Certified Information Systems

Security Professional (CISSP)

Certification Training Course
Domain 01: Security and Risk Management
 Learning Objectives

By the end of this lesson, you will be able to:

Recognize the importance of information security management

Describe security policy implementation

Describe information risk management

Define personnel security and security function management

process

Define computer crime

Explain the BCP process

Introduction to Domain 1: Security and Risk Management
Importance of Information Security and Risk Management

Kevin Butler is a Security Administrator in the network firewalls

division at Nutri Worldwide Inc. He must prepare for the CISSP exam.
He starts his preparation by reading a historical case of a competitor.

The competitor company had failed to understand the importance of

information security. The company had planned their Business
Continuity Plan (BCP) without continuous involvement of IT.
IT security input was taken without the team playing an active role.
The BCP was weak in the area of IT security. When the headquarters
of the competitor company was hit by a tornado, there was a huge
information leak as data protection measures were not well planned
at the time of the natural disaster. The IT department tried their best
to prevent this. The company faced major losses, which led them to
file for bankruptcy within a few years.
 Introduction to Information Security

Information security is the process of protecting information and information systems

from the following:

Unauthorized disclosure,
access, and use Disruption
Information
Security

Destruction Modification

Deletion
 Introduction to Information Security

Factors that impact information security:

Business plans and general

Technology
business environment

• Platforms and tools used • Nature of business

• Network connectivity • Risk tolerance

• Level of IT complexity • Industry trends

• New or emerging security tools • Merger acquisitions and partnership

• Operational support for security • Outsourcing service or providers

 Cybersecurity
What is Cybersecurity?
• Cybersecurity refers to anything
intended to protect enterprises from
intentional attacks, breaches, incidents,
and consequences
• It can also be defined as the protection
of information assets by addressing
threats to information processed,
stored, and transported by
internetworked information systems
Why is Cybersecurity important?
• Due to technological advancement, the
rate of cybercrime is increasing
• As most of the business happens
online these days, there is an
increasing demand to protect this data
• Presence of crime syndicates
• Cyber armies
• Financial fraud
 Difference between Information Security and Cybersecurity
Information Security
• Information security deals with
information regardless of its format.
• It encompasses paper documents,
digital data, and intellectual property.
Cybersecurity
• It can be defined as the protection of
information assets by addressing
threats to information processed,
stored, and transported by
internetworked information systems.
• Cybersecurity is a component of
information security.
 Terrifying Cybercrime Statistics

Recent trends which make Cybersecurity more important:

• During the first six months of 2018, more than 25 million

records were compromised or exposed every day
• Over 24,000 malicious mobile apps are blocked daily
• Ransomware attacks on the healthcare industry will quadruple
• Cybercrime to cost $6 trillion by 2021
• 300 billion passwords worldwide by 2020
• More than 60% of fraud originates from mobile devices
• Personal data sells for as little as $0.20
• 90% of hackers use encryption
 Approaches to Cybersecurity

Compliance based Ad hoc

Relies on regulations or This approach simply

standards to determine implements security with no
security implementation rationale or criteria

Risk based
This approach relies on identifying
the unique risk a particular
organization faces and designing
and implementing security
controls to address that risk
Understand, Adhere to, and Promote Professional Ethics
 (ISC)2 Code of Professional Ethics

The (ISC)2 Code of Professional Ethics has two categories:

• The safety and welfare of society and the common good, duty to
our principles, and to each other, requires that we adhere, and be
Code of Ethics
seen to adhere, to the highest ethical standards of behavior.
Preamble
• Therefore, strict adherence to this Code is a condition of
certification.

• Protect society, the common good, necessary public trust and

confidence, and the infrastructure.
Code of Ethics • Act honorably, honestly, justly, responsibly, and legally.
Canons
• Provide diligent and competent service to principles.
• Advance and protect the profession.
 Organizational Code of Ethics

A code of ethics provides a

Ethics are the principles and
values used by an individual to
govern his or her actions and
decisions.
An organization code of ethics
general understanding of the
expresses the overarching
ethical or moral responsibilities
principles or ideals that guide an
that the governing body,
organization’s decisions and
employees, and volunteers are
actions when conducting
expected to meet while working
operations and service delivery.
for the organization.

A code of ethics can help your organization to:

• Show customers that • Define the terms of ethical • Guide decision-making

it values integrity standard of behavior at work in difficult situations
Understand and Apply Security Concepts
 Role and Importance of CIA in Information Security

Confidentiality, Integrity, and Availability (CIA) have served as the industry

standard for computer security since the time of the first mainframes.

Integrity

Availability

Confidentiality

CIA Triad: The three principles of security

 Confidentiality

The principle of confidentiality asserts that information and functions can be accessed only by
authorized parties.

Example: Military secrets

Threats to Confidentiality:
• Hackers
• Masqueraders Integrity

• Unauthorized user activity

• Unprotected files downloaded
Availability
Availability
• Unprotected networks
• Unauthorized programs Confidentiality

• Social engineering attacks

 Integrity

The principle of integrity asserts that information and functions can be added, altered, or removed
only by authorized people and means.

Example: Incorrect data entered by the user into a database

Threats to Integrity:
• Hackers
• Masqueraders Integrity
• Unauthorized user activity
• Unprotected files downloaded
Availability
Availability
• Unprotected networks
• Unauthorized programs Confidentiality

• Social engineering attacks

• Authorized subjects corrupting data and programs
accidentally or intentionally
 Availability

The principle of availability asserts that systems, functions, and data must be available on-demand
according to the agreed-upon parameters based on levels of service.

Example: Network Load Balancing

Threats to Availability:
• Denial of service
• Distributed denial of service attacks Integrity

• Natural disasters like fire, floods, storms, or earthquakes

• Human actions like bombs or strikes
Availability
Availability
Confidentiality
Evaluate and Apply Security Governance Principles
 Information Security Management

• Information Security Management describes the controls

that an organization needs to implement to ensure that it
is sensibly protecting the confidentiality, availability, and
integrity of assets from threats and vulnerabilities.
Information
Security • It also includes information risk management which is a
Management process that involves the assessment of the risks an
organization must deal with in order to manage and
protect the assets, as well as the dissemination of other
risks to all appropriate stakeholders.
 Information Security Management

Information security management ensures

the implementation of the following:

• Information security policies

• Standards
• Procedures
• Guidelines
• Baselines
• Information classification
• Risk management
• Security organization
• Security education
 Information Security Governance

Major Focus of Governance

Risk Resource Performance Strategic Delivery

Management Management Measures Alignment
 Information Security Governance

Information Security Governance is intended to guarantee

Risks are reduced

Appropriate information verifying

that security activities are being
performed

Information security
investments are
appropriately directed

The executive management can

determine program effectiveness
 Governance, Risk Management, and Compliance (GRC)

GRC stands for Governance, Risk Management,

and Compliance.

The GRC of every organization is different and

varies based on the type of organization.

G R C It depends on an organization’s mission (business),

GOVERNANCE RISK COMPLIANCE size, industry, culture, and legal regulations.

Introduction to GRC
Ultimate responsibility of GRC program is to
protect their assets and operations, including
their IT infrastructure and information.
 Governance, Risk Management, and Compliance (GRC)

Governance

Governance is the responsibility of

the board of directors and senior
management of the organization.
 Governance, Risk Management, and Compliance (GRC)

Ascertain whether risk A governance program

is being managed has several goals
appropriately

Verify that the

organization’s resources Ensure that objectives are
are being used responsibly achieved

Provide strategic direction

 Governance, Risk Management, and Compliance (GRC)

• Risk Management is the process by which an organization

manages risk to acceptable levels.
• It requires the development and implementation of internal
Risk Management
controls to manage and mitigate risk throughout the
organization, including financial and investment risk,
physical risk, and cyber risk.

• Compliance is the act of adhering to, and the ability to

demonstrate adherence to, mandated requirements defined
Compliance by laws and regulations.
• It also includes voluntary requirements resulting from
contractual obligations and internal policies.
 Business Scenario

Kevin is studying the importance of Information Security Governance and Management.

• Governance is associated with providing an oversight, enacting policies,

establishing accountability, and planning resources and strategies.
• Management on the other hand involves implementing strategies, enforcing
policies, handling responsibilities, and planning resources and the project.

Doing the right thing is Management; doing things right is Governance.

Question: Is this statement true?

 Business Scenario

Kevin is studying the importance of Information Security Governance and Management.

• Governance is associated with providing an oversight, enacting policies,

establishing accountability, and planning resources and strategies.
• Management on the other hand involves implementing strategies, enforcing
policies, handling responsibilities, and planning resources and the project.

Doing the right thing is Management; doing things right is Governance.

Question: Is this statement true?

Answer: It is not true. The correct statement would be: Doing the right thing is Governance. Doing
things right is Management.
IT Security and Organizational Goals, Mission, and Objectives

Goal, mission, and objective:

Define what the Help in creating Indicate how it will

organization long term and proceed to achieve
desires to achieve short-term strategies them
 Goals, Mission, and Objectives

The definition of goals, mission, and objectives is as follows:

Objectives Mission Goals

The map used to Provides the overall A statement of the

reach the goals of context for what the organization’s purpose
the organization organization wants to and reason for
accomplish existence
 Aligning Security with Goals, Mission, and Objectives

Information security can be aligned with organizational goals, mission, and objectives in two ways.

