Public key (can be distributed freely)
Provide
Confidentiality
Proof of origin / non-repudiation (digital
signatures)
Integrity
Access control

Technologies - Encryption cont.

Protect data at various levels
Application layer encryption
PGP
Session / transport layer encryption
SSH, SSL, TLS
Network layer encryption
IPSEC
Link layer encryption

Technologies - Hashing Algorithms

Compute a fixed-length value from a message
that can be used to verify message integrity
Message has not been altered or changed
Either intentionally or accidentally
Are used in digital signatures
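Hashing for integrity and the asymmetric "hash-then-sign" digital signature from the cryptography slides, worked through in Python as an added example that is not course material; the RSA key pair is the deliberately tiny textbook one (p=61, q=53) so the arithmetic is visible, and the messages are constructed.

```python
import hashlib

# Constructed toy RSA key pair: p=61, q=53 -> n=3233, e=17, d=2753.
# Real systems use 2048-bit or larger keys, signature padding (e.g. PSS)
# and a vetted library; this only illustrates the mechanism.
PUBLIC_KEY = (17, 3233)     # (e, n): can be distributed freely
PRIVATE_KEY = (2753, 3233)  # (d, n): known only to the key owner


def message_digest(message: bytes) -> bytes:
    """Fixed-length value computed from a message of any length."""
    return hashlib.sha256(message).digest()


def integrity_check(original: bytes, received: bytes) -> bool:
    """Hash-only check: detects any accidental or intentional alteration."""
    return message_digest(original) == message_digest(received)


def sign(message: bytes, private_key) -> list:
    """Sign the hash, not the message: only the private-key holder can do this."""
    d, n = private_key
    # Toy artifact: the 32-byte digest is far larger than n, so each digest
    # byte (0..255 < n) is signed separately. Real RSA signs one padded block.
    return [pow(b, d, n) for b in message_digest(message)]


def verify(message: bytes, signature: list, public_key) -> bool:
    """Anyone holding the public key can check origin and integrity."""
    e, n = public_key
    digest = message_digest(message)
    if len(signature) != len(digest):
        return False
    recovered = [pow(s, e, n) for s in signature]
    return recovered == list(digest)


def demo():
    msg = b"Transfer 100 EUR to account 4711"       # constructed message
    tampered = b"Transfer 900 EUR to account 4711"  # one digit changed
    sig = sign(msg, PRIVATE_KEY)
    forged = list(sig)
    forged[0] = (forged[0] + 1) % PUBLIC_KEY[1]      # altered signature value
    return {
        "hash_matches": integrity_check(msg, msg),
        "hash_detects_change": not integrity_check(msg, tampered),
        "signature_valid": verify(msg, sig, PUBLIC_KEY),
        "signature_rejects_tampered_message": not verify(tampered, sig, PUBLIC_KEY),
        "forged_signature_rejected": not verify(msg, forged, PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(demo())
```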

Technology - Communications - OSI Model

Open Systems Interconnect (OSI model)
Seven-layer model for communications
Layering
Encapsulation
The seven layers:
Application
Presentation
Session
Transport
Network
Data Link
Physical

Technology - Communications - TCP/IP

Transmission Control Protocol / Internet
Protocol
Four-layer model used for most
communications today
Robust
Works on most platforms and vendor
systems
The four layers:
Application
Host to Host
Internetworking
Data Link / Physical

Technologies - Operating Systems

Provide interface between hardware and user
applications
Manage the use of system resources

Technology - Firewalls
Regulate traffic flows between networks
Operate at various network layers
Application proxies
Session layer proxies
Network layer
Packet Filtering


Emerging Technologies
The CISM must be aware of emerging
technologies and their impact on the
information security program:
Virtual environments

Cloud computing
Mobile computing
Apple and Android Apps
VOIP
SCADA networks

Testing the Security Program


Intrusion Detection Policies and Processes

The ISM should understand and manage intrusion
detection systems and procedures, including:
Personnel who run and monitor intrusion
detection systems have adequate training
Intrusion detection software and hardware runs
continuously
Intrusion detection software can be easily
modified to adapt to changing environments
Intrusion detection systems do not impose
excessive overhead, especially excessive
network overhead

Intrusion Detection Systems

An organization should ideally use two
types of intrusion detection systems (IDSs)
Host-based
Network-based
Sensors should be suitably placed to
provide adequate coverage of the network
topology

IDS / IPS
Intrusion detection and prevention systems
should:
Identify and record any attempts to exploit a
system by an attacker
Adequately protect networks and systems from
security breaches
Be monitored and maintained daily
Protect logs for use in future investigations


Password Cracking
Many tools available
Software
Hardware (keystroke loggers)
Should be forbidden by policy except for
extraordinary, authorized purposes
Brute force attacks
Dictionary attacks
Rainbow tables
Restrict access to password files
Store passwords as hashed values

Vulnerability Assessments
Discover potential weaknesses or gaps in the
security controls
Open ports or services
Lack of training
Improper rule-base configurations
Poor incident handling


Vulnerability Assessments cont.


A vulnerability assessment can include assessing
Network visibility and accessibility
Information leakage
Presence of unneeded software and/or
utilities
Unpatched equipment
Application-level vulnerabilities (including
databases)
Weak security policies and standards

Vulnerability Assessments cont.

Assessment Tools
Scans
May indicate many false positives
Require analysis to determine true level of
vulnerability
Testing (inline, integrated test facility)
Observation

Penetration Testing
Attempt to exploit a perceived vulnerability
Usually more focussed than a vulnerability
scan
Indicates whether the vulnerability does
pose a serious risk of breach
Allows determination of potential impact
Can be done by external or internal testing
teams
Must have prior approval

Penetration Testing cont.

Risk of system failure / interruption
Areas to test
Web applications
Firewalls / proxy devices
Operating systems
Applications and Utilities
Physical access

Third Party Security Reviews

Advantages
Objective
Not influenced by the "that is how we have
always done it around here" excuse
Expertise
May not be available in-house
Disadvantages
Need Non-disclosure agreements
Cost

Integration of the Security Program into the Business

Integration into Life Cycle Processes


A security program must be integrated into the
change management process for the
organization
Identify IT changes being initiated, funded,
and deployed
Provides the opportunity to
Identify vulnerabilities in new systems
Identify new threats presented by systems
Ensure that existing security controls will not
be adversely affected by proposed or actual
changes

Security in External Agreements


Ensure that security requirements are
included in outsourcing agreements:
Suppliers

Subcontractors
Joint ventures
Business partners
Outsourced functions

Security in External Agreements


Include in all external agreements
Right to audit
Service level agreements (SLAs)
Performance metrics
Due diligence
Ensure systems and data are protected
adequately (compliance)


Security Program Implementation

Rome was not built in a day, and neither will a
security program be rolled out all at once
May consist of many projects
Network security
User security
Application security
Physical security
Systems security and backup

Phased Approach
The program should be phased in by:
Region
Department
Product / service / business process
Building
Application
According to priorities, staff availability and
regulation

Challenges During Implementation


Unexpected discovery of unaccounted-for
systems or processes
Resistance from staff / management
Time or budget
Impact on business operations
Availability of equipment
Training requirements


Review and Audit of the Security Program

Evaluating the Security Program

The information security manager must evaluate
the documented security objectives for the
program:
Are program goals aligned with governance
objectives, if they exist?
Are objectives measurable, realistic and
associated with specific timelines?
Do program objectives align with
organizational goals, initiatives, and
compliance and operational needs?

Evaluating Security Program cont.


The information security manager must evaluate
the documented security objectives
Is there consensus on program objectives?
Have metrics been implemented to measure
program objective success and shortfalls?
Are there regular management reviews of
objectives and accomplishments?


Evaluating the Security Program cont.


Review of the Security Program may be
Automated
Minimize low-value activity workload

Manual
Incremental reviews
Continuous Auditing techniques
Conducted by external or internal parties

Measuring Information Security Risk and Loss
The following are possible approaches to
periodically measuring the program's success
against risk management and loss prevention
objectives:
The technical vulnerability management approach
The risk management approach
The loss prevention approach

Measuring Effectiveness of Technical Security Program
Ensure that equipment is configured according
to required baselines
Identify single points of failure
Verify that controls are working correctly and
mitigating risk effectively
Ensure controls are being monitored as
scheduled
Ensure incident reports are generated and
distributed

Measuring Effectiveness of Security Management
Methods of tracking the program's success include:
Tracking the frequency of issue recurrence
The degree to which procedures are
standardized
Documented information security roles and
responsibilities
Information security requirements incorporated
into every project plan
Efforts and results in making the program more
productive and cost-effective
Overall security resource utilization

Security Project Management


Because there will never be adequate budget
or staff, the CISM must prioritize security
projects
Approval of Steering Committee
Utilize external resources
Recruitment of additional staff
Regular reporting on the status of ongoing
security projects is necessary


Review of Security Compliance

A key role of the CISM is to review the levels
of compliance with
Policies
Procedures
Standards
Baselines
Deviations from the mandated levels of
compliance may require a review of the
policies, or the need to strengthen the
controls

Sample Questions


Practice Question
1.) A security manager is most likely to be
concerned with pending changes when:
A. Rollback procedures have not been
documented
B. Users have not been notified of changes
C. System performance tests were not
conducted
D. Program changes have not been
documented

Practice Question
2.) The MOST important element of a good
information security policy is:
A. Being easy to read and understand.
B. Allowing for flexible interpretation.
C. Capturing the intent of management.
D. Defining secure operating procedures

Practice Question
3.) Which of the following would be the BEST
approach when conducting a security
awareness campaign?
A. Provide interesting technical details of past
exploits.
B. Target high risk groups like system
administrators and the help desk.
C. Provide customized messages for different
groups.
D. Clearly describe acceptable use policies and
procedures

Practice Question
4.) The MOST appropriate metric to measure how
well information security is managing the
administration of user access is the percent of
user IDs:
A. That have been reviewed by management
B. That have been created and deleted in the
past year.
C. That have high level access to
organizational systems.
D. With corresponding payroll records.

End of Domain Three


ISACA
Trust in, and value from,
information systems


2015 CISM Review Course

Chapter 4
Information Security
Incident Management


Exam Relevance
Ensure that the CISM candidate can plan,
establish and manage the capability to detect,
investigate, respond to and recover from information
security incidents to minimize business impact.

The content area in this chapter will
represent approximately 18% of
the CISM examination
(approximately 36 questions).

Chapter 4 Learning Objectives


Develop and implement processes for:
Detecting
Identifying
Analyzing
Responding
To information security incidents


Learning Objectives cont.


Incident Management process
Escalation and communication processes
Lines of authority
Plans to respond to, and document,
information security incidents
Capability, skills and procedures to
investigate information security incidents
Communicate with internal parties and
external organizations


Learning Objectives cont.


Test and refine information security incident
response plans
Manage incident response
Conduct reviews of security incidents, to
determine root cause, develop corrective
actions and reassess risk
Integrate incident response plans with
business continuity plans (BCP) and disaster
recovery plans (DRP)


Definition
Incident
Any event that has the potential to
adversely impact the ability of the business
to meet its objectives
Incident management
The capability to effectively manage
unexpected disruptive events
Minimize impacts
Maintain and restore normal business
operations within defined time limits

Definition
Incident response
The operational capability of incident
management that identifies, prepares for
and responds to incidents
Provide forensic and investigative
capabilities
Restore normal operations as defined in
service level agreements (SLAs)
Manage the impact of unexpected disruptive
events to acceptable levels

Definition
Incident Management will ensure that
incidents are detected, recorded and
managed to limit impacts.


Goals of Incident Management and Response


The goals of incident management and
response include:
The ability to deal effectively with
unanticipated events
Detection and monitoring capabilities to alert
staff to a potential incident
Effective notification and reporting to
management
A response plan that is aligned with business
priorities

Goals of Incident Response cont.


The ability to learn from past incidents and
prevent future problems
Regular testing and validation of the
effectiveness of the plan


What is an Incident - Intentional


Malicious code
Unauthorized access to IT systems, facilities,
information
Unauthorized use of resources
Unauthorized changes to systems, networks
Denial of service (DOS)
Surveillance, espionage
Social Engineering
Fraud


What is an Incident - Unintentional


Equipment failure
Utility failure (power)
Software bugs

Deletion of files
Weather-related issues


History of Incidents
Past incidents provide valuable information
on risk trends, threat types and business
impact due to an incident
Can be used to evaluate the existing plans
Used as input to know the types of incidents
that must be considered and planned for


Developing Response and Recovery Plans
Factors to consider when developing
response and recovery plans include:
Available resources
Expected service levels
Types, kinds, and severity of threats faced
by the organization

Preparing the Incident Response Plan

Incident Management and Response


The incident management and response
structure should include:
Incident Response Planning
Business Continuity Planning
Disaster Recovery Planning
Recovery of IT systems


Incident Management and Response cont.


Plans must be
Clearly documented
Readily accessible
Based on the long range IT plan
Consistent with the overall business
continuity and security strategies


Incident Management and Response cont.

Incident Response planning includes
Incident detection capabilities (ability to
recognize an event: false positive vs. real event)
Clearly defined severity criteria (catastrophic,
major, minor)
Assessment and triage capabilities (determine
extent of incident)
Declaration criteria (activation of response
teams)

Importance of Incident Management and Response
Incident response is required since even minor
incidents may:
Affect business viability
Develop into major incidents
Require public communications plans
Necessitate advising regulators, clients or
other affected stakeholders
Even the best controls cannot prevent all
incidents

Incident Response Functions


Detection and reporting
Alerting, escalation
Triage
Containment, recovery
Analysis
Root cause, lessons learned
Incident response team skills
Necessary training and experience

Incident Management Technologies

An effective incident management system
should
Monitor and consolidate inputs from
multiple systems
Identify incidents or potential incidents
Prioritize incidents based on business impact
Provide status tracking and notifications
Integrate with major IT management
systems
Follow good practices guidelines

Responsibilities of the CISM


Developing the information security incident
management and response plans
Handling and coordinating information
security incident response activities
Validating, verifying and reporting on
effectiveness of protective controls and
countermeasure solutions
Planning, budgeting and program
development for all matters related to
information security incident management
and response

Incident Response Manager Responsibilities


The responsibilities of the incident response
manager include:
Managing the incident so that the impact is
contained and minimal damage occurs
Notifying the appropriate people and
escalating the incident to management
when required
Recovering quickly and efficiently from
security incidents
Balancing operational and security needs

Incident Response Manager Responsibilities cont.
The responsibilities of the incident response
manager include:
Responding systematically and decreasing
the likelihood of cascading problems or
incident recurrence
Dealing with legal and law enforcement-related issues
Ensuring that the incident response is
documented
Following up on lessons learned to enhance
controls

Requirements for Incident Response Managers
Have the leadership skills necessary to
manage crisis teams
Understand business priorities and culture
Have the experience, knowledge, and the
authority to invoke the disaster recovery
processes necessary to maintain or recover
operational status

Senior Management Involvement

Senior management provides strategic
direction during the crisis
Reporting of the incident is escalated to
senior management
Decisions and direction are passed down to
the incident management teams

The Desired State


Incident management and response requires
Well-developed monitoring capabilities for
key controls
Personnel trained in assessing the situation,
capable of providing triage, and managing
effective responses
Managers that have made provisions to
capture all relevant information and apply
previously learned lessons

Strategic Alignment of Incident Response

Incident management must be aligned with the
organization's strategic plan:
Scope: what incidents are the responsibility of the
incident response team
Services: services should be clearly defined
Organizational structure: reporting and oversight
Resources: sufficient staffing and skills necessary
for effective response
Funding: sufficient funding as required to manage
incident response
Management buy-in: senior management buy-in is
essential

Creating a Detailed Incident Response Plan

Detailed Plan of Action for Incident Management
The incident management action plan outlined in
the CMU/SEI technical report titled "Defining
Incident Management Processes":
Prepare/improve/sustain (prepare)
Protect infrastructure (protect)
Detect events (detect)
Triage events (triage)
Respond

Detailed Plan of Action for Incident Management - Prepare
Prepare/improve/sustain (prepare) phase:
Coordinate planning and design:
Identify incident management requirements.
Establish vision and mission.
Obtain funding and sponsorship.
Develop implementation plan.
Coordinate implementation:

Detailed Plan of Action for Incident Management - Prepare cont.
Prepare/improve/sustain (prepare) phase
Develop policies, processes and plans.
Establish incident handling criteria.
Implement defined resources.
Evaluate incident management capability.
Conduct postmortem review.
Determine incident management process
changes.
Implement incident management process
changes.

Detailed Plan of Action for Incident Management - Protect
Protect infrastructure (protect) phase
Implement changes to computing infrastructure
to mitigate ongoing or potential incident.
Implement infrastructure protection
improvements from postmortem reviews or
other process improvement mechanisms.
Evaluate computing infrastructure by
performing proactive security assessment and
evaluation.
Provide input to detect process on
incidents/potential incidents.

Detailed Plan of Action for Incident Management - Detect
Detect events (detect) phase
Proactive detection: the detect process is
conducted prior to incident alert. This will
enable the response team to detect attack
precursors, false negatives and emerging
threats.
Reactive detection: the detect process is
conducted when there are reports of possible
incidents from system users or other
organizations.

Detailed Plan of Action for Incident Management - Triage
Triage
Requires initial gathering of incident data,
incident severity determination, notification
and activation of incident response team
Can be done on two levels
Tactical - Based on a set of criteria
Strategic - Based on the impact on the business
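The two triage levels just described, combined with the earlier slides on incident response planning (false positive vs. real event, severity criteria, declaration criteria) and on incident management technologies (consolidating inputs from multiple systems, prioritising on business impact), as an added Python example that is not course material; the alert records, sources, severity table and asset ratings are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample alerts from three kinds of source (network IDS, host IDS,
# help desk). Hosts, event kinds and field names are invented for this example.
EVENTS = [
    {"source": "nids", "host": "web01", "kind": "port-scan", "confirmed": False},
    {"source": "hids", "host": "web01", "kind": "port-scan", "confirmed": False},
    {"source": "hids", "host": "db01", "kind": "malware", "confirmed": True},
    {"source": "helpdesk", "host": "ws17", "kind": "phishing-report", "confirmed": True},
    {"source": "nids", "host": "ws17", "kind": "c2-beacon", "confirmed": True},
    {"source": "nids", "host": "mail01", "kind": "port-scan", "confirmed": False},
]

# Tactical criteria (constructed): severity assigned per event kind.
KIND_SEVERITY = {"port-scan": "minor", "phishing-report": "minor",
                 "malware": "major", "c2-beacon": "major"}
# Strategic criteria (constructed): BIA rating of the affected asset.
ASSET_CRITICALITY = {"db01": "critical", "web01": "high", "ws17": "low"}

SEVERITY_ORDER = ["minor", "major", "catastrophic"]   # the slide's three levels
DECLARATION_THRESHOLD = "major"   # declaration criterion: activate the team here


def consolidate(events):
    """Consolidate inputs from multiple systems, grouped by affected host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    return by_host


def raise_one_level(severity):
    idx = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]


def triage_host(host, events):
    """Decide whether the events on one host are a real incident, and how severe."""
    sources_by_kind = defaultdict(set)
    confirmed_kinds = set()
    for ev in events:
        sources_by_kind[ev["kind"]].add(ev["source"])
        if ev["confirmed"]:
            confirmed_kinds.add(ev["kind"])
    # False-positive screen: an event kind counts as real if someone confirmed
    # it or two independent sources reported it.
    real_kinds = {k for k, srcs in sources_by_kind.items()
                  if k in confirmed_kinds or len(srcs) >= 2}
    if not real_kinds:
        return {"status": "event-only", "severity": None, "activate_team": False,
                "reason": "single unconfirmed source; needs analyst review"}
    # Tactical triage: worst severity among the real event kinds.
    tactical = max((KIND_SEVERITY.get(k, "minor") for k in real_kinds),
                   key=SEVERITY_ORDER.index)
    # Strategic triage: business impact of the asset raises the severity.
    strategic = tactical
    if ASSET_CRITICALITY.get(host) == "critical":
        strategic = raise_one_level(tactical)
    activate = (SEVERITY_ORDER.index(strategic)
                >= SEVERITY_ORDER.index(DECLARATION_THRESHOLD))
    return {"status": "incident", "kinds": sorted(real_kinds), "tactical": tactical,
            "severity": strategic, "activate_team": activate}


def triage(events=EVENTS):
    """Full pass: consolidate, screen, rate and decide per affected host."""
    return {host: triage_host(host, evs) for host, evs in consolidate(events).items()}


if __name__ == "__main__":
    for host, result in triage().items():
        print(host, result)
```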

Detailed Plan of Action for Incident Management - Response
Response
Technical response
Collecting data for further analysis
Analyzing incident supporting information
such as log files
Technical mitigation strategies and recovery
options
Development and deployment of workarounds
Management response
Legal response

Elements of an Incident Response Plan

Another approach to the development of
an incident response plan, based on the
SANS Institute:
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned

Crisis Communications
One of the greatest challenges in a crisis is
effective communications
Internal
Staff, management, business units
External
Business partners
Shareholders
General public
Government and regulatory bodies
Law Enforcement

Challenges in Developing an Incident Management Plan
Unanticipated challenges may be the
result of
Lack of management buy-in and
organizational consensus
Mismatch to organizational goals and
priorities
Incident management team member
turnover
Poor communications
Complex and wide plan

Incident Response Team Members


Personnel
An Incident Response Team usually
consists of
The Incident Manager (often an Information
Security Manager)
The Team Leader
Steering committee/advisory board
Provide oversight and authority


Personnel cont.
An Incident Response Team usually
consists of
Permanent/dedicated team members
Specialized skills: forensics, audit,
communications, legal
Representation from key departments:
Operations, IT, HR, Finance, Security,
Executive, etc.
Virtual/temporary team members
External experts

Personnel cont.
The composition of the incident response team
will depend on a number of factors such as
Mission and goals of the incident response program
Nature and range of services provided
Available staff expertise
Scope and technology base
Anticipated incident load
Severity or complexity of incident reports
Funding
Regulations and legal considerations

Team Member Skills

The set of basic skills that incident response
team members need can be separated into
two broad groups:
Personal skills
Ability to handle stress
Leadership skills
Expertise based on the incident handler's
daily activity.
Technical skills
Specialized skills in IT, communications, etc.

Skills cont.
Personal skills
Communication
Presentation skills
Ability to follow policies and procedures
Team skills
Integrity
Confidence
Problem solving
Time management

Skills cont.

Technical skills
Basic understanding of the underlying
technologies used by the organization
Understanding of the techniques,
decision points and supporting tools
required in incident management


Security Concepts and Technologies

The following security concepts and technologies
should be considered and known to IRTs:
Security principles
Security vulnerabilities/weaknesses
The Internet
Network protocols
Network applications and services
Network security issues
Operating systems
Malicious code
Programming skills

Organizing, Training and Equipping the Response Staff
Every incident response team member
should get the following types of training:
Induction to Incident response - basic
information about the team and its
operations
Description of the team's roles,
responsibilities and procedures
On the job training
Formal training

Review and Audit of Incident Response

Value Delivery
To deliver value, incident management
should:
Integrate and align with business processes
and structures
Improve the capability of businesses to
manage incidents effectively
Integrate incident management with risk
and business continuity
Become part of an organization's overall
strategy and effort to protect and secure
critical business functions and assets

Performance Measurement
Performance measurements for incident
management and response will focus on
achieving the defined objectives and
optimizing effectiveness
Incident response time
Application of lessons learned
KPIs and KGIs should be defined and
agreed upon by stakeholders and ratified
by senior management

Reviewing the Current State of Incident Response Capability
Survey of senior management, business
managers and IT representatives
Self-assessment
External assessment or audit

Audits
Audits (internal and external) must be
performed to verify
Incidents have been resolved and closed
off
Lessons learned applied to the
organization
Adherence by the incident response team
to the policies and procedures defined by
the organization

Gap Analysis - Basis for an Incident Response Plan
Gap analysis compares current incident
response capabilities with the desired
level.
The following may be identified:
Processes that need to be improved to be more
efficient and effective
Resources needed to achieve the objectives for
the incident response capability

Responding to an Incident


When an Incident Occurs
If an incident occurs:
The incident response team should follow the procedures set out in the incident response plan
Properly document (record and preserve) all information related to the incident
Follow data/evidence preservation procedures
Take precautions to avoid changing, altering or contaminating any potential or actual evidence

During an Incident
The initial response to an incident should include:
Retrieving the information needed to confirm an incident (false positive or real event)
Notifying the incident manager and activating incident response teams


During an Incident cont.
Identifying the scope and size of the affected environment (e.g., networks, systems, applications)
Containing the incident and minimizing the potential for further damage
Determining the degree of loss, modification or damage (if any)
Identifying the possible path or means of attack
Restoring critical services

Containment Strategies
During an incident it is critically important to contain the crisis and attempt to minimize the amount of damage that occurs.
Network isolation and segmentation
Fire doors and fire suppression
Fail secure
Multiple suppliers
Multiple facilities
Cross-trained staff

The Battle Box
Preloaded kits containing the tools and support materials needed by the response team in a crisis:
Flashlights
Communications (radio, satellite phones)
Batteries
Forms and documentation, pens
Tools
Protective clothing
First aid kits
Evidence collection bags

Evidence Identification and Preservation
The CISM must know:
Requirements for collecting and preserving evidence
Rules for evidence, admissibility of evidence, and quality and completeness of evidence
The consequences of any contamination of evidence following a security incident
Consider enlisting the help of third-party specialists if detailed forensic skills are needed

Post Event Reviews
Post event reviews allow lessons learned to be applied to future incidents
Use the information gathered to improve response procedures
Do reviews with all affected staff
Follow up on all lessons


Business Continuity and Disaster Recovery Planning


Disaster Recovery Planning (DRP) and Business Recovery Processes
Disaster recovery has traditionally been defined as the recovery of IT systems from disastrous events.
Business recovery (resumption) is defined as the recovery of the critical business processes necessary to continue or resume operations.


Development of BCP and DRP
Each of these planning processes typically includes several main phases, including:
Risk and business impact assessment
Response and recovery strategy definition
Documenting response and recovery plans
Training all users and response teams
Updating response and recovery plans
Testing response and recovery plans
Auditing response and recovery plans

Plan Development
Plan development factors include:
Pre-incident readiness
Evacuation procedures
How to declare a disaster
Identifying the business processes and IT resources that should be recovered
Identifying the responsibilities in the plan


Plan Development cont.
Plan development factors include:
Identifying contact information
The step-by-step explanation of the recovery options
Identifying the various resources required for recovery and continued operations
Ensuring that other logistics such as personnel relocation and temporary housing are considered

Recovery Strategies
Recovery strategies must be sustainable for the entire period of recovery until business processes are restored to normal.
Strategies may include:
Doing nothing until recovery facilities are ready
Using manual procedures / workarounds
Focusing on the most important customers, suppliers, products, and systems with resources that are still available

Recovery Strategies
The most appropriate recovery strategy is based on:
The ability to recover within acceptable recovery times at a reasonable cost
Which recovery strategies are available
Several options may be considered, including outsourcing of certain functions


Basis for Recovery Strategy Selections
Response and recovery strategy plans should be based on the following considerations:
Interruption window
Recovery time objectives (RTOs)
Recovery point objectives (RPOs)
Service delivery objectives (SDOs)
Maximum tolerable outages (MTOs) / maximum tolerable period of disruption (MTPD)
Location
Nature of probable disruptions

Disaster Recovery Sites
Types of offsite backup hardware facilities available include:
Hot sites
Warm sites
Cold sites
Mobile sites
Duplicate information processing facilities
Mirror sites
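As an added example (not material from the courseware) that ties the two preceding slides together, the script below checks candidate recovery options such as mirror, hot, warm and cold sites against the selection considerations listed earlier (RTO, RPO, MTPD and whether the site shares the primary site's region) and picks the cheapest option that meets all of them. Every site name, duration and cost is a constructed assumption, not a figure from the course.

```python
"""Added example, not from the ISACA/Firebrand courseware: checks candidate
recovery options against the objectives the slides list (RTO, RPO, MTPD and
site location) and picks the cheapest option that satisfies all of them.
Every site, duration and cost below is a constructed sample value."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RecoveryObjectives:
    """Objectives agreed with the business for one critical process."""
    process: str
    rto: timedelta          # recovery time objective: time until the process must run again
    rpo: timedelta          # recovery point objective: maximum tolerable data loss as a time span
    mtpd: timedelta         # maximum tolerable period of disruption
    primary_region: str     # where the primary site is (for the "same disaster" criterion)


@dataclass(frozen=True)
class RecoveryOption:
    """One candidate strategy: a hot/warm/cold/mirror site, a workaround, etc."""
    name: str
    site_type: str
    time_to_operational: timedelta   # time from disaster declaration until services run here
    backup_interval: timedelta       # how often data is replicated or backed up to this option
    region: str
    annual_cost: int                 # constructed figure, arbitrary currency units


def objective_problems(obj: RecoveryObjectives) -> List[str]:
    """Sanity-check the objectives themselves. An RTO longer than the MTPD can
    never be satisfied: the business would suffer intolerable harm before the
    recovery completes, so the objectives must be renegotiated first."""
    problems = []
    if obj.rto > obj.mtpd:
        problems.append(
            f"{obj.process}: RTO {obj.rto} exceeds MTPD {obj.mtpd}; "
            "shorten the RTO or revisit the business impact analysis")
    return problems


def option_rejections(obj: RecoveryObjectives, opt: RecoveryOption) -> List[str]:
    """Reasons an option fails the selection criteria; an empty list means it passes."""
    reasons = []
    if opt.time_to_operational > obj.rto:
        reasons.append(f"recovery time {opt.time_to_operational} exceeds RTO {obj.rto}")
    if opt.backup_interval > obj.rpo:
        reasons.append(f"backup interval {opt.backup_interval} exceeds RPO {obj.rpo}")
    if opt.region == obj.primary_region:
        reasons.append("same region as the primary site: exposed to the same disaster")
    return reasons


def select_strategy(obj: RecoveryObjectives, options: List[RecoveryOption]
                    ) -> Tuple[Optional[RecoveryOption], Dict[str, List[str]]]:
    """Pick the cheapest option that meets every objective ("acceptable recovery
    time at a reasonable cost"). Returns (option or None, per-option rejections)."""
    report = {opt.name: option_rejections(obj, opt) for opt in options}
    feasible = [opt for opt in options if not report[opt.name]]
    if not feasible:
        return None, report
    return min(feasible, key=lambda o: o.annual_cost), report


# Constructed sample objectives and candidate options (not course data).
ORDER_PROCESSING = RecoveryObjectives(
    process="order processing", rto=timedelta(hours=8), rpo=timedelta(hours=1),
    mtpd=timedelta(hours=24), primary_region="region-A")

CANDIDATES = [
    RecoveryOption("mirror-site", "mirror", timedelta(minutes=5), timedelta(seconds=30), "region-B", 900_000),
    RecoveryOption("hot-site", "hot", timedelta(hours=4), timedelta(minutes=15), "region-B", 400_000),
    RecoveryOption("warm-site-local", "warm", timedelta(hours=6), timedelta(minutes=30), "region-A", 250_000),
    RecoveryOption("cold-site", "cold", timedelta(hours=72), timedelta(hours=24), "region-C", 60_000),
]

if __name__ == "__main__":
    for problem in objective_problems(ORDER_PROCESSING):
        print("objective problem:", problem)
    chosen, report = select_strategy(ORDER_PROCESSING, CANDIDATES)
    for name, reasons in report.items():
        print(f"{name}: {'feasible' if not reasons else '; '.join(reasons)}")
    print("selected:", chosen.name if chosen else "none; revisit objectives or options")
```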

Disaster Recovery Sites cont.
Criteria for selecting alternate sites for processing in the event of a disaster include:
The recovery site should not be subject to the same disaster(s) as the primary site
Availability of similar hardware / software
Ability to move people and resources to the recovery location
Ability to test the recovery strategy

Recovery of Communications
Recovery of IT facilities involves telecommunications and network recovery:
Alternative / diverse routing
Long-haul network diversity
Voice recovery
Availability of appropriate circuits and adequate bandwidth
Availability of out-of-band communications in case of failure of primary communications methods

Notification Requirements
The plan should include a call tree with a prioritized list of contacts:
Representatives of equipment and software vendors
Contacts within companies that have been designated to provide supplies and equipment or services
Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services


Notification Requirements cont.
The plan should include a call tree with a prioritized list of contacts:
Contacts at offsite media storage facilities and the contacts within the company who are authorized to retrieve media from the offsite facility
Insurance company agents
Contacts at human resources (HR) and/or contract personnel services
Law enforcement contacts

Response Teams
The number of teams depends upon the size of the organization and the magnitude of operations; examples include:
The emergency action team
Damage assessment team
Emergency management team
Relocation team
Security team

Insurance
Types of insurance coverage:
IT equipment and facilities
Media (software) reconstruction
Extra expense
Business interruption
Valuable papers and records
Errors and omissions
Fidelity coverage
Media transportation

Testing Response and Recovery Plans
Testing must include:
Developing test objectives
Executing the test
Evaluating the test
Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans
Implementing a follow-up process to ensure that the recommendations are implemented

Types of Tests
Tests can include:
Desk check / table-top walk-through of the plans
Table-top walk-through with mock disaster scenarios (simulation tests)
Testing the infrastructure and communication components of the recovery plan
Testing the infrastructure and recovery of the critical applications (parallel tests)
Full restoration and recovery tests with some personnel unfamiliar with the systems

Test Results
The test should strive to:
Verify the completeness and effectiveness of the response and recovery plans
Evaluate the performance of the personnel involved in the exercise
Evaluate the coordination among the team members and external vendors and suppliers
Indicate areas where improvements to the plan are necessary


Test Results cont.
The test should strive to:
Measure the ability and capacity of the backup site to perform required processing
Ensure vital records / data can be retrieved
Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
Measure the overall performance of operational and information systems related to maintaining the business entity

Plan Maintenance Activities
The BCP and DR plans must be maintained through:
Developing a schedule for periodic review and maintenance of the plan
Updating the plan with personnel changes, phone numbers and responsibilities or status within the company
Updating the plan whenever significant changes have occurred, such as:
Organizational change
Results of tests or incidents

BCP and DRP Training
Training must be provided for all staff, dependent on their responsibilities:
Develop a schedule for training the following personnel in emergency and recovery procedures:
Users
Team members
Local business unit liaisons


Practice Question
1. The PRIMARY goal of a post-incident review is to:
A. Gather evidence for subsequent disciplinary action.
B. Identify key individuals who provided critical support during the crisis.
C. Prepare a report on the incident for further management review.
D. Derive ways to improve the response process.


Practice Question
2. Which of the following is the MOST important skill for an incident handler to possess?
A. Presentation skills for management reporting
B. Ability to follow policy and procedures
C. Integrity
D. Ability to cope with stress


Practice Question
3. What is the PRIMARY reason for conducting triage?
A. To set the priorities for incident response
B. To determine the root cause of the incident
C. To mitigate the damage being caused by the incident
D. To detect the presence of an incident


Practice Question
4. Which of the following is the MOST important factor when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?
A. Cost to restore lost data following the incident
B. Incremental cost of losing different systems
C. Location, availability, and cost of commercial recovery facilities
D. Estimated annualized loss expectancy (ALE) from key risks

Practice Question
5. Which of the following documents should be contained in an incident response procedures manual?
A. Risk assessment report
B. Communications plan
C. Record of all assets and systems
D. Alternate site recovery procedures


ISACA EXAM CANDIDATE INFORMATION GUIDE 2015

ISACA Exam Candidate Information Guide

ISACA Exams 2015
Important Date Information
Exam Date: 13 June 2015 Exam
Early registration deadline: 11 February 2015
Final registration deadline: 10 April 2015
Exam registration changes: Between 11 April and 24 April 2015, charged a US $50 fee, with no changes accepted after 24 April 2015
Refunds: By 10 April 2015, charged a US $100 processing fee, with no refunds after that date
Deferrals: Requests received on or before 24 April 2015, charged a US $50 processing fee. Requests received from 25 April through 22 May 2015, charged a US $100 processing fee. After 22 May 2015, no deferrals will be permitted.
All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

Exam Date: 12 September 2015 Exam*
Early registration deadline: 17 June 2015
Final registration deadline: 24 July 2015
Exam registration changes: Between 25 July and 3 August, charged a US $50 fee, with no changes accepted after 3 August 2015
Refunds: By 24 July 2015, charged a US $100 processing fee, with no refunds after that date
Deferrals: Requests received on or before 10 August 2015, charged a US $50 processing fee. Requests received from 11 August through 28 August 2015, charged a US $100 processing fee. After 28 August 2015, no deferrals will be permitted.
All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
* CISA and CISM only at select locations

Exam Date: 12 December 2015 Exam
Early registration deadline: 19 August 2015
Final registration deadline: 23 October 2015
Exam registration changes: Between 24 October and 30 October, charged a US $50 fee, with no changes accepted after 30 October 2015
Refunds: By 23 October 2015, charged a US $100 processing fee, with no refunds after that date
Deferrals: Requests received on or before 23 October 2015, charged a US $50 processing fee. Requests received from 24 October through 27 November 2015, charged a US $100 processing fee. After 27 November 2015, no deferrals will be permitted.
All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
Note:
The CISA Chinese Mandarin Traditional, German, Italian and Hebrew languages are only offered at the June exam.
The CISA Turkish is only offered at the June and December exams.
The CISM Japanese and Korean languages are only offered at the June exam.
Visit www.isaca.org/examlocations for a listing of the exam sites. Select the appropriate tab for June, September or December.
Please contact exam@isaca.org for further information.

Table of Contents
ISACA Certification .................................................................3
June: Important Date Information .......................................5
September: Important Date Information .............................6
December: Important Date Information ..............................7
Exam Day Information............................................................8
Post Exam Information .........................................................10
About ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business
and IT leaders build trust in, and value from, information and information systems. Established in
1969, ISACA is the trusted source of knowledge, standards, networking, and career development
for information systems audit, assurance, security, risk, privacy and governance professionals.
ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, and COBIT, a business framework that helps enterprises govern and manage their
information and technology. ISACA also advances and validates business-critical skills and knowledge
through the globally respected Certified Information Systems Auditor (CISA), Certified Information
Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in
Risk and Information Systems Control (CRISC) credentials. The association has more than
200 chapters worldwide.

ANSI Accredited Program: Personnel Certification #0694, ISO/IEC 17024
CISA, CISM, CGEIT and CRISC Program Accreditation Renewed Under ISO/IEC 17024:2003
The American National Standards Institute (ANSI) has accredited the CISA, CISM, CGEIT and CRISC
certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification
Systems of Persons. ANSI, a private, nonprofit organisation, accredits other organizations to serve
as third-party product, system and personnel certifiers. ISO/IEC 17024 specifies the requirements
to be followed by organizations certifying individuals against specific requirements. ANSI describes
ISO/IEC 17024 as expected to play a prominent role in facilitating global standardization of
the certification community, increasing mobility among countries, enhancing public safety and
protecting consumers.
ANSI's accreditation:
Promotes the unique qualifications and expertise that ISACA certifications provide
Protects the integrity of the certifications and provides legal defensibility
Enhances consumer and public confidence in the certifications and the people who hold them
Facilitates mobility across borders or industries
Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process. With this accreditation, ISACA anticipates that significant opportunities for CISAs, CISMs and CGEITs will continue to present themselves around the world.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: certification@isaca.org
Web site: www.isaca.org
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Reservation of Rights
Copyright 2014 ISACA. Reproduction or storage in any form for any purpose is not permitted without ISACA's prior written permission. No other right or permission is granted with respect to this work. All rights reserved.


ISACA CERTIFICATION: IS AUDIT, SECURITY, GOVERNANCE AND RISK AND CONTROL
The ISACA Exam Candidate Information Guide includes candidate information about exam registration, dates, and deadlines and provides important key candidate
details for exam day administration. This publication is available online at www.isaca.org/examguide
The following certifications are addressed in this guide: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the
Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). A brief summary of each follows.
CISA
Description: The CISA designation is a globally recognized certification for IS audit control, assurance, and security professionals.
Eligibility Requirements: Five (5) or more years of experience in IS audit, control, assurance, or security. Waivers are available for a maximum of three (3) years.
Domains (%): Domain 1: The Process of Auditing Information Systems (14%); Domain 2: Governance and Management of IT (14%); Domain 3: Information Systems Acquisition, Development, and Implementation (19%); Domain 4: Information Systems Operations, Maintenance and Support (23%); Domain 5: Protection of Information Assets (30%)
Number of exam questions*: length of exam: 200 questions: 4 hours
Exam Languages: Chinese Mandarin Traditional**, Chinese Mandarin Simplified, English, French, German**, Hebrew**, Italian**, Japanese, Korean, Spanish, Turkish***

CISM
Description: The management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise's information security.
Eligibility Requirements: Five (5) or more years of experience in information security management. Waivers are available for a maximum of two (2) years.
Domains (%): Domain 1: Information Security Governance (24%); Domain 2: Information Risk Management and Compliance (33%); Domain 3: Information Security Program Development and Management (25%); Domain 4: Information Security Incident Management (18%)
Number of exam questions*: length of exam: 200 questions: 4 hours
Exam Languages: English, Japanese**, Korean**, Spanish

CGEIT
Description: CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices.
Eligibility Requirements: Five (5) or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise, including a minimum of one year of experience relating to the definition, establishment and management of a Framework for the Governance of IT. There are no substitutions or experience waivers.
Domains (%): Domain 1: Framework for the Governance of Enterprise IT (25%); Domain 2: Strategic Management (20%); Domain 3: Benefits Realization (16%); Domain 4: Risk Optimization (24%); Domain 5: Resource Optimization (15%)
Number of exam questions*: length of exam: 150 questions: 4 hours
Exam Languages: English

CRISC
Description: CRISC certification is designed for those experienced in the management of IT risk, and the design, implementation, monitoring and maintenance of IS controls.
Eligibility Requirements: Three (3) or more years of cumulative work experience performing the tasks of a CRISC professional across at least two (2) CRISC domains, of which one must be in Domain 1 or 2, is required for certification. There are no substitutions or experience waivers.
Domains (%): Domain 1: IT Risk Identification (27%); Domain 2: IT Risk Assessment (28%); Domain 3: Risk Response and Mitigation (23%); Domain 4: Risk and Control Monitoring and Reporting (22%)
Number of exam questions*: length of exam: 150 questions: 4 hours
Exam Languages: English, Spanish

* Consists of multiple choice items that cover the respective job practice areas created from the most recent job practice analysis. See page 11 for related links.
** June exam only
*** June and December exam only.


REGISTERING FOR THE EXAM
REGISTER FOR THE EXAM
You can register for an ISACA exam via online registration or hard copy registration form. To place your online registration via the ISACA web site visit
www.isaca.org/examreg. To register via hardcopy registration form, complete the hardcopy registration form provided at www.isaca.org/exam
and fax or mail to ISACA along with your payment information.
Note: Faxed/mailed registrations will incur an additional US $75 charge.

SUBMIT REGISTRATION FEES AND PAYMENT
Online early registrations received on or before early registration deadline: ISACA member US $440; Non-ISACA member US $625
Online final registrations received by final registration deadline: ISACA member US $490; Non-ISACA member US $675
NOTE: Registration form and payment must be received on or before the early registration deadline to qualify for the early registration rate.

Notes:
The CISA Chinese Mandarin Traditional, German, Hebrew, and Italian languages will only be offered at the June exam.
The CISM Japanese and Korean languages are only offered at the June Exam.
Visit www.isaca.org/examlocations for a listing of the exam sites. Please select the appropriate tab for the June, September or December locations.
Please contact exam@isaca.org for further information.

CONSIDER ISACA MEMBERSHIP
If you are not yet an ISACA member, consider joining during the registration process and enjoy the member discount on your exam and study materials.
Please visit www.isaca.org/join for detailed information on membership benefits and fees.
Join Dates / Member Through:
From 1 August 2014 to 30 May 2015: member through 31 December 2015
From 1 June 2015 to 31 July 2015: member through 31 December 2015
From 1 August 2015 to December 2015: member through 31 December 2016

Due Dates
Deadlines are based on Chicago, Illinois, USA, 5 P.M. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). If not registering online, please mail or fax the
registration form to ISACA. Do not do both. Submitting duplicate registrations online and/or by hard copy to ISACA may result in multiple registrations
and charges. Final registration forms and payment must be postmarked or received by fax on or before the final registration date for the exam you are registering
for. Both pages of the registration form must be received to complete a registration.

ACKNOWLEDGMENT OF REGISTRATION
An email acknowledgement of the exam registration, exam test site and exam language will be sent to registrants shortly after the processing of the registration.
Please review the exam registration details carefully and contact the ISACA certification department at exam@isaca.org for any corrections or changes. A receipt
letter acknowledging exam registration and payment with a link to ISACA's Exam Candidate Information Guide should be received by exam registrants within four
weeks (depending on your worldwide location and local postal delivery) of the processing of the registration form and payment. We encourage exam candidates to
review this Guide to familiarize themselves with exam day information and rules.


JUNE: IMPORTANT DATE INFORMATION
Exam Date 13 June 2015
Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
On or before 10 April 2015 ................................ No charge
11 April through 24 April 2015 .......................... US $50
No exam registration changes will be granted after 24 April 2015.

Refund and Deferrals of Fees


Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in
writing on or before 10 April 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for
a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
On or before 24 April ......................................... US $50
25 April through 22 May .................................... US $100
Deferral requests will not be accepted after 22 May 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have
deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or
arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 1 June 2015 should contact the ISACA certification department at exam@isaca.org or via
phone at +1.847.660.5660.

Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements.
Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested.
Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the
candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to
ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 10 April 2015 to exam@isaca.org.

Request for Additional Test Centers


If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more
paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment
of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 February
2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.

Exam locations
For a complete listing of the exam sites for the June exam administration visit www.isaca.org/examlocations and select the June Exam Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for
study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.


SEPTEMBER: IMPORTANT DATE INFORMATION
Exam Date 12 September 2015
The September exam administration is only offered for the CISA and CISM certification exams at limited exam sites.

Exam Registration Changes


Changes to the exam site, test language and candidate name are subject to the following charges:
On or before 24 July 2015................................. No charge
25 July through 3 August 2015 ......................... US $50
No exam registration changes will be granted after 3 August 2015.

Refund and Deferrals of Fees


Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in
writing on or before 24 July 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible
for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
On or before 10 August 2015 ............................ US $50
11 August through 28 August 2015................... US $100
Deferral requests will not be accepted after 28 August 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have
deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam
(or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 15 August 2015 should contact the ISACA certification department at exam@isaca.org or
via phone at +1.847.660.5660.

Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities. Consideration for
reasonable alterations in exam format, presentation, and allowance of food or drink at the exam site must be requested and accompanied by a doctor's
note. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International
Headquarters in writing, accompanied by appropriate documentation, no later than 27 July 2015 to exam@isaca.org.

Exam Locations
For a complete listing of the exam sites for the September exam administration visit www.isaca.org/examlocations and select the September Exam
Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for
study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.


DECEMBER: IMPORTANT DATE INFORMATION
Exam Date 12 December 2015
Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
On or before 23 October .................................... No charge
24 October through 30 October......................... US $50
No exam registration changes will be granted after 30 October 2015.

Refund and Deferrals of Fees


Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in
writing on or before 23 October 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not
eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
On or before 23 October .................................... US $50
24 October through 27 November ..................... US $100
Deferral requests will not be accepted after 27 November 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have
deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or
arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment.
Any candidate who has not received his/her admission ticket by 1 December 2015 should contact the ISACA certification department at exam@isaca.org or
via phone at +1.847.660.5660.

Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements.
Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested.
Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the
candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to
ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 23 October 2015 to exam@isaca.org.

Request for Additional Test Centers


If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more
paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment
of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 August
2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.

Exam Locations
For a complete listing of the exam sites for the December exam administration visit www.isaca.org/examlocations and select the December Exam Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for
study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.

EXAM DAY INFORMATION
Admission Ticket
Approximately two to three weeks prior to the exam date, candidates will be sent an email admission ticket (e-ticket) from ISACA. Admission tickets are sent
via email to the current email address on file. In order to receive an admission ticket, all fees must be paid. Exam candidates can also download a copy of
the admission ticket at www.isaca.org > MyISACA page of the web site. Tickets will indicate the date, registration time and location of the exam, as well as
a schedule of events for that day and a list of materials that candidates must bring with them to take the exam. Candidates are not to write on the admission
ticket. Candidates can use their admission ticket (either a printout of their e-ticket or their downloaded ticket) only at the designated test center.
Identification on Exam Day
Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification (ID). An acceptable form of ID
must be a current and original government-issued ID that contains the candidate's name, as it appears on the admission ticket, and the candidate's
photograph. The information on the ID cannot be handwritten. All of these characteristics must be demonstrated by the single piece of ID provided. Examples
include, but are not limited to, a passport, driver's license, military ID, state ID, green card and national ID. Any candidate who does not provide an acceptable
form of ID will not be allowed to sit for the exam and will forfeit his/her registration fee. IDs will be checked during the exam administration.
Only candidates with an admission ticket and an acceptable government-issued ID will be admitted to take the exam, and the name on the
admission ticket must match the name on the government-issued ID. If candidates' mailing and/or email addresses change, they should update
their profile on the ISACA web site (www.isaca.org ) or contact exam@isaca.org.
Arrival Time For Exam
It is imperative that candidates note the specific registration and exam times on their admission ticket. NO CANDIDATE WILL BE ADMITTED TO THE
TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAM BEGINS.
Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit his/her registration fee.
An admission ticket can only be used at the designated test center specified on the admission ticket. To ensure that you arrive in plenty of time for the exam,
we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center
telephone numbers and web site references have been provided (when available) to assist you in obtaining directions to the facility.
Exam Rules
Candidates will not be admitted to a test center after the oral instructions have begun.
Candidates should bring several sharpened No. 2 or HB (soft lead) pencils and a good eraser. Pencils and erasers will not be available at the test center.
As exam venues vary, every attempt will be made to make the climate control comfortable at each exam venue. Candidates may want to dress to their
own comfort level.
Candidates are not allowed to bring reference materials, blank paper, note pads or language dictionaries into the test center.
Candidates are not allowed to bring or use a calculator in the test center.
Candidates are not allowed to bring any type of communication, surveillance or recording device (including, but not limited to cell phones, tablets, smart
glasses, smart watches, mobile devices, etc.) into the test center. If exam candidates are viewed with any such communication, surveillance or
recording device during the exam administration, their exams will be voided and they will be asked to immediately leave the exam site.
Candidates are not allowed to bring baggage of any kind, including but not limited to handbags/purses, briefcases, etc. into the test center. Visit
www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, www.isaca.org/criscbelongings for more information
on personal belongings allowed or prohibited.
Visitors are not permitted in the test center.
No food or beverages are allowed in the test center (without advanced authorization from ISACA).
Candidates are urged to immediately record their answers on their answer sheet. No additional time will be allowed after the exam time has elapsed to transfer
or record answers should candidates mark their answers in the test booklet. The exam will be scored based on the answer sheet recordings only.
Candidates must gain authorization or be accompanied by a test proctor to leave the testing area.
Candidates may leave the testing room with authorization during the examination to visit the facilities. Only one person will be excused from the room at a
time. Testing staff will collect the candidate examination materials and the candidate will be required to check-out and check-in again upon re-entering the
exam. Note the examination time will not stop and no extra time will be allotted.
Misconduct
Candidates who are discovered in violation of the Exam Rules or engaging in any kind of misconduct including but not limited to the activities listed below will
be subject to disqualification. The testing agency will report all cases of misconduct to the respective ISACA Certification Committee for committee review in
order to render any decision necessary.
Giving or receiving help; using notes, papers or other aids,
Attempting to take the exam for someone else,
Possession of communication, surveillance or recording device, including but not limited to cell phones, tablets, smart glasses, smart watches,
mobile devices, etc., during the exam administration,
Removing test materials, answer sheet or notes from the testing center,
Attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA); including
sharing test questions subsequent to the exam.
Leaving the testing room or area without authorization or accompaniment by a test proctor. (These individuals will not be allowed to return to the testing room),
Accessing items stored in the personal belongings area before the completion of the exam, and
Continuing to write the exam after the proctor signals the end of the exam time.

Reasons for Dismissal or Disqualification and Voiding of Exam
Unauthorized admission to the test center.
Candidate creates a disturbance or gives or receives help.
Candidate attempts to remove test materials, questions, answers or notes from the test center.
Candidate impersonates another candidate.
Candidate brings items into the test center that are not permitted or accesses items stored in the personal belongings area during the exam.
Candidate possession of any communication, surveillance or recording device during the exam administration.
Candidate leaves the test area without authorization.
Candidate continues to write the exam, including continuing to record answers on his/her answer sheet after the proctor signals the end of the examination.
Candidate shares test questions or other information contained in the exam.
Personal Belongings
Each test site will have a specific area designated for the storage of personal belongings. Neither ISACA nor its testing vendor takes responsibility for personal
belongings of candidates. ISACA will not assume responsibility for stolen, lost or damaged personal property. To review the Personal Belongings Policy, please
visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, or www.isaca.org/criscbelongings. Personal items
brought to the exam site and stored in the belongings area of the testing center may not be accessed until the exam candidate has completed and submitted
his/her exam.
Taking the Exam/Types of Questions on the Exams
Exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All
questions are designed with one best answer.
Every question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The
stem may be in the form of a question or incomplete statement. In some instances, a scenario may also be included. These questions normally include a
description of a situation and require the candidate to answer two or more questions based on the information provided. The candidate is cautioned to read
each question carefully. An exam question may require the candidate to choose the appropriate answer based on a qualifier, such as MOST likely or BEST.
In every case, the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. To gain
a better understanding of the types of questions that might appear on the exam and how these questions are developed, refer to the Item Writing Guide
available at www.isaca.org/itemwriter. Representations of CISA exam questions are available at www.isaca.org/cisaassessment; CISM exam questions are
available at www.isaca.org/cismassessment.
Conduct Oneself Properly
To protect the security of the exam and maintain the validity of the scores, candidates are asked to sign the answer sheet.
The respective ISACA Certification Committee reserves the right to disqualify any candidate who is discovered engaging in any kind of misconduct or
violation of exam rules, including but not limited to giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone
else; using any type of communication, surveillance or recording device during the exam administration, removing test materials or notes from the test
center or attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA). The
testing agency will provide the respective ISACA Certification Committee with records regarding such irregularities for committee review and to render any
decision necessary.
Be Careful in Completing the Answer Sheet
Before a candidate begins the exam, the test center chief examiner will read aloud the instructions for entering identification information on the answer
sheet. A candidate's identification number as it appears on the admission ticket and all other requested information must be correctly entered or scores
may be delayed or incorrectly reported.
A proctor speaking the primary language used at each test center is available. If a candidate desires to take the exam in a language other than the primary
language of the test center, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the
exam.
A candidate is instructed to read all instructions carefully and understand them before attempting to answer the questions. Candidates who skip over the
directions or read them too quickly could miss important information and possibly lose credit.
All answers are to be marked in the appropriate circle on the answer sheet. Candidates must be careful not to mark more than one answer per question
and to be sure to answer a question in the appropriate row of answers. If an answer needs to be changed, a candidate is urged to erase the wrong answer
fully before marking in the new one.
All questions should be answered. There are no penalties for incorrect answers. Grades are based solely on the number of questions answered
correctly, so do not leave any questions blank.
After completion, candidates are required to hand in their answer sheet and test booklet.
Budget One's Time
The exam is four hours in length. Candidates are advised to pace themselves to complete the entire exam.
Candidates are urged to immediately record their answers on the answer sheet. No additional time will be allowed after the exam time has
elapsed to transfer or record answers should a candidate mark answers in the test booklet. The exam will be scored based on the answer
sheet recordings only.

Exam Day Comments

ISACA utilizes an internationally recognized professional testing agency to assist in the construction, administration and scoring of the exams.
Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the Test Administration
Questionnaire. The Test Administration Questionnaire is presented at the back of the examination booklet with corresponding instructions for completion.
Candidates who wish to address any additional comments or concerns about the examination administration, including site conditions or the content of the
exam, should contact ISACA international headquarters by letter or by email (exam@isaca.org). Please include the following information in your comments:
exam ID number, testing site, date tested and any relevant details on the specific issue. Only those comments received by ISACA during the first 2 weeks
after the exam administration will be considered in the final scoring of the exam. Appeals undertaken by a certification exam taker, certification applicant or
by a certified individual are undertaken at the discretion and cost of the exam taker, applicant or individual.

POST EXAM INFORMATION


Scoring the Exams
The ISACA exams consist of multiple-choice items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw
score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. For example, the scaled score of 800 represents
a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions
were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard
of knowledge. A candidate receiving a passing score may then apply for certification if all other requirements are met.
The exams contain some questions which are included for research and analysis purposes only. These questions are not separately identified and not used to
calculate your final score.
Approximately five weeks for CISA/CISM and eight weeks for CGEIT/CRISC after the test date, the official exam results will be mailed to
candidates. Additionally, with the candidate's consent during the registration process, an email message containing the candidate's pass/fail status and
score will be sent to the candidate. This email notification will only be sent to the address listed in the candidate's profile at the time of the initial release of
the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent email notification from being sent to spam
folders, candidates should add exam@isaca.org to their address book, whitelist or safe-senders list. Once released, scores will also be available in the ISACA
constituent profile at the MyISACA > MyCertifications page of the ISACA website.
Candidates will receive a score report containing a subscore for each domain area. Successful candidates will receive, along with a score report, details on
how to apply for certification.
The subscores can be useful in identifying those areas in which the unsuccessful candidate may need further study before retaking the exam. Unsuccessful
candidates should note that the total scaled score cannot be determined by calculating either a simple or weighted average of the subscores.
Candidates receiving a failing score on the exam may request a hand score of their answer sheets. This procedure ensures that no stray marks,
multiple responses or other conditions interfered with computer scoring. Candidates should understand, however, that all scores are subjected to
several quality control checks before they are reported; therefore, rescores most likely will not result in a score change. Requests for hand scoring must
be made in writing to the certification department within 90 days following the release of the exam results. Requests for a hand score after the deadline
date will not be processed. All requests must include a candidate's name, exam identification number and mailing address. A fee of US $75 must accompany
each request.
Passing the exam does not grant the designation. Candidates have five years from the passing date to apply for certification. To become certified, each exam
passer must complete requirements including submitting an application for certification. Candidates receiving a score less than 450 have not passed and can
retake the exam by registering and paying the exam registration fee for the future administration. There are no limits to how many times a candidate can take
the exam.
ISACA Code of Professional Ethics
ISACA sets forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its
certification holders. Members and certification holders are required to abide by the Code. Failure to comply with this Code of Professional Ethics can result in an
investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures. The ISACA Code of Professional Ethics can be
viewed online at www.isaca.org/ethics.

Confidentiality
By taking an ISACA Exam, the candidate understands and agrees that the Exam (which includes all aspects of the exam, including, without limitation, the test
questions, answers, examples and other information presented or contained in the exam and exam materials) belongs to ISACA and constitutes ISACA's
confidential information (collectively, Confidential Information). The candidate agrees to maintain the confidentiality of ISACA's Confidential Information
at all times and understands that any failure to maintain the confidentiality of ISACA's Confidential Information may result in disciplinary action against the
candidate by ISACA or other adverse consequences, including, without limitation, nullification of his/her exam, loss of his/her credentials, and/or litigation.
Specifically, the candidate understands that he/she may not, for example, discuss, publish or share any exam question(s), his/her answers or thoughts on any
question(s) or the exam's format in any forum or media (e.g., via e-mail, Facebook, LinkedIn).

IMPORTANT ADDITIONAL REFERENCES

These references contain essential exam information and should be read in their entirety.

Important Additional References

                                  CISA Exam                          CISM Exam                          CGEIT Exam                          CRISC Exam
Certification                     www.isaca.org/cisa                 www.isaca.org/cism                 www.isaca.org/cgeit                 www.isaca.org/crisc
Preparing for the Exam            www.isaca.org/cisaprep             www.isaca.org/cismprep             www.isaca.org/cgeitprep             www.isaca.org/criscprep
Requirements for Certification    www.isaca.org/cisarequirements     www.isaca.org/cismrequirements     www.isaca.org/cgeitrequirements     www.isaca.org/criscrequirements
Job Practice                      www.isaca.org/cisajobpractice      www.isaca.org/cismjobpractice      www.isaca.org/cgeitjobpractice      www.isaca.org/criscjobpractice
Applying for Certification        www.isaca.org/cisaapp              www.isaca.org/cismapp              www.isaca.org/cgeitapp              www.isaca.org/criscapp
Maintaining your Certification    www.isaca.org/cisacpepolicy        www.isaca.org/cismcpepolicy        www.isaca.org/cgeitcpepolicy        www.isaca.org/crisccpepolicy
Glossary of Terms                 www.isaca.org/glossary             www.isaca.org/glossary             www.isaca.org/glossary              www.isaca.org/glossary
Acronyms                          www.isaca.org/cisaprep             www.isaca.org/cismprep

Available Study Materials From ISACA:

Passing an ISACA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA
offers, for purchase, study aids to exam candidates. Visit www.isaca.org/bookstore for more complete details including detailed descriptions of the
products, costs, and languages available. Order early as delivery time can be one to two weeks, depending on geographic location and customs clearance
practices.
CISA:
CISA Review Manual 2015
CISA Review Questions, Answers & Explanations Manual 2015
CISA Review Questions, Answers & Explanations Manual Supplement 2015
CISA Review Questions, Answers & Explanation Database, 12 month subscription
CISA Review Questions, Answers & Explanation Database V15 CD-ROM
CISA Online Review Course
CISM:
CISM Review Manual 2015
CISM Review Questions, Answers & Explanations Manual 2014
CISM Review Questions, Answers & Explanations Manual 2014 Supplement
CISM Review Questions, Answers & Explanations Manual 2015 Supplement
CISM Review Questions, Answers & Explanation Database, 12 month subscription
CISM Review Questions, Answers & Explanation Database V15 CD-ROM

CGEIT:
CGEIT Review Manual 2015
CGEIT Review Questions, Answers & Explanations Manual 2015
CGEIT Review Questions, Answers & Explanations Manual Supplement 2015
COBIT 5
CRISC:
CRISC Review Manual 2015
CRISC Review Questions, Answers & Explanations Manual 2015
CRISC Review Questions, Answers & Explanations Manual Supplement 2015
CRISC Review Questions, Answers & Explanation Database, 12 month subscription

ISACA Contact Information


Exam and exam registration
Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: exam@isaca.org
Certification
Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: certification@isaca.org
Study aids
Phone: +1.847.660.5650; Email: bookstore@isaca.org
ISACA membership
Phone: +1.847.660.5600; Email: membership@isaca.org
DOC: 2015 Exam Candidate's Guide
Version: V3
Update: 2015-03
