CISSP Domain1 - 2024
Objectives
• How security supports organizational mission,
goals and objectives
• Risk management
• Security governance and management
• Security standards, policies, procedures and
guidelines
• Professional ethics
• Security awareness, education, and training
program
• Disaster Recovery /Business Continuity Plans
Topics
• (ISC)² Professional Ethics
• Security Concepts
• Security Governance Principles
• Legal, regulatory & compliance issues to security
• Investigation types
• Security policies, standards, procedures, and guidelines
• Enforce personnel security policies and procedures
• Risk management concepts
• Threat modeling concepts and methodologies
• Supply chain risk management (SCRM) concepts
• Security awareness, education, and training program
Professional Ethics
• (ISC)² code of ethics
– Protect society, the commonwealth, and
the infrastructure.
– Act honorably, honestly, justly,
responsibly, and legally.
– Provide diligent and competent service to
principals.
– Advance and protect the profession.
5 Pillars of Information Security
• Confidentiality
• Integrity
• Availability
• Authenticity
• Nonrepudiation
CONFIDENTIALITY
The protection of information from
unauthorized disclosure
INTEGRITY
The accuracy and completeness of
information in accordance with
business values and expectations
AVAILABILITY
The ability to access information
and resources required by the
business process
Confidentiality
• Preventing the information content from
being viewed by unauthorized or unwanted
persons and processes
• Confidentiality breach can occur in many
ways.
• Confidentiality must be ensured in the
environment where information is stored,
transmitted and processed.
Confidentiality
• Confidentiality levels
– Sensitivity of information.
– Grant access based on the confidentiality levels
• An access control mechanism is needed
– ACL (Access Control List)
• Traceability and accountability are needed
– Who has accessed the information
• Determine which information is sensitive
and at what level its confidentiality will be
protected.
Ensure Confidentiality
• Encryption
• Logical access controls
– Passwords, biometrics, other authentication factors
– File-based access restrictions
– DBMS (VTYS) views, etc.
• Physical access controls
– Protecting secure areas
– Guards, CCTV etc
• Administrative controls
– Employees security awareness programs
– Security policies, procedures
Confidentiality Measures
• Encryption (at rest, in transit, in processing)
• SSLv3, S/HTTP, IPSec, S/MIME, PEM, EFS, ssh, sRPC, ...
• Network traffic padding (adding or removing additional
information to real data)
• Strong Authentication
• Data Classification
• Security labels for data, users and processes
• Security awareness
• Secure destruction of media
• A breach of confidentiality is often followed by a breach of
information integrity.
• In a confidentiality violation the information itself is generally
not modified without authorization.
Integrity
• Preventing information from being changed by
unauthorized persons and processes, being
changed by authorized persons and processes
who do not have the right to change it, and
ensuring information consistency
• Threats to integrity
– Virus
– Logic Bomb
– Back Door
– Other malicious codes
– Hardware, software deficiencies
– User’s mistakes
– Wrongly configured server and network components
– Weak access controls
– System and software vulnerabilities
Loss Consequences and Preservation Methods
Integrity Measures
• Access control
• Intrusion detection/response
• Anti-virus & malicious code software
• Correctly configured network and server components
• Digital Certificates
• Encryption
• Security Awareness
• Backup and restore
• Patch and release management
• Formal change management
• Application security controls
• Checksums, check digits, hash totals, reconciliations, DB controls, ...
Availability
• Access the information when needed
• Measures
– Correctly configured and up-to-date patched network elements
• Closing unnecessary services and ports
• Modification of default parameters
• Patch management
• Log management
– Clustered and fault tolerant systems and applications
– Data backup, replications, mirroring
– Disaster Recovery and Business Continuity Plans
– Application controls
• Buffer overflow controls, covert channel controls, I/O controls
– Measures against TCP/IP protocol vulnerabilities
• TCP /IP secure configuration
– Recovery Strategies (warm site, reciprocal agreements etc)
Achieving CIA - Best Practices
• Separation of Duties
• Mandatory Vacations
• Job Rotation
• Least Privileges
• Need to know
• Dual Control
Authenticity
• The ability to ensure that the information
originates from, or is endorsed by, the source
to which it is attributed.
• Measures
– Digital Signatures
– Logging
– Time Stamping
Non-repudiation
• Non-repudiation refers to the concept of
ensuring that a message or other information is
genuine.
• In cybersecurity, information received must be
verified as coming from the actual sending
source indicated.
• It is also important that neither sender nor
receiver can later deny that they sent or
received the information.
• Non-repudiation is implemented through digital
signatures and transactional logs.
IAAAA
• Identification: unique user identification
• Authentication: validation of the claimed identification
• Authorization: verification of privileges and
permissions for the authenticated user
• Accountability: ensuring that only authorized users
access the system and use it accordingly
• Auditing: tools, processes, and activities used
to achieve and maintain compliance
Layered Defense
Deploying controls in layers is good practice
• Defense in depth
Uses:
• To provide additional protection in the event of a
control failure
• Because a single control is known to be inadequate
Layered Security/Defence in Depth
The use of multiple controls in a series
• Level1: Network Layer Security
• Level2: Platform Layer Security
• Level3: Application Layer Security
• Level4: Data Layer Security
• Level5: Response Layer Security
Single Points of Failure
• A single point of failure (SPOF)
– Failure of a single component results in the failure of
the entire system
Fail Open / Fail Closed (cont.)
• Principles
– Different types of failures will have
different results
– Both fail open and fail closed
are undesirable, but sometimes one or
the other is catastrophic
– Security devices generally fail closed
COUNTERMEASURES
• Designed to reduce a single vulnerability or a threat
• Should be considered from a strategic perspective
• Can be passive or active
Security Governance Principles
Topics
• Alignment of the security function to business
strategy, goals, mission, and objectives
• Organizational processes (e.g., acquisitions,
divestitures, governance committees)
• Organizational roles and responsibilities
• Security control frameworks
• Due care/due diligence
Information Security Governance Overview
Importance of Information Security Governance
– Improving trust in customer relationships
– Protecting the organization’s reputation
– Providing accountability for safeguarding information
during critical business activities
– Reducing losses from security-related events
– Providing assurance that security incidents and
breaches are not catastrophic
Organizational Mission, Objectives, and Goals
Mission
• Statement of its ongoing purpose and
reason for existence.
• Usually published, so that employees,
customers, suppliers, and partners are
aware of the organization’s stated
purpose.
Mission (cont.)
• Should influence how we will approach
the need to protect the organization’s
assets.
Goals and Strategy
• Business goals are set by the board of directors
• Senior management builds the strategy to achieve these goals
• Governance ensures business strategy remains consistent with
business goals
• Information security governance provides strategic guidance for
security
• Information security strategy should be linked to the overall
business strategy
(Figure: Goals, Objectives, Strategy; strategy planning at the
tactical and operational levels)
Information Security Strategy Overview
ROLES AND RESPONSIBILITIES
Board of Directors
• Need to be aware of information assets
• Provided with high-level results of risk assessments and BIAs
• Exercise due care in protecting key assets
Senior Management
• Ensure needed functions/resources are available
• Ensure resources are properly utilized
• Promote cooperation, arbitrate when needed and set priorities
Steering committee
• Comprised of senior representatives of groups impacted by
information security
• Ensures alignment of security program with business objectives
Common topics:
• Security strategy and integration efforts
• Specific actions and progress related to business unit support of
information security program functions
• Emerging risk, business unit security practices and compliance
issues
IS STEERING COMMITTEE
INTERNAL STAKEHOLDERS
EXTERNAL STAKEHOLDERS
• Service providers
• Critical vendors
• Regulators
• Outsourcing partners
• Consumers/members
• Regulatory bodies
• Business partners
IS Standards, Policies and Procedures
• Part of the security architecture
• Serve as governance tools and management tools
POLICIES, STANDARDS AND CONTROLS
POLICIES
• Broad enough to not require regular revision, but should be periodically reviewed
• A security policy for information and related technology is a first step toward building the
security infrastructure for technology-driven organizations.
• This policy should be used by IS auditors as a reference framework for performing audit
assignments.
• The adequacy and appropriateness of the policy is also an area of review during an IS
audit.
POLICY COMPONENTS
The information security policy may comprise a set of policies, generally addressing the
following concerns:
• High-level information security policy — Includes statements on confidentiality, integrity and
availability
• Data classification policy — Provides classifications and levels of control at each classification
• End-user computing policy — Identifies the parameters and usage of desktop, mobile and other
tools
• Access control policy — Describes methods for defining and granting access to users of various
IT resources
• Acceptable use policy (AUP) — Controls the use of information system resources through
defining how IT resources may be used by employees
STANDARDS
• Support policies
PROCEDURES
• Ensure an organization can continue operations even if regular staff are unavailable
GUIDELINES
• Can be helpful when an outcome needs to be achieved, but the how does not matter
INFORMATION SECURITY CONTROL FRAMEWORKS
STRATEGY AND FRAMEWORK
RELATIONSHIP OF GOVERNANCE ELEMENTS
THIRD-PARTY RESOURCES
May derive benefit from certified compliance with third-party standards (e.g., ISO)
SABSA SECURITY ARCHITECTURE MATRIX
Source: The Open Group; TOGAF, Version 9.1., United Kingdom 2011
BUILDING CONSISTENCY
Legal, regulatory, and compliance issues that pertain
to information security
Trade secrets and patents compared:
• Trade secret: protects business information; registration required: No;
duration: potentially infinite; infringement: misappropriation
• Patent: protects functional innovations, novel ideas, inventions; registration
required: Yes; duration: set period; infringement: making, using, or selling an
invention
Import/Export Controls
• Import and export controls are country-based rules and
laws implemented to manage which products,
technologies, and information can move in and out of
those countries, usually meant to protect national security,
individual privacy, economic well-being, and so on.
• The Wassenaar Arrangement
– It allows certain countries to exchange and use cryptography systems of
any strength while also preventing the acquisition of these items by terrorists
• International Traffic in Arms Regulations (ITAR)
– US regulation that was built to ensure control over any export of items
such as missiles, rockets, bombs, or anything else existing in the
United States Munitions List (USML).
• Export Administration Regulations (EAR)
– Covers commercial-use items such as computers, lasers, marine items,
and more. However, it can also include items that may have been
designed for commercial use but actually have military applications.
• Transborder data flow laws restrict the transfer of data across country
borders. When sharing data across borders, applicable laws must be
considered.
• These laws primarily relate to personal data. The idea is to protect a
country/state/province/region's citizens' personal data. If an
organization is collecting citizens' data, then they are accountable for
the protection of that data.
• Given these laws, organizations must consider the potential
implications of the flow of data across physical borders. This can be
very challenging for organizations to keep track of with the proliferation
of service providers and global cloud services.
Privacy Information
PRIVACY TERMS
Data owners
• Owners need to have clearly defined accountabilities, including:
– Defining classification
– Approving access
– Retention and destruction
• Different types of owners:
– Data owners
– Process owners
– System owners
• Companies that collect personal data about customers are accountable for the protection of the data
PRIVACY PRINCIPLES
• Consent
• Collection limitation principle
• Data quality principle
• Purpose specification principle
• Use limitation principle
• Security safeguards principle
• Openness principle
• Individual participation principle
• Accountability principle
PRIVACY IMPACT ASSESSMENT
Business Continuity
BCP PROCESS
The BCP process can be divided into life cycle phases, as shown here:
• Business Impact Analysis
• BC Strategy Development
• Strategy Execution (Risk Countermeasures Implementation)
• BC Plan Development
• BC Awareness Training
A business continuity policy should be proactive, delivering the message that all possible
controls to both detect and prevent disruptions should be used.
BUSINESS IMPACT ANALYSIS
BIA is a process used to determine the impact of losing the support of any resource.
It is an important adjunct to the risk analysis, often uncovering vital but less visible
components that support critical processes.
The IS auditor should be able to evaluate the BIA, requiring a knowledge of BIA
development methods.
BUSINESS IMPACT ANALYSIS
• BIA Inputs
– BCP Policy
– Risk Assessment (BCP based)
– Business Process Owners List
– Business Objectives and Goals
• BIA Outputs
– List of critical business processes and important tasks
– Recovery Time Objective (RTO)
– Recovery Point Objective (RPO)
– Maximum Tolerable Outage (MTO)
RPO AND RTO DEFINED
Both RPO and RTO are based on time parameters. The nearer the time requirements
are to the center, the more costly the recovery strategy. Note the strategies employed at
each time mark in the graphic, reconstructed here as two lists.
RPO side (data protection, measured back from the disruption):
• 4-24 hrs: tape backups, log shipping
• 1-4 hrs: disk-based backups, snapshots, delayed replication, log shipping
• 0-1 hr: mirroring, real-time replication
RTO side (recovery, measured forward from the disruption):
• 0-1 hr: active-active clustering
• 1-4 hrs: active-passive clustering, hot standby
• 4-24 hrs: cold standby
RECOVERY ALTERNATIVES
• Hot sites
• Warm sites
• Cold sites
• Reciprocal arrangements with other organizations
• Occupant emergency plan
• Evacuation plan
• Emergency relocation plan
PLAN TESTING
Assessing the results and value of the BCP tests is an important responsibility for the IS
auditor.
Personnel Security
Hiring Practices and Procedures
Termination
• Immediate termination of all logical and
physical access
• Change passwords known to the
employee
• Recovery of all company assets
• Notification of the termination to affected
staff, customers, other third parties
• And possibly: code reviews, review of
recent activities prior to the termination
Work Practices
• Separation of duties
– Designing sensitive processes so that two
or more persons are required to
complete them
• Job rotation
– Good for cross-training, and also reduces
the likelihood that employees will collude
for personal gain
• Mandatory vacations
– Detect / prevent irregularities that violate policy
and practices
Risk Management
Enterprise Risk Management
Risk Terminology
• Risk: a derived value that refers to the likelihood (frequency)
and magnitude (impact) of loss that exists from a combination
of assets, threats, and control conditions.
Risk Terminology
• Risk Level = Threat Probability x Risk Impact
• Inherent Risk = Risk without controls applied
• Residual Risk = Risk after controls applied
• Risk Profile = Current overall risk
Risk Identification
Process used to determine and examine the type and nature of viable
threats to enterprise vulnerabilities.
• Enterprises operate in a constantly changing environment
• Potential threats and resulting risk also evolve
• Only identified risk can be assessed and treated appropriately
Identify:
• All information assets, including third-party assets (service
providers, outsourcers, contractors)
• Viable threats (potential and realized)
Risk Identification Methods and Techniques
Methods and Tools
• Threat modeling
• Checklists
• Flowcharts
Techniques
• Judgements based on experience
• Workshops
Vulnerabilities
• Technical weaknesses
• Business processes
• Employees
• Lack of awareness
• Outsourced services
Threats
• Circumstances or events with potential to cause harm
• Internal, external, or from anywhere
• Legal, environmental or technical
• Intentional or unintentional
Identifying Vulnerabilities
Threat modeling MODELS and their BENEFITS
STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure,
Denial of service, Elevation of privilege)
• Helps identify relevant mitigating techniques
• Most mature
• Easy to use but time consuming
PASTA (Process for Attack Simulation and Threat Analysis)
• Helps identify relevant mitigating techniques
• Directly contributes to risk management
• Encourages collaboration among stakeholders
• Contains built-in prioritization of threat mitigation
• Laborious, but has rich documentation
LINDDUN (Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of
information, Unawareness, Noncompliance)
• Helps identify relevant mitigating techniques
• Contains built-in prioritization of threat mitigation
• Can be labor intensive and time consuming
Attack Trees
• Helps identify relevant mitigating techniques
• Has consistent results when repeated
• Easy to use if a thorough understanding of the system is already in place
Risk Assessment Process
Risk Assessment = Risk Identification, then Risk Analysis, then Risk Evaluation
Frameworks and methods:
• COBIT
• OCTAVE®
• NIST 800-39
• HB 158-2010
• ISO 27005:2022
• ISO/IEC 31000
• ITIL®
• CRAMM
• FAIR
• HARM
• VAR
Using Risk Analysis Methods
Gap Analysis
Qualitative Analysis
Quantitative Analysis
Value at Risk
Bayesian Analysis
Delphi Method
Markov Analysis
Monte-Carlo Analysis
Qualitative Risk Assessment
• For a given scope of assets, identify:
– Vulnerabilities
– Threats
– Threat probability (Low / medium / high)
– Impact (Low / medium / high)
– Countermeasures
Quantitative Risk Assessment
• Extension of a qualitative risk
assessment. Metrics for each risk are:
– Asset value: replacement cost and/or income
derived through the use of an asset
– Exposure Factor (EF): portion of asset's value lost
through a threat (also called impact)
– Single Loss Expectancy (SLE) = Asset ($) x EF (%)
Example of Quantitative Risk Assessment
• Theft of a laptop computer, with the data
encrypted
• Asset value: $4,000
• Exposure factor: 100%
• SLE = $4,000 x 100% = $4,000
• ARO = 10% chance of theft in a year
• ALE = 10% x $4,000 = $400
Quantifying Countermeasures
• Goal: reduction of ALE
(or the qualitative losses)
• Impact of countermeasures:
– Cost of countermeasure
– Changes in Exposure Factor (EF)
– Changes in Single Loss Expectancy (SLE)
– Benefit of countermeasure
• Always cost/benefit analysis when
selecting countermeasures
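The SLE/ALE arithmetic above and the countermeasure cost/benefit rule, worked through in code. This is an added example, not material from the original slides: the laptop figures ($4,000, EF 100%, ARO 10%) are the slide's own, while the two countermeasures, their annual costs and their effect on ARO are constructed for illustration.

```python
"""Quantitative risk assessment: SLE, ALE and countermeasure cost/benefit (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair with the three metrics the slides define."""
    asset_value: float      # AV: replacement cost and/or income derived from the asset ($)
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: Annualized Rate of Occurrence (expected incidents per year)

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control can lower the EF (limit damage), the ARO (limit likelihood), or both."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def apply_countermeasure(risk: Risk, cm: Countermeasure) -> Risk:
    """Residual risk after the control; metrics the control does not touch are kept."""
    ef = risk.exposure_factor if cm.new_exposure_factor is None else cm.new_exposure_factor
    aro = risk.aro if cm.new_aro is None else cm.new_aro
    return replace(risk, exposure_factor=ef, aro=aro)


def annual_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Benefit = ALE before the control minus the residual ALE after it."""
    return risk.ale() - apply_countermeasure(risk, cm).ale()


def net_value(risk: Risk, cm: Countermeasure) -> float:
    """Cost/benefit figure: annual benefit minus the control's annual cost."""
    return annual_benefit(risk, cm) - cm.annual_cost


def select_countermeasure(risk: Risk, options: List[Countermeasure]) -> Optional[Countermeasure]:
    """Pick the control with the highest positive net value; None means accept the risk."""
    best = max(options, key=lambda cm: net_value(risk, cm), default=None)
    return best if best is not None and net_value(risk, best) > 0 else None


# Slide example: theft of a laptop with encrypted data, AV $4,000, EF 100%, ARO 10%.
LAPTOP = Risk(asset_value=4000.0, exposure_factor=1.0, aro=0.10)

# Constructed (hypothetical) options: the costlier control cuts ALE the most but is not worth it.
OPTIONS = [
    Countermeasure("cable locks", annual_cost=20.0, new_aro=0.05),
    Countermeasure("guarded storage and escorts", annual_cost=500.0, new_aro=0.01),
]

if __name__ == "__main__":
    print(f"SLE ${LAPTOP.sle():,.0f}  ALE ${LAPTOP.ale():,.0f}")
    for cm in OPTIONS:
        print(f"{cm.name}: benefit ${annual_benefit(LAPTOP, cm):,.0f}, net ${net_value(LAPTOP, cm):,.0f}")
    chosen = select_countermeasure(LAPTOP, OPTIONS)
    print("choose:", chosen.name if chosen else "accept the risk")
```

Note that the control with the largest ALE reduction (ALE $400 to $40) has a negative net value, so the cheaper cable locks (ALE $400 to $200, net +$180) are the justified choice; this is the cost/benefit check the slide asks for.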
Risk Acceptance
• Accepted risk should not exceed the risk appetite of the enterprise,
and it must not exceed the risk capacity
• Risk appetite deviations: not desirable, but sufficiently below
risk capacity
Risk Treatment/Response
• One or more outcomes from a
risk assessment
– Risk Acceptance
• “yeah, we can live with that”
– Risk Avoidance/termination
• Discontinue the risk-related activity -- the most extreme form of
risk treatment
– Risk Reduction (also called Risk Mitigation)
• Using countermeasures such as firewalls, IDS systems, etc., to
reduce risks
– Risk Transfer/Share
• Buy insurance
Residual Risk
• After risk treatment, some risk remains
• Risk can never be eliminated entirely
• The remaining risk is called Residual
Risk
Security Management Concepts
ISO 27001
• Standard for Information Security
Management System
• Plan-Do-Check-Act cycle
– Plan = define requirements, assess risks, decide
which controls are applicable
– Do = implement and operate the ISMS
– Check = monitor and review the ISMS
– Act = maintain and continuously improve the ISMS
• Documents and records are required
Security Controls
• Detective (records events)
• Deterrent (scares evil-doers away)
• Preventive (stops attacks)
• Corrective (after an attack, prevents another
attack)
• Recovery (after an attack, restores operations)
• Compensating (substitutes for some other
control that is inadequate)
Service Level Agreements
• SLAs define a formal level of service
• SLAs for security activities
– Security incident response
– Security alert / advisory delivery
– Security investigation
– Policy and procedure review
Secure Outsourcing
• Outsourcing risks
– Control of confidential information
– Loss of control of business activities
– Accountability – the organization that outsources
activities is still accountable for their activities and
outcomes
Data Classification and Protection
• Components of a classification and
protection program
– Sensitivity levels
• “confidential”, “restricted”, “secret”, etc.
– Criticality levels (importance)
– Marking procedures
• How to indicate sensitivity on various forms of information
– Access procedures
– Handling procedures
• E-mailing, faxing, mailing, printing, transmitting, destruction
Internal Audit
• Evaluation of security controls and
policies to measure their effectiveness
– Performed by internal staff
– Objectivity is of vital importance
– Formal methodology
– Required by some regulations, laws and external
standards