
Domain: Security and Risk Management

Topic 1: Understand, adhere to, and promote professional ethics

1. (ISC)² Code of Professional Ethics

Code of Ethics Preamble

“The safety and welfare of society and the common good, duty to our principals, and
to each other, requires that we adhere, and be seen to adhere, to the highest
ethical standards of behavior.

Therefore, strict adherence to this Code is a condition of certification. For our
clientele, and the public at large, to see the value in (ISC)² certifications, they
must be able to trust our members; this trust must come from a belief that (ISC)²
members act in a manner that is correct and professional and offer benefit.”

Code of Ethics Canons

1. Protect society, the commonwealth, and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession

https://www.isc2.org/ethics#

2. Organizational code of ethics

======================================================================================

Topic 2: Understand and apply concepts of confidentiality, integrity and
availability

1. Confidentiality - "Keeping good data away from bad actors"

For Confidentiality to be maintained in a network, data must be protected at rest
(storage), in use (memory and processing) and on the wire (in transit).

Violations of Confidentiality can come from ANYWHERE, at ANY TIME... bad decisions
on the part of users, administrators and customers can all lead to a violation.
Also, remember that security policies that are not implemented properly can lead to
potential confidentiality violations.

Possible countermeasures include:

a. encryption
b. traffic padding
c. strict access controls / authentication
d. data classification
e. awareness training

Confidentiality & Integrity depend on each other. One is not effective without the
other.

Additional concepts linked to Confidentiality:

1. sensitivity
2. discretion
3. criticality
4. concealment
5. isolation

2. Integrity - "Change control for data - no unauthorized modification without
knowledge and consent of data owner"

Three ways in which we can understand Integrity:

1. Preventing unauthorized subjects from making modifications
2. Preventing authorized subjects from making unauthorized modifications
3. Maintaining consistency of objects so that they are true and accurate

Possible countermeasures include:

a. strict access controls / authentication
b. IDS
c. encryption
d. hashing
e. interface restrictions / controls
f. input / function checks (validation)

Additional concepts linked to Integrity:

1. accuracy
2. authenticity
3. validity
4. nonrepudiation - user cannot deny having performed an action
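The "hashing" countermeasure and the distinction between integrity cases 1 and 2 above are easiest to see with a concrete check. The following is an added example written for these notes; it is not part of the original (ISC)² or CISSP material. The configuration record, the tampered copy and the key value `verifier-only-key-hypothetical` are constructed for illustration. It shows that a plain SHA-256 digest catches modification only when the modifier cannot also rewrite the stored digest, and that a keyed HMAC whose key the writer does not hold closes that gap.

```python
import hashlib
import hmac

# Constructed sample: a small configuration record an administrator "publishes".
ORIGINAL = b"allow_ssh_from=10.0.0.0/8\nroot_login=no\n"
# Constructed unauthorized modification: same record, one line loosened.
TAMPERED = b"allow_ssh_from=0.0.0.0/0\nroot_login=no\n"


def sha256_hex(data: bytes) -> str:
    """Plain hash. Detects accidental or unauthorized change only if the
    reference digest is stored somewhere the modifier cannot also rewrite."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    # compare_digest runs in time independent of where the first mismatch is
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256). A subject without the key cannot produce a
    valid tag, so rewriting both the data and its tag is still detected."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def demo(key: bytes = b"verifier-only-key-hypothetical") -> dict:
    """Walk through the two integrity cases from the notes and return the
    outcome of each check. `key` is a hypothetical secret held only by the
    verifier, never by the subject who writes the record."""
    ref_hash = sha256_hex(ORIGINAL)
    ref_tag = hmac_tag(key, ORIGINAL)

    # Case 1: the record changes but the stored digest does not (bit rot, or a
    # subject who can write the file but not the separately stored digest).
    silent_change_caught = not verify_hash(TAMPERED, ref_hash)

    # Case 2: an authorized writer makes an unauthorized change and, because
    # the digest sits next to the file, simply recomputes the plain hash...
    forged_hash = sha256_hex(TAMPERED)
    plain_hash_fooled = verify_hash(TAMPERED, forged_hash)

    # ...but cannot forge the keyed tag without the verifier's key. The best
    # it can do is leave the old tag in place, which no longer matches.
    keyed_tag_fooled = verify_hmac(key, TAMPERED, ref_tag)

    return {
        "silent_change_caught": silent_change_caught,
        "plain_hash_fooled_by_recompute": plain_hash_fooled,
        "hmac_fooled_by_recompute": keyed_tag_fooled,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Run it directly to see the three outcomes. Note the limit of HMAC for the "nonrepudiation" concept listed above: both the writer and the verifier could hold the same key, so a valid tag proves the data came from one of the key holders but cannot settle which one. A dispute of that kind needs a digital signature made with a private key that only the signer holds.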

3. Availability - authorized subjects can access objects in a timely manner without
interruption

Possible countermeasures include:

a. strict access controls / authentication
b. continuous monitoring
c. firewalls & routers to prevent DoS / DDoS attacks
d. redundant system design
e. periodic testing of backup systems

Additional concepts linked to Availability:

1. usability
2. accessibility
3. timeliness

======================================================================================

Topic 3: Evaluate and apply security governance principles

Information security management validates that appropriate policies, procedures,
standards, and guidelines are implemented to ensure business operations are
conducted within an acceptable level of risk.

A Security Framework
- acts as a reference point
- provides a common language for communications (CULTURE OF SECURITY)
- allows us to share information and create relevancy

Examples

Financial Reporting:

Basel II
Sarbanes-Oxley
COSO

Information Security:

BS7799 / ISO 27000 family:

27000 ISMS overview and vocabulary (the "umbrella" standard)
27001 ISMS requirements, the certifiable standard (successor of BS 7799 Part 2)
27002 code of practice for information security controls (successor of BS 7799
      Part 1 / ISO 17799); the 2005 edition listed 133 controls, reduced to 114
      in the 2013 edition and 93 in the 2022 edition
27003 ISMS implementation guidance
27004 ISM monitoring, measurement, analysis and evaluation (metrics)
27005 information security risk management
27006 requirements for bodies that audit and certify an ISMS
27007 guidelines for ISMS auditing
27009 sector-specific application of ISO 27001
27010 information security management for inter-sector and inter-organizational
      communications (e.g. sharing among critical-infrastructure operators)
27014 governance of information security


COBIT 5 / COBIT 2019: A business framework for the governance and management of
enterprise IT

ISO 15408: Common Criteria for Information Technology Security Evaluation

ISO/IEC 15408-1 Information security, cybersecurity and privacy protection —
Evaluation criteria for IT security — Part 1: Introduction and general model

Framework for specifying and evaluating security claims: a Protection Profile (PP)
states implementation-independent requirements for a class of product, a Security
Target (ST) states what one specific product claims, and the Evaluation Assurance
Level (EAL 1-7) rates how rigorously those claims were evaluated, not how secure
the product is in a given deployment.

Information Security Forum: (www.securityforum.org)

Standard of Good Practice for Information Security - 5 "aspects":

Security Management
Critical Business Applications
Computer Installations
Networks
Systems Development

Broken out into 30 "areas," and 135 "sections"

NIST CyberSecurity Framework:
https://www.nist.gov/cyberframework

BSIMM:
https://www.bsimm.com/framework.html

ITIL

Management / Enterprise frameworks: NOTE... (LOOK FOR THE DEEP DIVE ON SABSA, TOGAF
& ZACHMAN BELOW)

- Zachman
- Calder-Moir
- TOGAF
- DoDAF
- MODAF
- SABSA
- COSO

NIST: A library of freely available resources (http://csrc.nist.gov)

Information Security Handbook: A Guide for Managers SP800-100

Security and Privacy Controls for Information Systems and Organizations SP800-53R5
(the R4 title was Security and Privacy Controls for Federal Information Systems
and Organizations)

Guide for Conducting Risk Assessments SP800-30R1 (the original 2002 edition was
titled Risk Management Guide for Information Technology Systems)

An Introduction to Information Security SP800-12R1

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
SP800-161 R1

Computer Security Incident Handling Guide SP800-61R2

Risk Management Framework for Information Systems and Organizations: A System Life
Cycle Approach for Security and Privacy SP800-37R2 (the R1 title was Guide for
Applying the Risk Management Framework to Federal Information Systems)

https://www.iso.org/standard/50341.html
https://www.iso.org/isoiec-27001-information-security.html

DEEP DIVE ON SABSA, TOGAF & ZACHMAN

SABSA -

A methodology for developing business-driven, risk and opportunity focused Security
Architectures at both enterprise and solutions level that traceably support
business objectives.

It is also widely used for Information Assurance Architectures, Risk Management
Frameworks, and to align and seamlessly integrate security and risk management into
IT Architecture methods and frameworks.

SABSA is comprised of a series of integrated frameworks, models, methods and
processes, used independently or as a holistic integrated enterprise solution,
including:

Business Requirements Engineering Framework (known as Attributes Profiling)
Risk and Opportunity Management Framework
Policy Architecture Framework
Security Services-Oriented Architecture Framework
Governance Framework
Security Domain Framework
Through-life Security Service Management & Performance Management Framework

|======================|==========================|
| View                 | Architecture layer       |
|======================|==========================|
| Business View        | Contextual Architecture  |
| Architect's View     | Conceptual Architecture  |
| Designer's View      | Logical Architecture     |
| Constructor's View   | Physical Architecture    |
| Technician's View    | Component Architecture   |
| Manager's View       | Management Architecture  |
|======================|==========================|

Lifecycle: Strategy & Planning --> Design --> Implement --> Manage & Measure

=============================================================================

TOGAF Standard, Version 9.2/10

In particular, the following concepts are included:

Partitioning – a number of techniques and considerations on how to partition the
various architectures within an enterprise.

Architecture Repository – a logical information model for an Architecture
Repository which can be used as an integrated store for all outputs created by
executing the Architecture Development Method (ADM).

Capability Framework – a structured definition of the organization, skills, roles,
and responsibilities required to operate an effective enterprise architecture
capability. The TOGAF standard also provides guidance on a process that can be
followed to identify and establish an appropriate architecture capability.

What Kinds of Architecture does the TOGAF Standard Deal with?

Business Architecture - The business strategy, governance, organization, and key
business processes.

Data Architecture - The structure of an organization’s logical and physical data
assets and data management resources.

Application Architecture - A blueprint for the individual applications to be
deployed, their interactions, and their relationships to the core business
processes of the organization.

Technology Architecture - The logical software and hardware capabilities that are
required to support the deployment of business, data, and application services.
This includes IT infrastructure, middleware, networks, communications, processing,
and standards.

==================================================================
The Zachman Framework -

The Framework for Enterprise Architecture (or Zachman Framework) as it applies to
Enterprises is simply a logical structure for classifying and organizing the
descriptive representations of an Enterprise that are significant to the management
of the Enterprise as well as to the development of the Enterprise’s systems, manual
systems as well as automated systems.

======================================================================================

Topic 4: Determine compliance requirements - (AUDITABILITY)

1. Contractual, legal, industry standards, and regulatory requirements

Governance, Risk Management, and Compliance (GRC)

U.S.-EU Safe Harbor Framework (invalidated by the Court of Justice of the European
Union on October 6, 2015 in Schrems I) / Privacy Shield (invalidated by the same
court on July 16, 2020 in Schrems II)

EU-U.S. Data Privacy Framework (adequacy decision adopted July 10, 2023) -- do I
hear a Schrems III case?

2. Privacy requirements

- GDPR replaces Directive 95/46/EC

- Personally Identifiable Information (PII)

- Protected Health Information (PHI)

======================================================================================

Topic 5: Understand legal and regulatory issues that pertain to information
security in a holistic context

1. Cyber crimes and data breaches

When assessing the effect of cybercrime, you need to evaluate areas such as:

a. Loss of intellectual property and / or sensitive data
b. Damage to brand image/reputation
c. Penalties and compensatory payments
d. Cost of countermeasures

Event - any observable occurrence in a system or network; on its own it says
nothing about impact

Incident - an event (or series of events) with a negative outcome, e.g. an
unplanned interruption to or reduction in quality of a service (ITIL), or a
violation of security policy

Breach - an incident in which a control actually fails and data or a system is
accessed, disclosed, altered or destroyed without authorization; every breach is
an incident, but most incidents are not breaches

Disclosure - making "secret" information public

2. Licensing and intellectual property requirements

Patent - a set of exclusive rights granted by a sovereign state or intergovernmental
organization to an inventor or assignee for a limited period of time (typically 20
years) in exchange for detailed public disclosure of an invention. An invention is
a solution to a specific technological problem and is a product or a process.

Copyright - protects original works of authorship, published or unpublished, from
unauthorized copying, distribution, adaptation, public performance and display.
Giving credit does not by itself make a copy lawful; permission (a license) does.
Copyright covers not only books but also advertisements, articles, graphic designs,
labels, letters (including emails), lyrics, maps, musical compositions, product
designs, software source and object code, etc.

Works Created on or after January 1, 1978 -

The law automatically protects a work that is created and fixed in a tangible
medium of expression on or after January 1, 1978, from the moment of its creation
and gives it a term lasting for the author’s life plus an additional 70 years. For
a “joint work prepared by two or more authors who did not work for hire,” the term
lasts for 70 years after the last surviving author’s death.

For works made for hire and anonymous and pseudonymous works, the duration of
copyright is 95 years from first publication or 120 years from creation, whichever
is shorter (unless the author’s identity is later revealed in Copyright Office
records, in which case the term becomes the author’s life plus 70 years).

According to the major international intellectual-property protection treaties
(Berne Convention, Universal Copyright Convention, and WIPO Copyright Treaty) five
rights are associated with a copyright, the right to:

(1) Reproduce the work in any form, language, or medium
(2) Adapt or derive more works from it
(3) Make and distribute its copies
(4) Perform it in public
(5) Display or exhibit it in public

Trademark - a recognizable sign, design or expression that distinguishes the
products or services of one source from those of others. A mark that identifies
services rather than goods is called a service mark.

3. Import/export controls

International Traffic in Arms Regulations (ITAR) - U.S. State Department rules for
defense articles and services on the U.S. Munitions List; decides what is treated
as a munition and who may receive it

Export Administration Regulations (EAR) - U.S. Commerce Department rules for
dual-use items on the Commerce Control List; decides under what conditions
(license, license exception, destination, end user) an item may be exported.
Encryption products fall under Category 5 Part 2 of that list.

The Wassenaar Arrangement - multilateral agreement under which participating states
coordinate national export controls on conventional arms and dual-use goods and
technologies, including cryptography and "intrusion software"

4. Trans-border data flows

OECD Declaration on Transborder Data Flows, OECD Digital Economy Paper No. 1 (Apr.
11, 1985)

"Rapid technological developments in the field of information, computers and
communications are leading to significant structural changes in the economies of
Member countries. Flows of computerized data and information are an important
consequence of technological advances and are playing an increasing role in
national economies. With the growing economic interdependence of Member countries,
these flows acquire an international dimension, known as transborder data flows."

5. Privacy

Organization for Economic Cooperation and Development (OECD) Guidelines

Recommendation of the Council concerning Guidelines Governing the Protection of
Privacy and Transborder Flows of Personal Data:

https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188

Eight Core Principles

1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Data Controller Accountability

======================================================================================
Spotlight on the GDPR

Overview of the General Data Protection Regulation (GDPR)

In December 2015 the process of agreeing new legislation designed to reform the
legal framework for the privacy rights of EU residents was completed. The texts
were formally adopted in April 2016 and the GDPR became enforceable on 25 May 2018.

The reforms consist of two instruments:

1. The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which
is designed to enable individuals to better control their personal data.

2. The Law Enforcement Directive (Directive (EU) 2016/680), which is designed to
ensure that the data of victims, witnesses and suspects of crimes are duly
protected when processed by police and criminal justice authorities in the context
of a criminal investigation or a law enforcement action.

Key Components of the GDPR

Harmonization across and beyond the EU - The regulation is intended to establish
one single set of rules across Europe, making it simpler and cheaper for
organizations to do business across the Union. Organizations established outside
the EU fall within its scope (Article 3(2)) when they offer goods or services to
people in the EU or monitor their behaviour; it is the location of the data subject
when the processing happens, not their nationality or residence status, that
matters.

What is “Personal Data”? - “Personal data” is defined in both the Directive and the
GDPR as any information relating to a person who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier, or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that person.

As a result, in many cases online identifiers including IP addresses and cookie IDs
will be regarded as personal data if they can be (or are capable of being) linked
back to the data subject.

There is no distinction between personal data about individuals in their private,
public or work roles – the person is the person.

Controllers and Processors - The Regulation separates responsibilities and duties
of data controllers and processors, obligating controllers to engage only those
processors that provide “sufficient guarantees to implement appropriate technical
and organisational measures” to meet the Regulation’s requirements and protect data
subjects’ rights.

Controllers and processors are required to “implement appropriate technical and
organisational measures” taking into account “the state of the art and the costs of
implementation” and “the nature, scope, context, and purposes of the processing as
well as the risk of varying likelihood and severity for the rights and freedoms of
individuals.”

The regulation provides specific suggestions for what kinds of security actions
might be considered “appropriate to the risk,” including:

• The pseudonymisation and/or encryption of personal data
• The ability to ensure the ongoing confidentiality, integrity,
availability and resilience of systems and services processing personal data
• The ability to restore the availability and access to data in a timely
manner in the event of a physical or technical incident
• A process for regularly testing, assessing and evaluating the
effectiveness of technical and organizational measures for ensuring the security of
the processing

Controllers and processors that adhere to either an approved code of conduct or an
approved certification may use these tools to demonstrate compliance.

The controller-processor relationship must be documented and managed with contracts
that mandate privacy obligations – however, ultimately controllers must assure
themselves of processors’ privacy capabilities.

Fines and Enforcement - Regulators have authority to issue penalties of up to the
greater of €10 million or 2% of the entity's total worldwide annual turnover for
the preceding financial year for violations of record-keeping, security, breach
notification, and data protection impact assessment obligations (Article 83(4)).

Violations of obligations related to the legal basis for processing (including
consent), data subject rights, and cross-border data transfers may result in
penalties of up to the greater of €20 million or 4% of worldwide annual turnover
(Article 83(5)).

Data Protection Officers - Data Protection Officers must be appointed for all
public authorities, and where the core activities of the controller or the
processor involve “regular and systematic monitoring of data subjects on a large
scale” or where the entity conducts large-scale processing of “special categories
of personal data” (such as that revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, and the like).

Note: Although an early draft of the GDPR limited mandatory data protection
officer appointment to organizations with more than 250 employees, the final
version has no such restriction.

The regulation requires that they have “expert knowledge of data protection law and
practices.” The level of which “should be determined in particular according to the
data processing operations carried out and the protection required for the personal
data processed by the controller or the processor.”

The data protection officer’s tasks are also delineated in the regulation to
include:

• Informing and advising the controller or processor and its employees of
their obligations to comply with the GDPR and other data protection laws
• Monitoring compliance including managing internal data protection
activities, training data processing staff, and conducting internal audits
• Advising with regard to data protection impact assessments when required
(Article 35 of the adopted text)
• Working and cooperating with the controller’s or processor’s designated
supervisory authority and serving as the contact point for the supervisory
authority on issues relating to the processing of personal data
• Being available for inquiries from data subjects on issues relating to
data protection practices, withdrawal of consent, the right to be forgotten, and
related rights

Data Protection Officers may insist upon company resources to fulfill their job
functions and for their own ongoing training.

They must have access to the company’s data processing personnel and operations,
significant independence in the performance of their roles, and a direct reporting
line “to the highest management level” of the company.

The regulation expressly prevents dismissal or censure of the data protection
officer for performance of his/her tasks and places no limitation on the length of
their tenure.

A company with multiple subsidiaries may appoint a single data protection officer
so long as they are “easily accessible from each establishment.”

The GDPR also allows the data protection officer functions to be performed by
either an employee of the controller or processor or by a third party service
provider.

Privacy Management - The regulation mandates a “Risk Based Approach:” where the
appropriate organizational controls must be developed according to the degree of
risk associated with the processing activities.

Where appropriate, privacy impact assessments must be made – with the focus on
protecting data subject rights.

Data protection safeguards must be designed into products and services from the
earliest stage of development – Privacy by Design.

There is an increased emphasis on record keeping for controllers – designed to help
demonstrate and meet compliance with the regulation and improve the capabilities of
organizations to manage privacy and data effectively. There is an exclusion for
small businesses (fewer than 250 staff), but only where the processing is
occasional, is unlikely to result in a risk to data subjects and involves no
special categories of data (Article 30(5)).

Consent - one legal basis for processing (along with legitimate interests,
performance of a contract and others). According to the Regulation consent means
“any freely given, specific, informed and unambiguous indication of his or her
wishes by which the data subject, either by a statement or by a clear affirmative
action, signifies agreement to personal data relating to them being processed;”

The purposes for which consent is gained must be “specified, explicit and
legitimate”. In other words it needs to be obvious to the data subject what their
data is going to be used for at the point of data collection.

• Consent should be demonstrable – organizations need to be able to show
clearly how consent was gained and when.

• Consent must be freely given – a controller cannot insist on data that’s
not required for the performance of a contract as a pre-requisite for that
contract.

• Withdrawing consent should always be possible – and should be as easy as
giving it.

Information Provided at Data Collection - The information that must be made
available to a Data Subject when data is collected has been strongly defined and
includes:

• the identity and the contact details of the controller and DPO
• the purposes of the processing for which the personal data are intended
• the legal basis of the processing
• where applicable, the legitimate interests pursued by the controller or
by a third party
• where applicable, the recipients or categories of recipients of the
personal data
• where applicable, that the controller intends to transfer personal data
internationally
• the period for which the personal data will be stored, or if this is not
possible, the criteria used to determine this period
• the existence of the right to access, rectify or erase the personal data
• the right to data portability
• the right to withdraw consent at any time
• and the right to lodge a complaint to a supervisory authority

Where the data has not been obtained directly from the data subject the list varies
and includes:

• From which source the personal data originate
• The existence of any profiling and meaningful information about the logic
involved, as well as the significance and the envisaged consequences of such
processing for the data subject

There are some exceptions – notably where the effort would be disproportionate and,
where the information has already been provided to the data subject.

Profiling - any automated processing of personal data to evaluate certain personal
aspects of a person, “in particular to analyse or predict aspects concerning that
natural person's performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or movements”.

Individuals have the right not to be subject to a decision based solely on
automated processing, including profiling, where it produces legal effects or
similarly significant effects on them (Article 22), and an unconditional right to
object to profiling for direct marketing purposes (Article 21).

Automated decision making of that kind is lawful where individuals have explicitly
consented to it, where it is necessary for a contract between an organization and
the individual, or where it is authorized by EU or Member State law; in the first
two cases the individual must still be able to obtain human intervention and to
contest the decision.

Legitimate Interests & Direct Marketing - The regulation specifically recognizes
that the processing of data for “direct marketing purposes” can be considered as a
legitimate interest. Legitimate interest is one of the grounds, like consent, that
an organization can use in order to process data and satisfy the principle that
data has been fairly and lawfully processed.

The act says that processing is lawful if “processing is necessary for the purposes
of the legitimate interests pursued by the controller or by a third party, except
where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in
particular where the data subject is a child.”

Breach & Notification - According to the regulation a “personal data breach” is “a
breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted,
stored or otherwise processed”

It’s important to note that the wilful destruction or alteration of data is as much
a breach as theft.

In the event of a personal data breach data controllers must notify the appropriate
supervisory authority “without undue delay and, where feasible, not later than 72
hours after having become aware of it.” If notification is not made within 72
hours, the controller must provide a “reasoned justification” for the delay.

Notice is not required if “the personal data breach is unlikely to result in a risk
for the rights and freedoms of individuals,” How this translates into real-world
action is not clear however.

Importantly, when a data processor experiences a personal data breach it must
notify the controller “without undue delay” (Article 33(2)) but otherwise has no
direct notification or reporting obligation to the authority or to data subjects.

Should the controller determine that the personal data breach “is likely to result
in a high risk to the rights and freedoms of individuals,” it must also communicate
information regarding the personal data breach to the affected data subjects. Under
Article 34 this must be done “without undue delay.”

The GDPR provides exceptions to this additional requirement to notify data subjects
in the following circumstances:

1. The controller has “implemented appropriate technical and organisational
protection measures” that “render the data unintelligible to any person who is not
authorised to access it, such as encryption”
2. The controller takes actions subsequent to the personal data breach to
“ensure that the high risk for the rights and freedoms of data subjects” is
unlikely to materialize.
3. When notification to each data subject would “involve disproportionate
effort,” in which case alternative communication measures may be used.

Data Subject Access Requests - Individuals will have more information on how their
data is processed and this information should be available in a clear and
understandable way.

DSAR’s must be executed “without undue delay and at the latest within one month of
receipt of the request.”

Subject access requests must also give all the information relating to purposes
that should have been provided upon collection.

The Right to Data Portability - Focused on helping drive competition between
service providers, this part of the regulation entitles data subjects to receive
the data they provided in a structured, commonly used and machine-readable format
and to have it transmitted directly to another controller where technically
feasible (Article 20). No single exchange format is mandated.

Retention & The Right to be Forgotten - Controllers must inform subjects of the
period of time (or reasons why) data will be retained on collection. Should the
data subject subsequently wish to have their data removed and the data is no longer
required for the reasons for which it was collected then it must be erased.

Note: there is a “downstream” responsibility for controllers to take “reasonable
steps” to notify processors and other downstream data recipients of such requests.

A brief introduction to the E-Privacy Regulation and why GDPR needs this:

Known by many names including ePrivacy, ePrivacy2, PECR2 and ePR, this proposed
regulation was intended to replace the existing EU ePrivacy Directive (2002/58/EC)
and to harmonize with and extend the GDPR for electronic communications. Like the
GDPR it was to have global reach and similarly significant penalties for
non-compliance. In the UK it would have replaced the existing PECR rules.

This legislation was designed to regulate the use of personal information across
all electronic communications, including telephony.

The legislation was still in draft when these notes were written (latest version
then issued on 9 September 2017), with the aim of applying from the same date as
the GDPR, 25 May 2018. That date was missed, the text never reached agreement
between Parliament and Council, and the Commission withdrew the proposal in early
2025. The 2002 Directive (PECR in the UK) therefore remains in force alongside the
GDPR.

This regulation is particularly important for digital marketing activity because,
as drafted, it overrides the GDPR's allowance for legitimate interests and requires
consent for all digital communications for marketing purposes. There is still an
allowance for the so-called "soft opt-in", where existing customers can be
contacted about similar goods and services with an opt-out only, but it should be
noted that the wording has been tightened to restrict this to customers only.

Cookies and similar tracking technologies, when used for non-essential purposes
(like profiling and advertising), require prior consent. Browser and interface
makers are set to bear the burden of responsibility here by providing new
mechanisms that let individuals manage their consent more easily. The goal is a
much more open dialogue between advertisers and data subjects, with advertisers
needing to make the "value exchange" much clearer.

What information does the GDPR apply to?

Personal data - Like the UK Data Protection Act 1998 (DPA), the GDPR applies to
‘personal data’. However, the GDPR’s definition is more detailed and makes it clear
that information such as an online identifier can be personal data. The more
expansive definition provides for a wide range of personal identifiers to
constitute personal data.

You can assume that if you hold information that falls within the scope of the DPA,
it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where
personal data are accessible according to specific criteria. This is wider than the
DPA’s definition and could include chronologically ordered sets of manual records
containing personal data.

Note: Personal data that has been pseudonymised can fall within the scope of the
GDPR depending on how difficult it is to attribute the pseudonym to a particular
individual.
Sensitive personal data - The GDPR refers to sensitive personal data as “special
categories of personal data” (see Article 9). These categories are broadly the same
as those in the DPA, but there are some minor changes.

For example, the special categories specifically include genetic data, and
biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but
similar extra safeguards apply to its processing (see Article 10).

===================================================================================
================

Topic 6: Understand requirements for investigation types

Investigation Types:

1. Administrative - internal investigations of operational or policy violation
issues

2. Criminal - conducted by law enforcement to verify violation(s) of criminal law

3. Civil - internal employees and consultants working together on behalf of a legal
team looking to present a case in a civil trial

4. Regulatory - government agency investigation when they believe that violations
have occurred

5. Industry standards - Electronic Discovery (eDiscovery) used to facilitate the
processing of electronic information for disclosure

Electronic Discovery Reference Model (9 steps):

1. Information Governance - ensures information is well organized

2. Identification - locates information covered by a discovery request

3. Preservation - protects discoverable information against deletion and/or
alteration

4. Collection - gathers information centrally for use in the discovery process

5. Processing - screens collected information to filter out unnecessary information
prior to review

6. Review - examination of remaining information to determine what information
needs to be provided to comply with discovery request, and which information may be
protected, and therefore would not be provided

7. Analysis - deep inspection of content & context of remaining information

8. Production - places information into form that can be shared

9. Presentation - displays information to people

BONUS TIME !!!!

What are the types of Legal Systems?

Civil (code law systems)
- system of law used in continental Europe
- rule based law (not precedent based)
- focused on codified or written laws
- most widespread legal system in the world

Common law
- developed in England
- based on previous interpretation of laws
- it reflects the community's morals and expectations
- uses judges and juries to decide cases

Subtypes of common law systems:

Criminal
- based on common law, statutory law, or a combination of both
- addresses behavior considered harmful to society
- punishment usually involves loss of freedom or monetary fines

Civil / tort
- under civil law the defendant owes a legal duty to the victim
- the defendant's breach of that duty causes injury to the victim

Other types of law systems:

Administrative (regulatory law)
- laws created by administrative agencies
- innocent until proven guilty

Customary law
- based on traditions and customs
- restitution is commonly in the form of monetary fine or service

Religious law
- rather than creating laws, scholars and lawmakers attempt to
discover the truth of the law

Mixed law systems
- two or more of the previous systems mixed together

===================================================================================
================

Topic 7: Develop, document, and implement security policy, standards, procedures,
and guidelines

Security Policy - Direction from senior management (Strategic - Why & What)

Standard - Formalized (Regulatory / Statutory)

Process - A series of related tasks or methods that together turn inputs into
outputs. (Operational - Who & When & Where)

Procedure - Step by step method of accomplishing something (Tactical - How)

Guideline - Best Practice recommendation

===================================================================================
================

Topic 8: Identify, analyze, and prioritize Business Continuity (BC) requirements

1. Develop and document scope and plan

Project Management
Senior Management Support (*)
Project Scope
Resources
Timeline

2. Business Impact Analysis (BIA) ISO/TS 22317:2021
Security and resilience — Business continuity management systems — Guidelines for
business impact analysis & NIST SP800-34R1 - (pages 15 - 20)

Used to determine what impact a disruptive event would have on an organization

Goals:

1. Determine Criticality/Estimate Maximum Downtime
2. Evaluate Resource Requirements
3. Identify recovery priorities for system resources

Process Steps:

1. Gather requirements/information
2. Vulnerability assessment
3. Risk Analysis
Quantitative - ALE = SLE * ARO ===> ALE = (AV*EF) * ARO
Qualitative
4. Communicate findings - Audience relevancy

Determining Downtime:

Maximum Allowable Downtime (MAD) / Maximum Tolerable Downtime (MTD)

Recovery Time Objective (RTO)

Work Recovery Time (WRT)

Recovery Point Objective (RPO)

===================================================================================
================

Topic 9: Contribute to and enforce personnel security policies and procedures

1. Candidate screening and hiring
2. Employment agreements and policies
3. Onboarding and termination processes
4. Vendor, consultant, and contractor agreements and controls
5. Compliance policy requirements
6. Privacy policy requirements

Job Rotation - Cross-training | knowledge documentation

Separation of Duties - prevent one person from having ALL the power

Need to Know - Amount of knowledge required to execute job

Least Privilege - Level of access (permissions) required to execute job

===================================================================================
================

Topic 10: Understand and apply risk management concepts

MUST KNOW CONCEPTS !!: NIST SP800-30R1 page 12

Risk: The probability (likelihood) that a given threat source will exercise a
particular vulnerability and the resulting impact should that occur

Threat - an event or situation that if it occurred, would prevent the organization
from operating in its normal manner

Vulnerability - weakness

Likelihood - chance something might happen

Impact - what a threat will cost (quantitative/qualitative)

Countermeasure (control) - mechanism applied to minimize risk

Residual Risk - remaining risk(s) after all countermeasures/controls have been
applied

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

1. Identify threats and vulnerabilities - NIST SP800-30R1

A vulnerability is “an inherent weakness in an information system, security
procedures, internal controls, or implementation that could be exploited by a
threat source"

2. Risk assessment/analysis - NIST SP800-30R1 page 23

Step 1 - Prepare for Assessment
Step 2 - Conduct Assessment
a. Identify threat sources & events
b. Identify vulnerabilities & predisposing conditions
c. Determine likelihood of occurrence
d. Determine magnitude of impact
e. Determine Risk
Step 3 - Communicate Results
Step 4 - Maintain Assessment

3. Risk response - treatment/treat

1. Avoid
2. Accept
3. Transfer (Share)
4. Mitigate
5. Recast (reclassification)
6. Ignore

4. Countermeasure selection and implementation

Cost
Effectiveness
Appropriateness

5. Applicable types of controls (e.g., preventive, detective, corrective)

Control Categories
• Physical
• Administrative
• Logical (Technical)

The seven main types of functional controls are:

1. Directive: attempt to specify action(s) to ensure compliance with security
policy

2. Deterrent: attempt to discourage security policy violations. Key difference
between Preventative and Deterrent is that preventative blocks action while
deterrent relies on individual making the right choice

3. Preventive: attempt to stop unwanted access

4. Compensating: attempt to provide an alternate control in absence of primary

5. Detective: attempt to identify unauthorized access AFTER occurrence of
unauthorized activity

6. Corrective: modifies environment to return to normal operation AFTER occurrence
of unauthorized activity

7. Recovery: attempt to repair or restore after a security violation - extension of
corrective controls, but have more advanced capabilities

6. Security Control Assessment (SCA) - Monitor your controls to assess how well
they are performing

Tailoring - filtering

Scoping - what is in & what is out

Supplementation - making additions (adding on) to add value and support for
mission objectives

Types of assessments:

a. Vulnerability
Scanning
Analysis
Communicate results

b. Penetration

Strategies:
• External testing
• Internal testing
• Blind testing
• Double-blind testing

Categories:
• Zero knowledge - Black Box
• Partial knowledge - Grey Box
• Full knowledge - White Box

Methodology:
1. Reconnaissance
2. Enumeration
3. Vulnerability analysis
4. Execution / Exploitation
5. Document findings

c. Application
d. DoS / DDoS
e. WAR...
f. Wireless
g. Social Engineering
h. Telephony

7. Monitoring and measurement - The 2 Q's

Quantitative - measures "tangibles" | Numerical assessment

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annual Rate of
Occurrence (ARO)
SLE * ARO = ALE
$ 1,000.00 * 3 = $3,000

Qualitative - measures "intangibles" | the product of likelihood and impact produces
the level of risk. The higher the risk level, the more immediate the need for the
organization to address the issue. (Risk Matrix)
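The two Q's worked through in code, as an added example that is not part of these notes: the quantitative side applies SLE = AV * EF and ALE = SLE * ARO (reproducing the $1,000 * 3 = $3,000 arithmetic above) and ranks risks by ALE; the qualitative side bands the product of likelihood and impact on a risk matrix. The asset values, exposure factors, 1..5 rating scale and level boundaries are constructed assumptions.

```python
"""Added example (not from the original notes): quantitative ALE and a qualitative
risk matrix side by side. All figures and the 1..5 scale are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # Annual Rate of Occurrence, incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


def ale_from_sle(sle: float, aro: float) -> float:
    """The notes' shorthand, SLE * ARO = ALE, for when SLE is already known."""
    return sle * aro


def rank_by_ale(risks):
    """Highest ALE first: the order in which countermeasure spend is usually justified."""
    return sorted(((r.name, r.ale()) for r in risks), key=lambda t: t[1], reverse=True)


# Constructed qualitative bands over likelihood * impact, each rated 1 (lowest)..5.
LEVELS = (
    (5, "Low"),
    (12, "Medium"),
    (19, "High"),
    (25, "Critical"),
)


def qualitative_level(likelihood: int, impact: int) -> str:
    """Risk-matrix lookup: the product of likelihood and impact, banded into a level."""
    for rating in (likelihood, impact):
        if not 1 <= rating <= 5:
            raise ValueError("likelihood and impact are rated 1..5")
    score = likelihood * impact
    for ceiling, label in LEVELS:
        if score <= ceiling:
            return label
    raise AssertionError("unreachable: 25 is the maximum product")


if __name__ == "__main__":
    print(ale_from_sle(1000.0, 3))  # 3000.0, the notes' example
    risks = [
        QuantRisk("laptop theft", asset_value=2000, exposure_factor=0.5, aro=3),
        QuantRisk("data centre flood", asset_value=500000, exposure_factor=0.25, aro=0.5),
    ]
    for name, value in rank_by_ale(risks):
        print(f"{name:20} ALE ${value:,.0f}")
    print(qualitative_level(likelihood=4, impact=5))  # Critical
```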

Process steps:
• Approval - Senior Management gives us this
• Form a Risk Assessment Team
• Analyze Data
• Calculate Risk
• Countermeasure Recommendations

8. Asset valuation - understanding tangible / intangible worth

9. Reporting - Gotta have it !!! (timeliness and understandability)

10. Continuous improvement - Deming Cycle (PDCA)

P lan
D o
C heck
A ct

11. Risk frameworks -

COSO - identifies 5 areas necessary to meet the financial reporting and disclosure
objectives. These include:
a. Control environment
b. Risk assessment
c. Control activities
d. Information and communication
e. Monitoring

ITIL - showing how controls can be implemented for the service management IT
processes

5 Lifecycle phases:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement (CSI)

COBIT - examines the effectiveness, efficiency, confidentiality, integrity,
availability, compliance, and reliability aspects of the high-level control
objectives.

ISO 27001 / 27002 series (ISO 17799/BS7799) - ISMS (01) and Controls (02)

ISO 73:2009 - Risk Management Vocabulary

ISO 31010:2009 - Risk Assessment Techniques

ISO 31000:2018 - Risk Management Guidelines

NIST: (https://csrc.nist.gov/publications/sp800)

NIST SP800-12R1 An Introduction to Information Security

NIST SP800-30R1 Guide for Conducting Risk Assessments

NIST SP800-34R1 Contingency Planning Guide for Federal Information Systems

NIST SP800-37R2 Risk Management Framework for Information Systems and
Organizations: A System Life Cycle Approach for Security and Privacy

NIST SP800-53R5 Security and Privacy Controls for Information Systems and
Organizations

NIST SP800-53AR4 Assessing Security and Privacy Controls in Federal Information
Systems and Organizations: Building Effective Assessment Plans

NIST SP800-88R1 Guidelines for Media Sanitization

NIST SP800-121R2 Guide to Bluetooth Security

NIST SP800-125AR1 Security Recommendations for Server-based Hypervisor Platforms

NIST SP800-160 Vol1 | Vol2 Systems Security Engineering: Considerations for a
Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

NIST SP800-161R1 Cybersecurity Supply Chain Risk Management Practices for Systems
and Organizations

NIST SP800-171R1 Protecting Controlled Unclassified Information in Nonfederal
Systems and Organizations

NIST SP800-193 Platform Firmware Resiliency Guidelines

===================================================================================
================

Spotlight on the Risk Management Framework (RMF)

Risk Management Framework (RMF) Overview -

The selection and specification of security controls for a system SHOULD BE
accomplished as part of an organization-wide information security program that
involves the management of organizational risk.

THE RISK MANAGEMENT FRAMEWORK PROVIDES A PROCESS THAT INTEGRATES SECURITY & RISK
MANAGEMENT ACTIVITIES INTO THE SYSTEM DEVELOPMENT LIFE CYCLE.

Risk-Based Approach -

The risk-based approach to security control selection and specification considers
effectiveness, efficiency, and constraints due to applicable laws, directives,
Executive Orders, policies, standards, or regulations.

The following activities related to managing organizational risk are paramount to
an effective information security program and can be applied to both new and legacy
systems within the context of the system development life cycle:

1. Prepare Step -

Prepare carries out essential activities at the organization, mission and business
process, and information system levels of the enterprise to help prepare the
organization to manage its security and privacy risks using the Risk Management
Framework.

2. Categorize Step -

Categorize the system and the information processed, stored, and transmitted by
that system based on an impact analysis (*1).

3. Select Step -

Select an initial set of baseline security controls for the system based on the
security categorization; tailoring and supplementing the security control baseline
as needed based on organization assessment of risk and local conditions.

4. Implement Step -

Implement the security controls and document how the controls are deployed within
the system and environment of operation.

5. Assess Step -

Assess the security controls using appropriate procedures to determine the extent
to which the controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting the security requirements for
the system.

6. Authorize Step -

Authorize system operation based upon a determination of the risk to organizational
operations and assets, individuals, other organizations and the Nation resulting
from the operation of the system and the decision that this risk is acceptable
(*2).

7. Monitor Step -

Monitor and assess selected security controls in the system on an ongoing basis
including assessing security control effectiveness, documenting changes to the
system or environment of operation, conducting security impact analyses of the
associated changes, and reporting the security state of the system to appropriate
organizational officials (*3).

Footnotes:

1. The RMF categorize step, including consideration of legislation, policies,
directives, regulations, standards, and organizational mission/business/operational
requirements, facilitates the identification of security requirements.

2. NIST Special Publication 800-37 Revision 2 provides guidance on authorizing a
system to operate.

3. NIST Special Publication 800-37 Revision 2 provides guidance on monitoring the
security controls in the environment of operation, the ongoing risk determination
and acceptance, and the approved system authorization to operate status.

===================================================================================
================

Topic 11: Understand and apply threat modeling concepts and methodologies

What is Threat Modeling? - a process by which potential threats, such as structural
vulnerabilities can be identified, enumerated, and prioritized – all from a
hypothetical attacker’s point of view.

The purpose of threat modeling is to provide defenders with a systematic analysis
of the probable attacker’s profile, the most likely attack vectors, and the assets
most desired by an attacker.

The threat risk modeling process has five steps:
1. Identify Security Objectives
2. Survey the Application / system
3. Decompose it
4. Identify Threats
5. Identify Vulnerabilities

1. Threat modeling methodologies-

What are the most well known models:

STRIDE Methodology - characterizing known threats according to the kinds of exploit
that are used (or motivation of the attacker).

STRIDE stands for

S poofing
T ampering
R epudiation
I nformation Disclosure
D enial of Service
E levation of Privilege

DREAD Methodology - quantifying, comparing and prioritizing the amount of risk
presented by each evaluated threat. The DREAD algorithm, shown below, is used to
compute a risk value, which is an average of all five categories.

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS +
DISCOVERABILITY) / 5

The calculation always produces a number between 0 and 10; the higher the number,
the more serious the risk.
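The DREAD formula applied to a small threat list, as an added example that is not part of these notes: each threat is tagged with its STRIDE category, the five factors are range-checked so the average really does stay within 0 and 10, and the list is ranked highest risk first. The threats and their ratings are constructed.

```python
"""Added example (not from the original notes): DREAD scoring with STRIDE tags.
Risk_DREAD = (Damage + Reproducibility + Exploitability + Affected users +
Discoverability) / 5, each factor rated 0..10. Threats below are constructed."""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str           # one of the STRIDE letters above
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def factors(self):
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)


def dread_score(t: Threat) -> float:
    """Average of the five factors. Because each is 0..10, the result is 0..10;
    an out-of-range factor is rejected rather than silently skewing the ranking."""
    if t.stride not in STRIDE:
        raise ValueError(f"unknown STRIDE category {t.stride!r}")
    for value in t.factors():
        if not 0 <= value <= 10:
            raise ValueError("each DREAD factor is rated 0..10")
    return sum(t.factors()) / 5


def rank_threats(threats):
    """Rows of (score, name, STRIDE category), highest score first; ties broken
    by name so the report is stable between runs."""
    rows = ((dread_score(t), t.name, STRIDE[t.stride]) for t in threats)
    return sorted(rows, key=lambda row: (-row[0], row[1]))


if __name__ == "__main__":
    threats = [
        Threat("session token exposed in URL", "I", 7, 9, 8, 6, 9),
        Threat("unauthenticated admin API", "E", 10, 10, 9, 10, 5),
        Threat("no audit log on fund transfers", "R", 5, 10, 4, 3, 2),
    ]
    for score, name, category in rank_threats(threats):
        print(f"{score:4.1f}  {category:24} {name}")
```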

P.A.S.T.A. - Process for Attack Simulation and Threat Analysis (PASTA). A
seven-step process for aligning business objectives and technical requirements,
taking into account compliance issues and business analysis. Provides a dynamic
threat identification, enumeration, and scoring process. Once the threat model is
completed security subject matter experts develop a detailed analysis of the
identified threats. Finally, appropriate security controls can be enumerated.
Provides an attacker-centric view of the application and infrastructure from which
defenders can develop an asset-centric mitigation strategy.

Trike - Threat models are used to satisfy the security auditing process. Threat
models are based on a “requirements model.” The requirements model establishes the
stakeholder-defined “acceptable” level of risk assigned to each asset class.
Analysis of the requirements model yields a threat model from which threats are
enumerated and assigned risk values. The completed threat model is used to
construct a risk model based on asset, roles, actions, and calculated risk
exposure.

VAST - Visual, Agile, and Simple Threat modeling. Focuses on the necessity of
scaling the threat modeling process across the infrastructure and entire SDLC, and
integrating it seamlessly into an Agile software development methodology. The
methodology seeks to provide actionable outputs for the unique needs of various
stakeholders: application architects and developers, cybersecurity personnel, and
senior executives.

AS/NZS 4360:2004 Risk Management - the world’s first formal standard for
documenting and managing risk.

The five steps of the AS/NZS 4360 process are:

1. Establish Context: Establish the risk domain, i.e., which assets/systems are
important?

2. Identify the Risks: Within the risk domain, what specific risks are apparent?

3. Analyze the Risks: Look at the risks and determine if there are any supporting
controls in place.

4. Evaluate the Risks: Determine the residual risk.

5. Treat the Risks: Describe the method to treat the risks so that risks selected
by the business will be mitigated.

Note: AS/NZS 4360 assumes that risk will be managed by an operational risk group,
and that the organization has adequate skills and risk management resources in
house to identify, analyze, and treat the risks.

CVSS - The US Department of Homeland Security (DHS) established the NIAC
Vulnerability Disclosure Working Group, which incorporates input from Cisco
Systems, Symantec, ISS, Qualys, Microsoft, CERT/CC, and eBay.

2. Threat modeling concepts -

Visual Representations based on Data Flow Diagrams (PASTA | TRIKE)

Visual Representations based on Process Flow Diagrams (VAST)

What do you need to know about Intelligence Types? -

Threat intelligence - continual processes used to understand the threats faced by
an organization

• Tactical - focused on Tactics, Techniques, & Procedures (TTPs) of a threat actor;
used by operations teams to augment vulnerability remediation, alerting/reporting &
architectural design considerations (commodity malware)

• Strategic - senior leadership focused information; used to help identify
motivations, capabilities, & intentions of threat actors (targeted attacks)

• Operational - collected from the organization's infrastructure including logs &
information reported by SIEM platforms; used to identify current attacks &
Indicators of Compromise (IOCs)

What do you need to know about Threat & Adversary Emulation & Threat Hunting? -

Threat emulation - emulating known TTPs to mimic the actions of a threat in a
realistic way, without emulating a specific threat actor; help identify elements
related to the TTPs & aid in future detection efforts

Adversary emulation - emulating known adversary TTPs in a realistic way in order
to mimic the actions of a specific threat actor or group

Threat hunting - assessment technique utilizing insights from threat intelligence
to proactively discover IOCs present within the environment using an "assume
breach" mindset; likely to be led by senior staff & include:

• Advisories & bulletins
• Intelligence fusion & threat data

What do you need to know about Intelligence Collection Methods? -

Intelligence Feeds - some feeds are freely available & others are available only
as part of a subscription service, often associated with proprietary hardware &
software tools

Deep Web - unindexed & hidden locations on the Internet generally associated with
malicious activity & criminal operations

Open-Source Intelligence (OSINT) - using publicly available information sources to
collect & analyze data

Human Intelligence (HUMINT) - collection of intelligence through interactions with
people

What do you need to know about Augmented Reality, Big Data & Deep Learning? -

Augmented Reality - emulates a real-life environment through computer-generated
sights & sounds & sometimes computer-generated smell & touch

Big Data - data collections that are so large & complex that they are difficult
for traditional database tools to manage

Deep Learning - machine learning that deconstructs knowledge into a series of
smaller, simpler parts

• the system is not provided with human-directed facts, filters, or rules but
instead is left to independently interpret data & classify it as a certain category

• determines which simpler concepts are applicable in order to identify a solution
to an abstract problem

What do you need to know about Threat Actor Groups? -

• Script Kiddies
• Insider Threats
• Competitors
• Organized Crime
• Hacktivists
• Nation States
• State Actors
• Advanced Persistent Threats (APTs)
• Supply Chain Access

What do you need to know about Threat Management Frameworks? -

MITRE Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK) - knowledge
base of information regarding real world adversary tactics & techniques; describes
the specifics regarding how adversaries perform attacks & break down into logical
groupings
• used to develop accurate threat models & defensive controls
• visually depicts the relationships between tactics & techniques
• documents behavior profiles of various well-known adversarial groups to
show the techniques used by each group

MITRE ATT&CK for ICS - describes a set of tactics & techniques specific to
industrial control systems & lists the elements described in the ATT&CK for ICS
knowledge base

ATT&CK Matrix is available at https://attack.mitre.org/

Diamond Model of Intrusion Analysis - focuses on events & describes them in terms
of four core & interrelated base features:

• Adversary
• Capability
• Infrastructure
• Victim

Adversaries achieve goals by using a capability over infrastructure against a
victim

• this relationship is visualized using a diamond to demonstrate that
identifying any of the features can lead an analyst to the other connected points
• Meta-features are included as ovals on the extended diamond model diagram &
describe the specific details that may be present in the base features

Available at https://apps.dtic.mil/sti/citations/ADA58696

Cyber Kill Chain - steps/actions an adversary must complete in order to achieve
their goals; includes seven steps:

1. Reconnaissance - seeking information regarding weaknesses with people &
technology in the target organization
2. Weaponization - developing the tool &/or technique to be used against the
organization based upon information gathered during reconnaissance
3. Delivery - method by which the tool will be delivered
4. Exploitation - step that results in a breach
5. Installation - post-exploitation work needed in order to maintain access
6. Command & Control (C2) - methods used to communicate with the exploited
system in order to further the attack
7. Actions on Objectives - perform the tasks initially identified as the
attack's goals

Steps identify several opportunities for the detection of adversarial action; goal
is to detect these activities as early in the kill chain as possible

===================================================================================
================

Topic 12: Apply Supply Chain Risk Management (SCRM) concepts

1. Risks associated with hardware, software, and services

NIST SP800-161 - Supply Chain Risk Management Practices for Federal Information
Systems and Organizations (page 7)

Supply chain risks include insertion of counterfeits, unauthorized production,
tampering, theft, insertion of malicious software and hardware (e.g., GPS tracking
devices, computer chips, etc.), as well as poor manufacturing and development
practices in the supply chain. These risks are realized when threats in the supply
chain exploit existing vulnerabilities.

NIST SP800-161R1 - Cybersecurity Supply Chain Risk Management Practices for
Systems and Organizations (page 7)

C-SCRM encompasses activities spanning the entire system development life cycle
(SDLC), including research and development, design, manufacturing, acquisition,
delivery, integration, operations and maintenance, disposal, and overall management
of an enterprise’s products and services. C-SCRM is the organized and purposeful
management of cybersecurity risk in the supply chain.

2. Third-party assessment and monitoring

SLA's vs. Assurance via Due Diligence

3. Minimum security requirements

Requirements gathering

4. Service-level requirements

SLA vs SLR

In addition:

Onsite Assessment
Document Exchange and Review
Process/Policy Review
Third Party Audit

Managing known risks

1. Identify and document risks
2. Build a supply-chain risk-management framework
3. Monitor risk
4. Institute governance and regular review

Supply Chain Risk Management Strategies

1. PPRR risk management model - a popular global supply chain risk management
strategy and is used by retailers around the world. “PPRR” stands for:

Prevention - Take precautionary measures for supply chain risk mitigation.
Preparedness - Develop and implement a contingency plan in case of an
emergency.
Response - Execute on your contingency plan in order to reduce the impact
of the disruptive event.
Recovery - Resume operations and get things running at normal capacity as
quickly as possible.

2. Manage environmental risk in your supply chain - single vs. multi supplier

Supply chain risk assessment software enables you to take a proactive approach to
risk management by providing you with greater visibility into the structure of your
supply chain. With such a solution, you will be able to identify weak points in
your supply chain and receive data-driven insights into how you can strengthen
them.

3. Improve your cyber supply chain risk management:

Establish compliance standards for all third-party vendors, including
manufacturers, suppliers, and distributors.

Define user roles and implement security controls to restrict who is able
to access your system and what level of clearance they are given.

Perform a thorough vendor risk assessment prior to signing any contracts.

Implement data stewardship standards that define who owns certain data
and what they are able to do with that data.

Provide comprehensive training for all employees about cybersecurity
protocols.

Implement a software solution that provides you with total visibility
into your supply chain, so you can quickly identify unusual activity.

Work with vendors in your supply chain network to develop a unified
disaster recovery plan to ensure business continuity.

Establish backup controls to safeguard your data backups.

Regularly update your company’s anti-virus, anti-spyware, and firewall
software solutions, as well as look into more advanced cybersecurity measures, such
as DNS filtering and network access control.

4. Gain visibility into suppliers’ financial stability

5. Track the right freight carrier metrics:

Transit Time - the number of hours or days it takes for a shipment to
arrive at the customer’s location after leaving your facility.

Number of Stops & Average Stop Time - The more stops a freight carrier
takes en route to delivering a shipment, the longer it will take your product to
reach your customer. Even if a route only includes a few stops, a long average stop
time could still jeopardize on-time delivery and disrupt your supply chain. These
metrics are important to monitor for the sake of supply chain efficiency.

[Note: It’s important to look for a low number of stops and low average stop time
while still being mindful of drivers’ legally regulated hours of service.]

Average Loading Time - This refers to the amount of time it takes to load
a carrier with freight, as well as fill out any necessary paperwork, once it has
arrived at the loading dock. Like the previous item on this list, this is a key
indicator of supply chain efficiency.

Route Optimization - It’s important that retailers consider how field
carriers optimize routes for fuel usage and travel time because these have a direct
effect on supply chain costs and efficiency. If a retailer has its own fleet, it
can monitor this metric closely; if it partners with a third-party carrier, it can
monitor this metric through costs charged for shipping.

Maintenance Schedule - A freight carrier with a consistent maintenance
schedule is less likely to break down, which can prevent unnecessary supply chain
disruption.

6. Implement a logistics contingency plan - Similar to an emergency response plan,
it’s imperative that retailers have a logistics contingency plan in place to ensure
business continuity in the event of supply chain disruption.

Some tips when creating a contingency plan for supply chain risk mitigation:

Map out your supply chain to get a clear understanding of which entities
are most vulnerable to risk.

Perform a full assessment of suppliers based on factors such as political
risk, geographic risk, and economic risk.

Diversify your supplier network so that you are not reliant on a single
supplier.

Audit logistics providers based on their disaster plans.

Establish a crisis response team to make critical decisions in the event
of an emergency.

Develop solid communications channels so that your employees know what
their responsibilities are in the event of supply chain disruption.

Carefully document all processes and create a single source of truth that
employees can refer to when executing on your contingency plan.

Stay up to date on current events and adapt your contingency plan
accordingly.

7. Conduct internal risk awareness training - Management is not the only area of
your organization that can assist in supply chain risk mitigation. In fact,
building a risk-aware culture requires buy-in at all levels of your business. The
easiest way to achieve this is to conduct risk awareness training for your entire
workforce. Training curriculum should include the following:

Common supply chain management risks and challenges
Risk management best practices
Computer and internet best practices to improve cybersecurity awareness
Supply chain risk assessment software training to encourage end user
adoption

8. Consistently monitor risk

9. Use data to model key risk event scenarios

10. Consolidate your data for easy access

There is no single approach to TPRM, but some commonly used frameworks serve as a
solid starting point. These include frameworks provided by organizations such as
the National Institute of Standards and Technology (NIST) and the International
Standards Organization (ISO).

Third-party risk management policies guide organizations on building, applying,
managing, and implementing best practices.

When implementing a third-party risk management framework, companies must examine
the nature of the risk involved and deal with the changing business, regulatory and
legal environments – and their potential impact on the organization’s operation.

Effectively utilizing TPRM frameworks will reduce risks to both your organization
and your customers.

Key documents to be aware of:

Shared Assessments Frameworks -

Shared Assessments TPRM Framework - a comprehensive set of TPRM best practices.
This framework is designed to help organizations establish, monitor, optimize and
mature their TPRM program using a standardized set of controls. The framework is
divided into two sections: fundamentals and processes. Fundamentals include four
sections: introduction, basics, buy-in, and governance. Processes include 8
families ranging from outsourcing analysis and due diligence to ongoing monitoring.

Shared Assessments is one of the few frameworks that is focused solely on
third-party risk rather than on broader topics such as supply chain risk management
or organizational information security.

NOTE: Accessing the framework requires a membership fee.

Shared Assessments Standardized Information Gathering Questionnaire (SIG) - Shared
Assessments also publishes a standardized information gathering questionnaire that
can enable organizations to easily employ a standardized third-party risk
assessment that is pre-mapped to other standards such as ISO, HIPAA, NIST, GDPR and
PCI DSS. It also includes a management tool that can enable you to draw from a
predefined set of questions, an implementation checklist, and guidance on what
documentation to request from third-party vendors. SIG can be particularly useful
for organizations that are just beginning their TPRM program.

NIST -
NIST Cybersecurity Framework (CSF) Version 1.1 - voluntary guidance, based on
existing standards, guidelines, and practices for organizations to better manage
and reduce cybersecurity risk. In addition to helping organizations manage and
reduce risks, it was designed to foster risk and cybersecurity management
communications amongst both internal and external organizational stakeholders

FIPS 199, Standards for Security Categorization of Federal Information and
Information Systems - categorizing federal information and information systems
according to an agency's level of concern for confidentiality, integrity, and
availability and the potential impact on agency assets and operations should their
information and information systems be compromised through unauthorized access,
use, disclosure, disruption, modification, or destruction

NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments - guidance for
conducting risk assessments of federal information systems and organizations,
amplifying the guidance in Special Publication 800-39. Risk assessments, carried
out at all three tiers in the risk management hierarchy, are part of an overall
risk management process — providing senior leaders/executives with the information
needed to determine appropriate courses of action in response to identified risks

NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and
Organizations - A System Life Cycle Approach for Security and Privacy - describes
the Risk Management Framework (RMF) and provides guidelines for applying the RMF to
information systems and organizations. The RMF provides a disciplined, structured,
and flexible process for managing security and privacy risk that includes
information security categorization; control selection, implementation, and
assessment; system and common control authorizations; and continuous monitoring

NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and
Information System View - provides guidance for an integrated, organization-wide
program for managing information security risk to organizational operations (i.e.,
mission, functions, image, and reputation), organizational assets, individuals,
other organizations, and the Nation resulting from the operation and use of federal
information systems

NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems
and Organizations - provides a catalog of security and privacy controls for
information systems and organizations to protect organizational operations and
assets, individuals, other organizations, and the Nation from a diverse set of
threats and risks, including hostile attacks, human errors, natural disasters,
structural failures, foreign intelligence entities, and privacy risks

NIST SP 800-53B Revision 5, Control Baselines for Information Systems and
Organizations - provides security and privacy control baselines for the Federal
Government. There are three security control baselines (one for each system impact
level—low-impact, moderate-impact, and high-impact), as well as a privacy baseline
that is applied to systems irrespective of impact level

NIST SP 800-160 Vol. 1, Systems Security Engineering - addresses the
engineering-driven perspective and actions necessary to develop more defensible and
survivable systems, inclusive of the machine, physical, and human components
comprising the systems, capabilities and services delivered by those systems

NIST SP 800-160 Vol. 2, Developing Cyber Resilient Systems: A Systems Security
Engineering Approach - a handbook for achieving the identified cyber resiliency
outcomes based on a systems engineering perspective on system life cycle processes
in conjunction with risk management processes, allowing the experience and
expertise of the organization to help determine what is correct for its purpose

NIST SP 800-181 Revision 1, National Initiative for Cybersecurity Education (NICE)
Cybersecurity Workforce Framework - a fundamental reference for describing and
sharing information about cybersecurity work. It expresses that work as Task
statements and describes Knowledge and Skill statements that provide a foundation
for learners including students, job seekers, and employees

NISTIR 7622, Notional Supply Chain Risk Management Practices for Federal
Information Systems - provides a wide array of practices that, when implemented,
will help mitigate supply chain risk to federal information systems. It seeks to
equip federal departments and agencies with a notional set of repeatable and
commercially reasonable supply chain assurance methods and practices that offer a
means to obtain an understanding of, and visibility throughout, the supply chain

NISTIR 8179, Criticality Analysis Process Model: Prioritizing Systems and
Components - helps organizations identify those systems and components that are
most vital, and which may need additional security or other protections

NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from
Industry - provides the ever-increasing community of digital businesses a set of
Key Practices that any organization can use to manage cybersecurity risks
associated with their supply chains. The Key Practices presented in this document
can be used to implement a robust C-SCRM function at an organization of any size,
scope, and complexity

NISTIR 8286, Identifying and Estimating Cybersecurity Risk for Enterprise Risk
Management (ERM) - helps individual organizations within an enterprise improve
their cybersecurity risk information, which they provide as inputs to their
enterprise’s ERM processes through communications and risk information sharing

ISO/IEC -

ISO 27001 is an international standard for the stringent evaluation of cyber and
information security practices. It provides requirements for establishing,
implementing, maintaining and continually improving an information security
management system. Based on an international set of requirements, it outlines a
systematic approach to managing sensitive company information so that it remains
secure. It includes people, processes and IT systems by applying a risk management
process.

There are three supplements to consider as important corollaries to ISO 27001,
including:

ISO 27002 is a supplementary standard that provides advice on how to implement the
security controls listed in Annex A of ISO 27001. It helps organizations consider
what they need to put in place to meet these requirements.

ISO 27018, when used in conjunction with the information security objectives and
controls in ISO 27002, creates “a common set of security categories and controls
that can be implemented by a public cloud computing service provider acting as a
PII processor.”

ISO 27036-2 is a related framework that specifies information security requirements
for "defining, implementing, operating, monitoring, reviewing, maintaining and
improving supplier and acquirer relationships." This standard extends the
information security requirements defined in previous ISO standards adding specific
guidance to ensure secure acquirer-supplier relationships.

ISO 27701 was the first international standard on privacy information management,
which helps organizations to demonstrate the methods and controls used in
protecting both their internal and customers’ personal data. It augments security
guidance published in ISO 27001 and ISO 27002.

With respect to managing information security in supplier (third-party)
relationships, Section 15 of 27001 and 27002 summarizes the requirements for
securely dealing with various types of third parties. Using a top-down, risk-based
approach, the specification provides the following guidance for managing suppliers:

• Create an information security policy for supplier relationships that outlines
specific policies and procedures and mandates specific controls be in place to
manage risk.

• Establish contractual supplier agreements for any third party that may access,
process, store, communicate, or provide IT infrastructure to an organization’s
data.

• Include requirements to address the information security risks associated with
information and communications technology services and product supply chain.

• Monitor, review and audit supplier service delivery.

• Manage changes to the supplier services, considering re-assessment of risks.

REMEMBER ... Organizations choose to become certified against these standards in
order to benefit from the best practice guidance and to reassure customers and
clients that their recommendations have been followed.

Clauses 6 and 7 in ISO 27036-2 define fundamental and high-level information
security requirements applicable to the management of several supplier
relationships at any point in that supplier relationship lifecycle.

ISO 27036 is designed to manage the entire business relationship lifecycle to
include:

• Initiation - scoping, business case/cost-benefit analysis, comparison of
insourcing versus outsourcing options as well as variant or hybrid approaches such
as co-sourcing

• Definition of requirements including the information security requirements

• Procurement including selecting, evaluating, and contracting with supplier/s

• Transition to or implementation of the supply arrangements, with enhanced risks
around the implementation period

• Operation including aspects such as routine relationship management, compliance,
incident and change management, monitoring

• Refresh - an optional stage to renew the contract, perhaps reviewing the terms
and conditions, performance, issues, working processes

• Termination and exit

===================================================================================================

Topic 13: Establish and maintain a security awareness, education, and training
program

Security awareness:

Establishing an understanding of the importance of, and need to, comply with
security policies within the organization

Addresses the "WHY" of policy

1. Methods and techniques to present awareness and training

2. Periodic content reviews

3. Program effectiveness evaluation

===================================================================================================

Risk terminology and concepts - Know the vocab !!!

Asset - anything within the organization that has value and should be afforded CIA
protections

Asset valuation - dollar value assigned to an asset

Threats - a potential occurrence that may cause an undesirable outcome vis-a-vis an
asset

Vulnerability - weakness to be exploited

Exposure - degree to which you are susceptible to asset loss due to a threat

Risk - possibility or likelihood that a threat will exploit a vulnerability to
cause harm to an asset

risk = threat * vulnerability

Threat agent | actor | event - the bad thing looking to do harm

Safeguard | control | countermeasure - something deployed or used to mitigate risk

Attack - the exploitation of a vulnerability by a threat agent (bad actor)

Breach - a countermeasure being bypassed or rendered ineffective


Quantitative Risk Analysis: ALE = SLE * ARO

1. Exposure Factor (EF) - % of loss experienced IF a specific asset were
attacked

2. Single Loss Expectancy (SLE) - the cost associated with a single
realized risk against a single asset -

SLE = asset value (AV) × exposure factor (EF)

3. Annualized Rate of Occurrence (ARO) - frequency @ which a specified risk
will be realized over a single year

4. Annualized Loss Expectancy (ALE) - potential yearly cost of all
instances of a specified threat

5. Asset Value (AV) - $$$ amount asset is worth to the organization

Example (FIREWALL FAILURE): SLE = $1.00, ARO = 10 TIMES per year

ALE = SLE * ARO = $1.00 * 10 = $10.00

1. Countermeasure is less than ALE - Do this

2. Countermeasure is equal to ALE - Do this

3. Countermeasure is greater than ALE - Think before acting
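Putting the quantitative formulas and the countermeasure rule above to work, as an added Python example that is not part of the original notes: it computes SLE and ALE from AV, EF and ARO, reproduces the firewall-failure figures (SLE $1.00, ARO 10, ALE $10.00; the AV of $10.00 and EF of 10% behind them are assumed here), adds a constructed database-server scenario, and applies the "Do this / Think before acting" rule.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENTS = Decimal("0.01")


def money(value: Decimal) -> Decimal:
    """Round a dollar amount to whole cents, half-up, so totals reconcile."""
    return value.quantize(CENTS, rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class RiskScenario:
    """One threat realized against one asset. EF is a fraction, not a percent."""
    name: str
    asset_value: Decimal      # AV  - dollar value of the asset to the organization
    exposure_factor: Decimal  # EF  - share of AV lost if the threat is realized once
    aro: Decimal              # ARO - expected realizations per year (may be < 1)

    def __post_init__(self) -> None:
        if not Decimal(0) <= self.exposure_factor <= Decimal(1):
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    def sle(self) -> Decimal:
        """Single Loss Expectancy: SLE = AV * EF."""
        return money(self.asset_value * self.exposure_factor)

    def ale(self) -> Decimal:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return money(self.sle() * self.aro)


def countermeasure_decision(annual_cost: Decimal, ale: Decimal) -> str:
    """Rule from the notes: a safeguard costing up to the ALE is worth it."""
    return "Do this" if annual_cost <= ale else "Think before acting"


# Constructed sample scenarios (not from the notes). The firewall AV and EF are
# assumed values chosen so that SLE and ALE match the worked figures in the notes.
FIREWALL = RiskScenario("firewall failure", Decimal("10.00"), Decimal("0.10"), Decimal("10"))
DATABASE = RiskScenario("database server breach", Decimal("250000"), Decimal("0.40"), Decimal("0.2"))

if __name__ == "__main__":
    for scenario in (FIREWALL, DATABASE):
        print(f"{scenario.name}: SLE=${scenario.sle()} ALE=${scenario.ale()}")
    for cost in (Decimal("15000"), Decimal("20000"), Decimal("25000")):
        print(f"safeguard at ${cost}/yr vs ALE ${DATABASE.ale()}: "
              f"{countermeasure_decision(cost, DATABASE.ale())}")
```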
