Cissp- Security and Risk Management

ASM EDUCATIONAL CENTER INC. (ASM)
WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
WWW.ASMED.COM
CISSP- SECURITY & RISK MANAGEMENT

OVERVIEW OF DOMAIN:
 Addresses the framework and policies, concepts, principles, structures, and standards required for the
effective protection and management of information assets.
 It touches the issues of governance, organization behavior and security awareness, in general.
 Enterprise-wide business continuity/disaster recovery plans (BC/DRP) are also discussed
comprehensively.
 It also emphasizes the power of administrative, technical and physical controls required for the effective
protection of the confidentiality, integrity, and the availability of information assets.

SECURITY & RISK MANAGEMENT
C.I.A
The Triad
 Confidentiality
 Integrity
 Availability
C
I A

 Confidentiality:
 Ensures that Data and System resources are private and remain secure against unauthorized
 Confidentiality can be enforced by the use of passwords, activating firewalls, and the use of
to secure data.
 Confidentiality supports the principle of least privilege and need-to-know.
 A security architect must use and important measure such as data classification to ensure
confidentiality.
 Encryption may also be used to restrict the usability of information in the event it is accessed
unauthorized user.

Integrity:
 Integrity is about the trustworthiness and correctness of data.
 Ensuring the prevention of modification of data by unauthorized users.
 Prevention of the unauthorized or unintentional modification of data by authorized users.
 Applies to both data at rest and in transit.
 Controls such as “segregation of duties” may be employed to enforce integrity.

Availability:
 Information resources must be available and accessible by authorized users at all times.
 Availability may be affected by Denial-of-service attacks.
 Loss of service in times of disasters of all kinds may also affect availability.
 Controls such as up-to-date and active malicious code detection mechanisms and a robust
business continuity plan may help loss of service.

Security Governance:
 Organizational or corporate governance has existed since time immemorial to ensure the efficient
control structures.
 Since information security has become an integral part of every organization, it is absolutely necessary
governance structure to be in place.
 Information security must also be properly aligned with the mission of the organization.
 Information security governance provides a platform for upper management and the board of directors
exercise their oversight on enterprise risk management to required acceptable level.

 The intent of governance is to provide some guarantee that certain appropriate mechanisms are in
place to reduce risks (please note that risk cannot be completely eliminated).
 Executive management must be fully committed to provide the investments required for any
information security activities.

 The IT Governance Institute (ITGI) defines IT governance as being “the responsibility of the board of
directors and executive management”.
 The ITGI also proposes that information security governance must be considered part of IT governance and
that the BOD should:
 Be informed about security
 Set direction to drive policy and strategy
 Provide resources to security efforts
 Assign management responsibilities
 Set priorities
 Support changes required
 Define cultural values related to risk assessment
 Obtain assurance from internal and external auditors
 Insists that security investments are made measurable and reported on for program effectiveness.

 In addition, the ITGI suggests that the management should:
 Write security policies with business input
 Ensure that roles and responsibilities are clearly defined and understood
 Identify threats and vulnerabilities
 Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
 Ensure that policy is approved by the governing body
 Establish priorities and implement security projects in a timely manner
 Monitor breaches
 Conduct periodic reviews and tests
 Reinforce awareness education as critical
 Build security into the systems development life cycle.

Security Governance:
 Goals, Mission, and Objectives of the Organization
 Information security must support and enable the vision, mission and the business objective of the organization.
 Must ensure the interrelationships among risk assessment, policy implementation, response controls, promoting
awareness, monitoring effectiveness, etc., etc.

 Organizational Processes
 Acquisitions and mergers
 Divestitures and spinoffs
 Governance committees
 Security Roles and Responsibilities
 Today’s organizational structure
 Role of the Information Security Officer
 Communicate risks to executive management

 Information Security Strategies
 Strategic planning – Long term (3 to 5 years) and must be aligned with business objectives.
 Tactical planning – Short term ( 6 to 18 months) used to achieve specific goals. May consist of multiple projects.
 Operational and project planning – Specific plans with milestones, dates, and accountabilities provide communication
and direction for project completion.

