CISM® Review Manual 2013

ISACA®

With more than 100,000 constituents in 180 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates and expands the practical guidance and product family based on the COBIT® framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created CISM® Review Manual 2013 primarily as an educational resource to assist individuals preparing to take the CISM certification exam. It was produced independently from the CISM exam and the CISM Certification Committee, which has had no responsibility for its content. Copies of past exams are not released to the public and were not made available to ISACA for preparation of this publication. ISACA makes no representations or warranties whatsoever with regard to these or other ISACA publications assuring candidates' passage of the CISM exam.

Reservation of Rights

© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, Illinois 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-317-2
CISM® Review Manual 2013
Printed in the United States of America

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

ii CISM Review Manual 2013 ISACA. All Rights Reserved.

CISM REVIEW MANUAL 2013

ISACA is pleased to offer the 2013 (11th) edition of the CISM® Review Manual. The purpose of this manual is to provide CISM candidates with updated technical information and references to assist in the preparation and study for the Certified Information Security Manager exam.

The CISM job practice can be viewed at www.isaca.org/cismjobpractice and in the Candidate's Guide to the CISM® Exam and Certification. The exam is based on the knowledge statements in the job practice, which involved thousands of CISMs and other industry professionals worldwide who served as committee members, focus group participants, subject matter experts and survey respondents.

The CISM® Review Manual is updated annually to keep pace with rapid changes in the management, design, oversight and assessment of information security. As with previous manuals, the 2013 edition is the result of contributions from many qualified authorities who have generously volunteered their time and expertise. We respect and appreciate their contributions and hope their efforts provide extensive educational value to CISM manual readers.

Your comments and suggestions regarding this manual are welcome. After taking the exam, please take a moment to complete the online questionnaire (www.isaca.org/studyaidsevaluation). Your observations will be invaluable for the preparation of the 2014 edition of the CISM® Review Manual.

The sample questions contained in this manual are designed to depict the type of questions typically found on the CISM exam and to provide further clarity to the content presented in this manual. The CISM exam is a practice-based exam. Simply reading the reference material in this manual will not properly prepare candidates for the exam. The sample questions are included for guidance only. Scoring results do not indicate future individual exam success.

Certification has resulted in a positive impact on many careers. CISM is designed to provide executive management with assurance that those earning the designation have the required knowledge and ability to provide effective information security management and consulting. While the central focus of the CISM certification is information security management, all those in the IT profession with security experience will certainly find value in the CISM designation.

ISACA wishes you success with the CISM exam.

ACKNOWLEDGMENTS

The 2013 edition of the CISM® Review Manual is the result of the collective efforts of many volunteers. ISACA members from throughout the global information security management profession participated, generously offering their talent and expertise. This international team exhibited a spirit and selflessness that has become the hallmark of contributors to this manual. Their participation and insight are truly appreciated.

Special thanks go to W. Krag Brotby, CISM, a senior security consultant from the Los Angeles Chapter, USA, who served as technical content project leader and editor.

All of the ISACA members who participated in the review of the CISM® Review Manual deserve our thanks and gratitude.

Expert Reviewers
Shawna Flanders, CISA, CISM, CRISC, ACS, CSSGB, SSBB, PSCU-FS, USA
Sandeep Godbole, CISA, CISM, CGEIT, CISSP, Syntel, India
Robert T. Hanson, CISA, CISM, CRISC, Australia
Foster J. Henderson, CISM, CRISC, CISSP, NSA-IEM, Citizant, USA
Veryl White, CISA, CISM, CRISC, W. S. Badcock Corporation, USA
Larry G. Wlosinski, CISA, CISM, CRISC, CAP, CDP, CISSP, ITIL, Booz Allen Hamilton, USA

ISACA has begun planning the 2014 edition of the CISM® Review Manual. Volunteer participation drives the success of the manual. If you are interested in becoming a member of the select group of professionals involved in this global project, we want to hear from you. Please email us at studymaterials@isaca.org.
TABLE OF CONTENTS

About this Manual  11
    Overview  11
    Organization of This Manual  11
    Format of This Manual  11
    About the CISM Review Questions, Answers and Explanations Manual  12

Chapter 1: Information Security Governance  13

Section One: Overview  14
    Introduction  14
    1.1 Definition  14
        Objectives  14
    1.2 Task and Knowledge Statements  14
        Tasks  14
        Knowledge Statements  14
        Relationship of Task to Knowledge Statements  15
        Knowledge Statement Reference Guide  16
        Suggested Resources for Further Study  26
    1.3 Self-assessment Questions  27
        Questions  27
        Answers to Self-assessment Questions  28

Section Two: Content  29
    1.4 Information Security Governance Overview  29
        1.4.1 Importance of Information Security Governance  29
        1.4.2 Outcomes of Information Security Governance  30
    1.5 Effective Information Security Governance  30
        1.5.1 Business Goals and Objectives  31
        1.5.2 Scope and Charter of Information Security Governance  31
        1.5.3 Roles and Responsibilities of Senior Management  32
            Boards of Directors/Senior Management  32
            Executive Management  33
            Steering Committee  33
            CISO  33
        1.5.4 Information Security Roles and Responsibilities  34
            Obtaining Senior Management Commitment  35
            Establishing Reporting and Communication Channels  35
        1.5.5 Governance, Risk Management and Compliance  35
        1.5.6 Business Model for Information Security  37
            Dynamic Interconnections  38
        1.5.7 Assurance Process Integration—Convergence  39
            Convergence  39
    1.6 Information Security Concepts and Technologies  40
    1.7 Governance and Third-party Relationships  40
    1.8 Information Security Governance Metrics  40
        1.8.1 Effective Security Metrics  41
        1.8.2 Governance Implementation Metrics  42
        1.8.3 Strategic Alignment Metrics  43
        1.8.4 Risk Management Metrics  43
        1.8.5 Value Delivery Metrics  43
        1.8.6 Resource Management Metrics  43
        1.8.7 Performance Measurement  44
        1.8.8 Assurance Process Integration (Convergence)  44
    1.9 Information Security Strategy Overview  44
        1.9.1 An Alternate View of Strategy  45
    1.10 Developing an Information Security Strategy  46
        1.10.1 Common Pitfalls  46
    1.11 Information Security Strategy Objectives  47
        1.11.1 The Goal  47
        1.11.2 Defining Objectives  48
            Business Linkages  48
        1.11.3 The Desired State  49
            COBIT  49
            Capability Maturity Model  50
            Balanced Scorecard  50
            Architectural Approaches  50
            ISO/IEC 27001 and 27002  51
            Other Approaches  52
        1.11.4 Risk Objectives  52
    1.12 Determining Current State of Security  53
        1.12.1 Current Risk  53
            Business Impact Analysis/Assessment  53
    1.13 Information Security Strategy Development  53
        1.13.1 Elements of a Strategy  54
            Road Map  54
        1.13.2 Strategy Resources and Constraints—Overview  54
            Resources  54
            Constraints  54
    1.14 Strategy Resources  55
        1.14.1 Policies and Standards  55
            Policies  55
            Standards  55
            Procedures  55
            Guidelines  55
        1.14.2 Enterprise Information Security Architecture(s)  55
            Alternative Enterprise Architecture Frameworks  57
        1.14.3 Controls  57
            IT Controls  58
            Non-IT Controls  58
            Countermeasures  58
            Layered Defenses  58
        1.14.4 Technologies  58
        1.14.5 Personnel  58
        1.14.6 Organizational Structure  59
            Centralized and Decentralized Approaches to Coordinating Information Security  59
        1.14.7 Employee Roles and Responsibilities  60
        1.14.8 Skills  60
        1.14.9 Awareness and Education  60
        1.14.10 Audits  61
        1.14.11 Compliance Enforcement  61
        1.14.12 Threat Assessment  61
        1.14.13 Vulnerability Assessment  61
        1.14.14 Risk Assessment and Management  62
        1.14.15 Insurance  62
        1.14.16 Business Impact Assessment  62
        1.14.17 Resource Dependency Analysis  62
        1.14.18 Outsourced Services  62
        1.14.19 Other Organizational Support and Assurance Providers  62
    1.15 Strategy Constraints  63
        1.15.1 Legal and Regulatory Requirements  63
            Requirements for Content and Retention of Business Records  63
            E-discovery  63
        1.15.2 Physical  63
        1.15.3 Ethics  63
        1.15.4 Culture  63
        1.15.5 Organizational Structure  64
        1.15.6 Costs  64
        1.15.7 Personnel  64
        1.15.8 Resources  64
        1.15.9 Capabilities  64
        1.15.10 Time  64
        1.15.11 Risk Acceptance and Tolerance  64
    1.16 Action Plan to Implement Strategy  64
        1.16.1 Gap Analysis—Basis for an Action Plan  64
        1.16.2 Policy Development  65
        1.16.3 Standards Development  65
        1.16.4 Training and Awareness  66
        1.16.5 Action Plan Metrics  66
            Key Goal Indicators  66
            Critical Success Factors  66
            Key Performance Indicators  66
            General Metrics Considerations  67
    1.17 Implementing Security Governance—Example  67
        1.17.1 Additional Policy Samples  69
    1.18 Action Plan Intermediate Goals  69
    1.19 Information Security Program Objectives  70
    1.20 Case Study  70

