Updated: Jan 3
In this part we cover the information security incident management domain, the technical knowledge the exam expects, the standards and frameworks it touches on, and some points to watch out for in the exam itself.
Summary of Information Security Incident Management
This domain mainly covers developing effective incident response plans and understanding how they relate to the Business Impact Analysis (BIA), the Disaster Recovery Plan (DRP), and the Business Continuity Plan (BCP).
(1) You need to understand severity criteria (how bad an incident is), declaration criteria (when an event is formally declared an incident), escalation criteria (when it must be raised to a higher level), and the escalation procedures themselves.
(2) You need to know the types of recovery sites: mirror sites, hot sites, warm sites, and cold sites. Much of this material ties back to the RTO and RPO discussed earlier: the shorter the RTO a process can tolerate, the closer to a hot or mirror site its recovery option must be, and the more it costs.
(3) Testing of incident management procedures is also an important part. You need to understand the practical meaning and effect of each type of test (checklist review, walkthrough or tabletop, simulation, parallel test, and full interruption test) and, as an information security manager, which test method is the best choice in a given situation.
(4) Incident management involves forensics, so you should understand chain of custody and the local law that governs evidence handling.
(5) Incident management also requires management's support and commitment, and must be aligned with business goals.
This part should be relatively easy to score in, but it is not surprising to lose points on less common knowledge and special cases.
Technical knowledge of CISM exam
The CISM exam combines management and technology. It requires some hands-on technical experience but does not go into low-level technical detail; breadth of knowledge matters more than depth. The key technical knowledge points to review are as follows:
Cross-site scripting (XSS): a vulnerability that lets an attacker inject malicious client-side script into pages served by a trusted site, so that the script runs in other users' browsers with that site's privileges (for example, reading the session cookie or acting as the user).
Cross-Site Request Forgery (CSRF, also written XSRF, and also known as one-click attack or session riding): an attack in which a malicious site makes the user's browser send an unintended, state-changing request to a web application the user is currently logged in to; the browser attaches the session cookie automatically, so the application cannot tell the forged request from a genuine one. In contrast to XSS, which exploits the trust a user has in a given site, CSRF exploits the trust a site has in the user's browser.
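As an added example (not from the original article), here is a small Python model of both attacks and their standard mitigations: HTML-escaping output for XSS, and a per-session CSRF token checked with a constant-time comparison on every state-changing request. The function names, the session id and the server secret are constructed for the demonstration:

```python
import hashlib
import hmac
import html

# Constructed server-side secret for this example; a real application loads it
# from configuration and never hard-codes it.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def render_comment_vulnerable(comment: str) -> str:
    """XSS: untrusted input is concatenated straight into the page, so a
    comment such as <script>...</script> becomes live markup for every viewer."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-escape the input so the browser treats it as text."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def csrf_token_for(session_id: str) -> str:
    """Derive a CSRF token bound to the session. A forging site cannot read it,
    because the same-origin policy keeps the victim's page contents private."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing handler. The browser attaches the session cookie to any
    request, so the session alone proves nothing; the token must match too."""
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 rejected: missing or wrong CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable(payload))   # script tag survives: XSS
    print(render_comment_safe(payload))         # rendered as &lt;script&gt;...

    session = "sess-42"  # constructed session id
    # Forged request from an attacker's page: cookie present, token absent.
    print(handle_transfer(session, {"amount": "1000", "to": "attacker"}))  # 403
    # Legitimate form on the real site includes the token.
    form = {"amount": "1000", "to": "bob", "csrf_token": csrf_token_for(session)}
    print(handle_transfer(session, form))  # 200
```

The CSRF defence works because the attacker's page can trigger the request but cannot read the token out of the victim's page; marking the session cookie SameSite=Lax or Strict is a complementary browser-side control.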
SQL Injection Attack
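As an added example that is not part of the original article, the following Python script shows the vulnerable and the parameterised form of a login query against a constructed SQLite table (sqlite3 from the standard library; the table contents and function names are assumptions for the demonstration):

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (plaintext passwords only to keep the
    example short; real systems store salted password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by string formatting, so quotes in the input
    change the SQL itself."""
    sql = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the statement is fixed and the values are bound
    separately, so the input is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Comment out the password check: "--" turns the rest of the line into a comment.
    print(login_vulnerable(conn, "alice' --", "anything"))   # [('alice', 'admin')]
    # Tautology: every row satisfies ... OR '1'='1'.
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))  # both rows
    print(login_safe(conn, "alice' --", "anything"))        # []
    print(login_safe(conn, "nobody", "' OR '1'='1"))        # []
    print(login_safe(conn, "bob", "hunter2"))               # [('bob', 'user')]
```

The parameterised version is the fix; input filtering alone is not, because the set of characters that change SQL meaning depends on the database and the query context.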
Man-in-the-middle (MitM) attack
Certificate-based authentication of web clients (client certificates / mutual TLS)
Public key infrastructure (PKI)
Encryption and decryption
Firewalls, VPNs, DMZs, etc.
Role-based access control (RBAC): permissions are attached to roles, and users obtain permissions only through the roles assigned to them.
Mandatory access control (MAC): access to a file is decided by comparing the file's security classification with the user's clearance, and the policy is set centrally rather than by the file's owner. This prevents users from sharing files with unauthorized users, because an owner cannot grant access to someone whose clearance does not cover the file.
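An added example, not from the original article, contrasting the models in Python: a discretionary share that the owner controls, an RBAC check on roles, and a mandatory (Bell-LaPadula style, no read up / no write down) check that ignores the owner's share list entirely. The users, roles, clearances and labels are constructed for the demonstration:

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels for the example (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Self is at least as high as other and holds all of its compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Document:
    name: str
    owner: str
    label: Label                                   # set by the classification authority
    shared_with: set = field(default_factory=set)  # owner-managed (DAC) list


# Constructed example data.
ROLE_PERMS = {"analyst": {"read"}, "editor": {"read", "write"}}
USER_ROLES = {"alice": {"editor"}, "bob": {"analyst"}, "eve": set()}
USER_CLEARANCE = {
    "alice": Label("secret", frozenset({"finance"})),
    "bob": Label("internal"),
    "eve": Label("public"),
}


def share(doc: Document, user: str) -> None:
    """The owner tries to grant access the discretionary way."""
    doc.shared_with.add(user)


def dac_allows(user: str, doc: Document, action: str) -> bool:
    """Discretionary check: the owner, or anyone the owner shared with, may read."""
    return user == doc.owner or (action == "read" and user in doc.shared_with)


def rbac_allows(user: str, action: str) -> bool:
    """Role-based check: the action must be granted to one of the user's roles."""
    return any(action in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


def mac_allows(user: str, doc: Document, action: str) -> bool:
    """Mandatory check: no read up, no write down. The owner's shared_with
    list is deliberately ignored; only clearance versus label counts."""
    clearance = USER_CLEARANCE[user]
    if action == "read":
        return clearance.dominates(doc.label)
    if action == "write":
        return doc.label.dominates(clearance)
    return False


def authorize(user: str, doc: Document, action: str) -> bool:
    """Both policies must agree; MAC cannot be overridden by role or owner."""
    return rbac_allows(user, action) and mac_allows(user, doc, action)


if __name__ == "__main__":
    forecast = Document("q3-forecast", "alice", Label("secret", frozenset({"finance"})))
    share(forecast, "bob")                        # alice tries to share a secret file
    print(dac_allows("bob", forecast, "read"))    # True: DAC honours the share
    print(authorize("bob", forecast, "read"))     # False: bob's clearance is too low
    memo = Document("memo", "bob", Label("internal"))
    print(authorize("alice", memo, "write"))      # False: no write down
    print(authorize("bob", memo, "read"))         # True
```

The point the exam tests is visible in the two checks on `forecast`: the owner's share succeeds under DAC and is irrelevant under MAC, so the secret document never reaches a user cleared only to internal.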
WPA2 (with AES-CCMP) is still the most widely deployed secure authentication and encryption protocol in mainstream wireless products; WPA3 is its successor, and a WPA2-Personal network is only as strong as its pre-shared key.
WEP is no longer a secure encryption mechanism for wireless communication; readily available cracking tools can recover a WEP key within minutes.
IDS (intrusion detection system): the characteristics and differences between a statistical anomaly-based IDS, which alerts on deviation from a learned baseline of normal behaviour and so can catch novel attacks at the cost of more false positives, and a signature-based IDS, which matches known attack patterns with few false positives but cannot detect an attack it has no signature for.
SIEM: collects event log entries from many sources, normalizes and correlates them, generates alerts, and sends them to the relevant personnel for investigation and action.
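An added example covering both the IDS entry above and the SIEM entry, not from the original article: a signature rule, a statistical anomaly rule, and a SIEM-style correlation rule run over a constructed set of events in Python. The event fields, the baseline counts and the thresholds are assumptions for the demonstration:

```python
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample events (not real logs): two web hits from one client, a
# failed-then-successful login burst from another, one ordinary login, and a
# flood of 200 requests from a third client.
EVENTS = [
    {"ts": 1, "src": "203.0.113.7", "kind": "http", "path": "/index.html"},
    {"ts": 2, "src": "203.0.113.7", "kind": "http", "path": "/search?q=%27%20OR%201%3D1--"},
    {"ts": 3, "src": "198.51.100.9", "kind": "login", "user": "alice", "result": "failed"},
    {"ts": 4, "src": "198.51.100.9", "kind": "login", "user": "alice", "result": "failed"},
    {"ts": 5, "src": "198.51.100.9", "kind": "login", "user": "alice", "result": "failed"},
    {"ts": 6, "src": "198.51.100.9", "kind": "login", "user": "alice", "result": "success"},
    {"ts": 7, "src": "192.0.2.44", "kind": "login", "user": "bob", "result": "failed"},
    {"ts": 8, "src": "192.0.2.44", "kind": "login", "user": "bob", "result": "success"},
] + [{"ts": 10, "src": "203.0.113.50", "kind": "http", "path": f"/item/{i}"} for i in range(200)]

# Constructed baseline: requests per client observed in earlier, normal windows.
BASELINE_PER_SOURCE = [12, 15, 9, 14, 11, 13, 10, 16]

# Signature-based IDS: known attack patterns, matched after URL-decoding.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(events):
    """Fires only on patterns it already knows; a novel attack is missed."""
    alerts = []
    for e in events:
        if e["kind"] != "http":
            continue
        decoded = unquote(e["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((name, e["src"], e["path"]))
    return alerts


def anomaly_alerts(events, baseline, k=3.0):
    """Statistical anomaly IDS: flag any client whose request count exceeds
    mean + k * stdev of the baseline. Needs no signature, but a busy
    legitimate client trips it too (false positive)."""
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    counts = Counter(e["src"] for e in events if e["kind"] == "http")
    return [(src, n) for src, n in counts.items() if n > threshold]


def correlate_brute_force(events, min_failures=3, window=60):
    """SIEM-style correlation across events: N failed logins from one source
    followed by a success within the window says more than any single line."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "login":
            continue
        src = e["src"]
        if e["result"] == "failed":
            failures[src].append(e["ts"])
            continue
        recent = [t for t in failures[src] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append(("brute-force-then-success", src, e["user"], len(recent)))
        failures[src].clear()
    return alerts


if __name__ == "__main__":
    print(signature_alerts(EVENTS))                     # one sqli-tautology hit from 203.0.113.7
    print(anomaly_alerts(EVENTS, BASELINE_PER_SOURCE))  # [('203.0.113.50', 200)]
    print(correlate_brute_force(EVENTS))                # [('brute-force-then-success', '198.51.100.9', 'alice', 3)]
```

Each rule sees something the others cannot: the signature rule catches the encoded SQL tautology but would miss a variant it has no pattern for, the anomaly rule catches the flood without knowing what it is, and only the correlation across login events turns three unremarkable failures plus one success into an alert.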
Cloud Access Security Brokers (CASB): a policy enforcement point placed between users and the cloud services they use, giving the organization visibility into and control over cloud usage. I expect more cloud service management knowledge points in the CISM exam in the future.
The CISM exam also requires broad technical knowledge and understanding of the IT field.
In addition, with the widespread adoption of cloud computing in enterprises, cloud service security management may account for a larger share of the CISM exam, so it is worth building up some technical knowledge in that area.
Regulations, standards, and frameworks related to CISM
The official CISM textbooks reference many industry standards and frameworks:
Security architecture, such as the Sherwood Applied Business Security Architecture (SABSA) and the Zachman framework.
Security management frameworks, such as ISO/IEC 27001, COBIT, and the NIST Cybersecurity Framework.
Control frameworks and standards, such as COBIT, ITIL, PCI DSS, the CIS Controls, the NIST SP 800 series, and ISO/IEC 27001 with its Annex A controls.
Security laws and regulations, such as GDPR and HIPAA.
The exam does not test the specific clauses of these standards. However, an information security manager should understand their overall structure, the industries they apply to, and their way of reasoning, and can use them as a direction for continuous learning (combined with one's own situation and industry).
The test time
The CISM exam consists of 150 multiple-choice questions to be completed within 4 hours. In my experience there is plenty of time. If you run into a question you are not sure about, mark it and come back to it later. The exam software interface is very user-friendly; if you are unsure how to operate it, ask the invigilator.
Read each question carefully. Do not take seemingly simple questions for granted; try to work out the intention of the question setter and the key point being tested.
Among the four options you will certainly meet cases where two answers look close or both seem correct. Compare your current choice with the others and check whether they share the same idea. If they do, your current answer may be wrong: a question has only one correct answer, so two options that say essentially the same thing cannot both be it, and the real answer is probably one you have not considered. Look for a more appropriate option, or reconsider what the question is actually asking.
The above is my personal summary of this certification exam; I hope it is helpful.
Check out part 1 and part 2 of this article from here: