The Effective CISSP - SRM · 11/28/2019

THE EFFECTIVE CISSP

SECURITY AND RISK MANAGEMENT

First Edition

__________

by Wentz Wu


The Effective CISSP Security and Risk Management Copyright © 2019 by Wentz Wu

Published by Wentz Wu (https://Wentzwu.com)

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means without written permission from the author.


Dedication

To my Father, for teaching me integrity; To my Mother, for nurturing kindness in me;

To my friends, Aaron, Pato, Daniel, Steve, and Tac for supporting me all the time.


About the Author

Wentz Wu is the co-founder of Amicliens and has been working in the IT industry for more than 20 years. He is devoted to applying information technologies to solve business problems, delivering training and education courses, and giving back to the community.

In his professional career, Wentz is skilled at implementing IT infrastructure and cloud services, developing quality software, conducting comprehensive business analysis, managing projects with agility, and advising and delivering practical business solutions.

With a solid technical background and business savvy, Wentz delivers the CISSP course comprehensively, based on the Amicliens InfoSec Conceptual Model, which addresses the official ISC2 CISSP exam outline.

As a lifelong learner, Wentz demonstrates his endeavor and achievement as follows:
- EMBA/CBAP/PMP/ACP/PBA/RMP
- CGEIT/CISM/CRISC/CISA
- CISSP-ISSMP, ISSEP, ISSAP/CCSP/CSSLP
- CEH/ECSA/AWS-CSAA/MCSD/MCSE/MCDBA
- SCRUM: PSM Level I/PSPO Level I/PSD Level I
- ISO 27001 LA/ISO 27552 LA courses completed

Wentz can be reached through:
- Email: [email protected]
- Blog: https://WentzWu.com
- Facebook: https://www.facebook.com/groups/EffectiveCISSP
- YouTube: https://www.youtube.com/c/EffectiveCISSP


CONTENTS

Figures ........................................................................................ vii

