Professional Documents
Culture Documents
CISM
®
Certified Information
Security Manager
EXAM GUIDE
Second Edition
This page intentionally left blank
ALL IN ONE
CISM
®
Certified Information
Security Manager
EXAM GUIDE
Second Edition
Peter H. Gregory
McGraw Hill is an independent entity rom ISACA® and is not afliated with ISACA in any manner. Tis study/training guide and/or material
is not sponsored by, endorsed by, or afliated with ISACA in any manner. Tis publication and accompanying media may be used in assisting
students to prepare or Te CISM exam. Neither ISACA nor McGraw Hill warrants that use o this publication and accompanying media will
ensure passing any exam.
Copyright © 2023 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no
part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-1-26-426832-0
MHID: 1-26-426832-7
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-426831-3,
MHID: 1-26-426831-9.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trade-
marked name, we use names in an editorial fashion only, and to the benet of the trademark owner, with no intention of infringe-
ment of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw Hill eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate
training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of hu-
man or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such
information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work
is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You
may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to
use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES
OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED
FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK
VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, IN-
CLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICU-
LAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work
will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its
licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any
damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through
the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special,
punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been
advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such
claim or cause arises in contract, tort or otherwise.
o Rebekah, the love o my lie.
This page intentionally left blank
ABOUT THE AUTHOR
Peter H. Gregory, CISM, CISA, CRISC, CDPSE, CISSP, CIPM, DRCE, CCSK,
is a 30-year career technologist and a security leader in a regional telecommunications
company. He has been developing and managing inormation security management
programs since 2002 and has been leading the development and testing o secure I
environments since 1990. Peter has also spent many years as a sotware engineer and
architect, systems engineer, network engineer, and security engineer.
Peter is the author o more than 50 books about inormation security and technology,
including Solaris Security, CIPM Certified Information Privacy Manager All-in-One Exam
Guide, and CISA Certified Information Systems Auditor All-in-One Exam Guide. He has
spoken at numerous industry conerences, including RSA, Interop, (ISC)² Security
Congress, ISACA CACS, SecureWorld Expo, West Coast Security Forum, IP3, Source
Conerence, Society or Inormation Management, the Washington echnology Industry
Association, and InraGard. Interviews o Peter appear in SC Magazine, U.S. News &
World Report, CNET News, SearchSecurity, Information Security Magazine, CIO, The
Seattle Times, and Forbes.
Peter serves on advisory boards or cybersecurity education programs at the University
o Washington and the University o South Florida. He was the lead instructor or nine
years in the University o Washington certiicate program in applied cybersecurity, a
ormer board member o the Washington State chapter o InraGard, and a ounding
member o the Paciic CISO Forum. He is a 2008 graduate o the FBI Citizens’ Academy
and a member o the FBI Citizens’ Academy Alumni Association. Peter is an executive
member o the CyberEdBoard and the Forbes echnology Council.
Peter resides with his amily in Washington state and can be ound online at
www.peterhgregory.com.
Disclaimer
None o the inormation in this book relects the security posture or practices o any
current or ormer employer or client.
CONTENTS AT A GLANCE
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
ix
This page intentionally left blank
CONTENTS
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
xi
CISM Certified Information Security Manager All-in-One Exam Guide
xii
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter 2 Inormation Security Strategy ................................ 37
Inormation Security Strategy Development . . . . . . . . . . . . . . . . . . 38
Strategy Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Strategy Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Strategy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Strategy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Strategy Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Inormation Governance Frameworks and Standards . . . . . . . . . . . 72
Business Model or Inormation Security ............... 73
he Zachman Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
he Open Group Architecture Framework . . . . . . . . . . . . . . 83
ISO/IEC 27001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
NIS Cybersecurity Framework . . . . . . . . . . . . . . . . . . . . . . 85
NIS Risk Management Framework . . . . . . . . . . . . . . . . . . . 87
Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Roadmap Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Developing a Business Case . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Figure Credits
Figure 2-1 Courtesy Xhienne: SWO pt.svg, CC BY-SA 2.5, https://
commons.wikimedia.org/w/index.php?curid=2838770.