Chapter 2: Information Risk Management and Compliance  73

Section One: Overview  74
    Introduction  74
    2.1 Definition  74
        Objectives  74
    2.2 Task and Knowledge Statements  74
        Tasks  74
        Knowledge Statements  74
        Relationship of Task to Knowledge Statements  75
        Knowledge Statement Reference Guide  76
        Suggested Resources for Further Study  85
    2.3 Self-assessment Questions  85
        Questions  85
        Answers to Self-assessment Questions  86

Section Two: Content  89
    2.4 Risk Management Overview  89
        2.4.1 The Importance of Risk Management  90
        2.4.2 Outcomes of Risk Management  90
    2.5 Risk Management Strategy  90
        2.5.1 Risk Communication, Risk Awareness and Consulting  91
    2.6 Effective Information Security Risk Management  91
        2.6.1 Developing a Risk Management Program  91
            Establish Context and Purpose  91
            Define Scope and Charter  91
            Asset Identification, Classification and Ownership  92
            Determine Objectives  92
            Determine Methodologies  92
            Designate Program Development Team  92
        2.6.2 Roles and Responsibilities  92
            Key Roles  92
    2.7 Information Security Risk Management Concepts
93 2.7.1 Concepts ............................................................................................................................................................................ 93 2.7.2 Technologies ...................................................................................................................................................................... 93 Implementing Risk Management ........................................................................................................................................... 94 2.8.1 Risk Management Process ................................................................................................................................................. 94 2.8.2 Defining a Risk Management Framework ......................................................................................................................... 94 2.8.3 Defining the External Environment ................................................................................................................................... 96 2.8.4 Defining the Internal Environment .................................................................................................................................... 96 2.8.5 Determining the Risk Management Context ..................................................................................................................... 96 2.8.6 Gap Analysis ..................................................................................................................................................................... 97 2.8.7 Other Organizational Support ........................................................................................................................................... 97 2.9 Risk Assessment and Analysis Methodologies ........................................................................................................................ 
97 2.10 Risk Assessment ........................................................................................................................................................................ 97 2.10.1 NIST Risk Assessment Methodology .............................................................................................................................. 98 2.10.2 Aggregated and Cascading Risk ...................................................................................................................................... 99 2.10.3 Other Risk Assessment Approaches .............................................................................................................................. 100 Factor Analysis of Information Risk ............................................................................................................................ 101 Risk Factor Analysis .................................................................................................................................................... 101 Probabilistic Risk Assessment ..................................................................................................................................... 101 2.10.4 Identification of Risk ..................................................................................................................................................... 102 2.10.5 Threats ........................................................................................................................................................................... 103 2.10.6 Vulnerabilities ................................................................................................................................................................ 103 2.10.7 Risk ................................................................................................................................................................................ 
104 2.10.8 Analysis of Relevant Risk .............................................................................................................................................. 105 Qualitative Analysis ..................................................................................................................................................... 106 Semiquantitative Analysis ........................................................................................................................................... 106 Example of a Semiquantitative Analysis ..................................................................................................................... 107 Quantitative Analysis ................................................................................................................................................... 107 Annual Loss Expectancy.............................................................................................................................................. 108 Value at Risk ................................................................................................................................................................ 108 2.10.9 Evaluation of Risk ......................................................................................................................................................... 108 2.10.10 Risk Treatment Options ............................................................................................................................................... 108 Terminate the Activity .................................................................................................................................................. 109 Transfer the Risk .......................................................................................................................................................... 
109 Mitigate the Risk .......................................................................................................................................................... 109 Tolerate/Accept the Risk .............................................................................................................................................. 109 Risk Acceptance Framework ........................................................................................................................................ 109 2.10.11 Impact .......................................................................................................................................................................... 109 2.10.12 Legal and Regulatory Requirements ........................................................................................................................... 110 2.10.13 Residual Risk ............................................................................................................................................................... 110 2.10.14 Costs and Benefits ....................................................................................................................................................... 110 2.10.15 Risk Reassessment of Events Affecting Security Baselines ........................................................................................ 111 2.11 Information Resource Valuation ........................................................................................................................................... 111 2.11.1 Information Resource Valuation Strategies ................................................................................................................... 112 2.11.2 Information Resource Valuation Methodologies ........................................................................................................... 
112 2.11.3 Information Asset Classification ................................................................................................................................... 113 Methods to Determine Criticality of Resources and Impact of Adverse Events ........................................................ 113 2.11.4 Impact Assessment and Analysis ................................................................................................................................... 115 4 CISM Review Manual 2013 ISACA. All Rights Reserved.