The CISM™ Prep Guide: Mastering the Five Domains of Information Security Management

Book Description

  • Prepares readers for the Certified Information Security Manager (CISM) exam, ISACA's new certification that launches in June 2003

  • CISM is business-oriented and intended for the individual who must manage, design, oversee, and assess an enterprise's information security

  • Essential reading for those who are cramming for this new test and need an authoritative study guide

  • Many out-of-work IT professionals are seeking security management certification as a vehicle to re-employment

  • CD-ROM includes a Boson-powered test engine with all the questions and answers from the book

Table of Contents

  1. Copyright
  2. Acknowledgments
  3. Introduction
    1. Certification Requirements
    2. The Prep Guide Approach
    3. Approach and Hints
  4. About the Authors
  5. 1. Information Security Governance
    1. 1.1. Basic Information Security Concepts
      1. 1.1.1. Confidentiality, Integrity, and Availability
      2. 1.1.2. Information Classification
        1. 1.1.2.1. Classification Criteria
        2. 1.1.2.2. Distributing Classified Information
        3. 1.1.2.3. Classification Roles
          1. 1.1.2.3.1. Owner
          2. 1.1.2.3.2. Custodian
          3. 1.1.2.3.3. User
      3. 1.1.3. Network Security
        1. 1.1.3.1. Network Address Translation (NAT)
        2. 1.1.3.2. Virtual Private Networking (VPN)
        3. 1.1.3.3. Firewalls
          1. 1.1.3.3.1. Bastion Host
        4. 1.1.3.4. VLANs
      4. 1.1.4. Access Control
        1. 1.1.4.1. Controls
        2. 1.1.4.2. Authentication
          1. 1.1.4.2.1. Passwords
          2. 1.1.4.2.2. Static Password Tokens
          3. 1.1.4.2.3. Synchronous Dynamic Password Tokens
          4. 1.1.4.2.4. Asynchronous Dynamic Password Tokens
          5. 1.1.4.2.5. Challenge-Response Tokens
        3. 1.1.4.3. Multifactor Authentication
        4. 1.1.4.4. The Access Matrix
        5. 1.1.4.5. Access Control Models
      5. 1.1.5. Security Architecture and Technologies
        1. 1.1.5.1. Single Sign-On (SSO)
          1. 1.1.5.1.1. Kerberos
          2. 1.1.5.1.2. Kerberos Client-TGS Server Initial Exchange
          3. 1.1.5.1.3. Kerberos Client to TGS Server Request for Service
          4. 1.1.5.1.4. Kerberos TGS Server to Client Issuing of Ticket for Service
          5. 1.1.5.1.5. Kerberos Client to Server Authentication Exchange and Providing of Service
        2. 1.1.5.2. DAC/MAC/RBAC
          1. 1.1.5.2.1. Discretionary Access Control
          2. 1.1.5.2.2. Mandatory Access Control
          3. 1.1.5.2.3. Role-Based Access Control (RBAC)
        3. 1.1.5.3. Cryptographic Techniques
          1. 1.1.5.3.1. Symmetric Key Cryptography
          2. 1.1.5.3.2. Asymmetric Key Cryptography
          3. 1.1.5.3.3. Digital Certificates
          4. 1.1.5.3.4. Key Management and Control
          5. 1.1.5.3.5. Cryptographic Attacks
          6. 1.1.5.3.6. Steganography
        4. 1.1.5.4. Digital Signatures
    2. 1.2. Roles and Responsibilities
      1. 1.2.1. Policies and Procedures
        1. 1.2.1.1. Policy Statements
          1. 1.2.1.1.1. Senior Management Statement of Policy
          2. 1.2.1.1.2. Regulatory Policy
          3. 1.2.1.1.3. Advisory Policy
          4. 1.2.1.1.4. Informative Policy
          5. 1.2.1.1.5. System Security Policy
          6. 1.2.1.1.6. Password Management Policy
          7. 1.2.1.1.7. Disposal/Destruction Policy
          8. 1.2.1.1.8. Human Resources Policy
        2. 1.2.1.2. Standards, Guidelines, and Procedures
        3. 1.2.1.3. Administrative Policy Controls
          1. 1.2.1.3.1. Acceptable Use
          2. 1.2.1.3.2. Due Care
          3. 1.2.1.3.3. Separation of Duties
          4. 1.2.1.3.4. Need to Know
        4. 1.2.1.4. Policies and Ethics