Figure 2-2 Adapted rom the Business Model or Inormation Security,
ISACA.
Figure 2-3 Adapted rom the University o Southern Caliornia Marshall
School o Business Institute or Critical Inormation Inrastructure
Protection, USA.
Figure 2-5 Courtesy he Open Group.
Figure 2-7 Courtesy High Tech Security Solutions magazine.
Figure 3-1 Source: National Institute or Standards and echnology.
Figure 6-8 Courtesy Blueoxicy at en.wikipedia.org.
Figure 7-4 Source: NASA.
Figure 7-6 Courtesy Gustavo Basso.
Figure 7-7 Courtesy John Crowley at en.wikipedia.org.
This page intentionally left blank
ACKNOWLEDGMENTS
I am immensely grateul to Wendy Rinaldi or airming the need to have this book
published on a tighter than usual timeline. My readers, including current and uture
inormation security managers, deserve nothing less.
Heartelt thanks to Wendy Rinaldi and Caitlin Cromley-Linn or proiciently manag-
ing and coordinating this project, acilitating rapid turnaround, and equipping us with
the inormation and guidance we needed to produce the manuscript.
Many thanks to Patty Mon, Nitesh Sharma, and homas Somers or managing the
editorial and production ends o the project, and to Lisa heobald or copy editing the
book and urther improving readability. I appreciate KnowledgeWorks Global Ltd. or
expertly laying out the inal manuscript pages. Also, thanks to Rick Camp and Lisa
McCoy or expert prooreading and ed Laux or indexing. Like stage perormers, they
make hard work look easy, and I appreciate their skills.
I would like to thank my ormer consulting colleague, Jay Burke, who took on the
task o tech reviewing the entire manuscript. Jay careully and thoughtully scrutinized
the entire drat manuscript and made scores o valuable suggestions that have improved
the book’s quality and value or readers. hanks also to two BCDR colleagues: Charlein
Barni, or reviewing Chapter 7, and Michael Kenney, who conirmed some concepts.
Finally, thanks to Ben Everett, a reader who inormed me o a couple o typos or ambi-
guities in the irst edition.
Many thanks to my literary agent, Carole Jelen, or her diligent assistance during this
and other projects. Sincere thanks to Rebecca Steele, my business manager and publicist,
or her long-term vision and keeping me on track.
his is the 52nd book manuscript I have written since I started writing in 1998. I’m
grateul or those who initially brought me into the publishing business, particularly Liz
Suto (author o Informix Online Performance Tuning, and my irst oicial gig as a tech
editor) and Greg Doench (executive editor at Prentice-Hall Publishers), and so many
more along the way, including Melody Layne, Mark aub, Rev Mengle, Sebastian Nokes,
Greg Croy, Katie Feltman, Katie Mohr, Lindsey Leevere, Josh Freel, Amy Fandrei, Amy
Gray, im Green, Steve Helba, and many others. hank you, all o you, or the splendid
opportunity that has enabled me to help so many readers.
I have diiculty putting into words my gratitude or my wie and love o my lie,
Rebekah, or tolerating my requent absences (in the home oice) while I developed the
manuscript. his project could not have been completed without her loyal and unailing
support and encouragement.
xix
This page intentionally left blank
INTRODUCTION
he dizzying pace o inormation systems innovation has made vast expanses o inorma-
tion available to organizations and the public. Design laws and technical vulnerabilities
oten bring unintended consequences, usually in the orm o inormation thet and disclo-
sure. Attacks rom nation-states and cybercriminal organizations are increasing dramati-
cally. he result is a patchwork o laws, regulations, and standards such as Sarbanes–Oxley,
GDPR, CCPA, Gramm–Leach-Bliley, HIPAA, PCI DSS, PIPEDA, NERC CIP, CMMC,
and scores o U.S. state laws requiring public disclosure o security breaches involving
private inormation. he relatively new Cybersecurity & Inrastructure Security Agency
(CISA) has become a prominent voice in the United States, and executive orders require
organizations to improve deenses and disclose breaches. As a result o these laws and
regulatory agencies, organizations are required or incentivized to build or improve their
inormation security programs to avoid security breaches, penalties, sanctions, lawsuits, and
embarrassing news headlines.
hese developments continue to drive demand or inormation security proessionals
and inormation security leaders. hese highly sought-ater proessionals play a crucial
role in developing better inormation security programs that reduce risk and improve
conidence in eective systems and data protection.
he Certiied Inormation Security Manager (CISM) certiication, established in
2002, has become the leading certiication or inormation security management.
