The CISM Prep Guide: Mastering the Five Domains of Information Security Management

Authors: Ronald L. Krutz and Russell Dean Vines
Pages: 456
Publisher: Wiley
ISBN: 0471455989

Introduction

Certified Information Security Manager (CISM) is a certification developed by the Information Systems Audit and Control Association (ISACA). It confirms that an experienced information security manager knows how to manage an information security system.

The CISM Prep Guide covers the key concepts of each of the five domains it presents. The book aims to prepare the candidate for the CISM exam with text, practice tests, and techniques described by two bestselling authors. By reading it, a candidate gains some knowledge of the five domains of Information Security Management.

About the Authors

Ronald L. Krutz is a Senior Information Security Consultant with the Information Assurance Solutions (IAS) operation of BAE Enterprise Systems. He is also the lead for all Capability Maturity Model (CMM) engagements for IAS, and developed IAS's HIPAA-CMM assessment methodology.

Russell Dean Vines is president and founder of The RDV Group Inc., a New York City-based security consulting services firm. He is the author of Wireless Security Essentials and coauthor of the CISSP Prep Guide, The CISSP Prep Guide, Gold Edition, and the Security+ Prep Guide.

Inside the Book

Information Security Governance is the first chapter of this preparation guide. It introduces basic information and security concepts, covering the CIA (confidentiality, integrity, availability) triad, network security, access control, policies and procedures, and so on. This chapter is a short cookbook of the security-related fields that a certified security manager should know. Every theme is described briefly, and the reader becomes familiar with various security concepts. Anyone who wants to learn a specific concept in depth will need additional reading. As the authors note, this chapter gives a framework for providing assurance aligned with business processes.

Without risk management, a true information security system doesn't exist. Risk is the first thing the security manager must mitigate, avoid, or remove completely. The goal of the second chapter is to define the elements that must be identified and managed. Risk assessment is the first process in the methodology called risk management. This chapter describes that process in plain prose, together with the NIST risk assessment process, but without any example or case study, which would have been very useful for this subject.

Information Security Program Management includes the design, development, and management of an information security program. The aim is to implement the information security governance framework. The main theme here is information security process improvement through development and modeling. The authors cover project management, which is useful if information security program management is understood as one big project. The system development life cycle methodologies are also mentioned, followed by security metrics. Life cycle models describe a structured approach to the development and adjustment processes.

After taking care of information security program management, the next step is to execute it. Chapter four covers acquisition management, service level agreements, contracts, problem management, and third-party service providers as administration processes. Again, there isn't any example, just text explaining what is what. The authors also explain the difference between monitoring and auditing methods, followed by configuration management. The future certified security manager can read about different types of configuration management. The third section of this chapter is dedicated to security review and testing, covering scanning types and vulnerability testing. At the end, readers are presented with material on security awareness, which is very important, as we all know that people are the weakest link in a security chain.

Every security manager must be prepared for security incidents and respond to them in the proper way. Response management is another domain described in this book, in chapter five. It covers three ways of responding to information security events: intrusion detection, business continuity and contingency planning, and forensics. While intrusion detection and forensics are the concrete tasks of monitoring a system or investigating an event, the business contingency plan is a strategy used to minimize the effect of disruptions. A good security manager must know them all. This chapter, unlike the others, includes some practices and examples of response teams.

Every chapter in this book ends with sample questions. This is excellent for those who plan to become certified security managers.

The additional reading comprises three appendixes. Appendix A is a glossary of almost 740 terms and acronyms related to information security. Appendix B reviews the knowledge for each area covered in the book that a CISM candidate should have in order to be prepared for the examination. Appendix C is the real treasure, as it consists of the answers to the sample questions with an explanation of each correct answer.

About the CD-ROM

The content of the CD is a testing engine powered by Boson Software. You install it on your computer and get a quiz made up of the questions presented in every chapter of the book. It's a multiple-choice quiz, easy to use, and certainly recommended for practice.

Final thoughts

This book isn't as comprehensive as it seems to be. It does describe the five domains of information security management, but more as a list of "must know" themes.

"The CISM Prep Guide" is a good framework, and it's good to have if you're preparing for this certification, but you must not rely on it exclusively.
