2. https://hemantpatkar.gumroad.com/l/cisspdomain1
https://www.linkedin.com/in/hemantpatkar/
OBJECTIVE
ISC2 CODE OF ETHICS
SECURITY CONCEPTS
GOVERNANCE, RISK AND COMPLIANCE (GRC)
BUDGET (FUNDING)
ORGANIZATION STRUCTURE / PROCESS
REPORTING MODEL
CONTROL FRAMEWORK
LIABILITY
COMPLIANCE
REGULATION SUMMARY
INTELLECTUAL PROPERTY (IP) PROTECTION
EXPORT/IMPORT RESTRICTION
DRM (DIGITAL RIGHTS MANAGEMENT)
SECURITY POLICY, STANDARDS, PROCEDURES AND GUIDELINES
PERSONAL SECURITY POLICIES
SECURITY EDUCATION, TRAINING AND AWARENESS
RISK MANAGEMENT
UNDERSTAND AND APPLY RISK MANAGEMENT
QUALITATIVE RISK ASSESSMENT
QUANTITATIVE RISK ASSESSMENT
RISK RESPONSE
ACCESS CONTROLS
VAPT
THREAT MODELLING (STRIDE,NIST and PASTA)
BCP / DR
ISC2 CODE OF ETHICS
(Understand, adhere to, and promote professional ethics)
A) ISC2 Code of Professional Ethics
B) Organizational Code of Ethics
Note: the ISC2 Code of Professional Ethics supports the organizational code of ethics.
An ISC2 member is expected to do the following (remember with PAPA):
1. Protect society, the common good, necessary public trust
and confidence, and the infrastructure.
2. Act honourably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
SECURITY CONCEPTS
CONFIDENTIALITY (opposite: Disclosure) — Only authorised entities
have access to the data, resources, and objects. A lock on a safe provides
confidentiality. Secrecy is maintained.
Controls: Least privilege, Need to know, Access control and
Encryption.
Example: Reputed banks maintain confidentiality by NOT
disclosing customer data.
Common attacks: Social engineering, Monitoring and
Eavesdropping, Theft and Burglary.
INTEGRITY (opposite: Alteration) — Protects data from unauthorized changes,
preserving accuracy and completeness. It matters most for financial services data.
To verify that data is accurate, a HASH function is used to confirm the data has not changed.
Controls: Hash, Checksum, Dual control, and Digital Signature.
Example: Ordering sealed food from Uber Eats or Just eat.
Common attacks: Software bugs, Data modification, Malicious
code.
AVAILABILITY (opposite: Destruction) — Data should be available to
authorised users whenever required.
Controls: RAID, Load Balancer, Backups, HA, and Remote site.
Example: Content Delivery Network such as Netflix, Amazon
Prime.
Common attacks: Natural disaster, DDoS, and Physical attacks.
Security Governance
Executive management, comprising the Board of Directors, is in
charge and establishes a direction to guide strategy and policy.
It provides resources to security initiatives and includes security
guidelines or practices that lower risk to a manageable degree.
Note: Security is a Non-Functional Requirement because it is a Process.
Good Governance requirements
1. To support organizational goals, IT/security strategy
should be aligned with business strategy.
2. Control and reduce risk to a reasonable level.
3. Describe and control resources.
4. Analyse performance indicators in relation to
organizational goals.
5. Value delivery through information security investments
that are optimized and support organizational goals.
-> Security should exist to support the Mission, Vision, and Business
objectives of the organization.
-> Senior leadership should give its support.
-> Integrate risk management across all processes.
-> Infosec management validates that appropriate policies,
procedures, standards, and guidelines are implemented to
ensure business operations are conducted at an acceptable level.
REPORTING MODEL
The CISO should report as high as possible in the organization in order to:
1. Maintain visibility of the importance of Infosec.
2. Limit disturbance or inaccurate translation of the message.
Different reporting models for the Security Officer (CISO):
1. To CEO -> Best
2. To CIO/CTO (IT Department) -> 2nd Best
3. To COO (Admin/HR) -> 3rd Best
4. To Insurance and risk department.
5. To Internal audit department -> Does not take any
department under it due to Conflict of Interest.
6. To Legal department -> Limited to some legal
aspects.
LIABILITY
DUE CARE (DC) — (Corrective Control) -> Duty (Action)
The level of care that a prudent person would have used in the same
or similar circumstances is known as "Due Care." It is what the
company owes the client.
Action taken by an organization to protect its
stakeholders, investors, employees and customers from
harm.
DUE DILIGENCE (DD) — (Detective Control) -> Verify
(Checks)
Before entering into a contract, it is customarily necessary to
perform Due Diligence on a company or individual. Any action
carried out to show or provide appropriate care.
The act of Investigation, Verification and Gap Assessment.
Example
DUE CARE — Collecting data / Implementing a patch (Always 1st)
DUE DILIGENCE — Verifying data / Verifying the patch (After DC)
COMPLIANCE
The act of faithfully following an external mandate.
Law = To protect the interests of individuals.
Regulations = To control industries (Bank of England, RBI,
Federal Reserve Bank, DFSA, SEBI).
Privacy = Individual while Secrecy = Organization
REGULATION SUMMARY
1. PCI-DSS (Payment Card Industry Data Security
Standard) — Protecting against credit card theft / fraud
(It's a STANDARD)
American Express, Discover Financial Services, JCB International,
MasterCard, and Visa Inc. founded the Payment Card Industry
Security Standards Council with the intention of supervising the
continued development of the Payment Card Industry Data Security
Standard.
2. HIPAA (Health Insurance Portability and Accountability Act) —
Health Care Data Privacy.
It's a high trust framework and applicable to covered entities.
3. GLBA (Gramm-Leach-Bliley Act) — (For
Consumer/Individual) (It's a STANDARD)
Individual financial data
4. SOX (Sarbanes–Oxley Act) — (For Corporate /
Enterprise integrity)
Fraudulent accounting to safeguard investors
5. Privacy Shield — It is a treaty between EU and US for
data.
INTELLECTUAL PROPERTY (IP) PROTECTION
Industrial — Invention, Trademark, Industrial design
Copyright — Literary works, Art work.
COPYRIGHT — 70 years after Death, 95 years after
Publication and 120 years after Creation
Copyright protects the expression of an idea rather than the concept itself;
for music, the expression of a feeling such as being hurt or loved.
E.g. — Creating music or a song in a particular way is Copyright.
TRADE SECRETS
Provide the company with the same type of competitive value or
advantage.
E.g. — The recipe of a major soft-drink brand, McDonald's or KFC.
EXPORT/IMPORT RESTRICTION
Export Restriction:
Wassenaar Arrangement: This limits the development of military
capabilities that can endanger the security and stability of the area
and the world.
Import Restrictions:
Law: Governs the import of commodities, data, etc.
DRM (Digital Rights Management)
This solution regulates the transfer of intellectual property. DRM is
frequently combined with DLP (Data Leak Prevention).
Data in Transit — Yes
Data in Use — Yes
Data at Rest — No
DRM’s primary function is to safeguard IP.
E.g.: Netflix and its controls
PERSONAL SECURITY POLICIES
1. Employee screening — Job descriptions, reference checks,
examinations of credentials (education and certifications),
and background checks.
2. Vendor consultation and contractor controls.
3. Employee agreement and policies — Code of conduct, gift
handling, ethics statement, non-disclosure, non-compete
(cannot work for competitor), and acceptable use.
4. Employee Termination policies.
5. Privacy.
Separation of Duties (SoD)
This is the main control to AVOID fraud, since it prevents one
individual from being able to complete all steps of a procedure.
Person1 -> Creates Purchase Order
Person2 -> Signs Cheque
Person3 -> Authorizes and Passes
Mandatory Vacations
This is primarily to DETECT fraud.
Job Rotations (People movement)
This is to PREVENT fraud; it decreases the likelihood of
collusion between people.
Termination
1. Lock user account.
2. Recover property (Laptop, Desktop etc).
3. Exit interview.
4. Review NDA.
Onboarding
1. Review contract terms and Job description.
2. Sign NDA.
3. Training.
4. Process and Policies awareness.
ESTABLISH AND MANAGE SECURITY EDUCATION,
TRAINING AND AWARENESS
Policy — Specify what to do.
Education — Modify Career. ( Formal Class — Long Term)
Training — Upgrade/Boost skills. (Semi Formal — Mid Term)
Awareness — Alter behaviours. (Information — Short Term)
CORE AREAS
Program effectiveness evaluation depends upon:
1. Participant testing.
2. Penetration testing.
3. Log review.
UNDERSTAND AND APPLY RISK MANAGEMENT
Risk — It is the end result of the functions of threat, vulnerability,
event likelihood, and probable organizational effects of an event.
Threat — Action (Malicious actors)
Vulnerability — A flaw / Weakness
Impact — Potential harm
Risk (Event to occur) = Vulnerability(Exposure) + Threat
source (Intentional / Unintentional)
RISK = IMPACT x LIKELIHOOD x THREAT
(Likelihood and impact are the by-products that determine risk)
LIKELIHOOD DETERMINATION
Determine the likelihood that each threat can exploit a
vulnerability.
Determine how the value of the affected asset will be eliminated.
Definitions of impact to an organization often include loss of:
1. Life
2. Dollar $$
3. Prestige
4. Market share
Threats and Vulnerabilities
Natural, Criminal, Software, Physical, Personal, User Error (Unskilled worker)
QUALITATIVE RISK ASSESSMENT (Low, Med, High)
Organizations use qualitative risk assessment in 70–80% of
cases. The best example is an internal audit.
Conditions for Qualitative Risk Assessment
1. A lack of competence among risk assessors.
2. There is not much time to finish the risk assessment.
3. Insufficient or limited data available.
4. Available assessors are seasoned workers with extensive
knowledge of crucial business and IT systems.
QUANTITATIVE RISK ASSESSMENT ($$)
Consider a virus attack on a database server hosting
critical data.
1. Asset Value (AV) of the database server = $1000
2. Exposure Factor (EF) for the threat, i.e. virus attack = 70% of
server data lost
3. Single Loss Expectancy (SLE) = AV x EF = $1000 x 70% = $700
4. Annualized Rate of Occurrence (ARO) = 4 times a year
5. Annual Loss Expectancy (ALE) = SLE x ARO = $700 x 4 = $2800
Always base decisions on ALE, not SLE.
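The calculation above, as an added example that is not part of the original notes: it reproduces the virus scenario, adds a constructed second threat to show why ranking by ALE differs from ranking by SLE, and adds a hypothetical cost/benefit check for a proposed control (the safeguard-value formula and the $300/year control cost are assumptions, not from the notes).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of asset value lost per event (0..1)
    aro: float               # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def rank_by_sle(threats):
    """Threat names ordered by single-event loss, largest first."""
    return [t.name for t in sorted(threats, key=lambda t: t.sle(), reverse=True)]


def rank_by_ale(threats):
    """Threat names ordered by annual loss, largest first (the basis for decisions)."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale(), reverse=True)]


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Assumed cost/benefit rule: ALE before - ALE after - annual cost of the control.
    A positive result means the control saves more than it costs per year."""
    return ale_before - ale_after - annual_cost


# Constructed inputs: the notes' virus scenario plus a hypothetical rare-but-total loss.
VIRUS = Threat("Virus on DB server", 1000, 0.70, 4)
FIRE = Threat("Fire in server room", 1000, 1.00, 0.1)

# Hypothetical control: antivirus that cuts the virus ARO from 4 to 1 for $300/year.
VIRUS_WITH_AV = Threat(VIRUS.name, VIRUS.asset_value, VIRUS.exposure_factor, 1)

if __name__ == "__main__":
    for t in (VIRUS, FIRE):
        print(f"{t.name}: SLE=${t.sle():.0f}  ALE=${t.ale():.0f}")
    print("Ranked by SLE:", rank_by_sle([VIRUS, FIRE]))   # fire first
    print("Ranked by ALE:", rank_by_ale([VIRUS, FIRE]))   # virus first
    print("Antivirus value/yr:", safeguard_value(VIRUS.ale(), VIRUS_WITH_AV.ale(), 300))
```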
RISK RESPONSE
CONSIDERATION FOR SELECTION OF CONTROLS
1. Strong business justification for security measures, i.e.
cost-effectiveness.
2. Cost-benefit evaluation.
3. Return on security investment.
4. Risk assessment team must evaluate the security controls
functionality and effectiveness.
5. You must take operational impact, cost
effectiveness, and security effectiveness into
account while choosing countermeasures.
THREAT MODELLING (STRIDE,NIST and PASTA)
Scope — Network, System, Application and Data.
1. Identify threat agents and threats.
2. Understand current controls.
3. Identify exploitable vulnerabilities.
4. Prioritize identified risks.
5. Identify controls to reduce risks to acceptable levels.
Threat modelling is done at the design stage, before the build.
STRIDE (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, and
Elevation of Privilege) — Developed by Microsoft
Microsoft’s STRIDE methodology seeks to guarantee that an application satisfies the
security standards of Confidentiality, Integrity, and Availability (CIA) in addition to
Authorization, Authentication, and Non-Repudiation.
NIST (National Institute of Standards and Technology)
PASTA (Process for Attack Simulation and Threat Analysis)
PASTA threat modelling combines an attacker's perspective of a
business with risk and impact analysis to create a complete picture
of the threats to products and applications and their vulnerability to
attack, and informs decisions about risk and priorities for fixes.
RISK MANAGEMENT METHODOLOGIES
1. Governance review — Process, Certifications.
2. Site security reviews — Client visit.
3. Formal security audit — End to end audit.
4. Penetration testing — Planning to use product/cloud
platform.
REGULAR 3RD PARTY ASSESSMENT
1. On-site assessment.
2. Document exchange and review.
3. Process / Policy review.
SLA vs ASSURANCE vs SLR
Service Level Requirement (SLR)
Service Level Agreement (SLA)
BUSINESS CONTINUITY PLANNING (BCP) AND
DISASTER RECOVERY (DR)
BCP (Business Continuity Plan) — For Business
The documentation of predetermined set of instructions or
procedures that describes how a company’s business operations will
continue to function in the event of a major disruption.
DR (Disaster Recovery) — For System / IT Infrastructure
A defined strategy for recovering one or more information systems
at a different location in the event of a significant hardware or
software failure.
BIA — (Business Impact Analysis)
Steps to follow when there is any change in business applications:
1. Develop contingency policy.
2. Conduct BIA.
3. Identify preventive controls.
4. Create contingency strategies.
5. Develop contingency plan.
6. Plan, Testing, Training and Exercise.
7. Plan maintenance.
MTD — Max Tolerable Downtime (Acceptable downtime agreed with customer
without significant harm to business)
RTO — Recovery Time Objective (Time to restore services e.g. from Secondary DC)
RPO — Recovery Point Objective (Acceptable Data Loss). This only deals with Data
and its Backup.
WRT — Work Recovery Time (Back to Primary DC)