Demand or the CISM certiication has grown so much that the once-per-year certi-
ication exam was changed to twice per year in 2005 and is now oered continually.
In 2005, the CISM certiication was accredited by the American National Standards
Institute (ANSI) under the international standard ISO/IEC 17024:2012 and is also
one o the ew certiications ormally approved by the U.S. Department o Deense in
its Inormation Assurance echnical category (DoD 8570.01-M). In 2018 and again in
2020, CISM was awarded the Best Proessional Certiication by SC Media. here are
now more than 50,000 proessionals with the certiication, and the worldwide average
salary or CISM holders is more than US$149,000.
Founded in 1969 as the Electronic Data Processing Auditors Association (EDPAA),
ISACA is a solid and lasting proessional organization. Its irst certiication, Certiied
Inormation Systems Auditor (CISA), was established in 1978.
xxi
CISM Certified Information Security Manager All-in-One Exam Guide
xxii
his book is one source o inormation to help you prepare or the CISM exam, but it
should not be thought o as the ultimate collection o all the knowledge and experience
that ISACA expects qualiied CISM candidates to possess. No single publication covers
all o this inormation.
his book is also a reerence or aspiring and practicing I security managers, security
leaders, and CISOs. he content required to pass the CISM exam is the same content
that practicing security managers must be amiliar with in their day-to-day work. his
book is a deinitive CISM exam study guide as well as a desk reerence or those who have
already earned their CISM certiication.
his book is also invaluable or inormation security proessionals who are not in
leadership positions today. You will gain considerable insight into today’s inormation
security management challenges. his book is also helpul or I and business manage-
ment proessionals working with inormation security leaders who need to understand
what they are doing and why.
his is an excellent guide or anyone exploring a security management career. he
study chapters explain the relevant technologies, techniques, and processes used to man-
age a modern inormation security program. his is useul i you are wondering what the
security management proession is all about.
Pay Earn
Maintenance CPEs Lose CISM
Fee Certification
Substitution of Experience
Up to two years o direct work experience can be substituted with the ollowing to meet
the ive-year experience requirement. Only one waiver is permitted.
Two Years
• Certiied Inormation Systems Auditor (CISA) in good standing
• Certiied Inormation Systems Security Proessional (CISSP) in good standing
CISM Certified Information Security Manager All-in-One Exam Guide
xxviii
• MBA or master’s degree in inormation security or a related ield; transcripts or
a letter conirming degree status must be sent rom the university attended to
obtain the experience waiver
One Year
• Bachelor’s degree in inormation security or a related ield
• Skill-based or general security certiication
• One ull year o inormation systems management experience
Here is an example o a CISM candidate whose experience and education are consid-
ered or CISM certiication: A candidate graduated in 2002 with a bachelor’s degree in
computer science. hey spent ive years working or a sotware company managing I,
and in January 2015, they began managing inormation security. In January 2017, they
took some time o work or personal reasons. In 2019, they earned their Security+ cer-
tiication and rejoined the workorce in December 2019, working as a risk manager or
a public company in its enterprise risk management department. he candidate passed
the CISM exam in June 2022 and applied or CISM certiication in September 2022.
Do they have all o the experience required? What evidence will they need to submit?
• Skills-based certification he candidate obtained their Security+ certiication,
which equates to a one-year experience substitution.
• Two years of direct experience hey can count their two ull years o inormation
security management experience in 2015 and 2016.
• One-year substitution hey cannot take into account one year o I management
experience completed between January 2002 to January 2007, because it was not
completed within ten years o their application.