Reducing Risk Senior Management Support

• Protect the organization’s assets and • It aids security professionals to be

processes through appropriate involved in and influence the
activities and controls. organization’s core activities.

• It also helps to identify priority tasks

• Be aware of IT assets and goals,
and divert resources to achieving
mission, and objectives of the
security goals.
organization.
 Business Scenario

Kevin has understood the importance of the mission, goals, and objectives of
his organization and the importance of aligning its security to these.
He read the following statement on the company website.

“Nutri Worldwide Inc. will pursue and foster opportunities for growth and
enrichment for its employees and stakeholders with the customer being the
focal point.”

Question: Is this a mission, goal, or objective statement?

 Business Scenario

Kevin has understood the importance of the mission, goals, and objectives of
his organization and the importance of aligning its security to these.
He read the following statement on the company website.

“Nutri Worldwide Inc. will pursue and foster opportunities for growth and
enrichment for its employees and stakeholders with the customer being the
focal point.”

Question: Is this a mission, goal, or objective statement?

Answer: It is a mission statement.
 Control Framework

• Control framework is a data structure that

comprises a set of an organization's internal
controls, that is, the practices and strategies built to
enhance business processes and minimize risk.

• It is a set of controls that protects data within the IT

infrastructure of a business or another entity.

• The control framework acts as a comprehensive

security protocol that protects against fraud or theft
from a spectrum of outside parties, including
hackers and other kinds of cyber-criminals.

• Example:
o COBIT (Control Objectives for Information and
Related Technologies)
o ISO 17799/27001
Control Objectives for Information and Related Technologies (COBIT)

• Issued by ISACA® (Information Systems Audit and Control

Association), which is a nonprofit organization for IT governance
COBIT
• Main function of COBIT is to help a company map their IT
process to ISACA® best practices and standards

• Meeting stakeholder needs

• Covering the enterprise end-to-end
COBIT Principles • Applying a single integrated framework
• Enabling a holistic approach
• Separating governance from management
 ISO 27001:2013

ISO/IEC 27001 ISO 27001 Domains

• An internationally recognized and • Security policies

structured methodology dedicated to
information security
• A management process to evaluate,
implement, and maintain an information
security management system (ISMS)
• A comprehensive set of controls
comprised of the best practices in
information security
• Organization of information security
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development, and
maintenance
 ISO 27001:2013

ISO/IEC 27001 ISO 27001 Domains

• Can be applicable to all industry sectors • Supplier relationships

• Emphasizes prevention • Information security incident

management
• ISO 27001 has 114 controls mapped to
14 security domains • Information security aspects of business
continuity management

• Compliance
 Due Care

It’s a legal term. It pertains to the legal duty of the organization. Lack of due care is
considered negligence.

Due care shows that a company has:

Taken responsibility Taken necessary steps Taken reasonable care

for the activities that to protect the company, in protecting the
take place within the its resources, and its organization
corporation employees from
possible threats
 Due Care: Examples

Training employees in Mandating statements from the Deploying firewalls in

security awareness employees stating that they have the organization
read and understood appropriate
computer behavior
 Due Diligence

Due diligence might not be legally liable. It:

• Is the act of understanding and investigating

the risks the company faces
• Means practicing the activities that maintain
the due care efforts
• Pertains to the best practices that a company
should follow
 Due Diligence: Examples

In the case of firewalls, security

Ensuring that the security controls controls should be regularly
are regularly monitored and monitored and rules should be
frequently updated updated depending on the
requirement
Determine Compliance and Other Requirements
 Service-Level Agreement

Service-level agreement (SLA) is a formally defined level of service provided by an organization.

Service Requirements
SLAs may be defined for:

• Security incident response

• Security alert delivery
SLA
• Security investigation
• Policy and procedure review

Service Delivery

Client Provider
 Managing Third-Party Governance

Outsourcing is the subcontracting of a business process to a third-party company.

• Loss of control of confidential information

• Accountability
Risks Associated • Compliance
with Outsourcing

• On-site assessment
• Document exchange and review
Secure • Policy and process review
Outsourcing
Offshoring: Privacy Requirements and Compliance

• Offshoring is outsourcing to another country.

• Offshoring can increase privacy and regulatory issues.

Example: Data offshored to India by a U.S medical

transcription organization is less secure.

• Health Insurance Portability and Accountability Act

(HIPAA) certification is a major regulation covering
healthcare data in the United States.
• A good contract ensures that regulations and laws
governing privacy are followed both in and beyond a
country’s jurisdiction.

Example: The Indian company to which the U.S. Medical

Transcription organization’s data is offshored can agree
to follow HIPAA rules via a contract.
Understand Legal and Regulatory Issues that Pertain to Information
Security in a Holistic Context
 Computer Crimes

Cybercrime: Definition

Cybercrimes are defined as offences that

are committed against individuals or groups
of individuals with a criminal motive to
intentionally harm the reputation of the
victim or cause physical or mental harm to
the victim directly or indirectly, using
modern telecommunication networks, such
as the Internet, through chat rooms, emails,
notice boards, groups, and mobile phones
through SMS or MMS.
 Introduction to Computer Crimes

• Any crime that involves a computer and a network.

• Computer-related crimes have increased due to
the:
o Connectivity of the Internet
o Low costs of computational resources
• Examples: Cracking, copyright infringement, child
pornography, and child grooming
 Introduction to Intellectual Property (IP) Law

• Intellectual property laws are designed to protect both the tangible and intangible items
and properties.
• The main goal is to protect properties from those who want to copy or use it without due
compensation to the inventor or creator.

IP Law Categories

Industrial Property Copyright

Novels, poems, plays, films,

Inventions or patents,
musical works, drawings,
trademarks, industrial
paintings, photographs,
designs, and geographical
and sculptures and
indications of source
architectural designs
 Types of Intellectual Property (IP) Law
Patent
• A patent grants the owner a legally
enforceable right to exclude others from
practicing the invention.
• A patent is applicable for 20 years.
• A patent protects new, useful, and
nonobvious inventions.
• After the expiry of a patent, the invention
is open to the public domain.
• Three requirements that need to be
satisfied are:
o The invention should be new and an
original idea
o The invention must be useful
o The invention must not be obvious
Trademark
• Trademark laws protect the goodwill a
merchant or vendor invests in the
products.
• A trademark grants exclusive rights to the
owner of the trademark.
• A trademark consists of any word, name,
symbol, color, sound, product shape,
device, or a combination of these.
• Trademarks are registered with a
government registrar.
• One trademark must not be similar to
another trademark.
• The trademark should not be descriptive
of the goods or service that you will offer.
 Types of Intellectual Property (IP) Law
Copyright
Copyright
• A copyright covers the expression of ideas
• It usually protects artistic properties, such
as writing, recordings, databases, and
computer programs.
• The duration of protection is longer.
• Works of one or more authors are protected
until 70 years after the death of the last
surviving author.
• Anonymous works are provided protection
for 95 years from the first publishing date or
120 years from the date of creation,
whichever is shorter.
Trade Secret
Trade Secret
• Trade secret law protects certain types of
information or resources from
unauthorized use or disclosure.
• A trade secret is something that is
proprietary to a company and important for
its survival and profitability.
• Examples include the formula used for a
soft drink such as Coke or Pepsi, a new form
of mathematics, the source code of a
program, or a method of making the perfect
jellybean.
• You can protect a trade secret by having
your own control structures depending on
the type of trade secret and by making your
employees sign an NDA.
 Digital Millennium Copyright Act (DMCA)
Digital Millennium
Copyright Act (DMCA)
• The Digital Millennium Copyright Act (DMCA)
is a controversial United States digital rights
management (DRM) law. The intent behind
DMCA was to create an updated version of
the copyright laws to deal with the special
challenges of regulating digital material.
• Nonprofit organizations are exempted from
this act.
DMCA Takedown Notice
• It is a notification given to a company,
usually a web host or a search engine,
that they are either hosting or linking to
copyright-infringing material. It
provides them a notice to remove the
copyrighted works.
 Types of Intellectual Property (IP) Laws

• Software licenses are a contract between the provider of a software and the consumer.
• The four categories of software licensing are:
o Contractual license agreement: It is a written contract between the software vendor
and the customer.
o Shrink-wrap license: A shrink-wrap license is an end-user agreement (EULA) that is
enclosed with a software in a plastic-wrapped packaging. Once the end-user opens
Licenses the packaging, the EULA is in effect.
o Clickwrap license: This type of agreement is often used in connection with software
licenses. Most clickwrap agreements require the end-user to manifest his or her
assent by clicking an OK or agree button on a dialog box or a pop-up window.
o Cloud services license agreement: It is similar to a clickwrap agreement and is
mainly concentrated on the services provided by cloud vendors.
 Business Scenario

Kevin Butler was studying about intellectual property laws as a part of his
preparation for the CISSP exam. While studying the topic, he remembered a
recent case in which his organization had successfully won a lawsuit against a
competitor organization.

