Top BSIMM Activities

  1. Ensure host and network security basics are in place
  2. Implement life cycle governance
  3. Review security features
  4. Use external penetration testers to find problems
  5. Identify personally identifiable information (PII) obligations
  6. Perform security feature review
  7. Create or interface with incident response
  8. Ensure QA performs edge/boundary value condition testing
  9. Integrate and deliver security features
  10. Identify software defects found in operations monitoring and feed them back to development
  11. Use automated tools along with manual review
  12. Feed results to the defect management and mitigation system


CISSP-ISSEP Preparation

NIST SP 800-160 V1 and ISO 15288

ISSEP is a concentration exam of the CISSP. It is not that hard, but it is intimidating because of the limited number of exam prep materials. The following official sources are crucial.


  1. ISSEP Certification Exam Outline
  2. ISSEP CBK Suggested References


  • IATF is obsolete.
  • NIST SP 800-160 volumes 1 & 2
  • INCOSE System Engineering Handbook
  • NIST SP 800-37 (RMF)
  • NIST SP 800-161 (Supply Chain Risk Management)
  • PMI PMBOK (Free for PMI members)
  • The ISSEP CBK book is outdated but good to have

Data Governance for Regulation

Regarding security within data governance, the European Union’s General Data Protection Regulation (GDPR) and Markets in Financial Instruments Directive II (MiFID II) are applicable, as is US 31 USC 310, a regulation addressing data in the context of financial crimes.

On a broader scale, the US Dodd-Frank Act addresses record-keeping transparency. The US Comprehensive Capital Analysis and Review (CCAR) framework addresses data quality and management. In Europe, MiFID II addresses data collection processes, while Basel III contains data governance provisions within the context of risk management and capital adequacy concerns.

In China, the China Banking and Insurance Regulatory Commission (CBIRC) issued guidelines in May 2018 that include provisions for financial firms, assigning responsibility for setting up data governance systems, data quality control and related incentive and accountability systems.

Although MiFID II, Basel III and the BCBS 239 rules addressing risk data aggregation come from Europe, they do influence compliance throughout Asia and globally. In addition, the International Financial Reporting Standards (IFRS) created by the International Accounting Standards Board (IASB) set classification and accounting rules that can figure into data governance. Any firm forming its governance framework should be aware of these provisions.

So, with a good handle on data governance traits and rules, firms may also deploy enterprise data management (EDM) and master data management (MDM) systems as a means to carry out the provisions made in data governance. These systems scrub, enrich and curate data, to standardize how data is defined and produce metadata that helps implement data governance frameworks, with integrity, accountability and security.

With knowledge of the elements of data governance, both as part of a firm’s native efforts and its compliance requirements, management will be better equipped to do business in the markets and lower their operational and regulatory risk.

Source: GoldenSource

PI-shaped CISSP

CISSP is a PI journey that transforms a technical mindset into a business one, a wide plane supported by two pillars: technology and management.

Credit: Marian Sigler

T-shaped, M-shaped, PI-shaped, or Comb-shaped? No matter which shape you are, any of them is a good path for your professional career.

Source: People Centre
Source: Ben M Roberts

Due Diligence (DD) and Due Care (DC)

Due Diligence (DD) is more specific than Due Care (DC) because DD has explicit “standards,” while DC is implicit and relies on a judge’s inner conviction per the prudent man rule.

Due Diligence (DD)

“Investigation” is a generally accepted “standard” of DD across industries. Some laws or regulations may define the standard of DD in certain subject domains. For example, the US regulation, 16 CFR § 682.3, defines the DD standard for the proper disposal of consumer information.

Generally speaking, DD emphasizes investigation as a preventive/proactive measure, establishing and maintaining the management system (policies, standards, procedures, controls, etc.) and ensuring its effectiveness.

Due Care (DC)

DC focuses on exercising best effort and reasonable care to conduct activities and take preventive, detective, corrective, or recovery actions. However, it is not easy to measure the degree of effort exercised under DC. That’s why a defendant in court has to justify to the judge that he or she has exercised “due care.”

DD and DC

It’s common for CISSP aspirants to use the following mnemonics:

  • DD: Do Detect
  • DC: Do Correct

Ethics as Priority Cybersecurity Topic

I really love this old textbook, Ethics and the Conduct of Business by John R. Boatright! 

Cybersecurity education is now promoted in high schools in Taiwan. Students are learning the basic concepts of cybersecurity and red team and blue team things. I seriously think our Cybersecurity 101 should start with “ETHICS.”

The new CISSP exam outline has done an excellent job by moving ethics to the very first topic!!

The new CISSP Exam Outline, effective on May 1st.

Investigation Types

An investigation is the collection and analysis of evidence for specific purposes.

Administrative Investigation

  • Administrative investigation means an internal investigation of alleged misconduct by an employee. (Law Insider)
  • Administrative Investigations are conducted by local management, local Personnel Representatives and/or Employee Relations in response to complaints or concerns that generally are personnel related and non-criminal in nature. For example, an administrative investigation may be initiated in response to any of the following conditions or allegations.
    – A grievance or complaint
    – Property misuse/damage/theft
    – Misconduct
    – Prohibited harassment or discrimination
    – Threatening, intimidating, or violent behavior
    – Violation of university policies, rules and/or standards of conduct, or
    – Violation of law. (NC State University)

Civil Investigation

  • A civil investigation uncovers and assembles evidence necessary for a civil trial.
    A civil trial is a type of court case involving two individual citizens who disagree on an issue that relates to their rights as citizens. For example, if one person sues another for damages caused by a domestic accident, the case will likely be conducted as a civil trial. Civil investigators are responsible for gathering the evidence essential to such a trial. (PI Now)
  • When civil matters occur, it is the responsibility of each party to properly prepare to defend its position whether going to trial or trying to settle outside of court. Civil cases are disputes between two parties where one party or both parties failed to fulfill an agreement, service, or uphold their legal obligation. (Global Intelligence Consultants)

Regulatory Investigation

  • Regulatory investigation means a formal hearing, official investigation, examination, inquiry, legal action or any other similar proceeding initiated by a governmental, regulatory, law enforcement, professional or statutory body against you. (Law Insider)

Criminal Investigation

  • Criminal investigation is an applied science that involves the study of facts that are then used to inform criminal trials. (Wikipedia)
  • Applied to the criminal realm, a criminal investigation refers to the process of collecting information (or evidence) about a crime in order to:
    (1) determine if a crime has been committed;
    (2) identify the perpetrator;
    (3) apprehend the perpetrator; and
    (4) provide evidence to support a conviction in court. (JRank)

Investigation Standards, Guidelines, and Protocols

  1. WHO – Investigation Protocol
  2. CHS Alliance – Guidelines for Investigations
  3. Ombudsman Western Australia – Guidelines on Conducting Investigations
  4. Uniform Guidelines for Investigations
  5. The Australian Government Investigations Standards (AGIS)
  6. UNHCR Investigation Resource Manual
  7. ISO/IEC 27043:2015 — Information technology — Security techniques — Incident investigation principles and processes
  8. ISO/IEC 27041:2015 — Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method
  9. Accident and incident investigation (ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018)


Happy Lunar New Year!

Happy New Year! Ox’s Coming!

Today is the last day of the “mouse” year! The coming one is the Ox, a year of hard work.
I hope you enjoy your CISSP journey and get it done soon!

Best regards,


Today is New Year’s Eve, the last day of the lunar Year of the Rat. Tomorrow we enter the Year of the Ox, a good time to work hard while the global economy slows because of the pandemic and to prepare for the next opportunity! I wish everyone good health and happy studying!!