CISSP Module 1 Summary: Security and Risk Management

  1. Fundamental Principles of Security (Security Objectives): the CIA Triad
    The CIA triad is a cornerstone of information security, guiding the implementation of measures to protect data and systems from a wide range of threats and vulnerabilities.
    ⦁ C - Confidentiality: This aspect of the triad focuses on ensuring that sensitive information is accessible only to authorized individuals or entities. It involves safeguarding data from unauthorized access, disclosure, or exposure.
    ⦁ I - Integrity: Integrity pertains to the trustworthiness and accuracy of data. It ensures that data remains unaltered and reliable throughout its lifecycle, safeguarding it from unauthorized modifications or tampering.
    ⦁ A - Availability: Availability ensures that data and services are consistently accessible and operational when needed. It safeguards against disruptions, downtime, and delays, making resources and systems accessible to authorized users.
  2. Balanced Security
    Different assets may have varying requirements: some demand strict confidentiality, others rely heavily on data integrity, and some necessitate uninterrupted availability.
    Here’s a brief list of controls and how they align with the components of the CIA triad.
    Confidentiality:
    ⦁ Encryption for data in transit (IPSec, TLS, PPTP, SSH)
    ⦁ Encryption for data at rest (whole disk, database encryption)
    ⦁ Access control (physical and technical)
    Integrity:
    ⦁ Access control (physical and technical)
    ⦁ Software digital signing
    ⦁ Hashing (data integrity)
    ⦁ Transmission cyclic redundancy check (CRC) functions
    ⦁ Configuration management (system integrity)
    ⦁ Change control (process integrity)
    Availability:
    ⦁ Co-location and offsite facilities
    ⦁ Rollback functions
    ⦁ Redundant array of independent disks (RAID)
    ⦁ Clustering
    ⦁ Load balancing
    ⦁ Failover configurations
    ⦁ Redundant data and power lines
    ⦁ Software and data backups
    ⦁ Disk shadowing
  3. Security Definitions
    The key terms used throughout this domain, in the context of security:
    ⦁ Threat: A threat refers to any potential danger or harmful event that may exploit vulnerabilities in a system or organization. Threats can come in various forms, such as cyberattacks, natural disasters, or human errors, and they have the potential to compromise the security of assets or data.
    ⦁ Vulnerability: A vulnerability is a weakness or flaw in a system, process, or component that can be exploited by a threat to breach security. Vulnerabilities can exist in software, hardware, procedures, or even human behavior and create opportunities for security breaches.
    ⦁ Risk: Risk represents the likelihood or probability of a threat exploiting a vulnerability, potentially resulting in harm or damage to an organization’s assets or objectives.
    ⦁ Exposure: Exposure relates to the state of being vulnerable or susceptible to risks and threats. It refers to the condition where assets, data, or systems are not adequately protected and can be harmed if a threat takes advantage of vulnerabilities.
    ⦁ Control: Controls are measures or countermeasures implemented to safeguard assets and mitigate risks. They can be technical, administrative, or physical in nature and are designed to prevent, detect, or respond to security threats. Controls aim to reduce vulnerabilities and manage exposure to risks effectively.
  4. Control Types
    Controls are essential for mitigating an organization’s risk and can be categorized into three primary types: administrative, technical, and physical.
    ⦁ Administrative Controls: These are management-oriented measures. Examples include security documentation, risk management, personnel security, and training.
    ⦁ Technical Controls: These controls involve software or hardware components, such as firewalls, intrusion detection systems (IDS), encryption, and identification and authentication mechanisms.
    ⦁ Physical Controls: These controls are implemented to safeguard facilities, personnel, and resources and include measures like security guards, locks, fencing, and adequate lighting.
    These three control categories collectively address a wide range of security needs within an organization. Controls can also be classified by the function they perform; there are six functional control types:

⦁ Preventive Controls:
Security controls created to prevent an attack.
⦁ Access Control: Prevents unauthorized access to systems and data by enforcing authentication and authorization measures, like passwords, biometrics, and access permissions.
⦁ Firewalls: These network security devices block unauthorized access and filter incoming and outgoing traffic based on predefined security rules.
⦁ Intrusion Prevention Systems (IPS): IPS identifies and prevents potential threats or attacks by monitoring network traffic for malicious activities.


⦁ Detective Controls:
Security controls created to detect an attack.
⦁ Intrusion Detection Systems (IDS): IDS monitors network or system activities to identify and alert on suspicious behavior or security incidents.
⦁ Security Information and Event Management (SIEM): SIEM solutions collect and analyze data from various sources to provide insights into security events and incidents.
⦁ Log Monitoring: Regularly reviewing and analyzing system logs can help detect security issues and breaches.
⦁ Vulnerability Scanning: Scans are conducted to identify weaknesses or vulnerabilities in systems and applications.

⦁ Corrective Controls:
Security controls created to fix or remediate the effects of an attack.
⦁ Incident Response Plans: These plans outline the steps to be taken when a security incident occurs, helping to contain, mitigate, and recover from security breaches.
⦁ Backup and Recovery: Regular backups and disaster recovery plans are essential for restoring systems and data after a security incident or system failure.
⦁ Patch Management: In addition to prevention, patch management also falls under corrective controls to fix vulnerabilities after they are discovered.
⦁ Access Revocation: When an employee leaves an organization or changes roles, their access to systems and data should be promptly revoked to prevent unauthorized access.


⦁ Deterrent Controls:
Security controls created to discourage an attacker from performing an attack.
⦁ Security Policies and Awareness Training: Security policies set expectations and guidelines, while awareness training educates employees about security best practices, acting as a deterrent against insider threats.
⦁ Physical Security Measures: Physical controls, like access cards and biometric systems, deter unauthorized personnel from entering secure areas.
⦁ Security Cameras: The presence of security cameras can deter both physical and cyber threats by acting as a visible surveillance measure.


⦁ Compensating Controls: Compensating controls are put in place when standard security measures may not be feasible or fully effective. They provide alternative safeguards to achieve the same security objectives. These controls should be carefully considered and documented in a risk management context.


⦁ Recovery Controls: Recovery Controls are a set of measures and strategies aimed at restoring normal operations after a security incident or disaster. They include data backup and restore procedures, disaster recovery plans, redundancy, failover systems, incident response plans, testing, and cloud-based recovery services. These controls are crucial for minimizing downtime, protecting data, and maintaining business continuity following disruptions.
Organizations need to implement a combination of these controls to create a comprehensive cybersecurity strategy. The choice of controls depends on the organization’s specific security needs, risk assessment, and compliance requirements.

  5. Security Framework
    The security program should be layered, with each layer supporting the one above it and providing protection to the layer below it. This layered approach allows organizations to incorporate different technologies, methods, and procedures into their security program, making it flexible and adaptable to changing needs. The goal is to build a strong and resilient security program, much like constructing a fortress based on a flexible and structured plan.
    ⦁ Security Program Development - ISO/IEC 27000 Series
    The ISO/IEC 27000 series is a comprehensive collection of international standards and guidelines related to information security management. These standards are designed to help organizations establish, implement, maintain, and continually improve their information security practices. The key components of the ISO/IEC 27000 series include:
    Information Security Management System (ISMS): ISO/IEC 27001 Security Controls
    Risk Management: ISO/IEC 27005 Guidance and Frameworks:
    Privacy Management: ISO/IEC
    Certification and Compliance: ISO/IEC
    ⦁ Enterprise Architecture Development
    Enterprise architecture involves the core elements of an organization, encompassing its structure and function. It represents the components, their interconnections, and their interactions with the external environment.
    ⦁ Zachman Framework Model:
    ⦁ Definition: The Zachman Framework, developed by John Zachman, is a structured approach for organizing and managing an organization’s enterprise architecture. It categorizes and standardizes the various perspectives of an enterprise, helping to improve communication, planning, and alignment.
    ⦁ Summary: The Zachman Framework provides a comprehensive perspective on enterprise architecture, breaking it down into six dimensions: What, How, Where, Who, When, and Why. This framework helps organizations understand and document their architecture from different viewpoints, enabling better decision-making.
    ⦁ TOGAF (The Open Group Architecture Framework):
    ⦁ Definition: TOGAF is a widely used methodology for developing and managing enterprise architectures. It offers a structured approach, a set of processes, and a framework to design, plan, and govern enterprise IT architecture.
    ⦁ Summary: TOGAF provides a detailed and comprehensive approach to enterprise architecture development. It consists of a systematic process for creating architecture and addressing various aspects, such as business, data, applications, and technology. TOGAF is known for its robust methodology and a set of best practices and enables designing an architecture for complex organizations such as banks and the military.
    ⦁ DoDAF (U.S. Department of Defense Architecture Framework):
    ⦁ Definition: DoDAF is a framework used by the U.S. Department of Defense to ensure the interoperability and alignment of systems and processes to meet military mission goals. It is designed to support mission-critical operations.
    ⦁ Summary: DoDAF is specifically tailored for the defense sector and focuses on creating architectures that enable effective military operations. It includes standardized viewpoints and data models to ensure systems and technologies work together seamlessly to achieve mission objectives.
    ⦁ MODAF (Ministry of Defence Architecture Framework):
    ⦁ Definition: MODAF is an architecture framework primarily used by the British Ministry of Defence. It is designed to support military support missions and the procurement and management of defense systems.
    ⦁ Summary: MODAF is specialized for military applications and emphasizes the design, development, and management of defense-related systems. It enables interoperability and efficiency in military support operations.
    ⦁ SABSA Model (Sherwood Applied Business Security Architecture):
    ⦁ Definition: The SABSA model is a methodology for developing information security enterprise architectures. It focuses on integrating security into the overall enterprise architecture to ensure comprehensive protection of information assets.
    ⦁ Summary: SABSA is a security-focused framework that helps organizations design and implement information security architectures. It emphasizes aligning security strategies with business objectives and managing security risks effectively.

Security Control Development

COBIT 5 (Control Objectives for Information and Related Technologies):

⦁ Explanation: COBIT 5 is a comprehensive business framework developed by ISACA (Information Systems Audit and Control Association) for managing and governing enterprise IT. It provides a set of guidelines and best practices to ensure effective IT management, align IT with business goals, and maintain governance and control over information and related technologies.
⦁ Summary: COBIT 5 is a framework that helps organizations maximize the value of their IT investments while managing risks and ensuring compliance with regulatory requirements. It offers a structured approach to IT governance and risk management, making it a valuable resource for organizations seeking to improve their IT-related processes.
NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53):

⦁ Explanation: NIST SP 800-53 is a set of security controls developed by the U.S. National Institute of Standards and Technology. It is primarily used to protect federal information systems and provides a comprehensive catalog of security controls and guidelines for federal agencies and organizations dealing with sensitive data.
⦁ Summary: NIST SP 800-53 serves as a critical resource for ensuring the security and protection of U.S. federal information systems. It covers a wide range of security controls and measures, making it a valuable reference for organizations seeking to enhance their information security posture, particularly in government-related contexts.
COSO Internal Control-Integrated Framework (Committee of Sponsoring Organizations of the Treadway Commission):

⦁ Explanation: The COSO Internal Control-Integrated Framework is a set of internal corporate controls developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Its primary purpose is to reduce the risk of financial fraud and ensure effective internal control over financial reporting.
⦁ Summary: COSO’s framework provides guidance and principles for establishing internal controls that help organizations prevent and detect financial fraud, errors, and irregularities. It is widely adopted in corporate governance and financial management to promote transparency, accountability, and reliability in financial reporting.
Process Management Development

ITIL (Information Technology Infrastructure Library):

⦁ Explanation: ITIL offers a framework for organizing and managing IT services to align them with business needs and improve overall service quality.
⦁ Summary: ITIL provides a structured approach to managing IT services throughout their lifecycle. It encompasses various processes and practices, enabling organizations to deliver effective and efficient IT services that support business objectives.
Six Sigma:

⦁ Explanation: Six Sigma is a business management strategy used to achieve process improvement and operational excellence. It emphasizes reducing defects and variations in processes, ultimately leading to better quality, increased efficiency, and enhanced customer satisfaction.
⦁ Summary: Six Sigma employs a data-driven and systematic approach to identify and eliminate process inefficiencies. By focusing on data analysis and problem-solving, organizations can enhance their processes and deliver higher-quality products and services.
CMMI (Capability Maturity Model Integration):

⦁ Explanation: CMMI is an organizational development model for process improvement developed by Carnegie Mellon University. It offers a framework to assess and enhance an organization’s capability to consistently and predictably deliver high-quality products and services.
⦁ Summary: CMMI provides a structured approach to assess and improve an organization’s processes, from initial ad hoc practices to well-defined, consistently managed processes. It enables organizations to achieve higher levels of process maturity and capability.

6. Functionality vs. Security
Functionality refers to the features and capabilities of a system or application that enable it to perform its intended tasks efficiently and effectively. It encompasses usability, performance, and the ability to meet business or operational requirements.
Security, on the other hand, focuses on protecting information and information systems from unauthorized access, disclosure, alteration, and destruction. It involves implementing controls and safeguards to mitigate risks and ensure the confidentiality, integrity, and availability of data and systems.
The challenge in information security is to strike a balance between functionality and security. While functionality is essential for meeting business objectives, security is necessary to protect against threats and vulnerabilities. The goal is to implement security measures that do not overly impede functionality but still provide adequate protection.

7. Laws, Regulations, and Directives
⦁ Federal Privacy Act (1974): This act safeguards personally identifiable information (PII) held in federal databases.
⦁ FISMA (Federal Information Security Management Act of 2002): This law mandates security measures for government information systems. It requires agencies to establish security policies, conduct assessments, and report on their cybersecurity efforts, enhancing the protection of federal information assets and promoting transparency in security management.
⦁ HIPAA (Health Insurance Portability and Accountability Act): HIPAA focuses on protecting health-related information and was amended to introduce data breach notification requirements.
⦁ HITECH (Health Information Technology for Economic and Clinical Health Act, 2009): HITECH amends HIPAA, updating privacy and security requirements, particularly for business associates handling protected health information (PHI).
⦁ GLBA (Gramm-Leach-Bliley Act): GLBA mandates the protection of consumers’ financial information, particularly related to credit services.
⦁ PCI DSS (Payment Card Industry Data Security Standard): It is a set of security standards designed to protect cardholder data and ensure secure payment card transactions. It requires organizations that handle credit card information to implement specific security measures, such as encryption, access controls, and regular security assessments, to prevent data breaches and fraud. Compliance with PCI DSS is essential for businesses that handle payment card transactions.
⦁ PIPEDA (Personal Information Protection and Electronic Documents Act): PIPEDA establishes guidelines for obtaining consent, safeguarding information, and providing access to personal data, contributing to data protection in Canada.
⦁ The USA PATRIOT Act of 2001: This U.S. legislation was enacted after the 9/11 attacks to enhance national security and counter-terrorism efforts. It grants authorities the power to conduct surveillance, collect intelligence, and investigate potential threats, particularly related to terrorism.
⦁ The Department of Veterans Affairs Information Security Protection Act: It aims to bolster the security of sensitive information held by the U.S. Department of Veterans Affairs (VA). It requires the VA to implement safeguards and security measures to protect veterans’ data, enhancing privacy and minimizing the risk of breaches or unauthorized access. The act underscores the importance of safeguarding veterans’ information within the VA’s systems.

8. Electronic Assets

The digital age has introduced the challenge of protecting intangible assets like data, which now tops the list of assets requiring safeguarding.

9. The Evolution of Attacks

Modern cybercriminals operate discreetly with specific objectives, focusing on activities like identity theft and financial fraud to stay under the radar.

Common Internet Crime Schemes

  • Auction fraud
  • Ponzi/pyramid schemes
  • Counterfeit cashier’s check
  • Debt elimination
  • Lotteries
  • Nigerian letter, or “419”
  • Third-party receiver of funds
  • Reshipping
  • Parcel courier e-mail scheme
  • Investment fraud
  • Employment/business opportunities
  • Escrow services fraud

10. International Law

The Council of Europe (CoE) Convention on Cybercrime is a pioneering international treaty that aims to combat cybercrime by harmonizing national laws and enhancing cross-border cooperation. It focuses on improving investigative methods and establishes a framework for jurisdiction and extradition, requiring that the crime be recognized in both jurisdictions for extradition to occur.

The Organisation for Economic Co-operation and Development (OECD) is an international organization that promotes economic growth, stability, and improved living standards among its member countries. Its core principles include:

  • Security Safeguards principle: Implement reasonable measures to protect data from loss, unauthorized access, modification, and disclosure.
  • Openness principle: Communicate data practices and policies transparently, allowing subjects to understand what data is held, how it’s used, and the identity of the organization in possession of that data.
  • Individual Participation principle: Individuals have the right to know if an organization possesses their personal information, access that information, rectify inaccuracies, and challenge refusals to do so.
  • Accountability principle: Organizations are responsible for adhering to the principles, ensuring compliance with data protection measures.
  • Collection Limitation principle: Personal data should be lawfully and fairly collected with the subject’s knowledge and limited in scope.
  • Data Quality principle: Maintain accurate, up-to-date, and relevant personal data.
  • Purpose Specification principle: Notify subjects of the intended use of their data and only use it for the stated purpose.
  • Use Limitation principle: Personal data should only be disclosed or used as per consent or legal authority and for the intended purpose.

The General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) regulation that governs the handling of personal data. Key provisions of GDPR include:

  1. Consent: Personal data cannot be used without explicit consent from data subjects.
  2. Right to Information: Data controllers and processors must inform data subjects about data usage.
  3. Right to Restrict Processing: Data subjects can permit data storage but restrict its processing.
  4. Right to be Forgotten: Data subjects can request permanent deletion of their personal data.
  5. Data Breach Reporting: Data controllers must report data breaches within 72 hours of discovery.

11. Import/Export Legal Requirements

Import and export legal requirements govern the international movement of goods and services, ensuring compliance with trade regulations, security, and customs laws. These requirements involve obtaining proper licenses, permits, and documentation, adhering to trade sanctions and embargoes, and accurately classifying products under the Harmonized System (HS) for customs purposes.

Wassenaar Arrangement: It is an international export control regime focused on restricting the export of certain dual-use goods and technologies, which can have both civilian and military applications.

12. Types of Legal Systems

  1. Civil (Code) Laws: Focus on the fundamental principles of a nation’s constitution, including the rights and powers of citizens and the government.
  2. Criminal Laws: Regulate behaviours that are harmful to society and carry penalties such as fines or imprisonment.
  3. Civil (Tort) Laws: Address civil wrongs or injuries caused by one party to another, resulting in legal liability.
  4. Administrative Laws: Govern the activities and procedures of government agencies, ensuring they act within their authority.
  5. Common Law System: Evolved in England and was later adopted by many countries, including the United States. Relies on judicial decisions and precedents to interpret and apply the law. Judges have a significant role in shaping legal principles and rulings. Emphasizes flexibility and adaptability over rigid codes.
  6. Customary Law System: Based on long-standing cultural traditions and practices. Typically oral, passed down through generations. Often governs matters related to family, property, and community disputes. Prevalent in indigenous societies and some African countries.
  7. Religious Law System: Derived from religious texts and beliefs. The legal system is intertwined with religious teachings and moral codes. Often found in countries where a specific religion is the dominant or official faith. Examples include Islamic Sharia law and Canon law in the Christian tradition.
  8. Mixed Law System: Combines elements of multiple legal systems, often due to historical influences. May blend common law and civil law or incorporate elements of religious or customary law.

13. Intellectual Property Laws

Intellectual Property (IP) law is a legal framework that safeguards the creations of the human mind and provides exclusive rights to individuals or entities for their innovative and original works. It encompasses various forms of intangible assets, including patents, copyrights, trademarks, trade secrets, and more. IP law grants creators and inventors the right to control and profit from their intellectual creations, while also protecting against unauthorized use or duplication by others. This legal framework promotes innovation and creativity by offering legal protection for intellectual property and encouraging investment in research, development, and artistic expression.

Trademarks:

  • Trademarks are identifiers for companies and products.
  • They are automatically protected, and the ™ symbol can be used publicly.
  • Registering with the US Patent and Trademark Office allows use of the ® symbol.
  • Trademarks should not be confusingly similar to others and should not be descriptive.

Patents:

  • Patents protect inventors’ IP rights for 20 years.
  • Inventions must be new, useful, and non-obvious.
  • Patent trolls manipulate patents for monetary gain.
  • Software products are often treated as trade secrets due to patent limitations.

Trade Secrets:

  • Trade secrets are critical, confidential business information.
  • Disclosure can result in significant damage.
  • They are protected by nondisclosure agreements (NDAs).
  • Trade secrets are not publicly disclosed, in contrast to patents and copyrights.

Copyright:

  • Copyright is a legal protection for original works of authorship.
  • It covers various creative forms, including literary, musical, and artistic works.
  • Copyright is automatic upon creation; registration is not required.
  • It grants creators exclusive rights to reproduce, distribute, and display their work.
  • Works for hire grant copyright to employers.
  • Copyrights typically last for 70 years after the last author’s death.
  • The Digital Millennium Copyright Act (DMCA) addresses digital copyright issues and protections.

Internal Protection of Intellectual Property:

  • Implementing access controls and limited permissions to sensitive IP.
  • Educating employees about the importance of IP protection and their role.
  • Using non-disclosure agreements (NDAs) for confidential information.
  • Employing secure storage and backup systems to prevent data loss.
  • Regularly monitoring and auditing access to intellectual property.
  • Establishing clear IP policies and procedures within the organization.

Software Piracy:

  • Unauthorized copying, distribution, or use of software without proper licensing.
  • Deprives software developers of revenue and violates copyright laws.
  • Common forms include downloading cracked software, sharing license keys, and using unlicensed copies.
  • Impacts both individuals and businesses, leading to legal consequences.
  • Industry initiatives and software licensing models aim to combat piracy.
  • Piracy can result in financial losses and security risks.

Privacy:

  • Privacy refers to an individual’s right to control their personal information and protect it from unwanted intrusion.
  • It encompasses the confidentiality, security, and autonomy of personal data.
  • Privacy is essential for safeguarding personal freedoms, dignity, and personal relationships.
  • It applies to various aspects of life, including personal, financial, and online privacy.
  • Privacy concerns have escalated in the digital age with the proliferation of data collection and online activities.

Increasing Need for Privacy Laws:

  • Technological advancements and data-driven industries have heightened the collection and sharing of personal data.
  • Privacy breaches, cybercrimes, and identity theft have become more prevalent, underscoring the need for legal protection.
  • New technologies like biometrics, IoT, and AI have expanded the scope of privacy risks.
  • The public’s awareness of privacy issues has grown, prompting calls for more stringent regulations.
  • Privacy laws, such as the GDPR and PIPEDA, aim to establish clear rules and accountability for the handling of personal data in the digital era.

Data Breach:

  • Unauthorized access, disclosure, or loss of sensitive data, posing risks to individuals and organizations.

14. Policies, Standards, Baselines, Guidelines, and Procedures

  • Policies: High-level, strategic guidelines that outline an organization’s approach to managing data security and privacy. Categories of policies are:
  1. Regulatory Policy: Regulatory policies are rules and guidelines set by governing bodies or authorities to legally enforce specific behaviours, actions, or standards. They often carry legal consequences and are binding for those they apply to.
  2. Advisory Policy: Advisory policies provide recommendations, suggestions, or best practices to guide behaviour or decision-making. They are not legally binding but serve as valuable guidance for achieving specific goals or compliance.
  3. Informative Policy: Informative policies are documents that provide information or education on a particular topic or issue. They aim to increase awareness and understanding without imposing rules or recommendations.
  • Standards: Specific, detailed requirements that must be followed to achieve compliance with policies.
  • Baselines: Minimum security requirements or performance standards for a specific area of data protection.
  • Guidelines: Suggested best practices or recommendations for achieving a particular goal, offering flexibility.
  • Procedures: Step-by-step instructions for implementing specific actions or processes in alignment with policies and standards.

Security Policy: A security policy is a documented set of rules, guidelines, and principles that outline an organization’s approach to safeguarding its assets, data, and systems. It serves as a foundation for establishing security measures, controls, and procedures to protect against various threats and vulnerabilities.

15. Risk Management

Risk management is a crucial process that involves identifying, assessing, and mitigating or transferring risks to reduce their probability or impact. Understanding and evaluating risks are vital for the success of a security program. This involves assessing assets, identifying threats and vulnerabilities, and prioritizing risks. By assigning a value to each risk, informed decisions can be made regarding the best mitigation methods. Ongoing evaluation is essential as new threats continually emerge, requiring security professionals to stay updated and vigilant.

Risk Management Lifecycle:

  1. Risk Assessment: Involves system characterization, threat and vulnerability identification, and determining the likelihood and impact of risk events.
  2. Risk Analysis: Can be qualitative (using subjective terms) or quantitative (using numerical values) to assess risks.
  3. Mitigating Risk: Organizations can reduce, transfer, accept, or avoid risks.
  4. Residual Risk: The remaining risk after mitigation is performed.

Risk Perspectives:

  • Asset-based risk management focuses on protecting assets.
  • Outcomes-based risk management assesses risks based on desired outcomes.
  • Process-based risk management emphasizes safety outcomes.
  • Vulnerability-based risk management revolves around inherent weaknesses.
  • Threat-based risk management considers the entities that can perform attacks.

Risk Analysis:

  • Management prioritizes and decides how to handle risks, such as mitigation, acceptance, transfer, or avoidance.
  • Risk can be rated using impact, likelihood, and exposure.
  • Qualitative analysis is opinion-based, while quantitative analysis uses numeric values.
  • Simulations, like penetration testing, provide quantitative data.

Risk Measurement Model:

  • Asset Value (AV) is an asset’s worth.
  • Exposure Factor (EF) is the percentage of an asset that could be lost.
  • Single Loss Expectancy (SLE) is AV multiplied by EF.
  • The Annual Rate of Occurrence (ARO) indicates how often a risk event might occur.
  • The Annual Loss Expectancy (ALE) is SLE multiplied by ARO, representing potential annual losses.

Via Contracts:

  • Minimum security requirements form the baseline security configuration.
  • Service Level Agreements (SLAs) are part of contracts and contain enforceable metrics for services or products.

Quantitative Risk:

Quantitative risk assessment involves assigning numerical values to various risk factors, allowing for a more precise and objective evaluation of risk. It’s particularly useful for making data-driven decisions and conducting cost-benefit analyses. Key components include:

  1. Single Loss Expectancy (SLE): This is the expected monetary loss from a single occurrence of a risk event. The formula for SLE is SLE = Asset Value (AV) x Exposure Factor (EF).
    • AV: The monetary value of the asset.
    • EF: The percentage of the asset’s value that could be lost if a risk event occurs.
  2. Annual Rate of Occurrence (ARO): ARO represents the expected number of times a specific risk event is likely to occur in a year. It’s typically expressed as a decimal.
  3. Annual Loss Expectancy (ALE): ALE calculates the expected annual loss from a risk event. The formula for ALE is ALE = SLE x ARO.

Quantitative risk analysis provides concrete values that help organizations prioritize risks and make informed decisions regarding mitigation strategies.
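The following worked example is added to this summary (it is not code from the CISSP guide or from the author); it carries the Risk Measurement Model and Quantitative Risk formulas above (SLE = AV x EF, ALE = SLE x ARO) through on constructed figures and goes one step beyond the page by computing the net value of a safeguard as (ALE before) minus (ALE after) minus the safeguard's annual cost, the usual cost-benefit test for a control. All asset names, values, exposure factors and frequencies are constructed.

```python
"""Quantitative risk figures (SLE, ARO, ALE) plus a safeguard cost-benefit check.

Added worked example for this summary; not from the CISSP guide itself.
Every asset, value and frequency below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RiskScenario:
    """One threat acting on one asset, using the inputs defined on the page."""
    name: str
    asset_value: float       # AV: monetary value of the asset
    exposure_factor: float   # EF: fraction of AV lost per event (0.0 .. 1.0)
    events_per_year: float   # ARO: expected occurrences per year, as a decimal

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.events_per_year < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.events_per_year


def aro_from_interval(years_between_events: float) -> float:
    """Turn 'about once every N years' into the decimal ARO the page describes."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost.

    A positive result means the control saves more than it costs. This is the
    standard cost-benefit formula; it is assumed here, not spelled out on the page.
    """
    return before.ale() - after.ale() - annual_cost


def rank_by_ale(scenarios: Iterable[RiskScenario]) -> List[RiskScenario]:
    """Order scenarios by ALE, highest first, to prioritise mitigation work."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


if __name__ == "__main__":
    # Constructed: a database server worth $200,000; a ransomware event is
    # estimated to destroy 60% of that value and to occur about once in 4 years.
    ransomware = RiskScenario("ransomware on DB server", 200_000, 0.60, aro_from_interval(4))
    # Constructed: a power outage loses 10% of the value, roughly twice a year.
    outage = RiskScenario("power outage on DB server", 200_000, 0.10, 2.0)
    for s in rank_by_ale([ransomware, outage]):
        print(f"{s.name}: SLE=${s.sle():,.0f} ARO={s.events_per_year} ALE=${s.ale():,.0f}")
    # Constructed: tested offline backups cut the ransomware EF to 15% for $10,000/year.
    with_backups = RiskScenario(ransomware.name, 200_000, 0.15, ransomware.events_per_year)
    print(f"backup safeguard net value: ${safeguard_value(ransomware, with_backups, 10_000):,.0f}")
```

Note that the ranking surprises people the first time: the outage (SLE $20,000 but ARO 2.0, ALE $40,000) outranks ransomware (SLE $120,000 but ARO 0.25, ALE $30,000), which is exactly why ALE rather than SLE drives prioritisation.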

Qualitative Risk:

Qualitative risk analysis typically uses terms like “high,” “medium,” and “low” to describe the likelihood and severity of risk events.
In qualitative risk analysis, risks are not quantified numerically but are ranked and categorized based on expert judgment and experience. This approach is useful for quick, high-level risk assessments and for gaining an initial understanding of the risk landscape. However, it may not be as effective for precise risk management or decision-making as quantitative methods.

Business Continuity and Disaster Recovery:

Business Continuity (BC): BC focuses on ensuring that essential business functions continue to operate during and after disruptions. It includes measures to maintain core operations, safeguard critical data, and reduce the impact of disruptions on business processes. BC planning encompasses activities like risk assessments, business impact analysis, and the development of strategies for continuity, such as alternate facilities, data backup, and remote working solutions.


Disaster Recovery (DR): DR is a subset of BC that deals specifically with recovering IT systems and data after a disaster or significant disruption. It involves the creation of comprehensive recovery plans, backup and restore procedures, and testing to ensure data and systems can be quickly restored to minimize downtime. DR aims to mitigate the risks posed by hardware failures, data corruption, natural disasters, or malicious attacks.

Disaster Recovery Plan (DRP): DRP is a documented strategy and set of procedures designed to restore an organization’s IT systems, data, and technology infrastructure in the event of a disaster or significant disruption. This plan focuses on mitigating the impact of IT-related incidents, such as hardware failures, data breaches, natural disasters, or cyberattacks.
Key elements of a DRP typically include data backup and recovery procedures, redundant hardware and software systems, offsite data storage, and testing and validation of recovery processes. The primary goal of a DRP is to minimize downtime and data loss and to ensure the rapid recovery of critical IT systems and services.

Business Continuity Plan (BCP): BCP is a comprehensive strategy and framework that addresses the organization’s ability to continue essential business operations in the face of various disruptions, including IT-related incidents, natural disasters, cyber threats, or other crises. BCP is broader in scope than a DRP and encompasses all aspects of business operations.

Business Continuity Management (BCM): It involves the development, implementation, and maintenance of strategies, plans, and procedures to safeguard an organization’s ability to operate effectively, even when faced with unexpected and potentially disruptive events. BCM encompasses various components, such as risk assessment, business impact analysis, continuity planning, and ongoing testing and training. It extends beyond IT recovery and includes all aspects of an organization’s operations.
Key Components of BCM:
  • Risk Assessment: Identify and assess potential risks and threats that could disrupt business operations. These can range from natural disasters to cyberattacks and supply chain interruptions.
  • Business Impact Analysis (BIA): Determine the critical functions and processes that are vital for the organization’s survival. Understand the financial, operational, and reputational impact of disruptions to these functions.
  • Continuity Planning: Develop detailed plans and strategies to ensure the uninterrupted operation of critical functions. This includes crisis management, emergency response, and recovery plans.
  • Crisis Management and Communication: Establish procedures and teams for effectively managing and communicating during a crisis to minimize confusion and ensure a coordinated response.
  • Testing and Exercises: Regularly test and conduct drills to validate the effectiveness of continuity plans and train employees on their roles during a disruption.
  • Training and Awareness: Ensure that employees are aware of the BCM processes, their roles in executing the plans, and are adequately trained to respond to disruptions.
  • Documentation and Documentation Management: Maintain up-to-date documentation of all BCM-related activities, plans, and procedures.

Contingency Planning: It plays a crucial role in safeguarding an organization’s ability to respond effectively to unforeseen events, minimize downtime, protect assets, and ensure the continuity of essential functions.

NIST SP 800-34, Revision 1, is a document from the National Institute of Standards and Technology (NIST). It provides guidance on contingency planning for federal information systems. This guide helps federal agencies establish plans and procedures to ensure the availability and resilience of critical information systems in case of disruptions or disasters.
Relevant standards include ISO 22301 (specifies requirements for a BCM system), ISO 22313 (provides guidance for incident response and recovery), ISO 27031 (focuses on IT continuity), and ISO 22317 (offers guidelines for business impact analysis).

Business Continuity Institute’s Good Practice Guidelines (GPG): It is a globally recognized framework for BCM. BCI’s GPG provides detailed guidance and best practices for establishing and maintaining effective business continuity programs within organizations.

Business Continuity Planning (BCP) Project Components: BCP project components refer to the key elements that make up a comprehensive business continuity plan. They include risk assessment, business impact analysis (BIA), continuity planning and strategy development, crisis management, recovery and resumption plans, testing and training, communication plans, documentation, and ongoing maintenance and improvement. Understanding these components is crucial for effective BCP.

The “Scope of the Project” in Business Continuity Planning (BCP) refers to the clearly defined boundaries and objectives of the planning effort within an organization. It outlines what parts of the organization and its operations will be covered by the BCP and what specific goals the plan aims to achieve. The scope is a critical element in the BCP process, and it helps ensure that the planning effort is well-defined, focused, and aligned with the organization’s priorities and resources.


A BCP policy is a foundational document that outlines an organization’s commitment to business continuity and sets the strategic direction for the BCP program.
Creating a Business Continuity Planning (BCP) policy involves several concise steps:

  1. Initiate: Recognize the need for a BCP policy and gain management support.
  2. Define Objectives: Clearly state BCP policy objectives in alignment with business goals.
  3. Appoint a Policy Owner: Assign responsibility for the policy to a designated individual or team.
  4. Scope: Specify the areas, functions, and processes covered by the policy.
  5. Compliance: Ensure the policy complies with regulations and standards.
  6. Risk Assessment: Evaluate risks and threats that may impact business continuity.
  7. Roles and Responsibilities: Define the responsibilities of BCP program stakeholders.
  8. Resources and Budget: Allocate resources and budget for BCP planning and activities.
  9. Incident Response: Describe how incidents will be reported and managed.
  10. Testing: Outline the frequency and types of testing and exercises.
  11. Communication: Address communication during disruptions.
  12. Documentation: Stress the importance of accurate record-keeping.
  13. Review: Set a schedule for policy review and revision.
  14. Approval: Seek senior management approval and implement the policy.
  15. Training and Awareness: Ensure personnel are aware and adequately trained.

Project Management:
Project management in BCP involves the structured planning, execution, and control of activities to develop and maintain effective business continuity plans. It ensures that BCP projects are well-organized, meet their objectives, and are completed on time and within budget. Project management in BCP encompasses tasks like risk assessment, business impact analysis, plan development, testing, and training.


SWOT Analysis in BCP:

A SWOT analysis is a strategic planning tool used to assess an organization’s Strengths, Weaknesses, Opportunities, and Threats. When applied to BCP project management, it provides a comprehensive evaluation of the project’s internal and external factors:


Strengths (S): These are the positive attributes and resources within the BCP project. For example, experienced project managers, sufficient budget, and strong stakeholder support.

Weaknesses (W): These are internal challenges and limitations. In the context of BCP project management, this may include a lack of expertise, limited resources, or inadequate communication.

Opportunities (O): These are external factors that can benefit the project. Opportunities may include favorable regulatory changes, advanced BCP technologies, or new training methods.

Threats (T): Threats are external factors that could hinder the project’s success. In BCP, this might involve emerging risks, such as evolving cybersecurity threats, changing regulations, or supply chain disruptions.

By conducting a SWOT analysis in BCP project management, you can identify areas of focus and develop strategies to leverage strengths, address weaknesses, seize opportunities, and mitigate threats. This analysis helps in making informed decisions to improve the effectiveness and resilience of the BCP program.

Business Continuity Planning Requirements: BCP requirements in the context of CISSP encompass the essential criteria and components necessary for creating a robust Business Continuity Plan. This includes defining the scope of the plan, setting clear objectives, identifying and prioritizing critical business functions, allocating necessary resources, establishing testing and communication plans, maintaining thorough documentation, and ensuring compliance with relevant regulations. BCP requirements are vital for building a comprehensive strategy to maintain business operations during disruptions and recover effectively.

Business Impact Analysis (BIA): Business Impact Analysis, or BIA, is a fundamental step within Business Continuity Planning (BCP) that evaluates and quantifies the potential consequences of disruptions on an organization’s vital business functions. This process identifies these critical functions, assesses the impact of various disruptions (e.g., financial losses, operational disruptions, legal issues), sets priorities for recovery, determines resource requirements, and documents the results. BIA helps organizations prioritize their recovery efforts and allocate resources effectively to ensure continuity in the face of unexpected events.

Risk Assessment: Risk assessment in the context of Business Continuity Planning (BCP) is the process of identifying, analyzing, and evaluating potential risks and threats that could impact an organization’s operations. It involves understanding the likelihood and potential impact of these risks on critical business functions and processes, providing a basis for informed decision-making in risk mitigation and continuity planning.

Risk Evaluation: Risk evaluation within BCP involves assessing the risks identified during the risk assessment process to determine their significance and potential consequences. This evaluation helps prioritize risks based on their severity and likelihood of occurrence, enabling organizations to allocate resources and implement strategies to manage and mitigate the most critical risks effectively.


Assigning Values to Assets: In BCP, assigning values to assets involves determining the significance of organizational assets for the continuity of business operations. This assessment helps prioritize assets based on their criticality and impact on the organization’s functions. Valuable assets, including data, systems, and physical resources, are identified to ensure that resources are allocated appropriately for protection and recovery in the event of a disruption.


MTD (Maximum Tolerable Downtime): MTD is the maximum allowable duration an organization can endure a disruption or downtime for a specific asset before it significantly affects its operations. Assigning MTD values to assets helps in defining the acceptable recovery timeframes and the level of effort required to ensure that downtime remains within acceptable limits.

MPTD (Maximum Point of Tolerable Disruption): MPTD represents the threshold beyond which a disruption to an asset would lead to unacceptable consequences for an organization. Assigning MPTD values to assets sets the point at which a disruption becomes intolerable, triggering the need for immediate recovery efforts. It helps in determining the criticality of assets and the urgency of their restoration to maintain business continuity.

Interdependencies: Interdependencies in BCP refer to the relationships and dependencies between various business processes, systems, and functions. Identifying and understanding these interdependencies is critical for creating effective business continuity plans. It ensures that all critical elements are considered, and the organization can maintain essential operations during disruptions.
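The example below is added to this summary and is not code from the CISSP guide or its author. It shows the two things a BIA has to get right from the paragraphs above: an asset's declared MTD is only meaningful if every asset it depends on can be restored at least as fast (if the portal may be down for 4 hours but the database it needs may be down for 24, the portal's MTD is fiction), and the recovery sequence must restore dependencies before dependents. The inventory, MTD values (hours) and dependency links are constructed; the two functions generalise to any dependency graph and flag circular dependencies, which a BIA has to resolve by hand.

```python
"""BIA helpers: propagate MTDs through interdependencies and derive a recovery order.

Added worked example for this summary; not from the CISSP guide. The asset
inventory, MTD values (in hours) and dependency links are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed BIA inventory: maximum tolerable downtime, in hours, per asset.
ASSET_MTD_HOURS: Dict[str, float] = {
    "customer web portal": 4,
    "order database": 24,
    "auth service": 8,
    "email": 72,
    "payroll": 168,
}

# Constructed interdependencies: asset -> assets it cannot operate without.
DEPENDS_ON: Dict[str, Set[str]] = {
    "customer web portal": {"order database", "auth service"},
    "email": {"auth service"},
    "payroll": {"auth service", "email"},
}


def _check_names(mtd: Dict[str, float], depends_on: Dict[str, Set[str]]) -> None:
    """Every asset named in a dependency must have an MTD entry."""
    named = set(depends_on) | {d for deps in depends_on.values() for d in deps}
    unknown = named - set(mtd)
    if unknown:
        raise ValueError(f"dependencies reference assets without an MTD: {sorted(unknown)}")


def tightened_mtd(mtd: Dict[str, float], depends_on: Dict[str, Set[str]]) -> Dict[str, float]:
    """Propagate MTDs down the dependency graph.

    If A depends on B, B being down also takes A down, so B's real MTD can be
    no longer than A's (transitively). A fixed-point loop is simple and fine
    for inventories of BIA size.
    """
    _check_names(mtd, depends_on)
    dependents: Dict[str, Set[str]] = defaultdict(set)
    for asset, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(asset)
    result = dict(mtd)
    changed = True
    while changed:
        changed = False
        for asset in result:
            for user in dependents.get(asset, ()):
                if result[user] < result[asset]:
                    result[asset] = result[user]
                    changed = True
    return result


def mtd_conflicts(mtd: Dict[str, float], depends_on: Dict[str, Set[str]]) -> List[Tuple[str, float, float]]:
    """(asset, declared MTD, required MTD) for every asset whose declared MTD is
    looser than what the assets depending on it can tolerate."""
    tight = tightened_mtd(mtd, depends_on)
    return sorted((a, mtd[a], tight[a]) for a in mtd if tight[a] < mtd[a])


def recovery_order(mtd: Dict[str, float], depends_on: Dict[str, Set[str]]) -> List[str]:
    """Recovery sequence: an asset is restored only after everything it depends
    on; among assets that are ready, the shortest MTD goes first.
    Raises ValueError on a circular dependency, which the BIA must resolve."""
    _check_names(mtd, depends_on)
    remaining = set(mtd)
    done: List[str] = []
    while remaining:
        ready = [a for a in remaining if depends_on.get(a, set()) <= set(done)]
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        nxt = min(ready, key=lambda a: (mtd[a], a))   # tie-break by name for determinism
        done.append(nxt)
        remaining.remove(nxt)
    return done


if __name__ == "__main__":
    for asset, declared, required in mtd_conflicts(ASSET_MTD_HOURS, DEPENDS_ON):
        print(f"{asset}: declared MTD {declared}h must be tightened to {required}h")
    print("recovery order:", recovery_order(tightened_mtd(ASSET_MTD_HOURS, DEPENDS_ON), DEPENDS_ON))
```

On the constructed inventory both the order database (24h) and the auth service (8h) are flagged, because the portal that depends on them tolerates only 4h; the derived recovery order restores the auth service and database first, then the portal, and leaves email and payroll, whose MTDs are days, for last.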

Personnel Security: Personnel security involves safeguarding an organization’s information assets by addressing the human element. It includes practices such as background checks, security clearances, and awareness training to protect against insider threats and ensure that personnel adhere to security policies and procedures.

Rotation of Duties: Rotation of duties is a security practice where employees periodically switch roles or responsibilities to prevent fraud or misconduct by reducing the likelihood of any single individual having prolonged access to sensitive systems or information.

Separation of Duties: Separation of duties is a control principle that ensures critical tasks are divided among multiple individuals, reducing the risk of unauthorized activities. It enforces a checks-and-balances approach within an organization.

Collusion: Collusion refers to unethical cooperation or conspiracy among individuals to bypass security controls or commit fraudulent activities. It often involves two or more parties working together to achieve a malicious goal.

Dual Control: Dual control is a security practice that requires the presence of at least two authorized individuals to perform a sensitive or critical operation, ensuring accountability and reducing the risk of misuse or fraud.

Split Knowledge: Split knowledge is a security measure where sensitive information is divided into multiple components, with each component held by a different person or system. Combining these components is necessary to access the information.
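The block below is an added example for this summary, not code from the CISSP guide or its author, showing what separation of duties, dual control and split knowledge look like when enforced by a system rather than by a paragraph in a policy. The user names, the two roles and the idea of a payment release operation are constructed assumptions. Separation of duties is checked as a role-conflict report, dual control as "two distinct approvers holding the approver role, neither of whom is the requester", so that bypassing it now takes the collusion the page describes, and split knowledge as XOR secret sharing, where every share is required and any smaller set of shares is statistically indistinguishable from random.

```python
"""Separation of duties, dual control and split knowledge, enforced in code.

Added worked example for this summary; not from the CISSP guide. User names,
role names and the payment-release scenario are constructed.
"""
import secrets
from typing import Dict, Iterable, List, Set, Tuple

# Constructed role assignments: who holds which role.
ROLES: Dict[str, Set[str]] = {
    "alice": {"payments-initiator"},
    "bob": {"payments-approver"},
    "carol": {"payments-approver"},
    "dave": {"payments-initiator", "payments-approver"},  # holds both conflicting roles
}

# Constructed list of role pairs the organisation has declared incompatible.
CONFLICTING_ROLES: List[Tuple[str, str]] = [("payments-initiator", "payments-approver")]


def separation_of_duties_violations(roles: Dict[str, Set[str]],
                                    conflicting: Iterable[Tuple[str, str]]) -> List[str]:
    """Users who hold both halves of any declared conflicting role pair."""
    conflicts = list(conflicting)
    return sorted(user for user, held in roles.items()
                  if any(a in held and b in held for a, b in conflicts))


def dual_control_authorized(requester: str, approvers: Iterable[str], roles: Dict[str, Set[str]],
                            approver_role: str = "payments-approver", required: int = 2) -> bool:
    """Dual control: at least `required` distinct approvers, each holding the
    approver role, and none of them the requester. Repeating one approver or
    self-approving does not count, so defeating this needs real collusion."""
    distinct = {a for a in approvers
                if a != requester and approver_role in roles.get(a, set())}
    return len(distinct) >= required


def split_secret(secret: bytes, parts: int = 2) -> List[bytes]:
    """Split knowledge via XOR shares: all `parts` shares are needed to rebuild
    the secret; any fewer reveal nothing, because each share alone is uniform."""
    if parts < 2:
        raise ValueError("split knowledge needs at least two holders")
    shares = [secrets.token_bytes(len(secret)) for _ in range(parts - 1)]
    last = secret
    for share in shares:                     # last = secret XOR share_1 XOR ... XOR share_{n-1}
        last = bytes(x ^ y for x, y in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR every share together; with all shares present this yields the secret."""
    if not shares:
        raise ValueError("no shares supplied")
    acc = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(acc):
            raise ValueError("share lengths differ")
        acc = bytes(x ^ y for x, y in zip(acc, share))
    return acc


if __name__ == "__main__":
    print("SoD violations:", separation_of_duties_violations(ROLES, CONFLICTING_ROLES))
    print("alice, approved by bob+carol:", dual_control_authorized("alice", ["bob", "carol"], ROLES))
    print("alice, approved by bob twice:", dual_control_authorized("alice", ["bob", "bob"], ROLES))
    key = b"constructed master key material"
    halves = split_secret(key, 2)
    print("recombined ok:", combine_shares(halves) == key)
```

The XOR construction is the textbook illustration of split knowledge; for real key custody you would use a threshold scheme (k of n shares) and hardware-backed storage, but the property being taught is the same: no single holder can reconstruct the secret.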

Mandatory Vacation: Mandatory vacation is a security control that requires employees to take time off from work, during which their responsibilities are temporarily reassigned. Irregularities or unauthorized activities that an employee has been concealing tend to surface while someone else performs their duties.

Hiring Practices: Hiring practices focus on the recruitment and selection of employees who can meet security requirements. This includes conducting background checks, assessing candidates’ security knowledge, and ensuring they align with the organization’s security culture and policies.


Onboarding: Onboarding is the process of integrating new employees into an organization. From a security perspective, it involves educating new hires about security policies, procedures, and best practices to ensure they are aware of their role in maintaining a secure environment.

Termination: Termination refers to the process of ending an employee’s association with an organization. Proper termination procedures involve revoking access to systems, data, and physical facilities to prevent unauthorized access or data breaches upon an employee’s departure. This ensures that departing employees do not pose security risks to the organization.

Ethics: Ethics are a fundamental aspect of a successful security program, emphasizing adherence to rules and the avoidance of harm. They are best enforced through corporate policies, ensuring consistent ethical behavior across an organization. CISSP candidates must understand and comply with the ISC2 Code of Professional Ethics, a global standard, and are likely to encounter related questions on the CISSP exam. The Preamble and the Code of Professional Ethics Canons should be thoroughly understood and followed in both corporate and industry contexts, and memorized in the order they are presented.


ISC2 Code of Ethics Preamble:

The safety and welfare of society and the common good, the duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

ISC2 Code of Ethics Canons:

The ISC2 Code of Ethics consists of the Canons outlined here:
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

The Computer Ethics Institute:

The Computer Ethics Institute, now known as the Institute for Business and Professional Ethics, published the “Ten Commandments of Computer Ethics” in 1992. These guidelines provide ethical principles for the responsible use of computer technology.

Here are the Ten Commandments:
  1. Thou shalt not use a computer to harm people: Do not engage in activities that harm individuals or their property through the use of computer technology.
  2. Thou shalt not interfere with other people’s computer work: Avoid disrupting or tampering with others’ data, files, or computer systems.
  3. Thou shalt not snoop around in other people’s computer files: Respect individuals’ privacy and do not access or read their files without permission.
  4. Thou shalt not use a computer to steal: Refrain from unauthorized access, data theft, or fraudulent activities using computer technology.
  5. Thou shalt not use a computer to bear false witness: Avoid spreading false information, rumors, or engaging in deceptive practices online.
  6. Thou shalt not copy or use proprietary software for which you have not paid: Adhere to copyright and licensing agreements when using software, ensuring that you have the proper permissions.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation: Do not use computer resources, including processing power and network bandwidth, without permission or payment.
  8. Thou shalt not appropriate other people’s intellectual output: Respect intellectual property rights and give credit to the creators of content or ideas you use.
  9. Thou shalt think about the social consequences of the program you write or the system you design: Consider the potential impact of your work on society and take steps to minimize negative consequences.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans: Prioritize ethical conduct, empathy, and respect for others when using computer technology.

These commandments serve as a guideline for ethical behavior in the digital age and emphasize the importance of responsible and respectful use of computer resources and technology.

Internet Architecture Board (IAB): The IAB is a part of the Internet Society (ISOC) that provides oversight and guidance on the architecture of the Internet. It plays a significant role in shaping the design and development of the Internet’s protocols and standards. The IAB works closely with the Internet Engineering Task Force (IETF) and other organizations to ensure the continued stability, security, and efficiency of the Internet’s infrastructure.

RFC 1087: RFC 1087, titled “Ethics and the Internet,” is an informational document within the Request for Comments (RFC) series. Published in January 1989, RFC 1087 addresses ethical considerations and principles related to the use of the Internet. It emphasizes the importance of responsible and ethical behavior in online interactions and communications. This RFC serves as a reminder of the ethical aspects of using the Internet and encourages good conduct in the digital realm.

Corporate Ethics Program: A corporate ethics program is a structured framework within an organization that promotes and enforces ethical behavior and values among its employees and stakeholders. It encompasses policies, procedures, and training to ensure that individuals adhere to ethical standards, conduct themselves responsibly, and make ethical decisions in the context of information security and data protection.

References:

Shon Harris, CISSP All-in-One Exam Guide

Author: Manvir Kaur (manvir@globaldigitalsecurity.ca)
