CISM Study Guide and 175 Practice Questions

Contents updated on 19 June, 2009.

According to ISACA, the Certified Information Security Manager certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. It is especially for the individual who manages, designs, oversees and/or assesses an enterprise’s information security.

The CISM focuses more on IS security risk management and tends to be sought after by both CISA and CISSP certification communities. ISACA deliberately created the CISM to help foster a better fusion between IT Audit and Information Security perspectives. To earn the Certified Information Systems Manager (CISM) designation, you need to pass a multiple choices exam which covers the following content areas:

1. Information Security Governance
2. Information Risk Management
3. Information Security Program Development
4. Information Security Program Management
5. Incident Management and Response

Success factors in the CISM exam = 40% TECHNOLOGY + 60% BUSINESS PRACTICE. We are not talking about the percentage of questions here. We are talking about the success factor - the technology questions are easy to answer because they are mostly based on factual information. The business practice questions are different - different answers work best in different scenarios under different conditions.

Table of contents

EXAM FORMAT
ABOUT THIS BOOK
EXAM TOPICS
EXAM REGISTRATION CONTACTS
STUDY PSYCHOLOGY & EXAM TACTICS
KEY EXAM STRATEGIES
STRATEGY ONE: KEYWORD OR KEY PHRASE MATCHING.
STRATEGY TWO: CHOICES GROUPING.
STRATEGY THREE: THINK TRICKY.

SECURITY THEORIES
THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM
DEFENSE IN DEPTH
VULNERABILITIES
SECURITY MEASURES
STANDARDS AND GUIDELINES
THE SARBANES–OXLEY ACT AND THE COSO FRAMEWORK

INFORMATION SECURITY MANAGEMENT AND GOVERNANCE
IS MANAGEMENT ACTIVITIES
INFORMATION MANAGEMENT POLICY
ORGANIZATIONAL STRUCTURE AND SUPPORT
THE ROLE OF THE INFORMATION SECURITY MANAGER
IS CONTROL CLASSIFICATION
DEVISING YOUR OWN CLASSIFICATION SCHEME
ACCESS CONTROL MODELS
ACLS VERSUS CAPABILITIES
WHAT IS ORANGE BOOK, BY THE WAY?
TYPES OF ACCESS CONTROL
THE AAA CONCEPT
PRACTICAL ACCESS CONTROL MEASURES
ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING
IS GOVERNANCE GUIDANCE
BASIC OUTCOMES OF IS GOVERNANCE
IT STRATEGIC PLANNING
IT STRATEGIC PLANNING DEFINED
PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY
INFORMATION ASSETS DEFINED
DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES
HANDLING CLASSIFIED MATERIAL
SECURITY POLICY
SECURITY MODELS AND MODES OF OPERATIONS
EXAMPLE POLICY
EFFECTIVE SECURITY MANAGEMENT PRACTICES AND HR
OWNERSHIP & RESPONSIBILITY
CONSEQUENCES OF VIOLATIONS
EVALUATION
SECURITY AWARENESS TRAINING
CHANGE CONTROL
RISK MANAGEMENT, BCP, BIA AND RESPONSE MANAGEMENT
RISK MANAGEMENT DEFINED
THE RISK MANAGEMENT STEPS
RISK MANAGEMENT AND THE IS MANAGER
BCP DEFINED
BCP VS BPCP VS DRP
BCP PHASES
STAKEHOLDERS AND CRISIS COMMUNICATIONS
THE RISK ASSESSMENT FLOW
RISK VS THREAT AND VULNERABILITY
IDENTIFYING RISKS
LOSS CALCULATIONS
BUSINESS IMPACT ANALYSIS DEFINED
BIA GOALS AND STEPS
BIA CHECKLIST
PREPARING FOR EMERGENCY RESPONSE
RESPONDING TO INCIDENTS AND MANAGING RECOVERY
TESTING THE PLAN
USER ACCEPTANCE
PLAN MAINTENANCE
INCIDENT HANDLING
IS PROGRAM MANAGEMENT, PROJECT MANAGEMENT AND CHANGE MANAGEMENT
INFORMATION SECURITY PLAN
INFORMATION SECURITY BASELINES
PROJECT MANAGEMENT DEFINED
CHANGE MANAGEMENT DEFINED
CHANGE MANAGEMENT STRATEGIES
CHANGE MANAGEMENT VS CHANGE CONTROL
CONFIGURATION MANAGEMENT
GENERAL GUIDELINES
SYSTEM CHANGE CONTROL
SOFTWARE DEVELOPMENT PROCESSES AND MODELS

SPECIAL TOPIC COVERAGE
Information Security Program Development and Management, with coverage on:

EISP

ISSP

SysSP

Combination SysSP

ISPME

IT Operations Management
Information Security Program and Policy Development
Policy and Program Management
Vulnerability & Patch Management
Data Storage Strategy
Environmental Controls
Imaging Technologies
ERP Security
Incident Response, with coverage on the different kinds of IRT.
Concealing hard disk data.

