Domain 1 — Security and Risk Management
References to ISO standards and NIST documents begin in this domain and continue throughout the rest of the domains. You need to compile a set of lists for your study guide, so we might as well start here.
As I always tell people: to be culturally aware, you should know that the Torah is the scripture of Judaism, the Quran is the scripture of Islam, the Vedas are the scriptures of Hinduism, and so on. You don't have to actually read any of them to know that. The same goes for these standards: you don't need to read them for the exam. Just be able to match their names or numbers to what they're about.
|ISO 15026||Systems and Software Engineering: systems and software assurance (less likely to appear)|
|ISO 15288||Systems and Software Engineering: system life cycle processes (less likely to appear)|
|ISO 17788||Cloud computing overview and vocabulary. Defines cloud computing much as NIST SP 800-145 does, but adds service categories such as NaaS or Network-as-a-Service.|
|ISO 27000||Overview and vocabulary for the 27000 family; more or less the dictionary for the others.|
|ISO 27001||Requirements for an Information Security Management System (ISMS). This is the one an organization can be certified against.|
|ISO 27002||Code of practice: guidance and best practices for the controls used to implement ISO 27001.|
|ISO 27005||Information Security Risk Management.|
|ISO 31000||Risk Management — Principles and Guidelines.|
|SP 800-37||Risk Management Framework (RMF) for information systems.|
|SP 800-53||Catalog of security and privacy controls (the security toolkit).|
|SP 800-60||Guide for Mapping Types of Information and Information Systems to Security Categories (less likely to appear on test)|
|SP 800-63||Digital Identity Guidelines: identity proofing and registration, authentication, and federation (less likely to appear on test)|
|SP 800-88||Guidelines for Media Sanitization|
|SP 800-160||Systems Security Engineering|
U.S. Government Federal Information Processing Standards.
|FIPS 140-2||Validates cryptographic modules, both software and hardware, at four levels of increasing security: Level 1 (basic; approved algorithms only), Level 2 (tamper-evidence and role-based authentication), Level 3 (tamper-resistance with zeroization of keys, identity-based authentication), Level 4 (protection against environmental attacks such as voltage and temperature manipulation). FIPS 140-3 has since replaced it, keeping the same four-level structure.|
|FIPS 199||Categorizes U.S. federal information and systems as low, moderate, or high impact, based on the harm from a loss of confidentiality, integrity, or availability.|
|FIPS 200||Minimum Security Requirements for Federal Information and Federal Information Systems; it points to SP 800-53 for the actual controls.|
SCAP, OVAL, and STIGs
U.S. NIST created SCAP, the Security Content Automation Protocol: a suite of specifications, standards, and nomenclature for automated testing and reporting on software vulnerabilities and configuration problems.
XCCDF (a checklist and benchmark language) and OVAL (a language for describing and testing machine state) are the SCAP formats used to express checks and report results. DISA's STIGs, the hardening baselines for U.S. DoD systems, are commonly published in those formats so scanners can apply them automatically.
CPE (platforms), CCE (configuration settings), CVE (vulnerabilities), and other enumerations were defined by MITRE on behalf of the U.S. Government. CVSS, maintained by FIRST, scores vulnerabilities; CCSS is the related NIST scoring system for configuration weaknesses.
NVD or the National Vulnerability Database, managed by NIST, is the repository of CVE entries enriched with CVSS scores and CPE mappings.
Other Standards and Documents and Groups
|COBIT||ISACA's framework for how to govern, manage, and document enterprise IT and IT security functions.|
|COSO||Formed in response to dramatic and severe financial industry scandals in the U.S. in the 1980s, to address financial reporting irregularities and fraud. Publishes an internal control framework.|
|CSA STAR||The Cloud Security Alliance's public registry of cloud service providers, with tiers: Level 1 self-assessment (the CAIQ questionnaire), Level 2 third-party audit or certification, Level 3 continuous monitoring.|
|ENISA||E.U. agency for cybersecurity: a network of network and information security expertise for the E.U., its member states, and its private sector and citizens.|
|ISACA||Publishes COBIT and the RISK IT framework, which connects the strategic business perspective with IT risk management.|
|ITIL||A set of best practices for IT service delivery and management, focused on business goals.|
|ITU||International Telecommunication Union, which standardizes communication technologies.|
|Uptime Institute||Certification for data centers (Tier I through Tier IV), and advice on their design.|
The (ISC)2 CCSP certification goes into further detail on these. That includes how strict the E.U. GDPR is. Several countries already had, or soon enacted, privacy laws that the European Commission has judged adequate, so E.U. personal data can be transferred to them for processing without extra safeguards: Argentina, Canada (for commercial organizations), Israel, Japan, New Zealand, Switzerland, Uruguay, and some others.
APEC (the Asia-Pacific Economic Cooperation) is a group of Pacific Rim economies that want data handling to be trustworthy enough to do business across borders without getting in the way of the business itself; its Privacy Framework and Cross-Border Privacy Rules (CBPR) system are the mechanism. If you've seen Hong Kong business, from neon-lit glass towers to the night markets, this is easy to remember.
The OECD helps governments and organizations around the world improve economic and social well-being; its privacy guidelines try to balance privacy with the free flow of data that commerce needs.
Meanwhile, the U.S. still has no comprehensive federal privacy law. Safe Harbor was struck down by the E.U. Court of Justice in 2015 (Schrems I), and its replacement, Privacy Shield, was struck down in 2020 (Schrems II). U.S. companies manage to do international business with Standard Contractual Clauses and similar contract terms promising E.U.-level protection.
|FedRAMP||U.S. federal program, tied to FISMA, that standardizes the security assessment and authorization of cloud services purchased and used by federal agencies.|
|FISMA||U.S. federal law applying to federal agencies (and the contractors and systems operating on their behalf), requiring them to follow NIST standards.|
|GDPR||E.U. regulation with strict requirements for privacy; it applies to any organization, anywhere, that processes the personal data of people in the E.U.|
|GLBA||U.S. federal law requiring financial institutions (banks and others) to protect customer data and disclose how they share it.|
|HIPAA||U.S. federal law about health-related personal information (protected health information, or PHI).|
|PIPEDA||Canadian federal law requiring private-sector organizations to protect personal information.|
|U.S. federal requirements created in response to dramatic financial frauds in the 1990s.|
A hospital provides a useful setting for examples:
Data Subject: the person to whom the sensitive data refers. A patient.
Data Owner / Data Controller: the entity that collects or creates the sensitive information and is legally accountable for its protection. The hospital itself, represented by the CEO or maybe the board of directors. If you have to distinguish the two, "owner" is the internal classification role (the executive accountable for a data set and its classification), and "controller" is the legal term, used by GDPR, for the organization that decides why and how personal data is processed. For the hospital these are normally the same people.
Data Processor: enters, manipulates, transforms, or otherwise processes the sensitive data on behalf of the owner / controller. A contractor entering medical data, transcribing physician notes, submitting health insurance claims, etc.
Data Custodian: manages the data day-to-day on behalf of the owner / controller. System administrators, database administrators, backup operators, and other IT staff at the hospital.
Data Steward: responsible for data content, context, and the associated business rules. Not a required position; maybe a "data architect" for the hospital.
Due Diligence / Due Care
Due Diligence is the investigation and planning done up front: learning the risks, the laws and regulations that apply, and the available controls before acting.
Due Care is the ongoing practice of acting on that knowledge, maintaining what a well-informed, skilled, prudent person would do for their customer. Diligence is knowing; care is doing.
Quantitative Risk Analysis
This is elementary school math, dressed up with fancy terms and acronyms.
You have an asset that brings in $100,000 per year. A web site selling something, let's say.
A specific attack might take away 10% of that.
Given past experiences and current defenses, you estimate that the attack will happen once every 4 years, on average.
So, to quantitatively analyze that risk:
AV or the Asset Value is $100,000.
EF or the Exposure Factor is 10% or 0.1: the fraction of the asset's value lost in one event.
The SLE or Single Loss Expectancy is how much one successful attack costs: the asset's total value times the fraction lost.
SLE = AV × EF
SLE = $100,000 × 0.1
SLE = $10,000
The ARO or Annualized Rate of Occurrence is the number of times it's expected to happen in a typical year. Once every four years means 0.25 per year.
The ALE or Annualized Loss Expectancy is how many times it's expected to happen in a year times how much each event costs.
ALE = SLE × ARO
ALE = $10,000 × 0.25
ALE = $2,500
Then make sure that defenses don't cost more than that per year. Don't spend a dollar to save a nickel. The exam phrases this as the value of a safeguard: ALE before the safeguard, minus ALE after it, minus the safeguard's annual cost. If that comes out negative, the safeguard isn't worth buying.
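Here is the arithmetic above carried through in code, as an added example that is not part of the original study notes. It applies the SLE and ALE formulas to the web site from the text and then goes one step further than the text does, scoring several candidate safeguards by (ALE before) minus (ALE after) minus (annual cost of the control) and picking the best one. The three safeguards, their names, costs, and the new exposure factors and rates they produce are all made up for illustration.

```python
# Added example (not from the original study notes): the quantitative risk
# formulas from this section, applied to choosing between safeguards.
# All asset values, exposure factors, rates, and safeguard costs below are
# constructed for illustration.
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and how it changes the risk parameters.

    A control can lower the exposure factor (less damage per event),
    lower the ARO (fewer successful events), or both. annual_cost is its
    yearly cost: purchase price amortized over its lifetime plus operation.
    """
    name: str
    annual_cost: float
    new_exposure_factor: float
    new_aro: float


def safeguard_value(asset_value: float, exposure_factor: float, aro: float,
                    sg: Safeguard) -> float:
    """Cost/benefit of a safeguard: ALE_before - ALE_after - annual cost.

    Positive means the control saves more per year than it costs.
    """
    before = ale(asset_value, exposure_factor, aro)
    after = ale(asset_value, sg.new_exposure_factor, sg.new_aro)
    return before - after - sg.annual_cost


def best_safeguard(asset_value: float, exposure_factor: float, aro: float,
                   candidates: list):
    """Return (safeguard, value) with the highest positive value, or None
    if no candidate is worth its cost (i.e. accept the risk instead)."""
    scored = [(sg, safeguard_value(asset_value, exposure_factor, aro, sg))
              for sg in candidates]
    worthwhile = [(sg, v) for sg, v in scored if v > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda pair: pair[1])


# The web site from the text: AV = $100,000, EF = 0.1, ARO = 0.25.
AV, EF, ARO = 100_000.0, 0.10, 0.25

# Three hypothetical controls (names and numbers are made up).
CANDIDATES = [
    # A WAF that cuts successful attacks from one per 4 years to one per 20.
    Safeguard("web application firewall", annual_cost=1_500.0,
              new_exposure_factor=0.10, new_aro=0.05),
    # Better backups: same frequency, but each event costs 2% instead of 10%.
    Safeguard("hourly backups + tested restore", annual_cost=800.0,
              new_exposure_factor=0.02, new_aro=0.25),
    # A gold-plated option that costs more per year than the whole risk.
    Safeguard("24x7 outsourced SOC", annual_cost=30_000.0,
              new_exposure_factor=0.01, new_aro=0.01),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(AV, EF):,.2f}")
    print(f"ALE = ${ale(AV, EF, ARO):,.2f}")
    for sg in CANDIDATES:
        print(f"{sg.name}: value ${safeguard_value(AV, EF, ARO, sg):,.2f}/year")
    choice = best_safeguard(AV, EF, ARO, CANDIDATES)
    print("pick:", choice[0].name if choice else "nothing; accept the risk")
```

The backups win here even though the WAF prevents more attacks, because the value formula is about money per year, not about how impressive the control is. The SOC option drives the residual risk nearly to zero and is still the wrong answer, which is exactly the "dollar to save a nickel" trap the exam likes.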
STRIDE
It's a contrived acronym for Microsoft's threat categories:
Spoofing identity,
Tampering with data,
Repudiation,
Information disclosure,
Denial of service,
Elevation of privilege
From CMU, for viewing overall risk across an organization — less likely to appear on test.
DLP vs DRM
DRM protects intellectual property.
You can't watch this movie.
DLP protects secrets.
This document can't leave headquarters.
Education, Training, Awareness
|Education||Formal classes, usually at an accredited academic institution.|
|Training||1-to-5 day courses presented by subject matter experts, usually working for for-profit training providers.|
|Awareness||Informal, short, to remind and encourage employees.|