Domain 1: Security and Risk Management

This domain encompasses the fundamental security concepts, governance principles, risk management practices, and legal/regulatory frameworks that form the foundation of information security management. As the highest-weighted domain, it requires deep understanding of security principles and their practical application in organizational contexts.

1.1 - Understand, adhere to, and promote professional ethics

ISC2 Code of Professional Ethics

The foundation of the CISSP profession, these four canons guide all professional activities:

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure

   • Highest priority - society comes before employer or self
   • Maintaining public trust in information systems
   • Protecting critical infrastructure

2. Act honorably, honestly, justly, responsibly, and legally

   • Personal integrity in all professional activities
   • Compliance with applicable laws and regulations
   • Ethical decision-making processes

3. Provide diligent and competent service to principals

   • Maintaining professional competence through education
   • Providing accurate and honest advice
   • Avoiding conflicts of interest

4. Advance and protect the profession

   • Mentoring others in the profession
   • Contributing to the body of knowledge
   • Maintaining professional standards

Organizational Code of Ethics

• Organizational-specific guidelines: Tailored to company culture and industry
• Professional conduct standards: Expected behaviors and accountability measures
• Conflict of interest policies: Guidelines for identifying and managing conflicts
• Whistleblower protections: Safe reporting mechanisms for ethical violations

1.2 - Understand and apply security concepts

Five Pillars of Information Security

The cornerstone of information security, these principles must be maintained throughout all security activities:

1. Confidentiality

   • Definition: Preventing unauthorized disclosure of information
   • Controls: Encryption, access controls, data classification, steganography
   • Violations: Human error, admin mistakes, policy oversights, misconfiguration
   • Concepts: Sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, isolation
   • Key Point: Use network traffic padding to prevent traffic analysis attacks

2. Integrity

   • Definition: Preventing unauthorized modification and maintaining data accuracy
   • Controls: Hash verification, digital signatures, input validation, change management, interface restrictions
   • Threats: Unauthorized changes, mistakes by authorized users, malicious modifications
   • Conditions: Accuracy, truthfulness, validity, accountability, responsibility, completeness, comprehensiveness
   • Key Point: Integrity includes maintaining internal consistency of data objects

3. Availability

   • Definition: Ensuring authorized access to resources when needed
   • Controls: Redundancy, backups, fault tolerance, DoS prevention, monitoring
   • Threats: System failures, attacks, natural disasters, human error
   • Conditions: Usability, accessibility, timeliness
   • Metrics: Uptime percentages (99.9%, 99.99%, 99.999%)

4. Authenticity

   • Definition: Data is genuine and originates from its claimed source
   • Implementation: Digital certificates, cryptographic signatures, chain of custody
   • Relationship: Closely tied to integrity and non-repudiation
   • Verification: Strong confidence in data source and unchanged state

5. Non-repudiation

   • Definition: Ensures subjects cannot deny their actions or involvement
   • Requirements: Strong identification, authentication, authorization, auditing, accounting
   • Technical Controls: Digital signatures, timestamps, cryptographic proofs
   • Legal Aspect: Provides evidence for legal proceedings

AAA Services (Foundation of Access Control)

• Identification: Subject claims an identity (username, account number)
• Authentication: Proving the claimed identity (password, biometric, certificate)
• Authorization: Determining what the authenticated subject may access
• Auditing: Recording activities and events for later review and accountability
• Accounting: Reviewing audit logs to ensure compliance and investigate violations

Extended Model: Some frameworks include Identification as a separate first step (I-AAA)

• Accounting: Reviewing logs to hold users accountable

Protection Mechanisms

• Defense in Depth: Multiple layered controls
• Abstraction: Grouping similar elements for collective security controls
• Data Hiding: Logical compartmentalization to prevent access
• Encryption: Hiding meaning of communications

1.3 - Evaluate and apply security governance principles

Security Governance Overview

• Collection of practices for supporting, evaluating, defining, and directing security efforts
• Should be performed by board of directors or governance committee
• Aligns security policies, solutions, and management practices
• Closely related to corporate and IT governance

Top-Down vs Bottom-Up Approach

• Top-Down (Preferred):

  • Senior management initiates and defines policies
  • Middle management creates standards and guidelines
  • Operations implements configurations
  • End users comply with policies

• Bottom-Up (Avoid):

  • IT staff makes security decisions without senior management input

Organizational Processes

Acquisitions and Divestitures

• Risks in Acquisitions:

  • Unknown state of new company's IT environment
  • Due diligence is critical
  • Integration challenges with different security standards

• Evaluation Methods:

  • On-site assessment
  • Third-party audit
  • Review of existing documentation

• Divestitures Considerations:

  • How to split IT infrastructure
  • What to do with identities and credentials
  • Data ownership and transfer

Governance Committees

• Vendor governance
• Project governance
• Architecture governance
• Executives, managers, and appointed individuals
• Review architecture, projects, incidents
• Provide approvals for new strategies

Organizational Roles and Responsibilities

Senior Manager

• Responsibility for organizational security
• Maximize profits and shareholder value
• Ultimate accountability for security decisions

Security Professional

• Day-to-day security management
• Policy implementation
• Risk assessment and mitigation

Asset Owner

• Responsible for asset classification
• Determines access requirements
• Accountable for asset protection

Custodian

• Day-to-day protection of assets
• Implements controls as directed by owner
• Maintains and operates security controls

User

• Follows security policies and procedures
• Reports security incidents
• Responsible for protecting assigned resources

Auditor

• Reviews and verifies policy implementation
• Independent assessment of security controls
• Reports compliance status

