Day 1 CISM Certification Overview

Aug 7, 2024

CISM Certification Course - Day 1

Introduction

  • Instructor: Kelly Handerhan
  • Course: CISM (Certified Information Security Manager), an ISACA certification
  • Experience: Over 25 years in IT, with a focus on cybersecurity for the past 15 years
  • Certifications: Systems and cloud security, project management, risk management
  • Objective: Provide the information and tools needed to prepare for the CISM certification exam

Course Outline

  1. Day 1: Information Security Governance (17% of the exam)
  2. Day 2: Information Security Risk Management (20% of the exam)
  3. Day 3: Information Security Program (33% of the exam)
  4. Day 4: Incident Management (30% of the exam)

CISM Exam Overview

  • Organization: ISACA
  • Purpose: Assess the candidate's ability to manage an information security program, not hands-on technical skill
  • Format: 4 hours, 150 multiple-choice questions
  • Focus Areas: Management skills, framework understanding, policy development
  • Certification Process: Pass the exam, then submit an application documenting the required work experience

Prerequisites and Recommendations

  • None required for the course
  • Beneficial Experience: Networking, Security+, CRISC, Information Security Management
  • Exam Requirements: Specific work experience, details on ISACA.org

Information Security Governance

  • Role: Ensure stakeholder needs, conditions, and options are evaluated and balanced to arrive at agreed-on enterprise objectives
  • Objectives: Set direction (through prioritization and decision making), then monitor performance and compliance against that direction
  • Evaluation: Identify the assets that matter, then decide how much protection they warrant based on organizational goals

Corporate Governance Structure

  • Key Roles: CEO, COO, CFO, CRO, CSO, CIO, CISO
  • Responsibilities: Ensure risk mitigation, resource allocation, risk-aware decisions
  • Functional Management: Implement policies, maintain security controls

Governance Principles

  • Fairness: Act without bias
  • Accountability: Adhere to standards, fulfill responsibilities
  • Transparency: Open and auditable processes
  • Responsibility: Serve stakeholder and stockholder needs

Benefits of Governance

  • Oversight: Confirm the organization is actually moving in the direction leadership set
  • Goals and Objectives: Defined by governing entities
  • Framework Selection: Align with business objectives (e.g., COBIT, ISO 27001)

Frameworks

COBIT

  • Control Objectives for Information and Related Technologies (ISACA): Align business goals with IT governance and management controls
  • Principles: Stakeholder value, holistic approach, governance kept distinct from management
  • Domains: One governance domain, Evaluate, Direct and Monitor (EDM), plus management domains such as Align, Plan and Organize (APO)

ISO 27001 and ISO 27002

  • ISO 27001: Certifiable standard specifying the requirements for an Information Security Management System (ISMS)
    • PDCA Cycle: Plan, Do, Check, Act (continual improvement of the ISMS)
    • Clauses: 11 clauses (0 to 10) and 14 Annex A control families in the 2013 edition
  • ISO 27002: Implementation guidance for the controls listed in ISO 27001 Annex A; it is a guideline, not a certifiable standard

GDPR

  • General Data Protection Regulation (EU): Data subject rights, transparency, and protection of personal data
  • Key Elements: Fines (up to 4% of global annual turnover or €20 million, whichever is higher), data protection officer, breach notification to the supervisory authority within 72 hours, rights to access, rectification, and erasure

Capability Maturity Model Integration (CMMI)

  • Levels: 1 Initial, 2 Managed, 3 Defined, 4 Quantitatively Managed, 5 Optimizing
  • Purpose: Assess how repeatable and measurable a process is; higher maturity means more predictable, reliable outcomes

Legal and Regulatory Compliance

  • Types: Privacy, intellectual property, contracts, civil and criminal law
  • Due Diligence and Due Care: Diligence is the research (knowing which obligations apply); care is the action taken to meet them
  • Data Retention: Retention periods are set by laws and regulations; data is securely destroyed at the end of its lifecycle

Physical Security Considerations

  • CPTED: Crime Prevention Through Environmental Design
  • Key Aspects: Natural surveillance, access control, maintenance
  • Environmental Controls: Temperature and humidity management

Information Security Strategy

  • Strategy Development: Goal alignment, risk prioritization, value delivery
  • Gap Analysis: Current vs. desired state, roadmap to close gaps
  • SWOT Analysis: Strengths, Weaknesses, Opportunities, Threats
  • Balanced Scorecard: Financial, customer, internal processes, learning & growth metrics

Organizational Culture

  • Impact: Driven by senior leadership, integrated security behaviors
  • Improvement: Enhance team relationships, establish security awareness, enforce policies

Best Practices

  • Security Awareness: Integrated into daily operations
  • Leadership Involvement: Senior management buy-in
  • Policy Enforcement: Consistent application and training

Wrap-Up

  • Preparation Tips: Study concepts, understand frameworks, use exam prep questions
  • Next Session: Information Security Risk Management (Day 2)

Questions and Review

  • Q&A: Addressed during and after the session
  • Follow-Up: Opportunity for further questions at the start of next session

Note: Today's session was foundational; expect more engaging content in subsequent sessions.