
Welcome to this course taught by Thor Pedersen. Thor is an experienced instructor with extensive work experience in IT, cybersecurity, and project management. He holds CISSP, CISM, CC, CDPSE, CCNP, CCNA, and PMP certifications. His courses on Udemy are the best-selling and highest rated, and he has helped thousands of students pass their exams over the years. In this course, Thor will provide you with the knowledge and skills you need to succeed on your certification exam. He is eager to connect with you and help you along the way, and you can reach out to him through his LinkedIn profile (linkedin.thorteaches.com) or by joining his Facebook group (fb.thorteaches.com). You can also watch some of his free videos on YouTube (youtube.thorteaches.com). Don't wait any longer - let Thor help you achieve your certification goals.
In this lesson, we will be discussing various tips and tricks for getting the most out of my courses. First, I will introduce the "little elephant," which marks a topic as particularly important. Next, we will discuss the use of ",..." in lists, which indicates that the list is not exhaustive. I will also explain the use of bold text to indicate keywords. Additionally, we will take a look at the Udemy interface and its various features, including the ability to pause, play, rewind, and fast forward lectures, as well as the option to change the speed of the lecture to better match your preference. We will also discuss the availability of professionally done subtitles in English, as well as autogenerated subtitles in other languages. Finally, we will explore the option to add your own notes, access a question and answer section, view educational announcements, and receive a certificate of completion upon completing the course.
In this lecture, we introduce CISM Domain 4: Incident Management, which now accounts for 30% of the weighted exam questions in the 2022 exam changes, up from 19% previously. This shift aligns with ISACA's move towards a more tactical and technical focus on management. You should expect about 45 questions primarily from Domain 4, although many questions will touch on multiple domains. This video series covers more topics than the official book, as ISACA assumes candidates have significant specific knowledge. ISACA provides a list of 29 additional resources to study if incident management is a weak area, acknowledging that their official book is not comprehensive enough on its own. Domain 4 focuses on incident management, including preparation, minimization, and response to compromises. Topics include business continuity planning (BCP), disaster recovery planning (DRP), testing, training, forensics, zero-day attacks, types of attackers, malware, personal safety, and redundancy. This content is expected to be tested on the current 2022 version until the next update in 2027, as ISACA follows a 5-year update cycle.
In this lecture, we will discuss incident management which is the process of managing and responding to security events on our systems. We will talk about how we monitor and detect these events and use our incident response plan to choose the appropriate response. We will also delve into the administrative function of incident management and its primary purpose of having clearly defined, well-understood, and predictable responses to any event. Additionally, we will touch upon the importance of planning, training, and raising staff awareness in order to have a well-prepared team. Furthermore, we will review the categorization of incidents and events into natural, human, and environmental causes. Lastly, we will look at the definitions of events and incidents and how to properly categorize them for effective incident management.
In this lecture and the one following it, we will be talking about Incident Management and will use an 8-step life cycle. For the exam, it is important to know what each step is, what we do in that step, the flow of them, and to understand the logic behind it. We will start by discussing planning or preparation and then move on to detection, response, mitigation, reporting, recovery, remediation, and finally, lessons learned. We will also look at the importance of preparation and how to keep our incident response plan updated. The emphasis will be on understanding the logic behind each step and not just memorizing them.
In this lecture, we will finish discussing Incident Management and move on to Mitigation. We will talk about what steps to take after identifying and fixing the vulnerability or vulnerabilities that were used to access our systems. We will also look at the recovery phase, which is when we restore the system back to operations. We will discuss the importance of doing a root-cause analysis and using that information to determine the appropriate countermeasures to put in place. We will also talk about the importance of reporting, both in terms of technical details and notifying management and other key stakeholders. Finally, we will discuss the recovery phase, including the process of restoring systems to an operational status and determining when they are ready to be used again.
In this lecture, we will be discussing business continuity planning (BCP) and briefly touching on disaster recovery planning (DRP). These topics are crucial for both the exam and real-world situations as any organization will eventually face a disaster. It is important to have a plan in place to minimize the impact and ensure that the organization can recover as quickly as possible. The BCP is the overall plan that includes subplans such as the continuity of operations plan, crisis communication plan, and critical infrastructure protection plan. We will cover DRP in more detail later, but it focuses on the IT aspects of disaster recovery. It is important to have the right amount of security and recovery in place and to consider the cost benefit analysis. Asking "what if" questions can help identify potential disasters and create a plan to minimize their impact.
