1. CIA Triad
1.1. Information Security Triad
1.1.1. Confidentiality
1.1.1.1. Need to know
1.1.2. Integrity
1.1.2.1. Information is correct and has not been modified by unauthorized parties
1.1.3. Availability
1.1.3.1. Always up and running
1.2. Three opposites
1.2.1. Destruction
1.2.2. Alteration
1.2.3. Disclosure
2. Security Governance Principle
2.1. Alignment of Security Function to Strategy, Goals, Mission, and Objectives
2.1.1. Security and Risk Management Relationships
2.1.1.1. Assess risk and determine needs
2.1.1.2. Monitor and evaluate
2.1.1.3. Promote awareness
2.1.1.4. Implement policies and controls
2.1.2. Budget
2.1.3. Metrics
2.1.4. Resources
2.1.4.1. System/Network Administrators
2.1.4.2. Policy/Compliance Officers
2.1.4.3. Legal Counsel
2.1.4.4. Quality Assurance Testers
2.1.4.5. Budget Officers
2.1.4.6. Business Analysts
2.1.4.7. Enterprise Architects
2.1.4.8. Software Developers
2.2. Organizational Processes
2.2.1. Acquisitions and Mergers
2.2.2. Divestitures and Spinoffs
2.2.3. Governance Committees
2.3. Security Roles and Responsibilities
2.3.1. Responsibilities of the Information Security Officer
2.3.1.1. Ensuring that the security policies, procedures, baselines, standards, and guidelines are written to address the information security needs of the organization
2.3.1.2. Implementing and operating computer incident response teams (CIRTs)
2.3.1.3. Providing the leadership for the information security awareness program
2.3.1.4. Communicating risks to executive management
2.3.1.5. Ensuring that the information presented to executive management is based upon a real business need and that the facts are represented clearly
2.3.1.6. Staying abreast of emerging regulatory developments to enable a timely response
2.3.1.7. Maintaining the appropriate balance between acceptable risk and ensuring that business operations meet the mission of the organization
2.3.2. Security Officer Reporting Models
2.3.2.1. Reporting to the CEO
2.3.2.2. Reporting to the Information Technology (IT) Department
2.3.2.3. Reporting to the Administrative Services Department
2.3.2.4. Reporting to the Insurance and Risk Management Department
2.3.2.5. Reporting to the Internal Audit Department
2.3.2.6. Reporting to the Legal Department
2.4. Control Frameworks
2.4.1. Consistent
2.4.2. Measurable
2.4.3. Standardized
2.4.4. Comprehensive
2.4.5. Modular
2.5. Control Frameworks examples
2.5.1. COSO
2.5.2. ISO27000
2.5.3. ITIL
2.5.4. COBIT
2.6. Due care
2.6.1. The care a “reasonable person” with the same training and experience would exercise under given circumstances
2.6.2. If due care has been exercised, an injured party cannot prove negligence
2.7. Due Diligence
2.7.1. An act of management in furtherance of due care
2.7.2. The actions taken to ensure that policies are being properly applied
3. Compliance
3.1. Legislative and Regulatory Compliance
3.1.1. Governance, Risk Management, and Compliance (GRC)
3.2. Privacy Requirements Compliance
3.2.1. European Union member nations - Data Protection Directive (DPD) 95/46/EC
3.2.2. Australia - Privacy Act
3.2.3. Argentina - Personal Data Protection Law
3.2.4. Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
3.2.5. United States - Health Insurance Portability and Accountability Act (HIPAA)
3.2.6. United States - Gramm-Leach-Bliley Act (GLBA)
3.2.7. Payment Card Industry (PCI) - PCI Data Security Standard (PCI DSS)
4. Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context
4.1. Computer Crimes
4.2. Licensing and Intellectual Property
4.2.1. Industrial property
4.2.2. Copyright
4.3. Import/Export Controls
4.3.1. The Wassenaar Arrangement (WA)
4.4. Privacy
4.4.1. The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information
4.4.2. Personally Identifiable Information (PII)
4.4.3. Organization for Economic Cooperation and Development (OECD) Guidelines
4.4.3.1. Collection Limitation
4.4.3.2. Data Quality
4.4.3.3. Purpose Specification
4.4.3.4. Use Limitation
4.4.3.5. Security Safeguards
4.4.3.6. Openness
4.4.3.7. Individual Participation
4.4.3.8. Data Controller Accountability
4.5. Data Breaches
4.5.1. Incident
4.5.2. Breach
4.5.3. Data disclosure
4.5.4. Vocabulary for Event Recording and Incident Sharing (VERIS)
4.6. Relevant Laws and Regulations
4.6.1. The Privacy Act (Australia: 1988)
4.6.2. Health Insurance Portability and Accountability Act (US:1996)
4.6.3. Sarbanes-Oxley Act (US:2002)
4.6.4. Regulation for Electronic Communication Service (EU:2013)
4.6.5. Privacy and Electronic Communications Regulations (UK: 2013)
5. Understand Professional Ethics
5.1. Ethical Considerations for a CISSP
5.1.1. (ISC)2 Code of Ethics Canons
5.1.1.1. Protect society, the commonwealth, and the infrastructure
5.1.1.2. Act honorably, honestly, justly, responsibly, and legally
5.1.1.3. Provide diligent and competent service to principals
5.1.1.4. Advance and protect the profession
5.2. Ethical Standards
5.2.1. Global responsibility
5.2.2. National
5.2.3. Organizational
5.2.4. Personal
6. Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines
6.1. Procedures, standards, guidelines, and baselines are components that support the implementation of the security policy.
