Security and Risk Management: CISSP, #1
About this ebook
Security and Risk Management is the first domain of the CISSP common body of knowledge. Some of the major topics that we will cover include risk assessment, security management, legal and regulatory concerns, computer crimes, threat modelling, and continuity planning and disaster recovery.
Selwyn Classen
A seasoned and highly qualified IT/IS professional with over 20 years of working experience in the Petrochemical industry (supply chain management, knowledge management, product and quality management, business analysis and processing) as well as the Telecommunications industry.
Security and Risk Management - Selwyn Classen
While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
SECURITY AND RISK MANAGEMENT
First edition. April 2, 2020.
Copyright © 2020 Selwyn Classen.
Written by Selwyn Classen.
Table of Contents
Security and Risk Management
Introduction
Fundamental Security Principles
Introduction
Security and Risk Management Fundamentals
Balancing Business and Security
The CIA Triad
Accountability and Assurance
Control Types
Delaying, Preventing, or Detecting Attacks
Due Care and Due Diligence
Ethics
Conclusion
Legal and Regulatory
Introduction
Legal Systems
Criminal and Civil Law
Administrative Law
Important Laws
Summary
Computer Crime
Introduction
Computers Can Be Used for EVIL
Some Hack Just Because They Can
It's All About the Money
Spies Are Real
Payback and Government Hackers
Theft, Vandalism, and Trespass
Fraud, Spam, and Slander
Conclusion
Intellectual Property
Introduction
Patents
Trademarks and Trade Secrets
Copyrights
Summary
Privacy
Introduction
Privacy Matters
Privacy Law Examples
Conclusion
Licensing
Introduction
Reasons for Licensing
License Types
Open Versus Closed Source Licensing
Commercial Versus Non-commercial Licensing
End-User License Agreements
Free Software
Demo and Trial Licenses
Shareware
Academic Software Licensing
Summary
Trans-border Data Flow
Introduction
Trans-border Data Flow
Import and Export Controls
Summary
Security Awareness
Introduction
Develop a Culture of Security Awareness
Types of Security Awareness
Expected Impact of Training
Awareness Validation
Summary
Aligning Security to the Organization
Introduction
Governance
Roles and Responsibilities
Organizational Objectives
Security Goals
Security Mission
Conclusion
Creating Policies, Procedures, Guidelines, and Baselines
Introduction
Security Frameworks Introduction
Effective Policies and Procedures
Policy Sections
Procedures
Guidelines
Baselines
Summary
Continuity Planning and Disaster Recovery
Introduction
Business Continuity Process
Conducting a Business Impact Analysis
Disaster Recovery Planning vs. Business Continuity Planning
Testing Your Plans
Disaster Events
Recovering from Disaster
Disaster Recovery Controls
Conclusion
Threat Modelling
Introduction
Threat Modeling Overview
Threat Modelling Focus
Threat Model - Scoping
Reviewing the Architecture
Decomposing
Threat Identification using STRIDE
Defining and Documenting Countermeasures
Prioritization
Summary
Risk Assessment Concepts
Introduction
Threats
Threat Source
Vulnerabilities
Risk
Risk Assessments
Risk Assessment Methodologies
Real-World Threats and Vulnerabilities
Assessment Approach
Analysis Approach
Risk Acceptance and Assignment
Common Calculations
Conclusion
Countermeasure Selection Process
Introduction
What Is a Countermeasure?
Control Variations
Control Types
Control Considerations
Assessing Control Strength
Countermeasure Assurance
Example Countermeasures
Conclusion
Frameworks
Introduction
Risk Management Framework
Leveraging Frameworks
NIST Risk Management Framework RMF
FAIR
OCTAVE Allegro
Summary
Security and Risk Management
This course is based on the topics found in the first domain of the CISSP common body of knowledge. Some of the major topics that we will cover include risk assessment, security management, legal and regulatory concerns, computer crimes, and aligning security to the business. By the end of this course, you should be familiar with a broad spectrum of topics that are covered within the first domain of the CISSP.
Introduction
In this module, we will cover the key security elements that every security professional should know about, such as confidentiality, integrity, and availability. We will also cover foundational security principles, such as due care and due diligence. We then move on to legal and regulatory topics, where we will discuss the terminology used, various legal and regulatory concepts, and the different definitions that you will need to be aware of before attempting your examination. Then I move on to discussing computer crime. I will talk about the different reasons for computer crime and the types of computer crime that you might expect to come across throughout your career. We will talk about intellectual property. This includes intellectual property concerns and the methods of protecting intellectual property, such as patents and trademarks.
