Description
Essential CISM exam study material; download and print it for your own review.
CISM: Certified Information Security Manager. 国际信息安全学习联盟 (International Information Security Learning Alliance)

CISM REVIEW MANUAL 2013

ISACA is pleased to offer the 2013 (11th) edition of the CISM Review Manual. The purpose of this manual is to provide CISM candidates with updated technical information and references to assist in the preparation and study for the Certified Information Security Manager exam.

The CISM job practice can be viewed at www.isaca.org/cismjobpractice and in the Candidate's Guide to the CISM Exam and Certification. The exam is based on the knowledge statements in the job practice, which involved thousands of CISMs and other industry professionals worldwide who served as committee members, focus group participants, subject matter experts and survey respondents.

The CISM Review Manual is updated annually to keep pace with rapid changes in the management, design, oversight and assessment of information security. As with previous manuals, the 2013 edition is the result of contributions from many qualified authorities who have generously volunteered their time and expertise. We respect and appreciate their contributions and hope their efforts provide extensive educational value to CISM manual readers.

Your comments and suggestions regarding this manual are welcome. After taking the exam, please take a moment to complete the online questionnaire (www.isaca.org/studyaidsevaluation). Your observations will be invaluable for the preparation of the 2014 edition of the CISM Review Manual.

The sample questions contained in this manual are designed to depict the type of questions typically found on the CISM exam and to provide further clarity to the content presented in this manual. The CISM exam is a practice-based exam. Simply reading the reference material in this manual will not properly prepare candidates for the exam. The sample questions are included for guidance only. Scoring results do not indicate future individual exam success.

Certification has resulted in a positive impact on many careers. CISM is designed to provide executive management with assurance that those earning the designation have the required knowledge and ability to provide effective information security management and consulting. While the central focus of the CISM certification is information security management, all those in the IT profession with security experience will certainly find value in the CISM designation.

ISACA wishes you success with the CISM exam.

CISM Review Manual 2013. ISACA. All Rights Reserved.

ACKNOWLEDGMENTS

The 2013 edition of the CISM Review Manual is the result of the collective efforts of many volunteers. ISACA members from throughout the global information security management profession participated, generously offering their talent and expertise. This international team exhibited a spirit and selflessness that has become the hallmark of contributors to this manual. Their participation and insight are truly appreciated.

Special thanks go to W. Krag Brotby, CISM, a senior security consultant from the Los Angeles Chapter, USA, who served as technical content project leader and editor.

All of the ISACA members who participated in the review of the CISM Review Manual deserve our thanks and gratitude.

Expert Reviewers
- Shawna Flanders, CISA, CISM, CRISC, ACS, CSSGB, SSBB, PSCU-FS, USA
- Sandeep Godbole, CISA, CISM, CGEIT, CISSP, Syntel, India
- Robert T. Hanson, CISA, CISM, CRISC, Australia
- Foster J. Henderson, CISM, CRISC, CISSP, NSA-IEM, Citizant, USA
- Veryl White, CISA, CISM, CRISC, W.S. Badcock Corporation, USA
- Larry G. Wlosinski, CISA, CISM, CRISC, CAP, CDP, CISSP, ITIL, Booz Allen Hamilton, USA

ISACA has begun planning the 2014 edition of the CISM Review Manual. Volunteer participation drives the success of the manual. If you are interested in becoming a member of the select group of professionals involved in this global project, we want to hear from you. Please email us at studymaterials@isaca.org.
Table of Contents

About This Manual
- Overview
- Organization of This Manual
- Format of This Manual
- About the CISM Review Questions, Answers and Explanations Manual

