Domain 01 - Information Security Governance
80. COBIT Framework
Now, as we talk about the COBIT framework, remember that it is essentially a collection of policies, procedures, and standards. There are 34 processes in the framework for managing and controlling information technology, and they are divided into four domains. The first is "Plan and Organize," which is where you find your strategy and tactics for achieving your business objectives. The second is "Acquire and Implement," where you identify, develop, or acquire an IT solution. The third, "Deliver and Support," covers, as the name suggests, the delivery of required services, including training. The fourth and last is "Monitor and Evaluate," which is the way you assess quality and compliance with your regulations or requirements.
81. Capability Maturity Model
Another framework we have is the Capability Maturity Model. In this model, the desired state of security can be defined as achieving a specific level. The model uses a range of zero to five, so six different ratings. What we are really looking at, usually in the development of software or applications, is whether we even thought about security from the very beginning, or whether we had an actual, full-fledged plan for it. So the Capability Maturity Model starts off with level zero, which is pretty much nonexistent security.
Now, I can tell you that back in the very early to mid-80s, when I was working in the world of programming, nobody ever really taught us to worry about security. It was more about the efficiency of the program, which could not use a lot of memory, since we had virtually none by today's standards. Level one of the Capability Maturity Model is called "ad hoc," where there is no formal process; as we test the program, we say, "Oh, this is something that's bad," and we work on fixing that. Level two is called "repeatable but intuitive," which means there is an emerging understanding that there is risk involved in the programs. At level three we have a defined process, which means we have company-wide risk management policies that we are working with. At level four we are managed and measurable, with formal risk assessment procedures and policies in place. And at level five we are optimized, meaning there is an organization-wide process that is implemented, monitored, and managed for security.
82. Balanced Scorecard
Another approach to looking at your security strategy is what is called a "balanced scorecard." This is a management and measurement system that helps organizations clarify their vision and strategy and translate them into action. There are four perspectives to a balanced scorecard: learning and growth, business process, customer, and financial. If you imagine that the goal of your project is to reach a certain objective, then you can say, "Okay, to get to this objective, let's look at the learning and growth it would take to get there." What business processes are used?
You then take the customer's input and the financial inputs, rate them all on a scorecard, and look for a way of reaching that objective that keeps the balance roughly even across all four of those categories, knowing that some business processes may have a higher financial cost. So we may have to change some business processes to get a better financial return, but we also have to see how that plays out with the customer: whether the decision might make things harder for the customers, and what it would take for us to get there, including the training and everything else. So it is an approach for arriving at a strategy that you can actually put into action for your business.
83. Architectural Approaches
Another aspect is what we call the "architectural approach." The Enterprise Information Security Architecture (EISA), which is a subset of the Enterprise Architecture, has a number of different methodologies that have evolved, including process models, frameworks, and ad hoc approaches. The architectural approaches, which take in the business processes that might be helpful in defining the desired state of security, can be illustrated by a number of examples: The Open Group Architecture Framework (TOGAF), the Zachman Enterprise Architecture Framework, and the Extended Enterprise Architecture Framework (E2AF). Again, these are examples of frameworks that you will see in the architectural approach. The important thing here is to have a wide array of knowledge about the approaches you can take when it comes to overall information security management.
84. ISO/IEC 27001 and 27002
Now, when we look at another framework, we have ISO/IEC 27001 and 27002. To cover all of the relevant elements of security, these standards provide eleven areas that serve as a useful framework. Again, we are not here to go into depth on any one certification, publication, or framework, but to give you an idea that there are places to go, or places you can use as a starting point, to help in building your security policy. So this breakdown of the eleven areas covers: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; and, of course, monitoring for compliance.