CISM Introduction
Information Security
Business Goals, Objectives, and Functions
Business Goals and Information Security
Information Security Threats
Information Security Management
Identity Management
Data Protection
Network Security
Personnel Security
Facility Security
Security Compliance and Standards
Information Security Strategy
Inputs and Outputs of the Informtion Security Strategy
Processes in an Information Security Strategy
People in an Information Security Strategy
Technologies in an Indormation Security Strategy
Logical and Physical Information Security Strategy Architectures
Information Security and Business Functions
Information Security Policies and Enterprise Objectives
International Standards for the Security Management
ISO/IEC 27000 Standards
International Info Government Standards
Information Security Government Standards in the United States
Methods of Coordinating Information Security Activites
How to Develop an Information Security Strategy
Information Security Governance
Role of the Security in Governance
Scope of Information Security Governance
Charter of Information Security Governance
Information Security Governance and Enterprise Governance
How to Align Information Security Strategy with Corporate Governance
Regulatory Requirements and Information Security
Business Impact of Regulatory Requirements
Liability Management
Liability Management Strategies
How to Identify Legal and Regulatory Requirements
Business Case Development
Budgetary Reporting Methods
Budgetary Planning Strategy
How to Justify Investment in Info Security
Organizational Drivers
Impact of Drivers on Info Security
Third Party Relationships
How to Identify Drivers Affecting the Organization
Purpose of Obtaining Commitment to Info Security
Methods for Obtaining Commitment
ISSG
ISSG Roles and Responsibilities
ISSG Operation
How to Obtain Senior Management's Commitment to Info Security
Info Security Management Roles and Responsibilities
How to Define Roles and Responsibilities for Info Security
The Need for Reporting and Communicating
Methods for Reporting in an Organization
Methods of Communication in an Organization
How to Establish Reporting and Communicating Channels

 Risk
Risk Assessment
Info Threat Types
Info Vulnerabilities
Common Points of Exposure
Info Security Controls
Types of Info Security Controls
Common Info Security Countermeasures
Overview of the Risk Assessment Process
Factors Used in Risk Assessment and Analysis
Risk Assessment Methodologies
Quantitative Risk Assessment - Part 1
Quantitative Risk Assessment - Part 2
Qualitative Risk Assessment
Hybrid Risk Assessment
Best Practices for Info Security Management
Gap Analysis
How to Implement an Info Risk Assessment Process
Info Classification Schemas
Components of Info Classification Schemas
Info Ownership Schemas
Components of Info Ownership Schemas
Info Resource Valuation
Valuation Methodologies
How to Determine Info Asset Classification and Ownership
Baseline Modeling
Control Requirements
Baseline Modeling and Risk Based Assessment of Control Requirements
How to Conduct Ongoing Threat and Vulnerability Evaluations
BIA's
BIA Methods
Factors for Determining Info Resource Sensitivity and Critically
Impact of Adverse Events
How to Conduct Periodic BIA's
Methods for Measuring Effectiveness of Controls and Countermeasures
Risk Mitigation
Risk Mitigation Strategies
Effect of Implementing Risk Mitigation Strategies
Acceptable Levels of Risk
Cost Benefit Analysis
How to Identify and Evaluate Risk Mitigation Strategies
Life Cycle Processes
Life Cycle-Based Risk Management
Risk Management Life Cycle
Business Life Cycle Processes Affected by Risk Management
Life Cycled-Based Risk Management Principles and Practices
How to Integrate Risk Management Into Business Life Cycle Processes
Significant Changes
Risk Management Process
Risk Reporting Methods
Components of Risk Reports
How to Report Changes in Info Risk

 Info Security Strategies
Common Info Security Strategies
Info Security Implementation Plans
Conversation of Strategies Into Implementation Plans
Info Security Programs
Info Security Program Maintenance
Methods for Maintaining an Info Security Program
Succession Planning
Allocation of Jobs
Program Documentation
How to Develop Plans to Implement an Info Security Strategy
Security Technologies and Controls
Cryptographic Techniques
Symmetric Cryptography
Public Key Cryptography
Hashes
Access Control
Access Control Categories
Physical Access Controls
Technical Access Controls
Administrative Access Controls
Monitoring Tools
IDS's
Anti-Virus Systems
Policy-Compliance Systems
Common Activities Required in Info Security Programs
Prerequisites for Implementing the Program
Implementation Plan Management
Types of Security Controls
Info Security Controls Development
How to Specify info Security Program Activities
Business Assurance Function
Common Business Assurance Functions
Methods for Aligning info Security Programs with Business Assurance Functions
How to Coordinate Info Security Programs with Business Assurance Functions
SLA's
Internal Resources
External Resources
Services Provided by External Resources - Part 1
Services Provided by External Resources - Part 2
Skills Commonly Required for Info Security Program Implementation
Dentification of Resources and Skills Required for a Particular Implementation
Resource Acquisition Methods
Skills Acquisition Methods
How to Identify Resources Needed for Info Security Program Implementation
Info Security Architectures
The SABSA Model for Security Architecture
Deployment Considerations
Deployment of Info Security Architectures
How to Develop Info Security Architecture
Info Security Policies
Components of Info Security Policies
Info Security Policies and the Info Security Strategy
Info Security Policies and Enterprise Business Objectives
Info Security Policy Development Factors
Methods for Communicating Info Security Policies
Info Security Policy Maintenance
How to Develop Info Security Policies
Info Security Awareness Program, Training Programs, and Education Programs
Security Awareness, Training, and Education Gap Analysis
Methods for Closing the Security Awareness, Training, and Education Gaps
Security-Based Cultures and Behaviors
Methods for Establishing and Maintaining a Security-Based Culture in the Enterprise
How to Develop Info Security Awareness, Training, and Education Programs
Supporting Documentation for Info Security Policies
Standards, Procedures, Guidelines, and Baselines
Codes of Conduct
NDA's
Methods for Developing Supporting Documentation
Methods for Implementing Supporting Documentation and for Communicating Supporting Documentation
Methods for Maintaining Supporting Documentation
C and A
C and A Programs
How to Develop Supporting Documentation for Info Security Policies

