
CISSP Study Session

Welcome!
• Module 1 – Introduction, Security & Risk Management
• Module 2 – Asset Security, Security Architecture & Engineering
• Module 3 – Communication & Network Security, Identity & Access Management
• Module 4 – Security Assessment & Testing, Security Operations,
Software Development Security
• Assessment
Introduction to the CISSP certification
Overview
• Issued by (ISC)2
• Vendor agnostic
• Considered to be the ‘gold standard’ certification
• Often described as ‘mile-wide, inch-deep’
Getting Certified
• Professional experience requirements in the CISSP domains
• Prepare for the exam
• Sit and pass the exam
• Find an endorser
• Apply for certification
• Annual Maintenance Fee (AMF)
• Associate of (ISC)2
CISSP domains
• Domain 1 – Security and Risk Management
• Domain 2 – Asset Security
• Domain 3 – Security Architecture and Engineering
• Domain 4 – Communication and Network Security
• Domain 5 – Identity and Access Management (IAM)
• Domain 6 – Security Assessment and Testing
• Domain 7 – Security Operations
• Domain 8 – Software Development Security
Recommended Text
(ISC)2 CISSP Certified Information Systems Security
Professional Official Study Guide, 9th Edition
Mike Chapple, James Michael Stewart, Darril Gibson

Official Wiley Link


Domain 1 – Security and Risk Management
CIA triad
• Confidentiality
• Integrity
• Availability
When CIA fails…
DAD triad
• Disclosure
• Alteration
• Destruction
Policies, Standards, Procedures, etc.
Hierarchy (top to bottom):
• Policy
• Standards & Frameworks
• Procedures
• Tools, guidelines, templates
Policies
• Top tier
• High level
• Best described as the “Why?”
Standards
• Contain specific requirements
• Best described as the “What?”
• Consider frameworks and any legal/regulatory/contractual
requirements
Procedures
• Step-by-step
• Could discuss an entire system or an aspect
• Ensures a consistent approach
• Best described as the “How?”
• Also referred to as Standard Operating Procedures (SOP)
Guidelines
• Provides guidance and recommendations
• Flexible
• Not compulsory
Baselines
• Is a minimum level of security that a system must meet
• Useful for identifying changes or “baseline drift”
• Many free templates available (e.g. Microsoft, CIS)
Nonrepudiation
• What is it?
• Why is it important?
Nonrepudiation
Simply put:
“Nonrepudiation ensures that the subject of an activity or who caused an event cannot deny that the event occurred.”
(Chapple, Stewart and Gibson, 2021, p. 8)
What controls could help ensure nonrepudiation?
• Digital signing
• Logs and auditing
• Blockchain?
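The first two controls above are easiest to see side by side. The following is an added example, not from the slides or the study guide: an audit-log entry is signed by the actor's private key (nonrepudiation, because only the holder of that key could have produced the signature) and the same entry is protected with an HMAC (integrity only, because the log server holds the shared key too and could mint a valid tag for an entry the actor never made). It assumes the third-party `cryptography` package; the log entry, actor names and shared secret are constructed for illustration.

```python
"""Added example (not from the slides): a signed audit-log entry as a
nonrepudiation control, contrasted with an HMAC that only gives integrity.

Assumes the third-party `cryptography` package is installed. The log entry,
actor names and shared secret are constructed for illustration.
"""
import hashlib
import hmac
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def canonical(entry: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(private_key: Ed25519PrivateKey, entry: dict) -> bytes:
    """The actor signs the event with a private key only they hold."""
    return private_key.sign(canonical(entry))


def verify_entry(public_key: Ed25519PublicKey, entry: dict, signature: bytes) -> bool:
    """Anyone holding the public key can check the signature without any secret."""
    try:
        public_key.verify(signature, canonical(entry))
        return True
    except InvalidSignature:
        return False


def hmac_tag(shared_key: bytes, entry: dict) -> str:
    """Integrity check only: every holder of shared_key can produce this tag."""
    return hmac.new(shared_key, canonical(entry), hashlib.sha256).hexdigest()


def hmac_verify(shared_key: bytes, entry: dict, tag: str) -> bool:
    """Constant-time comparison of a stored tag against a recomputed one."""
    return hmac.compare_digest(hmac_tag(shared_key, entry), tag)


def demo() -> dict:
    """Sign, verify, tamper, then show why a shared-key MAC cannot attribute."""
    # Constructed sample: a privileged action that later needs to be attributed.
    entry = {
        "ts": "2024-05-01T09:30:00Z",
        "actor": "alice",
        "action": "disable_mfa",
        "target": "bob",
    }
    alice_key = Ed25519PrivateKey.generate()   # held only by alice
    alice_pub = alice_key.public_key()         # published to the log server
    signature = sign_entry(alice_key, entry)

    # Someone edits the stored entry after the fact.
    tampered = dict(entry, action="delete_user")

    # The log server tries to fabricate an entry in alice's name with its own key.
    server_key = Ed25519PrivateKey.generate()
    forged_sig = sign_entry(server_key, tampered)

    # With a shared secret the server can mint a valid tag for the forgery,
    # so a valid tag cannot prove that alice was the author.
    shared = b"constructed-shared-secret"
    forged_tag = hmac_tag(shared, tampered)

    return {
        "original_verifies": verify_entry(alice_pub, entry, signature),
        "tampered_verifies": verify_entry(alice_pub, tampered, signature),
        "forged_signature_verifies": verify_entry(alice_pub, tampered, forged_sig),
        "forged_hmac_verifies": hmac_verify(shared, tampered, forged_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature alone is not the whole control: nonrepudiation also depends on the private key never leaving the actor's custody (hardware token or similar), a trusted timestamp, and a tamper-evident log store, otherwise the actor can plausibly claim the key was compromised or the entry was inserted later.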
Threat Modelling
• The process of identifying, categorising and analysing threats
• Best to be done at the start of the project lifecycle (but isn’t always)
• Should be undertaken periodically
• Approaches
• Defensive/proactive
• Reactive
Risk Management
• Risk management is the identification, evaluation and prioritisation of
risk.
• Risk Standards/Frameworks
• ISO 31000:2018
• ISO 27005:2018
• NIST Special Publication 800-37
• Information Security Risk Management Toolkit
• Risks can be positive or negative
Risk Management Lifecycle (a continuous cycle)
• Identify
• Analyse
• Evaluate
• Treat
• Monitor (feeds back into Identify)
Identify - Risk Sources
• Assets
• Threats
• Existing controls
• Vulnerabilities
• Consequence
• Other
Analysis and Evaluation
• Risk Appetite
• The total amount of risk an organisation is willing to accept in aggregate
• Risk Tolerance
• The amount of risk an organisation is willing to accept per asset/system
• Risk Limit
• The maximum level of risk before further actions are taken.
Analysis and Evaluation
• Calculating risk
• Qualitative vs quantitative risk
• Can you put a value on it?
Quantitative Risk
SLE=AV x EF
SLE = Single Loss Expectancy
AV = Asset Value
EF = Exposure Factor
ALE=SLE x ARO
ALE = Annual Loss Expectancy
SLE = Single Loss Expectancy
ARO = Annual Rate of Occurrence
Qualitative Risk
Risk rating by likelihood (rows) and consequence (columns):

                 Low        Medium     High       Extreme    Catastrophic
Almost Certain   Low        Medium     High       Very High  Very High
Likely           Low        Low        Medium     High       Very High
Possible         Low        Low        Medium     Medium     High
Unlikely         Very Low   Low        Low        Medium     High
Rare             Very Low   Very Low   Low        Low        Medium
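The quantitative formulas and the qualitative matrix above, carried through in code as an added example (not from the slides or the study guide). It goes a step beyond the slides by adding the control cost/benefit calculation used to decide whether a mitigation is worth buying, and a tolerance check that ties a rating back to the risk tolerance defined earlier. All asset values, exposure factors, rates, control costs and the tolerance level are constructed for illustration; the formulas and the 5x5 matrix are the ones on the slides.

```python
"""Added example (not from the slides): SLE/ALE and the qualitative matrix
in code, with a control cost/benefit step and a tolerance check.

All asset values, exposure factors, rates and control costs are constructed
for illustration; only the formulas and the matrix come from the slides.
"""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF, EF being the fraction of AV lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO.
    ARO may be below 1: an event expected once a decade has ARO 0.1."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = (ALE before - ALE after) - its annual cost.
    Negative means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_cost


@dataclass
class Risk:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return sle(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return ale(self.sle, self.aro)


def rank_by_ale(risks: list) -> list:
    """Prioritise treatment: highest expected annual loss first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


# The qualitative matrix as on the slide: rows are likelihood, columns consequence.
CONSEQUENCES = ["Low", "Medium", "High", "Extreme", "Catastrophic"]
MATRIX = {
    "Almost Certain": ["Low", "Medium", "High", "Very High", "Very High"],
    "Likely":         ["Low", "Low", "Medium", "High", "Very High"],
    "Possible":       ["Low", "Low", "Medium", "Medium", "High"],
    "Unlikely":       ["Very Low", "Low", "Low", "Medium", "High"],
    "Rare":           ["Very Low", "Very Low", "Low", "Low", "Medium"],
}
RATING_ORDER = ["Very Low", "Low", "Medium", "High", "Very High"]


def qualitative_rating(likelihood: str, consequence: str) -> str:
    """Look up the rating; unknown labels raise rather than silently defaulting."""
    try:
        return MATRIX[likelihood][CONSEQUENCES.index(consequence)]
    except (KeyError, ValueError) as exc:
        raise ValueError(f"unknown likelihood/consequence: {likelihood}/{consequence}") from exc


def exceeds_tolerance(rating: str, tolerance: str) -> bool:
    """True when the rating is above what the organisation accepts for this
    asset, i.e. further treatment is required."""
    return RATING_ORDER.index(rating) > RATING_ORDER.index(tolerance)


def demo() -> dict:
    """Constructed risks: a public web server and a laptop fleet."""
    web = Risk("web defacement", asset_value=200_000, exposure_factor=0.25, aro=0.5)
    laptops = Risk("laptop theft", asset_value=500_000, exposure_factor=0.02, aro=4)
    # Constructed control: a WAF that cuts the web server's EF to 5% for 12k/year.
    web_with_waf = Risk("web defacement + WAF", 200_000, 0.05, 0.5)
    rating = qualitative_rating("Rare", "Catastrophic")
    return {
        "web_sle": web.sle,
        "web_ale": web.ale,
        "laptop_ale": laptops.ale,
        "priority": rank_by_ale([web, laptops]),
        "waf_net_benefit": control_net_benefit(web.ale, web_with_waf.ale, 12_000),
        "rare_catastrophic": rating,
        "treat_rare_catastrophic": exceeds_tolerance(rating, "Low"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the ranking by ALE and the ranking by the matrix can disagree: the laptop fleet has the larger ALE because theft is frequent, while a rare but catastrophic event can still land in the "Medium" cell and escape treatment if tolerance is set loosely. That is why the slides keep both methods.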
Risk Treatment
• Prioritise Risk Treatment
• Develop Treatment Plans
• Treatment Options
• Mitigation
• Assignment/Transfer
• Acceptance
• Avoidance
• Deterrence
• Rejection
Personnel Security
• People are often considered the weakest link.
• Increase in people-centric attacks such as:
• Phishing
• Vishing
• Smishing
• Insider threats (malicious or accidental)
Mitigating Controls
• Security Awareness & Education
• Phishing Tests
• Social Engineering Tests
• Background Screening
Laws, Regulations & Compliance
• The CISSP is issued by (ISC)2, which is a US-based organisation.
• Consequently, many of the laws and regulations referred to are US ones.
Categories of Law
• Civil Law
• Criminal Law
• Administrative Law
Some Relevant Laws
• Computer Fraud & Abuse Act (CFAA)
• National Information Infrastructure Protection Act of 1996
• Federal Information Security Management Act (FISMA)
• Copyright & Digital Millennium Copyright Act
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• International Traffic in Arms Regulation (ITAR)
• EU General Data Protection Regulation (GDPR)
• Australian Privacy Act 1988 (Cth)
• USA PATRIOT Act
• CLOUD Act
Readings
• CISSP Official Study Guide (Ninth Edition) – Chapters 1-4.

Questions & Quiz?
About Me
Dr. Georg Thomas
Senior Manager, Deloitte Australia
20+ years industry experience
DInfoTech, MMgmt(InfoTech), BInfoTech(SysAdmin)
CCISO, CDPSE, CISM, CISSP, ISO27001 Lead Implementer, GRCP, MACS Snr. CP (Cyber Security), MCSE
ACS Profession Advisory Board Member
linkedin.com/in/georgthomas
@georgathomas
scholar.google.com/citations?user=z72s_9MAAAAJ
References
• Chapple, M., Stewart, J. M., & Gibson, D. (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (9th ed.). Wiley.