The case in question was regarding the use of Nutri Worldwide Inc.’s
product name for a similar product by the competitor organization.
The court gave its verdict in favor of Nutri Worldwide Inc., and the opposite
party had to pay a heavy fine.

Question: Under which type of IP law was the lawsuit filed?

 Business Scenario

Kevin Butler was studying about intellectual property laws as a part of his
preparation for the CISSP exam. While studying the topic, he remembered a
recent case in which his organization had successfully won a lawsuit against a
competitor organization.

The case in question was regarding the use of Nutri Worldwide Inc.’s
product name for a similar product by the competitor organization.
The court gave its verdict in favor of Nutri Worldwide Inc., and the opposite
party had to pay a heavy fine.

Question: Under which type of IP law was the lawsuit filed?

Answer: The dispute was over the violation of Nutri Worldwide Inc.’s trademark.
 Import or Export Controls and Transborder Data Flow

Following are the basic concepts of import or export controls and transborder data flow:

Import or Export Controls Transborder Data Flow

• They ensure that software complies • It involves transfer of data from one
with the local laws. country to another.

• A few software applications are illegal • An information security professional

to import or export, for example an should understand the jurisdiction
encryption software. over the data when it moves from
one country to the other.
• The United Nations Security Council
(UNSC) can impose sanctions on any
country as voted on by member
nations of the council. Due to the
sanctions, the technology transfer to
these countries is strictly prohibited.
 OECD Privacy Principles

Personal data should be obtained by

Collection lawful and fair means and, where
limitation appropriate, with the knowledge or
consent of the individual.

Personal data should be relevant,

The Organization for Economic
Data quality necessary, accurate, complete, and up-to-
Cooperation and Development
date.
(OECD) is a group of 34
member countries that discuss The purpose for which the data is used
and develop economic and Purpose
should, in principle, be specified at the time
social policies. specification
of the collection.

Personal data should in principle not be

Use used for purposes other than those
limitation specified at the time of the collection,
except in certain cases.
 OECD Privacy Principles

Security Personal data should be protected by

Safeguards reasonable security safeguards.

Data collection and processing should be

The OECD published a set of
revised guidelines governing
the protection of privacy and
transborder flows of
Participation
personal data.
Openness
transparent to the individuals.
Individuals should have the right to access
Individual
personal data and have the data erased,
rectified, completed, or amended.

A data controller should be accountable

Accountability for complying with the implemented
measures.
 General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (EU GDPR) is a regulation that

requires businesses to protect the personal data and privacy of EU citizens
for transactions that occur within the EU.

Companies that collect data on citizens in the European Union (EU)

countries will need to comply with strict new rules for protecting customer
data from the May 25, 2018.

Noncompliant organizations may face administrative fines up to €20 million

or up to 4% of the entity’s global turnover of the preceding financial year,
whichever is higher.
 General Data Protection Regulation (GDPR)

Organizations must report data breaches within 72 hours.

Companies must also allow users to export their data and delete it.

Under the existing right to be forgotten provisions, people who don’t want
certain data about them online can request companies to remove it.
 GDPR: Roles and Responsibilities

• A data subject is an identifiable natural person who can be

identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data,
an online identifier, or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural, or
social identity of that natural person.
• A data controller is the legal entity who either alone or jointly
determines the purpose for and manner in which personal data is,
or will be, processed.
• A data processor processes data on behalf of the data controller
but does not control the data and cannot change the purpose or
use of the particular set of data.
• A supervisory authority (SA), established in each EU member
state, has been tasked to enforce the GDPR and monitor the
application of GDPR rules to protect individual rights with respect
to the processing and transfer of personal data within the EU.
 Data Protection Principles

The EU General Data Protection Regulation (EU GDPR) outlines six data protection principles that
organizations need to follow for collecting, processing, and storing individuals’ personal data.

1. Lawfulness, fairness, 2. Purpose limitation 3. Data minimization

and transparency

6. Integrity and
4. Accuracy 5. Storage limitations
confidentiality

The data controller is responsible for complying with the principles and must be able
to demonstrate the organization’s compliance practices.

Lawfulness, fairness,
and transparency
Personal data shall be processed
lawfully, fairly, and in a
transparent manner in relation to
the data subject.
Data Protection Principles
Purpose limitation
Personal data shall be collected for
specified, explicit, and legitimate
purposes and not further processed
in a manner that is incompatible
with those purposes.
Data minimization
Personal data shall be adequate,
relevant, and limited to what is
necessary in relation to the
purposes for which they are
processed.

Accuracy
Personal data shall be accurate
and, where necessary, kept up to
date; every reasonable step must
be taken to ensure that personal
data that are inaccurate, having
regard to the purposes for which
they are processed, are erased or
rectified without delay.
Data Protection Principles
Storage limitations
Personal data shall be kept in a
form which permits identification of
data subjects for no longer than is
necessary for the purposes for
which the personal data are
processed.
Integrity and
confidentiality
Personal data shall be processed
in a manner that ensures
appropriate security of the
personal data, including
protection against unauthorized
or unlawful processing and
against accidental loss,
destruction or damage, using
appropriate technical or
organizational measures.
 Business Scenario

A regulatory authority is required by an enactment to carry out certain functions,

including the handling of complaints from members of the public who have
environmental concerns.

Given the large number of complaints it receives, a regulatory authority

provider decides to outsource its complaints handling department to a much
larger regulatory authority provider with a better logistical capacity and most
of its staff will second the larger authority.
The two authorities put an agreement in place stating that all data protection
compliance responsibilities have been passed over to the larger authority.

Question: Is the larger authority provider a data controller or a data processor?

 Business Scenario

A regulatory authority is required by an enactment to carry out certain functions,

including the handling of complaints from members of the public who have
environmental concerns.

Given the large number of complaints it receives, a regulatory authority

provider decides to outsource its complaints handling department to a much
larger regulatory authority provider with a better logistical capacity and most
of its staff will second the larger authority.
The two authorities put an agreement in place stating that all data protection
compliance responsibilities have been passed over to the larger authority.

Question: Is the larger authority provider a data controller or a data processor?

Answer: The larger authority provider is a data processor acting on the instruction of the regulatory
authority.
Understand Requirements for Investigation Types
 Investigation

“An investigation is a fact-finding process of logically, methodically, and lawfully gathering and
documenting information for the specific purpose of objectively developing a reasonable conclusion
based on the facts learned through the process.”

~ ANSI/ASIS INV.1-2015 Investigation Standards

The purpose of an investigation is to:

Identify and collect evidence Determine what happened

Determine who is responsible

 Investigation Types: Criminal Investigation

Criminal Punishment usually

Criminal cases
investigations involve It is usually involves jail time,
involve an action
determining whether conducted by law monetary fines, or
that is harmful to
a criminal law has enforcement sometimes capital
society.
been violated. organizations. punishment.
 Investigation Types: Civil Investigation

Civil investigation
deals with offense Punishment usually
committed against involves recovering
individuals or money to compensate
companies that result the victim for
in damages or loss. damages.
 Investigation Types: Administrative Investigation

Administrative investigation is explained as:

These are conducted by Administrative

local management in investigation may be
response to complaints or initiated in response to
concerns that generally complaints, mishaps,
are personnel related and misconduct, or violation
non-criminal in nature. of organization’s policy.

If evidence reveal any malicious or

criminal activities, it could trigger
criminal or civil investigations.
 Investigation Types: Regulatory Investigation

Initial inquiries range

from an informal
Regulatory
phone call seeking
investigations
Regulation is a law limited information
involve determining
established by the to a full-blown
whether a
government body. regulatory
regulatory law has
investigation with
been violated.
subpoenas seeking
answers.
 Investigation Types: Industry Standards

Penalties may lead to

fines or other sanctions.

Investigations into violations of

industry standards (such as PCI Investigations may be
DSS) are based on contractual performed by independent
obligations between participating third party.
organizations.
 Business Scenario

Kevin Butler was studying the major legal systems, which are followed throughout
the world. He then thought of going through the archives of legal cases involving
Nutri Worldwide Inc.

He came across a recent case where Nutri Worldwide Inc. lost a legal battle
against one of its partner organizations. The dispute was regarding breach of
some clause of the partner agreement. The partner filed a lawsuit against
Nutri Worldwide Inc. for violation of its rights and claimed a compensation of
$2 million.

Question: Under which type of law had the partner filed the lawsuit?
 Business Scenario

Kevin Butler was studying the major legal systems, which are followed throughout
the world. He then thought of going through the archives of legal cases involving
Nutri Worldwide Inc.

He came across a recent case where Nutri Worldwide Inc. lost a legal battle
against one of its partner organizations. The dispute was regarding breach of
some clause of the partner agreement. The partner filed a lawsuit against
Nutri Worldwide Inc. for violation of its rights and claimed a compensation of
$2 million.

