DOMAIN 1- SECURITY AND RISK MANAGEMENT
1.3 Evaluate and apply security governance principles Security control frameworks ISO/IEC 27002
"Security Techniques- Code of Practice for information security controls". Guidelines for organizations to select, implement, and manage security controls based on their own security risk profile. Provides best practices to build and maintain an ISMS.
1.3 Evaluate and apply security governance principles Security control frameworks NIST 800-53
"Security and Privacy Controls for Federal Information Systems and Organizations". Aids US government agencies in managing their security programs and has the most comprehensive baselines of security controls.
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements US Computer Security Act of 1987?
(Repealed and replaced by FISMA in 2002.) Contains provisions that require the establishment of minimally acceptable security practices for federal government computer systems. Security training was established as a requirement for any federal government employee using government systems.
1.1 ISC2 Code of Ethics Canons
1) Protect society, the common good, necessary public trust and confidence, and the infrastructure. 2) Act honorably, honestly, justly, responsibly, and legally. 3) Provide diligent and competent service to principals. 4) Advance and protect the profession.
1.1 (ISC)2 code of ethics preamble
1) The safety and welfare of society and the common good, duty to our principals, and to each other require that we adhere, and be seen to adhere, to the highest ethical standards of behavior. 2) Therefore, strict adherence to this Code is a condition of certification.
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements US Federal Information Security Management Act (FISMA)
Acknowledges the importance of information security to US economic and national security interests and requires all US federal agencies, and the nongovernmental organizations that provide information services to these agencies, to conduct risk-based security assessments that align with the RMF.
1.3 Evaluate and apply security governance principles Security control frameworks What are the 18 security control families?
Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Personnel Security (PS), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), System and Information Integrity (SI), Program Management (PM)
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) Administrative?
Actions constrained to those conducted within a single organization (organization performs an administrative investigation on itself). Does not involve third parties, law enforcement, investors, or attackers. Example of Administrative Investigation: IT department contacts security office to report employee misusing internet connection for unauthorized file sharing (Violation of organization policy). Security office lets management know, and management and security gather information about the user's online activity. Personnel in IT and security gather log data about user's account/machine, and present information to management. Management consults legal and HR departments to evaluate courses of action and they decide to terminate the employee.
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements ISC(2) definition of compliance?
Adherence to a mandate including a set of activities that an organization conducts to understand and satisfy all applicable laws, regulatory requirements, industry standards, and contractual agreements.
1.10 Understand and apply risk management concepts Risk Response
After identifying and assessing the organization's threats, vulnerabilities, and risk, you have to figure out the best way to address the risk (risk treatment/response). 4 categories: -Avoid: Stop the activity or technology that is causing the risk in the first place. -Mitigate: Risk reduction/modification; reducing the likelihood of the threat being realized and lessening the impact it would have on the organization. The most common treatment option; involves implementing policies and technologies to reduce the harm the risk might cause (ex- moving from single-factor to MFA). -Transfer: Shift responsibility for the potential loss associated with a risk to a third party (ex- cyber insurance). Also risk sharing: since it is hard to transfer all risk, using cloud-based services or managed security services is a good example because the risk is split between you (the customer) and the third party. -Accept: Accept the risk because treating it would cost more than the expected losses from the realized threat. This should only happen if the risk is within the organization's risk tolerance.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy Safe Harbor
Agreement between the EU and US to reconcile differences between US and EU privacy laws. This was replaced by the EU-US Privacy Shield.
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements SOC - System and Organization Control
An auditing framework that gives organizations the flexibility to be audited based on their own needs. SOC 1 audit, SOC 2 audit, SOC 3 audit. 1- Audit and compliance report that focuses on a company's financial statements and the controls that can impact a customer's financial statements. 2- Audit and compliance report that evaluates an organization based on the AICPA's 5 Trust Services Principles: security, availability, processing integrity, confidentiality, and privacy. 3- Lite version of SOC 2 that removes all sensitive data. This report indicates whether an organization has demonstrated each of the 5 Trust Services Principles without disclosing specifics.
1.10 Understand and apply risk management concepts Continuous improvement (e.g., Risk maturity modeling)
As a CISSP you need to make sure the organization is continuously improving its management of information security risk. Must seek to improve the return on investment (ROI). Risk maturity modeling- a process allowing an organization to assess the strength of its security program and create a plan for continuous improvement based on the results, in order to determine what types of behaviors are necessary to improve.
Develop and document the scope and the plan People, Processes, Technology
BCP is the commitment to the organization maintaining operations of the business and the steps to do so. The plan focuses on people, processes, and technology. Information from BIA activities should be used to document the scope of your business continuity plan. Once your organization completes a Business Impact Assessment, you should have a list of CBFs and an understanding of the threshold and downtime loss for each. People: the most valuable asset. The first goal of any BCP is the safety of people. They are given the resources to continue to work as normally as possible. Processes: the BCP must identify critical supplies and logistics to maintain critical operations and have a process to make sure those resources are continuously available. An essential BCP process ensures that critical data processing facilities/capabilities remain operational during a disaster. Technology: integrate the risk of technology failure. Organizations address this risk with system and data backups. The BCP should establish a protocol for maintaining redundant systems to continue supporting the business during significant negative events.
1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements Business Impact Analysis (BIA) and its steps BCP vs DRP MTD, RTO, RPO
BIA helps an organization identify its essential business functions and understand the impact that a disaster would have on each of those functions. Provides the primary justification for the BCP and its requirements. Helps an organization identify which business functions are more resilient and which are more fragile. 1) Establish the BC project team, scope, and budget. "Develop and Document the Scope and the Plan" 2) Identify Critical Business Functions (CBFs); should be focused on identifying essential functions that are critical to your business operations (whether selling widgets or saving lives) --->for every CBF identified, you must perform a risk analysis to identify any vulnerabilities and mitigate them. BCP- methodology and set of protocols allowing an org to keep key business functions running in the event of a crisis (aka COOP). DRP- set of processes that deal with restoring your information systems/operations securely and efficiently after a disruptive event occurs. DR is a subset of BC whose primary objective is to minimize business downtime. The level of impact of a disaster is determined with -MTD: total length of time a critical business function can be unavailable without causing significant long-term harm to the business. Exceeding the MTD is an unacceptable risk. -RTO: planned time necessary to restore a system to the point where it meets the minimum service expectations of the SO. Max period of time within which a CBF must be restored after a disruption. Must be less than or equal to the MTD. -RPO: represents the measurement of tolerable data loss (as a period of time).
1.3 Evaluate and apply security governance principles Security control frameworks Bottom up vs top down approach?
Bottom Up: Operations staff identify security needs and issues and push those findings to senior management to provide guidance. Top Down: Information security is evangelized by most senior executives in the company which ensures security is prioritized in alignment with the company's business strategy. This approach requires strong governance.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches Council of Europe's Convention of Cybercrime of 2001
Budapest Convention; the first international treaty to address cybercrime, signed by 65 countries. The treaty aims to increase cooperation among nations and establish more consistent national laws relating to preventing and prosecuting cybercrime.
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements PCI DSS 12 requirements?
Build and maintain a Secure Network 1- Install and maintain a firewall configuration to protect cardholder data 2- Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3- Protect stored cardholder data 4- Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5- Use and regularly update anti-virus software or programs 6- Develop and maintain secure systems and applications Implement Strong Access Control Measures 7- Restrict access to cardholder data by business need to know 8- Assign a unique ID to each person with computer access 9- Restrict physical access to cardholder data Regularly Monitor and Test Networks 10- Track and monitor all access to network resources and cardholder data 11- Regularly test security systems and processes Maintain an Information Security Policy 12- Maintain a policy that addresses information security for all personnel
1.3 Evaluate and apply security governance principles Organizational roles and responsibilities CISO CSO Security Analyst Manager/PM Director
CISO: senior level executive responsible for overall management and supervision of the information security program. Drives the security strategy and vision and responsible for the security of the systems and information. CSO: Senior level executive responsible for physical security and personnel security matters. Security Analyst: Someone with technical expertise in one or more security domains doing day to day security work. (Data analysis, FW management, IR handling) PM: Someone who owns one or more processes related to information security. May be owner for compliance, vulnerability management, etc. Director: Generally a manager of managers responsible for overall strategic guidance of a group of security programs.
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) Civil
Civil law governs relations/interactions between private entities. Examples of possible civil actions that a security professional may be involved in: -Your organization is the plaintiff (in addition to any criminal investigation your org may be involved in, this is when someone unauthorized steals your data and you may oversee collection of evidence like logs from penetrated hosts, etc.). -Your organization is the defendant (if a former employee accuses your org of creating a hostile work environment, you may oversee collection of evidence like emails, etc.).
1.3 Evaluate and apply security governance principles Security control frameworks CSF
Collection of standards, guidelines, and best practices to manage cybersecurity risk. Core functions: Identify, Protect, Detect, Respond, Recover.
1.3 Evaluate and apply security governance principles Organizational processes (e.g., acquisitions, divestitures, governance committees) Mergers and acquisitions? Risk factors? What should be performed before a M&A?
Merger: combining of two separate organizations that creates a new, joint organization. Acquisition: takeover of one organization by another. Risk factors: -Absorbing the unknown -Creating new attack vectors -Impacting resources -Disgruntled employees. Before an M&A: *Review security policies and procedures *Review the company's data assets and take note of regulations that may present new requirements for your organization *Review the organization's personnel security policies to identify potential issues/concerns (background checks, etc.) *Identify any proprietary or custom applications managed by the company and request static and dynamic security tests to be run against them *Request results from recent penetration tests and have remediation plans for high findings *Review the organization's use of third-party and open source software to ensure the software is safe
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Transborder data flow ITAR -prohibits -cloud services -Russia and China
Concept focuses on the requirements around restricting certain data to or from specific geographic locations or jurisdictions. ITAR prohibits regulated data from being sent to NK, Syria, and other countries. Some cloud services developed "GovCloud" to support ITAR. Russia -> requires all data collected inside Russia to be stored in Russia. Many companies like Twitter, Google, Apple, etc. have complied. China -> has restrictions to censor data made inside China. Law requires data on Chinese citizens gathered inside China to be kept inside China and not transferred abroad without permission of the Chinese gov.
1.2 CIA triad
Confidentiality: -Limiting access to data to authorized users and systems and restricting access from unauthorized parties. --Least privilege (information access granted on a need-to-know basis) --Privacy (focused on confidentiality of personal data) *Attacks: phishing, social engineering, credential theft, network sniffing, human error (failure to encrypt) *Security controls: encryption, MFA, RBAC Integrity: -Ensures data is not manipulated by anyone other than an authorized party with an authorized purpose. Data remains intact, correct, and reliable. *Attacks: viruses, poorly written code, intentional modification *Security controls: data backups, software version control, strict access control, cryptographic hashes --Authenticity (genuine data) vs non-repudiation (no party can deny an action) Availability: -Authorized users can access data when they need it *Accessibility (ability and ease of a user to use a resource or access data) *Usability (ability of a user to meet their needs with the available data) *Timeliness (time expectation for availability of information and resources; the measure of time between when information is expected and when it is available for use) ex- cloud services and their SLA *Attacks: DoS, object deletion, ransomware *Security controls: data backups, redundant storage, backup power supply, WAFs
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches
Cybercrime: criminal activity that directly involves computers/internet. 3 categories: -Crimes against people -Crimes against property -Crimes against government Data breach: Specific cybercrime where information is accessed or stolen by a cybercriminal without authorization.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches Cybercrime Act of 2001 (Australia)
Defined serious computer offenses such as unauthorized access, modification, and impairment of electronic communications along with penalties.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches US Homeland Security Act of 2002
Dozens of government agencies/offices/services were consolidated under the newly created DHS. A new cabinet-level position, Secretary of Homeland Security, was also created. Title X of the Homeland Security Act identifies several standards, tactics, and controls that should be used to secure US federal gov information.
1.3 Evaluate and apply security governance principles Due care/due diligence Due Care vs Due Diligence
Due Care: Describes the conduct that a reasonable person would exercise in a given situation; reasonable care to protect the interests of your organization. Ex- patching and scanning for security vulnerabilities, enabling security logging, and writing restrictive FW rules to enforce least privilege. Due Diligence: Ongoing execution and monitoring of due care. Ex- reviewing security log output for suspicious activity and conducting pentesting to determine if FW rules are sufficiently restrictive.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context US Computer Fraud and Abuse Act 1986
ECPA enacted by US Congress to extend restrictions on government wiretaps to include computer and network based communications. Prohibits eavesdropping, interception, and unauthorized monitoring of all electronic communications.
1.9 Contribute to and enforce personnel security policies and procedures Compliance policy requirements
Employees may sign that they have reviewed and agree to comply with all company policies and applicable regulations. Employees may complete security awareness training and job-based training, which requires annual recertification.
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements US Sarbanes-Oxley Act of 2002
Enacted to re-establish public trust in publicly traded companies and public accounting firms. Requires companies to implement a wide range of controls intended to minimize conflicts of interest, provide investors with appropriate risk information, place criminal and civil penalties on executives for providing false financial disclosures, and provide protections for whistleblowers who report inappropriate actions to regulators.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches Information Technology Act of 2000 (India)
Established legal recognition of electronic documents and digital signatures, and established definitions and penalties for cybercrimes (data theft, identity theft, child porn, and cyber terrorism)
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches US Controlling the Assault of Non Solicited Pornography and Marketing Act of 2003
Established standards for sending commercial emails in response to a growing number of complaints over spam emails. This law requires companies to allow email recipients to unsubscribe from unwanted emails. CAN-SPAM designated the FTC as responsible for enforcing its provisions.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy Data Protection Act of 1998 (UK)
Established that UK citizens hold the legal right to control their personal information and enforces the privacy of personal data stored on computing systems. This was superseded by the Data Protection Act 2018, which was designed to enforce and supplement the provisions of GDPR.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches US Intelligence Reform and Terrorism Prevention Act of 2004
Established the National Counterterrorism Center (NCTC) and the position of Director of National Intelligence (DNI). Agencies and DHS have to share intelligence information to help prevent terrorist acts against the USA. This act also established the Privacy and Civil Liberties Oversight Board to protect the privacy and civil liberties of US citizens.
1.10 Understand and apply risk management concepts Control assessments (security and privacy)
Examine, interview, test. NIST SP 800-53A, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations", lays out guidelines for conducting security assessments.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context US Economic Espionage Act of 1996
First federal law to broadly define and establish strict penalties for theft or unauthorized use of trade secrets.
1.3 Evaluate and apply security governance principles Security control frameworks ISO/IEC 27001
Focused on the creation and maintenance of an information security management system (ISMS) which is "a systematic approach to managing sensitive company information so that it remains secure". ISMS is a set of people, processes, and technologies that manages the overall security of a company's systems and data.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches US Identity Theft and Assumption Deterrence Act of 1998
Formally established identity theft as a criminal act under US Federal Law: "Knowingly transferring or using without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal Law or that constitutes a felony under applicable State or local law."
1.3 Evaluate and apply security governance principles Security control frameworks COBIT?
Framework from ISACA for overall information technology management and governance. Outlines end-to-end IT governance objectives and processes that encompass many security requirements and concepts.
1.3 Evaluate and apply security governance principles Organizational processes (e.g., acquisitions, divestitures, governance committees) Governance committees?
Group of executives and leaders who regularly meet to set the direction of the company's security function and provide guidance to help the security function align with the company's overall mission and business strategy. (provide oversight for the company's security function while ensuring the security function continues to meet the needs of the organization and stakeholders)
1.9 Contribute to and enforce personnel security policies and procedures Candidate screening and hiring
The hiring manager should work with HR. The job description and responsibilities should be clear. Identify the classification/sensitivity of the role. Have the candidate complete a background check and possibly drug testing.
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) Industry Standards (ISO/IEC 27043 2015, ISO/IEC 27037 2012, NIST SP 800-86, NIST SP 800-101)
ISO/IEC 27043:2015- procedural steps for conducting security incident investigations. ISO/IEC 27037:2012- provides guidelines for handling digital evidence (identification, collection, acquisition, and preservation). NIST SP 800-86- "Guide to Integrating Forensic Techniques into Incident Response" (collection, examination, analysis, and reporting). NIST SP 800-101 Rev1- "Guidelines on Mobile Device Forensics".
1.12 Apply Supply Chain Risk Management (SCRM) concepts Risks associated with hardware, software, and services and an example?
If your organization uses third-party hardware, software, and services, you must consider how that will impact the organization's overall security posture. Ex- if the organization uses a public cloud provider, there may be compliance risks if the CSP stores data outside of your country. *Widespread use of Commercial Off-the-Shelf (COTS) software: proprietary software that requires the customer to trust the security practices of the vendor.
1.10 Understand and apply risk management concepts Monitoring and measurement
In addition to quarterly and annual security and privacy control assessments, you should monitor your controls to measure their effectiveness and assess the health of the security program. Should develop a set of Key Performance Indicators (KPIs) to quantify and measure the long-term performance of controls.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy US Health Insurance Portability and Accountability Act of 1996
Individuals' PHI is permitted to be used strictly for the purposes of performing and billing for healthcare services and must be protected against improper disclosure or use. Covered entities: -Health plans -Healthcare providers -Healthcare clearinghouses
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements Jurisdiction?
Legal concept that establishes the official power to make legal decisions and judgements. In most jurisdictions, laws define what is permissible.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches Computer Misuse Act 1990 (UK)
Introduces 5 offenses: -Unauthorized access to computer material -Unauthorized access with intent to commit/facilitate commission of further offenses -Unauthorized access with intent to impair, or with recklessness as to impairing, operation of a computer -Unauthorized acts causing, or creating risk of, serious damage -Making/supplying/obtaining articles for use in other offenses
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) Criminal
Jurisdiction must first be established (the legal authority of a governmental body like a court or enforcement agency over a specific matter). Next, law enforcement tries to understand what happened, the damage, etc. Law enforcement begins to understand who the potential suspects are and what evidence is available (the investigator begins to narrow focus to specific laws and statutes). Typically criminal courts have the highest legal standard for determining liability and guilt, referred to as "beyond a reasonable doubt": the evidence shows the accused caused the harm with an overwhelming majority of evidence showing the defendant is guilty, leaving the court with no other rational conclusion. The criminal investigator collects evidence until the elements can be proven or it's clear they can't be proven, using digital forensics, etc. Law enforcement may have to get a court order allowing the gov to access property, devices, etc. owned by private entities (warrants, subpoenas).
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Licensing and Intellectual Property (IP) requirements Licensing? Patents? Trademarks? Copyrights? Trade secrets?
Licensing: Legal protections over intellectual property that allow creators and inventors to profit from their work. Patents: Government-issued license or grant of property rights to an inventor that prohibits another party from making/using/importing/selling the invention for a set period of time. Trademark: "Word, phrase, symbol, design that identifies and distinguishes the source of goods of one party from those of others". Trademarks do not expire. Service mark- identifies and distinguishes the source of a service rather than goods. Copyrights: Legal protection granted to authors of "original works of authorship" that include books, movies, poetry, artistic works, and computer software. Protects for the life of the author plus 70 years. Trade Secrets: Proprietary formula, process, practice, or combination that a company has exclusive rights to (ex- Coca-Cola, because the recipe provides economic value to the company).
1.13 Establish and maintain a security awareness, education, and training program Program effectiveness evaluation
Methods to evaluate effectiveness of your security awareness program: -Training methods -Quizzes -Security awareness days or weeks -Inherent evaluation
1.3 Evaluate and apply security governance principles -Alignment of the security function to business strategy, goals, mission, and objectives Mission statement? Business strategy? goal in business (SMART)? Objective?
