Security and Risk Management: CISSP, #1
Ebook, 207 pages, 2 hours

About this ebook

Security and Risk Management is the first domain of the CISSP common body of knowledge. Some of the major topics that we will cover include risk assessment, security management, legal and regulatory concerns, computer crimes, threat modelling, and continuity planning and disaster recovery.

Language: English
Release date: Apr 2, 2020
ISBN: 9781393200031
Author

Selwyn Classen

A seasoned and highly qualified IT/IS professional with over 20 years' working experience in the Petrochemical industry (supply chain management, knowledge management, product and quality management, business analysis and processing) and in the Telecommunications industry.


    Book preview

    Security and Risk Management - Selwyn Classen

    While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

    SECURITY AND RISK MANAGEMENT

    First edition. April 2, 2020.

    Copyright © 2020 Selwyn Classen.

    Written by Selwyn Classen.

    Table of Contents

    Security and Risk Management

    Introduction

    Fundamental Security Principles

    Introduction

    Security and Risk Management Fundamentals

    Balancing Business and Security

    The CIA Triad

    Accountability and Assurance

    Control Types

    Delaying, Preventing, or Detecting Attacks

    Due Care and Due Diligence

    Ethics

    Conclusion

    Legal and Regulatory

    Introduction

    Legal Systems

    Criminal and Civil Law

    Administrative Law

    Important Laws

    Summary

    Computer Crime

    Introduction

    Computers Can Be Used for EVIL

    Some Hack Just Because They Can

    It's All About the Money

    Spies Are Real

    Payback and Government Hackers

    Theft, Vandalism, and Trespass

    Fraud, Spam, and Slander

    Conclusion

    Intellectual Property

    Introduction

    Patents

    Trademarks and Trade Secrets

    Copyrights

    Summary

    Privacy

    Introduction

    Privacy Matters

    Privacy Law Examples

    Conclusion

    Licensing

    Introduction

    Reasons for Licensing

    License Types

    Open Versus Closed Source Licensing

    Commercial Versus Non-commercial Licensing

    End-User License Agreements

    Free Software

    Demo and Trial Licenses

    Shareware

    Academic Software Licensing

    Summary

    Trans-border Data Flow

    Introduction

    Trans-border Data Flow

    Import and Export Controls

    Summary

    Security Awareness

    Introduction

    Develop a Culture of Security Awareness

    Types of Security Awareness

    Expected Impact of Training

    Awareness Validation

    Summary

    Aligning Security to the Organization

    Introduction

    Governance

    Roles and Responsibilities

    Organizational Objectives

    Security Goals

    Security Mission

    Conclusion

    Creating Policies, Procedures, Guidelines, and Baselines

    Introduction

    Security Frameworks Introduction

    Effective Policies and Procedures

    Policy Sections

    Procedures

    Guidelines

    Baselines

    Summary

    Continuity Planning and Disaster Recovery

    Introduction

    Business Continuity Process

    Conducting a Business Impact Analysis

    Disaster Recovery Planning vs. Business Continuity Planning

    Testing Your Plans

    Disaster Events

    Recovering from Disaster

    Disaster Recovery Controls

    Conclusion

    Threat Modelling

    Introduction

    Threat Modeling Overview

    Threat Modelling Focus

    Threat Model - Scoping

    Reviewing the Architecture

    Decomposing

    Threat Identification using STRIDE

    Defining and Documenting Countermeasures

    Prioritization

    Summary

    Risk Assessment Concepts

    Introduction

    Threats

    Threat Source

    Vulnerabilities

    Risk

    Risk Assessments

    Risk Assessment Methodologies

    Real-World Threats and Vulnerabilities

    Assessment Approach

    Analysis Approach

    Risk Acceptance and Assignment

    Common Calculations

    Conclusion

    Countermeasure Selection Process

    Introduction

    What Is a Countermeasure?

    Control Variations

    Control Types

    Control Considerations

    Assessing Control Strength

    Countermeasure Assurance

    Example Countermeasures

    Conclusion

    Frameworks

    Introduction

    Risk Management Framework

    Leveraging Frameworks

    NIST Risk Management Framework RMF

    FAIR

    OCTAVE Allegro

    Summary

    Security and Risk Management

    This course is based on the topics found in the first domain of the CISSP common body of knowledge. Some of the major topics that we will cover include risk assessment, security management, legal and regulatory concerns, computer crimes, and aligning security to the business. By the end of this course, you should be familiar with a broad spectrum of topics that are covered within the first domain of the CISSP. 

    Introduction

    In this module, we will cover the key security elements that every security professional should know about, such as confidentiality, integrity, and availability. We will also cover foundational security principles, such as due care and due diligence. We then move on to legal and regulatory topics, where we will discuss the terminology used, various legal and regulatory concepts, and the different definitions that you will need to be aware of before attempting your examination. Then I move on to computer crime. I will talk about the different reasons for computer crime and the types of computer crime that you might expect to come across throughout your career. We will talk about intellectual property. This includes intellectual property concerns and the methods of protecting intellectual property, such as patents and trademarks.

    Following that, we will move into a discussion about privacy. We will discuss the different laws that impact privacy, and you will learn about general privacy concerns that you should be aware of as a security professional. I will talk about licensing. This includes the different licensing practices and the business impact that different licensing types might have on your organization. And in this day and age, trans-border data flows have become more and more important. You will learn about the concerns that we have when data moves from country to country. I will also discuss imports and exports and why you should be concerned about those as a security professional.

    I then move on to security awareness. I will describe why security awareness is important to your organization and what you should expect the impact of a good security awareness program to be in the long run. And throughout all of your security efforts, you should always consider that security needs must be balanced with the needs of the business. In the Aligning Security to the Business module, I will discuss items such as business mission statements, organizational objectives, and other items that will help you align your security goals with the goals of the business. I then move on to policies, procedures, and guidelines, and then follow up with a module on continuity planning.

    We will discuss the important terms that you need to be aware of and what exactly continuity planning is and how it's different from disaster recovery. In the Threat Modelling module, we will talk about the methods of identifying threats proactively. I will show you how threats can be mapped to assets, and you will learn about the different methodologies that can be used for threat modelling. I will then discuss risk assessment concepts. We will cover the different risk assessment terminology that is commonly used, and we'll talk about several different risk assessment calculations. I will also discuss the different risk assessment types that you will run across throughout your career. And simply identifying that a risk exists is not enough.

    In the Countermeasure Selection module, we will talk about the different types of countermeasures that are available and the varying degrees of effectiveness that such countermeasures might have and how you should go about implementing these controls. In the final module of the course, we will cover security frameworks. You'll be introduced to security frameworks, and I will briefly discuss why we need them and then give you a few examples of the different frameworks that are available to you. In this course introduction, I provided you with a high-level overview of the different areas and topics that we will be covering. 

    Fundamental Security Principles

    Introduction

    The Certified Information Systems Security Professional (CISSP) certification is the leading IT security certification. If you take a look at any of the various job websites and use CISSP as the search term, you will see the types of positions where the CISSP is either preferred or sometimes even required to get in the door for an interview. As you will see, many of these positions are exciting and typically have one thing in common: they pay well. But to get into the security profession or to advance your career as a security professional, you will be expected to understand a common body of knowledge. The first step down this road is to get a grasp on the basic concepts and principles commonly used and seen in the security industry. In this module, we address this need and set the foundation to fully understand the concepts that are included in the Security and Risk Management CISSP domain.

    Before we begin, we should discuss what is meant by foundational security. For one, we will need to discuss security and risk management fundamentals. This includes all of the different areas that security professionals must deal with on a day-to-day basis. This will address some of the items in the examination overview, such as understanding confidentiality, integrity, and availability and how these should be handled in different organizations. We will also take a brief look at some of the basics around control types such as what they are and what we mean when we reference a control or a countermeasure. These include learning about preventing, deterring, or delaying attacks and why those concepts are important to understand. We then take a look at the concepts of due care and due diligence and then follow that up with a review of ethics and what they mean in the context of the security industry. 

    Security and Risk Management Fundamentals

    Now that the preliminaries are over, let's dive in and talk about the security and risk management fundamentals for a few minutes. Before we can start to dig into the detailed controls and terminology that security is built upon, some very basic items are important to understand so that they are not missed during our day-to-day security activities, or on the exam for that matter. These include the importance of planning, how we should think about data, and how security fits into the big picture.

    So let's get started and take a look at a couple of these. As with most problems of high complexity, security is something that is best tackled by decomposing it into its individual parts and pieces. And the odds are that you will find that as you decompose security issues, you'll run into repeated patterns of what it is you're trying to protect and how it should be protected. For the sake of simplicity, these parts can be referred to as the building blocks of security. And they include areas of focus such as confidentiality, integrity, availability, and concepts such as risk management, assurance, controls, countermeasures, and many other foundational building blocks. We must have a good understanding of what these foundational building blocks are and how they impact us and the environments that we may have to access or secure. The very first concept that I would like to share is that clearly defined goals pave the road to success when it comes to creating environments that are both secured and balanced with the needs of the business. These things do not just happen on their own. So we need to keep in mind that implementing security is a process that needs to be well defined and considered at all stages of the product lifecycle.

    Another key item that must be considered when it comes to foundational security concerns is that in most cases, we can no longer just think about wrapping perimeters around our networks. We need to understand what exactly it is that we are trying to protect and why we are protecting it in the first place. This may vary based on your organization. But as