• One-year direct experience he candidate would want to utilize their new risk
manager experience or work experience.
he candidate would need to send the ollowing with their application to prove the
experience requirements are met:
• Veriication o Work Experience orms illed out and signed by their supervisors
(or any superior) at the sotware company and the public company, veriying
both the security management and non–security management work conducted
• ranscripts or letters conirming degree status sent rom the university
TIP Read the CISM certiication qualiications on the ISACA web site. ISACA
changes the qualiication rules rom time to time, and I want you to have the
most up-to-date inormation available.
Introduction
xxix
ISACA Code of Professional Ethics
Becoming a CISM proessional means adhering to the ISACA Code o Proessional Eth-
ics, a ormal document outlining what you will do to ensure the utmost integrity in a way
that best supports and represents the proession. Speciically, the ISACA code o ethics
requires ISACA members and certiication holders to do the ollowing:
• Support the implementation o, and encourage compliance with, appropriate
standards and procedures or the eective governance and management o
enterprise inormation systems and technology, including audit, control, security,
and risk management.
• Perorm their duties with objectivity, due diligence, and proessional care, in
accordance with proessional standards.
• Serve in the interest o stakeholders in a lawul manner, while maintaining
high standards o conduct and character and not discrediting their proession
or the association.
• Maintain the privacy and conidentiality o inormation obtained in the course o
their activities unless disclosure is required by legal authority. Such inormation
shall not be used or personal beneit or released to inappropriate parties.
• Maintain competency in their respective ields and agree to undertake only
those activities they can reasonably expect to complete with the necessary skills,
knowledge, and competence.
• Inorm appropriate parties o the results o work perormed, including the
disclosure o all signiicant acts known to them that, i not disclosed, may
distort the reporting o the results.
• Support the proessional education o stakeholders in enhancing their
understanding o the governance and management o enterprise inormation
systems and technology, including audit, control, security, and risk management.
Failure to comply with this Code o Proessional Ethics can result in an investigation
into a member’s or certiication holder’s conduct and, ultimately, disciplinary measures,
including the oreiture o hard-won certiication(s).
You can ind the ull text and terms o enorcement o the ISACA Code o Ethics at
www.isaca.org/ethics.
Once your registration is complete, you will immediately receive an e-mail acknowl-
edging this. Next, you will need to schedule your certiication exam. he ISACA web
site will direct you to the certiication registration page, where you will select a date,
time, and (optionally) location to take your exam. When you conirm the date, time,
and location or your exam, you will receive a conirmation via e-mail. You will need the
conirmation letter to enter the test location—make sure to keep it unmarked and in a
sae place until test time.
Exam Questions
Each registrant has our hours to take the exam, with 150 multiple-choice questions
representing the our job practice areas. Each question has our answer choices; you must
select only one best answer. You can skip questions and return to them later, and you can
also lag questions you want to review later i time permits. While you are taking your
exam, the time remaining will appear on the screen.
When you have completed the exam, you’ll be directed to close the exam. At that
time, the exam will display your pass or ail status, reminding you that your score and
passing status are subject to review. You will be scored or each job practice area and then
provided one inal score. All scores are scaled. Scores range rom 200 to 800; a inal score
o 450 is required to pass.
Exam questions are derived rom a job practice analysis study conducted by ISACA.
he selected areas represent tasks perormed in a CISM’s day-to-day activities and the
background knowledge required to develop and manage an inormation security pro-
gram. You can ind more detailed descriptions o the task and knowledge statements at
www.isaca.org/credentialing/cism/cism-exam-content-outline.
Exam Coverage
he CISM exam is quite broad in its scope. It covers our job practice areas, as shown
in able 2.
NOTE You are not permitted to display the CISM moniker until you have
completed certiication. Passing the exam is not suicient to use the CISM
anywhere, including e-mail, résumés, correspondence, or social media.
NOTE You are permitted to use the CISM moniker only ater receiving your
certiication letter rom ISACA.
CISM Certified Information Security Manager All-in-One Exam Guide
xxxvi
Retaining Your CISM Certification
here is more to becoming a CISM proessional than passing an exam, submitting
an application, and receiving a paper certiicate. Becoming a CISM proessional is an
ongoing and continuous liestyle. hose with CISM certiication agree to abide by the
code o ethics, meet ongoing education requirements, and pay annual certiication
maintenance ees. Let’s take a closer look at the education requirements and explain the
costs o retaining certiication.
