CISM Training - Philippines

Certified Information Security Manager (CISM) Training Outline

This CISM training course covers the following areas:

Domain 1: Information Security Governance

Module 1: Organisational Culture

• About Information Security Governance
• Reason for Security Governance
• Security Governance Activities and Results
• Risk Appetite

Module 2: Legal, Regulatory, and Contractual Requirements

• Introduction
• Requirements for Content and Retention of Business Records

Module 3: Organisational Structures, Roles and Responsibilities

• Roles and Responsibilities
• Monitoring Responsibilities

Module 4: Information Security Strategy Development

• Introduction
• Business Goals and Objectives
• Information Security Strategy Objectives
• Ensuring Objective and Business Integration
• Avoiding Common Pitfalls and Bias
• Desired State
• Elements of a Strategy

Module 5: Information Governance Frameworks and Standards

• Security Balanced Scorecard
• Architectural Approaches
• Enterprise Risk Management Framework
• Information Security Management Frameworks and Models

Module 6: Strategic Planning

• Workforce Composition and Skills
• Assurance Provisions
• Risk Assessment and Management
• Action Plan to Implement Strategy
• Information Security Program Objectives

Domain 2: Information Security Risk Management

Module 7: Emerging Risk and Threat Landscape

• Risk Identification
• Threats
• Defining a Risk Management Framework
• Emerging Threats
• Risk, Likelihood and Impact
• Risk Register

Module 8: Vulnerability and Control Deficiency Analysis

• Introduction
• Security Control Baselines
• Events Affecting Security Baselines

Module 9: Risk Assessment and Analysis

• Introduction to Risk Assessment and Analysis
• Determining the Risk Management Context
• Operational Risk Management
• Risk Management Integration with IT Life Cycle Management Processes
• Risk Scenarios
• Risk Assessment Process
• Risk Assessment and Analysis Methodologies
• Other Risk Assessment Approaches
• Risk Analysis
• Risk Evaluation
• Risk Ranking

Module 10: Risk Treatment / Risk Response Options

• Introduction to Risk Treatment / Risk Response Options
• Determining Risk Capacity and Acceptable Risk (Risk Appetite)
• Risk Response Options
• Risk Acceptance Framework
• Inherent and Residual Risk
• Impact
• Controls
• Legal and Regulatory Requirements
• Costs and Benefits

Module 11: Risk and Control Ownership

• Risk Ownership and Accountability
• Risk Owner
• Control Owner

Module 12: Risk Monitoring and Reporting

• Risk Monitoring
• Key Risk Indicators
• Reporting Changes in Risk
• Risk Communication, Awareness and Consulting
• Documentation

Domain 3: Information Security Program Development and Management

Module 13: Information Security Program Resources

• Introduction to Security Program Development and Management
• Information Security Program Objectives
• Information Security Program Concepts
• Common Information Security Program Challenges
• Common Information Security Program Constraints

Module 14: Information Asset Identification and Classification

• Information Asset Identification and Valuation
• Information Asset Valuation Strategies
• Information Asset Classification
• Methods to Determine Criticality of Assets and Impact of Adverse Events

Module 15: Industry Standards and Frameworks for Information Security

• Enterprise Information Security Architectures
• Information Security Management Frameworks
• Information Security Frameworks Components

Module 16: Information Security Policies, Procedures, and Guidelines

• Policies
• Standards
• Procedures
• Guidelines

Module 17: Information Security Program Metrics

• Introduction to Information Security program Metrics
• Effective Security Metrics
• Security Program Metrics and Monitoring
• Metrics Tailored to Enterprise Needs

Module 18: Information Security Control Design and Selection

• Introduction
• Managing Risk Through Controls
• Controls and Countermeasures
• Control Categories
• Control Design Considerations
• Control Methods

Module 19: Information Security Control Implementation, Integration, Testing, and Evaluation

• Introduction
• Baseline Controls

• Introduction
• Control Strength
• Control Recommendations

Module 20: Information Security Awareness and Training

• Security Awareness Training and Education
• Developing an Information Security Awareness Program
• Role Based Training

Module 21: Management of External Services

• Governance of Third-Party Relationships
• Third Party Service Providers
• Outsourcing Challenges
• Third-Party Access

Module 22: Information Security Program Communications and Reporting

• Program Management Evaluation
• Plan-Do-Check-Act Cycle
• Security Reviews and Audits
• Compliance Monitoring and Enforcement
• Monitoring Approaches
• Measuring Information Security Management Performance
• Ongoing Monitoring and Communication

Domain 4: Incident Management

Module 23: Incident Response Plan

• Introduction to Incident Response Plan
• Relationship Between Incident Management and Incident Response
• Goals of Incident Management and Incident Response
• Incident Handling and Management Life Cycle
• Incident Management and Incident Response Plans
• Importance of Incident Management
• Outcomes of Incident Management
• Incident Management Resources
• Policies and Standards
• Incident Management Objectives
• Strategic Alignment
• Response and Recovery Plan
• Role of Information Security Manager in Incident Management
• Risk Management
• Assurance Process Integration
• Value Delivery
• Resource Management
• Defining Incident Management Procedures
• Detailed Plan of Action for Incident Management
• Current State of Incident Response Capability
• Developing and Incident Response Plan
• Incident Management Response Teams
• Organising, Training and Equipping the Resource Staff
• Incident Notification Process
• Challenges in Developing an Incident Management Plan

Module 24: Business Impact Analysis

• Introduction to Business Impact Analysis
• Elements of Business Impact Analysis
• Benefits of Conducting a Business Impact Analysis

Module 25: Business Continuity Plan

• Integrating Incident Response with Business Continuity
• Methods for Providing Continuity of Network Services
• High-Availability Considerations
• Insurance

Module 26: Disaster Recovery Plan

• Introduction to Disaster
• Business Continuity and Disaster Recovery Procedures
• Recovery Operations
• Evaluating Recovery Strategies
• Addressing Threats
• Recovery Sites
• Basis for Recovery Site Selection
• Response and Recovery Strategy Implementation

Module 27: Incident Classification/Categorisation

• Introduction to Incident Classification/Categorisation
• Escalation Process for Effective Incident Management
• Help/Service Desk Processes for Identifying Security Incidents

Module 28: Incident Management Training, Testing and Evaluation

• Incident Management Roles and Responsibilities
• Incident Management Metrics and Indicators
• Performance Measurement
• Updating Recovery Plans
• Testing Incident Response and Business Continuity/Disaster Recovery Plans
• Periodic Testing of the Response and Recovery Plans
• Testing for Infrastructure and Critical Business Applications
• Types of Tests
• Test Results
• Recovery Test Metrics

Module 29: Incident Management Tools and Technologies

• Incident Management Systems
• Incident Response Technology Foundations
• Personnel
• Skills
• Awareness and Education
• Audits
• Outsourced Security Providers

Module 30: Incident Investigation, Evaluation, and Containment Methods

• Introduction
• Executing Response and Recovery Plans

• Introduction to Incident Containment Methods

Module 31: Incident Response Communication, Eradication, and Recovery

• Introduction to Incident Response Communication
• Notification Requirements
• Communication Networks

• Eradication Activities
• Recovery

Module 32: Post-Incident Review Practices

• Introduction Post-Incident Review Practices
• Identifying Causes and Corrective Actions
• Documenting Events
• Establishing Legal Procedures to Assist Post-Incident Activities
• Requirements for Evidence
• Legal Aspects of Forensic Evidence