Scribd
Upload
560 views

2022 CISSP Mentor Program - Class Three

The document provides an introduction to a CISSP mentor program session. It discusses quick housekeeping reminders, introduces the instructor and their background, and previews the session agenda which includes topics like policies, business continuity, personnel, risk management and security awareness.

Uploaded by

Azim Al Jabber
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
560 views

2022 CISSP Mentor Program - Class Three

The document provides an introduction to a CISSP mentor program session. It discusses quick housekeeping reminders, introduces the instructor and their background, and previews the session agenda which includes topics like policies, business continuity, personnel, risk management and security awareness.

Uploaded by

Azim Al Jabber
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 103

#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION ONE

INTRODUCTION

2022
Class #3 - Introduction
Ryan Cloutier
President of SecurityStudio & vCISO
Infosec Missionary on a Mission

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 1
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

FRSECURE CISSP MENTOR PROGRAM LIVE


STREAM THANK YOU!
Quick housekeeping reminder.
• The online/live chat that’s provided while live streaming on YouTube
is for constructive, respectful, and relevant (about course content)
discussion ONLY.
• At NO TIME is the online chat permitted to be used for disrespectful,
offensive, obscene, indecent, or profane remarks or content.
• Please do not comment about controversial subjects, and please NO
DISCUSSION OF POLITICS OR RELIGION.
• Failure to abide by the rules may result in disabling chat for you.
• DO NOT share or post copywritten materials. (pdf of book)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 1
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION #

INTRODUCTION
Agenda –
• Welcome
• Introduction
• Questions
• Policies
• Business Continuity
• Personnel
• Third-party / Supply Chain controls
• Risk Management
• Security Awareness

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 2
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

HELLO, NICE TO MEET YOU


Ryan Cloutier, CISSP, Tonight’s Instructor @cloutiersec
@StudioSecurity
• President of SecurityStudio
• Virtual Chief Information Security Officer
• Serving the underserved is my passion
• Speaking human about tech is my superpower
• Co-host of the Security Shit Show, and Security Simplified podcast
• Infosec Missionary (helper and protector at heart)
• Published by multiple trade magazines
• Co authored academic papers
• Advisor to many

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 3
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

HELLO, NICE TO MEET YOU


Ryan Cloutier, CISSP, Tonight’s Instructor @cloutiersec
@StudioSecurity
• Passionate about your success
• Soft spot for K-12 (those who help)
• Blacksmith, Lego nut, Analog human living a digital life
• Believer, Husband, Father, Continuous learner
• May be the energizer bunny in human disguise

https://www.linkedin.com/in/ryan-cloutier/

https://www.securitystudio.com/

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 4
CISSP® MENTOR PROGRAM – SESSION THREE

GETTING GOING…
Managing Risk!

Studythrough
We’re Tips: Chapters 1, 2, 3, and part way into Chapter
4!
• Study in small amounts frequently (20-30 min)
•• Check-in.
Flash card and practice test apps help
•• How many
Take napshave read
after Chapter
heavy 1, 2(aka
topics & 3?Security Models)
•• Questions?
Write things down, say them out loud
• Use the Slack Channels
• Exercise or get fresh air in between study sessions

Let’s get going!

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 5
CISSP® MENTOR PROGRAM – SESSION THREE

GETTING GOING…
Great job last week! We’re through the introduction and ½ of the 1st
Domain (Security and Risk Management)
• Shout Out to Ron Woerner for stepping in last week!

• Every week goes so fast, it’s easy to forget what


happened. Same for you all?
• Everyone get some study time in over the break?
• Check-in.
• How many have read Domain 1 & started on Domain 2?
• Questions?
Let’s get going!

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 6
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

QUESTIONS.
The most common questions have been
about:

• About the Slack channel


• Live session links.
• Instructor slide deck.
Because of the way Slack works and normal
communications challenges, the Slack invite you received
may have “expired”. Email the FRSecure CISSP Mentor List
([email protected]) for a new invite.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 7
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

QUESTIONS.
The most common questions have been
about:

• About the Slack channel


• Live session links.
• Instructor slide deck.
All LIVE session links will be sent by email on the same day
as the LIVE session. If you have not received the live session
link it’s usually because the email went to your “Junk” folder
(or similar).

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 8
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

QUESTIONS.
The most common questions have been
about:

• About the Slack channel


• Live session links.
• Instructor slide deck.
The instructor slide decks will be sent as soon as FRSecure
receives them from the instructors. Sometimes the decks
are not available until they teach. Whenever possible, we will
try to send you the slide decks before each class.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 9
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

INTRODUCTION
Before we get too deep into this.
How about a dumb dad joke?

