Issue of January 2004

Security Certification

A test of expertise

Unlike other security certifications discussed in this series, CISM is for experienced information security professionals. Do you have what it takes to get this certification?

Avinash Kadam

Information security is surely going places. Apart from the growing number of security professionals aspiring to be certified, new certifications are being added. The latest is Certified Information Security Manager (CISM) from the Information Systems Audit and Control Association (ISACA), a body that has been offering the CISA certification for more than twenty-five years.

How does the latest certification differ from the old and established certificates? ISACA states that CISM is not an entry-level certification. "It is specifically developed for information security professionals, who have acquired experience working on the front lines of information security, and have five years or more of experience managing the information security function of an enterprise."

How does CISM test the knowledge of such an experienced security professional?

CISM has defined five practice areas in which the expertise of an information security manager is tested. For each practice area, the main tasks have been defined, followed by knowledge statements, which explain the specific areas of expertise required for that practice area. The percentages in parentheses signify the weight given to each domain in the examination.

1. Information Security Governance (21%)

Under this topic, the information security manager is expected to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.

This domain takes a high-level view of information security. It begins with establishing information security objectives that support the business objectives and operations. This requires obtaining senior management commitment by issuing overall policy directives, establishing a steering group, and identifying security management roles, responsibilities and organizational structure. The domain further covers other areas of information security governance such as risk management, data classification management, network security, system access, centralized vs. decentralized approaches to coordinating information security, understanding legal and regulatory issues, and insurance policies covering information security risks. The domain also dwells upon designing information security programs with appropriate policies linked to business objectives, procedures, guidelines, information security process improvement models, and the various international standards for information security management.

This is a very broad domain, requiring a thorough understanding of the philosophy of information security management, the various models and approaches, and how to integrate information security into the corporate culture.

2. Risk Management (21%)

This domain expects you to identify and manage information security risks to achieve business objectives.

Risk management is the focal point of any security program. It starts with valuing information resources and classifying information. You should also be familiar with the concepts of a security baseline and cycle-based risk management. Knowledge of the various quantitative and qualitative methods for determining the sensitivity and criticality of information resources, as outlined in standard methods such as COBIT, NIST and OCTAVE, is required. You also need to understand the analysis of threats, vulnerabilities and exposures affecting the confidentiality, integrity and availability of resources. Next in line are business impact analysis, the recovery time objective (RTO), and the objectives and processes of business continuity and contingency planning. Finally, the various risk mitigation strategies, from physical security measures to application security measures, need to be understood.

Subject matter covered in this domain is very relevant to information security management implementation. Once again, the domain requires you to read a vast amount of literature to bring yourself up to date.

3. Information Security Program Management (21%)

This domain deals with design, development and management of information security programs to implement the information security governance framework.

This is the third step in implementation of information security management in an organization, after creating the framework and performing risk assessment and business impact analysis.

Candidates should have a good knowledge of project management techniques, as the success of an information security program lies in strong project management. The next area of expertise is information security architectures such as rules-based and list-based system access and single sign-on, and the various security technologies such as firewalls, IDS, PKI, wireless security, Web security and application security. This further requires knowledge of security procedures and guidelines, security as part of the system development lifecycle, security testing, and security certification and accreditation. You should be able to do a cost/benefit analysis of the various physical, administrative and technical controls, design and implement security metrics, and also evaluate vendor service level agreements and prepare contracts.

Obviously, this domain thoroughly tests the technical and administrative knowledge of the candidate.

4. Information Security Management (24%)

This domain tests your skills to oversee and direct information security activities, to execute the information security program.

This is the implementation phase of information security, where God is in the details. You have to ensure that the information security policy designed for the enterprise does get implemented across the organization through technical and procedural measures. Administrative procedures should be designed to ensure compliance with policies. Outsourced providers should be covered as well. Metrics should be used to measure and monitor the effectiveness and efficiency of information security controls and their compliance with information security policies.

