DOMAIN 3: Information Security Governance and Risk Management
CISSPills #3.01
CISSPills Table of Contents
- Security Core Principles
- A-I-C Triad
- Balanced Security
- Security Definitions
- Security Definitions – Key Terms
- Control Types
- The Onion Approach (Defense-in-depth)
- Control Functionalities
- Control Functionalities – Incident-Time Standpoint
- Information Security Management System (ISMS)
- Enterprise Architecture
- Enterprise Security Architecture
- ISMS vs. Enterprise Security Architecture
Security Core Principles
Information Security aims to protect assets by assuring:
- Availability
- Integrity
- Confidentiality
This is known as the A-I-C triad (elsewhere also known as the C-I-A triad).
A-I-C Triad
- Availability
It aims at ensuring reliable and timely access to data and resources for authorized users. Assets have to be accessible to authorized people whenever, and in the way, they are expected to be.
- Integrity
It aims at preventing unauthorized modifications of information. It assures the accuracy and reliability of the data. Integrity can be affected by mistake or maliciously.
- Confidentiality
It aims at ensuring a proper level of secrecy by preventing unauthorized disclosure of information. Data have to be protected both when they are stored (data at rest) and while they are transmitted.
Balanced Security
Different systems have different priorities in terms of the requirements to meet: an e-commerce company needs its website to be available all the time, an engineering company needs confidentiality in order to protect its Intellectual Property, while a bank needs to assure integrity in order to prevent fraud.
A good security strategy should rely on controls that address all the principles that make up the A-I-C triad, so that comprehensive protection is provided.
Security Definitions
Controls can eliminate exposures and risks, but not the threat agent.
[Diagram: relationships among threat agent, threat, vulnerability, risk, asset, exposure and control; the edges are labelled "exploits", "poses", "can damage", "counteracts", "directly affects", "characterized by" and "triggers".]
Security Definitions – Key Terms
- Threat Agent: an entity willing to exploit a vulnerability;
- Threat: the potential risk related to the exploitation of a vulnerability;
- Vulnerability: a weakness affecting an asset;
- Exposure: the consequence of an exploited vulnerability that exposes the organization to a threat;
- Risk: the probability that a vulnerability is exploited and the associated impact;
- Control: a countermeasure implemented in order to reduce the risk.
Control Types
- Administrative (NIST: Management)
Management-oriented controls (e.g. policies, documentation, training, risk management, etc.).
- Technical (NIST: Logical)
Hardware and software solutions (e.g. firewalls, multi-factor authentication, encryption, etc.).
- Physical (NIST: Operational)
Physical safeguards aimed at protecting first the personnel and then facilities and resources (e.g. CCTV, guards, fences, etc.).
The Onion Approach (Defense-in-depth)
Just as the layers of an onion enclose its core, the security controls put in place to protect an asset have to 'embrace' it, following a layered approach and acting in a coordinated fashion.
Each layer is a security mechanism that 'encompasses' both the controls below it and the asset. In this way, even if an attacker breaches one layer, the asset is not compromised because other layers are still protecting it.
The more critical the asset is, the more layers of protection are implemented.
Control Functionalities
Controls can be administrative, technical or physical. They can also be categorized further based on the protection they offer. Controls fall into seven categories:
- Directive: guidelines and rules that users (internal and external) must follow in order to access systems and data;
- Deterrent: controls intended to discourage malicious users from performing attacks;
- Preventive: controls intended to stop an incident from occurring;
- Detective: controls intended to detect an incident after it has occurred;
- Corrective: controls put in place once the incident has occurred in order to limit the damage or solve the issue;
- Recovery: controls put in place to bring the systems back to regular operations;
- Compensating: controls intended as an alternative to other controls that cannot be put in place because of affordability or business requirements.
Control Functionalities – Incident-Time Standpoint
[Diagram: the control functionalities laid out on a time axis, before and after the incident.]
Information Security Management System (ISMS)
An ISMS (also known as a Security Program) is a technology-independent framework composed of physical, logical and administrative controls, as well as people and processes, that work together in order to provide the organization with an adequate level of protection.
The goal of a Security Program is to build a holistic approach to the management of information security.
The most widely adopted ISMS framework is the ISO/IEC 27001 series, which describes how to build and maintain an effective Security Program.
Enterprise Architecture
Organizations can be very complex entities, made up of several processes and elements that work jointly, so adding security controls to an organization requires a deep analysis of how these controls would impact the organizational flows.
An Enterprise Architecture (EA) framework is a conceptual model which, through a modular representation, makes complex systems (such as organizations) easier to understand.
EAs are fundamental during the implementation of security services because they take into account the environment, the business needs and the relationships within the organization. The advantages of using an EA are:
- Splitting a complex model into smaller blocks that are easier to understand;
- Providing different "views" of the same organization, so that people with different roles can access information presented in a way that they can understand and that makes sense to them;
- Providing an all-round view of the organization that makes it possible to understand how a change would impact the other elements which compose the organization.
Enterprise Security Architecture
An Enterprise Security Architecture (ESA) is a subset of an Enterprise Architecture that makes it possible to implement a security strategy (composed of solutions, processes and procedures) within an organization.
It is a comprehensive and rigorous method which takes into account how security ties in to the organization, and describes the structure and the behaviour of the elements that compose an ISMS.
The main reason for adopting an ESA is to assure that the security strategy the organization is going to implement integrates properly with the organization's processes. By adopting an ESA, it is possible to properly integrate security into the different organizational processes.
ISMS vs. Enterprise Security Architecture
An ISMS (Security Program) specifies the controls to implement (risk management, vulnerability management, auditing, etc.) and provides guidance about how these controls should be maintained. Basically, it specifies what to put in place in order to manage security holistically, and how to manage the components once implemented.
An Enterprise Security Architecture describes how to integrate the security components into the different elements of the organization. An ESA makes it possible to take a generic framework, like the ISO/IEC 27001 series, and implement it in the organization's own specific environment, thanks to a model which describes the components of the organization and their interactions.
That's all Folks!
We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources:
- Stay tuned for the next issues;
- Join "CISSP Study Group Italia" if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on: Contact Details
