SEI-CMMI
#1) SEI
SEI stands for 'Software Engineering Institute' at Carnegie Mellon University, established by
the U.S. Department of Defense to help improve software development processes.
#2) CMM
CMM stands for 'Capability Maturity Model', developed by the SEI. It is a model of 5 levels of
organizational 'maturity' that determine how effectively an organization delivers quality software.
Process – document that describes the OVERALL SET OF ACTIVITIES PERFORMED TO ACHIEVE A PARTICULAR OBJECTIVE
Standard – document that describes configuration settings or specifies the use of particular protocols, technologies, or products
Business case – current state, desired end state, requirements, approach, and plan
AUDIT REPORTS ARE THE BEST WAY TO UNDERSTAND EFFECTIVENESS OF CONTROLS!!!
RACI Chart – specifies the responsible, accountable, consulted, and informed parties in org
Best way to engage execs is to understand their perspective and learn more about the business
CHAPTER 2
RISK REGISTER
- Recording risk assignees
- Categorizing risks
- Recording risk treatment decisions
CVSS – Common Vulnerability Scoring System most common method used to score SEVERITY of vuln
THE BUSINESS OWNER SHOULD OWN A RISK IDENTIFIED IN AN IT SYSTEM (the owner of the business process that system supports), not IT
Requirements classified as ADDRESSABLE in HIPAA are OPTIONAL ONLY IF THE ORG HAS CONDUCTED A
RISK ASSESSMENT AND DOCUMENTED JUSTIFICATION FOR NOT USING A CONTROL (and implemented an equivalent alternative measure where one is reasonable and appropriate)
Threat assessment – used to understand damaging events that could take place
Policy – defines what must be done or not done, without specifying HOW it is to be done. How is often
specified in a procedure or standard
Trailing indicator – measures historic performance (what already happened)
Leading indicator – predicts future performance (what is likely to happen)
Charter – formally defines a team or function and often includes descriptions of services provided / SLAs
An access owner needs user role info, time to perform the access certification, and some way to record the results
SOC Audit – a qualified opinion means the auditee has failed in one or more of its HIGH-LEVEL CONTROL OBJECTIVES
In a control assessment, the presence of an exception means one or more events managed by the control
were not performed correctly
After a security policy has been updated it should be published and you should inform the workers of the org
A periodic review of the security program with management can help ensure the program is aligned with program strategy
Chapter 4
Tabletop exercises should occur as frequently as needed to ensure that responders are familiar with procedures
Forensic analysis tools – identify events and artifacts on a system/network that could be incident related
A consultant reading the steps in an incident response plan aloud and soliciting discussion = INCIDENT RESPONSE TRAINING
Escalation procedure is used to identify the execs that should be contacted in various situations and severity levels
Create templates with prewritten communications as part of incident response planning to save time and improve communications
Purpose of incident escalation process – PROPER NOTIFICATION OF BUSINESS EXECS OF AN INCIDENT IN PROGRESS
Incident responders should be provided with incident response plans via SOFT COPY, kept somewhere that stays reachable
when the affected systems are down (e.g., on responders' own devices or an out-of-band location), with a hard copy as a fallback
Incident severity helps determine the levels of management that need to be informed of the incident.
Classification of an incident generally indicates the systems, apps, or locations involved in an incident,
which helps identify which responders may be needed
Data replication could result in data encrypted by ransomware being replicated to other storage sites, so replication
alone is not a backup; keep point-in-time copies that the replication cannot overwrite
Main steps of sec incident response: DETECT, INITIATE, EVAL, ERADICATE, RECOVERY, REMEDIATE,
CLOSURE, REVIEW
Main group of personnel who need incident severity and classification info are those authorized to
declare an incident