~ Philippians (3:14)
- Ensure host and network security basics are in place
- Implement life cycle governance
- Review security features
- Use external penetration testers to find problems
- Identify personally identifiable information (PII) obligations
- Perform security feature review
- Create or interface with incident response
- Ensure QA performs edge/boundary value condition testing
- Integrate and deliver security features
- Identify software defects found in operations monitoring and feed them back to development
- Use automated tools along with manual review
- Feed results to the defect management and mitigation system
ISSEP is a concentration exam of CISSP. It is not that hard, but it is intimidating because of the limited number of exam prep materials. The following official sources are crucial.
ISSEP CBK SUGGESTED REFERENCES
- IATF is obsolete.
- NIST SP 800-160 volumes 1 & 2
- INCOSE System Engineering Handbook
- NIST SP 800-37 (RMF)
- NIST SP 800-161 (Supply Chain Risk Management)
- PMI PMBOK (Free for PMI members)
- The ISSEP CBK book is outdated but good to have
Regarding security within data governance, the European Union’s General Data Protection Regulation (GDPR) and Markets in Financial Instruments Directive II (MiFID II) are applicable, as is US 31 USC 310, a regulation addressing data in the context of financial crimes.
On a broader scale, the US Dodd-Frank Act addresses record-keeping transparency. The US Comprehensive Capital Analysis and Review (CCAR) framework addresses data quality and management. In Europe, MiFID II addresses data collection processes, while Basel III contains data governance provisions within the context of risk management and capital adequacy concerns.
In China, the China Banking and Insurance Regulatory Commission (CBIRC) issued guidelines in May 2018 that include provisions for financial firms, assigning responsibility for setting up data governance systems, data quality control, and related incentive and accountability systems.
Although MiFID II, Basel III and the BCBS 239 rules addressing risk data aggregation come from Europe, they do influence compliance throughout Asia and globally. In addition, the International Financial Reporting Standard (IFRS) created by the International Accounting Standards Board (IASB) sets classification and accounting rules that can figure into data governance. Any firm forming their governance framework should be aware of these provisions.
So, with a good handle on data governance traits and rules, firms may also deploy enterprise data management (EDM) and master data management (MDM) systems as a means to carry out the provisions made in data governance. These systems scrub, enrich and curate data, to standardize how data is defined and produce metadata that helps implement data governance frameworks, with integrity, accountability and security.
With knowledge of the elements of data governance, both as part of a firm’s native efforts and its compliance requirements, management will be better equipped to do business in the markets and lower their operational and regulatory risk.
- Data governance
- What is Data Governance?
- What is data governance and why does it matter?
- A Guide to Data Governance for Privacy, Confidentiality, and Compliance
- Enterprise Information Management: Best Practices in Data Governance
- How to Create a Data Governance Plan to Gain Control of Your Data Assets
- What is data governance? A best practices framework for managing data assets
- Data Governance Definition, Challenges & Best Practices
- What is Data Governance (and Why Do You Need It)?
- DATA GOVERNANCE – WHAT, WHY, HOW, WHO & 15 BEST PRACTICES
~ Wentz Wu
Thanks to all the experts in the community for their generous guidance and sharing over these past days, which let me pass the CISSP exam last week (2/3). I have organized my journey as lessons learned to share and exchange with everyone. Thank you~~
CISSP is a PI-shaped (π) journey that transforms a technical mindset into a business one: a wide plane supported by two pillars, technology and management.
T-shaped, M-shaped, PI-shaped, or Comb-shaped? No matter which shape you are, either one is a good path to your professional career.
Due Diligence (DD) is more specific than Due Care (DC) because DD has explicit “standards,” while DC is implicit and relies on a judge’s inner conviction per the prudent man rule.
Due Diligence (DD)
“Investigation” is a generally accepted “standard” of DD across industries. Some laws or regulations may define the standard of DD in certain subject domains. For example, the US regulation, 16 CFR § 682.3, defines the DD standard for the proper disposal of consumer information.
