Chapter 1

CPO = chief PRIVACY officer

SEI-CMMI
#1) SEI
SEI stands for ‘Software Engineering Institute' at Carnegie Mellon University, initiated by
the U.S. Defense Department to help improve software development processes.

#2) CMM
CMM stands for ‘Capability Maturity Model', developed by the SEI. It's a model of 5 levels of
organizational ‘Maturity' that determine effectiveness in delivering quality software.

It is geared to large organizations such as large U.S. Defense Department contractors.


However, many of the QA processes involved are appropriate to any organization, and if
reasonably applied can be helpful.

Organizations can receive CMM ratings by undergoing assessments by qualified auditors.

Level 1 – Characterized by chaos, periodic panics, and heroic efforts required by
individuals to successfully complete projects. Few if any processes in place; successes may
not be repeatable.
Level 2 – Software project tracking, requirements management, realistic planning, and
configuration management processes are in place, successful practices can be repeated.
Level 3 – Standard software development and maintenance processes are integrated
throughout an organization, a Software Engineering Process Group is in place to oversee
software processes, and training programs are used to ensure understanding and
compliance.
Level 4 – Metrics are used to track productivity, processes, and products. Project
performance is predictable, and quality is consistently high.
Level 5 – The focus is on continuous process improvement. The impact of new processes
and technologies can be predicted and effectively implemented when required.

Process – document that describes the OVERALL ACTIVITIES THAT TAKE PLACE IN A PARTICULAR AREA

Standard – document that describes config settings or specifies the use of particular protocols, tech, or products

Policy – statement that defines desired behavior (acceptable use)

Procedure – step by step instructions to perform a task

Business case – current state, desired end state, reqs, approach, and plan
AUDIT REPORTS ARE THE BEST WAY TO UNDERSTAND EFFECTIVENESS OF CONTROLS!!!

RACI Chart – specifies the responsible, accountable, consulted, and informed parties in org

Best way to engage execs is to understand their perspective and learn more about the business

Chapter 2
RISK REGISTER
- Recording risk assignees
- Categorizing risks
- Recording risk treatment decisions

ONLY LEGAL COUNSEL SHOULD DETERMINE APPLICABILITY OF POTENTIALLY RELEVANT LAWS/REGS

CVSS – Common Vulnerability Scoring System; the most common method used to score the SEVERITY of a vuln

Controls shouldn’t be so specific that changing SW makes you non-compliant

THE BUSINESS OWNER SHOULD OWN A RISK IDENTIFIED IN AN IT SYSTEM (the system they’re in charge of)

Requirements classified as ADDRESSABLE in HIPAA are OPTIONAL ONLY IF THE ORG HAS CONDUCTED A
RISK ASSESSMENT AND DOCUMENTED JUSTIFICATION FOR NOT USING A CONTROL

ORGANIZATIONS CANNOT OPT OUT OF PCI-DSS CONTROLS!!!!

Threat assessment – used to understand damaging events that could take place

Risk response = risk treatment in NIST 800-39

Control self-assessment – determines compliance with internal policies

Document marking – labeling the document according to classification

Virtualization Sprawl – uncontrolled proliferation of virtual assets (VMs)


Chapter 3

Policy – defines what must be done or not done, without specifying HOW it is to be done. The HOW is often
specified in a procedure or standard

DIFFERENCE BETWEEN TRAILING AND LEADING INDICATORS?!?

Trailing – historic
Leading - future

24/7/365 event monitoring needs a staff of roughly 12 people

Charter – formally defines a team or function and often includes descriptions of services provided / SLAs

An access owner needs user role info, time to perform access cert, and some way to record results

SOC Audit – a qualified opinion means the auditee has failed in one or more of its HIGH LEVEL CONTROL OBJ.

In control assessment, presence of an exception means one or more events managed by the control
were not performed correctly

After a sec pol has been updated it should be published and you should inform workers of the org

A periodic review of the sec prog with management can help ensure the prog is aligned w prog strat

Chapter 4

Severity – describes incident impact


Classification – describes type or location of incident

Dedicated conference bridge / war room facilitates communication during incident


Dwell time – time required to recognize an incident

LEGAL IS COMMONLY THE RIGHT GROUP TO APPROVE EXTERNAL COMMS

Tabletop exercises should occur as frequently as needed to ensure that responders are familiar w procs

Forensic analysis tools – ID events and artifacts on a system/network that could be incident related

A consultant reading the steps of an incident resp plan and soliciting discussion = INCIDENT RESP TRAINING

Escalation procedure is used to ID execs that should be contacted in various sits and sev levels

Incident response plan docs should be reviewed AT LEAST ONCE A YEAR

Create templates with prewritten comms as part of incident resp planning to save time and improve comms

Purpose of incident escalation process – PROPER NOTIFICATION OF BIZ EXEC OF INCIDENT IN PROGRESS

Incident responders should be provided with incident resp plans via SOFT COPY

SIEM can create alarms when actionable events occur

Incident severity helps determine the levels of management that need to be informed of the incident.

Classification of an incident generally indicates the systems, apps, or locations involved in an incident,
which helps ID which responders may be needed

Data replication could result in data encrypted by ransomware to be replicated to other storage sites

Main steps of sec incident response: DETECT, INITIATE, EVAL, ERADICATE, RECOVERY, REMEDIATE,
CLOSURE, REVIEW

Main group of personnel who need incident severity and classification info are those authorized to
declare an incident