Security Control Frameworks

ISO 27000 Series

• International security standard
• Basis for implementing organizational security
• Systematic approach to managing information security risks
• ISO 27001: ISMS requirements
• ISO 27701: Privacy extension for GDPR compliance

NIST Framework

• Risk Management Framework (RMF)
• Cybersecurity Framework
• Special Publications (800 series)

COBIT (Control Objectives for Information and Related Technologies)

• Framework created by ISACA
• Focuses on enterprise IT alignment with business strategies
• Comprehensive framework for managing risks
• Commonly used as audit/compliance framework

SABSA (Sherwood Applied Business Security Architecture)

• Business-driven, risk and opportunity focused
• Series of integrated frameworks, models, methods, and processes
• Can be used independently or as holistic enterprise solution

PCI DSS

• Protects credit and debit card information
• Building and maintaining network security
• Maintaining information security policies
• Regular compliance audits required

FedRAMP

• Government-wide program for cloud services
• Standardizes security assessment, authorization, monitoring
• Benefits: reduced costs, improved visibility, accelerated adoption

CIS Critical Security Controls

• Prioritized set of actions to defend against threats
• Practical steps to reduce attack surface
• Focuses on secure configurations, admin privileges, log monitoring

ITIL (Information Technology Infrastructure Library)

• Practices for IT Service Management
• Aligns IT services with business needs
• Includes security governance elements

COSO (Committee of Sponsoring Organizations)

• Framework to reduce financial fraud
• Enhances internal control networks

Due Care vs Due Diligence

Due Diligence

• Establishing a plan, policy, process to protect organizational interests
• Knowing what should be done and planning for it
• Understanding security governance principles and organizational risks
• Actions taken by vendor to demonstrate due care
• Developing formalized security structure

Due Care

• Practicing individual activities that maintain due diligence
• Legal responsibility to implement organizational controls
• Following policy and making reasonable choices
• Continued application of security structure
• Doing the right action at the right time

1.4 - Understand legal, regulatory, and compliance issues

Cybercrimes and Data Breaches

Computer Fraud and Abuse Act (CFAA) - 1986

• Protects government and interstate commerce computers
• Prohibits:
  • Accessing computer without authorization
  • Exceeding authorized access
  • Threatening computer damage or extortion

National Information Infrastructure Protection Act - 1996

• Amendment to CFAA
• Covers international commerce systems
• Protects additional national infrastructure
• Treats damage to national infrastructure as felony

Licensing and Intellectual Property

Types of Intellectual Property

1. Trademarks

   • Words, slogans, logos identifying company/products
   • Identify company and its products or services

2. Patents

   • Protection for new inventions
   • Temporary monopoly for specific items
   • Must be novel and unique
   • Types: Utility patents, Software patents (controversial)

3. Copyright

   • Protects original works of authorship
   • Books, articles, poems, songs

4. Trade Secrets

   • Operating secrets critical to business
   • Significant damage if disclosed to competitors
   • Protected by trade secret laws

5. Licensing

   • Contract between software producer and consumer
   • Limits use or distribution of software

Import/Export Controls

ITAR (International Traffic in Arms Regulations)

• US regulation for military and defense systems
• Controls manufacture, export, import of munitions

EAR (Export Administration Regulations)

• Focuses on commercial use items
• Computers, lasers, marine items
• Items with potential military applications

Wassenaar Arrangement

• Multinational agreement
• Voluntary export control regime

Transborder Data Flow

• Organizations must adhere to origin country laws
• Consider applicable laws where data is stored
• Different countries have different privacy requirements

Privacy Regulations

GDPR (General Data Protection Regulation)

Scope and Applicability

• European Union regulation effective May 25, 2018
• Applies to organizations processing EU residents' personal data
• Extraterritorial reach - applies regardless of organization location
• Covers both data controllers and data processors

Key Principles (Article 5)

1. Lawfulness, fairness, and transparency: Processing must have legal basis
2. Purpose limitation: Data collected for specified, explicit, legitimate purposes
3. Data minimization: Adequate, relevant, and limited to necessary purposes
4. Accuracy: Personal data must be accurate and kept up to date
5. Storage limitation: Kept only as long as necessary
6. Integrity and confidentiality: Appropriate security measures required
7. Accountability: Controller responsible for demonstrating compliance

Legal Bases for Processing (Article 6)

• Consent: Freely given, specific, informed, and unambiguous
• Contract: Necessary for contract performance
• Legal obligation: Required by law
• Vital interests: Protecting life or death situations
• Public task: Official authority or public interest
• Legitimate interests: Balancing test with individual rights

Data Subject Rights

• Right to information: Transparent information about processing
• Right of access: Copy of personal data and processing information
• Right to rectification: Correction of inaccurate data
• Right to erasure ("Right to be forgotten"): Deletion under specific circumstances
• Right to restrict processing: Limit processing activities
• Right to data portability: Receive data in structured, machine-readable format
• Right to object: Object to processing based on legitimate interests
• Rights related to automated decision-making: Protection from solely automated decisions

Technical and Organizational Measures

• Privacy by Design and by Default: Built-in privacy protection
• Data Protection Impact Assessments (DPIA): Required for high-risk processing
• Data Protection Officer (DPO): Mandatory for certain organizations
• Record of processing activities: Documentation requirements
• Data breach notification: 72 hours to supervisory authority, immediate to individuals if high risk

International Data Transfers

• Adequacy decisions: EU Commission approved countries
• Appropriate safeguards: Standard contractual clauses, binding corporate rules
• Derogations: Limited exceptions for specific situations

Penalties and Enforcement

• Administrative fines: Up to €20 million or 4% of annual global turnover (whichever higher)
• Two-tier system:
  • Tier 1: Up to €10 million or 2% (technical violations)
  • Tier 2: Up to €20 million or 4% (rights violations, consent issues)
• Other corrective measures: Warnings, reprimands, processing bans

