book

CISM Certified Information Security Manager All-in-One Exam Guide, Second Edition, 2nd Edition

Name: CISM Certified Information Security Manager All-in-One Exam Guide, Second Edition, 2nd Edition
Author: Peter H. Gregory
ISBN: 9781264268320

by Peter H. Gregory

October 2022

Intermediate to advanced

656 pages

20h 51m

English

McGraw-Hill

Read now

Unlock full access

Cover
Title Page
Copyright Page
Dedication
About the Author
Contents at a Glance
Contents
Acknowledgments
Introduction
Part I Information Security Governance

Chapter 1 Enterprise Governance
Introduction to Information Security GovernanceReason for Security GovernanceSecurity Governance Activities and ResultsBusiness AlignmentOrganizational CultureAcceptable Use PolicyEthicsLegal, Regulatory, and Contractual RequirementsOrganizational Structure, Roles, and ResponsibilitiesOrganizational RolesBoard of DirectorsExecutive ManagementSecurity Steering CommitteeBusiness Process and Business Asset OwnersCustodial ResponsibilitiesChief Information Security OfficerChief Privacy OfficerChief Compliance OfficerSoftware DevelopmentData ManagementNetwork ManagementSystems ManagementIT OperationsGovernance, Risk, and ComplianceBusiness ResilienceSecurity OperationsSecurity AuditService DeskQuality AssuranceOther RolesGeneral StaffMonitoring ResponsibilitiesChapter ReviewNotesQuestionsAnswers
Chapter 2 Information Security Strategy
Information Security Strategy DevelopmentStrategy ObjectivesStrategy ParticipantsStrategy ResourcesStrategy DevelopmentStrategy ConstraintsInformation Governance Frameworks and StandardsBusiness Model for Information SecurityThe Zachman FrameworkThe Open Group Architecture FrameworkISO/IEC 27001NIST Cybersecurity FrameworkNIST Risk Management FrameworkStrategic PlanningRoadmap DevelopmentDeveloping a Business CaseChapter ReviewNotesQuestionsAnswers
Part II Information Security Risk Management
Chapter 3 Information Security Risk Assessment
Emerging Risk and Threat LandscapeThe Importance of Risk ManagementOutcomes of Risk ManagementRisk ObjectivesRisk Management TechnologiesImplementing a Risk Management ProgramThe Risk Management Life CycleVulnerability and Control Deficiency AnalysisRisk Assessment and AnalysisThreat IdentificationRisk IdentificationRisk Likelihood and ImpactRisk Analysis Techniques and ConsiderationsRisk Management and Business Continuity PlanningThe Risk RegisterIntegration of Risk Management into Other ProcessesChapter ReviewNotesQuestionsAnswers
Chapter 4 Information Security Risk Response
Risk Treatment / Risk Response OptionsRisk MitigationRisk TransferRisk AvoidanceRisk AcceptanceEvaluating Risk Response OptionsCosts and BenefitsResidual RiskIterative Risk TreatmentRisk Appetite, Capacity, and ToleranceLegal and Regulatory ConsiderationsThe Risk RegisterRisk and Control OwnershipRisk OwnershipControl OwnershipRisk Monitoring and ReportingKey Risk IndicatorsTraining and AwarenessRisk DocumentationChapter ReviewNotesQuestionsAnswers
Part III Information Security Risk Management
Chapter 5 Information Security Program Development
Information Security Program ResourcesTrendsOutcomesCharterScopeInformation Security ProcessesInformation Security TechnologiesInformation Asset Identification and ClassificationAsset Identification and ValuationAsset ClassificationAsset ValuationIndustry Standards and Frameworks for Information SecurityControl FrameworksInformation Security Management FrameworksInformation Security ArchitectureInformation Security Policies, Procedures, and GuidelinesPolicy DevelopmentStandardsGuidelinesRequirementsProcesses and ProceduresInformation Security Program MetricsTypes of MetricsAudiencesThe Security Balanced ScorecardChapter ReviewNotesQuestionsAnswers
Chapter 6 Information Security Program Management
Information Security Control Design and SelectionControl ClassificationControl ObjectivesGeneral Computing ControlsControls: Build Versus BuyControl FrameworksInformation Security Control Implementation and IntegrationsControls DevelopmentControl ImplementationSecurity and Control OperationsInformation Security Control Testing and EvaluationControl MonitoringControl Reviews and Audits