Question: Under which type of law had the partner filed the lawsuit?
Answer: The partner had filed the lawsuit under the Civil Law.
Develop, Document, and Implement Security Policy, Standards,
Procedures, and Guidelines
 Security Policies

Security policy is a broad statement produced by the senior management that dictates the role of
security within the organization.

The characteristics of security policies are:

It must be generic, non-technical, and It must integrate security into all

easily understood. business processes and functions.

It must be reviewed and modified

It must support the vision and mission
periodically or as the company
of the organization.
environment changes.
 Types of Security Policies

There are mainly three types of security policies:

Organizational It focuses on issues relevant to every aspect of

security policy the organization.

Issue-specific It focuses on a specific service, department, or

policy function that is distinct from the organization.

System-specific It focuses on individual systems.

policy
 Security Policy Implementation

Policy documents often come with the endorsement or signature of the executive
powers within an organization.

Standard policy Purpose statement, policy objectives, resources provision, staff

components allocation, and guidelines and standards

Policy elements Purpose, scope, responsibilities, and compliance

Assigning a principal function to be responsible for control, compliance

Policy creation
with policy as a condition of employment, and avoiding exceeding two
guidelines
pages and use generic terms
 Security Policy Implementation

Policy documents often come with the endorsement or signature of the executive
powers within an organization.

Management Protecting resource assets within the company’s control, implementing

responsibilities security in accordance with the company policy, and initiating corrective
for policy actions for security violations

Policy Avoiding errors that can lead to legal challenges and ensuring compliance
enforcement with policy
 Policy Chart

A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps
necessary to achieve it.

Laws, regulations, and requirements

General organizational policy

Functional implementation policies

Standards Guidelines Procedures Baselines

 Standards, Guidelines, Procedures, and Baselines

Standards Guidelines

• Refers to the mandatory activities, • Refers to the recommended

rules, actions, or regulations operational guides or actions
provided to the users, operations
• Defines compulsory requirements staff, IT staff, and others

• Provides a course of action for • Are flexible and can be customized

uniform deployment of technology for each unique system

• Are tactical documents • Serves as operating guides

• Example: ISO 27001 • Are not mandatory statements

• Example: Security password

guideline
 Standards, Guidelines, Procedures, and Baselines
Procedures
• Refers to the step-by-step tasks to be
performed to achieve a certain
objective
• Forms the final elements of the
formalized security policy structure
• Are system and software specific
• Example: Incident response procedure
Baseline
• Defines minimum level of security
that every system must meet
• Are system-specific
• Establishes common secure states
• Refers to a stage or state that is
used as a comparison for future
changes (reference point)
• Example: All Windows 7 systems
must have SP1 installed
Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
 Need for Business Continuity Planning

Business operations are interrupted by unexpected events. Companies must develop Business
Continuity and disaster recovery plans to face these issues.

The focus areas of business continuity planning are:

Protect lives of Minimize the Restore normal Prevent financial

employees disruptions business losses
 Basic Concepts: Disruptive Events

Any incident, act, or occurrence that suspends normal operations can be termed as a disruptive
event or disaster.
• Disruptive events can be intentional or unintentional.
• BCP aims at minimizing the effects of a disruptive event on a company.

Few types of
disruptive
events are: Human
Natural

Environmental
 Basic Concepts: Business Continuity Planning

The goal of a BCP is to ensure business continuity before, during, and after a disaster strikes.
 Importance of Business Continuity Planning

The organization’s ability to respond to any

disaster and recover from disruptions depends on
Business Continuity Planning (BCP) or Disaster
Recovery Planning (DRP) as it:

• Is the last line of defense for any organization

against any threat

• Ensures all planning has been considered

• Helps reduce the risks faced by the

organization

Example: Usage of cloud computing resources to

safeguard data
 Business Continuity Planning Phases

The high-level phases as per NIST 800-34 for achieving comprehensive BCP or DRP are:

Project initiation Preventive controls Planning design BCP or DRP

and scoping identification and development maintenance

Business impact Recovery Implementation,

analysis strategy testing, and training
 BCP or DRP Phase 1: Project Initiation and Scoping

According to NIST 800-34, project initiation and scoping is the first step to achieve a
comprehensive BCP or DRP.

Recent trends which make Cybersecurity more important:

• Creating project scope and defining parameters

• Obtaining management’s support
• Identifying potential outages to critical systems for risk analysis to be
performed
• Appointing project planner and selecting staff for plan development and
execution
• Assigning the BCP or DRP project manager or coordinator as the key point of
contact (POC)
• Ensuring the completions of BCP or DRP by Project Manager and testing it
routinely
• Identifying the representatives of BCP committee from senior management,
legal, CFO, systems and applications, business units, systems support,
communications, data center, communications, and information security
 BCP or DRP Phase 2: Business Impact Analysis (BIA)

According to NIST 800-34, business impact analysis is the second phase to achieve a
comprehensive BCP or DRP.

The Business Impact Analysis (BIA):

• Is the formal method of determining the impact of disruption to the

organization’s IT systems on the business and organization’s processes
and functions
• Enables the BCP or DR project manager to plan the requirements and
priorities for IT contingencies by identifying and prioritizing critical IT
systems and components
 BIA: Goals

The three major goals of BIA are:

• Identification and prioritization of every critical business unit process

Criticality • Evaluation of the impact of a disruptive event
Prioritization • Time-critical business processes require higher priority rating for
recovery than non–critical business processes

• Estimating Maximum Tolerable Downtime (MTD) using the BIA

Downtime • The downtime required for the business to remain viable
Estimation • Non-recovery, if the interruption of critical process extends the maximum
tolerable downtime

• Estimating resource requirements

Resource
• Most resources allocated to time sensitive processes as compared to less
Requirements
critical processes
 BIA: Steps

The steps of a BIA are outlined here:

Identify the
Select individuals to Calculate risk for
resources on which
interview for data each business
the critical business
gathering function
functions depend

Gather, analyze, and

Calculate the
Create and use data interpret the
longevity of these
gathering qualitative and
functions without
techniques quantitative impact
the resources
information

Identify the Identify

Document and
company’s critical vulnerabilities and
report to the
business functions threats to these
management
functions
 BIA Steps: Business Unit Level

For each major business unit within the organization, the following steps will be performed:

Identify business components

or activities that, if disrupted Determine required
or unavailable, could Maximum Tolerable
jeopardize the company’s Downtime (MTD)
operations
 Maximum Tolerable Downtime (MTD)

Maximum Tolerable Downtime (MTD) is:

The maximum period for which the organization’s key

processes and functions are unavailable, after which the
organization would suffer significant losses

Measured in minutes, hours,

Revised several times during
days, or longer, depending on
the course of a project
the nature of the business
 Maximum Tolerable Downtime (MTD)

The alternate terms for MTD include Maximum Allowable Downtime (MAD), Maximum Acceptable
Outage (MAO), and Maximum Tolerable Outage (MTO).

Business Continuity and Disaster Recovery Timeline

RPO, RTO and MTD

Recovery Point Objective Recovery Time Objective

(RPO) (RTO)

App and Normal

Disaster Infrastructure Test Critical Business is
Data Backup Data Loss Data Business
Strikes Recovery Apps Hurt
Recovery Resumes

Maximum Tolerable Downtime (MTD)

 Failure and Recovery Metrics

A number of metrics are used to quantify the frequency of system failures.

Recovery Point Objective

• Level of data, work loss, or system inaccessibility resulting from a disruptive event
• Usually expressed in units of time

Recovery Time Objective

• The maximum time allowed to recover business or IT systems

• Expressed in units of time such as minutes, hours, or days

Work Recovery Time

• The time required to configure a recovered system

• Consists of the system’s recovery time and the work recovery time
 Failure and Recovery Metrics

A number of metrics are used to quantify the frequency of system failures.

Mean Time between Failures

• The predicted elapsed time between inherent failures of a system during operation
• Calculated as the arithmetic mean time between failures of a system

Mean Time to Repair

• The duration to recover a specific failed system
• The total corrective maintenance time divided by the total number of corrective
maintenance actions during a given period

Minimum Operating Requirements

• The minimum environmental and connectivity requirements for a computer equipment
to operate
• Documentation is important for each IT critical asset
 Stages of Failure and Recovery

The various stages of failure and recovery are shown in the figure.