          1. 1.2.1.4.1. (ISC)2 Code of Ethics
          2. 1.2.1.4.2. The U.S. Department of Health, Education, and Welfare Code of Fair Information Practices
    3. 1.3. Legal and Regulatory
      1. 1.3.1. Information Security Management Due Diligence
      2. 1.3.2. Privacy
        1. 1.3.2.1. Privacy Policy
        2. 1.3.2.2. Privacy-Related Legislation and Guidelines
        3. 1.3.2.3. Electronic Monitoring
        4. 1.3.2.4. The Platform for Privacy Preferences (P3P)
      3. 1.3.3. Restrictions on Cryptography
      4. 1.3.4. Warranties, Patents, Copyrights, Trade Secrets
        1. 1.3.4.1. Warranties
        2. 1.3.4.2. Patents
        3. 1.3.4.3. Copyrights
          1. 1.3.4.3.1. The Digital Millennium Copyright Act (DMCA)
        4. 1.3.4.4. Trade Secrets
      5. 1.3.5. National Security
        1. 1.3.5.1. Privacy Rights versus National Security
        2. 1.3.5.2. U.S. Department of Defense Security Clearance
      6. 1.3.6. Document Retention
    4. 1.4. Sample Questions
  6. 2. Risk Management
    1. 2.1. Risk Management Principles and Practices
      1. 2.1.1. Principles of Risk Management
        1. 2.1.1.1. The Purpose of Risk Analysis
        2. 2.1.1.2. Terms and Definitions
    2. 2.2. Risk Assessment
      1. 2.2.1. Quantitative Risk Analysis
        1. 2.2.1.1. Preliminary Security Examination (PSE)
          1. 2.2.1.1.1. Estimate Potential Losses
          2. 2.2.1.1.2. Analyze Potential Threats
          3. 2.2.1.1.3. Define the Annualized Loss Expectancy (ALE)
      2. 2.2.2. Qualitative Risk Analysis
      3. 2.2.3. Asset Identification and Valuation
      4. 2.2.4. Threat Identification
      5. 2.2.5. Vulnerability Definition
    3. 2.3. Risk Mitigation Strategies
      1. 2.3.1. Cost/Benefit Analysis
      2. 2.3.2. Level of Manual Operations
      3. 2.3.3. Auditability and Accountability Features
      4. 2.3.4. Recovery Ability
      5. 2.3.5. Vendor Relations
    4. 2.4. NIST RA Process
      1. 2.4.1. Step 1: System Characterization
        1. 2.4.1.1. Information-Gathering Techniques
      2. 2.4.2. Step 2: Threat Identification
      3. 2.4.3. Step 3: Vulnerability Identification
        1. 2.4.3.1. System Security Testing
        2. 2.4.3.2. Development of a Security Requirements Checklist
      4. 2.4.4. Step 4: Control Analysis
      5. 2.4.5. Step 5: Likelihood Determination
      6. 2.4.6. Step 6: Impact Analysis
      7. 2.4.7. Step 7: Risk Determination
      8. 2.4.8. Step 8: Control Recommendations
      9. 2.4.9. Step 9: Results Documentation
    5. 2.5. Sample Questions
  7. 3. Information Security Program Management
    1. 3.1. Control and Safeguard Selection
      1. 3.1.1. Control and Safeguard Implementation Methods
        1. 3.1.1.1. Evaluation Criteria
      2. 3.1.2. Cost versus Benefits of Physical, Administrative, and Technical Controls
    2. 3.2. Information Security Process Improvement
      1. 3.2.1. Information Security Process Improvement Model
        1. 3.2.1.1. The Software Capability Maturity Model (CMM)
        2. 3.2.1.2. The Systems Security Engineering Capability Maturity Model (SSE-CMM)
        3. 3.2.1.3. Security Engineering
        4. 3.2.1.4. Project and Organizational Practices
      2. 3.2.2. Security Architecture Development and Modeling
        1. 3.2.2.1. The Trusted Computing Base
        2. 3.2.2.2. Rings
        3. 3.2.2.3. Security Labels
        4. 3.2.2.4. Security Modes
        5. 3.2.2.5. Security Architecture Vulnerabilities
        6. 3.2.2.6. System Failure Architectural Considerations
        7. 3.2.2.7. Modeling
        8. 3.2.2.8. Access Control Models
          1. 3.2.2.8.1. The Access Matrix
          2. 3.2.2.8.2. Take-Grant Model
          3. 3.2.2.8.3. Bell-LaPadula Model
        9. 3.2.2.9. Integrity Models
          1. 3.2.2.9.1. The Biba Integrity Model