The Complete & Effective Security Program
 Oversight Committee Representation
 Security council vision statement
 Mission statement
 Security program oversight
 End users
 Executive management
 Information Systems Security Professionals

 Control Frameworks
 Many organizations adopt control frameworks to ensure security and privacy.
 Frameworks provide: Consistency, Metrics, Standards, etc. (31).
 NIST SP 800-53 revision 4 is such a framework made up of 285 controls under 19 families.

 Due Care
 Exercising a “prudent man’s judgment” to protect an organization’s assets.
 Failure to exercise due care leads to legal liabilities (negligence) that may be civil, criminal, or
 Due Diligence
 Investigative steps taken by management, all in an effort to protect the assets of the organization.
 Due diligence complements the execution of due care.

Compliance – HIPAA, GLBA, PCI-DSS, etc.
 Governance, Risk Management, and Compliance (GRC)
 Legislative and Regulatory Compliance
 Privacy Requirements Compliance

 The Many Facets of Cyber laws
 Computer crimes are relatively new in our society
 Many laws and regulations, albeit inadequate, try to handle the many challenges faced in this arena of crime
 Judicial systems are experiencing growing pains at the complexities of these crimes and inadequate resources
to handle them, human and otherwise.
 The Crux of Computer Crime Laws
 Cyber laws around the world deals with incidents such as unauthorized modification or destruction of data,
disclosure of sensitive information, unauthorized access, and the distribution of malware, among many other.
 Laws have been created to deal with certain categories of computer crimes

Computer Crimes
To be able to deal effectively with computer crimes we need to understand the general categories of computer
crimes:
 Computer as a target
 Involves sabotage of computers and networks
 Involves stealing of information such as intellectual property or marketing information that are stored on computers
 Examples of crimes in this category may include DoS attacks, sniffers, and password attacks.
 Computer as the instrument
 Where computers are used as a means to perpetrate crimes or create chaos for an organization
 Includes theft of money from online bank accounts and fraudulent use of credit card information as well as telecommunications
fraud.

Computer Crimes
 Computer as incidental to other crimes
 Involves crimes where computers are not really necessary for such crimes to be committed.
these crimes and make them difficult to detect.
 Examples of crimes in this category may include money laundering and unlawful activities on
 Crimes associated with the prevalence of computers
 Includes crimes resulting from the popularity of computers
 Crime of this category are usually traditional in nature, but the targets are ever evolving
 Examples include copyright violations of computer programs, software and movie piracy, and black
peripherals.

Computer Crimes
Please bear in mind that although computer crimes can be categorized, a single criminal
in multiple crime categories. Therefore, there can be an overlap between such

Motivation for Computer Crimes
 Grudge (against a company or an individual
 Political reasons (terrorist activities, info warfare)
 Financial reasons
 Business (competitive intelligence)
 Fun (script kiddies)
M -motive
O - opportunity
M - means

Global Legal and Regulatory Issues
 Computer/Cyber Crime
 CryptoLocker Ransomware – Spreads via email and propagates rapidly. Encrypts various file types and then a pop-up
window appears to inform user about the actions performed on computer and, therefore demand a monetary
payment for files to be decrypted.
 Child Pornography Scareware – A user might visit an infected site and the scareware would lock up the computer and
threaten that laws have been violated. Then an extortion sets into motion.
 Fake or Rogue Anti-Virus Software – Victims are scared into purchasing anti-virus software that would allegedly
remove viruses from their computers via a pop-up window. By clicking on the pop message, the computer is then
infected with all kinds of malware.

Licensing and Intellectual Property
 Unlike criminal laws, intellectual property laws do not look at what is right or wrong. Instead, intellectual
property laws help to define how individuals or organizations can protect the resources that are rightfully theirs.
 Intellectual property laws also helps to define the course of action that an individual or an organization should
take in case this law is violated.
 But to be able to prosecute the offender, the individual or the organization should be able to prove that he/she/it
did everything possible to protect the resources.

