© 2011 by Taylor & Francis Group, LLC
Introduction
(ISC)²'s information security management certification—the CISSP-ISSMP—is a concentration of the base CISSP certification that focuses on the comprehensive management aspects of enterprise information security programs. While the CISSP certification addresses all aspects of information security, including management issues, the CISSP-ISSMP certification further explores the management side to develop greater detail to meet the needs of high-level (director and C-level) personnel. As a prerequisite for obtaining the CISSP-ISSMP, the CISSP gauges candidates' general understanding of the management aspects involved in implementing an information security program, while the CISSP-ISSMP delves deeper into security risk management, compliance, best practices, and strategies. Obtaining this certification demonstrates competence in the rigorous requirements for information security management.
Security management can be defined as the process of ensuring that the creation and maintenance of the information security structure of an enterprise protects the confidentiality, integrity, and availability of critical and/or sensitive business systems, while also being in compliance with external and internal policies, legislation, and regulations. Thus, the security manager is responsible and qualified to perform the functions necessary to accomplish the security goals of the enterprise. The ISSMP certification is intended to measure and evaluate the ability of an individual to be accredited as a professional in this demanding field.
The CISSP-ISSMP CBK has been developed to encompass all knowledge elements that an individual is required to possess for an information security management role. The CISSP-ISSMP covers five domains: Enterprise Security Management Practices; Enterprise-Wide System Development Security; Overseeing Compliance of Security Operations; Business Continuity Planning, Disaster Recovery Planning, and Continuity of Operations Planning; and Law, Investigation, Forensics, and Ethics.
The topics covered in the Enterprise Security Management Practices domain include:
◾ Enterprise governance (Mission/Goals and Objectives/Culture/Business Processes/Economics and Competitive Environment)
− Security concepts (Availability/Integrity/Confidentiality)
− Data classification (Sensitivity/Criticality/Zones of Control)
− Security framework (Policy/Standards/Guidelines/Procedures/Baselines)
◾ Security roles and responsibilities (Budgeting/Return on Security Investment/Security Program Maturity/Project Management/Ownership)
− Risk management program (Objectives/Risk Analysis/Countermeasures)
− Security agreements (Service Level/Interconnection/Outsourcing)
− Personnel security (Identity Management/Security Awareness Training)
The Enterprise-Wide System Development Security domain covers the following topics:
◾ SDLC security (Project Risk/Security Designed in/Project Element Security)
◾ System testing (Security Element Testing and Documentation/Confidential Test Data/Insider Attacks)
◾ Certification and accreditation (C&A Process Support)
The topics covered in the Overseeing Compliance of Security Operations domain include:
◾ Operations security issues (Backups/Equipment Inventory and Configuration)
◾ Auditing (Preparation/Response/Log Files)
◾ Compliance (Access Control/Policy/Contracts and Agreements/Software Licensing/Record Retention)
◾ Configuration management (Library/Patch/Change Control)
◾ Penetration and vulnerability testing (Botnet Awareness/Outbound Traffic/Web Application Firewalls)
In the Business Continuity Planning, Disaster Recovery Planning, and Continuity of Operations Planning domain, the topics covered include:
◾ BCP and DRP project planning (Steering Committee/Business Drivers/Policy/Scope/Resource Requirements)
◾ Business impact analysis (Threat Analysis/Critical Business Processes/Legal, Regulatory, and Contractual Obligations/Third Party Dependencies/Executive Succession Planning)
◾ Recovery strategies (Recommendations/Insurance/Roles and Responsibilities)
◾ Plan design (Emergency Response/Notification)
The Law, Investigation, Forensics, and Ethics domain covers the following topics:
◾ Information security laws (Licensing/Computer Crime/Intellectual Property/Import and Export Laws/Liability/Privacy Law/Monitoring Employees/Litigation Support)
◾ Elements of investigations (Incident Handling and Response/Evidence Preservation/Digital Forensics/Interviewing and Fact Finding)
◾ Professional ethics
A candidate for the CISSP-ISSMP certification should demonstrate a thorough understanding of the topics listed above, while applying their expertise to successfully manage the information security program for an enterprise.
Hal Tipton