Different from other information security certifications, CISM focuses on the combination of management and technology. It requires the certifier to understand various mainstream technologies and standards in the field of information system security, and have practical experience in information system security management (the official ISCA requirement is 5 years including 3 years of management experience), to examine how information security managers effectively perform management tasks. The usual question in the exam is: in this case, what is the best practice for an information security manager or what action should be taken first. The CISM exam questions are based on the problems and challenges that the company will encounter in actual operations, verifying whether the candidates have the knowledge and skills required to perform a specific task.
The exam format is to complete 150 multiple-choice questions within 4 hours, with a full score of 800 points and a minimum passing score of 450 points. Of course, if you do not receive training and learning, you will not be able to pass the test. ISACA did not disclose the specific scoring standards, and there was no detailed analysis of the test result notification received.
The examination content is divided into four areas, namely information security governance, information security risk management, information security plan development and management, and information security incident management. These four fields are interrelated and influence each other and form the core logic of enterprise information security management. In the process of learning and practicing, some knowledge points and questions will appear repeatedly. Among them, the field of information security risk management is more difficult, with more concepts and knowledge points, and the topic form is flexible, which needs to be paid close attention to.
Most of the personnel participating in the CISM training and certification have considerable information security management experience, and some practical operations are slightly different from the concepts and teaching materials of ISACA. From the perspective of the examination, we need to be consistent with ISACA and fully understand and master the essentials.
Today we are going to talk about the first area, which is information security governance. The following is a summary of some knowledge points and some suggestions
Information security governance is the top-down security management and control and risk management in the organization. Information security governance is the top-down security management and control and risk management in the organization. Governance is typically through a steering committee, composed of senior executives from across the organization who are responsible for developing the overall strategic direction and policies to ensure that the security strategy is aligned with the goals of the organization's business strategy. The vision of the steering Committee is the task of guiding the organization through projects to achieve strategic goals. The steering committee can monitor progress and effectiveness through indicators and balanced scorecards.
It is necessary to fully understand the responsibilities of personnel and departments at different levels in the enterprise, such as the steering committee, senior management, department managers, key users, information security managers, information technology operation and maintenance departments, data owners (Owners) and data custody (Custodian).
Distinguish the Policy, Standard, Procedure, and Guideline.
The results of effective information security governance include alignment with business strategy, risk management, value realization, resource optimization, performance measurement, and integration. Integration means that information security should be integrated with business processes, and cooperate with other relevant departments (such as internal control, audit, etc.) to achieve resource optimization and value maximization. GRC is an integrated process.
The purpose of information security management is to manage risk at an acceptable level. You need to master the risk profile and risk appetite and understand the influence of organizational culture on risk appetite.
The goal is the description of the ideal state, and the strategy provides a road map to the ideal state. It is necessary to analyze the gap between the current state and the ideal state. You have to learn to use the different stages of the capability maturity model to locate and analyze the status quo.
You need to know three indicators, namely KPI, KGI, and KRI.
The information security manager needs to obtain the support of the management and establish a relationship of trust and cooperation with the management and department managers.