Generally speaking, DD emphasizes investigation as a preventive/proactive measure, establishing and maintaining the management system (policies, standards, procedures, controls, etc.) and ensuring its effectiveness.
Due Care (DC)
DC focuses on exercising best effort and reasonable care to conduct activities and take preventive, detective, corrective, or recovery actions. However, it is not easy to measure the degree of effort that DC requires. That is why a defendant in court has to demonstrate to the judge that he or she has exercised “due care.”
DD and DC
It’s common for CISSP aspirants to use the following mnemonics:
- DD: Do Detect
- DC: Do Correct
I really love this old textbook, Ethics and the Conduct of Business by John R. Boatright!
Cybersecurity education is now promoted in high schools in Taiwan. Students are learning the basic concepts of cybersecurity, including red team and blue team topics. I seriously believe our Cybersecurity 101 should start with “ETHICS.”
The new CISSP exam outline has done an excellent job by moving ethics to the very first topic!!
An investigation is the collection and analysis of evidence for specific purposes.
- Administrative investigation means an internal investigation of alleged misconduct by an employee. (Law Insider)
- Administrative Investigations are conducted by local management, local Personnel Representatives and/or Employee Relations in response to complaints or concerns that generally are personnel related and non-criminal in nature. For example, an administrative investigation may be initiated in response to any of the following conditions or allegations:
  - A grievance or complaint
  - Property misuse/damage/theft
  - Prohibited harassment or discrimination
  - Threatening, intimidating, or violent behavior
  - Violation of university policies, rules and/or standards of conduct, or
  - Violation of law. (NC State University)
- A civil investigation uncovers and assembles evidence necessary for a civil trial.
A civil trial is a type of court case involving two individual citizens who disagree on an issue that relates to their rights as citizens. For example, if one person sues another for damages caused by a domestic accident, the case will likely be conducted as a civil trial. Civil investigators are responsible for gathering the evidence essential to such a trial. (PI Now)
- When civil matters occur, it is the responsibility of each party to properly prepare to defend its position whether going to trial or trying to settle outside of court. Civil cases are disputes between two parties where one party or both parties failed to fulfill an agreement, service, or uphold their legal obligation. (Global Intelligence Consultants)
- Regulatory investigation means a formal hearing, official investigation, examination, inquiry, legal action or any other similar proceeding initiated by a governmental, regulatory, law enforcement, professional or statutory body against you. (Law Insider)
- Criminal investigation is an applied science that involves the study of facts that are then used to inform criminal trials. (Wikipedia)
- Applied to the criminal realm, a criminal investigation refers to the process of collecting information (or evidence) about a crime in order to:
  (1) determine if a crime has been committed;
  (2) identify the perpetrator;
  (3) apprehend the perpetrator; and
  (4) provide evidence to support a conviction in court. (JRank)
Investigation Standards, Guidelines, and Protocols
- WHO – Investigation Protocol
- CHS Alliance – Guidelines for Investigations
- Ombudsman Western Australia – Guidelines on Conducting Investigations
- Uniform Guidelines for Investigations
- The Australian Government Investigations Standards (AGIS)
- UNHCR Investigation Resource Manual
- ISO/IEC 27043:2015 — Information technology — Security techniques — Incident investigation principles and processes
- ISO/IEC 27041:2015 — Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method
- Accident and incident investigation (ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018)
Happy New Year! Ox’s Coming!
Today is the last day of the “mouse” year! The coming one is the Ox, a year of hard work.
I hope you enjoy your CISSP journey and get it done soon!
Today is Lunar New Year’s Eve, the last day of the Year of the Rat. Tomorrow we enter the Year of the Ox, a good time to work diligently while the global economy slows down due to the pandemic and to prepare for the next opportunity! Wishing everyone good health and happy studying!!