CISSP Certification: Security Management Training

Certified Information Systems Security Professional (CISSP) Certification Training Course

CISSP® is a registered trademark of (ISC)² ®


Domain 01: Security and Risk Management
Learning Objectives

By the end of this lesson, you will be able to:

• Analyze information security management for safeguarding organizational assets
• Implement the process of security policy development to ensure compliance with security standards
• Evaluate information risk management strategies for minimizing potential security threats
• Manage personnel security and security function processes for protecting sensitive information
• Analyze instances of computer crime to develop preventive measures
• Develop a business continuity plan (BCP) for ensuring operational resilience during disruptions
Overview of Information Security
What Is Information Security (InfoSec)?

It is the practice of protecting information by mitigating information risks.

It is about safeguarding data from unauthorized access, use, disclosure, disruption, modification, or destruction.

Information can be anything valuable, including customer data, financial records, intellectual property, personal details, and even classified government information.
Why Information Security?

• Digital transformation increases cyber threats, making information security essential to protect sensitive data.
• Information security safeguards both business operations and personal safety, extending beyond traditional IT concerns.
• Security breaches can lead to severe consequences, including identity theft and financial fraud, causing extensive damage.
• Artificial intelligence and deepfakes amplify risks, making robust information security more critical than ever.
Factors Impacting Information Security

• Nature of business
• Security culture
• Legal and regulatory compliance
• Management support
• Risk appetite
• Industry threats


Information Security Management

It describes the controls that an organization needs to implement to ensure that it is sensibly protecting
the confidentiality, availability, and integrity of assets from threats and vulnerabilities.

It ensures the implementation of the following:

• Information security policies
• Standards
• Procedures
• Guidelines
• Baselines
• Information classification
• Risk management
• Security organization
• Security education
Information Security Governance

It is a systematic approach used by organizations to manage and protect their information assets, ensuring confidentiality, integrity, and availability of data.

• It is a structured approach for managing and protecting sensitive data.
• It aligns information security objectives with business goals.
• It implements controls and measures for safeguarding information assets.
• It provides systematic management and protection of information.
Information Security Governance: Principles

The major focus of governance is on:

• Risk management
• Resource management
• Performance measures
• Strategic alignment
• Delivery
Information Security Governance: Goals

It is intended to guarantee that:

• Risks are reduced.
• Security activities are verified with appropriate information.
• Information security investments are appropriately directed.
• Executive management can determine program effectiveness.
Governance, Risk Management, and Compliance (GRC)

It is a comprehensive framework that helps organizations manage their overall risk exposure and ensure compliance with relevant laws, regulations, and industry standards.

This framework helps organizations:

• Governance: Implement effective governance processes and structures
• Risk: Identify, assess, and mitigate risks to protect the organization
• Compliance: Adhere to relevant laws, regulations, and industry standards, ensuring compliance
Governance, Risk Management, and Compliance (GRC)

The following characteristics of GRC must be considered during its implementation:

• It is different for every organization and varies based on the type of organization.
• It depends on an organization’s mission (business), size, industry, culture, and legal regulations.
• Its ultimate responsibility is to protect the organization’s assets and operations, including their IT infrastructure and information.
GRC: Governance

It is the responsibility of the board of directors and senior management of the organization.
GRC: Governance

The goals of governance include:

• Ascertain if risk management is appropriate
• Ensure responsible use of resources
• Ensure that objectives are achieved
• Provide strategic direction


Managing Outsourcing Governance

Outsourcing is the subcontracting of a business process to a third-party company.

Risks associated with outsourcing:
• Loss of control of confidential information
• Accountability
• Compliance

Secure outsourcing:
• On-site assessment
• Document exchange and review
• Policy and process review
GRC: Risk Management

It is the process by which an organization manages risk to acceptable levels. It requires the development and implementation of internal controls to manage and mitigate risk throughout the organization, including:

• Financial and investment risk
• Physical risk
• Cyber risk
GRC: Compliance

It is the act of adhering or the ability to demonstrate adherence to mandated requirements defined by
laws and regulations.

It also includes voluntary requirements resulting from contractual obligations and internal policies.
Overview of Cybersecurity
Cybersecurity

It is the process of securing sensitive data and critical systems from cyber threats.

• It safeguards enterprises from intentional attacks, data breaches, and security incidents, and their consequences.
• It protects information assets by addressing threats to data that is processed, stored, or transmitted across interconnected systems.
Goal of Cybersecurity

The primary objective of cybersecurity is to preserve the confidentiality, integrity, and availability of an organization's critical assets from attack, damage, or unauthorized access.
Why Is Cybersecurity Important?

It is important for the following reasons:

• Increase in cybercrime due to technological advancement
• Shift to online business, demanding protection of generated personal, financial, and operational data
• Presence of crime syndicates, cyber armies, and financial frauds


Difference Between Information Security and Cybersecurity

The two disciplines compared by feature:

Scope
  Information security: Protects all types of information (physical and digital)
  Cybersecurity: Focuses on protecting digital assets and networks

Focus area
  Information security: Ensures confidentiality, integrity, and availability
  Cybersecurity: Defends against cyber threats like hacking and malware

Coverage
  Information security: Broad, covering physical and digital information
  Cybersecurity: Narrow, targeting digital data and systems

Primary concerns
  Information security: Preventing unauthorized access to information
  Cybersecurity: Securing systems and data from online threats

Examples
  Information security: Safeguarding documents and controlling database access
  Cybersecurity: Defending against phishing and securing cloud systems
Impact of Risks of Security on Business

• Reputational and financial loss
• Business interruption loss
• Loss of customer confidence
• Legal action against company
• Intellectual property loss
• Data breach
Terrifying Cybercrime Statistics

The following are some recent trends that make cybersecurity more important:

• In 2023, five billion data breaches compromised approximately 867 million records.

• Over 2.8 million malicious apps were blocked from entering the Google Play Store
during the same year.

• Ransomware attacks on the healthcare industry are expected to increase fourfold soon.

• Cybercrime costs are expected to reach $23.84 trillion by 2025.

• The number of passwords worldwide is expected to reach 350 billion by 2025.

• More than 60% of fraud is projected to originate from mobile devices.

• Personal data is sold for as little as $0.20.

• Encryption is used by 90% of hackers.


Approaches to Cybersecurity

Organizations adopt different approaches to cybersecurity based on their regulatory requirements, specific risks, or lack of structured strategies.

These approaches guide how security measures are implemented to safeguard digital assets:

• Compliance-based: Relies on regulations or standards to determine security implementation
• Risk-based: Relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk
• Ad hoc: Implements security with no rationale or criteria


Overview of (ISC)2 Professional Ethics
(ISC)2 Professional Ethics

The International Information Systems Security Certification Consortium (ISC)2 has established a Code of Ethics outlining the ethical responsibilities of its certified members.

• It serves as a guideline for professional conduct in information security.
• It is critical for maintaining integrity and professionalism in information security.

Every certified professional is expected to adhere to these principles.


(ISC)2 Professional Ethics: Categories

It has the following two categories:

Code of Ethics Preamble
• The safety and welfare of society require adherence to the highest ethical standards.
• One's duty to principals and others also demands visible adherence to these standards.
• Strict adherence to this code is a condition of certification.

Code of Ethics Canons
• Protect society, the common good, necessary public trust and confidence, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
Code of Ethics

Ethics are the principles and values used by an individual to govern their actions and decisions.

A code of ethics provides a general understanding of the ethical or moral responsibilities that the governing body, employees, and volunteers are expected to meet while working for the organization.

An organizational code of ethics expresses the overarching principles or ideals that guide an organization’s decisions and actions when conducting operations and service delivery.
Organizational Code of Ethics

A code of ethics can help the organization to:

Show customers that it values integrity

Define the terms of ethical standard of behavior at work

Guide decision-making in difficult situations


Quick Check

You are working as a CISSP-certified cybersecurity professional at a nonprofit organization. Which of the following ethical obligations are you required to follow?

A. (ISC)2 code of ethics
B. Organizational code of ethics
C. Federal code of ethics
D. RFC 1087
Securing Information with the CIA Triad
CIA Triad

CIA stands for confidentiality, integrity, and availability, which are the primary goals of cybersecurity.
CIA Triad: Confidentiality

Confidentiality means that private or confidential information should not be disclosed to unauthorized individuals.
CIA Triad: Confidentiality

Threats to confidentiality include:

• Intentional attacks (man-in-the-middle attack, packet sniffing, and hacking)
• Accidental leakage (untrained employees)
• Authentication and authorization failures
• Hardware or software failures
• Access to a least-privileged entity
• Improper media sanitization
CIA Triad: Confidentiality

The following are some countermeasures to ensure confidentiality:

• Encryption: Converts information to an unreadable format
• Access control: Prevents users from accessing confidential information without permission
• Administrative policies: Implements confidentiality policy and non-disclosure agreement (NDA) as deterrent controls
CIA Triad: Integrity

Integrity means that information or systems should be protected from intentional, unauthorized, or accidental changes.
CIA Triad: Integrity

The following are the various threats to integrity:

• Intentional alteration (virus attack and database hack)
• Environmental factors (electromagnetic interference)
• System malfunction (improper software configuration)
• Accidental modifications (lack of input validation and training)
CIA Triad: Integrity

The following are some countermeasures to ensure integrity:

• Cryptographic hash: The hash value of a file can be used to figure out if the file has been modified.
• Checksums: They can detect errors and reconstruct missing data.
• Database integrity: Referential and entity integrity ensure logical consistency.
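As an added illustration of the cryptographic hash and checksum countermeasures above (example code written for this page, not part of the original training slides), the following Python records a SHA-256 baseline for a constructed sample file and later flags modification, truncation, or deletion of that file; a CRC32 helper shows a non-cryptographic checksum catching a single flipped bit, which is the accidental-error case a checksum is meant for. The file name, contents, and function names are constructed for the example.

```python
import hashlib
import hmac
import zlib
from typing import Dict

# Constructed sample files (not from the original slides): a known-good export
# and a copy in which one salary figure has been altered.
ORIGINAL = b"payroll_export_v1\nalice,4200\nbob,3900\n"
TAMPERED = b"payroll_export_v1\nalice,4200\nbob,9900\n"


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: any change to the input yields a different digest,
    and an attacker cannot practically craft a different input with the same digest."""
    return hashlib.sha256(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    """Non-cryptographic checksum: cheap detection of accidental corruption
    (bit flips, truncation), but trivially forgeable, so not a tamper control."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit transmission or storage error."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def record_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record known-good digests at a trusted point in time (for example right
    after deployment). In practice the baseline is stored where the monitored
    host cannot rewrite it; otherwise an attacker simply updates both."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare current file contents against the baseline.
    Returns one of OK, MODIFIED, MISSING, or UNKNOWN per file name."""
    status: Dict[str, str] = {}
    for name, content in files.items():
        expected = baseline.get(name)
        if expected is None:
            status[name] = "UNKNOWN"      # file exists but was never baselined
        elif hmac.compare_digest(sha256_hex(content), expected):
            status[name] = "OK"
        else:
            status[name] = "MODIFIED"     # content changed, truncated, or replaced
    for name in baseline:
        if name not in files:
            status[name] = "MISSING"      # baselined file has been deleted
    return status


if __name__ == "__main__":
    baseline = record_baseline({"payroll.csv": ORIGINAL})
    print("clean:    ", verify({"payroll.csv": ORIGINAL}, baseline))
    print("tampered: ", verify({"payroll.csv": TAMPERED}, baseline))
    print("truncated:", verify({"payroll.csv": ORIGINAL[:-4]}, baseline))
    print("deleted:  ", verify({}, baseline))
    # A checksum also catches a single flipped bit, the accidental error case the
    # slide describes; it would not stop a deliberate edit that recomputes the CRC.
    print("crc32 original:", crc32_hex(ORIGINAL),
          "after bit flip:", crc32_hex(flip_bit(ORIGINAL, 5)))
```

The distinction the block makes is the one the slide implies: a CRC32 protects against accidental corruption, while only a cryptographic hash (with its baseline kept out of reach of the system being checked) gives evidence of deliberate modification.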
CIA Triad: Availability

Availability means systems or information must be available on demand according to agreed-upon parameters.
CIA Triad: Availability

Threats to availability include:

• Supply system failures (power outage and Internet downtime)
• Malicious attackers (DDoS and ransomware)
• Environmental issues (fire, earthquake, and tornadoes)
• Device or system failures (system crash)
CIA Triad: Availability

The following are some countermeasures to ensure availability:

• High availability: Ensure system availability at all times
• Backup procedures: Ensure data restoration after a disaster
• Security devices: Prevent DoS/DDoS attacks by deploying an intrusion prevention system (IPS) and a web application firewall (WAF)
Quick Check

You are working as a web architect, designing a new website using multiple small web servers behind a load balancer. What principle of information security are you enforcing?

A. Denial
B. Confidentiality
C. Integrity
D. Availability
Overview of IT Security
IT Security

It refers to the practice of protecting an organization’s information technology systems and data from
threats such as unauthorized access, data breaches, and cyberattacks.

It aligns security strategies with the organization's goals, mission, and objectives to protect business
operations from security risks while achieving desired outcomes.
IT Security with Organizational Goals, Mission, and Objectives

• Goals: Define what the organization desires to achieve
• Mission: Help in creating long-term and short-term strategies
• Objectives: Indicate how it will proceed to achieve them
Aligning IT Security with Goals, Mission, and Objectives

It can be aligned with organizational goals, mission, and objectives in the following ways:

Reducing risk
• It involves protecting the organization’s assets and processes through appropriate activities and controls.
• It also helps to identify priority tasks and divert resources to achieving security goals.

Senior management support
• It aids security professionals to be involved in and influence the organization’s core activities.
• It makes one aware of IT assets and goals, mission, and objectives of the organization.
Overview of Control Framework
Control Framework

It is a data structure that comprises a set of an organization's internal controls, which includes the practices and strategies built to enhance business processes and minimize risk.

It is a set of controls that protects data within the IT infrastructure of a business or another entity.

It acts as a comprehensive security protocol that protects against fraud or theft from a spectrum of outside parties, including hackers and other kinds of cyber criminals.

Examples

• COBIT (Control Objectives for Information and Related Technologies)
• ISO 17799/27001
Control Framework

Examples of a control framework can be seen here, listed by function identifier, function, and category:

ID  Identify
    • Asset management
    • Business environment
    • Governance
    • Risk management
    • Risk management strategy
    • Supply chain risk management

PR  Protect
    • Identity management and access control
    • Awareness and training
    • Data security
    • Information protection process and procedures
    • Maintenance
    • Protective technology

DE  Detect
    • Anomalies and events
    • Security continuous monitoring
    • Detection processes

RS  Respond
    • Response planning
    • Communications
    • Analysis
    • Mitigation
    • Improvements

RC  Recover
    • Recovery planning
    • Improvements
    • Communications
Overview of Security Frameworks and Standards
Security Frameworks and Standards

The CISSP certification emphasizes various security frameworks and standards that are essential for designing, managing, and governing information security programs.

The following are the key security frameworks and standards commonly referenced in CISSP:

• ISO/IEC 27000 Series (ISO/IEC 27001 and ISO/IEC 27002)
• COBIT (Control Objectives for Information and Related Technologies)
• PCI DSS (Payment Card Industry Data Security Standard)
• NIST (National Institute of Standards and Technology) Frameworks
ISO/IEC 27001:2022

ISO 27001 is an international standard that outlines the requirements for an information security management system, helping organizations establish, implement, maintain, and continuously enhance their information security practices.

Changes in the 2022 revision:

• 14 security domains are reduced to four domains.
• 114 controls are reduced to 93 controls.
• 57 controls are merged.
• 11 controls are added.
• Three controls are deleted.
• 35 controls remain unchanged.

Domains and controls count:

1. Organizational controls: 37
2. People controls: 8
3. Physical controls: 14
4. Technological controls: 34
ISO/IEC 27002:2022

• It provides guidelines for organizational information security standards and management practices, including the selection and implementation of controls.
• It considers the organization's information security risk environment when managing these controls.

It is designed to be used by organizations that intend to:

• Select controls within the process of implementing an Information Security Management System
based on ISO/IEC 27001
• Implement commonly accepted information security controls
• Develop their own information security management guidelines
Control Objectives for Information and Related Technologies (COBIT)

It is issued by ISACA® (Information Systems Audit and Control Association) and helps companies map their IT process to ISACA® best practices and standards.

COBIT principles:

• Meeting stakeholder needs
• Covering the enterprise end-to-end
• Applying a single integrated framework
• Enabling a holistic approach
• Separating governance from management
Payment Card Industry Data Security Standard (PCI DSS)

It is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

Visa, MasterCard, and American Express established PCI DSS as a security standard.

All organizations or merchants that accept, transmit, or store cardholder data, regardless of the size or number of transactions, must comply with this standard.
Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS merchant levels:

• Level 1: more than 6 million transactions/year
• Level 2: 1 – 6 million transactions/year
• Level 3: 20,000 – 1 million transactions/year
• Level 4: fewer than 20,000 transactions/year


PCI DSS Requirements

The following are the criteria to be considered:

• Install and maintain a firewall configuration to protect cardholder data

• Do not use vendor-supplied defaults for passwords or other security parameters

• Protect stored cardholder data

• Encrypt transmission of cardholder data across open, public networks

• Protect all systems against malware and regularly update anti-virus software

• Develop and maintain secure systems and applications

• Restrict access to cardholder data

• Identify and authenticate access to system components

• Restrict physical access to cardholder data

• Track and monitor all access to network resources and cardholder data

• Regularly test security systems and processes

• Maintain a policy that addresses information security for all personnel


NIST 800-53

It is a framework developed by NIST for securing information systems.

Goal: Safeguard organizations from cyberattacks, natural disasters, and human errors. While non-federal organizations are not required to adhere to it, they may need to do so as part of a contract or agreement with federal organizations.

It is designed to be used by federal organizations that intend to:

• Protect information systems from potential threats
• Reduce the risk of security incidents and improve overall security posture
• Be compliant with US federal government standards
• Allow customization to suit specific organizational needs
• Enhance the protection of sensitive information
Due Care

It is a legal term that pertains to the legal duty of the organization. Lack of due care is considered negligence.

Due care shows that a company has taken:

• Responsibility for the activities that take place within the corporation
• Necessary steps to protect the company, its resources, and its employees from possible threats
• Reasonable care in protecting the organization
Due Care: Examples

• Training employees in security awareness
• Mandating statements from the employees stating that they have read and understood appropriate computer behavior
• Deploying firewalls in the organization
Due Diligence

It is the act of understanding and investigating the risks the company faces, including those for which it might not be legally liable.

• It means practicing the activities that maintain the due care efforts.
• It pertains to the best practices that a company should follow.
Due Diligence: Examples

• Ensuring that the security controls are regularly monitored and frequently updated
• In the case of firewalls, regularly monitoring security controls and updating rules depending on the requirement
Quick Check

A company is reviewing its policies and practices to ensure effective oversight and direction of its information security initiatives. What primarily drives information security governance in this context?

A. Regulatory requirements
B. Security policies
C. Business strategy
D. Threat assessment
Legal and Regulatory Issues Pertaining to
Information Security
Cybercrimes

These are offenses committed with criminal intent to harm an individual's or group's reputation or cause physical or mental harm directly or indirectly.

These crimes are carried out using modern telecommunication networks, such as the Internet, through chat rooms, emails, notice boards, groups, and cell phones through SMS or MMS.
Computer Crimes

It involves a computer and a network.

Computer-related crimes have increased due to the:

• Connectivity of the Internet
• Low costs of computational resources

Examples: Cracking, copyright infringement, child pornography, and child grooming


Categories of Computer Crimes: Computer-Assisted Crime

These are criminal activities carried out using computers as mere tools and are not specific to computers.

Examples: Fraud, distributed denial of service attacks, counterfeit, theft, and child pornography

Note: 80% of all criminal investigations include evidence that is digital in nature.
Categories of Computer Crimes: Computer as Target of Crime

These are criminal activities focused on systems, servers, networks, and the data stored on these systems.

Examples: Sniffing, denial of service, password attacks, viruses, digital identity theft, and computer hacking

Note: These crimes target information systems and the underlying architecture.
Categories of Computer Crimes: Computer Incidental to Crime

In these types of crimes, the computer is related or incidental to the crime.

Examples: Logging and recording of the list of customers for traffickers or online activities, whether based on the Internet or cell phones

Note: These crimes occur without the use of computers.
Legislative Concepts

It refers to the systems of rules and legal principles that govern relationships and regulate behaviors within societies. The concepts covered here are:

• International law
• Federal laws
• State law
• Common law
• Criminal law
• Tort law
• Administrative law
• Privacy law
• Restatement (Second) of Conflict of Laws
Legislative Concepts: International Law

It is a complex system of rules governing relationships between states, international organizations, and individuals.

It is derived from:

• Treaties
• Customs
• International organizations
• General principles of law
Legislative Concepts: Federal Laws

These laws govern the entire country.

Example

• If a person robs a bank, they commit a federal crime and are therefore subject to federal prosecution and punishment.
• However, such cases are often handled by the states, as they have their own prescribed laws for such offenses.

Generally, the issues of jurisdiction and subsequent prosecution are worked out in advance between law enforcement and court jurisdictional bodies.
Legislative Concepts: State Law

It refers to the law of each state in the United States.

Examples: Speed limits, state tax laws, and criminal code

Note: Federal laws are usually more comprehensive and may often supersede state laws.
Legislative Concepts: Common Law

Legal systems in countries like the United States, Canada, and the United Kingdom emphasize judicial precedent as a determinant of law.

It has three branches of law:

• Criminal law
• Civil law or tort law
• Administrative or regulatory law
Legislative Concepts: Criminal Law

It addresses behavior that is harmful to society.

It includes punishments, such as monetary fines, imprisonment, and death.

It is the prosecution’s responsibility to prove guilt beyond a reasonable doubt.
Legislative Concepts: Tort Law

It is a body of rights, obligations, and remedies that sets out reliefs for persons suffering harm due to the wrongful acts of others.

Tort actions are not dependent on an agreement between the parties involved in a lawsuit.

Tort law serves four objectives:

• Compensates victims for injuries suffered by the culpable action or inaction of others
• Shifts the cost of injuries to the person or persons responsible for inflicting them
• Discourages injurious, careless, and risky behavior in the future
• Vindicates legal rights and interests that are compromised, diminished, or emasculated
Legislative Concepts: Administrative Law

These are laws and legal principles that address several areas. These include:

• Manufacturing
• Environment
• Immigration
• International trade
Legislative Concepts: Privacy Law

It includes language indicating that personal information must be destroyed when its retention is no longer required.

Privacy is the right of an individual to determine when, how, and to what extent one releases personal information.
Legislative Concepts: Restatement (Second) of Conflict of Laws

It is the basis for deciding which laws are more appropriate when there are conflicting laws in different states.

The conflicting legal rules come from US federal laws, the laws of the states of the United States, or the laws of other countries.
Intellectual Property (IP) Law

It is designed to protect both tangible and intangible items and properties from those who want to copy or use them without due compensation to the inventor or creator.

IP law categories

• Industrial property: Inventions or patents, trademarks, industrial designs, and geographical indications of source
• Copyright: Novels, poems, plays, films, musical works, drawings, paintings, photographs, and sculptures and architectural designs
Types of Intellectual Property (IP) Law: Patent

A patent grants the owner a legally enforceable right to exclude others from practicing the invention.

• It protects new, useful, and nonobvious inventions.
• It is applicable for 20 years.
• After the expiry of a patent, the invention is open to the public domain.
Types of Intellectual Property (IP) Law: Patent

To receive a patent, the following three requirements must be satisfied:

• The invention should be new and an original idea.
• The invention must be useful.
• The invention must not be obvious.
Types of Intellectual Property (IP) Law: Trademark

A trademark protects the goodwill a merchant or vendor invests in the products.

• It grants exclusive rights to the owner of the trademark.
• It consists of any word, name, symbol, color, sound, product shape, device, or a combination of these.
• It is registered with a government registrar.
Types of Intellectual Property (IP) Law: Trademark

A trademark must adhere to the following conditions:

• The trademark should not be descriptive of the goods or services that one offers.
• One trademark must not be similar to another trademark.
Types of Intellectual Property (IP) Law: Copyright

Copyright covers the expression of ideas and usually protects artistic properties, such as writing, recordings, databases, and computer programs.

• The duration of protection is longer.
• Works of one or more authors are protected until 70 years after the death of the last surviving author.
• Anonymous works are protected for 95 years from the first publication or 120 years from creation, whichever is shorter.
Types of Intellectual Property (IP) Law: Copyright

Digital Millennium Copyright Act (DMCA)
• It is a controversial US DRM law designed to update copyright laws to address the challenges of regulating digital material.
• Nonprofit organizations are exempted from this act.

DMCA takedown notice
• It is a notice given to a web host or search engine, informing them that they are hosting or linking to copyright-infringing material.
• It provides them a notice to remove the copyrighted works.
Types of Intellectual Property (IP) Laws: Trade Secret

A trade secret is something that is proprietary to a company and important for its survival and profitability.

• The trade secret law protects certain types of information or resources from unauthorized use or disclosure.
• Trade secrets can be protected by implementing control structures depending on the type of trade secret and by making the employees sign an NDA.

Example

The formula used for a soft drink such as Coke or Pepsi, a new form of mathematics, the source code of a program, or a method of making the perfect jellybean
Types of Intellectual Property (IP) Laws: Licenses

Licenses: Software licenses are a contract between the provider of a software and the consumer.

The four categories of software licensing are:

• Contractual license agreement: It is a written contract between the software vendor and the customer.
• Shrink-wrap license: A shrink-wrap license is an end-user license agreement (EULA) that is enclosed with a software in a plastic-wrapped packaging. Once the end-user opens the packaging, the EULA is in effect.
• Clickwrap license: This type of agreement is often used in connection with software licenses. Most clickwrap agreements require the end-user to manifest his or her assent by clicking an OK or agree button on a dialog box or a pop-up window.
• Cloud services license agreement: It is similar to a clickwrap agreement and is mainly concentrated on the services provided by cloud vendors.
US Computer Laws

Computer Fraud and Abuse Act (CFAA) of 1986

• It is a United States legislation that criminalizes unauthorized access to classified or financial information in a federal system.

Computer Security Act of 1987

• It improved the security and privacy of sensitive information in federal computer systems by
setting minimally acceptable security practices.

• It mandated baseline security for federal agencies and made the National Institute of Science
and Technology (NIST) responsible for developing standards and guidelines.
US Computer Laws

Federal Sentencing Guidelines 1991

• It provides punishment guidelines to help federal judges interpret computer crime laws.
• It is a prudent man rule that requires senior executives to take personal responsibility for
ensuring due care.

Federal Information Security Management Act (FISMA)

• It defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
• It requires agencies to implement an information security program that covers the agencies’
operations and contractors.
• It requires contractors to be a part of the scope and makes NIST responsible for building
FISMA guidelines.
Import or Export Controls and Transborder Data Flow

Organizations must ensure compliance with import or export controls and understand transborder data flow
regulations to navigate international laws and safeguard cross-border data transfers.

Import or export controls

• They ensure that software complies with the local laws.
• Certain applications, like encryption software, are illegal to import or export.
• The UNSC can impose sanctions on any country, strictly prohibiting technology transfers to these countries.

Transborder data flow

• It involves the transfer of data from one country to another.
• An information security professional must understand data jurisdiction during cross-border transfers.
Offshoring: Privacy Requirements and Compliance

It involves outsourcing to another country, which may lead to increased privacy and regulatory issues.

Example

Data offshored to India by a US medical transcription organization is less secure.

• Health Insurance Portability and Accountability Act (HIPAA) certification is a major regulation covering healthcare data in the United States.
• A good contract ensures that regulations and laws governing privacy are followed both in and beyond a country’s jurisdiction.

Example

The Indian company to which the US Medical Transcription organization’s data is offshored can
agree to follow HIPAA rules via a contract.
Introduction to Privacy

It is the rights and obligations of individuals and organizations with respect to the collection, use, retention,
and disclosure of personal information.

The need for more privacy laws and governance has increased due to:

• Data aggregation and advancement of retrieval technologies
• Loss of borders
• Advancement of convergent technologies
Privacy Terms

Personal Identifiable Information (PII)

• It is any data that could potentially identify a specific individual.
• Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

Personal Health Information (PHI)

• It is any health-related information that can be related to a specific person.
• In the United States, HIPAA mandates the protection of PHI.
Types of Privacy Regulations

Local or regional

• They vary based on cultural, social, and legal factors.
• Example: The California Consumer Privacy Act (CCPA) gives Californians more control over personal data and privacy.

National

• They set privacy rights and obligations for organizations within entire countries.
• Example: In the United States, HIPAA protects healthcare data privacy.

Global

• They set a global data protection standard for organizations processing EU citizens' data.
• Example: ISO 27701 offers a framework for managing privacy information systems.
US Privacy Laws

4th Amendment to US Constitution

• People's right to security in their homes, papers, and possessions is protected against unreasonable searches and seizures.
• Warrants are issued only for probable cause and must specify the location.

Federal Privacy Act of 1991

• It codifies data protection for US citizens used by the federal government.
• It outlines how information can be used, collected, and distributed.
• It forbids federal agencies from sending private information without consent.
US Privacy Laws

Electronic Communication Privacy Act (ECPA)

• It criminalizes invading an individual's electronic privacy.
• It broadened the Federal Wiretap Act.
• It restricts the government from putting wiretaps on phone calls and other electronic communications.

Stored Communication Act (SCA)

• It was enacted in the United States in 1986 as part of ECPA.
• It protects certain electronic communications and computing services from unauthorized access or interception.
• It is now applicable to social media.
US Privacy Laws

USA Patriot Act of 2001

• It stands for uniting and strengthening America by providing tools required to intercept and obstruct terrorism.
• It allows searches and seizures to be carried out without immediate notification of the person.
• It amends the Computer Fraud and Abuse Act to strengthen penalties for those convicted.

Children’s Online Privacy Protection Act

• It applies to US websites collecting privacy information from children under the age of 13.
• It mandates the websites to have a privacy notice stating the information collected, its use, and any third-party disclosure.
• It ensures that parents give verifiable consent before collecting data about children under the age of 13.
US Privacy Laws

The Gramm-Leach-Bliley Act of 1999 (GLBA)

• It applies to financial institutions and is driven by the Federal Financial Institutions Examination Council (FFIEC).
• Enacted in 1999, it requires safeguarding consumer financial information.
• It mandates financial institutions to develop privacy notices and allow customers to opt out of information sharing.
• It makes the board of directors responsible for any security issues.
• It mandates financial institutions to have a written security policy in place.

Sarbanes–Oxley Act of 2002

• It is directly related to the financial scandals in the late 90s.
• It is a regulatory compliance standard for financial reporting.
• It imposes criminal penalties for intentional violations.
• It ensures that firms provide real-time disclosures of any events that may affect a firm’s price or financial performance.
US Privacy Laws

Health Insurance Portability and Accountability Act (HIPAA)

• It is a US federal regulation standardizing the storage, use, and transmission of personal medical and healthcare data.
• It provides a framework and guidelines to ensure security, integrity, and privacy.
• It mandates steep federal penalties for noncompliance.
• A business associate (BA) is a person or entity that handles PHI for a covered entity.
• A business associate agreement (BAA) protects PHI as per the HIPAA guidelines.

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

• It was passed in 2009 by Congress as an amendment to HIPAA.
• It changed the way the law treated BAs and organizations that handled PHI.
• It also introduced new data breach notification requirements.
• It mandates HIPAA-covered entities to notify affected individuals of a data breach and inform the Secretary of Health and the media if over 500 people are affected.
Safe Harbor Privacy Principles

They were designed to prevent private organizations in the European Union or the United States from
accidentally disclosing or losing personal information about customers.

• They were developed between 1998 and 2000.
• The Department of Commerce of the United States is responsible for Safe Harbor.
Safe Harbor Principle

US companies could opt into a program and be certified if they adhered to the following seven principles:

1. Notice
2. Choice
3. Onward Transfer
4. Security
5. Data Integrity
6. Access
7. Enforcement
Privacy Shield and Transatlantic Data Privacy Framework (TDPF)

Privacy Shield

• The European Court of Justice invalidated the International Safe Harbor Principles in 2015, replacing them with the EU-US Privacy Shield.
• Since August 2016, organizations started self-certifying to Privacy Shield, an improved framework.

Transatlantic Data Privacy Framework (TDPF)

• It is a proposed agreement between the European Union and the United States that facilitates the transfer of personal data from the European Union to the United States.
• It is intended to replace the Privacy Shield Framework, which the Court of Justice of the European Union (CJEU) invalidated in 2020.
OECD Privacy Principles

The Organization for Economic Cooperation and Development (OECD) is a group of 34 member countries
that discuss and develop economic and social policies. It ensures:

• Collection limitation
• Data quality
• Purpose specification
• Use limitation
OECD Privacy Principles

The OECD published a set of revised guidelines governing the protection of privacy and
transborder flows of personal data. The guidelines ensured:

• Security safeguards
• Openness
• Individual participation
• Accountability


General Data Protection Regulation (GDPR)

It is a regulation that requires businesses to protect the personal data and privacy of EU citizens for
transactions that occur within the European Union.

Companies collecting data on EU citizens must comply with strict data protection rules starting May 25, 2018.

Noncompliant organizations face fines of up to €20 million or 4% of their global turnover, whichever is higher.
General Data Protection Regulation (GDPR)

Organizations must report data breaches within 72 hours.

Companies must also allow users to export their data and delete it.

Under the right to be forgotten, individuals can request companies to remove certain online data about them.
Data Protection Principles

The EU General Data Protection Regulation (EU GDPR) outlines six data protection principles that
organizations need to follow for collecting, processing, and storing individuals’ personal data.

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitations
• Integrity and confidentiality

The data controller is responsible for complying with the principles and must be able to demonstrate
the organization’s compliance practices.
EU GDPR: Roles and Responsibilities

A data subject is an identifiable natural person who can be identified by attributes such as a
name, an identification number, or other factors related to their identity.

A data controller is the legal entity that either alone or jointly determines the purpose
for and way personal data is, or will be, processed.

A data processor processes data on behalf of the data controller but does not control the
data and cannot change the purpose or use of the particular set of data.

A supervisory authority (SA) is established in each EU member state to enforce and monitor
the application of GDPR rules to protect individual rights for the processing and transfer of
personal data within the European Union.
Quick Check

A researcher is preparing to file a patent for a new invention and is reviewing the necessary criteria for patentability. Which of the following requirements is NOT needed for an invention to be considered patentable?

A. Novel
B. Useful
C. Inventive step
D. Obvious
Requirements for Investigation Types
Investigation

“An investigation is a fact-finding process of logically, methodically, and lawfully gathering and
documenting information for the specific purpose of objectively developing a reasonable
conclusion based on the facts learned through the process.”
~ ANSI/ASIS INV.1-2015 Investigation Standards

The purpose of an investigation is to:

• Identify and collect evidence
• Determine what happened
• Determine who is responsible


Investigation Types

• Criminal investigation
• Civil investigation
• Administrative investigation
• Regulatory investigation
Investigation Types: Criminal Investigation

• It involves determining whether a criminal law has been violated.
• It is usually conducted by law enforcement organizations.
• Criminal cases usually involve an action that is harmful to society.
• Punishment usually involves jail time, monetary fines, or sometimes capital punishment.
Investigation Types: Civil Investigation

• It deals with offenses committed against individuals or companies that result in damages or loss.
• Punishment usually involves recovering money to compensate the victim for damages.
Investigation Types: Administrative Investigation

• It is conducted by local management in response to complaints or concerns that generally are personnel related and non-criminal in nature.
• It may be initiated in response to complaints, mishaps, misconduct, or violations of the organization’s policy.
• If evidence reveals any malicious or criminal activities, it could trigger criminal or civil investigations.
Investigation Types: Regulatory Investigation

• It involves determining whether a regulatory law has been violated.
• Regulation is a law established by the government body.
• Initial inquiries can vary from a simple phone call for basic information to a formal regulatory investigation with subpoenas for detailed answers.
Investigation Types: Industry Standards

• Investigations into violations of industry standards (such as PCI DSS) are based on contractual obligations between participating organizations.
• Investigations may be performed by an independent third party.
• Penalties may lead to fines or other sanctions.
Quick Check

In a legal seminar, participants are discussing the consequences of various legal violations. How should the punishments be matched for violations of criminal law, civil law, and regulatory law?
A. Financial restitution, prison sentence, and financial
penalty
B. Prison sentence, financial restitution, and financial
penalty
C. Financial penalty, prison sentence, and financial
restitution
D. Prison sentence, financial penalty, and financial
restitution
Implementing Security Policies, Standards, and Procedures
Security Management Plan (SMP)

It is a comprehensive document that outlines the strategies, policies, procedures, and resources an
organization should employ to protect its information assets.

It serves as a roadmap for implementing and maintaining effective information security measures.
Security Plan Components

• Security policies
• Standards
• Guidelines
• Procedures
• Baselines
• Organization structure

The top management is responsible for policies, and the mid-level management is responsible for
developing standards, guidelines, and procedures aligned with the security policies.
Approaches to Security Plan

There are several approaches to developing an SMP and the most common and effective
ones include:

Top-down approach

• Management initiates the security policy, which is passed down to operations staff.
• Top-level managers are responsible for implementing data protection strategy, including policy creation, procedures, and escalation plans.
• It is more successful when compared to the bottom-up approach.

Bottom-up approach

• Operational staff initiate the process and propose policies to management.
• This approach has occasionally resulted in problems due to management not being fully aware of things.
• It uses a person or team's experience and expertise to handle security concerns.
Security Management Plan Types

Strategic plan (senior management)
• Long-term plan
• Defines the goals of the entire organization with a holistic approach
• Effective for at least five years and reviewed annually
• Example: To protect patient data and ensure compliance with HIPAA regulations

Tactical plan (middle management)
• Means to activate a strategy
• Mid-term plan developed to provide more detailed goals
• Typically spans one to two years and is technology-oriented
• Examples: Project plans, acquisition plan, budget plan, and hiring plan

Operational plan (implementation team)
• Short-term plan with specific results expected from departments and workgroups
• Highly detailed plan
• Updated often (monthly or quarterly)
• Examples: Resource allotment, budgetary allocation, and training plans
Security Policy

It is a broad statement produced by the senior management that dictates the role of security within
the organization.

The characteristics of security policies are:

• It must integrate security into all business processes and functions.
• It must support the vision and mission of the organization.
• It must be generic, non-technical, and easily understood.
• It must be reviewed and modified periodically or as the company environment changes.
Types of Security Policies

There are mainly three types of security policies:

• Organizational security policy: It focuses on issues relevant to every aspect of the organization.
• Issue-specific policy: It focuses on a specific service, department, or function that is distinct from the organization.
• System-specific policy: It focuses on individual systems.
Security Policy Implementation

Policy documents often come with the endorsement or signature of the executive
powers within an organization.

The following must be considered when implementing a security policy:

1. Standard policy components
2. Policy elements
3. Policy enforcement
4. Management responsibilities for policy
5. Policy creation guidelines
Policy Chart

A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps
necessary to achieve it.

1. Laws, regulations, and requirements
2. General organizational policy
3. Functional implementation policies
4. Standards, procedures, guidelines, and baselines


Standards

These are established requirements or rules that describe the specific methods and practices
to be followed.

The characteristics of security standards include the following:

• Explains how to implement high-level guidelines operationally
• Aligns security practices with industry best practices and regulatory requirements
• Requires periodic review and modification, or review when related policies change
• Supports security policies and organizational objectives
Procedures

These are a set of documented steps or guidelines designed to standardize and streamline processes within an organization.

The characteristics of procedures include the following:

• Provides clarity and consistency in tasks, decisions, and changes
• Serves as a roadmap for daily operations, aligning with security goals
• Requires regular updates due to technological changes
• Includes flowcharts or diagrams written in a step-by-step format for clarity
Guidelines

It is a principle or instruction that helps people decide what to do or how to act in a particular situation.

The characteristics of security guidelines include the following:

• They are discretionary in nature.
• They provide a suggested course of action while allowing flexibility based on specific circumstances.
• They are reviewed periodically or as needed per requirements.
• They support security policies and organizational objectives.
Baseline

It is a predefined set of configurations and best practices meticulously designed to create a resilient
and secure foundation for computing resources.

The characteristics of baseline include the following:

• Enforces consistent security practices across the organization to decisively reduce the risk of vulnerabilities
• Proactively identifies and neutralizes potential security threats by setting a benchmark for acceptable risk
• Streamlines security management processes and reduces the time and effort required to maintain a secure environment
• Helps in reducing risks by establishing a baseline for acceptable risk
Policy, Standard, Procedure, and Guideline

Discretionary

• Baselines: Provides uniform methods for implementing safety measures
• Guideline: Contains additional suggestions and recommendations

Mandatory

• Procedure: Offers step-by-step instructions for performing tasks
• Standard: Specifies mandatory configurations
• Policy: States the reasons for specific actions within a company
Policy, Standard, Procedure, and Guideline

Definition
• Policies: A high-level statement of organizational senior management intent
• Standards: A detailed description of how policies should be implemented
• Procedures: Detailed, step-by-step instructions for completing a task
• Guidelines: Recommended best practices or advice for carrying out a task

Scope
• Policies: Broad and organization-wide
• Standards: Specific to a policy or area
• Procedures: Specific to a task or process
• Guidelines: Broad applicability, but not mandatory

Enforcement
• Policies: Enforced through disciplinary actions or penalties
• Standards: Enforced through compliance audits or certification processes
• Procedures: Enforced through training, monitoring, and corrective actions
• Guidelines: Not enforced, but noncompliance may result in suboptimal outcomes

Review frequency
• Policies: Annually or in case of any change in business objectives
• Standards: Periodic, based on changes in policies or technology
• Procedures: Frequent, based on process changes
• Guidelines: Periodic or as needed per requirements
Policy, Standard, Procedure, and Guideline

Style
• Policies: Formal, concise, and authoritative
• Standards: Technical, detailed, and precise
• Procedures: Step-by-step, with accompanying visuals or flowcharts
• Guidelines: Narrative, with explanations and examples

Example
• Policies: All employees and contractors must use strong passwords and follow secure management practices to protect the organization’s assets and systems.
• Standards: Passwords must be at least 12 characters long and include a combination of uppercase letters, lowercase letters, and special characters.
• Procedures: To reset a password: 1. Visit the password reset portal. 2. Enter your employee ID and email address. 3. Answer the security questions.
• Guidelines: It is recommended to use a passphrase for the password.
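To show how the mandatory standard and the discretionary guideline in the example row differ in enforcement, here is an added Python example (not part of the course material). It implements the standard's requirements as hard failures and the passphrase guideline as advice only. The 12-character minimum and the character classes come from the table above; the passphrase heuristic (three or more space-separated words), the sample passwords, and the function names are assumptions of this example.

```python
"""Added example: enforce the password standard, only advise on the guideline."""
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12                      # from the standard in the table
SPECIAL_CHARS = set(string.punctuation)
PASSPHRASE_MIN_WORDS = 3             # assumption: what this example treats as a passphrase


@dataclass
class PolicyCheck:
    compliant: bool                  # True only if the mandatory standard is met
    violations: list = field(default_factory=list)   # standard failures (blocking)
    advice: list = field(default_factory=list)       # guideline hints (non-blocking)


def check_standard(password: str) -> list:
    """Return the mandatory requirements the password violates (empty if compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("no special character")
    return violations


def check_guideline(password: str) -> list:
    """Return non-binding advice: the guideline recommends a passphrase but does not require one."""
    words = [w for w in password.split(" ") if w]
    if len(words) < PASSPHRASE_MIN_WORDS:
        return ["consider a passphrase of several words instead of a single token"]
    return []


def evaluate_password(password: str) -> PolicyCheck:
    """Only the standard decides compliance; the guideline only adds advice."""
    violations = check_standard(password)
    return PolicyCheck(compliant=not violations,
                       violations=violations,
                       advice=check_guideline(password))


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for candidate in ["Summer2024", "Correct-Horse-Battery!", "Blue kettle rides north!"]:
        result = evaluate_password(candidate)
        print(f"{candidate!r}: compliant={result.compliant} "
              f"violations={result.violations} advice={result.advice}")
```

A password that meets the standard but ignores the guideline is still accepted, which is exactly the difference between a mandatory and a discretionary document.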
Quick Check

During a discussion about organizational decision-making, the team is evaluating different actions that may or may not be required. Which of the following is most likely to be a discretionary action?

A. Policy
B. Procedures
C. Standard
D. Guidelines
Quick Check

An organization decides to replace its aging firewall with one from another vendor. Which of the following documents will undergo maximum and minimal changes?

A. Max: Policy, Min: Standard
B. Max: Policy, Min: Procedures
C. Max: Procedures, Min: Standard
D. Max: Procedures, Min: Policy
Identify, Analyze, and Prioritize
Business Continuity (BC) Requirements
Business Continuity

It refers to a company’s ability to keep running and minimize disruptions during unexpected
events, like natural disasters, cyberattacks, or power outages.
Need for Business Continuity Planning (BCP)

Business operations are interrupted by unexpected events. Companies must develop business
continuity and disaster recovery plans to face these issues.

The focus areas of business continuity planning are:

• Protect the lives of employees
• Minimize the disruptions
• Restore normal business
• Prevent financial losses
Basic Concepts: Disruptive Events

It is any incident, act, or occurrence that suspends normal operations.

The types of disruptive events are natural, human, and environmental.

Disruptive events can be intentional or unintentional, and a BCP aims at minimizing its
effects on a company.
Basic Concepts: Business Continuity Planning

The goal of a BCP is to ensure business continuity before, during, and after a disaster strikes.

Before, during, and after the disaster, the plan covers both business services and business functions.


Importance of Business Continuity Planning

The organization’s ability to respond to any disaster and recover from disruptions depends on
business continuity planning (BCP) or disaster recovery planning (DRP) as it:

• Is the last line of defense for any organization against any threat
• Ensures all planning has been considered
• Helps reduce the risks faced by the organization

(Figure: the BCP or DRP spans crisis, change, recovery, organization, and data.)

Example

Usage of cloud computing resources to safeguard data


Business Continuity Planning Phases

The high-level phases as per NIST 800-34 for achieving comprehensive BCP or DRP are:

• Project initiation and scoping
• Business impact analysis
• Identify preventive controls
BCP or DRP Phase 1: Project Initiation and Scoping

The following activities take place in this phase:

• Creating project scope and defining parameters
• Obtaining management’s support
• Identifying potential outages to critical systems for risk analysis to be performed
• Appointing a project planner and selecting staff for plan development and execution
• Assigning the BCP or DRP project manager or coordinator as the key point of contact (POC)
• Ensuring the completion of the BCP or DRP by the project manager and testing it routinely
• Identifying the representatives of the BCP committee from senior management, legal, CFO, systems and applications, business units, systems support, communications, data center, and information security
BCP or DRP Phase 2: Business Impact Analysis (BIA)

It is the formal method of determining the impact of disruption to the organization’s IT systems on the
business and organization’s processes and functions.

It enables the BCP or DR project manager to plan the requirements and priorities for IT
contingencies by identifying and prioritizing critical IT systems and components.
BCP or DRP Phase 2: Business Impact Analysis (BIA)

It necessitates the analysis of the following internal and external environments:

External context

• Economic condition
• Political landscape
• Technological advancements
• Legal regulations
• Social trends
• Competitors’ actions
• Contractual relationship

Internal context

• Strategic objectives
• Organizational structure
• Company cultures
• Resources
• Standards, guidelines, and models of the organization
BCP or DRP Phase 2: Business Impact Analysis (BIA)

The three major goals of BIA are:

Criticality prioritization
• Identifying and prioritizing every critical business unit process
• Evaluating the impact of a disruptive event
• Assigning a higher priority rating for time-critical business processes over non-critical business processes

Downtime estimation
• Estimating Maximum Tolerable Downtime (MTD) using the BIA
• Determining the downtime required for the business to remain viable
• Identifying non-recovery if the interruption of a critical process extends the maximum tolerable downtime

Resource requirements
• Estimating resource requirements
• Allocating more resources to time-sensitive processes as compared to less critical processes
BCP or DRP Phase 2: Business Impact Analysis (BIA)

The steps of a BIA are outlined here:

1. Select individuals to interview for data gathering
2. Create and use data gathering techniques
3. Identify the company’s critical business functions
4. Identify the resources on which the critical business functions depend
5. Calculate the longevity of these functions without the resources
6. Identify vulnerabilities and threats to these functions
7. Calculate risk for each business function
8. Gather, analyze, and interpret the qualitative and quantitative impact information
9. Document and report to the management
BCP or DRP Phase 2: Business Impact Analysis (BIA)

For each major business unit within the organization, the following steps will be performed:

• Identify business components or activities that, if disrupted or unavailable, could jeopardize the company’s operations
• Determine the required Maximum Tolerable Downtime (MTD)
Maximum Tolerable Downtime (MTD)

It is the maximum period for which the organization’s key processes and functions are unavailable,
after which the organization would suffer significant losses.

It is measured in minutes, hours, days, or longer, depending on the nature of the business. It is revised several times during the course of a project.
Maximum Tolerable Downtime (MTD)

The alternate terms for MTD include Maximum Allowable Downtime (MAD), Maximum Acceptable
Outage (MAO), and Maximum Tolerable Outage (MTO).

Business Continuity and Disaster Recovery Timeline (RPO, RTO, and MTD)

The timeline runs through the following points in order: data backup, disaster strikes, data loss, app and infrastructure recovery, test data recovery, critical apps resume, normal business resumes, and business is hurt.

• Recovery Point Objective (RPO): from the last data backup to the disaster, that is, the data loss.
• Recovery Time Objective (RTO): from the disaster, through app and infrastructure recovery and test data recovery, until critical apps resume.
• Maximum Tolerable Downtime (MTD): from the disaster until the point at which the business is hurt.
Maximum Tolerable Downtime (MTD)


Failure and Recovery Metrics

A number of metrics are used to quantify the frequency of system failures.

Recovery Point Objective

• Level of data, work loss, or system inaccessibility resulting from a disruptive event
• Usually expressed in units of time

Recovery Time Objective

• Maximum time allowed to recover business or IT systems
• Expressed in units of time such as minutes, hours, or days

Work Recovery Time

• Time required to configure a recovered system
• Consists of the system’s recovery time and the work recovery time
Failure and Recovery Metrics

A number of metrics are used to quantify the frequency of system failures.

Mean Time between Failures

• Predicted elapsed time between inherent failures of a system during operation
• Calculated as the arithmetic mean time between failures of a system

Mean Time to Repair

• Duration to recover a specific failed system
• Total corrective maintenance time divided by the total number of corrective maintenance actions during a given period

Minimum Operating Requirements

• Minimum environmental and connectivity requirements for computer equipment to operate
• Documentation is important for each critical IT asset
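The MTBF and MTTR bullets above describe the arithmetic in words; the following Python example, added here and not taken from the course, works it on a constructed outage log of three failures. It computes MTTR as total corrective maintenance time divided by the number of corrective actions, MTBF as the mean uptime between a restoration and the next failure (the convention assumed here), combines them into the usual steady-state availability estimate MTBF / (MTBF + MTTR), and flags repairs that overran an RTO. The timestamps, the RTO value, and the function names are constructed for the example.

```python
"""Added example: MTTR, MTBF, and availability from a constructed outage log."""
from datetime import datetime, timedelta

# Constructed outage log for one system: (failure detected, service restored).
OUTAGES = [
    (datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 4, 0)),    # 2 h corrective maintenance
    (datetime(2024, 3, 11, 2, 0), datetime(2024, 3, 11, 3, 0)),  # 1 h corrective maintenance
    (datetime(2024, 3, 21, 3, 0), datetime(2024, 3, 21, 6, 0)),  # 3 h corrective maintenance
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def mttr_hours(outages) -> float:
    """Mean Time to Repair: total corrective maintenance time / number of corrective actions."""
    total = sum((restored - failed for failed, restored in outages), timedelta())
    return _hours(total) / len(outages)


def mtbf_hours(outages) -> float:
    """Mean Time Between Failures: mean uptime from one restoration to the next failure."""
    uptimes = [next_failed - prev_restored
               for (_, prev_restored), (next_failed, _) in zip(outages, outages[1:])]
    if not uptimes:
        raise ValueError("at least two outages are needed to measure time between failures")
    return _hours(sum(uptimes, timedelta())) / len(uptimes)


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability estimate: the fraction of time the system is up."""
    return mtbf / (mtbf + mttr)


def repairs_exceeding_rto(outages, rto_hours: float) -> list:
    """Failure timestamps whose repair took longer than the Recovery Time Objective."""
    return [failed for failed, restored in outages if _hours(restored - failed) > rto_hours]


if __name__ == "__main__":
    mttr = mttr_hours(OUTAGES)
    mtbf = mtbf_hours(OUTAGES)
    print(f"MTTR = {mttr:.1f} h, MTBF = {mtbf:.1f} h, "
          f"availability = {availability(mtbf, mttr):.4%}")
    print("repairs exceeding a 2 h RTO:", repairs_exceeding_rto(OUTAGES, 2.0))
```

On this log the MTTR is 2 hours and the MTBF 239 hours, and the third repair is the one that would have breached a 2-hour RTO; the same functions can be pointed at a real ticketing export once its start and restore timestamps are parsed into datetime objects.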
Examples of RTO and RPO

Example 1: An organization can accept data loss for up to four hours and cannot afford to have any downtime. What is the RTO and RPO? RTO is zero hours, and RPO is four hours.

Example 2: An organization takes a data backup twice daily. The first backup is at 12 am and the second is at 12 pm. What is the RPO? Since a data backup is done every 12 hours, the maximum data loss is 12 hours. Hence, the RPO is 12 hours.

Example 3: An organization takes a data backup three times a day. The first backup is at 8 am, the second is at 4 pm, and the third is at 12 am. What is the RPO? Since the data backup is done every eight hours, the maximum data loss is eight hours. Hence, the RPO is eight hours.
Examples of RTO and RPO

Example 4: Following an incident, primary site systems went down at 3 pm and resumed from the alternate site at 6 pm, as per the defined RTO. What is the RTO? Since the system was down for three hours, the RTO is three hours.

Example 5: The BCP mandates no data loss and service restoration within 36 hours for critical systems. What is the RTO and RPO? RTO is 36 hours, and RPO is zero hours.

Example 6: The BCP requires no service outage and permits up to one hour of data loss. What is the RTO and RPO? RTO is zero hours, and RPO is one hour.
Failure and Recovery

The various stages of failure and recovery are shown in the figure.

Normal operations continue until a disruptive event; the recovery time frame then runs through the RPO, RTO, and WRT stages before normal operations resume, and the MTD spans the whole recovery time frame.
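The RTO and RPO worked examples and the failure-and-recovery timeline above can be turned into a small calculator. This Python example is added here and is not part of the course. It generalizes the backup-interval cases from the slides to any fixed daily backup schedule (including uneven ones, where the overnight gap dominates), derives RTO from outage and resumption timestamps, and checks whether a recovery plan fits within the MTD using the relationship MTD >= RTO + WRT, which this example assumes rather than quotes from the slides. The schedules, timestamps, and function names are constructed for the example.

```python
"""Added example: RPO from a backup schedule, RTO from an outage, and an MTD fit check."""
from datetime import datetime, time
from typing import Iterable

# Constructed schedules and outage matching the slide examples.
TWICE_DAILY = [time(0, 0), time(12, 0)]                  # 12 am and 12 pm
THREE_TIMES_DAILY = [time(8, 0), time(16, 0), time(0, 0)]  # 8 am, 4 pm and 12 am
OFFICE_HOURS_ONLY = [time(9, 0), time(17, 0)]            # uneven: 16 h overnight gap
SLIDE_OUTAGE = (datetime(2024, 5, 1, 15, 0), datetime(2024, 5, 1, 18, 0))  # down 3 pm, up 6 pm


def rpo_hours(backup_times: Iterable[time]) -> float:
    """Worst-case data loss, in hours, for backups taken at fixed times every day.

    The RPO is the longest interval between two consecutive backups, including
    the interval that wraps past midnight to the first backup of the next day.
    """
    minutes = sorted(t.hour * 60 + t.minute for t in backup_times)
    if not minutes:
        raise ValueError("no backups scheduled: data loss is unbounded")
    gaps = [later - earlier for earlier, later in zip(minutes, minutes[1:])]
    gaps.append(24 * 60 - minutes[-1] + minutes[0])  # wrap-around gap across midnight
    return max(gaps) / 60


def rto_hours(down_at: datetime, resumed_at: datetime) -> float:
    """Observed recovery time: from the outage to service resumption at the alternate site."""
    return (resumed_at - down_at).total_seconds() / 3600


def schedule_meets_rpo(backup_times: Iterable[time], required_rpo_hours: float) -> bool:
    """True if the schedule never risks more data loss than the business accepts."""
    return rpo_hours(backup_times) <= required_rpo_hours


def plan_fits_mtd(rto_h: float, wrt_h: float, mtd_h: float) -> bool:
    """Assumed relationship: system recovery plus work recovery must finish within the MTD."""
    return rto_h + wrt_h <= mtd_h


if __name__ == "__main__":
    print("RPO twice daily:", rpo_hours(TWICE_DAILY))                 # 12 h, as on the slide
    print("RPO three times daily:", rpo_hours(THREE_TIMES_DAILY))     # 8 h, as on the slide
    print("RPO 9 am / 5 pm:", rpo_hours(OFFICE_HOURS_ONLY))           # 16 h overnight gap
    print("RTO observed:", rto_hours(*SLIDE_OUTAGE))                  # 3 h, as on the slide
    # Constructed MTD check: 36 h RTO plus 4 h of work recovery inside a 48 h MTD.
    print("fits MTD:", plan_fits_mtd(36, 4, 48))
```

The uneven schedule is the case the slides do not show: two backups a day still leave a 16-hour RPO if both fall in office hours, so a 12-hour RPO requirement is not met even though the backup count matches the slide example.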
BCP or DRP Phase 3: Identify Preventive Controls

Preventive controls avert the potential impact of disruptive events.

The types of preventive controls include:

• Existing controls: A process or device that mitigates the effect of a threat but
cannot prevent the occurrence
• Physical controls: Fire suppression or sprinkler systems, access control systems,
and security guards
• Procedural controls: Hiring and termination policies and a clean desk policy
• Logical controls: Data storage protection and the protection given to assets
based on their location
Quick Check

A business continuity team is analyzing the potential effects of a disruption. Which of
the following metrics is best used to determine the impact on critical business
operations?

A. Residual risk
B. Total cost of ownership
C. Return on security investment
D. Priority of restoration
Overview of Personnel Security Controls
Managing Personnel Security

It implements measures to ensure that an organization’s employees are capable of meeting their
security responsibilities.
Importance of Managing Personnel Security

The people inside the organization need access to data and resources to complete their assigned
work and, therefore, have the potential to abuse these access privileges. It is important to:

• Protect sensitive information by securely managing the life cycle of employment
• Hire qualified and trustworthy individuals to reduce the risk to information assets
• Screen out individuals whose past actions indicate undesirable behavior to avoid
potential risks to the organization
Personnel Management Controls

Job description
• Defines security needs related to personnel
• Defines the roles to which an employee needs to be assigned
• Defines the type and extent of access the position requires

Separation of duties
• Divides critical, significant, and sensitive work tasks among several individuals
• Helps protect against collusion
• Works as a preventive control

Job rotation
• Rotates employees among multiple job functions
• Provides knowledge redundancy
• Reduces risk of fraud, data modification, theft, and misuse
Personnel Management Controls

Cross-training
• Prepares employees for multiple job positions
• Helps with knowledge redundancy

Employee candidate screening
• Screens candidates based on the criticality and sensitivity defined by the job description
• Is completed before the candidate is onboarded into the organization

Non-disclosure agreement
• Protects confidential information within an organization
Personnel Management Controls

Non-compete agreement
• Legal contract that restricts an employee's ability to work for a competitor or start a
competing business
• Protects company trade secrets and proprietary information

Mandatory vacation
• Administrative control that provides operational security by mandating employees to
take vacations to identify any unethical activities

Employee termination process
• Takes place with at least one eyewitness
• Disables all access (logical or physical) of the terminated employee and escorts them
out of the office
Managing Personnel Security: Hiring Practices

Implementing these practices helps attract, select, and integrate the right candidates, ultimately
enhancing the organization’s success and productivity.

• Perform background checks on education, prior employment, financial history, and
criminal history
• Get the confidentiality agreements, such as the non-disclosure agreement and the
intellectual property agreement, signed
• Get conflict of interest agreements for the positions handling competitive information
• Get non-compete agreements for the positions in charge of unique corporate processes
Managing Personnel Security: Employee Termination

Employee termination policies include:

• Voluntary: Return of all access keys and badges, exit interview, and removal of
system access
• Involuntary: Escort from premises, restriction of access immediately upon
notification, and change of system passwords in the user’s area
Managing Relationships

Controls for vendors, contractors, and consultants mostly act as preventive controls.

• Vendors and temporary employees should be given limited access to the information.
• Contractors should always be escorted within the organization.
• Consultants must be escorted whenever they visit your facility.
Acceptable Usage Policy (AUP)

It outlines the acceptable and unacceptable activities in the workplace and establishes
employee expectations on how to use the company resources.

• Inappropriate use exposes the organization to risks including virus attacks,
compromise of network systems and services, and legal issues.
• Employees should be aware of the consequences of noncompliance with their
company's AUP.
• Employees should know that violation of this policy may be subject to disciplinary
action, up to and including termination of employment.

What should an acceptable use policy contain? Rules on:
• Introducing malicious programs
• Disclosing confidential information
• Sharing passwords
• Unauthorized security scanning
• Sending unsolicited email
• Circumventing security
• Making unauthorized representations
Privacy Policy Requirements

A privacy policy is a statement that discloses how a particular organization collects,
stores, and utilizes the personal information provided by its users.

Any organization collecting personal information from its customers, clients, or end users
is legally required to publish a privacy policy on its site.

The exact content of a privacy policy will depend on the nature of the business, the
location of the business, the location of the users, and the applicable laws.

At a minimum, an organization’s privacy policy should disclose what personal or sensitive
information it collects, how it collected it, how it intends to use it, and whether it will
disclose some or all of the information to any third parties.
Quick Check

An organization is developing a new security policy, and the team is seeking approval.
Why is it essential for senior management to endorse the security policy?

A. So that the management will accept ownership for security within the organization
B. So that employees will follow the policy directives
C. So that the management fulfills their due diligence requirements
D. So that external bodies will recognize the organization's commitment to security
Overview of Risk Management Concepts
Risk Management

It is the process of identifying and assessing risk, reducing it to an acceptable level, and
implementing the right mechanisms to maintain it at that level.

[Figure: key concepts in risk management: threat event, threat frequency, threat impact,
recognition of the uncertainty, annualized cost, risk mitigation, and cost-benefit analysis.]
Risk Management: Steps

There are four steps in the risk management life cycle:

1. IT risk identification
2. IT risk assessment
3. Risk response and mitigation
4. Risk and control monitoring and reporting
Risk Identification

It is the process of identifying any risks that could prevent an organization or program from reaching
its objectives.

It helps companies understand and plan for potential risks.

It enables an organization to discover, categorize, and document risks.

Only identified risks can be evaluated and addressed with suitable responses, making this step crucial.
Risk Identification Methods

• Brainstorming
• Interviews
• Questionnaires
• OEM updates
• Regular testing
• Subscriptions to blogs


Introduction to Risk Analysis

It is the analysis of the probability and consequences of each known risk.

• It prioritizes risks and calculates the cost of safeguards.
• It provides a cost-benefit comparison between the cost of safeguards and the cost of loss.
• It identifies and prioritizes the risk factors with great impact.
• It also integrates the security program objectives with the organization’s business
objectives and requirements.
Goals of Risk Analysis

• To identify organizational assets and their value
• To identify vulnerabilities and threats
• To measure the probability and the impact of latent threats
• To balance the cost of countermeasures and the impact of threats
Asset and Information Valuation

It involves assessing the value of an organization’s assets and information to prioritize
security measures, manage risks, and ensure effective resource allocation.
Asset and Information Valuation

The following issues should be considered when assigning values to an asset:

• Cost to acquire or develop the asset
• Cost to maintain and protect the asset
• Value of the asset to owners and users
• Value of the asset to adversaries
• Value of intellectual property that went into
developing the information
• Price others are willing to pay for the asset
• Cost to replace the asset if lost or damaged
• Operational and production activities that are affected if
the asset is unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization
Risk Analysis Team

An organization needs to form a risk analysis team to analyze risks effectively.

These are the stakeholders in a risk analysis team:

• Information security officer
• Risk manager
• Executive sponsor
• System or network administrator
• System technical owner
• System business owner
Risk Analysis: Steps

It involves the following steps:

1. Asset and information value assignment
2. Risk analysis and assessment
3. Countermeasure selection and implementation
Types of Risk Analysis

There are two major types of approaches to risk analysis, and their features are as follows:

Quantitative analysis
• Uses risk calculations that attempt to predict the level of monetary losses and the
percentage of chance for each type of threat
• Objective in nature

Qualitative analysis
• Situation and scenario-based
• Subjective in nature
• Does not assign numbers and monetary values to components and losses
Quantitative Risk Analysis

It provides a framework for organizations to quantify the potential impact of risks and
make informed decisions based on data.
Key Terms in Quantitative Risk Analysis

Asset value (AV)
• Total value of assets

Exposure factor (EF)
• Percentage of loss the organization would suffer if a risk materializes
• Also referred to as the loss potential

Single loss expectancy (SLE)
• Cost associated with a single realized risk against a specific asset
• SLE = AV * EF
• Calculated in dollars

Annualized rate of occurrence (ARO)
• Frequency with which a specific threat occurs within a single year
• Ranges from 0 (threat will not occur) to large numbers
• Also known as probability determination

Annualized loss expectancy (ALE)
• Possible yearly cost of all instances of a specific threat realized against a specific asset
• ALE = SLE * ARO

Annual cost of safeguard (ACS)
• Cost associated with procuring, developing, and maintaining a control against a
potential threat
• Should not exceed the ALE
Quantitative Risk Analysis: Steps

Step 1: Assign asset value
Step 2: Calculate exposure factor
Step 3: Calculate single loss expectancy
Step 4: Assess annualized rate of occurrence
Step 5: Derive annualized loss expectancy
Step 6: Perform cost-benefit analysis of countermeasure
Quantitative Risk Analysis: Problem

Problem
Fire destroys a server with encrypted data.
Consider the following conditions:
• Asset value = $6,000
• EF = 50%
• ARO = 10% chance of fire in one year

Solution

• Single Loss Expectancy (SLE) = $6,000 x 50% = $3,000
• Annual Loss Expectancy (ALE) = 10% x $3,000 = $300
Qualitative Risk Analysis

Qualitative analysis techniques include judgment, best practices, intuition, and experience. Some of the
qualitative techniques used to gather data include:

• Delphi
• Brainstorming
• Storyboarding
• Focus groups
• Surveys
• Questionnaires
• Checklists
• One-on-one meetings
• Interviews


Qualitative Risk Analysis

The following table deals with some of the threats, the level of threat, and countermeasures:

Threat             | Threat probability | Impact | Countermeasure
Fire               | Low                | High   | Fire extinguishers
Theft              | Medium             | High   | Key cards and guards
Logical intrusion  | Medium             | High   | Intrusion prevention system
Qualitative Risk Analysis

The type of approach to risk analysis will be decided based on the risk analysis team, management,
risk analysis tools, and culture of the company.

The chart below sorts different attributes into qualitative and quantitative risk analysis.

Attribute                                                        | Quantitative | Qualitative
Requires complex calculations                                    | √            | X
Requires a high degree of guesswork                              | X            | √
Provides a credible cost/benefit analysis                        | √            | X
Provides the opinions of the individuals who know the process well | X          | √
Shows clear-cut losses that can be accrued within one year       | √            | X

Hybrid Analysis

It uses both quantitative and qualitative analysis.

The following are some points about why hybrid analysis is required:

• It is almost impossible to carry out only a quantitative assessment.
• Qualitative analysis does not provide sufficient data to make financial decisions.
• Quantitative evaluation is used for the financial values of tangible assets.
• Qualitative assessment can be used for the priority values of intangible assets.
Cost-Benefit Analysis

It is a critical component of risk management that involves evaluating the potential costs
associated with a risk against the benefits of implementing a countermeasure.

By comparing the two, organizations can make informed decisions about which risks to
prioritize and how to allocate resources for mitigation.
Cost-Benefit Analysis: Problem

A commonly used cost-benefit calculation for a given safeguard:

Value of the safeguard to the company = (ALE before implementing safeguard) – (ALE after
implementing safeguard) – (Annual cost of safeguard)

Problem

• ALE of the threat of a fire bringing down a web server prior to implementing the
suggested safeguard = $10,000
• ALE after implementing the safeguard = $2,000
• Annual cost of maintenance and operation of the safeguard = $500

Solution

• Value of the safeguard to the company = $10,000 - $2,000 - $500 = $7,500
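The following added example (not part of the course material) carries the SLE/ALE calculation from the quantitative risk analysis problem and the safeguard-value calculation from the cost-benefit problem above through in code, with the input checks a practitioner would want: the exposure factor is a fraction between 0 and 1, and a safeguard is only justified when its annual cost does not exceed the ALE it addresses and the net value is positive (the "ACS should not exceed the ALE" rule from the key terms). The counter-example figures at the end are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatExposure:
    """Inputs of the quantitative model for one threat against one asset."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per occurrence (0.5 = 50%)
    aro: float              # ARO, expected occurrences per year (0.1 = 10% chance per year)

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")

    @property
    def sle(self):
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


def safeguard_value(ale_before, ale_after, annual_cost):
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard."""
    return ale_before - ale_after - annual_cost


def safeguard_justified(ale_before, ale_after, annual_cost):
    """A safeguard is worth buying when its annual cost does not exceed the ALE it
    addresses and the net value to the company is positive."""
    return annual_cost <= ale_before and safeguard_value(ale_before, ale_after, annual_cost) > 0


if __name__ == "__main__":
    # The server-fire problem: AV $6,000, EF 50%, ARO 10%.
    fire = ThreatExposure(asset_value=6_000, exposure_factor=0.5, aro=0.1)
    print(f"SLE = ${fire.sle:,.0f}, ALE = ${fire.ale:,.0f}")
    # The web-server safeguard problem: ALE $10,000 before, $2,000 after, $500 per year.
    print("Safeguard value:", safeguard_value(10_000, 2_000, 500))
    # Constructed counter-example: a $400/year control for a $300/year exposure is not justified.
    print("Justified?", safeguard_justified(300, 50, 400))
```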
Countermeasure Selection: Other Factors

Some of the factors that influence the selection of countermeasures or safeguards:

Total cost of ownership (TCO): It is the total cost of a mitigating safeguard.

Return on investment (ROI): It is the amount of money saved by implementing a safeguard.

Uncertainty: It refers to the degree of lack of confidence in an estimate. This is expressed
as a percentage, from 0 to 100 percent. For example, a 25 percent confidence level in
something indicates a 75 percent uncertainty level.
Risk Response

Responding to risk involves the following:

• Evaluating countermeasures, safeguards, and security controls using a cost-benefit analysis
• Providing a proposal of response options in a report to the senior management
• Adjusting findings based on other conditions, concerns, priorities, and resources
Handling Risk

Risk treatment can be done in the following four ways:

1. Risk mitigation
2. Risk avoidance
3. Risk transfer
4. Risk acceptance
Risk Mitigation

It involves implementing safeguards and countermeasures to eliminate vulnerabilities or
block threats.

Examples

• Implementing intrusion prevention systems (IPS) and data loss prevention (DLP)
• Implementing a web application firewall (WAF) to address the shortcomings of a
network firewall in handling web application attacks
Risk Avoidance

It involves terminating the associated activity that introduces the risk.

Examples

• Not buying a property or business to avoid taking on the liability that comes with it
• Not flying to avoid the risk of the airplane being hijacked
Risk Transfer

It involves shifting the cost of loss a risk represents onto another entity or organization.

Examples

• Cyber insurance: Purchasing insurance to cover potential cyber-related losses
• Outsourcing: Contracting out certain business functions to third-party organizations,
transferring the associated risks
Risk Acceptance

It occurs when the cost-benefit ratio indicates that the cost of the countermeasure outweighs the
potential loss value.

Examples

• When the cost of the asset is less than the cost of the countermeasure
• When there are changes in government policies
• When the client changes their policies

This strategy involves recognizing the risk and deciding not to take any action to mitigate it.
Residual Risk

It is the risk that remains after countermeasures and controls have been implemented.

It acknowledges that it is not always possible to eliminate the risks entirely.

[Figure: inherent risk, reduced by the impact of risk controls, leaves the residual risk.]
Risk Calculation

Conceptual formulas to calculate total risk and residual risk:

Total risk = Threats x Vulnerabilities x Asset value

Residual risk = Total risk x Control gap

Residual risk = Total risk – Countermeasures
Residual Risk Mitigation

Here is a flowchart that explains the steps in the risk mitigation process:

1. Is the risk below the acceptable level? If yes, accept the risk.
2. If no, is the mitigation cost greater than the asset value? If yes, accept the risk.
3. If no, mitigate the risk.
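The following added example (not the course's own material) turns the conceptual formulas and the flowchart above into a small decision routine: total risk is computed as Threats x Vulnerabilities x Asset value with likelihoods expressed as fractions, the control gap is taken to mean the fraction of the risk a control leaves in place (an assumption, since the slides do not define its scale), and candidate controls are applied cheapest first for as long as the flowchart answers "mitigate". The asset, likelihoods and controls in the scenario are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    control_gap: float  # assumed meaning: fraction of the risk left after the control (0.4 = 60% reduced)

    def __post_init__(self):
        if not 0.0 <= self.control_gap <= 1.0:
            raise ValueError("control gap must be between 0 and 1")


def total_risk(threat_likelihood, vulnerability_likelihood, asset_value):
    """Total risk = Threats x Vulnerabilities x Asset value (likelihoods as fractions 0..1)."""
    return threat_likelihood * vulnerability_likelihood * asset_value


def residual_risk(risk, control_gap):
    """Residual risk = Total risk x Control gap."""
    return risk * control_gap


def decide(risk, acceptable_level, mitigation_cost, asset_value):
    """The two decision points of the flowchart, evaluated in order."""
    if risk < acceptable_level:
        return "accept"      # already within the acceptable level
    if mitigation_cost > asset_value:
        return "accept"      # the control would cost more than the asset is worth
    return "mitigate"


def treat(total, acceptable_level, asset_value, controls):
    """Apply candidate controls, cheapest first, while the flowchart says 'mitigate'.

    Returns the final residual risk and the names of the controls applied.
    """
    risk = total
    applied = []
    for control in sorted(controls, key=lambda c: c.annual_cost):
        if decide(risk, acceptable_level, control.annual_cost, asset_value) != "mitigate":
            break
        risk = residual_risk(risk, control.control_gap)
        applied.append(control.name)
    return risk, applied


if __name__ == "__main__":
    # Constructed scenario: a $100,000 asset, 30% threat likelihood, 50% vulnerability likelihood.
    total = total_risk(0.3, 0.5, 100_000)
    candidates = [
        Control("offsite backups", annual_cost=1_500, control_gap=0.4),
        Control("web application firewall", annual_cost=5_000, control_gap=0.25),
    ]
    print("Total risk:", total)
    print(treat(total, acceptable_level=2_000, asset_value=100_000, controls=candidates))
```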
Risk Capacity, Risk Appetite, and Risk Tolerance

Risk capacity It is the maximum risk an organization can afford to take.

Risk appetite It is the amount of risk that an organization is willing to take.

Risk tolerance It is the acceptable level of deviations from the risk appetite.
Risk Capacity, Risk Appetite, and Risk Tolerance

Risk capacity is always greater than tolerance and appetite.

Risk tolerance can either be equal to or greater than appetite.

Risk appetite should generally stay within the organization's risk tolerance. In no case
should it exceed the risk capacity.

[Figure: nested levels, from the outside in: risk capacity, risk tolerance, risk appetite.]
Aggregated Risk and Cascading Risk

Aggregated risk
• It is a significant impact caused by a large number of minor vulnerabilities.
• These minor vulnerabilities would not have any major impact individually. However,
when exploited at the same time, they can cause a huge impact.

Cascading risk
• It happens when one failure leads to a chain reaction of failures and is more relevant
where IT operations have close dependencies.
• The security manager should consider the impact of the failure of one activity on other
dependent systems.
Controls or Countermeasures

Security controls are the measures taken to safeguard an information system from attacks
against the confidentiality, integrity, and availability of the information system.

Security controls are selected and applied based on a risk assessment of the information
system.

The risk assessment process identifies system threats and vulnerabilities, and then security
controls are selected to reduce or mitigate the risk.

Categories of controls:
• Controls based on implementation: physical control, technical control, administrative control
• Controls based on functionality: deterrent control, preventive control, detective control,
corrective control, recovery control, compensating control
Controls Based on Implementation

There are three types of controls based on implementation:

Administrative controls
• Also known as soft controls as they are more management-oriented
• Examples: Security documentation, risk management, personnel security, and training

Technical controls
• Also called logical controls and are the software or hardware components
• Examples: Firewalls, IDS, encryption, identification, and authentication mechanisms

Physical controls
• Items put into place to protect a facility, personnel, and resources
• Examples: Security guards, locks, and fencing
Controls Based on Functionality

The six controls based on functionality are:

Deterrent: Intends to discourage a potential attacker

Preventive: Intends to avoid an incident from occurring

Corrective: Fixes components or systems after an incident has occurred

Recovery: Intends to bring the environment back to regular operations

Detective: Helps identify an incident’s activities and potentially an intruder

Compensating: Provides an alternative measure of control
Security Control Assessment (SCA)

It evaluates the effectiveness of security measures in protecting an organization's information assets by
identifying, assessing, and testing them to mitigate identified risks.

It is a comprehensive evaluation or assessment of the management, operational, and technical
security controls of an information system.

Its goal is to determine the extent to which the controls are meeting the security requirements
of the system.
Security Control Assessment (SCA)

The types of system tests conducted include audits, security reviews, vulnerability scanning,
and penetration testing.

Security control assessments are conducted before the system is put into production and
annually thereafter.
Security Control Assessment (SCA)

The results of an SCA provide:

• Evidence of the effectiveness of implemented controls
• An indication of the quality of the risk management processes employed within the organization
• Information about the strengths and weaknesses of information systems that are supporting
organizational missions and business functions
Assurance for Security Control Effectiveness

To ensure security control effectiveness, one should compile evidence that the controls are:

• Implemented correctly
• Operating as intended
• Meeting the security requirements of the information system
Security Control Assessment Team

The SCA team is an individual, group, or organization responsible for conducting a
comprehensive security control assessment of an information system.

• They may also provide a risk assessment of the severity of weaknesses or deficiencies
discovered in the information system and recommend corrective actions to address the
identified vulnerabilities in the system.
• They prepare the final security assessment report containing the results and findings of
the assessment.

Note:

The assessment of common controls used by high- and moderate-impact systems must be
performed by an independent assessment team.
Risk Monitoring and Measurement

The risk environment is dynamic because the organization’s internal and external
environments are constantly changing.

Organizations should continuously monitor the IT risks and controls to ensure the efficiency and effectiveness
of the IT risk management strategy and its alignment with business objectives.
Risk Register

It is a centralized repository that records identified risks, their characteristics, and their
management plans.

• It is a crucial document in risk management processes that provides a detailed log of
risks identified during a risk assessment.
• It is a critical risk management tool that provides a structured way to track and evaluate
risks over time.
• It includes key risk indicators (KRIs), identifies risk owners, and specifies the risk
threshold, helping organizations monitor and manage risks effectively.
Components of Risk Registers

• Risk ID
• Description
• Current status
• KRIs
• Risk owners
• Risk thresholds

Sample Risk Register

Risk ID | Description             | Indicator         | Owner      | Threshold   | Status          | Plan
1       | Data breach             | Financial loss    | IT Dept    | $10,000     | Under threshold | Implement 2FA
2       | Non compliance          | Legal penalties   | Legal Dept | 2 incidents | Over threshold  | Review compliance policy
3       | Supply chain disruption | Operational delay | Ops Dept   | 5 days      | Under threshold | Diversify suppliers
4       | Reputational damage     | Customer churn    | Marketing  | 10%         | Under threshold | Crisis communication plan
Reporting Significant Changes

Risk assessments should be done at regular intervals to address emerging risks and
understand trends in the risk factor.

• A security manager should present the status of the organization's updated risk profile
to management at regular intervals.
• Management should also be updated about any significant events or incidents impacting
the organization.
Risk Communication

It is key to the effective implementation of the risk management strategy.

Communication should involve all relevant stakeholders, and communication channels should
enable interaction in both directions.
Risk Measurement

KRIs and KPIs can be used to measure, monitor, and report risk.

Key risk indicator (KRI)
• It is a measure used in risk management to indicate how risky an activity is.
• By comparing an appropriate set of KRIs with defined thresholds, organizations receive an
early warning when a risk approaches an unacceptable level.

Key performance indicators (KPIs)
• They are used to measure how well a process is performing in terms of its stated goal.
• They are used to set benchmarks for risk management goals and to monitor whether those
goals are being met.
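The sample risk register and the KRI description above together describe one mechanism: each risk carries an indicator, a threshold and an owner, and the status follows from comparing the latest indicator value with the threshold. The following added example (not part of the course material) implements that comparison over the four register rows. The current KRI values are constructed, and the "Approaching threshold" band (an indicator at or above 80 percent of its threshold) is an assumed addition that gives the early warning the KRI text calls for; the register itself only uses "Under threshold" and "Over threshold".

```python
from dataclasses import dataclass, field


def kri_status(value, threshold, warning_ratio=0.8):
    """Compare a key risk indicator with its threshold.

    "Over threshold" and "Under threshold" are the statuses used in the register
    above; "Approaching threshold" is an assumed early-warning band that fires once
    the indicator reaches warning_ratio of the threshold.
    """
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    if value > threshold:
        return "Over threshold"
    if value >= threshold * warning_ratio:
        return "Approaching threshold"
    return "Under threshold"


@dataclass
class RiskEntry:
    risk_id: int
    description: str
    indicator: str       # the KRI being tracked
    owner: str
    threshold: float     # KRI threshold, in the indicator's own unit
    current: float       # latest measured KRI value (constructed for this example)
    plan: str
    status: str = field(init=False)

    def __post_init__(self):
        self.status = kri_status(self.current, self.threshold)


# The four rows of the sample register, with constructed current KRI values.
SAMPLE_REGISTER = [
    RiskEntry(1, "Data breach", "Financial loss (USD)", "IT Dept", 10_000, 4_000, "Implement 2FA"),
    RiskEntry(2, "Non compliance", "Legal penalties (incidents)", "Legal Dept", 2, 3, "Review compliance policy"),
    RiskEntry(3, "Supply chain disruption", "Operational delay (days)", "Ops Dept", 5, 2, "Diversify suppliers"),
    RiskEntry(4, "Reputational damage", "Customer churn (%)", "Marketing", 10, 9, "Crisis communication plan"),
]


def needs_escalation(register):
    """Risk IDs whose KRI is over or approaching its threshold, for the management report."""
    return [e.risk_id for e in register if e.status != "Under threshold"]


def report(register):
    """One line per risk, the shape a status summary to senior management might take."""
    return [
        f"#{e.risk_id} {e.description}: {e.current:g}/{e.threshold:g} {e.indicator} "
        f"-> {e.status} (owner: {e.owner}; plan: {e.plan})"
        for e in register
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER)))
    print("Escalate:", needs_escalation(SAMPLE_REGISTER))
```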
Risk Reporting

• A risk report includes information on current risk management capabilities and the actual
status and trends of risk.
• Results of the risk monitoring process need to be documented and reported to the senior
management on a regular basis.
• A significant security incident or significant changes in risk should trigger a report to
the senior management and a reassessment of the risk controls.
Continuous Improvement

• A risk maturity model helps organizations improve their risk management processes by
identifying their capabilities.
• A mature risk management program helps prevent, detect, and respond to security incidents.
• Maturity and growth come from practice and learning from past experiences.

Continuous Improvement

Stages of risk management maturity (the impact of risk management on business value
increases from the first stage to the last):

Stage                  | Focus                                     | Result
Initial                | Risk management is informal and ad hoc    | Lowest quality / highest risk
Managed                | Basic risk management                     | Low quality / high risk
Defined                | Standardized risk management process      | Medium quality / medium risk
Quantitatively managed | Quantitative risk management process      | High quality / low risk
Optimizing             | Continuous risk management process        | Highest quality / lowest risk
Risk Frameworks

They are used to identify, measure, manage, monitor, and report significant risks
to the achievement of business objectives.

There are three risk frameworks, namely:

• NIST Risk Management Framework
• ISO 31000
• ENISA Risk Management or Risk Assessment (RM/RA) Framework
Quick Check

While conducting a risk assessment, the security team is prioritizing various factors.
What is the most important consideration during this process?

A. Assets have been identified and appropriately valued.
B. Appropriate risk response has been identified.
C. Single loss expectancy has been calculated.
D. Priority of restoration is maintained.
Understand and Apply Threat Modeling Concepts and Methodologies
Threat Modeling

It is a security process where potential threats in a system are identified, quantified,
and addressed.

• It can be performed as a proactive measure during the planning and design phase of the
SDLC and is continued throughout the life cycle.
• A reactive approach to threat modeling takes place after a product has been created
and deployed.
Threat Modeling

Goals of threat modeling:

• Reducing the number of security-related coding and design defects
• Reducing the severity of remaining defects
Threat Modeling

Approaches to threat modeling:

Proactive approach
• Also known as the defensive approach
• Takes place during early stages of systems development
• Based on predicting threats and design-specific countermeasures during the coding and
crafting process

Reactive approach
• Also known as the adversarial approach
• Takes place after a product has been created and deployed
• Core concept behind ethical hacking, PT, source code review, and fuzz testing
Threat Modeling Steps

Identifying threats
• Focused on assets
• Focused on attackers
• Focused on software

Categorizing threats
• STRIDE model

Determining and diagramming potential attacks
• Data flow diagrams
• Privilege boundaries
• Elements

Performing reduction analysis
• Trust boundaries
• Data flow path
• Input points
• Privilege operation
• Security stance and approach

Prioritizing and responding
• DREAD model
Step 1: Identification of Threats

Focused on attackers
• Frames the threats based on the mindset of the perceived attacker
• Determines and addresses the attacker’s characteristics, skill sets, motivations, and intentions

Focused on assets
• Identifies the elements of the system that have risk associated with them
• Classifies assets according to their intrinsic value to a potential attacker

Focused on system or software
• Establishes a system structure first and then identifies relevant attack vectors on the
macro- and micro-levels of interaction between subsystems
Step 2: Categorization of Threats (STRIDE Approach)

Spoofing: Gaining access to a target system through the use of a falsified identity

Tampering: Falsifying communications or altering static information

Repudiation: Denying having performed an action or activity

Information disclosure: Revealing or distributing private, confidential, or controlled
information to external or unauthorized entities

Denial of service (DoS): Preventing an authorized use of a resource

Elevation of privilege: Transforming a limited user account into an account with greater
privileges, powers, and access
Step 3: Determining and Diagramming Potential Attacks

Once the threats are identified, the next step is to determine the potential attack
concepts that could materialize.

• It is often accomplished by data flow diagrams, privilege boundaries, and the elements involved.
• Once a diagram has been crafted, all the involved technologies are identified.
• Attacks that could be targeted at each element of the diagram are identified.

Note:

Attacks should include all forms: logical, physical, and social.


Step 3: Determining and Diagramming Potential Attacks

The given diagram shows the privilege boundaries and the elements involved:

[Figure: data flow diagram of a web login. Users send a login request across the user/web
server boundary to a web servlet, which hands it to a login process; the login process
issues an authenticate user SQL query across the web server/database boundary to the
college library database (data held in database files) and receives the SQL query result;
the authenticate user result, the login response and web pages flow back to the users.]
Step 4: Performing Reduction Analysis

It involves decomposing the application, system, or environment into:

• Trust boundaries
• Data flow paths
• Input points
• Privilege operations
• Security stance and approach
Step 5: Prioritization and Response

This step involves rating the threats to prioritize and address the most significant threats first.

The risk posed by a particular threat is equal to the probability of the threat occurring
multiplied by the potential damage:
Risk = Probability * Potential damage

• If a threat is rated as high, it poses a significant risk and needs to be addressed as
soon as possible.
• Medium threats need to be addressed but with less urgency.
• Low-level threats can be ignored depending upon the effort and cost required to
address them.
Step 5: Prioritization and Response

The DREAD rating system is a risk assessment framework used to evaluate the severity of
threats and vulnerabilities.

Damage potential: How severe is the damage likely to be if the threat is realized?

Reproducibility: How complicated is it for attackers to reproduce the exploit?

Exploitability: How hard is it to perform the attack?

Affected users: How many users are likely to be affected by the attack?

Discoverability: How hard is it for an attacker to discover the weakness?

DREAD Rating

Threat description                                                    | D | R | E | A | D | Total | Rating
An attacker obtains authentication credentials by monitoring the network | 3 | 3 | 2 | 2 | 2 | 12    | High
Injection of SQL commands                                             | 3 | 3 | 3 | 3 | 2 | 14    | High
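The following added example (not part of the course material) scores threats with DREAD the way the rating table above does. The scale of 1 to 3 per category (so totals run from 5 to 15) and the rating bands (12 and above High, 8 to 11 Medium, below 8 Low) are assumptions; the two totals in the table, 12 and 14, both fall in the High band under them. The third, low-scoring threat is constructed.

```python
# DREAD categories, in the order of the letters.
CATEGORIES = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

# Assumed scale: each category is scored 1 (low) to 3 (high), so totals run from 5 to 15.
MIN_SCORE, MAX_SCORE = 1, 3


def dread_rating(total):
    """Assumed rating bands for the DREAD total; both totals in the table above are High."""
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def dread_total(scores):
    """Sum the five DREAD scores after checking that each is present and on the scale."""
    missing = [c for c in CATEGORIES if c not in scores]
    if missing:
        raise ValueError(f"missing DREAD categories: {missing}")
    for category in CATEGORIES:
        if not MIN_SCORE <= scores[category] <= MAX_SCORE:
            raise ValueError(f"{category} must be between {MIN_SCORE} and {MAX_SCORE}")
    return sum(scores[c] for c in CATEGORIES)


def rate_threats(threats):
    """Return (description, total, rating) tuples, highest total first, so the most
    significant threats are addressed first as Step 5 requires."""
    rated = []
    for description, scores in threats.items():
        total = dread_total(scores)
        rated.append((description, total, dread_rating(total)))
    return sorted(rated, key=lambda r: r[1], reverse=True)


# The two threats from the rating table above, plus a constructed low-scoring one.
THREATS = {
    "An attacker obtains authentication credentials by monitoring the network":
        dict(zip(CATEGORIES, (3, 3, 2, 2, 2))),
    "Injection of SQL commands":
        dict(zip(CATEGORIES, (3, 3, 3, 3, 2))),
    "Verbose error page on an internal test host (constructed)":
        dict(zip(CATEGORIES, (1, 2, 1, 1, 1))),
}


if __name__ == "__main__":
    for description, total, rating in rate_threats(THREATS):
        print(f"{total:2d} {rating:6s} {description}")
```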


Threat Template

It is a structured document that outlines potential security threats to a system, along with key details.

Threat description: Injection of SQL commands
Threat target: Data access component
Risk rating: -
Attack techniques: An attacker appends SQL commands to the username, which is used to form an SQL query.
Countermeasures: Use a regular expression to validate the username and use a stored procedure that uses parameters to access the database.

Threat Template

Threat description: Attacker obtains authentication credentials by monitoring the network
Threat target: User authentication process in a web application
Risk rating: High
Attack techniques: An attacker uses network monitoring software.
Countermeasures: Use SSL to provide an encrypted channel

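The prioritization in Step 5 and the threat template records above can be kept together in one small tool. The following Python is an added example, not course material: it encodes the two threats from the DREAD table, computes their totals, and orders them so the highest-rated threat is handled first. The 1 to 3 scale per DREAD category and the band thresholds (12 or more is High, 8 to 11 is Medium, otherwise Low) are assumptions for this example; the slides only show that totals of 12 and 14 are rated High. The third threat is constructed to show a Low rating.

```python
"""DREAD threat prioritization (added example; thresholds are assumptions)."""
from dataclasses import dataclass

# Assumed rating bands: the course shows totals of 12 and 14 as High but gives no cut-offs.
HIGH_MIN = 12
MEDIUM_MIN = 8
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass
class Threat:
    """One threat template record plus its five DREAD ratings (each assumed 1..3)."""
    description: str
    target: str
    attack_technique: str
    countermeasure: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for name in DREAD_FIELDS:
            value = getattr(self, name)
            if not 1 <= value <= 3:
                raise ValueError(f"{name} must be rated 1..3, got {value}")

    def dread_total(self) -> int:
        return sum(getattr(self, name) for name in DREAD_FIELDS)

    def rating(self) -> str:
        return rating_for_total(self.dread_total())


def rating_for_total(total: int) -> str:
    """Map a DREAD total (5..15) to the High/Medium/Low bands used in Step 5."""
    if total >= HIGH_MIN:
        return "High"
    if total >= MEDIUM_MIN:
        return "Medium"
    return "Low"


def risk(probability: float, potential_damage: float) -> float:
    """The slide's formula: Risk = Probability * Potential damage."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * potential_damage


def prioritize(threats):
    """Highest DREAD total first, so the most significant threats are addressed first."""
    return sorted(threats, key=lambda t: t.dread_total(), reverse=True)


def threat_template(t: Threat) -> str:
    """Render a record in the layout of the course's threat template."""
    return "\n".join([
        f"Threat description: {t.description}",
        f"Threat target: {t.target}",
        f"Risk rating: {t.rating()} (DREAD total {t.dread_total()})",
        f"Attack techniques: {t.attack_technique}",
        f"Countermeasures: {t.countermeasure}",
    ])


# The first two records reproduce the course's DREAD table; the third is constructed.
THREATS = [
    Threat("An attacker obtains authentication credentials by monitoring the network",
           "User authentication process in a web application",
           "An attacker uses network monitoring software",
           "Use SSL/TLS to provide an encrypted channel",
           damage=3, reproducibility=3, exploitability=2, affected_users=2, discoverability=2),
    Threat("Injection of SQL commands", "Data access component",
           "An attacker appends SQL commands to the username used to form an SQL query",
           "Validate the username with a regular expression and use a parameterized stored procedure",
           damage=3, reproducibility=3, exploitability=3, affected_users=3, discoverability=2),
    Threat("Verbose error page reveals the framework version (constructed)", "Error handler",
           "An unhandled exception returns a stack trace to the browser",
           "Return generic error pages and log details server-side only",
           damage=1, reproducibility=2, exploitability=1, affected_users=1, discoverability=2),
]

if __name__ == "__main__":
    for threat in prioritize(THREATS):
        print(threat_template(threat), end="\n\n")
```

Running the script prints the SQL injection record first (total 14), then the credential sniffing record (12), then the constructed Low threat (7), which is the order in which Step 5 says they should be addressed.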

Threat Modeling Outcomes

The outcome of a threat modeling activity is a threat model document that identifies:

• Assets, actors, and use cases
• Relevant threats
• Weaknesses that could be exploited
• Countermeasures
PASTA

It stands for Process for Attack Simulation and Threat Analysis and outlines
the seven steps for risk-based threat analysis.

It integrates security and business objectives in threat modeling and allows security teams to
leverage existing work such as business impact analysis (BIA).

PASTA: Steps

Step 1: Objective definition
Step 2: Technical scope definition
Step 3: Application decomposition
Step 4: Threat analysis
Step 5: Vulnerability analysis
Step 6: Attack modelling
Step 7: Risk and impact analysis
Quick Check

During a security workshop, a team is using the STRIDE model to assess threats to their
applications. Which of the following is NOT an element of the STRIDE threat model?

A. Spoofing
B. Elevation of privilege
C. Repudiation
D. Disclosure
Overview of Supply Chain Risk Management (SCRM) Concepts
Supply Chain

It is the network of all the individuals, organizations, resources, activities, and technology involved in
the creation and sale of a product.

It starts with the delivery of source materials from the supplier to the manufacturer, eventually
delivering to the end user.

A supply chain compromise is an occurrence within the supply chain where an adversary jeopardizes
the confidentiality, integrity, or availability of a system or the information the system processes, stores,
or transmits.
Supply-Chain Risk Management (SCRM)

It is a process to help identify, monitor, detect, and mitigate threats to supply chain continuity
and profitability.

A supply chain compromise can occur anywhere within the system development life cycle of the
product or service.
Risks Associated with Hardware, Software, and Services

Here are a few risks associated with hardware, software, and services:

• Counterfeit hardware or hardware with embedded malware
• Poor information security practices by lower-tier suppliers
• Compromised software or hardware purchased from suppliers
• Software security vulnerabilities in supply chain management or supplier systems
Mitigating Risks Associated with Hardware, Software, and Services

These supply-chain risks can be mitigated during the acquisition life cycle by:

Supplier capability: Ensure the supplier has good security development and management practices.
Product security: Perform an assessment of the risk of the product for critical security compromise and mitigation requirements.
Product logistics: Control access to the product in transit at each step in the supply chain.
Operational product control: Implement appropriate configuration and monitoring controls during the operational use of the product or service.
Service-Level Agreement (SLA)

It is a formally defined level of service provided by an organization. In the slide's diagram the client
states the service requirements and the provider delivers the service under the SLA.

SLAs may be defined for:

• Security incident response
• Security alert delivery
• Security investigation
• Policy and procedure review
Silicon Root of Trust (SiRoT)

It is a security concept that embeds cryptographic hardware directly into silicon chips, providing a secure
foundation for various security-critical applications. Key components of SiRoT include:

• Hardware-based key generation
• Secure storage
• Trusted execution environments (TEEs)
Software Bill of Materials (SBOM)

It is a comprehensive list of the components required to create a software product, resembling a
detailed recipe. Key components of SBOM include:

• Direct dependencies
• Indirect dependencies
• Version information
• License information
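The four SBOM components listed above can be produced by walking a product's dependency graph. The following Python is an added example, not course material and not any real SBOM tool: it starts from a constructed component catalog (the names, versions and licences are invented), classifies each reachable component as a direct or indirect dependency by its depth from the product, records the version and licence, and flags components whose licence is unknown, which is the gap an SBOM review is meant to surface.

```python
"""Building a minimal SBOM from a dependency catalog (added example, constructed data)."""
from collections import deque

# Constructed catalog: component name -> metadata. These names, versions and
# licences are invented for the example and describe no real software.
CATALOG = {
    "app-portal":      {"version": "2.4.0", "license": "Proprietary",
                        "requires": ["web-framework", "http-client"]},
    "web-framework":   {"version": "1.8.2", "license": "MIT",
                        "requires": ["template-engine", "wsgi-toolkit"]},
    "template-engine": {"version": "3.1.0", "license": "BSD-3-Clause", "requires": []},
    "wsgi-toolkit":    {"version": "0.9.7", "license": "BSD-3-Clause",
                        "requires": ["template-engine"]},
    "http-client":     {"version": "5.2.1", "license": "Apache-2.0", "requires": ["tls-roots"]},
    "tls-roots":       {"version": "2024.1", "license": None, "requires": []},  # licence unknown
}


def build_sbom(root, catalog):
    """Breadth-first walk from the product. Depth 1 = direct dependency, deeper = indirect.

    Each component is recorded once, at its shallowest depth, with the first
    dependency path that reached it; the visited check also stops on cycles.
    """
    components = {}
    queue = deque([(root, 0, [root])])
    while queue:
        name, depth, path = queue.popleft()
        if name in components:
            continue
        meta = catalog.get(name)
        if meta is None:
            raise KeyError(f"{name} is required by {' -> '.join(path[:-1])} but is not in the catalog")
        relationship = "root" if depth == 0 else "direct" if depth == 1 else "indirect"
        components[name] = {
            "name": name,
            "version": meta["version"],
            "license": meta["license"],
            "relationship": relationship,
            "path": " -> ".join(path),
        }
        for dep in meta["requires"]:
            queue.append((dep, depth + 1, path + [dep]))
    return sorted(components.values(), key=lambda c: c["name"])


def components_of_kind(sbom, relationship):
    """Names of the direct or indirect dependencies in an SBOM."""
    return sorted(c["name"] for c in sbom if c["relationship"] == relationship)


def missing_licenses(sbom):
    """Components whose licence information is absent: these need follow-up before release."""
    return sorted(c["name"] for c in sbom if c["license"] is None)


def render(sbom):
    """Plain-text SBOM listing with the four components named on the slide."""
    lines = []
    for c in sbom:
        lic = c["license"] or "UNKNOWN"
        lines.append(f"{c['name']:16} {c['version']:8} {lic:13} {c['relationship']:9} via {c['path']}")
    return "\n".join(lines)


if __name__ == "__main__":
    sbom = build_sbom("app-portal", CATALOG)
    print(render(sbom))
    print("Missing licence information:", missing_licenses(sbom))
```

The breadth-first order matters: a component reachable both directly and through another dependency (template-engine here is reached via web-framework and via wsgi-toolkit) is classified by its shortest path, so it is not wrongly promoted or demoted depending on which edge the walk happened to see first.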
Third-Party Management

A third party is a company that is not under direct business control of the organization that engages it.

A third-party relationship is any business arrangement, by contract or otherwise, between a company
and another entity.

Outsourcing is the subcontracting of a business process to a third-party company.

Organizations are outsourcing systems, processes, and data to focus on core competencies, reduce
costs, and speed up application deployment.

Third-party risk management is a comprehensive plan to identify and mitigate potential business and
legal risks from hiring third-party services.
Third-Party Risks

These are the potential risks that an organization faces due to its reliance on external vendors,
suppliers, or partners:

Information security or data privacy: A third party has insufficient experience and controls to protect
the company's and its customer's information from unauthorized access, disclosure, modification, or
destruction.

Business continuity: A third party cannot continuously maintain services due to business disruption
(such as ineffective redundancy procedures).

Financial viability: A third party is not financially secure enough to continue to provide the services at
acceptable levels.

Third-Party Risks

Contract compliance: Third-party products, services, or systems are not consistent with the policies and
procedures, applicable laws, regulations, and ethical standards.

Legal or regulatory: A third party lacks the necessary licenses and the expertise to keep the company
compliant with domestic and international laws and regulations.
Third-Party Risk Management

The given diagram shows third-party risk management as a cycle of planning, due diligence, contract
negotiation, ongoing monitoring, and termination, with oversight and accountability applying throughout.

Third-Party Risk Management

The risk management plan should oversee the full life cycle of a third-party relationship including:

• The company's strategy for why it is using the third party and the inherent risks the relationship
presents
• Proper due diligence in selecting the third party
• Written contracts outlining the rights and responsibilities of all parties
• Ongoing monitoring of the third party’s activities and performance
• Contingency plans for effectively terminating the relationship
• Clear roles and responsibilities for overseeing and managing the relationship and risk
management process
• Documentation and reporting to facilitate oversight, accountability, monitoring, and
risk management
• Independent reviews to ensure that the processes align with the organization’s strategy and
effectively manage risks
Third-Party Risk Management Life Cycle

Stage: Planning

Develop a plan to manage the relationship. This is often the first step in the third-party risk
management process.

• Identify regulatory requirements
• Identify need for third-party service
• Determine inherent risks of activities
• Determine business requirements
• Analyze risk or benefit
• Incorporate risk strategy
• Establish a third-party risk profile
• Identify and qualify third parties
Third-Party Risk Management Life Cycle

Stage: Due diligence

Review a potential third party before signing a contract to ensure they align with the organization’s risk
appetite. On-site visits may be useful to fully understand their operations and capability to serve.

• Audited financial statements
• Business reputation and litigation
• Risk management procedures
• Compliance capabilities
• Internal audit coverage
• Information security
• Reliance on subcontractors
• Insurance coverage
Third-Party Risk Management Life Cycle

Stage: Contract negotiation

A written contract that defines the third party’s expectations and responsibilities must be developed to
ensure the contract’s enforceability, limit the organization’s liability, and mitigate performance
disputes.

• Scope of the arrangement
• Performance measures or benchmarks
• Responsibilities
• Regulatory compliance requirements
• Default and termination
• Subcontracting
• Confidentiality and security
• Indemnification
Third-Party Risk Management Life Cycle

Stage: Ongoing monitoring

After contracting with a third party, management should dedicate sufficient staff with the necessary
expertise, authority, and accountability to oversee and monitor their activities and performance.

• Process or policy review
• Ongoing performance and risk monitoring
• Ongoing due diligence and assessments
• Ongoing site visits and reviews
• Oversight and supervision
• Third-party contingency plans
• Financial reviews for viability
• Ability to recover from service disruptions
Third-Party Risk Management Life Cycle

Stage: Termination

A contingency plan must be developed to ensure a smooth transition of activities to another third
party, bring the activities in-house, or discontinue the activities upon contract expiry, fulfillment, or
changes to business strategy.

• Finalize exit strategy
• Provide notifications
• Risk exposure assessment
• Continuity planning
• Transition planning and execution
• Transfer of assets and information
• Legal confirmation of transition
• Payments, penalties, and final billings
Minimum Security Requirements

A third-party security requirements standard document sets out the minimum information security
requirements expected of third parties.

• Product or service specifications must include the requirements for security controls.

• Contracts with the third party must address the identified security requirements.

• If a product’s security functionality does not satisfy specific requirements, the risk introduced
must be evaluated, and additional controls must be reconsidered before purchase.

• If additional functionality causes a security risk, it must be disabled or reviewed to determine
if an advantage can be taken of the available enhanced functionality.
Service-Level Requirements (SLR)

It provides the requirements for a service from a client viewpoint, defining service-level targets,
responsibilities, and other specific requirements to manage the service.

A service provider prepares a service-level agreement (SLA) based on the SLR.
Quick Check

An organization is reviewing its supply chain to ensure compliance with its information security
standards. Which of the following is the most effective way to achieve this compliance?

A. Periodic audits
B. Service level monitoring
C. Penetration testing
D. Security awareness trainings
Establishing Security Awareness, Education, and
Training Program
Social Engineering

It is the exploitation of human behavior and trust.

It is a strategy that relies on human emotion, deceptive tricks, and outright lies.

Social engineers prey on people's intrinsic wants and needs.

They study their targets' attributes and tailor their attacks accordingly.
Social Engineering: Examples

• An intruder impersonates a remote sales agent seeking help to set up remote access and contacts
the help desk.
• An attacker creates an executable file that prompts a user for their password and records whatever
they type.
• An intruder sets off a fire alarm and connects a surveillance system to a network port, while
everyone is distracted.
Social Engineering: Principles

Social engineering attacks rely on one or more of the following principles to be persuasive:

Familiarity or liking
• It creates trust.
• It makes the request appear reasonable and natural.

Consensus or social proof
• It utilizes courteous behaviors.
• It creates fabricated testimonials or contacts.

Authority and intimidation
• It makes the target fearful of refusing.
• It takes advantage of a lack of knowledge or awareness.

Scarcity and urgency
• It convinces the target to make a choice.
Phishing

It is a cybercrime where attackers obtain sensitive information by pretending to be trustworthy entities.

It is a form of social engineering that often involves misleading emails, messages, or websites.

It involves distributing phishing messages to many targets in a campaign.

It varies in complexity and scale, from simple email blasts to highly targeted attacks.

It aims to compromise as many accounts or systems as possible.
Types of Phishing

Spear phishing is a scam where the attacker uses data to make an individual target
more likely to be tricked.

Whaling is a spear phishing attack targeting upper management in an organization.

Vishing is a phishing attack conducted through a voice channel.

Smishing uses text messages (SMS) as the attack vector.


Indicators of Phishing

Several indicators of phishing to look out for include:

• Mismatched URLs
• Poor grammar and spelling
• Requests for sensitive information
• Unsolicited attachments
• Too good to be true
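The indicators above are the ones a mail filter or an awareness-training exercise can check for mechanically. The following Python is an added example, not course material: it scores constructed sample messages against four of the five indicators (a mismatched URL is an HTML link whose visible text names a different domain than its href; requests for sensitive information and too-good-to-be-true offers are matched by keyword lists; unsolicited attachments are flagged by risky file extensions). Poor grammar and spelling is left to the human reader, since a keyword check cannot judge it reliably. The keyword lists, extension list and sample messages are assumptions constructed for the example, and the sample domains use the reserved example.com/example.net names.

```python
"""Checking a message for the slide's phishing indicators (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Assumed heuristics for this example; a real filter would use far larger lists.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<"]+', re.IGNORECASE)
SENSITIVE_RE = re.compile(
    r"\b(password|passcode|social security|credit card|verify your account|"
    r"confirm your (?:identity|password))\b", re.IGNORECASE)
TOO_GOOD_RE = re.compile(r"\b(you have won|lottery|prize|free gift|guaranteed|inheritance)\b",
                         re.IGNORECASE)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk")


def registrable_domain(url: str) -> str:
    """Last two labels of the host, so login.example.net and www.example.net compare equal."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def mismatched_urls(html_body: str):
    """Links whose visible text shows a URL on a different domain than the real href."""
    found = []
    for href, text in ANCHOR_RE.findall(html_body):
        shown = URL_RE.search(text)
        if shown and registrable_domain(shown.group(0)) != registrable_domain(href):
            found.append((href, shown.group(0)))
    return found


def risky_attachment(filename: str) -> bool:
    """Double extensions such as statement.pdf.exe still end in a risky extension."""
    return filename.lower().endswith(RISKY_EXTENSIONS)


def phishing_indicators(message: dict):
    """Return the list of slide indicators present in a message (grammar is not checked)."""
    text = f"{message['subject']} {message['body']}"
    indicators = []
    if mismatched_urls(message["body"]):
        indicators.append("mismatched URL")
    if SENSITIVE_RE.search(text):
        indicators.append("request for sensitive information")
    if any(risky_attachment(a) for a in message.get("attachments", [])):
        indicators.append("unsolicited risky attachment")
    if TOO_GOOD_RE.search(text):
        indicators.append("too good to be true")
    return indicators


def verdict(message: dict) -> str:
    """Two or more indicators: treat as phishing and follow the counter-phishing process."""
    count = len(phishing_indicators(message))
    if count >= 2:
        return "likely phishing"
    return "suspicious" if count == 1 else "no indicators"


# Constructed sample messages (not real mail).
SAMPLE_PHISH = {
    "subject": "Urgent: verify your account",
    "body": ('Dear customer, your account will be suspended. Click '
             '<a href="http://secure-login.example.net/verify">https://www.example.com/login</a> '
             'and confirm your password within 24 hours.'),
    "attachments": ["statement.pdf.exe"],
}
SAMPLE_LEGIT = {
    "subject": "Team meeting notes",
    "body": ('Notes are at <a href="https://intranet.example.com/notes">'
             'https://intranet.example.com/notes</a>. See you Monday.'),
    "attachments": ["notes.pdf"],
}
SAMPLE_LOTTERY = {
    "subject": "Congratulations, you have won a prize",
    "body": "Reply to claim your reward.",
    "attachments": [],
}

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT, SAMPLE_LOTTERY):
        print(f"{sample['subject']!r}: {verdict(sample)} {phishing_indicators(sample)}")
```

The domain comparison is deliberately on the registrable domain rather than the full host, otherwise every legitimate link from a subdomain (intranet.example.com shown as example.com) would be reported and users would learn to ignore the warning.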
Process to Counter Phishing

Isolate the threat

Analyze the content

Notify IT security

Make users aware

Update security measures


Importance of Security Awareness Training

Security awareness training is important to:

• Understand the importance of security
• Understand expected responsibilities, acceptable behaviors, and noncompliance consequences
• Modify employees’ behavior and attitude toward security
• Improve the overall security of the organization
• Implement the controls in a better way


Security Awareness Training

The given table describes the three parts of security awareness training:

Objective
• Awareness: To focus on security
• Training: To produce required and relevant security skills and competencies
• Education: To integrate security skills and competencies into a common body of knowledge

Advantages
• Awareness: Organizations can inform employees about their roles and expectations in observing the
information security requirements.
• Training: Training provides guidance in the performance of particular security or risk management
functions, and provides information on the security and risk management functions.
• Education: Educated employees can aid the organization in fulfilling security program objectives.
Implementation of Security Awareness Training Program

The following table compares awareness, training, and education on the attributes to consider when
developing and implementing a good security awareness training program:

Attribute: Awareness - What; Training - How; Education - Why
Level: Awareness - Information; Training - Knowledge; Education - Insight
Objective: Awareness - Exposure; Training - Skills; Education - Understanding
Teaching method:
• Awareness - Media (videos, newsletter, posters)
• Training - Practical instructions (lecture, case study, workshop, hands-on practice)
• Education - Theoretical instructions (discussion, seminar, background reading, research)
Test measure:
• Awareness - True or false, multiple choice (identify learning)
• Training - Problem solving (apply learning)
• Education - Essay (interpret learning)
Impact timeframe: Awareness - Short term; Training - Intermediate; Education - Long term
Methods and Techniques to Present Awareness and Training

Security awareness training could help organizations protect against social engineering attacks.

Organizations should identify and train a security champion within a team who then
becomes an enabler and promoter of security best practices.

The security champion should be the single point of contact within a department
and should act as a liaison between the security team and the employees.

Security leaders can use gamification to enhance cybersecurity training for their employees.

Employees can use a simulated environment to test and improve their readiness for cyber incidents.
Business Scenario

PwC launches Game of Threats

• In 2016, global accountancy firm PwC launched Game of Threats to help senior executives and directors
assess and enhance their readiness for cyber incidents.

• Game of Threats is an interactive digital game that simulates a real-world cyber breach to help executives
better understand the steps they can take to protect their companies.

• The game was based on others’ real-life experience with cyberattacks.

• Designed to be nontechnical, the game environment creates a realistic experience where participants are
required to make quick, high-impact decisions with limited resources.

• The participants are provided with a detailed summary of each game with a review of their strategy,
actions, and missed opportunities.
Periodic Content Reviews

The training content must be periodically reviewed, kept up to date, and tailored to meet the needs of
the target audience.

Reviews could be triggered when:

• A security policy is added or updated.
• A major new threat is identified.
• A major security incident occurs, which could have been avoided through better security awareness.
• A major change is introduced to the information systems,

Program Effectiveness Evaluation

A security awareness training program is crucial for fostering a security culture within an organization
and must be assessed for its effectiveness.

• Calculate the return on investment (ROI) by comparing training costs to potential benefits, such as
reduced losses due to security incidents
• Assess knowledge retention, behavioral changes, positive attitude, reduced incidents, and
cost-effectiveness
• Regularly review and update the program based on evaluation results and evolving security threats
• Incorporate gamification elements for more engaging training and encourage active participation
during training sessions
Methods to Assess Program Effectiveness

The four levels are reaction, learning, behavior, and results.

Reaction: To what degree participants react favorably to the training

Sample questions:
• Was the course relevant and useful?
• Was the training enjoyable?
• Does the training accommodate their learning styles and paces?
• How likely would they recommend the course to their colleagues?

Methods to Assess Program Effectiveness

Learning: To what degree participants acquire the intended knowledge, skills, attitudes, confidence,
and commitment based on their participation in a training event

Methods:
• Use assessments or tests before and after the training to check performance changes due to
the program

Sample questions:
• Has their knowledge increased as a result of the training?

Methods to Assess Program Effectiveness

Behavior: To what degree participants apply what they learned during training when they are back
on the job

Sample questions:
• Have the trainees put any of their learnings to use?
• Are trainees able to teach their new knowledge, skills, or attitudes to other people?
• Are trainees aware that they have changed their behavior?

Methods to Assess Program Effectiveness

Results: To what degree targeted outcomes occur as a result of the training event and subsequent
reinforcement

Sample key metrics to measure results:
• Improved work quality and productivity
• Improved business results (such as sales, customer satisfaction, and retention)
• Increased employee engagement, satisfaction, and retention
• Reduced production cost, duration, and error and rework
AI in Cyber Security Training

AI is revolutionizing cybersecurity by efficiently processing large amounts of data, significantly impacting
the training of cybersecurity professionals.

AI-powered platforms offer adaptive learning, real-time feedback, simulation training, threat
intelligence, ethical training, virtual tutors, and microlearning.

AI can tailor training content to individual learners, provide immediate feedback, simulate
cyberattacks, analyze threat data, and provide ethical training.

AI-powered tutors offer personalized guidance and can be easily integrated into
busy schedules.
Quick Check

As a security team plans an IT security awareness program, they consider various elements for its
effectiveness. What is the most important success factor in designing this program?

A. Content is tailored to the target attendees.
B. It is represented by senior management.
C. Employees across all hierarchical levels are trained.
D. It is focused on hands-on training rather than theoretical knowledge.
Key Takeaways

• Information security governance provides strategic direction and ensures security objectives
are achieved.
• Security policy guides the security program in the organization.
• Information risk management is the process of identifying and assessing the risk, reducing it to
an acceptable level, and implementing the right mechanisms to maintain it at that level.
• When selecting the right control to reduce a particular risk, the functionality, viability, and the
available budget must be assessed. Also, a cost-benefit analysis must be performed.
• Computer crimes refer to any crime that involves a computer and a network.
• An organization’s ability to respond to any disaster and recover from disruptions depends on the
business continuity plan (BCP).
Thank You