A cybersecurity assessment examines your security controls and how they stack up against
known vulnerabilities. It’s similar to a cyber risk assessment, a part of the risk management
process, in that it incorporates threat-based approaches to evaluate cyber resilience. A
complete security assessment includes a close look at the company’s overall security
infrastructure.
Cyber security threat monitoring describes the process of detecting cyber threats and
data breaches. IT infrastructure monitoring is a crucial part of cyber risk management,
enabling organizations to detect cyber-attacks in their infancy and respond to them
before they cause damage and disruption.
• Governance: Ensuring that organizational activities, like managing IT operations, are
aligned in a way that supports the organization's business goals.
• Risk: Making sure that any risk (or opportunity) associated with organizational activities
is identified and addressed in a way that supports the organization's business goals. In the
IT context, this means having a comprehensive IT risk management process that rolls into
an organization's enterprise risk management function.
• Compliance: Making sure that organizational activities are operated in a way that meets
the laws and regulations impacting those systems. In the IT context, this means making
sure that IT systems, and the data contained in those systems, are used and secured
properly.
Governance is about overall control and management of the organization, its processes, customs, and policies.
Risk involves knowing the location of critical data, operations, and processes.
Compliance (obligations) means that all the rules and regulations pertinent to your organization have been met.
Risk communication
Clause 11.
Risk communication is an activity to achieve agreement on how to manage risks by exchanging
and/or sharing information about risk between the decision-makers and other stakeholders.
The information includes, but is not limited to the existence, nature, form, likelihood, severity,
treatment, and acceptability of risks.
Risk assessment
overall process of risk identification (3.5.1), risk analysis (3.6.1) and risk evaluation
(3.7.1)
ISO Guide 73:2009(en)
Risk management — Vocabulary
"The amount and type of risk that an organization is willing to pursue, retain, or take on."
• Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its
business objectives
• Risk tolerance: the specific maximum risk that an organization is willing to take regarding
each relevant risk
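The three ISO Guide 73 steps above (identification, analysis, evaluation) and the appetite/tolerance distinction can be made concrete with a small risk register. The following is an added example, not part of the notes: the ordinal scales, the appetite ceiling, the per-category tolerances, and the four risks are all constructed for illustration, since neither the notes nor ISO Guide 73 prescribe numbers.

```python
"""Added example (not from the notes): a small risk register taken through
identification, analysis and evaluation, with the evaluation step comparing
each score against an assumed risk appetite and per-category risk tolerances.

The scales, thresholds, categories and risks are constructed for illustration;
the notes and ISO Guide 73 define the terms but prescribe no numbers.
"""
from dataclasses import dataclass

# Ordinal scales (assumption): 1 = lowest, 5 = highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk appetite: the amount of risk the organisation is willing to accept in
# pursuit of its objectives, expressed here as a ceiling on the score (assumed).
RISK_APPETITE = 9

# Risk tolerance: the specific maximum per risk category; it may be stricter
# than the appetite where the organisation is less willing to deviate (assumed).
RISK_TOLERANCE = {"customer data": 4, "availability": 9, "reputation": 6}


@dataclass(frozen=True)
class Risk:
    """One entry produced by risk identification."""
    name: str
    category: str
    likelihood: str
    impact: str


def analyse(risk: Risk) -> int:
    """Risk analysis: combine likelihood and impact into a single score (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def limit_for(category: str) -> int:
    """The threshold a risk must stay within: the category tolerance, never
    looser than the overall appetite."""
    return min(RISK_APPETITE, RISK_TOLERANCE.get(category, RISK_APPETITE))


def evaluate(risk: Risk) -> str:
    """Risk evaluation: 'accept' if within the limit, otherwise 'treat'
    (reduce, transfer or avoid; choosing which is a treatment decision, not made here)."""
    return "accept" if analyse(risk) <= limit_for(risk.category) else "treat"


def evaluate_register(risks):
    """Return {risk name: (score, limit, decision)} for a whole register."""
    return {r.name: (analyse(r), limit_for(r.category), evaluate(r)) for r in risks}


# Constructed register (the output of risk identification).
REGISTER = [
    Risk("Unpatched VPN appliance", "customer data", "likely", "major"),
    Risk("Single backup site", "availability", "possible", "moderate"),
    Risk("Phishing of finance staff", "reputation", "possible", "major"),
    Risk("Out-of-date printer firmware", "availability", "unlikely", "minor"),
]

if __name__ == "__main__":
    for name, (score, limit, decision) in evaluate_register(REGISTER).items():
        print(f"{name:32} score={score:2} limit={limit:2} -> {decision}")
```

The point of `limit_for` is the relationship between the two terms: the appetite is the general ceiling, and a category tolerance can only tighten it. Two risks with the same score can therefore get different decisions depending on the category they fall in, which is exactly why the notes distinguish appetite from tolerance.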
ISO 27000 Risk Assessment
International Organization for Standardization (ISO)’s 27000 series documentation for risk
management, specifically ISO 27005, supports organizations using ISO’s frameworks for
cybersecurity to build a risk-based cybersecurity program.
Similar to NIST SP 800-30, using the ISO guidance is the most beneficial for organizations
pursuing or already maintaining an ISO certification.
Policies, Procedures, Standards, and Guidelines
Policy / High-level
- A policy is a set of mandatory directives that employees must follow, providing the basic
framework upon which a company's security program is based.
Standard
Standards are mandatory courses of action or rules that give formal policies support and
direction.
Guideline
Ref: https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/
Baselines provide a minimum level of security that a company's employees and systems must meet. Like
standards, baselines help to ensure consistency. However, unlike standards, policies, and procedures, baselines
are somewhat discretionary. For example, a baseline might state that employees' computers must run Ubuntu
11.10 or a later version. Employees are not required to use Ubuntu 11.10; they can use any version of Ubuntu as
long as it is version 11.10 or higher. If employees must use a particular version of software, you should create a
standard instead.
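The baseline-versus-standard distinction above is easy to turn into a compliance check. The following is an added example, not code from the notes: it parses the `/etc/os-release` file format and tests a host either against a baseline (the Ubuntu 11.10-or-later figure used above) or against a standard (one exact version). The three os-release snippets are constructed sample input.

```python
"""Added example (not from the notes): checking a host's OS release against a
baseline (minimum version, any later one accepted) and against a standard
(one exact version mandated).

The /etc/os-release snippets are constructed sample input; the Ubuntu 11.10
figure is the one used in the notes.
"""


def parse_os_release(text: str) -> dict:
    """Parse the KEY=value lines of an os-release file (surrounding quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"')
    return fields


def version_tuple(version: str) -> tuple:
    """'11.10' -> (11, 10). Tuples compare component-wise, so 11.10 > 11.9,
    which a float or string comparison would get wrong."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def meets_baseline(os_release: str, distro: str, minimum: str) -> bool:
    """Baseline: the required distro at the minimum version or any later one."""
    f = parse_os_release(os_release)
    return f.get("ID") == distro and version_tuple(f.get("VERSION_ID", "0")) >= version_tuple(minimum)


def meets_standard(os_release: str, distro: str, exact: str) -> bool:
    """Standard: the required distro at exactly the mandated version."""
    f = parse_os_release(os_release)
    return f.get("ID") == distro and version_tuple(f.get("VERSION_ID", "0")) == version_tuple(exact)


# Constructed sample hosts (not captured from real systems).
HOST_A = 'NAME="Ubuntu"\nVERSION_ID="22.04"\nID=ubuntu\nPRETTY_NAME="Ubuntu 22.04 LTS"\n'
HOST_B = 'NAME="Ubuntu"\nVERSION_ID="10.04"\nID=ubuntu\n'
HOST_C = 'PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"\nID=debian\nVERSION_ID="12"\n'

if __name__ == "__main__":
    for label, host in (("A", HOST_A), ("B", HOST_B), ("C", HOST_C)):
        print(label, "baseline ubuntu>=11.10:", meets_baseline(host, "ubuntu", "11.10"),
              "standard ubuntu==22.04:", meets_standard(host, "ubuntu", "22.04"))
```

Note the version comparison: `float("11.10")` is `11.1`, which would rank below 11.9, so the check compares integer tuples. The two functions differ only in the operator (`>=` versus `==`), which is the whole difference between a baseline and a standard in the text above.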
Detailed explanation
Security Policy
Policies are the top tier of formalized security documents. These high-level documents offer a
general statement about the organization’s assets and what level of protection they should have.
Well-written policies should spell out who’s responsible for security, what needs to be protected,
and what is an acceptable level of risk. They are much like a strategic plan because they outline
what should be done but don’t specifically dictate how to accomplish the stated goals. Those
decisions are left for standards, baselines, and procedures. Security policies can be written to
meet advisory, informative, and regulatory needs. Each has a unique role or function.
CAUTION
The key element in policy is that it should state management’s intention toward security.
Advisory Policy
The job of an advisory policy is to ensure that all employees know the consequences of certain
behavior and actions. Here’s an example advisory policy:
Illegal copying: Employees should never download or install any commercial software,
shareware, or freeware onto any network drives or disks unless they have written
permission from the network administrator. Be prepared to be held accountable for your
actions, including the loss of network privileges, written reprimand, probation, or
employment termination if the Rules of Appropriate Use are violated.
Informative Policy
This type of policy isn’t designed with enforcement in mind; it is developed for education. Its
goal is to inform and enlighten employees. The following is an example informative policy:
CAUTION
Good policy strikes a balance and is both relevant and understandable. If a policy is too generic,
no one will care what it says because it doesn’t apply to the company. If a policy is too complex,
no one will read it—or understand it if they did.
Regulatory Policy
These policies are used to make certain that the organization complies with local, state, and
federal laws. An example regulatory policy might state:
Because of recent changes to Texas State law, The Company will now retain records of
employee inventions and patents for 10 years; all email messages and any backup of such
email associated with patents and inventions will be stored for one year.
Standards
Standards are much more specific than policies. Standards are tactical documents because they
lay out specific steps or processes required to meet a certain requirement. As an example, a
standard might set a mandatory requirement that all email communication be encrypted. So
although it does specify a certain standard, it doesn’t spell out how it is to be done. That is left
for the procedure.
Baselines
A baseline is a minimum level of security that a system, network, or device must adhere to.
Baselines are usually mapped to industry standards. As an example, an organization might
specify that all computer systems comply with a minimum Trusted Computer System Evaluation
Criteria (TCSEC) C2 standard. TCSEC standards are discussed in detail in Chapter 5, "System
Architecture and Models."
Guidelines
CAUTION
Don’t confuse guidelines with best practices. Whereas guidelines are used to determine a
recommended course of action, best practices are used to gauge liability. Best practices state
what other competent security professionals would have done in the same or similar situation.
Procedures
A procedure is the most specific of security documents. A procedure is a detailed, in-depth, step-by-step
document that details exactly what is to be done. As an analogy, when my mom sent my
wife the secret recipe for a three-layer cake, it described step by step what needed to be done and
how. It even specified a convection oven, which my mom stated was an absolute requirement.
Procedures are detailed documents; they are tied to specific technologies and devices (see Figure
3.4). You should expect to see procedures change as equipment changes. As an example,
imagine that your company has replaced its Checkpoint firewall with a Cisco PIX. Although the
policies and standards dictating the firewalls’ role in your organization probably will not change,
the procedure for configuration of the firewall will.
It’s unfortunate that sometimes instead of the donkey leading the cart, the cart leads the donkey.
By this, I mean that sometimes policies and procedures are developed as a result of a negative
event or an audit. The audit or policy shouldn’t be driving the process; the assessment should be.
The assessment’s purpose is to give management the tools needed to examine all currently
identified concerns. From this, management can prioritize the level of exposure they are
comfortable with and select an appropriate level of control. This level of control should then be
locked into policy.
- Risk assessment
Data Ownership
Data ownership and responsibility have some newer terms since the 2018 refresh.
CISSP Study Notes @ibraheem_111
Data Owner
The data owner role is assigned to the person who is responsible for classifying
information for placement and protection within the security solution. The data owner is
typically a high-level manager who is ultimately responsible for data protection.
However, the data owner usually delegates the responsibility of the actual data
management tasks to a data custodian.
Data Custodian
The data custodian role is assigned to the user who is responsible for the tasks of
implementing the prescribed protection defined by the security policy and senior
management.
Data Custodian
Typical data custodian tasks include testing backups, validating data integrity, deploying security solutions, and managing
data storage based on classification.
Data Custodians
In an organization, the data governance process should include a role for the data
custodian.
Data custodian
Data custodians are typically part of IT departments. They are usually divided further in
their areas of expertise, such as: data modeling, data architecture, database
administration, etc. They are mainly responsible for maintaining, archiving, recovering,
backing up data, preventing data loss/ corruption, etc.
Data steward
Most data stewards come from their respective business departments, not IT. In fact,
besides the System Data Steward.
5/5/2020
• Cybersecurity governance:
Cybersecurity management is a security business model consisting of two phases: security management and security governance. Security management ensures that cybersecurity risks are adequately reduced by deploying security controls, while security governance smoothly links the overall security strategies with the key business objectives and underlying regulations. Advanced Electronics Company has an independent framework for formulating cybersecurity governance policies and procedures.
Risk management involves identifying information assets, such as devices, customer data, and intellectual property, that could be compromised as a result of cyber attacks. The potential risks that could affect these assets are then assessed so that the appropriate security controls can be applied.
Audit and compliance services focus on assessing the extent to which organizations comply with the regulatory guidelines related to cybersecurity. At Advanced Electronics Company we carry out this specialized assessment of cybersecurity governance programs annually, or as the client wishes, in order to examine how ready these programs are for implementation.
RACI matrix: defining responsibilities, roles, and relationships
Simply put, a RACI matrix is a list of activities together with information about each individual's role with respect to those activities; next to each activity, the name of the person concerned is entered, according to their role, in the column assigned to that role.
The RACI model is a good way to clarify the role of each team member regardless of the size of the project. Tasks must be clearly defined, every person must understand their role, and every employee must be able to complete the tasks and activities.
The RACI model is a responsibility model that makes project costs clear at the lowest level; it is a tool for reducing confusion about expectations on the one hand and increasing efficiency on the other. Thanks to this model, decisions are made faster and responsibilities become clear. In addition, the workload is distributed evenly. The word RACI is an acronym formed from the initial letters of four English words.
• The first letter, R, is the first letter of Responsible, meaning the executor: the person assigned to carry out the work. In short, the Responsible (R) is the one tasked with completing the task (the financial controller).
• The second letter, A, is the first letter of Accountable: the person responsible for making sure the work is done adequately. In short, the Accountable (A) is the one who makes the decisions and takes the measures within the project.
• The third letter, C, is the first letter of Consulted: the person (or persons) whose input is requested in order to complete the work. In short, the Consulted (C) is the one who is consulted regarding decisions.
• The fourth and last letter, I, is the first letter of Informed: the person (or persons) who must be notified about this work. In short, the Informed (I) is the one who is kept aware of decisions and actions during the project.
• Some organizations add further responsibilities, such as Supportive and others.
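The RACI description above can be tried out on a small matrix. The following is an added example, not part of the notes: the activities and names are constructed, and the two consistency rules it checks (exactly one Accountable and at least one Responsible per activity) are a widely used RACI convention rather than something the notes state. It also accepts extra letters such as S for Supportive, which the notes mention some organizations add.

```python
"""Added example (not from the notes): a small RACI matrix with a consistency
check and a per-person view.

Activities and names are constructed. The two rules checked, exactly one
Accountable and at least one Responsible per activity, are a widely used RACI
convention; the notes only define the four letters.
"""

ROLES = {"R": "Responsible", "A": "Accountable", "C": "Consulted", "I": "Informed"}

# Constructed matrix: activity -> {person: role letter}
MATRIX = {
    "Approve security policy": {"CISO": "A", "Legal": "C", "All staff": "I"},
    "Patch production servers": {"Sysadmin": "R", "IT manager": "A",
                                 "App owner": "C", "Helpdesk": "I"},
    "Review firewall rules": {"Network lead": "R", "Security analyst": "C",
                              "CISO": "A", "IT manager": "A"},
    "Run phishing drill": {"Awareness lead": "R", "HR": "I", "Comms": "S"},
}


def validate(matrix, extra_roles=None):
    """Return {activity: [issue, ...]}; an empty list means the row is consistent.

    extra_roles registers additional letters (e.g. {"S": "Supportive"}); any
    letter not registered is reported as unknown."""
    known = {**ROLES, **(extra_roles or {})}
    report = {}
    for activity, assignments in matrix.items():
        issues = []
        letters = list(assignments.values())
        for letter in sorted(set(letters) - set(known)):
            issues.append(f"unknown role letter {letter!r}")
        accountable = letters.count("A")
        if accountable == 0:
            issues.append("no Accountable")
        elif accountable > 1:
            issues.append(f"{accountable} Accountable (expected exactly 1)")
        if "R" not in letters:
            issues.append("no Responsible")
        report[activity] = issues
    return report


def assignments_for(matrix, person, extra_roles=None):
    """The per-person view: {activity: role name} for one individual."""
    known = {**ROLES, **(extra_roles or {})}
    return {activity: known.get(row[person], row[person])
            for activity, row in matrix.items() if person in row}


def render(matrix):
    """Plain-text table: one row per activity, one column per person."""
    people = sorted({p for row in matrix.values() for p in row})
    width = max(len(a) for a in matrix)
    lines = [" " * width + "  " + "  ".join(f"{p:>14}" for p in people)]
    for activity, row in matrix.items():
        cells = "  ".join(f"{row.get(p, '-'):>14}" for p in people)
        lines.append(f"{activity:<{width}}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(MATRIX))
    for activity, issues in validate(MATRIX).items():
        print(f"{activity}: {', '.join(issues) or 'ok'}")
```

Running it flags three of the four constructed rows: the policy approval has nobody doing the work, the firewall review has two people accountable for the same decision, and the phishing drill has no Accountable at all (plus an unregistered letter until S is declared). Those are exactly the ambiguities the notes say a RACI matrix exists to remove.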
Important resources
What Is Information Security Management?
https://www.eccouncil.org/information-security-management/
https://www.youtube.com/watch?v=LTAIrFN35dc
https://www.youtube.com/watch?v=EvQmdMYeFVI
https://securityboulevard.com/2020/07/3-templates-for-a-comprehensive-cybersecurity-risk-assessment/