Why do skeletons never take any risks?


They have no guts

Yeah, I know.
That’s dumb.

Let’s get to it…

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 10
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

INTRODUCTION
Cornerstone Information Security Concepts
Definition of “information security” (don’t forget):

Information security is managing risks to the confidentiality,


integrity, and availability of information using administrative,
physical and technical controls.

“Most organizations overemphasize technical controls to protect confidentiality and do so at the


expense of other critical controls and purposes.”

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 11
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Information Security Governance
Security Policy and Related Documents

Organizational Policies should


reflect compliance requirements.

Organizational Policies should


be effective and enforceable

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 12
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Security Policy and Related Documents
• Policy (Mandatory)
• Purpose
• Scope
• Responsibilities
• Compliance
• Policy types
• Program policy
• Issue-specific policy
• System-specific policy

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 13
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Security Policy and Related Documents
• Policy (Mandatory)
• Purpose
• Scope
• Responsibilities
• Compliance
• Policy types
• Program policy
• Issue-specific policy
• System-specific policy
Contrary to popular belief, policies are not meant to be read
(by everyone).
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 14
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Security Policy and Related Documents
• Procedures
• Mandatory
• Step-by-step guidance
• Standards
• Mandatory
• Specific use of a technology
• Guidelines
• Recommendations; discretionary
• Advice/advisory
• Baselines (or benchmarks)
• Usually discretionary
• Uniform methods of implementing a standard
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 15
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Security Policy and Related Documents
• Procedures
• Mandatory
• Step-by-step guidance
• Standards
• Mandatory
• Specific use of a technology
• Guidelines
• Recommendations; discretionary
• Advice/advisory
• Baselines (or benchmarks)
• Usually discretionary
• Uniform methods of implementing a standard
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 16
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Identify, Analyze and Prioritize Business Continuity Requirements

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 17
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION TWO

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Identify, Analyze and Prioritize Business Continuity Requirements

BASELINES
Minimum level

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 18
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Business Impact Analysis
Identify, Analyze and Prioritize Business Continuity Requirements

BCP Overview and Process


Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines
Business Continuity Planning (BCP)
Goal of a BCP is for ensuring that the business will continue to operate before, throughout,
and after a disaster event is experienced
Focus of a BCP is on the business as a whole
Business Continuity Planning provides a long-term strategy
Accounting for items such as people, processes and technology in addition to critical
systems and data

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 19
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Business Impact Analysis
Identify, Analyze and Prioritize Business Continuity Requirements

Unique terms and definitions


Business Continuity Plan (BCP)—a long-term plan to ensure the
continuity of business operations
Continuity of Operations Plan (COOP)—a plan to maintain
operations during a disaster.
Disaster—any disruptive event that interrupts normal system
operations
Disaster Recovery Plan (DRP)—a short-term plan to recover
from a disruptive event (more in chapter 7)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 20
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements

Unique terms and definitions


Critical Business Function (CBF)—Essential functions critical to the
business operations
Business Impact Analysis (BIA)—Analyzing impact of an over time
disruption
Maximum Tolerable Downtime (MTD)—Total length of time a critical
business function can be unavailable
Maximum Acceptable Outage (MAO)—Total length of time a critical
business function can be unavailable
Critical business function is anything the
absence of would cause business to stop
or be severely interrupted

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 21
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements

Unique terms and definitions


Recovery Time Objective (RTO)—Maximum time to restoration of
minimum service expectations, must be less than or equal to MTD
Recovery Point Objective (RPO)—Tolerable amount of data loss in a
time period

*not testable
OMG—The feeling you will have executing the BCP plan
FML—what you shout if you didn’t print out the BCP plan

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 22
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements

Backup Expected Recovery Required Recovery

Data Loss Downtime Significant Harm

Disaster

RPO RTO

MTD

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 23
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Information Security Governance
Identify, Analyze and Prioritize Business Continuity Requirements
Conduct Business Impact Analysis (BIA)
• Formal method for determining how a disruption to the IT
system(s) of an organization will impact the organization
• An analysis to identify and prioritize critical IT systems and
components
• Enables the BCP/DRP project manager to fully characterize
the IT contingency requirements and priorities

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 24
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements

Management Support
“C”-level managers:
• Must agree to any plan set forth
• Must agree to support the action items listed in the plan if an emergency event occurs
• Refers to people within an organization like the chief executive officer (CEO), the chief
operating officer (COO), the chief information officer (CIO), and the chief financial officer
(CFO)
• Have enough power and authority to speak for the entire organization when dealing with
outside media
• High enough within the organization to commit resources

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 25
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements

Develop and Document the Scope and the Plan


• Define exactly what assets are protected by the plan, which
emergency events the plan will be able to address, and
determining the resources necessary to completely create
and implement the plan
• “What is in and out of scope for this plan?”
• After receiving C-level approval and input from the rest of
the organization, objectives and deliverables can be
determined

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 26
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements
Scoping the Project
• Objectives are usually created as “if/then” statements
• For example, “If there is a hurricane, then the organization will
enact plan H—the Physical Relocation and Employee Safety Plan.”
Plan H is unique to the organization but it does encompass all the
BCP/DRP subplans required
• An objective would be to create this plan and have it reviewed by
all members of the organization by a specific date.
• The objective will have a number of deliverables required to create
and fully vet this plan: for example, draft documents, exercise
planning meetings, table top preliminary exercises, etc.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 27
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements
Scoping the Project
Executive management must at least ensure that support is given for three BCP/DRP items:
• 1. Executive management support is needed for initiating the plan.
• 2. Executive management support is needed for final approval of the plan.
• 3. Executive management must demonstrate due care and due diligence and be
held liable under applicable laws/regulations.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 28
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements

Example Scope
Critical business functions
Threats, vulnerabilities, and risks
Data backup and recovery plan
BCP personnel
Communications plan
BCP testing requirements

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 29
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements
People
• #1 Most important no exceptions (Life and safety above all else)
• Start with human safety then move on
• People = Any living human being that may be affected by the event
• Notifications and communications, using multiple methods
• Resources to keep people working
• Alternate work locations, food, equipment, internet, etc.
• Regular updates to leadership
• Notifications of external affected parties

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 30
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements
Processes
•What resources need to be available
•Critical supplies (computers, power, internet)
•How do we maintain critical operations
•Logistics
•Continuously available resources
•Recovery site (more in chapter 7)
• Hot, Warm, Cold
• Testing and updating

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 31
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements
Other Roles
Continuity Planning Project Team (CPPT)
• Comprises those personnel that will have responsibilities if/when an
emergency occurs
• Comprised of stakeholders within an organization
• Focuses on identifying who needs to play a role if a specific emergency
event were to occur
• Includes people from the human resources section, public relations
(PR), IT staff, physical security, line managers, essential personnel for
full business effectiveness, and anyone else responsible for essential
functions

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 32
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Develop and Scope the Plan
Identify, Analyze and Prioritize Business Continuity Requirements
Technologies
• Tech fails plan for it
• Backups are the #1 way to address this risk
• BCP should account for redundancy (power, water, telco, internet)
• Multiple locations for backups (on-prem and cloud)
• Need to account for external disaster (ISP, Bank, SaaS provider, etc.)
• Testing and updating

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 33
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Candidate Screening and Hiring
Contribute to and enforce personnel security policies and procedures

Humans are the biggest part of information security


• Clearly defined roles and job descriptions simplify security
• Need process and procedure for verifying background
• Education, Work history, Citizenship, Criminal record, Credit and financial
history, social media activity, and references
• More sensitive positions require further background investigation
• Have clear policies on the use of social media and business systems (appropriate
use)
• Verify before granting access to sensitive data

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 34
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Employment Agreements and Policies
Contribute to and enforce personnel security policies and procedures
Employment agreements set the stipulations the employee must abide by
• Nondisclosure
• Non compete
• Code of conduct
• Conflict of interest
• Acceptable use
• Employment polices
• Equipment use
• At home expectations (remote worker)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 35
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Onboarding, Transfers and Termination process
Contribute to and enforce personnel security policies and procedures
Each stage of employment comes with a security component
• Onboarding sets the tone for work behavior
• Processes for training on secure habits (security awareness)
• Additional training for employees who are likely targets of attackers (C-Level, Admins)
• Process for reporting security incidents (IMO #1)
• Roles and responsibility for securing their work area
• Data classification process and training
• Awareness of monitoring controls
• Their actions matter and make the difference (good or bad)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 36
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Onboarding, Transfers and Termination process
Contribute to and enforce personnel security policies and procedures
Transfers
• Clearly defined process for role transfer
• Employee access review (Is current access needed for new role)
• Transition period clearly defined (when is it time to cut off access to previous role)
• Least privilege (enforce)
• Legacy needs (smaller orgs)
• Temporary access (helping out)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 37
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Onboarding, Transfers and Termination process
Contribute to and enforce personnel security policies and procedures
Termination (Voluntary and Involuntary separation)
• Voluntary separation is a planned event (2 weeks, retire, good terms)
• Use a standard checklist (equipment, access, keys, badges, changing codes)

