Ahmed - Pinger CISSP Assignment 1 IEC - ODF


CISSP Assignment 1 from Ahmed Pinger

(Introduction To CISSP from 1.1 – 1.9)

There are two topics covered in these lectures: the first one is Cyber Security Governance and the second one is Risk Management.

The First Chapter:

In the first chapter we have several topics. The first one is about the CIA Triad, which is the abbreviation for Confidentiality, Integrity and Availability. Confidentiality means keeping data secure and preventing unauthorized access; Integrity means making sure that there is no alteration of data by a hacker; Availability means the service or data is available to the users all the time (24/7).

Then the next topic is about some security definitions, e.g. Vulnerability means a weakness in a system; Threat means any potential danger of a vulnerability being exploited by a hacker; Threat Actor (yes, you guessed it right) means the person who is exploiting the vulnerability; Risk means the probability of a threat becoming real; Countermeasure means a control put into place to prevent potential loss; and Social Engineering is just the skill of lying, of how you can trick people. So that is it for this topic.

The next topic is about Security Policies. Security Policies are policies in an organization which have to be followed by the people (the Security Policies in an organization are called Organizational Policies). There are parts of security policies that make up the whole policy: the first part is the Standard, which describes a specific requirement that has to be followed by all employees; a Baseline is actually the minimum level of security; Guidelines are simply instructions to the employees; and Procedures are step-by-step processes to achieve a task. That is it for this part.

The next part is about Legal Issues. In Legal Issues we have a rule of government which is called the Prudent Person Rule; the rule indicates how you are going to be judged on the level of effort that you give to provide the necessary protection. That's it for this part, and now we have our last part for this chapter before getting into Risk Management: the last part is Security Awareness Training. Security Awareness Training is for everybody in the company; every employee in the company should be trained. Security Awareness Training is not just training, it is a legal protection.

The Second Chapter:

The second chapter is all about Risk Management.


The first topic starts with the definition of Risk Management. It is defined as the process of identifying and assessing risk to reduce it to an acceptable level and to ensure that it remains at its acceptable level.
Next we have: what is an Acceptable Risk Level? It is not a big deal, it is just a level of security defined by Management. We can understand it by a simple example: every company has a different Acceptable Risk Level, e.g. a grocery store compared to NASA.
From here onwards we have some Risk Assessment Methodologies, but before understanding these we first have to understand what Risk Assessment is. It is just a process to identify possible impacts and what will happen if an impact occurs. There are mainly 4 risk assessment methodologies, which are NIST SP 800-30, FRAP, OCTAVE and FMEA.
Now we have our next topic, which is about Risk Analysis. There are mainly 2 types of Risk Analysis: 1. Quantitative risk analysis, 2. Qualitative risk analysis. Number 1, Quantitative Risk Analysis, tries to assign monetary values to the components within the analysis. Number 2, Qualitative Risk Analysis, does not use numbers; instead it uses judgments and intuition.
Now we have some formulae in Quantitative Risk Analysis, which are listed below:
1. Single Loss Expectancy (SLE):
The formula to come up with this is Asset Value (AV) * Exposure Factor (EF) = SLE.
2. Annualized Loss Expectancy (ALE):
The formula to come up with this is SLE * Annualized Rate of Occurrence (ARO) = ALE.
We have another thing in Quantitative Risk Analysis, which is Uncertainty Risk Analysis; it indicates the level of confidence of the team and Management.
We can deal with risk in 4 ways. Number 1 is Risk Mitigation, which means that when you find a risk you implement controls and countermeasures. Number 2 is Risk Transference, which means transferring the risk to a third party, e.g. by purchasing insurance. Number 3 is Risk Acceptance, which means accepting the risk because the control cost is more than the loss cost; Risk Acceptance has 2–3 more options for accepting risk. Number 4 is Risk Avoidance, which means you can do anything to stop the risk or decide to stop the risk.
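The SLE and ALE formulae above, together with the mitigation-versus-acceptance decision, worked through in code. This is an added example, not part of the assignment: the asset values, exposure factors, ARO figures and the control cost are constructed for illustration, and the recommend() rule is simply the note's own "accept when the control costs more than the loss it removes" test, not an algorithm prescribed by CISSP.

```python
"""Quantitative risk analysis helpers: SLE, ALE and a cost/benefit check.

Added example for the CISSP notes above; all figures are constructed, not real.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value * Exposure Factor.

    exposure_factor is the fraction of the asset lost in one incident (0.0-1.0).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * Annualized Rate of Occurrence (expected incidents per year)."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return sle * aro


@dataclass
class Scenario:
    """One threat/asset pairing with the inputs the two formulae need."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(sle, self.aro)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Yearly value of a control: loss avoided minus what the control costs."""
    return (ale_before - ale_after) - annual_control_cost


def recommend(ale_before: float, ale_after: float, annual_control_cost: float) -> str:
    """Mitigate when the control saves more than it costs, otherwise accept.

    Mirrors the note's Risk Acceptance rule: accept when the control cost
    exceeds the loss cost it would remove.
    """
    value = control_value(ale_before, ale_after, annual_control_cost)
    return "mitigate" if value > 0 else "accept"


# Constructed sample scenarios (hypothetical numbers, not from any real assessment).
SCENARIOS = [
    Scenario("web server outage", asset_value=200_000, exposure_factor=0.25, aro=2.0),
    Scenario("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=0.5),
    Scenario("data centre fire", asset_value=5_000_000, exposure_factor=0.6, aro=0.02),
]


def rank_by_ale(scenarios):
    """Highest expected yearly loss first, so management sees where to spend."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        print(f"{s.name:20s} SLE={sle:>12,.2f} ALE={s.ale():>12,.2f}")
    # Constructed control: a redundant web server cutting the outage ARO from
    # 2.0 to 0.2 incidents/year at a hypothetical 15,000/year running cost.
    before = SCENARIOS[0].ale()
    after = annualized_loss_expectancy(single_loss_expectancy(200_000, 0.25), 0.2)
    print("redundant web server:", recommend(before, after, 15_000))
```

Note that the ranking by ALE, not by SLE, is what puts the low-frequency fire below the frequent outage; the same spreadsheet logic is what lets Management set the Acceptable Risk Level in money rather than intuition.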
After dealing with risk we have Types of Security Controls. There are mainly 3 types of controls: No. 1 Administrative Controls, No. 2 Technical Controls, No. 3 Physical Controls, and all these controls can be classified further.
And finally the last thing is Hiring and Firing Issues. While hiring people we have to follow some rules, e.g. first check the background of the person, secondly check his/her drug screening, thirdly check his/her Security Clearance, and the last one is a Credit Card Check. These are all the things to follow while hiring people, but there are different rules for firing people, which are given below.
Firstly, complete his/her exit interview; secondly, get your ID badges, keys and company assets back; and disable the individual's account on a must basis and change the password as well.