Normal Normal
Operations Disruptive Recovery Time Frame Operations
Event

RPO RTO WRT

MTD

1 2 3 4
 BCP or DRP Phase 3: Identify Preventive Controls

According to NIST 800-34, Identify Preventive Controls is the third phase to achieve a comprehensive
BCP or DRP. Preventive controls avert the potential impact of disruptive events.
The types of preventive controls include:

Process or device that mitigates effect of a threat but cannot

Existing controls
prevent occurrence

Fire suppression or sprinkler systems, access control systems,

Physical controls
security guards

Procedural controls Hiring and termination policies and clean desk policy

Data storage protection and protection given to assets based

Logical controls
on their location
Contribute to and Enforce Personnel Security Policies and Procedures
 Best Work Practices

Following are the best practices:

Separation of duties

Job rotation

Mandatory vacations

Split knowledge

Dual control
 Importance of Managing Personnel Security

The people inside the organization need access to data and resources to complete their assigned
work and, therefore, have the potential to abuse these access privileges. It is important to:

• Protect sensitive information by securely managing

the lifecycle of employment

• Hire qualified and trustworthy individuals to reduce

the risk to information assets

• Screen out individuals whose past actions indicate

undesirable behavior to avoid potential risks to the
organization
 Managing Personnel Security: Hiring Practices

Following are the hiring practices:

• Perform background checks: Education, prior

employment, financial history, and criminal history
• Get the confidentiality agreements signed:
Non-Disclosure Agreement and Intellectual Property
Agreement
• Get Conflict of Interest Agreements for the positions
handling competitive information
• Get the Non-Compete Agreements for the positions
in charge of unique corporate processes
 Managing Personnel Security: Employee Termination

Following are the employee termination policies:

• Voluntary: Return of all access keys and badges, exit

interview, removal of system access
• Involuntary: Escort from premises, restriction of
access immediately upon notification, change of
system passwords in user’s area
 Vendor, Contractors, and Consultant Controls

Controls for vendors, contractors, and consultants mostly act as preventive controls.

• Vendors and temporary employees should be

given limited access to the information.
• Contractors should always be escorted within the
organization.
• Consultants must be escorted whenever they visit
your facility.
 Compliance: Need for Compliance

Compliance means conforming to a rule, such as a specification, policy, standard, or law.

Need for Compliance

• Protect critical information

• Enforce controls through formal written policy
• Understand the requirements for protecting organizational information
• Identify requirements for protecting organizational information
• Avoid inadequate implementation and enforcement; this can lead to fines, penalties, and
imprisonment
• Avoid failures that lead to loss of customer confidence, competitive advantage, contracts, and jobs
• Protect shareholder interests
• Use good controls that make good business sense
 Compliance Policy Requirements

Compliance policy facilitates compliance with

applicable laws, regulations, policies, and standards.

Compliance training must be provided to all employees to

ensure they are aware of their compliance responsibilities.
Then training should be tailored to specific employees in
high-risk areas.

Audits are performed to ensure compliance to contracts,

regulations, and laws and assist in detecting abnormal
activities.
 Acceptable Usage Policy

• Outlines which activities are acceptable and

unacceptable in the workplace and establishes
employee expectations on how to use the
company resources.
• Inappropriate use exposes the organization to
risks including virus attacks, compromise of
network systems and services, and legal issues.
• Employees should be aware of the consequence of
non-compliance with their company's AUP.
• Employees should know that violation of this policy
may be subject to disciplinary action, up to and
including termination of employment.
What should an Acceptable Use Policy
contain?
• Introducing malicious programs
• Disclosing confidential information
• Sharing passwords
• Unauthorized security scanning
• Sending unsolicited email
• Circumventing security
• Making unauthorized representations
 Privacy Policy Requirements

A privacy policy is a statement that discloses how a particular organization collects,

stores, and utilizes the personal information provided by its users.

Any organization collecting any personal information from their customers, clients,
or end users, are legally required to publish a privacy policy on their site.

The exact content of a privacy policy will depend on the nature of the business,
location of the business, location of the users, and the applicable laws.

At minimum, an organization’s privacy policy should disclose what personal or sensitive

information they collect, how they collected it, how they intend to use that information,
and whether they will disclose some or all the information to any third parties.
Understand and Apply Risk Management Concepts
 Security Definitions
A few security terms that a CISSP candidate must know:

Asset: An asset is any information, software, 1

hardware, or equipment that is utilized for,
and critical to, business objective, service
delivery, and financial success. 2 Vulnerability: Vulnerability is any hardware,
software, or procedural weakness that may
give an attacker the open door for
Threat: Threat is any potential danger to 3 unauthorized access to resources.
systems or information.

4 Threat Agent: Threat agent is any entity that

takes advantage of a vulnerability.

Risk: Risk is the likelihood of a threat agent 5

taking advantage of a weakness or
vulnerability and the resulting business
impact. 6 Exposure: Exposure is an instance of being
exposed to losses from a threat agent.

Countermeasure or Safeguard: 7
Countermeasure or safeguard is put into
place to mitigate the potential risk.
 Information Risk Management

Information Risk Management is the process of identifying and assessing risk, reducing it to an
acceptable level, and implementing the right mechanisms to maintain it at that level.

Recognition
Threat of the Annualized
Impact Uncertainty Cost

Threat Threat Risk Cost or

Event Frequency Mitigation Benefit
Analysis
 Risk Management: Steps

There are four steps in the risk management life cycle:

Risk Response Risk and Control Monitoring

and Mitigation and Reporting

Risk
Management
Life Cycle
IT Risk IT Risk Identification
Assessment
 Business Scenario

While studying the Information Risk Management process, Kevin made notes
on the security definitions based on examples from his day-to-day work:

• Asset: Servers and systems of the company

• Vulnerability: Weak rule in firewall
• Threat: Hacking network or servers
• Threat Agent: Hacker
• Risk: Loss of critical organization data
• Exposure: 25% loss of data (which is unencrypted)

Question: What will the risk management process achieve?

 Business Scenario

While studying the Information Risk Management process, Kevin made notes
on the security definitions based on examples from his day-to-day work:

• Asset: Servers and systems of the company

• Vulnerability: Weak rule in firewall
• Threat: Hacking network or servers
• Threat Agent: Hacker
• Risk: Loss of critical organization data
• Exposure: 25% loss of data (which is unencrypted)

Question: What will the risk management process achieve?

Answer: It helps to maintain the identified risks at an acceptable level.
 Introduction to Risk Analysis

Risk analysis is the analysis of the probability and consequences of each known risk.

• Risk analysis prioritizes risks and calculates the

cost of safeguards.

• It provides a cost/benefit comparison between

cost of safeguards and cost of loss.

• It identifies and prioritizes the risk factors with

great impact.

• It also integrates the security program objectives

with the organization’s business objectives and
requirements.
 Goals of Risk Analysis

To identify organizational
assets and their value

To balance the cost of

To identify vulnerabilities
countermeasure and the
and threats
impact of threats

Goals of Risk Analysis

To measure probability and

the impact of latent threats
 Risk Analysis Team

An organization needs to form a risk analysis team to analyze risks effectively. These are the stakeholders
in a risk analysis team:

Information Risk
Security Manager
Officer

Executive System or
Sponsor Network
Risk Analysis Administrator
Team

System System
Technical Business
Owner Owner
 Risk Analysis Team

The steps to perform risk analysis:

Risk analysis and assessment

Countermeasure
Asset and information value
selection and
assignment
implementation
 Information and Asset Valuation

The following issues should be considered when assigning values to an asset:

• Cost to acquire or develop the asset

• Cost to maintain and protect the asset
• Value of the asset to owners and users
• Value of the asset to adversaries
• Value of intellectual property that went into developing the
information
• Price others are willing to pay for the asset
• Cost to replace the asset if lost or damaged
 Information and Asset Valuation

The following issues should be considered when assigning values to an asset:

• Operational and production activities that are affected if the

asset is unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization
 Types of Risk Analysis

There are two major types of approaches to risk analysis and their features are as follows:

• Uses risk calculations that attempt to predict the level of

monetary losses and the percentage of chance for each
Quantitative type of threat
Analysis
• Objective in nature

• Situation and scenario based

Qualitative • Subjective in nature

Analysis
• Does not assign numbers and monetary values to
components and losses
 Key Terms in Quantitative Risk Analysis

Asset • Total value of assets

• Percentage of loss the organization

Exposure would suffer if a risk materializes
Factor
• Also referred to as the loss potential

• Cost associated with a single-realized risk

Single Loss against a specific asset
Expectancy
• SLE = AV * EF
(SLE)
• It is calculated in dollars
 Key Terms in Quantitative Risk Analysis

• Frequency with which a specific threat will occur within

Annualized a single year
Rate of
Occurrence • Ranges from 0 (threat will not occur) to large numbers
(ARO)
• Also known as probability determination

Annualized • Possible yearly cost of all instances of a specific threat

Loss realized against a specific asset
Expectancy
(ALE) • ALE = SLE * ARO

Annual Cost • The cost associated in procuring, developing, and

of Safeguard maintaining control against a potential threat
(ACS) • The ACS should not exceed the ALE
 Quantitative Risk Analysis Steps

Step 1: Assign asset

value

Step 6: Perform
Step 2: Calculate
cost or benefit
exposure factor
analysis of
countermeasure

Steps in
Quantitative
Risk Analysis

Step 5: Derive Step 3: Calculate single

annualized loss loss expectancy
expectancy

Step 4: Assess
annualized rate of
occurrence
 Quantitative Risk Analysis: Problem

Problem: Fire destroys a server with encrypted data.