• Involuntary separation is usually an unplanned event and threat must be assumed


• Moves very fast, being well coordinated with HR / manager is key
• It is emotional for all involved, respect that and plan for it
• When possible, recover any equipment and retain for potential forensics
• Remaining staff need to be informed of termination and loss of access (don’t reset the password for Evan)
• Process for reporting attempted access by terminated employee
• *Insider threat program established and adhered to (UEBA can alert to a rage quit)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 38
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Vendor, Consultant and Contractor Agreements and Controls
Contribute to and enforce personnel security policies and procedures
• Vendor, Consultant and Contractor agreements and controls
• NDA’s and other agreements should be in place to protect sensitive information
• Policies that support monitoring and auditing of access by 3rd parties
• Policies that require secure connections with 3rd parties who access sensitive data
• Compliance Policy Requirements
• Ensure all employees are trained and periodical retrained on policies and regulations
they need to comply with in the fulfilment of their job duties.
• Privacy Policy Requirements
• Privacy policy should include what kind of personal data is collected, how it will or
will not be used, how it will be stored, maintained, and secured.
• Review and signature by employee that they understand and will comply with company
policies and regulations is common practice

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 39
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DAD JOKE TIME


Whew that was a lot to take in.
How about a dumb dad joke?

What’s the best way to catch a runaway robot?


Use a botnet

Yeah, I know.
That’s dumb.

Let’s get to it…

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 40
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts
• Risk management provides structure for making security decisions

Risk
Threat

Asset Vulnerability

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 41
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Information Security IS RISK MANAGEMENT!!!


Unique terms and definitions
Risk—expose (someone or something valued) to danger,
harm, or loss.

Inherent risk—risk present before any controls are applied.

Residual risk—level of risk that remains after controls are applied.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 42
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Unique terms and definitions


Threats—Negative event leading to a negative outcome.
Examples:
• Fire or natural disaster.
• Disgruntled employee.
• Cybercriminal looking to ransom you.
• Click happy employee

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 43
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Unique terms and definitions


Vulnerabilities—Weakness or gap in a system that may be exploited.
Examples:
• Unpatched software applications (#1)
• Weak access control mechanisms (e.g., weak passwords)
• Faulty fire suppression system
• Security unaware employee

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 44
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Unique terms and definitions


Vulnerabilities—Weakness or gap in a system that may be exploited.
Examples:
• Unpatched software applications (#1)
• Weak access control mechanisms (e.g., weak passwords)
• Faulty fire suppression system
• Security unaware employee

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 45
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Unique terms and definitions


Assets—Anything of value.
• Value can be Quantitative (cost or market value of asset)
• Value can be Qualitative (relative importance to you or the
organization)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 46
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Unique terms and definitions


Assets—Anything of value.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 47
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Risk assessments are the gateway to good security

Risk Risk Risk Risk


Identification Analysis Evaluation Treatment

*No such thing as Risk Elimination

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 48
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Risk assessments are the gateway to good security

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 49
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Risk Identification
• Asset discovery (hardware, software, network, data, people)
• Asset valuation (business value of asset)
• Classification (how sensitive, how critical)
• Vulnerabilities and Threats to asset

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 50
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Risk Analysis
Should begin with a vulnerability assessment (more in chapter 6)
and threat analysis (more on this later in this chapter)

The goal of risk analysis is to evaluate how likely identified threats are
to exploit weaknesses (i.e., vulnerabilities)

To make this evaluation we need to look at two key factors

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 51
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Risk Analysis
Likelihood—Probability that event will occur.

Impact—How disastrous the event would be if it were to happen .

Risk = Threat x Vulnerability (likelihood and impact)


Risk = Threat × Vulnerability × Impact (another way to put it)

Human life trumps everything!