Intellectual Property Laws
 Copyright
 Protects “original works of authorship”
 Protects expression of an idea rather than the idea itself
 Author controls how work is distributed, reproduced or modified
 Source code and object code are all copyrightable
 Copyright lasts for the length of author’s life plus additional 70 years after the person dies.
 Patent
 A patent is a legal document issued to an inventor granting the inventor exclusive rights to the inventor for an
 The patent provides the inventor the right to exclude any other person from practicing an invention for a specified
 Invention must be novel (possess newness) and non-obvious.
 In the USA, patents are issued by the US Patent and Trade Office.

Intellectual Property Laws
 Trade Secret
 Maintains confidentiality of proprietary business-related data
 Owner must adequately protect such data
 Owner has invested substantial resources to produce such data
 Data must provide competitive value, be proprietary to a company, and important for its
 Trademark
 Protects word, name, symbol, sound, shape, color or combinations thereof which identifies a
distinguishes it from others
 Protects the “look and feel” of a company

 Import/Export
 Governmental laws that restrict import and export regimes
 Terrorism is suspected in most cases
 National security concerns, etc., etc.
 Trans-Border data Flow
 Similar concerns as above
 Privacy
 Very thorny issue here and abroad
 Data breaches – many recent examples
 Relevant Laws and Regulations
 HIPAA, GLBA, FERPA (Family Educational Rights Privacy Act), etc.

Understand Professional Ethics
 Regulatory Requirements for Ethics Programs
 Topics in Computer Ethics
 Common Computer Ethics Fallacies
 Hacking and Hacktivism
 Ethics Codes of Conduct and Resources
 (ISC)2 Code of Professional Ethics
 Support Organization’s Code of Ethics

Develop & Implement Security Policy
 Policy – High level management directives
 Security policy – Defines how security is to be managed
 Standards – Describes the specific requirements
 Procedures – Step-by-step approach to accomplish a task
 Guidelines – Recommendations (usually discretionary)
 Baselines – Uniform ways of implementing a safeguard
 Implementations – Must be well communicated

Policies, Standards, Procedures, Guidelines, & Baselines:
Document Example Mandatory or Discretionary
Policy Protect the CIA of PII by hardening the OS Mandatory
Standard Use rugged Toshiba laptop hardware Mandatory
Procedure Step 1: Install pre-hardened OS image Mandatory
Guidelines Patch installation may be automated via
the use of an installer script
Discretionary
Baselines Use the Windows Hardening benchmark Discretionary

Business Continuity (BC) & Disaster Recovery (DR)
Requirements
 Project Initiation and Management
 Develop and Document Project Scope and Plan
 Conduct the Business Impact Analysis (BIA)
 Identify and Prioritize
 Assess exposure to Outages
 Recovery Point Objectives (RPO)

BC - Proper Planning
 An organization is more vulnerable after a disaster hits
 Organization still has responsibilities even after a disaster (protection of confidential and
 Recovery is more than just having an offsite location
 People must be trained to know what to do
 Various recovery procedures need to be developed and documented
 Understand organization’s vulnerabilities, true threats, and business impact of different types of disasters
 Being proactive
 Implementing redundant power supplies
 Backing up communication mechanisms
 Identifying single points of failures
 Recognizing necessary fault tolerant solutions
 ETC., etc…….

Business Continuity Planning (BCP)
 How an organization can stay in business even in a crippled state
 Plan contains steps for continuing critical business functions using alternative mechanisms until
be resumed at the primary site or elsewhere.
 Reduce overall impact of business interruption
Disaster Recovery Planning (DRP)
 How to survive a disaster and how to handle the recovery process
 Emergency response responsibilities and procedures
 Plan lists and describes the efforts to resume normal operations at the primary site of business.
 BCP and DRP may sound like the same thing, BUT they are not the same.

Business Continuity Planning (BCP)
 Business Continuity (BC): represents the final response of the organization when faced
critical operations
 More than 50% of all organizations that close their doors for more than a week never
planning.
 BC is designed to get the organization’s most critical services up and running as quickly as
 DR rather focuses on resuming operations at the primary site; BCP concentrates on
an alternate site.