Chapter 1: Information Security Governance
- Section One: Overview 14
  - 1.1 Introduction 14
    - Definition 14
    - Objectives 14
  - 1.2 Task and Knowledge Statements 14
    - Tasks 14
    - Knowledge Statements 14
    - Relationship of Task to Knowledge Statements 15
    - Knowledge Statement Reference Guide
    - Suggested Resources for Further Study
  - 1.3 Self-assessment Questions 27
    - Questions 27
    - Answers to Self-assessment Questions 28
- Section Two: Content
  - 1.4 Information Security Governance Overview 29
    - 1.4.1 Importance of Information Security Governance 29
    - 1.4.2 Outcomes of Information Security Governance
  - 1.5 Effective Information Security Governance
    - 1.5.1 Business Goals and Objectives
    - 1.5.2 Scope and Charter of Information Security Governance
    - 1.5.3 Roles and Responsibilities of Senior Management 32
      - Boards of Directors/Senior Management
      - Executive Management
      - Steering Committee 33
      - CISO
    - 1.5.4 Information Security Roles and Responsibilities
      - Obtaining Senior Management Commitment 35
      - Establishing Reporting and Communication Channels
    - 1.5.5 Governance, Risk Management and Compliance 35
    - 1.5.6 Business Model for Information Security 37
    - 1.5.7 Assurance Process Integration (Convergence) 39
  - 1.6 Information Security Concepts and Technologies
  - 1.7 Governance and Third-party Relationships 40
  - 1.8 Information Security Governance Metrics
    - 1.8.1 Effective Security Metrics
    - 1.8.2 Governance Implementation Metrics 42
    - 1.8.3 Strategic Alignment Metrics 43
    - 1.8.4 Risk Management Metrics
    - 1.8.5 Value Delivery 43
    - 1.8.6 Resource Management Metrics 43
    - 1.8.7 Performance Measurement
    - 1.8.8 Assurance Process Integration (Convergence)
  - 1.9 Information Security Strategy Overview 44
    - 1.9.1 An Alternate View of Strategy 45
  - 1.10 Developing an Information Security Strategy
    - 1.10.1 Common Pitfalls
  - 1.11 Information Security Strategy Objectives 47
    - 1.11.2 Defining Objectives
      - Business Linkages
    - 1.11.3 The Desired State 49
      - COBIT 49
      - Capability Maturity Model 50
      - Balanced Scorecard 50
      - Architectural Approaches
      - ISO/IEC 27001 and 27002
      - Other Approaches
    - 1.11.4 Risk Objectives 52
  - 1.12 Determining Current State of Security 53
    - 1.12.1 Current Risk
      - Business Impact Analysis/Assessment
  - 1.13 Information Security Strategy Development
    - 1.13.1 Elements of a Strategy
      - Road Map
    - 1.13.2 Strategy Resources and Constraints: Overview
      - Resources
      - Constraints 54
  - 1.14 Strategy Resources
    - 1.14.1 Policies and Standards
      - Policies 55
      - Standards 55
      - Procedures
      - Guidelines
    - 1.14.2 Enterprise Information Security Architecture(s)
      - Alternative Enterprise Architecture Frameworks
    - 1.14.3 Controls
      - IT Controls
      - Non-IT Controls
      - Countermeasures
      - Layered Defenses
    - 1.14.4 Technologies
    - 1.14.5 Personnel
    - 1.14.6 Organizational Structure
      - Centralized and Decentralized Approaches to Coordinating Information Security
    - 1.14.7 Employee Roles and Responsibilities 60
    - 1.14.8 Skills 60
    - 1.14.9 Awareness and Education 60
    - 1.14.10 Audits 61
    - 1.14.11 Compliance Enforcement 61
    - 1.14.12 Threat Assessment 61
    - 1.14.13 Vulnerability Assessment
    - 1.14.14 Risk Assessment and Management 62
    - 1.14.15 Insurance
    - 1.14.16 Business Impact Assessment
    - 1.14.17 Resource Dependency Analysis
    - 1.14.18 Outsourced Services
    - 1.14.19 Other Organizational Support and Assurance Providers
  - 1.15 Strategy Constraints 63
    - 1.15.1 Legal and Regulatory Requirements
      - Requirements for Content and Retention of Business Records
      - E-discovery 63
    - 1.15.2 Physical 63
    - 1.15.3 Ethics 63
    - 1.15.4 Culture 63
    - 1.15.5 Organizational Structure
    - 1.15.6 Costs
    - 1.15.7 Personnel
    - 1.15.8 Resources
    - 1.15.9 Capabilities
    - 1.15.10 Time
    - 1.15.11 Risk Acceptance and Tolerance
  - 1.16 Action Plan to Implement Strategy
    - 1.16.1 Gap Analysis: Basis for an Action Plan 64
    - 1.16.2 Policy Development
    - 1.16.3 Standards Development
    - 1.16.4 Training and Awareness
    - 1.16.5 Action Plan Metrics
      - Key Goal Indicators
      - Critical Success Factors 66
      - Key Performance Indicators 66
      - General Metrics Considerations
  - 1.17 Implementing Security Governance: Example 67
    - 1.17.1 Additional Policy Samples
  - 1.18 Action Plan Intermediate Goals 69
  - 1.19 Information Security Program Objectives 70
  - 1.20 Case Study 70

