Cover
Title Page
Copyright
Dedication
Acknowledgments
About the Author
About the Technical Editor
Introduction
1. The CISM Exam
2. CISM Exam Objectives
3. CISM Certification Exam Objective Map
4. Assessment Test
5. Answers to Assessment Test
Chapter 1: Today's Information Security Manager
1. Information Security Objectives
2. Role of the Information Security Manager
3. Information Security Risks
4. Building an Information Security Strategy
5. Implementing Security Controls
6. Data Protection
7. Summary
8. Exam Essentials
9. Review Questions
Chapter 2: Information Security Governance and Compliance
1. Governance
2. Understanding Policy Documents
3. Complying with Laws and Regulations
4. Adopting Standard Frameworks
5. Security Control Verification and Quality Control
6. Summary
7. Exam Essentials
8. Review Questions
Chapter 3: Information Risk Management
1. Analyzing Risk
2. Risk Treatment and Response
3. Risk Analysis
4. Disaster Recovery Planning
5. Privacy
6. Summary
7. Exam Essentials
8. Review Questions
Chapter 4: Cybersecurity Threats
1. Exploring Cybersecurity Threats
2. Threat Data and Intelligence
3. Summary
4. Exam Essentials
5. Review Questions
Chapter 5: Information Security Program Development and Management
1. Information Security Programs
2. Security Awareness and Training
3. Managing the Information Security Team
4. Managing the Security Budget
5. Integrating Security with Other Business Functions
6. Summary
7. Exam Essentials
8. Review Questions
Chapter 6: Security Assessment and Testing
1. Vulnerability Management
2. Security Vulnerabilities
3. Penetration Testing
4. Training and Exercises
5. Summary
6. Exam Essentials
7. Review Questions
Chapter 7: Cybersecurity Technology
1. Endpoint Security
2. Network Security
3. Cloud Computing Security
4. Cryptography
5. Code Security
6. Identity and Access Management
7. Summary
8. Exam Essentials
9. Review Questions
Chapter 8: Incident Response
1. Security Incidents
2. Phases of Incident Response
3. Building the Incident Response Plan
4. Creating an Incident Response Team
5. Coordination and Information Sharing
6. Classifying Incidents
7. Conducting Investigations
8. Plan Training, Testing, and Evaluation
9. Summary
10. Exam Essentials
11. Review Questions
Chapter 9: Business Continuity and Disaster Recovery
1. Planning for Business Continuity
2. Project Scope and Planning
3. Business Impact Analysis
4. Continuity Planning
5. Plan Approval and Implementation
6. The Nature of Disaster
7. System Resilience, High Availability, and Fault Tolerance
8. Recovery Strategy
9. Recovery Plan Development
10. Training, Awareness, and Documentation
11. Testing and Maintenance
12. Summary
13. Exam Essentials
14. Review Questions
Appendix: Answers to the Review Questions
1. Chapter 1: Today's Information Security Manager
2. Chapter 2: Information Security Governance and Compliance
3. Chapter 3: Information Risk Management
4. Chapter 4: Cybersecurity Threats
5. Chapter 5: Information Security Program Development and Management
6. Chapter 6: Security Assessment and Testing
7. Chapter 7: Cybersecurity Technology
8. Chapter 8: Incident Response
9. Chapter 9: Business Continuity and Disaster Recovery
Index
End User License Agreement