In the ever-changing world of security, care should be taken that security management is not compromised by inadequate change management procedures. Periodic vulnerability assessments should be performed to evaluate the effectiveness of existing controls. This calls for a good understanding of the various vulnerability assessment techniques. Lastly, the information security manager has to bring about a cultural change in the organization by making it more aware of its security responsibilities. This requires knowledge of the various techniques that could bring about this change without undue resistance.

5. Response Management (13%)

In this domain, you have to demonstrate the understanding of how to develop and manage capability to respond to and recover from disruptive and destructive information security events.

Each security-related event has to be detected, identified and analyzed, and appropriate action has to be taken. This requires a response management process as well as a response and recovery plan. Disaster recovery and business continuity plans need to be formulated with a proper understanding of recovery time objectives (RTO) and recovery point objectives (RPO). Incident response teams need to be organized, trained and equipped to deal with every eventuality. The adequacy of the plans as well as the preparedness of the teams needs to be tested periodically. Test plans, ranging from tabletop exercises up to full simulations, have to be prepared. This requires good documentation to track the test results and improve procedures, as well as to take follow-up actions for each real-life incident. This may also include forensic analysis. Post-event, corrective and preventive actions have to be initiated.

The last domain tests the understanding of the preparation required to handle and manage any type of security incident.

As I have done in the previous articles, I have compared the CISM syllabus with the BS7799 clauses (see the table at the end of this article).

CISM covers all the areas required by BS7799, which is not surprising. After all, both deal with information security management. Of course, the emphasis on some areas, such as correlating information security strategies with business objectives and operations, is more explicit in CISM, whereas it is assumed to be present in BS7799. Secondly, CISM requires the design and implementation of security metrics. BS7799 does not require this, but it is assumed that to identify the measurable ISMS improvement required in clause 7, the information security manager will deploy appropriate security metrics.

If you have the requisite information security experience and already possess the CISA designation, it may be a good idea to aim at CISM. From a market visibility point of view, CISSP is more visible, but CISM will catch up in due course. One impediment to the growth of CISM could be that the examination is held only once a year. So if you miss the opportunity in June, you have to wait till the next June.

How to become a CISM?

Since this certificate is offered by ISACA, it has guidelines similar to those stipulated for getting the CISA designation. Remember, passing the examination is just the first step.

1. Successful completion of the CISM examination

The examination is conducted once a year, on the second Saturday of June. So the next examination is scheduled for 12th June 2004. The examination consists of 200 multiple choice questions to be answered within four hours. The approximate percentage of questions asked from each domain is given in brackets after each domain title. The passing score is 75 percent, which means that if you pass the exam, you have scored marks which put you in the top 25 percent.

2. Information security work experience

You need to have a minimum of five years of information security work experience, with a minimum of three years of information security management experience in three or more of the job practice areas. You can get a waiver of up to two years if you are a CISA or CISSP, but there are no waivers for the information security management experience.

3. Adherence to the Code of Professional Ethics, and agreement to comply with continued education policy.

Get more details from the ISACA website.


CISM domain                                   BS7799-2 clause
1. Information Security Governance            Clauses 4.2.1 a and b   Establish the ISMS
                                              Clauses 5.1 & 5.2       Management responsibility
                                              A.3                     Security policy
                                              A.4                     Organization structure
                                              A.5                     Asset classification and control
                                              A.6                     Personnel security
2. Risk Management                            Clauses 4.2.1 c to h    Risk assessment
3. Information Security Program Management    A.7                     Physical and environmental security
                                              A.8                     Communications and operations management
                                              A.9                     Access control
                                              A.10                    System development and maintenance
                                              A.12                    Compliance
4. Information Security Management            Clause 4.2.2            Implement and operate the ISMS
                                              Clause 4.2.3            Monitor and review the ISMS
                                              Clause 4.4.4            Maintain and improve the ISMS
                                              Clauses 6.1 to 6.4      Management review of the ISMS
                                              Clauses 7.1 to 7.3      ISMS improvement
5. Response Management                        A.11                    Business continuity management


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.