Mission statement: declaration that defines a company's function and purpose; summarizes what the company is, what it does, and why it exists to do those things. -What will be achieved Business strategy: describes the actions the company takes to achieve its goals and objectives -How the mission will be accomplished Goal: something the organization expects to achieve or accomplish -Specific, Measurable, Achievable, Relevant, Time Bound Objective: Milestone or specific step that contributes to an organization reaching its goals and achieving its mission (incremental steps towards broader goals)
1.9 Contribute to and enforce personnel security policies and procedures Employment agreements and policies
NDA- agreement that restricts an employee/contractor from disclosing sensitive information in order to protect the confidentiality of the data; often a lifetime agreement. Non-compete agreement- restricts an employee/contractor from directly competing with the organization during employment and for a fixed time period after. Employees may also have to sign AUPs, a code of conduct, etc.
1.9 Contribute to and enforce personnel security policies and procedures Vendor, consultant, and contractor agreements and controls
NDAs and policies help establish expectations with third parties and lead to additional compliance burdens on the organization, which must enforce them. They help prevent sensitive information exposure.
1.3 Evaluate and apply security governance principles Organizational processes (e.g., acquisitions, divestitures, governance committees) Divestiture? What are the actions to take prior?
Occurs when management decides a certain part of the business doesn't align with the company's business strategy or mission. The act of selling off/disposing of a subset of business interests or assets. Actions to take: *Identify and categorize all assets that are involved in the divestiture (hardware, software); create a complete inventory. *Decouple impacted systems from your remaining infrastructure (they must be removed from common infrastructure and spun out for the new org to own). *Review all access permissions (revoke unnecessary permissions). *Consult legal and compliance teams to ensure you follow required regulatory and compliance requirements around data retention/deletion, etc.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy US Federal Privacy Act of 1974
Purpose is to balance the government's need to maintain information about citizens and permanent residents with the rights of those individuals to keep their information private.
1.9 Contribute to and enforce personnel security policies and procedures Onboarding, transfers, and termination processes
Onboarding- setting good work behavior expectations for employees to learn (ex- the process to report incidents, their role in maintaining security in their work area, etc.). Transfers- Organization should have well defined processes/procedures for handling an employee transferring from one role to another. When granting access, enforce the principle of least privilege. Termination- Organization should have well structured offboarding processes. Organization should have strong data security processes and well developed insider threat programs. User and Entity Behavior Analytics (UEBA) can help detect a disgruntled employee.
1.10 Understand and apply risk management concepts Countermeasure selection and implementation 3 categories (personnel, process, and technology) When selecting countermeasure, consider security effectiveness, cost effectiveness, and operational impact.
Personnel related: Hiring/firing, restructuring, awareness training. Process related: Policy, procedures, etc. mitigations. Ex- Implementing separation of duties. Technology related: Modifying configuration settings, and hardware/software changes. Security effectiveness- Make sure it will directly address a risk identified in the risk analysis process. Consider the security risks one wants to prevent, detect, or correct and identify countermeasures to target the risks. Ex- if you are concerned about availability risks, maybe use resources for redundancy. Cost Effectiveness- Cost benefit analysis using ALE. Operational Impact- Understand the organization's culture and strategy to determine the countermeasures' operational impact. Ex- orgs may require use of third party email encryption platforms to send sensitive info, and some may not be user friendly, so people may accidentally send emails in the clear.
1.10 Understand and apply risk management concepts Identify threats and vulnerabilities
RM is the process associated with identifying threats and vulnerabilities and quantifying and addressing the risk associated with those threats and vulnerabilities. Risk- potential for negative impact on an organization, its goals/objectives, or assets, due to a threat exploiting a vulnerability. Threat- Negative event that can lead to an undesired outcome such as damage or loss of an asset. A threat is posed by a threat actor, who is a person capable of intentionally/accidentally compromising an asset's security. Vulnerability- weakness/gap that exists within a system that may be exploited by a threat actor to compromise an asset's security or trigger a risk event. Asset- Anything of value (people, property, information). Assets are the things we are trying to protect. Property assets include servers and intangible things like software code or intellectual property.
1.7 Develop, document, and implement security policy, standards, procedures, and guidelines Policies? Standards Procedures? Guidelines?
Policies: Formal set of statements that establish a system of principles to guide decisions and actions. A security policy is a set of statements that identifies the principles/rules that govern an organization's protection of information systems and data. Ex- AUP, ACP, CMP, remote access policy, disaster recovery policy. Standards: Specific and granular requirements that give direction to support broader, higher level policies. Standards may be mandatory for an organization. Ex- FIPS for US gov agencies. ***Baselines- minimum level of security for a system/network/device. A security baseline is the minimum set of security controls necessary to safeguard the CIA. Scoping defines the range of deviation from the baseline that is acceptable for a particular baseline. Procedures: Detailed step by step guide to achieve a particular goal/requirement. It tells you 'how' to meet your standards and baselines. Ex- Vulnerability scanning procedures, backup and restore procedures, account provisioning procedures, patch management procedures. Guidelines: Recommendation rather than mandatory. Flexible suggestions for meeting the intent of the policy or recommendations to implement the requirements in standards and baselines.
1.4 Determine compliance and other requirements Privacy requirements Privacy Requirements?
Privacy entails limiting access to personal information to authorized parties for authorized uses; in essence, privacy is maintaining the confidentiality of personal information.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy US Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
Promotes the expanded use of electronic health records (EHR), which increased security and privacy risks. Imposed tougher penalties for HIPAA violations and introduced a new HIPAA Breach Notification Rule (must disclose a breach of unsecured protected health information to affected parties within 60 days of breach discovery). The Breach Notification Rule also requires entities to report breaches affecting 500 or more people to US DHS.
1.4 Determine compliance and other requirements Contractual, legal, industry standards, and regulatory requirements Payment Card Industry Data Security Standard (PCI DSS)
Proprietary security standard from 2004. Establishes technical and operational requirements for merchants and service providers that accept or process cardholder data and/or sensitive authentication data, as well as for software developers and manufacturers of the applications and devices used in payment card transactions. Not a legal requirement; it is a contractual requirement.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy Data Protection Directive (EU)
Regulated the processing of personal data of EU citizens (but superseded by GDPR). This was the first major privacy law in the European Union and is considered the foundational privacy regulation in all of Europe.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Import/export controls
The regulation that establishes import/export controls is the US International Traffic in Arms Regulations (ITAR). Includes satellites, aircraft, spacecraft, and even sending an email containing ITAR controlled data (like a blueprint or 3D design file).
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) Regulatory
Regulatory investigations involve determining whether an organization is compliant with a given regulation or legal requirement. Regulations are written under the auspices of protecting the average citizen/consumer, protecting the environment, or making an industry safer/more equitable. Regulations have the force of law; the burden of proof for regulatory investigations is the preponderance of the evidence, and outcomes involve fines/penalties.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy US Gramm-Leach-Bliley Act (GLBA) of 1999
Requires financial institutions to safeguard their customers' PII. Requires organizations to implement proper security controls to protect their customers' personal data.
1.10 Understand and apply risk management concepts Risk assessment/analysis
Risk assessment- Set of activities that involve identifying the threats and vulnerabilities that exist and determining the impact and likelihood of those threats exploiting the identified vulnerabilities. Risk Identification- First step in risk assessment; identify your assets and determine their value (classify the sensitivities, find the assets that need protection, and identify and describe the vulnerabilities and threats that pose a risk to each asset). Risk Analysis- This stage of the RA is focused on likelihood (identified by evaluating each threat and assessing the probability that the threat might exploit a vulnerability) and impact (establish the value associated with each potentially affected asset and determine how that value would be destroyed). Asset value can be quantitative or qualitative (relative importance to your organization). --> two formulas for risk analysis: SLE- Monetary loss you would expect from a single adverse event. How much you would lose from one occurrence of a single adverse event. Multiply AV by EF (EF is the percentage of loss to an asset if a threat is realized). ARO is the estimated annual frequency of occurrence for a given adverse event. The number of times you expect a risk event to occur annually. Risk Evaluation- In this stage, you compare the results of your risk analysis to the established risk profile/risk tolerance (how much risk is your organization willing to take on).
1.10 Understand and apply risk management concepts Reporting
SCAs create formal reports to detail findings for each control assessed. Security program reports: -Internal and external audits -Significant changes to organization's risk posture -Significant changes to security or privacy controls -Suspected or confirmed security breaches
1.9 Contribute to and enforce personnel security policies and procedures Privacy policy requirements
Should be available to everyone. This explains what kind of personal data is collected, how your organization will/won't use it, and how the personal data will be stored, maintained, and secured.
1.3 Evaluate and apply security governance principles Security control frameworks Security Controls
Technical, operational, or management safeguard used to prevent, detect, minimize or counteract security threats. This maintains the CIA of the company's assets. ISC(2) definition: "notional construct outlining the organization's approach to security including a list of specific security processes, procedures, and solutions used by the organization" *technical- FW, DLP, IDS/IPS *operational- safeguards primarily implemented and executed by people (security guards) *management- aka administrative; policies, procedures, etc that manage the information security risk.
1.12 Apply Supply Chain Risk Management (SCRM) concepts Service level requirements (SLAs etc)
SLA: Contractual agreement between a service provider and customers establishing minimum performance standards that the provider is obligated to meet. The customer can use it to hold the third party accountable. Ex- If you have an SLA with a cloud provider that commits to a certain level of uptime/availability, in the event of an outage you may be entitled to financial compensation or the right to terminate services. Frameworks that explicitly address supply chain risk exist but are still evolving. NIST IR 7622: "Notional Supply Chain Risk Management Practices for Federal Information Systems". This documents 10 practices that should be taken into account when addressing SC risk: *Uniquely identify supply chain elements, processes, and actors *Limit access and exposure within the supply chain *Establish and maintain the provenance of elements, processes, tools, and data *Share information within strict limits *Perform supply chain risk management awareness and training *Use defensive design for systems, elements, and processes *Strengthen delivery mechanisms *Assure sustainment activities and processes *Manage disposal and final disposition activities throughout the system or element lifecycle. Committee on National Security Systems Directive 505- "Supply Chain Risk Management" addresses security requirements for strategic national systems, and Comprehensive National Cybersecurity Initiative No 11 provides tools to agencies to manage the cyber supply chain with a risk driven approach. ISO 28000:2007- "Specification for security management systems for the supply chain" is a framework for managing supply chain risk. This is useful for organizations that leverage other ISO standards like ISO 9001 or 27001 and that seek a standardized risk based approach to evaluating supply chain risk. UK National Cybersecurity Centre (NCSC)- Helps organizations establish and maintain effective control of the supply chain.
