IS Project Complete
70 questions (HIPAA):
Training
Access Control
Endpoints
2. **Hardening Endpoints:**
- Yes, all endpoints undergo hardening processes to remove unnecessary components,
enhancing security.
Event Management
2. **Logging Devices:**
- Yes, all devices within the network infrastructure generate logs that are aggregated and
stored for analysis.
Security Architecture
Cryptography
Threat Management
enterprise structures.
Testing
Policy
Physical Security
Plans
Inventory
1. **Network Diagrams:**
- Yes, comprehensive network diagrams, including WiFi infrastructure, are maintained to
provide an overview of the entire network.
2. **Asset Inventory:**
- Yes, there's a complete inventory of all assets including their criticality levels, ownership
details, restoration instructions, and recovery time objectives.
Data Management
3. **Data Classification:**
- Yes, data classification policies are enforced throughout the network to ensure sensitive
information is appropriately handled and protected.
Software Development
Mobile Devices
The course instructor, Ashley, introduces the course by summarizing the topics covered in
the previous sessions. The course focuses on Certified Information Systems Security
Professional's eight security domains, security frameworks, controls, security audits, and
basic security tools. The course aims to provide knowledge, skills, and tools to navigate the
vast world of security and cybersecurity successfully. Ashley shares her experience as a
security analyst and emphasizes the importance of securing an organization and its assets
from threats, risks, and vulnerabilities. She then discusses the focus of the first four
security domains: security and risk management, asset security, security architecture and
engineering, and communication and network security. The security and risk management
domain includes defining security goals and objectives, risk mitigation, compliance,
business continuity, and legal regulations. The asset security domain focuses on securing
digital and physical assets, including data storage, maintenance, retention, and destruction.
The security architecture and engineering domain covers designing, implementing, and
maintaining security solutions. Finally, the communication and network security domain
involves securing communication channels, including networks, devices, and protocols.
- RMF is a risk management framework primarily used by the Department of Defense and
the U.S. Government
- It has six main steps: categorize the information system, select controls, implement
controls, assess controls effectiveness, make a decision to accept risk and authorize the
system, and continuously monitor
- There is also a seventh step of preparation
- Categorization is based on the three tenets of information security: confidentiality,
integrity, and availability
- Impact values are rated low, moderate, or high, and a security category is assigned for
each information type or system
- Different organizations may use RMF differently since it is a framework, not a regulation
- Security controls are selected based on NIST 800-53, and an initial set of baseline controls
is chosen
- Implementation, assessment, and continuous monitoring of controls follow the selection
step
The Risk Management Framework (RMF) is a risk management framework used mainly by
the Department of Defense and the US Government, defined by NIST 800-37. The process
has six main steps: categorizing the information system, selecting controls, implementing
those controls, assessing their effectiveness, accepting the risk, and continuously
monitoring the controls to ensure their effectiveness. It is important to understand that the
RMF is a framework, not a regulation, and different bodies of the government or defense
organizations use it differently. The first step, categorizing the information system, rates
the system and the information it processes, stores, or transmits against the CIA triad
(confidentiality, integrity, and availability), using impact values of low, moderate, or high.
A security category is then assigned per information type or per information system, which
helps determine how best to implement controls to protect that data. The next step is
selecting the security controls, defined by NIST 800-53, from which an initial set of
baseline controls is chosen. RMF is a continuous process that requires preparation, and it
is important to realize that the processes may vary across different organizations.
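The categorize and select steps from the RMF notes above, worked in Python as an added example (this is not code from the course or from NIST): each information type gets a confidentiality/integrity/availability impact rating, the system category is the per-objective high-water mark across all of its information types (the FIPS 199 aggregation rule, which goes a little beyond what the notes state), and the overall level picks the NIST 800-53 baseline. The patient-portal information types and their ratings are constructed for illustration.

```python
from enum import IntEnum
from typing import Dict

class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high-water mark."""
    NOT_APPLICABLE = 0  # permitted only for the confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")  # the CIA triad

def categorize_information_type(c: Impact, i: Impact, a: Impact) -> Dict[str, Impact]:
    """Security category of one information type: one impact value per objective."""
    if Impact.NOT_APPLICABLE in (i, a):
        raise ValueError("integrity and availability must be rated LOW, MODERATE or HIGH")
    return {"confidentiality": c, "integrity": i, "availability": a}

def categorize_system(info_types: Dict[str, Dict[str, Impact]]) -> Dict[str, Impact]:
    """System category = per-objective high-water mark over every information type the
    system processes, stores or transmits. A system is never below LOW on any objective,
    so a NOT_APPLICABLE confidentiality rating is raised to LOW at system level."""
    system = {obj: Impact.LOW for obj in OBJECTIVES}
    for sc in info_types.values():
        for obj in OBJECTIVES:
            system[obj] = max(system[obj], sc[obj])
    return system

def overall_impact(system_sc: Dict[str, Impact]) -> Impact:
    """FIPS 200 rule: the system's overall impact level is the highest of the three."""
    return max(system_sc.values())

def initial_baseline(level: Impact) -> str:
    """Name of the NIST SP 800-53 baseline chosen in the 'select controls' step."""
    return {Impact.LOW: "LOW", Impact.MODERATE: "MODERATE", Impact.HIGH: "HIGH"}[level]

def format_sc(sc: Dict[str, Impact]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), ...}."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES) + "}"

# Constructed sample: information types on a hypothetical patient-portal system.
SAMPLE_INFORMATION_TYPES = {
    "public web content": categorize_information_type(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    "patient health records": categorize_information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "appointment scheduling": categorize_information_type(Impact.LOW, Impact.LOW, Impact.MODERATE),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_INFORMATION_TYPES.items():
        print(f"{name}: {format_sc(sc)}")
    system_sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    level = overall_impact(system_sc)
    print(f"system: {format_sc(system_sc)} -> overall {level.name}, "
          f"select the {initial_baseline(level)} baseline from NIST 800-53")
```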
The video, featuring Ashley, a seasoned professional serving as the Customer Engineering
Enablement Lead for Security Operations Sales at Google, unveils a robust and extensive
security course designed to equip students with an in-depth understanding of
cybersecurity. Ashley, who assumes the role of the course instructor, meticulously outlines
the diverse array of topics covered, ranging from fundamental security definitions and job
responsibilities to core skills, key events, frameworks, controls, and strategies for risk
reduction based on the fundamental principles of the CIA triad.
The overarching objective of the course is explicitly laid out: to empower students with the
knowledge and skills necessary to navigate the intricacies of the cybersecurity landscape
adeptly. Ashley underscores the importance of cultivating the ability to manage risks
effectively and comprehend the myriad threats that organizations face in today's digital
era. The curriculum encompasses critical elements such as the eight security domains
stipulated by the Certified Information Systems Security Professional (CISSP), the Risk
Management Framework (RMF) crafted by the National Institute of Standards and
Technology (NIST), security audits, and a fundamental understanding of essential security
tools.
Diving into the specifics, Ashley takes the time to break down the initial four security
domains covered in the course. These domains, namely security and risk management,
asset security, security architecture and engineering, and communication and network
security, serve as foundational pillars for comprehending the multifaceted aspects of
cybersecurity. In the security and risk management domain, Ashley elaborates on key
facets such as defining security goals, implementing risk mitigation strategies, ensuring
compliance, addressing business continuity, and navigating the complex web of legal
regulations.
The focus then shifts to asset security, a domain that delves into the meticulous
safeguarding of both digital and physical assets. This includes a keen emphasis on
protecting sensitive information such as Personally Identifiable Information (PII) and
Sensitive Personally Identifiable Information (SPII). The depth of coverage in these early
domains underscores the course's commitment to providing a holistic understanding of
cybersecurity, addressing not only theoretical concepts but also practical applications in
securing assets and managing risks effectively.
Building on this foundation, the video transitions to an exploration of the Risk Management
Framework (RMF), a comprehensive and widely utilized framework primarily adopted by
the Department of Defense and the U.S. Government. Ashley walks through the six main
steps integral to the RMF process: categorizing the information system, selecting controls,
implementing controls, assessing control effectiveness, accepting risk, and continuous
monitoring. It's highlighted that RMF, contrary to being a rigid regulation, is a flexible
framework, allowing organizations to tailor its implementation to their specific needs.
Augmenting the video content, additional information is introduced, shedding light on the
criticality of security risk assessments. This supplementary insight outlines the myriad
reasons for undertaking security risk assessments, encompassing elements such as cost
justification, productivity enhancement, organizational barrier-breaking, self-analysis, and
improved communication. The document underscores the pivotal role of security risk
assessments in identifying, quantifying, and mitigating risks, ultimately ensuring the
preservation of an organization's mission.
In summary, the video, enriched by Ashley's expertise and external insights, provides a
comprehensive and detailed overview of the security course. It meticulously covers
fundamental concepts, industry frameworks, and practical applications, presenting an
educational journey that goes beyond theoretical understanding to encompass the
practicalities of securing assets and navigating the evolving landscape of cybersecurity
threats.