7/23/2019 CISSP - 1 Information Security & Risk Management
http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 1/60
CISSP (Certified Information Systems Security Professional)
Kelly Handerhan, Subject Matter Expert
kellyhanderhan@gmail.com
CASP, CISSP, PMP
The 10 Domains of CISSP
CISSP Course Syllabus
Chapter 1: Information Security Governance and Risk Management
Chapter 2: Operations Security
Chapter 3: Cryptography
Chapter 4: Access Control
Chapter 5: Physical Security
Chapter 6: Telecommunications
Chapter 7: Legal, Ethics and Investigations
Chapter 8: Software Development Security
Chapter 9: Business Continuity and Disaster Recovery Planning
Chapter 10: Security Architecture and Design
Exam Specifics
250 Questions (25 are “beta” and are not graded)
6 hours to complete the exam
You can mark questions for review
You will be provided with 1 “wipe” board (8x11) and a pen. Materials: you will also have access to an on-screen calculator.
Many test centers provide earplugs or noise cancelling headphones. Call your center ahead of time to verify.
Questions are weighted (Remember: security transcends technology)
The CISSP Mindset
>our +ole is a +is" &d*isor
7o B-2 f Problems
ho is res!onsible or securityD
Ho6 much security is enou$hD
&ll decisions start 6ith ris" mana$ement% +is"
mana$ement starts 6ith Identiyin$Faluatin$ yourassets%
<Security 2ranscends 2echnolo$y=
Physical saety is al6ays the frst choice
2echnical ;uestions are or Mana$ers% Mana$ement?uestions are or technicians
Incor!orate security into the desi$n, as o!!osed toaddin$ it on later
4ayered 7eenseG
Test Taking Tips
If you haven't already, SCHEDULE THE TEST!!!
Start with the question mark. Often the beginning of the scenario is a distraction.
Choose an answer for EVERY question. Even those you mark for review, just in case you run out of time.
Be cautious about changing answers. Your first instinct is often right. Trust yourself and your knowledge and what we do in class. Don't second guess!
Take Breaks as needed. Plan on 50 questions per hour.
Information Security and Risk Management
Agenda
Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Certification, Accreditation and Auditing
Knowledge Transfer
Well Known Exploits
The Role of Information Security Within an Organization
First priority is to support the mission of the organization
Requires judgment based on risk tolerance of organization, cost and benefit
Role of the security professional is that of a risk advisor, not a decision maker.
Planning Horizon
Strategic Goals
Over-arching - supported by tactical goals and operational
Tactical Goals
Mid-Term - lay the necessary foundation to accomplish Strategic Goals
Operational Goals
Day-to-day - focus on productivity and task-oriented activities
Security Fundamentals
C-I-A Triad
Confidentiality
Integrity
Availability
Confidentiality
Prevent unauthorized disclosure
Social Engineering: Training, Separation of Duties, Enforce Policies and Conduct Vulnerability Assessments
Media Reuse: Proper Sanitization Strategies
Eavesdropping: Encrypt; Keep sensitive information off the network
Integrity
Detect modification of information
Corruption, Intentional or Malicious Modification
Message Digest (Hash)
MAC
Digital Signatures
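The difference between the first two integrity controls on this slide is easiest to see in code. The following is an added example, not from the original deck: it uses a constructed message and a constructed shared key, and shows that an unkeyed digest catches accidental corruption but not a deliberate modification whose digest was simply recomputed, whereas a keyed MAC (HMAC-SHA256 here) catches both.

```python
"""Integrity controls from the slide: a message digest detects accidental
corruption; a MAC (keyed) also detects deliberate modification by anyone
who does not hold the key. Added example, not part of the original deck."""
import hashlib
import hmac
import os

# Constructed sample message and shared key (not from the original page).
MESSAGE = b"Transfer 100.00 to account 12345"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def digest(data: bytes) -> str:
    """Unkeyed message digest: anyone can recompute it for any data."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """Keyed MAC: only holders of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def digest_verifies(data: bytes, expected_digest: str) -> bool:
    return hmac.compare_digest(digest(data), expected_digest)


def mac_verifies(data: bytes, key: bytes, expected_tag: str) -> bool:
    # compare_digest is a constant-time comparison, the right way to check tags
    return hmac.compare_digest(mac(data, key), expected_tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulates random corruption in transit: one bit flipped."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def corruption_caught_by_digest() -> bool:
    """Random corruption changes the hash, so the sender's digest no longer matches."""
    sent_digest = digest(MESSAGE)
    received = flip_bit(MESSAGE, 9)
    return not digest_verifies(received, sent_digest)


def modification_caught_by_digest() -> bool:
    """Deliberate modification: whoever changed the message can recompute the
    plain digest, so the receiver's check passes and nothing is detected."""
    altered = MESSAGE.replace(b"100.00", b"900.00")
    recomputed_digest = digest(altered)
    return not digest_verifies(altered, recomputed_digest)  # False: not caught


def modification_caught_by_mac() -> bool:
    """Same modification with a MAC: without SHARED_KEY no valid tag can be
    produced, so the receiver's check fails and the change is detected."""
    altered = MESSAGE.replace(b"100.00", b"900.00")
    tag_without_key = mac(altered, os.urandom(32))
    return not mac_verifies(altered, SHARED_KEY, tag_without_key)  # True: caught
```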
Availability
Provide Timely and reliable access to resources
Redundancy, redundancy, redundancy
Prevent single point of failure
Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc)
Best Practices (to protect C-I-A)
Separation of Duties (SOD)
Mandatory Vacations
Job rotation
Least privilege
Need to know
Dual control
Defense in Depth
Also Known as layered Defense
No One Device will PREVENT an attacker
Three main types of controls:
Technical (Logical)
Administrative
Physical
Risk
Every decision starts with looking at risk
Determine the value of your assets
Look to identify the potential for loss
Find a cost effective solution to reduce risk to an acceptable level (rarely can we eliminate risk)
Safeguards are proactive; Countermeasures are reactive
Risk Definitions
Asset: Anything of Value to the company
Vulnerability: A weakness; the absence of a safeguard
Threat: Something that could pose loss to all or part of an asset
Threat Agent: What carries out the attack
Exploit: An instance of compromise
Risk: The probability of a threat materializing
Controls: Physical, Administrative, and Technical Protections (Safeguards, Countermeasures)
Sources of Risk
Weak or non-existing anti-virus software
Disgruntled employees
Poor physical security
Weak access control
No change management
No formal process for hardening systems
Lack of redundancy
Poorly trained users
Risk Management
Processes of identifying, analyzing, assessing, mitigating, or transferring risk. Its main goal is the reduction of probability or impact of a risk.
Summary topic that includes all risk-related actions
Includes Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring
Risk Management
Risk Assessment
    Identify and Valuate Assets
    Identify Threats and Vulnerabilities
Risk Analysis
    Qualitative
    Quantitative
Risk Mitigation/Response
    Reduce / Avoid
    Transfer
    Accept / Reject
Ongoing Risk Monitoring
Risk Assessment
Looks at risks for a specific period in time and must be reassessed periodically
Risk Management is an ongoing process
The following steps are part of a Risk Assessment per NIST 800-30:
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact analysis
Risk determination
Control Recommendation
Results Documentation
Risk Analysis
Determining a value for a risk
Qualitative vs. Quantitative
Risk Value is Probability x Impact
Probability: How likely is the threat to materialize?
Impact: How much damage will there be if it does?
Could also be referred to as likelihood and severity.
Risk Analysis
Qualitative Analysis (subjective, judgment-based): Probability and Impact Matrix
Quantitative Analysis (objective, numbers driven):
AV (Asset Value)
EF (Exposure Factor)
ARO (Annual Rate of Occurrence)
SLE (Single Loss Expectancy) = AV x EF
ALE (Annual Loss Expectancy) = SLE x ARO
Cost of control should be the same or less than the potential for loss
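The quantitative figures above, carried through on a constructed scenario, as an added worked example that is not from the original deck. The risk event, the two candidate controls and all dollar figures are assumptions; the rule applied is the slide's own: a control is justified only when its cost does not exceed the loss it removes.

```python
"""Quantitative risk analysis as defined on the slide:
SLE = AV x EF, ALE = SLE x ARO, and cost of control <= potential for loss.
Added example; the scenario and figures are constructed, not from the page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    annual_rate: float      # ARO, expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Assumed effect of the control once applied: it may lower EF, ARO or both.
    new_exposure_factor: float
    new_annual_rate: float


def ale_after(event: RiskEvent, control: Control) -> float:
    """ALE of the same event once the control is in place."""
    reduced = RiskEvent(event.name, event.asset_value,
                        control.new_exposure_factor, control.new_annual_rate)
    return reduced.ale()


def loss_avoided(event: RiskEvent, control: Control) -> float:
    """Potential for loss removed by the control, per year."""
    return event.ale() - ale_after(event, control)


def annual_benefit(event: RiskEvent, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return loss_avoided(event, control) - control.annual_cost


def control_is_justified(event: RiskEvent, control: Control) -> bool:
    """Slide rule: cost of control should be the same or less than the potential for loss."""
    return control.annual_cost <= loss_avoided(event, control)


# Constructed scenario: a file server worth $200,000, a ransomware event that
# destroys half of it (EF 0.5) about once every five years (ARO 0.2).
SERVER_OUTAGE = RiskEvent("file server loss to ransomware",
                          asset_value=200_000.0, exposure_factor=0.5, annual_rate=0.2)
# Two constructed controls: one cheap, one far more expensive than the risk warrants.
OFFLINE_BACKUPS = Control("offline backups", annual_cost=8_000.0,
                          new_exposure_factor=0.1, new_annual_rate=0.2)
HOT_SITE = Control("full hot-site replication", annual_cost=45_000.0,
                   new_exposure_factor=0.02, new_annual_rate=0.2)

if __name__ == "__main__":
    print(f"SLE ${SERVER_OUTAGE.sle():,.0f}, ALE ${SERVER_OUTAGE.ale():,.0f}")
    for control in (OFFLINE_BACKUPS, HOT_SITE):
        print(f"{control.name}: ALE after ${ale_after(SERVER_OUTAGE, control):,.0f}, "
              f"annual benefit ${annual_benefit(SERVER_OUTAGE, control):,.0f}, "
              f"justified={control_is_justified(SERVER_OUTAGE, control)}")
```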
Qualitative Analysis
Subjective in Nature
Uses words like “high”, “medium”, “low” to describe likelihood and severity (or probability and impact) of a threat exposing a vulnerability
Delphi technique is often used to solicit objective opinions
Quantitative Analysis
More experience required than with Qualitative
Involves calculations to determine a dollar value associated with each risk event
Business Decisions are made on this type of analysis
Goal is to determine the dollar value of a risk and use that amount to determine what the best control is for a particular asset
Necessary for a cost/benefit analysis
Mitigating Risk
Three Acceptable Risk Responses: Reduce, Transfer, Accept
Secondary Risks
Residual Risks
Continue to monitor for risks
How we decide to mitigate business risks becomes the basis for Security Governance and Policy
Security Governance
The IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition, defines Security governance as follows:
“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”
Security Blueprints for achieving “Security Governance”
BS 7799, ISO 17799, and 27000 Series
COBIT and COSO
OCTAVE
ITIL
COBIT and COSO
COBIT (Control Objectives for Information and related Technology)
COSO (Committee of Sponsoring Organizations)
ITIL
Information Technology Infrastructure Library (ITIL) is the de facto standard for best practices for IT service management
5 Service Management Publications:
Strategy, Design, Transition, Operation, Continual Improvement
**While the Publications of ITIL are not testable, its purpose and comprehensive approach are testable. It provides best practices for organization and the means in which to implement those practices
BS 7799, ISO 17799, 27000 Series
BS 7799-1, BS 7799-2
Absorbed by ISO 17799
Renamed ISO 27002 to fit into the ISO numbering standard
ISO 27000 Series
ISO 27001: Establishment, Implementation, Control and improvement of the ISMS. Follows the PDCA (Plan, Do, Check, Act)
ISO 27002: Replaced ISO 17799. Provides practical advice for how to implement security controls. Uses 10 domains to address ISMS.
ISO 27004: Provides Metrics for measuring the success of ISMS
ISO 27005: A standards based approach to risk management
ISO 27799: Directives on protecting personal health information
The Plan Do Check Act (PDCA) Model
[Figure: PDCA model. Input: INTERESTED PARTIES, Information Security Requirements and Expectations. Output: INTERESTED PARTIES, Managed Information Security.]
Approach to Security Management
Top-Down Approach: Security practices are directed and supported at the senior management level
Bottom-Up Approach: The IT department tries to implement security
[Figure: two organizational pyramids (Senior Management, Middle Management, Staff), one for the top-down approach and one for the bottom-up approach.]
Information Security Management Program
Senior management's Involvement
Governance
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLA's (Service Level Agreements), Outsourcing
Data Classification
Security C&A (Certification and Accreditation)
Auditing
Senior Management Role
CEO, CSO, CIO, etc
Ultimately responsible for Security within an organization
Development and Support of Policies
Allocation of Resources
Decisions based on Risk
Prioritization of business processes
Liabilities
Legal liability is an important consideration for risk assessment and analysis. Addresses whether or not a company is responsible for specific actions or inaction.
Who is responsible for the security within an organization? Senior management
Are we liable in the instance of a loss?
Due diligence: Continuously monitoring an organization's practices to ensure they are meeting/exceeding the security requirements.
Due care: Ensuring that “best practices” are implemented and followed. Following up Due Diligence with action.
Prudent man rule: Acting responsibly and cautiously as a prudent man would
Best practices: Organizations are aligned with the favored practices within an industry
Organizational Security Policy, aka Program Policy
Mandatory
High level statement from management
Should support strategic goals of an organization
Explain any legislation or industry specific drivers
Assigns responsibility
Should be integrated into all business functions
Enforcement and Accountability
Issue and System Specific Policy
Issue Specific policy, sometimes called Functional Implementation policy, would include the company's stance on various employee issues. AUP, Email, Privacy would all be covered under issue specific
System Specific policy is geared toward the use of network and system resources. Approved software lists, use of firewalls, IDS, Scanners, etc
Other Types of Policies
Regulatory
Advisory
Informative
Security Policy Document Relationships
[Figure: policy document hierarchy, top to bottom:
Laws, Regulations and Best Practices (Drivers)
Program or Organizational Policy (Management's Security Statement)
Functional (Issue and System Specific) Policies (Management's Security Directives)
Standards, Procedures, Baselines, Guidelines]
Standards
Mandatory
Created to support policy, while providing more specifics.
Reinforces policy and provides direction
Can be internal or external
Procedures
Mandatory
Step by step directives on how to accomplish an end-result.
Detail the “how-to” of meeting the policy, standards and guidelines
Guidelines
Not Mandatory
Suggestive in Nature
Recommended actions and guides to users
“Best Practices”
Baselines
Mandatory
Minimum acceptable security configuration for a system or process
The purpose of security classification is to determine and assign the necessary baseline configuration to protect the data
Personnel Security Policies (examples)
Hiring Practices and Procedures
Background Checks/Screening
NDA's
Employee Handbooks
Formal Job Descriptions
Accountability
Termination
Roles and Responsibilities
Senior/Executive Management:
CEO: Chief Decision-Maker
CFO: Responsible for budgeting and finances
CIO: Ensures technology supports company's objectives
ISO: Risk Analysis and Mitigation
Steering Committee: Define risks, objectives and approaches
Auditors: Evaluate business processes
Data Owner: Classifies Data
Data Custodian: Day to day maintenance of data
Network Administrator: Ensures availability of network resources
Security Administrator: Responsible for all security-related tasks, focusing on Confidentiality and Integrity
Responsibilities of the ISO
Responsible for providing C-I-A for all information assets.
Communication of Risks to Senior Management
Recommend best practices to influence policies, standards, procedures, guidelines
Establish security measurements
Ensure compliance with government and industry regulations
Maintain awareness of emerging threats
Auditing Role
Objective Evaluation of controls and policies to ensure that they are being implemented and are effective.
If internal auditing is in place, auditors should not report to the head of a business unit, but rather to legal or human resources--some other entity without direct stake in the result
Data Classification
Development of sensitivity labels for data and the assignment of those labels for the purpose of configuring baseline security based on value of data
Cost: Value of the Data
Classify: Criteria for Classification
Controls: Determining the baseline security configuration for each
Considerations for Asset Valuation
What makes up the value of an asset?
Value to the organization
Loss if compromised
Legislative drivers
Liabilities
Value to competitors
Acquisition costs
And many others
Assessment
Identify and Valuate Assets
Identify Threats and Vulnerabilities
Methodologies:
OCTAVE: an approach where analysts identify assets and their criticality, identify vulnerabilities and threats and base the protection strategy on reducing risk
FRAP: Facilitated Risk Analysis Process. Qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis is foregone.
NIST 800-30: Risk Management Guide for Information Technology Systems
Risk Analysis
Qualitative: Subjective analysis to help prioritize probability and impact of risk events. May use Delphi Technique
Quantitative: Providing a dollar value to a particular risk event. Much more sophisticated in nature, a quantitative analysis is much more difficult and requires a special skill set
Business decisions are made on a quantitative analysis
Can't exist on its own. Quantitative analysis depends on qualitative information
Knowledge Transfer
Awareness, Training, Education
“People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely and education in security measures and practices are of critical importance for the success of an organization's security program.”
The Goal of Knowledge Transfer is to modify employee behavior
Being Aware of the Rules
Security Awareness Training
Employees cannot and will not follow the directives and procedures if they do not know about them
Employees must know expectations and ramifications if not met
Employee recognition award program
Part of due care
Administrative control
Awareness/Training/Education Benefits
Overriding Benefits
Modifies employee behavior and improves attitudes towards information security
Increases ability to hold employees accountable for their actions
Raises collective security awareness level of the organization
Awareness/Training/Education Implementation
Basic security training should be required for all employees.
Advanced training may be needed for managers.
Specialized training is necessary for system administrators and information systems auditors.
Specialized training is normally delivered through external programs.
Should be regarded as part of career development.
Information Security Governance and Risk Management Review
Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Certification, Accreditation and Auditing
Knowledge Transfer