1 Security and Risk Management ............................................. 1

1.1 Security ......................................................................... 2

1.1.1 Information Security .......................................... 2

1.1.2 Business Mindset ............................................... 3

1.2 Risk ............................................................................... 4

1.2.1 Objective Matters .............................................. 4

1.2.2 Business Driver .................................................. 5

1.2.3 Risk Context ....................................................... 5

1.2.4 Wentz’s Risk Model ........................................... 7

1.3 Assets ........................................................................... 8

1.3.1 Asset Inventory .................................................. 8

1.3.2 Asset Ownership ................................................ 9

1.3.3 Asset Valuation ................................................ 11

1.3.4 Asset Classification .......................................... 12

1.3.5 Information Systems ........................................ 13

1.3.6 The Peacock Model.......................................... 15

1.4 Objectives ................................................................... 18

1.4.1 Information Security ........................................ 18

1.4.2 Information Assurance .................................... 20

1.4.3 Cybersecurity ................................................... 22

1.5 Safeguards .................................................................. 24

1.5.1 HIPAA Safeguards ............................................ 24


1.5.2 Control Categorization ..................................... 25

1.5.3 Security Control Frameworks ........................... 27

1.5.4 Access Control ................................................. 29

1.5.5 The Onion Model ............................................. 33

1.6 Threats ........................................................................ 34

1.6.1 What is a Threat?............................................. 34

1.6.2 The Ring Model................................................ 34

1.6.3 Threat Source .................................................. 35

1.6.4 Threat Event .................................................... 36

1.6.5 Threat Scenario ............................................... 37

1.6.6 Vulnerability .................................................... 38

1.6.7 Security Objectives .......................................... 38

1.6.8 Safeguards ....................................................... 38

1.7 Management .............................................................. 39

1.7.1 Goals ............................................................... 39

1.7.2 The PDCA Cycle ................................................ 39

1.7.3 SMART Goals ................................................... 40

1.7.4 Goals and Objectives ....................................... 40

1.7.5 Planning for Success ........................................ 41

1.7.6 Execution to Succeed ....................................... 42

1.7.7 Measurement of Success ................................. 44

1.7.8 Improving toward Success ............................... 47

2 Governance, Risk, and Compliance ..................................... 50

2.1 GRC as a Discipline ...................................................... 51

2.2 Governance................................................................. 52


2.2.1 What is Governance? ....................................... 52

2.2.2 Governance Practices ...................................... 53

2.2.3 Governance for Values..................................... 54

2.2.4 Enterprise Architecture.................................... 54

2.2.5 Organizational Structure .................................. 57

2.2.6 Organizational Processes ................................. 61

2.3 Risk Management ....................................................... 63

2.4 Compliance ................................................................. 64

2.4.1 Explicit Requirements ...................................... 64

2.4.2 Implicit Requirements...................................... 65

2.4.3 Security Assessment ........................................ 65

2.4.4 Audit................................................................ 66

3 Strategic Management ........................................................ 69

3.1 What is Strategy? ........................................................ 70

3.2 Strategic Thinking ....................................................... 72

3.3 Strategy Formulation .................................................. 74

3.3.1 Strategic Analysis ............................................. 74

3.3.2 Strategy Development ..................................... 75

3.3.3 Policy Development ......................................... 76

3.4 Strategy Execution ...................................................... 79

3.4.1 The PMI OPM .................................................. 80

3.4.2 Initiatives ......................................................... 80

3.4.3 Business Case .................................................. 82

3.4.4 Charter ............................................................ 82


3.4.5 Initiative Management .................................... 83

3.4.6 Roles and Responsibilities ................................ 83

3.4.7 Change Management ...................................... 83

3.4.8 Communication and Reporting ........................ 85

3.4.9 Continuous Improvement ................................ 85

3.5 Security Operations..................................................... 86

4 Risk Management ................................................ 87

4.1 What is Risk Management? ......................................... 88

4.1.1 Risk Sources ..................................................... 89

4.1.2 Risk Taxonomy ................................................. 89

4.2 Terminologies ............................................................. 92

4.2.1 Risk .................................................................. 92

4.2.2 Risk Model ....................................................... 92

4.2.3 Risk Factor ....................................................... 92

4.2.4 Risk Attitude .................................................... 93

4.2.5 Risk Capacity .................................................... 93

4.2.6 Risk Appetite ................................................... 93

4.2.7 Risk Tolerance ................................................. 94

4.2.8 Risk Threshold ................................................. 95

4.2.9 Risk Register .................................................... 95

4.2.10 Risk Owner ...................................................... 95

4.2.11 Risk Category ................................................... 95

4.2.12 Risk Aggregation .............................................. 95

4.2.13 Risk Exposure................................................... 97

4.2.14 Risk Profile ....................................................... 98


4.2.15 Risk Score ........................................................ 98

4.2.16 Risk Level ......................................................... 98

4.2.17 Risk Treatment ................................................ 99

4.2.18 Risk Treatment Options ................................. 101

4.2.19 Risk Response ................................................ 101

4.2.20 Risk Response Strategies ............................... 101

4.2.21 Residual Risk .................................................. 101

4.2.22 Inherent Risk ................................................. 102

4.2.23 Secondary Risk ............................................... 102

4.2.24 Risk Assessment ............................................ 102

4.3 General Processes ..................................................... 104

4.3.1 Context Establishment ................................... 104

4.3.2 Risk Identification .......................................... 104

4.3.3 Risk Analysis .................................................. 104

4.3.4 Risk Evaluation .............................................. 107

4.3.5 Risk Treatment .............................................. 107

4.3.6 Risk Monitoring and Communication ............. 107

4.4 Risk Management Framework ................................... 108

4.4.1 ISO 31000 ...................................................... 108

4.4.2 The NIST FARM .............................................. 109

5 Laws and Regulations ........................................................ 112

5.1 Difference between Laws and Regulations ................ 113

5.2 Compliance as Risk Concern ...................................... 114

5.3 Legal Systems ............................................................ 115

5.3.1 Investigation and Evidence ............................ 116


5.3.2 E-Discovery .................................................... 116

5.3.3 Subpoenas and Search Warrants ................... 116

5.4 Privacy ...................................................................... 118

5.5 Intellectual Property ................................. 119

6 Business Continuity Management..................................... 120

6.1 What is Business Continuity Management? .............. 121

6.1.1 Integral Disciplines ......................................... 122

6.1.2 Terminologies ................................................ 124

6.2 BCM Standard and Practices ..................................... 128

6.2.1 The ISO 22301 Standard ................................ 129

6.2.2 The BCI BCM Lifecycle .................................... 131

6.2.3 The DRI BCM Professional Practices ............... 134

6.3 Business Continuity Planning..................................... 135

7 Conclusion ......................................................................... 138

References................................................................................ 142

Index ........................................................................................ 145