Continuing Education
he goal o proessional continuing education requirements is to ensure that individuals
maintain CISM-related knowledge to help them successully develop and manage secu-
rity management programs. o maintain CISM certiication, individuals must obtain
120 continuing education hours within three years, with a minimum requirement o
20 hours per year. Each CPE hour accounts or 50 minutes o active participation in
educational activities.
Activity CPE
Activity Title/Sponsor Description Date Hours Support Docs Included?
ISACA presentation/lunch PCI 2/12/2023 1 Yes (receipt)
compliance
ISACA presentation/lunch Security in 3/12/2023 1 Yes (receipt)
SDLC
Regional Conerence, RIMS Compliance, 1/15–17/2023 6 Yes (CPE receipt)
risk
BrightFly webinar Governance, 2/16/2023 3 Yes (conirmation e-mail)
risk, &
compliance
ISACA board meeting Chapter board 4/9/2023 2 Yes (meeting minutes)
meeting
Presented at ISSA meeting Risk 6/21/2023 1 Yes (meeting notice)
management
presentation
Revocation of Certification
A CISM-certiied individual may have his or her certiication revoked or the ollow-
ing reasons:
• Failure to complete the minimum number o CPEs during the period
• Failure to document and provide evidence o CPEs in an audit
Introduction
xxxix
• Failure to submit payment or maintenance ees
• Failure to comply with the Code o Proessional Ethics, which can result in
investigation and ultimately lead to revocation o certiication
I you have received a revocation notice, contact the ISACA Certiication Department
at https://support.isaca.org/ or more inormation.
Volunteer
As a nonproit organization, ISACA relies upon volunteers to enrich its programs and
events. here are many ways to help, and one or more o these volunteer opportunities
may suit you:
• Speak at an ISACA event Whether you make a keynote address or host a session
on a speciic topic, speaking at an ISACA event is a mountaintop experience. You
can share your knowledge and expertise on a particular topic with attendees, but
you’ll learn some things too.
• Serve as a chapter board member Local chapters don’t run by themselves; they
rely on volunteers—working proessionals who want to improve the lot o other
proessionals in the local community. Board members can serve in various ways,
rom inancial management to membership to events.
• Start or help a CISM study group Whether part o a local chapter or a chapter
at large, consider starting or helping a group o proessionals who want to learn
the details o the CISM job practice. I am a proponent o study groups because
study group participants make the best students: they take the initiative to take
on a big challenge to advance their careers.
• Write an article ISACA has online and paper-based publications that eature
articles on various subjects, including current developments in security, privacy,
risk, and I management rom many perspectives. I you have specialized
knowledge on some topic, other ISACA members can beneit rom this knowledge
i you write about it.
• Participate in a credential working group ISACA works hard to ensure that
its many certiications remain relevant and up to date. Experts worldwide in many
industries give o their time to ensure that ISACA certiications remain the best
in the world. ISACA conducts online and in-person working groups to update
certiication job practices, write certiication exam questions, and publish updated
study guides and practice exams. I contributed to the irst CRISC certiication
working group in 2013 when ISACA initially developed the CRISC certiication
exam; I met many like-minded proessionals, some o whom I am still in regular
and meaningul contact with.
• Participate in ISACA CommunITy Day ISACA organizes a global eort o
local volunteering to make the world a better, saer place or everyone. Learn
about the next CommunIy day at https://engage.isaca.org/communityday/.
• Write certification exam questions ISACA needs experienced subject matter
experts willing to write new certiication exam questions. ISACA has a rigorous,
high-quality process or exam questions that includes training. You could even
be invited to an in-person exam item writing workshop. You can ind out more
about how this works at www.isaca.org/credentialing/write-an-exam-question.
Introduction
xli
Please take a minute to relect upon the quality and richness o the ISACA organiza-
tion and its many world-class certiications, publications, and events. hese are all ueled
by volunteers who made ISACA into what it is today. Only through your contribution
o time and expertise will ISACA continue in its excellence or uture security, risk, pri-
vacy, and I proessionals. And one last thing you can only experience on your own:
volunteering helps others and enriches you. Will you consider leaving your mark and
making ISACA better than you ound it? For more inormation about these and many
other volunteer opportunities, visit www.isaca.org/why-isaca/participate-and-volunteer.
