Know about security boundaries. A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.
Understand security governance. Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
Know about third-party governance. Third-party governance is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor.
Understand documentation review. Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations. In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO).
Understand alignment of security function to business strategy, goals, mission, and objectives. Security management planning ensures proper creation, implementation, and enforcement of a security policy. Security management planning aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.
Know what a business case is. A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security.
Understand security management planning. Security management is based on three types of plans: strategic, tactical, and operational. A strategic plan is a long-term plan that is fairly stable. It defines the organization's goals, mission, and objectives. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.
Know the elements of a formalized security policy structure. To create a comprehensive security plan, you need the following items in place: security policy, standards, baselines, guidelines, and procedures.
Understand organizational process. Security governance needs to address every aspect of an organization. This includes the organizational processes of acquisitions, divestitures, and governance committees.
Understand key security roles. The primary security roles are senior manager, security professional, asset owner, custodian, user, and auditor.
Know the basics of COBIT. Control Objectives for Information and Related Technology (COBIT) is a security concept infrastructure used to organize the complex security solutions of companies.
Understand due diligence and due care. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.
Know the basics of threat modeling. Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. Key concepts include assets/attackers/software, STRIDE, PASTA, VAST, diagramming, reduction/decomposing, and DREAD.
Understand supply chain risk management (SCRM) concepts. SCRM is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners. SCRM includes evaluating risks associated with hardware, software, and services; performing third-party assessment and monitoring; establishing minimum security requirements; and enforcing service-level requirements.
Written Lab
1 Discuss and describe the CIA Triad.
2 What are the requirements to hold a person accountable for the actions of their user account?
3 Name the six primary security roles as defined by (ISC)2 for CISSP.
4 What are the four components of a complete organizational security policy and their basic purpose?
Review Questions
1 Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?Stealing passwords using a keystroke logging toolEavesdropping on wireless network communicationsHardware destruction caused by arsonSocial engineering that tricks a user into providing personal information to a false website
2 Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security?A network's border perimeterThe CIA TriadAAA servicesEnsuring that subject activities are recorded
3 James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?IdentificationAvailabilityEncryptionLayering
4 Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance?Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
5 You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization's security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create?Tactical planOperational planStrategic planRollback plan
6 Annaliese's organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are example of those risks? (Choose all that apply.)Inappropriate information disclosureIncreased worker complianceData lossDowntimeAdditional insight into the motivations of inside attackersFailure to achieve sufficient return on investment (ROI)
7 Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure?ITILISO 27000CISCSF
8 A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional