CCISO Certified Chief Information Security Officer All-In-One Exam Guide
ABOUT THE AUTHORS
Steven Bennett, CCISO, CISSP, CISA, is an engineer,
sportsman, entrepreneur, and consultant. He has worked
in the information technology field for over 40 years
helping organizations protect their most important
assets from criminal threats. Steve has spent his lifetime
studying human and animal behavior in complex
systems, the relationships between predator and prey,
and offensive and defensive survival strategies and
tactics observed in business and nature. Steve’s
information security consulting career includes
supporting clients in healthcare, manufacturing, retail,
finance, military, and government.
Jordan Genung, CCISO, CISSP, CISM, CISA, has
served as an information security officer and security
advisor for public- and private-sector organizations. His
experience includes security consulting for Fortune 100
companies and government agencies, building
information security programs, and developing
information security curriculum. Jordan holds a degree
in computer science and information security from the
University of Texas at San Antonio, which is an NSA and
DHS National Center of Academic Excellence in Cyber
Operations, Cyber Defense, and Research.
ABOUT THE TECHNICAL EDITOR
Michael Lester has worked in the information security
industry for over 20 years and currently is the chief
technology officer (CTO) of WindTalker Inc. (maker of
data-centric security encryption software products).
Previously Mike was the chief instructor and consultant
for Shon Harris’s Logical Security LLC (now Human
Element LLC), where he taught and developed courses
on CISSP, hacking/pentesting, digital forensics/e-
discovery, CISA, and others. Mike also authors and
instructs classes for LinkedIn Learning. He holds a
master’s degree in information systems security from
Boston University (a National Security Agency [NSA]
Center of Academic Excellence) as well as over 20
industry certifications, including CISSP, CISA, CCE,
Security+, MCSE:Security, CCSE+, and ITIL.
Copyright © 2021 by McGraw Hill. All rights reserved.
Except as permitted under the United States Copyright
Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means,
or stored in a database or retrieval system, without the
prior written permission of the publisher.
ISBN: 978-1-26-046393-4
MHID: 1-26-046393-1
CONTENTS
Acknowledgments
Introduction
Chapter 1 Governance and Risk Management
Governance
Information Security Governance
Information Security Management Structure
Sizing
Management Structure
Principles of Information Security
The CIA Triad
Security Vulnerabilities, Threats, Risks,
and Exposures
Cyberattack Elements
Defense-In-Depth
Risk Management
Risk Management Program
Best Practice Frameworks for Risk
Management
Management and Technical Information
Security Elements
Security Program Plan
Security Policies, Standards, and
Guidelines
Asset Security
Identity and Access Management
Security Engineering
Physical Security
Security Operations
Software Development Security
Security Assessments and Testing
Security Training and Awareness
Business Continuity and Disaster
Recovery
Compliance
Compliance Team
Compliance Management
Privacy
Privacy Impact Assessment
Privacy and Security
Laws and Regulatory Drivers
Federal Information Security
Modernization Act
Defense Federal Acquisition Regulation
Supplement 252.204-7012
Clinger-Cohen Act
Payment Card Industry Data Security
Standard
Privacy Act of 1974
Gramm-Leach-Bliley Act
Health Insurance Portability and
Accountability Act
Family Educational Rights and Privacy
Act
Sarbanes-Oxley Act
General Data Protection Regulation
North American Electric Reliability
Corporation Critical Infrastructure
Protection
Summary of Laws and Regulatory
Drivers
Standards and Frameworks
ISO/IEC 27000 Series
ISO/IEC 27001
NIST Cybersecurity Framework
Federal Information Processing
Standards
NIST Special Publications
Privacy Shield
COBIT
Information Security Trends and Best
Practices
Open Web Application Security Project
Cloud Security Alliance
Center for Internet Security
Information Security Training and
Certifications
International Information System
Security Certification Consortium
ISACA
International Council of E-Commerce
Consultants
SANS Institute
Computing Technology Industry
Association
International Association of Privacy
Professionals
Offensive Security
Ethics
Chapter Review
Quick Review
Questions
Answers
Chapter 2 Information Security Controls, Compliance,
and Audit Management
Information Security Controls
Control Fundamentals
Control Frameworks
Information Security Control Life Cycle
Frameworks
NIST Risk Management Framework
NIST Cybersecurity Framework
ISO/IEC 27000
Information Security Control Life Cycle
Step 1: Risk Assessment
Step 2: Design
Step 3: Implementation
Step 4: Assessment
Step 5: Monitoring
Exploring Information Security Control
Frameworks
NIST SP 800-53
NIST Cybersecurity Framework
ISO/IEC 27002
CIS Critical Security Controls
CSA Cloud Controls Matrix
Auditing for the CISO
Audit Management
Audit Process
Control Self-Assessments
Continuous Auditing
Specific Types of Audits and
Assessments
Chapter Review
Quick Review
Questions
Answers
Chapter 3 Security Program Management and
Operations
Security Program Management
Security Areas of Focus
Security Streams of Work
Asset Security Management
Security Projects
Security Program Budgets, Finance, and Cost
Control
Establishing the Budget
Managing and Monitoring Spending
Security Program Resource Management:
Building the Security Team
Project Management
Project Management Fundamentals
Project Management Training and
Certifications
Phases of Project Management
Initiating
Planning
Executing
Monitoring and Controlling
Closing
Chapter Review
Quick Review
Questions
Answers
Chapter 4 Information Security Core Competencies
Malicious Software and Attacks
Malware
Scripting and Vulnerability-Specific
Attacks
Social Engineering
Types of Social Engineering Attacks
Why Employees Are Susceptible to Social
Engineering
Social Engineering Defenses
Asset Security
Asset Inventory and Configuration
Management
Secure Configuration Baselines
Vulnerability Management
Asset Security Techniques
Data Security
Data at Rest
Data in Transit
Data in Use
Data Life Cycle
Identity and Access Management
Identity and Access Management
Fundamentals
Identity Management Technologies
Authentication Factors and Mechanisms
Access Control Principles
Access Control Models
Access Control Administration
Identity and Access Management Life
Cycle
Communication and Network Security
WANs and LANs
IP Addressing
Network Address Translation
Network Protocols and Communications
Wireless
Network Technologies and Defenses
Cryptography
Cryptographic Definitions
Cryptographic Services
Symmetric, Asymmetric, and Hybrid
Cryptosystems
Hash Algorithms
Message Authentication Codes
Digital Signatures
Public Key Infrastructure
Cloud Security
Cloud Computing Characteristics
Cloud Deployment Models
Cloud Service Models
Cloud Security Risks and Assurance
Levels
Cloud Security Resources
Physical Security
Physical Security Threats
Physical Security Program Planning
Physical Security Resources
Physical Security Controls
Physical Security Auditing and
Measurement
Personnel Security
Software Development Security
Integrating Security into the SDLC
Security SDLC Roles and
Responsibilities
Software Vulnerabilities
Secure Coding Practices
Software Vulnerability Analysis and
Assessments
Forensics, Incident Handling, and
Investigations
Relevant Law
Logging and Monitoring
Incident Response and Investigations
Forensics and Digital Evidence
Security Assessment and Testing
Vulnerability Assessments
Penetration Testing
Regulatory Compliance Assessments
Security Program Assessments
Business Continuity and Disaster Recovery
Continuity Planning Initiation
Business Impact Analysis
Identify Preventive Controls
Develop Recovery Strategies and
Solutions
Develop the Plan
Test the Plan
Maintain the Plan
Chapter Review
Quick Review
Questions
Answers
Chapter 5 Strategic Planning, Finance, Procurement,
and Vendor Management
Strategic Planning
Organizational Strategic Planning
Organizational Strategic Planning Teams
Strategic Planning Process
Security Strategic Plan Example
Making Security Decisions
Enterprise Architecture
Financial Management
Accounting and Finance Basics
Information Security Annual Budget
Procurement and Vendor Management
Procurement Core Principles and
Processes
Types of Contracts
Scope Agreements
Third-Party Vendor Risk Management
Chapter Review
Quick Review
Questions
Answers
Appendix About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Privacy Notice
Single User License Terms and Conditions
TotalTester Online
Technical Support
Glossary
Index
ACKNOWLEDGMENTS
Steve would like to thank his incredible wife, Debby, for
her unyielding support throughout the book-writing
process. I love you, hon. Now maybe things can get back
to normal around here. Warmest thanks go to co-author
Jordan, who put up with my obstinance and made this
project fun.
Jordan would like to thank his family and friends for
their continued support and encouragement. A special
thanks to Steve for the invitation to collaborate on this
book. Your expertise and guidance were invaluable in
this undertaking. It was an honor and a pleasure.
Both authors wish to thank Wendy Rinaldi, Emily
Walters, and the extraordinary team at McGraw Hill.
Your professionalism, insight, and advice were
instrumental to the success of this project. A big thanks
to our friend Mike Lester for his excellent technical
editing, savvy, and guidance. Other friends who
counseled us and deserve our thanks include Tom
Conkle, Ray Gabler, David Goldstein, and Greg Witte.
And finally, a thank you to all of the CISOs who must
remain unnamed but who shared with us their stories,
advice, and experiences that helped us describe the life
and challenges of the CISO in the real world.
INTRODUCTION
Security is mortals’ chiefest enemy.
—Hecate, from Macbeth by William Shakespeare
As we put the
CERTIFICATION PROCESS
This section outlines the EC-Council process for
becoming CCISO certified. This process is illustrated in
Figure 1. There are three main avenues for certification:
• CCISO certification through self-study
• CCISO certification through EC-Council approved
training
• EC-Council Information Security Manager (EISM)
certification program for individuals who do not
meet CCISO prerequisites
PREREQUISITES
CCISO exam eligibility is determined based on the
number of years of experience the candidate has in the
five CCISO domains:
TRAINING OPTIONS
There are two primary training avenues available to
become certified:
EXAM PROCESS
The exam process differs based on the training option
and program selected:
EXAM INFORMATION
The CCISO exam consists of 150 scenario-based
multiple-choice questions. Candidates are given 2.5
hours to complete the exam and must achieve a score of
at least 72 percent. The CCISO exam includes three types
of questions, listed here in order of increased difficulty:
EXAM TIP These targeted tips provide key information the CCISO
candidate should know for the CCISO exam. Exam Tips may include test-
taking advice or warnings of exam pitfalls.
• Governance
• Information security management structure
• Principles of information security
• Risk management
• Management and technical information security
elements
• Compliance
• Privacy
• Laws and regulatory drivers
• Standards and frameworks
• Information security trends and best practices
• Information security training and certifications
• Ethics
This chapter describes how an organization’s
information security program relates to the business as a
whole and discusses the key components and purpose of
an information security program. This chapter also
discusses how the information security program ensures
the organization is in compliance with the laws and
regulations that pertain to the business and how
frameworks are used to guide the design and
implementation of the information security program to
result in compliance success.
As security consultants, we commonly hear our clients
say, “Our organization is different, so we can’t apply
security the same way as everyone else. Our (fill in the
blank) is why we can’t do security like other companies.”
When we hear this “we are different” argument, our
response is, “Yes and no.” The fact is that every company
and organization is unique. While the principles of good
security are immutable, the application of these security
principles to an organization’s specific situation
ultimately determines success or failure. The key for
every chief information security officer (CISO) is to
understand the organization’s business, goals,
operations, and tolerance for risk so that the CISO can
create a security program that is appropriate for the
organization. This alignment of the organization’s
security program to the organization’s business and
operations is the key to the success of any security
program and is pivotal to the role of the CISO.
GOVERNANCE
Any discussion of the role of the CISO starts with a
discussion of governance. Governance is the system by
which an organization defines, implements, and controls
the business as a whole (such as organizational or
corporate governance) or a specific part of the
organization (such as IT governance, financial
governance, or information security governance). Proper
governance ensures that the organization’s strategies are
aligned with its business, regulatory, and operating
environment.
Corporate governance can be considered from two
perspectives: strategy and authority. The governance
strategy involves defining and understanding the factors
that are important to the organization. A typical
governance strategy diagram depicts what the
organization has determined are the strategic factors that
are important. The example diagram in Figure 1-1 shows
all the factors that feed into the governance strategy and,
therefore, the functions that the strategy should enable.
For instance, the organization has decided that
transparency is important and should be addressed in
the organization’s organizational structure, culture,
business processes, and business operations.
As mentioned, the other perspective of organizational
governance is governance authority. This perspective
depicts the organizational structure and lines of
authority, as shown in the example in Figure 1-2.
Figure 1-1 Governance strategy diagram showing
strategic factors of the governance program
Figure 1-2 Governance diagram showing lines of
authority
INFORMATION SECURITY
MANAGEMENT STRUCTURE
The CISO’s job is to create and lead the right
management and organizational structure to enable
security functions. If governance defines the strategy of
the information security program, the organizational
structure enables its implementation. The structure is
composed of departments, staff, resources, assigned
responsibilities, and lines of communication. These
features can be defined and arranged in limitless ways. It
is the CISO’s job to create the optimum organization to
meet the goals of the security program. This section
discusses the size and management of the information
organization. Roles and responsibilities, staffing, and
other details of the information security program
organization are discussed in Chapter 3.
SIZING
How big or small should the information security
organization be? How much security is the right
amount? Many C-level executives like to compare their
organization’s or company’s size and spending to other
similar organizations in their industry. In fact, there are
third-party and industry groups that conduct surveys of
information security leaders and managers to obtain
sizing information and then publish the results.
Comparison to other organizations provides interesting
data points but should not be used as the driving factor
for sizing the security organization. Instead, the
organization should be sized based on the organization’s
tolerance for risk, as discussed in more detail in the
section on risk management later in this
chapter. The basic principle is that the annual spending
for security should be that which is required to protect
the organization’s information assets.
Some of the third-party groups that publish industry
trends on security spending are PwC, Gartner, Forrester,
and InformationWeek, although there are many others.
These organizations publish data on how security
spending compares with other organizational metrics as
well as how those numbers change over time. Here are
some widely published sizing numbers and trends:
• One industry source reported that average annual
security spending per employee in 2018 was $1,178
(as compared to $584 in 2012).
• Information security spending can range from
$1,000 to $3,000 per full-time employee.
• Information security spending as a percentage of IT
spending ranges from 1 percent to 15 percent
depending on the reporting source and the industry
being analyzed. Many surveys report 6 percent as
an average and some report information security
spending as a percentage of IT spending as high as
30 percent.
• Information security spending can range from 0.2
percent to 0.9 percent of company revenue.
MANAGEMENT STRUCTURE
The structure of the information security organization
should be the one that best fits the organization as a
whole. Regardless of the exact structure chosen, the
management structure should have the following
elements:
PRINCIPLES OF INFORMATION
SECURITY
This section describes core principles of information
security that serve as the foundation of all information
security programs. Although most readers of this book
may already be familiar with these concepts, we include
them to establish the terminology used throughout the
book as well as to review these essential information
security elements. Key information security principles
include the following:
• Confidentiality
• Integrity
• Availability
1. Reconnaissance
2. Enumeration
3. Exploitation
4. Action on objectives
Reconnaissance
This first step in an attack is the gathering of information
about the target organization by the attacker. The
attacker conducts research to learn about the target by
performing web searches, examining social media
accounts of the organization and its employees, reading
press releases and media articles, attending conferences,
symposia, or trade shows, or even physically observing
the organization’s employees or facilities. The attacker
attempts to uncover as much information as possible
about the target, such as:
• Domain names
• Corporate information
• Network diagrams
• Names of employees and key managers
• E-mail addresses and phone numbers
• Social media activity and friends
• Facility location and layout
• Ingress/egress details
Enumeration
During this phase the attacker tries to identify the
organization’s information assets and corresponding
vulnerabilities to exploit in the next phase. Analyzing the data
gathered during reconnaissance, the attacker attempts to identify
specific targets such as people, organizations,
departments, facilities, capabilities, data, vendor names,
and information systems. The attacker may conduct
scans of the environment to produce lists of systems and
then probe further to discover vulnerabilities that could
possibly be exploited. The primary goal of this phase is
the enumeration of the organization’s systems and data
to identify vulnerabilities to exploit in the next phase.
Exploitation
Once the assets and vulnerabilities are enumerated, the
attacker can design and execute their attack. This phase
involves probing and exploiting specific vulnerabilities
with the goal of gaining unauthorized access to the
enterprise. Many times, this involves weaponization,
which is designing and creating tools to aid in the attack.
Here are some weaponization and exploitation tools and
methods commonly used by attackers:
• Phishing Obtaining sensitive information by
disguising oneself as a trusted entity, usually via e-
mail
• Fake websites Used for harvesting sensitive
information (credentials)
• Malware Software that is intentionally harmful or
malicious
• Virus A type of malware that attaches itself to, or
hides inside, another program and runs when that
program runs
• Trojan Malware disguised as something useful so
that the victim installs or runs it
• Worm Malware that propagates itself to other
systems without user action
• Rootkit Malware that hides its presence by
modifying the operating system
• Social engineering Tricking someone into doing
something that is not in their best interest
• Scripting Supplying crafted input in data fields so
that it is interpreted as code or commands and
produces unintended results (injection attacks)
• Vulnerability-specific attacks Exploiting buffer
overflows or other software defects
DEFENSE-IN-DEPTH
Defense-in-depth is the concept that an organization
should not rely on just one control for protection, but
instead should use layers of controls to increase the work
factor of potential attackers. Defense-in-depth is the
coordinated use of multiple security controls in a layered
approach. A multilayered defense system minimizes the
probability of successful penetration and compromise
because an attacker would have to get through several
different types of protection mechanisms before gaining
access to critical assets.
RISK MANAGEMENT
Risk management is the process of identifying and
assessing risk, reducing it to an acceptable level, and
implementing the right controls to maintain that level.
Some organizations use risk management to strike a
balance between the value of an asset and the cost of the
controls to protect the asset, as shown in Figure 1-6. It
may be unwise for an organization to spend $1 million to
protect a $100,000 asset. Risk management ensures the
right controls are chosen that are appropriate to the
asset and the business of the organization.
ASSET SECURITY
Asset security is the concept of identifying what assets
the organization has and determining what types of
controls are appropriate for each. The types of assets in
the environment and the types of controls used for each
are identified and addressed in the organization’s
policies, standards, and procedures.
Often asset security focuses on data (information
assets). Asset security addresses implementing security
throughout the data life cycle, as shown in Figure 1-12.
SECURITY ENGINEERING
Security engineering is a vast domain that addresses the
secure design and implementation of information
systems. The key concept is that security should be an
integral part of the design of the enterprise. Security
engineering involves including all aspects of the
computing environment such as:
• Computer architecture components
• Operating system security and protection
mechanisms
• Information systems architecture and protection
mechanisms
• Network security design
• Enterprise security solutions (such as firewalls,
anti-malware, data loss prevention, endpoint
security, and secure gateways)
• Remote connectivity
• Wireless connectivity
• Cloud computing
• Cyber-physical systems
• Database security
• Mobile device security
• Security models
• Security assessment and authorization
• Cryptography
PHYSICAL SECURITY
Physical security addresses the understanding of threats
to the physical information systems, facilities, and
personnel as well as the controls to combat those threats.
Physical security is not always within the domain of
responsibilities of the CISO. Sometimes physical security
is managed separately from information security,
depending on the practices of the organization. Physical
security includes the following:
• Facility location
• Facility construction
• Physical security risks, threats, and
countermeasures
• Personnel security
SECURITY OPERATIONS
Security operations focuses on actively performing day-
to-day functions to prevent, detect, and respond to
security risks and threats. Those functions include the
following:
• Vulnerability, configuration, and patch
management All IT assets have vulnerabilities.
These assets include desktops, laptops, mobile
devices, servers, network and storage appliances,
operating systems, application software, and so on.
It’s a full-time job to keep track of all the assets in
an organization and whether or not they have the
latest patches and the correct versions of software.
A good vulnerability, configuration, and patch
management program should give the organization
“situational awareness” or an accurate picture of all
the assets and their configuration and patch status.
• Monitoring and logging This critical function
involves capturing all significant events within the
IT enterprise to detect malicious activity and to
support investigations of previous or ongoing
security events. This function is performed by
configuring systems in the enterprise to capture
activity such as logins and access to assets, data
read/write/modify, data exfiltration, access to
external and internal systems, login attempts, and
so on. Capturing these activities and monitoring
them in real time supports intrusion detection.
Capturing these events for future analysis supports
forensic investigations. Monitoring and logging
covers deciding what events to log and monitor
based on business risk and available resources.
Capture too much and you have the high costs of
storage and network traffic. Capture too little and
you won’t capture enough data to be useful. Mature
organizations continually tune their logging and
monitoring capabilities to best fit their business.
• Incident handling The time to figure out what to
do in response to a security breach is not after one
occurs. Incident handling is all about planning for
various types of security incidents and defining
what to do ahead of time. Usually incident
handling follows a six-step model, as shown in
Figure 1-14.
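The monitoring and logging function above says that captured login attempts, watched in real time, support intrusion detection, and that the events you choose to log and alert on must be tuned to business risk. The following added example (it is not from the book or from any product the book names) shows the shape of such a detection in Python: it parses constructed, sshd-style authentication lines, keeps a sliding window of failed logins per source address, and alerts when a source crosses a failure threshold or when a login succeeds right after a burst of failures. The log format, the sample lines, the thresholds and the function names are all assumptions chosen for the illustration.

```python
"""Added example, not from the book: a minimal login-failure detection.

Parses constructed sshd-style lines, tracks failures per source address in
a sliding time window, and raises alerts for (a) a source that reaches the
failure threshold inside the window and (b) a successful login from a
source that still has a burst of recent failures. Format, thresholds and
sample data are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). One source hammers several
# accounts and then gets in; another source has a single typo and succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000
2024-03-01T10:00:02 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001
2024-03-01T10:00:03 sshd[1201]: Failed password for root from 203.0.113.7 port 51002
2024-03-01T10:00:04 sshd[1201]: Failed password for alice from 203.0.113.7 port 51003
2024-03-01T10:00:05 sshd[1201]: Failed password for bob from 203.0.113.7 port 51004
2024-03-01T10:00:09 sshd[1201]: Accepted password for bob from 203.0.113.7 port 51005
2024-03-01T10:00:20 sshd[1201]: Failed password for carol from 198.51.100.4 port 40000
2024-03-01T10:30:00 sshd[1201]: Failed password for carol from 198.51.100.4 port 40001
2024-03-01T10:30:05 sshd[1201]: Accepted password for carol from 198.51.100.4 port 40002
"""

# Assumed line layout: "<ISO timestamp> sshd[<pid>]: <Failed|Accepted> password for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_line(line):
    """Return (timestamp, outcome, user, src) for an auth line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def detect(log_text, window=timedelta(minutes=5), threshold=5,
           min_failures_before_success=3):
    """Stream events in order and return a list of (kind, src, detail) alerts.

    'brute_force'             : a source reached `threshold` failures within `window`.
    'success_after_failures'  : a login succeeded from a source with at least
                                `min_failures_before_success` failures still in
                                the window. The minimum keeps a single typo followed
                                by a correct password from generating noise, which is
                                the tuning trade-off the text describes.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerted = set()                # sources already reported as brute force
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                # not an event we chose to log
        ts, outcome, user, src = ev
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()        # expire failures outside the window
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("brute_force", src,
                               f"{len(recent)} failures in window"))
        else:
            if len(recent) >= min_failures_before_success:
                alerts.append(("success_after_failures", src,
                               f"user {user} after {len(recent)} recent failures"))
            recent.clear()          # a success resets the failure run
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script, the example reports the 203.0.113.7 source twice (the failure burst, then the success that follows it) and stays silent about 198.51.100.4, whose single failure before success falls under the noise floor. Raising `threshold` or `min_failures_before_success` is the "capture too little" side of the trade-off; lowering them is the "capture too much" side.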
COMPLIANCE
Earlier in this chapter, we covered many of the
governance practices the CISO is responsible for,
including understanding the organization’s business
drivers and creating and maintaining a security program
that facilitates these drivers. A critical aspect of
developing these drivers is understanding the
compliance requirements of the organization.
Compliance is an approach to governance designed to
ensure alignment with applicable laws, regulations,
standards, organizational policies, ethical conduct, and
other business goals. The discussion around compliance
often focuses on regulatory compliance because the
consequences of noncompliance (fines, reputational
damage, and so on) are potentially steep. However,
compliance with regulations is not the only form of
compliance. There are both internal and external
compliance requirements, as outlined in Figure 1-15, that
drive the organization to implement policies, standards,
and procedures to support compliance.
COMPLIANCE TEAM
The compliance team is typically involved in providing
guidance on internal policies and procedures as well as
evaluating current processes and technology to
determine ways to improve compliance. Depending on
the organization, the team may focus solely on internal
compliance, focus solely on external compliance, or be
responsible for both. Responsibilities of the compliance
team may include the following:
COMPLIANCE MANAGEMENT
Compliance crosses all aspects of the business and, like
any other program, must be appropriately managed to
ensure alignment. Compliance management is the
process by which an organization plans, implements, and
maintains the activities that support compliance.
Compliance management enables organizations to put
into place governance, policies, systems and processes,
and reporting and measurement. Every organization
engages in some kind of compliance management
activities, but not all organizations have a formal
compliance program, a dedicated compliance team, or
follow a defined compliance management process.
All organizations must comply with a mix of corporate
policies, standards, laws, regulations, and internal
requirements that govern their business conduct. An ad
hoc approach to compliance management may work for
small organizations with limited compliance obligations.
However, organizations with many compliance drivers
must properly manage and maintain compliance to
ensure the accuracy and completeness of their
compliance efforts. There are many processes and
methodologies for managing compliance. The process
covered in this chapter is based on ISO 19600:2014,
Compliance management systems, and focuses on a
cyclical approach similar to the Plan, Do, Check, Act
(PDCA) cycle (also known as the Deming cycle or
Shewhart cycle). The steps are as follows:
1. Plan
2. Implement
3. Evaluate
4. Maintain
The process is illustrated in Figure 1-16. The external and
internal requirements (laws, regulations, directives,
ethics, goals, and objectives) serve as input into the
compliance management process.
Figure 1-16 Compliance management process
EXAM TIP The CCISO exam will not contain questions pertaining to the
exact steps for compliance management outlined in this section. The goal is
to conceptually understand the general process for managing compliance and
be able to distinguish scenarios where a specific compliance approach is
applicable.
Plan
The first step in the compliance management process is
to determine the scope of the applicable internal and
external compliance requirements in order to
understand the full compliance landscape. This requires
having a thorough understanding of the internal
business requirements, the industry that the
organization operates in, the types of information that
the business deals with, and the geographical areas in
which the organization operates. There are different laws
and regulations at the local, state, federal, and national
level, and these laws and regulations often apply only
to specific data types. An inventory of applicable legal
and regulatory drivers as well as internal requirements
should be produced to identify compliance risk that
affects the business. The goal is to develop a strategy for
identifying, measuring, and correcting instances of
noncompliance.
Implement
After the strategy or plan of action has been developed,
steps must be taken to address instances of
noncompliance. Implementation often requires a cross-departmental
effort and can manifest in many different
activities, including requirements to
Evaluate
The next step is to evaluate or assess the compliance
program controls and measure the findings. Compliance
assessments are used to identify and measure
compliance risk due to missing controls. In some cases, a
compliance assessment may cover multiple laws,
regulations, and business requirements. In other cases,
an organization may have an assessment performed
against a specific compliance obligation such as PCI
DSS, HIPAA, ISO/IEC 27001, or an internal ethics
survey. Compliance assessments can be both internal
and external.
Internal compliance assessments are performed by
internal staff to measure the organization’s compliance
risk and determine actions that need to be taken to
comply with laws, regulations, and other compliance
requirements. They are also used to determine whether
the organization is following internal objectives, policies,
standards, and best practices. The internal assessment
may be performed by the internal audit team, the
compliance team, or another internal resource
depending on the structure of the organization and
distribution of compliance responsibility.
External compliance assessments are performed by an
independent third party and evaluate an organization’s
alignment with a specific law, regulation, or standard
(for example, PCI DSS or HIPAA). External compliance
assessments result in a report being issued measuring
the organization’s compliance. Depending on the type of
assessment, the resulting report may be used by
regulators to assess noncompliance to determine
whether to impose a fine or other penalty. External
compliance assessments can also result in certification.
For example, some organizations may pursue ISO/IEC
27001 or PCI DSS certification. In order for an
organization to become certified, a comprehensive audit
must be conducted by an accredited third party (for
example, a Qualified Security Assessor [QSA] for PCI
DSS). Upon successful completion of the audit, and given
that all the requirements are met, the organization will
be certified as compliant. Compliance is an ongoing
process of ensuring alignment with requirements, while
certification is attestation of compliance for a specific
period of time.
CISOs can use the results of compliance assessments
to improve the maturity of the organization and as a
basis for a request for funding for the implementation of
controls to mitigate risk and address findings.
Maintain
To effectively ensure compliance, the organization must
remain vigilant to ever-changing compliance
requirements. Compliance is like any other program and
requires ongoing maintenance, monitoring, and
reporting. New laws are established, new regulations are
imposed, and new internal organizational requirements
are developed as the organization evolves. As an
organization’s technical infrastructure, business
processes, or scope changes, new laws and regulations
may govern the business that previously were not
applicable. The goal is for the program to be able to
address new compliance risks, identify and examine
instances of noncompliance, and adapt to the evolving
landscape on an ongoing basis.
PRIVACY
Many of the laws and regulatory drivers discussed later
in this chapter share a common focus on
privacy. Data privacy is an important aspect of
compliance. Organizations must understand the privacy,
legal, and regulatory requirements for the industry they
operate in. It is crucial to document how privacy-related
information is processed; this includes collection, use,
sharing, archival, and disposal. Some key things to think
about to begin maturing privacy efforts are the following:
• FISMA
• DFARS 252.204-7012
• Clinger-Cohen Act
• PCI DSS
• Privacy Act
• GLBA
• HIPAA
• FERPA
• SOX
• GDPR
• NERC-CIP
EXAM TIP CCISO candidates should be familiar with the provisions of laws
that affect organizational information security.
CLINGER-COHEN ACT
The Clinger-Cohen Act of 1996 is a US federal law that
applies to federal agencies focused on improving the
acquisition, use, and disposal of information technology.
It is intended to improve IT acquisition, investment, and
expenditures to reduce waste.
Who does the Clinger-Cohen Act apply to? The
Clinger-Cohen Act applies to US federal agencies.
How does compliance impact an organization?
The Clinger-Cohen Act is composed of two laws that
were passed together: the Information Technology
Management Reform Act (ITMRA) and the Federal
Acquisition Reform Act (FARA). Some of the key
requirements of the Clinger-Cohen Act include the
following:
GRAMM-LEACH-BLILEY ACT
The Gramm-Leach-Bliley Act (GLBA), also known as the
Financial Services Modernization Act of 1999, requires
financial institutions to protect individuals’ nonpublic
personal information. This includes disclosing to
customers how their private information will be
protected and whether it will be distributed to third
parties.
Who does the Gramm-Leach-Bliley Act apply
to? GLBA is mandatory for financial institutions,
including banks, mortgage brokers, real estate firms,
insurance companies, and other organizations engaged
in providing financial services or products.
How does compliance impact an organization?
There are three major provisions of GLBA that protect
customers’ information: the Financial Privacy Rule, the
Safeguards Rule, and the Pretexting Rule.
NOTE Covered entities and business associates that create, use, transmit, or
store protected health information must comply with both HIPAA and
HITECH.
SARBANES-OXLEY ACT
The Sarbanes-Oxley Act of 2002 (SOX), also referred to
as the Public Company Accounting Reform and Investor
Protection Act of 2002, is a US federal law focused on
holding board members and executives accountable for
the accuracy of the financial statements of their
organization. SOX was passed as a result of many large-scale
scandals where executives intentionally misled the
public about their financials (for example, Enron), which
resulted in the loss of billions of investor dollars.
Who does SOX apply to? SOX applies to all
publicly traded companies doing business in the United
States. This includes any company publicly traded on US
markets.
How does compliance impact an organization?
The goal of SOX is to reduce fraud and hold board
members and executives accountable for the accuracy of
financial statements. A majority of the law has to do with
accounting practices, with the exception of Section 404
of the law, which applies to information technology.
Section 404 of SOX is a driver of internal control
assessment activities by requiring
• Management responsibility for establishing and
maintaining adequate internal controls for
financial reporting
• Assessment of effectiveness of internal controls by a
public accounting firm
NOTE Post-Brexit (the withdrawal of the United Kingdom [UK] from the EU),
the UK will still be subject to EU law, including GDPR, for a transition period
from January 31, 2020 to December 31, 2020 unless an additional extension
is agreed upon. This means that UK citizens are still protected under GDPR
during the transition period. Following the transition period, a UK-amended
version of GDPR will be followed, known as UK GDPR, which will cover
protection of UK citizen data. However, UK organizations will still be
subject to EU GDPR if they collect personal data of EU citizens.
ISO/IEC 27001
ISO/IEC 27001, Information technology – Security
techniques – Information security management systems
– Requirements, is the best-known framework in the
ISO/IEC 27000 series family. ISO/IEC 27001 contains
guidance on establishing a holistic ISMS. The key
requirements that make up ISO/IEC 27001 are
organized into the following ten sections in the
publication:
• Scope
• Normative references
• Terms and definitions
• Context of the organization
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement
Figure 1-17 outlines the core components of an
information security management system according to
ISO/IEC 27001.
• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement, and Liability
Supplemental Principles:
• Sensitive Data
• Journalistic Exceptions
• Secondary Liability
• Performing Due Diligence and Conducting Audits
• The Role of the Data Protection Authorities
• Self-Certification
• Verification
• Access
• Human Resources Data
• Obligatory Contracts for Onward Transfers
• Dispute Resolution and Enforcement
• Choice – Timing of Opt Out
• Travel Information
• Pharmaceutical and Medical Products
• Public Record and Publicly Available Information
• Access Requests by Public Authorities
COBIT
The Control Objectives for Information and Related
Technology (COBIT) is a best practice framework for
governance and management of IT developed by ISACA
and the IT Governance Institute. The most recent version
at the time of this writing is COBIT 2019. COBIT 2019 is
made up of five governance and management domain
objectives, shown in Figure 1-19. These domains are
made up of 40 objectives.
INFORMATION SECURITY
TRAINING AND CERTIFICATIONS
This section covers some of the well-known vendor-neutral
information security certification bodies. These
certification bodies provide a range of benefits to the
community, including forums, conferences, networking
opportunities, and security best practice resources, as
well as certifications and training for continuous
learning. It is important for CISOs to be aware of
continuous learning opportunities to identify training
opportunities for themselves and their teams.
ISACA
ISACA, previously known as the Information Systems
Audit and Control Association, is a nonprofit
professional association for advancing the field of
information security, assurance, risk management, and
governance. ISACA provides members with access to
best practice frameworks, documentation, conferences,
and training programs. ISACA may be best known for
developing COBIT, previously discussed. ISACA provides
training and certifications for the following:
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control
(CRISC)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise IT
(CGEIT)
• Cybersecurity Nexus (CSX)
INTERNATIONAL COUNCIL OF E-COMMERCE
CONSULTANTS
The International Council of E-Commerce Consultants
(EC-Council) is a professional security organization that
provides training and certification on a variety of IT
security topics. EC-Council is the certifying body for the
Certified Chief Information Security Officer (CCISO)
certification. EC-Council also operates several security
conferences as well as EC-Council University (ECCU).
Some of the certifications provided by EC-Council
include the following:
• Certified Ethical Hacker (CEH)
• Certified Network Defender (CND)
• EC-Council Certified Security Analyst (ECSA)
• EC-Council Certified Security Specialist (ECSS)
• EC-Council Certified Encryption Specialist (ECES)
• Certified Secure Computer User (CSCU)
• EC-Council Disaster Recovery Professional (EDRP)
• Computer Hacking Forensic Investigator (CHFI)
• EC-Council Certified Incident Handler (ECIH)
• Certified Chief Information Security Officer
(CCISO)
• Certified Application Security Engineer (CASE)
• Certified Threat Intelligence Analyst (CTIA)
• Certified SOC Analyst (CSA)
SANS INSTITUTE
The SANS Institute, officially the Escal Institute of
Advanced Technologies, is an information security
training and certification organization. SANS offers a
variety of resources, including training/certification,
conferences, webinars, articles, and other resources to
help develop security professionals. SANS is particularly
known for its hands-on training. SANS stands for
SysAdmin, Audit, Network, and Security to represent the
range of topics their certifications and training cover.
Here is a list of several of the SANS certifications:
• GIAC Security Essentials (GSEC)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Forensic Analyst (GCFA)
• GIAC Penetration Tester (GPEN)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Web Application Penetration Tester
(GWAPT)
• GIAC Certified Forensic Examiner (GCFE)
• GIAC Security Leadership (GSLC)
• GIAC Reverse Engineering Malware (GREM)
• GIAC Information Security Fundamentals (GISF)
• GIAC Certified Enterprise Defender (GCED)
• GIAC Systems and Network Auditor (GSNA)
• Global Industrial Cyber Security Professional
(GICSP)
• GIAC Certified Windows Security Administrator
(GCWN)
• GIAC Continuous Monitoring Certification
(GMON)
• GIAC Network Forensic Analyst (GNFA)
• GIAC Exploit Researcher and Advanced
Penetration Tester (GXPN)
• GIAC Certified Perimeter Protection Analyst
(GPPA)
• GIAC Information Security Professional (GISP)
• GIAC Critical Controls Certification (GCCC)
• GIAC Mobile Device Security Analyst (GMOB)
• GIAC Assessing and Auditing Wireless Networks
(GAWN)
• GIAC Certified UNIX Security Administrator
(GCUX)
• GIAC Cyber Threat Intelligence (GCTI)
• GIAC Secure Software Programmer-Java (GSSP-JAVA)
• GIAC Certified Web Application Defender (GWEB)
• GIAC Python Coder (GPYC)
• GIAC Law of Data Security and Investigations
(GLEG)
• GIAC Strategic Planning, Policy, and Leadership
(GSTRT)
• GIAC Advanced Smartphone Forensics (GASF)
• GIAC Response and Industrial Defense (GRID)
• GIAC Certified Detection Analyst (GCDA)
• GIAC Secure Software Programmer-.NET
(GSSP-.NET)
• GIAC Defending Advanced Threats (GDAT)
• GIAC Certified Project Manager (GCPM)
• GIAC Security Expert (GSE)
• GIAC Critical Infrastructure Protection (GCIP)
• GIAC Defensible Security Architecture (GDSA)
• GIAC Enterprise Vulnerability Assessor (GEVA)
INTERNATIONAL ASSOCIATION OF
PRIVACY PROFESSIONALS
The International Association of Privacy Professionals
(IAPP) is a nonprofit organization focused on providing a
forum for privacy professionals to network, gain access
to resources, and pursue privacy certifications. IAPP
certifications include the following:
• Certified Information Privacy Professional/Asia
(CIPP/A)
• Certified Information Privacy Professional/Canada
(CIPP/Canada)
• Certified Information Privacy Professional/Europe
(CIPP/E)
• Certified Information Privacy Professional/US
Private-sector (CIPP/US)
• Certified Information Privacy Manager (CIPM)
• Certified Information Privacy Technologist (CIPT)
OFFENSIVE SECURITY
Offensive Security is a security company focused on
providing penetration testing professional services,
training, certifications, and tools to the security
community. Their courses focus on hands-on penetration
testing and ethical hacking. Offensive Security developed
the Kali Linux distribution with preinstalled penetration
testing and forensic tools. Their certification programs
include the following:
• Offensive Security Certified Professional (OSCP)
• Offensive Security Certified Expert (OSCE)
• Offensive Security Web Expert (OSWE)
• Offensive Security Wireless Professional (OSWP)
• Offensive Security Exploitation Expert (OSEE)
ETHICS
Organizational ethics are the principles that govern the
behavior of the organization, with a focus on acting with
integrity, accountability, and responsibility. Ethics starts
with the moral compass of the individual employee.
However, companies and organizations cannot always
trust employees to do the right thing. Therefore, many
organizations have a code of ethics, ethics policies, and
an ethics program in place. This sets the tone for the
expected behavior of the board, executives, employees,
and the organization as a whole. Ethics initiatives are
sometimes tied into an organization’s compliance
initiatives and are a focus for internal compliance.
Ultimately organizational ethics should mature beyond
simply distributing a code of conduct to creating a
culture of transparency, integrity, social responsibility,
and sound governance.
The CISO is not usually responsible for the ethical
conduct of the entire company or organization. However,
many of the ethical decisions of the CISO and the
security organization impact the company as a whole.
Therefore, ethical policies, standards, and decisions must
be well-coordinated between the CISO and the board and
leadership.
The CISO is responsible for their own ethical
conduct and that of the information security
organization. The CISO must set the ethical standards
for the information security program and staff. The CISO
role in particular is one that must foster trust and
credibility in the organization.
Ethics is sometimes considered in terms of the
stakeholders involved. Typically the stakeholders are
employees, customers, and owners/shareholders. These
stakeholders are the recipients, or beneficiaries, of
ethical conduct. Here are some examples of how ethics
impacts information security operations and the role of
the CISO:
• In conducting vulnerability and penetration testing,
the information security staff discovers a
previously unknown security flaw in a commercial
product. In this case the security professionals are
not under any legal obligation to report the flaw to
the product manufacturer. However, reporting the
flaw to the manufacturer would be the responsible
thing to do. In this case ethics plays a role in the
staff’s behavior.
• The security staff believes that customer data may
have been compromised, but they are not sure.
Should the customers be notified? This is an ethical
decision that should not be made on the spot—
there should be policies and guidelines to follow
that address the situation.
• A government agency requests that the
organization disclose information related to a
customer. If your organization is not required by
law to comply, should it do so anyway? What is the
ethical responsibility in this case, and to which
stakeholder: the customer or the government
agency?
CHAPTER REVIEW
Organizational governance is the top-down definition of
the strategy, organizational structure, and lines of
authority of the organization. Likewise, information
security governance is the definition of the goals and
organization of the information security program. To be
in alignment, both corporate governance and
information security governance must take into account
external and internal drivers such as regulations and
industry practices. Key to the success of organizational
and information security governance is good
communication between the leaders of the organization,
such as the CEO and the board, and the leader of the
information security program, the CISO.
The information security program should be built to
ensure that all three aspects of the confidentiality,
integrity, and availability (CIA) triad are fulfilled, taking
into account the organization’s vulnerabilities, risks,
threats, and exposures. This is accomplished by
implementing defense-in-depth based on a risk
management approach to ensure that the appropriate
controls are selected to achieve the right balance of
security versus cost. Information security programs
generally include the following elements:
QUICK REVIEW
• Alignment of the organization’s security program to
the organization’s business and operations is the
key to the success of its security program and
pivotal to the role of the CISO.
• Governance is accountability, authorization to
make decisions, and oversight. Proper governance
ensures that the organization’s strategies are
aligned with its business, regulatory, and operating
environment.
• Information security governance is the framework
for reducing information security risk to the
organization.
• External drivers that shape the information security
program include regulatory drivers, industry
practices, and risks and threats.
• Internal drivers that shape the information security
program include leadership understanding and
perception, organizational structure, culture and
climate, history, and lessons learned.
• The basic principles of information security are
confidentiality, availability, and integrity.
• A vulnerability is a weakness that could potentially
be exploited.
• A threat is any potential danger that is associated
with the exploitation of a vulnerability.
• A risk is the likelihood of a threat agent exploiting a
vulnerability and the corresponding business
impact.
• An exposure is an instance of being exposed to a
loss from a threat. A vulnerability can expose an
organization to possible damages.
• A countermeasure (or a control) is put into place to
mitigate a potential risk.
• Defense-in-depth is the concept that an
organization should not rely on just one control for
protection, but instead use layers of controls to
increase the work factor of potential attackers.
• Risk management is the process of identifying and
assessing risk, reducing it to an acceptable level,
and implementing the right mechanisms to
maintain that level.
• Organizations use either qualitative or quantitative
methods to analyze risk.
• The security program typically has a collection of
management security directives (policies,
standards, guidelines) that form a library of rules
and practices that the program personnel are to
follow.
• Asset security is the concept of identifying what
assets the organization has and determining what
types of controls are appropriate for each.
• Access controls are security features that control
how users and systems communicate and interact
with other systems and resources.
• Security engineering is a vast domain that
addresses the secure design and implementation of
information systems.
• Security operations focus on actively performing
day-to-day functions to prevent, detect, and
respond to security risks and threats.
• Software must be developed in a manner that
ensures it does not contain security vulnerabilities.
• All security programs must have an ongoing
assessment and testing component to conduct
vulnerability testing and ensure the successful
performance and management of vulnerability
remediation activities.
• All employees should be made aware of the
organization’s security policies and processes as
well as good security practices in general.
• Every organization should have a plan and
procedures in place to be able to ensure the
business can continue to operate in the event of a
security breach or other disaster.
• An information security organization should be
sized based on the organization’s tolerance for risk.
• The structure of the security organization should
have the following elements: clear lines of
authority, situational awareness, and internal and
external communication and reporting.
• Compliance is an approach to governance designed
to ensure alignment with applicable laws,
regulations, standards, organizational policies,
ethical conduct, and other business goals.
• Being compliant does not necessarily mean an
organization is secure, and a good security program
isn’t necessarily compliant.
• The compliance team is typically involved in
providing guidance on internal policies and
procedures as well as evaluating current processes
and technology to determine ways to improve
compliance.
• Compliance management is the process by which
an organization plans, implements, and maintains
the activities that support compliance.
• Privacy indicates the level of control an individual
should expect to have over their own sensitive data.
• The Federal Information Security Modernization
Act (FISMA) requires US federal agencies to build,
document, and implement an agency-wide
information security program to support agency
operations.
• The Clinger-Cohen Act of 1996 is a US federal law
that applies to federal agencies focused on
improving the acquisition, use, and disposal of
information technology.
• The Gramm-Leach-Bliley Act (GLBA), also known
as the Financial Services Modernization Act of
1999, requires financial institutions to protect
individuals’ nonpublic personal information.
• The Health Insurance Portability and
Accountability Act (HIPAA) is a US federal
regulation covering the handling of protected
health information (PHI) and provides a
framework for protecting the security and privacy
of health information.
• The Family Educational Rights and Privacy Act of
1974 (FERPA) is a US federal law focused on
protecting the privacy and confidentiality of
student educational records.
• The Sarbanes-Oxley Act of 2002 (SOX) is a US
federal law focused on holding board members and
executives accountable for the accuracy of the
financial statements of their organization.
• Organizational ethics are principles that govern the
behavior of the organization, with a focus on acting
with integrity, accountability, and responsibility.
QUESTIONS
1. Which of the following is the best way to
determine if an information security program
supports the organization’s business objectives?
A. Determine if the information security program
plan or charter is consistent with the management
strategy
B. Determine if the information security program is
adequately staffed
C. Determine if the information security program is
utilizing its people and equipment efficiently
D. Determine if the information security program is
able to easily adapt to change
2. A student compromises a system that contains
test grades and changes her grade on a recent test
from a D to A. Which of the following has been
compromised?
A. Integrity
B. Availability
C. Confidentiality
D. Both availability and confidentiality
3. Which of the following is the most correct?
A. A countermeasure is usually intended to reduce a
threat.
B. Risks, threats, and exposures are generally the
same.
C. Vulnerabilities are the result of poor password
management.
D. A countermeasure is a control that is put into
place to mitigate a risk.
4. A CISO must define the rules by which the
organization will meet its security objectives.
Which document or set of documents is the best
mechanism to accomplish this?
A. Security program plan
B. Security policies
C. Security guidelines
D. Security standards
5. Which of the following is most important when
defining the organizational structure of an
information security program?
A. Ensuring the CISO reports directly to the CEO
B. Showing clear lines of authority
C. Using a matrix organization to ensure situational
awareness
D. Sizing the organization similar to other
companies in the industry
6. Which of the following laws is focused specifically
on the handling of protected health information?
A. GLBA
B. SOX
C. HIPAA
D. FISMA
7. An e-commerce site that accepts online payment is
expanding and hires a CISO to ensure that the
organization is complying with industry
regulations and standards. Which of the following
frameworks is of greatest concern to the CISO for
ensuring compliance?
A. SOX
B. FISMA
C. ISO/IEC 27001
D. PCI DSS
8. An organization has a business need to receive
personal data from citizens of the EU and needs
guidance from the CISO on how to comply with
EU privacy laws. Which of the following
frameworks would be a good place for the CISO to
start in order to fulfil this requirement?
A. Privacy Shield
B. FISMA
C. FIPS
D. SOX
9. An organization is looking for best practice
guidance to secure its web applications. Which of
the following organizations would be the best
resource for the organization?
A. CSA
B. OWASP
C. CIS
D. IAPP
10. A publicly traded company collects cardholder
data in the course of business operations. The
organization’s CEO recognizes the importance of
information security and hires a CISO. Which of
the following must the CISO ensure the business is
compliant with?
A. GDPR and FISMA
B. PCI DSS and GDPR
C. PCI DSS and SOX
D. GDPR and SOX
ANSWERS
1. A. While many of these answers might
demonstrate the information security program’s
alignment with business objectives, the best way to
determine if the information security strategy
supports business objectives is to review the
information security program plan or charter for
consistency with the management strategy.
2. A. Integrity of a system is maintained when only
authorized changes are permitted. In this case the
student is not authorized to modify her own grade.
3. D. A countermeasure is put into place to mitigate
a potential risk. Also called controls,
countermeasures are features such as devices,
configurations, or products that reduce the
likelihood that a vulnerability could be exploited.
4. B. Security policies define the hard-and-fast rules
that must be followed. The security program plan
describes the overall security program and
organizational structure, while guidelines and
standards are supporting documents that are
important but do not define requirements.
5. B. The organization should prioritize having clear
lines of authority. The CISO does not always need
to report to the CEO as long as there is good
communication. A matrix type of organization is
just one of several viable approaches. The
organization should be sized according to its
tolerance for risk, not based on comparisons to
other companies.
6. C. The Health Insurance Portability and
Accountability Act (HIPAA) is a US federal
regulation that focuses specifically on the handling
of protected health information (PHI). HIPAA
provides a framework for protecting the security
and privacy of health information. The rules in
HIPAA apply to covered entities and business
associates.
7. D. The Payment Card Industry Data Security
Standard (PCI DSS) is a control framework
focused on the protection of credit card
information. PCI DSS applies to any organization
that handles cardholder data.
8. A. The EU-US and Swiss-US Privacy Shield
Frameworks exist to regulate exchanges of
personal information from the European Union
and Switzerland to the United States. The goal of
Privacy Shield is to enable US companies to
receive personal data from the EU while
complying with EU privacy laws.
9. B. The Open Web Application Security Project
(OWASP) is an international organization focused
on enabling organizations with the skills and tools
to plan, develop, acquire, operate, and maintain
secure applications. OWASP develops tools,
guides, and best practice documents and organizes
conferences focused on application security.
10. C. The CISO must ensure that the organization is
compliant with PCI DSS and SOX. The Sarbanes-
Oxley Act (SOX) applies to all publicly traded
companies doing business in the United States.
The Payment Card Industry Data Security
Standard (PCI DSS) applies to any organization
that handles cardholder data. Since the
organization is both a publicly traded company
and handles cardholder data, the organization
must be compliant with both.
CHAPTER 2
Information Security Controls, Compliance, and Audit Management
This chapter discusses the following topics:
INFORMATION SECURITY CONTROLS
This section introduces foundational details about
information security controls, including control classes,
control functionalities, and types of control frameworks.
CONTROL FUNDAMENTALS
A security control, also known as a safeguard or
countermeasure, is a mechanism put in place to mitigate
risk and protect the confidentiality, integrity, and
availability (CIA) of an asset. This section reviews
fundamental terminology such as control class and
control functionality.
Control Classes
Controls can be grouped into classes, the names of which
vary depending on the framework used. In practice, the
three classes that are most often used are
administrative, technical, and physical. However, NIST
uses a different set of classes: management, operational,
and technical. Different organizations use different
terminology. Here is a description of the terms used
most often:
• Administrative Management-oriented controls
such as policies, procedures, guidelines, training,
risk management, and employment practices
(hiring, firing, and so on). Administrative controls
are also referred to as soft controls or managerial
controls.
• Technical Hardware or software components that
provide security control functionality. Examples
include encryption, password enforcement,
multifactor authentication, intrusion detection
systems (IDSs), intrusion prevention systems
(IPSs), and firewalls. Technical controls are also
referred to as logical controls.
• Physical Tangible controls put in place to protect
people, assets, and facilities against physical
threats. Examples include fencing, lighting, locks,
bollards, server room doors, alarms, and security
guards.
Control Functionality
The terms administrative, technical, and physical
address the class of the control but not how the control
operates and functions. Security controls can be broken
down based on their makeup and functionality. Security
functionality of controls describes what the controls do
for the organization. Functionalities of controls include
the following:
• Preventive These types of controls prevent or stop
the occurrence of an adverse event or incident.
Examples include mandatory background checks,
firewall access control lists (ACLs), door locks,
fences, bollards, and IPSs.
• Detective These types of controls discover, detect,
or identify a potential adverse activity, event,
intruder, or incident. Examples include IDSs,
security log review, mandatory vacations, and
reviewing events captured on surveillance cameras.
• Deterrent These types of controls deter or
discourage a potential adversary from performing
an attack or engaging in unwanted behavior.
Examples include system warning banners and
warning signs.
• Corrective These types of controls correct adverse
events that have occurred by fixing a system,
process, or activity. Examples include IPSs,
terminating an employee after an offense, antivirus
that quarantines malicious software, using a fire
extinguisher to extinguish a fire, and implementing
a business continuity plan or incident response
plan.
• Directive These types of controls are typically
administrative controls that communicate expected
behavior by specifying what actions are or are not
permitted. Examples include security policies,
standards, and procedures.
• Recovery These types of controls restore an
environment or operations back to regular
functionality. They are similar in function to
corrective controls but are thought of as having
advanced capability. Examples include restoring a
system from backup, removing malware from an
infected system, and utilizing a watchdog process
that can determine that a service has stalled and
restart it.
• Compensating These types of controls serve as an
alternate or secondary control implementation to a
primary control. These are often used when the
primary control is not feasible to implement due to
cost, complexity, or other business constraints.
Examples include implementing network isolation
of business-critical applications that cannot be
patched and installing fences, locks, and alarms
after a determination that a full-time security
guard is too expensive.
EXAM TIP A control can be associated with more than one control
functionality. For example, an IPS could be considered both preventive and
corrective, and fencing could be considered both preventive and deterrent,
depending on the context and how the question is presented.
CONTROL FRAMEWORKS
A control framework is a catalog of controls used to
provide a foundation to aid in the implementation of a
comprehensive information security program. Control
frameworks are useful in assessing, planning,
implementing, and documenting how and what security
controls are implemented in the organization. Without a
control framework, additional time and effort would
need to be spent designing controls and developing a
methodology for implementation.
Types of Frameworks
Many different types of frameworks are used by security
professionals, but there are three fundamental types:
• Process model Describes how to implement
security controls (examples include NIST RMF,
ISO/IEC 27001, and NIST CSF).
• Determinant Describes what to implement, such
as a library of controls (examples include NIST SP
800-53, ISO/IEC 27001/27002, CIS Top 20, and
NIST CSF).
• Evaluation Describes how to assess the
implementation and can therefore be used for
auditing (examples include NIST SP 800-53A,
ISO/IEC 27007, and ISO/IEC 27008).
EXAM TIP The terms process model, determinant, and evaluation are used
here simply to discuss and categorize the different types of control
frameworks; these terms might not appear on the actual CCISO exam.
INFORMATION SECURITY CONTROL LIFE CYCLE FRAMEWORKS
Security professionals select the right controls by
following a life cycle that typically includes risk
assessment, design, implementation, assessment, and
monitoring. Using a life cycle framework helps an
organization by defining a formal control
implementation process. Without a defined process,
control implementation is typically done in an ad hoc
fashion. This may work for small organizations.
However, as an organization grows larger and its control
requirements and environment become more complex, a
structured control life cycle process becomes more
important. The best practice is to use a formalized
process regardless of the size of the organization. This
section explores some of the most well-known life cycles
from process model frameworks.
ISO/IEC 27000
ISO/IEC 27000 series publications, known as the
information security management systems (ISMS) family
of standards, use the Plan, Do, Check, Act (PDCA) life
cycle for the implementation of security controls as part
of an ISMS.
• Plan Establish an ISMS.
• Do Implement and operate the ISMS.
• Check Monitor and review the ISMS.
• Act Maintain and improve the ISMS.
INFORMATION SECURITY CONTROL LIFE CYCLE
The previous section discussed several established
security control life cycle frameworks. Some
organizations tailor their own life cycle by combining
concepts from several different frameworks and
methodologies as part of their information security
program. Here we walk through a life cycle derived from
NIST RMF, NIST CSF, and ISO/IEC 27000. The process
consists of five steps:
1. Risk assessment
2. Design
3. Implementation
4. Assessment
5. Monitoring
NOTE Part of the CISO’s role is to oversee and supervise the control life
cycle process to ensure that objectives are met and projects are executed
within the defined budget, scope, and timeline. The CISO is also responsible
for ensuring that progress is communicated to key stakeholders with a vested
interest in the project (for example, system owner, executive team, board of
directors, and so on).
STEP 1: RISK ASSESSMENT
The first step is to perform a risk assessment to gain a
holistic perspective of the risks associated with an asset
that needs to be protected. The risk assessment may be
guided by previous risk assessments or by the
organization’s risk management process. The risk
assessment provides the organization with an
understanding of the threat landscape for a particular
asset. This includes the following:
STEP 2: DESIGN
The risk assessment enables the organization to design
the proper security controls based on the risk identified
as well as the operational needs and goals of the
organization. The primary goals of the design phase are
as follows:
• Control selection Select controls to address risks
identified in the risk assessment that align with the
goals, objectives, and needs of the organization.
• Control design Identify resources required for
control implementation and maintenance (for
example, financial, staffing, architectural, and so
on).
• Control testing Test controls before they are
implemented in production to ensure control
efficacy.
Control Selection
The organization may elect to design a control from
scratch or utilize a control framework. The control
frameworks provide lists of the specific controls that
should be implemented based on the risk assessment of
the asset. Instead of, or in conjunction with, control
frameworks, controls may be selected based on best
practice recommendations, experience, judgment, or
budget requirements in order to mitigate identified risk.
Consideration should also be given as to whether the
control will be automated or manual:
Control Design
A critical part of the control design process is
determining and planning the resources required to
implement and operationalize the control. Even when a
control framework is used, there are still many design
factors to consider and document, including the
following:
• Budget and scope
• Personnel and staffing requirements
• Infrastructure and architecture requirements (for
example, OS, applications, hardware, tools, and so
on)
• Ongoing control costs and maintenance (for
example, maintenance, support, monitoring, and
so on)
• Staff responsible for design, implementation,
assessment, and monitoring of the control
• Communication plan to inform stakeholders of
project status
• Development of metrics for measuring control
success
Control Testing
Part of the control design process should also include
testing the control before it is put into production to
ensure the efficacy of the control and that it will not have
negative impacts to the environment. In addition, a
backout plan should be developed in case control
implementation has a negative impact on the
environment. While the assessment phase of the life
cycle occurs after the implementation phase, this does
not negate the need to test as part of the design process
prior to implementation. The assessment phase of the
life cycle is an ongoing phase that ensures the control is
continuously assessed.
STEP 3: IMPLEMENTATION
The next step is the implementation of the controls in
order to mitigate risk identified in the risk assessment.
Once controls are designed, it is time to execute on the
projects outlined in the design phase. Implementation
may be simple or complex depending on the control in
question. For example, developing a password security
policy is much less time and resource intensive than
standing up a vulnerability management program.
Depending on the control in question, implementation
may require changes to the following:
Documentation Example
One of the methods used for control documentation is
the development of a system security plan (SSP), which
describes and documents how controls are
implemented for a given system. An SSP typically
contains, at a minimum, the following:
• Description A description of the system,
including name, purpose, information owner,
custodians, security categorization, data flows,
and so on
• Environment and boundaries A description of the
boundary of the system environment, including
description of the architecture, topology,
hardware and software assets, ports, protocols,
services, and so on
• Security control implementation A description of
how each applicable security control is
implemented as well as the implementation
status of each control
STEP 4: ASSESSMENT
Control assessment is an ongoing phase of the life cycle.
Controls must be assessed to ensure that they are
effective, implemented and operating correctly,
addressing their intended purpose, and operating in
accordance with the organization’s policies, standards,
and procedures. The assessment phase consists of three
main components:
• Assessment and testing
• Reporting
• Remediation
Reporting
After an assessment has been completed, any
deficiencies discovered should be documented and
analyzed. The findings should state what aspect of the
control was not operating as expected and how the
implementation differs from what was planned or
expected. The findings produced by the assessment are
used to determine the overall effectiveness of the
controls associated with the asset that was evaluated.
Assessment results typically are reviewed by the
information owner and senior management (CISO,
executive leadership, and so on) to determine the
appropriate course of action to remedy the situation in a
timely manner. The results of the assessment should
include the following:
• List of applicable controls
• Assessment and test plans for the controls
• Report indicating pass or fail per control tested
• Identification of corrective action and mitigation
required for deficiencies
Remediation
Remediation begins after findings have been
documented and a process to remedy the situation has
been identified. The remediation activities and
methodology are typically determined by many vested
stakeholders (information owner, custodian, system
maintainers, CISO, and others as required). Remediation
is typically prioritized based on a variety of factors,
including the following:
• Resources required for remediation
• Risk and severity level of the asset
• Risk associated with the finding
• Scope of the finding
• Type of assessment (internal versus external audit)
• Visibility of the finding internally and externally to
the organization
STEP 5: MONITORING
The final phase of the security control life cycle is
continuous monitoring. Controls must be monitored on a
continuous basis to determine the following:
• Control performance and effectiveness
• Alignment with organization strategies and
objectives
• Changes to information systems and environment
• Compliance with legislation, regulation, and
organizational policy and procedures
EXPLORING INFORMATION SECURITY CONTROL FRAMEWORKS
This section explores the makeup and structure of some
of the most commonly used information security control
frameworks:
• NIST SP 800-53
• NIST Cybersecurity Framework
• ISO/IEC 27002
• CIS Critical Security Controls
• CSA Cloud Controls Matrix
NIST SP 800-53
NIST SP 800-53, Security and Privacy Controls for
Federal Information Systems and Organizations, is a
well-known NIST publication consisting of a catalog of
security and privacy controls used to assist US federal
government agencies in meeting the requirements of
FISMA and serves as a best practice framework for other,
non-federal entities.
NIST controls are organized into 18 different control
families, listed in Table 2-3. In addition to these control
families, a Privacy Control Catalog was added in SP 800-
53 Rev. 4 (Appendix J) to address the ever-growing
concerns around privacy and to establish a link between
the relationship of security and privacy controls.
Table 2-3 NIST SP 800-53 Security Control Families
ISO/IEC 27002
As discussed in Chapter 1, ISO/IEC 27001, Information
technology – Security techniques – Information security
management systems – Requirements, is a best practice
framework used for implementing an information
security management system (ISMS) and determining
which controls to adopt. ISO/IEC 27002, Information
technology – Security techniques – Code of practice for
information security controls, is a supplementary
standard focused on recommended controls that the
organization may decide to implement to address
security objectives. A summary of ISO/IEC 27002
controls is included in Annex A of ISO/IEC 27001 but
describes each control in only a few sentences. ISO/IEC
27002 on the other hand goes into much greater detail,
discussing each control, how the control works, what the
control objective is, and how to implement the control.
Unlike ISO/IEC 27001, an organization cannot become
certified against ISO/IEC 27002. It is simply a reference
and guidance document for information security
controls.
ISO/IEC 27002 consists of 14 security control clauses
made up of 35 security control categories and 114
controls. Each security control category consists of a
control objective to be achieved and one or more controls
that may be implemented to achieve the objective. The
security control clauses in ISO/IEC 27002 are as follows:
EXAM TIP There may not be questions regarding specific auditing terms or
techniques. Having a good understanding of auditing practices and processes
should be sufficient for the exam.
AUDIT MANAGEMENT
Security auditing can be accomplished in isolation but is
usually managed as part of a larger auditing program
that includes examining other aspects of the organization
such as the organization’s financial or information
systems functions.
Some organizations have an audit committee that
oversees the organization’s audit program (usually for
the primary purpose of financial auditing). In a
corporation, the audit committee usually reports to the
board of directors. The committee ensures that the audit
program is in compliance with regulations such as the
United States’ Sarbanes-Oxley Act or the European
Union’s Directives. Depending on the organization, the
information security audit function may be part of the
organization’s overall audit program or may be within
the security department and under the purview of the
CISO.
Audit Planning
Before an audit is conducted, it is important to plan all
the necessary activities and identify the resources that
will be required. Most audits are quite broad and involve
the collection and analysis of large amounts of data. Such
an activity can get out of hand if it isn’t well planned.
Before audit planning can begin, the auditors must
first define the audit universe, which is an important
term when describing the scope and size of an audit. The
audit universe describes all the business processes and
assets that are included in the audit. A CISO friend used
to say, “You can’t boil the ocean”; likewise, you can’t
audit everything, so one must choose what items are
most relevant to support the goals of the organization.
The audit universe defines everything that is in scope of
the audit.
The first criterion for determining the audit universe is
to identify the business processes and associated assets
that are essential to meeting regulatory compliance
requirements. For instance, if the purpose of the audit is
to determine HIPAA compliance, and the company
stores patient data in a database, the database and
associated security controls would likely be part of the
audit universe.
Some organizations determine the audit universe
using a risk-based approach. Using this method, the
business processes and their corresponding assets are
ranked by risk level (such as high, medium, or low). The
business processes or functions that present the greatest
risk to the business (have the most business impact)
would have the highest priority in audit planning.
Audit planning is sometimes captured in two
documents: the audit strategy and the audit plan. The
audit strategy defines the scope, timing, and direction of
the audit, whereas the audit plan defines the nature,
timing, and extent of the audit activities. Figure 2-5
shows an overview of a typical audit planning process.
The following provides an explanation of each numbered
step in the figure.
AUDIT PROCESS
Auditing cannot be accomplished without a carefully
crafted plan. The plan should include documented steps
for each activity and the identification and/or creation of
a repository for all auditing artifacts to be stored and
maintained. The goal is to define a repeatable audit
process that can continually evolve and improve. An
audit process provides a mechanism to convey the scope
and requirements of the audit to ensure the audit is
fulfilling its intended purpose. The process should
include the following auditing best practices:
• Checks and balances One method for mitigating
the risk of auditing errors is to implement
separation of duties using checks and balances. In
this approach the person(s) responsible for
executing a task is separate from the person(s)
responsible for verifying the task was done
correctly.
• Two-person rule Wherever practical, audit
activities should be performed by two-person
teams whereby one person does a task and a
second person looks over their shoulder to make
sure it was done correctly. The key part of a two-
person rule is that it is a rule, meaning an activity
that falls under the two-person rule is not
permitted to be performed by just one person.
• Independent validators Similar to checks and
balances, the idea is that auditing should be
performed by individuals who do not have an
interest in the audit outcome. For instance, if Joe
designed and implemented a security control, he
shouldn’t be the person auditing the
implementation to make sure it was done correctly.
Instead, a disinterested party should perform the
audit.
• Checklists “Back in the day” auditors carried
clipboards with checklists of items to be examined
and verified. Nowadays they use spreadsheets and
databases, but the concept is the same—create and
use checklists of actions with corresponding boxes
to check or data to capture. Detailed checklists are
the auditor’s best friend as they define each audit
action aligned with the corresponding result.
• Establish audit records There should always be
a record of who checked what and when the check
occurred. Audit records permit the organization to
look back and verify what was done and that it was
performed properly.
• Securely store audit records Audit records are
highly sensitive because they contain information
about vulnerabilities in the environment. This
information could be exploited if shared with the
wrong individuals or organizations. Audit records
should be properly secured and access to them
should be tightly controlled so that only authorized
persons are permitted to see the information.
• NIST SP 800-53A
• ISO/IEC 27007
• ISO/IEC 27008
NIST SP 800-53A The NIST Risk Management
Framework contains an auditing component outlined in
the assessment phase of the process that references NIST
SP 800-53A, Assessing Security and Privacy Controls in
Federal Information Systems and Organizations:
Building Effective Assessment Plans. NIST SP 800-53A
contains a set of procedures for conducting assessments
of security and privacy controls (outlined in NIST SP
800-53) at various phases of the system development life
cycle.
ISO/IEC 27007:2017 ISO/IEC 27007, Information
technology – Security techniques – Guidelines for
information security management systems auditing, is
a standard that provides guidance on auditing
information security management systems. ISO/IEC 27007
advises on how to apply ISO 19011:2018, Guidelines for
auditing management systems, within the context of an ISMS.
The standard covers the following:
• Managing an ISMS audit program (who, what,
where, when, and how to audit)
• Performing internal or external ISMS audits (audit
process)
• Managing ISMS auditors (skills, competence)
Benefits of CSAs
Without a CSA program, an organization won’t know
where it stands until an audit takes place. Therefore,
problems and security vulnerabilities could be left
exposed for long periods of time before they are
discovered. The CSA gives the organization a continuous
view and enables continuous remediation and
improvement of controls.
The CSA also provides an opportunity to merge audit
functions into the actual implementation of controls.
This provides the opportunity to make the controls
stronger. CSAs also enable organizations to assign staff
to integrate control implementation and monitoring
functions. After all, who is better able to define metrics
for measuring the success of security controls than the
people that design and implement the controls?
Before CSAs we had silos. Implementers would
implement and auditors would assess. This proved to be
very inefficient and made the remediation process slow.
By allowing assessments to be performed by the
operations staff, controls can be better aligned with
business and organizational goals. CSAs improve the
quality and knowledge of the implementation staff. They
make the employees more invested in the quality of
controls.
Many regulatory agencies (such as the FDIC) require CSA
programs, and many organizations use CSAs to help
them meet the internal control reporting requirements of
the Sarbanes-Oxley Act. Benefits of using CSAs include
the following:
• Brings auditing into the organization’s day-to-day
functions
• Integrates control implementation with control
monitoring
• Allows better definition and use of metrics
• Better enables addressing of problems at their
source
• Allows the organization to detect problems earlier
CSA Pitfalls
Some organizations may resist doing CSAs because it is
perceived as making more work for the operations staff.
In many organizations, the operations staff (and staff in
other departments) already have a full plate. However,
the concept is that the organization will have to
remediate problems found by the auditors anyway, so if
the organization identifies them and fixes them
internally, the process becomes more efficient and causes
less work overall for the operations staff. That’s the idea
and, in practice, if the CSA program is implemented
properly, it can provide this efficiency.
Having the same staff implement and assess can lead
to failure to evaluate objectively. This can be due to the
employees being too close to the problem or being too
invested in the control’s creation or implementation.
This situation can be addressed by implementing
auditing best practices such as using a two-person rule
and ensuring that audit processes are peer reviewed
prior to implementation.
Another potential pitfall is that operations staff may
be reluctant to call out issues created by their own
department, peers, or supervisors. To address this, some
organizations permit employees to participate in the CSA
anonymously or have their names redacted from the
audit reports. However, the best way to address this is by
management fostering a culture of openness and a spirit
of improvement within the workplace.
CONTINUOUS AUDITING
Continuous auditing is essentially auditing on a more
frequent basis. It is often made possible by technology
that can rapidly collect and analyze data. In fact,
continuous auditing is typically automated to provide
real-time or near real-time results.
Continuous auditing almost always uses an agent such
as a piece of software or a hardware sensor built into the
business process. The agent operates in real time, pulling
information or detecting something and sending the
results to a database or data warehouse where it is
stored, sorted, and normalized. Then the data is mined to
find relationships and draw conclusions. Applications
that are transaction-based use transaction logging to
feed into the database.
SOC Audits
A Service Organization Controls (SOC) audit is an audit
performed on a service organization (such as a cloud
service provider) by a third party who assesses the
internal controls of the service organization. These
internal controls may include IT controls, security
controls, or other systematic controls of the organization.
After the audit is completed, the third-party auditor
issues a report attesting to the service organization’s
internal controls. The service organization provides this
report to customers, partners, and regulators as an
attestation.
The SOC audit matured from the Statement of
Auditing Standards No. 70 (SAS 70) audit standard
developed by the American Institute of Certified Public
Accountants (AICPA). In 2010, the SAS 70 standard was
superseded by the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16) standard in
the United States and the International Standards for
Assurance Engagements No. 3402 (ISAE 3402) outside
the United States. In 2017, SSAE 16 was superseded by
SSAE 18.
There are three types of SOC audits and reports:
• SOC 1 Pertains to financial controls.
  • Type I A single point-in-time examination of
  service organization controls and design. Focuses
  on determining if controls are designed properly.
  • Type II An audit over a period of time (typically
  six months to one year). Expands the scope of
  Type I to include assessing control effectiveness.
• SOC 2 Pertains to trust services (security,
availability, confidentiality, process integrity, and
privacy).
  • Type I A single point-in-time examination of
  service organization controls and design. Focuses
  on determining if controls are designed properly.
  • Type II An audit over a period of time (typically
  six months to one year). Expands the scope of
  Type I to include assessing control effectiveness.
• SOC 3 Also pertains to trust services. SOC 3 is
similar to SOC 2 but goes into much less detail and
is primarily used as a marketing tool to provide to
customers.
FedRAMP Audits
The Federal Risk and Authorization Management
Program (FedRAMP) is a US federal government
program that provides a standard approach for
assessing, authorizing, and continuously monitoring
cloud-based products and services. In order for a cloud
service provider (CSP) to sell services to the US federal
government, the CSP must be FedRAMP authorized.
FedRAMP is essentially a cybersecurity approval process
for cloud-based products and services. As discussed in
Chapter 1, the Federal Information Security
Management Act (FISMA) requires that US federal
government agencies authorize the information systems
they use (the process used for this is the NIST RMF).
FedRAMP is essentially FISMA for the cloud. The goal is
to aid in the authorization process using a “do once, use
many times” approach so that each US federal agency
doesn’t need to conduct redundant security assessments.
A CSP becomes FedRAMP authorized by being
assessed by an accredited Third-Party Assessment
Organization (3PAO). The 3PAO assesses and certifies
the CSP’s controls. FedRAMP security baselines (low,
moderate, and high) are derived from the NIST SP 800-53
controls, with a set of control enhancements to
address the unique security requirements of cloud
services. FedRAMP documentation and information can
be found at https://www.fedramp.gov.
Industry-Specific Audits
Chapter 1 discussed many of the legal and regulatory
drivers that may affect a CISO’s organization. Many of
these drivers contain their own set of control and
auditing requirements that must be implemented for
compliance. These include but are not limited to
• PCI DSS for organizations accepting payment card
information
• HIPAA or HITECH for health care “covered
entities” under HIPAA
• FISMA for federal government
• GDPR for organizations collecting EU customer
data
CHAPTER REVIEW
Organizations perform risk management to understand
each asset’s importance to the business. Assets are first
categorized to determine the nature of each asset’s risk
and the sensitivity of the information stored, processed,
or transmitted. Organizations commonly use frameworks
that provide libraries of suggested controls for each
security category. Organizations use or tailor these
libraries to determine the set of security controls to apply
to a given asset. The organizations can then design the
implementation of the controls, implement and test
them, and then monitor the asset for ongoing
compliance throughout the asset’s life cycle.
Auditing is a formal process used to determine
compliance with regulatory requirements or an
organization’s internal policies, or both. Security
auditing is usually part of an organization’s overall
auditing program, which may, or may not, be under the
authority of the CISO. Traditional auditing is done
periodically using auditors that are independent of the
organization or department being audited. Alternatively,
some organizations use control self-assessments to
accomplish auditing. CSAs are performed regularly and
utilize the operations staff to perform the audit to
provide audit efficiency. Common security audits include
SOC audits, ISO/IEC 27001 certification audits,
FedRAMP audits, and other, industry-specific audits.
QUICK REVIEW
• A security control, also known as a safeguard or
countermeasure, is a mechanism put into place to
mitigate risk and protect the confidentiality,
integrity, and availability of information or an
information asset.
• Controls are selected by first categorizing an asset
based on risk and the asset’s value to the enterprise
and the impact of potential loss of confidentiality,
integrity, and/or availability of the asset.
• Controls are classified into three main groups:
  • Administrative controls, also known as soft controls, are management-oriented controls such as policies, procedures, guidelines, training, risk management, and employment practices (hiring, firing, and so on).
  • Technical controls, also referred to as logical controls, are hardware or software components that provide security control functionality.
  • Physical controls are tangible controls put in place to protect against threats in the realm of physical security.
• NIST defines a different set of classes:
  • Management controls focus on the management of risk and the management of information system security.
  • Operational controls are primarily implemented and executed by people (as opposed to systems).
  • Technical controls are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
• A control family is a grouping of controls in a
framework that typically address the same security
domain or function.
• Security functionality of controls describes what the controls do for the organization. Functionalities of controls include the following:
  • Preventive controls prevent or stop the occurrence of an adverse event or incident.
  • Detective controls discover, detect, or identify a potential adverse activity, event, intruder, or incident.
  • Deterrent controls deter or discourage a potential adversary from performing an attack or engaging in unwanted behavior.
  • Corrective controls correct adverse events that have occurred by fixing a system, process, or activity.
  • Directive controls are typically administrative controls that communicate expected behavior by specifying what actions are or are not permitted.
  • Recovery controls restore an environment or operations back to regular functionality. They are similar in function to corrective controls but are thought of as having advanced capability.
  • Compensating controls serve as an alternate or secondary control implementation to a primary control. These are often used when the primary control is not feasible to implement due to cost, complexity, or other business constraints.
• A control framework is a catalog of controls used to
provide a foundation to aid in the implementation
of a comprehensive information security program.
The three fundamental types of control frameworks
are process model, determinant, and evaluation.
• Common information security control frameworks include the following:
  • NIST SP 800-53
  • NIST Cybersecurity Framework
  • ISO/IEC 27001/27002
  • CIS Critical Security Controls/CIS Top 20
  • CSA Cloud Controls Matrix
• Security professionals select controls by following a
security control life cycle that typically includes risk
assessment, design, implementation, assessment,
and monitoring.
• Security auditing is a careful examination of the
security function to verify its correctness and
effectiveness and to identify any shortcomings.
• Audits may be performed by internal or external
entities or a combination of both.
• The audit charter defines the requirements for an
audit, while the engagement letter serves to define
the terms of the audit engagement, set proper
expectations, and prevent any misunderstandings.
• The audit universe describes all the business
processes and assets that are included in the audit.
• Audit planning is sometimes captured in two
documents: the audit strategy, which defines the
scope, timing, and direction of the audit, and the
audit plan, which defines the nature, timing, and
extent of the audit activities.
• A method for mitigating the risk of auditing errors
is to implement separation of duties using checks
and balances.
• Audit records should be properly secured, and
access to them should be tightly controlled so that
only authorized persons are permitted to see the
information.
• Commonly used auditing frameworks include NIST
SP 800-53A, ISO/IEC 27007, and ISO/IEC 27008.
• In sampling, instead of auditing an entire system or
department, a representative sample or subset of
the system is examined. There are two types of
sampling: statistical and nonstatistical.
• Evaluation evidence is data that is collected by the
auditor as the result of audit activities. The
evidence is then compared against requirements or
analyzed to determine compliance.
• Evaluation of audit results should take into account
the materiality of the findings. Materiality is the
concept that just because a test uncovers an error,
that does not necessarily mean a control objective
is not met. Thresholds should be established to
enable the assessment of control objectives; minor
errors may be permitted if they do not indicate the
failure of a control objective.
• In contrast to traditional audits, a control self-assessment is performed by operations staff of the organization.
• Continuous auditing is essentially auditing on a
more frequent basis and is typically automated to
provide real-time or near real-time results.
• The following are common types of audits a CISO may encounter:
  • An SOC audit is an audit performed on a service organization by a third party who assesses the internal controls of the service organization.
  • An ISO/IEC 27001 certification audit is a third-party assessment of an organization’s information security management system.
  • A FedRAMP assessment is a cybersecurity approval process for cloud-based products and services that support the US government.
  • Industry-specific audits include the following:
    • PCI DSS for organizations accepting payment card information
    • HIPAA or HITECH for health care “covered entities” under HIPAA
    • FISMA for federal government
    • GDPR for organizations collecting EU customer data
QUESTIONS
1. A security analyst is reviewing the security logs of
a web server for indicators of compromise. Which
of the following control functionalities is this an
example of?
A. Detective
B. Preventive
C. Recovery
D. Directive
2. The CISO is tasked with determining whether a
control is sufficient. Which of the following would
the CISO use to determine this?
A. Business drivers
B. Regulatory drivers
C. Assessment results
D. Determinant framework
3. A newly hired CISO is performing a physical
security review of the organization’s datacenter. In
the process of the assessment, the CISO
determines that the organization has implemented
server room door locks, fences, and bollards.
Which type of control do these controls represent?
A. Directive
B. Recovery
C. Preventive
D. Technical
4. Under the direction of the CISO, the security team
is implementing a preventive technical control to
address risks to an information system. At which
point in the control life cycle should the control be
tested?
A. Prior to implementation
B. Prior to implementation and regularly thereafter
C. After the risk assessment
D. After implementation
5. NIST SP 800-53 outlines management,
operational, and technical classes. Which of the
following NIST control families is an example of a
management control class?
A. Risk Assessment
B. Awareness and Training
C. Physical and Environmental Protection
D. Personnel Security
6. The CISO of an organization is looking for an
impartial assessment of the information security
program. Which of the following would provide
the most impartial assessment?
A. Internal audit
B. Control self-assessment
C. External audit
D. Financial audit
7. Which of the following steps must be completed
before the others in the audit planning process?
A. Set scope and objectives
B. Develop strategy
C. Designate resources
D. Understand the business
8. Which of the following includes the processes,
assets, entities, users, and resources that are in
scope for an audit?
A. Engagement letter
B. Audit review
C. Audit universe
D. Audit checklist
9. The CISO is writing an organization security
policy. This is an example of which of the following
control types?
A. Administrative
B. Technical
C. Physical
D. Detective
10. An organization has fallen victim to an attack
that altered the e-commerce web page on its
website so that customers can no longer use it to
make a purchase. This has impacted which
security fundamental(s)?
A. Both integrity and availability
B. Availability
C. Integrity
D. Neither integrity nor availability
ANSWERS
1. A. Reviewing security logs of a system for
indicators of compromise is an example of a
detective control, as this type of control is used to
identify potential adverse events or activity.
Preventive controls stop the occurrence of an
adverse event, recovery controls restore an
environment to regular functionality, and directive
controls communicate expected behavior.
2. C. The CISO would use assessment results to
determine if a control is meeting its planned
purpose and operating as intended. Business
drivers and regulatory drivers would serve as the
foundation for security strategy and may assist in
deciding on a determinant framework and be used
as criteria for assessment, but they would not be
used to assess control sufficiency.
3. C. Server room door locks, fences, and bollards
are examples of preventive controls because they
serve to prevent the occurrence of an adverse
event. Directive controls communicate expected
behavior, and recovery controls restore an
environment to regular functionality. The controls
listed are examples of physical controls, not
technical controls.
4. B. Controls should be tested, as part of the control
life cycle, prior to implementation and should be
tested regularly thereafter at an organization-defined
interval. While the assessment phase of
the life cycle occurs after the implementation
phase, this does not negate the need to test as part
of the design process prior to implementation. The
assessment phase of the life cycle is an ongoing
phase that ensures the control is continuously
assessed.
5. A. The Risk Assessment control family is
considered a management control class.
Awareness and Training, Physical and
Environmental Protection, and Personnel Security
are considered operational control classes.
6. C. An external audit would provide the most
impartial assessment of the security program.
Internal audits and control self-assessments are
performed by internal staff, who may be
influenced by their close association with the
organization and tend to be less impartial. A
financial audit does not address the impartiality
requirement of the question.
7. D. The first step in audit planning is to
understand the business. The other steps in the
audit planning process cannot be completed
without an understanding of the business.
8. C. The audit universe describes all the business
processes and assets that are included in the audit.
The audit universe defines everything that is in
scope of the audit.
9. A. Developing an organizational security policy is
an example of an administrative control.
Administrative controls are management-oriented
controls such as policies, procedures, guidelines,
and training. Technical controls, also referred to as
logical controls, are hardware or software
components that provide security control
functionality. Physical controls are tangible
controls put in place to protect against threats in
the realm of physical security. Detective controls
discover, detect, or identify a potential adverse
activity, event, intruder, or incident.
10. A. Both integrity and availability have been
impacted, as the e-commerce site has been altered
(which impacts integrity) and the site is no longer
accessible for the customers (which impacts
availability).
CHAPTER 3
Security Program Management and Operations
This chapter discusses the following topics:
SECURITY PROGRAM MANAGEMENT
Chapter 1 introduced the components that make up a
typical security program. To review, a synopsis of the
components follows (see Figure 3-1):
• Well planned
• Performed in accordance with a plan
• Measured against criteria for success
• Continuously improved to address any
shortcomings and get better over time
Plan
Ongoing streams of work should be well planned, both
individually and together, as a coordinated portfolio of
activities. The CISO should build a roadmap for
accomplishing these activities based on priorities
established from performing the governance and risk
analysis activities described in Chapter 1. The roadmap
should be reflected in a document such as a security
charter or security program plan. The roadmap reflects
both short-term and long-term plans and should be
updated on at least an annual basis.
Planning should reflect areas of emphasis based on
the organization’s business, stakeholder needs, or the
results of security audits or assessments. For instance, if
a vulnerability assessment indicates the organization has
many unpatched systems, the organization may need to
give its patch management program a higher priority in
the short term. Plans should be updated frequently based
on real needs of the organization.
Planning streams of work includes scoping the
resources needed to accomplish the activities that
comprise the security program. Resources may include
the following:
Do
Based on the plans described in the previous section, the
streams of work proceed with activities to meet the
defined goals. All activities should follow the processes
and procedures identified or defined in the plans. Each
stream of work is staffed with a stream owner or stream
manager, who may be the CISO or a designated
manager or supervisor.
The security organization under the direction of the
CISO should develop and refine an operating (or
operational) rhythm, which refers to communications,
usually reports and meetings, that occur on a regular
basis but do not adversely impact the operational flow of
the stream of work or other activity. Meetings are needed
to enable team members to communicate and
collaborate, resolve problems, report status, and discuss
improvements. Reporting is needed to provide data and
metrics to management and decision-makers. These
communications must occur on a regular cadence and in
a defined and repeatable manner. The security
organizations that tend to perform the best are those that
understand the value of an optimal operational rhythm
and adjust their programs accordingly.
Stream activities should be accomplished with self-awareness. This means that everyone working on the stream should know not only what they are doing and how it fits with what everybody else is doing, but also how well the stream is performing against its goals. Streams that fail tend to be ones in which the only person who knows what is really going on is the boss. Successful streams are enabled when everyone has a stake in the outcome and knows how they can contribute to the stream’s success.
The stream of work staff should document everything,
including plans, procedures, guidelines, reports, and
metrics. To create a living library of useful information,
stream of work data should be stored in a document
repository. These documents, while important to the
organization, also contain information about the
organization’s security vulnerabilities and weaknesses.
Therefore, access to stream of work documents and data
should be available only to those people with a need to
know.
Security Liaisons
To be successful, security activities, including streams of work, must be performed in close collaboration with the other groups and personnel in the organization. Therefore, the security team needs to build a security relationship with other organizations. Many security groups use security liaisons, members of the security team who conduct outreach to the rest of the organization. Security liaisons provide two-way communication: they carry security messaging, expertise, and advice outward to spread the word about information security practices, including what the organization is doing to improve security, and they act as the eyes and ears of the CISO, listening to what employees think and feel about security policies, practices, and initiatives. We all know that people are the weakest link in information security. Security liaisons can help to improve the security culture of the organization and, in turn, reduce security incidents.
Check
How does a CISO determine if the streams of work are
working? They must be measured against criteria for
success. Every stream of work should have a clear set of
goals along with metrics to measure how well those goals
are being met. Stream of work planning includes
establishing how success is measured and reported.
However, the PDCA check phase involves more than just
performance metrics against the primary goals of the
activity. It also includes ways to assess all aspects of the
activity. This may include measuring things like
accuracy, usefulness, suitability, resiliency, or
adaptability. The CISO should always be looking for ways
to measure and understand how well each aspect of the
security program is performing.
Some indicators of performance are measured daily,
such as monitoring logs and detecting alerts. Other
indicators are measured as part of assessments or audit
actions. As explained in Chapter 2, security auditing is
usually accomplished as part of a larger auditing
program, but these audits can be used as a tool to assess
stream of work performance. However, there may also be
other measures outside of the auditing program. Many
organizations use a security dashboard to show the
status of stream activity, such as statistics on tickets from
the security monitoring function or patched/unpatched
systems from the patch management stream.
Assessments should be part of the operational
rhythm, which, as previously described, is a cadence of
communication reporting that includes measures of how
well streams are performing.
Act
The purpose of the act phase is to maintain the quality of
the security functions (streams) and to seek ways to
improve them. This is accomplished by reviewing and
analyzing the results and data from the check phase. The
results are compared with the defined goals and
objectives of each stream of work. Shortcomings and
gaps are then scoped for remediation.
Some organizations formalize the remediation process
using a Plan of Actions & Milestones (POA&M) or a
Corrective Action Plan (CAP). These terms are from
FISMA and the various guides and publications that
support FISMA; however, they are also used generically
to describe methods for capturing, tracking, and
communicating security remediation activities. POA&Ms
and CAPs are created on a system-by-system basis to
track resolution of issues uncovered during security
testing as part of the Risk Management Framework
(RMF) process, but they can also be used to support
resolution of deficiencies or needed improvements in
security streams of work. The POA&M is a plan that
describes the course of treatment to resolve deficiencies.
It contains a CAP that describes exactly what will be
done (or has been done) to resolve the deficiencies.
Part of the act phase of the PDCA cycle includes
looking at the aggregation of results across the streams
of work to uncover trends and determine root causes.
The activities performed during the act phase include
tracking the actions undertaken to address gaps, resolve
root causes, and implement improvements. If the
tracking data is stored in a database, the organization
will have a repository and living record of how well the
streams are performing and improving over time.
ASSET SECURITY MANAGEMENT
Chapter 1 discussed security categorization and risk
mitigation of assets. Chapter 4 describes the core
competency of asset security along with other core
competencies. The security management of assets is
discussed in this section and illustrated in Figure 3-3.
SECURITY PROJECTS
Security projects are activities within the security
program that have a beginning and an end. Whereas
streams of work are continuous, security projects have
an end in mind, and when the end is achieved, the
project is over. The list of active security projects for an
organization is ever changing. Each year new security
projects are needed as older ones are completed.
Example projects that may be part of a security program
include the following:
• Acquiring and implementing a vulnerability
scanning tool
• Performing a network security architecture review
• Developing a security tool
• Deploying an incident response capability
• Designing physical security controls for a
datacenter
• Performing a risk assessment of a service provider
• Developing software development security
standards
• Aligning security practices with an industry
framework (for example, ISO/IEC 27001, NIST SP
800-53, and so on)
PROJECT MANAGEMENT
Project management is the lowest level in the
management hierarchy (portfolio, program, and project).
The goal of project management is to ensure that every
project achieves the desired outcome on time and within
budget. Project management includes identifying and
controlling resources, measuring progress, and adjusting
the plan as needed as progress is made. The CISO may
directly serve as the project manager for some or all
security projects, or the CISO may delegate others to
serve as project managers. In either case, the CISO
should be familiar with project management principles
and techniques.
It is important to apply good project management
practices to projects of all sizes. Some organizations
focus project management efforts on large projects and
tend to neglect small projects. These small projects can
end up costing the organization significant time and
resources if they are not properly managed. Project
management may not be formalized for all projects. The
extent of formalization may be governed by project size
or importance; however, good project management
principles should be applied to all projects. This
includes, at a minimum, identifying the scope,
developing criteria for measuring success, monitoring
and controlling resources, and documenting these items
in a plan. This section discusses some of the fundamental
tenets of project management and provides a
walkthrough of the project management process.
PROJECT MANAGEMENT FUNDAMENTALS
Similar to the CIA triad (confidentiality, integrity, and
availability) of information security, project management
also has a triad, composed of the following elements:
AXELOS
AXELOS is a global best practice organization that
provides certification and training in a variety of subject
areas, including project management, IT service
management, and cybersecurity. The AXELOS
certification tracks include the following:
INITIATING
Before a project can begin, up-front work must be
completed in the initiating phase. First, a business need
or problem must be identified, and a potential solution
discussed. Depending on the feasibility of the solution,
this may warrant the creation of a project. The key
initiatives that take place in the initiating phase include
the following:
• Collect requirements
• Define the project scope
• Identify and interview stakeholders
• Define assumptions and constraints
• Establish the general project budget and timeline
• Develop the project scope document
Collect Requirements
Every project must have a set of requirements, a
collection of capabilities or items that are required in the
final deliverable to meet the project objectives. The
requirements provide the foundation for defining the
project scope. The work required in collecting the
requirements can vary. In some cases, the requirements
are provided by the customer or defined prior to the
beginning of the project. Other times the requirements
are developed as part of the project. The requirements
that are provided may vary in detail, and additional
information gathering sessions may be required to create
clear and complete requirements.
• Scope definitions
• Stakeholder inputs
• Assumptions and constraints
• Budget and time frame
• Initial schedule and resources
NOTE Not all projects use an SDLC within the project processes. For
example, if a CISO is managing a project to map the company’s security
controls to NIST SP 800-53, the CISO may follow the project processes
(initiating, planning, executing, monitoring and controlling, and closing) but
most likely would not use an SDLC, because no system, product, or service is
being developed. However, if the project includes developing and
implementing new controls, such as security tools, systems, or applications,
the CISO might choose to incorporate an SDLC within the project processes.
• Internal resources
  • Select and assign resources to each WBS element
  • Tailor the WBS to the resources that are available
  • May require new hires or new training of staff
  • May require acquisition of hardware and software
• External resources
  • Conduct competitive selection process if time/resources allow
  • Establish contracts and statements of work (SOWs)
  • Define deliverables, milestones, and obligations
  • Establish service-level agreements (SLAs)
Responsibility Matrix
A responsibility matrix can be used to demarcate
responsibilities for each activity or task involved in
meeting project deliverables. The responsibility matrix
is often known as a RACI chart, with the acronym
representing the following:
• Responsible Individuals responsible for
completing specific project tasks or activities
• Accountable Typically implies management of
an activity or task
• Consulted Individuals whose opinions are
consulted regarding specific activities or tasks,
typically subject matter experts (SMEs)
• Informed Individuals informed on progression
of specific tasks or activities
Figure 3-12 shows an example of a high-level RACI
chart.
Figure 3-12 RACI chart representation
Quality Management
Project quality management is the practice of ensuring
that all project activities meet a defined level of
excellence. It involves defining quality standards and
putting processes in place to ensure the standards are
applied correctly on the project. A quality management
system (QMS) is a collection of processes and activities
intended to ensure desired levels of quality are met. The
QMS incorporates quality assurance and quality control
practices, as illustrated in Figure 3-13. These terms are
sometimes used interchangeably in discussions of quality
management, but there are some key differences:
Figure 3-13 Quality management concepts
CLOSING
The last phase of the project is project closing. The
closing phase includes the following activities:
CHAPTER REVIEW
The CISO is responsible for managing the information
security program of the organization. The key aspects of
a security program include security areas of focus
(internal and external drivers that impact how the
streams of work and security projects are carried out,
such as PCI DSS, HIPAA, and internal policies and
requirements); security streams of work (subprograms
such as the vulnerability management program, incident
response program, and risk management program),
often managed using the PDCA approach; security
project management; asset and data security
management; and security program budget and resource
management. Managing these elements in a cohesive
and coordinated manner is not simple and requires a
thoughtful approach.
Project management is a critical skill for the CISO to
master. Although the CISO typically is not the project
manager for every security project, the CISO must
oversee and be accountable for the projects being
undertaken within the information security program.
The triad for project management includes scope,
schedule, and budget. If one of these components
changes, the other two components usually are affected.
Projects follow a project management model, which
typically includes initiating, planning, executing,
monitoring and controlling, and closing processes.
QUICK REVIEW
• Security program management is focused on
overseeing and managing security areas of focus,
security streams of work, security projects, asset
and data security, and security program budget and
resources.
• Security areas of focus are internal and external
organizational drivers that impact how the streams
of work and security projects are carried out, such
as PCI DSS, HIPAA, and internal policies and
requirements.
• Security streams of work (aka subprograms) of the
information security program are activities that are
ongoing and do not have a beginning, middle, and
end, such as identity and access management,
vulnerability management, and incident
management.
• The triad for project management includes scope,
schedule, and budget.
• The traditional project management model is made
up of the following processes: initiating, planning,
executing, monitoring and controlling, and closing.
• The scope of a project defines the boundary of the
project. It is the work that is required to fulfill the
customer requirements.
• Scope creep is uncontrolled growth in a project’s
scope due to the addition of requirements, desires,
or targets.
• The systems development life cycle (SDLC) refers
to the phases within the project that are associated
with the development of a system, software,
service, or product. The SDLC typically occurs
within the planning and executing processes of the
project management model.
• SDLC models include waterfall, iterative,
incremental, and agile.
• A work breakdown structure (WBS) is a
hierarchical decomposition of the work to be
performed by the project team to accomplish and
deliver against the project goals. It is a project
management tool used to break down the project
into organized individual work elements (tasks,
subtasks, and deliverables).
• The critical path of a project is the series of events
or activities that, if changed, would change the
overall end date of the project.
• A Gantt chart illustrates a project schedule and
shows the dependencies of tasks.
• A responsibility assignment matrix or RACI chart
can be used to demarcate responsibilities for each
activity or task involved in meeting project
deliverables. RACI is an acronym for responsible,
accountable, consulted, and informed.
• Configuration management focuses on the
requirements, specifications, and standard
configurations of the product or deliverable.
• Change management focuses on identifying,
tracking, monitoring, and controlling changes to
the project plan and baseline.
• Six Sigma is a process improvement methodology
focused on improving process quality by using
statistical methods of measuring operational
efficiency and reducing variation, defects, and
waste.
• The ISO 9000 family of standards is focused on
various aspects of quality management and
implementing quality management systems
(QMSs).
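The critical path and slack concepts summarized above can be computed mechanically from a WBS with task durations and dependencies. The following is an added worked example (not code from the book); the task names, durations, and dependencies describe a hypothetical network-redesign project and are constructed for illustration. It runs a forward pass (earliest start/finish), a backward pass (latest start/finish), and reports the tasks with zero slack, which together form the critical path.

```python
"""Critical path method (CPM) over a small constructed WBS fragment."""
from collections import deque

# Constructed WBS fragment for a hypothetical network-redesign project:
# task -> (duration in days, list of predecessor tasks)
PROJECT = {
    "requirements": (5, []),
    "design": (10, ["requirements"]),
    "procure_hardware": (15, ["requirements"]),
    "build_pilot": (7, ["design"]),
    "install": (6, ["procure_hardware", "build_pilot"]),
    "security_test": (4, ["install"]),
    "cutover": (2, ["security_test"]),
}


def topological_order(tasks):
    """Kahn's algorithm; raises ValueError if the dependencies contain a cycle."""
    indegree = {t: len(deps) for t, (_, deps) in tasks.items()}
    successors = {t: [] for t in tasks}
    for t, (_, deps) in tasks.items():
        for d in deps:
            successors[d].append(t)
    queue = deque(t for t, n in indegree.items() if n == 0)
    order = []
    while queue:
        t = queue.popleft()
        order.append(t)
        for s in successors[t]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in WBS")
    return order, successors


def critical_path(tasks):
    """Return (project_duration, critical_tasks_in_order, slack_by_task).

    A task is critical when its slack (latest start minus earliest start) is
    zero: delaying it by one day delays the project end date by one day.
    """
    order, successors = topological_order(tasks)
    early_start, early_finish = {}, {}
    for t in order:                      # forward pass
        dur, deps = tasks[t]
        early_start[t] = max((early_finish[d] for d in deps), default=0)
        early_finish[t] = early_start[t] + dur
    project_end = max(early_finish.values())
    late_start, late_finish = {}, {}
    for t in reversed(order):            # backward pass
        dur, _ = tasks[t]
        late_finish[t] = min((late_start[s] for s in successors[t]),
                             default=project_end)
        late_start[t] = late_finish[t] - dur
    slack = {t: late_start[t] - early_start[t] for t in order}
    critical = [t for t in order if slack[t] == 0]
    return project_end, critical, slack


if __name__ == "__main__":
    end, critical, slack = critical_path(PROJECT)
    print(f"project duration: {end} days")
    print("critical path:", " -> ".join(critical))
    for task, days in slack.items():
        print(f"  {task:18s} slack {days} days")
```

With these constructed numbers, hardware procurement has two days of slack, so a short procurement delay does not move the end date, whereas a delay of any length in design, the pilot build, installation, or security testing does. This is the distinction the quick-review bullet on the critical path describes.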
QUESTIONS
1. Which of the following activities is an example of a
subprogram or stream of work?
A. Conduct network monitoring
B. Deploy an intrusion detection system
C. Build an identity management system
D. Conduct a penetration test
2. When creating an information security budget,
which of the following is the least important factor
to consider?
A. What your boss’s perception is about security
B. Ensuring the budget grows each year so the
security department can continue to grow
C. The costs of labor to staff all the streams of work
D. How much the organization spent on security last
year
3. Which of the following is not a good approach to
use to build a strong security team?
A. Provide career paths for employees
B. Select people based on character, not just
technical skills
C. Limit employee training so that employees do not
increase their skills and decide to leave the
company
D. Provide an environment that encourages
communication and collaboration
4. What is essential to determining how well a
security subprogram is performing?
A. Use the “two-person rule” whenever possible
B. Establish criteria for success and measure the
activity against it
C. Bring in outside experts to review the activity
D. Interview the subprogram staff
5. Which of the following statements regarding
project management is the most accurate?
A. Project management is only important for small
projects.
B. Project management is important for large
projects, while program management is important
for ongoing projects.
C. Project management is only important for large
projects.
D. Project management is important for projects of
all sizes.
6. Which of the following terms describes the
uncontrolled growth of a project’s requirements?
A. Stakeholder input
B. Scope creep
C. Definitions creep
D. Organic growth
7. Which of the following best describes the critical
path in project management?
A. Activities that, if changed, will change the end
date of the project
B. Activities that will change the end date of the
project
C. Activities that are critical to the project
D. Activities that are not critical to the project
8. A CISO reviewing current security projects
determines that the security project manager for a
network redesign did not use the approved WBS.
What is this an example of?
A. Scope creep
B. Waterfall method
C. Alternate WBS
D. Not following the plan
9. Which of the following activities should occur
during project closeout?
A. Conduct lessons learned
B. Outline the scope
C. Requirements gathering
D. Continue billing to the project
10. Which of the following is the main difference
between a program and a project?
A. There is no difference.
B. A program consists of projects, and a project
consists of activities.
C. Unlike a program, a project has no end.
D. A program may consist of many projects, while a
project consists of only one project.
ANSWERS
1. A. An information security program includes
streams of work (aka subprograms) that continue
throughout the life of the organization.
Conducting network monitoring is an ongoing
activity that continues for the life of the
organization and security program. Building
systems and deploying systems are most often
projects rather than ongoing subprograms or
streams of work. Penetration tests have a defined
end to the activity.
2. B. It is a good idea to start the information
security budget process by looking at what was
spent the previous year, include all labor costs,
and present the budget to management in terms
they can understand. The desire to expand the
security staff should not be a factor in defining the
security budget.
3. C. The organization should not limit employee
training for fear that employees may leave the
company. That is always a risk, but if the
employees aren’t properly trained, the
organization won’t be able to build a strong team.
Providing career paths, choosing people based on
character, and encouraging communication are all
good things to do.
4. B. Although interviewing the subprogram staff is
always a good idea, the most essential way to
determine how well a security subprogram is
performing is to establish criteria for success and
measure against those criteria.
5. D. Although a project may seem trivial, project
management is critical for projects of all sizes, not
only larger projects.
6. B. Scope creep describes the uncontrolled growth
of a project’s scope.
7. A. The critical path of a project is the series of
events or activities that, if changed, would change
the end date of the project. If any of the activities
in the critical path is delayed, the end date of the
overall project delivery is impacted.
8. D. The security project manager not using the
approved work breakdown structure (WBS) is an
example of an employee not following the
approved plan. Scope creep is when the scope
increases during the project, and waterfall is a type
of software development methodology. Alternate
WBS is an incorrect option intended as a
distractor.
9. A. The lessons learned component of project
closeout is often overlooked. This is a critical
activity to learn from past mistakes and improve
future projects.
10. D. A program may consist of multiple projects,
while a project is self-contained.
CHAPTER 4
Information Security Core
Competencies
This chapter discusses the following topics:
NOTE Some of these core competencies may not fall under the CISO’s area
of responsibility in some organizations. For example, not all CISOs are
responsible for physical security of the organization or for business
continuity planning. These areas may be the responsibility of other leaders or
may be shared with other departments.
1. Reconnaissance
2. Enumeration
3. Exploitation
4. Action on objectives
• Malware
• Scripting and vulnerability-specific attacks
EXAM TIP The CCISO exam may not contain questions about specific types
of attacks. However, we included this section because every CISO should
have a good understanding of how attacks are planned and executed in order
to be able to appropriately defend against them.
MALWARE
Malware, a contraction of malicious software, is any
software designed to infiltrate computer systems and gain
unauthorized access to them in order to cause damage or
disruption. Attackers use malware to compromise systems
and carry out their objectives. Common types of malware
include the following:
• Viruses
• Trojans
• Worms
• Botnets
• Ransomware
• Rootkits
Viruses
A virus is a program or segment of code that infects a
legitimate program to carry out its malicious job. Viruses
use other programs as vehicles to deliver their payload or
reproduce themselves. The payload is the portion of the
virus that carries out the malicious activity, such as
deleting, exfiltrating, or encrypting data, modifying files,
or sending spam. Here are a few common types of
viruses:
Ransomware
Ransomware is a particularly insidious type of malware
that forces its victim to choose between paying a ransom
or losing valuable assets. Ransomware is delivered
through any of the usual mechanisms: phishing e-mails,
social engineering tricks, or by exploiting known
vulnerabilities in operating systems or other programs.
Once the ransomware infects a system, it usually
encrypts files and notifies the user that unless a ransom
is paid, usually with bitcoins or other difficult-to-trace
transaction methods, the data will remain encrypted and
lost to the user and their organization.
Variants of a ransomware attack include threatening
to reveal sensitive information or pornographic material
(which may have been stored by the victim on their
system or placed there by the attacker). But all
ransomware presents the organization with a dilemma:
pay the ransom or something bad will happen.
Paying a ransom doesn’t always mean the user or
organization will get their assets back. After all, they are
dealing with criminals. However, sometimes when the
ransom is paid, the cybercriminals follow through on
their promise to provide decryption keys or otherwise
help the victim recover from the attack. This is because
the cybercriminals want to be able to continue their
operation, and its success is more likely if future victims
know that the criminals will do what they promised if the
ransom is paid. In fact, some cybercriminal
organizations have “call centers” that help their victims
make payments and decrypt their data.
Ransomware puts the organization in a difficult
position in which it must weigh the impacts of two very
bad options: pay the ransom or lose the assets. The CISO
is right in the middle of this decision. Like all responses
to security breaches, the response to ransomware attacks
should be well planned and practiced. The time to decide
how to respond to such a crisis is not while it is
happening, as the intensity of the situation can cloud the
judgment of even the coolest leaders. The organization
should plan ahead of time by understanding the value of
various information assets and how much ransom the
organization might be willing to pay in the event of an
attack. Ransomware planning should also include when
to involve law enforcement as part of the incident
response. Ransomware planning also includes having a
good BCP/DR plan and associated measures to be able to
restore lost data and recover from an attack.
Ransomware Examples
• SamSam This is “ransomware-as-a-service”
whereby an organization of cybercriminals
exploits targets and sells the compromised
targets to other cybercriminals that try to further
exploit the victims for ransom. It is estimated
that SamSam has been responsible for over
$30M in losses by US firms.
• Zeppelin This ransomware avoids systems
running in Russia, Kazakhstan, Ukraine, and
Belarus. It has been deployed in many ways,
including through exploited managed security
service providers (MSSPs).
• Ryuk Ryuk was widely prevalent in 2018 and
2019 and was used in conjunction with relatively
high demands for payment by the criminals. One
feature of Ryuk is that it disables the Windows
System Restore feature, thereby preventing the
victim organization from going back to an earlier,
noninfected point in time in an attempt to
recover from the attack without paying a ransom.
• PureLocker This is malware that is installed by
taking advantage of backdoors installed by other
malware programs. It targets Windows or Linux
systems that are high-value assets such as
enterprise servers and, as a result, these attacks
usually involve high ransom demands.
Rootkits
Rootkits are tools that enable and maintain privileged
access to an operating system. Rootkits are not always
malicious (they can have legitimate uses), but this
discussion covers only rootkits that carry malicious code.
Rootkits, like other malware, must be delivered to the
target in some manner. Therefore, a rootkit is always
combined with some other type of exploit in order to get
the rootkit installed. Once installed, the rootkit can hide
itself from detection. Rootkits can be difficult or
impossible to detect, especially when they reside inside
the kernel. Sometimes removal can be accomplished only
by reinstalling the operating system or even replacing
hardware in cases where the rootkit has impacted
firmware or caused damage to electronics.
There are many kinds of rootkits, but most fall into
one of two categories: kernel mode or user mode. These
refer to the privilege modes of an operating system such
as Windows: the core OS runs in kernel mode, and
applications run in user mode.
Kernel-mode rootkits operate at the kernel level by
adding code or replacing parts of the core operating
system. The modification of the core OS is accomplished
by using modified OS features, such as Windows device
drivers or Linux loadable kernel modules (LKMs).
Because these types of rootkits modify the core OS, they
are difficult to write and can seriously damage system
operation. Since these rootkits operate at the system’s
highest security level, they can subvert security controls
and hide from detection.
User-mode rootkits modify or replace applications
such as system libraries instead of modifying the low-
level core like a kernel-mode rootkit. For instance, the
rootkit may inject a dynamic link library (DLL) into a
process that forces an application to invoke unauthorized
functions that the attacker desires.
Buffer Overflows
When a program is expecting input, either from another
program or from a user entering text into a field, it stores
that data in a buffer, or area of memory. The program
usually expects the data to be of a given size and
therefore creates a buffer of the right size to accept the
expected data. If the data received is greater in size than
the size of the buffer, the extra data overflows into other
buffers or areas of memory, which can cause erroneous
operation. Cyberattackers craft attacks to take advantage
of programs that do not perform proper checking of
input data and are therefore vulnerable to buffer
overflow attacks.
When a buffer overflow occurs, the data that exceeds
the size of the buffer overflows into adjacent areas of
memory. If that memory is another buffer, the data can
corrupt the operation of the program that uses it. In
some cases, the overflowed data is executed by the
system as if it were a command or even an executable
program. Buffer overflows can be used for denial-of-
service attacks but more often are used to force a system
to execute commands without the correct authorization.
Often the attacker injects into the buffer malicious code
that will be executed on the attacker’s behalf but under
the context of the program that is currently executing.
This can lead to the attacker taking control of the system
and escalating privileges, resulting in major security
breaches.
Buffer overflows can be prevented during the
development phase of software engineering by
implementing proper input checking to ensure that only
the right type and size of data is accepted by the program.
Buffer overflows can also be mitigated by preventing data
from being written to certain areas of memory, thus
minimizing the potential impact of an overflow. One
common approach is simply to write programs in a
language that performs automatic bounds checking, such
as Java.
Backdoors
A backdoor is not a specific type of attack but rather a
feature of many different kinds of attacks. Backdoor is a
broad term used to describe any method whereby an
unauthorized user can bypass security controls to gain
access to a system or program. Backdoors can be present
when a system or program is not designed or coded
correctly, or they can be created by a cybercriminal using
malware. The backdoor facilitates communication
between an infected or compromised system and an
unauthorized system or user.
Cross-Site Scripting
Cross-site scripting (XSS) is a type of attack whereby the
attacker injects a malicious script into a website that is
trusted by the intended victim(s) of the attack. Then,
when an unsuspecting victim visits the site, the script is
executed by the victim’s browser. Such scripts can access
the victim’s cookies, tokens, or other sensitive
information. XSS attacks take advantage of a trust
relationship between a web page and a browser.
Generally, there are two types of XSS: persistent (or
stored) and nonpersistent (or reflected).
A persistent XSS attack occurs when the malicious
script is stored on the target server. Attackers typically
use websites that allow them to enter information which
is stored and then presented to other users who become
the victims. Examples are message boards, forums, or
other social media sites such as dating sites. The attacker
may post legitimate information for the victim to see
alongside a script that is hidden to the victim but is
executed by the victim’s browser to carry out the attack.
A nonpersistent XSS attack occurs when the malicious
script is reflected back to the victim’s browser. One
example is where a user receives a malicious e-mail
message that entices the victim to click a link. The e-mail
not only contains the link to a web server but also
contains the malicious script that is reflected by the
server to the victim’s browser. The browser then executes
the script, carrying out the malicious activity.
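The persistent (stored) XSS case described above comes down to how a web application renders text that a user supplied. The following is an added example, not code from the book: it renders a constructed forum post two ways, once by interpolating the raw text into HTML (the defect) and once with output encoding for the HTML text context (the fix), and it adds a scheme allowlist for links, because encoding alone does not stop a javascript: URL placed in an href attribute. The post body, the helper names, and the sample URLs are all constructed for illustration; the embedded script is a harmless alert.

```python
"""Rendering untrusted user content with and without output encoding."""
import html
from urllib.parse import urlsplit

# Constructed forum post: legitimate-looking text followed by a script the
# attacker hopes every later visitor's browser will execute.
UNTRUSTED_POST = "Great article! <script>alert(document.cookie)</script>"


def render_post_vulnerable(post_body):
    """Interpolates the raw body into the page: any tags in it become live markup."""
    return f"<div class='post'>{post_body}</div>"


def render_post_safe(post_body):
    """Encodes the body for an HTML text context, so tags display as literal text."""
    return f"<div class='post'>{html.escape(post_body, quote=True)}</div>"


def safe_href(url):
    """Attribute context needs quote encoding AND a scheme allowlist.

    html.escape would leave 'javascript:alert(1)' intact, and a browser will
    happily run it from an href, so anything that is not http(s) is neutralised.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def contains_live_script(rendered_html):
    """Cheap regression check for templates: did a <script> tag survive rendering?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_post_vulnerable(UNTRUSTED_POST))
    print("safe:      ", render_post_safe(UNTRUSTED_POST))
    print("link:      ", safe_href("javascript:alert(1)"))
```

Modern template engines escape by default, which is the equivalent of render_post_safe; the vulnerable shape typically reappears when a developer marks content as "safe" or builds HTML by string concatenation. A check like contains_live_script in a test suite, fed with a few constructed payloads, catches that regression before it reaches users.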
SQL Injection
Many times the data that a user enters into a form on a
web page is sent by the web server to a database such as
one that uses Structured Query Language (SQL). If the
web server software does not properly check the data
input by the user, it could allow an attacker to put SQL
commands in the field, which are then executed by the
SQL database. Such an attack may be used to take
control of the database, escalate privileges, and modify
or exfiltrate data from the database without the proper
authorization.
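The defect the paragraph describes is that the user's form field becomes part of the SQL statement's text instead of being treated as a value. The following is an added example (not code from the book) showing the two shapes side by side against an in-memory SQLite table with constructed rows: a lookup built by string concatenation, where a crafted username changes the WHERE clause so that every row matches, and the same lookup with a bound parameter, where the identical input is compared literally and matches nothing. The table, rows, and input are constructed for illustration.

```python
"""User lookup built by concatenation versus with a bound parameter."""
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement from the form field: the field can alter the query logic."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Passes the field as a bound parameter: the database treats it purely as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed input: closes the string literal and appends an always-true
# condition, the textbook pattern the paragraph refers to.
INJECTED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, INJECTED_INPUT))
    print("safe:      ", find_user_safe(conn, INJECTED_INPUT))
```

The safe version is not "input validation" in the sense of rejecting quote characters; it works because the query text and the data travel to the database separately, so no value can change the statement's structure. Validation of type and length is still worthwhile, but parameterized queries (or an ORM that uses them) are the control that actually closes this class of defect.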
SOCIAL ENGINEERING
Today’s cybercriminals know that people are the weakest
link in information security and thus craft their attacks
accordingly using social engineering. The term social
engineering refers to the use of deception to trick
someone into doing something that may not be in their
best interest. Social engineering has been used by scam
artists for years and now is an integral part of
cyberattacks. The bad guys figured out long ago that it is
easier to trick someone into revealing their password
than it is to break into a system using technical means.
To combat this requires a cyber defense program that
focuses on defending against the things humans do that
result in security breaches. This section covers the
following topics:
• Types of social engineering attacks
• Why employees are susceptible to social
engineering
• Social engineering defenses
Pretexting
Pretexting refers to using a fake scenario to deceive
someone. Many people have heard of the Nigerian prince
scam, where a criminal tells a victim that he is a Nigerian
prince who is due a large sum of money but is unable to
receive it unless he can use the victim’s bank account to
do so. The scammer convinces the victim to let the
“prince” use the victim’s bank account with the promise
of paying the victim a fee. Of course, once the victim
gives the scammer access to his bank account, the
scammer steals his money. This is a non-cyber example
of pretexting. Pretexting is now used in the cyberworld.
Here are a few examples:
• A user receives a call from “Tech Support” telling
them that their computer has a virus and that the
technician needs remote access to their computer
to “fix” the problem. The attacker convinces the
victim to provide remote access or to share their
login credentials. Of course, the caller is not from
Tech Support.
• A company CFO gets an e-mail from the “CEO”
telling him to transfer a large sum of money to a
new vendor’s bank account. The CFO follows the
CEO’s instructions, only to find out later that the e-
mail came not from the CEO but from a
cyberattacker, by which time the transfer to the
foreign bank account has taken place. This attack
happened recently to a large US manufacturer,
resulting in the loss of millions of dollars.
• A user receives an e-mail from their bank telling
them their password has expired and they should
click a link to change it. The e-mail looks legitimate
to the user, as does the web page used to change
the password. But the e-mail and the web page are
fake, and the bad guys used the web page to steal
the user’s login credentials. The attackers then use
the credentials to access the user’s bank account
and steal their money.
Baiting
Baiting is simply luring someone into a trap. We’ve all
heard the story of the famous Trojan horse sent by the
Greeks as a gift to the city of Troy in the 12th century BC.
When the Trojans brought the giant horse sculpture into
the city, it contained Greek soldiers hidden inside, and
the rest, as they say, is history. Here are a few cyber
examples of baiting:
• An unsuspecting person finds a keychain on the
floor and turns it in to the front desk receptionist.
It has a USB drive attached to it. The receptionist
decides to plug the drive into his computer to see
who it might belong to. But it contains malware
and infects the receptionist’s system and then
spreads to other systems on the network. Dropping
USB drives onto the ground is a very common
method of attack by hackers. It’s the bait some
people just can’t resist.
• An employee receives an e-mail announcing that
they are the lucky winner of a new computer game.
But the e-mail lures the victim to a website which
contains an exploit that runs from the user’s
browser. This is another successful attack using a
combination of social engineering and cross-site
scripting.
Leadership
The degree to which security is important (or not
important) to the organization’s leadership will drive the
number and extent of social engineering vulnerabilities
and resulting security breaches. The security culture
starts at the top of the organization. We know that if an
employee’s compliance with security policies is part of
their annual performance evaluation, the employee is
much more likely to follow the policies. However,
making security part of the evaluation usually requires
the approval or sponsorship of leadership. Buy-in at the
top of the organization in large part drives the extent to
which good information security practices are part of the
organization’s culture.
Testing
Social engineering tests are a subset of tests that should
be performed as part of an ongoing vulnerability
assessment and penetration testing program. The
purpose of conducting these tests is to improve the
security posture of the organization by revealing
weaknesses and providing useful information that can
guide security improvement. These tests progress the
same way a real attacker works, by testing, probing, re-
testing, and re-probing. Each success is an incremental
step toward the goal of compromising sensitive
information. Here is a list of some social engineering
testing activities an organization should have in its
toolbox.
• USB drive drops In this scenario the
organization places USB drives in various locations
throughout the facility. The drives contain COTS or
custom-developed software that simulates malware
by providing the testers with remote control of the
system, similar to a real attack. However, the
software is not real malware and is completely
removed at the conclusion of the test.
• Phishing e-mails The testers send specially
crafted e-mails to selected persons or groups in the
organization enticing them to do something or click
a link. These e-mails may appear to be from
external third parties or from impersonated
persons of authority.
• Phishing text messages Like phishing e-mails,
these messages appear legitimate and entice the
person to do something or reveal information.
• Fake websites (fictitious and impersonated)
Usually used in conjunction with an e-mail or text
message, these sites appear legitimate and entice
the person into revealing sensitive information.
• Phone calls to employees to conduct
pretexting attacks The testers use a variety of
fake scenarios that use telephone calls as the attack
vector. Each call seeks to establish trust and
convince the victim to reveal sensitive information
that can be used in an attack.
• Tailgating This is a physical intrusion in which
test personnel follow employees through normally
secured doors to gain unauthorized physical access.
The employee uses their authorized access method,
such as a badge, and then the tester sneaks through
the already opened door without using a badge.
• Physical impersonation In this test, testing staff
use a variety of techniques to appear as a legitimate
visitor, in order to gain access to a physical area.
Techniques include wearing uniforms and carrying
tools to look like service personnel or using fake
badges to pose as real employees.
• Social media employee reviews One key part
of a cyberattack is reconnaissance or collecting
information about the target. Social media is a key
reconnaissance tool used by cyberattackers. During
these tests, test personnel use a variety of means to
learn about the organization based on corporate or
personal social media posts. Cyberattackers also
engage with employees via social media to get them
to reveal information that can help with an attack.
The test staff will test employee resilience against
such techniques.
• Inspection of trash (dumpster diving) Test
staff can use this tried-and-true method to conduct
reconnaissance about the target organization or
seek ways to gain access.
• Inspection of disposed or donated
equipment Many organizations do not properly
sanitize unneeded equipment or storage media
prior to its disposal. The testing staff can use
techniques of the cyberattacker to follow the trail of
such items and look for sensitive data.
ASSET SECURITY
The domain of asset security is focused on the
organization’s understanding of its assets and the
determination of the appropriate controls for each asset
based on risk and classification. Essentially this entails
knowing what the organization has and how each asset is
being protected. The focus is often on assets that support
information-related activities, such as storing or
processing data. These assets may include hardware
(laptops, desktops, mobile devices, servers, network
equipment, and so on), software (databases,
applications, and so on), and information (files,
documents, and so on). The types of assets in the
environment and the types of controls used for each are
identified and addressed in the organization’s policies,
standards, and procedures.
Asset security controls are often implemented as part
of an information security control life cycle framework,
as described in Chapter 2. For example, the
categorization step of the NIST Risk Management
Framework is used to determine the baseline security
controls for a system, which are influenced by the types
of data stored on the system. An organization may
perform a risk assessment to determine the risks
associated with an information system, as well as the
information the system stores, and select controls to
mitigate identified risk. The risk assessment may be
guided by previous risk assessments or by the
organization’s risk management process.
The formal risk management process (discussed in
Chapter 1) is where the organization performs ongoing
risk management of the enterprise to keep track of
assets, assign values to them, evaluate risk, and decide
how to handle the risk (avoidance, acceptance,
transference, or mitigation). The outputs of the risk
management process provide the organization with
information that it can use to make decisions around
asset security, such as:
VULNERABILITY MANAGEMENT
Another core function of asset management is
monitoring the assets in the environment for known
vulnerabilities. This is done through a well-managed
vulnerability management program. Vulnerability
management is an ongoing process to identify, prioritize,
remediate, and mitigate known vulnerabilities in the
organization’s environment. Known vulnerabilities are
defects or configuration settings in products that can be
exploited to cause a security compromise. Security
organizations must check their assets continually to see if
known vulnerabilities exist so they can be remediated.
Here are some key components of a vulnerability
management program:
• Vulnerability scanner Scanners are programs
that examine devices on the network for known
weaknesses (vulnerabilities or other weaknesses
such as configuration errors). Scanner
manufacturers maintain libraries of products and
their associated weaknesses. These libraries are
used by the scanners to perform scans and are
constantly being updated. The product vendors and
scanner manufacturers share vulnerability
information to enable organizations to detect and
remediate vulnerabilities by patching systems or
changing configuration settings. NIST maintains a
national database of vulnerabilities (the National
Vulnerability Database) that many vendors use for
the latest vulnerability information. (Because
unknown vulnerabilities have not been identified
and documented by the community at large,
vulnerability scanning tools can’t scan for them.)
Many scanners also serve as tracking tools that
maintain a database of identified and remediated
vulnerabilities.
• Patch management Vulnerability scanning tools
can assist with verifying that assets have been
properly patched. Automated patch management
tools should be utilized to ensure operating
systems, third-party software, and other assets are
running up-to-date software.
• Configuration management Vulnerability
scanners can also assist with configuration
management by scanning assets against known
configuration profiles to determine if they are
hardened according to specifications.
• Authenticated scanning Some vulnerabilities
cannot be detected without authenticating (logging
in as an approved user) to the device. This is
because some vulnerabilities can be seen only by a
privileged (or administrative level) user.
Vulnerability scanning returns the most accurate
results when authenticated scans are performed.
This can be accomplished through an agent
installed on the system or by providing the scanner
with elevated rights on the system being scanned.
• Regular review Vulnerability scans should be
performed regularly at an organization-defined
interval. Scans should be reviewed and compared
to past scans to ensure vulnerabilities have been
remediated.
• Risk-based prioritization Vulnerability results
should be ranked based on risk to determine the
priority for remediation.
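Two of the components listed above, regular review against past scans and risk-based prioritization, are straightforward to implement over exported scan findings. The following is an added example, not code from the book or from any scanner vendor: it diffs two constructed scan exports to separate remediated, new, and persistent findings, then ranks the open findings by a risk score that combines the scanner's severity with the asset's criticality and internet exposure from the asset inventory. Asset names, the VULN-nnn identifiers, scores, and the weighting scheme are all constructed placeholders, not real vulnerability ids or a standard formula.

```python
"""Scan-to-scan comparison and risk-based prioritization of findings."""

# Constructed scan exports: one record per (asset, vulnerability) pair with
# the scanner's severity score. Identifiers are placeholders, not real CVEs.
PREVIOUS_SCAN = [
    {"asset": "web-01", "vuln": "VULN-001", "cvss": 9.8},
    {"asset": "web-01", "vuln": "VULN-002", "cvss": 5.3},
    {"asset": "db-01", "vuln": "VULN-003", "cvss": 7.5},
]
CURRENT_SCAN = [
    {"asset": "web-01", "vuln": "VULN-002", "cvss": 5.3},        # still open
    {"asset": "db-01", "vuln": "VULN-003", "cvss": 7.5},         # still open
    {"asset": "hr-laptop-07", "vuln": "VULN-004", "cvss": 8.8},  # new
]

# Constructed asset-inventory attributes (1 = low value, 5 = crown jewel).
ASSET_CRITICALITY = {"web-01": 4, "db-01": 5, "hr-laptop-07": 2}
INTERNET_FACING = {"web-01"}


def compare_scans(previous, current):
    """Regular review: what was fixed, what is new, what is still open."""
    prev = {(f["asset"], f["vuln"]) for f in previous}
    cur = {(f["asset"], f["vuln"]) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persistent": sorted(prev & cur),
    }


def risk_score(finding):
    """Severity weighted by asset criticality, with a multiplier for exposure.

    Unknown assets default to medium criticality so they are not silently
    deprioritized because the inventory is incomplete.
    """
    score = finding["cvss"] * ASSET_CRITICALITY.get(finding["asset"], 3)
    if finding["asset"] in INTERNET_FACING:
        score *= 1.5
    return round(score, 1)


def remediation_sla_days(score):
    """Constructed SLA tiers: higher risk gets a shorter remediation window."""
    if score >= 30:
        return 7
    if score >= 15:
        return 30
    return 90


def prioritize(findings):
    """Open findings ordered by risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


if __name__ == "__main__":
    diff = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for status, pairs in diff.items():
        print(f"{status:11s} {pairs}")
    for f in prioritize(CURRENT_SCAN):
        s = risk_score(f)
        print(f"{f['asset']:13s} {f['vuln']} risk={s:5.1f} fix within {remediation_sla_days(s)} days")
```

Note the ordering this produces: sorted by severity alone, the new laptop finding (8.8) would come first, but weighting by what the asset is and how exposed it is puts the database server and the internet-facing web server ahead of it. That is the point of the risk-based prioritization bullet above: the scanner's score is an input, not the decision.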
NOTE The Center for Internet Security (CIS) is a great resource for guidance
on hardening assets. CIS provides secure hardening benchmarks for a variety
of systems, including operating systems, network devices, databases, mobile
applications, cloud environments, printers, and more.
Endpoint Security
Every endpoint on the organization’s network must be
properly secured, hardened, and managed throughout its
life cycle to ensure that it is patched and its
vulnerabilities are remediated. Endpoints include
servers, desktop computers, laptops, network
infrastructure devices, and other assets on the
organization’s network. Here are some key endpoint
security controls that should be considered when
hardening assets:
• Endpoint protection software Servers,
desktops, laptops, and mobile devices should be
configured with endpoint protection software to
protect them against viruses, malware, and other
attacks. Traditionally this protection was
accomplished with signature-based antivirus software,
but modern endpoint protection platforms combine
antivirus with endpoint detection and response (EDR)
capabilities that record process, file, network, and
registry activity on the endpoint. This telemetry can
be used to facilitate investigations and provide
visibility into security-related events on the
endpoint device.
• Remove unnecessary software and services
Systems should be configured with the minimum
amount of software and services enabled to
perform their intended function. Unneeded
software or services are potential attack vectors
even if they are not used during normal operation.
To be safe, all unneeded software should be
removed or disabled and unneeded services should
be turned off.
• Encryption Ensure that data is encrypted at rest
(for example, full disk encryption) and in transit
(for example, SFTP, HTTPS, and so on).
• Vulnerability management Regularly scan
systems to identify and remediate known
vulnerabilities.
• Patch management Ensure systems are running
up-to-date software and firmware to protect
against known vulnerabilities.
• Configuration baselines Maintain secure
baseline configurations for devices for use in the
provisioning process and follow configuration and
change control practices.
• Data and configuration backups Data should
be regularly backed up to ensure its availability in
the case of an emergency or system failure. This
includes system images for servers, desktops,
laptops, and so on, as well as device configuration
files for network equipment.
• Network access control (NAC) NAC is an
integrated approach to endpoint management that
allows for specific policies to be defined that govern
the security requirements for network access as
well as the access levels for specific roles. For
example, a NAC policy may not allow devices to
connect to the network unless they meet specific
security requirements such as having antivirus
installed and recent patches applied.
• Access control Assets should be configured with
properly authenticated access control such as
passwords, smart card, biometrics, multifactor
authentication, and so on.
Media Controls
Media controls include a variety of measures to provide
physical protection and accountability for tapes, disks,
USBs, and other physical media. Media controls include
• Media marking Media should be clearly marked
and labeled to indicate the data classification of the
stored information.
• Media access Access to organization media
should be restricted to authorized individuals with
a need to know.
• Media storage Policies and procedures should be
developed around media handling, including
storage. These should include measures such as the
use of cryptography to protect data at rest as well
as physical access control protection through the
use of locked cabinets, safes, and so on.
• Media transport Media should be protected
during transport using appropriate security
measures defined by the organization, such as
cryptographic measures or locked containers for
transport.
• Media sanitization When media is no longer
needed, it should be securely disposed of according
to the organization’s media sanitization policies
and procedures. This includes methods discussed
later in the “Data Security” section of this chapter.
Data Remanence
When media is not properly sanitized, it can contain
remanent data. Data remanence is the residual data
that remains on a medium after it has nominally been
erased and that can be reconstructed with the right
tools. When data is erased or deleted, the data itself
is typically still present on the medium; only the
filesystem’s pointer to it has been removed and the
storage space marked as free for reuse. Until that
space is actually overwritten, sensitive data may
still be retrievable with the right tools and
expertise. Proper techniques to sanitize data include
purging, overwriting/zeroization, degaussing, and
physical destruction.
Facsimile Security
Fax machines may be used to transfer sensitive data and
can present their own unique data security challenges.
For example, if a sensitive document is faxed, the paper
may end up sitting in the output tray for anyone to
see. Organizations often put a classification mark on
the document, but printing a classification banner or
cover sheet may not provide enough protection. Here are some
controls that may be implemented to secure faxed
information:
• Implement a fax server rather than a fax machine
to allow OS-level access controls
• Disable the print feature so that sensitive
documents remain digital
• Harden the fax server using full disk encryption
and access controls
Printer Security
A printer is simply another computer on the network
that is designed to print hardcopy representations of
files. While printers may seem like unimportant assets
on the surface, they are often troves of valuable sensitive
information and often run their own web server. When a
printer is retired, it becomes a serious security and
privacy concern because of the potential sensitive
information stored on the printer. Printers should be
hardened like any other asset with the following controls
being considered:
• Secure print jobs with a unique PIN, requiring users
to enter their PIN at the printer before the job is
released
• Utilize an approved destruction process to properly
sanitize and dispose of printers
• Utilize encryption for the transmission of data to
and from the printer (such as HTTPS for print
servers)
• Utilize a vulnerability scanner to scan printers for
vulnerabilities
• Ensure the printer is running up-to-date software
with the most recent security patches
Safes
Safes are commonly used for asset security for the
physical protection of drives, disks, tapes, paper
contracts, and other valuable media. In addition to being
penetration resistant to prevent theft, safes should also
provide fire protection to ensure the contents are
protected from fire. Commonly used safes range from
floor safes and wall safes to vaults that encompass an
entire room and provide walk-in access. The following
controls should be considered when using safes:
• Ensure only those with a “need to know” have
access to the safe key or combination
• Ensure that if a combination is used, it is
changed periodically (and whenever someone who knows
it leaves the organization)
• Consider placing the safe in a badge access room or
in view of a camera to provide an audit trail of
access
DATA SECURITY
Data security controls are applied to information to
protect it from unauthorized access, disclosure, and
modification. These controls are applied as part of the
data life cycle, discussed later in this section. Data
security controls vary based on the state of the data. Data
states include data at rest, data in transit, and data in
use. This is a conceptual model used by security
professionals as a way to describe where and how data
must be protected in various states. Data security
controls are implemented by properly configuring and
hardening assets that store and process the information,
such as servers, network equipment, applications, and so
on. This section discusses the following topics:
• Data at rest
• Data in transit
• Data in use
• Data life cycle
DATA AT REST
The term data at rest refers to data residing on
persistent storage devices such as hard drives, flash
drives, optical disks, magnetic tape, or other storage
media. Many organizations today have policies that
require certain data to be encrypted whenever it is stored
in an information system. Data at rest security controls
include the following:
• Whole disk encryption
• Database encryption
• Specific data structure encryption (file, record, or
field encryption)
DATA IN TRANSIT
The term data in transit (also known as data in motion)
refers to data that is moving between computing nodes
on a network or between networks. This includes data
flowing over public untrusted networks as well as data
flowing over private enterprise networks, such as a local
area network (LAN). Data-in-transit security controls are
focused on utilizing encrypted network connection
protocols, including the following:
• Transport Layer Security (TLS)
• IPSec (IP Security)
• Virtual private network (VPN) encryption
DATA IN USE
The term data in use refers to data currently being
processed or used by the system or applications. This
primarily refers to data residing in system memory that
is being accessed for processing. This includes data
residing in primary storage such as volatile memory
(RAM), CPU registers, and memory caches that are being
processed. The challenging part about protecting data in
use is that even if proper encryption is utilized for
storage and transmission, the data typically must be
unencrypted to be used and processed. Protecting data in
use includes implementing good access controls, using
antivirus software that specifically looks for, alerts on, or
prevents improper writing to and reading from memory,
and designing applications to prevent unauthorized or
improper access of application data (such as preventing
cut and paste functions or screen captures of certain
applications).
• Acquisition
• Data classification and marking
• Use and archival
• Destruction
Acquisition
The first phase concerns the origin of the data. Data is
generally obtained by one of two methods:
• Acquisition Acquired from an external source
such as a vendor, customer, or other stakeholder
• Creation Created or developed from scratch
within the organization
Destruction
When data has passed its useful lifetime and retention
requirements, it must be securely destroyed. As security
professionals well know, when data is erased by pressing
the DELETE key on a computer, that data storage location
on the drive is essentially being marked as free for use by
the operating system. This tells the OS that the sector,
cluster, or block (depending on which filesystem is
being used) is now free to be reused. However,
all the “deleted” data is still on the drive. This method is
known as erasure. Since all the data is still on the media,
erasure is not a secure method of data disposal. When
media is securely cleared of its contents, it is said to be
sanitized. This means erasing information so that it is
not readily retrievable using routine OS commands or
commercially available forensic/data recovery software.
Media can be sanitized in several ways: purging,
overwriting/zeroization, degaussing, and physical
destruction. These methods are used to securely sanitize
data in assets such as hard drives and other storage
media. Each of these methods is defined and discussed
here:
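As an added example (not from the book) of the overwriting method named in the Data Remanence and Destruction passages above, the following Python shows why unlinking alone is erasure rather than sanitization and what an in-place overwrite achieves. The function names and the sample record are constructed for the example. One caveat a practitioner needs: overwriting only works where a logical block maps to a fixed physical location. On SSDs with wear leveling, copy-on-write or snapshotting filesystems, and cloud block storage, the old blocks may survive untouched, so for those media use the device’s built-in sanitize or cryptographic-erase function, as described in NIST SP 800-88.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 3, chunk_size: int = 64 * 1024) -> int:
    """Overwrite every byte of the file at `path`, in place, `passes` times.

    All passes but the last write random bytes; the last writes zeros so the
    result is verifiable. Each pass is flushed and fsync'd so the data reaches
    the device instead of sitting in the page cache. Returns the file size.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def sanitize_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink: a plain os.remove() only drops the directory entry."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def demo() -> dict:
    """Show the secret present before the overwrite and gone after it."""
    secret = b"CARD=4111-1111-1111-1111;"          # constructed sample record
    fd, path = tempfile.mkstemp(prefix="remanence-")
    with os.fdopen(fd, "wb") as f:
        f.write(secret * 200)                        # ~5 KB of "sensitive" data

    with open(path, "rb") as f:
        present_before = secret in f.read()

    size = overwrite_in_place(path, passes=2)        # one random pass, then zeros
    with open(path, "rb") as f:
        after = f.read()
    present_after = secret in after
    zeroed = after == b"\x00" * size
    os.remove(path)                                  # only now drop the name

    # Second file: the combined overwrite-and-unlink helper.
    fd2, path2 = tempfile.mkstemp(prefix="remanence-")
    with os.fdopen(fd2, "wb") as f:
        f.write(b"x" * 1000)
    sanitized_size = sanitize_file(path2)

    return {
        "present_before": present_before,
        "present_after": present_after,
        "zeroed": zeroed,
        "still_exists": os.path.exists(path),
        "sanitized_size": sanitized_size,
        "sanitized_exists": os.path.exists(path2),
    }
```

Calling demo() creates the files under the system temporary directory and removes them again. The number of passes is largely tradition: on modern magnetic media a single verified overwrite is considered sufficient, and on flash media no number of passes is a substitute for the controller’s own sanitize command.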
Hardcopy Example
The concept of access can be illustrated by considering
how it might apply not just to digital data but also to
hardcopy data. For example, if an organization stores
sensitive documents in a safe, the organization must
limit who has access to the safe through the use of a
combination lock only provided to authorized
employees (access management). In order for someone
to be provided with the combination, the organization
must know who the person is and verify their identity
to ensure they are who they say they are (identity
management). In this example the authorized
employee with access to open the safe using the
combination is the subject and the safe is the object.
TIP In terms of “best bang for your buck,” the implementation of multifactor
authentication has been shown time and time again to significantly increase
security posture and reduce the risk of compromise. This is due to the fact
that each factor increases the amount of work required for the cybercriminal
to implement an attack. For instance, even if a user is tricked into giving up
their password, the attacker still needs the additional authentication factor in
order to gain access.
WAN Topologies
The service provider provides the WAN infrastructure
using a choice of topologies, including
• Point-to-point A point-to-point topology consists
of a single path or circuit between two endpoints.
In this case the organization connects to the service
provider’s network that provides a single path
through the network to the other side, which may
be a peer facility or another LAN.
• Hub and spoke A hub and spoke arrangement is
used when the organization’s facility requires
connections to multiple locations. In this case,
while using multiple point-to-point connections is
an option, hub and spoke provides a lower-cost
alternative. The organization connects to a hub that
maintains connections with multiple sites. This
topology is also called single homed, which refers
to the use of a single hub. A dual-homed
arrangement uses two hubs at the organization’s
facility, each of which maintains its own spoke of
connections to the other locations for redundancy
and improved performance.
• Full mesh A full-mesh network is also used to
provide connectivity between multiple locations. It
is implemented when each location (node) has
circuits connecting it to every other location. This
arrangement provides the greatest redundancy and
flexibility.
WAN Technologies
The portion of the WAN link that interfaces with (or
terminates at) the organization’s LAN perimeter is called
the local loop and is sometimes referred to as the “last
mile” of the connection. Figure 4-4 provides an
illustration.
LAN Infrastructure
A typical LAN consists of one or more external
connections enabled by border equipment and an
internal network that is usually segmented to achieve
performance and/or security objectives. The internal
network may be a wired network, almost always Ethernet
nowadays, or wireless, or a combination of wired and
wireless. Figure 4-5 depicts a typical network. Some of
the components shown in the diagram are introduced
here while others are discussed later in this section.
Figure 4-5 A typical LAN
IP ADDRESSING
Addresses determine how data is sent and received
throughout IP networks. Much like the address of
a house enables mail to be delivered to the intended
recipient, IP addressing enables data to be sent to the
right place on a network. And just like houses are
addressed using multiple elements (such as city name,
street name, house number), components on the
network are addressed using two elements: network and
node (or host). In fact, every IP address contains two
parts: the network identifier and the node identifier.
In IPv4 the IP address is composed of 32 bits
consisting of four octets. There are public and private IP
addresses; public IP addresses are routed throughout the
Internet and private IP addresses are used within
corporations, organizations, and government entities
(private IP addresses are not routed on the public
Internet). Public IP address space is allocated by the
Internet Assigned Numbers Authority (IANA) to the
regional Internet registries (RIRs), which in turn
assign it to ISPs and organizations. Private IP
addresses are freely assigned by any company,
organization, or individual for their own use. The
following are the ranges of private IP addresses,
defined in RFC 1918, that are nonroutable on the
Internet:
• 10.0.0.0–10.255.255.255
• 172.16.0.0–172.31.255.255
• 192.168.0.0–192.168.255.255
Application Layer
Application layer protocols handle file transfers, perform
network management functions, and fulfill networking
requests from applications. The following are some
common application layer protocols:
Presentation Layer
Presentation services are those that handle the
translation of data into standard formats for
transmission. These services usually perform
compression, decompression, encryption, and
decryption. These functions are really services rather
than protocols. The following lists a few of the most
common presentation layer standards:
• ASCII The American Standard Code for
Information Interchange is a character encoding
standard that assigns a numeric code to each letter,
digit, punctuation mark, and control character. It is
primarily used to represent alphabetic and numeric
information.
• TIFF, GIF, JPEG These are image file formats;
GIF and JPEG (and optionally TIFF) compress image
data for easier storage and transmission.
• MIME Multipurpose Internet Mail Extensions
(MIME) establishes formats for mail message
content other than ASCII.
Session Layer
Session layer protocols are used to set up connections
between applications. They set up and tear down
connections and do housekeeping to help
communications operate smoothly. The following are
some common session layer protocols:
• Network File System (NFS) This is a method of
sharing files using a client/server relationship.
• Network Basic Input/Output System
(NetBIOS) NetBIOS provides services that allow
applications on separate computers to
communicate over a LAN. On modern networks it is
carried over TCP/IP (NetBIOS over TCP/IP, or NBT)
but has its own method of identifying the
applications that use it, using NetBIOS names. It
has three distinct services: name service,
datagram distribution service, and session service.
• Remote Procedure Call (RPC) This is a
protocol that an application can use to request a
service from another program located on another
system.
Transport Layer
Transport layer protocols handle end-to-end
transmission and segmentation of data. The following
protocols, among others, operate at this layer:
• Transmission Control Protocol (TCP) TCP is
a connection-oriented protocol that uses a three-
way handshake (SYN, SYN-ACK, ACK) to establish a
connection between two systems. Once established,
sequence numbers, acknowledgments, and
retransmission provide reliable, ordered delivery,
and each side can detect when the connection has
been lost or reset.
• User Datagram Protocol (UDP) In contrast to
TCP, UDP is not connection-oriented. As such, it is
used in situations in which it is not important for
the sender to know if the message was actually
delivered or not. While not as reliable, UDP
requires less overhead than TCP.
Network Layer
The network layer protocols are primarily involved in
routing and other networking and internetworking
services. The following are commonly used network layer
protocols:
• Internet Protocol (IP) IP is responsible for the
delivery of packets, also called datagrams, from a
source to a destination based on an IP address.
Routers maintain routing tables that map
destination networks to next-hop interfaces and
use routing protocols to keep those tables current
as they forward traffic throughout the network.
• Internet Group Management Protocol
(IGMP) IGMP is used to manage multicast
groups. When a system wants to participate in
multicast traffic, it becomes a member of a
multicast group. IGMP is used to inform the
routers the system is part of a group. Once
membership is established, the Protocol
Independent Multicast (PIM) service is used to
direct the multicast traffic to the member systems.
Physical Layer
The physical layer doesn’t really have protocols, but
instead has standards that define the physical aspects of
transmission. These standards include EIA-232, 422,
423, 449, and so on for serial transmission, Ethernet
physical layers (10BASE-T, 10BASE2, 10BASE5, others),
Optical Transport Network (OTN), and other physical
technologies capable of carrying OSI-compliant
protocols.
WIRELESS
Wireless technologies allow computers and other devices
to connect to LANs using radio frequency (RF)
communications. This provides great flexibility in the
physical layout and location of the computers. Today’s
wireless LANs follow the IEEE 802.11 family of
standards and most operate in the 2.4 GHz and 5 GHz RF
bands, with the 6 GHz band added by Wi-Fi 6E. Wireless
is implemented on LANs using two
components:
• Wireless router (access point)
• Wireless network adapter, implemented as either
an add-on or built into computers, cellphones, and
other devices
Firewalls
Figure 4-5 in the earlier “LAN Infrastructure” section
shows a network with a single point of egress for data
protected by a firewall. Firewalls are a versatile and
widely used technology used to control access between
two networks or two segments of a network. There are
three general types of firewalls: packet filter, proxy, and
stateful/dynamic packet filter. Sometimes these types are
referred to as generations 1, 2, and 3, respectively.
Packet Filter Packet filters are the most basic and least
expensive firewall. A packet filter is a router that screens
traffic based on an internal access control list (ACL). The
router screens all traffic and makes decisions as to
whether to allow or deny traffic to pass from one of its
interfaces to another based on the network and transport
layer header information of each message. The firewall
can make access decisions based on criteria including
• Source and destination IP addresses
• Source and destination port numbers
• Protocol
• Direction of traffic
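To make the first-match, implicit-deny behavior of a packet filter concrete, here is a small ACL evaluator in Python. It is an added illustration, not the book’s own material; the Packet and Rule classes, the 203.0.113.0/24 addressing (a documentation prefix), and the sample rules are constructed for the example. The order_matters function shows the classic mistake of placing an anti-spoofing deny after a broad permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int]
    direction: str      # "in" (toward the protected network) or "out"


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    direction: str                      # "in", "out" or "any"
    proto: str                          # "tcp", "udp", "icmp" or "any"
    src: str                            # CIDR
    dst: str                            # CIDR
    dport: Optional[Tuple[int, int]]    # inclusive port range; None = any port

    def matches(self, pkt: Packet) -> bool:
        """Every field of the rule must match the packet's network/transport headers."""
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None:
            if pkt.dport is None or not (self.dport[0] <= pkt.dport <= self.dport[1]):
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation with an implicit deny at the end, as on a router ACL.

    Returns (action, index of the matching rule), or ("deny", None) when no
    rule matched and the implicit deny applied.
    """
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed example ACL protecting 203.0.113.0/24 on the outside interface.
ACL = [
    # 0: anti-spoofing - RFC 1918 sources must never arrive from the Internet
    Rule("deny",   "in",  "any", "10.0.0.0/8",      "203.0.113.0/24",  None),
    # 1: public web server
    Rule("permit", "in",  "tcp", "0.0.0.0/0",       "203.0.113.10/32", (443, 443)),
    # 2: SSH only from the partner's management range
    Rule("permit", "in",  "tcp", "198.51.100.0/24", "203.0.113.0/24",  (22, 22)),
    # 3: everything outbound
    Rule("permit", "out", "any", "203.0.113.0/24",  "0.0.0.0/0",       None),
]


def order_matters() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """The same spoofed packet against the ACL as written, and with the
    anti-spoofing rule moved after the web-server permit."""
    spoofed = Packet("10.1.2.3", "203.0.113.10", "tcp", 443, "in")
    reordered = [ACL[1], ACL[0]] + ACL[2:]
    return evaluate(ACL, spoofed), evaluate(reordered, spoofed)
```

Because the filter is stateless, it judges each packet in isolation: permitting inbound 443 says nothing about the server’s replies, so return traffic must either be permitted explicitly (which opens more than intended) or handled by a stateful filter that tracks connections rather than individual packets.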
IDS/IPS
Intrusion detection systems (IDSs) and intrusion
prevention systems (IPSs) are companion technologies
involving specialized tools to detect (IDS) and prevent
(IPS) malicious activity. Both deploy sensors throughout
the network that communicate with a control or
reporting system that allows the security staff to view
indicators of malicious activity and take measures to
prevent security breaches.
A network-based IDS (NIDS) uses sensors deployed
throughout the network in the form of computers or
specialized appliances. A host-based IDS (HIDS) uses
agents installed on host computers that monitor for, and
detect, malicious activity on the host. HIDS agents look
for host- or OS-specific activities such as running
processes, registry changes, file alteration, and so on.
Whether network or host based, there are several
detection methods employed by IDSs. Modern IDS
products usually take advantage of more than one of
these methods:
CRYPTOGRAPHY
Cryptography is one of the most fundamental
information security practices, and possibly the oldest.
Modern cryptography is the practice of using
mathematics to secure information by rendering it
unintelligible to unauthorized parties. This section
presents the following cryptographic topics and
concepts:
• Cryptographic definitions
• Cryptographic services
• Symmetric, asymmetric, and hybrid cryptosystems
• Hash algorithms
• Message authentication codes
• Digital signatures
• Public key infrastructure
Steganography
Steganography is a technique used to hide secret
information in plain sight, typically in innocuous
looking digital files. This is accomplished through the
use of special software that embeds messages inside
images, videos, audio, text, or other files.
Steganography and cryptography are two sides of
the same coin. Although both are used to communicate
secret information, the method for doing so varies.
Steganography hides the fact that the communication
has even taken place, as an unintended recipient of a
file is unaware that the file contains a hidden message.
Cryptography does not hide the communication but
hides the data itself through encryption. If an
unintended recipient receives an encrypted message,
they know the message is there but they cannot read it.
Steganography does not encrypt the message; it simply
hides the message in another file.
CRYPTOGRAPHIC DEFINITIONS
Some fundamental definitions must be established to
facilitate the discussion of cryptography. The
foundational components of cryptography include the
following:
• Cryptographic key A string of values used in
conjunction with cryptographic algorithms for
operations such as encryption and decryption. In
general, the longer the key size the more security
that is provided; however, this also depends on the
algorithm and the implementation used.
• Cryptographic algorithm A well-defined
mathematical procedure that can be used for
encryption, decryption, or hashing.
• Plaintext Information in a readable format that
has not been encrypted or has been decrypted.
• Ciphertext Information in an unreadable format
that has been encrypted.
• Encryption The process of transforming plaintext
to ciphertext using cryptographic keys and
algorithms.
• Decryption The process of transforming
ciphertext to plaintext using cryptographic keys
and algorithms.
• Hashing A one-way function that uses algorithms
to transform information of any length into a
fixed-length string of data, often used for integrity
checking.
• Cryptosystem Includes all the necessary system
components for encryption and decryption such as
software, protocols, algorithms, keys, key
management, and so on.
The cryptographic key is the variable input that
determines how the algorithm transforms the data: the
algorithm itself is public, and the secrecy of the
result rests entirely on the secrecy of the key.
Together, keys and algorithms allow for encryption
and decryption operations to take place to transform
plaintext to ciphertext and vice versa. The encryption
and decryption operations are illustrated in Figure 4-9.
CRYPTOGRAPHIC SERVICES
One of the beautiful aspects of cryptography is the range
of security services that can be provided, including
Symmetric Encryption
Symmetric encryption, also known as symmetric key
cryptography, is characterized by the use of a single key
for encryption and decryption. This means that the
sender and receiver of an encrypted message must both
have a copy of the same key. Because anyone with access
to the key will be able to decrypt the message, the key
must be kept secret. This is why it is referred to as a
secret key or shared key (the term private key is
normally reserved for asymmetric cryptography). For
example, in Figure 4-10, Alice and Bob want to
exchange confidential information. To send the
message to Bob, Alice encrypts the message with the
shared secret key to convert the message from plaintext
to ciphertext. Bob in turn must have a copy of the same
secret key to decrypt the message from ciphertext to
plaintext. Likewise, if Bob wants to send a message to
Alice, he encrypts the message with the shared secret
key and Alice decrypts the message with the same
secret key. The difficulty is getting that key to both
parties without exposing it to anyone else; this key
distribution problem is what asymmetric cryptography
addresses.
Asymmetric Encryption
Asymmetric encryption, also known as public key
cryptography, is characterized by the use of two
mathematically related keys: a public key and a private
key. The public key may be provided to anyone that the
owner is interested in securely communicating with, but
the private key must be known only to the owner. For
example, in Figure 4-11, Alice and Bob want to exchange
confidential information. To send the message to Bob,
Alice encrypts the plaintext message with Bob’s public
key, which has been shared with her. Bob in turn must
decrypt the message from ciphertext to plaintext using
his private key known only to him. Likewise, if Bob wants
to send a message to Alice, he encrypts the message with
Alice’s public key and Alice decrypts the message with
her private key. In terms of security services, asymmetric
cryptography provides confidentiality through
encryption and provides authenticity and
nonrepudiation by utilizing digital signatures (discussed
later in this section).
Figure 4-11 Asymmetric encryption example
Hybrid
As discussed, symmetric and asymmetric cryptography
have their own strengths and weaknesses. Modern
cryptosystems typically utilize a hybrid model that makes
use of both. The use of these two techniques is often
referred to as hybrid cryptography or as a digital
envelope. Figure 4-12 provides an illustration for how
common hybrid cryptosystems operate. The steps are as
follows:
• SSL/TLS
• SSH
• OpenPGP
Cryptosystems Summary
Table 4-3 provides a summary and comparison of the
fundamental differences between symmetric and
asymmetric cryptographic functionality.
Table 4-3 Comparison of Symmetric and Asymmetric
Cryptography
HASH ALGORITHMS
Hashing was briefly introduced in the “Cryptographic
Definitions” section. To recap, a hash algorithm is a one-
way function that maps information to a fixed-length
string of data, referred to as a hash value, fingerprint, or
message digest. It is referred to as a one-way function
because the original message cannot be reproduced from
the hash value, unlike encryption where the ciphertext
can be converted back to plaintext using the decryption
operation. In addition, there is no key involved when
using hash algorithms. For example, consider the MD5
hash values for the text strings “my-secret” and “My-
secret” illustrated in Figure 4-13.
Figure 4-13 MD5 hash example
Collisions
If a hash algorithm creates the same hash output for two
different messages, this is known as a collision. To
reduce the risk of collisions occurring, a hash algorithm
with a larger message digest output (in bits) should be
used. This means that a hash algorithm that produces a
256-bit hash value is typically more resilient to collisions
than a hash algorithm of 128 bits.
Collisions can cause security problems depending on
how a hash is used. Practical collision attacks against
MD5 have been demonstrated, and SHA-1 has since
followed it. Does this mean that MD5 should not be
used? It depends on what the hash is protecting
against. For detecting accidental corruption of a file,
MD5 is still adequate; where an attacker could
substitute a file of their own, a collision-resistant
algorithm such as SHA-256 is required. Hashing
passwords is a different problem again: a fast hash of
any kind, SHA-256 included, lets an attacker test
billions of guesses per second on commodity GPUs, so
passwords should be stored with a deliberately slow,
salted password hashing function such as PBKDF2,
bcrypt, scrypt, or Argon2.
Password Hashing
Plaintext passwords should not be stored in a system. If
an attacker compromises such a system or password
database, they would have access to the plaintext
passwords. In modern-day operating systems, password
hashes are stored instead of storing the plaintext
password. This reduces the risk of an attacker accessing
the plaintext password if the system is compromised and
also prevents system administrators from knowing the
passwords that are stored (as only the hashes are stored).
In Windows, local user accounts and password hashes
are stored in the Security Account Manager (SAM)
database, and domain accounts in Active Directory. On
Unix/Linux systems, user account information is stored
in the world-readable /etc/passwd file, while the
password hashes are kept in /etc/shadow, which is
readable only by root.
Password Attacks
There are a few different methods that attackers use to
attack passwords:
• Dictionary attack An attacker utilizes a tool
that tries each entry of a word list (a dictionary
of common words, names, and previously leaked
passwords) as a password guess. For this
reason, it is important to discourage or prevent
the use of dictionary words as passwords. Some
systems can check new passwords against such
lists and reject them.
• Brute-force attack An attacker tries all possible
combinations of characters, one at a time, as
password attempts to break into a system. This is
why password length and complexity matter. The
longer the password, and to a lesser degree the
larger its character set (uppercase and lowercase
letters, numbers, special characters, and so on),
the greater the work factor in performing a
successful brute-force attack.
• Rainbow table attack An attacker uses a
precomputed table of plaintext input and
corresponding hashed values for cracking
password hashes. For example, if an attacker has
stolen or compromised a system’s hashed
password database, they can compare the hashes
to the values in the rainbow table to determine
the plaintext password. This risk is often
mitigated through the use of cryptographic salts.
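The following Python, an added example rather than the book’s own code, puts the Password Hashing and Password Attacks discussion side by side: an unsalted fast hash falls to a precomputed table instantly, while a salted, stretched hash (PBKDF2-HMAC-SHA256 from the standard library here; bcrypt, scrypt, or Argon2 are equally appropriate) defeats precomputation and makes every guess expensive. The word list and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed word list standing in for a cracking dictionary.
WORDLIST = [b"password", b"letmein", b"Summer2024!", b"correct horse battery"]


def unsalted_hash(password: bytes) -> str:
    """What not to do: a fast, unsalted hash of the password."""
    return hashlib.sha256(password).hexdigest()


def build_lookup_table(wordlist: Iterable[bytes]) -> Dict[str, bytes]:
    """Precompute hash -> plaintext once; reusable against every unsalted
    database. A rainbow table is this idea with chain compression to save space."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_with_table(stored_hash: str, table: Dict[str, bytes]) -> Optional[bytes]:
    """Constant-time lookup: no hashing needed at attack time."""
    return table.get(stored_hash)


def hash_password(password: bytes, iterations: int = 600_000) -> str:
    """Store a salted, stretched hash. 600k PBKDF2-HMAC-SHA256 iterations is
    the OWASP (2023) recommendation; the 16-byte salt is random per user."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: bytes, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_by_guessing(record: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """With a salt there is nothing to precompute: every guess must be
    stretched against this one record, paying the full iteration cost."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    leaked_unsalted = unsalted_hash(b"letmein")
    record_a = hash_password(b"letmein")
    record_b = hash_password(b"letmein")     # same password, different salt
    return {
        "unsalted_cracked_instantly": crack_with_table(leaked_unsalted, table),
        "salted_records_differ": record_a != record_b,
        "table_useless_against_salted": crack_with_table(record_a.split("$")[-1], table),
        "correct_password_verifies": verify_password(b"letmein", record_a),
        "wrong_password_rejected": verify_password(b"password", record_a),
        "weak_password_still_guessable": crack_by_guessing(record_a, WORDLIST),
    }
```

Note the last result: a salt does not rescue a weak password, since the attacker simply guesses against the salted record; it only removes the precomputation shortcut. The iteration count is what slows each guess, and it should be raised over time as hardware gets faster.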
DIGITAL SIGNATURES
A digital signature is, in its simplest description, a
hash value that is encrypted with the sender’s private
key. (Real signature schemes such as RSA-PSS and
ECDSA apply the private-key operation to the hash
together with padding or other structure, so
“encrypting the hash” is a simplification, but the
flow is the same.) Digital signatures provide
integrity, authenticity, and nonrepudiation. This
provides assurance that the message has not been
modified (integrity), provides assurance that the
message came from the sender (authenticity), and
prevents the sender from denying that they sent it since
only the sender should have access to their private key
to perform the signing operation (nonrepudiation). The
general steps involved in this process, based on the
hashing steps discussed earlier, are as follows:
1. Alice puts the message through a hashing function
to generate a message digest.
2. The message digest is encrypted with Alice’s
private key and appended to the message sent to
Bob.
3. Bob decrypts the message digest with Alice’s
public key and runs the message through the same
hashing function to generate his own separate
message digest.
4. Bob then compares the two message digest values
(the one he received from Alice and the one he
created). If they are the same, the message has not
been altered (integrity), it must have come from
Alice (authenticity), and she can’t deny sending it
(nonrepudiation).
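The four steps above, worked through in Python as an added example (not the book's code). It uses textbook RSA with no padding and with deliberately insecure keys built from publicly known Mersenne primes, so it demonstrates the sign-then-verify flow only; the second signer "Mallory" is an assumed name used to show the authenticity check failing.

```python
import hashlib
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA: return (public, private) as (e, n) and (d, n). Needs Python 3.8+ for pow(e, -1, m)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


# Constructed, deliberately insecure keys for illustration only: the primes are the
# publicly known Mersenne primes 2^127-1 and 2^521-1 (Alice) and 2^89-1 and 2^607-1
# (Mallory, an assumed second signer), so anyone could factor these moduli. Real keys
# use secret random primes, a padding scheme, and a vetted library.
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 127) - 1, (1 << 521) - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair((1 << 89) - 1, (1 << 607) - 1)


def message_digest(message: bytes) -> int:
    """Step 1: hash the message; the digest is treated as an integer (smaller than n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: Key) -> int:
    """Step 2: 'encrypt' the digest with the private key; this value travels with the message."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """Steps 3 and 4: recover the digest with the public key, recompute the digest from the
    received message, and compare. Any change to the message, or a signature made with a
    different private key, makes the two values differ."""
    e, n = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


if __name__ == "__main__":
    msg = b"Transfer 100 to Bob"                            # constructed sample message
    sig = sign(msg, ALICE_PRIV)
    print(verify(msg, sig, ALICE_PUB))                      # True: integrity and authenticity hold
    print(verify(b"Transfer 1000 to Bob", sig, ALICE_PUB))  # False: message altered in transit
    print(verify(msg, sign(msg, MALLORY_PRIV), ALICE_PUB))  # False: not signed with Alice's key
```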
PHYSICAL SECURITY
Physical security is often the first line of defense for an
organization’s personnel and assets. The responsibility
for physical security varies from organization to
organization and may not fall under the CISO’s purview.
Some organizations have a separate chief security officer
(CSO) or other individual responsible for physical and/or
personnel security. Therefore, information security
functional responsibilities may overlap or be integrated
with physical security. Regardless of the implementation
and organizational structure, the CISO should be aware
of physical security and its relationship with information
security. This section discusses the following topics:
Security Zones
Internally, buildings may be built to provide security
zones. Much like networks can be segmented with access
controls to support the concept of least privilege,
buildings can be designed in a similar fashion. In this
case the building is divided into zones with different
security levels depending on who needs to be in each
zone and the associated risk.
Doors and walls are the widely used methods of
controlling access between security zones, rooms, or
other areas of segmentation in the building. Construction
and materials of doors, walls, flooring, and ceilings are
chosen based on the predicted threat and the assets
under protection. The least amount of protection is
provided by hollow walls and doors; the strongest are
built of solid materials reinforced with stronger materials
such as concrete or steel.
The key is to balance the impact of a threat against the
cost of the countermeasures against it.
Prevent or Detect?
Sometimes it may not be important to keep the bad
guys out as long as you know that they were there.
Many buildings use drop ceilings that have easily
removed tiles that can be used to gain access to the
area above the ceiling. Walls may be built just high
enough to stop at the drop ceiling, allowing someone to
climb into the ceiling area, over the wall, and into the
adjacent room, bypassing doors and locks. But this
may be okay if ceiling clips are used. These clips ensure
that if someone removes a ceiling tile, the tile is
destroyed, leaving a hole in the ceiling and a trail of
debris on the floor. In this case there is no way an
intruder can access the room in the described manner
without someone knowing it occurred. Depending on
what the room is used for, this level of security may be
good enough.
Locks and Access Control
Doors control ingress to and egress from a building or
room. However, doors don’t provide authentication
unless they have a lock. Locks limit who can open a door
and are the physical equivalent of identity management
because only certain people, or groups of people, have
the key, combination, or other method to open the door.
Therefore, locks can be used to enforce the principle of
least privilege for a physical facility. Locks have been
around for centuries and there are many types from
which to choose to provide different levels of protection
and usability features. Here are a few:
Mantraps
Another commonly used building or room access control
mechanism is a mantrap (sometimes called a person-
trap), which is a small area or vestibule with two doors
built so the first door must be closed before the second
door can be opened. Mantraps require the visitor to go
through two doors and open two locks in order to gain
access to a secure area and are used in situations that
require a higher degree of security. Datacenters often use
mantraps.
Fences
Fencing provides a physical barrier and access control to
the area around a building or group of buildings. Similar
to the construction of walls and doors, the strength of
materials, thickness and size, and construction methods
determine the level of protection provided by the fence.
The type of fence that is suitable for a given situation is
based on risk. For instance, a three-foot-high fence may
deter casual trespassers but can easily be climbed,
whereas an eight-foot-high fence with barbed wire at the
top is a challenge for most people. Most critical areas have fences
at least eight feet high.
Lighting
Lighting is used for security in critical areas, parking lots,
and near doors, windows, and building perimeters.
Lighting provides several important security functions: it
discourages intruders, who usually do not want to be
seen; it provides safety for personnel; and, most
importantly, it provides a way for security guards,
employees, and security cameras to see and record
people and activities. Lighting features and types include
the following:
• Glare protection Light is directed toward areas
where potential intruders are most likely to be but
not toward guards or cameras that may be
impaired by glare.
• Continuous lighting An array of lights provides
an even amount of light across an area such as a
parking lot or field.
• Controlled lighting Lighting does not bleed over
property lines, so only the organization’s area is lit
and not their neighbor’s area.
• Standby lighting Different lights turn on and off
automatically, so it appears that people are in the
building when they may not be.
• Responsive area illumination Lights turn on
automatically in response to detection of a possible
intruder.
Security Guards
Security guards are an expensive tool to use in security
but they have special value in that they can perform all
three of the core physical access control functions at the
same time:
• Deterrence The mere presence of a guard can
deter an intruder.
• Delay Guards can physically challenge an intruder
and provide an obstacle the intruder must
overcome to carry out their exploit.
• Detection Guards have eyes and ears and can use
them to detect an intrusion and then sound an
alarm to alert others.
Detective Controls
Detective controls most often are deployed as a
monitoring or alarm system. Similar to a network IDS, a
physical monitoring system uses sensors that report to a
central point to provide information to the organization
that an event has occurred. Depending on the event
details, it can be further investigated.
Physical intrusion sensors include motion detectors
that detect a possible intruder and security cameras that
record a possible intrusion and store video for later
inspection. Various other types of sensors include ones
that can detect when doors or windows are opened or
broken, detect sounds above the ambient noise levels,
and detect heat given off by bodies.
Like logging and monitoring systems discussed
elsewhere in this chapter, physical security monitoring
systems must be tuned to provide the right level of
detection and information to the organization.
Datacenters
Datacenters often hold the crown jewels of an
organization’s information assets. In addition,
datacenters concentrate many of an organization’s high-
value assets in an enclosed space, which increases the
vulnerability associated with a single threat event.
Therefore, the impact of a serious physical security
incident or environmental disaster is potentially massive.
Datacenter security controls should be highly resilient
and redundant to provide maximum protection. The
following are some aspects of datacenters that require
special consideration:
Fire Suppression
Fires start for a variety of reasons, including electrical
failures or ignition of combustible materials due to
carelessness and even arson. To ignite and burn, fire
requires four things:
• Heat
• Fuel
• Oxygen
• Chemical reaction
Remove any of these four things and the fire stops.
Modern fire suppression systems perform two functions:
detect the fire and deploy an agent. The agent works by
accomplishing one of the following:
• Reducing the temperature
• Removing the fuel or the oxygen
• Disrupting the chemical reaction
Fire detectors operate by detecting smoke (smoke
activated), heat (temperature activated), or flames
(infrared-flame activated). Upon detection of a fire, the
system sends an alert to a central console or directly to
the fire stations and deploys an agent (liquid or
chemical) to put out the fire. There are generally three
types of fire suppression systems in use today:
• Wet pipe Wet pipe systems are simple
arrangements of pipes mounted on or above the
ceiling that are filled with water and are ready to be
released onto whatever is below them. Putting out a
fire in this manner is quite destructive, especially to
electronic equipment.
• Pre-action Pre-action systems are much like wet
pipe systems except the pipes do not contain water
until a fire is detected and then the pipes are
quickly filled and the water is deployed. Dry pipes
are considered safer than wet pipes because there
is less chance of an accidental leak and dry pipes
may be less likely to drip moisture due to
condensation.
• Gaseous Gaseous systems deploy gas agents to
remove oxygen and heat. Since these agents are
gaseous, no water is used and therefore gaseous
systems are much more friendly to electronic and
office equipment. Most modern gaseous systems
use agents such as FM-200.
For datacenters, gaseous systems are preferable
because they are the least destructive; however, they are
also the most expensive of the three types. To reduce
costs, some organizations choose pre-action systems for
datacenters.
PERSONNEL SECURITY
A physical security program should take into account
personnel safety and security. As stated earlier in the
chapter, personnel safety should be a top priority for the
organization. Personnel security is a broad topic that
includes implementing general safety practices,
employment procedures, and vendor, consultant, and
contractor procedures.
Employment Procedures
Part of personnel security includes managing the life
cycle of the employment process, which includes the
following:
• Employment screening procedures These are
procedures that are followed as part of the hiring
process to determine employee suitability. These
may include
• Background checks
• Drug screenings
• Security clearance requirements
• Credit checks
• Employment agreements and policies These
are documents such as the following that
employees sign that communicate expected
behavior:
• Nondisclosure agreement (NDA)
• Code of conduct policy
• Ethics agreement
• Conflict of interest policy
• Employment termination procedures These
procedures are followed when an
employee/employer relationship is terminated.
These include procedures such as
• Completing an exit interview
• Reviewing the nondisclosure agreement
• Revoking ID badges, keys, and company assets
• Disabling the user’s accounts
• Changing passwords, combinations, or PINs that
the user had access to
• Escorting the individual out of the office/facility
SOFTWARE DEVELOPMENT
SECURITY
Many organizations, especially medium and large ones,
build their own software applications to perform
business functions. For those organizations that choose
to go down the path of software development, addressing
information security during development is sometimes
taken lightly, which can have serious
consequences. Organizations that fail to address security
early and correctly during the software development
process end up introducing vulnerabilities into their
enterprise. It’s one thing for an attacker to introduce risk
into the environment but it’s yet another for the
organization to introduce risk by its own doing. As the
guardian of the organization, it is the CISO’s job to make
sure this doesn’t happen. Building in security is better
than adding it later on. Addressing security during the
development effort rather than afterward is cheaper,
easier, and, in most cases, more secure.
Even in today’s environment in which cybercriminals
are active and cyberattacks are prevalent and widely
reported, some engineering organizations fail to include
security requirements in the planning phases of a
software development project. Here are a few of the
reasons why security is frequently not addressed during
the SDLC:
SOFTWARE VULNERABILITIES
The “Malicious Software and Attacks” section at the
beginning of this chapter describes scripting and
vulnerability-specific attacks that take advantage of
vulnerabilities in software. Many of these attacks take
advantage of vulnerabilities resulting from system design
or coding errors. The following sections provide a brief
summary of some of the most common software
vulnerabilities from the most recent OWASP Top Ten
application vulnerabilities list
(https://owasp.org/www-project-top-ten/).
Injection
Injection is a software vulnerability that allows an
attacker to send untrusted data to an interpreter. The
data can be crafted to cause the interpreter to execute
unintended commands without authorization. There are
various types of injection flaws depending on the back-
end system being exploited, which include SQL, NoSQL,
OS commands, LDAP, and others. Developers can
prevent injection vulnerabilities by applying the
following practices:
• Use a safe API instead of an interpreter
• Filter input fields by only allowing certain strings or
characters
• Include controls in the commands to back-end
systems to limit available functions to only those
that are allowed (such as the SQL LIMIT control)
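The first two practices above, shown side by side as an added example (not from the book): a lookup that pastes input into SQL text next to the same lookup through sqlite3's parameterized API, plus an allowlist filter for the input. The database, its rows, and the function names are constructed for the demonstration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak form: untrusted input is pasted into the SQL text the interpreter executes,
    so quote characters in the input change the meaning of the query."""
    sql = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the parameterized API binds the input as a value, never as SQL syntax."""
    return conn.execute(
        "SELECT username, secret FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_allowed_username(username: str) -> bool:
    """Allowlist filter (second bullet): only the characters a username may contain."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn: sqlite3.Connection, username: str) -> list:
    """Both practices together: reject malformed input first, then use the safe API."""
    if not is_allowed_username(username):
        raise ValueError("username contains disallowed characters")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"                    # input whose quotes alter the query's logic
    print(lookup_vulnerable(conn, "alice"))      # one row, as intended
    print(lookup_vulnerable(conn, crafted))      # every row: the WHERE clause was subverted
    print(lookup_safe(conn, crafted))            # []: no user is literally named that
    print(is_allowed_username(crafted))          # False: rejected before reaching the database
```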
Broken Authentication
Broken authentication is a family of problems all related
to identity management, authentication, and session
management being implemented incorrectly. Attackers
use these weaknesses to compromise passwords, keys,
and tokens and take advantage of other flaws to assume
users' identities. Applications are vulnerable if they
contain any of the following weaknesses:
• Permit automated authentication attacks that allow
an attacker to attempt logins with many usernames
and passwords
• Permit the use of simple or easily guessable
passwords
• Use weak password recovery features
• Do not store or transmit passwords in a secure
manner
• Have poorly implemented authentication, including
multifactor
• Expose session IDs, or fail to rotate or invalidate them
• Deny by default
• Enforce access controls in accordance with the
organization’s policies
• Avoid using CORS
• Disable web server directory listing
Security Misconfiguration
Misconfigured software and operating systems are
certainly the most commonly encountered
vulnerabilities. Operating systems and software are often
incorrectly configured due to the use of default settings,
incorrect security settings, unneeded features, and even
being out of date or unpatched. Applications are
vulnerable if they contain any of the following
weaknesses:
• Out-of-date or unpatched software
• Default accounts enabled
• Unneeded functions enabled
• Security features not enabled
• Security settings or values incorrectly set
• Overly verbose error messages (reveal more
information than necessary)
Insecure Deserialization
Serialization is the process of converting an object to
bytes of data; deserialization is the reverse. If an attacker
enters specially crafted data into a web page field of a
vulnerable application, when the object is deserialized it
can cause any number of exploits, including remote code
execution, SQL injection, or other malicious
unauthorized functions. Applications are vulnerable if
they accept serialized objects from untrusted sources.
Developers can prevent insecure deserialization
vulnerabilities by applying the following practices:
• Do not accept serialized objects from untrusted
sources
• Perform integrity checking of serialized objects
• Run deserialization functions on separate isolated
systems
• Restrict network traffic from systems that
deserialize
• Monitor deserialization operations
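The second practice, integrity checking of serialized objects, as an added example (not the book's code): the server serializes to plain JSON (which carries no code to execute on load) and appends an HMAC tag, and the receiving side verifies the tag before it parses anything, so a blob that was modified after signing or never signed at all is rejected. The key and the session object are constructed.

```python
import hashlib
import hmac
import json

# Constructed key for the demonstration; in production it lives in a secret store
# on the server and is never shared with clients
SERVER_KEY = b"constructed-demo-key-not-for-production"


class IntegrityError(ValueError):
    """Raised when a serialized object fails its integrity check."""


def serialize_signed(obj, key: bytes = SERVER_KEY) -> bytes:
    """Serialize to plain data and append an HMAC-SHA256 tag computed over the exact bytes."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def deserialize_checked(blob: bytes, key: bytes = SERVER_KEY):
    """Verify the tag BEFORE parsing; only then hand the bytes to the parser."""
    payload, sep, tag = blob.rpartition(b".")   # the hex tag never contains '.'
    if not sep:
        raise IntegrityError("missing integrity tag")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("integrity tag mismatch")
    return json.loads(payload)


def is_trusted(blob: bytes, key: bytes = SERVER_KEY) -> bool:
    """Convenience wrapper: True only when the blob passes the integrity check."""
    try:
        deserialize_checked(blob, key)
        return True
    except IntegrityError:
        return False


if __name__ == "__main__":
    session = {"user": "alice", "role": "user"}          # constructed session object
    blob = serialize_signed(session)
    print(deserialize_checked(blob) == session)           # True: untouched round trip
    tampered = blob.replace(b'"role":"user"', b'"role":"admin"')
    print(is_trusted(tampered))                           # False: modified after signing
    unsigned = json.dumps({"role": "admin"}).encode()
    print(is_trusted(unsigned))                           # False: no tag from the server
```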
RELEVANT LAW
Although the CCISO is an international certification, this
discussion about relevant security laws has an admittedly
US orientation.
EXAM TIP The CCISO exam may not contain questions about specific laws,
but CISOs should be well aware of the laws that apply to their organizations
in the jurisdictions in which they operate.
• Unauthorized access
• Insertion of malicious code
• Unauthorized modification or destruction of data
• Unauthorized disclosure of information
Logging
Logging is the capturing and storing of activities for later
analysis. Logging is used to support auditing,
troubleshooting, functional/operational analysis of
systems, and of course security. Logs can capture events
that occur throughout the enterprise and include the
following types:
• Input/output failures
• Authentication/authorization events
• OS and application errors
• System startup and shutdown events
• Security indicators such as adding/deleting users,
changing privileges, and adding/deleting tokens
• Actions performed by administrators or privileged
users
Monitoring
Once events are captured as part of the logging process,
they can be examined to detect security-related events,
such as breaches, and to support investigation of those
events. Most organizations employ some kind of security
information and event management (SIEM) system that
aggregates and correlates event logs from a variety of
sources into a central repository. SIEM systems facilitate
event analysis and provide a big-picture view of the
enterprise. SIEM functions include
• Log aggregation The monitoring solution collects
event data from a variety of sources, including
systems and servers, network devices, databases,
and applications.
• Secure storage The SIEM central repository must
be in a secure location, such as a properly secured
database, as the logged information is sensitive. In
fact, the SIEM database often is more secure than
the original source of the logs.
• Correlation and analysis The biggest value, and
possibly the biggest discriminator when
comparing different SIEM solutions, is how well the
system helps the security staff draw conclusions from
the event data. The SIEM software analyzes the
data to build trends and establish relationships in
order to detect anomalous activities. The better
SIEMs continuously build trend data to provide an
evolving capability that improves over time.
• Alerts SIEMs have the capability to sift through
the noise and send or display an alert when
something happens that requires the operator’s
attention. Most SIEMs allow the organization to
tune the thresholds to provide alerts for the
organization’s most critical events.
• Compliance One selling point of SIEMs touted by
vendors is their ability to help an organization
determine and report compliance with regulatory
drivers. Usually this feature is enabled with
templates or plug-ins to help build reports that are
specific to the regulations important to the
organization.
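The aggregation, correlation, and alerting functions above, reduced to a small worked example added here (not the book's code): it parses constructed authentication log lines and raises an alert when one source address produces a burst of failed logins, which is also the "automated authentication attack" weakness listed under Broken Authentication. The threshold and window are the tunable knobs the text describes; their defaults, the log format, and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; not from any real system.
# 198.51.100.7 tries five accounts in eight seconds; 203.0.113.9 fails twice, far apart.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 auth sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:03 auth sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:04 auth sshd: Failed password for bob from 198.51.100.7
2024-05-01T10:00:06 auth sshd: Failed password for carol from 198.51.100.7
2024-05-01T10:00:08 auth sshd: Failed password for dave from 198.51.100.7
2024-05-01T10:00:09 auth sshd: Accepted password for dave from 198.51.100.7
2024-05-01T10:30:00 auth sshd: Failed password for alice from 203.0.113.9
2024-05-01T11:45:00 auth sshd: Failed password for alice from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text: str):
    """Log aggregation step: normalize raw lines into (time, result, user, source) events."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def correlate(log_text: str, threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> list:
    """Correlation and alerting step: raise one alert when a single source produces at
    least `threshold` failed logins inside a sliding `window`. Both values are the
    tunable thresholds the text describes; the defaults here are assumptions."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, user) for recent failures
    alerts = []
    for ts, result, user, src in parse(log_text):
        if result != "Failed":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:     # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": src,
                "first": q[0][0],
                "last": ts,
                "count": len(q),
                "users": sorted({u for _, u in q}),  # many users from one source: spraying
            })
            q.clear()                             # one burst -> one alert, then start over
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)   # one alert for 198.51.100.7 covering alice, bob, carol, dave
```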
EXAM TIP CCISO candidates should be familiar with the purpose and
functions of SIEM systems as well as IDSs and IPSs.
Anti-Forensic Techniques
Cybercriminals are aware of the forensic methods
investigators use to discover digital evidence. In
response, cybercriminals use techniques to try to cover
their tracks. Here are a few anti-forensic tricks the bad
guys use that the CISO should be aware of:
• Overwriting data One way cybercriminals cover
their tracks is to overwrite data or metadata with
patterns or randomized data. If they do it right, it is
hard or impossible for the forensic analysts to
know this has been done. However, the challenge
for the attackers is to know what data to erase in
order to cover their tracks. If they aren’t thorough,
they may miss something and leave evidence
behind.
• Hiding data Data can be hidden inside of file
system structures such as in unused portions of file
tables, inside of directories, or in slack space of
disks. Cybercriminals can also hide data using
steganography or encryption. Encrypting data can
render it unreadable, but if the associated
metadata, such as file headers, is not encrypted, the
existence of the encrypted data can be revealed,
which may indicate to the investigator that
something has happened. Steganography, on the
other hand, hides the data inside of a container
that is normally used for another purpose, such as
an image file. In this case the very existence of the
data may be hard to detect.
• Hiding behaviors Operating systems and
applications create metadata that indicates when
files are created, modified, or accessed.
Cybercriminals use a variety of methods to cover
up their activities by obfuscating metadata that
could normally be used to indicate behaviors.
VULNERABILITY ASSESSMENTS
Vulnerability assessments are tests that are focused on
finding and identifying vulnerabilities in a defined
environment. These assessments vary in scope and
technical depth. For example, a physical vulnerability
assessment may simply consist of a checklist of physical
security controls, whereas a network or system
vulnerability assessment may consist of using a
vulnerability scanning tool to identify technical
vulnerabilities in an environment. Testing may be done
from inside the organization (internal testing) or
external to the organization (external testing).
Vulnerability assessment engagements may include one
or all of the vulnerability assessment testing types:
PENETRATION TESTING
While vulnerability assessments provide a
comprehensive view of an organization’s vulnerabilities
(identify the vulnerabilities), penetration testing shows
how specific vulnerabilities can be exploited to
compromise data or otherwise adversely impact the
organization (demonstrates impact of compromise).
Penetration testing is a targeted test focused on
providing real examples of how an attacker can exploit
vulnerabilities to gain access, escalate privileges, and
ultimately compromise customer or other organization
data. Penetration testing personnel take advantage of
configuration errors, missing patches, and overly
accessible services to try to gain remote access to internal
systems. They also evaluate how deep within the internal
network they can penetrate by taking advantage of
additional discovered vulnerabilities on internal systems,
which can allow external attackers to leap-frog their way
from system to system to gain access to more sensitive
systems or data. Penetration testing methods vary but
typically follow the methodology outlined here:
1. Reconnaissance/discovery Assessors attempt
to gain information about the organization and its
systems. In this step reconnaissance is typically
passive. Passive reconnaissance focuses on being
as covert as possible, collecting information
through web searches and other methods so as to
not directly alert the organization.
2. Enumeration Assessors attempt to gain more
information about systems using active
reconnaissance. Active reconnaissance involves
actively scanning and probing systems to gain
information.
3. Vulnerability analysis Vulnerabilities are
identified and analyzed.
4. Execution/exploitation Vulnerabilities are
exploited to gain a foothold into the system.
5. Documentation of findings Findings are
documented and reported to management as part
of the final report.
• Senior management
• IT department
• Security department
• Risk management department
• Facilities management
• Organizational leaders and executives
• Public relations and communications department
• Legal department
NOTE It is important that the team be made up of people from all key areas
of the organization. In addition, the people responsible for carrying out the
BCP must be involved in the development of the BCP. All these stakeholders
should have input and discuss what is needed from their perspectives.
Together they can work to come up with a plan that addresses the
organization’s critical business needs.
EXAM TIP Although CCISO candidates may not be tested on these exact
BIA steps, they should be familiar with BIA terminology, the purpose of
conducting a BIA, and how the BIA is used for business continuity
management.
NOTE The backup site location should be far enough away from the primary
site that it is not affected by the same disaster, but not too far that moving
costs are extreme. Like everything, the proper distance is a balancing act
based on organizational objectives and priorities.
EXAM TIP CCISO candidates should be familiar with the various facility
and site recovery options and be able to select options based on recovery
objectives or cost considerations.
Data Restoration
The traditional approach to restoration of data lost due
to a disaster is to use a data backup solution. With this
approach, data is backed up to centralized storage such
as cloud storage, network attached storage (NAS), or
storage area networks (SANs). Backup procedures
should be documented, with regular backups taking
place on a daily, weekly, and/or monthly basis. The three
main types of data backups are as follows:
• Full Backs up all files on the system. Provides the
fastest restoration but takes the longest to perform
the backup.
• Incremental Backs up all files that have changed
since the last backup of any type. Backups can be
performed more quickly but restoration takes
longer because the full backup must be restored as
well as each incremental backup performed
thereafter.
• Differential Backs up all files that have changed
since the last full backup. For restoration, the full
backup is restored and then the most recent
differential is restored.
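The three backup types and their restore chains, simulated in Python as an added example (not the book's code): a constructed four-day file history is backed up either incrementally or differentially after a day-0 full backup, and the code works out which sets a restore needs and how many files each schedule copied, which makes the trade-off in the bullets concrete. Deleted files are not modeled.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BackupSet:
    day: int
    kind: str              # "full", "incremental" or "differential"
    files: Dict[str, str]  # filename -> content captured in this set


def take_backups(daily_state: List[Dict[str, str]], strategy: str) -> List[BackupSet]:
    """Simulate a schedule: day 0 is a full backup, later days use `strategy`.
    daily_state[d] is the complete filename -> content picture of the system on day d.
    (Deletions are not tracked here; real backup tools record them too.)"""
    sets = []
    last_full: Dict[str, str] = {}
    previous: Dict[str, str] = {}
    for day, state in enumerate(daily_state):
        if day == 0:
            kind, captured = "full", dict(state)
            last_full = state
        elif strategy == "incremental":
            # files changed since the last backup of ANY type
            kind = "incremental"
            captured = {f: c for f, c in state.items() if previous.get(f) != c}
        elif strategy == "differential":
            # files changed since the last FULL backup
            kind = "differential"
            captured = {f: c for f, c in state.items() if last_full.get(f) != c}
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        sets.append(BackupSet(day, kind, captured))
        previous = state
    return sets


def restore_chain(sets: List[BackupSet], target_day: int) -> List[BackupSet]:
    """Which sets must be restored, in order, to rebuild the state of target_day."""
    full = max((s for s in sets if s.kind == "full" and s.day <= target_day),
               key=lambda s: s.day)
    later = [s for s in sets if full.day < s.day <= target_day]
    if any(s.kind == "incremental" for s in later):
        return [full] + later            # the full plus EVERY incremental after it
    if later:
        return [full, later[-1]]         # the full plus only the most recent differential
    return [full]


def restore(sets: List[BackupSet], target_day: int) -> Dict[str, str]:
    """Apply the chain oldest-first so later changes overwrite earlier content."""
    state: Dict[str, str] = {}
    for s in restore_chain(sets, target_day):
        state.update(s.files)
    return state


def files_written(sets: List[BackupSet]) -> int:
    """Total files copied across the schedule: the backup-time cost of each strategy."""
    return sum(len(s.files) for s in sets)


# Constructed four-day history: a changes on days 1 and 3, b changes on day 2, c never
DAILY_STATE = [
    {"a": "a0", "b": "b0", "c": "c0"},
    {"a": "a1", "b": "b0", "c": "c0"},
    {"a": "a1", "b": "b2", "c": "c0"},
    {"a": "a3", "b": "b2", "c": "c0"},
]

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = take_backups(DAILY_STATE, strategy)
        chain = [s.kind for s in restore_chain(sets, 3)]
        ok = restore(sets, 3) == DAILY_STATE[3]
        print(f"{strategy}: {files_written(sets)} files backed up, "
              f"restore of day 3 needs {len(chain)} sets {chain}, correct={ok}")
```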
EXAM TIP CCISO candidates should be familiar with the different types of
backups.
NOTE For some organizations utilizing cloud services, the cloud service
provider may provide automated backup and recovery functionality as part of
the subscription. This may be included in the offering or available as an add-
on. In either case, it is important to ensure that data in the cloud is backed up
and can be restored just as reliably as data stored locally.
BCP Confidentiality
Most organizations have two versions of their business
continuity plan, an internal version and a sanitized
version to share with customers and other critical
partners. Customers in particular may be interested to
know that the organization has a BCP, and some may
require receiving a version of it to satisfy their own
compliance requirements. However, the BCP by its
very nature is a sensitive document that could cause
harm to the organization if released. It details the
recovery technologies, solutions, and strategies utilized
by the organization in the event of a disaster. This
information could be very valuable to an attacker. This
is why a sanitized “public” version is developed. The
sanitized BCP should not contain
• Contact lists
• Business recovery procedures
• Process flows
• Risk mitigation methods
• BIA results
EXAM TIP CCISO candidates should be familiar with the different types of
business continuity and disaster recovery plan tests.
After a test is completed, the team should conduct and
document a lessons learned session. The lessons learned
should indicate any deficiencies identified or other
significant findings that need to be remediated. This
information should be reviewed, reported to
management, and added to the plan to improve its
effectiveness where applicable. As part of plan testing, it
is crucial to ensure that recovery personnel are trained
on their roles and responsibilities regarding plan
execution. Training frequency will vary from
organization to organization based on the needs of the
organization and risks identified. However, training
should occur upon hire and typically annually, at a
minimum. Recovery personnel should be trained on the
following plan elements, at a minimum:
• Purpose of the plan
• Communication and coordination process
• Reporting process
• Security requirements
• Individual responsibilities as well as team-specific
responsibilities and processes
• Responsibilities in each phase of the plan
(initiation, activation, recovery, reconstitution)
CHAPTER REVIEW
The CISO should have a solid understanding of the core
competencies of information security. The core
competencies can be considered in three groups:
• Threats from cyberattacks
• Technical security domains
• Management and procedural security domains
QUICK REVIEW
• Ransomware is a type of malware that forces its
victim to choose between paying a ransom or losing
valuable assets.
• Social engineering is more effective and used more
successfully by cybercriminals than purely
technical attacks.
• Organizations can best defend against social
engineering attacks with a comprehensive program
consisting of employee training, testing, practicing,
and monitoring.
• Asset security controls are often implemented as
part of an information security control life cycle
framework, as described in Chapter 2.
• The term data at rest refers to data residing on
persistent storage devices such as hard drives, flash
drives, optical disks, magnetic tape, or other
storage devices.
• The term data in transit (also known as data in
motion) refers to data that is moving between
computing nodes on a network.
• The term data in use refers to data currently being
processed or used by the system or applications.
• The three main types of authentication include
something you know (such as a password,
passphrase, or PIN), something you have (such as a
token device, smart card, or USB drive), and
something you are (biometrics such as voice,
fingerprint, or palm scan).
• The use of only one of these factors is known as
single-factor authentication. The use of two
authentication factors is known as dual-factor
authentication (such as a smart card and PIN,
password and biometric, or password and physical
token). Multifactor authentication is the use of two
or more factors.
• The primary access control models include
mandatory, discretionary, attribute-based, and
role-based access control.
• Identity and access management follows a general
life cycle that includes provisioning the identity and
accounts, reviewing the identity and accounts, and
revoking the accounts.
• Key security features of networks include network
segmentation, firewalls, DMZs, VPNs, and
IDS/IPS.
• Symmetric encryption, also known as symmetric
key cryptography, is characterized by the use of a
single key for encryption and decryption.
• Asymmetric encryption, also known as public key
cryptography, is characterized by the use of two
keys, a public key and a private key that are
mathematically related.
• The three primary cloud service models include
Infrastructure as a Service (IaaS), Platform as a
Service (PaaS), and Software as a Service (SaaS).
• There are four types of cloud deployment models:
public, private, hybrid, and community.
• When it comes to physical security, the most
important thing is protecting the safety of
employees and other people within the work
environment.
• Software developers should receive specialized
training in how to create applications that do not
contain security vulnerabilities.
• Most computer crime laws contain provisions to
protect the public against the following:
• Unauthorized access
• Insertion of malicious code
• Unauthorized modification or destruction of data
• Unauthorized disclosure of information
• Security assessments include vulnerability
assessments, penetration testing, regulatory
compliance assessments, and security program
assessments.
• Business continuity planning is long-term planning
focused on continuity of critical business functions.
The goal is to ensure the business can continue to
operate in the event of a disaster.
• Disaster recovery planning is typically very IT
focused and concentrated on returning resources to
an operational state after a disaster occurs to
ensure the continuity of an organizational process.
• The business impact analysis (BIA) is a functional
risk analysis for continuity planning to determine
organizational and system requirements,
interdependencies, contingency requirements, and
priorities in the event of a significant interruption.
It is essentially the risk analysis for business
continuity management.
QUESTIONS
1. An organization’s security team discovers a
computer virus that is replicating itself and
spreading from one computer to the next on the
network. This is an example of what type of
malware?
A. Worm
B. Trojan
C. Botnet
D. Ransomware
2. Of the methods listed, what is the best
countermeasure against social engineering
attacks?
A. Training
B. Practice and drills
C. Observation
D. Reading
3. Which of the following is an integrated approach
to endpoint management that allows for specific
policies to govern the security requirements for
assets connecting to the organization’s network?
A. Antivirus
B. Mobile device management
C. Network access control
D. Configuration baselining
4. The CISO of an organization wants to ensure that
sensitive data is not recoverable from media before
a system is disposed of. Which of the following is
not an appropriate data sanitization technique to
accomplish this goal?
A. Physical destruction
B. Zeroization
C. Purging
D. Erasure
5. A CISO is reviewing the organization’s access
control policies and procedures. The organization
implements access control based on who the
requestor is, what resource is being requested, and
the time of access. What type of access control
model is this?
A. Centralized
B. Mandatory
C. Attribute-based
D. Role-based
6. The security operations staff has adjusted the
thresholds of the IDS because staff members were
unable to keep up with all the nonintrusive
activities being reported. This is an example of
what practice?
A. Packet filtering
B. IDS scaling
C. IDS tuning
D. IDS resource adjustment
7. Which of the following is a disadvantage of
symmetric cryptography compared to asymmetric
cryptography?
A. It encrypts data quickly.
B. It can encrypt only small amounts of data.
C. It uses weak encryption.
D. It does not scale well with large numbers of users.
8. The CISO is working with the CIO to evaluate a
new cloud-based hosted e-mail service provider.
Which of the following cloud service models best
represents this offering?
A. IDaaS
B. PaaS
C. SaaS
D. IaaS
9. What is the best way to determine whether a web
application developed in-house is vulnerable to
scripting attacks?
A. Conduct static testing of the deployed software
B. Conduct dynamic testing of the deployed software
C. Both A and B
D. Neither A nor B
10. A disgruntled employee breaks into the
organization and steals critical data after finding
out he will be laid off due to downsizing. This is an
example of what type of physical security threat?
A. Manmade threat
B. Natural threat
C. Environmental threat
D. Supply system threat
11. The CISO decides a laptop should be forensically
investigated to see if plaintext customer data is
stored on it. Which of the following best describes
how to analyze the data?
A. To preserve the evidence on the laptop’s hard
drive, make a digital copy of it and analyze the
copied data
B. Reboot the system to clear out any scripts or
malware
C. Analyze the data directly on the laptop’s hard
drive, as copying the data may alter it
D. Follow chain of custody by labeling the laptop and
hard drive
12. A CISO of a health care organization is reviewing
the organization’s policies and procedures to
ensure they comply with HIPAA. What type of
security assessment is this an example of?
A. Regulatory compliance assessment
B. Application security assessment
C. Vulnerability assessment
D. Penetration testing
13. The CISO is working with the BCP coordinator to
perform a business impact analysis for the
organization. They must determine the maximum
amount of time that a resource can be unavailable
before affecting critical functions or processes.
Which of the following terms best represents this?
A. Maximum tolerable downtime (MTD)
B. Recovery point objective (RPO)
C. Recovery delimiter objective (RDO)
D. Business impact analysis (BIA)
ANSWERS
1. A. A computer virus that makes copies of itself
and sends them to other computers is called a
worm. The other types of malware listed in the
question have other characteristics: a Trojan
disguises itself as another program, a botnet is a
network of infected systems under the control of
cybercriminals, and ransomware is a type of attack
in which cybercriminals attempt to collect a
ransom from the victim.
2. B. Training, observation, and reading can all be
helpful, but practice and drills provide reinforcing
knowledge that helps people prepare for how to
act in a particular situation.
3. C. Network access control (NAC) is an integrated
approach that allows for specific policies to be
defined that govern the requirements for network
access. For example, a NAC policy may disallow
devices on the network that do not meet specific
security requirements such as having antivirus
installed.
4. D. Erasure is not a secure method of data
disposal. When an erasure command is issued, the
data storage location on the drive is marked as free
for use but the data is still on the media until it is
overwritten by a subsequent operation.
5. C. Attribute-based access control (ABAC) is based
on defined policies specifying which subjects can
access certain objects and how they can access
them, based on the specific objects being accessed
and other environmental conditions, like time and
location. Centralized access control is a type of
access control administration, not an access
control model. Mandatory access control (MAC)
decisions are based on the clearance of the subject
and the classification of the object. In role-based
access control (RBAC), the user’s access is based
on their role in the organization.
6. C. Intrusion detection system (IDS) tuning is
performed to achieve the optimum level of
detection and reporting.
7. D. One disadvantage of symmetric cryptography
is that it does not scale well with large numbers of
users. This is one of the main reasons that hybrid
cryptosystems are utilized: they use symmetric
keys for encryption and share those keys using
asymmetric cryptography.
8. C. Software as a Service (SaaS) offerings provide
the customer the finished product as a service,
such as a cloud-based e-mail service. All the
maintenance of the infrastructure, OS, databases,
storage, and such is handled by the SaaS provider.
Identity as a Service (IDaaS) is a cloud-based
service that provides a set of identity and access
management functions and is not one of the
primary service models. Platform as a Service
(PaaS) is a form of cloud computing that allows
customers to manage applications without
managing the infrastructure in-house.
Infrastructure as a Service (IaaS) is a form of
cloud-based computing that provides virtualized
computing resources.
9. C. All developed applications should undergo
both static and dynamic testing prior to
deployment in the enterprise.
10. A. A disgruntled employee breaking into an
organization to steal critical data is an example of
a manmade threat.
11. A. Make a digital copy of the data and analyze it.
Do not reboot suspected equipment, as rebooting
will alter data on the storage media in some
fashion. Never perform analysis directly on the
suspect media. While labeling the laptop and hard
drive is a good idea, it is not the best answer to the
question of how to analyze the data.
12. A. Reviewing an organization’s policies and
procedures to ensure compliance against a
regulatory driver such as the Health Insurance
Portability and Accountability Act (HIPAA) is an
example of a regulatory compliance assessment.
13. A. The maximum tolerable downtime (MTD) is
the maximum amount of time that a resource can
be unavailable before affecting critical functions or
processes.
CHAPTER 5
Strategic Planning, Finance,
Procurement, and Vendor
Management
This chapter discusses the following topics:
• Strategic planning
• Making security decisions
• Financial management
• Procurement and vendor management
STRATEGIC PLANNING
The previous chapters discussed the myriad activities
that can be conducted as part of an organization’s
information security program. These activities include
streams of work (or subprograms), security projects, and
core competencies addressing threats, external and
internal drivers, and compliance requirements. But how
does an organization know what to do, when to do it, the
amount of resources to apply, and what takes priority?
Some of these decisions can be aided by the risk analysis
portion of the risk management activities discussed in
Chapter 1. But risk analysis is only part of the solution
because it only addresses specific assets and does not
address the organization’s business strategy. To
determine how to execute the security program,
prioritize security activities, and establish a roadmap for
accomplishing security goals, strategic planning is a
useful tool.
Strategic planning helps an organization understand
what is most important and therefore determine what to
do when and what resources to apply. You can’t boil the
ocean, so you have to prioritize. The organization’s
culture and workplace climate should be shaped into
what leadership wants them to be; they can’t be left up to
chance. These things are addressed through a well-
conceived and well-implemented strategic plan.
Strategic planning for the entire organization is
performed by the organization’s leadership. The CISO
may very well be part of the team that creates the
organization’s strategic plan. Security strategic planning
is a subset of the organization’s strategic planning.
This section discusses the following topics:
• Drive
• Creativity
• Curiosity
• Integrity
• Adaptability
• Humility
• Accountability
For each action, the CISO and the security team can
define measurable goals to be used to monitor and track
performance and success. In addition, each action can be
scoped to determine the resources required. Resource
estimates include staffing, hardware, software, and
outside services to be procured. Then, cost estimates can
be prepared to establish the budgets to support these
activities. In practice, one of the key uses for a strategic
plan is to establish budgets for the security organization.
By linking the security budget to the strategic plan,
spending can be allocated to activities the organization
feels are the most important and spending priorities can
be established.
ENTERPRISE ARCHITECTURE
One method used to translate security business drivers
to security decisions is to follow a framework to produce
an enterprise information security architecture (EISA).
Enterprise architecture (EA) is the practice of
diagramming and documenting the architecture of the
enterprise to assist decision makers with aligning the
organization’s strategy around the business’s people,
processes, and technologies. EISA is simply applying an
EA approach to the security program. The CISO can use
an EA model to break down and document the
information security program architecture and how it
relates to the enterprise from a high-level business
architecture perspective (such as an organizational
chart) all the way down to low-level technical
architecture processes (such as data flow diagrams or
network architecture diagrams). The goal is to ensure
that these components (such as security software,
hardware, solutions, technologies, projects, processes,
and operations) align and integrate with the
organization’s enterprise architecture, strategy, and
business drivers. This allows for proactive decision
making around solutions and technologies to enable
efficiency and alignment.
An organization’s enterprise architecture can
generally be split into sub-architectures, such as
business, information, application, and technical
architecture, with information security components and
implications throughout these layers, as illustrated in
Figure 5-2. EA is essentially a conceptual framework for
architecture analysis that includes a documenting and
diagramming exercise that occurs at different layers of
the enterprise.
Zachman
The Zachman Framework is a model for the development
of enterprise architectures that was developed by John
Zachman. It is not a methodology as it does not prescribe
a specific process to be used. Rather, it provides a
schema that can be used to define and document the
enterprise architecture of the organization around
specific functions, elements, and processes by creating
specific artifacts (such as inventory lists, design
documents, process lists, data flow diagrams, and other
documentation).
The model consists of a matrix of classification names
(What, How, Where, Who, When, and Why) intersected
with audience perspectives (Executive, Business
Management, Architect, Engineer, Technician, and
Enterprise). This allows for the documentation and
integration of differing enterprise viewpoints and
perspectives of the organization by answering the
questions outlined in the classification names. For
example, the executive team (business context) will have
a different view of the enterprise from that of the
technicians (business component implementers).
Documenting these perspectives helps to achieve an
integrated and holistic approach to enterprise
architecture. A simplified instance of the framework is
illustrated in Table 5-1. Remember that an EA is
essentially an exercise in documenting and diagramming
the architecture of the enterprise. The Zachman schema
in Table 5-1 is essentially a list of all the artifacts that
should be documented or diagrammed and how they relate
to the various perspectives of the enterprise architecture.
Table 5-1 Zachman Framework Example
FEAF
The Federal Enterprise Architecture Framework (FEAF)
is an enterprise architecture framework developed by the
Federal CIO Council in response to requirements
outlined in the Clinger-Cohen Act of 1996 requiring
branches of the US government to develop and maintain
an enterprise architecture framework. The goal was to
help federal agencies utilize a common language to
analyze their enterprise architecture investments and
identify what “good” looks like. The framework consists
of six reference models, illustrated in the FEAF Version 2
Consolidated Reference Model (CRM) in Figure 5-3,
describing these architecture domains:
• Performance
• Business
• Data
• Application
• Infrastructure
• Security
Figure 5-3 Federal Enterprise Architecture Framework
Version 2 Consolidated Reference Model
(Source:
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/fea_v2.pdf)
Similar to the architecture layers discussed earlier in
this section (business, information, application, and
technical), each layer in FEAF drives and prescribes
requirements to the next layer with security implications
throughout (indicated with the security reference
model).
SABSA
The Sherwood Applied Business Security Architecture
(SABSA) framework is a model and methodology for
developing an enterprise information security
architecture. It is similar to the Zachman Framework in
terms of the structure of the framework model (as shown
in Table 5-1), but SABSA is also a methodology, meaning
it includes process and life cycle guidance for building
and maintaining the EISA. The SABSA framework breaks
down concepts and requirements from the high-level
perspective (Contextual) down to the low-level
technologies and applications (Component) with an
overlay of the Management architecture. The goal is to
remove abstraction, increase granular definition, and
build upon the concepts of other architecture levels.
TOGAF
The Open Group Architecture Framework (TOGAF) is an
enterprise architecture framework based on the US DoD
Technical Architecture Framework for Information
Management (TAFIM). TOGAF provides a process life
cycle methodology for designing, implementing, and
governing an enterprise architecture using the TOGAF
Architecture Development Method (ADM). Figure 5-4
provides an illustration of an architecture development
cycle based on TOGAF ADM. The process is an iterative
one with a focus on requirements and objectives. This is
evident in the fact that each phase of the life cycle
includes requirements and objectives checks.
Figure 5-4 Example architecture development cycle
FINANCIAL MANAGEMENT
CISOs are business leaders and the scorecard for the
success of any business is money. This is why the CISO
not only should possess good leadership and technical
skills but should also have a strong grasp of business
accounting and finance fundamentals. The CISO needs
to be able to speak the language of finance with all of the
other leaders of the organization. Every CISO should
know how to read a balance sheet and income statement
and grasp key concepts such as capital expenses and
operating expenses. In addition, the CISO must be able
to manage the finances of the security department, which
may have an annual budget of tens of millions of dollars
or more. This section presents an overview of financial
management concepts and terminology that are relevant
to the CISO:
• Accounting and finance basics:
• The accounting system
• Key concepts and terms
• Income statement
• Balance sheet
• Capital expenses and operating expenses
• The accounting cycle
• Information security annual budget
Income Statement
The income statement generally has two sections:
Balance Sheet
The balance sheet generally has three sections that
report the organization’s financial state as of a certain
date, most often at the end of an accounting period:
• Assets Assets are things of value held by the
organization. Examples of assets are cash, accounts
receivable, equipment, and furniture.
• Liabilities Liabilities are what the organization
owes to other businesses or individuals. Examples
are accounts payable, payroll taxes payable, and
loans payable.
• Equity The net worth of the business. Also called
owner’s equity or capital, equity consists of cash
put into the organization by investors, plus net
profits of the business that have not been paid out
to the owners (called retained earnings).
Initiate
The procurement process begins with the identification
of a requirement or set of requirements for a new item,
group of items, or service. The requirement may be as
simple as “we need a Phillips screwdriver” or may be
complex enough to require an entire specification.
During the initiate step, it is not uncommon for the
requestor (the person or team that needs the item) to
engage with potential vendors to further develop the
requirement(s) and/or develop cost estimates for the
item.
Once the requirement is identified, the requestor
performs an estimate of the approximate cost for the
purpose of obtaining approval to proceed with the
procurement. Cost estimates may be developed in-house,
may be based on historical data, or may come from
vendors. Each organization has its own requirements for
how cost estimates are prepared and how they are to be
presented to the people in the approval cycle.
In addition to requirements and cost estimates,
justification for the purchase of the item may be
required, depending on the rules of the organization. The
justification for the item states the reason for the request
and may include backup material or attachments if the
organization requires supporting documentation.
Once the requestor prepares the required information
describing the requirement, justification, and cost
estimate, the request is routed to the proper people for
review and approval according to the organization’s
approval rules. Once approval is obtained, the purchase
can move on to the next step.
Solicit
Once the procurement is approved, the organization’s
procurement group can release or publish the
requirement to industry and obtain bids. To do this, the
procurement group needs a list of potential suppliers.
Some organizations, such as US federal agencies, may
publish a Request for Information (RFI) or a Sources
Sought request, asking for parties who may be interested
in bidding to identify themselves. Sometimes these
requests contain a requirement whereby potential
bidders are asked to submit their qualifications and
capabilities, or respond to a questionnaire, in order to
get on a bidders list. The organization should do as much
outreach as possible to line up potential bidders that can
provide the products or services that meet the
organization’s standards.
The requestor prepares the solicitation documents to
be provided to bidders. This may be as simple as a line of
text such as “screwdriver, Phillips #2” or an entire
solicitation package that includes a specification,
statement of work (SOW), and list of deliverables. For
procurement of a system or service, here is a list of items
that may be included in the solicitation package sent to
potential bidders:
• Statement of work Included in the solicitation
package will be some form of document that
defines the scope of the effort that will be the
subject of the contract between the buyer and the
seller. This may be in the form of a statement of
work, but some organizations use performance
work statements or other documents. The SOW
defines the scope of the services or a description of
the product to be provided, along with supporting
information such as schedules, lists of items to be
delivered, assumptions, and constraints.
• Specification For more complex needs a
specification or list of requirements may be
developed. The specification contains a description
of the requirements of the product or system.
Specifications are most helpful when the need is for
an item (hardware or software) to be developed,
although specifications can also be helpful for
procuring off-the-shelf items.
• Contract or terms and conditions The
solicitation package should contain a draft of the
proposed contractual agreement the organization
intends to use. The contract will be the legal
agreement between the buyer and seller that sets
forth the terms, conditions, and obligations of each
party for the fulfillment of the requirements by the
seller and the payments by the buyer.
• Evaluation and award criteria Sometimes the
organization publishes a description of how it will
go about choosing the winner of the competitive
procurement. Such a description is helpful to
bidders as it can guide them to propose a solution
that is tuned to the organization’s needs. There are
several types of evaluation methods, but these are
the most common:
• Lowest price technically acceptable
(LPTA) LPTA simply means the bidder with the
lowest price wins. All of the bidders that offer a
solution (product or service) that meets the
requirement qualify, and whichever bidder has
the lowest price is awarded the purchase. Note,
however, that the criterion is simply “technically
acceptable.” With LPTA there is no concept of
comparing proposals to determine if one bidder’s
solution is better or worse than another’s. For
that kind of comparison, best value is used.
• Best value A best value evaluation takes into
account how well an offeror’s proposal meets the
requirement or evaluation factor. It allows for a
comparison of the extent to which the
requirement, or each of the requirements, is met
and permits an award to the bidder that provides
the best solution even if the bidder did not
propose the lowest price. Many procurements for
development projects or for the acquisition of
complex products or systems use best value
criteria.
• Proposal submission instructions The
solicitation package should contain instructions for
how the bidders should prepare and submit
proposals. The purpose of this is twofold. First, it
ensures that each bidder provides the essential
information needed by the organization to choose a
winner. Second, it enables an easier comparison of
the bids because they will all look similar and
contain similar information about each bidder’s
offering. Providing clear proposal preparation
instructions is one way to ensure a level playing
field and a fair competition.
The solicitation package is provided to all potential
bidders and includes a specific due date and time.
This ensures all bidders have the same amount of
time to prepare their bid and is another way to
ensure fairness.
Award
The organization evaluates all proposals in accordance
with the predetermined evaluation criteria. It is
important to follow such criteria and to ensure that they are
applied consistently to all proposals. If during the
evaluation the organization discovers that it needs
additional information from some or all of the bidders, it
can make requests for additional information or revised
proposals. In such a circumstance, the organization may
decide to release an updated SOW or other corrected
information, as it is not uncommon for the organization
to discover errors or shortcomings in the solicitation
package.
During the period when information is being
exchanged with offerors regarding their proposals, the
organization should adhere to the following ethics rules:
• Exchange information in writing. The organization
should avoid verbal instructions to offerors and
always provide them in writing.
• Provide the same information to all offerors except
when doing so would reveal proprietary
information about one offeror’s bid to another. For
instance, if there is a shortcoming in one offeror’s
bid that requires an update, that request should not
be revealed to another bidder (although it should
be documented so it can be reviewed later if
necessary).
• Provide the same opportunity to all offerors. For
instance, if the due date for a proposal is extended
for one bidder, it should be extended for all.
• 0 – No data
• 1 – Unsatisfactory
• 2 – Satisfactory
• 3 – Good
• 4 – Excellent
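The two evaluation methods described in the Solicit step, LPTA and best value, applied to the 0–4 rating scale above. This is an added example and not the book's own material; the offerors, prices, evaluation factors and weights are constructed sample data, and the minimum-acceptable rating and price-scoring rule are assumptions.

```python
"""Added example, not from the book: bid evaluation under lowest price
technically acceptable (LPTA) and best value, using the 0-4 rating scale.
Offerors, prices, factors and weights below are constructed sample data."""
from dataclasses import dataclass
import math

# Adjectival rating scale from the text.
RATING_SCALE = {0: "No data", 1: "Unsatisfactory", 2: "Satisfactory",
                3: "Good", 4: "Excellent"}
MAX_RATING = max(RATING_SCALE)


@dataclass(frozen=True)
class Bid:
    offeror: str
    price: float              # total proposed price
    ratings: dict             # evaluation factor -> rating 0..4


def validate_bids(bids, factors):
    """Consistency check: every bid is rated on the same published factors,
    with ratings drawn only from the published scale (the 'apply the
    criteria consistently to all proposals' rule)."""
    for bid in bids:
        if set(bid.ratings) != set(factors):
            raise ValueError(f"{bid.offeror}: rated on different factors")
        for factor, rating in bid.ratings.items():
            if rating not in RATING_SCALE:
                raise ValueError(f"{bid.offeror}/{factor}: {rating} not on scale")
        if bid.price <= 0:
            raise ValueError(f"{bid.offeror}: price must be positive")


def is_technically_acceptable(bid, minimum=2):
    """Assumed screen: every factor at least Satisfactory (2).
    A factor rated 0 (no data) therefore fails."""
    return all(r >= minimum for r in bid.ratings.values())


def lpta_award(bids, factors, minimum=2):
    """LPTA: screen on acceptability, then award to the lowest price.
    Technical merit beyond 'acceptable' is deliberately not compared."""
    validate_bids(bids, factors)
    acceptable = [b for b in bids if is_technically_acceptable(b, minimum)]
    if not acceptable:
        return None
    return min(acceptable, key=lambda b: b.price).offeror


def technical_score(bid, weights):
    """Weighted average rating, scaled to 0..100."""
    raw = sum(weights[f] * bid.ratings[f] for f in weights)
    return 100.0 * raw / MAX_RATING


def best_value_scores(bids, weights, price_weight, minimum=2):
    """Best value: acceptable bids are scored on how well they meet each
    factor and on price, so the best solution can win without being the
    cheapest. Returns {offeror: combined score} for acceptable bids."""
    if not math.isclose(sum(weights.values()), 1.0):
        raise ValueError("factor weights must sum to 1")
    if not 0.0 <= price_weight < 1.0:
        raise ValueError("price weight must be in [0, 1)")
    validate_bids(bids, list(weights))
    acceptable = [b for b in bids if is_technically_acceptable(b, minimum)]
    if not acceptable:
        return {}
    lowest = min(b.price for b in acceptable)
    scores = {}
    for b in acceptable:
        price_score = 100.0 * lowest / b.price   # cheapest acceptable bid = 100
        scores[b.offeror] = ((1.0 - price_weight) * technical_score(b, weights)
                             + price_weight * price_score)
    return scores


def best_value_award(bids, weights, price_weight, minimum=2):
    scores = best_value_scores(bids, weights, price_weight, minimum)
    return max(scores, key=scores.get) if scores else None


# Constructed sample solicitation: three factors, one of them security.
WEIGHTS = {"experience": 0.5, "approach": 0.3, "security": 0.2}
SAMPLE_BIDS = [
    Bid("Alpha", 100_000, {"experience": 2, "approach": 2, "security": 2}),
    Bid("Bravo", 130_000, {"experience": 4, "approach": 4, "security": 3}),
    Bid("Charlie", 90_000, {"experience": 1, "approach": 3, "security": 4}),
    Bid("Delta", 95_000, {"experience": 3, "approach": 0, "security": 3}),
]

if __name__ == "__main__":
    print("LPTA award:", lpta_award(SAMPLE_BIDS, list(WEIGHTS)))
    for name, score in sorted(best_value_scores(SAMPLE_BIDS, WEIGHTS, 0.3).items()):
        print(f"{name}: {score:.1f}")
    print("Best value award:", best_value_award(SAMPLE_BIDS, WEIGHTS, 0.3))
```

With the sample data, Charlie (cheapest) and Delta fail the acceptability screen under both methods, LPTA awards to Alpha on price alone, and best value awards to Bravo despite its higher price.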
Acquire
Once the purchase order or contract is signed, the offeror
is obligated to deliver the product or service in
accordance with the terms and conditions. Usually the
quality assurance function within the organization is
involved in assessing the item or items that are delivered
to ensure that they are in compliance with the
requirements of the contract. Testing may be a part of
the quality assurance process to ensure that the delivered
item or items meet requirements. Security testing to
validate any security requirements may also occur.
TYPES OF CONTRACTS
Products and services subject to the procurement
process can be acquired using any number of contract
vehicles. The term contract vehicle refers to the legal
mechanism that establishes the business relationship
between the buyer and the seller. This section introduces
common kinds of contract vehicles available to the
organization and the CISO. These contracts can be used
to acquire any product or service, including security
products and services procured by the CISO.
Contract delivery terms can take one of two forms:
• Completion A completion contract is one in which
the work (meaning the product or service) must be
delivered or completed before payment is due. For
instance, if the contract is for the acquisition of an
IDS solution, payment may be due upon delivery of
the IDS. These are completion terms.
• Level of effort (LOE) An LOE contract is one in
which payments are made over a stated period of
time. Usually used for services contracts, an LOE
contract allows the seller to receive payments
during the term of the work instead of having to
wait until all the work is completed. LOE payments
may be based on a variety of methods, including
hours worked, incremental deliveries of
capabilities, the achievement of milestones, or
simply a percentage of the total effort.
SCOPE AGREEMENTS
Contracts have some method of defining the scope of
work or description of services to be performed. The
most common method for defining the scope of the work
is to use one of the following document types:
• Statement of work (SOW) An SOW is a
description of the work to be performed. It
describes what work is required and how it is to be
done. Therefore, the SOW is very prescriptive in
that it tells the seller not only what should be done
but how to do it.
• Performance work statement (PWS) In
contrast to an SOW, a PWS does not describe how
the work is to be done. Instead, the PWS lays out
the work in terms of the outcomes or results that
are to be produced. The PWS also defines
measurable performance standards and identifies
how the buyer will measure the outcomes. Since
the outcomes are clearly defined, it is entirely up to
the seller to decide how they will accomplish the
work and meet the outcomes.
• Statement of objectives (SOO) An SOO is used
when the organization (buyer) does not want to
define how the work is to be accomplished (as in an
SOW) and does not have enough information to be
able to define measurable performance outcomes
(as in a PWS). Instead, the buyer outlines general
objectives for the seller to achieve, and it is up to
the seller to create the SOW or PWS (or both).
• Service-level agreement (SLA) An SLA is used
to define the services a contractor will perform for
the buyer. It is especially helpful for x-as-a-service
contracts in which the seller provides a service that
is traditionally performed by the organization in-
house. Similar to a PWS, the SLA lays out the
provider’s performance obligations in measurable
terms. However, the SLA contains additional
features that provide remedies for the seller’s
failure to achieve objectives, such as fee reductions,
service credits, or termination provisions.
CHAPTER REVIEW
Strategic planning helps an organization understand
what is most important and use that information to
make decisions. Strategic planning for the entire
organization is performed by the organization’s
leadership. The CISO may very well be part of the team
that creates the organization’s strategic plan. Security
strategic planning is a subset of the organization’s
strategic planning.
Understanding, interpreting, and translating security
business drivers allows the CISO to make important
decisions regarding aspects of the security program
(such as security goals, objectives, policies, procedures,
architecture, and controls). To accomplish this decision-
making process, some organizations use informal
approaches (such as casual conversations, meetings, or
informal assessments) while others use more rigorous
structured approaches (such as a formal process,
framework, risk assessment, or enterprise architecture
model).
The CISO should have a strong grasp of business
accounting and finance fundamentals. The CISO needs
to be able to speak the language of finance, know how to
read a balance sheet and an income statement, and grasp
key concepts such as capital expenses and operating
expenses. In addition, the CISO must be able to manage
and justify the finances of the security department.
The security department should be involved in all
acquisitions of products and services by the organization
in order to ensure vulnerabilities are not introduced into
the environment. The basic steps of the procurement
process are initiate, solicit, award, and acquire. Security
should be involved in each step of the process. CISOs
should ensure that the use of third parties does not
introduce vulnerabilities into the environment by
implementing a third-party risk management program.
QUICK REVIEW
• In security strategic planning, it is important for
each goal to be necessary, attainable, and
verifiable.
• Following an enterprise architecture framework is
one method for translating security business
drivers to security decisions to produce an
enterprise information security architecture
(EISA).
• An EA model can be used to break down and
document the information security program
architecture and how it relates to the enterprise
from a high-level business architecture perspective
to low-level technical architecture processes.
• The accounting cycle is a workflow followed by the
finance/accounting staff to implement the process
of creating, organizing, and recording the financial
transactions of the organization.
• Organization accounting systems include a data
processing system used in conjunction with
accounting policies and procedures following
GAAP.
• An income statement is a summary of the
organization’s financial activity during a period of
time.
• A balance sheet is a snapshot of the organization’s
financial position at a given point in time.
• Many CISOs use a combination of zero-based
budgeting, baselining, and value-based methods to
create and justify the information security budget.
• Procurement is the process of acquiring goods and
services.
• The most common method for defining the scope of
the work performed by a vendor is by using a
document such as a statement of work,
performance work statement, statement of
objectives, or service-level agreement.
QUESTIONS
1. Which of the following would not be considered an
essential component of the strategic planning
process?
A. Select the right people to be on the team
B. Acquire a planning tool
C. Select a model to follow
D. Set a schedule
2. Which of the following techniques might a CISO
use to translate security business drivers to
security decisions?
A. Informal meetings
B. Enterprise architecture frameworks
C. Risk management exercises
D. All of the above
3. Which of the following are most commonly found
on a balance sheet?
A. Revenue, liabilities, and equity
B. Revenue, liabilities, and profits
C. Revenue, expenses, and profits
D. Assets, liabilities, and equity
4. Which of the following are foundational pillars of
procurement?
A. Source selection, proposal, evaluation
B. Revenue, liabilities, and profits
C. Competition, ethics, value
D. Accountability, ethics, source selection
5. An organization wants to purchase a turnkey
inventory management system consisting of
hardware and software. The organization wants to
keep the price low, but its most important criteria
are the experience and capabilities of the
contractor. Which procurement method is best for
this situation?
A. Best value
B. Lowest price technically acceptable (LPTA)
C. Cost plus
D. Time and materials
ANSWERS
1. B. A planning tool is useful but is not essential. It’s
more important to select the right people to be
involved, select an established model to follow,
and choose a schedule and stick with it.
2. D. All of the above. A CISO may utilize informal
meetings, an enterprise architecture framework,
or a risk management exercise to facilitate the
translation of security business drivers to security
decisions.
3. D. A balance sheet most commonly shows the
organization’s assets, liabilities, and equity at a
given point in time. Revenue, expenses, and
profits are shown on an income statement.
4. C. Foundational pillars of procurement include
competition, ethics, fairness, value, accountability,
and reporting. Source selection, proposal, and
evaluation are not pillars of procurement.
Revenue, liabilities, and profits are features of
accounting, not procurement.
5. A. The best value procurement method lets the
organization select the vendor whose proposal best
meets its requirements, weighing technical merit
and contractor experience against price. LPTA
would force the organization to choose the lowest-
priced proposal that meets the minimum
requirements, so experience could not outweigh
price. Cost plus and time and materials are
contract pricing types, not source-selection
methods.
APPENDIX
SYSTEM REQUIREMENTS
The current and previous major versions of the following
desktop browsers are recommended and supported:
Chrome, Microsoft Edge, Firefox, and Safari. These
browsers update frequently, and sometimes an update
may cause compatibility issues with the TotalTester
Online or other content hosted on the Training Hub. If
you run into a problem using one of these browsers,
please try using another until the problem is resolved.
PRIVACY NOTICE
McGraw Hill values your privacy. Please be sure to read
the Privacy Notice available during registration to see
how the information you have provided will be used. You
may view our Corporate Customer Privacy Policy by
visiting the McGraw Hill Privacy Center. Visit the
mheducation.com site and click Privacy at the
bottom of the page.
TOTALTESTER ONLINE
TotalTester Online provides you with a simulation of the
CCISO exam. Exams can be taken in Practice Mode or
Exam Mode. Practice Mode provides an assistance
window with hints, references to the book, explanations
of the correct and incorrect answers, and the option to
check your answer as you take the test. Exam Mode
provides a simulation of the actual exam. The number of
questions, the types of questions, and the time allowed
are intended to be an accurate representation of the
exam environment. The option to customize your quiz
allows you to create custom exams from selected
domains or chapters, and you can further customize the
number of questions and time allowed.
To take a test, follow the instructions provided in the
previous section to register and activate your Total
Seminars Training Hub account. When you register you
will be taken to the Total Seminars Training Hub. From
the Training Hub Home page, select CCISO™ All-in-
One Exam Guide TotalTester from the Study drop-
down menu at the top of the page, or from the list of
Your Topics on the Home page. You can then select the
option to customize your quiz and begin testing yourself
in Practice Mode or Exam Mode. All exams provide an
overall grade and a grade broken down by domain.
TECHNICAL SUPPORT
For questions regarding the TotalTester or operation of
the Training Hub, visit www.totalsem.com or e-mail
[email protected].
For questions regarding book content, visit
www.mheducation.com/customerservice.
INDEX
B
backdoors, 171
backups
asset security, 183
data restoration, 283
baiting in social engineering, 173
balance sheets, 318–319
baselines
budgets, 133, 324
configuration, 180–181, 183
security control framework, 88
security policies, 29
BCP/DR. See business continuity and disaster recovery
(BCP/DR)
best value in procurement process, 329
BIA. See business impact analysis (BIA)
biometric locks, 237
black box penetration testing, 271
blind penetration testing, 271
book of final entry, 322
boot sector viruses, 165
botnets, 166
bottom-up budgeting, 323
boundaries element in SSPs, 82
bowtie method in risk management, 25
breach notification rule in HIPAA, 46
bring your own device (BYOD) concept, 184
broad network access in cloud computing, 229
broken access control software vulnerability, 249
broken authentication software vulnerability, 247–248
brute-force password attacks, 225
budgets
assigning, 151
establishing, 133–136
information security, 323–325
monitoring, 136
overrun risks, 152
projects, 139, 145
responsibility, 132
buffer overflows, 170
build vs. buy software development issues, 244
business architecture in strategic plans, 308
business continuity and disaster recovery (BCP/DR)
BCP, 272–274
business impact analysis, 275–279
confidentiality, 285
continuity planning initiation, 274–275
plans, 34
preventive controls, 279
questions, 291–295
recovery strategies and solutions, 279–284
review, 288–291
business continuity management (BCM), 272–274
business disruptions, managing, 266
business drivers, security, 307
business impact analysis (BIA)
critical functions and supporting resources, 276–277
recovery objectives, 277–278
recovery priorities, 278–279
steps, 275–276
vulnerabilities and threats, 278
business judgment rule in security breach liability, 8
BYOD (bring your own device) concept, 184
C
cable for WANs, 202
Capability Maturity Model Integration (CMMI) model,
19, 313–314
capital expenses (CAPEX), 135, 320–321
CAPs (Corrective Action Plans), 129
career paths, 137
CAs (certificate authorities), 228
cash accounting vs. accrual, 318
categories in NIST Cybersecurity Framework, 88
Categorize phase in third-party risk management, 335–336
CBAC (claims-based access control), 196
CBC-MAC (Cipher Block Chaining Message
Authentication Code), 226
CCOs (chief compliance officers), 36
Center for Internet Security, 92–94, 232
Center for Internet Security Critical Security Controls
(CIS CSC), 92–94
centralized access control administration in IAM, 197
CEOs
information security governance, 5
organizational strategic plan teams, 303–304
certificate authorities (CAs), 228
certificate revocation lists (CRLs), 228
certificates in cryptography, 227–228
certifications
projects, 140–142
security, 59–63
CFAA (Computer Fraud and Abuse Act), 256
CFOs (chief financial officers), 5
chain of command in security management structure, 10
chain of custody for evidence, 263
change management for projects, 154
charters
audit, 97
CSA programs, 110
charts of accounts, 316
check step in PDCA process, 128–129
checklist tests in BCP plans, 286
checklists in auditing, 100
checks and balances in auditing, 100
chief compliance officers (CCOs), 36
chief financial officers (CFOs), 5
chief information officers (CIOs), 5
CIA triad, 12–13
CIDR (Classless Inter-Domain Routing) notation for IP
addresses, 205
CIOs (chief information officers), 5
CIP (Critical Infrastructure Protection) standard, 49
Cipher-based Message Authentication Code (CMAC),
226
Cipher Block Chaining Message Authentication Code
(CBC-MAC), 226
ciphertext, 217
circuit-switched networks, 201–202
CIs (configuration items), 179
Citadel program, 333
claims-based access control (CBAC), 196
classes in security controls, 72–74
classification
assets, 131
data, 189–190
Classless Inter-Domain Routing (CIDR) notation for IP
addresses, 205
climate in information security governance, 5–6
Clinger-Cohen Act, 43
closing
accounting books, 323
audits, 108
closing phase in PMBOK, 142, 156–157
cloud security
computing characteristics, 229
deployment models, 230
resources, 232
risks and assurance levels, 231–232
service models, 230–231
third-party risk management, 334
Cloud Security Alliance (CSA)
cloud security, 232
description, 58
Cloud Security Alliance Cloud Controls Matrix (CSA
CCM), 94–96
CMAC (Cipher-based Message Authentication Code),
226
CMDBs (configuration management databases), 179
CMMI (Capability Maturity Model Integration) model,
19, 313–314
COBIT (Control Objectives for Information and Related
Technology), 57–58
code in software development
description, 246
reviews, 253
secure practices, 252–253
Code Red virus, 166
cold sites, 281
collisions in hash algorithms, 224
communication
auditing results, 107–108
information security governance, 5
network security. See network security
recovery strategies and solutions, 282
security management structure, 10
community cloud deployment models, 230
compensating controls
description, 74
software development security, 244
competition in procurement process, 326
completion procurement contracts, 331
compliance, 34–35
assessments, 271–272
auditing, 105–107
budgets, 134, 136
GRC programs, 123
incident handling, 259
management, 36–39
and security, 35
teams, 36
components with known vulnerabilities, 251
compression viruses, 165
compromise types in risk management, 24
CompTIA (Computing Technology Industry Association),
62
Computer Fraud and Abuse Act (CFAA), 256
computing characteristics in cloud, 229
Computing Technology Industry Association (CompTIA),
62
conclusions in audit reports, 107
confidentiality
BCP, 285
CIA triad, 12–13
cryptography for, 218
potential impact definitions, 79
configuration items (CIs), 179
configuration management
description, 31
projects, 154
configuration management databases (CMDBs), 179
conformity in social engineering training, 176
Consensus Assessments Initiative Questionnaire (CAIQ),
95–96
consistency principle in accounting, 315
constraints in projects, 144–145
consultants
physical security procedures, 242–243
RACI charts, 151
risk management, 334
contain phase in incident handling, 32, 261
containerization for mobile devices, 183
continuity. See business continuity and disaster recovery
(BCP/DR)
continuity of operations (COOP) plans, 34
continuity principle in accounting, 315
continuous auditing, 110–111
continuous improvement in risk management, 19
continuous lighting, 238
contractors, physical security procedures for, 242–243
contracts in procurement, 328–329, 331–332
Control Objectives for Information and Related
Technology (COBIT), 57–58
control self-assessments (CSAs), 108–110
controlled lighting, 238
controlling phase in PMBOK, 142, 154–156
controls
access. See access controls
asset security, 184
business impact analysis, 279
physical security, 235–236
security. See security controls
software development security, 244
third-party risk management, 336
COOP (continuity of operations) plans, 34
core competencies
asset security, 179–186
business continuity and disaster recovery. See business
continuity and disaster recovery (BCP/DR)
cloud security, 229–232
communication and network security. See network
security
cryptography. See cryptography
data security, 186–192
forensics, 263–265
identity and access management, 192–199
incident handling. See incident handling and response
malicious software and attacks, 164–172
overview, 163
physical security. See physical security
security assessment and testing, 265–272
social engineering, 172–179
software development security. See software
development security
core values in organizational strategic plans, 300–301,
304
corporations, security breach liability for, 7–8
Corrective Action Plans (CAPs), 129
corrective controls, 74
correlation in incident handling, 258
cost control in budgets, 132–136
cost of goods sold, 316
cost overruns, 144
cost plus contracts, 332
countermeasure controls, 13
COVID-19, 287
criteria in procurement process, 329
critical functions in business impact analysis, 276–277
Critical Infrastructure Protection (CIP) standard, 49
critical paths in schedules, 150
Critical Security Controls (CIS CSC), 92–94
CRLs (certificate revocation lists), 228
cross-site scripting (XSS)
overview, 171
software vulnerability, 250
cryptography, 216
asset security, 183
asymmetric encryption, 220–221
definitions, 217–218
digital signatures, 226
hash algorithms, 223–225
hybrid, 221–222
message authentication codes, 225–226
PKI, 227–228
salts, 225
services, 218
symmetric encryption, 218–220
cryptosystems, 217
CSA (Cloud Security Alliance)
cloud security, 232
description, 58
CSA CCM (Cloud Security Alliance Cloud Controls
Matrix), 94–96
CSAs (control self-assessments), 108–110
CSF (Cybersecurity Framework), 53–54
life cycle frameworks, 77
security control framework, 88, 91
culture
information security governance, 5–6
in social engineering, 174
cyberattack elements, 14–15
Cybersecurity Framework (CSF), 53–54
life cycle frameworks, 77
security control framework, 88, 91
D
DAC (discretionary access control), 30, 196
DAST (dynamic application security testing), 269
data communications equipment (DCE), 201
data custodians, 189
Data Encryption Standard (DES), 219
data handling in asset security management, 131
data life cycle in security policies, 29
Data Link layer in OSI model, 207, 210
data owners, 189
data remanence, 184
data restoration in recovery, 283–284
data security
acquisition, 188
data at rest, 187
data classification and marking, 189–190
data in transit, 187
data in use, 187
data life cycle, 187–188
destruction, 191–192
use and archival, 191
data terminal equipment (DTE), 201
datacenters, 239
DCE (data communications equipment), 201
decentralized access control administration in IAM, 197–198
decision tree analysis in risk management, 25
decryption, 217
Defense Federal Acquisition Regulation Supplement
(DFARS), 42
defense-in-depth, 15
define, measure, analyze, design, verify (DMADV)
methodology, 155
define, measure, analyze, improve, control (DMAIC)
methodology, 155
defined maturity level in CMMI, 19
degaussing data, 192
degree of significance in evidence assessment, 106
delaying controls in physical security, 235
Delphi method, 24
demilitarized zones (DMZs), 213–214
Deming, William Edwards, 125
Deming cycle, 37
demonstrations of auditing evidence, 105
denial of service (DoS) attacks, 13
Department of Defense (DoD) data overwriting, 191
dependencies schedule factor, 150
deployment models for cloud, 230
depreciation, 320–321
DES (Data Encryption Standard), 219
description element
security control frameworks, 86
SSPs, 82
descriptions, job, 137
deserialization software vulnerability, 251
design
security control life cycle, 80–81
software development, 246
Design Thinking method in strategic plans, 305
destruction of data, 191–192
detective controls, 74, 235, 238–239
determinant frameworks for security controls, 75
deterrent controls
description, 74
physical security, 235
developer knowledge in software development security,
244
DFARS (Defense Federal Acquisition Regulation
Supplement), 42
dictionary password attacks, 225
differential backups, 283
Diffie-Hellman algorithm, 220
digital certificates in cryptography, 227–228
digital envelopes in hybrid cryptography, 221
digital evidence, 263–265
digital signatures in cryptography, 226
digital subscriber line (DSL), 202
directive controls, 74
directories
certificates, 228
IAM, 194
disaster recovery. See business continuity and disaster
recovery (BCP/DR)
Disaster Recovery as a Service (DRaaS), 281
disaster recovery planning (DRP), 272–274
discovery in penetration testing, 270
discretionary access control (DAC), 30, 196
disk mirroring, 283
disposed equipment risk, 177
DMADV (define, measure, analyze, design, verify)
methodology, 155
DMAIC (define, measure, analyze, improve, control)
methodology, 155
DMZs (demilitarized zones), 213–214
DNS (Domain Name System), 207
do step in PDCA process, 127–128
documentation
penetration testing, 271
project plans, 152–153
recovery strategies and solutions, 282
SSPs, 82
DoD (Department of Defense) data overwriting, 191
Domain Name System (DNS), 207
donated equipment risk, 177
DoS (denial of service) attacks, 13
double blind penetration testing, 271
DRaaS (Disaster Recovery as a Service), 281
drills in physical security, 241
DRP (disaster recovery planning), 272–274
DSL (digital subscriber line), 202
DTE (data terminal equipment), 201
dual-factor authentication, 195
dual-homed arrangement for WANs, 200
dumpster diving
for data, 192
social engineering testing, 177
duty of care responsibility, 8
dynamic analysis in software development, 254
dynamic application security testing (DAST), 269
E
EA (enterprise architecture) strategic plans, 308–312
EC-Council (International Council of E-Commerce
Consultants), 60
EC-Council University (ECCU), 60
ECC (elliptic curve cryptography) algorithm, 221
EI-ISAC (Elections Infrastructure Information Sharing
and Analysis Center), 58
EISA (enterprise information security architecture), 6
elasticity in cloud computing, 229
Elections Infrastructure Information Sharing and
Analysis Center (EI-ISAC), 58
Electric Reliability Organization (ERO), 49
elliptic curve cryptography (ECC) algorithm, 221
e-mails in social engineering testing, 177
employees
employment procedures, 242
organizational strategic plan teams, 304
policy violations, 259–260
encryption. See cryptography
endpoint containment in incident handling, 261
endpoint security for assets, 182
engagement letters, 97
enhancements in security control framework, 88
enterprise architecture (EA) strategic plans, 308–312
enterprise information security architecture (EISA), 6
enumeration
cyberattacks, 14
penetration testing, 270
environment factors
datacenters, 239
SSPs, 82
environmental threats, 233
equipment, recovery strategies and solutions for, 282
equity in balance sheets, 318
eradicate phase in incident handling, 32, 261–262
erasing data, 191
ERO (Electric Reliability Organization), 49
Escal Institute of Advanced Technologies (SANS
Institute), 60–61
Ethernet, 210
ethics
overview, 63–64
procurement process, 327
evaluation
compliance, 38–39
procurement process, 329
evaluation evidence in auditing, 104–105
evaluation frameworks for security controls, 75
event logs in incident handling, 257
evidence
auditing, 105–107
forensics, 263–265
executing phase in PMBOK, 142, 153
executive succession planning, 282
executive summaries in audit reports, 107
exit interviews for audit reports, 107–108
expenses
accounting systems, 316
capital and operating, 320–321
income statements, 316
vs. investments, 135
experts on organizational strategic plan teams, 304
exploitation
cyberattacks, 15
penetration testing, 271
Exposure Factor (EF), 23
exposure threats, 13
Extensible Markup Language (XML), 195, 248–249
external audits, 96–97
external compliance, 35, 39
external drivers in information security governance, 4–5
external entities in XML, 248–249
external facilitators on organizational strategic plan
teams, 304
external resources, assigning, 151
external stakeholders, identifying and interviewing, 144
F
facilitators on organizational strategic plan teams, 304
facility
protecting, 269
recovery, 280–281
security controls, 235–236
facsimile security, 185
Factor Analysis of Information Risk (FAIR) framework,
25
fail-safe security, 234
fail-secure security, 234
FAIR (Factor Analysis of Information Risk) framework,
25
fairness in procurement process, 327
fake websites
description, 15
social engineering testing, 177
families of controls, 86
Family Educational Rights and Privacy Act (FERPA), 47
FAR (Federal Acquisition Regulation), 42
FARA (Federal Acquisition Reform Act), 43
FASB (Financial Accounting Standards Board), 315
FEAF (Federal Enterprise Architecture Framework),
310–311
Federal Acquisition Reform Act (FARA), 43
Federal Acquisition Regulation (FAR), 42
Federal Energy Regulatory Commission (FERC), 49
Federal Enterprise Architecture Framework (FEAF),
310–311
Federal Information Processing Standards (FIPS)
list of, 54
publication 199, 79
publication 200, 72
Federal Information Security Modernization Act
(FISMA)
elements, 41–42
risk management, 26
Federal Risk and Authorization Management Program
(FedRAMP)
audits, 113
cloud security, 232
federated identity management (FIM), 195
fences, 237–238
FERC (Federal Energy Regulatory Commission), 49
FERPA (Family Educational Rights and Privacy Act), 47
FFP (firm fixed price) contracts, 332
fiber to the premises (FTTP) technology, 202
File Transfer Protocol (FTP), 207
FIM (federated identity management), 195
Financial Accounting Standards Board (FASB), 315
financial management, 314
accounting and finance basics, 314–323
budgets, 132–136, 323–325
questions, 339–340
review, 338–339
tips, 325–326
financial plans for budgets, 323
Financial Privacy Rule, 45
financial resources in PDCA plans, 127
Financial Services Modernization Act, 45
financial statements, 323
findings in audit reports, 107
FIPS (Federal Information Processing Standards)
list of, 54
publication 199, 79
publication 200, 72
fire suppression, 239–240
firewall logs in incident handling, 257
firewalls, 204, 212–213
firm fixed price (FFP) contracts, 332
FISMA (Federal Information Security Modernization
Act)
elements, 41–42
risk management, 26
flat security management structure, 10
forecasts for budgets, 134
forensic investigations, 263–265
logging, 32
security operations, 33
Frame Relay for WANs, 200
Framework for Improving Critical Infrastructure
Cybersecurity, 4–5
frameworks
auditing, 101–102
security controls, 75–76, 86–96
fraud, laws for, 256
FTP (File Transfer Protocol), 207
FTTP (fiber to the premises) technology, 202
full backups, 283
full interruption tests, 286
full knowledge penetration testing, 271
full-mesh networks for WANs, 200
function-oriented WBSs, 149
functionality of security controls, 74–75
functions in NIST Cybersecurity Framework, 88
fuzz testing, 269
G
GAAP (Generally Accepted Accounting Principles), 315
Gameover ZeuS Trojan, 166
Gantt charts, 150
gaseous fire suppression systems, 240
General Data Protection Regulation (GDPR), 35, 48–49,
256
general ledgers, 316, 322
general safety practices, 241
Generally Accepted Accounting Principles (GAAP), 315
GIF format, 208
glare protection for lighting, 238
GLBA (Gramm-Leach-Bliley Act), 45, 256
global controls for third-party risk management, 336
goals
organizational strategic plans, 301–302, 304
projects, 148
good faith principle in accounting, 316
governance, 1–2
compliance, 34–39
ethics, 63–64
information security, 4–7
information security management structure, 9–11
information security training and certifications, 59–63
information security trends and best practices, 58
laws and regulatory drivers, 40–50
management and technical information, 26–34
overview, 2–4
principles of information security, 12–15
privacy, 39–40
questions, 67–70
review, 64–67
risk management. See risks and risk management
standards and frameworks, 50–58
strategy, 2–4
governance, risk management, and compliance (GRC)
systems, 123–124
Gramm-Leach-Bliley Act (GLBA), 45, 256
gray box penetration testing, 271
GRC (governance, risk management, and compliance)
systems, 123–124
gross margin in accounting, 316
guards, 238
Guidance for the Governance of Organizations, 4
guidelines
security policies, 29
third-party risk management, 335
Gutmann data overwriting method, 192
H
hardening assets, 180
hardware recovery strategies and solutions, 282
Hash-based Message Authentication Code (HMAC), 226
hashing in cryptography, 217, 223–225
HDSL (high data rate DSL), 202
Health Information Technology for Economic and
Clinical Health Act (HITECH), 46
Health Insurance Portability and Accountability Act
(HIPAA), 46, 256
hiding data and behaviors, anti-forensic techniques, 265
HIDSs (host-based IDSs), 215
hierarchical security management structure, 10–11
high data rate DSL (HDSL), 202
HIPAA (Health Insurance Portability and Accountability
Act), 46, 256
HITECH (Health Information Technology for Economic
and Clinical Health Act), 46
HMAC (Hash-based Message Authentication Code), 226
horizontal security management structure, 10
host-based IDSs (HIDSs), 215
hosts in IP addresses, 205
hot sites, 281
HTTP (Hypertext Transfer Protocol)
description, 208
response splitting, 171
HTTP Secure (HTTPS), 208
hub and spoke WAN arrangements, 200
human-based vulnerability assessments, 269–270
human nature in social engineering, 174
hybrid access control administration in IAM, 198
hybrid cloud deployment models, 230
hybrid cryptography, 221–222
Hypertext Transfer Protocol (HTTP)
description, 208
response splitting, 171
I
IaaS (Infrastructure as a Service), 230
IAM. See identity and access management (IAM)
IANA (Internet Assigned Numbers Authority), 205
IAPP (International Association of Privacy
Professionals), 62
IDaaS (Identity as a Service), 195
identification in IAM, 194
identifiers in security control frameworks, 86
identify phase in incident handling, 32, 261
identifying stakeholders, 144
identity and access management (IAM), 192–193
access control administration, 197–198
access control models, 196–197
access control principles, 195–196
authentication factors and mechanisms, 195
fundamentals, 193–194
life cycle, 198–199
technologies, 194–195
Identity as a Service (IDaaS), 195
identity management, 30
Identity Theft Enforcement and Restitution Act, 256
IDSs (intrusion detection systems) and intrusion
prevention systems (IPSs), 215–216
IEC (International Electrotechnical Commission), 51–53
IFRS (International Financial Reporting Standards), 315
IGMP (Internet Group Management Protocol), 210
ignorance issue in software development security, 243
ILOVEYOU virus, 166–167
impact definitions, 79
impersonation in social engineering testing, 177
Implement phase in third-party risk management, 337
implementation
compliance, 37–38
CSA programs, 110
risk management, 18
security control life cycle, 81–82
incident handling and response, 255
employee policy violations, 259–260
forensics, 263–265
incident response teams, 262
law enforcement, 259
laws, 255–256
logging, 257–258
monitoring, 258–259
physical security, 241
process, 260–262
steps, 32
teams, 262
income statements, 316–317
incremental backups, 283
incremental life cycle model in SDLC, 147
independent assurance in third-party risk management,
336
independent validators, auditing, 100
industry practices in information security governance, 4
industry-specific audits, 113
information architecture in strategic plans, 308
information assets in security management, 131
information collection in risk management, 22
information security governance, 4
external drivers, 4–5
internal drivers, 5–7
regulatory drivers, 4
information security management structure, 9
elements, 10
sizing, 9–10
types, 10–11
Information Systems Audit and Control Association
(ISACA), 59
information systems in risk management, 17
Information technology — Cloud computing —
Overview and vocabulary, 229
Information Technology Management Reform Act
(ITMRA), 43
informing RACI charts, 151
infrastructure
PDCA plans, 127
recovery strategies and solutions, 282
wireless technologies, 212
Infrastructure as a Service (IaaS), 230
inherent risk, 25
initial maturity level in CMMI, 19
initiating step
procurement process, 327–328
projects, 142–145
injection
software vulnerability, 247
SQL, 171–172
insights in evidence assessment, 105
insourcing physical security, 234
inspecting auditing evidence, 104
insufficient logging and monitoring as software
vulnerability, 251–252
Integrated Services Digital Network (ISDN), 201–202
integrity
CIA triad, 12–13
cryptography, 218
evidence assessment, 106
potential impact definitions, 79
integrity laws in incident handling, 256
interactive training, 270
interior protection, 269
internal audits, 96–97
internal compliance, 35, 39
internal containment in incident handling, 261
internal drivers in information security governance, 5–7
internal resources, assigning, 151
internal stakeholders, identifying and interviewing, 144
International Association of Privacy Professionals
(IAPP), 62
International Council of E-Commerce Consultants (EC-
Council), 60
International Electrotechnical Commission (IEC), 51–53
International Financial Reporting Standards (IFRS), 315
International Information System Security Certification
Consortium (ISC)², 59
International Organization for Standardization (ISO)
ISO 9000 series, 156
ISO/IEC 17788, 229
ISO 19600, 37
ISO/IEC 27000 series, life cycle frameworks, 77
ISO/IEC 27000 series, overview, 51–52
ISO/IEC 27000 series, standards, 51–52
ISO/IEC 27001 series, asset security management, 130
ISO/IEC 27001 series, certification audits, 112–113
ISO/IEC 27001 series, cloud security, 232
ISO/IEC 27001 series, control frameworks, 75
ISO/IEC 27001 series, sections, 52–53
ISO/IEC 27002, 75, 90–92
ISO/IEC 27005, 26
ISO/IEC 27007, 101
ISO/IEC 27008, 102
ISO 37000, 4
Internet Assigned Numbers Authority (IANA), 205
Internet fax security, 185
Internet Group Management Protocol (IGMP), 210
Internet Protocol (IP)
addresses, 204–206
Network layer, 210
Internet routers, 204
Internet service providers (ISPs), 202
interviewing stakeholders, 144
intrusion detection, monitoring, 32
intrusion detection systems (IDSs) and intrusion
prevention systems (IPSs), 215–216
inventory in asset security management, 131
investigations in incident handling. See incident
handling and response
IP (Internet Protocol)
addresses, 204–206
Network layer, 210
IP Security (IPSec), 215
IPv4, 206
IPv6, 206
ISACA (Information Systems Audit and Control
Association), 59
ISACA Risk IT Framework, 26
ISC2 (International Information System Security
Certification Consortium), 59
ISDN (Integrated Services Digital Network), 201–202
ISO. See International Organization for Standardization
(ISO)
ISPs (Internet service providers), 202
issuers of digital certificates, 227
ITMRA (Information Technology Management Reform
Act), 43
J
job analyses in team building, 137
job priority in social engineering, 174
journal entries in accounting, 322
JPEG format, 208
K
kernel-mode rootkits, 169
key performance indicators (KPIs) in security control life
cycle, 84–85
key stakeholders, 144
keyed hash, 226
keys
asymmetric encryption, 220–221
cryptographic, 217–218
symmetric encryption, 218–219
KPIs (key performance indicators) in security control life
cycle, 84–85
L
L2TP (Layer 2 Tunneling Protocol), 215
LANs. See local area networks (LANs)
law enforcement in incident response, 259
laws and regulatory drivers, 40–41
Clinger-Cohen Act, 43
DFARS, 42
FERPA, 47
FISMA, 41–42
GDPR, 48–49
GLBA, 45
HIPAA, 46
incident handling, 255–256
NERC, 49–50
PCI DSS, 43–44
Privacy Act, 44–45
SOX, 47–48
Layer 2 Tunneling Protocol (L2TP), 215
leadership in social engineering, 175
leadership understanding and perception in information security governance, 5
leased lines, 201
least privilege model
IAM, 196
software development security, 33
legal agreements in third-party risk management, 336
lessons learned in incident handling, 32, 262
level of effort (LOE) procurement contracts, 331
liabilities on balance sheets, 318
life cycle costs in budgets, 134
life cycles
data, 187–188
IAM, 198–199
security controls, 78
security controls, assessment, 82–84
security controls, design, 80–81
security controls, frameworks, 76–77
security controls, implementation, 81–82
security controls, monitoring, 84–86
security controls, risk assessment, 78
lighting, 238
likelihood factor in risk management, 24
limited liability companies (LLCs), security breach liability in, 8
lines of authority in security management structure, 10
LLC (Logical Link Control), 210
LLCs (limited liability companies), security breach liability in, 8
local area networks (LANs)
description, 199–200
infrastructure, 203–204
risks, 212–216
wireless, 202, 211
local loops in WANs, 200–201
location issues for datacenters, 239
locks, 237
LOE (level of effort) procurement contracts, 331
log aggregation in monitoring, 258
Logical Link Control (LLC), 210
logs and logging
fax services, 185
incident handling, 257–258
physical security, 240
security operations, 32
software vulnerability, 251–252
LPTA (lowest price technically acceptable) procurement process, 329
M
MAC (mandatory access control), 30, 196
MAC (Media Access Control), 210
macro viruses, 165
MACs (message authentication codes), 225–226
maintenance
compliance, 39
organizational strategic plans, 303
malware, 164–165
botnets, 166
description, 15
ransomware, 167–168
rootkits, 169
scripts, 170–172
Trojans, 166
viruses, 165–167
worms, 166
managed maturity level in CMMI, 19
management and technical information
business continuity and disaster recovery, 34
identity and access management, 30
physical security, 31
security assessments and testing, 33
security engineering, 30
security operations, 31–33
security policies, standards, and guidelines, 28–29
security program plans, 26–28
security training and awareness, 33–34
software development security, 33
management controls, 73
management directives, 4
management reserves in budgets, 134
management structure in information security governance, 5
managers on organizational strategic plan teams, 304
Managing Information Security Risk, 17
mandatory access control (MAC), 30, 196
manmade threats, 233
MANs (metropolitan area networks), 199
mantraps, 237
manual controls, 80
mappings in security control frameworks, 87
marking
data, 189–190
media, 184
matching principle of accounting, 320
Materiality in Planning and Performing an Audit, 106
materiality of evidence assessment, 105–106
materiality principle in accounting, 316
matrix security management structure, 10–11
maturity in risk management, 19
maximum tolerable downtime (MTD), 277
MD5 (message-digest algorithm version 5), 223–224
MDM (mobile device management), 183–184
measurable goals
organizational strategic plans, 301–302
projects, 148
measured services in cloud computing, 229
measurement
evidence assessment, 106
physical security, 240–241
Media Access Control (MAC), 210
media, sanitized, 191
media controls in asset security, 184
message authentication codes (MACs), 225–226
message-digest algorithm version 5 (MD5), 223–224
methods in risk management, 21
metro Ethernet (MetroE), 200
metropolitan area networks (MANs), 199
Microsoft Project, 150
MIME (Multipurpose Internet Mail Extensions), 208
Minimum Security Requirements for Federal Information and Information Systems, 72
mirrored sites, 281
misconfiguration
network vulnerabilities, 267
software vulnerability, 250
mission/business process in risk management, 17
mission statements in organizational strategic plans, 300, 304
mitigation
audit risk, 102
risk management strategy, 22
mobile device management (MDM), 183–184
mobile facility sites, 281
models in risk management, 21
modularity in social engineering training, 175
monitoring
incident handling, 258–259
PMBOK, 142, 154–156
risk management, 19
security control life cycle, 84–86
security operations, 32
software vulnerability, 251–252
spending, 136, 324
third-party risk management, 337
MTD (maximum tolerable downtime), 277
Multi-State Information Sharing & Analysis Center (MS-ISAC), 58
multifactor authentication, 195
multipartite viruses, 165
Multipurpose Internet Mail Extensions (MIME), 208
multitenancy in cloud computing, 229
Mydoom Trojan, 167
N
NAC (network access control), 183
names in security control frameworks, 86
NAT (network address translation), 205
National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, 137
National Institute of Standards and Technology (NIST)
Cybersecurity Framework, 53–54
Cybersecurity Framework, life cycle frameworks, 77
Cybersecurity Framework, security control framework, 88, 91
Framework for Improving Critical Infrastructure Cybersecurity, 4–5
Managing Information Security Risk, 17
NIST SP 800-53, assessment procedures, 84–85
NIST SP 800-53, classes, 72–74
NIST SP 800-53, control frameworks, 75–76
NIST SP 800-53, security control framework, 87–89
NIST SP 800-53A, 101
NIST SP 800-145, 229
NIST SP 800-171, 42
NIST SP 800-181, 137
NIST Special Publications list, 55–56
Risk Management Framework, life cycle frameworks, 76–77
Risk Management Framework, risk assessment, 79
National Security Agency (NSA) data erasing, 192
natural access control, 235
natural surveillance, 236
natural threats, 233
necessary goals in organizational strategic plans, 302
need to know principle, 196
NERC (North American Electric Reliability Corporation), 49–50
NetBIOS (Network Basic Input/Output System), 209
network access control (NAC), 183
network address translation (NAT), 205
network-based IDSs (NIDSs), 215
Network Basic Input/Output System (NetBIOS), 209
Network File System (NFS), 209
Network layer in OSI model, 207, 210
network security, 199
defenses, 212–216
IP addresses, 204–206
LANs, 203–204
NAT, 205
network protocols, 206–216
vulnerability assessments, 267–268
WANs, 199–202
wireless technologies, 211–212
new initiatives in budgets, 134
NFS (Network File System), 209
NICE (National Initiative for Cybersecurity Education) Cybersecurity Workforce Framework, 137
NIDSs (network-based IDSs), 215
NIST. See National Institute of Standards and Technology (NIST)
NIST Definition of Cloud Computing, 229
non-compensation principle in accounting, 315
nonpersistent XSS attacks, 171
nonprofit organizations, security breach liability in, 8
nonrepudiation, cryptography for, 218
nonstatistical sampling in audits, 103
North American Electric Reliability Corporation (NERC), 49–50
NSA (National Security Agency) data erasing, 192
O
objectives
audit reports, 107
organizational strategic plans, 301–302, 304
objects in IAM, 192–193
observations for evidence assessment, 105
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) framework, 25
Offensive Security company, 62–63
on-demand cloud computing, 229
open port vulnerabilities, 267
Open Systems Interconnection (OSI) model, 206–207
Application layer, 207–208
Data Link layer, 210
Network layer, 210
Physical layer, 211
Presentation layer, 208–209
Session layer, 209
Transport layer, 209–210
Open Web Application Security Project (OWASP), 58, 172
operating expenses (OPEX)
vs. capital investments, 135
overview, 320–321
operating rhythm in PDCA process, 128
operational controls, 73
operational monitoring and remediation in social engineering, 178–179
operational security (OPSEC), 241
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) framework, 25
OPEX (operating expenses)
vs. capital investments, 135
overview, 320–321
OPSEC (operational security), 241
optimizing maturity level in CMMI, 19
organization in risk management, 18
organizational process recovery, 280
organizational strategic planning, 298–299
actions, 302–303
core values, 300–301
maintaining and updating, 303
measurable goals and objectives, 301–302
mission statements, 300
teams, 303–304
vision statements, 299–300
organizational structure, 9
organizational tier in risk management, 17
OSI model. See Open Systems Interconnection (OSI) model
outbriefs in audit reports, 107–108
outsourcing physical security, 235
overflows, buffer, 170
oversight in software development security, 243
overwriting data
anti-forensic technique, 265
data security, 191
OWASP (Open Web Application Security Project), 58, 172
owner’s equity on balance sheets, 318
P
PaaS (Platform as a Service), 230
packet filters for firewalls, 212
packet-switched networks, 202
packets in LANs, 204
paper records, security for, 185
parallel tests in recovery strategies, 286
partial knowledge penetration testing, 271
partnerships, security breach liability in, 7
passive reconnaissance penetration testing, 270
passwords
attacks, 225
hash algorithms, 224–225
IAM, 194
patch management, 31
asset security, 181, 183
priority, 126
responsibility, 132
security testing, 33
Patch Tuesday, 170
payloads in viruses, 165
Payment Card Industry Data Security Standard (PCI DSS), 35, 43–44
PBAC (policy-based access control), 196
PDCA (Plan, Do, Check, Act) cycle
compliance, 37
risk management, 18
streams of work, 125–126
penetration testing
description, 33
methodology, 270–271
software development, 254
people factor in recovery strategies and solutions, 282
performance work statements (PWSs) in contracts, 332
perimeter containment in incident handling, 261
perimeter protection, 269
periodicity principle in accounting, 315
permanence of methods principle in accounting, 315
permissions in data security, 188
persistent digital evidence, 264
persistent XSS attacks, 171
personnel issues
security, 241–242
team building, 138
phased methodology in SDLC, 146–147
PHI (protected health information), 46
phishing
description, 15
social engineering testing, 177
physical controls, 72
physical destruction of data, 192
Physical layer in OSI model, 207, 211
physical security, 31, 232–233
auditing and measurement, 240–241
control types, 235–236
datacenters, 239
detective controls, 238–239
fences, 237–238
fire suppression, 239–240
guards, 238
lighting, 238
locks and access control, 237
mantraps, 237
personnel security, 241–242
program planning, 234
resources, 234–235
security zones, 236
threats, 233
physical vulnerability assessments
physical security, 240
reviews in, 269
PIAs (privacy impact assessments), 40
PKI (public key infrastructure), 227–228
Plan, Do, Check, Act (PDCA) cycle
compliance, 37
risk management, 18
streams of work, 125–126
Plan of Actions & Milestones (POA&M), 129
plans and planning
audit, 97–99
business continuity, 284–288
compliance, 37
executive succession, 282
PDCA process, 126–127
physical security, 234
PMBOK, 142, 145–153
projects, 152–153
risk management, 19–20
software development, 245
strategic. See strategic planning
Platform as a Service (PaaS), 230
PMBOK process groups. See Project Management Body of Knowledge (PMBOK) process groups
PMI (Project Management Institute), 140–141
PMP (Project Management Professional), 141
POA&M (Plan of Actions & Milestones), 129
Point-to-Point Protocol (PPP), 210
point-to-point topologies, 200
Point-to-Point Tunneling Protocol (PPTP), 214
poisoning, ARP, 210
PoisonIvy virus, 167
policies
BCP, 275
employment, 242
security, 28–29
third-party risk management, 334–335
violations, 259–260
policy-based access control (PBAC), 196
political threats, 233
polymorphic viruses, 165
port vulnerabilities, 267
potential impact definitions, 79
PPP (Point-to-Point Protocol), 210
PPTP (Point-to-Point Tunneling Protocol), 214
practice and exercises for social engineering, 178
pre-action fire suppression systems, 240
preparation
audits, 103
incident handling, 32, 261
third-party risk management, 334–335
Presentation layer in OSI model, 206, 208–209
pretexting in social engineering, 172–173, 177
Pretexting Rule in GLBA, 45
preventive controls
business impact analysis, 279
description, 74
principle of least privilege model, 196
principles of information security
CIA triad, 12–13
cyberattack elements, 14–15
defense-in-depth, 15
relationships, 13
printer security, 185–186
priorities
business impact analysis, 278–279
security control framework, 88
vulnerabilities, 182
privacy
HIPAA, 46
incident handling laws, 256
laws and regulatory drivers, 39–40
Privacy Act of 1974, 44–45
Privacy Control Catalog, 87
privacy impact assessments (PIAs), 40
Privacy Shield Frameworks, 56–57
private cloud deployment models, 230
private IP addresses, 205
private keys in symmetric encryption, 218
privilege creep, 199
procedures in security policies, 29
process model frameworks in security controls, 75
processes
CSA programs, 110
security policies, 29
procurement, 326
contracts, 331–332
core principles and processes, 326–331
questions, 339–340
review, 338–339
scope agreements, 332–333
product controls in third-party risk management, 336
proficiency tests, 270
Project Management Body of Knowledge (PMBOK)
process groups, 142–143
closing phase, 156–157
executing phase, 153
initiating phase, 142–145
monitoring and controlling phase, 154–156
planning phase, 145–153
Project Management Institute (PMI), 140–141
project management life cycle in security program plans, 28
Project Management Professional (PMP), 141
project scope documents, 145
projects
closing phase, 156–157
considerations, 140
executing phase, 153
initiating phase, 142–145
monitoring and controlling phase, 154–156
phases overview, 142–145
planning phase, 145–153
plans, 152–153
resources and budgets, 151
risk assessment, 151–152
security program management, 131–132
security program plans, 28
training and certifications, 140–142
proposal submission instructions, 329
protected health information (PHI), 46
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, 42
protocols for LANs, 204
provisioning in IAM, 198
proxy firewalls, 213
prudence principle in accounting, 315
public cloud deployment models, 230
Public Company Accounting Reform and Investor Protection Act, 47–48, 256
public IP addresses, 205
public key certificates, 227
public key infrastructure (PKI), 227–228
public keys in asymmetric encryption, 220–221
PureLocker ransomware, 168
purging data, 191
PWSs (performance work statements) in contracts, 332
Q
QA (quality assurance) for projects, 155
QC (quality control) for projects, 155
QMSs (quality management systems), 154–155
QPQ (quid pro quo) social engineering, 173
qualitative analysis and methods in risk management, 21, 23–25
quality assurance (QA) for projects, 155
quality control (QC) for projects, 155
quality management systems (QMSs), 154–155
quantitative analysis and methods
evidence assessment, 106
risk management, 21–23
quantitatively managed maturity level in CMMI, 19
quid pro quo (QPQ) social engineering, 173
R
race conditions, 170–171
RACI charts, 151
RAID (redundant array of independent disks), 283
rainbow table password attacks, 225
RAIT (redundant array of independent tapes), 283
ransomware, 167–168
RAs (registration authorities), 228
RBAC (role-based access control), 30, 197
RCA (root cause analysis), 105–106
reciprocal agreements in facility and site recovery, 280–281
recommendations
audit reports, 107
risk management, 22
reconnaissance
cyberattacks, 14
penetration testing, 270
recovery controls, 74
recovery in incident handling, 32, 262
recovery objectives in business impact analysis, 277–278
recovery point objective (RPO), 277
recovery priorities in business impact analysis, 278–279
recovery strategies and solutions, 279–280
data restoration, 282–283
facility and site recovery, 280–281
organizational process recovery, 280
plan tests, 285–286
plans, 284–288
user environment, 281–282
recovery time objective (RTO), 277
redundant array of independent disks (RAID), 283
redundant array of independent tapes (RAIT), 283
redundant facility sites, 281
references for security control framework, 88
registration authorities (RAs), 228
regularity principle in accounting, 315
regulatory compliance assessments, 271–272
regulatory drivers in information security governance, 4
relationships in PDCA plans, 127–128
relevance of social engineering training, 176
relevant evidence, 263
reliable evidence, 263
remediation step
CSA programs, 110
security control life cycle, 83
Remote Procedure Call (RPC), 209
removing unnecessary software and services, 183
reports
accounting systems, 316
auditing results, 107–108
cloud security, 232
penetration testing, 271
procurement process, 327
risk management, 19
security control life cycle, 83
security management structure, 10
spending, 325
reputation factor in third-party risk management, 336
Request for Information (RFI), 328
requirements
projects, 143
software development, 246
reserves in budgets, 134
resident viruses, 165
residual risk, 21, 25
resources
assigning, 151
business impact analysis, 276–277
pooling in cloud computing, 229
schedule factor, 150
software development security, 243
responsibilities
RACI charts, 151
SDLC, 246
responsibility matrices, 151
responsive area illumination, 238
reviews
IAM, 199
vulnerabilities, 182
revocation
certificates, 228
IAM, 199
RFI (Request for Information), 328
risk-based prioritization for vulnerabilities, 182
Risk Management Framework (RMF)
life cycle frameworks, 76–77
PDCA process, 129
risk assessment, 79
risks and risk management, 4, 16–17
audits, 102
best practice frameworks, 25–26
budgets, 133, 135
cloud security, 231–232
GRC programs, 123
information security governance, 5
programs approach, 18–19
programs overview, 17–18
programs process, 19–22
projects, 151–152
qualitative methods, 23–25
quantitative methods, 22–23
real world, 16
recovery strategies and solutions, 282
relationships, 13
security control life cycle, 78
third parties, 333–337
Rivest-Shamir-Adleman (RSA) algorithm, 221
RMF (Risk Management Framework)
life cycle frameworks, 76–77
PDCA process, 129
risk assessment, 79
ROI budgeting, 324
role-based access control (RBAC), 30, 197
roles
SDLC, 246
team building, 137
rolling budget forecasts, 134, 324
rolling hot sites, 281
root cause analysis (RCA), 105–106
rootkits, 15, 169
routers, 204
RPC (Remote Procedure Call), 209
RPO (recovery point objective), 277
RSA (Rivest-Shamir-Adleman) algorithm, 221
RTO (recovery time objective), 277
Ryuk ransomware, 168
S
S.M.A.R.T. metrics, 84–85
SaaS (Software as a Service), 231
SABSA (Sherwood Applied Business Security Architecture) framework, 311
Safeguards Rule, 45
safes, 186
safety
general practices, 241
physical security, 234
salts in cryptography, 225
SAML (Security Assertion Markup Language), 195
sampling in audits, 102–103
SamSam ransomware, 168
sanitized media, 191
sanitizing media, 184
SANS Institute (Escal Institute of Advanced Technologies), 60–61
Sapphire worm, 167
Sarbanes-Oxley Act (SOX), 47–48, 256
SAST (static application security testing), 269
satellite technology, 202
scanners, vulnerability, 181
schedule risk in projects, 152
schedules
developing, 150
overruns, 144
planning, 145
projects, 139
scope
audit reports, 107
procurement, 332–333
projects, 139, 143–144
risk management, 20
scope creep, 144
screening procedures for employment, 242
scripting
attacks, 170–172
description, 15
SDLC. See systems development life cycle (SDLC)
SDSL (symmetrical DSL), 202
secure coding practices, 252–253
secure configuration baselines in asset security, 180–181, 183
Secure Hash Algorithm 1 (SHA-1), 223
Secure Hash Algorithm 2 (SHA-2), 223
Secure Hash Algorithm 3 (SHA-3), 223
Secure Sockets Layer (SSL)/Transport Layer Security (TLS), 208
security
and compliance, 35
liaisons, 128
misconfiguration, 250
operations, 31–33
policies, 28–29
and privacy, 40
trends and best practices, 58
Security and Privacy Controls for Federal Information Systems and Organizations
assessment procedures, 84
classes, 72–73
security control framework, 87–89
Security Assertion Markup Language (SAML), 195
security assessment and testing, 33, 265–266
penetration testing, 270–271
regulatory compliance assessments, 271–272
security program assessments, 272
vulnerability assessments, 267–270
security awareness, responsibility for, 132
security charters, 6
security controls, 71–72
audits. See audits and auditing
classes, 72–74
frameworks, 75–76, 86–96
functionality, 74–75
life cycle frameworks, 76–77
life cycles, 78–86
questions, 117–120
review, 114–117
self-assessments, 108–110
security decisions in strategic plans, 307–312
security engineering, 30
security information and event management (SIEM) systems, 258–259
security operations centers (SOCs), 33
security program management, 121–122
asset security management, 129–131
budgets, finance, and cost control, 132–136
focus areas, 122–124
projects. See projects
questions, 159–161
review, 157–159
streams of work, 125–129
teams, 136–138
security program plans
description, 6
management and technical information, 26–28
security rule in HIPAA, 46
security training and awareness, 33–34
security training and certifications, 59–63
Security Trust Assurance and Risk (STAR) program, 232
security zones, 236
segmentation, network, 213–214
selection step
security control life cycle, 80
third-party risk management, 336
self-assessments, control, 108–110
sensitive data exposure as software vulnerability, 248
separation issues in datacenters, 239
separation of duties
IAM, 196
software development security, 33
service level agreements (SLAs)
cloud security, 231
contracts, 333
service models for cloud, 230–231
Service Organization Controls (SOC) audits, 112
service providers in risk management, 334, 336
Session layer in OSI model, 206, 209
SHA-1 (Secure Hash Algorithm 1), 223
SHA-2 (Secure Hash Algorithm 2), 223
SHA-3 (Secure Hash Algorithm 3), 223
Shamoon virus, 167
Sherwood Applied Business Security Architecture (SABSA) framework, 311
Shewhart cycle, 37
SIEM (security information and event management) systems, 258–259
signature-based IDSs, 215
signatures in cryptography, 226
significance in evidence assessment, 106
Simple Network Management Protocol (SNMP), 207–208
simulation tests in recovery strategies and solutions, 286
sincerity principle in accounting, 315
single-factor authentication, 195
single-homed WANs, 200
Single Loss Expectancy (SLE) value, 23
single pass overwriting, 191
single points of failure, 284
single sign-on (SSO), 194
site recovery, 280–281
situational awareness
CSA programs, 110
security management structure, 10
social engineering, 178
Six Sigma process, 155
sizing security management structure, 9–10
skills in social engineering training, 176
SLAs (service level agreements)
cloud security, 231
contracts, 333
SLE (Single Loss Expectancy) value, 23
smart locks, 237
SNMP (Simple Network Management Protocol), 207–208
SOC (Service Organization Controls) audits, 112
SOC 2/SOC 3 reports for cloud security, 232
social engineering
baiting, 173
defenses, 174–179
description, 15
pretexting, 172–173
quid pro quo, 173
susceptibility, 174
testing, 176–177, 270
social media in social engineering testing, 177
SOCs (security operations centers), 33
software
recovery strategies and solutions, 282
vulnerabilities, 267
Software as a Service (SaaS), 231
software developer controls, 336
software development security, 33
SDLC, 243–246
secure coding practices, 252–253
vulnerabilities, 247–252
vulnerability analysis and assessments, 253–254
sole proprietorships, security breach liability for, 7
solicit step in procurement process, 328–329
SONET, 200
SOOs (statements of objectives) in contracts, 332–333
Sources Sought requests, 328
SOWs (statements of work)
contracts, 332
procurement process, 328
SOX (Sarbanes-Oxley Act), 47–48, 256
specifications in procurement process, 328
spending
monitoring, 136
security management structure, 9–10
sprints in project development, 148
SQL Slammer worm, 167
SQL (Structured Query Language) injection, 171–172
SSL (Secure Sockets Layer)/Transport Layer Security (TLS), 208
SSO (single sign-on), 194
SSPs (system security plans)
description, 42
documentation, 82
staffing
PDCA plans, 127
strategy for, 136–137
stakeholders
evidence assessment, 106
identifying and interviewing, 144
organizational strategic plan teams, 304
standards and frameworks
auditing, 101–102
COBIT, 57–58
FIPS, 54
ISO/IEC 27000 Series, 51–52
ISO/IEC 27001 Series, 52–53
NIST Cybersecurity Framework, 53–54
NIST Special Publications, 55–56
Privacy Shield, 56–57
security policies, 29
third-party risk management, 335
Standards for Security Categorization of Federal Information and Information Systems, 79
standby lighting, 238
STAR (Security Trust Assurance and Risk) program, 232
stateful/dynamic packet filters, 213
Statement of Auditing Standards No. 70 (SAS 70) standard, 112
Statement on Standards for Attestation Engagements No. 16 (SSAE 16) standard, 112
statements of objectives (SOOs) in contracts, 332–333
statements of purpose in audit reports, 107
statements of work (SOWs)
contracts, 332
procurement process, 328
static analysis in software development, 253
static application security testing (SAST), 269
stations in wireless technologies, 212
statistical sampling in audits, 102
stealth viruses, 165
steganography, 217
storage
audit records, 100
incident handling, 258
media, 184
straight-line depreciation, 320
strategic planning, 297–298
budgets, 323
example, 305–307
organizational, 298–304
process, 305
questions, 339–340
review, 338–339
security decisions, 307–312
strategy, audit, 98
streams of work, 125–126
Structured Query Language (SQL) injection, 171–172
structured walk-through tests, 286
Structured What If Technique (SWIFT), 24
student records, FERPA for, 47
subcategories in NIST Cybersecurity Framework, 88
subjects
digital certificates, 227
IAM, 192–193
subnet masks for IP addresses, 205
succession planning, 241, 282
sum of years depreciation, 320
supervisors on organizational strategic plan teams, 304
supplemental guidance for security control frameworks, 86
supplies in recovery strategies and solutions, 282
supporting resources in business impact analysis, 276–277
surveillance in physical security, 236
SWIFT (Structured What If Technique), 24
switches, 204
symmetric encryption, 218–220
symmetrical DSL (SDSL), 202
SYN-ACKs in three-way handshakes, 209
system logs for incident handling, 257
system security plans (SSPs)
description, 42
documentation, 82
system use notification in IAM, 196
systems development life cycle (SDLC)
integrating security into, 245–246
methodologies, 146–148
overview, 243–244
roles and responsibilities, 246
T
T&M (time and materials) contracts, 332
tabletop walkthroughs, 286
TAFIM (Technical Architecture Framework for Information Management), 312
tailgating, 177
Target security breach, 333
task-oriented WBSs, 149
TCP (Transmission Control Protocol), 209
TCP/IP (Transmission Control Protocol/Internet Protocol) model, 206–207
teams
compliance, 36
incident response, 262
organizational strategic plans, 303–304
risk management, 19–20
security program management, 136–138
Technical Architecture Framework for Information Management (TAFIM), 312
technical architecture in strategic plans, 308
technical controls, 72–73
technical risk, 152
termination procedures for employment, 242
terms and conditions in procurement process, 328–329
territorial reinforcement in physical security, 236
tertiary facility sites, 281
tests
auditing evidence, 105
penetration, 270–271
proficiency, 270
recovery strategies and solutions, 285–286
security. See security assessment and testing
security control life cycle, 81–83
social engineering, 176–177, 270
software development, 246
text messages in social engineering testing, 177
The Open Group Architecture Framework (TOGAF), 312
third-party vendors in risk management, 333–337
threats
business impact analysis, 278
information security governance, 5
relationships, 13
three-way handshakes in TCP, 209
tiered security management structure, 10–11
TIFF format, 208
time and materials (T&M) contracts, 332
time of check/time of use (TOC/TOU) attacks, 170–171
timelines in budgets, 134
timing and race conditions, 170–171
TOC/TOU (time of check/time of use) attacks, 170–171
TOGAF (The Open Group Architecture Framework), 312
tools
PDCA plans, 127
risk management, 21, 335
topologies for LANs, 203–204
traditional methodology in SDLC, 146–147
training
interactive, 270
physical security, 241
projects, 140–142
security, 33–34, 59–63
social engineering, 175–176
team building, 138
transactions in accounting cycle, 322
transference risk management strategy, 22, 102
transient viruses, 165
Transmission Control Protocol (TCP), 209
Transmission Control Protocol/Internet Protocol (TCP/IP) model, 206–207
Transport layer in OSI model, 207, 209–210
transport media, 184
travel, physical security for, 241
trends and best practices, 58
trial balances in accounting, 322
Triple-DES (3DES), 219
Trojans
characteristics, 166
description, 15
tuning
IDSs and IPSs, 215–216
logging and monitoring, 257
two-person rule in auditing, 100
U
UAC (User Account Control), 197
UBA (user behavior analytics), 178
UDP (User Datagram Protocol), 209
units of production depreciation, 321
universe, audit, 98
unnecessary software and services, removing, 183
updating organizational strategic plans, 303
USB drive drops, 176
User Account Control (UAC), 197
user behavior analytics (UBA), 178
User Datagram Protocol (UDP), 209
user environment in recovery strategies and solutions, 281–282
user-mode rootkits, 169
V
validation of audit plans, 99
value-based budgeting, 324
value engineering in budgets, 134
value in procurement process, 327
VDSL (very high data rate DSL), 202
vendors, 326
contracts, 331–332
physical security procedures, 242–243
procurement core principles and processes, 326–331
questions, 339–340
review, 338–339
risk management, 333–337
scope agreements, 332–333
verifiable goals in organizational strategic plans, 302
very high data rate DSL (VDSL), 202
virtual networks (VLANs), 214
virtual private LAN service (VPLS), 200
virtual private networks (VPNs), 214–215
viruses
description, 15
types, 165–167
vision statements in organizational strategic plans, 299–300
VLANs (virtual networks), 214
volatile digital evidence, 264
VPLS (virtual private LAN service), 200
VPNs (virtual private networks), 214–215
vulnerabilities
assessments, 267–270
business impact analysis, 278
penetration testing, 271
relationships, 13
software, 246–252
vulnerability assessments, 33
physical security, 240
software development security, 253–254
vulnerability management
asset security, 181–183
security operations, 31
vulnerability-specific attacks
description, 15
types, 170–172
W
W32.DisTrack virus, 167
walk-through tests, 286
WANs, 199–200
technologies, 200–201
topologies, 200
warm sites, 281
waterfall methodology, 146–147
WBSs (work breakdown structures)
budgets, 133
developing, 148–149
weaponization, 15, 164
wet pipe fire suppression systems, 240
white box tests, 269, 271
wireless technologies, 202, 211–212
work breakdown structures (WBSs)
budgets, 133
developing, 148–149
workpapers, audit, 107–108
workplace culture in social engineering, 174
worms, 15, 166
X
X.25, 200
XML external entities, 195, 248–249
XSS (cross-site scripting)
overview, 171
software vulnerability, 250
Z
Zachman Framework, 309–310
Zeppelin ransomware, 168
zero-based budgeting, 323
zero-knowledge penetration testing, 271
ZeroAccess rootkit, 169
zeroizing data, 191
zones, security, 236