Building a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) involves using publicly available frameworks and standards to ensure that all necessary steps are taken to prevent and recover from potential disasters. The process begins with project initiation and stakeholder identification, followed by scoping the project and conducting a Business Impact Analysis to identify and prioritize critical systems. Next, preventative controls are considered and recovery strategies are developed, followed by designing and developing specific plans, implementing countermeasures, training staff, and testing the plan to ensure it is effective.
In this lecture, we will discuss personnel shortages and their various causes, such as human, natural, and environmental factors. Thor also mentions how the pandemic has changed the perspective on personnel shortages and the importance of having enough staff to manage critical jobs. He emphasizes the need for cross-training and people redundancy, just like we have with our systems, and the importance of identifying critical staff by position rather than by name and building in more redundancy for these positions. Thor also talks about the need to have a disaster recovery plan in place and to avoid naming individuals in the plan, as it is common for IT staff to have a turnover rate of 5-8% per year. We also talk about how, during Covid-19, employees could all of a sudden work from home where before it was "impossible".
In this lecture, we will discuss Disaster Recovery Planning (DRP) Basics. We will look at the objective and purpose of the plan, as well as the people or teams that are responsible in case of a disruption and their responsibilities. We will also examine the procedures and scenarios outlined in a normal DRP, including the definition of a disaster, who can declare it, and the process for updating relevant parties. Additionally, we will explore the roles and responsibilities of different departments and the communication plan for informing them. The DRP lifecycle will also be discussed, including the phases of mitigation, preparation, response, and recovery. The importance of ongoing updates and improvement will also be emphasized.
In this lecture, we will look at how to develop business continuity and disaster recovery plans. We will discuss the importance of using frameworks and drawing on the experience of professionals who do this work full-time. The lecture will also cover the steps outlined in the older versions of NIST 800-34, which can be used to build our BCP and DRP. There will also be links provided in the link section for additional resources. The process for developing a BCP and DRP is similar to a project, with a clearly defined start and finish, and it is an iterative process. The lecture will cover project initiation, identifying stakeholders, getting senior management buy-in, formalizing the project structure, and scoping the project. This includes clearly defining what is in scope and what is out of scope. The lecture will also cover the Business Impact Analysis, identifying and prioritizing critical systems, and assigning different tiers to different systems. After the Business Impact Analysis, the lecture will discuss preventative controls and recovery strategies. The lecture will also cover designing and developing plans, implementing countermeasures, training, and testing. The goal is to have the right security and the right recovery strategy that balances impact and cost.
In this lecture, we will discuss Business Impact Analysis (BIA), which is an important topic that involves analyzing the impact on a business by identifying critical systems and determining their level of criticality. This includes identifying which systems are essential and which can be down for a certain amount of time, and determining the cost of recovery for each system. Additionally, we will discuss the concept of maximum tolerable downtime, which is the maximum amount of time a system or activity can be down before it severely impacts the business. We will also look at recovery point objectives (RPOs) and the tier system, which assigns different acceptable downtimes and recovery point objectives to different systems and activities. The lecture highlights the importance of conducting a BIA, as it can determine the survival of a business in the event of a disaster or data loss.
In this lecture, we will discuss various recovery strategies. First, we will look at the non-IT aspects of recovery. As IT security professionals, it is important to consider everything, not just IT. Even if we can quickly restore our data center, if we have no outside connectivity, it may not be useful. We will discuss how to ensure redundancy in our supply chain, such as having a second supplier as a backup in case our primary vendor goes out of business. We will also talk about how to prepare for potential shortages and how to find other suppliers. Additionally, we will consider the infrastructure necessary to keep our business running, such as power, sewage, internet, and water. We will discuss how long we can function without these necessities and how to ensure we have backup plans in case of a disaster. We will also consider the importance of network redundancy and explore alternative options, such as a satellite connection. This lecture is the first in a series on recovery strategies and we will continue to explore this topic in future lectures.