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 52
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts

Risk Analysis
• Qualitative – based upon professional opinion; High,
Medium, Low…
• Quantitative – based on real values; dollars. Pure
quantitative analysis is nearly impossible (lack of data).
• Risk Analysis Matrix – Qualitative risk analysis table;
likelihood on one side, impact on the other.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 53
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Identify Threats and Vulnerabilities
Understand and Apply Risk Management Concepts
Risk Analysis

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 54
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Qualitative & Quantitative Risk Analysis
• Quantitative – based on real values; dollars. Pure
Qualitative analysis is nearly impossible (lack of data).
• Asset Value (AV) – Fair market value for an asset
• Exposure Factor (EF) - % of asset lost during an incident
(threat occurrence)
• Single Loss Expectancy (SLE) – AV x EF
• Annual Rate of Occurrence (ARO) – How many times a
bad thing is expected/year.
• Annualized Loss Expectancy (ALE) – SLE x ARO

If ALE exceeds Total Cost of Ownership (TCO), there is a positive Return on


Investment (ROI), or Return on Security Investment (ROSI).
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 55
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION TWO

INTRODUCTION
Terms and Definitions to Memorize
• Risk – The likelihood of something bad happening and the impact if it
did; threats (source) and vulnerabilities (weakness)
• Annualized Loss Expectancy (or ALE) - the cost of loss due to a risk over
a year
• Safeguard (or “control”) - a measure taken to reduce risk
• Total Cost of Ownership (or TCO) – total cost of a safeguard/control
• Return on Investment (or ROI) - money saved by deploying a safeguard
Another term is Return on Security Investment or “ROSI”.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 56
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Risk Response / Treatment
Understand and Apply Risk Management Concepts

Unique terms and definitions


Risk Tolerance—How much risk the organization is willing to take on.
Risk Profile—How much risk the organization is willing to take on.

Risk Treatment—Best way to address the risk.


Risk Response—Best way to address the risk.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 57
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Risk Response / Treatment
There are only four; risk acceptance criteria should be
documented. Risk decisions should ALWAYS be made by
management, NOT information security.
• Accept – the risk is acceptable without additional control
or change.
• Mitigate – the risk is unacceptable (to high) and requires
remediation. (Most common)
• Transfer – the risk can be transferred to someone else;
3rd-party provider, insurance.
• Avoid – the risk will be avoided by discontinuing the
action(s) that led to the risk.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 58
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Countermeasure Selection and Implementation (Security Controls)
Risk mitigation involves ONE or MORE countermeasures with the
goal of reducing the likelihood of an adverse event.

• Personnel-related – Hiring, Roles, Awareness training.


• People are the #1 Security risk and #1 Security control
• Process-related – Policy, procedure, and workflow-based
• Separation of duties, dual control
• Technology-related – Most of the attention.
• Encryption, configuration settings, hardware, software,
change detection.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 59
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Personnel Security Considerations
• Security Awareness and Training Information security isn’t about
information or security…
• Actually two different things
• Training teaches specific skills
As much as it is about people.
• Awareness activities are reminders
• Background Checks
• Criminal history, driving records, credit checks, employment verification,
references, professional claims, etc.
• More sensitive roles require more thorough checks; one-time and
ongoing
1. If people didn’t suffer when
• Employee Termination things go wrong, nobody would
• Formalized disciplinary process (progressive) (or should) care.
• Exit interviews, rights revocation, account reviews, etc.
2. People are the most
• Dealing with Vendors, Contractors, 3rd Parties significant risk
• Outsourcing and Offshoring
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 60
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Risk Response / Treatment
Understand and Apply Risk Management Concepts

Unique terms and definitions


Security-Effectiveness—How effective are the controls selected in
addressing the specific risk, and are the controls inline with the kind
of security risk your addressing (prevent, detect, or correct)

Cost-Effectiveness—is calculated by performing a cost benefit


analysis comparing cost of countermeasure(s) to the cost the would
be realized by a compromise of the risks the countermeasures are
intended to mitigate.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 61
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Risk Response / Treatment
Understand and Apply Risk Management Concepts

ALE from ransomware event = $200,000


Countermeasure of backups = $50,000
Value added to organization = $150,000

*Countermeasures generally have ongoing costs to factor

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 62
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 1: SECURITY AND RISK MANAGEMENT


Operational Impact
Understand and Apply Risk Management Concepts

• Countermeasures must be evaluated for impact to the organization

• Difficult to implement or use countermeasures increases risk

• People will circumvent difficult countermeasures

• Understanding culture and strategy is important to selecting


countermeasures that don't have a negative operational impact

*Culture and strategy alignment, are a countermeasures best friend


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 63
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Applicable Types of Controls
• Categories
See! Also in our
• Administrative Controls
• Technical Controls
definition.
• Physical Controls
• Types VERY TESTABLE: you may be given a
scenario or control description and
• Preventive need to provide the category and
• Detective type.
• Corrective
In order to be sure of the control type,
• Recovery you need to clearly understand
• Deterrent context.
• Compensating

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 64
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Applicable Types of Controls
• Types
• Preventive – First line controls (firewall, validation, training)
• Detective – Identify negative security event (alarm, IDS, audit)
• Corrective – Minimize and repair damage
(patching, config management, new or updated policies)
• Recovery – Return to normal ASAP (backups, DR plans)
• Deterrent – Discourage (generally policy, and physical measures)

• *Compensating – Put in place to satisfy a security requirement


deemed to difficult or impractical to implement at the present time.
Not a full mitigation of risk (encourage vs enforce)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 65
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Control Assessments
Understand and Apply Risk Management Concepts

Examine – Inspecting, reviewing, observing, studying or analyzing


assessment objects.(specifications, mechanisms or activities)
Interview – Talking to people for clarity and obtaining evidence
provided during the examine phase.
Test – Comparing actual with expected behavior of the security control,
confirming security controls are implemented as they are documented and
operating effectively as intended.

Monitoring and Measurement –periodic measuring of security control


effectiveness and health (ongoing, annual or quarterly)
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 66
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Reporting
Understand and Apply Risk Management Concepts

• Process to report to leadership, regulators, and other stakeholders –


Important discoveries or metrics
• Specific reporting requirements (DHS, Legal, Regulatory, Industry specific)
• A well managed risk-based security program has reporting on
• Internal audits (self assessment)
• External audits (regulators or any other third-party audits)
• Significant changes to organization’s risk posture
• Significant changes to security or privacy controls
• Suspected or confirmed security incidents (or breaches)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 67
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Continuous Improvement
Understand and Apply Risk Management Concepts

Strive to improve efficiency of security management program.


Seek to continuously improve the ROI associated with security.

Risk maturity modeling assess strength of security program.


and informs plans for continuous improvement.
Not secure enough
Using a predefined scale helps with focus on specific Too much risk
behavior to improve vs getting caught up in individual security Too much security
gaps. Burdensome

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 68
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk frameworks governance considerations
Understand and Apply Risk Management Concepts

• Consistent (same way)

• Measurable (progress and goals)

• Standardized (meaningful comparisons)

• Comprehensive (cover the minimum and be extensible)

• Modular (withstand change, only modify what you need)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 69
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk frameworks
Understand and Apply Risk Management Concepts

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 70
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk frameworks
Understand and Apply Risk Management Concepts

• International Standards Organization


• ISO 31000:2018 is intended to be applicable to all Customized

• There are eight principals Continual


Improvement Inclusive

• ISO 31004 guidance on implementing ISO


31000:2018
• ISO 31000 series address general risk, ISO 31000
information security practices are addressed in
Human and
Comprehensive
Cultural Factors
Principles
ISO 27000 series
• ISO 27005 does not provide a risk assessment
practice Best Available
Integrated
• ISO 27005 provides Inputs to, and outputs
Information

from the risk assessment practice used by Dynamic

the organization

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 71
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk frameworks ISO 31000:2018
Understand and Apply Risk Management Concepts

• Customized - and proportionate to level of risk


• Inclusive - timely involvement of stakeholders
• Comprehensive – structured approach is required
• Integrated – part of organizational activities
• Dynamic – detects, acknowledges and responds to change
• Best available information – consider limitations of available information
• Human and cultural factors – humans influence all factors
• Continual Improvement - improvement through learning
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 72
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk frameworks
Understand and Apply Risk Management Concepts

• US National Institute of Standards and


Technology
• Risk Management Framework (RMF)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 73
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk frameworks COBIT and RISKIT
Understand and Apply Risk Management Concepts

• Control Objectives for Information and Related Technology


• Developed by ISACA in the 90’s
• Governance of Enterprise IT has 5 processes
• Management of Enterprise IT has 32 processes
• Closely aligned to ISO 20000, ISO 27001, ITIL, Prince2, SOX and
TOGAF

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 74
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk frameworks COBIT and RISKIT
Understand and Apply Risk Management Concepts

• RiskIT consists of three domains each with three processes


• Risk governance
• Risk evaluation
• Risk response
• Identifies Organizational responsibilities
• Identifies information flows between processes
• Processes performance management activities
• Additional details in RiskIT Practitioner Guide