Key Concepts for CISSPs

• Controller vs. Processor: Different responsibilities and liabilities
• Pseudonymization: Technical measure to reduce privacy risks
• Cross-border data transfers: Complex compliance requirements
• Consent management: High bar for valid consent
• Breach notification: Strict timelines and requirements

California SB 1386

• Requires immediate disclosure for PII breaches
• Model for other state breach notification laws

PIPEDA (Personal Information Protection and Electronic Documents Act)

• Canadian law governing personal information use

Additional Regulatory Requirements

Gramm-Leach-Bliley Act

• Applies to insurance and financial organizations
• Requires breach notification to regulators, law enforcement, customers

CALEA (Communications Assistance to Law Enforcement Act)

• Requires communication carriers enable wiretaps when court ordered

USA PATRIOT Act (2001)

• Tightened US national security post-9/11
• Expanded surveillance abilities of law enforcement

Types of Law

Criminal Law

• Protects society against acts violating basic principles
• Violations prosecuted by federal and state governments

Administrative Law

• Used by government agencies for day-to-day business

Compliance Requirements

• PCI DSS, Sarbanes-Oxley, GLBA, HIPAA, FISMA, ECPA, DMCA
• Organizations subject to various laws and regulations
• Contractual obligations may also apply

1.5 - Understand requirements for investigation types

Administrative Investigation

• Internal investigations of operational issues
• Policy violations
• Often tied to HR scenarios
• Technical troubleshooting
• Lowest formality and documentation standards
• Focus on finding root cause

Criminal Investigation

• Crime has been committed
• Working with law enforcement
• Goal to convict perpetrator
• Gathering evidence for court
• High standards for evidence handling
• Chain of custody critical

Civil Investigation

• Private party disputes
• Preponderance of evidence standard
• Financial damages typically sought

Regulatory Investigation

• Government agency enforcement
• Industry-specific regulations
• Administrative penalties possible

Industry Standards Investigation

• Professional organization requirements
• Peer review processes
• Professional sanctions possible

1.6 - Develop, document, and implement security policy, standards, procedures, and guidelines

Policy Hierarchy

1. Policies: High-level statements of management intent
2. Standards: Mandatory requirements supporting policies
3. Baselines: Minimum security requirements
4. Guidelines: Recommended practices
5. Procedures: Step-by-step instructions

Security Planning Types

Strategic Plan

• Long-term plan (5 years)
• Establishes security purpose
• Aligns security with organizational goals
• Updated annually

Tactical Plan

• Mid-term plan (1 year)
• Provides detailed implementation
• Prescribes specific tasks

Operational Plan

• Short-term plan
• Resource allocations
• Budgetary requirements
• Staffing assignments
• Standard Operating Procedures

1.7 - Identify, analyze, assess, prioritize, and implement Business Continuity requirements

Business Impact Analysis (BIA)

Process Steps

1. Project scope and planning

   • Organizational review
   • BCP team selection
   • Resource requirements
   • External dependencies

2. Business impact analysis

   • Identify assets and asset value
   • Critical business functions
   • Priorities identification
   • Risk identification
   • Assess likelihood (quantitative vs qualitative)
   • Assess impact (ALE calculations)
   • Resource prioritization

3. Continuity strategy development

   • Determine which risks to address
   • How to address identified risks

4. Provisions and processes

   • Specific procedures for risk mitigation

5. Plan approval and implementation

   • Plan approval process
   • Implementation procedures
   • Communication, training, education
   • Documentation requirements

BCP Documentation Requirements

• BCP goals and objectives
• Statement of importance
• Statement of priorities
• Organizational responsibility statements
• Urgency and timing requirements
• Risk assessment recap
• Risk acceptance/mitigation decisions
• Vital records program
• Emergency response guidelines
• Maintenance procedures
• Testing and exercises

External Dependencies

• Third-party service providers
• Supply chain dependencies
• Utility services
• Communication services
• Transportation systems

1.8 - Contribute to and enforce personnel security policies and procedures

Candidate Screening and Hiring

• Background checks
• Reference verification
• Education verification
• Criminal history checks
• Credit checks (where appropriate)
• Social media screening

Employment Agreements

• Confidentiality agreements
• Non-disclosure agreements
• Acceptable use policies
• Code of conduct
• Security responsibilities

Onboarding Process

• Security orientation
• Policy acknowledgment
• Access provisioning
• Training requirements
• Badge/credential issuance

Transfers

• Access review and modification
• New role responsibilities
• Additional training if needed
• Privilege adjustments

Termination Process

• Access revocation immediately
• Asset return procedures
• Exit interviews
• Final security briefing
• Account deactivation

Vendor, Consultant, and Contractor Controls

• Third-party agreements
• Security requirements
• Access limitations
• Monitoring requirements
• Regular assessments

1.9 - Understand and apply risk management concepts

NIST Risk Management Framework (RMF)

The RMF provides a structured approach for integrating security and risk management activities into the system development lifecycle:

RMF Six-Step Process

1. Categorize (CAT)

   • Categorize the system and information processed, stored, transmitted
   • Use FIPS 199 standards for impact levels (Low, Moderate, High)
   • Consider confidentiality, integrity, and availability impacts
   • Document system boundaries and authorization boundaries

2. Select (SEL)

   • Select baseline security controls based on categorization
   • Use NIST SP 800-53 control catalog
   • Tailor controls based on organizational requirements
   • Document control selection decisions and rationale

3. Implement (IMP)

   • Implement selected security controls
   • Document implementation details
   • Develop system security plan
   • Establish configuration management