Where Do We Start From:
Project Initiation
 Management Support sought
 Make a business case
 Cost vs. benefit
 Regulatory requirement
 Current inherent vulnerabilities of organization
 Ramifications of similar organizations not having such plans
 Business issues of partners, insurance, and obtaining capital

Where Do We Start
Senior Executive Management’s Role
 Due diligence and Due care
 Drive all phases of the plan
 Consistent support and final approval
 Ensure that testing takes place
 Create a budget for this work

 Why Is BCP/DRP a Hard Sell to Mgmt.
 Resource intensive and takes years to complete
 Direct return on investment (ROI) not perceived
 Rather a drain on organization’s bottom line
 Importance of Plan
 Organization could vanish if not prepared
 Capability of staying “up and running”, avoiding any significant down time
 Lack of plan could affect insurance, liability, and business opportunities
 Part of business decisions today (Partners need to know, Shareholders/Board of trustees demand it, A Regulatory MUST)
 9/11 Has Fueled Change of Attitudes About BCP

Who Does It?
BCP/DRP Teams
 Group that will perform risk assessment and analysis
 Representatives from different organization’s departments
 Analysis must be performed before developing plan
 A BCP coordinator must be appointed to oversee and execute:
 A Business Impact Analysis
 Plan development and implementation
 Testing and plan maintenance

BC Team Organization
 Emphasis should be on generalized business and technology skills
 BC team should have representatives from:
 Senior management
 Corporate functional units, including HR, Legal, and Accounting
 IT managers and a few technical specialists with broad technical skill sets
 InfoSec managers and a few technical specialists
 BC team members cannot also be on the DR team

 BC team may be divided into sub-teams:
 BC management team
 Operations team
 Computer setup (hardware) team
 Systems recovery (OS) team
 Network recovery team
 Applications recovery team
 Data management team
 Logistics team

 BC Management team:
 Command and control group responsible for all planning and coordination
 Facilitates the transfer to the alternate site
 Handles communications, business interface, and vendor contact functions
 Operations team:
 Works to establish core business functions needed to sustain critical business operations
 Computer setup (hardware) team:
 Sets up hardware in the alternate location

 Systems recovery (OS) team:
 Installs operating systems on hardware, sets up user accounts and remote
team
 Network recovery team:
 Establishes short- and long-term networks, including hardware, wiring, and
connectivity
 Applications recovery team:
 Responsible to get internal and external services up and running

 Data management team:
 Responsible for data restoration and recovery
 Logistics team:
 Provides any needed supplies, materials, food, services, or
alternate site

BC Planning process
 Develop the BC planning policy statement
 Review the BIA
 Identify preventive controls
 Develop relocation strategies
 Develop the continuity plan
 Testing, training, and exercises
 Plan maintenance

BC Planning process
 Purpose:
 Executive vision
 Primary purpose of the BC program
 Scope:
 Organizational groups and units to which the policy applies
 Roles and responsibilities:
 Identifies key players and their responsibilities
 Resource requirements:
 Allocates specific resources to be dedicated to the development of the BC

BC Planning process
 Training requirements:
 Training for various employee groups
 Exercise and testing schedule:
 Stipulation for the frequency and type of testing for the BC plan
 Plan maintenance schedule:
 Frequency of review and who is involved
 Special considerations:
 Overview of information storage and retrieval plans and who is responsible

Review the BIA
 BIA contains the prioritized list of critical business functions
 Should be reviewed for compatibility with the BC plan
 BIA is usually acceptable as it was prepared and released by the
Contingency Planning Management Team Contingency Planning Management Team

Identify Preventive Controls
 Preventive controls should already have been identified and implemented as part of the
security activities
 BC team should review and verify that data storage and recovery techniques are
maintained

Forming the Disaster Recovery Team
 Should include members from IT, InfoSec, and other departments
 DR team is responsible for planning for DR and for leading the DR process when a disaster
 Must consider the organization of the DR team and the needs for documentation and

 DR team
 Should include representatives from every major organizational unit
 Should be separate from other contingency-related teams
 May include senior management, corporate support units, facilities, fire and safety,
 May be advisable to divide the team up into sub teams.

