Summary
5 days
The CISM (Certified Information Systems Manager) Exam Preparation Boot Camp is designed to fully prepare you to become a Certified Information Systems Manager. CISM certification signifies commitment to serving an organization and the IS management, measurement, control and security industry with distinction. This course maps to the exam objectives and offers numerous features such as exam tips, case studies, and practice exams.
The Certified Information Systems Manager (CISM) program, sponsored by ISACA®, has been developed specifically for experienced information security managers and those who have information security management responsibilities.
Audience
The CISM Exam Preparation Boot Camp is specifically designed for candidates and prospective candidates for the CISM examination and for those wishing to expand their knowledge in the field of information systems management.
The CISM Exam Preparation Boot Camp is for the individual who manages, designs, oversees and/or assesses an enterprise's information security (IS).
Prerequisites
Participants must be familiar with common computer functions. This boot camp caters to those with no previous experience in security management, measurement, controls or auditing.
Certification
Requirements for CISM Certification
1. Successfully Pass the CISM Exam
Score a passing grade on the CISM exam. A passing score on the CISM examination, without completing the required work experience as outlined below, will only be valid for five years. If the applicant does not meet the CISM certification requirements within the five-year period, the passing score will be voided.
2. The Code of Professional Ethics
Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.
3. Continuing Education Policy
Continuing Education Program Objectives
The objectives of the continuing education program are to:
a. Maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, management, accounting and business areas related to specific industries (e.g., finance, insurance, business law, etc.)
b. Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification
c. Provide a mechanism for monitoring information systems audit, control and security professionals' maintenance of their competency
d. Aid top management in developing sound information systems audit, control and security functions by providing criteria for personnel selection and development
Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period. Upon completing the requirements for initial certification, the CISM will be provided with the CPE policy booklet for detailed criteria to be used in developing a personal CPE program.
4. Work Experience
Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.
Experience Substitutions
The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.
a. Two Years:
- Certified Information Systems Auditor (CISA) in good standing
- Certified Information Systems Security Professional (CISSP) in good standing
- Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
b. One Year:
- One full year of information systems management experience
- Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.
5. Submit an Application for CISM Certification
Once a CISM candidate has passed the CISM certification exam and has met the work experience requirements, the final step is to complete the CISM Application for Certification.
Student Materials
The student kit includes a comprehensive workbook and other necessary materials for this class.
Course Outline
CISM Job Practice Area 1: Information Security Governance (23% of exam)
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
Tasks:
1.1 Develop an information security strategy aligned with business goals and objectives.
1.2 Align information security strategy with corporate governance.
1.3 Develop business cases justifying investment in information security.
1.4 Identify current and potential legal and regulatory requirements affecting information security.
1.5 Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
1.6 Obtain senior management commitment to information security.
1.7 Define roles and responsibilities for information security throughout the organization.
1.8 Establish internal and external reporting and communication channels that support information security.
Knowledge Statements:
1.1 Knowledge of business goals and objectives
1.2 Knowledge of information security concepts
1.3 Knowledge of the components that comprise an information security strategy (e.g. processes, people, technologies, architectures)
1.4 Knowledge of the relationship between information security and business functions
1.5 Knowledge of the scope and charter of information security governance
1.6 Knowledge of the concepts of corporate and information security governance
1.7 Knowledge of methods of integrating information security governance into the overall enterprise governance framework
1.8 Knowledge of budgetary planning strategies and reporting methods
1.9 Knowledge of business case development
1.10 Knowledge of the types and impact of internal and external drivers (e.g. technology, business environment, risk tolerance) that may affect organizations and information security
1.11 Knowledge of regulatory requirements and their potential business impact from an information security standpoint
1.12 Knowledge of common liability management strategies and insurance options (e.g. crime or fidelity insurance, business interruptions)
1.13 Knowledge of third party relationships and their impact on information security (e.g. mergers and acquisitions)
1.14 Knowledge of methods used to obtain senior management commitment to information security
1.15 Knowledge of the establishment and operation of an information security steering group
1.16 Knowledge of information security management roles, responsibilities and general organizational structures
1.17 Knowledge of approaches for linking policies to enterprise business objectives
1.18 Knowledge of generally accepted international standards for information security management
1.19 Knowledge of centralized and distributed methods of coordinating information security activities
1.20 Knowledge of methods for establishing reporting and communication channels throughout an organization
CISM Job Practice Area 2: Information Risk Management (22% of exam)
Identify and manage information security risks to achieve business objectives.