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 75
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling concepts
Understand and Apply Threat Modeling Concepts and Methodologies
Unique terms and definitions
Threat modeling— Technique to identify potential threats
Threat—Vulnerabilities or absence of necessary security controls
Attack surface— Total area an attacker could execute a compromise
-Information system examples (communications, access control,
weakness in system or architecture)
-Physical example (means of entrance egress, construction
techniques, location)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 76
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling concepts
Understand and Apply Threat Modeling Concepts and Methdologies

• Attacker-centric
• Identify various actors' characteristics, skillset, and
motivation
• Profile attackers to specific attacks
• Generally, part of a BCP/DR planning process
• Understanding how the attacker operates

Example: Anti-money laundering process(AML)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 77
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling concepts
Understand and Apply Threat Modeling Concepts and Methdologies

• Asset-centric
• Identify asset value to organization and to the attacker
• The means by which the asset is managed, manipulated,
used, and stored
• Evaluate and identify how an attacker might compromise
the asset
• Many compliance regimes focus on asset protection
(HIPAA,GDPR, PCI-DSS)
• Helpful in protecting other assets such as intellectual
property

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 78
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling concepts
Understand and Apply Threat Modeling Concepts and Methdologies

• Software-centric (or System-centric)


• This model is most useful
• Systems are represented as asset of interconnected
diagrams such as dataflow diagrams (DFD) or
component diagrams
• Diagrams are evaluated for potential attacks against
each component
• Determine whether a security control is necessary, exists,
and achieves the control effect

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 79
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling Methodologies STRIDE, PASTA, NIST 800-154 and DREAD
Understand and Apply Threat Modeling Concepts and Methodologies

• STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 80
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling Methodologies
Understand and Apply Threat Modeling Concepts and Methodologies

• PASTA (Process for Attack Simulation and Threat Analysis)


• Define objectives
• Define technical scope
• Application decomposition
• Threat analysis
• Vulnerability analysis
• Attack enumeration
• Risk and impact analysis

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 81
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling Methodologies
Understand and Apply Threat Modeling Concepts and Methodologies

• NIST 800-154 (Guide to Data-Centric System Threat Modeling)

1. Identify and characterize the system and data of interest


2. Identify and select the attack vectors to be included in the model
3. Characterize the security controls for mitigating the attack
vectors
4. Analyze the threat model

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 82
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling Methodologies
Understand and Apply Threat Modeling Concepts and Methodologies

• DREAD mnemonic quantitative risk rating

• Damage
• Reproducibility
• Exploitability
• Affected users
• Discoverability

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 83
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Threat modeling Methodologies Other Models
Understand and Apply Threat Modeling Concepts and Methodologies

• Operational Critical Threat, Asset, and Vulnerability Evaluation


(OCTAVE) *developed by Software Engineering Institute (SEI)
• Trike focuses on threat models as risk management tool
*open-source
• Construct a platform for Risk Analysis of Security Critical
Systems (CORAS) *European project heavy reliance on Unified Modeling
Language (UML)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 84
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Frameworks
Apply Supply Chain Risk Management Concepts

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 85
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risks Associated with Hardware, Software and Services
Apply Supply Chain Risk Management Concepts

• Most systems are interconnected and reliant on multiple


vendors spread across the globe.
• Must evaluate the entirety of your supply chain and
ensure appropriate security controls are in place to
manage risk.
• Ensure security controls are aligned to legal, contractual
obligations as well as organization polices.

• *cloud is still your responsibility to secure.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 86
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Third-Party Assessment and Monitoring
Apply Supply Chain Risk Management Concepts

• Third-parties need to be assessed for risk


• Have a third-party risk management policy that enforces
assessing, monitoring and controlling risks.
• Governance and oversight activities should include onsite
security surveys, formal security audits of third-party
systems and penetration testing.
• New third-parties should be assessed against the
organization’s security requirements.
*More in chapter 6

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 87
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Minimum Security Requirements (MSR)
Apply Supply Chain Risk Management Concepts

• Similar to baselines and standards


• Least acceptable security standards for vendors and
others in your supply chain
• Should factor in legal, contractual, or regulatory
requirements.
• Ensure the MSR is not below and external security
compliance requirement
• Audit and assess third-party compliance with any MSR
established

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 88
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Service-Level Requirements (SLA)
Apply Supply Chain Risk Management Concepts

• Contractual agreement between service provider and it’s


customers
• Establishes the minimum performance standards
• Serves as documented and agreed-upon performance
requirements
• Generally related to uptime and availability
• Established financial compensation or right to terminate
if SLA is not met

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 89
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Frameworks NIST IR 7622 Notional Supply Chain Risk Management
Practices for Federal Information Systems
Apply Supply Chain Risk Management Concepts

• Uniquely identify supply chain elements, process, and actors.


