Certificate in Information Security Management Principles (CISMP) Course

This certification is accredited by the Information Systems Examination Board, ISEB a division of the British Computer Society. The course will provide you with the knowledge and understanding of the main principals required to be an effective member of an information security team with security responsibilities as part of your day to day role. It will also prepare individuals who are thinking of moving into information security or related functions.

The achieved qualification will prove that the holder has a good knowledge and basic understanding of the wide range of subject areas that make up information security management.

A minimum of 12 months experience within any IT job. No technical skill or Security background is required.

Topics covered on the 5 day Certificate in Information Security Management Principles (CISMP) course

A. Information Security Principles (10%)

A.1. Concepts and Definitions

• Information security (confidentiality, integrity, availability)
• Asset and asset types (information, physical, software); asset value
• Threat, vulnerability, risk, impact
• Information security policy concepts
• The purpose of controls

A.2. The need for, and benefits of, Information Security

• Importance of information security as part of the general issue of protection of business assets and of the creation of new business models.
• Different business models and their impact on security (e.g. on-line business vs. traditional manufacturing vs. financial services vs. retail).
• Effect of rapidly changing information and business environment.

B. Information Risk (15%)

B.1. Threats to, and Vulnerabilities of information systems

• Threat categorisation (accidental vs. deliberate, internal vs. external, etc)
• Types of accidental threats (e.g. human error, malfunctions, fire, flood, etc)
• Types of deliberate threats (e.g. hacking, malicious software, sabotage, cyber terrorism, hi-tech crime, etc)
• Sources of accidental threat (e.g. internal employee, trusted partner)

B.2. Risk Management

• Risk management process (identification, analysis, mitigation, monitoring of risks)
• Options for dealing with risks (e.g. eliminate, reduce, transfer, accept)
• The purpose of risk assessment/analysis - strategic and tactical options
• Approaches to risk analysis/assessment - qualitative, quantitative, software tools, questionnaires.
• Identifying and accounting for the value of information assets

C. Information Security Framework (35%)

C.1. Information Security Management

C.1.1 Organisation & responsibilities

• Information security roles in an enterprise
• Placement in the organisation structure
• Board/Director responsibility
• Responsibilities across the organisation
• Need to take account of statutory (e.g. data protection, health & safety)

C.1.2 Policy, standards & procedures

C.1.3 Information Security Governance

C.1.4 Security Incident Management including Investigations and Forensics

C.1.5 Information Security Implementation

C.2. Legal Framework

C.3. Security Standards and Procedures

D. Information Security Controls (40%)

D.1. Protection from Malicious Software

• Types of malicious software – trojans, viruses, worms, active content (e.g. Java, Active-X), etc.
• Different ways systems can get infected
• Methods of control – common approaches, need for regular updates, etc.

D.2. People

• Organisational culture of security
• Employee, contractor and business partner awareness of the need for security
• Role of contracts of employment
• Need for and topics within service contracts and security undertakings
• Rights, responsibilities and duties of individuals - codes of conduct

D.3. User Access Controls

D.4. Networks and Communications

D.5. External Services

D.6. IT Infrastructure

D.7. Testing, Audit & Review

D.8. Systems Development and Support

D.9. Role of Cryptography

D.10. Training

D.11. Physical & Environmental Security

D.12. Business Continuity Management