The 12 supply chain principles are divided into the stages: -Understand the risks (Identifying vendors in supply chain and establishing what needs to be protected and why) -Establish control (minimum security requirements and communicating security expectation to supplier) -Check your arrangements (audits, KPIs, testing/validation) -Continuous Improvement (build trust with your suppliers)
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy EU-US Privacy Shield
Second attempt by the EU and US to agree upon principles to mutually regulate the exchange of personal data between the two jurisdictions. Both Safe Harbor and the EU-US Privacy Shield were later declared invalid by the courts.
1.13 Establish and maintain a security awareness, education, and training program Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
Security Awareness Program- formal program to train users about potential threats to an organization's information and systems. Social Engineering: Human manipulation that involves an attacker pretending to be someone else to retrieve sensitive data. Ex- Phishing (conducted over email). Security Champions: Liaison between the organization's security team and the rest of the company. They are tasked with raising security awareness; an advocate of security best practices for employees. Gamification: Use of game techniques in nongame applications to engage and educate an audience.
1.10 Understand and apply risk management concepts Applicable types of controls (e.g., preventive, detective, corrective) 5 major types of controls
Security control- safeguard to positively impact security. Automatic or manual. Technical, operational (day to day operations like security guards, etc.) or management (policies, etc.). Preventative- Designed to keep adverse security events from occurring. Ex- software apps have input validation to avoid invalid inputs, system backups, security awareness training. Detective- Identify a negative security event in progress or shortly after. Ex- door alarms, IDS, security guards. Corrective- Minimize and repair damages. Ex- Software patches, configuration file modifications, and new policies targeting the cause of the incident. Recovery- Complements corrective controls to get the system back to normal quickly. Ex- Data and system backups and disaster recovery sites. Deterrent- Designed to discourage attackers, making them think twice. Ex- wire fences, security guards, and guard dogs.
1.3 Evaluate and apply security governance principles -Alignment of the security function to business strategy, goals, mission, and objectives Security governance? Applying security governance principles?
Set of responsibilities, policies, and procedures related to defining, managing, and overseeing security practices at an organization. Applying security governance principles involves: -Aligning organization's security function to company's business strategy, goals, mission, and objectives -Defining and managing organizational processes that require security involvement or oversight -Developing security roles and responsibilities throughout the organization -Identifying one or more security control frameworks to align your organization with -Conducting due diligence and due care activities on an ongoing basis
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Cybercrimes and data breaches US Patriot Act of 2001 and the following sections: -Section 202 -Section 209 -Section 210 -Section 212 -Section 214 -Section 217 -Section 220 -Section 808 -Section 814 -Section 815 -Section 816
Signed in 2001 in response to the terrorist attacks that took place. Attempts to strengthen provisions in the CFAA and ECPA to give law enforcement further authority to protect the United States against terrorist attacks. -Section 202- Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses (amends CFAA) -Section 209- Seizure of voicemail messages pursuant to warrants -Section 210- Scope of subpoenas for records of electronic communications -Section 212- Emergency disclosure of electronic communications to protect life and limb -Section 214- Pen register and trap and trace authority under FISA (a pen register shows outgoing calls from a phone, and a trap and trace device shows the incoming numbers that called a phone) -Section 217- Interception of computer trespasser communications -Section 220- Nationwide service of search warrants for electronic evidence -Section 808- Definition of federal crime of terrorism -Section 814- Deterrence and prevention of cyber terrorism -Section 815- Additional defense to civil actions relating to preserving records in response to government requests -Section 816- Development and support for cybersecurity forensic capabilities
1.10 Understand and apply risk management concepts Risk frameworks
Structured process for identifying, assessing, and managing an organization's risk. To effectively address risk, the standard processes to evaluate risks of information systems should take into account changing threat environments, potential and actual vulnerabilities of systems, the likelihood that the risk will occur, and the impact realized. The controls environment should be: -Consistent -Measurable -Standardized -Comprehensive -Modular (the framework should withstand changes in an organization) *ISO - ISO 31000 series of standards identifies principles for general RM and guidelines for implementation. -->ISO 31000:2018 has a set of eight principles to drive the development of the risk framework: -Customized -Inclusive -Comprehensive -Integrated -Dynamic -Best available information -Human and cultural factors -Continual improvement *ISO 31004 is "Risk Management: Guidance for the implementation of ISO 31000" *ISO 27005:2011 is "Information Technology- Security techniques- Information Security Risk Management". This does not provide a risk assessment process but rather the inputs to and outputs from the risk assessment process. Emphasizes the need for communication with stakeholders and for the processes to be continuously monitored for risk environment changes. *NIST provides direction to US government agencies in implementing information security practices. NIST 800 37 "Guide for Applying the Risk Management Framework to Federal Information Systems" is a six step process through which the federal government manages risk: Categorize, Select, Implement, Assess, Authorize, Monitor. *ISACA developed COBIT (Control Objectives for Information and Related Technology), divided into either Governance of Enterprise IT (5 processes) or Management of Enterprise IT (32 processes). *RiskIT framework's 3 domains: risk governance, risk evaluation, and risk response, each of which has processes. The framework provides a structure for the identification, evaluation, and monitoring of information technology risk.