• Limit access and exposure within the supply chain
• Establish and maintain the provenance of elements, processes,
tools, and data
• Share information within strict limits
• Perform supply chain risk management awareness and training

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 90
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Frameworks NIST IR 7622 Notional Supply Chain Risk Management
Practices for Federal Information Systems
Apply Supply Chain Risk Management Concepts

• Use defensive design for systems, elements, and processes


• Perform continuous integrator review
• Strengthen delivery mechanisms
• Assure sustainment activities and processes.
• Manage disposal and final disposition activities throughout the
system or element lifecycle.

• *National Security Systems Directive 505 “Supply Chain Risk Management”

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 91
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Frameworks ISO 28000:2007
Apply Supply Chain Risk Management Concepts

• Not specific to cybersecurity


• Good for organizations using other ISO standards (ISO
9001, ISO 27001)
• Relies heavily on continuous improvment model of Plan,
Do, Check, Act (PDCA)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 92
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Frameworks U.K. National Cyber Security Center (NCSC)
Apply Supply Chain Risk Management Concepts

• 12 principals divided into three stages


• Understand your risks
• Establish control
• Check your arrangements
• Continuous improvement

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 93
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Methods and Techniques to Present Awareness and Training
Establish and Maintain a Security Awareness, Education and Training Program

• Social Engineering
• Security Champions
• Gamification

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 94
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Methods and Techniques to Present Awareness and Training
Establish and Maintain a Security Awareness, Education and Training Program

• Social Engineering – Technique of exploiting human weakness


• Phishing is most common method
• Vishing (voice-based phishing)
• Smishing (SMS or text-based phishing)
• Social media (spirit animal survey)
• Impersonation (deep fake, mimicking writing styles)
• User must be trained on what to look for and how to
report suspected attempts of social engineering

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 95
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Methods and Techniques to Present Awareness and Training
Establish and Maintain a Security Awareness, Education and Training Program

• Security Champions act as a liaison between security and the rest


of the company
• Is an advocate of security best practices
• Does not work on security team as part of their primary job
• Should have one per team/ department if team /department is
large enough

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 96
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Methods and Techniques to Present Awareness and Training
Establish and Maintain a Security Awareness, Education and Training Program

• Gamification is using game techniques in a nongame applications


• Helps bring some fun to awareness training
• Makes security more relatable
• Improves engagement

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 97
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Periodic Content Reviews
Establish and Maintain a Security Awareness, Education and Training Program

• Constant change is the norm


• Review and update awareness content regularly to ensure
alignment to and coverage of emerging threats
• At a minim annual reviews should be conducted
• Remove any outdated terms and or technology references
• Should reflect current security trends, concepts, and
concerns.
• CISSP’s should be involved in the development of training
content

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 98
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE


DOMAIN 1: SECURITY AND RISK MANAGEMENT
Program Effectiveness Evaluation
Establish and Maintain a Security Awareness, Education and Training Program

• Security awareness training programs should


be formally evaluated for effectiveness
• Training metrics (completed, not started)
• Quizzes (testing to understanding)
• Security awareness day or week (capture
feedback)
• Inherent evaluation (reporting of suspected
security events)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 99
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION TWO

SESSION 2 – FIN YOU MADE IT!


Domain 1 is a done WHOOT HECK YA!! YALL!

Domain 1 can be a challenge because it’s so disjointed.

Next Session - Domain 2 (Asset Security) – Not Ryan


• Identification and classification Information and Assets
• Asset handling requirements
• Provision and inventory
• Management
• Roles
• Data Lifecyle and controls

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 100
#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION TWO

SESSION 2 – FIN YOU MADE IT!


Domain 1 is a done WHOOT HECK YA!! YALL!

Domain 1 can be a challenge because it’s so disjointed.

Homework:
• Read Domain 2.
• Take practice tests.
• Review at least two of the references we provided in this
class (download for later use).
• Post at least one question/answer in the Slack Channel.

See you next Monday!


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 101
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION ONE

INTRODUCTION

2022
Class #3 - Introduction
Ryan Cloutier
President of SecurityStudio & vCISO
Infosec Missionary on a Mission

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 1

You might also like