Domain 01 - Security and Risk Management
5 pillars of information security
CIA Triad
The CIA triad is the cornerstone of information security.
Confidentiality protects assets from unauthorized access
Access controls restrict users from accessing sensitive information without permission.
Encryption protects information at rest or in transit.
Steganography hides information within images or other files.
Integrity protects assets from unauthorized modification
Hash functions create message digests from large files. Digests are fingerprints: a change
in the hash value indicates a change in the underlying file. Digital Signatures provide
Authenticity and Non-repudiation.
Availability ensures that information and systems are available for authorized users
when needed.
Authenticity refers to the verification that data or documents are genuine.
Non-repudiation prevents parties involved in a transaction from denying their
participation.
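The digest and keyed-digest checks described in the integrity and authenticity notes above, as an added Python example (not part of the original notes). The message contents and the key are constructed for the demo; the point it shows is that a plain hash detects modification only when the recorded digest is itself protected, while an HMAC adds authenticity but still not non-repudiation.

```python
import hashlib
import hmac

# Constructed sample message contents (not from the original notes).
ORIGINAL = b"Transfer 1000 to account 12345\n"
TAMPERED = b"Transfer 9000 to account 12345\n"


def digest(data: bytes) -> str:
    """SHA-256 message digest: a fixed-length fingerprint of data of any size."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, recorded_digest: str) -> bool:
    """Recompute the digest and compare it with the one recorded earlier.

    This detects modification only if the recorded digest was protected
    (stored out of band, or signed): whoever alters the data can simply
    recompute an unkeyed hash over the altered version.
    """
    return hmac.compare_digest(digest(data), recorded_digest)


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed digest. A holder of the key can verify that the
    data came from another key holder (authenticity) and was not altered
    (integrity)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_valid(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(mac(key, data), tag)


if __name__ == "__main__":
    recorded = digest(ORIGINAL)
    print("digest of original:   ", recorded)
    print("original intact:      ", integrity_intact(ORIGINAL, recorded))
    print("tampered intact:      ", integrity_intact(TAMPERED, recorded))
    print("tampered + new digest:", integrity_intact(TAMPERED, digest(TAMPERED)))
    key = b"shared-secret-key"  # constructed key for the demo
    tag = mac(key, ORIGINAL)
    print("MAC valid (original): ", mac_valid(key, ORIGINAL, tag))
    print("MAC valid (tampered): ", mac_valid(key, TAMPERED, tag))
    print("MAC valid (wrong key):", mac_valid(b"other-key", ORIGINAL, tag))
```

The HMAC does not give non-repudiation: every party that can verify the tag holds the same key and could have produced it. That is why the notes tie non-repudiation to digital signatures, where only the signer holds the private key.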
People, Process and Technology.
Due Care – fulfilling legal responsibilities and professional best practices.
Due Diligence – taking reasonable measures to investigate security risks.
Security controls
COBIT – business-focused control framework covering IT and related technologies, built on
6 principles:
Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct From Management
Tailored to Enterprise Needs
End-to-End Governance System
ISO Standards
ISO 27001 covers cybersecurity control objectives
ISO 27002 covers cybersecurity control implementation
ISO 27701 covers privacy controls
ISO 31000 covers risk management programs
NIST SP 800-53 – mandatory for federal agencies
NIST Cybersecurity Framework (CSF) – provides a common language for cybersecurity
risk. Helps identify and prioritize actions. Aligns security actions across control types.
Offers different value to different organizations.
Framework Functions (6 categories, 23 sub-categories): Identify (ID), Protect (PR), Detect (DE),
Respond (RS), Recover (RC)
NIST SP 800-37 – NIST Risk Management Framework (RMF)
FedRAMP – Federal Risk and Authorization Management Program certifies cloud service
providers for U.S. federal government use.
SABSA – Sherwood Applied Business Security Architecture
GDPR
PCI-DSS
PII Personally Identifiable Information
PHI Protected Health Information – under HIPAA
GAPP
ISO/IEC 27018:2019
National Data Privacy
PIPEDA Canada
LGPD Brazil
PIPL China
POPIA South Africa
Data Breaches – SOX for public companies, HIPAA for healthcare, PCI DSS for credit card
records, state laws, GDPR. PII elements.
Code of Ethics – ISC2 also has a code of ethical behavior.
Security policy framework – 4 components:
Security policies, security standards (e.g. CIS) and procedures are MANDATORY;
guidelines are OPTIONAL.
Business Continuity Planning (BCP) – business continuity planning is also known as COOP
(Continuity of Operations Planning). A tool used is the business impact
assessment (BIA). BCP in the cloud is a partnership between providers and customers.
Business Continuity controls – Single Point of Failure (SPOF) analysis
HA High Availability – uses multiple systems to protect against service failure, such as
clustered web servers or HA firewall pairs
Fault Tolerance (FT) – makes a single system resilient against technical failures
The most common failures are power, storage and network. Power Distribution Units (PDUs).
RAID controllers. RAID 1 – disk mirroring; RAID 5 – disk striping with parity blocks.
RAID is a fault-tolerance technique, not a backup strategy.
Network Redundancy, NIC teaming, multiple internet service providers
Redundancy through diversity
Load Balancing – Spread demand across systems
Personnel Security – should be an important part of the foundation of any cybersecurity
program.
Insider Threat – employees pose a significant threat to enterprise security, known as the
“insider threat”. Example control: NDAs (non-disclosure agreements).
Social networking – social media can be a valuable business tool. Risks include hijacking of
a corporate account, or social engineering of an employee's account to gain
access to Facebook, Twitter, etc. Many organizations use social media management tools
such as…
Risk Analysis assessment and scope – risk assessment identifies and prioritizes risks.
Identify the scope of your risk assessment work in advance.
Threat – external force jeopardizing security – threat vectors are the specific methods
that threats use to exploit a vulnerability
Vulnerability – weaknesses in security controls
Risks – are the combination of a vulnerability and a corresponding threat.
Qualitative Risk Analysis – uses subjective ratings to evaluate risk likelihood and impact
Quantitative Risk Analysis – uses objective numeric ratings to evaluate risk likelihood and
impact
Asset Value AV
Exposure Factor EF
Single Loss Expectancy SLE
We compute SLE = AV x EF
ARO – Annualized Rate of Occurrence
MTTF Mean time to failure
MTTR Mean time to repair
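The quantitative risk figures listed above (AV, EF, SLE = AV x EF, ARO, MTTF, MTTR), carried through on constructed numbers as an added Python example that is not part of the original notes. It goes beyond the notes in two places, both labelled in the code: ALE = SLE x ARO, and the safeguard cost/benefit rule (ALE before) - (ALE after) - (annual cost of the safeguard); availability is derived from MTTF and MTTR as MTTF / (MTTF + MTTR). The web server scenario and its figures are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed in the notes' quantitative terms."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 - 1.0)
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, the loss from a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, expected loss per year (standard formula, not listed in the notes)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control: (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive means the control saves more than it costs (standard formula, not in the notes)."""
    return ale_before - ale_after - annual_cost


def availability(mttf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability from MTTF and MTTR: MTTF / (MTTF + MTTR)."""
    if mttf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTTF must be positive and MTTR non-negative")
    return mttf_hours / (mttf_hours + mttr_hours)


# Constructed figures for a hypothetical public web server (not from the notes).
WEB_SERVER = Scenario("public web server", asset_value=200_000.0,
                      exposure_factor=0.25, aro=0.5)
# The same scenario after a hypothetical control that limits the damage per incident.
WEB_SERVER_HARDENED = Scenario("public web server + WAF and tested backups",
                               asset_value=200_000.0, exposure_factor=0.05, aro=0.5)
CONTROL_ANNUAL_COST = 12_000.0  # constructed yearly cost of that control


if __name__ == "__main__":
    before, after = scenario_ale(WEB_SERVER), scenario_ale(WEB_SERVER_HARDENED)
    print(f"SLE before: {single_loss_expectancy(200_000.0, 0.25):,.0f}")
    print(f"ALE before: {before:,.0f}   ALE after: {after:,.0f}")
    print(f"safeguard value: {safeguard_value(before, after, CONTROL_ANNUAL_COST):,.0f}")
    print(f"availability (MTTF 8760 h, MTTR 24 h): {availability(8760, 24):.5f}")
```

With these constructed figures the control is cost-justified: it cuts ALE from 25,000 to 5,000 at a yearly cost of 12,000, leaving a positive value of 8,000.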
Risk Management/Treatment – this is a process of systematically analyzing potential
responses to each risk and implementing strategies to control those risks appropriately.
Risk Management Strategies – Risk avoidance, risk transference, risk mitigation, risk
acceptance
The org's risk appetite describes how much risk it is willing to accept.
Risk Appetites – 3 levels: expansionary (higher level of risk), neutral (moderate or balanced
risk), conservative (focus on stability and protecting assets)
Risk Threshold – the quantity of risk beyond which it is unacceptable
Risk Tolerance
Security Control selection and implementation – take securing your home as an
example of security controls: door locks, CCTV, burglar alarm, inside/outside detection of
human activity.
Defense in Depth – Multiple controls for one objective
Preventive Controls – stop a security issue from occurring in the first place
Detection Controls – identify that a potential security issue has taken place
Corrective Controls – Remediate security issues that have already occurred.
Technical Controls – implemented by technology; use technology to achieve
security control objectives.
Operational Controls – implemented by people! Use human-driven processes to manage
technology in a secure manner.
Management Controls – improve the security of the risk management process itself.
Continuous monitoring, measurement and tuning – maintaining ongoing
awareness of information security, vulnerabilities, and threats to support organizational
risk management decisions.
SIEMs assist with security data analytics and correlation.
Anomaly Analysis
Trend Analysis
Behavioral Analysis
Availability Analysis
Continuous Tuning
Risk management framework – provide proven, time-tested techniques.
NIST SP 800-37 – Risk management framework
Risk Visibility and reporting – techniques to document and track risks over time
Risk Register – Tracks risk information
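A small risk register that ties together the qualitative risk analysis, risk treatment strategies, risk threshold and risk register entries from the notes above, as an added Python example (not part of the original notes). The 3-level likelihood/impact scale, the score = likelihood x impact rule, the threshold value and the sample entries are all constructed; the rule that a risk scoring above the threshold cannot simply be accepted is an assumption modelled on the notes' definition of a risk threshold.

```python
from dataclasses import dataclass

# Constructed qualitative scale: ratings mapped to ordinal scores.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# The four risk treatment strategies listed in the notes.
STRATEGIES = {"avoidance", "transference", "mitigation", "acceptance"}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: str   # low / medium / high
    impact: str       # low / medium / high
    owner: str
    treatment: str = "undecided"

    @property
    def score(self) -> int:
        """Qualitative risk score = likelihood rating x impact rating (1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


class RiskRegister:
    """Tracks risks and enforces the organisation's risk threshold.

    `threshold` is the highest score the organisation will accept without
    treatment (assumption); anything above it is unacceptable and must be
    avoided, transferred or mitigated.
    """

    def __init__(self, threshold: int):
        self.threshold = threshold
        self._entries: dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.likelihood not in LEVELS or entry.impact not in LEVELS:
            raise ValueError(f"{entry.risk_id}: ratings must be one of {sorted(LEVELS)}")
        if entry.risk_id in self._entries:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._entries[entry.risk_id] = entry

    def prioritized(self) -> list[RiskEntry]:
        """Highest score first; ties broken by risk id for stable reporting."""
        return sorted(self._entries.values(), key=lambda e: (-e.score, e.risk_id))

    def above_threshold(self) -> list[RiskEntry]:
        return [e for e in self.prioritized() if e.score > self.threshold]

    def decide(self, risk_id: str, treatment: str) -> None:
        """Record a treatment; refuse to accept a risk that exceeds the threshold."""
        if treatment not in STRATEGIES:
            raise ValueError(f"unknown treatment {treatment!r}")
        entry = self._entries[risk_id]
        if treatment == "acceptance" and entry.score > self.threshold:
            raise ValueError(f"{risk_id} scores {entry.score} > threshold "
                             f"{self.threshold}; it cannot be accepted")
        entry.treatment = treatment

    def summary(self) -> dict[str, int]:
        """Count of risks per treatment, as used in internal reporting."""
        counts: dict[str, int] = {}
        for e in self._entries.values():
            counts[e.treatment] = counts.get(e.treatment, 0) + 1
        return counts


def build_sample_register() -> RiskRegister:
    """Constructed entries for a hypothetical organisation (not from the notes)."""
    reg = RiskRegister(threshold=4)
    reg.add(RiskEntry("R1", "Ransomware via phishing email", "high", "high", "CISO"))
    reg.add(RiskEntry("R2", "Cloud provider regional outage", "low", "high", "Head of IT"))
    reg.add(RiskEntry("R3", "Lost unencrypted laptop", "medium", "medium", "IT ops"))
    reg.add(RiskEntry("R4", "Website defacement", "medium", "low", "Web team"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for e in reg.prioritized():
        print(f"{e.risk_id} score={e.score} owner={e.owner} {e.description}")
    print("must be treated:", [e.risk_id for e in reg.above_threshold()])
    reg.decide("R1", "mitigation")
    reg.decide("R2", "transference")
    reg.decide("R4", "acceptance")
    print(reg.summary())
```

With threshold 4, only R1 (score 9) is above the threshold; R3 sits exactly on it and may be accepted, which is the distinction between a threshold and the appetite level around it.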
Threat Intelligence – shares risk information. TI may be used both strategically and
operationally
Internal reporting – provides updates to management on the status and effectiveness of
risk management activities
External reporting – meets requirements for providing information to regulators, investors,
customers and partners
Managing threat indicators – IOC (indicator of compromise): pieces of information that
describe risks; properties that describe a threat
CybOX Cyber Observable eXpression
STIX Structured threat information eXpression
TAXII Trusted Automated eXchange of Intelligence Information
OpenIOC – Mandiant threat framework
Intelligence Sharing – ISACs (information sharing and analysis centers), e.g. Aviation ISAC,
Communications ISAC.
Every business industry has at least one ISAC.
ISACs are non-profit organizations.
Threat Research – uses threat intelligence to get inside the minds of our adversaries
Reputational Threat Research – identify potentially malicious actors based upon their
use of IP addresses, email addresses, domains, etc. that were previously used in attacks.
Behavioral Threat Research – identify potentially malicious actors based upon the
similarity of their behaviors to those of past attackers
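The indicator handling described under "Managing threat indicators" and the reputational matching under "Reputational Threat Research", as an added Python example that is not part of the original notes: a tiny IOC set is matched against log lines from a firewall, a DNS resolver and an EDR agent. The indicator values and the log lines are constructed (documentation-reserved IP addresses, a `.invalid` domain, and a SHA-256 computed from a sample string rather than any real artefact); the log formats are invented for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed "known bad" hash: computed from a sample string, not a real malware hash.
SAMPLE_HASH = hashlib.sha256(b"constructed sample artefact").hexdigest()

# Constructed indicator set keyed by observable type.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"bad-example.invalid"},
    "sha256": {SAMPLE_HASH},
}

# Constructed log lines (invented formats) from three different sources.
LOG_LINES = [
    "2024-05-01T10:00:01Z fw deny src=203.0.113.45 dst=10.0.0.5 dport=445",
    "2024-05-01T10:00:02Z dns query client=10.0.0.7 name=updates.example.com",
    "2024-05-01T10:00:03Z dns query client=10.0.0.7 name=bad-example.invalid",
    f"2024-05-01T10:00:04Z edr file_hash={SAMPLE_HASH} path=C:\\Users\\x\\run.exe",
    "2024-05-01T10:00:05Z fw allow src=10.0.0.9 dst=198.51.100.20 dport=443",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_observables(line: str) -> dict[str, set[str]]:
    """Pull candidate IPv4 addresses, domain names and SHA-256 hashes out of one line."""
    ips = set(IPV4.findall(line))
    # The domain pattern also matches dotted IPs; keep only names containing a letter.
    domains = {d.lower() for d in DOMAIN.findall(line) if re.search(r"[a-z]", d, re.I)}
    hashes = {h.lower() for h in SHA256.findall(line)}
    return {"ip": ips, "domain": domains, "sha256": hashes}


def match_iocs(lines, iocs):
    """Return (line_number, kind, value) for every indicator hit; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = extract_observables(line)
        for kind, values in found.items():
            for value in sorted(values & iocs.get(kind, set())):
                hits.append((n, kind, value))
    return hits


def hits_by_kind(hits) -> dict[str, int]:
    """Summary for reporting: how many hits of each indicator type."""
    return dict(Counter(kind for _, kind, _ in hits))


if __name__ == "__main__":
    for n, kind, value in match_iocs(LOG_LINES, IOCS):
        print(f"line {n}: {kind} indicator matched -> {value}")
    print(hits_by_kind(match_iocs(LOG_LINES, IOCS)))
```

Normalising observables before comparison (lower-casing domains and hashes, filtering dotted IPs out of the domain matches) is what keeps a plain set intersection reliable; in practice the IOC set would be loaded from a STIX or OpenIOC feed rather than embedded as here.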
Identifying Threats – Threat modeling identifies and prioritizes threats.
Asset Focus – use the asset inventory as the basis for the analysis
Threat Focus – identify how specific threats may affect each information system
Service Focus – Identify the impact of various threats on a specific service
Automating Threat Intelligence – provides tremendous benefits
Incident response – Security Orchestration, Automation, and Response (SOAR) platforms
enhance SIEM capabilities
Managing Vendor Relationships – Vendors play a crucial role in the IT supply chain
Vendor Agreements MOU MOA BPA MSA SOW
SLRs, SLAs and other agreements
Vendor information management
Cloud Audits – SOC 1 report (Type I report, Type II report), SOC 2 report, SOC 3
report
Security Awareness training – Security Training, Security Awareness
Compliance training
User habits
Measuring compliance and security posture