In this lecture, we will continue discussing recovery strategies with a focus on disaster recovery sites. We previously talked about Maximum Tolerable Downtime for our critical systems, and now we will use that to design our mitigation strategies and how we can recover. One option for recovery is disaster recovery sites, which come in a few different forms. The first is a redundant site, which is an identical copy of the production site with real-time copies of data. It can be set up to fail over automatically or as an active-active pair. The redundant site is the most expensive option, but it ensures that end users and employees will not notice any disruption. It is important that these redundant sites are geographically distant to minimize the impact of a disaster. Another option is a hot site, which only houses critical applications and systems on lower spec systems. Traffic must be failed over manually and it should take an hour or less. A warm site is similar to a hot site, but it does not have real-time data transfer and it can take between 4 and 24 hours to switch over and restore data. Factors that affect the time it takes to restore include the amount of data being restored, the location of backups, and what happens at the primary site. Cold sites are similar in size, but lack hardware and recovery can take weeks. Redundant sites have identical systems, but recovery can also take a long time. Reciprocal sites involve agreements with other organizations to store equipment in their data centers. Mobile sites are data centers on wheels that can move, but are not cost-effective. Subscription or cloud sites are becoming more prevalent as they are cost-effective, allowing users to pay for servers or a full replica of their production environment.
In this lecture, we will discuss various sub-plans that fall under the overarching Business Continuity Plan (BCP). We have previously spent a lot of time discussing the Disaster Recovery Plan (DRP) but there are other important sub-plans to consider in a disaster scenario. The first sub-plan we will look at is the Continuity of Operations Plan (COOP) which focuses on how to keep operations running during a disaster. We will also discuss the Cyber Incident Response Plan, which is often a sub-plan of the DRP and focuses on online security threats such as DDoS attacks and malware. Additionally, we will look at the Occupant Emergency Plan (OEP) which addresses safety and evacuation procedures for staff and facilities in the event of a disaster. Lastly, we will examine the Business Recovery Plan, which outlines steps to return to normal business operations after a disruptive event.
In this lecture, we will continue discussing Business Continuity Planning (BCP) and look at various plans and how they are stored and accessed. We will also discuss the importance of having copies of the plan in both physical and digital forms, as well as the use of access controls to ensure only the necessary information is shared with each employee. Additionally, we will look at the Emergency Operations Center (EOC) and its role in disaster management, as well as the use of Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) with key staff to ensure their responsibilities during a disaster are clearly defined.
In the next couple of lectures, we will discuss how to test disaster recovery plans. We will review the plans for any glaring omissions or gaps, and make sure that everyone knows what they need to do in the event of a disaster. We will go through distinct phases of testing, including a review of the plan, a read-through or checklist, a walk-through or tabletop exercise, and a simulation test or walk-through drill. We will also do physical testing, such as parallel processing and partial interruption, to ensure that the plans will work in an actual disaster.
In this lecture, we will continue with testing our disaster recovery plans and specifically, we will focus on training for them and improving them. We previously discussed the importance of doing a lot of training and drills to ensure that staff is comfortable and prepared for disasters. Training is also necessary to raise awareness and make their response in a disaster more predictable. Thor uses a real-world example of a company that had a great disaster recovery plan, but it was 10 years old and no changes had been made. When a disaster occurred, the employees didn't know how to carry out the plan because they were not trained. Thor also brings up the importance of testing things like power outages and generator activation. In some cases, training may not be provided by leadership and it is the IT security manager's job to ensure that staff has the proper training. The goal of training is not only teaching, but also raising awareness and changing behavior. New employees should also be trained for their roles in disaster recovery and senior staff should have more extensive training.
In this lecture, Thor discusses the importance of "lessons learned" after experiencing a disruption or test. He stresses that if we don't learn from our mistakes, we will continue to repeat them and that the lessons learned can be used to either prevent future disasters or reduce their impact. Thor notes that in the real world, many companies don't take the time to do a lessons learned analysis, but it can help improve our performance in the future. Thor also mentions common mistakes that can make a BCP (business continuity plan) and DRP (disaster recovery plan) ineffective, such as lack of involvement from senior leadership and business units, lack of prioritization of critical staff, and having too narrow a scope. He stresses that having the support of senior leadership and having a comprehensive scope are crucial to having effective plans in place.
