Table of Contents
1.1 - Understand, adhere to, and promote professional ethics
ISC2 Code of Professional Ethics
Organizational code of ethics
Notes:
Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Distractor:
1.2 Understand and apply security concepts
Confidentiality, integrity, and availability, authenticity and nonrepudiation
Authenticity: Genuine. Verified to be from the claimed origin. Not a deep fake! Hash signed with my private key, verified with my public key
Non-repudiation: the subject of an activity can’t deny that an event occurred or claim it was done by someone else. The threat actor’s identity is known and they can’t cover their tracks.
1.3 - Evaluate and apply security governance principles
Alignment of the security function to business strategy, goals, mission, and objectives
Organizational processes (e.g., acquisitions, divestitures, governance committees)
Organizational roles and responsibilities
Security control frameworks
Due care/due diligence
Governance outcome: everyone knows the company’s risk appetite, and makes decisions aligned to it
Starts with the Board
COBIT
Governance related but in the Security Control Frameworks section
The COBIT toolkit has a spreadsheet with objectives and practice descriptions
E.g. Align, Plan & Organize APO07.01 “Evaluate internal and external staffing requirements…”
Key principles
End-to-End Governance System
Concerned with value delivery from digital transformation and mitigation of associated business risk
Provide Stakeholder Value
3 main outcomes
Benefits realization
Risk optimization
Resource optimization
Holistic Approach
Not limited to the IT department
Governance Distinct from Management
Dynamic Governance System
Tailored to Enterprise Needs

ITIL (Information Technology Infrastructure Library)
Developed by the British government
How IT and Security need to be integrated with and aligned to the objectives of the organization
ITIL - ITIL (itlibrary.org)
Due diligence
Before the decision
“Establishing a plan, policy and process to protect the interests of the organization
Knowing what should be done and planning for it” – CISSP official study guide (Sybex)
Research, plan, evaluate
Researching and acquiring the knowledge to do your job right.
Researching new systems before implementing.
Think before you act
Due care
After the decision
“Practicing the individual activities that maintain the due diligence effort
Taking the right action, at the right time” – CISSP official study guide (Sybex)
Implementation, operation, reasonable measures
Actions speak louder than words
Do what is right in the situation and your job.
Act on the knowledge.
1.4 - Determine compliance and other requirements
Contractual, legal, industry standards, and regulatory requirements
Privacy requirements
1.5 - Understand legal and regulatory issues that pertain to information security in a holistic context
Cybercrimes and data breaches
Licensing and Intellectual Property (IP) requirements
Import/export controls
Transborder data flow
Privacy
Computer Fraud and Abuse Act (CFAA):
First major US cybercrime legislation
Most commonly used law to prosecute computer crimes
Protects computers used by the US government, financial institutions, and computers involved in offenses that cross state borders
Coverage was extended with National Information Infrastructure Protection Act of 1996
Electronic Communications Privacy Act (ECPA)
Makes it a crime to invade the electronic privacy of an individual
Protects wire, oral and electronic communications on email, telephone and data stored electronically
Federal Sentencing Guidelines
Provide punishment guidelines to help federal judges interpret computer crime laws
Federal Information Security Management Act (FISMA)
Requires federal agencies to implement information security programs
Digital Millennium Copyright Act
Protects digital media
Limits liability of ISPs for activities of their users
GDPR
Highlights
Right to access
Right to erasure
Data portability
Data breach notification
Privacy by design
Data Protection Officers
Between two companies transferring data from US to Europe, standard contractual clauses are the best control. Better than:
Binding corporate rules: only works within the same company that has divisions/offices between EU and other countries
Privacy Shield: was a safe harbour agreement that would previously have allowed the transfer but is no longer valid as of 2020
Lanham Act
Gramm-Leach-Bliley (GLB)
Personal Financial Information – Financial Institutions
HIPAA
Security Rule
Privacy Rule
Breach notification rule
NOT
Encryption rule
Disclosure rule
Bureau of Industry and Security
Sets encryption export regulations
Communications Assistance for Law Enforcement Act (CALEA)
Law requiring communication service providers to cooperate with law enforcement requests
The Privacy Act of 1974
is about electronic eavesdropping
COPPA
Consent for data if kids are younger than 13
Glass Steagall Act
Banking reform
Distractor: not part of CISSP
Economic Espionage Act
Focused on stealing trade secrets from US corporations
Includes taking a customer list to another company
Harsher penalties if the individual knows the theft will benefit a foreign government or agent
The Code of Federal Regulations (CFR)
Contains all the text of all administrative laws promulgated by federal agencies
The United States Code contains criminal and civil law
Supreme Court rulings contain interpretation of law and are not laws themselves
Intellectual Property Protection and Licensing
Copyright
70 years after creator’s death
Copyright does not need to be applied for; it is granted automatically
Patents and trademarks need to be applied for.
Digital Millennium Copyright Act for a copyright complaint
NOT:
Lanham Act (trademark)
GLB (Personal Financial Info)
Prudent Man Rule (executives take responsibility)
Trade secrets
Need to be tightly controlled within a single company
E.g. KFC blend of herbs and spices
Trademarks
Needs to be registered
Valid for 10 years and can be renewed indefinitely
Patents
Protects inventions for 20 years
From when applied for
NOT when granted
Patent protection does not apply to mathematical algorithms
Crypto algorithms can be patented
Must be novel, useful, nonobvious
A patent is the optimal choice when multiple companies collaborate
Licensing
Contractual, shrink-wrap, click through
1.6 - Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
Types of law
Criminal
Murder, assault, robbery, arson
Proof “beyond a reasonable doubt”
Civil
Contracts, real estate, employment
“the majority of proof”
Administrative
Enacted by government agencies: e.g. taxes, minimum wage
HIPAA, FDA, FAA
1.7 - Develop, document, and implement security policy, standards, procedures, and guidelines
1.8 - Identify, analyze, and prioritize Business Continuity (BC) requirements
Business Impact Analysis (BIA)
Develop and document the scope and the plan
Notes:
BCP approval is best from the CEO, even though they are not on the team
The BCP team should include at least one member of senior management
Cold sites have communication but no hardware
Warm and hot sites have hardware
RAID is fault tolerance for Business Continuity, not DR
Moving to a cold site is DR
1.9 - Contribute to and enforce personnel security policies and procedures
Candidate screening and hiring
Employment agreements and policies
Onboarding, transfers, and termination processes
Vendor, consultant, and contractor agreements and controls
Compliance policy requirements
Privacy policy requirements
ISO27k Series
ISO27001: ISMS, PDCA
ISO27002: Implementation guidance for security controls
A.5.1.1: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
ISO27004: Metrics for measuring the success of your ISMS
ISO27005: Risk Management
ISO27799: Protecting PHI
1.10 - Understand and apply risk management concepts
Identify threats and vulnerabilities
Risk assessment/analysis
Risk response
Countermeasure selection and implementation
Applicable types of controls (e.g., preventive, detective, corrective)
Control assessments (security and privacy)
Monitoring and measurement
Reporting
Continuous improvement (e.g., Risk maturity modeling)
Risk frameworks
Risk Management Framework
NIST 800-37
Mnemonic for the RMF steps: People Can See I Am Always Monitoring
Quantitative Risk Analysis Steps
Assign AV
Assign EF (loss potential)
Calculate SLE = AV*EF
Assess ARO
Calculate ALE = SLE*ARO
Analyze cost of fence vs horse
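The five steps above, carried through end to end as an added example (not from the study guide or the notes). The asset value, exposure factors, ARO and safeguard cost are constructed figures; the final cost/benefit step uses the standard formula (ALE before) − (ALE after) − (annual cost of safeguard), which is the "fence vs horse" comparison:

```python
"""Quantitative risk analysis: SLE, ALE and countermeasure cost/benefit."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset value lost in one incident (0.0..1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of occurrences per year (may be fractional)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: (ALE before) - (ALE after) - (annual cost of safeguard).

    A positive result means the fence costs less than the horse it protects;
    a negative result means the safeguard is not worth buying on purely financial grounds.
    """
    return round(ale_before - ale_after - annual_cost, 2)


def evaluate_safeguard(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Run the full sequence of steps and return every intermediate figure."""
    sle_before = single_loss_expectancy(asset_value, ef_before)
    ale_before = annualized_loss_expectancy(sle_before, aro_before)
    sle_after = single_loss_expectancy(asset_value, ef_after)
    ale_after = annualized_loss_expectancy(sle_after, aro_after)
    return {
        "SLE_before": sle_before,
        "ALE_before": ale_before,
        "SLE_after": sle_after,
        "ALE_after": ale_after,
        "value": countermeasure_value(ale_before, ale_after, annual_cost),
    }


# Constructed figures (not from the notes): a $200,000 customer database and a
# ransomware incident expected to destroy 25% of its value about once every two years.
if __name__ == "__main__":
    result = evaluate_safeguard(
        asset_value=200_000,
        ef_before=0.25, aro_before=0.5,   # no safeguard in place
        ef_after=0.05, aro_after=0.5,     # offline backups cut the loss per incident to 5%
        annual_cost=12_000,               # annual cost of the backup service
    )
    for name, figure in result.items():
        print(f"{name}: {figure:,.2f}")
```

With these inputs SLE is $50,000, ALE is $25,000 a year, and the backup service brings ALE down to $5,000; since it costs $12,000 a year the safeguard is worth $8,000 a year. Swap in a $30,000 service and the value goes negative, which is the case where the fence costs more than the horse.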
Defense in Depth
Expense in depth?
Includes ALL of these:
Layering
Classifications
Zones
Realms
Compartments
Silos
Segmentations
Lattice Structure
Protection rings
Risk Maturity Model (RMM)
An industry standard approach for assessing the processes used to manage risk
RMM was specifically designed for the purpose of assessing enterprise risk management programs
Not CMM (the more generic Capability Maturity Model)
1.11 - Understand and apply threat modeling concepts and methodologies
“Threat modelling is the security process where potential threats are identified, categorized and analyzed” – CISSP Official Study Guide
STRIDE
To inventory and categorize threats
What Could Go Wrong?
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege
Software focus
DREAD
Attacker objective focused
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Determines a risk value
Risk Value = (Damage + Affected users) x (Reproducibility + Exploitability + Discoverability)
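The DREAD formula above applied to a few threats and used to rank them, as an added example that is not from the notes. It assumes each of the five factors is scored 0 to 10 (so the risk value ranges from 0 to 600); the three sample threats and their scores are constructed for an imaginary web application:

```python
"""DREAD rating: Risk Value = (Damage + Affected users) x (Reproducibility + Exploitability + Discoverability)."""
from dataclasses import dataclass

# Assumption: each factor is scored 0..10 (0 = none, 10 = worst case).
MIN_SCORE, MAX_SCORE = 0, 10
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadThreat:
    name: str
    damage: int           # how bad is the damage if the attack succeeds
    reproducibility: int  # how reliably can the attack be repeated
    exploitability: int   # how little effort/skill the attack takes
    affected_users: int   # how many users are affected
    discoverability: int  # how easily the weakness is found

    def __post_init__(self):
        # Reject scores outside the agreed scale so a typo cannot silently dominate the ranking.
        for field_name in FACTORS:
            score = getattr(self, field_name)
            if not MIN_SCORE <= score <= MAX_SCORE:
                raise ValueError(f"{field_name} must be between {MIN_SCORE} and {MAX_SCORE}, got {score}")

    def risk_value(self) -> int:
        """Impact (D + A) multiplied by likelihood (R + E + Di)."""
        impact = self.damage + self.affected_users
        likelihood = self.reproducibility + self.exploitability + self.discoverability
        return impact * likelihood


def rank_threats(threats):
    """Return (name, risk value) pairs, highest risk first, for prioritizing remediation."""
    return sorted(((t.name, t.risk_value()) for t in threats), key=lambda pair: pair[1], reverse=True)


# Constructed sample threats (hypothetical application, not from the notes).
SAMPLE_THREATS = [
    DreadThreat("SQL injection in search form",
                damage=8, reproducibility=7, exploitability=5, affected_users=6, discoverability=6),
    DreadThreat("Verbose error page leaks stack trace",
                damage=3, reproducibility=9, exploitability=9, affected_users=2, discoverability=9),
    DreadThreat("Flaw in offline admin batch job",
                damage=10, reproducibility=2, exploitability=2, affected_users=10, discoverability=1),
]

if __name__ == "__main__":
    for name, value in rank_threats(SAMPLE_THREATS):
        print(f"{value:4d}  {name}")
```

Note how the multiplication shapes the result: the batch-job flaw has maximum impact (20) but very low likelihood (5), so it ranks below the easily found, highly reproducible error-page leak despite that leak doing little damage.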
PASTA
Asset value focused
Risk centric approach: select or develop controls in relation to the value of the assets to be protected
VAST
Visual
Agile
Simple
Threat
Based on agile principles
Goal of scalable integration of threat management into an Agile programming environment
1.12 - Apply Supply Chain Risk Management (SCRM) concepts
Risks associated with hardware, software, and services
Third-party assessment and monitoring
Minimum security requirements
Service level requirements
If supplier doesn’t meet minimum requirements to protect the service or customers, e.g. inadequate encryption or MFA: void the ATO
NOT: send the CIO a report (it would have been the CISO)
Hacking a web server in IaaS is not a supply chain attack because the web server is in the company’s direct control
1.13 - Establish and maintain a security awareness, education, and training program
Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
Periodic content reviews
Program effectiveness evaluation