Week 1 CISSP Study Group

This document provides information about a live exam study series for the CISSP certification. Week 1 will focus on exam preparation strategy and Domain 1. The agenda includes an overview of exam format and content, exam prep materials, and changes in the 2024 exam. Attendees can submit questions and will receive recordings and study recommendations. The instructor is an experienced cybersecurity professional who aims to help students efficiently prepare through proven learning techniques.


CISSP EXAM CRAM

LIVE EXAM STUDY SERIES


WEEK 1 (DOMAIN 1): Jan 17, 2024

Exam Prep Strategy


Coverage of Domain 1
Weekly homework, Q & A

with Pete Zerger vCISO, CISSP, MVP


Agenda – week 1
What to expect on the exam
Exam Prep Strategy
Exam Prep Materials (must-have and nice-to-have)
What's new in the 2024 exam?
DOMAIN 1 Highlights and Drilldown
BONUS: The READ strategy for answering tough exam questions

Session recording and recommended study activities for the week will be shared at the end of each session.
Agenda – week 1
Exam prep strategy and materials are unique to week 1 of this study series.
It will repay you many times over in time saved, FAQs answered, and frustration avoided.
Questions: I will provide a form where you can submit questions, so I can compile FAQs for group benefit.
WHO AM I?
Cybersecurity Strategist
vCISO for a regional bank
Speaker and Author
18-time Microsoft MVP
LinkedIn Learning Instructor
Content Developer (YouTube)
I N T R O D U C T I O N : CISSP EXAM DOMAINS

DOMAIN                                      2021   2024
1. Security and Risk Management              15%    16%
2. Asset Security                            10%    10%
3. Security Architecture and Engineering     13%    13%
4. Communication and Network Security        13%    13%
5. Identity and Access Management            13%    13%
6. Security Assessment and Testing           12%    12%
7. Security Operations                       13%    13%
8. Software Development Security             11%    10%
No impact to exam prep strategy


About the CAT exam FORMAT

Starting April 15th, 2024:
3 hours, 100-150 questions (CAT exam)
Adapts based on your answers
Aims for 50-50 probability
Answers are final! No going back
Many think this makes the CAT exam more difficult!
About the CAT exam FORMAT

70% to pass the exam
Some questions are not scored
Only pass/fail reported
You can fail a domain and still pass the exam, but probability is low

Current CAT exam (before April 15)

Before April 15th, 2024:
Current CISSP CAT exam contains 50 pretest (unscored) items
Exam is 4 hours, 125-175 questions

Syllabuses for 2021 and 2024 exams are very similar
CISSP EXAM CRAM
THE COMPLETE COURSE
GET CERTIFIED FAST!
Coverage of all 8 domains
Strategy guidance
Proven learning techniques

with Pete Zerger vCISO, CISSP, MVP


About CISSP EXAM CRAM VIDEOS
GOAL: To help you get further, faster in your CISSP exam prep!

This series gets right to the point and eliminates the fluff!
Focuses on key characteristics of each concept to help you identify right (and wrong) answers on exam day.
Content utilizes several proven learning methods to accelerate your learning.
I will share techniques you can apply in your study.

PACE: I intentionally speak at 115-125 words a minute.
If English is not your first language, this may be perfect!
If English is your 1st language, 1.25x may be better for you.
About CISSP EXAM CRAM VIDEOS
GOAL: To help you get further, faster in your CISSP exam prep!

High probability exam topics
High difficulty concepts
Frequent sources of questions
Areas that require process memorization

I want to direct your focus to high probability and high difficulty topics to optimize your prep!
A PDF copy of the presentation is available in the video description!


Use as a study aid to read through or live quiz with a study partner!

CISSP EXAM CRAM
THE COMPLETE COURSE

Table of contents links to any topic in the video available in the “pinned comment” below the video.

Link to additional resources, FAQs, exam updates, and errata in the description beneath the video.
testimonials
What are other learners saying?

I recently (provisionally) passed my CISSP on first attempt with 100 questions taking 2 hours. Your YouTube videos were absolutely invaluable!
~QSECOFR

This was so helpful. I feel I owe you more than a "like" and a "share"!
~Kris K

Your “Think like a manager” was the single most important video that I watched in preparation for taking the CISSP exam.
~FB

Great videos. Excellent presentation. Perfect study companion to the ISC2 book.
~Mike R

Passed CISSP today, crammed through these 8 videos 2 days before. Was a great refresher!
~Tony B


CISSP Exam Cram
Supplemental sessions

All captured in the CISSP Exam Cram playlist!

You are expected to know quantitative risk formulas for the exam…and how to use them!
Laws and regulations focus almost entirely on US law, but expect coverage of GDPR.
Questions may drop you into the middle of a process and test your knowledge of order.
Understanding countermeasures can help a CISO understand how to respond to threats.
Many candidates cite this video as one of the keys to their success.
I N T R O D U C T I O N : CISSP EXAM DOMAINS
New in 2024 – a summary
The new syllabus for CISSP 2024 is not much different from the earlier version of 2021.

1. NO CHANGE in EXPERIENCE REQUIREMENTS
2. NO CHANGE in NUMBER OF DOMAINS (content in some domains has been expanded)
3. ALMOST NO CHANGE in DOMAIN WEIGHTS
4. NO MAJOR CHANGE in LINEAR EXAM INFORMATION
5. NO CHANGE in number of questions on CAT EXAM

In 2024, a few new topics have been introduced in some of the domains to keep up with the changing times.

GREATER EXAM FOCUS for existing topics?
Some existing topics may be getting more attention!
Topics evolve over time, so this is expected!
What’s new in 2024? A breakdown by domain

DOMAIN 1
Sustaining security governance principles (1.3)
SABSA is new
COBIT, FedRAMP, and SABSA called out in syllabus (1.3.3) in 2024 exam
External dependencies for business continuity (1.7.2)
Issues related to privacy regulations like GDPR, CCPA, etc. (1.4.5)
Supply chain risk management concepts (1.11)
Periodic content reviews to include emerging technologies, like
cryptocurrency, AI, blockchain in security awareness training (1.12.2)

DOMAIN 2
No new major topics
What’s new in 2024? A breakdown by domain

DOMAIN 3
Secure access service edge (3.1.11)
Information system lifecycle management (3.10)

DOMAIN 4
IP version 6 (IPv6) (4.1.2)
Virtual private cloud (VPC) (4.1.17), due to growth in cloud
Monitoring and management concepts (4.1.18)

DOMAIN 5
No new major topics
What’s new in 2024? A breakdown by domain

DOMAIN 6
No new major topics

DOMAIN 7
Security orchestration, automation and response (SOAR) (7.2.3)

DOMAIN 8
Scaled Agile Framework (8.1.1)
Software composition analysis (8.2.9)
Interactive application security testing (IAST) (8.2.9)
Complementary to DAST and SAST, covered in 2021 exam
There is no AWARD for the longest STUDY TIME!
CISSP EXAM CRAM
THE COMPLETE COURSE

STRATEGY
Must-have (required) resources
CISSP
EXAM STUDY GUIDE
& PRACTICE TESTS BUNDLE

1,000 practice questions + 4 practice exams



Link in the meeting chat

FAQ: How do I access the online resources that come with the CISSP Official Study Guide and Practice Tests Bundle?
YouTube video link will be sent in the post-session email


CISSP EXAM CRAM
THE COMPLETE COURSE

STRATEGY
Nice-to-have (optional) resources
Exam Flashcards
from Inside Cloud and Security

Certification Station
Discord Community for exam candidates

Nice-to-have (optional):
Per-domain progress tracking
Multiple quiz modes
Build-your-own (choose domains)
Includes a mobile app
Priced at ~$21 USD per month
Link in the follow-up email

Nice-to-have (optional)
Exam Flashcards
from Inside Cloud and Security

Nice-to-have (optional)
Over 1,100 cards, curated by experts
Choose to study domain or category
Covers exam glossary & acronyms
Works on any desktop or mobile

Features include:
✓ Flag for review
✓ Bite-size sessions (choose your card count)
✓ OSG study reference
✓ Additional reading
✓ Exam Tips (when necessary)
✓ Access from any mobile browser
✓ Login with your preferred social ID
✓ $5 USD per month (billed quarterly)

Link in the follow-up email


Why are expensive 5-day bootcamps not a great idea?
How long does it take to memorize anything?

TO MEMORIZE QUICKLY
1st repetition: Right after learning
2nd repetition: After 15-20 min
3rd repetition: After 6-8 hours
4th repetition: After 24 hours
5th repetition: After 48 hours

TO MEMORIZE FOR A LONG TIME
1st repetition: Right after learning
2nd repetition: After 20-30 min
3rd repetition: After 1 day
4th repetition: After 2-3 weeks
5th repetition: After 2-3 months

THE POWER OF REPETITION: spaced repetition
[Figure: Spaced Repetition. Forgetting curve plotted across the 1st, 2nd and 3rd study sessions (axis labels: 20 min, 24 hours, 1 week); the forgetting curve gets longer and shallower with repetition.]
MEMORIZING VS UNDERSTANDING

UNDERSTANDING CONCEPTS
Studies show understanding BEFORE you memorize greatly improves retention.

MNEMONIC device
A mnemonic, or memory device, is a learning technique that makes memorizing information easier.
A common technique is the expression mnemonic, aka an acronym.
The best mnemonic devices are simple, relevant, and visual.
We’ll start with an example using a first letter mnemonic.
THE OSI MODEL

Read 1→7        Read 1→7 (alt)   Layer              Read 7→1
Away            Aside            7  Application     All
Pizza           Processes        6  Presentation    People
Sausage         Security         5  Session         Seem
Throw           Toss             4  Transport       To
Not             Not              3  Network         Need
Do              Do               2  Data Link       Data
Please          Please           1  Physical        Processing
INCIDENT MANAGEMENT framework
1 Detection
2 Response
3 Mitigation
4 Reporting
5 Recovery
6 Remediation
7 Lessons Learned

First-letter mnemonic: DRMRRRL
MNEMONIC device: chunking
Chunking is a technique of breaking info into smaller pieces that make sense.

cryptography
Asymmetric | Symmetric | Hashes | Block ciphers
Break into “chunks” based on a unique property.


cryptography

NAME        TYPE   HASH VALUE LENGTH          STILL IN USE?   REPLACED BY
HMAC        Hash   Variable                   Very Strong     -
HAVAL       Hash   128, 160, 192, 224, 256
MD2         Hash   128                        No              MD6, et al.
MD4         Hash   128                        No              MD6, et al.
MD5         Hash   128                        No              MD6, et al.
SHA-1       Hash   160                        No              SHA-2
SHA-224*    Hash   224                        Yes             -
SHA-256*    Hash   256                        Yes             -
SHA-384*    Hash   384                        Yes             -
SHA-512*    Hash   512                        Yes             -

MD = Message Digest hash algorithms; SHA = Secure Hash Algorithm.
* SHA-224, SHA-256, SHA-384 and SHA-512 are the SHA-2 family (the replacement for SHA-1).
80/20 STRATEGY
TARGETED READING
POWERPOINT REVIEW
PRACTICE EXAM
LIVE QUIZ (or flashcards)

HOW to best use the PRACTICE quizzes to assess your EXAM readiness?

S T U D Y G U I D E : CHAPTER-TO-DOMAIN MAPPINGS

DOMAIN                                     CHAPTERS
1. Security and Risk Management            1-4
2. Asset Security                          5
3. Security Architecture and Engineering   6-10
4. Communication and Network Security      11-12
5. Identity and Access Management          13-14
6. Security Assessment and Testing         15
7. Security Operations                     16-19
8. Software Development Security           20-21

Use multiple sources:
TARGETED READING
POWERPOINT REVIEW
PRACTICE EXAM
LIVE QUIZ (or flashcards)
VIDEO CONTENT
THE “READ” Strategy
REVIEW – ELIMINATE – ANALYZE – DECIDE
An easy-to-remember strategy for choosing the correct answer on the CISSP exam.

REVIEW
GOAL: Find "What is the core issue you are solving for?"
Read through the details of:
✓ What is being asked?
✓ Requirements and context?
✓ Is a process or framework being referenced specifically?

ELIMINATE
GOAL: Find “Which answers are definitely not correct?”
Identify and remove:
✓ Unimportant details (distractors)
✓ Wrong answers
This step will often eliminate 1 or 2 answers immediately!

ANALYZE
GOAL: Prioritize solution requirements based on context.
Identify:
✓ All requirements (there may be one or multiple)
✓ Sort requirements in priority order
TIPS for this step:
Remember CISO priorities:
1. Human safety
2. Keep the business running securely
3. Managing risk, while exercising due diligence and due care
REMEMBER: As a leader, “call an outside expert” is an option!

DECIDE
GOAL: Select the best answer (based on the previous steps)
For the remaining answers:
✓ Evaluate each answer by itself.
✓ Identify why you do/don't like each
Be wary of answers that call for a technical (hands-on) response
CISSP EXAM CRAM
THE COMPLETE COURSE

Security and Risk Management
D O M A I N 1 : SECURITY & RISK MANAGEMENT

Exam Outline
1.1 Understand and apply concepts of confidentiality,
integrity and availability aka “the CIA triad”
1.2 Evaluate and apply security governance principles
1.3 Determine compliance requirements
1.4 Understand legal and regulatory issues that pertain to
information security in a global context
1.5 Understand, adhere to, and promote professional ethics
1.6 Develop, document, and implement security policy,
standards, procedures, and guidelines
D O M A I N 1 : SECURITY & RISK MANAGEMENT

1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security
policies and procedures
1.9 Understand and apply risk management concepts
1.10 Understand and apply threat modeling concepts
and methodologies
1.11 Apply risk-based management concepts to the
supply chain
1.12 Establish and maintain a security awareness,
education, and training program
D O M A I N 1 : SECURITY & RISK MANAGEMENT

Some key areas:


Understand risk and apply risk analysis process
Threat modeling concepts and processes
Compliance, legal, regulatory, and privacy
Professional ethics – Know the ISC2 code by heart
Security governance principles (ITIL, oversight)
Security policies, standards, procedures and
guidelines (know “suggested” vs. “mandatory”)
what’s new in domain 1 in 2021?

1.1 Understand, adhere to, and promote professional ethics

This is a non-event.

For more cybersecurity exam prep tutorials, follow us on Youtube at Inside Cloud and Security
D O M A I N 1 : SECURITY & RISK MANAGEMENT

KNOW

BY HEART!
D O M A I N 1 : SECURITY & RISK MANAGEMENT

Confidentiality
Integrity
Availability

Confidentiality
Access controls help ensure that only authorized subjects can access objects

Integrity
Ensures that data or system configurations are not modified without authorization

Availability
Authorized requests for objects must be granted to subjects within a reasonable amount of time
D O M A I N 1 : ISC2 CODE OF ETHICS

Memorize the ISC2 code of ethics

1. Protect society, the commonwealth, and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession
D O M A I N 1 : SECURITY POLICY DEVELOPMENT

There are four levels of security policy development:

Security procedures: Detailed step-by-step
Security guidelines: Offer recommendations
Security baselines: Define “minimum levels”
Acceptable use policy: Assign roles and responsibilities

FOR THE EXAM: When developing new safeguards, you are establishing a new baseline…so, compliance with existing baselines is not a valid consideration point.
D O M A I N 1 : RISK CATEGORIES

Risk Categories
Category is a group of potential causes of risk.
Damage. Results in physical loss of an asset or the inability to access the asset.
Disclosure. Disclosing critical information regardless of where or how it was disclosed.
Losses. These might be permanent or temporary, including altered data or inaccessible data.
D O M A I N 1 : RISK FACTORS

Risk Factors
Something that increases risk or susceptibility
Physical damage. Natural disaster, power loss or vandalism.
Malfunctions. Failure of systems, networks, or peripherals.
Attacks. Purposeful acts whether from the inside or outside, such as unauthorized disclosure.
D O M A I N 1 : SECURITY PLANNING

Security Planning
Should include three types of plans
Strategic. Long term, stable plan that should include a risk assessment. (5-yr horizon, annual updates)
Tactical. Midterm plan developed to provide more details on goals of the strategic plan. (usually ~1 year)
Operational. Short-term, highly detailed plan based on the strategic and tactical plans. (monthly, quarterly)
D O M A I N 1 : RESPONSE TO RISK

Response to Risk
Risk Acceptance. Do nothing, and you must accept the risk and potential loss if threat occurs.
Risk Mitigation. You do this by implementing a countermeasure and accepting the residual risk.
Risk Assignment. Transfer (assign) risk to a 3rd party, like by purchasing insurance against damage.
Risk Avoidance. When costs of mitigating or accepting are higher than benefits of the service.

D O M A I N 1 : RESPONSE TO RISK

Response to Risk (cont.)
Risk Deterrence. Implementing deterrents to would-be violators of security and policy.
Risk Rejection. An unacceptable possible response to risk is to reject risk or ignore risk.

REMEMBER:
Handling risk is not a one-time process!
D O M A I N 1 : RISK MANAGEMENT FRAMEWORK

The primary risk management framework referenced in CISSP is NIST 800-37
D O M A I N 1 : RISK MANAGEMENT FRAMEWORK

From the CISSP Study Guide

Consider the following RMFs “for use in the real world”:

OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
FAIR: Factor Analysis of Information Risk
TARA: Threat Agent Risk Assessment
D O M A I N 1 : RISK MANAGEMENT FRAMEWORK

“7 steps of NIST 800-37”
1. Prepare to execute the RMF
2. Categorize information systems
3. Select security controls
4. Implement security controls
5. Assess the security controls
6. Authorize the system
7. Monitor security controls
FOR THE EXAM: You should remember that not every risk can be mitigated.
FOR THE EXAM: It is management’s job to decide how that risk is handled.
FOR THE EXAM: When multiple priorities present, human safety is most important.
FOR THE EXAM: When legal issues are involved, “call an attorney” is a valid choice.
D O M A I N 1 : TYPES OF RISK

Residual
Inherent
Total

Residual Risk
The risk that remains even with all conceivable safeguards in place.
The risk that management has chosen to accept rather than mitigate.

Inherent Risk
Newly identified risk not yet addressed with risk management strategies.
The amount of risk that exists in the absence of controls.

Total Risk
The amount of risk an organization would face if no safeguards were implemented.

Residual = AFTER safeguards
Inherent = BEFORE safeguards
Total = WITHOUT safeguards

FOR THE EXAM: Be able to explain total risk, residual risk, and controls gap.

FOR THE EXAM: FORMULAS
To calculate TOTAL RISK, know this formula:
threats * vulnerabilities * asset value = total risk

RISK can be defined as follows:
risk = threat * vulnerability
D O M A I N 1 : RISK ANALYSIS

RISK ANALYSIS
Two ways to evaluate risk to assets: qualitative and quantitative

QUANTITATIVE
Assigns a dollar value to evaluate effectiveness of countermeasures
OBJECTIVE
D O M A I N 1 : RISK ANALYSIS STEPS

Risk Analysis Steps
The six major steps in quantitative risk analysis:
1. Inventory assets and assign a value (asset value, or AV).
2. Identify threats. Research each asset and produce a list of all
possible threats of each asset. (and calculate EF and SLE)
3. Perform a threat analysis to calculate the likelihood of each threat
being realized within a single year. (the ARO)
4. Estimate the potential loss by calculating the annualized loss
expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the
changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each
threat for each asset.
D O M A I N 1 : RISK ANALYSIS

QUALITATIVE
Uses a scoring system to rank threats and effectiveness of countermeasures
SUBJECTIVE
D O M A I N 1 : RISK ANALYSIS

DELPHI TECHNIQUE
An anonymous feedback-and-response
process used to arrive at a consensus.
D O M A I N 1 : RISK ANALYSIS

Should also consider:

Loss potential
What would be lost if the threat agent is successful in exploiting a vulnerability.

Delayed loss
This is the amount of loss that can occur over time.

D O M A I N 1 : RISK ANALYSIS

THREAT AGENTS are what cause the threats by exploiting vulnerabilities.
D O M A I N 1 : CALCULATING RISK

Terms and formulas:
Important elements in quantifying potential loss:
exposure factor (EF)
single loss expectancy (SLE)
annualized rate of occurrence (ARO)
annualized loss expectancy (ALE)
Safeguard evaluation
D O M A I N 1 : CALCULATING RISK

Exposure Factor (EF)
Percentage of loss that an organization would experience if a specific asset were violated by a realized risk

D O M A I N 1 : CALCULATING RISK

Single Loss Expectancy (SLE)
Represents the cost associated with a single realized risk against a specific asset

SLE = Asset Value (AV) X Exposure Factor (EF)

    AV         X   EF          =   SLE
  $100,000     X   .3 (30%)    =   $30,000
D O M A I N 1 : CALCULATING RISK

Annualized Rate of Occurrence (ARO)
The expected frequency with which a specific threat or risk will occur within a single year.

D O M A I N 1 : CALCULATING RISK

Annualized Loss Expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset.

ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

D O M A I N 1 : CALCULATING RISK

ALE Example
Office Building = $200,000
Hurricane damage estimate 50%
Hurricane probability is one every 10 years (10%)

(AV x EF = SLE)    $200,000 x .50 = $100,000
(SLE x ARO = ALE)  $100,000 x .10 = $10,000  → value of the safeguard (annually)
D O M A I N 1 : CALCULATING RISK

Safeguard Evaluation
Good security controls mitigate risk, are transparent to users, difficult to bypass, and are cost effective
D O M A I N 1 : CALCULATING RISK

Safeguard Evaluation
ALE before safeguard – ALE after safeguard – annual cost of safeguard = value of safeguard

value of safeguard = ALE1 – ALE2 – ACS
D O M A I N 1 : CONTROLS

Controls Gap
The amount of risk reduced by implementing safeguards

total risk – controls gap = residual risk


QUANTITATIVE RISK ANALYSIS: JUST THE FORMULAS!
CISSP EXAM CRAM: real-world example available!
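The formulas above (SLE = AV x EF, ALE = SLE x ARO, value of safeguard = ALE1 – ALE2 – ACS, total risk – controls gap = residual risk) carried through the six quantitative risk analysis steps on the slide's hurricane example, as an added Python example that is not part of the original deck; the candidate safeguards, their annual costs and their post-control EF/ARO values are constructed assumptions, only the $200,000 building, 50% damage estimate and one-in-ten-years ARO come from the slide.

```python
"""Quantitative risk analysis: the CISSP Domain 1 formulas worked in code.

  SLE = AV x EF                      (single loss expectancy)
  ALE = SLE x ARO                    (annualized loss expectancy)
  value of safeguard = ALE1 - ALE2 - ACS
  total risk - controls gap = residual risk   (all expressed as ALE here)
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    """One threat against one asset (steps 1-3: asset value, threat, likelihood)."""
    name: str
    asset_value: float          # AV, in dollars
    exposure_factor: float      # EF, fraction of AV lost per occurrence (0.0 - 1.0)
    aro: float                  # annualized rate of occurrence

    def __post_init__(self) -> None:
        # An EF outside 0..1 or a negative AV/ARO is a data-entry error, not a risk.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Cost of a single realized occurrence, rounded to cents."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Expected yearly cost of this threat (step 4)."""
        return round(self.sle() * self.aro, 2)


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and the threat parameters it changes (step 5)."""
    name: str
    annual_cost: float          # ACS: annual cost of the safeguard
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place

    def apply(self, threat: Threat) -> Threat:
        return Threat(threat.name, threat.asset_value, self.new_exposure_factor, self.new_aro)


def safeguard_value(before: Threat, safeguard: Safeguard) -> float:
    """value of safeguard = ALE1 - ALE2 - ACS (step 6, cost/benefit)."""
    return round(before.ale() - safeguard.apply(before).ale() - safeguard.annual_cost, 2)


def controls_gap(before: Threat, safeguard: Safeguard) -> float:
    """Annualized risk removed by implementing the safeguard."""
    return round(before.ale() - safeguard.apply(before).ale(), 2)


def residual_risk(before: Threat, safeguard: Safeguard) -> float:
    """total risk - controls gap = residual risk (the ALE management still carries)."""
    return round(before.ale() - controls_gap(before, safeguard), 2)


def worth_implementing(before: Threat, safeguard: Safeguard) -> bool:
    """A control is cost-effective only when it returns more than it costs."""
    return safeguard_value(before, safeguard) > 0


def best_safeguard(threat: Threat, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Highest-value candidate, or None when accepting the risk is cheaper than any control."""
    ranked = sorted(candidates, key=lambda s: safeguard_value(threat, s), reverse=True)
    return ranked[0] if ranked and worth_implementing(threat, ranked[0]) else None


# Slide example: $200,000 office building, 50% hurricane damage, one hurricane per 10 years.
HURRICANE = Threat("hurricane", asset_value=200_000, exposure_factor=0.50, aro=0.10)

# Constructed candidate controls (not from the slide): shutters cut the damage per event;
# relocating inland cuts the frequency but costs more every year than it saves.
SHUTTERS = Safeguard("storm shutters", annual_cost=3_000, new_exposure_factor=0.20, new_aro=0.10)
RELOCATE = Safeguard("relocate inland", annual_cost=9_000, new_exposure_factor=0.50, new_aro=0.02)


if __name__ == "__main__":
    print(f"SLE = ${HURRICANE.sle():,.2f}, ALE = ${HURRICANE.ale():,.2f}")
    for sg in (SHUTTERS, RELOCATE):
        print(f"{sg.name}: value = ${safeguard_value(HURRICANE, sg):,.2f}, "
              f"residual ALE = ${residual_risk(HURRICANE, sg):,.2f}")
    choice = best_safeguard(HURRICANE, [SHUTTERS, RELOCATE])
    print("recommend:", choice.name if choice else "accept the risk")
```

A negative safeguard value (relocation here) is the exam's cue that the control costs more than the risk it removes, so acceptance or a cheaper control is the better answer.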
D O M A I N 1 : SUPPLY CHAIN

Supply Chain
Today, most services are delivered through a chain of multiple entities.
A secure supply chain includes vendors who are secure, reliable, trustworthy, reputable.

D O M A I N 1 : SUPPLY CHAIN

Supply Chain Evaluation
When evaluating 3rd parties in the chain, consider:
On-Site Assessment. Visit organization, interview personnel, and observe their operating habits.
Document Exchange and Review. Investigate dataset and doc exchange, review processes.
Process/Policy Review. Request copies of their security policies, processes, or procedures.
Third-party Audit. Having an independent auditor provide an unbiased review of an entity’s security infrastructure.
D O M A I N 1 : THREAT MODELING

Threat Modeling
Security process where potential threats
are identified, categorized, and analyzed.
D O M A I N 1 : THREAT MODELING

Threat Modeling
Can be proactive or reactive, but in either
case, goal is to eradicate or reduce threats
D O M A I N 1 : THREAT MODELING

Model focus
Common approaches to threat modeling:
Focused on Assets. Uses asset valuation results to identify threats to the valuable assets.
Focused on Attackers. Identifies potential attackers and identifies threats based on the attacker’s goals.
Focused on Software. Considers potential threats against the software the org develops.
FOR THE EXAM: There are a few threat modeling methodologies you should review:
The STRIDE model, which comes from Microsoft:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
The PASTA model, which focuses on controls relative to asset value:
Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management
The VAST model, based on Agile project management and programming principles:
Visual
Agile
Simple
Threat
The Trike model, which focuses on a risk-based approach.
The DREAD rating system is a rating solution that is based on the answers to five main questions about each threat:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
D O M A I N 1 : THREAT MODELING

Threat Modeling
Can be proactive or reactive, but in either
case, goal is to eliminate or reduce threats
D O M A I N 1 : THREAT MODELING

3 approaches to threat modeling


Common approaches to threat modeling:
Focused on Assets. Uses asset valuation results to identify threats to the valuable assets.
Focused on Attackers. Identifies potential attackers and identifies threats based on the attacker’s goals.
Focused on Software. Considers potential threats against the software the org develops.
D O M A I N 1 : THREAT MODELING

STRIDE (developed by Microsoft)
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
D O M A I N 1 : THREAT MODELING

PASTA (focuses on developing countermeasures based on asset value)
Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition & Analysis
Stage IV: Threat Analysis
Stage V: Weakness & Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management


D O M A I N 1 : THREAT MODELING

VAST (based on Agile PM principles)
Visual
Agile
Simple
Threat
GOAL: Scalable integration of threat management into an Agile programming environment
D O M A I N 1 : THREAT MODELING

DREAD (based on answers to 5 questions)
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
D O M A I N 1 : THREAT MODELING

TRIKE (focused on “acceptable risk”)
An open-source threat modeling process that implements a requirements model.
Ensures the assigned level of risk for each asset is “acceptable” to stakeholders.
COBIT security control framework
IT management and governance framework
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management
Little coverage and no depth on CISSP!


D O M A I N 1 : THREAT MODELING

Diagramming
Potential Attacks
Determining potential attack concepts is
often achieved through diagramming
D O M A I N 1 : THREAT MODELING

DIAGRAMMING POTENTIAL ATTACKS (figure)
Data flow: users → Login (web service) → Auth and data retrieval (SQL), with a user / web server trust boundary between the users and the web service.
Potential attacks noted on the diagram: brute force and dictionary attacks at Login; SQL injection at auth and data retrieval.


D O M A I N 1 : THREAT MODELING

Reduction Analysis
Trust Boundaries. Any location where the level of trust or security changes.
Data Flow Paths. The movement of data between locations.
Input Points. Locations where external input is received.
Privileged Operations. Any activity that requires greater privileges than those of a standard user account.
Details about Security Stance and Approach. The declaration of security policy, security foundations, and security assumptions.
D O M A I N 1 : THREAT MODELING

Prioritization
and Response
Then threats are ranked or rated using
DREAD, high/medium/low rating, etc.
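The prioritization step above, with DREAD scoring and the high/medium/low banding, applied to the threats from the login / SQL-backed web service diagram earlier in this domain. This is an added example and not the study guide's material: the three threats, their 1 to 10 ratings, and the band thresholds (7 and above is high, 4 to 7 is medium) are constructed for the illustration; a real model would use the team's own ratings and agreed thresholds.

```python
"""Rate and rank threats from a threat model with DREAD.

Added example (not from the study guide). Threat names, ratings and the
high/medium/low thresholds below are constructed for illustration.
"""
from dataclasses import dataclass

# The five DREAD questions, each answered on a 1 (low) to 10 (high) scale.
DREAD_QUESTIONS = ("damage", "reproducibility", "exploitability",
                   "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    component: str   # where in the data-flow diagram the threat lands
    stride: str      # STRIDE category the threat falls under
    ratings: dict    # answers to the five DREAD questions

    def dread_score(self) -> float:
        """Average of the five DREAD ratings; rejects missing or out-of-range answers."""
        missing = set(DREAD_QUESTIONS) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.name}: unanswered DREAD questions {sorted(missing)}")
        for question in DREAD_QUESTIONS:
            value = self.ratings[question]
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {question}={value} is outside 1..10")
        return sum(self.ratings[q] for q in DREAD_QUESTIONS) / len(DREAD_QUESTIONS)


def rating_band(score: float) -> str:
    """Map a DREAD average onto the deck's high/medium/low rating (assumed thresholds)."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(threats: list) -> list:
    """Return (name, score, band) tuples, highest DREAD score first."""
    scored = [(t.name, t.dread_score(), rating_band(t.dread_score())) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threats for the diagram's components (ratings are illustrative).
SAMPLE_THREATS = [
    Threat("SQL injection in data retrieval", "SQL (auth and data retrieval)", "Tampering",
           {"damage": 9, "reproducibility": 8, "exploitability": 7,
            "affected_users": 9, "discoverability": 6}),
    Threat("Brute force / dictionary attack on login", "web service (Login)", "Spoofing",
           {"damage": 6, "reproducibility": 9, "exploitability": 7,
            "affected_users": 4, "discoverability": 9}),
    Threat("Verbose error pages leak stack traces", "web service", "Information disclosure",
           {"damage": 3, "reproducibility": 9, "exploitability": 5,
            "affected_users": 2, "discoverability": 7}),
]


if __name__ == "__main__":
    for name, score, band in prioritize(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:<6}  {name}")
```

The injection threat averages 7.8 and the credential-guessing threat 7.0, so both land in the high band and get addressed first, while the information leak (5.2) is medium. The averaging hides which question drove the score, so keep the raw ratings alongside the total when presenting the ranking to stakeholders.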
D O M A I N 1 : CONTROLS

Security Controls
Security measures for countering and
minimizing loss or unavailability of
services or apps due to vulnerabilities
D O M A I N 1 : CONTROLS

Security Controls
The terms safeguard and countermeasure
may seem to be used interchangeably
D O M A I N 1 : CONTROLS

Security Controls
Safeguards are proactive (reduce
likelihood of occurrence)
Countermeasures are reactive
(reduce impact after occurrence)
D O M A I N 1 : SECURITY CONTROLS

Control Categories
There are three categories of security controls:
Technical. Also called “logical”; the hardware or
software mechanisms used to manage access.
Administrative. Policies and procedures defined
by the org’s security policy and other regulations and
requirements.
Physical. Items you can physically touch.
D O M A I N 1 : SECURITY CONTROLS

Control Types
Deterrent. Deployed to discourage violation of
security policies.
Preventative. Deployed to thwart or stop
unwanted or unauthorized activity from occurring.
Detective. Deployed to discover or detect
unwanted or unauthorized activity.
Compensating. Provides options to other existing
controls to aid in enforcement of security policies.
D O M A I N 1 : SECURITY CONTROLS

Control Types (cont)


Corrective. Modifies the environment to return
systems to normal after an unwanted or
unauthorized activity has occurred.
Recovery. An extension of corrective controls, but
with more advanced or complex abilities.
Directive. Direct, confine, or control the actions of
subjects to force or encourage compliance with
security policies.
D O M A I N 1 : LEGAL & REGULATORY

legal and regulatory issues that pertain to


information security in a global context
➢ Cyber crimes and data breaches
➢ Trans-border data flow
➢ Licensing and intellectual property
requirements
➢ Privacy
➢ Import/export controls
D O M A I N 1 : LEGAL & REGULATORY

Types of Law
Criminal Law. Contains prohibitions against acts
such as murder, assault, robbery, and arson.
Civil Law. Includes contract disputes, real estate
transactions, employment, estate, and probate.
Administrative Law. Government agencies have
some leeway to enact administrative law.
CISSP exam focuses on security-related generalities
of law, regulations, investigations, and compliance
D O M A I N 1 : LEGAL & REGULATORY

Laws
Computer Fraud and Abuse Act (CFAA). The first major
piece of US cybercrime-specific legislation.
Federal Sentencing Guidelines. Provided punishment
guidelines to help federal judges interpret computer crime
laws.
Federal Information Security Management Act (FISMA).
Required formal infosec operations for the federal gov’t.
Copyright and the Digital Millennium Copyright Act
(DMCA). Covers literary, musical, and dramatic works.
D O M A I N 1 : LEGAL & REGULATORY

IP and Licensing
Trademarks. Cover words, slogans, and logos used
to identify a company and its products or services.
Patents. Protect the intellectual property
rights of inventors.
Trade Secrets. Intellectual property that is absolutely
critical to a business and must not be disclosed.
Licensing. 4 types you should know are contractual,
shrink-wrap, click-through, and cloud services.
D O M A I N 1 : LEGAL & REGULATORY

Encryption and Privacy


Computer Export Controls. US companies can’t export to
Cuba, Iran, North Korea, Sudan, and Syria.
Encryption Export Controls. Dept of Commerce details
limitations on export of encryption products outside the US.
Privacy (US). The basis for privacy rights is in the Fourth
Amendment to the U.S. Constitution.
Privacy (EU). General Data Protection Regulation (GDPR) is
not a US law, but very likely to be mentioned!
Applies to any company with customers in the EU!
D O M A I N 1 : LEGAL & REGULATORY

Other US privacy laws


HIPAA (Health Insurance Portability and Accountability Act)
HITECH (Health Information Technology for Economic and
Clinical Health)
Gramm-Leach-Bliley Act (financial institutions)
Children’s Online Privacy Protection Act (COPPA)
Electronic Communications Privacy Act (ECPA)
Communications Assistance for Law Enforcement Act
(CALEA)
D O M A I N 1 : BUSINESS CONTINUITY

Business continuity planning issues that


pertain to information security in
1. Strategy development
2. Provisions and processes
3. Plan approval
4. Plan implementation
5. Training and education
D O M A I N 1 : USER EDUCATION

Establish and maintain a security awareness,


education, and training program
➢ Methods and techniques to present
awareness and training
➢ Periodic content reviews
➢ Program effectiveness evaluation
INSIDE AZURE MANAGEMENT

THANKS FOR WATCHING!