 Sub-teams may include:
 Disaster management team: command and control, responsible for planning and
 Communications: public relations and legal representatives to interface with senior
general public
 Computer recovery (hardware): recovers physical computing assets
 Systems (OS) recovery: recovers operating systems
 Network recovery: recovers network wiring and hardware

 Sub-teams (continued):
 Business interface: works with remainder of organization to assist in recovery of non-
 Logistics: provides supplies, space, materials, food, services, or facilities needed at the
 Other teams needed to reestablish key business functions as needed

Disaster Recovery Team
 Guidelines are found in NIST Contingency Planning Guide for Information Technology
 Planning process steps:
 Develop the DR planning policy statement
 Review the business impact analysis (BIA)
 Identify preventive controls
 Develop recovery strategies
 Develop the DR plan document
 Test, train, and rehearse
 Plan maintenance

 Purpose:
 Provide for the direction and guidance of any and all DR operations
 Must include executive vision and commitment
 Business disaster recovery policy should apply to the entire organization
 Scope:
 Identifies the organizational units and groups of employees to which the policy
 Roles and responsibilities:
 Identifies the key players and their responsibilities

 Resource requirements:
 Identifies any specific resources to be dedicated to the development of the DR
 Training requirements:
 Details training related to the DR plan
 Exercise and testing schedules:
 Specifies the frequency of testing of the DR plan
 Plan maintenance schedules:
 Details the schedule for review and update of the plan

 Special considerations:
 May include issues such as information storage and retrieval plans, off-
backup schemes, or other issues
 Review the BIA within the DR context
 Ensure that the BIA is compatible with the DR specific plans and operations
 BIA is usually acceptable as it was prepared and released by the
 Contingency Planning Management Team Contingency Planning Management Team

Business Impact Analysis (BIA)
 Identify organization’s critical business functions
 Identify functions resource requirements
 Calculate how long these functions can operate without such resources
 Identify vulnerabilities and threats to the functions
 Calculate risk for each different business function
 Develop backup solutions based on tolerable outage times
 Develop recovery solutions for the organization’s individual departments and for the

Identifying the Most Critical Functions
If Function “X” Is Not Up and Running………..
 How much will this affect the revenue stream?
 How much will this affect the production environment?
 How much will it increase operational expenses?
 How much it affect the organization’s reputation and public confidence?
 How much will the organization possibly lose its competitive edge?
 How much will it result in violations of contract agreements or regulations?
 What delayed costs could be endured?
 What hidden costs are not accounted for?

Identifying Interdependencies
It is difficult but very important
 When the activities of functions A and B are mutually reliant on each other to successfully
activities.
 When activities of function B cannot be performed without the input from the activities of
receive input from A results in incomplete or inadequate implementation of B activities.
 Identifying interdependencies is difficult because an organization truly needs to
work together
 Many times there are subtle interdependencies that are easily missed in the equation

Identifying Functions’ Resources
Critical Items for Certain Functions to Run…..
 Specific types of technologies
 Necessary software
 Communication mechanisms
 Electrical power
 Safe environment for workers
 Access to specific outside entities
 Networked production environment
 Physical production environment
 Specific supplies
 Interdepartmental communications
 Etc., etc.

Identifying Vulnerabilities and Threats
Threats Types
 Man-made
 Strikes, riots, fires, terrorism, hackers, vandals, burglars
 Natural
 Fires, tornado, floods, hurricanes, earthquakes
 Technical
 Power outage, device failure, loss of communication lines

Categories
Disaster Types
 Non-disaster
 Disruption of service
 Device failure
 Software malfunction
 Disaster
 Entire facility unusable for a day or more
 Catastrophe
 Facility totally destroyed

Survival Without Resources?
Maximum Tolerable Downtime (MTD) NIST Guidelines
 Non-essential = 30 days
 Normal = 7 days
 Important = 72 hours
 Urgent = 24 hours
 Critical = Minutes to hours
Each Function/Resource Must Have an MTD Calculated
 It outlines the criticality of individual function and resources
 It also helps indicate which function or resources need backup options developed
 Hot swappable devices
 Software and data backups
 Facility space

Alternate Sites
Organization-owned & Subscription Services (Exclusive Use Strategies):
 Hot site - fully configured computer facility with all services, communication links, and
 Warm site - similar to hot site, but software and/or client workstations may not be
 Cold site - provides only rudimentary services and facilities, no computer hardware
 Mobile site – configured like hot site except that this is on wheels.
The major deciding factor for exclusive use strategies is cost.