In this lecture, we will discuss digital forensics and its focus on the recovery and investigation of materials found on digital devices. We will look at the difference between digital forensics and incident response, with digital forensics being the gathering and protection of evidence, and incident response being the actions taken during and after an attack. We will also explore the forensics process, including identifying potential evidence, acquiring it, analyzing it, and making a report. Additionally, we will discuss the importance of preserving the crime scene and the need for proper training and awareness to respond appropriately to an attack. We will also touch on the importance of accurate, complete, authentic, convincing, and admissible evidence in court.
In this lecture, we will discuss disk forensics and examine how hard drives are both physically and logically segmented. We will look at how tracks, sectors, and clusters are used to divide the physical disk, and how allocated and unallocated space is used to divide the logical disk. We will also explore the concept of slack space and bad blocks/clusters/sectors and how they can be used by attackers to hide malware. We will understand why it is important to do a bit-level copy when analyzing a hard drive and how it can reveal hidden data that might otherwise go unnoticed.
In this lecture, we will discuss the concepts of memory and data remanence, including the difference between volatile and non-volatile memory and how it can be used in different types of memory such as ROM, EPROM, EEPROM, and PLDs. We will also discuss the importance of understanding these concepts for the exam and the potential security risks associated with flashing memory and updating systems.
In this lecture, we will discuss how to dispose of media safely and securely, as improper disposal can lead to data breaches. We will cover different methods of disposing of paper, including shredding and cross shredding, and digital disposal methods such as deletion, formatting, overwriting, and purging. It is important to choose the appropriate disposal method for the specific media and ensure that licensed and bonded companies are used for proper disposal. We will also discuss considerations for damaged media and the importance of having backup controls in place.
In this lecture, we will finish our discussion on digital forensics by exploring network forensics, embedded devices, analysis, egress monitoring, and e-discovery. We will begin by looking at network forensics, where we will actively monitor and analyze all the traffic happening on our network right now. This is a crucial step in information gathering, as the evidence collected might be needed in court. We will delve into intrusion detection and intrusion prevention systems, which play a major role in this process. We will also touch upon the importance of pushing logs to a centralized server with a strong security posture and regular admin access restrictions, as this ensures that the attacker cannot delete all the logs. We will also discuss the two uses of network forensics, with the first being what we do on our internal networks, and the second being what law enforcement does with a search warrant. We will also explore the systems we use for network forensics, which can be divided into two types: catch-it-as-you-can and stop, look, listen. Finally, we will discuss the need to keep an eye on embedded devices and their security.
In this lecture, we will discuss 0-day vulnerabilities which are vulnerabilities that are not known to the general public and have not been discovered at large. We will look at how once a vulnerability is discovered, there are typically patches or signatures released within a short time span. We will also discuss the potential for a high number of vulnerabilities that have yet to be discovered and the importance of having layers of security in place to potentially mitigate a 0-day attack. We will also examine a practical example of the Stuxnet worm and how it used four unique 0-day exploits.
In this lecture, we will continue to discuss the Human disaster category and focus on the topics of warfare, terrorism, and sabotage. These terms can be used interchangeably depending on the perspective of the individual or group. The lecture will address the ongoing presence of traditional warfare, including the use of physical weapons such as guns, bullets, tanks, and planes. However, it will also delve into the growing threat of cyber warfare, where individuals and groups use the internet to carry out attacks on infrastructure and other important systems. This can be done for a variety of reasons, including war, trade, gaining influence in a region, or financial gain. The lecture will also touch on the increasing prevalence of financially motivated cyber attacks, which can be carried out with varying levels of skill and can cause significant damage and financial loss. Additionally, the lecture will address the growing numbness to large-scale cyber attacks and the acceptance of them as a normal occurrence.
In the next couple of lectures, we will be discussing programming concepts and the importance of designing security into software from the beginning, rather than adding it later. We will look at different types of software, including machine code, source code, assembler languages, compilers, interpreted languages, bytecode, and various programming languages such as procedural languages and Object-Oriented Programming (OOP). We will also discuss the evolution of programming languages and how they have become more user-friendly over time. Additionally, we will touch on the fact that while some languages may be considered obsolete, they may still be in use by some companies or organizations. As an example during the COVID-19 pandemic, many states in the US had issues with their unemployment systems because they were built on an older programming language called COBOL.
