
CISSP Essentials:

Mastering the Common Body of Knowledge

Class 1: Security management practices
Lecturer: Shon Harris, CISSP, MCSE
President, Logical Security

CISSP Essentials: Mastering the Common Body of Knowledge
CISSP Essentials library:
www.searchsecurity.com/CISSPessentials
Class 1 quiz:
www.searchsecurity.com/Class1quiz
Class 1 briefing:
www.searchsecurity.com/Class1briefing

Security management practices


Security definitions and goals
Control types
Risk management and analysis
Components of a security program
Roles and responsibilities in security
Information classification
Employee management
Awareness training

Security definitions
Vulnerability
Weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset
Lack of a countermeasure
Threat
The potential for a threat agent to uncover a vulnerability and exploit it
Risk
Probability of a threat becoming real and the corresponding potential damages
Exposure
An instance of being exposed to loss; the state that exists when a threat agent can exploit a vulnerability
Countermeasure
A control put into place to mitigate potential losses

Definitions relationships

Control types
Administrative controls
Management responsibilities necessary to protect assets
Also called soft controls
Technical controls
Logical protection mechanisms
Built into software and hardware
Physical controls
Controls to protect the facility's perimeter and internal resources

A layered approach
Defense-in-depth
Providing layers of defense that an attacker must compromise before accessing an asset
Not relying upon just one control
Understanding that compromises in one layer may take place and having a backup to compensate for this

Building foundation

Security program
Blueprint for a security program
A framework for administrative, technical and physical controls to work within
Typical security architecture model tends to be technical

Security roadmap

Policies with different goals
Regulatory
Ensures company is following standards set by regulations and laws
More detailed in nature
Specific to a type of industry
Advisory
Outlines expected behaviors in a company and the ramifications of not meeting these expectations
Informative
A tool to teach employees about specific issues
Not enforceable

Information classification
Data classification procedures
Develop classification criteria
Controls per classification
Data owner responsibilities
Data custodian responsibilities
Document exceptions
How to transfer custody and ownership of data

Declassification procedures
Integrate into security awareness training

Information classification criteria
Criteria items
Usefulness and value of information
How long information will hold this protection requirement
The level of damage possible if the data was disclosed, modified or corrupted
Laws, regulations or liability responsibilities pertaining to the data
Who should be accessing this data?
Who should maintain this data?
Who should monitor and audit the use of this data?

Examples of due diligence and due care
Due diligence
Uncovering potential dangers
Carrying out assessments
Performing analysis on assessment data
Implementing risk management
Researching and understanding the environment's vulnerabilities, threats and risks
Due care
Doing the right thing
Implementing solutions based on analysis data
Properly protecting the company and its assets
Acting responsibly

Risk management
Reducing risk to an acceptable level
Risk cannot be eliminated, but it must be managed

Risk analysis
An assessment to:
Identify a company's assets
Assign values to assets
Identify the assets' vulnerabilities and threats
Calculate their associated risks
Estimate potential loss and damages
Provide solutions

Different approaches to analysis
Quantitative
Assigning numeric and monetary values
Management usually requires results in monetary values
May start out with a qualitative approach
Qualitative
Opinion-based
Use of a rating system
Scenario-based

ALE example
1. If an e-commerce site is attacked (asset value = $300,000), it is estimated to cause 40% in damages to the company (exposure factor, EF) based on
Liability costs
Confidential data being corrupted
Loss in revenue

Asset Value × EF = SLE
$300,000 × 0.4 = $120,000

2. Based on current safeguards, this threat is estimated to happen once in 12 months (annualized rate of occurrence, ARO = 1.0)
SLE × ARO = ALE
$120,000 × 1.0 = $120,000

3. Management should not spend more than this amount per year to protect this asset

Can you get rid of all risk?
Total risk versus residual risk
Amount of risk that exists before a safeguard is put into place is total risk.
After a safeguard is implemented, the remaining risk is called residual risk.

Threats × Vulnerability × Asset Value = Total Risk
(Threats × Vulnerability × Asset Value) × Control Gap = Residual Risk
(Control Gap = what the control cannot protect against)

Analysis team needs to determine if residual risk is within the acceptable risk level of the company.

Comparing cost and benefit
Cost/benefit analysis
The annualized cost of countermeasures should not be more than potential losses
If a server is worth $3,000, a countermeasure that costs $4,000 should not be used
Not as cut and dry as it may seem
How do you determine the cost of a countermeasure?

Countermeasure criteria
A countermeasure should
Mitigate the identified risk
Be cost-effective
(ALE before implementing countermeasure) − (ALE after implementing countermeasure) − (annual cost of countermeasure) = value of the countermeasure to the company

If ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?

Calculating cost/benefit
$78,000 − $20,000 = $58,000
$58,000 − $60,000 = −$2,000

Company should not implement this control.
Not cost-beneficial.
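As an added worked example (not part of the original slides), the following Python carries the two calculations above through reusable functions: the SLE and ALE of the e-commerce site, and the value of the $60,000 control against the $78,000 ALE. The second candidate control and the selection step are constructed additions, included to show how the same formula is used to compare several controls and to reject any whose value is not positive.

```python
"""Quantitative risk analysis helpers: SLE, ALE and countermeasure value.

Added worked example, not from the original slides. The site and control
figures are the ones used on the slides; "cheaper control" is constructed.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF given as a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is expected occurrences per year and may be < 1
    (an event expected once every five years has ARO 0.2)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float  # amortized purchase plus yearly operating/maintenance cost
    ale_after: float    # ALE that remains once the control is in place

    def value(self, ale_before: float) -> float:
        """(ALE before) - (ALE after) - (annual cost) = value to the company."""
        return ale_before - self.ale_after - self.annual_cost


def select_countermeasure(ale_before: float, candidates):
    """Return the candidate with the highest positive value, or None.

    A control whose value is <= 0 costs more per year than the loss it
    prevents, so on cost/benefit grounds none of those is chosen.
    """
    best = None
    for cm in candidates:
        v = cm.value(ale_before)
        if v > 0 and (best is None or v > best.value(ale_before)):
            best = cm
    return best


# Slide figures: e-commerce site worth $300,000, EF 40%, expected once a year.
SITE_SLE = single_loss_expectancy(300_000, 0.40)      # 120,000
SITE_ALE = annualized_loss_expectancy(SITE_SLE, 1.0)  # 120,000

# Slide figures: ALE $78,000 before, $20,000 after, control costs $60,000/yr.
SLIDE_CONTROL = Countermeasure("slide control", annual_cost=60_000, ale_after=20_000)

# Constructed alternative (not on the slides) used to show the selection step.
CHEAPER_CONTROL = Countermeasure("cheaper control", annual_cost=25_000, ale_after=30_000)

if __name__ == "__main__":
    print(f"SLE = ${SITE_SLE:,.0f}   ALE = ${SITE_ALE:,.0f}")
    for cm in (SLIDE_CONTROL, CHEAPER_CONTROL):
        print(f"{cm.name}: value = ${cm.value(78_000):,.0f}")
    chosen = select_countermeasure(78_000, [SLIDE_CONTROL, CHEAPER_CONTROL])
    print("choose:", chosen.name if chosen else "none (not cost-beneficial)")
```

The slide control comes out at −$2,000 and is rejected; the constructed alternative is worth $23,000 and is selected. The `annual_cost` field is where the slide's question "how do you determine the cost of a countermeasure?" has to be answered honestly: it should carry the amortized purchase price plus staff time, maintenance, training and any productivity loss, not the license fee alone, or the comparison will favour controls that look cheap on paper.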

Employee issues
Enforcement of rules
Hiring and termination practices
Security awareness training

CISSP Essentials:
Mastering the Common Body of Knowledge
Lecturer Shon Harris, CISSP, MCSE
President, Logical Security
www.LogicalSecurity.com
ShonHarris@LogicalSecurity.com

Coming next: Class 2, Access control


Register at the CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials
