CISSP - Risk and Governance
Disclaimer
These are my personal notes and not a complete course
Fundamental Principles of Security
- Availability: Reliable and timely access to data and resources is provided to authorized individuals
- Integrity: Accuracy and reliability of the information and systems are provided, and any unauthorized modification is prevented
- Confidentiality: The necessary level of secrecy is enforced and unauthorized disclosure is prevented
Security Definitions
- Vulnerability: A weakness, or the lack of a countermeasure
- Threat agent: An entity that can exploit a vulnerability
- Threat: The danger of a threat agent exploiting a vulnerability
- Risk: The probability of a threat agent exploiting a vulnerability, combined with the associated business impact
- Exposure: The presence of a vulnerability that leaves the organization open to a threat
- Control: A safeguard put in place to reduce a risk, also called a countermeasure
Control Types
- Administrative controls (policies, procedures, training, background checks)
- Technical controls (also called logical: access control, encryption, firewalls, logging)
- Physical controls (locks, guards, fences, cameras)
Control Functionalities
- Deterrent (discourages the attacker from attempting the action)
- Preventive (stops the incident from happening)
- Corrective (fixes the immediate cause after an incident)
- Recovery (restores the environment to normal operation)
- Detective (identifies that an incident has occurred or is occurring)
- Compensating (alternative control used when the primary control is not feasible)
Security Frameworks
- ISO 27000 series (information security management system standards; 27001 is the certifiable one)
- ITIL (IT service management best practices)
- TOGAF (enterprise architecture framework)
- DoDAF (US Department of Defense architecture framework)
- MODAF (UK Ministry of Defence architecture framework)
- COBIT (IT governance and control framework from ISACA)
Risk
We have assets that threat agents may want to take advantage of through vulnerabilities
- Identify and rank risks by their importance to the business
Risk Management
- Have a risk management policy
- Have a risk management team
- Start by doing risk assessments
Risk Assessment
- Identify the vulnerabilities our assets face
- Create a risk profile
- Main goals
  - Identify assets and their value to the organisation
  - Identify vulnerabilities and threats
  - Quantify or measure the business impact
  - Balance the cost of applying a countermeasure against the business impact it reduces
Risk Analysis Approaches
- Quantitative Risk Analysis (hard numbers: asset values, expected losses and control costs in CHF)
- Qualitative Risk Analysis (soft measures: opinion-based ratings such as low / medium / high)
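Added worked example, not part of the original notes: the quantitative formulas the CISSP material uses (SLE = AV x EF, ALE = SLE x ARO, and countermeasure value = ALE before - ALE after - annual cost of the control) next to a simple qualitative likelihood x impact rating. It ties together the "balance the countermeasure against the business impact" goal above and the two analysis approaches. The asset, its value, the exposure factors, occurrence rates and control costs are constructed sample figures in CHF, and the qualitative thresholds are an assumed example matrix, not a standard.

```python
"""Quantitative and qualitative risk analysis helpers (added example).

All figures below are constructed for illustration, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """One threat agent exploiting one vulnerability against one asset."""
    asset: str
    asset_value: float      # AV: value of the asset to the organisation, in CHF
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0 to 1.0
    aro: float              # ARO: expected number of occurrences per year


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and its effect on the scenario."""
    name: str
    annual_cost: float      # yearly cost: amortised purchase plus operation, in CHF
    new_aro: float          # ARO once the control is in place
    new_ef: float           # EF once the control is in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: expected loss from a single occurrence."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from this scenario."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(av, ef) * aro


def control_value(s: Scenario, c: Control) -> float:
    """Net yearly value of a control:
    (ALE before) - (ALE after) - (annual cost of the control).
    Positive means the control removes more expected loss than it costs."""
    before = annualized_loss_expectancy(s.asset_value, s.exposure_factor, s.aro)
    after = annualized_loss_expectancy(s.asset_value, c.new_ef, c.new_aro)
    return before - after - c.annual_cost


def choose_control(s: Scenario, options: List[Control]) -> Optional[Control]:
    """Return the option with the highest positive net value.
    None means every option costs more than the risk it removes, so the
    economically sound choices are to accept the risk or find a cheaper control."""
    best = max(options, key=lambda c: control_value(s, c), default=None)
    if best is None or control_value(s, best) <= 0:
        return None
    return best


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative analysis: rank on ordinal scales instead of CHF amounts.
    Both inputs run from 1 (rare / negligible) to 5 (almost certain / severe).
    The thresholds are an assumed example matrix, not a standard."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be between 1 and 5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Constructed sample data (assumed figures, not real ones).
CUSTOMER_DB = Scenario("customer database", asset_value=500_000,
                       exposure_factor=0.4, aro=0.1)
DB_CONTROLS = [
    Control("encryption at rest with managed keys", annual_cost=8_000,
            new_aro=0.02, new_ef=0.4),
    Control("dedicated 24x7 database security team", annual_cost=60_000,
            new_aro=0.01, new_ef=0.4),
]

if __name__ == "__main__":
    ale = annualized_loss_expectancy(CUSTOMER_DB.asset_value,
                                     CUSTOMER_DB.exposure_factor, CUSTOMER_DB.aro)
    print(f"{CUSTOMER_DB.asset}: ALE without controls = CHF {ale:,.0f}")
    for c in DB_CONTROLS:
        print(f"  {c.name}: net value CHF {control_value(CUSTOMER_DB, c):,.0f}/year")
    chosen = choose_control(CUSTOMER_DB, DB_CONTROLS)
    print("recommended:", chosen.name if chosen else "accept the risk")
    print("qualitative rating (likelihood 2, impact 5):", qualitative_rating(2, 5))
```

With the sample figures the database has an ALE of CHF 20,000; the encryption control brings it to CHF 4,000 for CHF 8,000 a year (net +8,000), while the dedicated team brings it to CHF 2,000 but costs CHF 60,000 (net -42,000), so only the first control is economically justified. The qualitative function shows the other approach: the same scenario is simply placed in a likelihood/impact matrix when no defensible CHF numbers exist.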
Implementations
- Policies (high-level statement of management intent)
- Standards (mandatory rules and activities, e.g. what regulatory compliance requires)
- Baselines (minimum level of security that every system must meet)
- Guidelines (recommendations, not mandatory)
- Procedures (step-by-step guide)