Bruce Wentz Wu

Source: The Basics of Supply Chain Risk Management

The six steps that comprise the RMF include:

1. System Categorization;
2. Security Control Selection;
3. Security Control Implementation;
4. Security Control Assessment;
5. System Authorization; and
6. Security Control Monitoring

• Information – (1) Facts or ideas, which can be represented (encoded) as various forms of data; (2) Knowledge (e.g., data, instructions) in any medium or form that can be communicated between system entities.
• Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.
• Security Controls – The management, operational, and technical controls (i.e.,
  safeguards or countermeasures) prescribed for a system to protect the confidentiality, availability, and integrity of the system and its information.
• A vulnerability is a weakness in a system, system security procedure, internal controls, or implementation that could be exploited by a threat source
• A threat event is an incident or situation that could potentially cause undesirable consequences or impacts.
• Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
• Because policy is written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, system administrators, and others a clearer approach to implementing policy and meeting organizational goals. Standards and guidelines specify technologies and methodologies to be used to secure systems. Procedures are yet more detailed steps to be followed to accomplish security-related tasks. Standards, guidelines, and procedures may be promulgated throughout an organization via handbooks, regulations, or manuals.
• Information assurance is the degree of confidence one has that security measures protect and defend information and systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
• Access is the ability to make use of any system resource.
• Access control is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
• An audit is an independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.
• An information security contingency is an event with the potential to disrupt system operations, thereby disrupting critical mission and business functions. Such an event could be a power outage, hardware failure, fire, or storm. Particularly destructive events are often referred to as “disasters.”
• A contingency plan is a management policy and procedure used to guide organizational response to a perceived loss of mission capability. The System Contingency Plan (SCP) is used by risk managers to determine what happened, why, and what to do. The SCP may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan (DRP) for major disruptions. Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization’s critical functions operational in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of system support throughout an organization.
• Incident handling is closely related to contingency planning. An incident handling capability may be viewed as a component of contingency planning because it allows for the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning specifically that responds to malicious technical threats.

Source:

• SoftExpert
• An Introduction to Information Security

IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500).

IT security governance should not be confused with IT security management. IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions.

Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.

NIST describes IT governance as the process of establishing and maintaining a framework

1. to provide assurance that information security strategies are aligned with and support business objectives, (alignment)
2. are consistent with applicable laws and regulations through adherence to policies and internal controls, (compliance)
3. and provide assignment of responsibility, all in an effort to manage risk. (accountability)

Enterprise security governance results from the duty of care owed by leadership towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care. The five general governance areas are:

1. Govern the operations of the organization and protect its critical assets
2. Protect the organization’s market share and stock price (perhaps not appropriate for education)
3. Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
4. Protect the reputation of the organization
5. Ensure compliance requirements are met

“Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business.”

Governance is doing the right thing, while management is doing things right.

The purpose of physical security is to protect against physical threats. The following physical threats are among the most common:

• fire and smoke, water (rising/ falling),
• earth movement (earthquakes, landslides, volcanoes),
• storms (wind, lightning, rain, snow, sleet, ice),
• sabotage/ vandalism,
• explosion/destruction,
• building collapse,
• toxic materials,
• utility loss (power, heating, cooling, air, water),
• equipment failure,
• theft,
• and personnel loss (strikes, illness, access, transport).

Security Engineering is a discipline to protect organizational assets with a solution of secure architectural design from being harmed by threats from attackers through vulnerabilities.

• Security
  • Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) from external forces.
• Engineering
  • Engineering is the creative application of science, mathematical methods, and empirical evidence to the innovation, design, construction, operation and maintenance of structures, machines, materials, devices, systems, processes, and organizations.
• Security Engineering
  • Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts.
• Design
  • Design is the creation of a plan or convention for the construction of an object, system or measurable human interaction (as in architectural blueprints, engineering drawings, business processes, circuit diagrams, and sewing patterns).

The (ISC)² CBK

• A CBK – sometimes simply called a Body of Knowledge – refers to a peer-developed compendium of what a competent professional in their respective field must know, including the skills, techniques and practices that are routinely employed.1
• The (ISC)² CBK is a collection of topics relevant to cybersecurity professionals around the world. It establishes a common framework of information security terms and principles which enables cybersecurity and IT/ICT professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding, taxonomy and lexicon.
• (ISC)² was established, in part, to aggregate, standardize and maintain the (ISC)² CBK for security professionals worldwide. Domains from the (ISC)² credentials are drawn from various topics within the (ISC)² CBK, which are used to assess a candidate’s level of mastery of the most critical aspects of information security.
• The (ISC)² CBK is updated annually by the (ISC)² CBK Committee to reflect the most current and relevant topics required to practice the profession.

Certification subject matter

From 15 April 2018, the CISSP curriculum is updated as follows:[10]

1. Security and Risk Management
   • Fundamentals
     • Clear defined goals
     • Know what to protect: at rest, in transit and while processing
     • Everything must be balanced: business needs vs CIA, accountability, and Assurance
     • Accountability: who did it, non-repudiation and legal consequences
     • Assurance: how do we know if our systems are secure and functioning as intended
   • The CIA Triad
     • Confidentiality
     • Availability
     • Integrity
   • Control Types
     • Physical
     • Technical
     • Administrative
   • Delaying, Preventing, and Detecting
   • Due Care and Due Diligence
     • Due Care: knowing what the right thing is, then doing what is right
     • Due Diligence:
2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management (IAM)
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

From 2015 to early 2018, the CISSP curriculum is divided into eight domains similar to the latest curriculum above.

Before 2015, it covered ten similar domains.