List of Illustrations

Chapter 1
1. FIGURE 1.1 The three key objectives of cybersecurity programs are confidenti...
2. FIGURE 1.2 Information security managers must be both security experts and b...
3. FIGURE 1.3 Typical cybersecurity organizational structure
4. FIGURE 1.4 RACI matrix for information security
5. FIGURE 1.5 The three key threats to cybersecurity programs are disclosure, a...
6. FIGURE 1.6 Cybersecurity SWOT analysis example
7. FIGURE 1.7 CMMI levels
8. FIGURE 1.8 Communicating the security strategy
Chapter 2
1. FIGURE 2.1 Typical corporate governance model
2. FIGURE 2.2 Excerpt from CMS roles and responsibilities chart
3. FIGURE 2.3 Excerpt from UC Berkeley Minimum Security Standards for Electroni...
4. FIGURE 2.4 NIST Cybersecurity Framework Core Structure
5. FIGURE 2.5 Asset Management Cybersecurity Framework
6. FIGURE 2.6 NIST Risk Management Framework
7. FIGURE 2.7 Windows Server 2019 security benchmark excerpt
Chapter 3
1. FIGURE 3.1 Risk exists at the intersection of a threat and a corresponding v...
2. FIGURE 3.2 Qualitative risk assessments use subjective rating scales to eval...
3. FIGURE 3.3 (a) STOP tag attached to a device. (b) Residue remaining on devic...
4. FIGURE 3.4 Risk register excerpt
5. FIGURE 3.5 Risk matrix
6. FIGURE 3.6 Cover sheets used to identify classified U.S. government informat...
Chapter 4
1. FIGURE 4.1 Logo of the hacktivist group Anonymous
2. FIGURE 4.2 Dark web market
3. FIGURE 4.3 Recent alert listing from the CISA website
4. FIGURE 4.4 FireEye Cybersecurity Threat Map
Chapter 5
1. FIGURE 5.1 Security awareness poster
2. FIGURE 5.2 Relationship between calendar years and fiscal years
Chapter 6
1. FIGURE 6.1 Qualys asset map
2. FIGURE 6.2 Configuring a Nessus scan
3. FIGURE 6.3 Sample Nessus scan report
4. FIGURE 6.4 Nessus scan templates
5. FIGURE 6.5 Disabling unused plug-ins
6. FIGURE 6.6 Configuring credentialed scanning
7. FIGURE 6.7 Choosing a scan appliance
8. FIGURE 6.8 Nessus vulnerability in the NIST National Vulnerability Database...
9. FIGURE 6.9 Nessus Automatic Updates
10. FIGURE 6.10 Nikto web application scanner
11. FIGURE 6.11 Arachni web application scanner
12. FIGURE 6.12 Nessus vulnerability scan report
13. FIGURE 6.13 Missing patch vulnerability
14. FIGURE 6.14 Unsupported operating system vulnerability
15. FIGURE 6.15 Debug mode vulnerability
16. FIGURE 6.16 FTP cleartext authentication vulnerability
17. FIGURE 6.17 Insecure SSL cipher vulnerability
Chapter 7
1. FIGURE 7.1 Network firewalls divide networks into three zones.
2. FIGURE 7.2 (a) Vertical scaling vs. (b) Horizontal scaling
3. FIGURE 7.3 Thin clients, such as this Samsung Google Chromebook, are suffici...
4. FIGURE 7.4 AWS Lambda function as a service environment
5. FIGURE 7.5 HathiTrust is an example of community cloud computing.
6. FIGURE 7.6 AWS Outposts offer hybrid cloud capability.
7. FIGURE 7.7 Shared responsibility model for cloud computing
8. FIGURE 7.8 Cloud Reference Architecture
9. FIGURE 7.9 Cloud Controls Matrix excerpt
10. FIGURE 7.10 Limiting the data center regions used for a Zoom meeting
11. FIGURE 7.11 Challenge-response authentication protocol
12. FIGURE 7.12 Symmetric key cryptography
13. FIGURE 7.13 Asymmetric key cryptography
14. FIGURE 7.14 High-level SDLC view
15. FIGURE 7.15 The Waterfall SDLC model
16. FIGURE 7.16 The Spiral SDLC model
17. FIGURE 7.17 Agile sprints
18. FIGURE 7.18 The CI/CD pipeline
19. FIGURE 7.19 Fagan code review
20. FIGURE 7.20 Biometric authentication with a (a) retinal scanner (b) fingerpr...
21. FIGURE 7.21 Authentication token
22. FIGURE 7.22 False acceptance rate (FAR), false rejection rate (FRR), and cro...
Chapter 8
1. FIGURE 8.1 Incident response process
2. FIGURE 8.2 Proactive network segmentation
3. FIGURE 8.3 Network segmentation for incident response
4. FIGURE 8.4 Network isolation for incident response
5. FIGURE 8.5 Network removal for incident response
6. FIGURE 8.6 Patching priorities
7. FIGURE 8.7 Sanitization and disposition decision flow
8. FIGURE 8.8 Incident response checklist
Chapter 9
1. FIGURE 9.1 U.S. earthquake risk map
2. FIGURE 9.2 Flood hazard map for Miami–Dade County, Florida
3. FIGURE 9.3 Failover cluster with network load balancing

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

978-1-119-80193-1
978-1-119-80204-4 (ebk.)
978-1-119-80194-8 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021948030

Trademarks: WILEY, the Wiley logo, Sybex and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISM is a trademark or registered trademark of Information Systems Audit and Control Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover image: ©Jeremy Woodhouse/Getty Images

Cover design: Wiley

Acknowledgments

Books like this involve work from many people, and as an author, I truly appreciate the hard work and dedication that the team at Wiley shows. I would especially like to thank my acquisitions editor, Jim Minatel. I've worked with Jim for too many years to count and it's always an absolute pleasure working with a true industry pro.

I also greatly appreciated the editing and production team for the book, including David Clark, the project editor, who brought years of experience and great talent to the project; Ben Malisow, the technical editor, who provided insightful advice and gave wonderful feedback throughout the book; and Barath Kumar Rajasekaran, the production editor, who guided me through layouts, formatting, and final cleanup to produce a great book. I would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

Victoria Mastagh, my production assistant at CertMike.com, was instrumental in preparing the glossary, and Matthew Howard, my research assistant at Notre Dame, played a crucial role in pulling together the class slides that accompany the book for instructors.

My agent, Carole Jelen of Waterside Productions, continues to provide me with wonderful opportunities, advice, and assistance throughout my writing career.

Finally, I would like to thank my family, who supported me through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Author

Mike Chapple, Ph.D., CISM, is the author of over 30 books, including the best-selling CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (Sybex, 2021) and the CISSP (ISC)² Official Practice Tests (Sybex, 2021). He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as Teaching Professor in the IT, Analytics, and Operations department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Mike previously served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active-duty intelligence officer in the U.S. Air Force.

Mike is a technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds the Cybersecurity Analyst+ (CySA+), Security+, Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP) certifications.

Learn more about Mike and his other security certification materials at his website, CertMike.com.

About the Technical Editor

Ben Malisow has worked in the fields of education/training, communication, information technology, security, and/or some combination of these industries, for over 25 years. Prior to his current position, Ben has provided information security consulting services and training to a diverse host of clients, including the Defense Advanced Research Projects Agency (DARPA), the Department of Homeland Security (at TSA), and the FBI. He has also served as an Air Force officer, after graduating from the Air Force Academy.

An experienced trainer, Ben has been an adjunct professor of English at the College of Southern Nevada, a computer teacher for troubled junior/senior high school students in Las Vegas, a senior instructor for the University of Texas - San Antonio, and he has taught computer security certification prep classes for Carnegie-Mellon University's CERT/SEI.

Ben has published widely in many fields. His latest books include Exposed: How Revealing Your Data and Eliminating Privacy Increases Trust and Liberates Humanity (Wiley, 2020), the CCSP (ISC)² Official Study Guide (Sybex, 2020), the CCSP Official (ISC)² Practice Tests (Sybex, 2018), and How to Pass Your INFOSEC Exam from Amazon Direct. Updates to his work and his podcast, “The Sensuous Sounds of INFOSEC,” can be found at securityzed.com. His certification-preparation courses can be found on Udemy.com.