7. Understand Business Continuity Requirements
7.1. Develop and Document Project Scope and Plan
7.1.1. Project initiation and management
7.1.1.1. Obtain senior management support
7.1.1.2. Define a project scope
7.1.1.3. Estimate project resources needed
7.1.1.4. Define timeline and major project deliverables
7.1.2. Risks
7.1.2.1. Financial
7.1.2.2. Reputational
7.1.2.3. Regulatory
7.2. Conduct Business Impact Analysis
7.2.1. Three primary goals
7.2.1.1. Determine Criticality
7.2.1.2. Estimate Maximum Tolerable Downtime (MTD)
7.2.1.3. Evaluate Internal and External Resource Requirements
7.2.2. The BIA Process
7.2.2.1. Gather Information
7.2.2.1.1. Quantitative
7.2.2.1.2. Qualitative
7.2.2.2. Analyze the Information
7.2.2.2.1. Maximum Allowable Downtime (MAD)
7.2.2.2.2. Maximum Tolerable Downtime (MTD)
7.2.2.2.3. Recovery Time Objective (RTO), where RTO < MTD
7.2.2.2.4. Recovery Point Objective (RPO)
7.2.2.3. Perform a Threat Analysis
7.2.2.4. Document Results and Present Recommendations
8. Contribute to Personnel Security Policies
8.1. Employment Candidate Screening
8.1.1. Job Descriptions
8.1.2. Reference checks
8.1.3. Education, licensing, certification and verification
8.1.4. Background investigations
8.2. Employment Agreements and Policies
8.2.1. Code of Conduct
8.2.2. Conflict of Interest
8.2.3. Gift Handling
8.2.4. Ethics Statements
8.2.5. Non-Disclosure
8.2.6. Non-Compete
8.2.7. Acceptable Use
8.2.8. Job rotation
8.2.9. Separation of Duties
8.2.10. Need to Know
8.2.11. Mandatory Vacations
8.3. Employment Termination Processes
8.3.1. Voluntary
8.3.2. Involuntary
8.4. Third party Controls
8.4.1. Vendor
8.4.2. Consultant
8.4.3. Contractor
8.4.4. Non-disclosure agreement
8.5. Privacy
8.5.1. Reasonable Expectation of Privacy (REP)
9. Understand and Apply Risk Management Concepts
9.1. Risk
9.1.1. The probability (likelihood) that a given threat source will exercise a particular vulnerability and the resulting impact should that occur
9.2. Risk Concepts
9.2.1. Threats
9.2.2. Vulnerability
9.2.3. Likelihood
9.2.4. Impact
9.2.5. Countermeasures
9.2.6. Residual risk
9.3. Security and Audit Frameworks and Methodologies
9.3.1. COSO (Committee of Sponsoring Organizations of the Treadway Commission)
9.3.1.1. Control environment
9.3.1.2. Risk assessment
9.3.1.3. Control activities
9.3.1.4. Information and communication
9.3.1.5. Monitoring
9.3.2. ITIL (IT Infrastructure Library)
9.3.2.1. Service Strategy
9.3.2.2. Service Design
9.3.2.3. Service Transition
9.3.2.4. Service Operation
9.3.2.5. Continual Service Improvement
9.3.3. COBIT (Control Objectives for Information and Related Technology)
9.3.3.1. COBIT 5.0
9.3.3.2. Val IT 2.0
9.3.3.3. Risk IT
9.3.3.4. IT Assurance Framework (ITAF)
9.3.3.5. Business Model for Information Security (BMIS)
9.3.4. ISO 27002:2013
9.3.4.1. Information security policy
9.3.4.2. Organization of information security
9.3.4.3. Human resources security
9.3.4.4. Asset management
9.3.4.5. Access control
9.3.4.6. Cryptography
9.3.4.7. Physical and environmental security
9.3.4.8. Operations security
9.3.4.9. Communications and operations management
9.3.4.10. Systems acquisition, development, and maintenance
9.3.4.11. Supplier relationships
9.3.4.12. Information security incident management
9.3.4.13. Information security aspects of business continuity management
9.3.4.14. Compliance
9.4. Qualitative Risk Assessment
9.4.1. Description
9.4.1.1. Ordinal scales (such as high, medium, and low) must be used to express risk
9.4.2. Phases
9.4.2.1. Approval
9.4.2.2. Form a risk assessment team
9.4.2.3. Analyze data
9.4.2.4. Calculate risk
9.4.2.5. Countermeasure recommendations
9.5. Quantitative Risk Assessment
9.5.1. Description
9.5.1.1. The hallmark of a quantitative assessment is the numeric nature of the analysis
9.5.2. Phases
9.5.2.1. Management approval
9.5.2.2. Construction of a risk assessment team
9.5.2.3. Review of information currently available within the organization
9.5.3. Components
9.5.3.1. Annualized Loss Expectancy (ALE) = SLE × ARO
9.5.3.2. Single Loss Expectancy (SLE) = Asset Value (in $) × Exposure Factor (loss due to successful threat exploit, as a %)
9.5.3.3. Annual Rate of Occurrence (ARO)
9.5.4. Goal
9.5.4.1. No countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids.
9.6. Identify Threats and Vulnerabilities
9.6.1. Vulnerabilities
9.6.1.1. An inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source
9.6.2. Threat sources
9.6.2.1. Environmental
9.6.2.2. Human
9.6.2.3. Nature
9.6.2.4. Technical
9.6.2.5. Physical
9.6.2.6. Operational
9.6.3. Likelihood
9.6.3.1. Likelihood is the chance that something might happen.
9.6.4. Impact
9.6.4.1. Definitions of impact in an organization often include loss of life, monetary loss, loss of market share, system down time, and others.
9.7. Risk Response
9.7.1. Risk Avoidance
9.7.2. Risk Transference
9.7.3. Risk Acceptance
9.7.4. Risk Mitigation
9.8. Risk Assignment
9.8.1. The organization owns the risks that are present during operation of the company
9.9. Risk Frameworks
9.9.1. COSO:2013
9.9.1.1. Internal environment
9.9.1.2. Objective setting
9.9.1.3. Event identification
9.9.1.4. Risk assessment
9.9.1.5. Risk response
9.9.1.6. Control activities
9.9.1.7. Information and communication
9.9.1.8. Monitoring
9.9.2. ISO 27005:2008
9.9.3. AS/NZS ISO 31000:2009
9.9.4. ISO Guide 73:2009
9.9.5. NIST Special Publications 800-37 and 800-39
9.9.6. ISACA (2009) Risk IT Framework
9.10. Countermeasure Selection
9.10.1. Accountability
9.10.2. Auditability
9.10.3. Whether the source is trusted
9.10.4. Cost-effectiveness
9.10.5. Security
9.10.6. Protections for confidentiality, integrity, and availability of assets
9.10.7. Whether it creates additional issues during operation
9.10.8. Whether it leaves residual data from its function
9.11. Implementation
9.11.1. Design Considerations for Security Architects
9.11.1.1. What framework(s) should I use as points of reference?
9.11.1.2. What business issues do I need to take into account?
9.11.1.3. Who are my stakeholders?
9.11.1.4. Why am I only addressing this and not that area of the business?
9.11.1.5. How will I be able to integrate this system design into the overall architecture?
9.11.2. Deployment Considerations for Security Practitioners
9.11.2.1. What tool(s) should I use to set up and deploy these systems?
9.11.2.2. Who are the end users of this system going to be?
9.11.2.3. Why am I only being given “x” amount of time to get this done?
9.11.2.4. How will I be able to integrate this system design into my existing network?
9.11.2.5. Where will I manage this from?
9.11.3. Management Considerations for Security Professionals
9.11.3.1. What are the metrics that I have available to manage these systems?
9.11.3.2. Who do I need to partner with to ensure successful operation of the system?
9.11.3.3. Why are we not addressing this or that concern?
9.11.3.4. How will I be able to communicate the appropriate level of information regarding the system to each of my user audiences?
9.11.3.5. Where will I find the time to be able to do this?
9.12. Controls
9.12.1. Directive
9.12.2. Deterrent
9.12.3. Preventive
9.12.4. Compensating
9.12.5. Detective
9.12.6. Corrective
9.12.7. Recovery
9.13. Access control types
9.13.1. Administrative
9.13.2. Physical
9.13.3. Logical / Technical
9.14. Control Assessment
9.14.1. Effectiveness Assessment Methods
9.14.1.1. Vulnerability Assessment
9.14.1.2. Penetration testing
9.14.1.2.1. Strategies
9.14.1.2.2. Categories
9.14.1.2.3. Methodology
9.14.1.3. Application security testing
9.15. Asset Valuation
9.15.1. Types
9.15.1.1. Tangible
9.15.1.2. Intangible