In this lecture, we will finish discussing programming concepts by looking at two approaches to programming: Top-Down Programming and Bottom-Up Programming.
Top-Down Programming starts with the big picture and breaks it down into smaller segments, similar to project management. An example of this could be procedural programming.
On the other hand, Bottom-Up Programming starts with multiple smaller complex systems that become a subset of the bigger system. We design the individual elements in great detail to begin with, and then combine them into the bigger system. An example of this could be object-oriented programming.
We also talk about different ways of releasing software, such as Open Source and Closed Source/Proprietary, and the pros and cons of each.
In this lecture, we will cover key terms related to database security such as polyinstantiation, which refers to the ability to have multiple versions of the same file depending on who is accessing it. We will also discuss aggregation, where an attacker collects data for statistical analysis, and inference, where the attacker deduces facts from evidence and reasoning. We will also touch on data mining and data analytics, which involves using computers to discover patterns in large sets of data. This is a controversial topic as it can reveal a lot of personal information about individuals, as seen in large breaches like Equifax in 2017.
In this lecture, we will discuss malware, which is a catch-all phrase for malicious software that is used to compromise our systems or data. Malware can come in many forms and types. We will take a look at some of the most common types, but it is important to note that the exam will not focus on definition questions. Instead, you will be asked about how to protect against certain types of malware and what to do once infected. This means it is important to not only learn about the different types of malware, but also how to apply that knowledge in real-world scenarios. We will start by discussing viruses, which are one of the most common types of malware and typically require human interaction to infect systems. We will also cover macro and document viruses, boot sector viruses, stealth viruses, and polymorphic viruses. It is important to note that 95% of compromises are due either to human error or to failure to take necessary precautions.
In this lecture, we will be focusing on different types of malware, including worms, Trojans, rootkits, logic bombs, and packers. Worms spread through self-propagation, meaning they don't need any help or human interaction to spread. They contain the damaging payload, which does whatever it is designed to do on your system, and they also replicate aggressively through a network. Trojans, on the other hand, look like the real thing, but hidden inside is the malicious code that can infect your system. Rootkits replace some part of the OS or kernel with malicious code, which can be a problem if the boot sectors are not scanned before they load up. Logic bombs are based on a certain time or event and can be hard to find because they are dormant until the condition is fulfilled. Lastly, packers are programs used to compress executable files, which can be used by bad actors to hide malware. It is important to remember that training to raise awareness and technical measures behind the scenes can help prevent these types of malware attacks.
In this lecture, we will discuss the topic of Web Architecture and Attacks. First, we will delve into the history and background of the Internet, which was initially designed for secure closed networks and not intended for the widespread use it has today. This means that security was not built into the protocols and standards, leading to a patchwork of security measures being added after the fact. We will also talk about the concept of adding security to an already established system, like building a house without any doors or windows and then trying to add them later. We will also cover topics such as the most common web security issues, as outlined by the Open Web Application Security Project (OWASP) and how to defend against them. The goal of the lecture is to understand the importance of incorporating security into the design and implementation process.
In this lecture, we will discuss the importance of personnel safety in emergency situations. The main point being emphasized is that people should always come first in any emergency situation. Clear policies and procedures need to be established in order to ensure the safe evacuation of employees. This includes providing the necessary training to raise awareness and understanding of emergency protocol. Appointing a leader to oversee the evacuation and designated meeting places outside the building are also crucial in ensuring everyone gets out safely and preventing people from going back in to look for missing colleagues. It is important to have plans in place for disabled employees and those who need special assistance, as well as regular fire drills and evacuation drills to ensure the best outcome in emergency situations.
In this lecture, we conclude our study of CISM Domain 4: Incident Management, which accounts for 30% of the exam questions in the current 2022 version. You should expect around 45 questions primarily from Domain 4. Remember that this video course covers more than the official book, as ISACA assumes significant knowledge from candidates. If you need to study more in certain areas, refer to the 29 resources ISACA suggests to help grow your knowledge in Domain 4. Domain 4 focuses on incident management, including preparation, response to compromises, and impact minimization. We covered topics such as the Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), recovery sites, testing, staff training, plan updates, forensics, zero-day attacks, types of attackers, malware, personnel safety, and redundancy. This content is expected to remain the same until the next exam update in 2027. If you're unsure about a concept, don't hesitate to review the relevant video. As we wrap up Domain 4, reflect on your progress and identify any areas that may require further study.
