ISSMP Notes

Legal Notes

  • Tort Law
    • A tort is simply a civil wrong.
    • There are three general types of torts that may cause injury to another person: intentional torts, negligence torts, and strict liability torts.
  • Common Law
    • Judge-made law, not legislation.

Threat Intelligence Management

[Figure: the intelligence cycle]

The Evolvement of Certification and Accreditation Process

[Figure: RMF transition from the certification and accreditation process]

Vision, Goal, Objectives, and Strategy

[Figure: strategic plan model]

  • An organization establishes goals that will move it towards its vision.
  • These goals will have objectives that are measures of goal achievement.
  • Strategies are developed for how the goals will be achieved.
  • These strategies direct the execution of work intended to achieve the goals.
  • Organizational strategy is a plan that describes how the organization’s strengths and core competencies will be used to:
    • Manage resources effectively;
    • Manage stakeholder value;
    • Capitalize on opportunities;
    • Minimize the impact of threats;
    • Respond to changes in the market, legal, and regulatory environments; and
    • Reinforce focus on critical operational activities.
  • Business value is defined as the entire value of the business – the total sum of all tangible and intangible elements.
  • References
    • The Standard for Portfolio Management

Security Activities in SDLC

[Figure: security activities across the SDLC phases]

Source: NIST SP 800-64R2

  • Information Security Policy [NIST SP 800-100 2.2.5]
    An aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information.
  • Information Security Architecture [NIST SP 800-39 2.4.3]
    A description of the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
  • Generally Accepted Principles and Practices for Securing Information Technology Systems [NIST SP 800-14]
    SP 800-14 is withdrawn in its entirety. Revised content from the original publication can now be found in the following publications:

  • Information Security Program
    Building an information security program means designing and implementing security practices to protect critical business processes and IT assets. The security practices that make up the program are meant to mature over time. An information security program also helps to define policies and procedures for assessing risk, monitoring threats, and mitigating attacks.

The Most Giant Book I’ve Ever Had!

[Figure: the giant book]

This book, published in 2007, is listed in the CISSP suggested references, and I bought a used copy from Amazon. It took 37 days to be delivered.

I was surprised by the wrapping, or “package,” and the giant size. As thick as 8 cm and with 3231 pages, it’s the most giant book I’ve ever had.