100% Real Isaca CISM Exam Questions & Answers, Accurate & Verified By IT Experts
Instant Download, Free Fast Updates, 99.6% Pass Rate
CISM Premium File: 500 Questions & Answers
Last Update: Nov 21, 2024
CISM Training Course: 388 Video Lectures
CISM PDF Study Guide: 817 Pages
$79.99
Isaca CISM Practice Test Questions in VCE Format
Archived VCE files
File | Votes | Size | Date |
---|---|---|---|
ISACA.Certkey.CISM.v2011-06-10.by.steffy.305q.vce | 3 | 308.29 KB | Jun 13, 2011 |
ISACA.ActualTests.CISM.v2009-11-30.300q.vce | 1 | 316.94 KB | Jan 06, 2010 |
Isaca CISM Practice Test Questions, Exam Dumps
Isaca CISM Certified Information Security Manager exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Isaca CISM Certified Information Security Manager exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Isaca CISM certification exam dumps & Isaca CISM practice test questions in vce format.
So the process of convergence is really about having different aspects of security divided among those various bureaucracies rather than having them all work together to provide the best results. And again, we might even think about integrating physical security as it relates to data security. So I mean, you can imagine if you have physical security. Let's say you have even contracted with a company that provides guards to control access into a building or facility. Somehow they need to be related, as well as the data security, because a part of what they're protecting is the actual equipment that houses the information and the data. I can think of a very quick example without getting into much complexity. I was hired years ago to implement the installation of some Cisco routers in an electronics chain store. It was a nationwide one. And what they were doing was creating small internet hotspots, as we referred to them at the time. They weren't wireless, but people could go in and use this nationwide Internet service as a test and then get the little DVD to go home and install it. But they needed to communicate with that network. When I shipped this router and was told to go put it on a wire and hook it into the network, okay, that was great. Most of them had some sort of guard that would walk with me into the building. Okay, that's fine. So what happened to us? Their goal was to have me in the server room, at the point of sale network. I could be doing all sorts of evil. The thing is that the physical guards are good at what they do. They probably had no idea if I was disconnecting devices, changing traffic paths, intercepting information, or simply installing a router because they were assigned to specific tasks. 
And I think that silo was to make sure I didn't leave with more equipment than I walked in with, but maybe not really having an understanding of what they should be looking for in terms of data security—understanding the full convergence of those two fields. Now I realise that's a pretty iffy example, but I'm just trying to give you some examples of how integration might have worked. If that person may be new on the surface, what I should be working with may be where I should wrap this up: what routers, switches, or servers should I be nowhere near? Things like that are things that we can put together as a part of convergence.
It may be that we're working with third-party relationships just to be able to do a normal course of business. And your security governance should also cover those companies that you're dealing with in a third-party relationship. It might be an Internet service provider here. Okay, so why would we use an Internet service provider? Obviously, to get Internet access. We may also be using a service provider—not necessarily for Internet access, but for wide-area network connectivity, meaning I might have headquarters in one city and several branch offices in different states or different countries. And relying on the service provider to securely relay my data from one place to another could be outsourced operations, as I just alluded to a third-party security outfit. Which, by the way, this is not unusual because we frequently want security to be independent of upper management in order to avoid any conflict of interest and to know that if the security operations say these people, you don't come in at this or that time, that they can't get technically outranked and be threatened with being fired if they don't comply, those types of things. So it's not unusual to see these outsourced operations. It could even be a single company that stores your backups. All right, so outsourced operations are just things that we have to look at in different services that are being provided for us because it might be cheaper than us providing it for ourselves. Cloud computing certainly seems to be a big example of an outsourced operation. It could be trading partners or mergers between companies. All of these could be examples of third-party relationships. Now, the potential risks and impacts of having a third-party relationship need to be clear and documented, as well as having policies and standards that involve information security in working with the third party.
And, as I previously stated, if you have a business that will do credit card processing, you may need to connect to a company that specialises in credit card processing, such as those that supply card readers or have connectivity to banks to authorise funds. They'll probably require some minimum policy standards from you before allowing you to connect to their network because they recognise that adding you to their network introduces a new potential risk. And if I can't verify that your company meets a certain requirement of security or policies or standards, then do I want to let you in to my network, even if it means more business for me? At some point, we will have policies and standards for all of our existing customers as well. It's.