          2. 3.2.2.9.2. The Clark-Wilson Integrity Model
          3. 3.2.2.9.3. Information Flow Models
          4. 3.2.2.9.4. Noninterference Model
          5. 3.2.2.9.5. Composition Theories
    3. 3.3. Project Management Methods and Techniques
      1. 3.3.1. Work Breakdown Structure
      2. 3.3.2. Gantt Chart
      3. 3.3.3. PERT Chart
      4. 3.3.4. The Management Approach
    4. 3.4. Systems Development Life Cycle (SDLC) Methodologies
      1. 3.4.1. Traditional SDLC
        1. 3.4.1.1. The Waterfall Model
        2. 3.4.1.2. The Spiral Model
        3. 3.4.1.3. Change Control and Software Maintenance
        4. 3.4.1.4. Configuration Management
        5. 3.4.1.5. Cost Estimation Models
      2. 3.4.2. Information Security and the Systems Development Life Cycle
        1. 3.4.2.1. The Systems Development Life Cycle
          1. 3.4.2.1.1. Initiation Phase
          2. 3.4.2.1.2. Development/Acquisition Phase
          3. 3.4.2.1.3. Implementation Phase
          4. 3.4.2.1.4. Operation/Maintenance Phase
          5. 3.4.2.1.5. Disposal Phase
      3. 3.4.3. Prototyping
    5. 3.5. Certification and Accreditation
      1. 3.5.1. DITSCAP
      2. 3.5.2. NIACAP
    6. 3.6. Security Metrics Implementation
      1. 3.6.1. NSA-IAM
      2. 3.6.2. The Automated Security Self-Evaluation Tool (ASSET)
      3. 3.6.3. Defense-Wide Information Assurance Program (DIAP)
    7. 3.7. Sample Questions
  8. 4. Information Security Management
    1. 4.1. Administration Processes and Procedures
      1. 4.1.1. Acquisition Management Methods and Techniques
        1. 4.1.1.1. The National Security Agency/Central Security Service (NSA/CSS) Circular No. 500R
        2. 4.1.1.2. The Software Acquisition Capability Maturity Model
        3. 4.1.1.3. The U.S. Office of the Secretary of Defense (OSD) Acquisition Reform
        4. 4.1.1.4. Evolutionary Acquisition
        5. 4.1.1.5. Service Level Agreements (SLAs)
      2. 4.1.2. Contracts
        1. 4.1.2.1. Entering into a Contract
        2. 4.1.2.2. Damages
        3. 4.1.2.3. Contract Performance
      3. 4.1.3. Problem Management
        1. 4.1.3.1. Tools
      4. 4.1.4. Third-Party Service Providers
    2. 4.2. Monitoring and Auditing
      1. 4.2.1. Monitoring
        1. 4.2.1.1. Intrusion Detection
        2. 4.2.1.2. Violation Analysis
      2. 4.2.2. Auditing
        1. 4.2.2.1. Security Auditing
        2. 4.2.2.2. Audit Trails
        3. 4.2.2.3. Problem Management and Auditing
    3. 4.3. Configuration Management
      1. 4.3.1. Configuration Identification
      2. 4.3.2. Configuration Control
      3. 4.3.3. Configuration Status Accounting
      4. 4.3.4. Configuration Auditing
      5. 4.3.5. Documentation Change Control
    4. 4.4. Security Review and Testing
      1. 4.4.1. System Scanning
        1. 4.4.1.1. Vulnerability Scanning
          1. 4.4.1.1.1. Discovery Scanning
          2. 4.4.1.1.2. Workstation Scanning
          3. 4.4.1.1.3. Server Scanning
        2. 4.4.1.2. Port Scanning
        3. 4.4.1.3. TCP/UDP Scanning Types
          1. 4.4.1.3.1. Stealth Scans
          2. 4.4.1.3.2. Spoofed Scans
        4. 4.4.1.4. Scanning Tools
        5. 4.4.1.5. Issues with Vulnerability Scanning
      2. 4.4.2. External Vulnerability Testing
    5. 4.5. Security Awareness and Education
      1. 4.5.1. Awareness Methods and Techniques
      2. 4.5.2. Integrating Awareness
      3. 4.5.3. Changing Culture and Behavior of Staff
    6. 4.6. Sample Questions
  9. 5. Response Management
    1. 5.1. Intrusion Detection and Response
      1. 5.1.1. Components of Incident Response Capability
        1. 5.1.1.1. Network-Based ID
        2. 5.1.1.2. Host-Based ID
        3. 5.1.1.3. Signature-Based ID
        4. 5.1.1.4. Statistical Anomaly-Based ID
      2. 5.1.2. Intrusion Detection Policies and Processes
        1. 5.1.2.1. CERT/CC Practices