Consider the following conditions:
• Asset value = $6,000
• EF = 50%
• ARO = 10% chances of fire in one year
?
Solution:
• Single Loss Expectancy (SLE) = $6,000 x 50% = $3,000
• Annual Loss Expectancy (ALE) = 10% x $3,000 = $300
 Qualitative Risk Analysis

Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of
qualitative techniques to gather data are:

Delphi Brainstorming Storyboarding

Focus Groups Surveys Questionnaires

Checklists One-on-one meetings Interviews

 Qualitative Risk Analysis

The following table deals with some of the threats, the level of threat, and countermeasures:

Threat
Threat Impact Countermeasure
Probability

Fire Low High Fire Extinguishers

Theft Medium High Key cards, guards

Logical Intrusion prevention

Medium High
Intrusion system
 Qualitative Risk Analysis

• The type of approach to risk analysis will be decided based on the risk analysis team,
management, risk analysis tools, and culture of the company.
• The chart below sorts different attributes into qualitative and quantitative risk analysis.

Attributes Quantitative Qualitative

Requires complex calculations √ X

Requires high degree of guess work X √

Provides credible cost/benefit analysis √ X

Provides opinions of the individuals who know the process well X √

Shows clear-cut losses that can be accrued within one year √ X

 Hybrid Analysis

Hybrid analysis uses both quantitative and qualitative analysis.

The following are some points about why hybrid analysis is required:

• It is almost impossible to carry out only

quantitative assessment.

• Qualitative analysis does not provide

sufficient data to make financial decisions.

• Quantitative evaluation is used for

financial values of tangible assets.

• Qualitative assessment can be used for

priority values of intangible assets.
 Countermeasure Selection: Problem

A commonly used cost/benefit calculation for a given safeguard:

Value of the safeguard to the company = (ALE before implementing safeguard) – (ALE after
implementing safeguard) – (Annual cost of safeguard)

Problem:
• ALE of the threat of a fire bringing down a web server prior to implementing the suggested
safeguard = $10,000
• ALE after implementing the safeguard= $2,000
• Annual cost of maintenance and operation of the safeguard = $500

Solution:
• Value of the safeguard to the company = $10,000 -$2,000 -$500
= $7,500
 Countermeasure Selection: Other Factors

Other factors that influence the selection of countermeasure or safeguard:

Total Cost of
TCO is the total cost of a mitigating safeguard
Ownership (TCO)

Return on
Investment (ROI) ROI is the amount of money saved by implementing a safeguard

Uncertainty refers to the degree to which you lack confidence in an estimate.

Uncertainty This is expressed as a percentage, from 0 to 100 percent. If you have a 25
percent confidence level in something, then it could be said that you have a
75 percent uncertainty level.
 Handling Risk

Risk treatment can be done in the following four ways:

Transfer the risk

Accept the loss 4 2 Terminate the risk activity

3
Take measures
 Handling Risk

Conceptual formulas to calculate total risk and residual risk:

Visitor’s Perspective Online Strategy

Total Risk Total Risk = Threats x Vulnerabilities x Asset Value

Residual Risk Residual Risk = Total Risk x Control Gap

Residual Risk = Total Risk – Countermeasures
 Residual Risk Mitigation

Here is a flowchart that explains the steps in the risk mitigation process:

Risk < Acceptable level ? Yes

No

Mitigate Risk No Mitigation Cost > Asset Yes Accept Risk

Value
 Controls or Countermeasures

Physical control

Controls based on Technical control

• Security controls are the measures taken to implementation
safeguard an information system from attacks
Administrative control
against the confidentiality, integrity, and
availability of the information system. Deterrent control
Categories of
• Security controls are selected and applied based Controls
Preventive control
on a risk assessment of the information system.
Detective control
• The risk assessment process identifies system Controls based on
threats and vulnerabilities, and then security functionality
Corrective control
controls are selected to reduce or mitigate
the risk. Recovery control

Compensating control
 Controls Based on Implementation

There are three types of controls based on implementation:

Administrative controls Technical controls Physical controls

• They are commonly
referred to as soft
controls because they
are more management
oriented.
• Examples of
administrative controls
are security
documentation, risk
management, personnel
security, and training
• Technical controls, also
called logical controls,
are software or
hardware components.
• Examples: Firewalls,
IDS, encryption,
identification, and
authentication
mechanisms
Physical controls
• They are items put into
place to protect facility,
personnel, and
resources.
• Examples of physical
controls are security
guards, locks, and
fencing
 Controls Based on Functionality

The six controls based on functionality are:

Deterrent Intends
• Usesto discourage
risk a potential
calculations attacker
that attempt to predict the level of

Preventive Intends to avoid an incident from occurring

• Uses risk calculations that attempt to predict the level of

Corrective
Corrective Fixes components or systems after an incident has occurred

Recovery
Recovery Intends to bring the environment back to regular operations
• Uses risk calculations that attempt to predict the level of

Detective Helps identify an incident’s activities and potentially an intruder

Detective
• Uses risk calculations that attempt to predict the level of

Compensating
Compensating
Uses risk
•Provides an calculations that attempt
alternative measure to predict the level of
of control
 Security Control Assessment (SCA)

Security control assessment (SCA) is a

comprehensive evaluation or Its goal is to determine the extent to
assessment of the management, which the controls are meeting the
operational, and technical security security requirements of the system.
controls of an information system.
 Security Control Assessment (SCA)

• Evidence of the effectiveness of implemented controls

SCA results • An indication of the quality of the risk management processes employed
provide: Security
within Control Assessment (SCA)
the organization
• Information about the strengths and weaknesses of information systems
that are supporting organizational missions and business functions
 Assurance for Security Control Effectiveness

To ensure security control effectiveness, one should compile evidence that the controls are:

Implemented correctly

Operating as intended

Meeting the security

requirements of the information
system
 Security Control Assessment (SCA)

The types of system tests conducted Security control assessments are

include audits, security reviews, conducted before the system is put
vulnerability scanning, and into production and annually
penetration testing. thereafter.
 Security Control Assessment Team

• The SCA team is an individual, group, or organization

responsible for conducting a comprehensive security
control assessment of an information system.

• They may also provide a risk assessment of the severity

of weaknesses or deficiencies discovered in the
information system and recommend corrective actions
to address the identified vulnerabilities in the system.

• Common controls utilized for high and moderate impact

systems must be performed by an independent
assessment team.

• They prepare the final security assessment report

containing the results and findings of the assessment.
 Risk Monitoring and Measurement

The risk environment is dynamic because the organization’s internal and

external environments are constantly changing.

Organizations should continuously monitor the IT risks and controls to relevant

stakeholders in order to ensure the continued efficiency and effectiveness of the
IT risk management strategy and its alignment to business objectives.
 Risk Measurement

KRIs and KPIs can be used to measure, monitor, and report risk. The two are
explained below in detail.

• A key risk indicator (KRI) is a measure used in risk management to

indicate how risky an activity is.
Key risk indicator
• By comparing an appropriate set of key risk indicators with defined
(KRI)
thresholds, organizations receive an early warning when a risk
Riskan
approaches Measurement
unacceptable level.

• A key performance indicator (KPI) is used to measure how well a

Key
process is performing in terms of its stated goal.
performance
indicators (KPIs) • KPIs are used to set benchmarks for risk management goals and
to monitor whether those goals are being met.
 Risk Reporting

A risk report includes information on current risk

management capabilities and actual status and trends
about risk.

Results of the risk monitoring

Risk Reporting process need to be
documented and reported to the senior management
on a regular basis.

A significant security incident or significant changes in

risk should trigger a report to the senior management
and a reassessment of the risk controls.
 Continuous Improvement

Organizations can use a risk

A mature risk management
maturity model to improve their
program is better at preventing,
risk management processes by
detecting, and responding to
identifying their current and
security incidents.
desired capabilities.

Maturity and growth comes

from practice and learning from
past experiences.
 Continuous Improvement

Risk Management Impact on Optimizing

Business Value
Quantitatively
Managed

Defined
Initial Managed

Stages of Risk Management Maturity

Continuous Risk
Focus Risk Management is Basic Risk Management
Standardized Risk Quantitative Risk
Management Process
informal and Adhoc Management Process Management Process

Medium Quality/
Result Lowest Quality / Highest
Low Quality/ High Risk Medium Risk High Quality / Low Risk Highest Quality / Lowest Risk
Risk
 Risk Frameworks

Risk management framework is used to identify, measure, manage, monitor, and

report the significant risks to the achievement of business objectives.

There are three risk frameworks, namely:

ENISA Risk
NIST Risk Management Management/
ISO 31000
Framework Risk Assessment
(RM/RA) Framework
Understand and Apply Threat Modeling Concepts and Methodologies
 Threat Modeling

Threat Modeling

• It is a security process where potential

threats in a system are identified,
quantified, and addressed.

