M-209 cipher machine.

CISSP Domain 1 — Security and Risk Management

References to ISO standards and NIST documents begin in this domain and continue throughout the rest of the domains. You need to compile a set of lists for your study guide, so we might as well start here.

As I always tell people: to be culturally aware, you should know that the Torah is the scripture of Judaism, the Quran is the scripture of Islam, the Vedas are the scripture of Hinduism, and so on. You don't have to actually read any of them to know that. Nor should you read any of these documents. Just be able to match their names or numbers to what they're about.

ISO Standards

ISO 15026 Systems and Software Engineering (less likely to appear)
ISO 15288 Systems and Software Engineering (less likely to appear)
ISO 17889 Defines cloud computing, like NIST plus NaaS or Network-as-a-Service.
ISO 27000 Not mentioned much, seems to be more or less a dictionary.
ISO 27001 Information Security Management System, defines what "secure" means.
ISO 27002 Guidance and best practices to make ISO 27001 happen.
ISO 27005 Information Security Risk Management.
ISO 31000 Risk Management — Principles and Guidelines.

NIST Documents

SP 800-37 Risk Management Framework
SP 800-53 Catalog of security and privacy controls (security toolkit)
SP 800-60 Guide to Mapping Types of Information and Information Systems to Security Categories (less likely to appear on test)
SP 800-63 How to do identity proofing and registration (less likely to appear on test)
SP 800-88 Guidelines for Media Sanitization
SP 800-160 System Security Engineering

FIPS

U.S. Government Federal Information Processing Standards.

FIPS 140-2 Certifies cryptographic software and hardware. Four levels of increasing security:
  1. FIPS 140-2 Level 1 = correct implementation
  2. FIPS 140-2 Level 2 = tamper-evident
  3. FIPS 140-2 Level 3 = tamper-resistant
  4. FIPS 140-2 Level 4 = automatic zeroizing, strongly tamper-resistant even in a sophisticated lab environment
FIPS 199 Categorizes U.S. federal information based on the impact of violations of its confidentiality, integrity, and availability.
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems

SCAP, OVAL, and STIGs

U.S. NIST created SCAP, a protocol plus a set of standards and nomenclature for testing and reporting on software vulnerabilities and configuration problems.

XCCDF and OVAL are reporting formats and languages.

CPE, CCE, CVE (and others) are enumerations defined by MITRE on behalf of the U.S. Government. CVSS and CCSS are related vulnerability scoring systems.

NVD or National Vulnerability Database is managed by NIST.

Other Standards and Documents and Groups

COBIT How to manage and document enterprise IT and IT security functions.
COSO Formed in response to dramatic and severe financial industry scandals in the U.S. in the 1980s, to address financial reporting irregularities and fraud.
CSA STAR A very self-important organization's list of cloud service providers with tiers:
  1. "We're secure because we did a questionnaire so trust us."
  2. Assessed by an external auditor certified by CSA.
  3. Continuously monitored, this tier has been promised vaporware since maybe 2015.
ENISA Network of network and information security expertise for the E.U., its member states, and its private sector and citizens.
ISACA Publishes the Risk IT framework, connects the strategic business perspective with IT management.
ITIL A service delivery set of best practices, focused on business goals.
ITU International Telecommunication Union — standardizes communication technologies.
Uptime Institute Certification for data centers, advice on their design.

Regulations

The (ISC)2 CCSP certification goes into further detail on these, including how strict the E.U. GDPR is. Several countries already had, or soon enacted, privacy laws at least as strict as GDPR, so E.U. data can easily be exported to them for processing: Australia, New Zealand, Argentina, Japan, Switzerland, and some others.

Hong Kong

APEC (or Asia-Pacific Economic Cooperation) is East Asian countries wanting to be secure enough to do business without getting in the way of the business itself. If you've seen Hong Kong business, from neon-lit glass towers to the night markets, this is easy to remember.

The OECD helps governments and organizations around the world improve economic and social well-being; it also balances privacy with profit.

Meanwhile, the U.S. continues to have absolutely no guarantee of privacy. Safe Harbor got no respect, its replacement Privacy Shield wasn't much better. U.S. companies manage to do international business with specific contract clauses promising E.U.-level protection.

FedRAMP U.S. federal requirement connected to FISMA, regulating the purchase and use of cloud and other managed IT services.
FISMA U.S. federal law applying only to Government agencies, requiring them to comply with NIST standards.
GDPR E.U. strict requirements for privacy, as international law.
GLBA U.S. federal law requiring banks to protect customer data.
HIPAA U.S. federal law about health-related personal information.
PIPEDA Canadian federal requirement to protect personal privacy.
Sarbanes-Oxley (Sarbox, SOX) U.S. federal requirements created in response to dramatic financial frauds in the 1990s.

Roles

A hospital provides a useful setting for examples:

Data Subject — the person to whom the sensitive data refers.
The patient.

Data Owner / Data Controller — the entity that collects or creates the sensitive information, legally accountable for its protection.
CEO or maybe board of directors of the hospital.
If you have to distinguish the two, the Controller has been assigned the accountability — the hospital owners have somehow made someone else accountable.

Data Processor — enters or manipulates or transforms or otherwise processes the sensitive data, on behalf of the owner / controller.
Contractor entering medical data, transcribing physician notes, submitting health insurance claims, etc.

Data Custodian — manages the data day-to-day on behalf of the owner / controller.
System administrators, database administrators, backup operators, and other IT staff at the hospital.

Data Steward — responsible for data content, context, and the associated business rules.
Not a required position, maybe a "data architect" for the hospital.

Due Diligence / Due Care

Due Diligence is investigation and planning carried out initially. It supports...

Due Care is an ongoing process maintaining what a well-informed, skilled, prudent person would do for their customer.

Quantitative Risk Analysis

This is elementary school analysis and math, dressed up with fancy terms and acronyms.

You have an asset that brings in $100,000 per year. A web site selling something, let's say.

A specific attack might take away 10% of that.

Given past experiences and current defenses, you estimate that the attack will probably happen once every 4 years, on average.

So, to quantitatively analyze that risk:

AV or the Asset Value is $100,000.

EF or the Exposure Factor is 10% or 0.1.

The SLE or Single Loss Expectancy is how much one successful attack costs. It's the total value times the fraction lost, duh.
SLE = AV × EF
SLE = $100,000 × 0.1
SLE = $10,000

The ARO or Annual Rate of Occurrence is the number of times it's expected to happen in a typical year. Once every four years means 0.25 per year.

The ALE or Annual Loss Expectancy is, duh, how many times it's expected to happen in a year times how much each event costs.
ALE = SLE × ARO
ALE = $10,000 × 0.25
ALE = $2,500

Then, make sure that defenses don't cost more than that per year. Don't spend a dollar to save a nickel.
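The same arithmetic as a few small functions, an added example rather than anything from the original page. It runs the page's own numbers (AV $100,000, EF 10%, one attack every 4 years) and then goes one step further than the page: it compares the ALE with and without a hypothetical safeguard against that safeguard's annual cost, which is the "don't spend a dollar to save a nickel" test in numbers. The safeguard costs and the "once every 10 years" figure are constructed for illustration.

```python
# Added example: quantitative risk analysis (SLE, ARO, ALE) plus the
# standard safeguard cost/benefit comparison. Not from the original page.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: what one successful attack costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO: 'once every N years' expressed as events per year."""
    if years_between_events <= 0:
        raise ValueError("years between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss in a typical year."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: (ALE before - ALE after) - its annual cost.
    Positive: it pays for itself. Negative: a dollar spent to save a nickel."""
    return (ale_before - ale_after) - annual_cost


# The page's scenario: a web site earning $100,000/yr, an attack removes 10%
# of that, expected once every 4 years.
AV = 100_000
EF = 0.1
ARO = annualized_rate_of_occurrence(4)        # 0.25 per year
SLE = single_loss_expectancy(AV, EF)          # $10,000 per event
ALE = annualized_loss_expectancy(SLE, ARO)    # $2,500 per year

# Hypothetical safeguards (constructed numbers, not from the page): each
# stretches the interval between successful attacks to once every 10 years,
# one costs $1,000/yr and the other $3,000/yr.
ALE_WITH_CONTROL = annualized_loss_expectancy(SLE, annualized_rate_of_occurrence(10))  # $1,000
CHEAP_CONTROL = safeguard_value(ALE, ALE_WITH_CONTROL, 1_000)    # +$500: worth buying
PRICEY_CONTROL = safeguard_value(ALE, ALE_WITH_CONTROL, 3_000)   # -$1,500: costs more than it saves

if __name__ == "__main__":
    print(f"SLE=${SLE:,.0f}  ARO={ARO}  ALE=${ALE:,.0f}")
    print(f"cheap control net value ${CHEAP_CONTROL:,.0f}, pricey control ${PRICEY_CONTROL:,.0f}")
```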

STRIDE

It's a contrived acronym:
Spoofing identity,
Tampering with data,
Repudiation,
Information disclosure,
Denial of service,
Elevation of privilege

OCTAVE

From CMU, for viewing overall risk across an organization — less likely to appear on test.

DLP vs DRM

DRM protects intellectual property.
You can't watch this movie.

DLP protects secrets.
This document can't leave headquarters.

Education, Training, Awareness

Education Formal classes, usually at an accredited academic institution.
Training 1-to-5 day courses presented by subject matter experts, usually working for for-profit training providers.
Awareness Informal, short, to remind and encourage employees.

Government Examples

Visiting
Estonia