CISM Cert Prep: 3 Information Security Program Development and Management

Free Online Course: CISM Cert Prep: 3 Information Security Program Development and Management, provided by LinkedIn Learning, is a comprehensive online course with 4-5 hours of material. The course is taught in English and is free of charge. Upon completion of the course, you can receive an e-certificate from LinkedIn Learning. The course is taught by Mike Chapple.

Overview
  • Get the detailed information you need to tackle the Information Security Program Development and Management domain on the Certified Information Security Manager (CISM) exam.

Syllabus
  • Introduction
    • Information security program development and management
    • What you need to know
    • Study resources
  • 1. Information Security Program Development
    • Scope and charter
    • Alignment of security and business objectives
    • Building a security team
    • Conducting a gap analysis
  • 2. Personnel Security
    • Improving personnel security
    • Security in the hiring process
    • Employee termination process
    • Employee privacy
    • Social networking
  • 3. Data Security Controls
    • File permissions
    • Data encryption
  • 4. Cloud Computing and Virtualization
    • Virtualization
    • Cloud computing models
    • Public cloud tiers
    • Cloud storage security
  • 5. Host Security
    • Operating system security
    • Malware prevention
    • Application management
    • Host-based network security controls
    • Hardware security
  • 6. Mobile Security
    • Mobile device security
    • Mobile device management
    • Mobile device tracking
    • Mobile application security
    • Bring your own device (BYOD) policy
  • 7. Cryptography
    • Understanding encryption
    • Symmetric and asymmetric cryptography
    • Goals of cryptography
    • Choosing encryption algorithms
    • The cryptographic life cycle
    • Key exchange
    • Diffie–Hellman
    • Key escrow
    • Key stretching
    • Trust models
    • PKI and digital certificates
    • Hash functions
    • Digital signatures
    • TLS and SSL
    • IPsec
    • Securing common protocols
  • 8. Physical Security
    • Physical security control types
    • Physical access control
    • Visitor management
  • 9. Network Security
    • Routers and switches
    • Firewalls
    • VPNs and VPN concentrators
    • Network intrusion detection and prevention
    • Unified threat management
    • VLANs and network segmentation
    • Network access control
    • Remote network access
  • 10. Identity and Access Management
    • Identity and access management
    • Identification, authentication, and authorization
    • Usernames and access cards
    • Authentication factors
    • Biometrics
    • Multifactor authentication
    • Something you have
  • 11. Asset Management
    • Physical asset management
    • Change and configuration management
  • 12. Personnel Safety
    • Employee safety
    • Emergency management
  • 13. Software Security
    • Application security
    • Development methodologies
    • Maturity models
    • Operation, maintenance, and change management
    • Risk analysis and mitigation
    • Software testing
    • Acquired software
  • Conclusion
    • What's next?