Baseline policy and guidelines
Planning and scoping of the assessment of risk
Methodologies for proper assessment of risk
Special notes on penetration testing
Internet Security
Firewall security
Virus security
Web server security
Name resolution security
Mail server security
RAS server security
Proxy server security
Authentication server security

Physical Site Management
Equipment and Media Management
Emergency Response
ERT Formation
ER Planning and Preparation
Coverage, goal and scope
Emergency priorities
Emergency Reporting Procedure
Emergency Escalation Procedure
Incident Monitoring

Forensic Processing
Software Testing

TECHNICAL READINGS

SECTION 1: TOPICS ON SECURITY THEORY

SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING

SECTION 3: TOPICS ON ENCRYPTION AND VPN

SECTION 4: TOPICS ON RESPONDING TO ATTACKS

SECTION 5: TOPICS ON VIRUSES

EXCELLENT PUBLIC RESOURCES
120 Technical Drill Practice Questions
55 Program and Policy Drill Questions
Basic Networking Technotes
Appendix updated 8 Dec 08 covering:
CMM AND CMMI
ESCROWED ENCRYPTION STANDARD (EES)
OBJECT ORIENTED DESIGN
COMPUTER FORENSICS
INCIDENT RESPONSE (IR)
HIPAA
PLATFORM FOR PRIVACY PREFERENCES PROJECT (P3P)
OECD GUIDELINES
CEI’S COMMANDMENTS OF ETHICS
THE INFOSEC ASSESSMENT METHODOLOGY (IAM)
COVERT CHANNEL ANALYSIS
COMMON CRITERIA (CC)
PHYSICAL AND ENVIRONMENTAL SECURITY
INFORMATION RETENTION & DISPOSAL PROCEDURES
BALANCED SCORECARD
BUSINESS PROCESS REENGINEERING
INTERNAL PREVENTIVE CONTROLS VERSUS COMPENSATING CONTROLS
SOFTWARE DEVELOPMENT APPROACHES: THE PROS & CONS
EMERGING PROCESSOR TECHNOLOGIES
EMERGING WIRELESS SECURITY STANDARDS
IM SECURITY
VOIP
HR AND SECURITY

Now comes with Practice Questions to drill you in key security technology and policy concepts!!!
The Technical Drill Practice Test Module is designed for reinforcing learning objectives and validating knowledge so you know you're prepared to answer even the toughest technical questions on the CISM certification exam. You will find this module to be a challenging and effective tool that will help you learn how to recognize IS security threats and recommend proper security solutions.

ExamREVIEW is an independent content developer not associated/affiliated with the certification vendor mentioned on this web page and throughout this web site. The certification exam described is the trademark of the corresponding certification vendor.

We at ExamREVIEW develop study material entirely on our own. Our material is fully copyrighted. Braindump is strictly prohibited. We provide essential knowledge contents, NOT any generalized "study system" kind of "pick-the-right-answer-every time" techniques or "visit this link" referrals.

You may choose products based on their purposes and/or nature:

Ready-to-go: the product will get you sufficiently prepared for the exam assuming you have reasonable background in the corresponding field.	Filling-the-gaps: the product is written to secure exam clearance through filling up exam-specific gaps found in the mainstream study material.	Essential Reference: the product provides coverage on selected essential topic(s) given BOK of a massive scale.	Focused revision: highly focused study notes covering key exam topics.
	Our printed books are distributed primarily through CREATESPACE AMAZON. Page size is 8" x 10", grayscale printing, with font sizing ranging from 10 to 14 (Garamond).		Our electronic study products are in PDF format. Full color printing, with font sizing ranging from 10 to 14 (Garamond).
Shipment is through		To view this web site properly, your browser needs to support Javascript. Click HERE to find out.

Exam Index Quick Support Subscribe Terms of Use Contact Us