Chapter 2: Information Risk Management and Compliance 73
- Section One: Overview 74
  - 2.1 Introduction 74
    - Definition
    - Objectives 74
  - 2.2 Task and Knowledge Statements 74
    - Tasks 74
    - Knowledge Statements 74
    - Relationship of Task to Knowledge Statements 75
    - Knowledge Statement Reference Guide 76
    - Suggested Resources for Further Study 85
  - 2.3 Self-assessment Questions
    - Questions
    - Answers to Self-assessment Questions
- Section Two: Content 89
  - 2.4 Risk Management Overview 89
    - 2.4.1 The Importance of Risk Management
    - 2.4.2 Outcomes of Risk Management 90
  - 2.5 Risk Management Strategy 90
    - 2.5.1 Risk Communication, Risk Awareness and Consulting 91
  - 2.6 Effective Information Security Risk Management 91
    - 2.6.1 Developing a Risk Management Program
      - Establish Context and Purpose 91
      - Define Scope and Charter
      - Asset Identification, Classification and Ownership
      - Determine Objectives
      - Determine Methodologies
      - Designate Program Development Team
    - 2.6.2 Roles and Responsibilities
      - Roles 92
  - 2.7 Information Security Risk Management Concepts
    - 2.7.1 Concepts
    - 2.7.2 Technologies
  - 2.8 Implementing Risk Management 93
    - 2.8.1 Risk Management Process
    - 2.8.2 Defining a Risk Management Framework
    - 2.8.3 Defining the External Environment 96
    - 2.8.4 Defining the Internal Environment 96
    - 2.8.5 Determining the Risk Management Context 96
    - 2.8.6 Gap Analysis 97
    - 2.8.7 Other Organizational Support 97
  - 2.9 Risk Assessment and Analysis Methodologies 97
  - 2.10 Risk Assessment 97
    - 2.10.1 NIST Risk Assessment Methodology 98
    - 2.10.2 Aggregated and Cascading Risk 99
    - 2.10.3 Other Risk Assessment Approaches 100
      - Factor Analysis of Information Risk
      - Risk Factor Analysis 101
      - Probabilistic Risk Assessment 101
    - 2.10.4 Identification of Risk 102
    - 2.10.5 Threats 103
    - 2.10.6 Vulnerabilities
    - 2.10.7 Risk 104
    - 2.10.8 Analysis of Relevant Risk
      - Qualitative Analysis 106
      - Semiquantitative Analysis 106
      - Example of a Semiquantitative Analysis 107
      - Quantitative Analysis 107
      - Annual Loss Expectancy 108
      - Value at Risk 108
    - 2.10.9 Evaluation of Risk 108
    - 2.10.10 Risk Treatment Options 108
      - Terminate the Activity 109
      - Transfer the Risk 109
      - Mitigate the Risk 109
      - Tolerate/Accept the Risk
      - Risk Acceptance Framework 109
    - 2.10.11 Impact 109
    - 2.10.12 Legal and Regulatory Requirements 110
    - 2.10.13 Residual Risk
    - 2.10.14 Costs and Benefits 110
    - 2.10.15 Risk Reassessment of Events Affecting Security Baselines 111
  - 2.11 Information Resource Valuation
    - 2.11.1 Information Resource Valuation Strategies 112
    - 2.11.2 Information Resource Valuation Methodologies
    - 2.11.3 Information Asset Classification 113
      - Methods to Determine Criticality of Resources and Impact of Adverse Events 113
    - 2.11.4 Impact Assessment and Analysis
  - 2.12 Recovery Time Objectives 117
    - 2.12.1 RTO and Its Relation to Business Continuity Planning and Contingency Planning Objectives and Processes 117
    - 2.12.2 Recovery Point Objectives 117
    - 2.12.3 Service Delivery Objectives 118
    - 2.12.4 Third-party Service Providers 118
  - 2.13 Integration With Life Cycle Processes 119
    - 2.13.1 Risk Management for IT System Development Life Cycle 120
    - 2.13.2 Life Cycle-based Risk Management Principles and Practices 120
  - 2.14 Security Control Baselines 120
  - 2.15 Risk Monitoring and Communication 122
    - 2.15.1 Risk Monitoring 122
    - 2.15.2 Reporting Significant Changes in Risk 123
  - 2.16 Training and Awareness
  - 2.17 Documentation 123