• It can be performed as a proactive measure

during the planning and design phase of the
SDLC and is continued throughout the
lifecycle

• A reactive approach to threat modeling

takes place after a product has been
created and deployed.
 Threat Modeling

Goals of threat modeling

Reducing the number

of security-related Reducing the severity
coding and design of remaining defects
defects
 Threat Modeling

Approaches to threat modeling:

Proactive Approach Reactive Approach

• Also known as the defensive approach • Also known as the adversarial approach

• Takes place during early stages of • Takes place after a product has been
systems development created and deployed

• Based on predicting threats and • This is the core concept behind ethical
design-specific countermeasures hacking, PT, source code review, and fuzz
during the coding and crafting process testing
 Threat Modeling Steps

• Focused on assets
Identifying threats • Focused on attackers
• Focused on software

Categorization of
threats • STRIDE model

Determining and • Data flow diagrams

diagramming • Privilege boundaries
potential attacks • Elements

• Trust boundaries
• Data flow path
Performing reduction
analysis • Input points
• Privilege operation
• Security stance and approach

Prioritization and • DREAD model

response
 Step 1: Identification of Threats

• Frames the threats based on the mindset of the perceived attacker

Focused on
attackers • Determines and addresses the attacker’s characteristics, skill sets,
motivations, and intentions

• Identifies the elements of the system that have risk associated

with them
Focused on
assets • Classifies assets according to their intrinsic value to a potential
attacker

Focused on • Establishes a system structure first and then identifies relevant

system or attack vectors on the macro- and micro-levels of interaction
software between subsystems
 Step 2: Categorization of Threats (STRIDE Approach)

Spoofing An attack with the goal of gaining access to a target system through the
use of a falsified identity

Tampering This is used to falsify communications or alter static information

Repudiation The ability of a user or an attacker to deny having performed an action

or activity

Information The revelation or distribution of private, confidential, or controlled

disclosure information to external or unauthorized entities

Denial of service An attack that attempts to prevent an authorized use of a resource

(DoS)

Elevation of An attack where a limited user account is transformed into an account

privilege with greater privileges, powers, and access
 Step 3: Determining and Diagramming Potential Attacks

Determining and Diagramming Potential Attacks

• Post identifying threats, the next step is to

determine the potential attack concepts that
could materialize

• Often accomplished by data flow diagrams,

privilege boundaries, and elements involved

• Once a diagram has been crafted, identify all the

technologies involved

• Identify attacks that could be targeted at each

element of the diagram

• Attacks should include all forms: logical,

physical, and social
Step 3: Determining and Diagramming Potential Attacks

User / Web Server

Boundary

Authenticate
Login Request User()

Web Login
Users Servlet Process
Authenticate
User Result

Authenticate Authenticate User

Login Response
User SQL SQL Query
Pages Query Result
Web Server /
Database Boundary
Data
Web College
Pages Database
Library
Files
Database

Data
 Step 4: Performing Reduction Analysis

Reduction analysis involves decomposing the application, system, or environment.

Input points
Locations where an
external input is received

Data flow paths Privilege operations

Movement of data Activities that require
between locations greater privileges

Trust boundaries Security stance and approach

Locations where the Declaration of the security
level of trust changes policy, security foundation, and
security assumptions
 Step 5: Prioritization and Response

Prioritization and Response

• Rates the threats in order to prioritize and address the most significant threats first

• Risk posed by a particular threat is equal to the probability of the threat occurring
against the potential damage
Risk = Probability * Potential Damage

• If a threat is rated as high, it poses a significant risk and needs to be addressed as

soon as possible

• Medium threats need to be addressed but with less urgency

• Low-level threats can be ignored depending upon the effort and cost required to
address these
 Step 5: Prioritization and Response

DREAD rating system:

Damage
How severe is the damage likely to be if the threat is realized?
potential

Reproducibility How complicated is it for attackers to reproduce the exploit?

Exploitability How hard is it to perform the attack?

Affected users How many users are likely to be affected by the attack?

Discoverability How hard is it for an attacker to discover the weakness?

 DREAD Rating

Threat description D R E A D Total Rating

Attacker obtains authentication

3 3 2 2 2 12 High
credentials by monitoring the network

Injection of SQL commands 3 3 3 3 2 14 High

 Threat Template

Threat description Injection of SQL commands

Threat target Data access component

Risk rating

Attacker appends SQL commands to username, which is used to form SQL

Attack techniques
query

Use a regular expression to validate the username and use a stored procedure
Countermeasures
that uses parameters to access the database
 Threat Template

Threat description Attacker obtains authentication credentials by monitoring the network

Threat target User authentication process in a web application

Risk rating High

Attack techniques Attacker uses network monitoring software

Countermeasures Use SSL to provide an encrypted channel

 Threat Template

Threat description Injection of SQL commands

Threat target Data access component

Risk rating

Attacker appends SQL commands to user name, which is used to form SQL
Attack techniques
query

Use a regular expression to validate the user name, and use a stored
Countermeasures
procedure that uses parameters to access the database
 Threat Modeling Outcomes

Outcome of a threat modeling activity is a threat module document that identifies:

Countermeasures

Assets, actors, and

use cases

Weakness that could

be exploited

Relevant threats
Apply Supply Chain Risk Management (SCRM) Concepts
 Supply-Chain Risk Management

Supply chain is the network of all the individuals, organizations, resources, activities, and technology
involved in the creation and sale of a product, from the delivery of source materials from the supplier
to the manufacturer through to its eventual delivery to the end user.

Supply-chain risk management (SCRM) is a process to help identify, monitor, detect, and mitigate
threats to supply chain continuity and profitability.

A supply chain compromise is an occurrence within the supply chain whereby an adversary
jeopardizes the confidentiality, integrity, or availability of a system or the information the system
processes, stores, or transmits.

It can occur anywhere within the system development life cycle of the product or service.
 Risks Associated with Hardware, Software, and Services

Here are a few risks associated with hardware, software, and services:

Counterfeit hardware or hardware Poor information security practices

with embedded malware by lower-tier suppliers

Software security vulnerabilities Compromised software or

in supply chain management or hardware purchased from
supplier systems suppliers
Mitigating Risks Associated with Hardware, Software, and Services

These supply-chain risks can be mitigated during acquisition lifecycle by:

Ensure supplier has good security development and

Supplier capability
management practices

Perform an assessment of the risk of the product for critical

Product security
security compromise and mitigation requirements

Control access to the product in transit at each step in the

Product logistics
supply chain

Operational product Implement appropriate configuration and monitoring controls

control during the operational use of the product or service
 Third-Party Management

• A third party is a company that is not under direct business control of the organization
that engages it. A third-party relationship is any business arrangement between a
company and another entity, by contract or otherwise.

• Outsourcing is the subcontracting of a business process to a third-party company.

• Organizations are increasingly outsourcing systems, business processes, and

data processing to service providers in an effort to focus on core competencies,
reduce costs, and more quickly deploy new application functionality.

• Third-party risk management is a comprehensive plan for identifying and

mitigating potential business uncertainties and legal liabilities regarding the
hiring of third-party services.
 Third-Party Risks

Information Security or Data

Business Continuity
Privacy

Third party has insufficient experience and

Third party cannot continuously maintain
controls to protect the company's and
its services due to business disruption
customer's information from unauthorized
(e.g., ineffective redundancy procedures).
access, disclosure, modification, or
destruction.

Financial Viability

Third party is not financially secure to

continue to provide you services at
acceptable levels.
 Third-Party Risks

Contract Compliance Legal or Regulatory

Third party products, services, or Third party does not possess the necessary licenses
systems are not consistent with your to operate. It lacks the expertise to enable the
policies and procedures, applicable company to remain compliant with domestic and
laws, regulations, and ethical standards. international laws and regulations.
 Third-Party Risk Management

The diagram given below will help us to understand the third-party risk management.

Planning

Due
Termination
Diligence

Ongoing Contract
Monitoring Negotiation

Oversight and Accountability

 Third-Party Risk Management

The plan should oversee the full lifecycle of a third-party relationship including:

• Company's strategy for why it is using the third party and the inherent risks the
relationship presents
• Proper due diligence in selecting the third party
• Written contracts that outline the rights and responsibilities of all parties
• Ongoing monitoring of the third party’s activities and performance
• Contingency plans for terminating the relationship in an effective manner
• Clear roles and responsibilities for overseeing and managing the relationship and
risk management process
• Documentation and reporting that facilitate oversight, accountability, monitoring,
and risk management
• Independent reviews that allow organization's management to determine that
processes align with its strategy and effectively manage risks
 Third-Party Risk Management Lifecycle

Contract Ongoing
Planning Due Diligence Termination
Negotiation Monitoring

Develop a plan to manage the relationship. This is often the first step in the third-party risk
management process.

• Identify regulatory requirements

• Identify need for third-party service
• Determine inherent risks of activities
• Determine business requirements
• Analyze risk or benefit
• Incorporate risk strategy
• Establish a third-party risk profile
• Identify and qualify third parties
 Third-Party Risk Management Lifecycle

Contract Ongoing
Planning Due Diligence Termination
Negotiation Monitoring

Conduct a review of a potential third party before signing a contract to ensure that the organization
selects an appropriate third party and understands and controls the risks posed by the relationship,
consistent with the organization’s risk appetite. On-site visits may be useful to fully understand the
third party’s operations and capability to serve.

