Hello. Welcome to the Certified Information Security Manager, a Cybrary CISM preparation course. And what we're gonna try to do in this course, of course, is to get you ready to take the CISM exam. And what we want to work towards is gonna help you pass it the first time.
So my name's Kelly Handerhan. I'll be your instructor throughout the material,
and I'm really glad that you've chosen Cybrary to help you get your certification. So before we get moving, just a little bit about the CISM certification. This is put out by an organization called ISACA, which stands for Information Systems Audit and Control Association.
And they put out a cert on auditing, which is the CISA exam. They also put out a risk management cert, CRISC,
and some other organizational study guides and study materials. So ISACA is a great organization. CISM is becoming one of those certs that's more and more recognized in the field. And as a matter of fact, it's one of those few courses where we can't find enough certified people to fill the jobs for CISM. Of
course, I think it's a really important cert that you've chosen to take, and we'll move forward with a little more introductory material and then we'll get right into the course material focusing on the CISM body of knowledge. All right, about your instructor. That's me, Kelly Handerhan.
A little younger, little thinner. But these things sort of happened.
I've been around the IT field since the late nineties, got my start with Novell, moved over into Windows NT 3.51 and NT 4.0, and kind of sold my soul to Microsoft early on. And I know, with you security professionals, many of you are scoffing at that. But
I always felt like if you could secure a Microsoft system, you were gonna have a job. And that has been true for me thus far.
Now, certainly I work with Linux and UNIX and, uh, many other elements of a network. But that's sort of my background. I've focused in on information security for maybe the last 11 or 12 years. It's certainly one of those areas of IT that can't be outsourced or really
probably shouldn't be outsourced.
So it's another one of those things that I feel like is a position that's always gonna have a degree of job security.
Now, I've been in this field for a long time, so I have a lot of certifications and, you know, and I know that some of you may not be really, really big believers in certification, but the bottom line is you have to have something that sets you apart from others in this field, and certifications are the way to do that.
And it doesn't mean just because you're certified that you can handle your job,
but it means that it'll at least get you in the door for an interview, having the appropriate certs. Okay, so the certifications that I have currently: I have the PMP, I have, of course, CISM, CISSP,
and CRISC. And like I said, I have numerous technical certifications,
but these were the ones that I feel like are gonna help you the most for this material, and I've certainly found them to be very useful. All right. So the overview of the CISM certification as a whole: let's talk about what we're gonna talk about in this course. So
various objectives and we're gonna be able to just check these off and say, yes, we've accomplished this and this and this,
So we're gonna start off with just an introduction to this certification. Some of you may be new to it. Some of you might just be here to check it out. Or some of you may very purposefully have chosen to take this cert. We want to just make sure that it's going to meet your needs.
All right, we'll talk about who is the CISM? What does the CISM do within the organization?
And the CISM certification has four domains that you'll be tested on. We'll talk about security governance, we'll talk about risk management, we'll talk about a security program, and we'll talk about incident response. And those are, you know, at a high level, the domains that will be covered.
And the big piece of this exam that we really want to stress is how we serve the needs of the business by what we do as CISMs and our focus in those four domains. Because when it comes down to it, when push comes to shove, there is only one reason any organization
has an information security department.
I'm gonna say that again. There is only one reason
every organization out there has an information security team,
and that reason is simply that that supports the business.
Yeah, but doesn't that give us due care? Well, of course it does. And that supports the business. But doesn't it help us meet customer requirements? Of course it does. That supports the business. So every reason that you can think of that we care about security can be summed up with: we support the business.
We help the organization meet their long term or their strategic goals. And that's what it's all about.
Okay, so we're gonna frame that in the world of, uh, risk management, because really, all security is, is risk management. We're going to look at our assets, we'll look at threats and vulnerabilities, try to figure out a potential for loss, and then figure out how to mitigate those risks.
It's really important that all of our decisions start with risk management. Because that's how we can make
choices in order to secure our environment.
Okay, um, and the main goal, the main goal is really, for me, twofold. Certainly we want to get you ready for the CISM exam. And I'm going to give you as many exam tips and hopefully give you some new ways to think about things. But it's also really important to me that this is a meaningful class
so that you don't just walk out with a paper certification
but that the material that we talk about really makes sense and that it teaches us a new way to approach information security and to align our thoughts with best practices as we can serve the business. So, yeah, I want you certified and we're gonna do everything we can to get you certified. But I also want you to understand the material
and see the validity of what we're talking about in this class. So it's gonna be my job to get both of them.
