D1 Watermark

This document discusses professional ethics and security concepts in domain 1.1. It covers key principles like confidentiality, integrity, availability, authentication, authorization and accountability. It also lists several important security frameworks and standards for information security management, including ISO 27001, NIST 800-53, COBIT and the NIST Cybersecurity Framework.

Uploaded by

Samdani Shaik

Domain 1.1: Professional Ethics, Security Concepts, Security Governance

(ISC)2 Code of Ethics canons:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

Security concepts (the CIA triad and its opposite, DAD):
- Confidentiality (opposite: disclosure) - only authorized access. E.g. PII, encryption, data breach. Supported by least privilege and need-to-know.
- Integrity (opposite: alteration) - data is not modified without authorization. E.g. hash, digital signature. Related properties: authenticity, non-repudiation.
- Availability (opposite: destruction) - accessible when needed. E.g. ransomware. Related properties: accessibility, usability, timeliness.
- DAD - disclosure, alteration, destruction.

AAA (Authentication, Authorization, Accounting). Its five elements are identification, authentication, authorization, auditing, accountability:
- Identification - claim an identity [username]
- Authentication - prove the identity [password]
- Authorization - permissions granted to the authenticated subject
- Auditing - record what the subject does
- Accountability - identification + authentication (plus auditing), so that every action can be tied to a subject

Protection mechanisms:
- Defense in depth - multiple layered controls
- Abstraction - similar elements treated as one group/class
- Data hiding - prevent data from being discovered
- Encryption - hiding the meaning of data

Security control frameworks:
- ISO 27001/27002 - framework for security management standards. 114 controls in 14 domains (ISO 27002:2013; the 2022 revision regroups them into 93 controls under 4 themes).
- COBIT - ISACA, IT enterprise governance and control objectives. 34 processes, 214 control objectives (COBIT 4 numbers).
- NIST SP 800-53 - security and privacy control catalog used with the NIST RMF; security compliance for US government systems.
- NIST Cybersecurity Framework (CSF) - created under President Obama's 2013 executive order on critical infrastructure cybersecurity. 5 functions: Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds a sixth, Govern).
- ITIL (Ops) - UK, improves IT service management processes, e.g. change management, configuration management.
- CIS Critical Security Controls.

Security enterprise architecture frameworks:
- Zachman Framework
- The Open Group Architecture Framework (TOGAF) - vendor neutral, driven by business requirements
- Sherwood Applied Business Security Architecture (SABSA) - creates a chain of traceability from business requirements to controls
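The integrity bullet above names hashes and digital signatures as examples. The following added example (not part of the original notes) shows in Python's standard library why a plain hash gives integrity but not authenticity, and what a keyed MAC (HMAC) adds. The record and the shared key are constructed for illustration; `hashlib` and `hmac` are the real standard-library modules.

```python
import hashlib
import hmac

# Constructed sample record for the demonstration (not from the original notes).
RECORD = b"invoice=1042;amount=250.00;payee=ACME"
# Assumed shared secret; in practice it comes from a key store, never from source code.
SHARED_KEY = b"example-shared-secret"


def sha256_digest(data: bytes) -> str:
    """Integrity only: detects alteration, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Integrity plus authenticity: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, digest: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch through timing.
    return hmac.compare_digest(sha256_digest(data), digest)


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def tamper_demo() -> dict:
    """Compare what each mechanism catches when an attacker alters the record."""
    digest = sha256_digest(RECORD)          # stored alongside the record
    tag = hmac_tag(SHARED_KEY, RECORD)      # stored alongside the record
    altered = RECORD.replace(b"250.00", b"2500.00")

    return {
        # Alteration without updating the stored digest is caught...
        "hash_detects_alteration": not verify_hash(altered, digest),
        # ...but anyone can recompute a plain hash, so it proves nothing about origin.
        "hash_forged_by_attacker": verify_hash(altered, sha256_digest(altered)),
        # HMAC also catches the alteration...
        "hmac_detects_alteration": not verify_hmac(SHARED_KEY, altered, tag),
        # ...and an attacker without the key cannot produce an acceptable tag.
        "hmac_forged_without_key": verify_hmac(
            SHARED_KEY, altered, hmac_tag(b"attacker-guess", altered)
        ),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

An HMAC still does not give non-repudiation: both sides hold the same key, so either could have produced the tag. That property needs a digital signature made with a private key only the signer holds.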
Risk assessment frameworks:
- Facilitated Risk Analysis Process (FRAP) - low cost; evaluates one system at a time
- Value at Risk (VAR) - determine the most cost effective risk mitigation method
- NIST RMF - SP 800-39, 800-37, 800-30
- ISO 27005 - risk treatment
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) - risk assessment
- FAIR - probabilities of incidents and their impacts
- The Committee of Sponsoring Organizations (COSO) - internal control and enterprise risk management framework

ISO 27000 series:
- 27001 - ISMS requirements
- 27002 - best practice (code of practice for controls)
- 27003 - implementation guidelines
- 27004 - monitoring, measurement
- 27005 - risk management
- 27031 - business continuity (ICT readiness)
- 27035 - incident management

Security management plans:
- Strategic - long term (about 5 years); the organization's security purpose
- Tactical - about 1 year; details on accomplishing the goals
- Operational - short term (monthly); detailed plans, updated frequently (the how)

IT ethics:
- Internet Activities Board (IAB) - RFC 1087, "Ethics and the Internet"; acceptable Internet behaviour
- Computer Ethics Institute (CEI) - Ten Commandments of Computer Ethics
- Code of Fair Information Practices - handling of personal information

Liability:
- Due diligence - senior management continuously reviews policy; preparation and research; accurate and timely. E.g. laws and regulations, industry standards, best practice.
- Due care - actually doing it; the prudent man rule: senior management takes responsibility. E.g. security awareness training, disabling access.

Security program in the business:
- Ultimate responsibility for information security rests with C-level management.
- Align the program with the organization's goals/mission.
- Involve information security in organizational processes (acquisitions, divestitures, governance committees).

Security governance principles:
- Roles and responsibilities
- Identify a security control framework (e.g. the NIST Cybersecurity Framework; NIST SP 800-53 for government systems)
- Practice due diligence and due care

Domain 1.2: Compliance, Legal, Regulatory, Intellectual Property

Categories of law:
- Common law (England):
  - Criminal - prison sentences; standard of proof is beyond a reasonable doubt
  - Civil - contract disputes between an organization and a service provider; the organization's own matter
  - Administrative law - regulatory
- Civil law (European) - code-based; wrongful acts of an individual or business; no binding precedent
- Religious law

Privacy and data protection laws (US):
- U.S. Federal Privacy Act of 1974 - personal information on US citizens held by federal agencies
- HIPAA - PHI; covers healthcare providers, health plans and clearinghouses
- HITECH - breach notification rule
- GLBA - consumers' financial information
- SOX - publicly traded companies
- Family Educational Rights and Privacy Act (FERPA) - student education records
- Children's Online Privacy Protection Act (COPPA) - children under 13
- PCI DSS - cardholder data (an industry standard, not a law)

NIST Special Publications:
- SP 800-30 - Risk Management Guide for Information Technology Systems (current title: Guide for Conducting Risk Assessments)
- SP 800-34 - Contingency Planning Guide for Federal Information Systems
- SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations (the RMF control catalog)
- SP 800-86 - Guide to Integrating Forensic Techniques into Incident Response
- SP 800-88 - Guidelines for Media Sanitization
- SP 800-137 - Information Security Continuous Monitoring

Intellectual property:
- Copyright - protects art, music, literature and source code created by an organization or individual; lasts 70 years after the creator's death
- Trademark - branding such as slogans and logos; 10 years, renewable
- Patent - exclusive right to make, use or sell an invention; 20 years
- Trade secret - confidential information about how a product is made (secret recipes), never disclosed to the public; not registered, so it is protected only as long as it stays secret

IP laws:
- Digital Millennium Copyright Act (DMCA)
- Economic Espionage Act - trade secrets
- Lanham Act - trademarks
- United States Patent and Trademark Office (USPTO) - registration of trademarks

US privacy laws:
- Fourth Amendment - requires a search warrant
- US Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986 (ECPA)
- Communications Assistance for Law Enforcement Act (CALEA) of 1994 - wiretaps
- USA PATRIOT Act of 2001 - electronic monitoring
- US Computer Security Act of 1987 - non-military federal systems
- State privacy laws - California Consumer Privacy Act (CCPA)
- Canadian privacy law - PIPEDA restricts how commercial businesses collect PII

Cybercrime, data breach and computer security laws:
- Computer Fraud and Abuse Act - cybercrime-specific legislation
- Federal Information Security Management Act (FISMA) - government agencies and their contractors
- Federal Sentencing Guidelines

EU and international privacy laws:
- Organisation for Economic Co-operation and Development (OECD) - guidelines on transborder flows of personal information
- European Union Data Protection Directive (DPD)
- EU General Data Protection Regulation (GDPR) - principles: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality and integrity, accountability; right to be forgotten
- Safe Harbour framework and EU-US Privacy Shield - let US companies process personal information from the EU (both were later invalidated by the Court of Justice of the EU; the EU-US Data Privacy Framework replaced them in 2023)

Import/export controls - cryptography:
- Wassenaar Arrangement
- US companies cannot export to Cuba, Iran, North Korea, Sudan, Syria

Licensing:
- Contractual license - written contract
- Shrink-wrap license agreement - printed on the outside of the software packaging
- Click-through - accept button during installation
- Cloud service license agreement - click-through / terms of service


Domain 1.3: Business Continuity (People, Process, Technology), Personnel Security

Policies, standards, procedures, baselines, guidelines:
- Policies (why, when) - high level overview of the company security posture (purpose, scope, responsibilities, compliance)
- Standards (what) - technical aspects; mandatory
- Procedures (how) - step 1, 2, 3
- Baselines (must) - minimum level of security; mandatory
- Guidelines (FYI) - recommendations / best practice; non-mandatory

BIA steps:
1. Select individuals to interview for data gathering
2. Create data gathering techniques
3. Identify critical business functions
4. Identify resources
5. Calculate MTD
6. Identify vulnerabilities and threats
7. Calculate risk
8. Document findings and report

BCP steps:
1. Develop a BCP policy statement (C-level management)
2. BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Perform DRP training and testing
7. Perform BCP/DRP maintenance

BIA metrics (priorities of the BIA):
- RPO (Recovery Point Objective) - amount of data loss that can be tolerated, expressed as time since the last usable copy
- RTO (Recovery Time Objective) - time to restore the service, as committed in the SLA
- WRT (Work Recovery Time) - time after restoration to verify data and return to normal operations
- MTD (Maximum Tolerable Downtime) = RTO + WRT; maximum time a service can be down without causing serious damage
- MTBF (Mean Time Between Failures) - how long a repairable component runs before the next fault
- MTTF (Mean Time To Failure) - lifespan of a non-repairable device
- MTTR (Mean Time To Repair) - time to repair/restore, e.g. by the service provider
- MOR (Minimum Operating Requirements) - minimum requirements for a critical system to function

BCP documentation: goals; statement of importance, priorities and the organization's responsibility; urgency and timing; risk assessment and acceptance; mitigation; emergency response guidelines.

C-level role: set priorities, obtain resources, arbitrate disputes among team members.

Goal: ensure the business continues to operate before, during and after a disaster. Focus on the business as a whole; a long-term strategy.

Plans:
- Business Continuity Plan (BCP) - procedures prepared before the incident
- Continuity of Operations Plan (COOP) - ensures critical/mission-essential services continue
- Disaster Recovery Plan (DRP) - restore IT services after the incident; a checklist to act on immediately after disaster strikes
- Crisis Communication Plan
- Information System Contingency Plan (ISCP) - procedures for recovery of a system
- Occupant Emergency Plan (OEP) - safety of personnel

Personnel security:
- Hiring - background check, reference check, financial history, security clearance
- Onboarding - sign an NDA and a non-compete agreement (NCA) covering conflicts of interest after leaving the company; account provisioning. A new employee starts with no access.
- Employee oversight - audit job descriptions and privileges
- Offboarding - notify the employee, disable the account, return organization assets, revoke access (remove the account after a period of time if no incident occurs)
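The BIA metrics above are only useful if the recovery plan is checked against them: a plan whose RTO + WRT exceeds the MTD, or whose backup schedule cannot meet the RPO, will fail in a real disaster. The following is an added example (not from the original notes) that runs those checks over a small constructed set of systems, orders them by MTD for recovery priority, and computes steady-state availability from MTBF and MTTR.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemBIA:
    """Recovery targets for one system, all in hours."""
    name: str
    mtd: float              # maximum tolerable downtime
    rto: float              # time to restore the service
    wrt: float              # time to verify data and resume normal work
    rpo: float              # tolerable data loss, as time since the last usable copy
    backup_interval: float  # how often a restorable copy is actually taken


# Constructed BIA data for illustration, not from the original notes.
SYSTEMS = [
    SystemBIA("ERP", mtd=24, rto=12, wrt=8, rpo=4, backup_interval=1),
    SystemBIA("Email", mtd=8, rto=6, wrt=4, rpo=1, backup_interval=1),
    SystemBIA("Data warehouse", mtd=72, rto=24, wrt=24, rpo=2, backup_interval=24),
]


def check_plan(systems):
    """Return {system name: [findings]} for every plan that cannot meet its BIA targets."""
    findings = {}
    for s in systems:
        problems = []
        if s.rto + s.wrt > s.mtd:
            problems.append(
                f"RTO {s.rto}h + WRT {s.wrt}h = {s.rto + s.wrt}h exceeds MTD {s.mtd}h"
            )
        if s.backup_interval > s.rpo:
            problems.append(
                f"backups every {s.backup_interval}h cannot meet RPO of {s.rpo}h"
            )
        if problems:
            findings[s.name] = problems
    return findings


def recovery_priority(systems):
    """Shortest MTD first: the order in which the DRP must bring systems back."""
    return [s.name for s in sorted(systems, key=lambda s: s.mtd)]


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability of a repairable component, MTBF / (MTBF + MTTR)."""
    return round(mtbf / (mtbf + mttr), 4)


if __name__ == "__main__":
    print("Recovery order:", recovery_priority(SYSTEMS))
    for name, problems in check_plan(SYSTEMS).items():
        print(name, "->", "; ".join(problems))
    print("Availability with MTBF 1000h, MTTR 10h:", availability(1000, 10))
```

In the constructed data the ERP plan is consistent, the email plan promises an RTO + WRT of 10 hours against an 8-hour MTD, and the data warehouse takes daily backups while claiming a 2-hour RPO; both of the latter are findings a BIA review should raise before the plan is approved.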
Domain 1.4: Risk Management, Threat Modeling, Supply Chain Risk, Social Engineering, Security Awareness Training

Risk terminology:
- Asset - anything of value
- Threat - potential cause of damage
- Threat agent - the attacker
- Threat vector - path used to gain access
- Vulnerability - weakness or missing safeguard in an asset
- Risk - likelihood that a threat exploits a vulnerability. Risk = Threat * Vulnerability
- Safeguard - security control, countermeasure
- Inherent risk - default risk in the absence of controls
- Total risk - amount of risk with no safeguards: Threat * Vulnerabilities * Asset value
- Residual risk - risk remaining after safeguards: Total risk - controls gap
- Value of a safeguard = ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard

Risk response:
- Mitigate - lower the chance or impact of the risk
- Avoid - eliminate the use of the technology/service
- Accept - leave the asset unprotected when the safeguard costs more than the asset
- Transfer - shift the risk to a third party, e.g. insurance

NIST Risk Management Framework (SP 800-37):
1. Prepare
2. Categorize the information system (laws, goals, prioritise, resources)
3. Select security controls (tailor them)
4. Implement security controls (how)
5. Assess security controls
6. Authorize the information system
7. Monitor security controls
(SP 800-37 Rev. 2 lists Prepare and Categorize as separate steps; older notes fold them together.)

Risk frameworks: OCTAVE, FAIR, TARA

Security control categories:
- Administrative - policies
- Technical/logical - hardware/software
- Physical - items you can physically touch

Quantitative risk analysis (numerical):
1. Asset Value (AV) - $
2. Exposure Factor (EF) - %
3. Single Loss Expectancy (SLE) = AV * EF
4. Annualized Rate of Occurrence (ARO) - x times per year
5. Annualized Loss Expectancy (ALE) = SLE * ARO
6. Perform cost/benefit analysis
Numerical data and measurable results; harder and more time consuming; needs people experienced in risk assessment.

Qualitative risk analysis (risk rating High/Medium/Low):
- Techniques: brainstorming, surveys, 1:1 interviews, Delphi technique (anonymous feedback)
- Descriptive results; easier and quicker to perform; suits people with little risk assessment experience who know the system or business process well.

Security control types:
- Directive (control the subject's actions) - AUP
- Deterrent (discourage) - warnings, policies, acceptable use
- Preventive (stop) - NDA, SoD, locks, ACLs, encryption
- Detective - reviewing logs, job rotation, CCTV
- Corrective (return to normal) - AV, fire suppression, patches
- Recovery - DRP, BCP, backup/restore
- Compensating - supports the security policy, e.g. examining logs

Threat modeling:
Goal: identify potential threats; assess probability, potential harm and priority of attacks; reduce security defects and the severity of the remaining ones.
Steps:
1. Identify threats
2. Determine and diagram potential attacks
3. Perform reduction analysis (decompose the application)
4. Rank the threats (Probability x Impact)
Methodologies:
- STRIDE (Microsoft) - Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
- PASTA - 7 stages: objectives, technical scope, application decomposition, threat analysis, vulnerability analysis, attack modeling and simulation, risk and impact analysis
- VAST - Agile-oriented
- DREAD - Damage, Reproducibility, Exploitability, Affected users, Discoverability; ranks threats numerically

Security awareness training:
- Awareness - acknowledge
- Training - skills
- Education - learn more than the job needs; change behaviour, build understanding
- Gamification - rewards; role-based training

Social engineering attacks:
- Spear phishing - message drafted for a group of targeted individuals
- Whaling - targets C-level executives and administrators
- Hoax - the audience performs an action that may cause a security problem
- Baiting - e.g. a dropped USB stick
- Typo squatting - mistyped domain name, e.g. gooogle.com
- Intimidation - threats used to motivate someone
- Consensus - mimicking what others have done in the past

Supply chain risk management:
- On-site assessment - visit the organization, interview staff, observe operating habits
- Document exchange and review
- Process/policy review - copies of security policies and procedures
- Third party audit
- SLA, SRA
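The quantitative risk analysis steps and the safeguard-value formula above (SLE = AV * EF, ALE = SLE * ARO, safeguard value = ALE before - ALE after - annual cost) are easiest to see on a worked scenario with several candidate safeguards. The following is an added example, not from the original notes; the asset value, exposure factors, rates of occurrence and safeguard costs are constructed numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float   # exposure factor once the safeguard is in place
    aro_after: float  # annualized rate of occurrence once it is in place


def sle(asset_value: float, ef: float) -> float:
    """Single Loss Expectancy = AV * EF."""
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE * ARO."""
    return sle(asset_value, ef) * aro


def safeguard_value(asset_value, ef, aro, sg: Safeguard) -> float:
    """ALE before - ALE after - annual cost of the safeguard (rounded to cents)."""
    ale_pre = ale(asset_value, ef, aro)
    ale_post = ale(asset_value, sg.ef_after, sg.aro_after)
    return round(ale_pre - ale_post - sg.annual_cost, 2)


def rank_safeguards(asset_value, ef, aro, safeguards):
    """Cost/benefit step: highest net annual benefit first."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in safeguards]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def risk_response(asset_value, ef, aro, safeguards) -> str:
    """Mitigate with the best-paying safeguard; if none pays for itself, accept or transfer."""
    name, value = rank_safeguards(asset_value, ef, aro, safeguards)[0]
    return f"mitigate: {name}" if value > 0 else "accept or transfer"


# Constructed scenario: a file server exposed to ransomware (not from the original notes).
ASSET_VALUE = 200_000.0   # AV in dollars
EF = 0.40                 # 40% of the asset's value lost per incident
ARO = 0.5                 # one incident every two years

SAFEGUARDS = [
    # offline backups shrink the loss per incident but not how often it happens
    Safeguard("offline backups", annual_cost=5_000, ef_after=0.10, aro_after=0.5),
    # endpoint detection cuts how often an incident succeeds, not the loss when it does
    Safeguard("endpoint detection", annual_cost=15_000, ef_after=0.40, aro_after=0.1),
    # a large suite reduces both, but costs more than it saves for this asset
    Safeguard("full DLP suite", annual_cost=45_000, ef_after=0.05, aro_after=0.05),
]


def demo():
    return rank_safeguards(ASSET_VALUE, EF, ARO, SAFEGUARDS)


if __name__ == "__main__":
    print("ALE without safeguards:", ale(ASSET_VALUE, EF, ARO))
    for name, value in demo():
        print(f"{name:20s} net annual value: {value:>10,.2f}")
    print(risk_response(ASSET_VALUE, EF, ARO, SAFEGUARDS))
```

With these inputs the unprotected ALE is $40,000 a year; offline backups net $25,000, endpoint detection $17,000, and the DLP suite is worth less than it costs, which is exactly the "accept when the safeguard costs more than it protects" case from the risk-response list.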
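Step 4 of the threat modeling process above ranks threats by Probability x Impact, and DREAD is listed as a way to score them numerically. The following added example (not from the original notes) scores a few constructed STRIDE-classified threats with DREAD and ranks them two ways: the classic DREAD average, and Probability x Impact where damage and affected users are taken as the impact side and reproducibility, exploitability and discoverability as the probability side. That split is an assumption made for the example, not something the notes prescribe; the threats and scores are invented for illustration.

```python
from dataclasses import dataclass

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str            # STRIDE category the threat falls under
    damage: int            # D: how bad is a successful attack
    reproducibility: int   # R: how reliably can it be repeated
    exploitability: int    # E: how little skill or effort is needed
    affected_users: int    # A: how many users are hit
    discoverability: int   # Di: how easy is it to find

    def __post_init__(self):
        # Every DREAD rating is on a 1..10 scale; reject anything else early.
        for f in DREAD_FIELDS:
            v = getattr(self, f)
            if not 1 <= v <= 10:
                raise ValueError(f"{self.name}: {f} must be 1..10, got {v}")

    def dread_score(self) -> float:
        """Classic DREAD: plain average of the five ratings."""
        return round(sum(getattr(self, f) for f in DREAD_FIELDS) / 5, 2)

    def impact(self) -> float:
        # Assumed split: damage and affected users describe the impact...
        return (self.damage + self.affected_users) / 2

    def probability(self) -> float:
        # ...the other three describe how likely a successful attack is.
        return (self.reproducibility + self.exploitability + self.discoverability) / 3

    def risk(self) -> float:
        """Probability x Impact, the ranking step of the threat model."""
        return round(self.probability() * self.impact(), 2)


def rank(threats, by="risk"):
    """Sort highest first, by Probability x Impact or by the DREAD average."""
    key = Threat.risk if by == "risk" else Threat.dread_score
    return sorted(threats, key=key, reverse=True)


# Constructed threats for a web application (illustration, not from the original notes).
THREATS = [
    Threat("SQL injection in login form", "Tampering", 9, 10, 8, 10, 9),
    Threat("Log forging via unescaped newline", "Repudiation", 4, 9, 7, 3, 6),
    Threat("Admin token kept in localStorage", "Elevation of privilege", 8, 6, 5, 4, 5),
    Threat("Health endpoint reveals versions", "Information disclosure", 2, 10, 9, 10, 10),
]


if __name__ == "__main__":
    print(" risk  dread  threat")
    for t in rank(THREATS):
        print(f"{t.risk():6.2f}  {t.dread_score():5.2f}  [{t.stride}] {t.name}")
```

The two orderings disagree on the bottom two threats: the DREAD average puts log forging ahead of the stored admin token, while Probability x Impact reverses them because the token exposure does more damage when it is exploited. Whichever scale a team chooses, it should be written down and applied consistently, since the ranking drives which defects get fixed first.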