FIGURES

FIGURE 1-1 HIERARCHY OF OBJECTIVES ........................ 2
FIGURE 1-2 RISK FACTORS ................................... 4
FIGURE 1-3 BUSINESS MINDSET ............................... 5
FIGURE 1-4 WENTZ'S RISK MODEL ............................. 7
FIGURE 1-5 ASSET OWNERS ................................... 9
FIGURE 1-6 CLASSIFICATION SCHEME .......................... 12
FIGURE 1-7 INFORMATION SYSTEM ............................. 13
FIGURE 1-8 SYSTEM DEVELOPMENT LIFE CYCLE .................. 13
FIGURE 1-9 INFORMATION SYSTEM COMPONENTS .................. 15
FIGURE 1-10 CISSP CBK DOMAINS ............................. 16
FIGURE 1-11 CIA TRIAD AS SECURITY OBJECTIVES .............. 18
FIGURE 1-12 INFORMATION ASSURANCE ......................... 20
FIGURE 1-13 DOD 8500.01 INSTRUCTION ....................... 21
FIGURE 1-14 THE NSPD-54/HSPD-23 POLICY .................... 22
FIGURE 1-15 SECURITY KERNEL ............................... 29
FIGURE 1-16 REFERENCE MONITOR CONCEPT ..................... 30
FIGURE 1-17 IDENTIFICATION + 3A ........................... 31
FIGURE 1-18 LAYERED DEFENSE ............................... 33
FIGURE 1-19 THE RING MODEL ................................ 35
FIGURE 1-20 NIST GENERIC RISK MODEL ....................... 35
FIGURE 1-21 THREAT SCENARIO ............................... 38
FIGURE 1-22 MANAGEMENT .................................... 39
FIGURE 1-23 GOALS AND OBJECTIVES .......................... 40
FIGURE 1-24 PERFORMANCE MEASUREMENT ....................... 44
FIGURE 1-25 KPI AND KGI ................................... 46
FIGURE 1-26 WEIGHT AS A KRI FOR HEALTH MANAGEMENT ......... 46
FIGURE 2-1 GRC AS A DISCIPLINE ............................ 51
FIGURE 2-2 THE GOVERNANCE LEVEL ........................... 52
FIGURE 2-3 GOVERNANCE PRACTICES ........................... 53
FIGURE 2-4 ORGANIZATION TYPES ............................. 57
FIGURE 2-5 GOVERNANCE STRUCTURE ........................... 58
FIGURE 2-6 COMPLIANCE CONCERNS ............................ 64
FIGURE 2-7 SECURITY ASSESSMENT ............................ 66
FIGURE 2-8 TYPES OF AUDITS ................................ 66
FIGURE 2-9 AUDIT PARTIES .................................. 67
FIGURE 3-1 LEVELS OF STRATEGIES ........................... 70
FIGURE 3-2 STRATEGIC THINKING ............................. 72
FIGURE 3-3 AMICLIENS MISSION STATEMENT .................... 73
FIGURE 3-4 SWOT ANALYSIS .................................. 74
FIGURE 3-5 STRATEGY DEVELOPMENT ........................... 75
FIGURE 3-6 STRATEGY EXECUTION ............................. 79
FIGURE 3-7 VALUE .......................................... 79
FIGURE 3-8 THE PMI OPM .................................... 80
FIGURE 3-9 PORTFOLIOS, PROGRAMS, PROJECTS, OPERATIONS ..... 81
FIGURE 3-10 RACI MATRIX ................................... 83
FIGURE 4-1 RISKS AT DIFFERENT TIERS ....................... 89
FIGURE 4-2 ENTERPRISE RISK TYPES .......................... 89
FIGURE 4-3 RISK CAPACITY AND RISK APPETITE ................ 93
FIGURE 4-4 ISO 31000 ...................................... 108
FIGURE 4-5 NIST FARM ...................................... 109
FIGURE 4-6 NIST GENERIC RISK MODEL ........................ 110
FIGURE 6-1 ISO, DRI, AND BCI .............................. 128
FIGURE 6-2 BCI BCM LIFECYCLE .............................. 131
FIGURE 6-3 DRI PROFESSIONAL PRACTICES ..................... 134


Tables

TABLE 1-1 ISC2 ACCESS CONTROLS ............................ 26
TABLE 1-2 NIST CONTROL FAMILIES ........................... 27
TABLE 1-3 ISO CONTROL CATEGORIES .......................... 27
TABLE 1-4 GOALS AND OBJECTIVES ............................ 41
TABLE 1-5 CATEGORIES OF MEASURES .......................... 45