* Updated for the 2022 CISM curriculum. We do in-place updates, meaning any future exam updates you get for free *
Welcome, I am Thor Pedersen, and I am here to help you pass your CISM certification.
With over 760,000 enrollments from 209 countries, my CISSP, CISM, and Certified in Cybersecurity (CC) courses are both the “Best Selling” and “Highest Rated” on Udemy.
Getting your CISM certification now is a very smart career move.
The CISM is highly sought after by Cyber Security recruiters.
There are over 44,000 open CISM jobs in the US.
The average CISM salary in the US is over USD 165,000 a year.
I think my courses are fantastic but don't just take my word for it. Here's what some of my other students have to say about them:
I am having an amazing experience with this course. Thor's delivery of the contents could not be smoother. (Michael, ★★★★★)
After completing the four CISM boot-camp training with Thor, I can say he's one of the best online presenters I've encountered. He is clear, articulate and knowledgeable. (William, ★★★★★)
As per all my earlier reviews, Thor breaks things down in a way that is easy to understand and remember. Without these videos I'd still be reading chapter 1 page 1 of the ISACA CISM study guide. Trust me, these videos will save you time and get you ahead! (Dale, ★★★★★)
This course was very helpful! Easy to read, easy to digest and very well presented. Highly recommend this and all of Thor's courses. All top notch quality and quite useful for CISM/CISSP. (Chris, ★★★★★)
Very detailed, engaging and real world examples mentioned by Thor makes this course easy to follow and apply to the exam. (Gerald, ★★★★★)
Join our community of successful students and reach your certification goals!
When you buy this course you get all this:
4.5 hours of CISM videos: Covering the CISM Domain 4 exam topics.
31-page PDF CISM study guides: Detailed guides made from our lectures.
15-page PDF CISM Quick Sheets: For your review sessions.
5 Detailed CISM Mind Maps.
2-page PDF CISM Mnemonics: Memory aids to help you remember key concepts.
76 website links: Additional resources to deepen your understanding of Domain 3 topics.
Subtitles in multiple languages: English, Spanish (Latin America), Portuguese (Brazil), French, Arabic, Japanese, Chinese, and Hindi.
An automatic certificate of completion: Hang on your wall or use for CEUs/PDUs. (5 CEUs).
30-day money-back guarantee: No questions asked.
Lifetime Access to the course and all course updates.
Offline video viewing: Available on the Udemy mobile apps.
In Domain 4 we cover:
A Incident Management Readiness
4A1 Incident Response Plan
4A2 Business Impact Analysis (BIA)
4A3 Business Continuity Plan (BCP)
4A4 Disaster Recovery Plan (DRP)
4A5 Incident Classification/Categorization
4A6 Incident Management Training, Testing, and Evaluation
B Incident Management Operations
4B1 Incident Management Tools and Techniques
4B2 Incident Investigation and Evaluation
4B3 Incident Containment Methods
4B4 Incident Response Communications (e.g., reporting, notification, escalation)
4B5 Incident Eradication and Recovery
4B6 Post-incident Review Practices
We continue to update our courses to make sure you have the latest and most effective study materials:
2025: Added 5 CISM Domain 4 Mind Maps. Added CISM Quick Sheets (15 pages).
2024: Added CISM Mnemonics. Added subtitles in Japanese and Portuguese (Brazil).
2023: Added updates/new videos: BCP - BIA (Business Impact Analysis).
2022: Full course update for the 2022 curriculum.
2021: 10+ updates: Entirely new content, clearer explanations/examples in videos, and study guides.
2020: 10+ updates: Entirely new content, clearer explanations/examples in videos, and study guides.
2019: My initial course release of my CISM courses.
Start Your Certification Journey Today!
Join thousands of successful professionals who have transformed their careers with ThorTeaches. Let me guide you to CISM certification success.
Enroll now and let's achieve your certification goals together!
Thor Pedersen