Domain 5 Objectives
Controls are measures or safeguards put in place to reduce risk and ensure compliance with
policies, procedures, laws, and regulations
Category
Control type
When considering their purpose, the following control types can be found:
Some of the important regulations, standards, and legislation that impact organizational
security posture are:
Some of the important frameworks that impact organizational security posture are:
1. Center for Internet Security (CIS): The Center for Internet Security (CIS) is a nonprofit
organization that is focused on providing cybersecurity solutions to public and private
sector organizations. The CIS has developed a series of security benchmarks, guidelines,
and best practices that are widely recognized and adopted in the industry. These
benchmarks cover a wide range of technology domains, including operating systems,
network devices, cloud infrastructure, and more. The CIS benchmarks are updated
regularly to keep pace with emerging threats and technologies.
2. National Institute of Standards and Technology (NIST) Risk Management
Framework (RMF)/Cybersecurity Framework (CSF): The NIST CSF is a framework
developed by the U.S. government to provide guidance for improving cybersecurity risk
management and resilience.
3. International Organization for Standardization (ISO) 27001/27002/27701/31000: These ISO
standards for information security and risk management provide a systematic approach to
managing sensitive information and ensuring data security.
o ISO 27001: A globally recognized standard for Information Security Management
Systems (ISMS) that provides a framework for managing and protecting
sensitive information using a risk management approach.
o ISO 27002: A code of practice for information security management that provides
guidelines and general principles for initiating, implementing, maintaining, and
improving information security management in an organization.
o ISO 27701: An extension to the ISO 27001 and ISO 27002 standards that provides
guidance on implementing and maintaining a privacy information management
system (PIMS) to support compliance with various privacy regulations and
requirements.
o ISO 31000: A standard for risk management that provides guidelines for
managing risks faced by organizations, including principles, a framework, and a
process for managing risk.
4. SSAE SOC 2 Type I/II: The Statement on Standards for Attestation Engagements
(SSAE) is a set of auditing standards that are used to assess the effectiveness of internal
controls. SOC 2 is a type of SSAE report that focuses on the controls related to security,
availability, processing integrity, confidentiality, and privacy. SOC 2 Type I reports are
designed to evaluate the design of the controls, while SOC 2 Type II reports evaluate
both the design and the operating effectiveness of the controls over a period of time.
5. Cloud Security Alliance: The Cloud Security Alliance (CSA) is a nonprofit organization
that is focused on promoting the use of best practices for secure cloud computing. The
CSA has developed a series of guidance documents, best practices, and other resources
that are designed to help organizations secure their cloud environments. The CSA
Security, Trust & Assurance Registry (STAR) program provides a level of transparency
and accountability in the cloud industry by providing independent third-party
assessments of cloud service providers.
6. Cloud Control Matrix: The Cloud Control Matrix (CCM) is a set of controls that are
designed to help organizations assess the security of cloud computing services. The
CCM is organized into 17 domains that cover a wide range of security considerations,
including data privacy, compliance, risk management, and more. The CCM provides a
framework for organizations to evaluate cloud service providers and to ensure that their
cloud deployments meet their security requirements.
7. Reference Architecture: A reference architecture is a set of standards, guidelines, and
best practices that are designed to help organizations design and implement secure IT
systems. A reference architecture provides a blueprint for designing and deploying IT
systems that are secure, scalable, and reliable. It helps organizations to align their
technology investments with their business objectives and to ensure that their IT
systems meet their security requirements.
Compliance with these regulations, standards, or frameworks can help organizations ensure
that they have effective security controls in place, and can also help demonstrate to customers
and stakeholders that the organization takes security seriously.
Benchmarks, also known as secure configuration guides, are documents that provide guidance
on secure configuration settings for various systems, software, and devices. These
benchmarks are typically created by security organizations, and are based on industry best
practices and standards. The goal of benchmarks is to provide organizations with a set of
recommended security settings that can help improve their security posture and reduce the risk
of cyber threats. By implementing these recommended settings, organizations can reduce the
attack surface of their systems and make it harder for attackers to exploit vulnerabilities.
Personnel
A personnel policy is a set of guidelines and procedures that an organization has in place to
manage the behavior and actions of its employees. It covers a broad range of areas, from
hiring and onboarding to day-to-day operations and separation from the company.
Acceptable use policy: This policy outlines the acceptable use of company resources,
including computers, internet, email, and social media. It informs employees of what is
and is not allowed and what the consequences are if policy is violated.
Job rotation: Job rotation policy involves rotating employees through different job roles
within the organization to provide cross-training and prevent fraud.
Mandatory vacation: A mandatory vacation policy requires employees to take a
minimum amount of time off each year. This policy helps detect fraud or other illegal
activities by giving someone else access to the employee's work during their absence.
Separation of duties: Separation of duties policy requires that no single employee has
control over an entire process or system. This helps prevent fraud, errors, and
unauthorized access.
Least privilege: Least privilege policy limits employee access to the minimum amount
of data and systems necessary to perform their job.
Clean desk space: Clean desk policy requires employees to keep their work area clear of
confidential or sensitive information. This helps prevent unauthorized access to
sensitive information.
Background checks: Background checks policy outlines the procedures for conducting
background checks on potential employees, vendors, and contractors.
Non-disclosure agreement (NDA): NDA policy requires employees to sign an
agreement that they will not disclose company confidential information. This helps
protect the company's sensitive information.
Social media analysis: Social media policy outlines guidelines for employee use of social
media to ensure that employees do not harm the company's reputation.
Onboarding: Onboarding policy outlines the procedures for integrating new employees
into the organization. This includes orientation, training, and support.
Offboarding: Offboarding policy outlines the procedures for separating employees from
the organization. This includes exit interviews, returning company assets, and revoking
access to systems and data.
User training: User training policy outlines the requirements for employee training in
cybersecurity awareness, including gamification, capture the flag exercises, phishing
campaigns and simulations, computer-based training (CBT), and role-based training.
o Gamification: Gamification is the use of game elements such as points, rewards,
and competition to make learning cybersecurity awareness more engaging and
enjoyable for employees.
o Capture the flag: Capture the flag exercises are cybersecurity challenges that
simulate real-world attacks to teach employees about vulnerabilities and threats.
o Phishing campaigns and simulations: Phishing campaigns and simulations are
training exercises that simulate phishing attacks to teach employees how to
recognize and respond to them.
o Computer-based training (CBT): CBT is a form of training that uses interactive
computer-based modules to teach employees cybersecurity awareness.
o Role-based training: Role-based training is customized cybersecurity awareness
training based on an employee's job role and level of access to systems and data.
Diversity of training techniques refers to the use of various methods and approaches to
provide training and education to individuals in an organization. This can include traditional
classroom-style training, computer-based training (CBT), role-playing, gamification, and
simulations, among others. The use of a variety of training techniques can help to engage
individuals with different learning styles, promote active learning, and enhance knowledge
retention. It can also help to make training more interesting and enjoyable for individuals,
increasing their motivation to participate and learn.
Third-party risk management policies refer to the set of policies and procedures that an
organization uses to manage the risks associated with its relationships with external entities,
such as vendors, suppliers, business partners, and contractors.
Third-party risk management policies typically cover the following areas:
Data
Data policies are guidelines and procedures that an organization implements to manage data
effectively and securely. Here are some elaborations on three types of data policies:
1. Classification: This policy outlines how data should be categorized based on its
sensitivity, value, and criticality. Classification enables an organization to identify and
prioritize protection measures based on the level of risk and potential impact if the data
is compromised.
2. Governance: This policy defines how data should be collected, stored, managed, and
used across the organization. It ensures that data is used ethically and legally and is
compliant with relevant laws and regulations. Data governance policies help to maintain
the quality, accuracy, completeness, consistency, and security of data throughout its
lifecycle.
3. Retention: This policy specifies how long data should be retained, where it should be
stored, and when it should be deleted or destroyed. Retention policies help
organizations to manage their legal and regulatory compliance obligations, minimize
risks and liabilities, and optimize data storage and usage. Retention policies may vary
depending on the type and classification of data, as well as the industry and jurisdiction.
Overall, data policies provide a framework for effective data management and protection, and
they should be regularly reviewed and updated to reflect changes in business, technology, and
regulatory environments.
Credential policies
Credential policies are guidelines and procedures that organizations implement to protect
their credentials and sensitive data from unauthorized access, theft, or misuse. They include
policies for managing, storing, and protecting passwords, usernames, and other forms of
credentials used to access the organization's information systems. The following are some of the
credential policies and their elaborations:
Personnel: The personnel credential policy defines guidelines for creating and managing
employee credentials, such as usernames, passwords, and security questions. This policy
includes guidelines for password complexity, minimum password length, password
expiration, and password reuse. It also includes guidelines for access control and
authentication, such as the use of multifactor authentication (MFA) and biometric
authentication.
Third-party: The third-party credential policy defines guidelines for managing third-party
vendor credentials, such as usernames and passwords used to access the
organization's systems. This policy includes guidelines for vetting vendors and assessing
their security controls, as well as guidelines for managing and monitoring third-party
access to the organization's systems.
Devices: The device credential policy defines guidelines for managing device
credentials, such as usernames and passwords used to access network devices and
endpoints. This policy includes guidelines for managing default credentials, ensuring
secure storage of device credentials, and implementing password complexity and
expiration policies.
Service accounts: The service account credential policy defines guidelines for managing
service account credentials used by applications and services. This policy includes
guidelines for managing and rotating service account passwords, ensuring secure
storage of service account credentials, and limiting access to service accounts.
Administrator/root accounts: The administrator/root credential policy defines
guidelines for managing administrative account credentials, such as usernames and
passwords used to access critical systems and data. This policy includes guidelines for
implementing strong password policies, limiting the use of administrative accounts, and
monitoring administrative account access for unauthorized activity.
Organizational policies
Organizational policies are a set of guidelines and procedures that govern the activities and
behavior of an organization's employees. These policies provide a framework for decision-making
and ensure that the organization operates in a consistent and efficient manner. Two
important types of organizational policies are change management and asset management.
Asset management is the process of tracking and managing the organization's IT assets,
including hardware, software, and data. This includes asset inventory, tracking asset
utilization, and ensuring that assets are properly secured and maintained throughout their
lifecycle.
Risk types
Risk types refer to the various categories or classifications of potential risks that
organizations face. Each type of risk presents unique challenges and requires specific strategies
and controls to mitigate.
1. External risks: These are risks that originate outside of the organization, such as natural
disasters, cyber attacks, or economic downturns.
2. Internal risks: These are risks that arise from within the organization, such as employee
theft, fraud, or mismanagement.
3. Legacy systems risks: These are risks that arise from the use of outdated technology or
systems, which can be vulnerable to security threats or may fail to meet compliance
requirements.
4. Multiparty risks: These are risks that arise from interactions with third-party vendors,
partners, or other entities, such as supply chain disruptions or vendor breaches.
5. IP theft risks: These are risks that arise from the theft or unauthorized use of intellectual
property, such as trade secrets or patents.
6. Software compliance/licensing risks: These are risks that arise from noncompliance
with software licensing agreements, which can result in legal penalties or financial
losses.
Each of these risk types requires specific controls and strategies to manage and mitigate their
potential impact on the organization.
1. Risk acceptance: This strategy involves accepting the potential consequences of a risk
and making a decision to do nothing about it. This can be appropriate when the cost of
addressing the risk is higher than the potential impact of the risk.
2. Risk avoidance: This strategy involves avoiding or eliminating the risk altogether. For
example, an organization might decide not to pursue a particular business opportunity
if it involves a risk that is considered too high.
3. Risk transference: This strategy involves transferring the risk to another party. This can
be done through various means, including purchasing insurance, outsourcing the risk to
a third-party vendor, or entering into a contract with another party that specifies the
allocation of risk.
4. Risk mitigation: This strategy involves implementing controls or other measures to
reduce the likelihood or impact of a risk. This can include implementing technical
controls, developing policies and procedures, or providing employee training.
Risk analysis
Risk analysis is the process of identifying, assessing, and evaluating potential risks to an
organization's assets, systems, operations, and objectives. It is an important aspect of
information security management that helps organizations identify vulnerabilities and develop
strategies to mitigate risk. The following are some key terms related to risk analysis:
Risk register: A document that lists all identified risks, including their likelihood,
impact, and associated risk mitigation strategies.
Risk matrix/heat map: A visual representation of the likelihood and impact of various
risks, used to prioritize risks for mitigation.
Risk control assessment: An evaluation of the effectiveness of existing risk controls and
their ability to reduce or eliminate risk.
Risk control self-assessment: A self-assessment process used by individuals or teams to
identify and assess risks within their areas of responsibility.
Risk awareness: The level of awareness and understanding of risks within an
organization, including the potential consequences of a risk event.
Inherent risk: The level of risk before any controls or mitigation strategies are
implemented.
Residual risk: The level of risk remaining after controls or mitigation strategies have
been implemented.
Control risk: The risk that a control will fail or not operate as intended.
Risk appetite: The level of risk that an organization is willing to accept in pursuit of its
objectives.
Regulations that affect risk posture: Laws, regulations, or industry standards that
impact an organization's risk posture or risk management strategies.
Risk assessments: Two types of risk assessment methods used to evaluate risks.
Qualitative risk assessments involve subjective judgments and opinions, while
quantitative risk assessments involve the use of mathematical calculations and objective
data to determine risk levels.
Likelihood of occurrence: The probability or chance that a risk event will occur.
Impact: The effect or consequence of a risk event on an organization's assets, systems,
operations, or objectives.
Asset value: The estimated value of an organization's assets, including physical assets,
intellectual property, and data.
Single-loss expectancy (SLE): The estimated monetary loss associated with a single
occurrence of a risk event.
Annualized loss expectancy (ALE): The estimated annual monetary loss associated with
a risk event, calculated by multiplying the SLE by the annualized rate of occurrence.
Annualized rate of occurrence (ARO): The estimated number of times a risk event will
occur in a given year.
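To put the SLE/ARO/ALE terms above and the accept-versus-mitigate choice from the risk strategies list into working form, here is an added Python example (not from the original notes). It assumes SLE = asset value x exposure factor and a simple rule that a control is funded only when the ALE it removes exceeds its annual cost; the register entries, exposure factors and costs are constructed sample data.

```python
# Added example (not from the original notes): a small quantitative risk
# register applying the SLE / ARO / ALE definitions above and the
# mitigate-vs-accept decision from the risk strategies section.
# Assumed, not stated in the notes: SLE = asset value * exposure factor (EF),
# and a control is worth funding when (inherent ALE - residual ALE) exceeds
# its annual cost. All figures are constructed sample data.
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    asset_value: float      # estimated value of the affected asset
    exposure_factor: float  # fraction of asset value lost per event (assumed input)
    aro: float              # annualized rate of occurrence (events per year)
    likelihood: int         # qualitative 1..5 rating for the heat map
    impact: int             # qualitative 1..5 rating for the heat map

@dataclass
class Control:
    name: str
    annual_cost: float      # yearly cost of operating the control
    aro_after: float        # ARO once the control is in place
    ef_after: float         # exposure factor once the control is in place

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    # SLE: monetary loss from a single occurrence of the event
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    # ALE = SLE * ARO, as defined in the notes
    return sle * aro

def heat_map_rating(likelihood: int, impact: int) -> str:
    # Qualitative risk matrix: likelihood x impact on a 1..5 scale
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def inherent_ale(risk: Risk) -> float:
    # Inherent risk: before any control is applied
    sle = single_loss_expectancy(risk.asset_value, risk.exposure_factor)
    return annualized_loss_expectancy(sle, risk.aro)

def residual_ale(risk: Risk, control: Control) -> float:
    # Residual risk: after the control lowers ARO and/or exposure factor
    sle = single_loss_expectancy(risk.asset_value, control.ef_after)
    return annualized_loss_expectancy(sle, control.aro_after)

def control_value(risk: Risk, control: Control) -> float:
    # Annual loss avoided by the control, net of its cost (assumed decision rule)
    return inherent_ale(risk) - residual_ale(risk, control) - control.annual_cost

def register_entry(risk: Risk, control: Control) -> dict:
    # One risk-register row: quantitative figures, heat-map rating and decision
    value = control_value(risk, control)
    return {
        "risk": risk.name,
        "rating": heat_map_rating(risk.likelihood, risk.impact),
        "inherent_ale": inherent_ale(risk),
        "control": control.name,
        "residual_ale": residual_ale(risk, control),
        "control_value": value,
        # Mitigate only when the control pays for itself; otherwise accept the risk
        "decision": "mitigate" if value > 0 else "accept",
    }

# Constructed sample data (not real figures); exposure factors are binary-exact
# fractions so the arithmetic is exact.
SAMPLE_REGISTER = [
    (Risk("ransomware on file server", 800_000, 0.25, 0.5, 3, 5),
     Control("offline backups + EDR", 30_000, 0.25, 0.125)),
    (Risk("defacement of marketing site", 4_000, 0.25, 1.0, 4, 1),
     Control("managed WAF subscription", 5_000, 0.25, 0.25)),
]

def build_register(pairs=SAMPLE_REGISTER) -> list:
    return [register_entry(risk, control) for risk, control in pairs]

if __name__ == "__main__":
    for row in build_register():
        print(f"{row['risk']:<30} {row['rating']:<6} ALE={row['inherent_ale']:>9,.0f} "
              f"residual={row['residual_ale']:>8,.0f} -> {row['decision']}")
```

Running it shows the ransomware entry rated high with ALE 100,000 falling to a residual 25,000 for a 30,000 control (mitigate), while the defacement entry's 5,000 control costs more than the 750 of ALE it removes (accept).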
Disasters
Disasters are events or incidents that can have significant and negative impacts on
individuals, organizations, and society. Disasters can be caused by a wide range of factors,
including natural phenomena, human error, or malicious activities.
Some common types of disasters include environmental, person-made, internal and external.
Environmental disasters are caused by natural events such as earthquakes, hurricanes, floods,
or wildfires. These disasters can have a significant impact on infrastructure, supply chains, and
the economy, as well as on human life and the environment.
Person-made disasters, on the other hand, are caused by human activities such as accidents,
negligence, or intentional actions. These disasters can include things like industrial accidents,
transportation accidents, and cyberattacks.
Internal disasters are those that occur within an organization, such as data breaches, insider
threats, or system failures. External disasters, on the other hand, are events that occur outside
of an organization but can still have a significant impact on it, such as natural disasters or
terrorist attacks.
It is important for organizations to have disaster recovery and business continuity plans in
place to minimize the impact of disasters and ensure that critical business functions can
continue in the event of an unexpected disruption.
Business impact analysis (BIA) is a process used to identify and evaluate the potential effects
of disruptions to business operations. The BIA assesses the impact of disruptions on critical
business functions, systems, and processes, and identifies the recovery time objectives (RTO)
and recovery point objectives (RPO) necessary to resume normal business operations.
Here are some key terms related to BIA:
Recovery time objective (RTO): the maximum amount of time allowed for the
restoration of critical business processes after a disruption.
Recovery point objective (RPO): the maximum amount of data loss that can be
tolerated in the event of a disruption.
Mean time to repair (MTTR): the average time it takes to repair a failed system or
component.
Mean time between failures (MTBF): the average time between failures of a system or
component.
Functional recovery plans: plans for restoring critical business processes and systems in
the event of a disruption.
Single point of failure: a component or system that, if it fails, would cause a critical
business process to fail.
Disaster recovery plan (DRP): a plan for recovering critical systems and data in the
event of a disaster.
Mission essential functions: the critical functions and processes that an organization
must perform to achieve its mission.
Identification of critical systems: the identification of the systems and processes that are
critical to an organization's operations.
Site risk assessment: an assessment of the potential risks that could affect an
organization's facilities, including natural disasters, man-made disasters, and other
hazards.
Organizational consequences of privacy and data breaches can be severe and can result in a
wide range of negative impacts. These consequences can include:
Notifications of breaches
Notification of a breach refers to the process of informing individuals and entities whose data
may have been affected by the breach. Notification is a critical component of breach response,
as it helps to minimize the potential damage caused by a breach and to restore trust with
affected parties.
Public notifications and disclosures are another method of breach notification, which involves
informing the public or affected parties about a breach through public channels. This may
include issuing press releases, posting notifications on websites or social media, or sending out
email or text notifications. Public notification is typically required by law in many jurisdictions,
and it is often used to inform affected parties about the steps they can take to protect themselves
from potential harm resulting from the breach.
Data types
Privacy-enhancing technologies (PETs) refer to a set of tools, techniques, and approaches that
can be used to protect and enhance privacy in information systems and networks. These
technologies aim to provide effective privacy protection while still allowing for the use and
sharing of data.
Data minimization: The principle of collecting, processing, and storing only the
minimum amount of data necessary to achieve a specific purpose or goal.
Data masking: A technique used to obscure or mask sensitive data by replacing it with
nonsensitive data or symbols. This technique can be used to protect data during storage
or transmission.
Tokenization: A process that replaces sensitive data with a randomly generated token
or reference number. This technique is commonly used in payment card systems to
protect cardholder data.
Anonymization: The process of removing or altering identifying information from data
so that individuals cannot be re-identified. Anonymization techniques may include
removing names, addresses, or other identifying information from data sets.
Pseudo-anonymization: A technique used to replace identifying information with a
pseudonym or unique identifier. This technique is commonly used in health care
systems to protect patient privacy.
PETs can help organizations comply with privacy laws and regulations, protect sensitive data,
and maintain customer trust. However, it's important to note that PETs are not foolproof and
can still be subject to attacks or breaches. Therefore, it's crucial to implement a comprehensive
security strategy that includes PETs as well as other security measures such as access controls,
encryption, and monitoring.
Roles and responsibilities refer to the various individuals or positions within an organization
that have specific duties related to the handling of data. These roles and responsibilities are
important for ensuring that data is managed and protected in accordance with relevant laws
and regulations. Some of the key roles and responsibilities related to data privacy and
protection include:
Data owners: Individuals or groups within an organization who are responsible for the
overall management and security of data, including ensuring that it is accurate, up-to-date,
and properly secured.
Data controller: An individual or organization that determines the purposes and means
of processing personal data. The data controller is responsible for ensuring that data
processing is carried out in compliance with applicable laws and regulations.
Data processor: An individual or organization that processes personal data on behalf of
a data controller. The data processor is responsible for ensuring that data processing is
carried out in accordance with the instructions of the data controller and applicable laws
and regulations.
Data custodian/steward: Individuals within an organization who are responsible for the
day-to-day management and security of data, including ensuring that it is properly
stored, accessed, and maintained.
Data protection officer (DPO): An individual within an organization who is responsible
for ensuring compliance with data protection regulations, including GDPR. The DPO is
responsible for advising on data protection matters, monitoring compliance, and serving
as a point of contact for data subjects and regulatory authorities.
The information life cycle refers to the stages that data and information go through from their
creation to their eventual disposal. It encompasses the processes and procedures involved in
the creation, collection, use, storage, dissemination, archiving, and destruction of information
assets.
Effective management of the information life cycle is essential to ensure the confidentiality,
integrity, and availability of information assets throughout their entire life cycle.
Impact assessment
Impact assessment is the process of evaluating the potential consequences and effects of a
specific event or incident on an organization or system. It involves analyzing the various
aspects of the event or incident, such as the scope, severity, duration, and likelihood of
occurrence, in order to determine the potential impact on the organization's operations, assets,
personnel, reputation, and other key areas. The goal of an impact assessment is to identify and
prioritize the risks associated with the event or incident, and to develop strategies and plans to
mitigate those risks and minimize the impact on the organization. Impact assessments are
commonly used in the context of disaster planning, risk management, and information security.
Terms of agreement
Terms of agreement, also known as terms of service or terms and conditions, refer to the legal
agreement between a service provider and its customers or users that outlines the terms and
rules of using the service. The terms of agreement typically cover important information such
as the acceptable use policy, payment terms, liability limitations, disclaimers, intellectual
property rights, termination and cancellation policies, and privacy policies. By accepting the
terms of agreement, users agree to abide by the rules and guidelines set forth by the service
provider, and failure to comply with these terms may result in account suspension or
termination.
Privacy notice
A privacy notice is a public statement that informs individuals about how an organization
collects, uses, and protects their personal information. It is typically a document posted on the
organization's website or provided to individuals when they provide their personal
information. A privacy notice typically includes information such as the types of personal
information collected, the purposes for which the information is used, how it is shared with
third parties, and the measures taken to secure the information. The privacy notice is an
important part of an organization's privacy program, as it helps build trust with individuals by
providing transparency about how their personal information is handled.