1.13 Establish and maintain a security awareness, education, and training program Periodic content reviews
The content within the security awareness training should be reviewed and updated constantly to ensure the training materials reflect current trends, concepts, and concerns. Security awareness training should be "live".
1.11 Understand and apply threat modeling concepts and methodologies Threat Modeling? -Attacker Centric -Asset Centric -Software Centric Threat Modeling Methodologies? -STRIDE -PASTA -DREAD *NIST 800 154
Threat Modeling: Technique by which you can identify potential threats to your systems and applications and identify countermeasures. The attack surface is the area where an attacker can potentially execute a compromise (access controls, weaknesses in the underlying architecture, methods of communication). Attacker Centric: Identify the various actors who can potentially cause harm to your system. Profile potential attackers' characteristics, skillset, and motivation. Asset Centric: Identifies the assets first. Assets should be characterized by their value to the organization as well as their value to potential attackers. Consider how each asset is managed, manipulated, used, and stored, and how an attacker might compromise it. Software Centric: System is represented as a set of interconnected processes, using architecture diagrams such as dataflow diagrams (DFDs) or component diagrams. Diagrams are evaluated by threat analysts to identify potential attacks and determine whether a security control is needed. STRIDE: -Spoofing: attack that assumes the identity of another party. -Tampering -Repudiation: Ability of a party to deny they are responsible for their action. -Information Disclosure: Information is shared with an unauthorized party -DoS: availability attack that denies access to resources to legitimate users.
-Elevation of Privilege: an unprivileged user is able to raise their privileges to a higher level, like a system admin (need strong access control). PASTA: -Process for Attack Simulation and Threat Analysis *Define Objectives *Define Technical Scope *Application Decomposition *Threat Analysis *Vulnerability Analysis *Attack Enumeration *Risk and Impact Analysis. NIST 800 154: "Guide to Data Centric System Threat Modeling" has four major steps for data centric threat modeling: 1) identify and characterize the system and data of interest 2) identify and select the attack vectors to be included in the model 3) characterize the security controls for mitigating the attack vectors 4) analyze the threat model. DREAD is used for quantitative risk rating of security threats across 5 categories: -Damage -Reproducibility -Exploitability -Affected users -Discoverability. Other models: -OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is an approach to managing information security risks developed at the Software Engineering Institute -Trike (an open source threat modeling approach that focuses on using threat models as a risk management tool) -CORAS (Construct A Platform for Risk Analysis of Security Critical Systems), an open source European project using Unified Modeling Language (UML) as a front end for visualizing threats -VAST (Visual, Agile, and Simple Threat Modeling) is a proprietary approach that leverages Agile concepts.
1.12 Apply Supply Chain Risk Management (SCRM) concepts Minimum security requirements
To minimize supply chain risk, controls need to be applied to verify the security practices of all involved parties. Governance and oversight activities should include onsite security surveys, formal security audits of 3rd party systems, and pentesting.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy US Children's Online Privacy Protection Act (COPPA) of 1998
To protect the privacy of children under the age of 13, the law sets requirements for seeking parental consent and establishes restrictions on marketing to children under 13.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context US Child Pornography Prevention Act of 1996
To restrict and punish the production and distribution of child pornography on the internet.
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context Privacy General Data Protection Regulation (GDPR) /EU Article 5 (7 principles for processing personal data) Article 17 Chapter 4 Article 25 Article 33
World's strongest data privacy law. Regulation that requires organizations around the world to protect the privacy of EU citizens. Companies that do business with EU customers must rethink their approach to data security and privacy. 7 principles: -Lawfulness, fairness, and transparency -Purpose limitation -Data minimization -Accuracy -Storage limitation -Integrity and confidentiality -Accountability. Article 17- Person's right to be forgotten/data deleted. Chapter 4- several articles that establish requirements related to the data controller and processor and require that the data processor (org that stores/processes PII on behalf of the data controller) prioritize privacy and security. Article 25- requires data protection by design and by default (huge directive that codifies what security professionals have recommended for years). Article 33- Establishes rules that require data controllers to notify the proper authorities within 72 hours of becoming aware of a personal data breach.