Summary
Becoming and being a CISM proessional is a liestyle, not just a one-time event. It takes
motivation, skill, good judgment, persistence, and proiciency to be a strong and eective
leader in inormation security management. he CISM certiication was designed to help
you navigate the security management world more easily and conidently.
Each CISM job practice area is discussed in detail in the ollowing chapters, and
additional reerence material is presented. Not only is this inormation helpul or those
o you who are studying beore taking the exam, but it is also meant to serve as a
resource throughout your career as an inormation security management proessional.
This page intentionally left blank
PART I
Information Security
Governance
Chapter 1 Enterprise Governance
Chapter 2 Inormation Security Strategy
Another random document with
no related content on Scribd:
Paris. Comme si la cité avait dû revêtir, dès cette époque, le
caractère cosmopolite qui la distingue aujourd'hui, on y voyait,
alignés le long de la chaussée ou espacés des deux côtés dans les
champs, des tombeaux qui emmenaient la pensée aux extrémités
les plus opposées du monde ancien. Les inscriptions y parlaient les
deux langues de la civilisation, et le voyageur s'acheminait à travers
des avenues funéraires qui faisaient passer tour à tour sous ses
yeux les monuments du paganisme romain, les édicules étranges de
Mithra, et les chastes et sobres emblèmes de la foi chrétienne. Là
dormait, au milieu de plusieurs de ses successeurs, l'évêque de
Paris, saint Prudence, et l'on veut que les chrétiens des premiers
âges y aient possédé une catacombe où ils célébraient les sacrés
mystères, et qui s'élevait sur les ruines d'un ancien sanctuaire de
Diane, la déesse des forêts[317].
[316] Voir tome I, p. 103.
[317] Lebeuf, Histoire de la ville et de tout le diocèse de Paris, nouvelle édition,
Paris, 1883, t. I, pp. 228 et suiv.; Saintyves, Vie de sainte Geneviève, pp. 101, 130,
295; Franklin, dans Paris à travers les âges, IX, p. 2
Plus d'une fois, le regard de Clovis et de Clotilde s'était arrêté sur ce
tranquille horizon, des hauteurs duquel semblait descendre jusqu'à
eux, à travers le murmure des verdoyants ombrages, la solennelle
invitation de la mort. L'idée leur sourit d'y répondre en préparant là-
haut la place de leur dernière demeure, à l'abri d'un sanctuaire qui
serait le monument durable de leur foi commune, et qui dresserait
au-dessus de toute la vallée le signe glorieux de la résurrection.
Toujours le souvenir de Clotilde a été associé à celui de Clovis dans
l'histoire de cet édifice sacré[318]; il n'est guère douteux qu'elle en ait
suggéré la première idée au roi. Un chroniqueur parisien du huitième
siècle, dont les souvenirs locaux ont souvent une grande valeur
historique, attribue formellement cette initiative à Clotilde. Il est vrai
que, d'après lui, c'était dans la pensée du couple royal une église
votive, qui devait être bâtie si le roi revenait victorieux de la guerre
d'Aquitaine[319]. Ce qui est certain, c'est que la construction n'en fut
commencée que dans les dernières années, puisqu'elle n'était pas
achevée lorsque Clovis mourut.
[318] Grégoire de Tours, ii, 43: Basilica sanctorum Apostolorum quam cum
Chrodechilde regina ipse construxerat.—Le même, iv, 1: Nam basilicam illam ipsa
construxerat.
[319] Liber historiæ, c. 17.
Bientôt l'église surgit du sol, appuyée sur une crypte qui devait
recevoir les sépultures royales, et offrant aux regards l'aspect des
primitives basiliques. Elle pouvait avoir, nous dit un historien, deux
cents pieds de long sur cinquante à soixante de large[321]. L'intérieur
en était non voûté, mais lambrissé à la manière antique; de riches
mosaïques ainsi que des peintures murales en animaient les parois.