Tasks:
2.1 Establish a process for information asset classification and ownership.
2.2 Implement a systematic and structured information risk assessment process.
2.3 Ensure that business impact assessments are conducted periodically.
2.4 Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
2.5 Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
2.6 Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., development, procurement and employment life cycles).
2.7 Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.
Knowledge Statements:
2.1 Knowledge of required components for establishing an information classification schema consistent with business objectives (including the identification of assets)
2.2 Knowledge of the components of information ownership schema (including drivers of the schema such as roles and responsibilities)
2.3 Knowledge of information threats, vulnerabilities and exposures
2.4 Knowledge of information resource valuation methodologies
2.5 Knowledge of risk assessment and analysis methodologies (including measurability, repeatability and documentation)
2.6 Knowledge of factors used to determine risk reporting frequency and requirements
2.7 Knowledge of quantitative and qualitative methods used to determine sensitivity and criticality of information resources and the impact of adverse events on the business
2.8 Knowledge of baseline modeling and its relationship to risk-based assessments of control requirements
2.9 Knowledge of information security controls and countermeasures
2.10 Knowledge of methods of analyzing effectiveness of information security controls and countermeasures
2.11 Knowledge of risk mitigation strategies used in defining security requirements for information resources
2.12 Knowledge of gap analysis to assess generally accepted standards of good practice for information security management against current state
2.13 Knowledge of cost benefit analysis techniques in assessing options for mitigating risks to acceptable levels
2.14 Knowledge of life-cycle-based risk management principles and practices
CISM Job Practice Area 3: Information Security Program Development (17% of exam)
Create and maintain a program to implement the information security strategy.
Tasks:
3.1 Develop and maintain plans to implement the information security strategy.
3.2 Specify the activities to be performed within the information security program.
3.3 Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
3.4 Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
3.5 Ensure the development of information security architectures (e.g., people, processes, technology).
3.6 Establish, communicate and maintain information security policies that support the security strategy.
3.7 Design and develop a program for information security awareness, training and education.
3.8 Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
3.9 Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
3.10 Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
3.11 Establish metrics to evaluate the effectiveness of the information security program.
Knowledge Statements:
3.1 Knowledge of methods to interpret strategies into manageable and maintainable plans for implementing information security
3.2 Knowledge of the types of activities required within an information security program
3.3 Knowledge of methods for managing the implementation of the information security program
3.4 Knowledge of planning, designing, developing, testing and implementing information security controls
3.5 Knowledge of methods to align information security program requirements with those of other assurance functions (e.g. physical, HR, quality, IT)
3.6 Knowledge of how to identify internal and external resources and skills requirements (e.g. finances, people, equipment, systems)
3.7 Knowledge of resources and skills acquisition (e.g. project budgeting, employment of contract staff, equipment purchase)
3.8 Knowledge of information security architectures (e.g. logical architectures and physical architectures) and their deployment
3.9 Knowledge of security technologies and controls (e.g. cryptographic techniques, access controls, monitoring tools)
3.10 Knowledge of the process for developing information security policies that meet and support enterprise business objectives
3.11 Knowledge of content for information security awareness, training and education across the enterprise (e.g. general security awareness, writing secure code, operating security controls)
3.12 Knowledge of methods to identify activities to close the gap between proficiency levels and skill requirements
3.13 Knowledge of activities to foster a positive security culture and behavior
3.14 Knowledge of the uses of and differences between policies, standards, procedures, guidelines and other documentation
3.15 Knowledge of the process for linking policies to enterprise business objectives
3.16 Knowledge of methods to develop, implement, communicate and maintain information security policies, standards, procedures, guidelines and other documentation
3.17 Knowledge of methods of integrating information security requirements into organizational processes (e.g. change control, mergers and acquisitions)
3.18 Knowledge of life cycle methodologies and activities (e.g. development, employment, procurement)
3.19 Knowledge of processes for incorporating security requirements into contracts (e.g. with joint ventures, outsourced providers, business partners, customers, third parties)
3.20 Knowledge of methods and techniques to manage third-party risks (e.g. service level agreements, contracts, due diligence, suppliers, sub-contractors)
3.21 Knowledge of the design, development and implementation of information security metrics
3.22 Knowledge of certifying and accrediting the compliance of business applications and infrastructures to business needs
3.23 Knowledge of methods for ongoing evaluation of the effectiveness and applicability of information security controls (e.g. vulnerability testing, assessment tools)
3.24 Knowledge of methods of tracking and measuring the effectiveness and currency of information security awareness, training and education
3.25 Knowledge of methods of sustaining the information security program (e.g. succession planning, allocation of jobs, documentation of the program)
CISM Job Practice Area 4: Information Security Program Management (24% of exam)
Oversee and direct information security activities to execute the information security program.