4. Assess (ASS)

   • Assess implemented controls for effectiveness
   • Use NIST SP 800-53A assessment procedures
   • Identify control deficiencies and weaknesses
   • Generate Security Assessment Report (SAR)

5. Authorize (AUT)

   • Authorize system operation based on risk determination
   • Senior official makes risk-based decision
   • Issue Authority to Operate (ATO) or other authorization decision
   • Establish terms and conditions for operation

6. Monitor (MON)

   • Continuously monitor security controls
   • Assess changes to system and environment
   • Update security documentation
   • Report security status to appropriate officials

Risk Management Process (ISO 31000/NIST)

1. Risk identification

   • Identify assets and asset value
   • Identify threats
   • Identify vulnerabilities
   • Document risk scenarios

2. Risk analysis

   • Assess likelihood/probability
   • Assess impact/consequences
   • Calculate risk levels
   • Consider threat sources and threat events

3. Risk evaluation

   • Compare against risk tolerance/appetite
   • Prioritize risks for treatment
   • Consider organizational risk criteria
   • Document risk evaluation decisions

4. Risk treatment

   • Accept, avoid, mitigate, or transfer
   • Select appropriate controls
   • Develop risk treatment plans
   • Allocate resources for implementation

5. Monitor and review

   • Continuous monitoring
   • Periodic reassessment
   • Risk communication and reporting
   • Update risk management processes

Risk Assessment Types

Quantitative Risk Assessment

Overview

• Uses monetary values and objective calculations
• Provides financial justification for security investments
• Time-consuming and data-intensive but highly accurate
• Based on historical data and statistical analysis

Key Metrics and Formulas

Asset Value (AV)

• Total value of the asset being protected
• Includes replacement cost, lost productivity, legal liability
• Formula: AV = Replacement Cost + Business Impact Cost

Exposure Factor (EF)

• Percentage of asset value lost if threat occurs
• Expressed as decimal (0.1 = 10%, 0.5 = 50%, 1.0 = 100%)
• Based on expert judgment and historical data

Single Loss Expectancy (SLE)

• Expected monetary loss from single occurrence of threat
• Formula: SLE = AV × EF
• Example: $100,000 server × 0.4 EF = $40,000 SLE

Annual Rate of Occurrence (ARO)

• Expected frequency of threat occurrence per year
• Can be fraction (0.1 = once every 10 years) or whole number (2 = twice per year)
• Based on historical data and threat intelligence

Annual Loss Expectancy (ALE)

• Expected monetary loss per year from specific threat
• Formula: ALE = SLE × ARO
• Example: $40,000 SLE × 0.2 ARO = $8,000 ALE

Cost-Benefit Analysis

• Annual Cost of Safeguard (ACS): Yearly cost to implement and maintain control
• Value of Safeguard: ALE(before) - ALE(after) - ACS
• Return on Investment (ROI): (ALE reduction - ACS) / ACS × 100%
• Payback Period: ACS / (ALE reduction per year)

Risk Calculation Examples

Example 1: Server Protection

• Asset Value: $200,000
• Exposure Factor: 60% (0.6)
• Annual Rate of Occurrence: 0.1 (once every 10 years)
• SLE = $200,000 × 0.6 = $120,000
• ALE = $120,000 × 0.1 = $12,000

Example 2: Safeguard Justification

• Current ALE: $50,000
• Safeguard reduces EF from 80% to 20%
• New ALE: $50,000 × (20%/80%) = $12,500
• ALE reduction: $50,000 - $12,500 = $37,500
• Annual Cost of Safeguard: $15,000
• Net benefit: $37,500 - $15,000 = $22,500
• ROI: ($37,500 - $15,000) / $15,000 = 150%

Qualitative Risk Assessment

• Descriptive terms (Low, Medium, High)
• Expert judgment based
• Risk matrices
• Relative ranking system (asset 7 is more important than asset 4, but 17 is more valuable than 7, etc)
• Quick and cost-effective
• Can be subjective

Risk Response Strategies

1. Accept: Acknowledge risk and take no action
2. Avoid: Eliminate the risk by not engaging in risky activity
3. Mitigate: Reduce likelihood or impact through controls
4. Transfer: Share risk with third party (insurance, outsourcing)

Risk Types and Classifications

Inherent Risk

Definition: The level of risk present in the absence of any controls or mitigating actions

• Characteristics: Natural, uncontrolled risk level before any security measures
• Assessment: Based on threat likelihood and impact without controls
• Purpose: Establishes baseline risk level for comparison and control justification
• Calculation: Uses raw threat and vulnerability data without control considerations
• Example: Risk of data breach from SQL injection before implementing input validation

Residual Risk

Definition: The level of risk remaining after controls have been implemented and are operating effectively

• Characteristics: Remaining risk after security controls reduce the inherent risk
• Assessment: Evaluates effectiveness of implemented controls
• Purpose: Determines if additional controls are needed or if risk is acceptable
• Calculation: Inherent Risk - Control Effectiveness = Residual Risk
• Example: Reduced data breach risk after implementing input validation, WAF, and monitoring

Risk Tolerance vs Risk Appetite

Risk Appetite

• Definition: The amount of risk an organization is willing to accept in pursuit of business objectives
• Characteristics: Strategic level decision made by senior management and board
• Scope: Broad organizational statement about acceptable risk levels
• Examples: "We will accept no more than $1M in annual expected losses from cyber incidents"
• Purpose: Guides overall risk management strategy and resource allocation