On y avait accès, du côté occidental, par un triple portique orné,
comme l'intérieur, de mosaïques et de peintures représentant des
scènes de l'Ancien et du Nouveau Testament[322]. A côté de l'église
s'élevèrent de spacieux bâtiments conventuels pour la demeure des
chanoines réguliers qui devaient la desservir. Un vaste territoire,
longeant les jardins du palais et allant d'un côté jusqu'à la Seine et
de l'autre jusqu'à la Bièvre, forma la seconde enceinte de cette
fondation vraiment royale. La plus grande partie en était occupée par
des closeries et des vignobles à travers lesquels circulaient
d'ombreux sentiers de noyers et d'amandiers chantés au douzième
siècle, en vers agréables, par le poète Jean de Hautefeuille. Le
douaire assigné au monastère était considérable: il comprenait
Nanterre, Rosny, Vanves, Fossigny, Choisy, et la terre connue sous
le nom de fief de Sainte-Clotilde[323].
[321] Viallon, Vie de Clovis le Grand, pp. 448 et suiv.
[322] Vita sanctæ Genovefæ, xi, 53 (Kohler): Miracula sanctæ Genovefæ; cf. du
Molinet, Histoire de sainte Geneviève et de son église royale et apostolique à
Paris, manuscrit de la bibliothèque Sainte-Geneviève, livre III, chap. ii.
[323] Du Molinet, o. c., livre III, chap. iii, suivi par les autres historiens de sainte
Geneviève. Le livre de du Molinet, resté inédit, est un travail excellent, qu'il n'y
aurait plus intérêt à publier toutefois, parce que la meilleure partie en a passé
depuis dans les travaux consacrés au même sujet.
Clovis ne vécut pas assez longtemps pour voir l'achèvement de
cette fondation grandiose; c'est Clotilde qui la mit sous toit et qui en
termina les dépendances[324]. Il paraîtrait toutefois, si l'on en croit le
chroniqueur parisien auquel nous avons déjà fait des emprunts, que
le roi put encore assister à la consécration de l'église. Cet écrivain
ajoute que Clovis pria le pape de lui envoyer des reliques des saints
Pierre et Paul, parce qu'il voulait en faire les patrons du nouveau
sanctuaire, et qu'à cette occasion il fit tenir au souverain pontife de
riches cadeaux[325]. C'est probablement alors aussi qu'il lui envoya
une superbe couronne d'or, garnie de pierres précieuses, qu'on
appelait «le Règne»[326]. Plusieurs historiens du moyen âge ont
parlé de cette couronne qui mérite une mention ici, puisqu'elle fut le
premier hommage de la royauté très chrétienne à l'Église
universelle.
[324] Vita sancti Genovefæ, xi, 53 (Kohler).
[325] C'est ce que dit une note d'un des manuscrits du Liber historiæ, c. 17. Dans
tous les cas, elle se trompe tout au moins sur le nom du pape, qu'elle appelle
Hormisdas. Hormisdas ne monta sur le trône de saint Pierre qu'en 514, trois ans
après la mort de Clovis. Peut-être faut-il garder le nom d'Hormisdas, et remplacer
celui de Clovis par celui de Clotilde?
[326] Eodem tempore venit regnus cum gemmis preciosis a rege Francorum
Cloduveum christianum, donum beato Petro apostolo. Liber Pontificalis, éd.
Duchesne, t. I, p. 271. Ce passage, écrit au sixième siècle, a passé en substance
dans le Vita sancti Remigii de Hincmar, Acta Sanctorum, p. 156, F, et de là dans
Sigebert de Gembloux, Chronicon (dom Bouquet, III, p. 337). M. l'abbé Duchesne
écrit à ce sujet, o. c., p. 274: «Clovis mourut trois ans avant l'avènement du pape
Hormisdas. Il est possible que l'envoi du regnus ou couronne votive, dont il est ici
question, ait souffert quelque retard. Du reste, le nom de Clovis n'est attesté ici
que par les manuscrits de la seconde édition; l'abrégé Félicien coupe la phrase
après Francorum.» Cf. A. de Valois, I, pp. 270 et 299; dans ce dernier passage, il
fait dire à ses sources que Clovis envoya la couronne qu'il avait reçue d'Anastase.