Alternate Sites
Other Options:
 Reciprocal agreements
 Prefabricated facility
 Time-share

Results from the BIA
Result contains:
 Identified critical functions and required resources
 MTD for each function and resource
 Identified threats and vulnerabilities
 Impact the company will endure with each threat
 Calculation of risk
 Protection and recovery solutions
Document and present to management for approval
The results from the BIA are used to create a BCP/DRP.

BCP/DRP Plan design and development – Some Items to include
 Emergency response
 Personnel responsibility/notification
 Backups and off-site storage
 Communications
 Utilities
 Logistics and supplies
 Documentation
 Business resumption planning

Implementation
 Training
 Testing/Drills and assessment
 Recovery procedures
 Maintenance

Training
 Systematic approach to training is required to support the BCP/DRP plans
 A sufficient number of qualified staff members must be cross-trained to ensure coverage
 Trained staff must also have the required credentials to be able to execute the actions required by the

Testing and Drills
Testing Characteristics
 Testing helps to indicate if an organization can actually recover
 Testing should be an annual affair or after significant changes have occurred in the environment
 Identifies items that need to be improved upon (expect mistakes)
Action
 Decide on the type of drill (Classroom/tabletop or Functional)
 Create a disaster scenario
 Create goals to be accomplished during drill
 Run drill
 Report results to management

Types of Tests
 Checklist Test
 Copies of BCP/DRP distributed to functional managers
 They review parts that address their department
 Structured Walk-Through
 A meeting is held where functional managers go (walk) through the entire plan
 Simulation Test
 Carry out or practice a disaster scenario
 Could involve the actual offsite facility
 Parallel Test
 Test conducted including parallel processing from offsite facility
 Full-Interruption Test
 Original site shut down
 All processing takes place at offsite facility

Recovery Procedures
 Procedures on what to do, when to do, and in which sequence
 Procedures should cover several different types of events
 Copies of recovery plans should be kept offsite or another safe location
 Employees must be taught and drilled
 The least critical department/function/resources should be moved first to restored primary

 BCP/DRP Plan Maintenance
 Ongoing maintenance of the BC/DR plan is a major commitment for an organization
 Maintenance includes:
 Effective after-action review meetings
 Plan review and maintenance
 Ongoing training of staff involved in incident response
 Rehearsal process to maintain readiness of the BC/DR plan

The After-Action Review
 After-action review (AAR): a detailed examination of events that occurred from incident detection to recovery
 Identify areas of the BC/DR plans that worked, didn’t work, or need improvement
 AAR’s are conducted with all participants in attendance
 AAR is recorded for use as a training case
 AAR brings the BCP/DRP teams’ actions to a close

The After-Action Review (AAR)
 AAR serves several purposes:
 Documents the lessons learned and generates BC/DR plan improvements
 Is a historical record of events, for possible legal proceedings
 Becomes a case training tool
 Provides closure to the incident

Manage Personnel Security
 Employment Candidate Screening
 Employment Agreements and Policies
 Employee Termination Processes
 Vendor, Consultant, and Contractor Controls
 Privacy

Risk Management Concepts
 Organizational Risk Management Concepts
 Risk Assessment Methodologies
 Identify Threats and Vulnerabilities
 Risk Assessment/Analysis
 Countermeasure Selection
 Implementation of Risk Countermeasures
 Types of Controls
 Access Control Types
 Controls Assessment/Monitoring and Measuring

 Risk Analysis
 Quantitative Analysis (ALE=SLE x ARO)
 ALE = Annualized Loss Expectancy (A dollar amount that estimates the loss potential from a risk in a span of year)
 SLE = Single Loss Expectancy (A dollar amount that is assigned to a single event that represents the company’s potential loss)
 ARO = Annualized Rate of Occurrence (Frequency of a threat expected to occur in a period of one year)
 Qualitative Analysis (Delphi Method)
 Quantitative vs. Qualitative (Pros & Cons)
 Protection Mechanisms/Countermeasures Selection
 Total Risk vs. Residual Risk
 Risk Control Strategies

