Class 1: Security management practices
Lecturer Shon Harris, CISSP, MCSE
President, Logical Security
CISSP essentials:
Mastering the Common Body of Knowledge
CISSP Essentials library:
www.searchsecurity.com/CISSPessentials
Class 1 quiz:
www.searchsecurity.com/Class1quiz
Class 1 briefing:
www.searchsecurity.com/Class1briefing
Security definitions
Vulnerability
Weakness in a mechanism that can threaten the
confidentiality, integrity or availability of an asset
Lack of a countermeasure
Threat
Someone uncovering a vulnerability and exploiting it
Risk
Probability of a threat becoming real and the corresponding
potential damages
Exposure
When a threat agent exploits a vulnerability
Countermeasure
A control put into place to mitigate potential losses
Definitions relationships
Control types
Administrative controls
Management responsibilities necessary to protect
assets
Soft controls
Technical controls
Logical protection mechanisms
Built into software and hardware
Physical controls
Controls to protect the facility's perimeter and internal resources
A layered approach
Defense-in-depth
Providing layers of defense that an attacker must
compromise before accessing an asset
Building foundation
Security program
Blueprint for a security program
A framework for administrative, technical and
physical controls to work within
Security roadmap
Advisory
Outlines expected behaviors in a company and the
ramifications of not meeting these expectations
Informative
A tool to teach employees about specific issues
Not enforceable
Information classification
Data classification procedures
Develop classification criteria
Controls per classification
Data owner responsibilities
Data custodian responsibilities
Document exceptions
How to transfer custody and ownership of
data
Declassification procedures
Integrate into security awareness training
Due care
Doing the right thing
Implementing solutions based on analysis data
Properly protecting the company and its assets
Acting responsibly
Risk management
Risk management
Reducing risk to an acceptable level
Risk cannot be eliminated, but it must be managed
Risk analysis
An assessment to:
Qualitative
Opinion-based
Use of a rating system
Scenario-based
ALE example
1. If an e-commerce site is attacked (value = $300,000), it is estimated to cause 40% in damages to a company based on:
   Liability costs
   Confidential data being corrupted
   Loss in revenue
   $300,000 × 40% = $120,000 (single loss expectancy)
Countermeasure criteria
A countermeasure should
Mitigate the identified risk
Be cost-effective
(ALE before implementing countermeasure) - (ALE after implementing countermeasure) - (annual cost of countermeasure) = value of the countermeasure to the company
Calculating cost/benefit
If ALE for a specific asset is $78,000, and after
implementation of the control the new ALE is $20,000 and
the annual cost of the control is $60,000, what is the
value of the control to the company?
$78,000 - $20,000 = $58,000
$58,000 - $60,000 = -$2,000
A negative value means the control costs $2,000 more per year than the risk it removes, so it fails the cost-effectiveness criterion.
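The quantitative risk formulas from this class (SLE, ALE and countermeasure value) as a small Python calculator. This is an added example, not course material from Logical Security; the ARO and the second candidate control are constructed values, since the slides give neither.

```python
from dataclasses import dataclass
from typing import Iterable


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost in one incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected incidents per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    ale_after: float    # ALE for the asset once this control is in place
    annual_cost: float  # yearly cost of buying, running and maintaining the control


def countermeasure_value(ale_before: float, cm: Countermeasure) -> float:
    """(ALE before) - (ALE after) - (annual cost of control) = value to the company."""
    return ale_before - cm.ale_after - cm.annual_cost


def cost_effective(ale_before: float, candidates: Iterable[Countermeasure]) -> list:
    """Keep only controls with a positive value, best first.

    A negative value means the control costs more per year than the risk it
    removes, so it fails the cost-effectiveness criterion and is dropped.
    """
    scored = [(countermeasure_value(ale_before, cm), cm.name) for cm in candidates]
    return [(name, value) for value, name in sorted(scored, reverse=True) if value > 0]


if __name__ == "__main__":
    # Slide figures: $300,000 site, 40% exposure factor -> SLE of $120,000.
    sle = single_loss_expectancy(300_000, 0.40)
    # The slides give no ARO; one incident every ten years is a constructed value.
    print(f"SLE ${sle:,.0f}, ALE ${annualized_loss_expectancy(sle, 0.1):,.0f}")
    # Slide cost/benefit question: ALE $78,000 -> $20,000 for a $60,000/yr control.
    slide_control = Countermeasure("slide control", ale_after=20_000, annual_cost=60_000)
    # A second, constructed candidate for comparison.
    cheaper = Countermeasure("constructed alternative", ale_after=30_000, annual_cost=10_000)
    print(countermeasure_value(78_000, slide_control))  # -2000
    print(cost_effective(78_000, [slide_control, cheaper]))
```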
Employee issues
Enforcement of rules
Hiring and termination practices
Security awareness training
www.LogicalSecurity.com
ShonHarris@LogicalSecurity.com