CISM Certification: Exam Content Areas


Information Security Program(me) Management

Design, develop and manage an information security program(me) to implement the information security governance framework.

Tasks

  • Create and maintain plans to implement the information security governance framework.
  • Develop information security baseline(s).
  • Develop procedures and guidelines to ensure business processes address information security risk.
  • Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
  • Integrate information security program(me) requirements into the organization's life cycle activities.
  • Develop methods of meeting information security policy requirements that recognize impact on end users.
  • Promote accountability by business process owners and other stakeholders in managing information security risks.
  • Establish metrics to manage the information security governance framework.
  • Ensure that internal and external resources for information security are identified, appropriated and managed.

Knowledge Statements

  • Knowledge of methods to develop an implementation plan that meets security requirements identified in risk analyses
  • Knowledge of project management methods and techniques
  • Knowledge of the components of an information security governance framework for integrating security principles, practices, management and awareness into all aspects and all levels of the enterprise
  • Knowledge of security baselines and configuration management in the design and management of business applications and the infrastructure
  • Knowledge of information security architectures (for example, single sign-on, rules-based rather than list-based access control, limited points of system administration)
  • Knowledge of information security technologies (for example, cryptographic techniques and digital signatures) sufficient to enable management to select appropriate controls
  • Knowledge of security procedures and guidelines for business processes and infrastructure activities
  • Knowledge of the systems development life cycle methodologies (for example, traditional SDLC, prototyping)
  • Knowledge of planning, conducting, reporting and follow-up of security testing
  • Knowledge of certifying and accrediting the compliance of business applications and infrastructure to the enterprise's information security governance framework
  • Knowledge of types, benefits and costs of physical, administrative and technical controls
  • Knowledge of planning, designing, developing, testing and implementing information security requirements into an enterprise's business processes
  • Knowledge of security metrics design, development and implementation
  • Knowledge of acquisition management methods and techniques (for example, evaluation of vendor service level agreements, preparation of contracts)
 
© 2006 Information Systems Audit and Control Association (ISACA) All rights reserved.
3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA