Jim’s CISSP Notes

1: Security & Risk Management

Security Fundamentals

Goals of Information Security

  • CIA triad

    • confidentiality
      • only authorized users have access to resources
      • keeping secrets from prying eyes
      • disclosure attacks undermine confidentiality
  • integrity

    • protect information from unauthorized changes
    • alteration attacks undermine integrity
  • availability

    • ensure authorized users have access when they need it
    • inability to access may impact the business
    • denial attacks undermine availability
  • controls are aligned with the CIA triad


Confidentiality controls

  • access controls: prevent access to sensitive info by anyone w/o permission
  • encryption
    • protects info at rest or in transit
    • plaintext → ciphertext


Integrity controls

  • ensures that info doesn’t change w/o authorization
  • sources of integrity failures
    • intentional
    • user error
    • hardware/software errors
    • acts of God
  • controls:
    • hashing:
      • creates a message digest from a large file
      • like a fingerprint
      • indicates changes in a file
    • digital signatures:
      • authenticity: recipient can be confident that the message came from the sender
      • non-repudiation: recipient can prove to a third party that the message came from the sender
      • to use:
        • sender:
          • hashes message
          • encrypts w/ private key
        • recipient:
          • decrypts signature w/ public key
          • computes hash
          • compares
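Hashing and the hash-then-sign procedure above, carried through as an added example that is not part of these notes. hashlib supplies the digest; the RSA key is a toy built from two Mersenne primes (2^521-1 and 2^127-1, an assumption chosen so the block runs on the standard library alone), and raw RSA without padding is used only to show the mechanics. The message is constructed. A real system uses a vetted library and a padded scheme such as RSA-PSS or Ed25519, never textbook RSA.

```python
# Added example (not from the notes): hashing for integrity, then a
# hash-then-sign digital signature. TOY key: two Mersenne primes, no padding.
# Real systems: RSA-PSS or Ed25519 from a vetted library.
import hashlib

# Toy key material (assumption: small, publicly known primes; insecure on purpose).
_P = (1 << 521) - 1
_Q = (1 << 127) - 1
N = _P * _Q                          # modulus, ~648 bits, larger than any SHA-256 digest
E = 65537                            # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (modular inverse; Python 3.8+)


def message_digest(data: bytes) -> bytes:
    """Integrity control: fixed-size 'fingerprint' of arbitrary data."""
    return hashlib.sha256(data).digest()


def sign(data: bytes, private_exp: int = D, modulus: int = N) -> int:
    """Sender: hash the message, then apply the private key to the digest."""
    h = int.from_bytes(message_digest(data), "big")
    return pow(h, private_exp, modulus)


def verify(data: bytes, signature: int, public_exp: int = E, modulus: int = N) -> bool:
    """Recipient: apply the public key to the signature, recompute the digest
    locally, and compare. Any change to message or signature fails the check."""
    recovered = pow(signature, public_exp, modulus)
    expected = int.from_bytes(message_digest(data), "big")
    return recovered == expected


# Constructed sample message and its signature.
MESSAGE = b"Transfer 1,000 USD to account 12345"
SIGNATURE = sign(MESSAGE)


def demo() -> dict:
    """Integrity (digest changes) and authenticity/non-repudiation (signature check)."""
    tampered = MESSAGE.replace(b"1,000", b"9,000")
    return {
        "digest_changed": message_digest(MESSAGE) != message_digest(tampered),
        "original_verifies": verify(MESSAGE, SIGNATURE),
        "tampered_verifies": verify(tampered, SIGNATURE),   # altered message
        "forged_verifies": verify(MESSAGE, SIGNATURE + 1),  # altered signature
    }


if __name__ == "__main__":
    print(demo())
```

The digest alone only detects change; anyone can recompute it after altering the file. The signature binds the digest to the sender's private key, which is what gives the recipient authenticity and a third party non-repudiation.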


Availability

  • failure causes

    • attackers
    • component failures
    • application failures
    • utility failures
  • redundant controls

    • protect against failures of a single part of a system
  • high availability

    • protect services against a failure of a single server
  • fault tolerance

    • protect services against disruption from small failures
  • OS and application patching act as a control against availability issues

Security Governance

Aligning security with the business

  • remember that security provides support services to the org
  • security leaders
    • act as SME on CIA for the org
    • also act as a business leader who understands the mission, goals and objectives of the org
    • must balance security needs w/ business needs
      • can be difficult
      • watch for exam questions

Building a Business Case

  • need to justify time and money

  • need to balance security and business

  • need to achieve CIA

  • need to explain to management

  • admin tasks are also important to the business

    • budgets
    • meetings
    • employee performance evals
    • etc

Organizational processes

  • infosec must align w/ business functions and processes

Security governance

  • information governance committee

  • risk management committee

  • board of directors

  • Integrating security governance

    • ensure that governing bodies understand risk and controls
    • inform them of security incidents
    • review audits w/ them
  • find a security governance model that fits the org

Corporate acquisitions

  • require integration of security controls
  • security teams must come together to merge

Corporate divestitures

  • require a separation of controls
  • ties should be cut between orgs

Security roles and responsibilities

  • differ between orgs

Senior management

  • usually the COO or similar position
  • provides oversight
  • funds
  • ensures testing
  • prioritizes business functions → criticality
  • establish strategy / vision / framework
  • sign off on policy, BIA, documents

Steering committee

  • oversight of the infosec program
  • liaison between
    • management
    • business
    • IT
    • infosec

Chief information security officer (CISO)

  • senior-most infosec leader
  • may report to IT org or to the risk management leader
  • leads a team of generalists and specialists

Infosec manager

  • functional management
  • determines the “how”

Business managers

  • the customer
  • determines data classification

Security practitioner

  • in the trenches


Auditors

  • evaluate controls and policies
  • the audit determines compliance
exam tip
auditors should audit and report only! they should not go in and fix issues that they find.

Security Trainers

  • raise awareness
  • create a security-positive environment
  • teach the “why” of what we are doing

Due care

  • fulfilling legal requirements and professional best practices

Due diligence

  • taking reasonable measures to investigate security risks

Control frameworks

  • security controls must cover many different risks
  • this is hard to do, can use security frameworks as a guide
  • control frameworks guide security program design

COBIT (Control Objectives for Information and Related Technologies)

  • business focused control framework

  • six principles

    1. Provide Stakeholder Value
    2. Holistic Approach
    3. Dynamic Governance System
    4. Governance Distinct from Management
    5. Tailored to Enterprise Needs
    6. End-to-End Governance System
  • contains important guidance

ISO (International Organization for Standardization)

  • ISO 27001: requirements for an information security management system (ISMS), including the control objectives
  • ISO 27002: guidance on implementing the controls
  • ISO 27701: privacy information management (extension to 27001)
  • ISO 31000: risk management programs

NIST (National Institute of Standards and Technology)

  • NIST SP 800-53

    • security and privacy controls
    • mandatory for US federal agencies
  • NIST CSF (Cybersecurity Framework)

    • provides common language for cybersecurity risk

    • helps identify and prioritize actions

    • aligns security actions across control types

    • five functions (CSF 1.1; CSF 2.0 adds Govern as a sixth), each divided into categories

      • Identify
      • Protect
      • Detect
      • Respond
      • Recover
    • different value for different orgs

      • some use as a reference
      • some follow more rigidly

Compliance and Ethics

Types of Law

Criminal Law

  • proof beyond a reasonable doubt – makes it hard to prove in a court
  • can involve jailtime

Civil Law

  • preponderance of evidence – a bit easier to prove

Administrative (Regulatory) Law

  • related to standards, governmental requirements
  • usually monetary penalties

Intellectual Property Law

  • protects “property of the mind” – ideas, designs, logos, etc.
  • WIPO (World Intellectual Property Organization) – a UN agency
  • software licensing violations are a common intellectual property failure

Trade Secrets

  • a resource that provides competitive value to an org, ex. McDonald’s “secret sauce”
  • must be kept secret and must give the org a competitive advantage

Liability

  • failure to exercise due care / due diligence by management can be negligence
    • culpable negligence is often used to prove liability
  • prudent man rule
    • perform duties that prudent people would do in a similar situation
  • due diligence
    • doing the necessary research
  • due care
    • taking the necessary actions
  • downstream liabilities

Legal and regulatory issues

  • national, territorial and state laws and regulations protect sensitive info
    • can be tricky: depends on org location, customer location, cloud provider location, etc.
  • PCI DSS (Payment Card Industry Data Security Standard)

    • industry self-regulation (contractual, not a law); applies worldwide to orgs that store, process or transmit payment card data
  • work with legal department to resolve jurisdiction issues

Data privacy

  • orgs must protect info throughout the data lifecycle

  • PII (personally identifiable info)

    • any info that can be traced back to an individual
  • PHI (protected health info)

    • individually identifiable health records governed by HIPAA
  • GAPP (Generally Accepted Privacy Principles):

    • developed jointly by the AICPA and CICA
  • governed by ten principles:

    1. Management
    2. Notice
    3. Choice and Consent
    4. Collection
    5. Use, Retention and Disposal
    6. Access
    7. Disclosure to Third Parties
    8. Security
    9. Quality
    10. Monitoring and Enforcement
  • all ten ensure development of a comprehensive info privacy program

  • ISO 27018: PII in the cloud

  • privacy impact assessments should be done regularly by orgs

Computer crimes

  • some infosec laws involve criminal penalties

  • CFAA (Computer Fraud and Abuse Act)

    • makes hacking illegal
    • prohibits:
      • unauthorized access to computer systems
      • malicious code creation
  • ECPA (Electronic Communications Privacy Act)

    • restricts government interception of electronic communications
  • Identity Theft and Assumption Deterrence Act

    • makes ID theft a federal crime

Software licensing

  • software is important intellectual property
  • it’s protected by software agreements

Software license agreements

  • different types based on use
    • individual use
    • amount of data use
    • location of use
    • number of servers in use
  • agreement types
    • negotiated contracts
      • usually many rounds of back-and-forth between org and vendor
    • click through agreements
      • typically not read
    • shrinkwrap agreements
      • rarely used today

Copyright (©)

  • protects creative works from unauthorized use
  • automatically applied when the work is created
    • registration is not required (though it helps enforcement)
  • lasts for the creator’s life plus 70 years (US, works by an individual author)
  • after that, the work moves into the public domain

Trademark (™, ®)

  • protects words and symbols
  • registration is optional but strengthens protection
    • renewable every 10 years
    • must be in active use; presumed abandoned after 3 consecutive years of non-use (US)
  • ™ may be used on an unregistered mark; ® only after registration with the government


Patent

  • protects inventions
  • requirements
    • novel: is it a new idea?
    • useful: is it of value?
    • non-obvious: you can’t patent the wheel!
  • usually protects for 20 years after filing
  • requires public disclosure (through filing documentation)
    • enters into free-use after patent expires

trade secret

  • alternate to a patent
  • no public disclosure

Import and export controls

  • countries have restrictions on what can come into and out of the country

  • export controls: restrict the flow of goods and data

    • ITAR (International Traffic in Arms Regulations)
      • defense articles
      • plans for defense articles
    • EAR (Export Administration Regulations)
      • covers “dual use” items
        • lasers, GPS, naval equipment, etc.
    • OFAC (Office of Foreign Assets Control)
      • administers restrictions on exports to sanctioned countries

Data breaches

  • consequences
    • reputation damage
    • identity theft
    • fines
  • laws and regulations govern response to breaches
    • industry specs.
      • HIPAA
      • SOX
      • PCI DSS
    • jurisdiction specs.
      • states
      • federal government
      • GDPR
  • common PII elements that can be breached
    • SSN
    • driver’s license
    • bank account #
  • orgs must notify victims and the government
  • encryption can protect the org
    • many notification laws/requirements have an exemption for breached encrypted data


Ethics

  • infosec professionals are bound by codes of ethics
    • org code
    • (ISC)²

(ISC)² Code of Ethics

  • Preamble
    • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
    • Therefore, strict adherence to this Code is a condition of certification.
  • Code of Ethics Canons:
    • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
    • Act honorably, honestly, justly, responsibly, and legally.
    • Provide diligent and competent service to principals.
    • Advance and protect the profession.
(ISC)² members must report violations of code of ethics.

Security Policy

Security policy framework

  • written guidance is crucial to security


Policies

  • foundation of security program

  • compliance is mandatory for all employees

  • approved by highest level of the org

  • not specific — must be able to stand test of time

    • example: “must encrypt all sensitive data,” not “all sensitive data must be encrypted by 3DES”
  • three types:

    • corporate/organization
      • management’s intent
    • system-specific
      • usually for a specific system (e.g. a domain controller)
    • issue-specific
      • change management
        • how to make and track changes. only approved changes are made
      • acceptable use
        • how employees can use company resources
      • privacy
        • employees have an expectation of privacy; if the org monitors or inspects their use, they must be notified.
          notification is vital and best practice.
      • data/system ownership
        • making clear who owns the system and who owns the data
      • separation of duties
        • no one individual has too much power.
        • fraud then requires collusion: the more parties that must cooperate, the less likely it is to succeed
      • mandatory vacations
        • detective control. can detect a bad employee - perform an audit while they are out
      • job rotation
        • detective control. similar concept to mandatory vacations. also provides redundancy.
      • least privilege
        • limits the actions a subject may perform to the minimum needed
      • need-to-know
        • limits the data a subject may access to the minimum needed
      • dual control
        • two people are needed to perform an action
      • M of N control
        • similar concept to dual control but more people. m and n are variables. ex. 4 of 15 admins needed to make a change.
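M of N control (and dual control as the M = N = 2 case) implemented with Shamir secret sharing, as an added example that is not from these notes: a key is split into N shares, any M of them reconstruct it, and M-1 shares reveal nothing about it. The field prime P = 2^127-1 and the 4-of-15 scenario are assumptions; the key is generated at random.

```python
# Added example (not from the notes): M of N control via Shamir secret sharing.
# Assumption: the secret is an integer below the prime P (e.g. a 126-bit key).
import secrets
from typing import List, Tuple

P = (1 << 127) - 1  # Mersenne prime; all arithmetic is in the field GF(P)


def split_secret(secret: int, m: int, n: int) -> List[Tuple[int, int]]:
    """Return n shares (x, f(x)) of a random degree m-1 polynomial with f(0) = secret."""
    if not (1 <= m <= n) or not (0 <= secret < P):
        raise ValueError("need 1 <= m <= n and 0 <= secret < P")
    # f(x) = secret + a1*x + ... + a_{m-1}*x^(m-1); a_i drawn from a CSPRNG
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. With fewer than m distinct shares the
    result is just another field element, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo(m: int = 4, n: int = 15) -> dict:
    """4 of 15 admins, as in the notes' example."""
    key = secrets.randbelow(P)
    shares = split_secret(key, m, n)
    return {
        "quorum_recovers": recover_secret(shares[:m]) == key,
        "other_quorum_recovers": recover_secret(shares[-m:]) == key,
        "below_quorum_recovers": recover_secret(shares[: m - 1]) == key,  # expect False
    }


if __name__ == "__main__":
    print(demo())
```

Any M shares work, not a fixed set, so a change can proceed whichever 4 of the 15 admins are available; below the quorum the reconstruction is wrong rather than merely incomplete, which is what makes this a control and not just a convenience.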


Standards

  • specific details of security controls
  • derive authority from policy
  • less rigorous approval process
  • compliance is mandatory for all employees
  • often draw on benchmarks
    • CIS benchmarks
    • vendor guidelines


Guidelines

  • security advice to the org
  • follow industry best practices
  • not mandatory for all employees
  • “should” not “shall”


Procedures

  • step-by-step processes for activities
  • mandatory or optional
exam tip
policies and standards are mandatory.
guidelines are optional.
procedures can be either mandatory or optional.

Security policies

  • crucial component of cybersec.

Data Security Policy Criteria

  • foundational authority for data security efforts
  • sets clear expectations for data security responsibility
  • guidance for requiring access to data
  • process for granting exceptions to policy

Data Storage Policy

  • appropriate storage locations
  • access control requirements
  • encryption requirements

Data Transfer Policy

  • what data can be transferred
  • transport encryption requirements
  • acceptable transfer mechanisms

Data Lifecycle Policy

  • Data Retention Policy

    • minimum/maximum periods that org will retain different data
      • keep data as long as needed, but no longer
  • Data Disposal Policy

    • proper techniques for disposing of data

Cloud Security Policy

  • what data can be moved / stored in the cloud
  • how the org approves cloud use

Business Continuity

Business continuity planning

  • core responsibility of cybersec professionals
  • controls are designed to keep business running in the face of adversity
  • sometimes called COOP (continuity of operations plan)
  • primary control for maintaining availability

Define scope

  • what business activities should be covered?
  • what systems should be covered?
  • what controls should be considered?

Business impact analysis

  • goal

    • identify and prioritize risk
  • results

    • list of risks and ALE
  • BCP in the cloud is a partnership between the org and cloud provider

Business continuity controls

  • redundancy protects against a failure of a single component

  • single point of failure (SPOF) analysis

    • identifies and removes SPOF
      • examples:
        • web server → replace w/ cluster
        • firewall → add another for high availability pair
    • continues until cost of addressing risk outweighs benefits of implementing fix
    • analysis should consider multiple risks
    • remember to perform succession planning for staff as well
      • who would replace someone if they left?

High availability and fault tolerance

High availability

  • multiple systems protect against a service failure

Fault tolerance

  • protect services against disruption from small failures

Load balancing

  • spreads demand across systems

Common points of failure

  • power supplies
    • moving parts (fans, etc.)
    • high failure rates
    • can be redundant
      • two PSUs on one server
    • data centers can use multiple power suppliers
  • storage
    • RAID
      • RAID-1: stores same data on two disks
      • RAID-5 data striping with parity, 3+ disks
      • RAID provides fault tolerance, it is not a backup plan
  • networking
    • multiple ISPs
    • NIC teaming
    • redundant networking
    • multi-path networking (especially storage)

Redundancy through diversity

  • use diverse…
    • technologies
    • vendors
    • cryptography
    • security controls

Personnel Security

  • important part of the foundation of security
  • security program should be built around it
  • handle security policy violations carefully
    • never handle alone w/o HR, legal, management
  • question to ask: what personal use of org resources are acceptable on the org network w/ org data?
  • education is the best defense against social engineering attacks
  • insider threats are significant
    • 25% of data breaches are from an insider
    • defense
      • background investigation
      • monitoring
      • manager training
      • data loss prevention

Security in the hiring process

  • hiring is an important decision
  • poses a significant threat to the org re: insider threats
  • pre-employment screening new employees prior to hiring

Pre-employment screening

  • criminal record check
  • sex offender registry
  • reference checks
  • education and employment history verification
  • credit check
    • will need candidate consent

Employment agreements

  • should include an NDA
  • should include provisions for asset return
  • include security policy in new hire training and orientation
  • ensure that vendors / contractors / consultants are subject to similar rigorous personnel security program

Internal employee transfers

  • should be trained on new security requirements of new position
  • old privileges should be revoked

Employee termination process

  • all employees will leave
    • voluntarily
    • retirement
    • firings
  • exit interviews are a good tool for gathering info and to debrief employees
    • remind them of their NDA
  • access should be revoked promptly… but not prematurely
    • voluntary/retirement: end of their last day
    • involuntary
      • too soon: show your hand and they will know that they are getting canned
      • too late: disgruntled employee will still have access
  • retrieving property — do so as quickly as possible, likely not to get items back after they are gone
    • keys
    • access badge
    • laptop
    • papers / electronic documents

Employee privacy

  • orgs collect sensitive info about employees
    • sensitive personal info:
      • background check results
      • SSN
      • salary and pay details
      • health / benefits info
  • orgs have a legal and ethical responsibility to protect that info
  • protection is achieved by:
    • minimization

      • collect the minimal amount of info about an employee
      • keep that info for the shortest amount of time needed
    • limited access

      • as few employees as possible should have access to sensitive employee info
    • encryption

    • masking

      • removing portions of sensitive data

Social networking

  • social media can be a valuable business tool
    • outreach
    • advertising
    • recruiting
  • many attacks target legitimate accounts
  • accounts should be protected
    • use MFA

Social media management tools

  • offer post approval flow

  • can schedule posts

  • offer comment management and moderation

  • stats on engagement

  • orgs should evaluate social media carefully

    • treat like a cloud service
  • orgs should adopt a social media policy

    • cover personal use
    • official stances

Conducting investigations

  • security professionals often conduct investigations

Operational or administrative investigations

  • seek to resolve technical issues
  • seek to restore normal operations
  • have a low standard of evidence
  • should end with a root cause analysis

Criminal investigations

  • look into possible crimes
  • involve fines / jail time
  • use the “beyond a reasonable doubt” standard

Civil investigations

  • resolve issues between two parties
  • no fines / jail time
  • use the “preponderance of evidence” standard

Regulatory investigations

  • conducted by government or industry regulators

  • may be civil or criminal in nature

  • interviews are a valuable tool for investigations

    • should always be voluntary
    • involuntary interviews are an interrogation — this should be left to law enforcement

Risk management

Risk identification


  • identify, in order:
    1. assets
    2. threats
    3. existing controls
    4. vulnerabilities
    5. consequences
  • this output feeds into the risk assessment process

Methods to ID risk

  • look!
    • risk documentation
    • incident reports
    • SMEs
    • media

Align with business goals and objectives

  • need to understand the business
  • risk is measured by the business, not the IT system

Org structure and impact on risk

  • risk context – every org is different
  • risk management framework/strategy is universal throughout the org!
  • the three lines of defense model (senior management and the board oversee all three):
    • first line: operational management and users, who own and manage risk day to day
    • second line: risk management and compliance functions, which set policy and oversee the first line
    • third line: internal audit, which provides independent assurance

Risk assessment

  • orgs face a wide variety of cybersecurity risks
  • addressing these risks takes time and money
  • risk assessment identifies and prioritizes risks to make best use of time and money

Key terms

  • asset
    • anything of value to the organization
  • threat
    • external force that jeopardizes security
    • out of the org’s control
  • threat agent
    • an actor who carries out an attack
  • exploit
    • an instance of compromise
  • threat vector
    • way that an external force gains access to a system
  • vulnerability
    • weakness in a security control
    • a lack of a safeguard
    • org can control
  • risk
    • a combination of a vulnerability and a corresponding threat
    • the likelihood that a threat exploits a vulnerability, combined with the resulting impact
    • total risk
      • risk before any controls
    • residual risk
      • leftover risk after controls are implemented
    • secondary risk
      • when one risk response triggers another
  • controls
    • physical, administrative or technical protections against a threat
    • safeguard
      • proactive
    • countermeasure
      • reactive
  • incident
    • a risk event that has happened
risk should be prioritized by likelihood and impact:
  • likelihood
    • probability that a risk will occur
  • impact
    • amount of damage expected
  • qualitative
    • subjective judgement to evaluate risk likelihood and impact
  • quantitative
    • objective numeric value

Qualitative Assessment

  • subjective analysis to help prioritize probability and impact of risk
  • can use the Delphi technique to measure
    • Delphi technique
      • anonymous, iterative rounds of expert surveys until the group converges on a consensus
  • uses terms like: high, medium, low
  • inexpensive / quick way to begin prioritization of risks

Quantitative risk assessment

  • aids in data-driven decision making
  • perform quantitative risk assessment for a single risk and asset

Asset Value (AV)

  • dollar value of an asset
  • techniques for determining
    • original cost
    • depreciated cost (an accounting favorite)
    • replacement cost (a risk manager’s favorite)

Exposure Factor (EF)

  • expected percentage damage to an asset

Single Loss Expectancy (SLE)

  • expected dollar loss if a risk materializes one time
  • SLE = AV × EF

Annual Rate of Occurrence (ARO)

  • number of times a risk is expected to occur each year
  • can be a decimal if not expected annually
    • ex.: once every 20 years = 0.05 ARO

Annual Loss Expectancy (ALE)

  • expected dollar loss in any given year
  • ALE = SLE × ARO
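The AV, EF, SLE, ARO and ALE formulas carried through in code, as an added example that is not from these notes, and extended with the cost/benefit comparison that the risk acceptance strategy in the risk management section relies on (safeguard value = ALE before the control, minus ALE after it, minus the control's annual cost). The data center, flood figures and control options are constructed.

```python
# Added example (not from the notes): quantitative risk assessment for one
# asset and one risk, then a cost/benefit check that picks mitigate vs. accept.
# All dollar figures and rates below are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset_value: float       # AV, dollars (replacement cost, the risk manager's favorite)
    exposure_factor: float   # EF, fraction of AV lost per occurrence, 0..1
    annual_rate: float       # ARO, expected occurrences per year (may be < 1)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor   # SLE = AV x EF

    @property
    def ale(self) -> float:
        return self.sle * self.annual_rate                # ALE = SLE x ARO


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # amortised purchase + yearly operating cost
    new_exposure_factor: float
    new_annual_rate: float


def safeguard_value(risk: Risk, control: Control) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - control cost.
    Positive: the control pays for itself. Negative: the control costs more than
    the expected loss, which is the case for accepting the risk."""
    after = Risk(risk.asset_value, control.new_exposure_factor, control.new_annual_rate)
    return risk.ale - after.ale - control.annual_cost


def choose_response(risk: Risk, controls: Iterable[Control]) -> Tuple[str, Optional[str]]:
    """Mitigate with the highest-value control, or accept if none has positive value."""
    best = max(controls, key=lambda c: safeguard_value(risk, c), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return ("accept", None)
    return ("mitigate", best.name)


# Constructed scenario: a $500k data center; a flood destroys 40% of it and is
# expected once every 20 years (ARO = 0.05, matching the notes' example).
FLOOD = Risk(asset_value=500_000, exposure_factor=0.40, annual_rate=1 / 20)
OPTIONS = [
    Control("raised floor + pumps", annual_cost=3_000, new_exposure_factor=0.10, new_annual_rate=1 / 20),
    Control("relocate to high ground", annual_cost=25_000, new_exposure_factor=0.0, new_annual_rate=0.0),
]

if __name__ == "__main__":
    print(f"SLE=${FLOOD.sle:,.0f}  ALE=${FLOOD.ale:,.0f}")
    for c in OPTIONS:
        print(f"{c.name}: value ${safeguard_value(FLOOD, c):,.0f}/yr")
    print(choose_response(FLOOD, OPTIONS))
```

Here SLE is $200,000 and ALE $10,000; the pumps are worth $4,500 a year while relocation loses $15,000 a year even though it removes the risk entirely. That is the exam point: a control that costs more than the ALE it removes is a reason to accept the risk, not to buy the control.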


Mean time metrics

  • time to restore a service depends on whether a component is repairable
  • mean time to failure (MTTF)
    • average time a non-repairable component will last
  • mean time between failures (MTBF)
    • average time gap between failures of a repairable component
  • mean time to repair (MTTR)
    • average time to return a repairable component to service

Risk management

  • risk management and treatment
    • systematic analysis of potential responses to each risk

    • implementing strategies to control those risks

    • risk profile

      • the full set of risks facing an org
    • inherent, residual and control risk

      • inherent → control applied → residual + control
    • risk appetite

      • how much risk an org is willing to accept
      • control + residual risk ≤ risk appetite

Risk management strategies

Risk avoidance
  • eliminate the activity or condition that creates the risk, reducing it to zero
Risk mitigation (reduction)
  • lessen the probability or the impact of the risk
  • may require several controls
Risk transference
  • shift the impact of risk to another org
  • insurance policy
  • SLAs and contracts determine how much risk is transferred
  • can’t transfer risk completely
you can’t transfer liability!
Risk acceptance
  • accept risk w/o taking further action
  • no mitigation
  • after cost/benefit analysis, cost of the control is determined to be more than the cost of the potential loss
  • sometimes this is the only choice
  • due diligence is still used, we can show that good business decisions were made
  • risk levels and impacts are changing – regular reviews are needed on accepted risk
  • only after thoughtful analysis
Risk rejection
  • not acceptable
  • ignoring the problem… putting your head in the sand

Risk Monitoring/Reporting

  • risk response is based on a risk assessment at a set point in time
  • risk is everchanging
    • controls can become less effective
    • there are new threats, technology, vulnerabilities
  • monitoring is needed

Key Risk Indicators

  • early warning
  • backwards-looking view on risk events
  • documentation and analysis of trends
  • indicates risk appetite / tolerance
  • increase likelihood of achieving strategic objectives
  • assist in risk governance
  • KRIs support:
    • risk appetite
    • risk identification
    • risk mitigation
    • risk culture of the org
    • risk measurement / reporting
    • regulatory compliance
Risk must be managed because it can’t be eliminated!

Security control selection and implementation

  • security controls

    • procedures and mechanisms that an org uses to manage security risks
  • defense-in-depth

    • multiple controls for one objective
  • controls can be categorized by purpose or mechanism of action

    • purpose
      • preventive controls
        • stop a security issue from happening in the first place
        • ex. fences, gates, firewalls
      • detective controls
        • identify a potential security issue that has already happened
        • ex. log reviews, CCTV reviews
      • corrective controls
        • remediate a security issue that has occurred
        • ex. AV software
    • mechanism of action
      • technical controls
        • use technology to achieve security control objectives
      • operational controls
        • human-driven procedures to manage technology in a secure manner
        exam tip
        technical controls are implemented by technology.
        operational controls are implemented by people.
      • management controls
        • improve the security of the risk management program itself
  • false positives and negatives

    • false positive
      • control inadvertently triggers when it shouldn’t
      • reduces confidence in the control
    • false negative
      • control fails to trigger when it should
      • gives admins a false sense of confidence

Ongoing risk management

  • risk control assessments only look at a single point in time

  • control assessments test controls effectiveness

  • ways to measure control effectiveness

    • compromised end-user accounts
    • vulnerabilities in public-facing systems
    • critical findings in web application scans
    • number of data breaches requiring notification

Risk Maturity Model

  • assesses the state of a risk management program

  • five levels of maturity

    1. Ad hoc
    2. Initial
    3. Repeatable
    4. Managed
    5. Leadership
  • security programs should embrace continuous improvement

Risk management frameworks

  • provide proven, time-tested techniques

NIST SP 800-37

  • risk management framework (RMF)
  • inputs:
    • architectural description
    • organizational inputs
  • steps (Rev. 2 adds a preliminary Prepare step before these):
    1. categorize the info system
    2. select security controls
    3. implement security controls
    4. assess security controls
    5. authorize info system
    6. monitor security controls

Risk visibility and reporting

  • orgs need to document and track risk over time

Risk register

  • tracks risk information

    • can be organization-wide or system-specific
    • contains the nature and status of risk
  • contents

    • description
    • category
    • probability / impact
    • risk rating
    • risk management actions taken
  • sources

    • audit findings
    • team members
    • threat intelligence
  • threat intel

    • sharing of risk info
    • may be used strategically or operationally
  • risk matrices / heatmaps

    • used to provide easily digestible information to sr. management

Threat Modeling

Threat intel

  • set of activities that an org takes to…
    • educate itself about the threat landscape
    • adapt security controls to threats
  • allows the security team to stay current on cybersec threats

Open source intel

  • uses publicly available info from various open sources
    • security websites
    • vulnerability databases
    • news media
    • social media
    • darkweb
    • info sharing centers
    • file repos
    • code repos
    • security researchers

Closed source intel

  • many security companies offer proprietary threat intel solutions
    • these solutions may feed into firewalls, proxy servers, IDSs, etc.
  • criteria for evaluating these solutions
    • timeliness
    • accuracy
    • reliability

Intel sharing

  • exchange formats: STIX (structured representation of threat info), TAXII (transport protocol for sharing it), CybOX (observables; folded into STIX 2.x)
  • functions supported by intelligence:
    • incident response
    • vulnerability management
    • risk management
    • security engineering
    • detection and monitoring


ISACs

  • Information Sharing and Analysis Centers
  • bring together teams from competing businesses to share intelligence
  • usually non-profit organizations

Identifying threats

  • threat modeling identifies and prioritizes threats
  • use a structured approach for identification
    • asset-focused
      • use asset inventory for basis
    • threat-focused
      • identify specific threats that may affect each info system
    • service-focused
      • identify impact of threats on a specific service

Threat hunting

  • cybersec used to see role as building an impenetrable defense

  • that’s a naïve approach

    • need to make the “assumption of compromise”
  • threat hunting

    • organized, systematic approach to seeking out indicators of compromise using expertise and analytic techniques
    • threat hunters must think like an attacker
    • develop a hypothesis, then go hunting
  • indicators of compromise

    • unusual binary files
    • unexpected processes running or system consumption (CPU, RAM)
    • deviation in network traffic
    • unexplained log entries
    • unapproved configuration changes
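One hunt over the indicators just listed, as an added example that is not from these notes. It starts from a hypothesis (an attacker dropped an unknown binary, is running it, and changed a config file outside the change process), then compares a current host snapshot against a known-good baseline and the change-ticket log. The hostnames, hashes, CPU figures and ticket IDs are constructed sample data, and the 80% CPU threshold is an assumed tuning value.

```python
# Added example (not from the notes): hypothesis-driven hunt that checks a host
# snapshot for unknown binaries, unexpected resource use and unapproved config
# changes. Baseline, snapshot and tickets are constructed sample data.
from typing import Dict, List, Set, Tuple

# Baseline: (process name, SHA-256 of its binary) known good on each host.
BASELINE: Dict[str, Set[Tuple[str, str]]] = {
    "web01": {("nginx", "aa11"), ("sshd", "bb22"), ("cron", "cc33")},
}

# Current snapshot: (process name, binary hash, cpu_percent) per host.
CURRENT: Dict[str, List[Tuple[str, str, float]]] = {
    "web01": [
        ("nginx", "aa11", 4.0),
        ("sshd", "bb22", 0.1),
        ("cron", "cc33", 0.0),
        ("kworkerd", "dead", 92.5),   # name mimics a kernel thread, unknown hash, pegging CPU
    ],
}

# Config changes seen on the host vs. the approved change tickets.
OBSERVED_CHANGES: Dict[str, List[str]] = {
    "web01": ["/etc/ssh/sshd_config", "/etc/nginx/nginx.conf"],
}
APPROVED_CHANGES: Dict[str, Tuple[str, str]] = {
    "CHG-1042": ("web01", "/etc/nginx/nginx.conf"),
}


def unknown_binaries(host: str) -> List[str]:
    """IoC: a running process whose (name, hash) pair is not in the baseline.
    Matching on the hash catches a trojaned copy of a known name too."""
    known = BASELINE.get(host, set())
    return sorted(p for p, h, _ in CURRENT.get(host, []) if (p, h) not in known)


def hogging_processes(host: str, cpu_threshold: float = 80.0) -> List[str]:
    """IoC: unexpected system consumption (assumed threshold: 80% CPU)."""
    return sorted(p for p, _, cpu in CURRENT.get(host, []) if cpu >= cpu_threshold)


def unapproved_changes(host: str) -> List[str]:
    """IoC: configuration change with no matching change ticket."""
    approved = {path for h, path in APPROVED_CHANGES.values() if h == host}
    return sorted(p for p in OBSERVED_CHANGES.get(host, []) if p not in approved)


def hunt(host: str) -> Dict[str, List[str]]:
    """Run every check; an empty result means the hypothesis was not confirmed."""
    findings = {
        "unknown_binaries": unknown_binaries(host),
        "hogging_processes": hogging_processes(host),
        "unapproved_changes": unapproved_changes(host),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for h in CURRENT:
        print(h, hunt(h) or "clean")
```

No single check here is conclusive on its own (a legitimate upgrade also produces a new hash), which is why the hunt reports all of them together: the same unknown process that is both off-baseline and consuming 90% CPU on a host with an unticketed sshd_config edit is what turns a hypothesis into an incident.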

Supply Chain Risk Management

Managing vendor relationships

  • vendors play crucial role in the IT supply chain

  • business partner due diligence

    • security professionals should pay attention to business partnerships to protect CIA
    • ensure that vendors’ security policies are at least on par with the org’s

Vendor management lifecycle

  • Vendor selection

    • may be formal (using an RFP)
    • may be informal
    • should include…
      • security requirements
      • assessment of vendor’s risk management policies
  • Vendor onboarding

    • verify contract details
    • arrange for secure data transfer
    • establish incident procedures
  • Vendor monitoring

    • conduct site visits
    • review independent audits
    • handle security incidents
  • Vendor offboarding

    • destroy confidential info
    • unwind business relationship
  • may start process again w/ same or different vendor

  • ISO 27036: infosec for supplier relationships

Vendor agreements

  • help facilitate vendor relationships

  • NDAs protect confidential info

  • service level requirements (SLRs)

    • describe requirements of vendor’s services
    • examples:
      • response time
      • availability
      • data preservation
    • SLRs should be documented in an SLA
  • other agreement types

    • MOU: memorandum of understanding
    • BPA: business partnership agreement
    • ISA: interconnection service agreement
    • MSA: master service agreement
    • SOW: statement of work

Security and compliance teams

  • document security and compliance requirements
  • facilitate customer monitoring of compliance
  • ensure the right of audit and assessment

Vendor information management

  • agreements should contain clear data ownership language

Data ownership provisions

  • customer should retain uninhibited ownership of their data
  • vendor’s right to data use should be limited to…
    • activities performed on behalf of the customer
    • activities performed with the customer’s consent
  • agreements should
    • limit data sharing with third parties
    • include data protection provisions

Vendor audits and assessments

  • verify that security controls function properly

  • evaluates security controls

  • provides a report

  • should always begin with a planning process

    • outlines scope of engagement
    • timeline for completion
    • expected deliverables
    • reduces the likelihood of misunderstandings later
  • assessments vs. audits

    • assessment
      • usually requested internally
        • IT staff, management, etc.
    • audit
      • often imposed by external requirements
        • board of directors, regulators, etc.
  • internal vs. external auditors

    • internal auditors
      • work for the org
      • report independently from area being audited
      • work at the request of org leadership
    • external auditors
      • independent firms
      • work at the request of external groups (board, regulators)
  • audits should always have clearly defined scopes

  • user access reviews

    • validate rights and permissions of users’ accounts
  • gap analysis

    • provides a roadmap of future work
    • provides a list of controls that are missing or not functioning

Cloud audits

  • cloud service use adds complexity to audits and assessments
  • use of cloud services expands audit scope
    • not possible to do physically
      • can’t visit every location that a cloud provider maintains
    • cloud providers couldn’t keep up with audit requests from all of their customers
    • must rely on SOC reports

SOC reports

  • system and org controls
    • SOC 1: assurance required for customer financial audits
    • SOC 2: detailed assurance of CIA controls
    • SOC 3: high-level public reporting of CIA controls
  • report types
    • Type I: describes controls that are in place and the suitability of those controls
    • Type II: describes controls that are in place and the suitability of those controls, and results of control testing by the auditor
  • covered by SSAE 18 in the US
  • covered by ISAE 3402 internationally

Security service providers

Managed service provider (MSP)

  • offer managed IT services to customers

Managed security service providers (MSSPs)

  • offer managed IT security services to customers
  • if used, must be carefully monitored and documented
  • examples of services offered
    • management of entire security infrastructure
    • monitoring of system logs
    • management of firewalls and network security
    • performance of IAM
  • exam tip: MSSPs may also be referred to as security as a service (SECaaS)

Cloud access security brokers (CASBs)

  • add a third-party security layer between an org and their cloud service provider
  • network-based CASBs
    • intercept network traffic between the org and cloud
    • monitor traffic for security issues
    • can block access if issue discovered
  • API-based CASBs
    • query cloud service by API and monitor
    • may be limited by API access and what information is available from API

Awareness and Training

  • train your people
  • … through awareness, training and education
  • the goal is to modify employee behavior

Security awareness training

  • security training programs help educate users about risks
  • users can’t follow procedures and rules if they don’t know about them
  • can increase reporting after training… because users now have knowledge of procedures and how to report issues

Security training

  • provides users with detailed info about how to protect the org’s info

  • security training methods

    • in-person classes
    • integration into orientation and onboarding
    • online learning
    • vendor-provided classroom training
  • should use a diversity of training techniques

    • phishing simulations
    • gamification
    • capture-the-flag events
    • security champions that share cybersec messages w/ peers
    • training should be customized based on user roles
  • training frequency

    • initial training during onboarding
    • updated training when users change roles
    • annual refreshers
    • awareness campaigns during the year
  • remember to review training materials periodically to ensure relevancy

Security awareness

  • reminders of lessons learned to keep training in mind

Compliance training

  • orgs often face external requirements to implement security controls

  • compliance programs

    • ensure that org’s infosec controls are consistent w/ laws/regs/standards that govern the org
  • compliance obligations should be a part of security training

  • begin compliance efforts with gap analysis

User habits

  • security training should educate users on good security practices
    • secure password practices
    • clean desk policies
    • data handling practices
    • reminders of NDA terms
    • physical security
      • reminders about tailgating
    • BYOD policy
      • acceptable use
      • security policy
    • acceptable use policy
      • violations
    • social media policies
    • peer-to-peer network policies

Measuring compliance and security posture

  • should measure the effectiveness of security training/awareness efforts
    • simulated phishing
      • directly measures user awareness
  • security awareness surveys
    • measures awareness over time
    • can use results to change training and tactics as needed