Module 1: Security Management: Lesson 1: Confidentiality, Integrity, and Availability

Uploaded by

Antonio Brandão

Module 1: Security Management

Lesson 1: Confidentiality, Integrity, and Availability


The fundamental principles of information security are Confidentiality, Integrity, and Availability, also known as the CIA (or ICA) Triad or the Big 3.
Confidentiality: To ensure data/information is not disclosed to unauthorized persons or processes
o Common Implementation Methods: Data encryption/cryptography, Identification and Authentication (I&A), Access controls and permissions, Hiding or concealing information
Integrity: To ensure data/information is not altered or changed by an unauthorized person or process
o Common Implementation Methods: Cryptographic hashing, Configuration and change management, Access controls and permissions, Trusted communication paths
Availability: To ensure data/information is available for use by authorized persons or processes
o Common Implementation Methods: System architecture and design, Protected system data backups, Dependable facility services, Disaster recovery and business continuity planning

Lesson 2: Important Security Principles


Due Care: A reasonable effort to protect system assets and/or people. “Do Correct”
o Examples: Posting warning signs, Installing door locks / badge readers, Creating a system architecture design, Installing and using anti-virus, Conducting security assessments
Due Diligence: The ongoing effort to ensure an organization’s assets and/or people remain protected. “Do Maintain”
o Examples: Updating governance and compliance artifacts, Installing system updates and patches, Applying security best practices, Installing anti-virus updates, Performing frequent security assessments
Need-to-know: A subject may not access information unless it is necessary to perform their duties
o Examples of enforcing: Access to highly guarded projects, Access to human resources information, Access to other users’ personal or private information, Access to classified information

© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.

Least Privilege: Provides subjects with only the privilege levels necessary to perform their tasks
o Examples of enforcing: Separating administrators, privileged users, and other users; Assigning appropriate privileges to directories, applications, etc.
Authorization (Privilege) Creep: User privileges grow to exceed what is needed to perform their job
o Examples of prevention: Remove or revoke privileges when they are no longer needed, Remove privileges upon personnel changes, Review all system privileges at least annually
Separation of Duties: Restricts a single subject from having sole responsibility or excessive control
o Examples of application: Banking transactions, Military weapons, Users’ Personally Identifiable Information (PII), Implementing system changes
Job Rotation: Prevents a single person from having excessive control over their responsibilities within the organization
o Examples of roles: Security managers, Bank managers, System administrators, Government officials, Human resources personnel
Mandatory Vacation: Aimed at detecting or uncovering fraudulent activities
o Examples of roles: Department managers, System administrators, Account managers, Government officials

Lesson 3: Aligning Security To Your Organization


Security must align with organizational goals and must not impede an organization’s business processes
Use strategic, tactical, and operational plans that align with organizational goals
o Strategic Plan: High-level, long-range security goals and objectives (Valid for 3-5 years)
o Tactical Plan: Detailed, mid-range security goals and objectives (Valid for about 1 year)
o Operational Plan: Very detailed, short-range security goals and objectives (Valid for 1-3 months)
Use the top-down approach to get proper support
Plan and implement proper governance that aligns with the security plan


Lesson 4: Key Roles and Responsibilities


Executive Roles and Responsibilities

Information Security Roles and Responsibilities


Information System Roles and Responsibilities

Lesson 5: Managing Personnel Security


Personnel are one of the biggest security risks
Security professionals should contribute to personnel security, especially for the hiring and terminating of personnel
o Support human resources or hiring managers
o Contribute to creating job descriptions
o Participate in candidate screening
o Help with the termination of employees
Job descriptions must meet all security objectives, policies, and regulations
Ensure an NDA, NCC, or any other required agreements are a condition of employment
Have a clear, well-defined termination policy in place


Lesson 6: Acquisition And Supply Chain Management


Acquiring or creating assets can introduce security risk
Acquisition Strategy: A plan to reduce security risks and related incidents when acquiring assets
Evaluate any acquisition to ensure it will meet security objectives
Use only trusted vendors and suppliers
Service Level Agreement (SLA): A legal contract that defines the expected level of service
Supply Chain Management: Tracking everything involved in the manufacture and sale of a physical or digital product or service

Lesson 7: Risk Management Concepts


The purpose of security is to reduce the possibility of a risk becoming a reality
Risk: The possibility of unwanted damage occurring
Risk Management: Identifying, assessing, and reducing risk to an acceptable level
Threat: The potential for unwanted damage to happen
Threat Actor: Individual or object that can carry out a threat
Vulnerability: A flaw that can be exploited to cause damage
Threats * Vulnerabilities = Risk
Due Care: Reasonable effort to protect (do correct). Due Diligence: Ongoing effort to remain protected (do maintain)
Risk Policy: Contains the overall risk management objectives or policies
Risk assessment can be qualitative (categories), quantitative (numbers), or hybrid (both)


Lesson 8: Risk Assessment And Analysis


Risk Assessment: Research and analysis of threats and vulnerabilities to identify, estimate, and prioritize risks
Assessment Purpose: Identify assets, determine their value, assess threats and vulnerabilities, and analyze the probability and impact of a risk
Quantitative: Use of numeric values to assess risk
o Asset Value (AV): How much an asset is worth, or what it costs to repair/replace
o Exposure Factor (EF): Percentage of the asset’s value lost in a single incident
o Single Loss Expectancy (SLE): Cost of a single loss of an asset
o Annualized Rate of Occurrence (ARO): Estimated number of times a threat occurs per year
o Annualized Loss Expectancy (ALE): Cost of overall loss per year
o Annual Cost of Safeguard (ACS): Yearly cost of a countermeasure for the asset
o AV * EF = SLE
o ARO = Number of occurrences per year
o SLE * ARO = ALE
o ACS = Amount spent on safeguard per year
o (ALE1 – ALE2) – ACS = ACS Value (the value of the safeguard), where ALE1 is the ALE before the safeguard and ALE2 the ALE after it
Qualitative: Use of nonnumeric data to assess risk
o Use categories or other ranking systems (colors, high/medium/low, etc.)
Hybrid: Both quantitative and qualitative
Delphi Method: Consensus-based method that relies on anonymous data from experts
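The quantitative formulas above (AV * EF = SLE, SLE * ARO = ALE, and (ALE1 – ALE2) – ACS as the safeguard's value) carried through in code, as an added example that is not part of the course material; the asset, safeguard names and dollar figures are constructed for illustration, and EF is taken as a fraction rather than a percent:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    av: float   # Asset Value (AV): cost to repair or replace
    ef: float   # Exposure Factor (EF): fraction of AV lost per incident, 0.0-1.0
    aro: float  # Annualized Rate of Occurrence (ARO): expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: AV * EF."""
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1, not a percent")
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float      # Annual Cost of Safeguard (ACS)
    new_ef: float   # EF expected once the safeguard is in place
    new_aro: float  # ARO expected once the safeguard is in place


def safeguard_value(asset: Asset, sg: Safeguard) -> float:
    """(ALE1 - ALE2) - ACS: positive means the safeguard saves more than it costs."""
    after = Asset(asset.name, asset.av, sg.new_ef, sg.new_aro)  # ALE2 inputs
    return (asset.ale() - after.ale()) - sg.acs


def recommend(asset: Asset, safeguards: list[Safeguard]) -> list[tuple[float, str]]:
    """Cost-justified safeguards (value > 0), best first; empty means none pays off."""
    scored = [(safeguard_value(asset, sg), sg.name) for sg in safeguards]
    return sorted(((v, n) for v, n in scored if v > 0), reverse=True)


# Constructed sample figures (hypothetical, not from the course material).
WEB_SERVER = Asset("public web server", av=100_000.0, ef=0.25, aro=2.0)
WAF = Safeguard("web application firewall", acs=15_000.0, new_ef=0.25, new_aro=0.5)
REBUILD = Safeguard("full platform rebuild", acs=60_000.0, new_ef=0.125, new_aro=0.25)

if __name__ == "__main__":
    print(f"SLE={WEB_SERVER.sle():,.0f}  ALE={WEB_SERVER.ale():,.0f}")
    for value, name in recommend(WEB_SERVER, [WAF, REBUILD]):
        print(f"{name}: saves {value:,.0f} per year after its own cost")
```

With these figures the firewall is worth 22,500 per year net, while the rebuild costs more than the loss it prevents, so the cost/benefit analysis of Lesson 9 would point to the firewall rather than the rebuild.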


Lesson 9: Managing Security Risks


Managing Risk: Deciding what to do with a risk
Accept: Do nothing and accept the consequences
Avoid: Don't introduce new/more risk
Mitigate: Reduce the risk to an acceptable level
Transfer or Assign: Have the risk managed by someone else
Reject: Refuse to address or acknowledge the risk
Make the risk decision using all available data (cost/benefit analysis, etc.)
Cost/Benefit Analysis: Comparing the costs and benefits of a risk decision over a certain period of time
Monitor the risk by tracking your risk decision and comparing the results over time
Make changes based on monitoring results
Document and report any/all risk changes

Lesson 10: Security Training and Awareness


Training must be driven by senior management
Training method is not as important as the content
Awareness: Provides general security information on current security risks
Training: Provides the knowledge on how to respond or handle security threats
Education: A continuous process to provide understanding of security risks
Focus training on specific roles
Make sure employees acknowledge training attendance
Keep records private and retain per legal and/or organizational policy