Risk Tolerance

• Definition: The specific amount of risk that is acceptable for a particular activity or business process
• Characteristics: Tactical level implementation of risk appetite
• Scope: Specific thresholds for individual risks or business units
• Examples: "Database servers must have 99.9% uptime" or "No single control failure can result in >$100K loss"
• Purpose: Provides operational guidance for risk management decisions

Additional Risk Classifications

Total Risk

• Definition: The complete risk exposure including all possible threats and vulnerabilities
• Formula: Total Risk = Threats × Vulnerabilities × Asset Value
• Consideration: Theoretical maximum risk if no controls existed
• Use: Baseline for measuring control effectiveness

Acceptable Risk

• Definition: Level of risk that an organization considers tolerable given business objectives
• Determination: Based on risk appetite and tolerance levels
• Balance: Between security costs and business functionality
• Management: Must be formally acknowledged and documented

Unacceptable Risk

• Definition: Risk levels that exceed organizational tolerance limits
• Response: Requires immediate attention and additional controls
• Escalation: May require business process changes or risk transfer
• Documentation: Must be reported to appropriate management levels

Risk Treatment Impact on Risk Types

Risk Mitigation Effects:

• Control Implementation: Reduces inherent risk to create residual risk
• Control Effectiveness: Determines the gap between inherent and residual risk
• Control Failure: May cause residual risk to approach inherent risk levels
• Defense in Depth: Multiple controls provide layered risk reduction

Risk Assessment Progression:

1. Identify Inherent Risk: Assess threats and vulnerabilities without controls
2. Evaluate Current Controls: Determine existing control effectiveness
3. Calculate Current Residual Risk: Apply control effectiveness to inherent risk
4. Compare to Risk Tolerance: Determine if additional controls needed
5. Design Additional Controls: Plan controls to achieve target residual risk
6. Project Future Residual Risk: Estimate post-implementation risk levels

Risk Management Decision Framework

Accept Residual Risk When:

• Residual risk is within organizational tolerance
• Cost of additional controls exceeds potential loss
• Business requirements prevent additional security measures
• Formal risk acceptance documented by appropriate authority

Implement Additional Controls When:

• Residual risk exceeds organizational tolerance
• Cost-benefit analysis supports additional investment
• Regulatory requirements mandate specific risk levels
• Business impact justifies control implementation

Transfer Risk When:

• Specialized expertise required for effective management
• Financial instruments (insurance) available and cost-effective
• Third-party can better manage specific risk types
• Residual risk concentration exceeds organizational capacity

Practical Risk Assessment Example

Scenario: E-commerce website with customer payment processing

Step 1: Inherent Risk Assessment

• Threat: Credit card data theft via SQL injection
• Asset Value: $500,000 (regulatory fines, customer loss, remediation)
• Vulnerability: Web application with database connectivity
• Likelihood: High (8/10) due to common attack vector
• Inherent Risk: High impact, high likelihood = High risk

Step 2: Current Controls Assessment

• Existing Controls: Basic firewall, standard coding practices
• Control Effectiveness: Limited (30% risk reduction)
• Current Residual Risk: Still high due to insufficient controls

Step 3: Enhanced Controls Implementation

• Additional Controls: Input validation, WAF, encryption, monitoring
• Enhanced Control Effectiveness: Significant (80% risk reduction)
• Target Residual Risk: Medium level within organizational tolerance

Step 4: Risk Management Decision

• Residual Risk Level: Acceptable for business operations
• Ongoing Monitoring: Regular control effectiveness assessment
• Risk Acceptance: Formally documented by management

Risk Communication and Reporting

Inherent Risk Reporting

• Purpose: Demonstrate the value of existing security investments
• Audience: Senior management and board members
• Content: Baseline risk levels without security controls
• Frequency: Annual or during major risk assessments

Residual Risk Reporting

• Purpose: Show current organizational risk posture
• Audience: Operational management and risk committees
• Content: Current risk levels after control implementation
• Frequency: Quarterly or after significant control changes

Risk Trending Analysis

• Inherent Risk Trends: Changes in threat landscape and business environment
• Residual Risk Trends: Impact of control improvements and degradation
• Gap Analysis: Difference between current and target residual risk levels
• Investment Justification: ROI of security control implementations

Types of Controls (Safeguards)

By Function

Preventive Controls

• Definition: A preventive or preventative control is deployed to thwart or stop unwanted or unauthorized activity from occurring
• Purpose: Proactively prevent security incidents before they happen
• Examples: Firewalls, access controls, encryption, security guards, locked doors
• Timing: Operate before incidents occur
• Key Characteristic: Block or prevent unauthorized actions

Deterrent Controls

• Definition: A deterrent control is deployed to discourage security policy violations; deterrent and preventative controls are similar, but deterrent controls often depend on individuals being convinced not to take an unwanted action
• Purpose: Psychologically discourage potential attackers or policy violators
• Examples: Warning signs, security cameras (visible), audit logs, sanctions policies
• Timing: Operate before incidents occur through psychological influence
• Key Characteristic: Rely on fear of consequences to prevent actions

Directive Controls

• Definition: A directive control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies
• Purpose: Guide or mandate specific behaviors and actions
• Examples: Security policies, procedures, training programs, acceptable use policies
• Timing: Establish behavioral expectations before actions are taken
• Key Characteristic: Provide guidance and mandatory requirements for compliance

Countermeasures (Reactive Controls):

Detective Controls

• Definition: A detective control is deployed to discover or detect unwanted or unauthorized activity; detective controls operate after the fact
• Purpose: Identify and alert on security incidents as they occur or after they have occurred
• Examples: IDS/IPS, audit logs, security monitoring, motion detectors, video surveillance
• Timing: Operate during or after incidents occur
• Key Characteristic: Identify violations and generate alerts or evidence

