Cissp6010 1to4
Week 1:
Introduction to the Course
•Professor, School of IT
•Room G3001
•Meetings by appointment only (no set office hours – please email me)
•jrobertson@fanshaweonline.ca
Our Agenda for Today
•I want you to share a comment, image, or quote that summarizes your first
term in ISM or NSA.
• Consider your favorite class, or course, or system/software/tool
• What was your most memorable learning experience?
• Ex. made new friends, learned new concepts,
• What did you NOT like about the first term?
• Maybe your most memorable part of being a student wasn’t about the program, but rather
about the college experience?
Current Events: What is happening in the world?
Link to article
2023-09-06 8
Active Learning Exercise (ALE) #1 (10 minutes)
•In addition to your brief article summary, identify 3-5 key terms used in
the article that comprise the “language” of Security Management
(more details on the next slide)
Part 1: Course Outline and Course Overview
(Please open up the Course Syllabus and Course Plan! )
INFO 6010 Course Plan (Who has read this document?)
Course Design
Please consider sharing news and other links with me (via the
discussion forum) so that I can share them with the class.
Tests will occur during class time (RLDB is required), and take the
place of a lesson (so no lectures in weeks 5 and 10)
“The CISSP CBK is like an ocean: it is very
broad, in places it is very deep while in other
places shallow, but you can be certain there
is lots of it!"
The CBK that comprises the testable material for the CISSP exam is too large to
cover in a 15-week course. Rather, this course will explore key concepts and
ideas that comprise the foundation upon which you will build your InfoSec
knowledge.
Student Success
Who Has Read the Course Outline for this Course?
Course Outline (Let’s take a look!)
•Learning Objectives – why read these and how can they help??
•Assessments
•Two Research Papers (15% each - total of 30%)
•Two Formative Tests (15% each - total of 30%)
•Final exam (40%)
•Weekly Discussion Forums (0%), but maybe some bonus marks?
Course Textbook (Required)
Purchase either a physical or electronic copy. The 9th edition is the latest, but an earlier version is better than nothing.
Testing! There are THREE tests in this course and TWO written assignments
•All tests use the Respondus Lockdown Browser
•Tests are NOT open book
•Recommend you use wired ethernet and a plug-in power supply (Respondus
does not like power/network blips)
•Working AND tested PC or laptop
•Budget your time wisely during the test. Expect an average time of 30-60
seconds per question (you won’t have time to look everything up)
•Short answer, long answer, M/C, T/F, FIB, Matching, etc.
•All tests are manually graded by me.
•Testable material includes anything discussed in class (both verbally and on the
slides), in the textbook, any articles or resources I share, and in the assignments.
Course Outline
Learn to love APA
Sample Rubric I Created for Written Assignments
Tips on professional writing assignments
Why Have Weekly Discussion Forums?
•I use the FOL discussion forums to promote social interactions and knowledge-building
among students.
•Discussion forums allow us to build a Community of Practice (Lave & Wenger, 2007).
Communities share ideas and experiences. They allow us to critically examine and
challenge concepts, ideas, facts, methods, and opinions.
•We can all learn from each other’s experiences and ideas, but not if you don’t share
them! Everyone benefits – including you – if everyone contributes.
•Marks are given for created threads AND for replies, but not for “reads”.
•A little cheerleading is great, but please try to make sure your posts and replies
further the conversation. Ask the “why” questions! Play “devil’s advocate”. Don’t be
contrary for the sake of it, but rather build on ideas.
•Your opinion has value, but always try to SUPPORT your statements with EVIDENCE.
Don’t copy from another person – even if they allow it!
•Please read the full policy on the course syllabus FOL
Part 2:
Introduction to CISSP
•Security certifications.
• Why get certified?
• How do you choose which certification is right for you?
• Why do we require you to take this course?
•What is the ISC2 CISSP Common Body of Knowledge?
•What are the 8 CISSP Domains
•Vendor-neutral vs. Vendor-specific certifications
•Security Trends
•Hackers and Hacking
•Information Security Management
•Rather, they all work together. You need to understand how these
systems impact each other
•Jobs! People with CISSP CBK knowledge are in very high demand (and
are paid very well). It will also make you better at your current job!
2. Have you ever been involved, or publicly identified, with criminal hackers
or hacking?
4. Have you ever been known by any other name, alias, or pseudonym?
(Omit user identities or screen names with which you were publicly
identified. Also omit name changes due to marriage or adoption.)
CISSP DOMAINS
3. Security Engineering (Engineering and Management of Security)
• Engineering processes using secure design principles
• Security models fundamental concepts
• Security evaluation models
• Security capabilities of information systems
• Security architectures, designs, and solution elements vulnerabilities
• Web-based systems vulnerabilities
• Mobile systems vulnerabilities
• Embedded devices and cyber-physical systems vulnerabilities
• Cryptography
• Site and facility design secure principles
• Physical security
•https://padlet.com/jrobertsonfanshawe/info-6010-cissp-fall-2023-78chii0tlqay1awt
• Read the Key Terms at the end of each chapter and identify
10 terms you didn’t know before.
• Then add those words (and their definitions) to your personal
flashcard deck
Week 2:
Security and Risk Management
News and Current Events…
• Securing the Technology at new London-area Amazon plant
• Is among the top six highly automated plants Amazon operates around the world
• What risks do you perceive that facility must consider?
• Senator seeks tech version of “GI Bill” as AI replaces jobs
• Need to re-educate a million people who will be displaced by AI
• Women are more likely to lose jobs to AI, such as customer-facing,
administrative assistant or support roles since they are “often filled by women”
• Proposed Law Would Create Responsible Emerging Tech
Leaders at Agencies
• would require a senior official at each relevant agency to oversee technologies
like AI, quantum and biotechnology to ensure responsible usage.
• Called the “Oversee Emerging Technology Act”.
• These 7 items should be on your CISO checklist for 2024
For the first 5 minutes, and without going further in your research than what you
know and what we’ve discussed so far, answer the following questions:
Now, in your group of 3 students, share your answers. Any common interests?
Lastly, share your personal answers to the questions above in the week 2 discussion
forum. Remember to respond to at least one post from another student.
•CCNA certification
• Cost $250 USD to write the test
• Must pass CCENT exam first, but any valid Cisco CCENT,
CCNA Routing and Switching, or any CCIE certification can act
as a prerequisite.
• Demonstrates the skills required to develop a security
infrastructure, recognize threats and vulnerabilities to networks,
and mitigate security threats.
• Emphasizes competency in the core security technologies that
Cisco uses in its security structure.
•https://padlet.com/jrobertsonfanshawe/info-6010-cissp-fall-2023-78chii0tlqay1awt
https://www.cyberseek.org/index.html#aboutit
•Information Security Ethics
•ITIL, Cobit, and ISO guidelines/frameworks
•Categories of Access Controls (digital and physical)
•Pen Testing
• Methodologies, stages, strategies and categories
• documentation
•Determining your security posture
•PDCA (Plan Do Check Act) aka “Deming Wheel/Cycle”
•Licences (ex. software) and lifecycle management
•SETA
What is Security Management?
•Security management is the core of any business security
structure
•Objective is to protect company assets
•Core components serve as foundation of a corporation’s
security program
•Goal is to reduce risk to acceptable levels
• Cannot be reduced to zero
•Risk management
•Information Security Policies
• Procedures, Standards, Guidelines
•Information classification
•Security organization
•Security education
3 main security objectives are:
•Availability
• Ensures reliability and timely access to
data and resources to authorized
individuals
•Integrity
• Assurance of the accuracy and reliability
of the information and systems is provided
with no unauthorized modification
•Confidentiality
• Necessary level of secrecy is enforced at
each data handling junction and prevents
unauthorized disclosure
•Confidentiality
• Data in storage or transmitted across can not be read by
unauthorized people
• Attackers can circumvent confidentiality by
• Network traffic sniffing
• Looking over someone's shoulder and stealing passwords or by tricking
someone to reveal their secret information.
• Users can intentionally or accidentally disclose information by
not encrypting it before transmitting it or transporting on storage
devices
• USB, DVD & Laptop
•Integrity
• Restrict access to only authorized users
• System configuration files
• Ensure attackers or user mistakes don’t contaminate data
integrity
• Check data input for reasonable and valid entries
• Data in transit should be encrypted
•Availability
• Systems and networks should have enough capacity for an
acceptable level of performance.
• Able to recover from disruption in a reasonable amount of time.
• Single points of failure should be avoided
• Backup and redundancy mechanisms should be in place
• Appropriate mechanisms in place to avoid inside and outside
threats
CIA is about Criticality and Sensitivity
In other words:
The data (or information) need to be available at the right
time with the right content and to the right people.
•Vulnerability
•Software, hardware, procedural or human weakness that
may provide an entry point for an attacker leading to
unauthorized access.
• Absence or weakness of a safeguard that can be exploited
• Missing patches
• Open Firewall port
• Weak or no physical security
• Unlocked doors
• Unenforced password requirement
•Threat
•Any potential danger to information or systems
• A threat agent is someone or something that will take advantage
of a known vulnerability
• An intruder accessing the network through an open port on a
firewall.
• A process accessing data that violates security policy
• Natural disaster causing damage to a facility
• Tornado, hurricane, fire, flood, lightning
• Environmental control
• Power outage, heat & humidity damage
• Terrorist attacks
•Risk
•The possibility of damage (or harm) and the likelihood that
harm can be realized.
•Measured by probability and impact
•So, risk is the likelihood of a threat agent taking
advantage of a vulnerability to cause harm to an asset
• Firewall with numerous open ports has a greater likelihood of
being exploited. Impact can range from mild to severe.
• If a network does not have an Intrusion Detection device there is
a greater likelihood of network access being unnoticed
• User lack of training in security & processes increase likelihood
of destroying or exposing data
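The slide defines risk as likelihood combined with impact, to be reduced to an acceptable level but never to zero. The following Python risk register is an added example for this lecture, not course or textbook code; the five-point scales, the acceptable-risk threshold and the register entries are constructed, with the entries paraphrasing the slide's own illustrations (open firewall ports, no intrusion detection, untrained users).

```python
"""Qualitative risk register: risk = likelihood x impact, ranked against an
acceptable-risk threshold.  Added example for this lecture, not course or
textbook code.  Scales, threshold and scenarios are constructed."""
from dataclasses import dataclass, replace

# Five-point ordinal scales (constructed; an organization defines its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Score above which a risk is not yet at an "acceptable level" (constructed).
ACCEPTABLE_SCORE = 6


@dataclass(frozen=True)
class Risk:
    asset: str
    threat_agent: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        # Risk is measured by probability and impact together.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Bucket a 1..25 score into the three bands used in the register."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_register(register, acceptable=ACCEPTABLE_SCORE):
    """Return [(risk, score, rating, needs_treatment)], highest score first."""
    rows = [(r, r.score(), rating(r.score()), r.score() > acceptable) for r in register]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def apply_control(risk: Risk, likelihood=None, impact=None) -> Risk:
    """Model a safeguard: it lowers likelihood and/or impact for the same
    threat/vulnerability pair.  Residual risk is never zero (score >= 1)."""
    return replace(risk,
                   likelihood=likelihood or risk.likelihood,
                   impact=impact or risk.impact)


# Constructed register entries modelled on the slide's examples.
REGISTER = [
    Risk("perimeter firewall", "external intruder", "numerous open ports",
         "likely", "major"),
    Risk("internal network", "external intruder", "no intrusion detection",
         "possible", "major"),
    Risk("customer data", "untrained user", "no security training",
         "likely", "moderate"),
    Risk("lobby printer", "visitor", "unlocked door", "possible", "negligible"),
]


def treated_firewall_score() -> int:
    """Closing unused ports lowers likelihood; impact is unchanged."""
    return apply_control(REGISTER[0], likelihood="unlikely").score()


if __name__ == "__main__":
    for risk, score, band, treat in rank_register(REGISTER):
        flag = "TREAT" if treat else "accept"
        print(f"{score:2d} {band:6s} {flag:6s} {risk.asset}: {risk.vulnerability}")
    print("firewall after closing ports:", treated_firewall_score())
```

The register ranks the open-port firewall highest (16, high) and the unlocked lobby printer lowest (3, low, accepted). After the control is applied the firewall entry still scores 8: the control changed the likelihood, not the existence of the risk, which is the "cannot be reduced to zero" point from the earlier slide.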
•Exposure
•An instance of being exposed to losses from a threat
agent
•A vulnerability exposes an organization to possible losses
• A company does not install fire detectors or fire alarms
• Exposed to fire
• A company does not have or enforce a password policy
• Exposed to having password compromised
• Security Controls are parameters, safeguards or
countermeasures implemented to protect data,
infrastructure, and people in an organization.
• Goal of controls is to protect CIA
• Software configuration, hardware device or a procedure that
reduces the likelihood a threat agent will exploit a vulnerability
• A security guard
• Locked door on server rooms
• Data backup policy
• Strong password management
• Anti-Virus Software
• Firewall, AAA & IDS/IPS
•Identify assets. What do you have that is valuable?
• who can help us with this? Might need a team.
•Identify threats against these assets and estimate the
possible damage and potential loss
•Construct a budget with the funds to protect identified
assets and develop applicable security policies that
provide direction for security activities
• Return on investment (ROI)
•Security education and awareness keeps everyone
properly informed and working toward the same security
goal
1. Risk Identification
• Determine risks, identify hazards,
• Who or what can be harmed and how?
2. Implement policies and controls
3. Monitor systems and practices involved
4. Promote awareness
•Determine objectives, scope, policies, priorities and
strategies
•Clear direction for employees to follow
•Identify and value the company’s assets
•Implement security policies, procedures, standards and
guidelines
•Security is not solely the responsibility of the IT
department
•Security program requires a top-down approach
• Direction from senior management through middle management
to staff members
•Allocate necessary resources and funding
• Human, capital, hardware, training
•Assign responsibilities
•Integrate into business environment
•Monitor and measure accomplishments
•Building security program like building a house
• Start with blueprint or plan
• Determine goals and security level required
• Not simple matter of installing firewalls and locking down
computers
•Senior management drives the program to develop
standards, procedures & guidelines for the organization
to guide its decisions and direction
•Senior management appoints a Security Officer (CSO
and/or CISO)
•Security administration may be a single individual or group
of individuals
• based on size and requirement of company
•Security administration requires clear authority and
reporting structure
•Security officer ensures implementation of security policy
• Not solely responsible for development of policy
•Data owners determine what type of access an employee
should have
•Security administration ensures access control is
implemented and monitored
•Data owner is the senior executive or head of department
•Held responsible for data protection and assigning
security classifications
• Can be found negligent if not following due care
3 types of controls: Administrative, Technical, and Physical
•Administrative Controls:
• Developing and publishing of policies, standards, procedures and
guidelines
• Risk management
• Screening of personnel
• Security awareness training
• Implementing change control procedures
•Technical Controls (Logical Controls):
• Primarily for automated or electronic systems
• Configuration of security device & infrastructure
• Implement and maintain access control mechanisms
• Password and resource management
• Identification and authentication methods
• Security devices & infrastructure
•Physical Controls:
• Tangible mechanism (ex. A fence, a lock, a door)
• Controlling individual access into the facility and different
departments
• Locking systems and removing unnecessary drives
• Floppy/CD-Rom, USB
• Protecting the perimeter of the facility
• Monitor for intrusion
• Environmental controls
Layers of control around the asset (figure):
• Physical Controls: access controls, security guards & locks
• Technical Controls: authentication, encryption, security devices
• Administrative Controls: policy, standards, guidelines & procedures
• At the centre: the ASSET or DATA
•Improper understanding of risks can lead to bad security
practices
• This leads to simple and sloppy mistakes and false sense of
security
• Lack of understanding typically leads to believing your opponent
(attacker) is less intelligent than you
•Relying on security through confusion or obscurity is
dangerous
• Example: Leaving a spare house key in your mailbox
• Example: Change web server default port to 8080
• Example: Rename directory
•Planning horizon – What is LIKELY coming up and how
will we prepare for it?
• Not all security systems and changes can be done at same time
•Planning can be organized into 3 areas:
1. Operational
• Short term goals
2. Tactical
• Mid term goals
3. Strategic
• Long term goals
•Operational
• Daily activities
• Have specific goals and timelines
• Perform risk assessment
• Track compliance
• Rollout patches
•Tactical
• Midterm goals
• Integrate all workstations into a domain
•Strategic
• Long term, up to 5 years
• Implement VPNs for all branch offices
• Install wireless
• Implement PKI
Information Security Governance
Ex. CobIT, COSO, ITIL, ISO27000
“Information security governance is all of the tools,
personnel and business processes that ensure that security
is carried out to meet an organization's specific needs”
-Mariana Henlea, 2021
•Often synonymous with terms like “management”,
“authority”, “leadership”, “accountability”, “oversight”, and
“influence”
•Governance is at the top of the organization’s hierarchy
•Governance refers to the structures, systems, and
practices an organization has in place
•Involves all the tools, personnel and processes needed to
ensure a required level of security
•Requires a defined structure of role and responsibilities,
defined tasks, performance measurements and oversight
•Control Objectives for Information (and related) Technology
•Set of best practices developed by
• Information Systems Audit and Control Association (ISACA)
• IT Governance Institute (ITGI)
•CobiT was derived from COSO framework developed by the
Committee of Sponsoring Organizations in 1985 to deal with
fraudulent financial reporting
•Released in 1996, there is now a CobIT 2019
•It’s a framework for examining IT management and
governance
•CObIT presents six principles for a governance system:
1. Meet stakeholder needs,
2. Holistic approach,
3. Dynamic governance system,
4. Distinct governance from management,
5. Tailored to enterprise needs,
6. End-to-end governance system
•Defines goals for the controls that should be used to
properly manage IT
• Ensure IT maps to business needs
•CobiT lays out:
• Executive summaries
• Management guidelines
• Control objectives
• Audit guidelines
• Implementation toolset
•Many compliance audits are built on CobiT framework
• Compliance roadmap has 34 control objectives
CobiT defines 4 domains
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
•Each domain has sub-domains
https://www.slideshare.net/ImanBaradari/cobit-training-course
•There are 5 COSO Areas
• The Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
1. Control Environment
• Management philosophy & operating style
• Company culture toward fraud and ethics
2. Risk Assessment
• Establish risk level
• Manage change
3. Control Activities
• Policies, procedures & practices to mitigate risk
4. Information and Communication
• Organizational structure to ensure information is provided to the right
levels of management
5. Monitoring
• Detect and respond to control deficiencies
https://info.knowledgeleader.com/bid/161685/what-are-the-five-components-of-the-coso-framework
•CobiT is model for IT (Information Technology)
governance
•COSO model for corporate governance
•COSO deals more with strategic level
•CobiT deals more with operational level
•CobiT & COSO identify what is to be achieved not how to
achieve it
•The Information Technology Infrastructure Library
•De facto standard of best practices for IT
•Provides goals and general activities to achieve goals
•Provides steps at process level and expected input and
output values of each activity to achieve goals
•Customizable Framework
•Focus is on the internal service level agreement (SLA)
between the IT department and its internal customers
• Security is only one component
•Set of standards for infosec that describe security processes
and mechanisms
•Provides best practices recommendations on infosec
management (ISMS)
•ISO 27001 has 14 domains (domains are similar to CISSP)
• the revised CISSP has the content from 10 squeezed into 8 new domains- nothing
has been taken away!
•Can be used as blueprint to develop security program
•Companies can implement and be certified to provide
confidence to customers and business partners
• Marketing and business advantage
Reminders for Next Week
• Review Chapters 1-4 (Knowledge Domain #1) of the textbook
• Read the Key Terms at the end of each chapter and identify
10 terms you didn’t know before.
• Then add those words (and their definitions) to your personal
flashcard deck
News and Current Events…
• Hackers Acquire Logins From SMS Phishing & Support Desk Calls
• Targeting businesses with SMS phishing & social engineering
• Goal is access critical systems to steal confidential data and use it to extort
• Australia to build “Cyber Shields” around the country
• will build six cyber shields around the country involving citizens, businesses
and governments to help better protect the country.
• “we won't be alone or in our silos trying to manage this problem”
• Citi Bank Launches Digital Asset Solution for Cash Management
• Unveiled a digital asset solution to enhance cash management and trade
finance capabilities by using blockchain and smart contracts.
• Shutdowns and the ‘avalanche of work’ for government tech shops
• Even if a shutdown doesn’t happen, planning for one has a real cost
• Google pays $93M to settle Android tracking lawsuit
Which term means a potential cause of an unwanted incident, which could result
in harm to a system or organization?
a) Vulnerability b) Exploit c) Threat d) Attacker
• For example:
You are the CISO of a large global retail chain with thousands of physical
stores and a significant online presence. The retail industry has historically
been less focused on information security, but recent cyberattacks on other
retail companies have raised concerns about your organization's vulnerability.
As the CISO, you are tasked with conducting a comprehensive cybersecurity
assessment of the retail chain's operations. While your organization recognizes
the importance of cybersecurity, specific vulnerabilities and areas requiring
improvement are not outlined, giving you the responsibility to identify them.
• How do you approach this scenario? What problems do you see and
how would you solve them (using the domains we’ve discussed)
Assignment #1 – What to expect
Potential problems and questions:
1. What are the critical assets in the retail chain that need protection,
and why are they essential to the company's success?
2. How would you assess and prioritize security risks and
vulnerabilities, considering the global nature of the retail chain?
3. What cybersecurity enhancements do you believe are necessary to
protect customer data, supply chain integrity, and POS systems
effectively?
4. How can the company ensure compliance with relevant data
protection regulations and maintain customer trust in its security
measures?
• You will be put into small breakout groups for this exercise
• Have your microphone ready! Web cameras on if at all possible
Domain #2: Asset Security (~10% of CISSP exam)
List of key topics (page 1 of 2):
• Information/data life cycle
•Data identification, classification and protection
•Data classification policy
•Data/asset retention policies
•Data handling and security controls
•IT Asset Management (ITAM) and Data Management
•Information/data ownership
• Roles and Responsibilities
• Data custodian vs data owner
Domain #2: Asset Security
List of key topics (page 2 of 2):
• Physical asset management
• Asset Management: Inventory, disposal, destruction
• QC vs QA
• (both used to ensure the quality of products or services)
• Protection of privacy information
• Asset handling requirements
• Data compliance requirements
• Data security standards, controls and modelling
• Regulatory compliance and standards: NIST, NIST SP 800
series (ex. 800-14, 800-18, 800-27, etc..), FIPS, ISO 15288
Key terms for Domain #2:
•Asset
•Data Owner
•Data Custodian
•Data (or asset) Lifecycle
•Retention Policy
•Data Destruction
•Privacy (and protecting it)
•Purging
•Scoping
•Recovery
•Tailoring
•Responsibility
•Data Remnants
•Data Security Controls
•Accountability
•Classification (and categorization)
Domain #2…
Understanding the Information Life Cycle
•Acquisition
• Information is acquired by an organization in only one of two ways:
copied from elsewhere or created from scratch.
•Use
• After the information is prepared and stored, it will be read and
modified by a variety of users with the necessary access level. CIA
needs to be maintained by only allowing the right people to access
or modify it.
•Archival
• Information when no longer used regularly needs to be archived
before it is finally disposed of.
•Disposal
• Almost all data will be disposed of at some point. This usually, but
not always, means data destruction. Ensure that the appropriate
data does in fact get destroyed, and that it is destroyed correctly.
The Data Life Cycle (from the textbook): figure of the cycle, beginning with Acquisition
What is…
Information Classification
•What does it mean to classify something?
•Information is rated/classified based on the impact if that
asset was to be compromised:
• Impact of loss
• Impact of disclosure
• Impact of unavailability
•Classification ensures data is protected in the most cost-
effective manner
•Classification indicates level of CIA
•Each level of classification should have its own handling
requirements and procedures
• How users access the data
• If no longer required, how to dispose of data in a safe manner
•Handling data may require encryption when moving from
one location to another
•Using data may require 2 individuals to enter their access
codes
•Destroying data may require physical destruction of
computer hard drives or simply secure wipe whereby a
series of ‘0’ and ‘1’ are written many times to each hard
drive sector
•Gov’t/Military vs. Private Business Classifications
• FOUO (for official use only)
•To classify data an entity must decide on the scheme it
will follow to assign classification to its data
•Military classification can be very different from private
business; as always, it depends on the organization.
•Commercial/Private Classification:
• Confidential
• Private
• Sensitive
• Public
•Military Classification:
• Top Secret
• Secret
• Confidential
• Sensitive but unclassified
• Unclassified
•Common Commercial Classification Scheme
• For Office Use Only
• Proprietary
• Privileged
• Private
•Classification scheme customized for each company
• Ensure each classification is unique and does not overlap
• Do not create too many classifications
• Include handling, usage and disposal procedures for each
classification
• Select criteria used to separate data to each classification
•Classification Controls:
• Ensure you have strict and granular access controls
• Encryption while in transit
• Auditing and monitoring of data usage
• Separation of duties ensuring there is no collusion between
employees
• Periodic reviews of access control processes
• Backup and recovery processes
• Marking and labeling appropriately
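The two preceding slides say a scheme's levels must be unique and non-overlapping and not too numerous, and that each level carries its own handling, usage and disposal controls. The Python below is an added example for this lecture, not course or textbook code, showing one way to make those rules checkable: the four-level scheme, the control names and the inventory snapshot are all constructed, and the controls mirror the slide's list (access control, encryption in transit, auditing, backups, labelling, secure disposal).

```python
"""Classification-driven handling checks.  Added example for this lecture,
not course or textbook code.  Scheme, control names and assets are constructed."""

# Ordered scheme: each level adds handling requirements to the one below it.
LEVELS = ["public", "sensitive", "private", "confidential"]

HANDLING_POLICY = {
    "public":       set(),
    "sensitive":    {"labeled", "access_restricted"},
    "private":      {"labeled", "access_restricted", "encrypted_in_transit",
                     "usage_audited"},
    "confidential": {"labeled", "access_restricted", "encrypted_in_transit",
                     "usage_audited", "backed_up", "secure_disposal"},
}


def validate_scheme(levels, policy, max_levels=5):
    """Check the scheme the way the slides advise: every level is unique,
    levels do not overlap (each strictly extends the one below) and there
    are not too many of them.  Returns a list of problems (empty = ok)."""
    problems = []
    if len(set(levels)) != len(levels):
        problems.append("duplicate classification level")
    if len(levels) > max_levels:
        problems.append(f"more than {max_levels} levels")
    for lower, higher in zip(levels, levels[1:]):
        if lower not in policy or higher not in policy:
            problems.append(f"no handling requirements for {lower}/{higher}")
            continue
        if not policy[higher] > policy[lower]:   # must be a strict superset
            problems.append(f"{higher} does not strictly extend {lower}")
    return problems


def handling_gaps(asset, policy=HANDLING_POLICY):
    """Controls the asset's classification requires but which are not in place."""
    level = asset["classification"]
    if level not in policy:
        raise ValueError(f"unknown classification {level!r}")
    return sorted(policy[level] - asset["controls"])


def audit(assets, policy=HANDLING_POLICY):
    """Map asset name -> missing controls, listing only assets with gaps."""
    return {a["name"]: gaps for a in assets if (gaps := handling_gaps(a, policy))}


# Constructed inventory snapshot (names and states are made up).
ASSETS = [
    {"name": "press-releases", "classification": "public", "controls": set()},
    {"name": "payroll-export", "classification": "confidential",
     "controls": {"labeled", "access_restricted", "usage_audited", "backed_up"}},
    {"name": "vendor-contracts", "classification": "private",
     "controls": {"labeled", "access_restricted", "encrypted_in_transit",
                  "usage_audited"}},
    {"name": "old-hr-laptop-image", "classification": "confidential",
     "controls": {"labeled", "access_restricted", "encrypted_in_transit",
                  "usage_audited", "backed_up"}},
]

if __name__ == "__main__":
    print("scheme problems:", validate_scheme(LEVELS, HANDLING_POLICY))
    for name, gaps in audit(ASSETS).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

Running it reports the payroll export (not encrypted in transit, no disposal procedure) and the old laptop image (no disposal procedure); the public and private assets pass. The strict-superset test in `validate_scheme` is what turns "do not overlap" into something a reviewer can verify rather than a matter of opinion.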
•Data Classification Procedure/Steps
1. Define classification levels
2. Criteria for how data is classified
3. Data owner should classify under their responsibility
4. Identify data custodian who will maintain data and security
5. Indicate security controls or protection for each classification
6. Document any exceptions
7. Indicate process for transferring ownership to different custodian
8. Define procedure for declassifying data
9. Integrate in security awareness training program
• (The order of these steps may change a bit, but you get the idea)
• Classification by itself is simply a system of classes set up by an
organization to differentiate asset values and, therefore, protection levels
• The act of assigning a classification level to an asset is called
categorization.
• All assets should be categorized into a classification system to allow
them to be protected based on value.
https://destcert.com/resources/domain-2-asset-security/
What do we mean by…
Information/data Ownership
•Layers of Responsibility
• Everyone has responsibility
• Both Managers and users should have input into best practices,
procedures and chosen controls
• This ensures agreed upon security level is successfully
implemented and maintained
•Specific roles must be assigned, such as:
• Data owner/controller, Data Custodian, System Owner, Process
Owner (or data processor) and Security Administrator
•Unfortunately, ____ are the weakest link in the Security
chain
•Separation of duties and layers of responsibility ensure a
successful security program
•Appropriate level of training and transparency is required
for everyone to understand their responsibilities within the
company
•Clear structure and chain of command is required
•Clear duty descriptions ensure everyone understands their
role within the company
•Policies ensure everyone understands expected
behaviour.
• Clearly define acceptable and unacceptable behaviour including
enforcement (ex. reprimands & consequences)
•Separation of Duties ensures there is no collusion
amongst employees
• Collusion – Two or more employees working together to cause a
destructive or fraudulent act against the company
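The slides on layers of responsibility give three rules that are easy to state and easy to get wrong in practice: the data owner decides what access an employee gets, nobody should approve their own request (separation of duties against collusion), and using the most sensitive data may require two individuals. The Python below is an added example for this lecture, not course or textbook code, that encodes those three rules as an access-request check; the ownership register, user ids and requests are constructed, and the classification levels reuse the commercial scheme from the earlier slide.

```python
"""Access-request approval with separation of duties.  Added example for
this lecture, not course or textbook code.  Owners, users and requests are
constructed."""
from dataclasses import dataclass, field

# Constructed ownership register: asset -> (classification, data owner id).
DATA_OWNERS = {
    "payroll-db":    ("confidential", "cfo.dana"),
    "crm-export":    ("private", "sales.lee"),
    "intranet-news": ("public", "comms.ana"),
}

# Levels for which the slides' "two individuals" rule applies (constructed).
TWO_PERSON_LEVELS = {"confidential"}


@dataclass
class AccessRequest:
    requester: str
    asset: str
    approvals: list = field(default_factory=list)  # user ids who approved


def evaluate(req: AccessRequest, owners=DATA_OWNERS):
    """Return (granted, reasons).  Every failed rule is reported, so the
    security administrator sees what is missing rather than a bare 'no'."""
    if req.asset not in owners:
        return False, ["asset has no registered data owner"]
    level, owner = owners[req.asset]
    if level == "public":
        return True, ["public data: no approval needed"]

    reasons = []
    distinct = list(dict.fromkeys(req.approvals))   # dedupe, keep order
    # Separation of duties: the requester never counts as their own approver.
    if req.requester in distinct:
        reasons.append("requester cannot approve own request (separation of duties)")
    # The data owner decides what access an employee should have.
    if owner not in distinct:
        reasons.append(f"data owner {owner} has not approved")
    # Two-person rule for the most sensitive data.
    if level in TWO_PERSON_LEVELS:
        others = [a for a in distinct if a != req.requester]
        if len(others) < 2:
            reasons.append("confidential data requires two distinct approvers")
    return (not reasons), (reasons or ["approved"])


def decide_all(requests, owners=DATA_OWNERS):
    """Audit-style summary: (requester, asset) -> (granted, reasons)."""
    return {(r.requester, r.asset): evaluate(r, owners) for r in requests}


# Constructed requests exercising each rule.
REQUESTS = [
    AccessRequest("hr.kim", "payroll-db", ["cfo.dana", "hr.kim"]),   # self-approval
    AccessRequest("hr.kim", "payroll-db", ["cfo.dana", "audit.raj"]),  # ok
    AccessRequest("sales.lee", "crm-export", ["sales.lee"]),          # owner self-approves
    AccessRequest("dev.sam", "crm-export", ["sales.lee"]),            # ok
    AccessRequest("dev.sam", "intranet-news"),                        # public
]

if __name__ == "__main__":
    for key, (granted, reasons) in decide_all(REQUESTS).items():
        print(f"{key}: {'GRANT' if granted else 'DENY'} - {'; '.join(reasons)}")
```

The first request is denied for two reasons at once: the requester is among the approvers, and once that approval is discounted only one other person remains for confidential data. The third shows that even the data owner is subject to separation of duties when the owner is also the requester.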
•CEO – Chief Executive Officer
• Day-to-day management of entire organization
• Often Chairperson of the Board of Directors and is highest
ranking officer in company
• Oversees the company’s finances, budget, strategic vision, business
plan
• Decides on partnerships with other vendors
• Decides how company will differentiate itself from its competitors
•CFO – Chief Financial Officer
• Day-to-day accounting and financial activities
• Responsible for overall financial structure
• Determines the company’s current and future financial needs
• Maintains company capital structure
•Equity, Cash, Credit, Debt
• Oversees budget and financial performance metrics
• Responsible for filing financial statements to regulatory bodies
•CIO – Chief Information Officer
• Reports to CEO or CFO
• Responsible for information technology infrastructure
• Oversee day-to-day technology operations
• Security policy originating from CEO and CIO helps ensure it is
properly implemented
•CPO – Chief Privacy Officer
• Reports to Chief Security Officer
• Newer position
• Oversee appropriate handling and usage of data
• Familiar with outside regulations and market specific legal
requirements
• Usually an attorney by training
•Senior management appoints a Security Officer
•Security administration may be a single individual or group
of individuals
• based on size and requirement of company
•Security administration requires clear authority and
reporting structure
•Security officer ensures implementation of security policy
• Not solely responsible for development of policy
•CSO – Chief Security Officer
• Responsible for understanding company specific risks and
processes used to mitigate these risks
• Must understand business drivers
• Responsible for maintaining company Security Program
• Responsible for compliance with applicable regulations and laws
• Ensures Business is NOT interrupted in any way
•Chief Information Security Officer
•Must have a strong understanding of business processes
and objectives
• Ability to communicate effectively with upper management
• Understand legal regulations and security frameworks
• Develop and maintain security awareness programs
• Develop security budget and report to Board of Directors or
upper management
• Respond to security incident or breach
•Data Owner
• Member of management in charge of specific business unit
• Responsible for specific data subset
• Has due care responsibility to ensure data/information is not
corrupted, destroyed, improperly used or transmitted
• Responsible for appropriate security controls
• Responsible for defining appropriate classification, backup
requirements, approving access controls and approving any
disclosure
• Responsible for dealing with access violations
•Data Custodian
• Responsible for maintaining and protecting data/information
• Responsible for performing regular backups ensuring data is
available
• Responsible for retaining data access information
• Responsible for fulfilling company security requirements
assigned to data/information
•System Owner
• Responsible for one or more systems
• These systems process or hold data/information owned by different
individuals
• Responsible for system purchasing decisions
• Responsible for ensuring adequate access controls and
operating system configurations
• Ensures systems are properly assessed against any
vulnerabilities
•Security Administrator
• Anyone with a root or administrative account on a system
• Ensures software is properly updated
• Responsible for day-to-day system management
• Ensures company policies are properly implemented at the
system level
• Ensures user access to data/information is done according to
security policy
•Supervisor
• Responsible for all user activity and assets created and owned
by these users
• Ensures employees understand their responsibilities
• Security policy
• Account information is accurate
• Take appropriate action when employee role changes
•Fired
•Suspended
•What is a Change Control Analyst?
• Responsible for approving and rejecting change control requests
• Must ensure changes will not introduce any vulnerabilities
• Ensures changes are properly tested and implemented
• Must understand how various changes impact the following
• Security
• Performance
• Productivity
•Data Analyst
• Ensures data is stored in a fashion that makes sense for the
company
• May design or architect a new system
• May advise in purchase of new product
• Works in conjunction with data owners
•User
• Uses data for work-related task
• Must have required level of access
• Responsible for following procedural and operational
requirements to ensure confidentiality, integrity and availability of
data
•The Auditor
• Evaluates security controls within the company
• Performs internal and external evaluation
• Performs unbiased, independent and comprehensive evaluation
of company
• Using a third party (outside the company) ensures an ‘unbiased’ review
•Why So Many Roles?
•Company business processes are complex
• Not everyone is familiar with all processes and requirements
•A system administrator should not be making decisions about
how to implement security or what assets to secure.
• This direction should be given by management
•A managerial position should not be implementing security
countermeasures.
• This should be done by qualified technical individuals
Asset Storage, Retention, and
Retention Policies
Retention Policies
•Developing a retention policy is a must.
• What data do we keep?
• How long do we keep this data?
• Where do we keep this data?
• Answer: For as long as they need it, but how do you determine that?
• To comply with laws and regulations.
• What method do we use to retain?
How We Retain
•In order for retained data to be useful, it must be accessible
in a timely manner.
• Taxonomy: a scheme for classifying data.
• Classification: the sensitivity classification of the data determines
the controls we place on it both while it is in use and when it is
archived.
• Normalization: retained data comes in a variety of formats, so the
original data needs to be tagged so that it is searchable.
• Indexing: retained data must be searchable if we are to quickly pull
out specific items of interest; this is done by building indexes.
eDiscovery
• Discovery of electronically stored information (ESI), or e-
discovery, is the process of producing for a court or external
attorney all ESI pertinent to a legal proceeding.
• The Electronic Discovery Reference Model (EDRM) identifies
eight steps, though they are not necessarily all required, nor are
they performed in a linear manner:
1. Identification of data required under the order.
2. Preservation of this data to ensure it is not accidentally or routinely
destroyed while complying with the order.
3. Collection of the data from the various stores in which it may be.
4. Processing to ensure the correct format is used for both the data and
its metadata.
5. Review of the data to ensure it is relevant.
6. Analysis of the data for proper context.
7. Production of the final data set to those requesting it.
8. Presentation of the data to external audiences to prove or disprove a
claim.
Data Destruction
(and Data Remanence)
Data Remanence
•Data remanence is the residual physical representation of
information that was saved and then erased in some
fashion.
•If the media does not hold confidential or sensitive
information, overwriting or deleting the files may be the
appropriate course of action.
Paper Records
Principles to consider when protecting paper records:
• Educate staff on proper handling of paper records.
• Minimize the use of paper records.
• Ensure workspaces are kept tidy so it is easy to tell when sensitive
papers are left exposed, and routinely audit workspaces to ensure
sensitive documents are not exposed.
• Lock away all sensitive paperwork as soon as you are done with it.
• Prohibit taking sensitive paperwork home.
• Label all paperwork with its classification level. Ideally, also include its
owner’s name and disposition (e.g., retention) instructions.
• Conduct random searches of employees’ bags as they leave the office to
ensure sensitive materials are not being taken home. Not legal
everywhere!
• Destroy unneeded sensitive papers using a crosscut shredder. For very
sensitive papers, consider burning them instead.
Safes
• Safes are used to store backup data tapes, original contracts, or
other types of valuables. The safe should be penetration resistant
and provide fire protection. The types of safes an organization
can choose from are:
• Wall safe: embedded into the wall and easily hidden
• Floor safe: embedded into the floor and easily hidden
• Chests: stand-alone safes
• Depositories: safes with slots, which allow the valuables to be easily
slipped in
• Vaults: safes that are large enough to provide walk-in access
• The combination should be changed periodically and given out only on a
need-to-know or need-to-access basis.
• The safe should be in a visible location, so anyone who is
interacting with the safe can be seen.
Data Leakage
•Data leakage will happen! Leaks of personal information
can cause large financial losses. The costs include:
• Investigating the incident and remediating the problem
• Contacting affected individuals to inform them about the incident
• Penalties and fines to regulatory agencies
• Contractual liabilities
• Mitigating expenses (such as free credit monitoring services for
affected individuals)
• Direct damages to affected individuals
Data Leak Prevention
•Data leak prevention (DLP) is aimed at preventing the loss of
sensitive information. It focuses on the location, classification and
monitoring of information at rest, in use and in motion, to stop the
numerous leaks of information that occur each day.
• The successful implementation of DLP requires significant
preparation and diligent ongoing maintenance.
•Those implementing the solution must take a strategic
approach that addresses risks, impacts and mitigation
steps, along with appropriate governance and assurance
measures
Summary: Expect to be tested on…
• Value of asset classification
• Asset classification steps
• Main differences between labeling and marking
• Cost-effectiveness of different labeling approaches
• The classification process begins with identifying the owners
• Owners are ultimately accountable for an asset
• Understand different roles and responsibilities
• Categories of sanitization
• Most effective/secure method of sanitization
• The best method for dealing with data remanence in the cloud
• Considerations related to data archiving
• Elements of data archiving policies
• Protecting the confidentiality of data being migrated to the cloud
• Why obfuscation is used
Homework
• Review your notes from today’s lesson and update your personal
flashcard deck with any new terms, etc.
• Strategically read the relevant chapters (ch. 5 and 6) in the textbook ‘All
In One CISSP Exam Guide’ 9th Ed.
• Depending on which edition you have, the relevant sections will be in different
places – so use the index.
Reminders for Next Week
1. Plan & Organize
• Establish management commitment
• Establish oversight committees
• Management steering & oversight
• Assess business drivers / goals
• Create a threat profile for the organization
• Conduct a risk assessment
• Develop security architecture at an organizational, application,
network and component level
• Identify solutions per architecture level
• Obtain management approval to move forward
2. Implement
• Assign roles & responsibilities
• Develop and implement security policies, procedures, standards,
baselines & guidelines
• Identify sensitive data (at rest and in transit)
• Implement safeguards/programs
• Implement solutions (per program)
• Develop auditing and monitoring solutions per program (for
compliance purposes)
• Change control procedures
• Incident response
• Establish goals and metrics per program
3. Operate & Maintain
• Follow procedures to ensure that all baselines are met in each
implemented program
• Carry out internal and external audits
• Carry out tasks outlined per program
• Manage service level agreements per program
•Physical Damage
• Fire, Water, Vandalism, Power Loss, Natural Disasters
•Equipment Malfunction
• Failure of Systems or Peripherals
•Human Interaction
• Accidental or intentional action or inaction
•Inside and Outside Attacks
• Hacking, Cracking, Attacking
•Misuse of Data
• Sharing trade secrets, Fraud, Espionage and Theft
•Loss of Data
• Intentional or unintentional loss of data (destructive)
•Application Error
• Computation errors, input errors and buffer overflows
•Companies usually focus on:
• business processes
• Efficiencies
• generating revenue
•Very few people in business are trained in risk management
•Slowly penetrating corporate culture as security becomes
recognized as a business issue
Proper Risk Management
•Requires commitment from senior management
•Requires a documented process
•Must align with and support the corporate mission
•Must have a designated Information Risk Management
Team
•Must have a documented Information Risk Management
Policy
• IRM – Information Risk Management
•Objectives of IRM Policy
• Set objective for IRM team
• Determine level of risk acceptable to company
• Set formal processes of risk identification
• Identify connection between IRM and Corporate Planning
• Define roles and responsibilities that fall under IRM
• Mapping of risk to internal controls
• Set approach to change staff behaviors and resource allocation to
reduce risk
• Mapping of risks to performance, targets and budgets
• Monitoring the effectiveness of controls
•Risk Analysis is a part of overall Risk Management
•Risk Analysis is used to determine whether security is cost
effective, relevant, timely and responsive to threats
•Risk Analysis helps an organization prioritize its risks and decide
how much money should be spent to safeguard against them
•Goal of risk analysis
• Identify assets and their value to organization
• Identify vulnerabilities and threats
• Quantify the probability and impact of these threats
• Provide economic balance between the impact and cost of
countermeasure
•Risk analysis provides a COST/BENEFIT comparison
• Return on investment for installing safeguards
•Risk analysis team must include individuals from all
departments
•Risk analysis team members must understand the
processes within their own departments
•Risk analysis includes
• What event could occur?
• What could be the potential impact?
• How often could it happen?
• What level of confidence do we have in the answers to the above three
questions?
• Most answers to the above questions are gathered through interviews,
internal surveys and workshops
•Assets can have either or both a qualitative and
quantitative value
•Actual value is determined by cost to acquire, develop
and maintain
•Value may be determined by the importance it has to the
owner or user
•Value should reflect all identifiable costs that would arise if
asset were destroyed or impaired
Understanding true value of an asset is first
step in determining what security mechanism
should be in place to protect the asset
•The following should be considered when assigning value
to an asset
• Cost to acquire
• Cost to maintain and protect
• Value to owners and users
• Value of asset to adversaries
• Value of Intellectual Property during development of asset
• Price others are willing to pay for the asset
• Operational and production activities affected if asset is
unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization
•Tangible assets
• Computers
• Facilities
• Supplies
•Intangible assets
• Reputation
• Data
• Intellectual property
• Difficult to put a value on intangible assets
•Some threats may be easier to identify
•Many different types of threat agents can affect different
vulnerabilities
•There may be a delay before a threat or vulnerability is
identified
•Some threats may affect other assets in the form of a
cascading error
• Output from one process may be used as input in second
process
• If first process output has a computational error it affects the
accuracy of second process
•There may be a delayed loss due to a threat
• Such loss may not always be immediate, may be delayed from
few minutes to years
•Example: web server is offline
• Online store is impacted now
• Customers may go to competitor
• Current and future revenue suffers
• May impact year-end bottom line
•These types of issues make identifying and qualifying
threats hard
Quantitative Risk Analysis
•Assign real and meaningful numbers to all elements of
risk analysis process
• Provides concrete probability of threats
• Physical, Network, Software, Internet, Component Failure
•Assign dollar value to risk analysis process
• Asset value
• Safeguard cost
• Business impact
• Threat frequency
• Safeguard effectiveness
• Exploit probabilities
Step 1: Assign Value to Assets
•For each asset answer the following questions
• What is the value of the asset to the company?
• How much does it cost to maintain?
• How much does it make in profits?
• How much would it be worth to my competitors?
• How much would it cost to recreate or recover?
• How much did it cost to acquire or develop?
• How much liability do you face if the asset is compromised?
Step 2: Estimate Potential Loss per Threat
•For each asset answer the following questions
• What physical damage could the threat cause and how much
would it cost?
• What is the value lost if confidential information is disclosed?
• What is the cost of recovering from this threat?
• What is the value lost if critical devices were to fail?
• What is the Single Loss Expectancy (SLE) for each asset and
each threat?
•SLE = (asset value) x (exposure factor)
•EF (exposure factor) = percentage of loss
• For example, a server room worth $100,000 is protected by a fire
suppression system. You estimate a 10% loss in case of fire (EF =
10% or 0.10)
Step 3: Perform a Threat Analysis
•Gather information from all departments about the
likelihood of a threat
•Examine past records and official security resources
•Calculate the Annualized Rate of Occurrence (ARO)
•How many times a threat can take place in a 12 month
period
•ARO = estimated frequency of threat taking place within 1
year period
Step 4: Derive the Overall Annual Potential Loss Per
Threat
•Combine potential loss and probability
•Calculate the Annualized Loss Expectancy (ALE)
•Using information from first 3 steps
•Choose measures to counteract each threat
•Include Cost/Benefit Analysis for each countermeasure
•ALE = (SLE) x (ARO)
•ALE = the dollar value the company can economically justify spending
annually to safeguard the asset
STEP 5: Reduce, Transfer, Avoid or Accept the Risk
•Risk Reduction Methods
• Install Security Controls and Components
• Improve Procedures
• Alter the Environment
• Provide early detection methods to catch the threat as it is
happening
• Erect barriers to the threat
• Carry-out security awareness training
STEP 5: Avoid, Transfer, Mitigate/Reduce, or accept the
Risk
•Risk Avoidance
• Discontinue the activity causing risk
•Risk Transfer
• Buy Insurance
•Mitigate
• Implement controls
•Risk Acceptance
• Live with risk and spend no more money
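The five quantitative steps above, carried through in code. This is an added example, not material from the course slides: it applies the slide formulas SLE = asset value x EF and ALE = SLE x ARO to the slide's server-room figures ($100,000 asset, EF 0.10 for fire) and then runs the Step 5 cost/benefit comparison for candidate countermeasures. The ARO of 0.1, the countermeasures and the risk-appetite threshold are constructed assumptions, and the cost/benefit figure (ALE before, minus ALE after, minus the annual cost of the safeguard) is the standard companion to the ALE formula rather than something the slides state.

```python
"""Quantitative risk analysis (Steps 1 to 5) worked through in code.

Added example, not from the course slides. Formulas from the slides:
    SLE = asset value x exposure factor
    ALE = SLE x ARO
The cost/benefit figure for a countermeasure is the standard companion
formula: value = ALE(before) - ALE(after) - annual cost of the safeguard.
The ARO, the countermeasures and the risk-appetite threshold below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 2: SLE = asset value x EF, where EF is a fraction in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 4: ALE = SLE x ARO, where ARO is expected occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    """A candidate safeguard and its estimated effect on EF and ARO."""
    name: str
    annual_cost: float  # purchase plus upkeep, spread per year
    reduced_ef: float   # exposure factor once the control is in place
    reduced_aro: float  # rate of occurrence once the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float,
                    control: Countermeasure) -> float:
    """Annual value of a control: ALE(before) - ALE(after) - annual cost.

    Positive means the control saves more than it costs each year; negative
    means the company would spend more on it than it expects to lose.
    """
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.reduced_ef),
        control.reduced_aro)
    return ale_before - ale_after - control.annual_cost


def choose_treatment(asset_value: float, ef: float, aro: float,
                     controls: list, risk_appetite: float):
    """Step 5: accept, mitigate, or flag the risk for transfer/avoidance.

    risk_appetite is the ALE the company is willing to live with. If the
    current ALE is within appetite the risk is accepted; otherwise the
    control with the highest positive value is chosen; if no control pays
    for itself, transfer (insurance) or avoidance must be considered.
    """
    ale = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef), aro)
    if ale <= risk_appetite:
        return ("accept", None)
    best: Optional[Countermeasure] = None
    best_value = 0.0
    for control in controls:
        value = safeguard_value(asset_value, ef, aro, control)
        if value > best_value:
            best, best_value = control, value
    if best is None:
        return ("transfer-or-avoid", None)
    return ("mitigate", best.name)


# Figures from the slide: server room worth $100,000, EF 10% for fire.
SERVER_ROOM_VALUE = 100_000.0
FIRE_EF = 0.10
FIRE_ARO = 0.1  # constructed assumption: one fire every ten years

# Constructed candidate controls (not from the slides).
CANDIDATES = [
    Countermeasure("upgraded suppression system", annual_cost=300.0,
                   reduced_ef=0.02, reduced_aro=0.1),
    Countermeasure("fire-rated vault", annual_cost=2_000.0,
                   reduced_ef=0.01, reduced_aro=0.1),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(SERVER_ROOM_VALUE, FIRE_EF)
    ale = annualized_loss_expectancy(sle, FIRE_ARO)
    print(f"SLE = ${sle:,.0f}, ALE = ${ale:,.0f}")
    for c in CANDIDATES:
        v = safeguard_value(SERVER_ROOM_VALUE, FIRE_EF, FIRE_ARO, c)
        print(f"{c.name}: value ${v:,.0f}/yr")
    print(choose_treatment(SERVER_ROOM_VALUE, FIRE_EF, FIRE_ARO,
                           CANDIDATES, risk_appetite=500.0))
```

With the slide's figures the SLE is $10,000 and, at the assumed ARO, the ALE is $1,000 a year; a $300-a-year control that cuts the EF to 2% is worth $500 a year, while a $2,000-a-year vault costs more than the risk it removes and would be rejected on cost/benefit grounds even though it reduces the loss further.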
Qualitative Risk Analysis
•Qualitative analysis does not assign monetary values to
components or losses
•Qualitative analysis examines different scenarios or risk possibilities,
•Rank the seriousness of the threats and the validity of the
different possible countermeasures based on opinions
•Qualitative Techniques Include:
• Judgment
• Best Practices
• Intuition
• Experience
•Examples of Qualitative Techniques:
• Brainstorming, Storyboarding
• Focus groups
• Interviews, surveys & questionnaires
• Team performing the analysis must gather people with
experience and education on the threats being examined
Qualitative analysis drawbacks
• Assessments and results are subjective
• Eliminates the opportunity for cost/benefit discussions
• Difficult to track Risk Management objectives with subjective
measures
• Standards are not available
• Calculations are more complex
• Process is extremely labour intensive
• More preliminary work is required to gather detailed information
• Standards are not available
[Figure: three-step process diagram (STEP 1, STEP 2, STEP 3)]
•Total Risk vs. Residual Risk
•No person or company is 100% safe from risk
•No countermeasure will give you 100% risk reduction
•Risk level remaining after implementing a countermeasure
is referred to as Residual Risk
•If a company chooses not to implement any
countermeasure it is 100% at risk
• This is often referred to as Total Risk
•Once a company knows the risk exposure level they can
choose 1 of 4 actions:
•Transfer Risk
•Reject Risk
•Reduce Risk
•Accept Risk
•Or put another way: Avoid, Transfer, Mitigate or
Accept
•Risk Transfer
• Purchasing Insurance transfers risk to Insurance Company
•Risk Avoidance
• Cease activity which creates or increases level of risk
•Risk Mitigation
• Risk is reduced to level considered acceptable
• Implement Countermeasure
•Risk Acceptance
• Understand level of risk as well as the potential cost of damage
and live with it
• Do Not Implement Countermeasure
•An effective security program must be initiated by senior
management, given appropriate level of authority,
implemented, explained to all employees and monitored
for effectiveness
•Because each employee comes to the company with a
unique set of personal values and experiences, senior
management must implement a top-down approach
ensuring everyone understands their role in implementing
an effective Security Program
Security Policy(ies)
•An overall general statement produced by senior
management that dictates what role security plays within
the organization
•Security policy can address one of the following:
• Organizational Policy
• Issue Specific Policy
• System Specific Policy
•Organizational Policy
• Management determines goals and assigns responsibilities,
• Shows the strategic value of security and outlines how
enforcement should be carried out.
•Organizational Policy Example
• Management outlines general employee conduct policy
addressing local, provincial or federal laws
• This policy may also include vendor specific market regulations.
•Issue Specific Policy
• Also called a functional policy
• Addresses specific security issue(s) that management feels
need more detailed explanation and attention to make sure a
comprehensive structure is built and all employees understand
how they are to comply with these security issues.
•Issue Specific Policy Example
• Email monitoring policy outlining what management may do with
employees’ email.
• May also state employees cannot share confidential information
or state company issued email cannot be used for non business
websites, forums or chat groups.
•System Specific Policy
• Management's decisions that are specific to computers,
networks, applications and data
•System Specific Policy Example
• Management provides an approved software list
• It may also address how computers are to be locked down or
how firewalls and Intrusion Detection systems are implemented
and monitored.
•Identifies assets the company considers valuable
•Provides authority to the security team and its activities
•States the company security goals and objectives
•Outlines personal responsibility
• Provides a reference when conflicts arise
•Helps to prevent unaccounted for events
•Outlines incident response
•Regulatory Policy
• Ensures company is following legal and industry specific
regulations. (Health Care, Financial)
•Advisory Policy
• Outlines acceptable and unacceptable employee behavior.
• Includes possible consequences should policy be broken.
•Informative Policy
• Informs employees of certain topics
• This policy is NOT enforceable
• Used for training
•Standards
• Mandatory activities, actions or rules
• Standards support Policies.
• Standards can be company specific (derived internally) or
mandated by regulatory bodies or governments
•Baselines
• Minimum level of protection required
• Baseline can be a point in time reference for comparison for
future changes.
• All patches and upgrades must be checked and tested to ensure
baseline compliance
•Guidelines
• General guide and recommended actions when a specific
Standard does not apply
•Procedures
• Step by step detailed instruction on specific tasks
• Set up new user accounts
• Lowest level of security policy
• Details of how standards and guidelines are implemented
[Figure: policy hierarchy diagram. Security Policy: strategic goal, the end result. Standards, Baselines and Guidelines: tactical goal, the steps required to achieve the end result.]
•Security policy is a modular document
• It has many parts, or modules
•Parts such as a standard or procedure can be modified as
required without changing the whole document
•Example #1
•Policy
• All corporate data must be backed up
•Standard
• Full back up every week
• Incremental every day
• Store off site
•Procedure
• Step by step instructions for how backup performed
• Detail on how to store backup
•Example #2
•Policy
• All employee user accounts require password protection
•Standard
• Passwords 10 characters long
• Change every 45 days
• Complex
•Procedure
• Steps for setting up user account
• Password change on first login
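Example #2 above, expressed as a check that an account-setup procedure can run. This is an added example and not code from the course: the policy is the requirement (accounts need password protection), the standard supplies the measurable values on the slide (10 characters, complex, changed every 45 days), and the procedure is the sequence followed at account creation and first login. What "complex" means is an assumption made here (at least one upper-case letter, one lower-case letter, one digit and one symbol); the slide only says "Complex".

```python
"""Policy -> Standard -> Procedure from Example #2, expressed as a check.

Added example, not from the course slides. The policy requires password
protection; the standard supplies the measurable parameters on the slide
(10 characters, complex, changed every 45 days); the procedure is the
account-setup sequence (password changed on first login). The definition
of "complex" used here is an assumption: the slide only says "Complex".
"""
from datetime import date
import string

# The Standard: mandatory, measurable values that support the Policy.
MIN_LENGTH = 10
MAX_AGE_DAYS = 45
COMPLEXITY_CLASSES = {           # assumed definition of "complex"
    "upper-case letter": set(string.ascii_uppercase),
    "lower-case letter": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_standard(password: str, last_changed: date, today: date) -> list:
    """Return every way the password fails the Standard (empty = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"length {len(password)} < {MIN_LENGTH}")
    present = set(password)
    missing = [name for name, chars in COMPLEXITY_CLASSES.items()
               if not (present & chars)]
    if missing:
        violations.append("complexity: missing " + ", ".join(missing))
    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        violations.append(f"age {age_days} days > {MAX_AGE_DAYS}")
    return violations


def setup_account_procedure(username: str, initial_password: str,
                            today: date) -> dict:
    """The Procedure: step-by-step account creation enforcing the Standard.

    Step 1: the initial password must itself meet the Standard.
    Step 2: the account is created flagged so that the password is changed
            on first login.
    """
    violations = check_standard(initial_password, today, today)
    if violations:
        raise ValueError(f"initial password for {username} rejected: {violations}")
    return {
        "username": username,
        "password_set_on": today,
        "must_change_on_first_login": True,
    }


def first_login(account: dict, new_password: str, today: date) -> dict:
    """Procedure step at first login: the user sets a fresh password that
    meets the Standard, the 45-day clock restarts and the flag is cleared."""
    violations = check_standard(new_password, today, today)
    if violations:
        raise ValueError(f"new password rejected: {violations}")
    return {**account, "password_set_on": today,
            "must_change_on_first_login": False}


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    acct = setup_account_procedure("jdoe", "Init!Pass2023x", date(2023, 9, 6))
    print(acct)
    acct = first_login(acct, "Autumn-Leaf#42", date(2023, 9, 7))
    print(acct)
    print(check_standard("Autumn-Leaf#42", acct["password_set_on"],
                         date(2023, 11, 1)))  # age violation after 55 days
```

The point of splitting the code this way is the one the slide makes: the numbers live in the standard and can be tightened without rewriting the procedure, and the procedure can be changed without touching the policy statement.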
•Due Diligence
•Determining vulnerabilities and risks.
•Risk analysis
•Due Care
•Implementing countermeasures against risks and
threats
•By developing Policies, Standards, Baselines and
Guidelines a company has taken responsibility for
activities under its control.
•Taken steps to protect assets, employees and resources
from threat.
•Company that does not practice Due Care and Due
Diligence may be legally responsible for its activities
•Information is rated based on
• Impact of loss
• Impact of disclosure
• Impact of unavailability
•Classification ensures data is protected in the most cost
effective manner
•Classification indicates level of CIA
•Each level of classification should have its own handling
requirements and procedures
• How users access the data
• If no longer required, how to dispose of data in a safe manner
•Handling data may require encryption when moving from
one location to another
•Using data may require 2 individuals to enter their access
codes
•Destroying data may require physical destruction of
computer hard drives or simply secure wipe whereby a
series of ‘0’ and ‘1’ are written many times to each hard
drive sector
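The "secure wipe" mentioned above (and the overwriting option on the Data Remanence slide), as an added example that is not part of the course material: a multi-pass overwrite of a file's bytes, flushed to the device after each pass, followed by deletion. The sample file content is constructed for the demonstration. The caveat a practitioner needs is in the docstring: an overwrite only defeats remanence where the file system rewrites the same blocks in place, so on SSDs, copy-on-write or journaling file systems, snapshots, backups and cloud storage the drive's built-in secure-erase, crypto-shredding (destroying the key of encrypted data) or physical destruction are the methods to rely on.

```python
"""Multi-pass overwrite ("secure wipe") of a file before deletion.

Added example, not from the course slides. It writes a pass of 0x00, a
pass of 0xFF and a pass of random bytes over every byte of the file,
forcing each pass to the device with fsync, then unlinks the file. The
sample file content is constructed for the demonstration.

Caveat: the overwrite reaches the physical medium only where the file
system rewrites the same blocks in place. On SSDs (wear levelling),
copy-on-write or journaling file systems, snapshots, backups and cloud
storage the old blocks can survive, so for those the drive's secure-erase
command, crypto-shredding or physical destruction are the methods to use.
"""
import os
import secrets
import tempfile

OVERWRITE_PASSES = (b"\x00", b"\xff", None)  # None means random bytes


def overwrite_file(path: str, chunk_size: int = 64 * 1024) -> int:
    """Overwrite the file in place, pass by pass, without changing its size.

    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in OVERWRITE_PASSES:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass out of the OS cache
    return size


def secure_delete(path: str) -> int:
    """Overwrite, then unlink. Returns bytes overwritten per pass."""
    size = overwrite_file(path)
    os.remove(path)
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """Check whether a marker string is still present in the file's bytes."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def make_sample_file(marker: bytes = b"CONFIDENTIAL payroll export\n",
                     copies: int = 200) -> str:
    """Create a constructed sensitive-looking temp file; return its path."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-", suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * copies)
    return path


def demo_wipe(marker: bytes = b"CONFIDENTIAL") -> dict:
    """Run the whole sequence on a constructed file and report what happened."""
    path = make_sample_file()
    before = contains_marker(path, marker)
    size = overwrite_file(path)
    after = contains_marker(path, marker)
    secure_delete(path)
    return {"marker_before": before, "marker_after": after,
            "bytes_per_pass": size, "file_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo_wipe())
```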
•Military vs. Private Business Classifications
•To classify data an entity must decide on the scheme it will
follow to assign classification to its data
•Military classification can be very different from private
business; as always, it depends on the organisation.
•Commercial Classification:
• Confidential
• Private
• Sensitive
• Public
•Military Classification:
• Top Secret
• Secret
• Confidential
• Sensitive but unclassified
• Unclassified
•Common Commercial Classification Scheme
• For Office Use Only
• Proprietary
• Privileged
• Private
•Classification scheme customized for each company
• Ensure each classification is unique and does not overlap
• Do not create too many classifications
• Include handling, usage and disposal procedures for each
classification
• Select criteria used to separate data to each classification
•Classification Controls:
• Ensure you have strict and granular access controls
• Encryption while in transit
• Auditing and monitoring of data usage
• Separation of duties ensuring there is no collusion between
employees
• Periodic reviews of access control processes
• Backup and recovery processes
• Marking and labeling appropriately
•Data Classification Procedure Steps
• Define classification levels
• Criteria for how data is classified
• Data owner should classify under their responsibility
• Identify data custodian who will maintain data and security
• Indicate security controls or protection for each classification
• Document any exceptions
• Indicate process for transferring ownership to different custodian
• Define procedure for declassifying data
• Integrate in security awareness training program
Roles and Responsibilities
•Layers of Responsibility
• Everyone has responsibility
• Managers and users should have input into best practices,
procedures and chosen controls
• This ensures agreed upon security level is successfully
implemented and maintained
• Specific roles must be assigned, such as:
• Data owner,
• Data Custodian,
• System Owner,
• Process Owner
• Security Administrator, and more (in the slides to follow…)
•Process Owner
• Responsible for properly defining business processes
• Responsible for improving business processes
• Responsible for monitoring processes
• May not be tied to single business unit
•Application Owner
• Business unit managers
• Decide who can and cannot access their applications
• Responsible for security of application
• Ensures right control is in place for application
• Responsible for change control, patching and testing of
application
•Security Analyst
• Works at a higher, more strategic level
• Helps develop policies, standards and guidelines
• Works at the design level rather than the implementation level
•Product Line Manager
• Responsible for explaining business requirements to vendors
• Evaluates different products in the marketplace
• Ensures the vendor's product and service meet company
requirements
• Ensures all licensing requirements are met
• Must understand company business drivers; advises business
units and management
•Supervisor
• Responsible for all user activity and for assets created and owned
by these users
• Ensures employees understand their responsibilities
• Security policy
• Account information is accurate
• Takes appropriate action when an employee's role changes or the
employee is terminated or suspended (e.g., access adjusted or revoked)
•User
• Uses data for work-related tasks
• Must have the required level of access, and no more
• Responsible for following procedural and operational
requirements to ensure confidentiality, integrity and availability of
data
•Solution Provider
• Works with business unit managers, data owners and senior
managers to develop and deploy a solution
• Helps reduce identified problems by offering solutions
•Board of Directors
• Elected individuals that oversee the fulfillment of the corporation's
charter
• Usually a part time position
• Ensure shareholders' interests are being protected
• Independent and unbiased
• Have direct authority over senior management
• Evaluate senior management performance
• Can be held personally responsible for improper corporate
governance
•CEO – Chief Executive Officer
• Day-to-day management of the entire organization
• Often Chairperson of the Board of Directors and the highest
ranking officer in the company
• Oversees the company's finances, budget, strategic vision and business
plan
• Decides on partnerships with other vendors
• Decides how the company will differentiate itself from its competitors
•CFO – Chief Financial Officer
• Day-to-day accounting and financial activities
• Responsible for the overall financial structure
• Determines the company's current and future financial needs
• Maintains the company's capital structure
•Equity, Cash, Credit, Debt
• Oversees budget and financial performance metrics
• Responsible for filing financial statements with regulatory bodies
•CIO – Chief Information Officer
• Reports to the CEO or CFO
• Responsible for the information technology infrastructure
• Oversees day-to-day technology operations
• When security policy originates from the CEO and CIO it carries the
authority needed to be properly implemented
•CPO – Chief Privacy Officer
• Typically reports to the Chief Security Officer (in some organizations
to legal counsel or the CEO)
• Newer position
• Oversees appropriate handling and usage of personal data
• Familiar with outside regulations and market specific legal
requirements
• Usually an attorney by training
•CSO – Chief Security Officer
• Responsible for understanding company specific risks and the
processes used to mitigate these risks
• Must understand business drivers
• Responsible for maintaining the company Security Program
• Responsible for compliance with applicable regulations and laws
• Ensures security controls protect the business without interrupting it
•Under Sarbanes-Oxley legislation
• SOX – US law
• CEO and CFO personally certify the accuracy of financial reports
• Can be fined or jailed for false certification or for not exercising due
care & due diligence on behalf of their company
•IS Security Steering Committee
• Responsible for making tactical and strategic security decisions
• Committee members are individuals from different company
departments
• Is not part of any one business unit within company
• Senior management should be part of this committee
• Committee should meet on a regular basis with well defined
agenda
• Should have a clearly defined vision which falls in line with
company security program
•Audit Committee
• Appointed by the Board of Directors
• Evaluates company operations; oversees internal audit and verifies the
accuracy of financial reporting
• Responsible for the integrity of company financial statements
• Oversees company internal controls
• Verifies company legal and regulatory compliance with
respect to ethical conduct
•Why So Many Roles?
•Company business processes are complex
• Not everyone is familiar with all processes and requirements
•A system administrator should not be deciding which assets to
secure or how security should be implemented.
• This direction should be given by management
•A managerial position should not be implementing security
countermeasures.
• This should be done by qualified technical individuals
•Unfortunately people are the weakest link in the Security
chain
•Separation of duties and layers of responsibility ensure a
successful security program
•Appropriate level of training and transparency is required
for everyone to understand their responsibilities within the
company
•Clear structure and chain of command is required
•Clear duty descriptions ensure everyone understands their
role within the company
•Policies ensure everyone understands expected
behaviour.
• Clearly define acceptable and unacceptable behaviour, including
reprimands
•Separation of Duties ensures no single employee can carry out a
sensitive task alone, so fraud would require collusion
• Collusion – Two or more employees working together to cause a
destructive or fraudulent act against the company
• Collusion is harder to arrange and easier to detect than a lone act,
which is why separating duties raises the bar
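The change control analyst slide and the separation of duties slide above describe the same control from two sides: a change must be requested, approved and implemented by different people. The following is an added example written for these notes, not course material. The role names, the user directory (including "dave", who deliberately holds every role) and the change IDs are constructed assumptions; the point is that a role check alone is not enough, the workflow must also refuse to let one person act twice on the same change.

```python
"""Separation of duties in a change control workflow.

Added example for the slides, not course material: the roles, user directory
and change records below are constructed. The rule demonstrated is the one on
the slides: no single person may request, approve and implement the same
change, so a harmful change needs collusion to get through.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ROLE_REQUESTER = "requester"
ROLE_CHANGE_CONTROL = "change_control_analyst"
ROLE_IMPLEMENTER = "implementer"

# Constructed directory (user -> roles). "dave" deliberately holds every role:
# a role check alone would let him push a change through single-handedly.
USERS = {
    "alice": {ROLE_REQUESTER},
    "bob": {ROLE_CHANGE_CONTROL},
    "carol": {ROLE_IMPLEMENTER},
    "dave": {ROLE_REQUESTER, ROLE_CHANGE_CONTROL, ROLE_IMPLEMENTER},
}


class SeparationOfDutiesError(PermissionError):
    """One person tried to hold two conflicting duties on the same change."""


@dataclass
class ChangeRequest:
    change_id: str
    requested_by: str
    description: str
    approved_by: Optional[str] = None
    implemented_by: Optional[str] = None
    status: str = "requested"  # requested -> approved -> implemented | rejected
    audit_log: List[Tuple[str, str]] = field(default_factory=list)


def _require_role(user: str, role: str) -> None:
    if role not in USERS.get(user, set()):
        raise PermissionError(f"{user} does not hold role {role}")


def _require_second_person(change: ChangeRequest, user: str, *earlier_actors) -> None:
    """Separation of duties: the actor must differ from whoever acted earlier."""
    if user in [a for a in earlier_actors if a is not None]:
        raise SeparationOfDutiesError(
            f"{user} already acted on {change.change_id}; a second person is required")


def submit(change_id: str, requester: str, description: str) -> ChangeRequest:
    _require_role(requester, ROLE_REQUESTER)
    change = ChangeRequest(change_id, requester, description)
    change.audit_log.append(("submitted", requester))
    return change


def approve(change: ChangeRequest, approver: str) -> ChangeRequest:
    """Change control analyst approves; must not be the requester."""
    if change.status != "requested":
        raise ValueError(f"{change.change_id} is {change.status}, not awaiting approval")
    _require_role(approver, ROLE_CHANGE_CONTROL)
    _require_second_person(change, approver, change.requested_by)
    change.approved_by, change.status = approver, "approved"
    change.audit_log.append(("approved", approver))
    return change


def implement(change: ChangeRequest, implementer: str, tests_passed: bool) -> ChangeRequest:
    """Implementer deploys an approved change; must not be the approver, and
    untested (failed) changes are rejected rather than deployed."""
    if change.status != "approved":
        raise ValueError(f"{change.change_id} must be approved before implementation")
    _require_role(implementer, ROLE_IMPLEMENTER)
    _require_second_person(change, implementer, change.approved_by)
    if not tests_passed:
        change.status = "rejected"
        change.audit_log.append(("rejected: tests failed", implementer))
        return change
    change.implemented_by, change.status = implementer, "implemented"
    change.audit_log.append(("implemented", implementer))
    return change


def run_scenario() -> dict:
    """Happy path plus three violations; returns what the workflow decided."""
    outcome = {}
    ok = implement(approve(submit("CHG-100", "alice", "rotate TLS cert"), "bob"), "carol", True)
    outcome["happy_path"] = ok.status
    try:  # dual-role user approves his own request
        approve(submit("CHG-101", "dave", "open firewall port"), "dave")
        outcome["self_approval"] = "allowed"
    except SeparationOfDutiesError:
        outcome["self_approval"] = "blocked"
    try:  # approver tries to deploy the change he approved
        implement(approve(submit("CHG-102", "alice", "disable admin MFA"), "dave"), "dave", True)
        outcome["approver_implements"] = "allowed"
    except SeparationOfDutiesError:
        outcome["approver_implements"] = "blocked"
    try:  # implementer skips approval entirely
        implement(submit("CHG-103", "alice", "hotfix"), "carol", True)
        outcome["unapproved"] = "allowed"
    except ValueError:
        outcome["unapproved"] = "blocked"
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

The audit log on each request is what the auditor role on the earlier slides would review: every state change records who did it, so a violation that somehow got past the check would still be visible after the fact.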
•Management hierarchy must be in place
• Ensures everyone has a manager or supervisor scrutinizing their actions
and work performance
•Rotation of duty
• Cross-trains employees in many different roles
• If an employee stays in a single position for too long they may become
complacent and gain too much influence over a specific process; rotation
also exposes fraud that depends on one person staying in the role
•Mandatory vacation
• Should be enforced for all employees
• Required for employee health
• Also a tool for the company to detect fraud or destructive practices, since
someone else performs the role while the employee is away
•Appropriate screening should be completed before an
employee is hired to ensure the right person is hired for
the job
•A Non-Disclosure Agreement should be discussed and
signed by all employees before hiring
•Comprehensive background and reference checks should be
completed, including:
• Employment, criminal, education and professional credentials
• By completing a comprehensive background check you are
mitigating the possible risk brought to the company by the employee
•Appropriate drug testing should be performed, where legally permitted
•Employment history
• Look for unexplained gaps
•Use a search engine – search the candidate's full name
•Review social websites like Facebook
•Typically it is harder to do background checks after the
individual is hired
• There must be legal grounds for background checks after the fact
•Termination can occur for many reasons
•Company should have a documented procedure
• This can reduce the risk of lawsuits against the company
•Employee must surrender all company issued items
including security badges
•All user privileges should be revoked
•User accounts disabled (not deleted, so logs and file ownership can still
be traced back to the account)
•Passwords for shared or service accounts the employee knew must
be changed
•Security requirements are established by management
through policies, standards and guidelines
•Training outlines expected behaviour and reinforces
common goals and sets appropriate expectations
• Everyone should be familiarized with expected behaviour and
action results based on policies, standards and guidelines
•Security can only be successful if everyone is informed
•Because everyone has different experiences and values,
formal training ensures employees are taught identical
curriculum
•Training is tailored to three broad audiences (mid-management is
treated separately on the following slides)
•Management
• Concerned with high level business goals
•Staff
• Operational business processes and their results
•Technical Staff
• Concerned with operational implementation and monitoring of
processes
•Management
• Short and focused training
• Corporate Assets
• Financial Gains and Losses related with Security
• Negative Impact of Security Breach
• Explain Possible Threats and their Impact
•Mid-Management
• More in depth and detailed training
• Detailed explanation of policies, standards and guidelines
• Explain why security is important to their departments
• Explain their specific responsibility with enforcement
• Understand consequences of non compliance
•Staff
• Detailed training with many examples
• Outline acceptable and unacceptable behavior
• Outline why security is important with examples of
consequences when security is not enforced
• Explain in detail any reprimand or non compliance
consequences
• Use signed document (by each staff) confirming they’ve been
given training and understand consequences of non compliance
• This reinforces Policies, standards and Guidelines
•Tech Staff
• Training requirements which correspond to their daily tasks
• Detailed technical configurations
• Recognizing security breach or compromise situation
• Understand detailed incident handling procedures
• Understand incident reporting structure
• who they report to
•Risk management requires
• Risk analysis to identify assets, vulnerabilities and threats and
consequences
• ROI required to determine business case for safeguards
• Quantitative & qualitative
•Security policy is modular document
• Consists of standards, guidelines, procedures & baselines
•Information classification
• Determines level of protection and responsibility
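The summary slide above says a safeguard needs an ROI case from quantitative risk analysis. As an added example (not from the course slides), here is that calculation carried through with the standard quantitative formulas: SLE = asset value × exposure factor, ALE = SLE × annualized rate of occurrence, and value of a safeguard = ALE before − ALE after − annual cost of the safeguard. The asset value, exposure factors, occurrence rates and safeguard costs are constructed figures for a made-up file server; they are assumptions, not data from the course or any real assessment.

```python
"""Quantitative risk analysis for a safeguard business case.

Added example, not course material. Formulas are the standard quantitative
ones (SLE = AV x EF, ALE = SLE x ARO, safeguard value = ALE before - ALE
after - annual safeguard cost). All figures below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (events per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                            # amortized purchase + yearly operation
    new_exposure_factor: Optional[float] = None   # None: EF unchanged by this control
    new_aro: Optional[float] = None               # None: ARO unchanged by this control


def single_loss_expectancy(threat: Threat) -> float:
    """SLE = AV x EF, rounded to cents."""
    return round(threat.asset_value * threat.exposure_factor, 2)


def annual_loss_expectancy(threat: Threat) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    return round(single_loss_expectancy(threat) * threat.aro, 2)


def residual_threat(threat: Threat, safeguard: Safeguard) -> Threat:
    """The same threat after the safeguard lowers EF and/or ARO."""
    ef = threat.exposure_factor if safeguard.new_exposure_factor is None else safeguard.new_exposure_factor
    aro = threat.aro if safeguard.new_aro is None else safeguard.new_aro
    return Threat(threat.name, threat.asset_value, ef, aro)


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual value; negative means the control costs more than it saves."""
    before = annual_loss_expectancy(threat)
    after = annual_loss_expectancy(residual_threat(threat, safeguard))
    return round(before - after - safeguard.annual_cost, 2)


def rank_safeguards(threat: Threat, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Options ordered by net annual value; only positive values justify the spend."""
    scored = [(s.name, safeguard_value(threat, s)) for s in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: ransomware against a departmental file server.
FILE_SERVER_RANSOMWARE = Threat("ransomware on file server",
                                asset_value=500_000, exposure_factor=0.6, aro=0.25)
OPTIONS = [
    Safeguard("offline backups", annual_cost=20_000, new_exposure_factor=0.1),
    Safeguard("EDR on all endpoints", annual_cost=40_000, new_aro=0.05),
    Safeguard("both plus 24x7 SOC", annual_cost=80_000,
              new_exposure_factor=0.05, new_aro=0.05),
]

if __name__ == "__main__":
    print("ALE with no safeguard:", annual_loss_expectancy(FILE_SERVER_RANSOMWARE))
    for name, value in rank_safeguards(FILE_SERVER_RANSOMWARE, OPTIONS):
        print(f"{name}: net annual value {value:,.2f}")
```

With these constructed numbers the unmitigated ALE is 75,000 per year, offline backups come out ahead of EDR, and the most expensive option has a negative net value: it reduces risk the most but costs more per year than the loss it prevents, which is exactly the business case the ROI step is meant to surface before money is spent. The qualitative side of the slide (likelihood and impact ratings) is not modelled here.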
•Compliance with regulations and policy
• COBIT, ITIL, ISO/IEC 27000 series
•Responsibilities
• All employees have a role
• CEO, CFO to staff
•Security training
• Required to ensure success of the security program
Info 6010 (Week 4)
News and Current Events…
• Watch your step: A new robot will police the NYC subway
• robot is part of a broader push to incorporate emerging technology into the
operations of the nation’s largest police department.
• BORN Ontario child registry data breach affects 3.4 million people
• Better Outcomes Registry & Network suffers a ransomware attack
• Boeing is using Fortnite’s game engine to upgrade B-52s
• Gaming engine is helping Boeing to refit 60-year-old B-52. How will security
architecture play a role?
• What to See at Tech Tactics in Education 2023
• highlights offer the AI, data, and cybersecurity insights you need to navigate
today's evolving technology landscape.
• International Criminal Court attacked by cyber criminals
• Hackers access confidential data of lawyers, court staff, defendants, and
victims.
Your bosses have put you on the team assigned to this client. Your role is to
conduct a comprehensive cybersecurity assessment of the manufacturing
company's operations. The manufacturing company recognizes its vulnerability to
cyber threats (given the recent attack) and seeks expert advice to strengthen its
security posture. The challenge is to provide effective recommendations and
solutions, considering the organization's unique challenges and limited IT
resources.
Questions from Assignment #1
Scenario questions:
1. How would you assess the manufacturing company's cybersecurity needs,
considering its limited IT resources and the recent cyber incidents it has
experienced?
2. What cybersecurity enhancements would you recommend to protect critical
assets, such as production systems and supply chain data, while staying within
the organization's tight budgetary constraints?
3. In what way would you assist the manufacturing company in the development of
a robust cybersecurity culture and awareness among its employees?
4. What strategies would you propose to ensure that cybersecurity improvements
align with the organization's business objectives and do not disrupt production
operations?
5. How will you measure the success of your cybersecurity recommendations and
ensure ongoing security monitoring and improvement?
• You will be put into small breakout groups for this exercise
• Have your microphone ready! Web cameras on if at all possible
Domain #3…
Domain #3: SA&E
List of key topics (page 2 of 2):
• Security capabilities of information systems
• Security architectures, designs, and solution elements
vulnerabilities
• Web-based systems vulnerabilities
• Mobile systems vulnerabilities
• Embedded devices and cyber-physical systems vulnerabilities
• Industrial control systems
• Site and facility design secure principles
• Designing and implementing physical security (ex. CPTED)
In the first tutorial on Domain #3 (I call it “Part 1”), we’ll discuss:
•System architecture
• Computer Architecture
•System Security Architecture
•Trusted computing base and security mechanisms
•Information security software models
• Assurance evaluation criteria and ratings
•Certification and accreditation processes
•Systems Security
• Distributed systems security
•Cloud Computing
• Research, implement and manage engineering processes using secure
design principles
• Understand the fundamental concepts of security models (e.g., Biba, Star
Model, Bell-LaPadula)
• Select controls based upon systems security requirements
• Understand security capabilities of Information Systems (IS) (e.g., memory
protection, Trusted Platform Module (TPM), encryption/decryption)
• Assess and mitigate the vulnerabilities of security architectures, designs
and solution elements
• Select and determine cryptographic solutions
• Understand methods of cryptanalytic attacks
• Apply security principles to site and facility design
• Design site and facility security controls
Part 1: The basics
Systems Architecture
(key components of the architecture)
•Security is best if it is designed and built into the
foundation of anything we build and not added as an
afterthought. Once security is integrated as an important
part of the design, it has to be engineered, implemented,
tested, evaluated, and potentially certified and accredited.
•The security of a product must be evaluated against the
availability, integrity, and confidentiality it claims to provide.
System Evaluation Models/Methods
•There have been different methods of evaluating and
assigning assurance levels to systems (e.g., TCSEC, the "Orange Book",
and ITSEC). Methods and ideologies have evolved over time.
•Now there is a framework known as the Common Criteria,
the only one still of global significance.
•Development began in 1993; version 1.0 was published in 1996
•Also standardized as ISO/IEC 15408
•The most used/popular of the evaluation criteria systems.
Homework
•Review your notes from today’s lesson and update your
personal flashcard deck with any new terms, etc.
Details on Test #1
• Covers all of the material (tutorial lessons, slides, textbook)
from Domains 1, 2, and part of 3
• Domain 1: Security and Risk Management
• Domain 2: Asset Security
• Domain 3: Security Architecture and Engineering (not crypto)
• Out of 90 marks. You will have 120 minutes to complete the test
• Mix of question types (M/C, T/F) (No Short/Long answer )
• NOT OPEN BOOK
• Test is taken remotely, but you must start at 12:00pm Eastern
• If you don’t start by 12:15pm you will receive a zero grade
• Must use a laptop with Respondus LDB and Respondus Monitor
• Password will be provided in an FOL announcement prior to test
Studying for Test #1
• Study in groups (if you can). Discuss/share your flashcards
• Create your own test questions (stump your friends!)
• Maybe even make it a contest!
• Make sure you dedicate time to study. How long do you need?