9.16. Continuous Improvement
9.16.1. Plan
9.16.2. Do
9.16.3. Check
9.16.4. Act
10. Understand and Apply Threat Modeling
10.1. Identification of Threats
10.1.1. Potential Attacks
10.1.1.1. Social Engineering
10.1.1.1.1. An attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems
10.1.1.2. Pretexting Attacks
10.1.1.2.1. The act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information
10.1.1.3. Phishing Attacks
10.1.1.3.1. Use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization
10.1.1.4. Baiting Attacks
10.1.1.4.1. The attacker leaves a malware-infected CD-ROM or USB flash drive in a location where it is sure to be found, gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device
10.1.1.5. Tailgating Attacks
10.1.1.5.1. Attacker walks in behind a person who has legitimate access
10.1.2. Perform Reduction Analysis
10.1.2.1. Establish frameworks of trust on an employee/personnel level
10.1.2.2. Identify sensitive information and exposure to social engineering
10.1.2.3. Establish security protocols, policies and procedures for handling sensitive information
10.1.2.4. Train employees in security protocols relevant to their position
10.1.2.5. Perform unannounced, periodic tests of the security framework
10.1.2.6. Review the above steps regularly
10.1.2.7. Use a waste management service
11. Integrate Security Risk Considerations into Acquisitions Strategy and Practice
11.1. Hardware, Software, and Services
11.2. Regular Third-Party Assessment
11.2.1. On-site assessments
11.2.2. Document exchange and review
11.2.3. Process / Policy review
11.2.4. SLA
11.2.4.1. SLAs define the agreed-upon level of performance, and the compensation or penalty, between the provider and the customer
11.3. Minimum Security Requirements
11.3.1. Understanding fully what a project will deliver is critical to its success
11.4. Service Level Requirements (SLR)
11.4.1. Contains the requirements for a service from the client viewpoint
12. Establish and Manage Security Education, Training, and Awareness
12.1. Appropriate Levels of Awareness, Training, and Education in the Organization
12.1.1. Security awareness
12.1.1.1. Addresses the why of policy
12.1.2. Awareness Activities and Methods
12.1.2.1. Courses
12.1.2.2. Posters
12.1.2.3. Intranet
12.1.2.4. Awareness mentor
12.1.2.5. Reference
12.1.2.6. Business unit walk-throughs
12.1.3. Training topics
12.1.3.1. Corporate security policies
12.1.3.2. Organizational security program
12.1.3.3. Regulatory compliance requirements
12.1.3.4. Social engineering
12.1.3.5. Business continuity / Disaster recovery
12.1.3.6. Security incident response
12.1.3.7. Information labeling and handling
12.1.3.8. Physical security
12.1.3.9. Proper care and handling of security credentials
12.1.3.10. Risk assessment
12.1.4. Job Training and Content Relevancy