Corrective Controls

• Definition: A corrective control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred; it attempts to correct any problems resulting from a security incident
• Purpose: Repair damage and restore normal operations after minor incidents
• Examples: Antivirus software remediation, account lockouts, patch management, incident response procedures
• Timing: Operate after incidents to correct immediate problems
• Key Characteristic: Address immediate consequences and restore basic functionality

Recovery Controls

• Definition: An extension of corrective controls but have more advanced or complex abilities; a recovery control attempts to repair or restore resources, functions, and capabilities after a security policy violation. Recovery controls typically address more significant damaging events compared to corrective controls, especially when security violations may have occurred
• Purpose: Restore full operations after major incidents or disasters
• Examples: Backup and restore systems, disaster recovery procedures, business continuity plans, system rebuilds
• Timing: Operate after significant incidents to restore complete functionality
• Key Characteristic: Address comprehensive restoration after major damage or violations

Compensating Controls

• Definition: A compensating control is deployed to provide various options to other existing controls, to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control. They can be a means to improve the effectiveness of a primary control or as the alternative or failover option in the event of a primary control failure
• Purpose: Supplement, enhance, or substitute for primary controls when they cannot be implemented or fail
• Examples: Manual procedures when automated controls fail, additional monitoring when encryption cannot be used, segregation of duties when technical controls are insufficient
• Timing: Operate alongside primary controls or when primary controls are unavailable
• Key Characteristic: Provide alternative or additional protection methods

By Implementation

• Administrative: Policies, procedures, training
• Technical: Firewalls, encryption, access controls
• Physical: Guards, locks, cameras

Control Assessments

• Security control testing
• Privacy control assessment
• Gap analysis
• Compliance verification
• Effectiveness measurement

Continuous Monitoring

• Real-time security monitoring
• Regular vulnerability scans
• Performance metrics tracking
• Incident trend analysis
• Risk posture updates

Reporting

Internal Reporting

• Executive dashboards
• Risk registers
• Incident reports
• Compliance status

External Reporting

• Regulatory submissions
• Third-party assessments
• Customer reports
• Industry benchmarking

Risk Frameworks

• Already covered in section 1.3 (ISO, NIST, COBIT, SABSA, PCI)

Safeguards (Security Controls)

Security controls are safeguards or countermeasures designed to preserve confidentiality, integrity, and availability. Controls are categorized by their functional purpose and implementation method.

Functional Categories of Controls

Preventive Controls

• A preventive or preventative control is deployed to thwart or stop unwanted or unauthorized activity from occurring
• Purpose: Stop incidents before they happen
• Examples: Firewalls, access controls, encryption, security awareness training
• Timing: Proactive - operates before incidents occur
• CISSP Focus: Primary line of defense in defense-in-depth strategy

Deterrent Controls

• A deterrent control is deployed to discourage security policy violations
• Deterrent and preventative controls are similar, but deterrent controls often depend on individuals being convinced not to take an unwanted action
• Purpose: Psychologically discourage potential attackers or policy violators
• Examples: Warning banners, security cameras (visible), security guards, audit logs
• Timing: Proactive - influences behavior before incidents
• Key Point: Effectiveness depends on awareness and perceived consequences

Directive Controls

• A directive control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies
• Purpose: Guide users toward compliant behavior through mandates and instructions
• Examples: Security policies, procedures, training programs, acceptable use policies
• Timing: Proactive - establishes expected behavior patterns
• Implementation: Often administrative controls that set behavioral expectations

Countermeasures (Reactive Controls)

Detective Controls

• A detective control is deployed to discover or detect unwanted or unauthorized activity
• Detective controls operate after the fact
• Purpose: Identify security incidents as they occur or after they have occurred
• Examples: IDS/IPS, SIEM systems, audit logs, surveillance cameras, motion detectors
• Timing: During or after incidents - provides alerting and evidence
• Critical Role: Essential for incident response and forensic analysis

Corrective Controls

• A corrective control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
• It attempts to correct any problems resulting from a security incident
• Purpose: Fix immediate problems and restore normal operations
• Examples: Antivirus software (removing malware), account lockouts, patch management
• Timing: Immediate response after incident detection
• Scope: Addresses specific, localized security violations

Recovery Controls

• An extension of corrective controls but have more advanced or complex abilities
• A recovery control attempts to repair or restore resources, functions, and capabilities after a security policy violation
• Recovery controls typically address more significant damaging events compared to corrective controls, especially when security violations may have occurred
• Purpose: Restore full functionality after major incidents or disasters
• Examples: Backup restoration, disaster recovery procedures, failover systems, business continuity plans
• Timing: Extended response after major incidents
• Scope: Comprehensive restoration of services and data

Compensating Controls

• A compensating control is deployed to provide various options to other existing controls, to aid in enforcement and support of security policies
• They can be any controls used in addition to, or in place of, another control
• They can be a means to improve the effectiveness of a primary control or as the alternative or failover option in the event of a primary control failure
• Purpose: Provide alternative protection when primary controls are insufficient or fail
• Examples: Manual procedures when automated controls fail, additional authentication factors, increased monitoring
• Implementation: Secondary or backup controls that maintain security posture
• Use Cases: Regulatory compliance when standard controls cannot be implemented

Implementation Categories of Controls

Administrative Controls

• Policies, procedures, standards, guidelines
• Security awareness training
• Background checks
• Separation of duties

Technical Controls

• Hardware and software mechanisms
• Firewalls, encryption, access controls
• Intrusion detection systems
• Authentication systems

Physical Controls

• Environmental and facility protections
• Guards, locks, badges
• Surveillance cameras
• Environmental controls (HVAC, fire suppression)