          1. 5.1.2.1.1. Establish Response Policies and Procedures
          2. 5.1.2.1.2. Prepare to Respond to Intrusions
          3. 5.1.2.1.3. Analyze All Available Information
          4. 5.1.2.1.4. Communicate with All Parties
          5. 5.1.2.1.5. Collect and Protect Information
          6. 5.1.2.1.6. Apply Short-Term Containment Solutions
          7. 5.1.2.1.7. Eliminate All Means of Intruder Access
          8. 5.1.2.1.8. Return Systems to Normal Operation
          9. 5.1.2.1.9. Identify and Implement Security Lessons Learned
        2. 5.1.2.2. IETF
        3. 5.1.2.3. Layered Security and IDS
      3. 5.1.3. Computer Security and Incident Response Teams
        1. 5.1.3.1. CERT
        2. 5.1.3.2. FedCIRC
        3. 5.1.3.3. FIRST
      4. 5.1.4. Security Incident Notification Process
        1. 5.1.4.1. Automated Notice and Recovery Mechanisms
      5. 5.1.5. IDS Issues
    2. 5.2. Business Continuity and Contingency Planning
      1. 5.2.1. Scope and Plan Initiation
      2. 5.2.2. Business Impact Assessment
        1. 5.2.2.1. Gathering Assessment Materials
        2. 5.2.2.2. The Vulnerability Assessment
        3. 5.2.2.3. Analyzing the Information
        4. 5.2.2.4. Documentation and Recommendation
      3. 5.2.3. Business Continuity Plan Development
      4. 5.2.4. Plan Approval and Implementation
        1. 5.2.4.1. Senior Management Approval
        2. 5.2.4.2. Plan Awareness
        3. 5.2.4.3. Plan Maintenance
      5. 5.2.5. Roles and Responsibilities in the BCP Process
        1. 5.2.5.1. The BCP Committee
        2. 5.2.5.2. Senior Management's Role
      6. 5.2.6. Disaster Recovery Planning and Business Recovery
        1. 5.2.6.1. Creating the DRP
          1. 5.2.6.1.1. Recovery Time Objectives
          2. 5.2.6.1.2. Alternate Sites
          3. 5.2.6.1.3. Backup Viability
        2. 5.2.6.2. Testing and Adjusting the DRP
          1. 5.2.6.2.1. DRP Testing Types
          2. 5.2.6.2.2. DRP Maintenance
        3. 5.2.6.3. Executing the DRP
        4. 5.2.6.4. Secure Recovery
      7. 5.2.7. Emergency Management Practices
    3. 5.3. Forensics
      1. 5.3.1. Requirements for Collecting and Presenting Evidence
        1. 5.3.1.1. Rules for Evidence
        2. 5.3.1.2. Admissibility of Evidence
        3. 5.3.1.3. Quality and Completeness of Evidence
        4. 5.3.1.4. Post-Incident Reviews and Follow-Up Procedures
    4. 5.4. Sample Questions
  10. A. Glossary of Terms and Acronyms
    1. A.1. A
    2. A.2. B
    3. A.3. C
    4. A.4. D
    5. A.5. E
    6. A.6. F
    7. A.7. G
    8. A.8. H
    9. A.9. I
    10. A.10. J
    11. A.11. K
    12. A.12. L
    13. A.13. M
    14. A.14. N
    15. A.15. O
    16. A.16. P
    17. A.17. R
    18. A.18. S
    19. A.19. T
    20. A.20. U
    21. A.21. V
    22. A.22. X
  11. B. CISM Area Tasks and Knowledge Statements
    1. B.1. Information Security Governance
      1. B.1.1. Tasks
      2. B.1.2. Knowledge Statements
    2. B.2. Risk Management
      1. B.2.1. Tasks
      2. B.2.2. Knowledge Statements
    3. B.3. Information Security Program Management
      1. B.3.1. Tasks
      2. B.3.2. Knowledge Statements
    4. B.4. Information Security Management
      1. B.4.1. Tasks
      2. B.4.2. Knowledge Statements
    5. B.5. Response Management
      1. B.5.1. Tasks
      2. B.5.2. Knowledge Statements
  12. C. Answers to Sample Questions
    1. C.1. Chapter 1: Information Security Governance
    2. C.2. Chapter 2: Risk Management
    3. C.3. Chapter 3: Information Security Program Management
    4. C.4. Chapter 4: Information Security Management
    5. C.5. Chapter 5: Response Management
  13. Wiley Publishing, Inc. End-User License Agreement
  14. What's on the CD-ROM
    1. C.6. System Requirements
    2. C.7. Using the CD with Windows
    3. C.8. What's on the CD
    4. C.9. Troubleshooting