DOMAIN 1 RISK AND SECURITY MANAGEMENT
CIA Triad: Confidentiality, Integrity, Availability
Confidentiality (opposite: disclosure).- Only authorized subjects can access objects. Access control, least
privilege, need to know.
Integrity (opposite: alteration).- Data and configurations are not modified (without authorization). Hash,
separation of duties, dual control, parity.
Availability (opposite: dysfunction).- Objects requested by subjects must be delivered in a reasonable amount
of time. BCP, DR, RAID, load balancers.
The priority of Information Security Governance is to maintain the CIA of assets.
ISC2 CODE OF ETHICS:
1. Protect society, the commonwealth and the infrastructure.
2. Act honorably, honestly, legally, ...
3. Provide diligent/competent service to principals
4. Advance and protect the profession.
Levels in Development of security policy:
1.- Policy.- Assigns roles and responsibilities.
2.- Security baselines.- defines minimum levels
3.- Security guidelines.- Recommendations.
4.- Security Procedures.- Detailed steps.
EXAM TIP: New safeguard implies new baseline.
Risk Categories.- Groups of potential causes of risk:
* Damage.- Physical loss of an asset, or inability to access it.
* Disclosure.- Critical information is revealed.
* Losses.- Permanent or temporary. Altered data or inaccessible data.
Risk Factors.- Increase risk:
* Physical damage.- Natural disaster, vandalism.
* Malfunctions.- Failure of systems, networks
* Attacks.- From inside or outside. Intentional.
* Human errors.- Unintentional.
* Application errors.- Failures
Security Planning:
* Strategic (5 yr, annual update)
* Tactical (1 yr)
* Operational (monthly, quarterly)
Response to Risk:
* Risk Acceptance
* Risk Mitigation
* Risk Assignment
* Risk Avoidance
* Risk Deterrence.- Measures intended to discourage would-be violators of security policies.
* Risk Rejection.- Ignore the risk. Unacceptable.
Framework.- A logical structure. A framework tries to document and organize processes. An
information security framework guides the development and management of an information
security program, and includes policies, standards, processes and controls.
ISO 27001:2022: Information Security Management Systems.
ISO 27002:2022: Information Security Controls
NIST (government agency).- Cybersecurity Framework (CSF) (standards, guidelines and practices for
protection of infrastructure and management of cybersecurity risk).
COBIT (international IT management framework).- Helps businesses develop, organize and
implement strategies around information management and governance.
PRIMARY RISK MANAGEMENT FRAMEWORK: NIST 800-37
Steps:
1.- Prepare to execute RMF
2.- Categorize information systems.
3.- Select security controls.
4.- Implement SC.
5.- Assess SC.
6.- Authorize information system.
7.- Monitor SC.
OTHER RMFs: OCTAVE, FAIR, TARA
EXAM TIP: Human safety is the most important.
Legal issues are involved → “call an attorney”
TYPES OF RISKS:
1.- Residual Risk: Risk that remains after safeguards applied.
Management has accepted them.
2.- Inherent Risk: Risk before applying risk management strategies.
3.- Total Risk: Total amount of risk that a company would tolerate (without controls).
Total Risk = threats * vulnerabilities * asset value
Risk = threat * vulnerabilities
RISK ANALYSIS: Evaluate effectiveness of countermeasures. Quantitative (objective, in dollars),
qualitative (uses a score rating, subjective, ex: Delphi technique).
Steps quantitative:
1.- Inventory assets: assign a value (AV)
2.- Identify threats per asset (calculate EF and SL)
3.- Perform a threat analysis (calculate ARO per threat)
4.- Estimate potential loss (calculate ALE)
5.- Research countermeasures (per threat).- evaluate changes in ARO and ALE.
6.- Perform cost/benefit analysis
DEFINITIONS:
Loss potential.- What is lost if threat agent exploits a vulnerability.
Delayed loss.- Amount of loss incurred over time after the event.
Threat agent.- Anything or anybody that causes a threat by exploiting vulnerabilities.
Exposure Factor (EF).- % of loss if an asset is violated.
Single Loss Expectancy (SLE).- Cost of a single realized risk for an asset.
SLE = AV($) x EF(%)
Annualized Rate of Occurrence (ARO).- Frequency with which a threat is expected to occur in a year.
Annualized Loss Expectancy (ALE).- Cost of all instances of a threat over an asset in a year.
ALE = SLE * ARO
Safeguard Evaluation.- A security control is good if it mitigates risk, is transparent to users, is difficult
to bypass and is cost effective.
Value of safeguard = ALE before SG – ALE after SG – cost safeguard
Controls gap.- Amount of risk reduced after implemented safeguards.
Total Risk – controls gap = residual risk
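The six quantitative steps above, carried through on a constructed scenario. This is an added worked example, not part of the original notes; the asset value, exposure factors, rates and safeguard costs are made up for illustration, and the safeguard names are hypothetical.

```python
"""Quantitative risk analysis, step by step (added worked example, not from the notes).

Implements the formulas from the notes:
    SLE = AV x EF
    ALE = SLE x ARO
    Value of safeguard = ALE before - ALE after - annual cost of safeguard
All asset values, exposure factors and rates below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: cost of one realized threat event.

    exposure_factor is the fraction of the asset value lost (0.25 for 25 %).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss_expectancy: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected loss per year.

    ARO is the expected number of occurrences per year; it may be below 1
    (a flood expected once a decade has ARO = 0.1) or above 1.
    """
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy * aro


@dataclass
class Safeguard:
    """A candidate countermeasure and its effect on EF and ARO (step 5 of the notes)."""
    name: str
    annual_cost: float
    ef_after: float    # exposure factor once the safeguard is in place
    aro_after: float   # annual rate of occurrence once the safeguard is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost.

    A negative result means the safeguard costs more than the risk it removes.
    """
    ale_before = ale(sle(asset_value, ef), aro)
    ale_after = ale(sle(asset_value, sg.ef_after), sg.aro_after)
    return ale_before - ale_after - sg.annual_cost


def rank_safeguards(asset_value: float, ef: float, aro: float,
                    candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Step 6, cost/benefit analysis: (name, value) pairs, best value first."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer database valued at $500,000; a ransomware
# event is estimated to destroy 40 % of its value and to happen twice a year
# if nothing is done.
ASSET_VALUE = 500_000.0
EF = 0.40
ARO = 2.0

CANDIDATES = [
    # cheaper recovery: events still happen, but each one costs far less
    Safeguard("offline backups", annual_cost=20_000.0, ef_after=0.10, aro_after=2.0),
    # fewer events: each one still costs the same, but they are rarer
    Safeguard("endpoint detection", annual_cost=60_000.0, ef_after=0.40, aro_after=0.5),
    # removes the risk entirely, but costs more than the ALE it avoids
    Safeguard("bespoke appliance", annual_cost=450_000.0, ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(ASSET_VALUE, EF):,.0f}")
    print(f"ALE = ${ale(sle(ASSET_VALUE, EF), ARO):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        verdict = "worth it" if value > 0 else "not cost effective"
        print(f"{name:20s} value = ${value:>10,.0f}  ({verdict})")
```

The third candidate is the exam point in miniature: a control that removes all risk still fails the cost/benefit test when its annual cost exceeds the ALE it avoids.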
SUPPLY CHAIN.- Most services are delivered through a chain of multiple entities. Ex. a car.
We must secure that supply chain by evaluating 3rd parties (take into account):
* On-site assessment.- Visit the organization, interviews, observe.
* Document exchange and review.- How they manage datasets, execute assessments, reviews
and document exchange.
* Process/policy review
* 3rd party audit
THREAT MODELING.- Proactive or reactive. The goal is to eliminate or reduce threats.
3 ways to focus:
* Focused on assets.- We start with the most valuable assets.
* Focused on attackers.- We start with attackers goals.
* Focused on Software.- We start with potential threats to the software the org develops.
THREAT MODELS:
* STRIDE: Spoofing, Tampering (modification of data or installed software), Repudiation, Information
Disclosure, DoS, Elevation of Privilege. Centered on potential threats.
* PASTA: develops countermeasures based on asset value:
1.- Definition of Objectives.
2.- Definition of Technical Scope.
3.- App decomposition & Analysis.
4.- Threat Analysis.
5.- Weakness & vulnerabilities
6.- Attack Modeling & Simulation
7.- Risk Analysis & Management
* VAST (based on Agile): Visual, Agile, Simple, Threat. Integrates threat modeling in an Agile
programming environment.
* DREAD.- Tries to answer these questions:
1.- Damage potential
2.- Reproducibility
3.- Exploitability
4.- Affected users
5.- Discoverability
* TRIKE.- Focused on acceptable risk. Open source.
SECURITY CONTROL FRAMEWORK
* COBIT.- IT management and governance framework.
Principles:
* Meet stakeholder needs.
* Cover enterprise end-to-end.
* Apply a single, integrated framework.
* Enable a Holistic Approach.
* Separate Governance from Management
DEFINITIONS:
Diagramming Potential Attacks.- Potential attacks can be detected by diagramming our
infrastructure (inputs / outputs of every layer in the infrastructure).
Reduction Analysis: Mechanism that helps us detect threats by breaking the system into:
* Trust boundaries.- Any location where the level of trust / security changes.
* Data flow Paths.- Movement of data to different locations.
* Input points.- Locations where we receive external inputs.
* Privileged Operations.- Activities that require a higher privilege.
* Security stance and approach.- Security policy, security foundations and assumptions.
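A reduction-analysis pass over a constructed three-element web application, enumerating STRIDE threats per element and ranking a few of them with DREAD. This is an added example serving both the THREAT MODELS list (STRIDE, DREAD) and the Reduction Analysis definitions above; it is not from the notes. The element names, trust zones and DREAD ratings are made up, and the STRIDE-per-element table (which threat classes apply to which element kind) is the commonly used mapping, encoded here as an assumption of the example.

```python
"""Reduction analysis + STRIDE + DREAD on a toy system (added example, not from the notes).

The notes describe breaking a system into trust boundaries, data-flow paths,
input points and privileged operations, enumerating STRIDE threats, and
answering the five DREAD questions. This script does that for a constructed
three-element web application. The STRIDE-per-element table is the commonly
used mapping and is encoded here as an assumption of the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Kind(Enum):
    EXTERNAL = "external entity"   # an input point we do not control
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"             # a data-flow path


# Which STRIDE classes are considered for each element kind (assumed mapping).
STRIDE_BY_KIND: Dict[Kind, Set[str]] = {
    Kind.EXTERNAL: {"Spoofing", "Repudiation"},
    Kind.PROCESS: {"Spoofing", "Tampering", "Repudiation",
                   "Information Disclosure", "DoS", "Elevation of Privilege"},
    Kind.STORE: {"Tampering", "Repudiation", "Information Disclosure", "DoS"},
    Kind.FLOW: {"Tampering", "Information Disclosure", "DoS"},
}


@dataclass
class Element:
    name: str
    kind: Kind
    trust_zone: str           # e.g. "internet", "dmz", "internal"
    privileged: bool = False  # hosts a privileged operation


@dataclass
class Flow:
    src: str
    dst: str
    data: str


def crosses_trust_boundary(flow: Flow, elements: Dict[str, Element]) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different trust zones."""
    return elements[flow.src].trust_zone != elements[flow.dst].trust_zone


def enumerate_threats(elements: Dict[str, Element], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (target, STRIDE class) pairs.

    Every element is examined (a privileged element always gets Elevation of
    Privilege added); flows are examined only where they cross a trust boundary.
    That is the reduction step: flows inside one zone wait for a deeper pass.
    """
    threats: List[Tuple[str, str]] = []
    for el in elements.values():
        classes = set(STRIDE_BY_KIND[el.kind])
        if el.privileged:
            classes.add("Elevation of Privilege")
        for threat in sorted(classes):
            threats.append((el.name, threat))
    for flow in flows:
        if crosses_trust_boundary(flow, elements):
            for threat in sorted(STRIDE_BY_KIND[Kind.FLOW]):
                threats.append((f"{flow.src}->{flow.dst} ({flow.data})", threat))
    return threats


def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> float:
    """Answer the five DREAD questions on a 1..10 scale; the score is their mean."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be between 1 and 10")
    return sum(factors) / len(factors)


def rank_by_dread(ratings: Dict[Tuple[str, str], Tuple[int, int, int, int, int]]
                  ) -> List[Tuple[str, str, float]]:
    """Order rated threats from highest to lowest DREAD score."""
    scored = [(target, threat, dread_score(*factors))
              for (target, threat), factors in ratings.items()]
    return sorted(scored, key=lambda item: item[2], reverse=True)


# Constructed model: browser on the internet -> web app in the DMZ -> database inside.
MODEL_ELEMENTS: Dict[str, Element] = {
    "browser": Element("browser", Kind.EXTERNAL, "internet"),
    "webapp": Element("webapp", Kind.PROCESS, "dmz"),
    "db": Element("db", Kind.STORE, "internal", privileged=True),
}
MODEL_FLOWS: List[Flow] = [
    Flow("browser", "webapp", "login form"),
    Flow("webapp", "db", "SQL query"),
]

# Constructed DREAD ratings for four of the enumerated threats:
# (damage, reproducibility, exploitability, affected users, discoverability)
MODEL_RATINGS = {
    ("webapp->db (SQL query)", "Information Disclosure"): (8, 9, 7, 9, 8),
    ("browser", "Spoofing"): (6, 9, 8, 7, 9),
    ("webapp", "Elevation of Privilege"): (9, 6, 5, 8, 4),
    ("db", "DoS"): (7, 5, 4, 8, 3),
}

if __name__ == "__main__":
    for target, threat in enumerate_threats(MODEL_ELEMENTS, MODEL_FLOWS):
        print(f"{target:30s} {threat}")
    print("--- ranked by DREAD ---")
    for target, threat, score in rank_by_dread(MODEL_RATINGS):
        print(f"{score:4.1f}  {target:30s} {threat}")
```

The DREAD ranking is what turns the STRIDE list into a work queue: the same enumeration feeds the risk analysis step of PASTA or the safeguard selection in the quantitative method, with the highest-scoring threats treated first.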
SECURITY CONTROLS.- Countering and minimizing loss or unavailability of
services.
Can be: safeguards (proactive), countermeasure (reactive)
Categories of Security Controls:
* Technical.- Are logical. Involves hardware or software.
* Administrative.- Policies and procedures, regulations, requirements.
* Physical.- Items you can touch.
Types of Security Controls:
* Deterrent.- Discourages violations of security policy.
* Preventative.- A barrier to avoid unwanted or unauthorized activity.
* Detective.- Discovers / detects something in progress. Ex. job rotation, mandatory vacations.
* Compensating.- Complements other security controls. Ex. encrypt data in transit.
* Corrective.- Modifies the environment to return the system to normal.
* Recovery.- Extension of corrective. More advanced or complex. Ex. server clustering.
* Directive.- Directs or controls the actions of subjects to comply with security policies.
LEGAL & REGULATORY
Types of Law:
* Criminal law: Prohibits murder, assault, robbery, arson.
* Civil law: Includes contract disputes, employment, real estate, probate.
* administrative law: standards of conduct are set by government agencies. Covers
utilities, communications, banking, env protection, healthcare.
Laws:
* Computer Fraud and Abuse Act (CFAA).- US Cybercrime legislation.
* Federal sentencing guidelines.- Guidelines to help judges interpret computer laws.
* Federal Information Security Management Act (FISMA).- It requires the federal agencies
to implement a security program.
* Copyright and the Digital Millennium Copyright Act.- For literary, musical and dramatic works.
The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by
federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings
contain interpretations of law and are not laws themselves.
Intellectual Property and Licensing:
* Trademarks.- words, slogans, logos of companies / products / services. (government office:
USPTO)
* Patents.- Protect intellectual property rights of inventors.
* Trade secrets.- IP critical to the business. Must not be disclosed.
* Copyright.- The work is protected against any kind of reproduction or use without consent. Lasts longer
than a patent.
* Licensing: 4 types:
1.- contractual.
2.- shrink wrap.- new and right out-of-the-box
3.- click-through
4.- cloud services
Regulations about Encryption and Privacy
* Computer Export Controls.- US companies can't export to Cuba, Iran, North Korea, Sudan and
Syria.
* Encryption Export Controls.- Limitations on export of encryption products outside US.
* Privacy (US).- Basis for privacy rights are in 4th amendment of US Constitution.
* Privacy (EU).- GDPR regulation → Applies to companies with customers in the EU.
US Privacy laws:
* HIPAA (Health Insurance Portability and Accountability Act).- Establish requirements for
Healthcare providers, Health information clearinghouse and health insurance plan. Privacy and
Security
* HITECH (Health Information Technology for Economic and Clinical Health).- Privacy and
Security
* Gramm-Leach-Bliley Act (GLBA) → Privacy and Security for financial institutions.
* Children's Online Privacy Protection Act (COPPA)
* Electronic Communications Privacy Act (ECPA) → For communications
* Communications Assistance for Law Enforcement (CALEA) → For communications.
* PCI DSS (Payment Card Industry Data Security Standard) → Security control framework for
Credit card information.
* FedRAMP.- Promotes the adoption of secure cloud services across the federal government.
* FERPA.- regulates security and privacy for student educational records.
In the EU → NIS2 Directive: Provides legal measures to boost overall level of cybersecurity in EU.
BUSINESS CONTINUITY
Business Continuity Planning.- Includes:
1.- Strategy development
2.- Provisions and processes
3.- Plan approval
4.- Plan implementation
5.- Training and education
DEFINITIONS
BCP (Business Continuity Plan).- Overall organizational plan for continuing the business.
DRP (Disaster Recovery Plan).- Plan for recovering from a disaster impacting IT. Return IT
infrastructure.
COOP (Continuity of Operations Plan).- Plan for continuing business until the IT infrastructure can
be restored.
Differences BCP vs DRP
* BCP → whole business. Covers communications and processes more broadly.
* DRP → technical aspects of recovery
Service Organizations Control audit program includes business continuity controls in a SOC2, not
SOC1 audit.
Business continuity plan documentation normally includes the continuity planning goals, a
statement of importance, statement of priorities, statement of organizational responsibility,
statement of urgency and timing, risk assessment and risk acceptance and mitigation
documentation, a vital records program, emergency response guidelines, and documentation for
maintaining and testing the plan.
USER EDUCATION
Establish and maintain security awareness with education and training program.
The program includes:
* Methods and techniques for awareness and training.
* Periodic content reviews.
* Program effectiveness evaluation
Consequences of privacy and data breaches
1.- Reputational damage.- loss of customer trust, loss of revenue.
2.- Identity theft.- Use of a person's private information to impersonate them.
3.- Intellectual Property (IP) theft.- Cost in customers, credit ratings, brand reputation.
4.- Fines.- Failing to report a breach results in fines. GDPR outlines fines of 4% of annual global
revenues or 20 million euros.
Notifications of breaches
The EU sets in GDPR that notifications must be reported within 72 hours.
Escalations.- To external resources (ex. law enforcement) or outside experts → Will help stop /
investigate the breach.
Some delays are allowed for criminal investigation.
Functional Roles in an Organization
Data Custodian.- Responsible for implementing security controls defined by senior management.
Owners.- Responsible for oversight and decisions related to classification, access control and
protection. (advise, implement, manage and monitor data protection controls).
Users.- Handle data and interact with information systems following standards and policies.
How do we measure that our cybersecurity program is working well? We use KGIs and KPIs:
* KGI.- Key Goal Indicators.- Are metrics used to measure progress towards achieving key goals,
strategies or high-level objectives. They measure outcomes.
* KPI.- Key Performance Indicators.- Are metrics to evaluate performance. More focused and
granular than KGIs (for a specific process).
In reduction analysis the security professional breaks the system into:
* Trust boundaries
* Data flow paths
* Input points
* privileged operations
* details about security controls.