Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house, while portions of the solution will be outsourced to an external software vendor. The project team is evaluating software outsourcing candidates. As a security professional, which of the following is the least concern?
A. The financial history
B. Foreign ownership, control, and influence
C. Key escrow agreement
D. Right to conduct code reviews

Continue reading →

Standard

A policy may mandate that all devices must be adequately protected. A standard supporting this policy requires that all operating systems on PCs must be Windows 8 or higher.

Baseline

A snapshot of PCs with Windows 8 is taken as the configuration baseline. Let’s call it baseline version 1.0.

Change Management

One year goes by, a change request to upgrade the PCs to Windows 8.1 is submitted. It is approved and implemented; the baseline version 1.0 is changed to baseline version 1.1, Windows 8.1.

Now, the latest baseline is version 1.1 (Windows 8.1), while the standard remains intact, Windows 8 or higher.

Summary

In this case, a standard is a document, while a baseline is a snapshot that meets the standard. A baseline can be changed only through the change management process.

NIST SP 800-30 R1

According to the generic risk model introduced in NIST SP 800-30 R1, a risk is decomposed into a couple of factors as the diagram denotes.

Threat Event and TTP

A threat event involves tactics, techniques, and procedures (TTP for short). It’s a good practice to describe a threat event by starting with a verb so that it can be matched with threat sources to shape threat scenarios.

Good Practice

This good practice can be found in Table E-2 of Appendix E.

Questions to Ponder

What is a threat?

Do you have a definition in your mind that is shared, communicated, and agreed upon?

Risk Model vs Threat Model

Since we are talking about the threat, why it relates to risk and the model is called a generic risk model that includes threat things, instead of being called a generic threat model?

Related Posts

• WENTZ’S INFORMATION RISK MODEL V1.1

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The development team is implementing the data persistence solution based on the relational database. The customer privacy data and credentials shall be protected from the access of the database administrator (DBA). Which of the following best addresses the requirement?
A. Limit the DBA’s access by joining tables into views
B. Use electronic codebook (ECB) cipher to protect data at rest
C. Implement role-based access control (RBAC)
D. Enable TLS/SSL transportation between clients and the server

Continue reading →

Amazon DynamoDB is a key-value and document database (NoSQL) that supports ACID transactions.

It’s a big achievement!!

DynamoDB

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It’s a fully managed, multiregion, multimaster, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.

https://aws.amazon.com/dynamodb/

ACID Transactions

DynamoDB transactions provide developers atomicity, consistency, isolation, and durability (ACID) across one or more tables within a single AWS account and region. You can use transactions when building applications that require coordinated inserts, deletes, or updates to multiple items as part of a single logical business operation.

https://aws.amazon.com/tw/blogs/aws/new-amazon-dynamodb-transactions

My ISSAP and ISSMP certificates were finally received today!

It is because the original delivery in February is missing and I forgot they didn’t come until late August this year, even though I passed the exams last year (2018/11/6 and 2018/11/14 respectively).

I can’t believe it that I should have forgotten this important thing:)

It’s about time to put them on my wall!!😄😄😄🏆🏆🏆

As a CISO, you decide to implement Information security management systems and to be certified as compliant with ISO 27001 standard, in which actions to address risks and opportunities are required. You realize this requirement is about risk management and start evaluating risk management frameworks to meet the requirement. To implement a risk management program, which of the following least meets the requirement?
A. NIST FARM Framework (Frame, Assess, Respond, and Monitor)
B. ISO 27002
C. ISO 27005
D. ISO 31000

Continue reading →