Following that, we will move into a discussion about privacy. We will discuss the different laws that impact privacy, and you will learn about general privacy concerns that you should be aware of as a security professional. I will talk about licensing. This includes the different licensing practices and the business impact that different licensing types might have on your organization. And in this day and age, trans-border data flows have become more and more important. You will learn about the concerns that we have when data moves from country to country. I will also discuss imports and exports and why you should be concerned about those as a security professional.
I then move on to discussing security awareness. I will describe why security awareness is important to your organization and what you should expect the impact of a good security awareness program to be in the long run. And throughout all of your security efforts, you should always keep in mind that security needs must be balanced with the needs of the business. In the Aligning Security to the Business module, I will discuss items such as business mission statements, organizational objectives, and other items that will help you align your security goals with the goals of the business. I then move on to discussing policies, procedures, and guidelines, and then follow up with a module on continuity planning.
We will discuss the important terms that you need to be aware of and what exactly continuity planning is and how it's different from disaster recovery. In the Threat Modelling module, we will talk about the methods of identifying threats proactively. I will show you how threats can be mapped to assets, and you will learn about the different methodologies that can be used for threat modelling. I will then discuss risk assessment concepts. We will cover the different risk assessment terminology that is commonly used, and we'll talk about several different risk assessment calculations. I will also discuss the different risk assessment types that you will run across throughout your career. And simply identifying that a risk exists is not enough.
In the Countermeasure Selection module, we will talk about the different types of countermeasures that are available and the varying degrees of effectiveness that such countermeasures might have and how you should go about implementing these controls. In the final module of the course, we will cover security frameworks. You'll be introduced to security frameworks, and I will briefly discuss why we need them and then give you a few examples of the different frameworks that are available to you. In this course introduction, I provided you with a high-level overview of the different areas and topics that we will be covering.
Fundamental Security Principles
Introduction
The Certified Information Systems Security Professional (CISSP) certification is the leading IT security certification. If you take a look at any of the various job websites and use CISSP as the search term, you will see the types of positions where the CISSP is either preferred or sometimes even required to get in the door for an interview. As you will see, many of these positions are exciting and typically have one thing in common: they pay well. But to get into the security profession, or to advance your career as a security professional, you will be expected to understand a common body of knowledge. The first step down this road is to get a grasp on the basic concepts and principles commonly used and seen in the security industry. In this module, we address this need and set the foundation to fully understand the concepts that are included in the Security and Risk Management CISSP domain.
Before we begin, we should discuss what is meant by foundational security. For one, we will need to discuss security and risk management fundamentals. This includes all of the different areas that security professionals must deal with on a day-to-day basis. This will address some of the items in the examination overview, such as understanding confidentiality, integrity, and availability and how these should be handled in different organizations. We will also take a brief look at some of the basics around control types such as what they are and what we mean when we reference a control or a countermeasure. These include learning about preventing, deterring, or delaying attacks and why those concepts are important to understand. We then take a look at the concepts of due care and due diligence and then follow that up with a review of ethics and what they mean in the context of the security industry.
Security and Risk Management Fundamentals
Now that the preliminaries are over, let's dive in and talk about the security and risk management fundamentals for a few minutes. Before we can start to dig into the detailed controls and terminology that security is built upon, some very basic items are important to understand so that they are not missed during our day-to-day security activities, or on the exam for that matter. These include the importance of planning, how we should think about data, and how security fits into the big picture.
So let's get started and take a look at a couple of these. As with most problems of high complexity, security is something that is best tackled by decomposing it into its individual parts and pieces. And the odds are that, as you decompose security issues, you will run into repeated patterns of what it is you are trying to protect and how it should be protected. For the sake of simplicity, these parts can be referred to as the building blocks of security. They include areas of focus such as confidentiality, integrity, and availability, and concepts such as risk management, assurance, controls, countermeasures, and many other foundational building blocks. We must have a good understanding of what these foundational building blocks are and how they impact us and the environments that we may have to assess or secure. The very first concept that I would like to share is that clearly defined goals pave the road to success when it comes to creating environments that are both secure and balanced with the needs of the business. These things do not just happen on their own. So we need to keep in mind that implementing security is a process that needs to be well defined and considered at all stages of the product lifecycle.
Another key item that must be considered when it comes to foundational security concerns is that in most cases, we can no longer just think about wrapping perimeters around our networks. We need to understand what exactly it is that we are trying to protect and why we are protecting it in the first place. This may vary based on your organization. But as