Welcome!
• Module 1 – Introduction, Security & Risk Management
• Module 2 – Asset Security, Security Architecture & Engineering
• Module 3 – Communication & Network Security, Identity & Access Management
• Module 4 – Security Assessment & Testing, Security Operations, Software Development Security
• Assessment
Introduction to the CISSP certification
Overview
• Issued by (ISC)2
• Vendor agnostic
• Considered to be the ‘gold standard’ certification
• Often described as ‘mile-wide, inch-deep’
Getting Certified
• Professional experience requirements in the CISSP domains
• Prepare for the exam
• Sit and pass the exam
• Find an endorser
• Apply for certification
• Annual Maintenance Fee (AMF)
• Associate of (ISC)2
CISSP domains
• Domain 1 – Security and Risk Management
• Domain 2 – Asset Security
• Domain 3 – Security Architecture and Engineering
• Domain 4 – Communication and Network Security
• Domain 5 – Identity and Access Management (IAM)
• Domain 6 – Security Assessment and Testing
• Domain 7 – Security Operations
• Domain 8 – Software Development Security
Recommended Text
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition
Mike Chapple, James Michael Stewart, Darril Gibson
CIA triad
• Confidentiality
• Integrity
• Availability
When CIA fails…
DAD triad
• Disclosure
• Alteration
• Destruction
Policies, Standards, Procedures, etc.
• Policy
• Standards & Frameworks
• Procedures
Risk management cycle
• Identify
• Analyse
• Evaluate
• Treat
• Monitor
Identify - Risk Sources
• Assets
• Threats
• Existing controls
• Vulnerabilities
• Consequence
• Other
Analysis and Evaluation
• Risk Appetite
  • The total amount of risk an organisation is willing to aggregate.
• Risk Tolerance
  • The amount of risk an organisation is willing to accept per asset/system.
• Risk Limit
  • The maximum level of risk before further actions are taken.
Analysis and Evaluation
• Calculating risk
• Qualitative vs quantitative risk
• Can you put a value on it?
SLE = AV x EF
ALE = SLE x ARO

Qualitative risk matrix (Likelihood x Consequence):

Likelihood     | Low      | Medium   | High   | Extreme   | Catastrophic
Almost Certain | Low      | Medium   | High   | Very High | Very High
Likely         | Low      | Low      | Medium | High      | Very High
Possible       | Low      | Low      | Medium | Medium    | High
Unlikely       | Very Low | Low      | Low    | Medium    | High
Rare           | Very Low | Very Low | Low    | Low       | Medium
Quantitative Risk
SLE=AV x EF
SLE = Single Loss Expectancy
AV = Asset Value
EF = Exposure Factor
ALE=SLE x ARO
ALE = Annual Loss Expectancy
SLE = Single Loss Expectancy
ARO = Annual Rate of Occurrence
Qualitative Risk

Likelihood     | Low      | Medium   | High   | Extreme   | Catastrophic
Almost Certain | Low      | Medium   | High   | Very High | Very High
Likely         | Low      | Low      | Medium | High      | Very High
Possible       | Low      | Low      | Medium | Medium    | High
Unlikely       | Very Low | Low      | Low    | Medium    | High
Rare           | Very Low | Very Low | Low    | Low       | Medium
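The quantitative formulas (SLE = AV x EF, ALE = SLE x ARO) and the qualitative likelihood/consequence matrix above can be put into a small script. The example below is an added illustration, not code from the slides or the study guide; the asset values, exposure factors, occurrence rates, and the per-asset tolerance and aggregate appetite thresholds are constructed sample figures. It goes slightly beyond the slides by checking each asset's ALE against a risk tolerance and the summed ALE against a risk appetite, which are the terms defined in the "Analysis and Evaluation" slide.

```python
"""Quantitative (SLE/ALE) and qualitative (matrix) risk calculations.

Added worked example for the CISSP risk management slides; the
threshold and asset figures below are constructed, not from the course.
"""
from dataclasses import dataclass

# Qualitative matrix exactly as shown on the slide:
# rows are likelihood, columns are consequence.
CONSEQUENCE = ["Low", "Medium", "High", "Extreme", "Catastrophic"]
MATRIX = {
    "Almost Certain": ["Low", "Medium", "High", "Very High", "Very High"],
    "Likely":         ["Low", "Low", "Medium", "High", "Very High"],
    "Possible":       ["Low", "Low", "Medium", "Medium", "High"],
    "Unlikely":       ["Very Low", "Low", "Low", "Medium", "High"],
    "Rare":           ["Very Low", "Very Low", "Low", "Low", "Medium"],
}


def qualitative_rating(likelihood: str, consequence: str) -> str:
    """Look up the risk rating for a likelihood/consequence pair."""
    if likelihood not in MATRIX:
        raise ValueError(f"unknown likelihood: {likelihood!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence: {consequence!r}")
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is how many times per year the event is expected."""
    if aro < 0:
        raise ValueError("annual rate of occurrence must be non-negative")
    return sle * aro


@dataclass
class Risk:
    """One asset/threat pairing with the inputs the quantitative method needs."""
    asset: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)


def assess(risks: list[Risk], tolerance_per_asset: float, appetite: float) -> dict:
    """Compare each ALE to the per-asset tolerance and the total to the appetite.

    Returns a summary dict so the caller can decide which risks need treatment.
    """
    per_asset = {r.asset: r.ale for r in risks}
    total = sum(per_asset.values())
    return {
        "ale": per_asset,
        "over_tolerance": sorted(a for a, ale in per_asset.items() if ale > tolerance_per_asset),
        "total_ale": total,
        "over_appetite": total > appetite,
    }


# Constructed sample register (hypothetical assets and figures).
SAMPLE_RISKS = [
    Risk("customer database", asset_value=400_000, exposure_factor=0.5, aro=0.2),
    Risk("public web server", asset_value=50_000, exposure_factor=0.8, aro=2.0),
]
SAMPLE_TOLERANCE = 50_000   # constructed: max ALE accepted per asset
SAMPLE_APPETITE = 100_000   # constructed: max aggregate ALE the organisation accepts


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.asset}: SLE={r.sle:,.0f} ALE={r.ale:,.0f}")
    print(assess(SAMPLE_RISKS, SAMPLE_TOLERANCE, SAMPLE_APPETITE))
    print("Unlikely / Extreme ->", qualitative_rating("Unlikely", "Extreme"))
```

With the constructed register, the web server's high occurrence rate gives it a larger ALE (80,000) than the far more valuable database (40,000), which is the point of multiplying by ARO rather than ranking assets by value alone; the aggregate of 120,000 exceeds the sample appetite, so treatment would be needed even though only one asset breaches its individual tolerance.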
Questions & Quiz?
About Me
Dr. Georg Thomas
Senior Manager, Deloitte Australia
20+ years industry experience
DInfoTech, MMgmt(InfoTech), BInfoTech(SysAdmin)
CCISO, CDPSE, CISM, CISSP, ISO27001 Lead Implementer, GRCP, MACS Snr. CP (Cyber Security), MCSE
ACS Profession Advisory Board Member
linkedin.com/in/georgthomas
@georgathomas
scholar.google.com/citations?user=z72s_9MAAAAJ
References
• Chapple, M., Stewart, J. M., Gibson, D. (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Wiley.