Enterprise Business Objectives
Integrating Enterprise Business Objectives & Info Security Policies
Organizational Processes
Change Control
Merges & Acquisitions
Organizational Processes & Info Security Policies
Methods for Integrating Info Security Policies & Organizational Processes
Life Cycle Methodologies
Types of Life Cycle Methodologies
How to Integrate Info Security Requirements Into Organizational Processes
Types of Contracts Affected by Info Security Programs
Joint Ventures
Outsourced Provides & Info Security
Business Partners & Info Security
Customers & Info Security
Third Party & Info Security
Risk Management
Risk Management Methods & Techniques for Third Parties
SLA's & Info Security
Contracts & Info Security
Due Diligence & Info Security
Suppliers & Info Security
Subcontractors & Info Security
How to Integrate Info Security Controls Into Contracts
Info Security Metrics
Types of Metrics Commonly Used for Info Security
Metric Design, Development & Implementation
Goals of Evaluating Info Security Controls
Methods of Evaluating Info Security Controls
Vulnerability Testing
Types of Vulnerability Testing
Effects of Vulnerability Assessment & Testing
Vulnerability Correction
Commercial Assessment Tools
Goals of Tracking Info Security Awareness, Training, & Education Programs
Methods for Tracking Info Security Awareness, Training, & Education Programs
Evaluation of Training Effectiveness & Relevance
How to Create Info Security Program Evaluation Metrics

 Management Metrics
Types of Management Metrics
Data Collection
Periodic Reviews
Monitoring Approaches
KPI's
Types of Measurements
Other Measurements
Info Security Reviews
The Role of Assurance Providers
Comparing Internal and External Assurance Providers
Line Management Technique
Budgeting
Staff Management
Facilities
How to Manage Info Security Program Resources
Security Policies
Security Policy Components
Implementation of Info Security Policies
Administrative Processes and Procedures
Access Control Types
ACM
Access Security Policy Principles
Identity Management and Compliance
Authentication Factors
Remote Access
User Registration
Procurement
How to Enforce Policy and Standards Compliance
Types of Third Party Relationships
Methods for Managing Info Security Regarding Third Parties
Security Service Providers
Third Party Contract Provisions
Methods to Define Security Requirements in SLA's, Security Provisions and SLA's, and Methods to Monitor Security
How to Enforce Contractual Info Security Controls
SDLC
Code Development
Common Techniques for Security Enforcement
How to Enforce Info Security During Systems Development
Maintenance
Methods of Monitoring Security Activities
Impact of Change and Configuration Management Activities
How to Maintain Info Security Within an Organization
Due Diligence Activities
Types of Due Diligence Activities
Reviews of Info Access
Standards of Managing and Controlling Info Access
How to Provide Info Security Advice and Guidance
Info Security Awareness
Types of Info Security Stakeholders
Methods of Stakeholder Education
Security Stakeholder Education Process
How to Provide Info Security Awareness and Training
Methods of Testing the Effectiveness of Info Security Control
The Penetration Testing Process
Types of Penetration Testing
Password Cracking
Social Engineering Attacks
Social Engineering Types
External Vulnerability Reporting Sources
Regulatory Reporting Requirements
Internal Reporting Requirements
How to Analyze the Effectiveness of Info Security Controls
Noncompliance Issues
Security Baselines
Events Affecting the Security Baseline
Info Security Problem Management Process
How to Resolve Noncompliance Issues

Incident Response Capability
Components of Incident Response
BCP
BIA Phase
Coop
DRP
Alternate Sites
Develop a BCP
Develop a DRP
MTD
RPO
RTO
Data Backup Strategies
Data Backup Types
Data Restoration Strategies
Info Incident Management Practices
IRP
Trigger Events and Types of Trigger Events
Methods of Containing Damage
How to Develop an IRP
Escalation Process
Notification Process
IRT
Crisis Communication
How to Establish an Escalation Process
Internal Reporting Requirements
External Reporting Requirements
Communication Process
How to Develop a Communication Process
IRP and DRP
IRP and BCP
Methods of Identifying Business Resources Essential to Recovery
How to Integrate an IRP
Role of Primary IRT Members and Role of Additional IRT Members
Response Team Tools and Equipment
How to Develop IRT's
BCP testing
Disaster Recovery Testing
Schedule Disaster Recovery Testing
Refine IRP
How to Test an IRP
Damage Assessment
Business Impacts Cause by Security Incidents
How to Manage Responses to Info Security Incidents
Computer and Digital Forensics
Forensic Requirements for Responding to Info Security Incidents
Evidence Life Cycle
Evidence Collection
Evidence Types
Five Common Rules of Evidence
Chain of Custody
How to Investigate an Info Security Incident
PIR Methods
Security Incident Review Process
Investigate Cause of a Security Incident
Identify Corrective Actions
Reassess Security Risks After a Security Incident
How to Conduct a Post-Incident Review
Outro - Pre Test/Test Strategy
Post Test