ISACA CISM Training Boot Camp

Day 1: Information security governance

• Information security concepts
• Relationship between information security and business operations
• Techniques used to secure senior management commitment and support of information security management
• Methods of integrating information security governance into the overall enterprise governance framework
• Practices associated with an overall policy directive that captures senior management
• Level direction and expectations for information security in laying the foundation for information security management within an organization
• An information security steering group function
• Information security management roles, responsibilities and organizational structure
• Areas of governance (e.g., risk management, data classification management, network security, system access)
• Centralized and decentralized approaches to coordinating information security
• Legal and regulatory issues associated with internet businesses, global transmissions and transborder data flows (e.g., privacy, tax laws and tariffs, data import/export restrictions, restrictions on cryptography, warranties, patents, copyrights, trade secrets, national security)
• Common insurance policies and imposed conditions (e.g., crime or fidelity insurance, business interruption)
• Requirements for the content and retention of business records and compliance
• Process for linking policies to enterprise business objectives
• Function and content of essential elements of an information security program (e.g., policy statements, procedures and guidelines)
• Techniques for developing an information security process improvement model for sustainable and repeatable information security policies and procedures
• Information security process improvement and its relationship to traditional process management, security architecture development and modeling, and security infrastructure
• Generally accepted international standards for information security management and related process improvement models
• The key components of cost-benefit analysis and enterprise transformation/migration plans (e.g., architectural alignment, organizational positioning, change management, benchmarking, market/competitive analysis)
• Methodology for business case development and computing enterprise value proposition

Day 2: Risk management

• Information resources used in support of business processes
• Information resource valuation methodologies
• Information classification
• The principles of development of baselines and their relationship to risk-based assessments of control requirements
• Life-cycle-based risk management principles and practices
• Threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information resources
• Quantitative and qualitative methods used to determine sensitivity and criticality of information resources and the impact of adverse events
• Use of gap analysis to assess generally accepted standards of good practice for information security management against current state
• Recovery time objectives (RTO) for information resources and how to determine RTO
• RTO and how it relates to business continuity and contingency planning objectives and processes
• Risk mitigation strategies used in defining security requirements for information resources supporting business applications
• Cost-benefit analysis techniques in assessing options for mitigating risks threats and exposures to acceptable levels
• Managing and reporting status of identified risks

Day 3: Information security program development and management

• Methods to develop an implementation plan that meets security requirements identified in risk analyses
• Project management methods and techniques
• The components of an information security governance framework for integrating security principles, practices, management and awareness into all aspects and all levels of the enterprise
• Security baselines and configuration management in the design and management of business applications and the infrastructure
• Information security architectures (e.g., single sign-on, rules-based as opposed to list-based system access control for systems, limited points of systems administration)
• Information security technologies (e.g., cryptographic techniques and digital signatures, enabling management to select appropriate controls)

• Security procedures and guidelines for business processes and infrastructure activities
• Systems development life cycle methodologies (e.g., traditional SDLC, prototyping)
• Planning, conducting, reporting and follow-up of security testing
• Assessing and authorizing the compliance of business applications and infrastructure to the enterprise’s information security governance framework
• Types, benefits and costs of physical, administrative and technical controls
• Planning, designing, developing, testing and implementing information security requirements into an enterprise’s business processes
• Security metrics design, development and implementation
• Acquisition management methods and techniques (e.g., evaluation of vendor service level agreements, preparation of contracts)

Day 4: Information security program development and management (continued)

• How to interpret information security policies into operational use
• Information security administration process and procedures
• Methods for managing the implementation of the enterprise’s information security program through third parties, including trading partners and security services providers
• Continuous monitoring of security activities in the enterprise’s infrastructure and business applications
• Methods used to manage success/failure in information security investments through data collection and periodic review of key performance indicators
• Change and configuration management activities
  Information security management due diligence activities and reviews of the infrastructure
• Liaison activities with internal/external assurance providers performing information security reviews
• Due diligence activities, reviews and related standards for managing and controlling access to information resources
• External vulnerability reporting sources, which provide information that may require changes to the information security in applications and infrastructure
• Events affecting security baselines that may require risk reassessments and changes to information security requirements in security plans, test plans and reperformance
• Information security problem management practices
• Information security manager facilitative roles as change agents, educators and consultants
• Ways in which cultural and socially acceptable differences affect the behavior of staff
• Activities that can change cultural and socially acceptable behavior of staff
• Methods and techniques for security awareness training and education

Day 5: Information security incident management

• Components of an incident response capability
• Information security emergency management practices (e.g., production change control activities, development of computer emergency response team)
• Disaster recovery planning and business recovery processes
• Disaster recovery testing for infrastructure and critical business applications
• Escalation processes for effective security management
• Intrusion detection policies and processes
• Help desk processes for identifying security incidents reported by users and distinguishing them from other issues dealt with the help desks
• Notification process in managing security incidents and recovery (e.g., automated notice and recovery mechanisms in response to virus alerts in a real-time fashion)
• Requirements for collecting and presenting evidence: rules for evidence, admissibility of evidence, quality and completeness of evidence
• Post-incident reviews and follow-up procedures