Tasks:
4.1 Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
4.2 Ensure that processes and procedures are performed in compliance with the organization's information security policies and standards.
4.3 Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
4.4 Ensure that information security is an integral part of the systems development process.
4.5 Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
4.6 Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
4.7 Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
4.8 Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
4.9 Ensure that noncompliance issues and other variances are resolved in a timely manner.
Knowledge Statements:
4.1 Knowledge of how to interpret information security policies and implement them
4.2 Knowledge of information security administrative processes and procedures (e.g., access controls, identity management, remote access)
4.3 Knowledge of methods for managing the enterprise's information security program through third parties (e.g., trade partners, contractors, joint ventures, outsourcing providers)
4.4 Knowledge of methods for managing the enterprise's information security program through security services providers
4.5 Knowledge of information security related contract provisions (e.g., right to audit, confidentiality, nondisclosure)
4.6 Knowledge of methods to define and monitor security requirements in service level agreements (SLA)
4.7 Knowledge of methods and approaches to providing continuous monitoring of security activities in the enterprise's infrastructure and business applications
4.8 Knowledge of management metrics to validate the information security program investment (e.g., data collection, periodic review, key performance indicators)
4.9 Knowledge of methods of testing the effectiveness and applicability of information security controls (e.g., penetration testing, password cracking, social engineering, assessment tools)
4.10 Knowledge of change and configuration management activities
4.11 Knowledge of the advantages/disadvantages of using internal/external assurance providers to perform information security reviews
4.12 Knowledge of due diligence activities, reviews and related standards for managing and controlling access to information
4.13 Knowledge of external vulnerability reporting sources for information on potential impacts on information security in applications and infrastructure
4.14 Knowledge of events affecting security baselines that may require risk reassessments and changes to information security program elements
4.15 Knowledge of information security problem management practices
4.16 Knowledge of reporting requirements of systems and infrastructure security status
4.17 Knowledge of general line management techniques including budgeting (e.g., estimating, quantifying, tradeoffs), staff management (e.g., motivating, appraising, objective-setting) and facilities (e.g., obtaining and using equipment)
CISM Job Practice Area 5: Incident Management & Response (14% of exam)
Plan, develop and manage a capability to detect, respond to and recover from information security incidents.
Tasks:
5.1 Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
5.2 Establish escalation and communication processes and lines of authority.
5.3 Develop plans to respond to and document information security incidents.
5.4 Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
5.5 Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
5.6 Integrate information security incident response plans with the organization's Disaster Recovery (DR) and Business Continuity Plan (BCP).
5.7 Organize, train and equip teams to respond to information security incidents.
5.8 Periodically test and refine information security incident response plans.
5.9 Manage the response to information security incidents.
5.10 Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.
Knowledge Statements:
5.1 Knowledge of the components of an incident response capability
5.2 Knowledge of recovery planning and business continuity planning
5.3 Knowledge of information incident management practices
5.4 Knowledge of disaster recovery testing for infrastructure and critical business applications
5.5 Knowledge of events that trigger incident response
5.6 Knowledge of methods of containing damage
5.7 Knowledge of notification and escalation processes for effective security management
5.8 Knowledge of the role of individuals in identifying and managing security incidents
5.9 Knowledge of crisis communications
5.10 Knowledge of methods of identifying business resources essential to recovery
5.11 Knowledge of the types and sources of tools and equipment required to adequately equip incident response teams
5.12 Knowledge of forensic requirements for collecting, preserving and presenting evidence (e.g. admissibility, quality and completeness of evidence, chain of custody)
5.13 Knowledge used to document incidents and subsequent actions
5.14 Knowledge of internal and external reporting requirements
5.15 Knowledge of post-incident review practices and investigative methods to identify causes and determine corrective actions
5.16 Knowledge of techniques for quantifying damages, costs and other business impacts arising from security incidents
5.17 Knowledge of Recovery Time Objective (RTO) and its relationship to business continuity planning objectives and processes
Price
$2,995.00
$2,845.25 CAD (online only)
Contact
1 (866) 635-5353
sales@ctesolutions.com