Risk Control Strategies
 Avoidance
 Apply safeguards that eliminate or reduce the remaining uncontrolled risks for a particular vulnerability.
 Transfer
 Transfer risks to outside entities or other areas of the organization.
 Acceptance
 Understand the consequences and accept risk.
 Mitigation
 Putting in place some controls to reduce impact should vulnerabilities be exploited

Risk Management Concepts Cont’d
 Controls Assessment/Monitoring and Measuring
 Tangible and Intangible Asset Valuation
 Continuous Improvement
 Risk Management Frameworks
 A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The
framework referenced by the CISSP exam is that defined by NIST in Special Publication 800-37.
 This publication provides guidelines for applying the Risk Management Framework (RMF) to federal
six-step RMF includes security categorization, security control selection, security control
assessment, information system authorization, and security control monitoring.

Threat Modeling
 Threat modeling is the security process where potential threats are identified,
 Threat modeling can be performed as a proactive measure during design and
measure once a product has been deployed
 Whether a proactive or reactive measure, the process identifies the potential harm, the
occurrence, the priority of concern, and the means to eradicate or reduce the threat.
 Determining Potential Attacks and Reduction Analysis
 Technologies & Processes to Remediate Threats

Acquisitions Strategy and Practice
 Hardware, Software & Services
 Organizations must implement supply chain risk management programs to proactively address certain exposures
 Manage Third-Party Governance (i.e. Cloud Computing, etc).
 When evaluating a third party for your security integration, consider the following processes: On-site assessment;
Process/Policy reviews
 Minimum Security & Service-Level Requirements
 For all acquisitions, establish minimum security requirements. These should be modeled from your existing security
 When purchases are made without security considerations, the risks inherent in those products remain throughout

Security Education, Training, & Awareness
 Policies define what an organization needs to accomplish with regards to information security.
 Formal security awareness training is usually included in organization’s information security
 Security awareness training is a method by which organizations inform employees and all
roles, expectations involving their roles, in the observance of information security
 Additionally, training provides guidance in the performance of certain risk management
 Educated (security-aware) users help an organization to fulfill its security program objectives
facilitate certain regulatory compliance (such as HIPAA, SOX, GLBA, etc.), if so required.

Training Topics
 Corporate security policies
 The organization’s security program
 Regulatory compliance requirements for the organization
 Social engineering
 Malware
 Business continuity
 Disaster recovery
 Security incidence response
 Data classification
 Personnel security
 Appropriate use of computing resources
 Ethics
 Physical security, etc., etc.

Awareness Activities & Methods – Creating Culture of Awareness
 Formalized courses, delivered in the classroom , using slides, handouts, or books, or via a
(CBT).
 Use of posters that call attention to security awareness, such as emphasizing on password
security, social engineering, among other issues.
 Business unit walk-through to aid employees to identify unacceptable practices, such as
notes in conspicuous places, etc.
 Emphasis on maintaining “clean desk” practices as acceptable
 Use organizations intranet to post security reminders
 Appoint security awareness mentors to aid with FAQs and concerns from employees

Awareness Activities & Methods – Creating Culture of
Awareness – cont’d
 Sponsor an enterprise-wide security awareness day, complete with security activities,
recognition of the winners.
 Sponsor an event with an external partner such as the ISSA, ISACA, ISC2, SANS, etc.
 Provide trinkets for the users within an organizations.
 Consider a special event day, week, or month that coincides with industry or world
the Global Security Awareness Week (annually in September) and the Security
October).
 Provide security management videos, books/pamphlets, etc.

Job Training
 Security training to assist security personnel to enhance and develop their skills sets relative to the
functions.
 Training must be clearly aligned with security risk management activities.
Performance Metrics
 It is important that the organization tracks performance relative to security for the purpose of both
of risk management initiatives.
 Users must acknowledge their security responsibilities by signing off after the training and also provide
 Measurement can include periodic walk-through of business units, periodic quizzes to keep staff up to
mentors, etc.

GOOD LUCK!
ASM EDUCATIONAL CENTER INC. (ASM)
WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
WWW.ASMED.COM

Cissp- Security and Risk Management

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Cissp- Security and Risk Management (20)

More from Hamed Moghaddam (20)

Recently uploaded (20)

Cissp- Security and Risk Management