DOMAIN 3: Information Security Governance and Risk Management # 3.01
CISSPills Table of Contents
- Security Core Principles
- A-I-C Triad
- Balanced Security
- Security Definitions
- Security Definitions – Key Terms
- Control Types
- The Onion Approach (Defense-in-depth)
- Control Functionalities
- Control Functionalities – Incident-Time Standpoint
- Information Security Management System (ISMS)
- Enterprise Architecture
- Enterprise Security Architecture
- ISMS vs. Enterprise Security Architecture
Security Core Principles
Information Security aims to protect assets by assuring:
- Availability
- Integrity
- Confidentiality
This is known as the A-I-C triad (elsewhere also known as the C-I-A triad).
A-I-C Triad
- Availability
It aims at ensuring reliable and timely access to data and resources for authorized users. Assets have to be accessible to authorized people whenever, and in the way, they are expected to be.
- Integrity
It aims at preventing unauthorized modifications of information. It assures the accuracy and reliability of the data. Integrity can be affected by mistake or maliciously.
- Confidentiality
It aims at ensuring a proper level of secrecy by preventing unauthorized disclosure of information. Data have to be protected both when they are stored (data at rest) and while they are transmitted (data in transit).
Balanced Security
Different systems have different priorities in terms of the requirements to meet: an e-commerce company needs its website to be available all the time, an engineering company needs confidentiality in order to protect its intellectual property, while a bank needs to assure integrity in order to prevent fraud.
A good security strategy should rely on controls addressing all the principles that make up the A-I-C triad, so that comprehensive protection is provided.
Security Definitions
Controls can eliminate exposures and risks, but not the threat agent.
[Diagram: relationships among threat agent, threat, vulnerability, exposure, risk, control and asset; edge labels: exploits, poses, can damage, counteracts, directly affects, characterized by, triggers]
Security Definitions – Key Terms
- Threat Agent: entity willing to exploit a vulnerability;
- Threat: the potential risk related to the exploitation of a vulnerability;
- Vulnerability: weakness affecting an asset;
- Exposure: the consequence of an exploited vulnerability that exposes the organization to a threat;
- Risk: the probability that a vulnerability is exploited and the associated impact;
- Control: a countermeasure implemented in order to reduce the risk.
Control Types
- Administrative (NIST: Management)
Management-oriented controls (e.g. policies, documentation, training, risk management, etc.).
- Technical (NIST: Logical)
Hardware and software solutions (e.g. firewalls, multi-factor authentication, encryption, etc.).
- Physical (NIST: Operational)
Physical safeguards aimed at protecting first and foremost personnel, and then facilities and resources (e.g. CCTV, guards, fences, etc.).
The Onion Approach (Defense-in-depth)
Just like the layers of an onion surround the core of the vegetable, the security controls put in place to protect an asset have to ‘embrace’ it, following a layered approach and acting in a coordinated fashion.
Each layer represents a security mechanism which ‘encompasses’ both the controls below it and the asset. In this way, even if an attacker breaches one layer, the asset is not compromised because the other layers are still protecting it.
The more critical the asset is, the more layers of protection are implemented.
Control Functionalities
Controls can be administrative, technical or physical. They can also be further categorized based on the kind of protection they offer. Controls can fall into seven categories:
- Directive: guidelines and rules that users (internal and external) must follow in order to access systems and data;
- Deterrent: controls intended to discourage malicious users from performing attacks;
- Preventive: controls intended to prevent an incident from occurring;
- Detective: controls intended to detect an incident after it has occurred;
- Corrective: controls put in place once the incident has occurred in order to limit the damage or solve the issue;
- Recovery: controls put in place to bring the systems back to regular operations;
- Compensating: controls intended as an alternative to other controls that cannot be put in place because of affordability or business requirements.
Control Functionalities – Incident-Time Standpoint
[Diagram: the control functionalities placed on a timeline, before and after the incident]
Information Security Management System (ISMS)
An ISMS (also known as a Security Program) is a technology-independent framework composed of physical, logical and administrative controls, as well as people and processes, that work together in order to provide the organization with an adequate level of protection.
The goal of a Security Program is to build a holistic approach to the management of Information Security.
The most widely adopted ISMS framework is the ISO/IEC 27001 series, which describes how to build and maintain an effective Security Program.
Enterprise Architecture
Organizations can be very complex entities, made up of several processes and elements that work jointly; adding security controls to an organization therefore requires a deep analysis of how these controls would impact the organizational flows.
An Enterprise Architecture (EA) framework is a conceptual model which, through a modular representation, eases the understanding of complex systems (like organizations).
EAs are fundamental during the implementation of security services because they take into account the environment, the business needs and the relationships within the organization. The advantages of using an EA are:
- Splitting a complex model into smaller blocks that are easier to understand;
- Providing different “views” of the same organization, so that people with different roles can access information presented in a way that they can understand and that makes sense to them;
- Providing an all-round view of the organization that makes it possible to understand how a change would impact the other elements which compose the organization.
Enterprise Security Architecture
An Enterprise Security Architecture (ESA) is a subset of an Enterprise Architecture that makes it possible to implement a security strategy (composed of solutions, processes and procedures) within an organization.
It is a comprehensive and rigorous method which takes into account how security ties into the organization, and describes the structure and the behaviour of the elements that compose an ISMS.
The main reason for adopting an ESA is to ensure that the security strategy the organization is going to implement integrates properly into the different organizational processes.
ISMS vs. Enterprise Security Architecture
An ISMS (Security Program) specifies the controls to implement (risk management, vulnerability management, auditing, etc.) and provides guidance on how these controls should be maintained. Basically, it specifies what to put in place in order to manage security holistically and how to manage the components once implemented.
An Enterprise Security Architecture describes how to integrate the security components into the different elements of the organization. An ESA makes it possible to take a generic framework, like the ISO/IEC 27001 series, and implement it in the organization's own specific environment, thanks to a model which describes the components of the organization and their interactions.
That’s all Folks!
We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at: cisspills <at> outlook <dot> com
More resources:
- Stay tuned for the next issues;
- Join ”CISSP Study Group Italia” if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on Contact Details
CISSPills #3.01