Chapter 3: Information Security Program Development and Management 125
- Section One: Overview 126
  - 3.1 Introduction 126
    - Definition 126
    - Objectives 126
  - 3.2 Task and Knowledge Statements 126
    - Tasks
    - Knowledge Statements
    - Relationship of Task to Knowledge Statements
    - Knowledge Statement Reference Guide 128
    - Suggested Resources for Further Study 138
  - 3.3 Self-assessment Questions 138
    - Questions 138
    - Answers to Self-assessment Questions 140
- Section Two: Content 141
  - 3.4 Information Security Program Management Overview 141
    - Information Security Management Trends
    - Essential Elements of an Information Security Program
    - 3.4.1 Importance of the Information Security Program
    - 3.4.2 Outcomes of Information Security Program Management 142
      - Strategic Alignment
      - Risk Management
      - Value Delivery
      - Resource Management
      - Assurance Process Integration
      - Performance Measurement
  - 3.5 Information Security Program Objectives
    - 3.5.1 Defining Objectives 145
  - 3.6 Information Security Program Concepts 145
    - 3.6.1 Concepts 145
    - 3.6.2 Technology Resources 146
  - 3.7 Scope and Charter of an Information Security Program 146
  - 3.8 The Information Security Management Framework 148
    - 3.8.1 COBIT 5 148
      - COBIT 5 for Information Security 149
    - 3.8.2 ISO/IEC 27001
  - 3.9 Information Security Framework Components 150
    - 3.9.1 Operational Components 150
    - 3.9.2 Management Components 150
    - 3.9.3 Administrative Components 151
    - 3.9.4 Educational and Informational Components 151
  - 3.10 Defining an Information Security Program Road Map 152
    - 3.10.1 Elements of a Road Map 152
    - 3.10.2 Developing an Information Security Program Road Map
    - 3.10.3 Gap Analysis: Basis for an Action Plan
  - 3.11 Information Security Infrastructure and Architecture
    - 3.11.1 Enterprise Information Security Architecture
    - 3.11.2 Objectives of Information Security Architectures 154
      - Providing a Framework and Road Map 154
      - Simplicity and Clarity Through Layering and Modularization 155
      - Business Focus Beyond the Technical Domain 155
      - Architecture and Control Objectives 155
  - 3.12 Architecture Implementation 155
    - SABSA Framework for Security Service Management
  - 3.13 Security Program Management and Administrative Activities 156
    - Program Administration 158
    - 3.13.1 Personnel, Roles and Responsibilities, and Skills 158
      - Roles 159
      - Skills 159
    - 3.13.2 Security Awareness, Training and Education 159
    - 3.13.3 Documentation 160
      - Document Maintenance
    - 3.13.4 Program Development and Project Management 161
    - 3.13.5 Risk Management 162
      - Risk Management Responsibilities 162
    - 3.13.6 Business Case Development 162
      - Business Case Evaluation 162
      - Business Case Objectives 162
    - 3.13.7 Program Budgeting 163
      - Elements of an Information Security Program Budget 163
    - 3.13.8 General Rules of Use/Acceptable Use Policy 163
    - 3.13.9 Information Security Problem Management Practices 163
    - 3.13.10 Vendor Management
    - 3.13.11 Program Management Evaluation 164
      - Program Objectives
      - Compliance Requirements
      - Program Management 164
      - Security Operations Management 165
      - Technical Security Management 165
      - Resource Levels 165
    - 3.13.12 Plan-Do-Check-Act 166
    - 3.13.13 Legal and Regulatory Requirements 166
    - 3.13.14 Physical and Environmental Factors 166
    - 3.13.15 Ethics 168
    - 3.13.16 Culture and Regional Variances 168
    - 3.13.17 Logistics 168
  - 3.14 Security Program Services and Operational Activities 168
    - 3.14.1 Information Security Liaison Responsibilities 168
      - Physical/Corporate Security
      - IT Audit 168
      - Information Technology Unit 168
      - Business Unit Managers 169
      - Human Resources 169
      - Legal Department
      - Employees 169
      - Procurement 169
      - Compliance 170
      - Privacy 170
      - Training 170
      - Quality Assurance 170