CISM: Certified Information Security Manager

CISM: Certified Information Security Manager Certification Video Training Course

CISM: Certified Information Security Manager Certification Video Training Course includes 388 lectures which provide in-depth knowledge of all key concepts of the exam. Pass your exam easily and learn everything you need with our CISM: Certified Information Security Manager Certification Training Video Course.

523 Students Enrolled
388 Lectures
14:34:18 hr

Curriculum for ISACA CISM Certification Video Training Course

CISM: Certified Information Security Manager Certification Video Training Course Info:

The complete course from ExamCollection's industry-leading experts helps you prepare and provides a full 360-degree solution for self-prep, including the CISM: Certified Information Security Manager Certification Video Training Course, practice test questions and answers, study guide, and exam dumps.

Domain 01 - Information Security Governance

57. Risk Management

As far as risk management goes, we could say that it is the ultimate objective of all information security activities. In fact, I think it's a great starting point to be able to even begin the process of coming up with policies and eventually the standards and procedures that you're going to use for your security program. Now there's no real direct measurement of risk management's effectiveness, but there are certainly indicators to show that it can be a successful tool that is used in the creation of your security program. These indicators could be things like having an understanding of the company's risk types or having a security strategy that can achieve whatever acceptable level of risk the company has the appetite to take. We can also show or demonstrate the mitigation of risk. We can even define processes to help reduce the impacts of risk based on having risk management in place. Now, that can also be indicated by a successful test of your business continuity plan or your disaster recovery plan. And of course, we should, as part of risk management, have a business impact analysis done, especially on those crucial parts of our information assets.

58. Value Delivery

The function of value delivery is to align security and business objectives, resulting in an optimal investment to achieve an achievable and acceptable level of risk. Now, some of the key indicators for value delivery could be the cost of protection, looking at it as a function of revenue or asset value, and having your security resources allocated by assessed risk and potential impact. Now, what does that mean? It means that when we have different assets we want to protect, the ones that are very important to us will probably get the majority of the security resources we have, as opposed to, say, my worry about someone stealing pencils from the supply closet, which might rank a little bit lower and warrant just a lock on the door. All right, so periodic testing of controls also adds to the value delivered, as does a periodic review of the cost along with compliance and how effective it has been.

59. Resource Management Part1

Resource management describes the process of planning, allocating, and controlling information security resources, which come in a variety of forms. Number one, of course, is people: people with the competencies to perform the security functions or to follow the policies we create, along with the awareness and training of anyone involved with the corporation or organisation who can contribute to overall security. Other resources are the processes we use, the technology, and the funds or costs for these different ways of approaching our total risk or total security.

60. Resource Management Part2

Now there are some indications of good resource management: things like infrequent problem rediscoveries and good knowledge capture and dissemination of that knowledge. Remember we talked a lot about communication channels, using standardised processes, and having well-defined roles and responsibilities? Those are certainly a great way to use people resources when you have limitations, and they help us show that security resources are distributed correctly across our information assets and the threats to them. Another indicator of good resource management might be proper organisational locations, levels of authority, and the personnel for the security functions that you need.

61. Performance Measurement

Now, metrics for information security processes are needed to ensure the organization's objectives are achieved. Remember, you can't manage what you can't measure. Some indicators of good performance measurement include how long it took to detect and then report an incident, and the number and frequency of unreported incidents. And, without any type of measurement, do you have a comparison of costs and effectiveness, the ability to determine how effective a control has actually been? How do you put this into a form you can describe or even manage, just from those bullet points? When we talk about things like the time from detection to reporting, that's a measurement. And if we have a security process that's taking a long time from the point of detection to reporting, we might want to consider revising it. As an example, we have intrusion detection as a possible solution, and it records anomalies or malware or signs of attacks and logs that information. Maybe we didn't set it up to send an instant alert, email, or other kind of update. And so a week later, when somebody decides to review the logs and sees that there was an attempted breach, or maybe an actual breach, is that time too long? Can we do things to improve it right now? That's one of the things performance measurement can help us determine. Now, the subject of this particular discussion is: what is a good performance measurement? It's a measurement that's worthwhile and means something. So if the measurement said it took a week from the time it was detected by intrusion detection to the time it was discovered and reported, that might not be a measurement you like to hear, but it is a good measurement because it gives you information you can base management decisions on. The same can be said of the number and frequency of unreported incidents.
Looking at cost and effectiveness, again, we don't want to throw money into something that's not really helping us in the long run. How do I know it's effective? How do I know that if I spend double, it's going to be more effective? Again, I need good measurements to see, because if I'm going to spend double the money and get very little effectiveness or improvement out of it, it might not be worth the extra cost. Returning to good metrics, hopefully you can apply your ideas about what constitutes a good metric as we discuss these indicators. The last one I listed was the ability to determine a control's effectiveness. Again, there must be a good measurement that actually lets me see it: the way to measure it is to be able to show, in a chart or some sort of analysis, that yes, this control is doing the job, because look what happened before we had that control. Documenting that security objectives have been met and, of course, consistency in log review practices can also be good indicators or good performance measurements.
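As an added example (not part of the course material), here is how the indicators just discussed, detection-to-report time, unreported incidents, and a control's effectiveness measured against what happened before it existed, can be computed over incident records. The incident data and the 24-hour threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    ident: str
    detected: datetime            # when the IDS logged the anomaly
    reported: Optional[datetime]  # when someone reported it; None if never

# Constructed sample data (not real incidents). Before instant alerting
# existed, logs were only read in a weekly review, so INC-2 sat for a week.
BEFORE = [
    Incident("INC-1", datetime(2019, 1, 7, 2, 15), datetime(2019, 1, 7, 9, 0)),
    Incident("INC-2", datetime(2019, 1, 8, 23, 40), datetime(2019, 1, 15, 10, 30)),
    Incident("INC-3", datetime(2019, 1, 10, 4, 5), None),  # logged, never reported
    Incident("INC-4", datetime(2019, 1, 12, 14, 20), datetime(2019, 1, 12, 14, 50)),
]
# Constructed sample data after the instant-alert control was turned on.
AFTER = [
    Incident("INC-5", datetime(2019, 2, 1, 3, 0), datetime(2019, 2, 1, 3, 30)),
    Incident("INC-6", datetime(2019, 2, 3, 22, 10), datetime(2019, 2, 3, 23, 25)),
]

def detection_to_report_hours(inc: Incident) -> Optional[float]:
    """Hours between IDS detection and human reporting; None if never reported."""
    if inc.reported is None:
        return None
    return (inc.reported - inc.detected) / timedelta(hours=1)

def metrics(incidents, sla: timedelta = timedelta(hours=24)) -> dict:
    """The lecture's indicators as numbers a manager can act on."""
    hours = {i.ident: detection_to_report_hours(i) for i in incidents}
    reported = [h for h in hours.values() if h is not None]
    return {
        "unreported_ratio": 1 - len(reported) / len(incidents),
        "mean_hours": mean(reported) if reported else None,
        # incidents whose detect-to-report time exceeded the agreed threshold
        "sla_breaches": [k for k, h in hours.items()
                         if h is not None and h > sla / timedelta(hours=1)],
    }

def control_effectiveness(before, after) -> float:
    """Fraction by which mean detection-to-report time fell after the control."""
    b, a = metrics(before)["mean_hours"], metrics(after)["mean_hours"]
    return 1 - a / b
```

Running `metrics(BEFORE)` flags INC-2 as the week-long breach and reports a quarter of incidents as never reported; `control_effectiveness(BEFORE, AFTER)` turns the before/after comparison into a single number for the chart the lecture describes.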

62. Assurance Process Integration/Convergence

We should look at the assurance process: integration or convergence, as we might call it. A good integration of processes should work end to end to minimise hidden risks. Things like information and asset protection are very important to us. So what are we looking at, and what do we mean by end to end? If I'm talking about information as the asset I'm worried about, an end-to-end solution takes us into that little silo area we try to avoid: the point where the information is being entered. It may be a bunch of point-of-sale locations; it may be a bunch of data entry operators we have working for us. Is the information good? Does it start off good, and then, in its transmission to us, is it protected? Are we storing it well? Do we have the oversight of auditing the information and testing that it is as accurate as it should be? I revisited a law enforcement agency that was experiencing what I thought was a minor issue with this end-to-end process of good information. Not that their protection was bad; I mean, I don't remember any breaches back in the 80s, but the way the information got put in wasn't so good. They were entering arrest information, and for a person like me, whose first name can go by many different forms, whether it's Ken, Kenneth, or Kenny, it would just depend on how the report was written and how they entered that person. The same person might have several arrests listed among three different people in that system. In other words, there was no audit that I could see which made sure the information was accurate at the time it was submitted. That's an end-to-end part of this process, and I think that's a part of information protection as well. We want to protect the information for its entire lifecycle.
So if we're integrating or converging these assurance processes, then it's not just my responsibility, once it's on a hard drive, to make sure that it's safe. As an end-to-end process, we are talking about full integration. Now, at the same time, we might also see that other business units were attempting similar types of security options, and maybe that's costing my company more money, when we could do some of those overlapping security functions in unison, or as one, and eliminate the security overlaps. Having well-defined roles and responsibilities again, so that everybody knows what their part of this process is going to be and what they're responsible for taking care of, and of course understanding how one's assurance function relates to another, is essential. That is, once again, business integration, ensuring that we are all working together to meet the overall business objectives.


  • Henry
  • Iceland
  • Feb 15, 2019

I have been for a long time dreaming of becoming an information security manager. The course truly validated my dream by enabling me to pass ISACA CISM certification exam. You made me proud guys. Thanks a lot!

  • Ryusei
  • Brazil
  • Feb 09, 2019

I completed my ISACA CISM exam last month and passed. I was very happy having scored 703 marks. My success was as a result of studying ISACA CISM course. Thank you to everyone who contributed towards my success.

  • Ryota
  • Brazil
  • Feb 05, 2019

I have gained uncountable skills from this course. I am applying those skills to resolve all problems related to information security in our company in order to enhance the achievement of goals and objectives set.

  • Luke
  • United States
  • Jan 30, 2019

It was an informative course in general. The concepts regarding information security management are properly articulated. The instructor is very confident and knowledgeable as far as ISACA CISM course is concerned.

  • Yuto
  • Switzerland
  • Jan 13, 2019

The course has made my learning process easy. The videos provided are clear and the mode of presentation is good. I am confident that the course has fully prepared me with every detail regarding ISACA CISM exam.