Okay, now, when we do talk about earning your CISM certification, there are several pieces. So the first step is to register for the exam.
After you take this course, you'll want a little bit of time to study. But you don't want this hanging out on the horizon: "Someday I'll get to it, I'll get to it." Once you have the knowledge, study up and go take the certification exam. Okay. Um,
many times people will wait and say, "I'll come back around to it." And then the longer you put that off, the less you care, the less likely you are to take it. And even if you do take it, you will have forgotten a lot of what we do today. Okay, so schedule the exam.
Then, of course, you've gotta prep for the exam. I'm imagining a portion of you already have the exam scheduled and that you're using this as part of your study tool. So that's great. If you don't have it, you know, scheduled, you'll get it scheduled. And this is a great tool to help you prepare.
Then the next step you've scheduled the exam. Might as well show up and take it.
And I will encourage you that when you do take this exam, you go back in your mind and remember some of the things that we've stressed as part of course preparation. All right. I want you to remember what we talked about because those little pieces are gonna be the key to passing the exam.
Now many people say, "Whoa, I passed the exam. We're done," and that's actually not correct. You have to complete an application for certification that has to be approved. And then once you are CISM certified, every three years you have to submit a certain amount of continuing education units so that you can maintain.
So there are a lot of pieces here to getting schism certified.
All right, now the material that we're gonna cover, and again this is high level. But there are four domains that we need to cover as part of this course. The first piece: information security governance, and everything's going to start from governance. When I say, um,
governing entities, or we talk about governance, we're thinking about high level.
We're thinking about the board of directors, we're thinking about senior management. We're talking about any sort of steering committees. Those are the entities that are responsible for governance, and in a word, or maybe two words, information security governance is responsible for strategic direction,
long term goals where we want to be.
Okay, so that lays the groundwork. Now once we have a broad understanding of where we want to be in 3 to 5 years out, kind of long term, then we have to have risk management. That'll help us figure out, well, here's where I am. Here's where I want to be.
What are the appropriate ways to close that gap? We talk about that as gap analysis,
and we'll talk about current state versus desired state. We have to look at our threats and vulnerabilities in the context of what we value, our assets. And we have to figure out how we implement mitigating strategies to close up the gaps that we have currently
in our current structure
versus where we want to be. So risk management is where it's at. That's where the cool kids today are focusing their time and effort and energy because risk management is an essential skill
in order to make good business decisions. As a matter of fact, I'll encourage you guys, after you go out and get your CISM, to look at that CRISC certification, because what that's gonna do is provide assurance that you're knowledgeable in risk management, which is very important in today's world.
All right, then we move into information security program development and management. So we talk about governance in the first section, right? Our first domain is governance; that figures out what we want to do, big picture. Well, the security program is gonna tell us how we're gonna do it.
It's the day to day the operational stuff
that will help us figure out our policies, procedures, standards, guidelines. What architecture we configure for a network. How we align big picture with smaller objectives. That's gonna be domain three, and then domain four:
What if we have problems? What if the best laid plans are still compromised or still fail in some aspect or another? Well, we have to be able to respond to those incidents very quickly and in such a manner that minimizes the impact to the business.
Right. Now, the domain structure part to this just shows kind of how those domains run together. Governance is gonna dictate that we use risk management, which is gonna help us deploy our security program, and incident security management
is going to be a direct result of our program,
and that's ultimately gonna provide information back to governance so that we can continue working and improving our environment.
Now the CISM exam itself
is one of the certs that we're actually finding that we don't have enough people that are certified to fill the jobs that are out there, and I may have mentioned that before, but that means this is a great certification for those of you that are interested in moving into information security management. This is a great cert to have. Any time
there are more jobs than people,
that's a great place to be. Okay. Um, there are a few technical aspects of this certification, but it's not a technical exam. It's much more geared towards senior management. And it's much more geared towards risk management, making good business decisions in the world of
information security management.
Right. And there are just a few other pieces of information I'll let you go through there. I'll just point out a couple of things. So, it's a computer-based exam. They will provide you... this says pencil and eraser are allowed. They'll actually give you
a Sharpie and a little laminated board, and that's all you can take into the testing room
with you. So you've got those two things, but nothing else. They may also give you noise-canceling headphones. And if they do, that's great. That's always helpful. And I would recommend that you use them if they're available.
