This post serves as a review for domain 1 of the CISSP. This domain covers security and risk management.
Before we start, here is a list that will help you navigate through the different sections of this domain review.
- CIA Triad.
- Security Governance.
- Organizational Documents.
- Security Risk Management.
- Threat Modeling.
- Personnel Security.
- Awareness, Training, and Education.
- Legal Systems.
- Intellectual Property.
- Privacy Laws.
- Business Continuity and Disaster Recovery.
CIA Triad
The CIA Triad is a combination of three pillars that form the end goals of cybersecurity: Confidentiality, Integrity, and Availability.
- Confidentiality: Preventing unauthorized access to data. One way to help achieve this is by implementing proper access control measures and encrypting data when it is not in use (data at rest).
- Integrity: Ensuring that data is not altered, whether intentionally or accidentally. Hashing (message digests) can be used to detect alteration of data and so verify its integrity.
- Availability: Having information accessible to authorized individuals when needed. Measures such as redundancy, backups, and fault tolerance help ensure this.
When learning about the CIA Triad, you should also consider the opposite model, DAD (Disclosure, Alteration, and Denial). As a security professional, you should always seek to prevent DAD and achieve CIA.
Security Governance
In its general meaning, governance is the process that defines how decisions are made within an organization.
In the context of security, governance is the set of practices that management develops to guide and direct the security of an organization.
By means of effective security governance, a security manager should align security with the organization’s mission, goals, and objectives.
- Governance Committee: A group of personnel who determine how decisions should be made within an organization.
- Senior Management (also called C-level): This includes the CEO, CFO, COO, CIO, and so on.
- Security Manager: Responsible for advising senior management on security matters.
When exercising security governance practices, it is important for the security manager to consider, and distinguish between, two important concepts:
- Due Care: Addressing any risk as a reasonable person would, given the same set of facts; in short, doing the right thing (the prudent man rule).
- Due Diligence: Making sure that the right thing was done. Examples include performing audits and investigations.
Organizational Documents
The CISSP exam requires the candidate to be familiar with four important organizational documents: Policies, Standards, Procedures, and Guidelines. The properties and characteristics of each document are described below.
- Policies: These are high-level documents. They do not get into technical details, but they do need to include scope, purpose, responsibilities, and compliance. There are three types of policies: regulatory (mandatory), advisory, and informative.
- Standards: These documents should be tied directly to the organization’s policies. They contain requirements that are mandatory to follow.
- Procedures: They contain step-by-step instructions and are highly detailed, as opposed to policies. Procedures can be either mandatory or optional.
- Guidelines: These documents only contain recommendations and best practices, and so they are not mandatory. You should produce guidelines instead of procedures whenever flexibility is necessary, and whenever multiple methods may exist to achieve a certain task.
Security Risk Management
Assets contain vulnerabilities, threats exploit vulnerabilities, and risk exists when both a vulnerability and a threat are present.
Security Risk Management is the process of identifying, assessing, and treating these risks.
To be able to identify and assess risk, you should first identify valuable assets and the degree of their exposure. A security professional should always aim to reduce exposure.
There are two types of risk assessment methodologies:
- Quantitative:
  - SLE (Single Loss Expectancy) = Asset Value x Exposure Factor.
  - ALE (Annual Loss Expectancy) = SLE x ARO (Annual Rate of Occurrence).
  - If the ALE is less than the price of the mitigation control, then the risk can be accepted.
- Qualitative:
  - In this type, we rate the probability and impact of risks on a defined scale (for example, from 1 to 5, or low, medium, and high).
  - Used when the budget, time, and trained personnel needed for a quantitative assessment are not available.
After the assessment phase, the next step is to treat the resulting risk. There are four different types of risk treatment:
- Risk acceptance: Do nothing.
- Risk mitigation: Apply controls to reduce risk. These controls can be administrative, physical, or technical.
- Risk transfer: Transfer the risk to an external entity (Like insurance).
- Risk avoidance: Remove the thing that is creating the risk.
After implementing the proper controls to treat risk, we generally end up with a reduced risk called Residual Risk. Business owners can then accept this risk, or ask for another round of risk treatment to further reduce it.
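The following script is an added example (not part of the original post) that works through the quantitative formulas above (SLE = AV x EF, ALE = SLE x ARO, accept when ALE is below the control's cost), the qualitative 1-to-5 scale, and the residual-risk step on a small risk register. The register values, the `Risk` field names, and the low/medium/high bucket thresholds are constructed for illustration; the `control_net_value` function goes beyond the post's accept/mitigate rule by subtracting the residual ALE left after a control is applied.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One row of a risk register (hypothetical field names, not from the post)."""
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of the asset value lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year
    likelihood: int         # qualitative likelihood on a 1 to 5 scale
    impact: int             # qualitative impact on a 1 to 5 scale


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = Asset Value x Exposure Factor (the formula from the post)."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO (the formula from the post)."""
    if risk.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(risk) * risk.aro


def quantitative_decision(risk: Risk, annual_control_cost: float) -> str:
    """Apply the post's rule: if the ALE is below the yearly cost of the control,
    the risk can be accepted; otherwise mitigation is worth considering."""
    return "accept" if annual_loss_expectancy(risk) < annual_control_cost else "mitigate"


def control_net_value(risk: Risk, annual_control_cost: float,
                      ef_after: float, aro_after: float) -> float:
    """Residual-risk view (an extension of the post's rule): net value of a control =
    ALE before - ALE after - annual control cost. Positive means the control pays for itself."""
    residual = replace(risk, exposure_factor=ef_after, aro=aro_after)
    return (annual_loss_expectancy(risk)
            - annual_loss_expectancy(residual)
            - annual_control_cost)


def qualitative_rating(risk: Risk) -> str:
    """Score likelihood x impact on the post's 1-to-5 scale and bucket it into
    low / medium / high. The bucket thresholds are an assumption of this example."""
    for score in (risk.likelihood, risk.impact):
        if not 1 <= score <= 5:
            raise ValueError("qualitative scores must be integers from 1 to 5")
    product = risk.likelihood * risk.impact
    if product >= 15:
        return "high"
    if product >= 6:
        return "medium"
    return "low"


# Constructed sample register; the figures are illustrative, not real data.
REGISTER = [
    Risk("Customer database ransomware", 500_000, 0.6, 0.2, 4, 5),
    Risk("Lost unencrypted laptop", 20_000, 1.0, 0.5, 3, 2),
    Risk("Web server defacement", 50_000, 0.1, 1.0, 2, 1),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: SLE={single_loss_expectancy(r):,.0f} "
              f"ALE={annual_loss_expectancy(r):,.0f} rating={qualitative_rating(r)}")
    # A backup-and-recovery control for the database, assumed to cost 25,000 per
    # year and to cut EF to 0.3 and ARO to 0.05 (constructed figures).
    db = REGISTER[0]
    print("decision:", quantitative_decision(db, 25_000),
          "net value:", control_net_value(db, 25_000, 0.3, 0.05))
```

Running the script shows the database risk (ALE 60,000) is worth mitigating with a 25,000-per-year control, while the laptop risk (ALE 10,000) would be accepted against a 15,000 control; the net value figure is the number a business owner would weigh before accepting the residual risk.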
There are many frameworks that can guide you through the information security risk management process. Some examples: ISO 31000 (this covers organizational risk management in general, not just information security risk), ISO 27005, COSO, NIST SP 800-37, and ISACA Risk IT.
Threat Modeling
Threat modeling is an approach for identifying potential threats to a system, application, or process, and then providing security controls to mitigate these identified threats.
There are three types of threat modeling methodologies.
- System-centric: This focuses on the system to protect. STRIDE is an example of a system-centric methodology. STRIDE is actually an acronym that stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege.
- Attacker-centric: As its name implies, this second type focuses on the attackers. A famous attacker-centric methodology is PASTA (Process for Attack Simulation and Threat Analysis).
- Data-centric: This type focuses on protecting data within systems. NIST SP 800-154 is a guide to data-centric threat modeling that organizations can use.
Personnel Security
Humans are the weakest link that might compromise the security of an organization. Therefore, personnel security should be considered and incorporated into HR processes: hiring, on-boarding, employment, and termination.
Domain 1 of CISSP presents some considerations for each of these processes.
- Candidate screening and hiring:
  - Scope what skills are needed.
  - Background investigations: financial information, social media, criminal history, driving records, drug testing, prior employment.
  - Employment agreements and policies: NDA, acceptable use, conflict of interest (actual or potential), gift handling, mandatory vacations.
  - Interviewing: never interview a candidate alone.
- On-boarding: orientation, tribal knowledge.
- Employment: periodic investigations and screening.
- Termination: voluntary or involuntary.
In addition, to further reduce the risk of an insider threat, you should also consider the following security principles:
- Separation of Duties: Ensure one person does not act alone.
- Least Privilege: Only grant the necessary privileges for a person to perform their work, but no more.
- Need-to-Know: Information is shared with a person only if it is needed to do the work.
Awareness, Training, and Education
The CISSP exam requires the candidate to know the difference between awareness, training, and education.
- Awareness: Issue-specific. Generally for all employees. It helps them recognize security incidents.
- Training: Teaching specific skills to address known circumstances.
- Education: Developing a conceptual understanding of a Common Body of Knowledge.
CISSP certification holders agree to follow the (ISC)² Code of Ethics. This code includes 2 preambles and 4 mandatory canons:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Other standards for ethical conduct include:
- IAB (Internet Architecture Board) “Ethics and the Internet”.
- CEI (Computer Ethics Institute) “The Ten Commandments of Computer Ethics”.
Legal Systems
There are multiple systems of law, and an understanding of the following is required if you intend to sit for the CISSP exam.
- Common Law: This originated in England and is now used in the US, Canada, the UK, and others. Common law relies on precedent and particular cases.
- Civil Law: It relies on a legal code and is the most prevalent legal system in the world. This law provides impartial arbitration in civil cases such as contract disputes.
- Religious Law: This system of law is based on religion. Some countries derive their law from a religious source, but the extent and degree of this vary widely.
- Mixed Law: This system combines elements of the other legal systems.
Computer systems can be involved in crimes. Depending on the degree and type of their involvement, computer crimes fall into one of three categories:
- Computer-assisted crimes: The computer is used as a tool to commit or facilitate a crime.
- Computer as target: The crime is conducted against a computer system.
- Computer incidental: Computers only play a minor role in this category of crime.
Intellectual Property
People often confuse the different types of intellectual property. It is important to distinguish between four main types: Copyright, Patent, Trademark, and Trade Secret.
- Copyright: This protects the artistic expression of an idea. The protection duration varies, but it generally extends for at least 50 years after the author’s death.
- Patent: This protects the owner of an invention, process, or design for a designated period (generally 20 years). However, the owner must register the invention in order to benefit from patent protection.
- Trademark: A trademark must also be registered, and it can be renewed indefinitely as long as the organization is in business.
- Trade Secret: Contrary to the other types of intellectual property, trade secrets do not have to be registered, but they must be kept secret. Any disclosure might impact the business of the organization (e.g. the Coca-Cola recipe).
Intellectual property protection is enforced thanks to organizations and laws that exist both internationally and in the U.S. Examples include:
- WIPO: World Intellectual Property Organization.
- WTO: World Trade Organization.
- DMCA: Digital Millennium Copyright Act.
In addition to the above intellectual properties, it is important to differentiate between different types of software licenses: Freeware, Shareware (Trialware), Commercial Software, and Academic Software.
Privacy Laws
One important law that the CISSP candidate should be familiar with is the GDPR, or General Data Protection Regulation. This regulation protects the personal data of EU citizens even when it is processed outside the boundaries of the EU.
The GDPR defines three roles in relation to data: Data Controller, Data Processor, and Supervisory Authority.
- Data controller.
- Data processor.
- Supervisory authority.
The GDPR relies on a set of 6 privacy principles:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
If an organization fails to comply with the GDPR, it may incur fines in one of the two ranges below.
- Lower level: Up to 10 Million euros or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
- Upper level: Up to 20 Million euros or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
The OECD is the Organization for Economic Cooperation and Development, and it also presents a set of privacy principles.
- Collection Limitation.
- Data Quality.
- Purpose Specification.
- Use Limitation.
- Security Safeguards.
- Individual Participation.
In the US, there are multiple sector-specific privacy laws, but there is no general law as is the case in the EU.
- Federal Privacy Act: Applies to federal institutions.
- FTC Act: The Federal Trade Commission Act.
- GLBA: For Financial Institutions.
- FCRA: The Fair Credit Reporting Act.
- HIPAA: For medical and healthcare information.
- ECPA: The Electronic Communications Privacy Act (it details how the government may access electronic communications).
- GINA: Genetic Information Non-discrimination Act.
Business Continuity and Disaster Recovery
NIST SP 800-34 defines the process of planning for business continuity. This process consists of the following steps:
- Contingency planning.
- Business Impact Analysis (BIA):
  - Define CBFs: Critical Business Functions.
  - Measures of impact: MTD (Maximum Tolerable Downtime), RPO (Recovery Point Objective), and RTO (Recovery Time Objective); the RTO must be shorter than the MTD (RTO < MTD).
  - Identify dependencies.
- Identify preventive controls.
- Create contingency strategies.
- Develop the information systems contingency plan.
- Plan testing, training, and exercises.
- Plan maintenance.
It is important to note that failing to have a BCM policy violates the fiduciary standard of due care.
We have now gone through all concepts that are covered in domain 1 of the CISSP. If you notice that there is some important element that I have forgotten to mention in this review, please let me know in the comments below.