Information Security Awareness and Training
Security Awareness Training ObjectivesCreating or Selecting Content for Security Awareness TrainingSecurity Awareness Training AudiencesAwareness Training CommunicationsManagement of External ServicesBenefits of OutsourcingRisks of OutsourcingIdentifying Third PartiesCloud Service ProvidersTPRM Life CycleRisk Tiering and Vendor ClassificationAssessing Third PartiesProactive Issue RemediationResponsive Issue RemediationSecurity IncidentsInformation Security Program Communications and ReportingSecurity OperationsRisk ManagementInternal PartnershipsExternal PartnershipsCompliance ManagementSecurity Awareness TrainingTechnical ArchitecturePersonnel ManagementProject and Program ManagementBudgetIT Service ManagementService DeskIncident ManagementProblem ManagementChange ManagementConfiguration ManagementRelease ManagementService-Level ManagementFinancial ManagementCapacity ManagementService Continuity ManagementAvailability ManagementAsset ManagementContinuous ImprovementChapter ReviewNotesQuestionsAnswers
Part IV Incident Management
Chapter 7 Incident Management Readiness
Incident Response PlanSecurity Incident Response OverviewIncident Response Plan DevelopmentBusiness Impact AnalysisInventory of Key Processes and SystemsStatements of ImpactCriticality AnalysisDetermine Maximum Tolerable DowntimeDetermine Maximum Tolerable OutageEstablish Key Recovery TargetsBusiness Continuity Plan (BCP)Business Continuity PlanningDisaster Recovery Plan (DRP)Disaster Response Teams’ Roles and ResponsibilitiesRecovery ObjectivesIncident Classification/CategorizationIncident Management Training, Testing, and EvaluationSecurity Incident Response TrainingBusiness Continuity and Disaster Response TrainingTesting Security Incident Response PlansTesting Business Continuity and Disaster Recovery PlansEvaluating Business Continuity PlanningEvaluating Disaster Recovery PlanningEvaluating Security Incident ResponseChapter ReviewNotesQuestionsAnswers
Chapter 8 Incident Management Operations
Incident Management Tools and TechniquesIncident Response Roles and ResponsibilitiesIncident Response Tools and TechniquesIncident Investigation and EvaluationIncident DetectionIncident InitiationIncident AnalysisIncident Containment MethodsIncident Response CommunicationsCrisis Management and CommunicationsCommunications in the Incident Response PlanIncident Response Metrics and ReportingIncident Eradication, and RecoveryIncident EradicationIncident RecoveryIncident RemediationPost-incident Review PracticesClosurePost-incident ReviewChapter ReviewNotesQuestionsAnswers
Part V Appendix and Glossary
Appendix About the Online Content
System RequirementsYour Total Seminars Training Hub AccountPrivacy NoticeSingle User License Terms and ConditionsTotalTester OnlineTechnical Support
Glossary
Index

Content preview from CISM Certified Information Security Manager All-in-One Exam Guide, Second Edition, 2nd Edition

GLOSSARY

0-day See zero-day.

A-123 A U.S. Office of Management and Budget (OMB) government circular that defines the management responsibilities for internal controls in federal agencies.

acceptable interruption window (AIW) See maximum tolerable downtime (MTD).

acceptable use policy (AUP) A security policy that defines the types of activities that are acceptable and those that are unacceptable in an organization, written for general audiences and applying to all personnel.

access bypass Any attempt by an intruder to bypass access controls to gain entry into a system.

access control Any means that detects or prevents unauthorized access and that permits authorized access.

access control policy A statement that defines the policy for ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, 3rd Edition

Publisher Resources

ISBN: 9781264268320

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

CISM Certified Information Security Manager All-in-One Exam Guide, Second Edition, 2nd Edition

by Peter H. Gregory

GLOSSARY

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.