It is a multiple choice exam. And I do believe also, um, this has shifted down to being 150 questions. So you may just kind of make a note of that as we're going through. I reserve the right to tweak the slides here and there
because the thing about every certification exam
is they are in a state of flux. You know, each organization reserves the right to make changes, change the test bank, change the outline. And so if there's anything that strikes me as needing to change or at least consider, I'll certainly let you know. So
I do believe the exam is now
150 questions. You still get four hours to complete.
There are no negative points, which means
you only get points for what you answer correctly. Do not skip questions on the exam.
Okay? If you skip it, it's automatically wrong. You know what? If you guess
C, C is a fine answer. When in doubt, Charlie out. Okay. If you don't know anything, put something down. You can always mark it and go back later. But you need to put something down in case you don't have the time.
Now, this is interesting. No prerequisite for the exam. That really is true. You don't have to have any sort of certification, any sort of background to take the exam.
Now you can take the exam and pass it,
but there are prerequisites to actually being certified. So basically, what that's gonna tell you is you can have all the fun of taking the exam without any other requirements being met. But to be certified, there are requirements you have to meet. Okay. And I'll tell you about those in a minute. Now, recommended reading. Let me tell you, um,
for any certification exam, you will benefit by studying a glossary of terms. Okay, every glossary is gonna, you know, show you certain terms that the organization is gonna use uniquely.
you know, some organizations will use risk appetite in risk management, risk governance and risk tolerance and risk capacity.
You know, those terms may get tossed around and used differently. So you do want to have, and you can search out on the Internet, "glossary for CISM exam," and you'll find some matches to that. And that's certainly worth a review.
Now, um, ISACA also puts out a review manual, development guide, Risk IT Framework. I'll be honest with you. What I've tried to do in these slides is summarize those elements. So if you didn't have Cybrary, these would be things that I'd very strongly recommend that you go through and read.
But part of my job is to take,
uh, those text-based manuals that may get more detailed, more technical ultimately, and I'm gonna try to make them easy. And I'm going to try to help, you know, as easy as possible, but I'm gonna try to make them digestible.
And I'm gonna present the material that I fully believe is what you need to pass the exam.
So I don't want you to feel just cause I've referenced this slide. Oh, my gosh. I've got to go out and buy a lot of other material. I really believe that if you study and if you take my recommendations that what we do here, I believe is gonna be
enough to get you certified. Now, of course, that depends on your background and your skill set. Are you a good test taker?
But I don't want you to feel like, after you get done with this CISM exam, "Oh, I've gotta run out and spend a lot of money on books," because I don't believe that. Okay, so, like I said, you don't have any prerequisites to take the test,
but to be certified, you actually do. So, of course, the first thing you gotta do is take and pass the exam.
But then there are some additional steps, and I have the link: isaca.org/cismapp.
Um, and you do have to apply. So when you pass the exam, you have five years to complete the application. But remember, you're not certified until the application is completed, reviewed, and you get your notification that it is accepted.
Okay, In addition to passing, you have to document relevant work experience in the schism job practice areas, and then you have to submit your application and pay an application processing fee as well.
Now, we don't go into those details because, like I said, these certifications change.
So what I'm always going to do for those exam specifics is say, go to isaca.org for all the facts about the certification, and those, of course, will be the most current and up to date.
Hey, when you pass, celebrate. Again, fill out the application, pay your application processing fee, document your CISM job, your work experience in relation to the practice areas, those four domains.
And then after you submit your application, ISACA will review,
and hopefully you'll be well on your way certified in information security management.
So just wrapping up. I've given you an introduction to the course material talked at a very high level about what we're going to cover. Um, the book or the material that I will be going through slide by slide is how we're gonna cover this material.
Ah, we have the four domains, which was information security governance.
And then we talked about risk management, then developing an information security program, and then incident response as being the four domains that we're gonna work on. We mentioned we're gonna prepare for 150 questions, multiple choice,
all right. And we talked about some additional material that you could use in order to prepare. But like I said, I really have taken the material I think is most meaningful from those sources. And that's gonna be part of my presentation. All right, take the exam,
fill out your application, document the work experience you need to,
and then you should be CISM certified and well on your way to working in the information security management field. So that's all the preliminary information. I know that was a lot, but we want to make sure that we're on the same page as we move forward.
And so the next thing we're gonna do, we're gonna jump right into the material.