1.10 - Understand and apply threat modeling concepts and methodologies

General Threat Modeling Process

1. Identify assets/components
2. Identify threats
3. Identify vulnerabilities
4. Analyze risks
5. Determine mitigations
6. Prioritize actions

STRIDE Methodology

• Spoofing: Impersonating users or systems
• Tampering: Modifying data or code
• Repudiation: Denying actions
• Information Disclosure: Exposing information
• Denial of Service: Disrupting availability
• Elevation of Privilege: Gaining unauthorized access

PASTA (Process for Attack Simulation and Threat Analysis)

1. Define objectives
2. Define technical scope
3. Application decomposition
4. Threat analysis
5. Vulnerability analysis
6. Attack modeling
7. Risk and impact analysis

DREAD Risk Assessment Model

DREAD is a quantitative risk assessment methodology that provides a structured approach to evaluating and prioritizing security threats identified through other threat modeling techniques.

DREAD Components

Damage Potential (D)

• Scale: 0-10 (0 = No damage, 10 = Complete system compromise)
• Evaluation Criteria:
  • Data loss or corruption severity
  • System availability impact
  • Financial and operational consequences
• Examples:
  • 2-3: Minor information disclosure
  • 7-8: Significant data breach
  • 9-10: Complete system takeover

Reproducibility (R)

• Scale: 0-10 (0 = Very difficult to reproduce, 10 = Easy to reproduce)
• Evaluation Criteria:
  • Complexity of attack steps
  • Required tools and expertise
  • Environmental dependencies
• Examples:
  • 2-3: Requires specialized tools and deep expertise
  • 7-8: Reproducible with publicly available tools
  • 9-10: Simple attack requiring minimal skills

Exploitability (E)

• Scale: 0-10 (0 = Very difficult to exploit, 10 = Easy to exploit)
• Evaluation Criteria:
  • Attack vector accessibility
  • Authentication requirements
  • User interaction needed
• Examples:
  • 2-3: Requires physical access and privileged credentials
  • 7-8: Remote exploitation with user interaction
  • 9-10: Remote exploitation without authentication

Affected Users (A)

• Scale: 0-10 (0 = No users affected, 10 = All users affected)
• Evaluation Criteria:
  • Percentage of user base impacted
  • Criticality of affected user roles
  • Scope of system compromise
• Examples:
  • 2-3: Small subset of users
  • 7-8: Significant portion of user base
  • 9-10: All users or critical administrative accounts

Discoverability (D)

• Scale: 0-10 (0 = Very difficult to discover, 10 = Very easy to discover)
• Evaluation Criteria:
  • Visibility of vulnerability
  • Public knowledge of attack methods
  • Tool availability for discovery
• Examples:
  • 2-3: Obscure vulnerability requiring deep analysis
  • 7-8: Vulnerability discoverable with standard scanning tools
  • 9-10: Obvious vulnerability visible to casual observers

DREAD Risk Calculation

Formula: Risk Score = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

Risk Categories:

• High Risk: 7.0-10.0 (Immediate attention required)
• Medium Risk: 4.0-6.9 (Address in next release cycle)
• Low Risk: 0.0-3.9 (Address when resources available)

Example DREAD Assessment: SQL Injection Vulnerability

• Damage: 9 (Database compromise possible)
• Reproducibility: 8 (Well-documented attack)
• Exploitability: 7 (Requires moderate skill)
• Affected Users: 9 (All application users)
• Discoverability: 6 (Detectable with automated tools)
• Risk Score: (9+8+7+9+6)/5 = 7.8 (High Risk)

Integrated Threat Modeling Approach: PASTA + STRIDE + DREAD

How the Methodologies Complement Each Other

PASTA as the Framework

• Provides Structure: Seven-stage process for comprehensive threat analysis
• Business Context: Aligns security analysis with business objectives
• Methodology Agnostic: Can incorporate other techniques like STRIDE and DREAD
• Comprehensive Coverage: From high-level strategy to technical implementation

STRIDE for Threat Categorization

• Threat Identification: Systematic approach to identify threat types
• Technical Focus: Detailed analysis of specific attack vectors
• Completeness: Ensures all major threat categories are considered
• Integration Point: STRIDE fits into PASTA Stage 4 (Threat Analysis)

DREAD for Risk Prioritization

• Quantitative Assessment: Numerical risk scoring for objective comparison
• Resource Allocation: Helps prioritize remediation efforts
• Stakeholder Communication: Provides clear risk metrics for management
• Integration Point: DREAD fits into PASTA Stage 7 (Risk and Impact Analysis)

Integrated Workflow Process

Stage 1-3: PASTA Foundation

1. Define Objectives: Business goals and security requirements
2. Define Technical Scope: System boundaries and architecture
3. Application Decomposition: Components, data flows, trust boundaries

Stage 4: STRIDE-Enhanced Threat Analysis

• For Each Component/Data Flow:
  • Apply STRIDE categories systematically
  • Spoofing: Identity verification weaknesses
  • Tampering: Data integrity vulnerabilities
  • Repudiation: Logging and audit gaps
  • Information Disclosure: Confidentiality breaches
  • Denial of Service: Availability threats
  • Elevation of Privilege: Authorization bypass

Stage 5-6: PASTA Continuation 5. Vulnerability Analysis: Technical weakness identification 6. Attack Modeling: Attack tree and scenario development

Stage 7: DREAD-Enhanced Risk Assessment

• For Each STRIDE Threat:
  • Evaluate using DREAD criteria
  • Calculate quantitative risk scores
  • Prioritize threats by risk level
  • Map to business impact

Practical Integration Example

Web Application Threat Analysis

PASTA Stages 1-3: E-commerce application, user data processing, payment handling

STRIDE Analysis (Stage 4):