• Audited financial statements

• Business reputation and litigation
• Risk management procedures
• Compliance capabilities
• Internal audit coverage
• Information security
• Reliance on subcontractors
• Insurance coverage
 Third-Party Risk Management Lifecycle

Contract Ongoing
Planning Due Diligence Termination
Negotiation Monitoring

Develop a written contract that clearly defines expectations and responsibilities of the third party to
ensure the contract’s enforceability, limit the organization’s liability, and mitigate disputes about
performance.

• Scope of the arrangement

• Performance measures or benchmarks
• Responsibilities
• Regulatory compliance requirements
• Default and termination
• Subcontracting
• Confidentiality and security
• Indemnification
 Third-Party Risk Management Lifecycle

Contract Ongoing
Planning Due Diligence Termination
Negotiation Monitoring

After entering into a contract with a third party, organization management should dedicate sufficient
staff with the necessary expertise, authority, and accountability to oversee and monitor the third
party’s activities and performance.

• Process or policy review

• Ongoing performance and risk monitoring
• Ongoing due diligence and assessments
• Ongoing site visits and reviews
• Oversight and supervision
• Third-party contingency plans
• Financial reviews for viability
• Ability to recover from service disruptions
 Third-Party Risk Management Lifecycle

Contract Ongoing
Planning Due Diligence Termination
Negotiation Monitoring

A contingency plan need to be developed to ensure that the organization can transition the activities to
another third party. Termination can happen for bringing the activities in-house, or discontinuing the
activities when a contract expires, when the terms of the contract have been satisfied, in response to
contract default, or changes to the organization’s or third party’s business strategy.

• Finalize exit strategy

• Provide notifications
• Risk exposure assessment
• Continuity planning
• Transition planning and execution
• Transfer of assets and information
• Legal confirmation of transition
• Payments, penalties, and final billings
 Minimum Security Requirements

• Third-party security requirements standard document sets out the minimum information
security requirements expected of third parties.

• Product or service specifications must include the requirements for security controls.

• Contracts with the third-party must address the identified security requirements.

• If the security functionality in a proposed product does not satisfy specific security
requirements, then the risk introduced must be evaluated and additional controls must be
reconsidered prior to purchasing the product.

• When additional functionality is supplied and causes a security risk, it must be disabled or
the proposed control structure must be reviewed to determine if advantage can be taken of
the available enhanced functionality.
 Service-Level Requirements

A Service-Level Requirements (SRL) document provides the

requirements for a service from a client viewpoint, defining
service-level targets, responsibilities, and other specific
requirements to manage the service.

A service provider prepares a Service-Level Agreement (SLA)

based on Service-Level Requirements (SRL).
 Real World Scenario

In 2017, Verizon, a major telecommunications provider, suffered a data security

breach with over 14 million US customers' personal details exposed on the
internet after Nice Systems, a third-party vendor, mistakenly left the sensitive
users’ details open on a server.

• Verizon’s partner Nice Systems logged customer files that contained sensitive
and personal information (including customer names, corresponding cell
phone numbers, and specific account PINs) on an Amazon S3 bucket.
• For reasons unknown, that bucket was left unsecured, thus exposing more
than 14 million Verizon customer records to anyone who discovered the
bucket.

Question: Among Verizon, NICE Systems, and Amazon, who is accountable for the data loss?
 Real World Scenario

In 2017, Verizon, a major telecommunications provider, suffered a data security

breach with over 14 million US customers' personal details exposed on the
internet after Nice Systems, a third-party vendor, mistakenly left the sensitive
users’ details open on a server.

• Verizon’s partner Nice Systems logged customer files that contained sensitive
and personal information (including customer names, corresponding cell
phone numbers, and specific account PINs) on an Amazon S3 bucket.
• For reasons unknown, that bucket was left unsecured, thus exposing more
than 14 million Verizon customer records to anyone who discovered the
bucket.

Question: Among Verizon, NICE Systems, and Amazon, who is accountable for the data loss?
Answer: Verizon. They should have ensured visibility into how partners and other stakeholders keep
their data secure.
Establish and Maintain a Security Awareness, Education, and Training Program
 Importance of Security Awareness Training

Security awareness
training is important to:

• Understand the importance of security

• Understand expected responsibilities,
acceptable behaviors, and noncompliance
consequences
• Modify employees’ behavior and attitude
toward security
• Improve the overall security of the organization
• Implement the controls in a better way
 Security Awareness Training: Awareness, Training, and Education

The table given below describes the three parts of security awareness training.

Basis of
Awareness Training Education
Distinction
To integrate security skills
To produce required and relevant and competencies into a
Objective To focus on security
security skills and competencies common body of
knowledge

Organizations can • Training provides guidance in

inform employees the performance of particular
Educated employees can
about their roles and security or risk management
aid the organization in
Advantages expectations in functions
fulfilling security program
observing the • Training provides information
objectives
information security on the security and risk
requirements management functions
 Implementation of Security Awareness Training Program

The following table represents the steps to develop and implement a good security
awareness training program.

Basis of
Education Training Awareness
Difference
Attribute Why How What
Level Insight Knowledge Information
Objective Understanding Skills Exposure
Teaching Theoretical instructions Practical instructions Media
• Discussion • Lecture
• Videos
• Seminar • Case study
Method • Newsletter
• Background reading • Workshop
• Posters
• Research • Hands-on practice
• True or false
Problem solving
Test measure Essay (interpret learning) • Multiple choice (identify
(apply learning)
learning)
Impact
Long term Intermediate Short term
timeframe
 Methods and Techniques to Present Awareness and Training

Security awareness training could help organizations protect against social

engineering attacks such as phishing.

Organizations should identify and train a security champion within a team who
then becomes an enabler and promoter of security best practices.

The security champion should be the single point of contact within a department
and should act as a liaison between the security team and the employees.

For example, a security champion within a software development team

can help other developers prioritize security and improving the overall
quality of the products.
 Methods and Techniques to Present Awareness and Training

Security leaders can use gamification to enhance cyber security training for
their employees.

Gamification is the use of game principles in nongame business scenarios by

engaging and motivating people to achieve business outcomes.

Employees can use a simulated environment to test and improve their readiness
for cyber incidents.
 Business Scenario

PwC launches Game of Threats

• In 2016, global accountancy firm PwC launched Game of Threats to help senior executives and
directors assess and enhance their readiness for cyber incidents.
• Game of Threats is an interactive digital game that simulates a real-world cyber breach to help
executives better understand the steps they can take to protect their companies.
• The game was based on others’ real-life experience with cyber attacks.
• Designed to be nontechnical, the game environment creates a realistic experience where
participants are required to make quick, high-impact decisions with minimal limited resources.
• The participants are provided with a detailed summary of each game with a review of their
strategy, actions, and missed opportunities.

Information source: https://www.pwc.co.uk/issues/cyber-security-services/game-of-threats.html

 Periodic Content Reviews

• The training content must be periodically reviewed and kept up to date.

• The content must be tailored to meet the needs of the target audience.

A security policy is added or updated

Reviews A major new threat is identified

could be
triggered at
any time A major security incident occurs which could have
been avoided through better security awareness

A major change is introduced to the information

systems
 Program Effectiveness Evaluation

Reaction
To what degree participants react favorably to the training

Learning Sample questions to measure learning:

• Was the course relevant and useful?
• Was the training enjoyable?
Behavior • Does the training accommodate their learning styles and paces?
• How likely would they recommend the course to their colleagues?

Results
 Program Effectiveness Evaluation

Reaction • To what degree participants acquire the intended knowledge, skills,

attitudes, confidence, and commitment based on their participation in a
training event
Learning
• Methods:
o Use assessments or tests before and after the training to check
Behavior
performance changes due to the program
• Sample questions:
o Has their knowledge increased as a result of the training?
Results
 Program Effectiveness Evaluation

Reaction
• To what degree participants apply what they learned during training
when they are back on the job
Learning
• Sample questions:
o Have the trainees put any of their learnings to use?
Behavior o Are trainees able to teach their new knowledge, skills, or attitudes to
other people?
o Are trainees aware that they've changed their behavior?
Results
 Program Effectiveness Evaluation

Reaction • To what degree targeted outcomes occur as a result of the training event
and subsequent reinforcement

Learning • Sample key metrics to measure results:

o Improved work quality and productivity
o Improved business results (e.g., sales, customer satisfaction, and
Behavior
retention)
o Increased employee engagement, satisfaction, and retention
o Reduced production cost, duration, and error and rework
Results
 Key Takeaways

Information security governance provides strategic

direction and ensures security objectives are
achieved.

Security policy guides the security program in the

organization.

Information risk management is the process of

identifying and assessing the risk, reducing it to
an acceptable level, and implementing the right
mechanisms to maintain it at that level.

When selecting the right control to reduce a

particular risk, the functionality, viability, and the
available budget must be assessed. Also, a cost-
benefit analysis must be performed.
 Key Takeaways

Computer crimes refer to any crime that involves a

computer and a network.

An organization’s ability to respond to any disaster

and recover from disruptions depends on the
business continuity plan (BCP).
 This concludes Security and Risk Management.

The next domain is Asset Security.

CISSP® is a registered trademark of (ISC)² ®