© 2011 by Taylor & Francis Group, LLC
Introduction
(ISC)²'s information security management certification—the CISSP-ISSMP—is a concentration of the base CISSP certification that focuses on the comprehensive management aspects of enterprise information security programs. While the CISSP certification addresses all aspects of information security, including management issues, the CISSP-ISSMP certification further explores the management side to develop greater detail to meet the needs of high-level (director and C-level) personnel. As a prerequisite for obtaining the CISSP-ISSMP, the CISSP gauges candidates' general understanding of the management aspects involved in implementing an information security program, while the CISSP-ISSMP delves deeper into security risk management, compliance, best practices, and strategies. Obtaining this certification demonstrates competence in the rigorous requirements for information security management.
Security management can be defined as the process of ensuring that the creation and maintenance of the information security structure of an enterprise protects the confidentiality, integrity, and availability of critical and/or sensitive business systems, while also being in compliance with external and internal policies, legislation, and regulations. Thus, the security manager is responsible and qualified to perform the functions necessary to accomplish the security goals of the enterprise. The ISSMP certification is intended to measure and evaluate the ability of an individual to be accredited as a professional in this demanding field.
The CISSP-ISSMP CBK has been developed to encompass all knowledge elements that an individual is required to possess for an information security management role. The CISSP-ISSMP covers five domains: Enterprise Security Management Practices; Enterprise-Wide System Development Security; Overseeing Compliance of Security Operations; Business Continuity Planning, Disaster Recovery Planning, and Continuity of Operations Planning; and Law, Investigation, Forensics, and Ethics.
The topics covered in the Enterprise Security Management Practices domain include:
Enterprise governance (Mission/Goals and Objectives/Culture/Business Processes/Economics and Competitive Environment)
Security concepts (Availability/Integrity/Confidentiality)
Data classification (Sensitivity/Criticality/Zones of Control)
Security framework (Policy/Standards/Guidelines/Procedures/Baselines)
Security roles and responsibilities (Budgeting/Return on Security Investment/Security Program Maturity/Project Management/Ownership)
Risk management program (Objectives/Risk Analysis/Countermeasures)
Security agreements (Service Level/Interconnection/Outsourcing)
Personnel security (Identity Management/Security Awareness Training)
The Enterprise-Wide System Development Security domain covers the following topics:
SDLC security (Project Risk/Security Designed in/Project Element Security)
System testing (Security Element Testing and Documentation/Confidential Test Data/Insider Attacks)
Certification and accreditation (C&A Process Support)
The topics covered in the Overseeing Compliance of Security Operations domain include:
Operations security issues (Backups/Equipment Inventory and Configuration)
Auditing (Preparation/Response/Log Files)
Compliance (Access Control/Policy/Contracts and Agreements/Software Licensing/Record Retention)
Configuration management (Library/Patch/Change Control)
Penetration and vulnerability testing (Botnet Awareness/Outbound Traffic/Web Application Firewalls)
In the Business Continuity Planning, Disaster Recovery Planning, and Continuity of Operations Planning domain, the topics covered include:
BCP and DRP project planning (Steering Committee/Business Drivers/Policy/Scope/Resource Requirements)
Business impact analysis (Threat Analysis/Critical Business Processes/Legal, Regulatory, and Contractual Obligations/Third Party Dependencies/Executive Succession Planning)
Recovery strategies (Recommendations/Insurance/Roles and Responsibilities)
Plan design (Emergency Response/Notification)
The Law, Investigation, Forensics, and Ethics domain covers the following topics:
Information security laws (Licensing/Computer Crime/Intellectual Property/Import and Export Laws/Liability/Privacy Law/Monitoring Employees/Litigation Support)
Elements of investigations (Incident Handling and Response/Evidence Preservation/Digital Forensics/Interviewing and Fact Finding)
Professional ethics
A candidate for the CISSP-ISSMP certification should demonstrate a thorough understanding of the topics listed above, while applying their expertise to successfully manage the information security program for an enterprise.
Hal Tipton