
Security and Risk Management Key Points

Objectives:

At the end of this episode, I will be able to:

Understand and identify the key points and items from Domain 1 that need to be
mastered as part of your preparation to take and pass the CISSP exam.

External Resources:

Security and Risk Management - Key points

1. CODE OF ETHICS !!!

2. CIA Triad

3. What is Governance?

4. SABSA, TOGAF & Zachman

5. Privacy, PII, PHI & GDPR

6. Intellectual Property

7. The 8 Core Principles (OECD)

a. Collection Limitation
b. Data Quality
c. Purpose Specification
d. Use Limitation
e. Security Safeguards
f. Openness
g. Individual Participation
h. Data Controller Accountability

8. GDPR ...

9. Different types of investigations

a. Administrative - INTERNAL
b. Criminal - conducted by law enforcement
c. Civil - present a case in a civil trial
d. Regulatory - government agency
e. Industry standards - Electronic Discovery (eDiscovery) used to facilitate the processing of electronic information for disclosure

10. Electronic Discovery Reference Model (9 steps):

a. Information Governance
b. Identification
c. Preservation
d. Collection
e. Processing
f. Review
g. Analysis
h. Production
i. Presentation

BONUS - types of Legal Systems

11. Security policy & standards & procedures & guidelines

12. What is the Business Impact Analysis (BIA)?

13. Determining Downtime - (MAD/MTD | RPO | RTO | WRT)

14. Personnel security policies and procedure concepts:

a. separation of duties
b. least privilege
c. need to know
d. job rotation

15. Risk, Risk, Risk (EVERYTHING !!)

16. Controls (3 Categories & 7 Types)

Control Categories

• Physical
• Administrative
• Logical (Technical)

Control Types

1. Directive
2. Deterrent
3. Preventive
4. Compensating
5. Detective
6. Corrective
7. Recovery

17. The Risk Management Framework (RMF) ... 7 steps

a. Prepare
b. Categorize
c. Select
d. Implement
e. Assess
f. Authorize
g. Monitor

18. Threat Modeling - Process & Methodologies

Process has five steps:

1. Identify Security Objectives
2. Survey the Application / system
3. Decompose it
4. Identify Threats
5. Identify Vulnerabilities

Methodologies:

• STRIDE
• DREAD (Risk_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5)
• Process for Attack Simulation and Threat Analysis (PASTA)
• Trike
• Visual, Agile, and Simple Threat modeling (VAST)

19. What is Supply Chain Risk ?

20. What are Supply Chain Risk Management Strategies ?

• PPRR risk management model - Prevention, Preparedness, Response, Recovery
• Manage environmental risk in your supply chain - single vs. multi supplier
• Improve your cyber supply chain risk management
• Gain visibility into suppliers’ financial stability
• Track the right freight carrier metrics
• Implement a logistics contingency plan
• Conduct internal risk awareness training
• Consistently monitor risk
• Use data to model key risk event scenarios
• Consolidate your data for easy access