• Spoofing: Weak authentication mechanisms
• Tampering: Unvalidated input parameters
• Information Disclosure: Sensitive data in error messages
• Denial of Service: Resource exhaustion attacks

DREAD Assessment (Stage 7):

• SQL Injection (Tampering):
  • D=9, R=8, E=7, A=9, D=6 → Risk=7.8 (High)
• Session Fixation (Spoofing):
  • D=7, R=6, E=5, A=8, D=4 → Risk=6.0 (Medium)
• XSS (Information Disclosure):
  • D=6, R=7, E=8, A=7, D=8 → Risk=7.2 (High)

Benefits of Integrated Approach

Comprehensive Coverage

• PASTA ensures business alignment and complete process
• STRIDE ensures technical completeness
• DREAD ensures objective prioritization

Stakeholder Communication

• Technical teams understand STRIDE categories
• Management understands DREAD risk scores
• Business teams understand PASTA business context

Resource Optimization

• Focus resources on highest DREAD scores
• Ensure all STRIDE categories are addressed
• Maintain business focus through PASTA framework

Quality Assurance

• Multiple perspectives reduce blind spots
• Quantitative scores enable tracking and comparison
• Structured process ensures repeatability

Implementation Best Practices

Team Composition

• Business Analysts: PASTA business requirements
• Security Architects: STRIDE threat identification
• Risk Analysts: DREAD scoring and assessment
• Developers: Technical vulnerability analysis

Tool Integration

• Threat Modeling Tools: Microsoft Threat Modeling Tool, OWASP Threat Dragon
• Risk Assessment Tools: Spreadsheets, specialized risk management platforms
• Documentation: Centralized threat model repository

Continuous Improvement

• Regular Updates: Reassess DREAD scores based on changing threat landscape
• Lessons Learned: Update STRIDE analysis based on actual incidents
• Business Alignment: Refresh PASTA objectives with business changes

When to Perform Threat Modeling

• Early in SDLC
• When introducing new changes
• New technologies implementation
• New regulatory compliance requirements
• Post-incident analysis
• Regular review cycles (annually or bi-annually)
• Significant architecture changes
• New threat intelligence availability

1.11 - Apply Supply Chain Risk Management (SCRM) concepts

Supply Chain Risks

• Product tampering: Malicious modification during manufacturing
• Counterfeits: Fake components with unknown security properties
• Implants: Hardware or software backdoors
• Substandard components: Poor quality affecting security
• Third-party dependencies: Risks from vendors and suppliers

Risk Mitigation Strategies

Third-party Assessment

• Vendor security assessments
• On-site evaluations
• Security questionnaires
• Compliance verification

Minimum Security Requirements

• Contractual security standards
• Technical specifications
• Compliance mandates
• Regular auditing

Service Level Requirements

• Availability guarantees
• Performance standards
• Security incident response times
• Breach notification requirements

Technical Controls

• Silicon Root of Trust: Hardware-based security foundation
• Physically Unclonable Function (PUF): Unique hardware identifiers
• Software Bill of Materials (SBOM): Inventory of software components

Monitoring and Oversight

• Continuous supplier monitoring
• Regular assessments
• Performance metrics
• Incident tracking

1.12 - Establish and maintain a security awareness, education, and training program

Program Development Steps

1. Evaluate current security posture

   • Understand organizational security limits
   • Identify training needs
   • Assess current awareness levels

2. Define program objectives

   • Align with business goals
   • Address identified gaps
   • Set measurable targets

3. Develop content and methods

4. Implement training programs

5. Evaluate effectiveness

Methods and Techniques

Social Engineering Awareness

• Phishing simulation exercises
• Pretexting scenarios
• Tailgating awareness
• Vishing (voice phishing) training

Training Methods

• Security Champions: Peer advocates in each department
• Gamification: Points, badges, competitions
• Interactive workshops: Hands-on exercises
• E-learning modules: Self-paced online training
• Simulations: Real-world scenario practice

Content Areas

Emerging Technologies

• Cryptocurrency: Security implications and risks
• Artificial Intelligence: AI security concerns and opportunities
• Blockchain: Distributed ledger security considerations
• IoT devices: Internet of Things security challenges
• Cloud computing: Shared responsibility models

Traditional Security Topics

• Password security
• Email security
• Physical security
• Data handling
• Incident reporting

Periodic Content Reviews

• Regular curriculum updates
• Emerging threat landscape
• New technology adoption
• Regulatory changes
• Lesson learned integration

Program Effectiveness Evaluation

Metrics

• Training completion rates
• Phishing simulation click rates
• Security incident reduction
• Knowledge retention testing
• Behavioral change indicators

Assessment Methods

• Pre/post training assessments
• Simulated attacks
• Surveys and feedback
• Incident analysis
• Performance indicators

Continuous Improvement

• Regular program review
• Stakeholder feedback
• Industry benchmarking
• Best practice adoption
• Resource optimization

Key Memorization Items

Risk Management Process

1. Identify assets and threats
2. Assess likelihood and impact
3. Calculate risk levels
4. Select risk treatment
5. Monitor and review

AAA Services

• Identification → Authentication → Authorization → Auditing → Accounting

CIA Triad Plus

• Confidentiality, Integrity, Availability, Authenticity, Non-repudiation

Investigation Types

• Administrative (lowest formality)
• Civil (preponderance of evidence)
• Criminal (beyond reasonable doubt)
• Regulatory (agency enforcement)

BCP Process

1. Project scope and planning
2. Business impact analysis
3. Continuity strategy development
4. Provisions and processes
5. Plan approval and implementation