https://hemantpatkar.gumroad.com/l/cisspdomain1
https://www.linkedin.com/in/hemantpatkar/
OBJECTIVE
- ISC2 CODE OF ETHICS
- SECURITY CONCEPTS
- GOVERNANCE, RISK AND COMPLIANCE (GRC)
- BUDGET (FUNDING)
- ORGANIZATION STRUCTURE / PROCESS
- REPORTING MODEL
- CONTROL FRAMEWORK
- LIABILITY
- COMPLIANCE
- REGULATION SUMMARY
- INTELLECTUAL PROPERTY (IP) PROTECTION
- EXPORT/IMPORT RESTRICTION
- DRM (DIGITAL RIGHTS MANAGEMENT)
- SECURITY POLICY, STANDARDS, PROCEDURES AND GUIDELINES
- PERSONAL SECURITY POLICIES
- SECURITY EDUCATION, TRAINING AND AWARENESS
- RISK MANAGEMENT
- UNDERSTAND AND APPLY RISK MANAGEMENT
- QUALITATIVE RISK ASSESSMENT
- QUANTITATIVE RISK ASSESSMENT
- RISK RESPONSE
- ACCESS CONTROLS
- VAPT
- THREAT MODELLING (STRIDE, NIST and PASTA)
- BCP / DR
ISC2 CODE OF ETHICS
(Understand, adhere to, and promote professional ethics)
A) ISC2 Code of Professional Ethics
B) Organizational Code of Ethics
* The ISC2 Code of Professional Ethics supports the organizational code of ethics *
An ISC2 member is expected to do the following (remember with PAPA):
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honourably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
SECURITY CONCEPTS
CONFIDENTIALITY (Disclosure) — Only authorised entities have access to the data, resources, and objects. A lock on a safe provides confidentiality. Secrecy is maintained.
Controls: Least privilege, Need to know, Access control, and Encryption.
Example: Reputed banks maintain confidentiality by NOT disclosing customer data.
Common attacks: Social engineering, Monitoring and Eavesdropping, Theft and Burglary.
INTEGRITY (Alteration) — Protects against unauthorized changes, preserving accuracy and completeness. Integrity matters most for financial services data. To confirm that data is accurate, a HASH function is used to verify that the data has not changed.
Controls: Hash, Checksum, Dual control, and Digital Signature.
Example: Ordering sealed food from Uber Eats or Just Eat.
Common attacks: Software bugs, Data modification, Malicious code.
AVAILABILITY (Destruction) — Data should be available to authorised users always / whenever required.
Controls: RAID, Load Balancer, Backups, HA, and Remote site.
Example: Content Delivery Networks such as Netflix and Amazon Prime.
Common attacks: Natural disaster, DDoS, and Physical attacks.
GOVERNANCE
The process of managing an organization, which includes the roles, policies, and procedures needed to make informed decisions.
Strategic: 3–5 years, Tactical: 1–3 years, Operational: 0–6 months
Enterprise Governance (Corporate) — the Board of Directors — has 4 major parts:
1. Business Governance — COO
2. Finance Governance — CFO
3. IT Governance — CIO
4. Security Governance — CISO
Security Governance
Executive management, comprising the Board of Directors, is in charge and establishes a direction to guide strategy and policy. It provides resources to security initiatives and includes security guidelines or practices that lower risk to a manageable degree.
*** Security is a Non-Functional Requirement because it is a Process ***
Good Governance requirements
1. To support organizational goals, IT/security strategy should be aligned with business strategy.
2. Control and reduce risk to a reasonable level.
3. Describe and control resources.
4. Analyse performance indicators in relation to organizational goals.
5. Deliver value through information security investments that are optimized and support organizational goals.
-> Security should exist to support the Mission, Vision, and Business objectives of the organization.
-> Senior leadership should give its support.
-> Integrate risk management across all processes.
-> Infosec management validates that appropriate policies, procedures, standards, and guidelines are implemented to ensure business operations are conducted at an acceptable level.
GOVERNANCE, RISK AND COMPLIANCE (GRC)
*** Governance Process-Security steps ***
1. Stakeholder Interest.
2. Goals & Objectives.
3. Infosec policy, guidelines, and procedures.
4. Infosec program implementation.
5. Level of implementation.
6. Program result.
7. Business mission impact.
*** Risk Capacity vs Risk Tolerance vs Risk Appetite ***
Framework comes before standards.
Budget (Funding) -> Driving factor for any organization
1. Staff count.
2. Staff qualification.
3. Level of security controls required.
4. Task to be performed.
5. Regulations to be met.
6. Training required.
7. Degree of metric tracking.
Organization Structure / Process
REPORTING MODEL
The CISO should report as high as possible in the organization in order to:
1. Maintain visibility of the importance of Infosec.
2. Limit disturbance or inaccurate translation of the message.
Different reporting models for the Security Officer (CISO):
1. To CEO -> Best
2. To CIO/CTO (IT Department) -> 2nd Best
3. To COO (Admin/HR) -> 3rd Best
4. To Insurance and Risk department.
5. To Internal Audit department -> Does not take any department under it due to Conflict of Interest.
6. To Legal department -> Limited to some legal aspects.
CONTROL FRAMEWORK
A framework is like planning to have an office.
A standard is like buying and arranging items within a specific budget, such as desk, chair etc.
LIABILITY
DUE CARE (DC) — (Corrective Control) -> Duty (Action)
The level of care that a prudent person would have used in the same or similar circumstances is known as "Due Care." It is what the company owes the client.
Action taken by an organization to protect its stakeholders, investors, employees, and customers from harm.
DUE DILIGENCE (DD) — (Detective Control) -> Verify (Checks)
Before entering into a contract, it is customarily necessary to perform Due Diligence on a company or individual. Any action carried out to show or provide appropriate care.
Act of Investigation, Verification and Gap Assessment.
Example
DUE CARE — Collecting data / Implementing a patch (Always 1st)
DUE DILIGENCE — Verifying data / Verifying the patch (After DC)
COMPLIANCE
Act of faithfully following an external mandate.
Law = To protect the interests of individuals.
Regulations = To control industries (Bank of England, RBI, Federal Reserve Bank, DFSA, SEBI).
Privacy = Individual, while Secrecy = Organization
REGULATION SUMMARY
1. PCI-DSS (Payment Card Industry Data Security Standard) — Protecting against credit card theft / fraud (It's a STANDARD)
American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. founded the Payment Card Industry Security Standards Council with the intention of supervising the continued development of the Payment Card Industry Data Security Standard.
2. HIPAA (Health Insurance Portability and Accountability Act) — Health Care Data Privacy.
It's a high-trust framework and applicable to covered entities.
3. GLBA (Gramm-Leach-Bliley Act) — (For Consumer/Individual) (It's a STANDARD)
Individual financial data
4. SOX (Sarbanes–Oxley Act) — (For Corporate / Enterprise integrity)
Fraudulent accounting; safeguards investors
5. Privacy Shield — A treaty between the EU and US for data.
INTELLECTUAL PROPERTY (IP) PROTECTION
Industrial — Invention, Trademark, Industrial design
Copyright — Literary works, Artwork.
COPYRIGHT — 70 years after Death, 95 years after Publication and 120 years after Creation
Copyright protects the expression of an idea rather than the concept itself, e.g. music expressing feeling hurt or loved.
E.g. — Creating music or a song in a particular way is protected by Copyright.
TRADE SECRETS
Provide the company with the same type of competitive value or advantage.
E.g. — Recipes of soft drink majors, McDonald's, KFC
PATENT — 20 YEARS
This is the strongest form of protection for a unique idea.
E.g. — Source code for any application
TRADEMARK — (Identifying a business)
This protects Goodwill, Name, Symbol etc.
TM — In process (takes 6 months to 1 year for approval)
R — Approved (Registered)
EXPORT/IMPORT RESTRICTION
Export Restriction:
Wassenaar Arrangement: This limits the development of military capabilities that can endanger regional and world security and stability.
Import Restrictions:
Law: Governs the import of commodities, data, etc.
DRM (Digital Rights Management)
This solution regulates the transfer of intellectual property. DRM is frequently combined with DLP (Data Leak Prevention).
Data in Transit — Yes
Data in Use — Yes
Data at Rest — No
DRM's primary function is to safeguard IP.
E.g.: Netflix and its controls
SECURITY POLICY, STANDARDS, PROCEDURES
AND GUIDELINES
Policy = Written aspect of governance / Intent of senior management / To be reviewed yearly
Senior management is responsible for policy approvals.
Example 1
Policy = Using a password that is encrypted.
Standard = 8 character long
Procedure = Step by step process
Baseline = 128 bit size
Guideline = Do not share
PERSONAL SECURITY POLICIES
1. Employee screening — Job descriptions, reference checks,
examinations of credentials (education and certifications),
and background checks.
2. Vendor consultation and contractor controls.
3. Employee agreement and policies — Code of conduct, gift
handling, ethics statement, non-disclosure, non-compete
(cannot work for competitor), and acceptable use.
4. Employee Termination policies.
5. Privacy.
Separation of Duties (SoD)
This is the main control to AVOID fraud, since it prevents one individual from being able to complete all steps of a procedure.
Person1 -> Creates Purchase Order
Person2 -> Signs Cheque
Person3 -> Authorizes and Passes
Mandatory Vacations
This is primarily to DETECT fraud.
Job Rotations (People movement)
This is to PREVENT fraud; it decreases the likelihood of collusion between people.
Termination
1. Lock user account.
2. Recover property (Laptop, Desktop etc).
3. Exit interview.
4. Review NDA.
Onboarding
1. Review contract terms and Job description.
2. Sign NDA.
3. Training.
4. Process and Policies awareness.
ESTABLISH AND MANAGE SECURITY EDUCATION,
TRAINING AND AWARENESS
Policy — Specifies what to do.
Education — Modifies career. (Formal class — Long term)
Training — Upgrades/boosts skills. (Semi-formal — Mid term)
Awareness — Alters behaviours. (Information — Short term)
CORE AREAS
Program Effectiveness Evaluation — Depends upon
1. Participant testing.
2. Penetration testing.
3. Log review.
Periodic Content Reviews
1. Security Tools.
2. Applicable Laws.
3. Organization Security Policy.
4. Recent attack styles and methodologies.
Best awareness training — As security decreases, incident reports increase.
RISK MANAGEMENT
UNDERSTAND AND APPLY RISK MANAGEMENT
Risk — The end result of the functions of threat, vulnerability, event likelihood, and the probable organizational effects of an event.
Threat — Action (Malicious actors)
Vulnerability — A flaw / weakness
Impact — Potential harm
Risk (event to occur) = Vulnerability (Exposure) + Threat source (Intentional / Unintentional)
RISK = IMPACT x LIKELIHOOD x THREAT
(Likelihood and impact are the by-products that determine risk)
LIKELIHOOD DETERMINATION
Determine the likelihood that each threat can exploit a vulnerability.
Determine how much of the affected asset's value will be eliminated.
The definition of impact to an organization often includes loss of:
1. Life
2. Dollar $$
3. Prestige
4. Market share
Threats and Vulnerabilities
Natural, Criminal, Software, Physical, Personal, User Error (Unskilled worker)
QUALITATIVE RISK ASSESSMENT (Low, Med, High)
Organizations use qualitative risk assessment in 70–80% of cases. The best example is Internal Audit.
Conditions for a Qualitative Risk Assessment
1. A lack of competence among risk assessors.
2. There is not much time to finish the risk assessment.
3. Insufficient or limited data available.
4. Available assessors are seasoned workers with extensive knowledge of crucial business and IT systems.
QUANTITATIVE RISK ASSESSMENT ($$)
Consider a virus attack on a Database Server hosting critical data.
1. Asset Value (AV) of Database server = $1000
2. Exposure Factor (EF) for the threat, i.e. virus attack = 70% of server data lost
3. Single Loss Expectancy (SLE) = AV x EF = $1000 x 70% = $700
4. Annualized Rate of Occurrence (ARO) = 4 times a year
5. Annual Loss Expectancy (ALE) = SLE x ARO = $700 x 4 = $2800
Always take decisions based on ALE, not SLE.
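The SLE/ALE calculation above, as an added example that is not part of the original notes. It reproduces the database-server figures (AV $1000, EF 70%, ARO 4) and goes one step further than the slide: it ranks candidate safeguards by annual net value (ALE before minus ALE after minus annual cost of the control), which is the cost-benefit evaluation the Risk Response section calls for. The three safeguards and their residual EF/ARO figures are constructed for illustration.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost-benefit.

Added example (not from the original notes). Numbers for the database
server come from the notes; the safeguards below are constructed.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the notes' own terms."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # Annualized Rate of Occurrence, incidents/year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF (rounded to cents)."""
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO (rounded to cents)."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual risk it leaves (constructed)."""
    name: str
    annual_cost: float   # licences, staff time, etc. per year
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place


def residual_risk(risk: Risk, sg: Safeguard) -> Risk:
    """The same asset and threat, re-evaluated with the control in place."""
    return Risk(risk.name, risk.asset_value, sg.residual_ef, sg.residual_aro)


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual net value of a control: ALE(before) - ALE(after) - annual cost.

    Positive means the control pays for itself. The comparison is made
    on ALE, never on SLE, because the control is paid for every year.
    """
    return round(risk.ale - residual_risk(risk, sg).ale - sg.annual_cost, 2)


def rank_safeguards(risk: Risk, safeguards: Sequence[Safeguard]) -> list:
    """All options sorted by net value, best first.

    'accept the risk' is always included with value 0 as the baseline:
    a control whose cost exceeds the ALE it removes ranks below it.
    """
    ranked = [(sg.name, safeguard_value(risk, sg)) for sg in safeguards]
    ranked.append(("accept the risk", 0.0))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def best_safeguard(risk: Risk, safeguards: Sequence[Safeguard]) -> str:
    """Name of the option with the highest annual net value."""
    return rank_safeguards(risk, safeguards)[0][0]


# Scenario from the notes: virus attack on the database server.
DB_SERVER = Risk("virus attack on database server", 1000.0, 0.70, 4)

# Constructed candidate controls for the example.
SAFEGUARDS = (
    Safeguard("endpoint AV + patching", 600.0, 0.70, 1),    # fewer incidents
    Safeguard("immutable backups", 300.0, 0.10, 4),         # less data lost
    Safeguard("full hot-site DR", 3000.0, 0.0, 0),           # costs more than ALE
)

if __name__ == "__main__":
    print(f"SLE = ${DB_SERVER.sle:,.2f}  ALE = ${DB_SERVER.ale:,.2f}")
    for name, value in rank_safeguards(DB_SERVER, SAFEGUARDS):
        print(f"{name:28s} net annual value = ${value:,.2f}")
```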
RISK RESPONSE
CONSIDERATION FOR SELECTION OF CONTROLS
1. Strong business justification for security measures, i.e. they must be cost-effective.
2. Cost-benefit evaluation.
3. Return on security investment.
4. The risk assessment team must evaluate the security controls' functionality and effectiveness.
5. Operational impact, cost effectiveness, and security effectiveness must be taken into account when choosing countermeasures.
ACCESS CONTROLS
SECURITY CONTROL CATEGORIES
Vulnerability Assessment and Penetration Testing (VAPT)
VA — Only identifies vulnerabilities / weaknesses.
PT — Exploits vulnerabilities.
As a CISO you should have a limited set of configuration templates and a complete asset inventory (1 configuration template for 100 servers, not 100 servers with 100 different configurations).
VAPT Steps
THREAT MODELLING (STRIDE, NIST and PASTA)
Scope — Network, System, Application and Data.
1. Identify threat agents and threats.
2. Understand current controls.
3. Identify exploitable vulnerabilities.
4. Prioritize identified risks.
5. Identify controls to reduce risks to acceptable levels.
Threat modelling is done at the design stage, before build.
STRIDE (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, and
Elevation of Privilege) — Developed by Microsoft
Microsoft’s STRIDE methodology seeks to guarantee that an application satisfies the
security standards of Confidentiality, Integrity, and Availability (CIA) in addition to
Authorization, Authentication, and Non-Repudiation.
NIST (National Institute of Standards and Technology)
PASTA (Process for Attack Simulation and Threat Analysis)
PASTA threat modelling combines an attacker's perspective of a business with risk and impact analysis to create a complete picture of the threats to products and applications and their vulnerability to attack, and to inform decisions about risk and priorities for fixes.
RISK MANAGEMENT METHODOLOGIES
1. Governance review — Process, Certifications.
2. Site security reviews — Client visit.
3. Formal security audit — End to end audit.
4. Penetration testing — Planning to use product/cloud
platform.
REGULAR 3RD PARTY ASSESSMENT
1. On-site assessment.
2. Document exchange and review.
3. Process / Policy review.
SLA vs ASSURANCE vs SLR
Service Level Requirement (SLR)
Service Level Agreement (SLA)
BUSINESS CONTINUITY PLANNING (BCP) AND
DISASTER RECOVERY (DR)
BCP (Business Continuity Plan) — For Business
The documentation of a predetermined set of instructions or procedures that describes how a company's business operations will continue to function in the event of a major disruption.
DR (Disaster Recovery) — For System / IT Infrastructure
A defined strategy for recovering one or more information systems at a different location in the event of a significant hardware or software failure.
BIA — (Business Impact Analysis)
Things to do if there is any change in business applications:
1. Develop contingency policy.
2. Conduct BIA.
3. Identify preventive controls.
4. Create contingency strategies.
5. Develop contingency plan.
6. Plan, Testing, Training and Exercise.
7. Plan maintenance.
MTD — Maximum Tolerable Downtime (Acceptable downtime agreed with the customer without significant harm to the business)
RTO — Recovery Time Objective (Time to restore services, e.g. from the Secondary DC)
RPO — Recovery Point Objective (Acceptable Data Loss). This only deals with Data and its Backup.
WRT — Work Recovery Time (Back to the Primary DC)
All CISSP Domain Notes Links.
CISSP Domain 1 - Security And Risk Management (34 pages)
https://hemant6552.gumroad.com/l/cisspdomain1
CISSP Domain 2 - Asset Security (14 pages)
https://hemant6552.gumroad.com/l/cisspdomain2
CISSP Domain 3 - Security Architecture & Engineering (59 pages)
https://hemant6552.gumroad.com/l/cisspdomain3
CISSP Domain 4 - Communications & Network Security (50 pages)
https://hemant6552.gumroad.com/l/cisspdomain4
CISSP Domain 5 - Identity and Access Management (32 pages)
https://hemant6552.gumroad.com/l/cisspdomain5
CISSP Domain 6 - Security Assessment and Testing (21 pages)
https://hemant6552.gumroad.com/l/cisspdomain6
CISSP Domain 7 - Security Operations (37 pages)
https://hemant6552.gumroad.com/l/cisspdomain7
CISSP Domain 8 - Software Development Security (59 pages)
https://hemant6552.gumroad.com/l/cisspdomain8

More Related Content

What's hot

Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certification
tschraider
 

What's hot (20)

Security audit
Security auditSecurity audit
Security audit
 
Linux security
Linux securityLinux security
Linux security
 
SentinelOne-Connector-For-Fortinet-Launch-Deck-Final (1).pptx
SentinelOne-Connector-For-Fortinet-Launch-Deck-Final (1).pptxSentinelOne-Connector-For-Fortinet-Launch-Deck-Final (1).pptx
SentinelOne-Connector-For-Fortinet-Launch-Deck-Final (1).pptx
 
Introduction to ITIL 4 and IT service management
Introduction to ITIL 4 and IT service managementIntroduction to ITIL 4 and IT service management
Introduction to ITIL 4 and IT service management
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
Windows Security in Operating System
Windows Security in Operating SystemWindows Security in Operating System
Windows Security in Operating System
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR Roundtable
 
information security management
information security managementinformation security management
information security management
 
SIEM in NIST Cyber Security Framework
SIEM in NIST Cyber Security FrameworkSIEM in NIST Cyber Security Framework
SIEM in NIST Cyber Security Framework
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologies
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability Assesment
 
Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certification
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
IDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTIDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENT
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
 

Similar to CISSP Domain 1 - Security And Risk Management.pdf

200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
Chad Korosec
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
mdagrossa
 
6DCP Food Safety Solution
6DCP Food Safety Solution6DCP Food Safety Solution
6DCP Food Safety Solution
Eddie Cohen
 
Project_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloProject_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_Intindolo
John Intindolo
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
PECB
 

Similar to CISSP Domain 1 - Security And Risk Management.pdf (20)

For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
 
Business-Aligned Enterprise Security – Driving Success in the Face of Shifti...
Business-Aligned Enterprise Security – Driving Success in the Face of Shifti...Business-Aligned Enterprise Security – Driving Success in the Face of Shifti...
Business-Aligned Enterprise Security – Driving Success in the Face of Shifti...
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
6DCP Food Safety Solution
6DCP Food Safety Solution6DCP Food Safety Solution
6DCP Food Safety Solution
 
5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
 
Project_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloProject_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_Intindolo
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
Effectively managing operational risk
Effectively managing operational riskEffectively managing operational risk
Effectively managing operational risk
 
Asset Security
Asset Security Asset Security
Asset Security
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
 
ERM Presentation
ERM PresentationERM Presentation
ERM Presentation
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
CISSP Domain 1 - Security And Risk Management.pdf

Eavesdropping, Theft and Burglary.

INTEGRITY (Alter): Protects data from unauthorised changes and preserves its accuracy and completeness. It matters most for financial services data. A hash function is used to verify that data has not changed.
Caveat: an unkeyed hash only detects accidental change. An attacker who can modify the data can also recompute and replace the hash, so protection against deliberate tampering needs a keyed MAC (HMAC) or a digital signature, whose key the attacker does not hold.
Controls: Hash, Checksum, Dual control, and Digital Signature.
Example: Ordering sealed food from Uber Eats or Just Eat (an intact seal shows the contents were not altered in transit).
Common attacks: Software bugs, Data modification, Malicious code.

AVAILABILITY (Destruct): Data and services must be available to authorised users whenever required.
Controls: RAID, Load Balancer, Backups, HA, and Remote site.
Example: Content delivery networks such as those used by Netflix and Amazon Prime.
Common attacks: Natural disaster, DDoS, and Physical attacks.
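The integrity caveat above, shown in working code. This is an added example, not code from the slides: it uses Python's standard library only, and the sample transfer record, the attacker's edit and the integrity key are all constructed for the demonstration. It shows that a plain SHA-256 hash catches accidental corruption but is silently defeated by an attacker who rewrites the record and its hash together, while an HMAC with a secret key still fails the forged record.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the slides): a transfer whose integrity
# must be protected.
RECORD = b"transfer;from=ACC-1001;to=ACC-2002;amount=100.00"

# Constructed secret shared only by the system writing the record and the one
# verifying it. A real deployment keeps this in a KMS/HSM, not in code.
INTEGRITY_KEY = secrets.token_bytes(32)


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: detects accidental corruption (the checksum role)."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, stored_hash: str) -> bool:
    # compare_digest avoids leaking the position of a mismatch through timing.
    return hmac.compare_digest(sha256_hex(data), stored_hash)


def verify_hmac(key: bytes, data: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(hmac_hex(key, data), stored_tag)


def flip_last_bit(data: bytes) -> bytes:
    """Simulates accidental corruption: a single bit flip in the last byte."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def tamper(data: bytes) -> bytes:
    """Simulates deliberate modification: the attacker rewrites the amount."""
    return data.replace(b"amount=100.00", b"amount=9100.00")


def run_integrity_checks() -> dict:
    """Returns, per scenario, whether each control detected the change."""
    stored_hash = sha256_hex(RECORD)
    stored_tag = hmac_hex(INTEGRITY_KEY, RECORD)
    results = {}

    # Untouched record passes both checks.
    results["clean_hash_ok"] = verify_hash(RECORD, stored_hash)
    results["clean_hmac_ok"] = verify_hmac(INTEGRITY_KEY, RECORD, stored_tag)

    # Accidental corruption: both checks catch it, because no one recomputed
    # the stored hash or tag to match the damaged bytes.
    corrupted = flip_last_bit(RECORD)
    results["corruption_caught_by_hash"] = not verify_hash(corrupted, stored_hash)
    results["corruption_caught_by_hmac"] = not verify_hmac(INTEGRITY_KEY, corrupted, stored_tag)

    # Deliberate tampering: whoever can rewrite the record can also rewrite the
    # unkeyed hash stored next to it, so the hash check passes (detection fails).
    evil = tamper(RECORD)
    attacker_hash = sha256_hex(evil)
    results["tampering_caught_by_hash"] = not verify_hash(evil, attacker_hash)

    # Without INTEGRITY_KEY the attacker can only guess a tag; the keyed check fails.
    attacker_tag = hmac_hex(b"attacker-guess", evil)
    results["tampering_caught_by_hmac"] = not verify_hmac(INTEGRITY_KEY, evil, attacker_tag)
    return results


if __name__ == "__main__":
    for check, detected in run_integrity_checks().items():
        print(f"{check}: {detected}")
```

The same split applies to the other controls on the slide: a checksum is the unkeyed case, a digital signature is the keyed case with a private key, and dual control is the procedural equivalent (no single party can both change the data and approve the change).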
GOVERNANCE
The process of managing an organisation, including the roles, policies and procedures needed to make informed decisions.
Planning horizons: Strategic: 3–5 years, Tactical: 1–3 years, Operational: 0–6 months.
Enterprise (Corporate) Governance under the Board of Directors has 4 major parts:
1. Business Governance: COO
2. Finance Governance: CFO
3. IT Governance: CIO
4. Security Governance: CISO
SECURITY GOVERNANCE
Executive management, including the Board of Directors, is in charge and sets the direction that guides strategy and policy. It provides resources for security initiatives and establishes security guidelines or practices that lower risk to a manageable level.
*** Security is a Non-Functional Requirement: it is a process and a quality of the system, not a feature of it ***
Good governance requirements
1. To support organisational goals, IT/security strategy should be aligned with business strategy.
2. Control and reduce risk to a reasonable level.
3. Describe and control resources.
4. Analyse performance indicators in relation to organisational goals.
5. Value delivery through information security investments that are optimised and support organisational goals.
-> Security should exist to support the Mission, Vision and Business objectives of the organisation.
-> Senior leadership support is required.
-> Integrate risk management across all processes.
-> Infosec management validates that appropriate policies, procedures, standards and guidelines are implemented so that business operations are conducted at an acceptable level of risk.
GOVERNANCE, RISK AND COMPLIANCE (GRC)
*** Governance process: security steps ***
1. Stakeholder interest.
2. Goals and objectives.
3. Infosec policy, guidelines and procedures.
4. Infosec program implementation.
5. Level of implementation.
6. Program results.
7. Business mission impact.
*** Risk Capacity vs Risk Tolerance vs Risk Appetite ***
Framework comes before standards.
BUDGET (FUNDING): the driving factor for any organisation
1. Staff count.
2. Staff qualifications.
3. Level of security controls required.
4. Tasks to be performed.
5. Regulations to be met.
6. Training required.
7. Degree of metric tracking.
ORGANIZATION STRUCTURE / PROCESS
REPORTING MODEL
The CISO should report as high as possible in the organisation:
1. To maintain visibility of the importance of Infosec.
2. To limit distortion or inaccurate translation of the message.
Different reporting models for the Security Officer (CISO)
1. To CEO: Best
2. To CIO/CTO (IT Department): 2nd best
3. To COO (Admin/HR): 3rd best
4. To Insurance and Risk department.
5. To Internal Audit department: audit should not have any operational department reporting to it, because it must independently review that department (conflict of interest).
6. To Legal department: limited to some legal aspects.
CONTROL FRAMEWORK
A framework is like planning to have an office. A standard is like buying and arranging specific items (desk, chair, etc.) within a given budget.
LIABILITY
DUE CARE (DC): (Corrective Control) -> Duty (Action)
The level of care that a prudent person would have used in the same or similar circumstances. It is what the company owes the client: action taken by an organisation to protect its stakeholders, investors, employees and customers from harm.
DUE DILIGENCE (DD): (Detective Control) -> Verify (Checks)
Before entering into a contract it is customary to perform due diligence on a company or individual. Any action carried out to show or confirm that appropriate care was taken: the act of investigation, verification and gap assessment.
Example
DUE CARE: Collecting data / Implementing a patch (always first)
DUE DILIGENCE: Verifying data / Verifying the patch (after DC)
COMPLIANCE
The act of faithfully following an external mandate.
Law = protects the interests of individuals.
Regulations = control industries (Bank of England, RBI, Federal Reserve Bank, DFSA, SEBI).
Privacy = Individual, while Secrecy = Organisation.
REGULATION SUMMARY
1. PCI-DSS (Payment Card Industry Data Security Standard): protects against payment card theft/fraud. It is a STANDARD (an industry mandate enforced by contract, not a law). American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. founded the Payment Card Industry Security Standards Council to supervise the continued development of PCI-DSS.
2. HIPAA (Health Insurance Portability and Accountability Act): US health care data privacy law. It applies to covered entities and, through business associate agreements, to their business associates. HITRUST CSF is a separate framework often used to demonstrate HIPAA compliance.
3. GLBA (Gramm-Leach-Bliley Act): for consumers/individuals. A US federal LAW (not a standard) that protects individual financial data held by financial institutions.
4. SOX (Sarbanes-Oxley Act): for corporate/enterprise integrity. Addresses fraudulent accounting in order to safeguard investors.
5. Privacy Shield: an EU-US framework (not a treaty) for transferring personal data. It was invalidated by the Court of Justice of the EU in the Schrems II decision (July 2020) and has since been replaced by the EU-US Data Privacy Framework (2023).
INTELLECTUAL PROPERTY (IP) PROTECTION
Industrial: Inventions, Trademarks, Industrial designs.
Copyright: Literary and artistic works.
COPYRIGHT: 70 years after the author's death; for anonymous, pseudonymous and work-for-hire works, 95 years after publication or 120 years after creation, whichever expires first (US terms).
Copyright protects the expression of an idea, not the idea or concept itself: a feeling such as being hurt or loved cannot be copyrighted, but a particular song expressing it can.
E.g. creating music or a song in a particular way is protected by copyright.
TRADE SECRETS
Confidential information that gives the company a competitive value or advantage; protection lasts only as long as the secret is kept.
E.g. the recipe of a major soft drink, McDonald's or KFC.
PATENT: 20 YEARS
The strongest form of protection for a unique invention; in exchange the invention is publicly disclosed.
E.g. a novel algorithm or process implemented in an application (the source code itself is protected by copyright, not by the patent).
TRADEMARK (identifying a business)
Protects goodwill, name, symbol, etc.
TM = application in process (takes 6 months to 1 year for approval)
R = approved (registered)
EXPORT/IMPORT RESTRICTION
Export restriction: Wassenaar Arrangement. Limits the spread of conventional arms and dual-use goods and technologies (cryptography included) whose development could endanger regional and global security and stability.
Import restriction: national law controlling the import of commodities, data, etc.
DRM (DIGITAL RIGHTS MANAGEMENT)
A solution that regulates the transfer and use of intellectual property. DRM is frequently combined with DLP (Data Loss/Leak Prevention).
Data in Transit: Yes
Data in Use: Yes
Data at Rest: No
DRM's primary function is to safeguard IP. E.g. Netflix and its playback controls.
SECURITY POLICY, STANDARDS, PROCEDURES AND GUIDELINES
Policy = the written aspect of governance / the intent of senior management / reviewed yearly. Senior management is responsible for policy approval.
Example 1
Policy = Passwords must be encrypted.
Standard = At least 8 characters long
Procedure = Step-by-step process
Baseline = 128-bit minimum key size
Guideline = Do not share passwords
PERSONNEL SECURITY POLICIES
1. Employee screening: job descriptions, reference checks, examination of credentials (education and certifications), and background checks.
2. Vendor, consultant and contractor controls.
3. Employee agreements and policies: code of conduct, gift handling, ethics statement, non-disclosure, non-compete (cannot work for a competitor), and acceptable use.
4. Employee termination policies.
5. Privacy.
Separation of Duties (SoD)
The main control to AVOID fraud, since it prevents one individual from completing all steps of a procedure.
Person 1 -> Creates the purchase order
Person 2 -> Signs the cheque
Person 3 -> Authorises and passes it
Mandatory Vacations
Primarily to DETECT fraud (someone else performs the role while the person is away).
Job Rotation (people movement)
To PREVENT fraud: it decreases the likelihood of collusion between people.
Termination
1. Lock the user account.
2. Recover property (laptop, desktop, etc.).
3. Exit interview.
4. Review the NDA.
Onboarding
1. Review contract terms and job description.
2. Sign the NDA.
3. Training.
4. Process and policy awareness.
ESTABLISH AND MANAGE SECURITY EDUCATION, TRAINING AND AWARENESS
Policy: specifies what to do.
Education: modifies a career. (Formal class, long term)
Training: upgrades/boosts skills. (Semi-formal, mid term)
Awareness: alters behaviour. (Information, short term)
CORE AREAS
Program effectiveness evaluation depends upon
1. Participant testing.
2. Penetration testing.
3. Log review.
Periodic content reviews
1. Security tools.
2. Applicable laws.
3. Organisation security policy.
4. Recent attack styles and methodologies.
Sign of effective awareness training: the number of reported incidents goes up, because users recognise and report more. A rise in incident reports after training does not by itself mean security has decreased.
RISK MANAGEMENT
UNDERSTANDING AND APPLYING RISK MANAGEMENT
Risk: the end result of the combination of threat, vulnerability, event likelihood and the probable organisational effect of an event.
Threat: an action or actor (malicious or accidental) with the potential to cause harm.
Vulnerability: a flaw or weakness.
Impact: the potential harm.
Risk (an event that may occur) exists when a Vulnerability (exposure) meets a Threat source (intentional or unintentional).
RISK = LIKELIHOOD x IMPACT
(Likelihood is itself a function of the threat and the vulnerability; likelihood and impact are the two by-products that determine risk.)
LIKELIHOOD DETERMINATION
Determine the likelihood that each threat can exploit a vulnerability, and determine how much of the affected asset's value would be lost.
Definitions of impact to an organisation often include loss of:
1. Life
2. Dollars $$
3. Prestige
4. Market share
Threats and vulnerabilities
Natural, Criminal, Software, Physical, Personnel, User error (unskilled worker).
QUALITATIVE RISK ASSESSMENT (Low, Medium, High)
Organisations use qualitative risk assessment in 70–80% of cases. The best example is an internal audit.
Conditions favouring qualitative risk assessment
1. A lack of quantitative competence among risk assessors.
2. Not much time to finish the risk assessment.
3. Insufficient or limited data available.
4. Available assessors are seasoned workers with extensive knowledge of crucial business and IT systems.
QUANTITATIVE RISK ASSESSMENT ($$)
Consider a virus attack on a database server hosting critical data.
1. Asset Value (AV) of the database server = $1000
2. Exposure Factor (EF) for the threat (virus attack) = 70% of server data lost
3. Single Loss Expectancy (SLE) = AV x EF = $1000 x 70% = $700
4. Annualized Rate of Occurrence (ARO) = 4 times a year
5. Annual Loss Expectancy (ALE) = SLE x ARO = $700 x 4 = $2800
Always base the decision on ALE, not SLE.
RISK RESPONSE
CONSIDERATIONS FOR SELECTION OF CONTROLS
1. Strong business justification for security measures, i.e. they must be cost-effective.
2. Cost-benefit evaluation.
3. Return on security investment.
4. The risk assessment team must evaluate the functionality and effectiveness of the security controls.
5. Take operational impact, cost-effectiveness and security effectiveness into account when choosing countermeasures.
Cost-benefit rule: a control is worth buying when (ALE before the control) - (ALE after the control) - (annual cost of the control) is positive.
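The quantitative figures from the previous slide carried through to control selection, as an added example that is not part of the slides. It reuses the slide's numbers (AV $1000, EF 70%, ARO 4) and ranks candidate controls by (ALE before) - (ALE after) - (annual cost); the three candidate controls, their costs and the reductions they achieve are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pair expressed in the slide's quantitative terms."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and what it changes (names and figures constructed)."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = unchanged
    new_aro: Optional[float] = None              # None = unchanged


def apply_control(before: Scenario, control: Control) -> Scenario:
    """The scenario as it looks once the control is in place."""
    ef = before.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = before.aro if control.new_aro is None else control.new_aro
    return Scenario(before.asset_value, ef, aro)


def control_value(before: Scenario, control: Control) -> float:
    """Cost-benefit: (ALE before) - (ALE after) - (annual cost of the control).
    Positive means the control pays for itself; negative means the cure costs
    more than the disease and the risk should be accepted or transferred instead."""
    after = apply_control(before, control)
    return before.ale() - after.ale() - control.annual_cost


def rank_controls(before: Scenario, controls: list) -> list:
    """Controls whose net annual value is positive, best first."""
    scored = [(c.name, round(control_value(before, c), 2)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# The slide's figures: database server AV $1000, EF 70%, ARO 4 per year.
VIRUS_ON_DB = Scenario(asset_value=1000.0, exposure_factor=0.70, aro=4.0)

# Constructed candidate controls (not from the slides).
CANDIDATES = [
    Control("Endpoint anti-malware + patching", annual_cost=800.0, new_aro=1.0),
    Control("Daily backups", annual_cost=300.0, new_exposure_factor=0.20),
    Control("Enterprise EDR suite", annual_cost=3000.0, new_aro=0.5),
]

if __name__ == "__main__":
    print(f"SLE = ${VIRUS_ON_DB.sle():.2f}, ALE = ${VIRUS_ON_DB.ale():.2f}")
    for name, value in rank_controls(VIRUS_ON_DB, CANDIDATES):
        print(f"{name}: net annual value ${value:.2f}")
```

Note that the most effective control by residual risk (the EDR suite, which cuts the ALE to $350) is the one that does not make the list: its annual cost exceeds the loss it prevents, which is exactly why the decision must be made on ALE and cost together rather than on SLE or effectiveness alone.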
ACCESS CONTROLS
SECURITY CONTROL CATEGORIES
VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VAPT)
VA: only identifies vulnerabilities/weaknesses.
PT: exploits vulnerabilities to demonstrate impact.
As a CISO you should have a small number of configuration templates and a complete asset inventory (1 configuration template for 100 servers, not 100 servers with 100 different configurations).
VAPT Steps
THREAT MODELLING (STRIDE, NIST and PASTA)
Scope: Network, System, Application and Data.
1. Identify threat agents and threats.
2. Understand current controls.
3. Identify exploitable vulnerabilities.
4. Prioritise the identified risks.
5. Identify controls to reduce risks to acceptable levels.
Threat modelling belongs at the design stage, before the build.
STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, and Elevation of Privilege): developed by Microsoft.
Each STRIDE category is the violation of one security property: Spoofing -> Authentication, Tampering -> Integrity, Repudiation -> Non-repudiation, Information Disclosure -> Confidentiality, DoS -> Availability, Elevation of Privilege -> Authorization. STRIDE therefore checks that an application satisfies Confidentiality, Integrity and Availability (CIA) as well as Authentication, Authorization and Non-repudiation.
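The five threat-modelling steps and the STRIDE mapping above, run over a small data-flow diagram in code. This is an added example, not the slides' or Microsoft's code: it applies STRIDE-per-element (the rule set in which external entities get S and R, processes get all six, data stores get T, R, I and D, and data flows get T, I and D), drops categories that already have a control, and prioritises flows that cross a trust boundary. The three-tier sample application, its trust zones and its existing mitigations are constructed.

```python
from dataclasses import dataclass, field

# STRIDE category -> the security property it violates.
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# STRIDE-per-element: which categories apply to each data-flow-diagram element type.
APPLICABLE = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(STRIDE),
    "data_store": ["Tampering", "Repudiation", "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}


@dataclass
class Element:
    name: str
    kind: str                                    # external_entity | process | data_store
    zone: str                                    # trust zone the element lives in
    mitigated: set = field(default_factory=set)  # STRIDE categories already controlled


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    mitigated: set = field(default_factory=set)

    def crosses_trust_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    property_violated: str
    severity: str


_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def enumerate_threats(elements: list, flows: list) -> list:
    """Steps 1-4 of the slide: enumerate threats per element, remove those with an
    existing control, and rank. Disclosure of a data store and any unprotected
    flow across a trust boundary are rated High."""
    threats = []
    for e in elements:
        for cat in APPLICABLE[e.kind]:
            if cat in e.mitigated:
                continue
            sev = "High" if (e.kind == "data_store" and cat == "Information Disclosure") else "Medium"
            threats.append(Threat(e.name, cat, STRIDE[cat], sev))
    for f in flows:
        for cat in APPLICABLE["data_flow"]:
            if cat in f.mitigated:
                continue
            sev = "High" if f.crosses_trust_boundary() else "Low"
            threats.append(Threat(f.name, cat, STRIDE[cat], sev))
    return sorted(threats, key=lambda t: (_ORDER[t.severity], t.target, t.category))


def build_sample_model():
    """Constructed three-tier web application (not from the slides)."""
    browser = Element("Customer browser", "external_entity", "internet")
    api = Element("Web API", "process", "dmz", mitigated={"Repudiation"})  # audit logging exists
    db = Element("Customer DB", "data_store", "internal")
    flows = [
        # TLS already covers tampering and disclosure on the internet-facing hop.
        Flow("browser -> API (HTTPS)", browser, api, mitigated={"Tampering", "Information Disclosure"}),
        # Plain-text DB connection crossing from the DMZ into the internal zone.
        Flow("API -> DB (plain TCP)", api, db),
    ]
    return [browser, api, db], flows


if __name__ == "__main__":
    for t in enumerate_threats(*build_sample_model()):
        print(f"[{t.severity:6}] {t.target}: {t.category} (violates {t.property_violated})")
```

The output is the input to step 5: every High entry names the element, the STRIDE category and the property that a control must restore (for the plain-text database hop, Integrity, Confidentiality and Availability, which points at TLS for the DB connection plus rate limiting or connection pooling).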
NIST (National Institute of Standards and Technology)
PASTA (Process for Attack Simulation and Threat Analysis)
PASTA is a seven-stage, risk-centric methodology. It combines an attacker's perspective of the business with risk and impact analysis to build a complete picture of the threats to products and applications and their vulnerability to attack, and to inform decisions about risk and priorities for fixes.
RISK MANAGEMENT METHODOLOGIES
1. Governance review: process, certifications.
2. Site security reviews: client visit.
3. Formal security audit: end-to-end audit.
4. Penetration testing: when planning to use a product/cloud platform.
REGULAR 3RD PARTY ASSESSMENT
1. On-site assessment.
2. Document exchange and review.
3. Process/policy review.
SLA vs ASSURANCE vs SLR
Service Level Requirement (SLR)
Service Level Agreement (SLA)
BUSINESS CONTINUITY PLANNING (BCP) AND DISASTER RECOVERY (DR)
BCP (Business Continuity Plan): for the business.
The documented, predetermined set of instructions or procedures describing how a company's business operations will continue to function in the event of a major disruption.
DR (Disaster Recovery): for systems / IT infrastructure.
A defined strategy for recovering one or more information systems at a different location in the event of a significant hardware or software failure.
BIA (Business Impact Analysis)
Contingency planning process (the seven steps of NIST SP 800-34):
1. Develop the contingency planning policy.
2. Conduct the BIA.
3. Identify preventive controls.
4. Create contingency strategies.
5. Develop the contingency plan.
6. Plan testing, training and exercises.
7. Plan maintenance.
MTD: Maximum Tolerable Downtime (the downtime agreed with the customer that the business can absorb without significant harm).
RTO: Recovery Time Objective (time to restore the service, e.g. at the secondary DC). Must be shorter than the MTD.
RPO: Recovery Point Objective (acceptable data loss, expressed as a span of time). Deals only with data and its backups.
WRT: Work Recovery Time (time after the systems are restored to verify data, reconfigure and return to normal business operation, e.g. back at the primary DC).
Relationship: MTD = RTO + WRT, so RTO + WRT must never exceed the MTD.
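A consistency check over the BIA metrics above, as an added example that is not from the slides. It verifies two things a DR plan review should catch: that RTO + WRT fits inside the MTD for each system, and that the backup schedule can actually deliver the RPO (the worst case is a failure just before the running backup completes, so the newest usable copy is one interval plus one backup run old). The three sample systems and their figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryTargets:
    """BIA outputs for one system. All durations are in hours."""
    system: str
    mtd: float               # Maximum Tolerable Downtime
    rto: float               # Recovery Time Objective
    wrt: float               # Work Recovery Time
    rpo: float               # Recovery Point Objective (acceptable data loss)
    backup_interval: float   # how often a backup run starts
    backup_duration: float   # how long a run takes before the copy is usable


def worst_case_data_loss(t: RecoveryTargets) -> float:
    """Failure just before the running backup completes: the newest usable copy
    captured state one interval plus one run earlier."""
    return t.backup_interval + t.backup_duration


def check_targets(t: RecoveryTargets) -> list:
    """Findings for one system; an empty list means the targets are consistent."""
    findings = []
    total = t.rto + t.wrt
    if total > t.mtd:
        findings.append(f"RTO {t.rto}h + WRT {t.wrt}h = {total}h exceeds MTD {t.mtd}h")
    loss = worst_case_data_loss(t)
    if loss > t.rpo:
        findings.append(f"backup schedule allows {loss}h of data loss, above RPO {t.rpo}h")
    return findings


def review_plan(targets: list) -> dict:
    """Map each system name to its findings."""
    return {t.system: check_targets(t) for t in targets}


# Constructed sample BIA (not from the slides).
SAMPLE_PLAN = [
    RecoveryTargets("Payments ledger", mtd=8, rto=4, wrt=2, rpo=1, backup_interval=0.5, backup_duration=0.25),
    RecoveryTargets("CRM", mtd=24, rto=20, wrt=6, rpo=24, backup_interval=24, backup_duration=2),
    RecoveryTargets("Intranet wiki", mtd=72, rto=48, wrt=8, rpo=24, backup_interval=12, backup_duration=1),
]

if __name__ == "__main__":
    for system, findings in review_plan(SAMPLE_PLAN).items():
        print(system + ":", "OK" if not findings else "; ".join(findings))
```

The CRM entry fails both checks even though each figure looks reasonable on its own: a daily backup that takes two hours cannot meet a 24-hour RPO, and an RTO that nearly equals the MTD leaves no room for the WRT. Those are the two gaps a BIA review is meant to surface before a real disruption does.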
All CISSP Domain Notes Links.
CISSP Domain 1 - Security And Risk Management (34 pages) https://hemant6552.gumroad.com/l/cisspdomain1
CISSP Domain 2 - Asset Security (14 pages) https://hemant6552.gumroad.com/l/cisspdomain2
CISSP Domain 3 - Security Architecture & Engineering (59 pages) https://hemant6552.gumroad.com/l/cisspdomain3
CISSP Domain 4 - Communications & Network Security (50 pages) https://hemant6552.gumroad.com/l/cisspdomain4
CISSP Domain 5 - Identity and Access Management (32 pages) https://hemant6552.gumroad.com/l/cisspdomain5
CISSP Domain 6 - Security Assessment and Testing (21 pages) https://hemant6552.gumroad.com/l/cisspdomain6
CISSP Domain 7 - Security Operations (37 pages) https://hemant6552.gumroad.com/l/cisspdomain7
CISSP Domain 8 - Software Development Security (59 pages) https://hemant6552.gumroad.com/l/cisspdomain8