CISM Review Manual - Need Clarification

Hello All,

I am preparing my CISM exam using CISM Review Manual (15th Edition).

I need clarification on the topics below, and I also found repeated sentences in the Manual.

1. Page number 188.

Topic: 3.12.1 Control Categories

In the control categories there is a "Knowledge Check: Control Categories". In this I found that "Data Backup" is considered a "Corrective" control (answer on page number 206).

My personal view is that Data Backup should be a "Preventive" control and Data Restore should be considered a "Corrective" control.

Any thoughts ?

2. Page number 181

Topic: Third-Party Access

In the first line, it states that:
"Third-party access to the information security manager's (space) organization's processing facilities under any circumstances should be controlled........"

I really didn't get what the author is trying to convey in the above lines.

If anyone understands this, kindly clarify.

3. Page number 167

Topic: Figure 3.7 - PDCA Methodology

In the "PLAN" column: repeated sentences

"These activities include creating a strategy; socialization concepts; and policies, goals, objectives and practices as necessary to manage risk"


Comments

RE: CISM Review Manual - Need Clarification

Hi Sathishkumar,

In the CISSP manual, they also include Recovery Controls and that's where backups fit in. However, the idea of preventive controls is to prevent unauthorized activity. Backup doesn't do that. Encryption prevents an authorized user from reading my data. A lock on a door prevents a thief from getting in. Authentication prevents unauthorized access. Backups do not actually prevent; they do not stop my data from being modified or deleted. However, if my data gets deleted, modified or corrupted, then I can use my backups to correct this situation (in CISSP terms, to recover from that situation).

Hope it helps
Omar795 (Influential) at 4/14/2017 8:13:59 AM

RE: CISM Review Manual - Need Clarification

I think you can read the Third-Party Access sentence like this:

"Third-party access to the organization's processing facilities (where the information security manager works) should be controlled .... "

Does it make sense?
Omar795 (Influential) at 4/14/2017 8:20:53 AM

RE: CISM Review Manual - Need Clarification

"My personal view is Data Backup should be "Preventive" control and Data Restore consider as "Corrective" control."

Hi Sathishkumar745,

The way I think about it is that data backups need to be taken in advance in order to be available when an incident occurs, and so they require a degree of preparation. Being prepared is not the same as a preventative measure, as taking a backup does nothing to prevent a data loss event occurring in the first place. The purpose of a data backup is to be able to use it to restore data when needed. Hence it is a corrective control. Hope that helps.

Peter O'Toole (Influential) at 4/18/2017 5:42:19 AM

RE: CISM Review Manual - Need Clarification

First of all, sorry for my delayed reply. I really appreciate all your answers; they really made me understand the concept.

Once again, thank you all!!!

Sathishkumar745 (Social) at 4/18/2017 6:23:49 AM