Now, we're taking a look at your information security governance metrics. Now, "metrics" is a term that, as we know, has a description of measurements. Really. Security in its meaning is the protection from or absence of danger. Well, how do you know that's working if you have no way of measuring those states? So metrics are really measuring the state or degree of safety in relation to a specific reference point that you're looking for. In other words, if I have objectives that I want to achieve in security, how do I know I've met those objectives if I can't measure them? And if I am measuring the performance of my security, but I have no foundation for what my goal is or what the objective is, then how do I know that those numbers are meaningful or that I'm doing good or bad? So we're going to talk about also considering that you want to have good metrics.
In some cases, metrics can be of a technical nature. Now, technical metrics can be useful and we can easily obtain them from your technical systems. Your intrusion detection or prevention systems can be tracking the types of payload violations, and maybe they've detected malware, buffer overflows or anomalous types of behaviour or network activity that are not a part of their normal operations, and so they can give you some indication about these events. Well, sometimes what they give you is what we call false positives. It could be completely normal traffic they've seen, but because it's different from what they've seen before, they're just reporting it as a difference, an anomaly. So again, it's technical information, but we also need to understand what it's measuring and what we're looking at. Proxy servers the same way, right? We can have a number of proxy servers. Web proxies are very common; we can see what web pages people are visiting and they can report on potentially malicious script on web pages people are trying to download that have been firewall-protected. Give us indications of the types of packets they've had to drop—potentially packets from somebody doing a port scan or a ping sweep or other types of attacks—to see what can get through. Now, these types of metrics can be helpful, but for strategic management or governance they might not be completely helpful as far as what they're looking at. I mean, these types of metrics don't relate to your organisational objectives, activities, or even how well risks are being managed. They only report the number of incidents or the type of incidents you have.
So then, what are effective security metrics? Well, first of all, without effective metrics, it's difficult, if not impossible, for you to manage any type of security activity. I mean, if you don't have a way of measuring what's happening, then how do you know your implementation of a countermeasure or control policy is really working? That means that we need to have useful metrics because with them, we can make good fundamental decisions about how to support our security efforts. Now, your effective metrics are not really going to be measured in an absolute sense, but perhaps with some probabilities based on attributes, effects, and consequences. Now, some of the useful approaches that we might see are things like: What's the value of risk? What is the return on security investments? What are my annual loss expectations? These are ways that we can try to qualify or quantify the type of risks that we have and be able to look to see if the metrics are showing us that what we've implemented is improving any of those areas. S.
Go to testing centre with ease on our mind when you use Isaca CISM vce exam dumps, practice test questions and answers. Isaca CISM Certified Information Security Manager certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Isaca CISM exam dumps & practice test questions and answers vce from ExamCollection.
Is the premium is valid dump?
Valid, passed with premium 1519Q
@Riveria, was it the premium file you used to pass the exam please?
Can anyone confirm the latest dumps are good?
You really need to study and understand the concepts else gonna end with fail. Done exam today and it's enough tough and mainly tricky
Any Successes recently?
can someone who has recently passed CISM please confirm that the premium file is valid and it was what they used?
Hey guy, Are these dumps valid?
Are these dumps valid....Anyone who has passed most recently, can you comment please....
Hello I am interested in CIMA questions and answers. kindly let me know how to get good preparation materials
I passed the exam using cism premium VCE file and earned CISM certification. just waiting to showcase my wide array of skills as a certified information security manager in the IT field.
@Kaylee, I used cism vce file provided on the website. It’s valid. just study before the exam and you’ll succeed.
Guys, I am taking my exam tomorrow. I need good questions and answers for CISM exam which I can go through them as quick as possible while am waiting for the exam. Anybody can assist!
I completed my exam last month. I performed extraordinarily well. I am now isaca cism certified. Thank you guys for offering excellent premium files for CISM cert exam.
@bentesh, I am going to sit my CISM exam very soon. Did you get reliable cism practice exam?
Hi good people, I need of your assistance! I sat my cism exam two weeks ago and I failed. Any individual with valid cism questions and answers. please! kindly share.
I think CISM practice test is not valid because even after using it I ended up failing. None of the exam questions was in the dump.
I passed my exam last week. cism questions contained in the practice tests have the capability to help you emerge victorious in CISM exam. Utilize them to avoid failure.
@hazard, …use the files you find on this website. Cism cert exam is very easy with the help CISM premium file.
I am very excited that I qualified to become a certified information security manager. CISM dumps really played a crucial role in my success! Thank you for the dumps!
cism practice questions have assisted me so much in the preparation for the actual exam. i used them to test myself whether am fully prepared to conquer the long awaited exam. they helped me to improve the areas which I felt they needed more attention.
Hey guys, I urgently need cism exam dumps.
I used these cism exam questions to prepare for the certification exam. I was astonished to find that they resembled those I encountered in the real exam. They helped me pass the cert exam! Very happy and satisfied. Recommend!