
CISSP Notes

Domain one: Security and risk management

All organizations must develop their security posture. Security posture is an organization’s
ability to manage its defence of critical assets and data and react to change. Elements of the
security and risk management domain that impact an organization's security posture
include:

• Security goals and objectives
• Risk mitigation processes
• Compliance
• Business continuity plans
• Legal regulations
• Professional and organizational ethics

Information security, or InfoSec, is also related to this domain and refers to a set of
processes established to secure information. An organization may use playbooks and
implement training as a part of their security and risk management program, based on their
needs and perceived risk. There are many InfoSec design processes, such as:

• Incident response
• Vulnerability management
• Application security
• Cloud security
• Infrastructure security

Domain two: Asset security

Asset security involves managing the cybersecurity processes of organizational assets,
including the storage, maintenance, retention, and destruction of physical and virtual data.
Because the loss or theft of assets can expose an organization and increase the level of risk,
keeping track of assets and the data they hold is essential. Conducting a security impact
analysis, establishing a recovery plan, and managing data exposure will depend on the level
of risk associated with each asset. Security analysts may need to store, maintain, and retain
data by creating backups to ensure they are able to restore the environment if a security
incident places the organization’s data at risk.

Domain three: Security architecture and engineering

This domain focuses on managing data security. Ensuring effective tools, systems, and
processes are in place helps protect an organization’s assets and data. Security architects
and engineers create these processes.

One important aspect of this domain is the concept of shared responsibility. Shared
responsibility means all individuals involved take an active role in lowering risk during the
design of a security system. Additional design principles related to this domain, which are
discussed later in the program, include:

• Threat modelling
• Least privilege
• Defence in depth
• Fail securely
• Separation of duties
• Keep it simple
• Zero trust
• Trust but verify

Domain four: Communication and network security

This domain focuses on managing and securing physical networks and wireless
communications. This includes on-site, remote, and cloud communications.

Organizations with remote, hybrid, and on-site work environments must ensure data
remains secure, but managing external connections to make certain that remote workers
are securely accessing an organization’s networks is a challenge. Designing network security
controls—such as restricted network access—can help protect users and ensure an
organization’s network remains secure when employees travel or work outside of the main
office.

Domain five: Identity and access management

The identity and access management (IAM) domain focuses on keeping data secure. It does
this by ensuring user identities are trusted and authenticated and that access to physical
and logical assets is authorized. This helps prevent unauthorized users, while allowing
authorized users to perform their tasks.

Essentially, IAM uses what is referred to as the principle of least privilege, which is the
concept of granting only the minimal access and authorization required to complete a task.
As an example, a cybersecurity analyst might be asked to ensure that customer service
representatives can only view the private data of a customer, such as their phone number,
while working to resolve the customer's issue; then remove access when the customer's
issue is resolved.
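The customer-service scenario above, worked as an added example that is not part of these notes: a representative is granted read access to one customer's contact fields only while a ticket naming that customer is open, the grant is limited to the fields needed and expires on its own, and closing the ticket revokes it. The `AccessBroker` class, the allowed-field list and the sample customer record are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

# Fields a representative may see while resolving an issue; everything else is denied.
ALLOWED_FIELDS = frozenset({"phone", "email"})

# Constructed sample record; "ssn" stands in for data a representative never needs.
CUSTOMERS = {
    "c-100": {"name": "A. Example", "phone": "555-0100",
              "email": "a@example.invalid", "ssn": "SAMPLE-NOT-REAL"},
}


@dataclass
class Grant:
    rep: str
    customer_id: str
    ticket_id: str
    expires_at: float                    # epoch seconds; a grant is never open-ended
    fields: frozenset = ALLOWED_FIELDS


@dataclass
class AccessBroker:
    """Issues and revokes ticket-scoped grants and answers access checks.

    The default answer is "no": a representative with no matching, unexpired
    grant for this customer and this field is denied, and the denial is logged.
    """
    grants: dict = field(default_factory=dict)   # ticket_id -> Grant
    audit_log: list = field(default_factory=list)

    def open_ticket(self, rep, customer_id, ticket_id, ttl_seconds=8 * 3600, now=None):
        now = time.time() if now is None else now
        # Time-box the grant so a forgotten ticket cannot turn into standing access.
        self.grants[ticket_id] = Grant(rep, customer_id, ticket_id, now + ttl_seconds)
        self.audit_log.append(("grant", rep, customer_id, ticket_id))

    def close_ticket(self, ticket_id):
        # Resolving the issue removes the access that came with it.
        g = self.grants.pop(ticket_id, None)
        if g is not None:
            self.audit_log.append(("revoke", g.rep, g.customer_id, ticket_id))

    def can_read(self, rep, customer_id, field_name, now=None):
        now = time.time() if now is None else now
        for g in self.grants.values():
            if (g.rep == rep and g.customer_id == customer_id
                    and field_name in g.fields and now < g.expires_at):
                return True
        self.audit_log.append(("deny", rep, customer_id, field_name))
        return False


def read_field(broker, rep, customer_id, field_name, now=None):
    """Return one field of a customer record, or raise if no grant covers it."""
    if not broker.can_read(rep, customer_id, field_name, now):
        raise PermissionError(f"{rep} may not read {field_name!r} of {customer_id}")
    return CUSTOMERS[customer_id][field_name]


if __name__ == "__main__":
    broker = AccessBroker()
    t0 = 1_700_000_000.0
    broker.open_ticket("rep1", "c-100", "T-1", now=t0)
    print(read_field(broker, "rep1", "c-100", "phone", now=t0))   # allowed while T-1 is open
    print(broker.can_read("rep1", "c-100", "ssn", now=t0))        # False: not a needed field
    broker.close_ticket("T-1")
    print(broker.can_read("rep1", "c-100", "phone", now=t0))      # False: access revoked
```

The audit log is the part an auditor would later ask for: every grant, revocation and denied read is recorded, so "who could see what, and why" can be answered after the fact.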

Domain six: Security assessment and testing

The security assessment and testing domain focuses on identifying and mitigating risks,
threats, and vulnerabilities. Security assessments help organizations determine whether
their internal systems are secure or at risk. Organizations might employ penetration testers,
often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat
actor.

This domain suggests that organizations conduct security control testing, as well as collect
and analyze data. Additionally, it emphasizes the importance of conducting security audits
to monitor for and reduce the probability of a data breach. To contribute to these types of
tasks, cybersecurity professionals may be tasked with auditing user permissions to validate
that users have the correct levels of access to internal systems.
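One way to carry out the permission audit this passage describes, as an added example that is not part of these notes: each user's actual grants are compared with the maximum access defined for their role, and anything beyond that baseline, anything missing from it, or an account with no role on record becomes a finding for the auditor. The role baseline, the user list and the exported grants are constructed sample data; a real run would read them from the identity provider and the systems being audited.

```python
# Constructed baseline: the maximum access each role should hold.
ROLE_BASELINE = {
    "customer_service": {"crm:read"},
    "billing_analyst": {"crm:read", "billing:read", "billing:export"},
    "sysadmin": {"crm:read", "crm:admin", "billing:read", "server:ssh"},
}

# Constructed: user -> role, as recorded by HR / the identity provider.
USERS = {
    "alice": "customer_service",
    "bob": "billing_analyst",
    "carol": "sysadmin",
    "dave": "customer_service",
}

# Constructed: user -> permissions actually found on the systems being audited.
ACTUAL_GRANTS = {
    "alice": {"crm:read"},
    "bob": {"crm:read", "billing:read", "billing:export", "server:ssh"},  # more than the role
    "carol": {"crm:read", "crm:admin", "billing:read"},                   # less than the role
    "dave": {"crm:read", "crm:admin"},                                    # more than the role
    "erin": {"crm:read"},                                                 # no role on record
}


def audit_permissions(users, baseline, actual):
    """Compare actual grants with the role baseline.

    Returns a list of findings; an empty list means every account matches its role.
    Excess permissions are the least-privilege violations; missing permissions and
    orphaned accounts are drift that the auditor should also explain.
    """
    findings = []
    for user, perms in sorted(actual.items()):
        role = users.get(user)
        if role is None:
            findings.append({"user": user, "issue": "orphaned_account",
                             "detail": sorted(perms)})
            continue
        allowed = baseline[role]
        excess = perms - allowed
        missing = allowed - perms
        if excess:
            findings.append({"user": user, "issue": "excess_permission",
                             "detail": sorted(excess)})
        if missing:
            findings.append({"user": user, "issue": "missing_permission",
                             "detail": sorted(missing)})
    return findings


def summarize(findings):
    """Count findings per issue type for the report to stakeholders."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_permissions(USERS, ROLE_BASELINE, ACTUAL_GRANTS)
    for f in results:
        print(f"{f['user']:6} {f['issue']:20} {', '.join(f['detail'])}")
    print(summarize(results))
```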

Domain seven: Security operations

The security operations domain focuses on the investigation of a potential data breach and
the implementation of preventative measures after a security incident has occurred. This
includes using strategies, processes, and tools such as:

• Training and awareness
• Reporting and documentation
• Intrusion detection and prevention
• SIEM tools
• Log management
• Incident management
• Playbooks
• Post-breach forensics
• Reflecting on lessons learned

Domain eight: Software development security

The software development security domain is focused on using secure programming
practices and guidelines to create secure applications. Having secure applications helps
deliver secure and reliable services, which helps protect organizations and their users.

Security must be incorporated into each element of the software development life cycle,
from design and development to testing and release. To achieve security, the software
development process must have security in mind at each step. Security cannot be an
afterthought.

Performing application security tests can help ensure vulnerabilities are identified and
mitigated accordingly. Having a system in place to test the programming conventions,
software executables, and security measures embedded in the software is necessary. Having
quality assurance and pen tester professionals ensure the software has met security and
performance standards is also an essential part of the software development process. For
example, an entry-level analyst working for a pharmaceutical company might be asked to
make sure encryption is properly configured for a new medical device that will store private
patient data.

Controls

Controls are used alongside frameworks to reduce the possibility and impact of a security
threat, risk, or vulnerability. Controls can be physical, technical, and administrative and are
typically used to prevent, detect, or correct security issues.

Examples of physical controls:

• Gates, fences, and locks
• Security guards
• Closed-circuit television (CCTV), surveillance cameras, and motion detectors
• Access cards or badges to enter office spaces

Examples of technical controls:

• Firewalls
• MFA
• Antivirus software

Examples of administrative controls:

• Separation of duties
• Authorization
• Asset classification

Additional OWASP security principles

Next, you’ll learn about four additional OWASP security principles that cybersecurity
analysts and their teams use to keep organizational operations and people safe.

Establish secure defaults

This principle means that the optimal security state of an application is also its default state
for users; it should take extra work to make the application insecure.

Fail securely

Fail securely means that when a control fails or stops, it should do so by defaulting to its
most secure option. For example, when a firewall fails it should simply close all connections
and block all new ones, rather than start accepting everything.
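The two principles above (establish secure defaults, and fail securely) in one added example that is not from these notes or from OWASP: a small, hypothetical firewall policy whose defaults are "deny everything", whose rule file must be explicitly edited to open anything, and whose loader falls back to that all-deny default when the rule file cannot be parsed instead of letting traffic through. The rule-line format, the `FirewallPolicy` class and the sample rule files are all constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallPolicy:
    """Secure default: no rules and a deny-all default action.

    Constructing FirewallPolicy() with no arguments is the locked-down state;
    an operator has to supply rules to open anything at all.
    """
    rules: tuple = ()                 # (ip_network, port) pairs that are allowed
    default_action: str = "deny"      # unlisted traffic is dropped


def parse_rules(lines):
    """Parse lines of the constructed form "allow <cidr> <port>".

    Blank lines and "#" comments are skipped. A malformed line raises ValueError
    rather than being silently ignored, so the caller must decide what to do.
    """
    rules = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "allow":
            raise ValueError(f"line {n}: malformed rule {line!r}")
        net = ipaddress.ip_network(parts[1], strict=False)
        port = int(parts[2])
        if not 0 < port < 65536:
            raise ValueError(f"line {n}: port out of range: {port}")
        rules.append((net, port))
    return tuple(rules)


def load_policy(lines):
    """Fail securely: a rule file that cannot be parsed yields the all-deny policy."""
    try:
        return FirewallPolicy(rules=parse_rules(lines))
    except ValueError:
        return FirewallPolicy()


def decide(policy, src_ip, dst_port):
    """Return "allow" or "deny" for one connection attempt."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "deny"            # unparsable input is never a reason to let traffic in
    for net, port in policy.rules:
        if addr.version == net.version and addr in net and port == dst_port:
            return "allow"
    return policy.default_action


# Constructed sample rule files.
SAMPLE_RULES = ["# web from the office range, SSH from one jump host",
                "allow 10.0.0.0/8 443",
                "allow 192.168.1.5/32 22"]
BROKEN_RULES = ["allow 10.0.0.0/8 443",
                "allow 10.0.0.0/8"]          # missing port: the whole file is rejected


if __name__ == "__main__":
    good = load_policy(SAMPLE_RULES)
    print(decide(good, "10.1.2.3", 443))                 # allow
    print(decide(good, "10.1.2.3", 22))                  # deny (not listed)
    print(decide(load_policy(BROKEN_RULES), "10.1.2.3", 443))  # deny (file rejected)
```

The deliberate choice is to reject the whole rule file, not just the bad line: accepting the remaining lines would leave the device running a policy nobody reviewed, and the operator finds out about the problem because traffic stops, not because something unexpected was let in.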

Don’t trust services

Many organizations work with third-party partners. These outside partners often have
different security policies than the organization does. And the organization shouldn’t
explicitly trust that their partners’ systems are secure. For example, if a third-party vendor
tracks reward points for airline customers, the airline should ensure that the balance is
accurate before sharing that information with their customers.
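The airline example above as an added example that is not from these notes: the vendor's reply is treated as untrusted input and is parsed, type-checked, range-checked, matched to the customer it was requested for, and cross-checked against the airline's own record of points it has issued before the balance is shown to anyone. The reply format, the plausibility ceiling and the sample replies are constructed, and the cross-check against an issued-points ledger is an assumption about what the airline itself knows.

```python
import json

# Constructed plausibility ceiling; a real value would come from the programme's rules.
MAX_PLAUSIBLE_BALANCE = 5_000_000


def validate_balance_response(raw, customer_id, points_issued):
    """Check a third-party balance reply before using it.

    Returns (ok, balance, reason). `points_issued` is the airline's own count of
    points ever granted to this customer; no vendor can legitimately report more.
    """
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return False, None, "unparsable response"
    if not isinstance(data, dict):
        return False, None, "response is not an object"
    if data.get("customer_id") != customer_id:
        return False, None, "response is for a different customer"
    balance = data.get("balance")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(balance, bool) or not isinstance(balance, int):
        return False, None, "balance is not an integer"
    if not 0 <= balance <= MAX_PLAUSIBLE_BALANCE:
        return False, None, "balance outside plausible range"
    if balance > points_issued:
        return False, None, "balance exceeds points the airline has issued"
    return True, balance, "ok"


# Constructed sample replies from the hypothetical vendor.
SAMPLE_REPLIES = {
    "good":       '{"customer_id": "c-100", "balance": 12000}',
    "string":     '{"customer_id": "c-100", "balance": "12000"}',
    "negative":   '{"customer_id": "c-100", "balance": -5}',
    "inflated":   '{"customer_id": "c-100", "balance": 900000}',
    "other_cust": '{"customer_id": "c-999", "balance": 12000}',
    "garbage":    '<html>Service Unavailable</html>',
}


if __name__ == "__main__":
    points_issued_to_c100 = 50_000        # constructed value from the airline's own ledger
    for name, reply in SAMPLE_REPLIES.items():
        ok, balance, reason = validate_balance_response(reply, "c-100", points_issued_to_c100)
        print(f"{name:10} ok={ok!s:5} balance={balance} ({reason})")
```

Every rejection returns a reason rather than raising, so the caller can log which check the partner's data failed; that log is what tells the airline whether it is looking at a vendor bug, a stale feed, or something worse.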

Avoid security by obscurity

The security of key systems should not rely on keeping details hidden. Consider the
following example from OWASP (2016):

The security of an application should not rely on keeping the source code secret. Its security
should rely upon many other factors, including reasonable password policies, defense in
depth, business transaction limits, solid network architecture, and fraud and audit controls.

Internal Audit

Internal security audits help security teams identify organizational risk, assess controls, and
correct compliance issues.

Some common elements of internal audits include:

• Establishing the scope and goals of the audit
• Conducting a risk assessment of the organization's assets
• Completing a controls assessment
• Assessing compliance
• Communicating results to stakeholders

Establishing the scope and goals of the audit:

Scope requires organizations to identify people, assets, policies, procedures, and
technologies that might impact an organization's security posture. Goals are an outline of
the organization's security objectives, or what they want to achieve in order to improve
their security posture.

Audit questions

• What is the audit meant to achieve?
• Which assets are most at risk?
• Are current controls sufficient to protect those assets?
• If not, what controls and compliance regulations need to be implemented?

Considering questions like these can support your ability to complete the next element: a
controls assessment.

A controls assessment involves closely reviewing an organization's existing assets, then
evaluating potential risks to those assets, to ensure internal controls and processes are
effective. To do this, entry-level analysts might be tasked with classifying controls into the
following categories:

• Administrative controls
• Technical controls
• Physical controls

Administrative controls are related to the human component of cybersecurity. They include
policies and procedures that define how an organization manages data, such as the
implementation of password policies.

Technical controls are hardware and software solutions used to protect assets, such as the
use of intrusion detection systems, or IDSs, and encryption.

Physical controls refer to measures put in place to prevent physical access to protected
assets, such as surveillance cameras and locks.

The final common element of an internal security audit is communication.

Security audits

A security audit is a review of an organization's security controls, policies, and procedures
against a set of expectations. Audits are independent reviews that evaluate whether an
organization is meeting internal and external criteria.

• Internal criteria include outlined policies, procedures, and best practices.
• External criteria include regulatory compliance, laws, and federal regulations.

Factors that affect audits

Factors that determine the types of audits an organization implements include:

• Industry type
• Organization size
• Ties to the applicable government regulations
• A business’s geographical location
• A business decision to adhere to a specific regulatory compliance

Audit checklist

It’s necessary to create an audit checklist before conducting an audit. A checklist is generally
made up of the following areas of focus:

Identify the scope of the audit.

• The audit should:
  o List assets that will be assessed (e.g., firewalls are configured correctly, PII is
    secure, physical assets are locked, etc.)
  o Note how the audit will help the organization achieve its desired goals.
  o Indicate how often an audit should be performed.
  o Include an evaluation of organizational policies, protocols, and procedures to
    make sure they are working as intended and being implemented by employees.

Complete a risk assessment.

• A risk assessment is used to evaluate identified organizational risks related to
  budget, controls, internal processes, and external standards (i.e., regulations).

Conduct the audit.

• When conducting an internal audit, you will assess the security of the identified
  assets listed in the audit scope.

Create a mitigation plan.

• A mitigation plan is a strategy established to lower the level of risk and potential
  costs, penalties, or other issues that can negatively affect the organization’s security
  posture.

Communicate results to stakeholders.

• The end result of this process is providing a detailed report of findings, suggested
  improvements needed to lower the organization's level of risk, and compliance
  regulations and standards the organization needs to adhere to.

Control types

Control types include, but are not limited to:

1. Preventative
2. Corrective
3. Detective
4. Deterrent

These controls work together to provide defence in depth and protect assets.

Preventative controls are designed to prevent an incident from occurring in the first
place.
Corrective controls are used to restore an asset after an incident.
Detective controls are implemented to determine whether an incident has occurred or is in
progress.
Deterrent controls are designed to discourage attacks.

More Resources:
Control types
Disaster Recovery Plan

Playbooks

A playbook is a manual that provides details about any operational action.

Playbooks also clarify what tools should be used in response to a security
incident. In the security field, playbooks are essential.

Playbooks ensure that people follow a consistent list of actions in a prescribed way,
regardless of who is working on the case.

Incident response is an organization's quick attempt to identify an attack, contain the
damage, and correct the effects of a security breach.

Playbooks are generally used alongside SIEM tools. If, for example, unusual user behavior
is flagged by a SIEM tool, a playbook provides analysts with instructions about how to
address the issue.

An incident response playbook is a guide with six phases used to help mitigate and manage
security incidents from beginning to end:

• Preparation
• Detection & Analysis
• Containment
• Eradication & Recovery
• Post-incident activity
• Coordination

Scottish government playbook template

GRC Notes

A manager’s tasks can be broken down into five principal areas:

• Planning
• Organizing
• Staffing
• Directing
• Controlling

Planning involves developing, creating, and implementing strategies to help the organization
meet its goals. Planning can be broken down into three levels:

• Strategic - Strategic planning is designed to lead the entire organization over a long
  period of time.
• Tactical - Tactical planning is designed to guide a portion of the organization for a
  shorter period of time.
• Operational - Operational planning structures the day-to-day operations of a small
  group within the organization, like a department.

Cybersecurity professionals can be grouped into three types based on their focus and
expertise:

• Those that define cybersecurity - This group consists of the senior executives
  and managers that handle planning, policy, and risk management.
• Those that build cybersecurity - This group consists of the engineers, programmers,
  and other technical specialists that create security solutions.
• Those that administrate or operate cybersecurity - This group consists of the
  cybersecurity managers and analysts responsible for the day-to-day monitoring and
  operations of the cybersecurity program. This category includes firewall, VPN, and
  IDPS administrators, security operations centre staff, incident response teams, and
  pretty much everyone else in the organization who doesn't fall into one of the
  previous two categories.

There are two main tools the organization can use to help its employees:

• Training programs
• Awareness programs

These are part of a set of programs known as SETA or CyberSETA (Education, Training &
Awareness) programs.

CyberSETA programs offer three major benefits:

• They can help improve employee behaviour.
• They can teach members of the organization how and where to report policy
  violations.
• They can help the organization make employees responsible and accountable for
  their actions.

The approach of making cybersecurity the responsibility and direction of the upper levels of
management, including any boards of directors, is called governance.

A standard is a more detailed statement of what must be done to comply with a policy.
Guidelines are recommendations the user may want to follow to help comply with a policy.
A procedure is a defined set of steps taken to comply with a policy or with a practice (or
rather, a best practice).

SysSPs are policies designed to guide the configuration of an organization's technology.
They provide guidance on how to implement the technology so that it benefits the
organization and doesn't interfere with operations.
