Mahinda - CISM Guide (Old)

The CISM Guide outlines key components of Information Security Governance, including enterprise governance, organizational culture, and the development of information security strategies. It emphasizes the importance of risk management, security program resources, and incident management readiness and operations. The document serves as a comprehensive framework for aligning business objectives with information security efforts and ensuring effective incident response and recovery processes.
CISM Guide

Mahinda Jayasundara
1 INFORMATION SECURITY GOVERNANCE
1.1 ENTERPRISE GOVERNANCE
1.2 ORGANIZATIONAL CULTURE
1.3 INFORMATION SECURITY STRATEGY
1.3.1 Information Security Strategy Development
1.3.2 Information Governance Frameworks and Standards
1.3.3 Strategic Planning
2 INFORMATION SECURITY RISK MANAGEMENT
3 INFORMATION SECURITY PROGRAM
3.1 SECURITY PROGRAM RESOURCES
3.1.1 Policies
3.1.2 Processes
3.1.3 Procedures
3.1.4 Standards
3.1.5 Guidelines
3.1.6 Architecture
3.1.7 Controls
3.1.8 Metrics
3.1.9 Assets
3.1.10 Risk Ledgers
3.1.11 Vulnerability Assessments
3.1.12 Insurance
3.1.13 Critical Data
3.1.14 BIAs
3.1.15 BC/DR Planning
3.1.16 Incident Logs
3.1.17 Audits
3.1.18 Culture
3.1.19 Security Training
3.1.20 Third Party Risk
3.1.21 LCR Requirements
3.2 SECURITY PROGRAM IMPLEMENTATION
3.3 SECURITY ROLES AND METRICS
4 INCIDENT MANAGEMENT
4.1 INCIDENT MANAGEMENT READINESS
4.1.1 Incident Response Plan
4.1.2 Business Impact Analysis (BIA)
4.1.3 Business Continuity Plan (BCP)
4.1.4 Disaster Recovery Plan (DRP)
4.1.5 Incident Classification/Categorization
4.1.6 Incident Management Training, Testing and Evaluation
4.2 INCIDENT MANAGEMENT OPERATIONS
4.2.1 Incident Management Tools and Techniques
4.2.2 Incident Investigation and Evaluation
4.2.3 Incident Containment Methods
4.2.4 Incident Response Communications (e.g., reporting, notification, escalation)
4.2.5 Incident Eradication and Recovery
4.2.6 Post-incident Review Practices

1 Information Security Governance
1.1 Enterprise Governance
- Governance is oversight: checking whether what should be done is actually being done
- Purpose of IS governance: alignment between Business Objectives and Information Security Efforts
- Primary objective of IS governance: the CIA Triad (Confidentiality, Integrity, Availability)
- Outcome of IS governance: Internal and External Trust / Reputation

1.2 Organizational Culture

- BMIS (Business Model for Information Security): used to identify and influence Culture
- Key aspects of BMIS:
  - Alignment
  - Risk-based approach
  - Balance across the organisation

1.3 Information Security Strategy

1.3.1 Information Security Strategy Development

Scope of defining a strategy:
- Where we want to be: use a framework
- Where we are now: Assessment (Security, Risk, Threat, Compliance)
- What the gaps are: Gap assessment (align the strategy to cover the gaps)

4 main aspects of a strategy:
- Alignment
- Manage Risk
- Manage Resources
- Measure Performance (use Metrics)

1.3.2 Information Governance Frameworks and Standards

- COBIT from ISACA (IT process): Control Objectives for Information and related Technologies
- ISO/IEC 27001 (IS management): Risk Management
- ITIL / ISO/IEC 20000: for IT management processes
- PCI DSS: for credit cards
- HIPAA: for health care ePHI (Electronic Protected Health Information)
- NIST SP 800-53: Federal / Military / all DoD contractors (Nov 2020); 18 categories
- NIST Cyber Security Framework (CSF): risk-based
- CIS Top 20 (SANS Top 20)

1.3.3 Strategic Planning

- SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats): do it on each process or strategic area
- CMM (Capability Maturity Model): scale of maturity for processes
- Road Map development


2 Information Security Risk Management
3 Information Security Program
3.1 Security Program Resources

3.1.1 Policies
- Intent of the organisation
- Assess policies: they should be reviewed and updated regularly

3.1.2 Processes
- Sit between Policy and Procedure
- Plan for who is responsible / who does the work

3.1.3 Procedures
- How to do it
- Technical

3.1.4 Standards
- Rules/guidelines to adhere to
- Help to do things in an approved way
- Examples:
  - NIST (National Institute of Standards and Technology)
  - ISO 27000
  - FISMA

3.1.5 Guidelines
- Recommendations for doing things
- Bridge Policies with Technology/Configuration

3.1.6 Architecture
- Servers / Networks / Data flows

3.1.7 Controls
- Reduce risk
- Examples: Firewall / Anti-Virus / Cameras / Security system
- Questions to ask: Are they in place? Are they updated? Do they work? Are they monitored?

3.1.8 Metrics
- Values and data that show the state of the IS program

3.1.9 Assets

3.1.10 Risk Ledgers


3.1.11 Vulnerability Assessments

3.1.12 Insurance

3.1.13 Critical Data

3.1.14 BIAs

3.1.15 BC/DR Planning

3.1.16 Incident Logs

3.1.17 Audits

3.1.18 Culture

3.1.19 Security Training

3.1.20 Third Party Risk

3.1.21 LCR Requirements


3.2 Security Program Implementation

3.3 Security Roles and Metrics


4 Incident Management
4.1 Incident Management Readiness

4.1.1 Incident Response Plan

4.1.2 Business Impact Analysis (BIA)

4.1.3 Business Continuity Plan (BCP)

4.1.4 Disaster Recovery Plan (DRP)

4.1.5 Incident Classification/Categorization

4.1.6 Incident Management Training, Testing and Evaluation

4.2 Incident Management Operations

4.2.1 Incident Management Tools and Techniques

4.2.2 Incident Investigation and Evaluation

4.2.3 Incident Containment Methods

4.2.4 Incident Response Communications (e.g., reporting, notification, escalation)

4.2.5 Incident Eradication and Recovery

4.2.6 Post-incident Review Practices
