
INFO 6010: CISSP Prep

Week 1:
Introduction to the Course

Prof. James Robertson


Fall 2023
Meet your Instructor: James Robertson

•Professor, School of IT
•Room G3001
•Meetings by appointment only (no set office hours – please email me)
•jrobertson@fanshaweonline.ca

•Can post short bio on FOL if you are interested 


• Started teaching part time in ISM in 2015/16
• Full-time ISM in 2019
• Program Coordinator for CYB1 from 2020-2023
• PhD(c) Researching the cyber skills of frontline law enforcement

Our Agenda for Today

Part 1: Introduction to the Course


•The Routine
•Course Outline
•Course Overview

Part 2: Today’s Lesson


•What is ISC2’s CBK? What is CISSP (and why have a course on it?)
•Discussion on the 8 Knowledge Domains
•Domain #1: Security and Risk Management
Let’s Get Engaged! (not the wedding kind!)

•Has anyone used Google Jamboard before?


•Click on the icon on the left and then choose a spot on the canvas on the right.
•Good news! It’s anonymous.
•If the page starts to get full, then start a new page (at the top/middle of the page)

•I want you to share a comment, image, or quote that summarizes your first
term in ISM or NSA.
• Consider your favorite class, or course, or system/software/tool
• What was your most memorable learning experience?
• Ex. made new friends, learned new concepts,
• What did you NOT like about the first term?
• Maybe your most memorable part of being a student wasn’t about the program, but rather
about the college experience?

•Here is the link to the Jamboard:


https://jamboard.google.com/d/1veMEunl2sQ4toj9AFbDUCz6NOJF9BLqYUpDQWHkio6A/edit?usp=sharing
Recordings and Lectures

•Class is online every Wednesday afternoon


•Attendance is required unless you are a registered part-time
student.
•No grades for attendance, so a doctor’s note is not required for missed
tutorials.

•Please prepare for class each week.


•Read the lecture slides beforehand. Make notes of your questions.
•Read the book chapter for that week BEFORE the lesson
• The breakdown of what is covered each week is located in the Course Plan in FOL
•Identify new terms/concepts and define them on your own (then check it with
me)
• Create digital flashcards (Brainscape, Cram, etc)
•Plan your day so that you are on time for this class.
•A working webcam and microphone are REQUIRED
The Routine
•Lectures will usually begin with a “Housekeeping” slide.
•Usually administrative items and need-to-know stuff

•Then we’ll discuss current events


•Such as news items, and other resources relating to Information/Network
Security in general, and CISSP specifically.

•Then we’ll proceed with the lesson/tutorial


•includes activities for you to complete as part of the lesson.

•Be prepared (and willing) to participate!


•Be ready to work in groups, engage in class discussions (both in
class and on FOL), create scenarios, etc.

•The lesson concludes with a summary of key points and a few
reminders of what’s coming up in the course.

Current Events: What is happening in the world?

•Most mid-sized businesses lack cybersecurity experts, incident response
plans
• Watch the summary of “Cybersecurity Challenges” video (6min) at the top of the article

•Fortinet Survey Finds 78% of Organizations Felt Prepared for
Ransomware Attacks, Yet Half Still Fell Victim

•Cybercriminals Are Selling Access to Chinese Surveillance Cameras

•One-Fifth of Healthcare Organizations Do Not Enforce
Cybersecurity Protocols

•The Role of Human Resources in Cybersecurity


In the news…
2023-09-06 8
Active Learning Exercise (ALE) #1 (10 minutes)

Please find a partner (groups of 2 max) and do the following:

•Find ONE online article/video (or web resource) that relates to
information security or network security.

•Read the article

•Summarize the article in a discussion post (just 200 words or so) in
the Discussion Forum called “Week 1: In the News”

•In addition to your brief article summary, identify 3-5 key terms used in
the article that comprise the “language” of Security Management
(More details on the next slide)

Part 1: Course Outline and Course Overview
(Please open up the Course Syllabus and Course Plan!)
INFO 6010 Course Plan (Who has read this document?)
Course Design

One class per week, 3 hours long
 • 2 hours for the lesson and 1 hour for drop-in help (voluntary)

Class time consists of:
 • Discussions, lectures and Active Learning Exercises (ALEs)
 • These require reflection, research, discussion, and collaboration

Please consider sharing news and other links with me (via the
discussion forum) so that I can share them with the class.

Tests will occur during class time (the Respondus LockDown Browser, RLDB, is
required), and take the place of a lesson (so no lectures in weeks 5 and 10)
“The CISSP CBK is like an ocean: it is very
broad, in places it is very deep while in other
places shallow, but you can be certain there
is lots of it!”

- Professor Clive Wright



CISSP Prep: An Overview

The CBK that comprises the testable material for the CISSP exam is too large to
cover in a 15-week course. Rather, this course will explore key concepts and
ideas that comprise the foundation upon which you will build your InfoSec
knowledge.

Some of the topics we will cover in this course:


•InfoSec Certifications - What’s all the fuss about?
•Select ideas/concepts that comprise the 8 knowledge domains of the
ISC2’s Common Body of Knowledge (CBK)
•Application of these concepts to real-world problems, environments, and
threats
•Compare CBK with other knowledge bases related to InfoSec
Student Success

•This is a “Lecture-style” class, but I will not lecture to you.


•Lots of interactive exercises and discussions.
•Take notes during the lecture – not all test questions come from the PowerPoint
slides and textbook.
• Slides are a HANDOUT that highlights key points, but they do not cover all you need to
know.
•Not all concepts are fully explained on the slides alone. You need to do the
exercises and listen to/participate in tutorials.
•Everything in the lessons / resources / assignments is testable material.
•Use the discussion forum to ask questions if you don’t understand something –
you likely won’t be the only person.
•Don’t try to memorize! Memory alone will not suffice. Understanding and
application are key!!
•This course is more theoretical than technical, but do not
underestimate the work required for this course

Student Success

•Do not try to memorize everything. There is too much material.


Focus on concepts and ideas, and the content will logically follow.
•Work in groups (online or offline). Collaboration lessens
individual work and builds learning communities.
•Study in groups as well
•Use the Discussion Forum. It’s also a great way to construct
knowledge together (and have fun doing it!)
•Be prepared to read. You read for a degree.
•Guard your time! And designate sufficient time to the course.
Block it off on your calendar and stick to it.
•If you don’t know or aren’t sure, please ask!
•Create a personal slide deck (or flash cards) for key terms and
concepts. Great online tools for this!
Student Success
•Show respect for your professors and your peers
•Be active and participate in online class discussions
•HELP EACH OTHER. Create your own study groups (or use the
discussion forum). Some of you may solve problems faster than
your peers – share your success by showing them how!
•Prepare properly for lectures and tests
•Do all the required and recommended work
•Do not miss tests or assignments
•(we do not allow make-up assignments or the re-taking of missed
evaluations)

•There are no bonus marks or make-up exercises in this course

Who Has Read the Course Outline for this Course?
Course Outline (Let’s take a look!)
•Learning Objectives – why read these and how can they help??
•Assessments
•Two Research Papers (15% each - total of 30%)
•Two Formative Tests (15% each - total of 30%)
•Final exam (40%)
•Weekly Discussion Forums (0%), but maybe some bonus marks?

•Required and Recommended Resources.


•Course Textbook is on the next slide, but you should also consider:
 • Other online resources (articles, news items, forums, etc.)
 • Vendor white papers
 • Your own online/digital flashcard deck
 • Finding (or creating) scenarios and case studies where you need to
apply what you are learning to solve those problems

Course Textbook (Required)
Purchase either a physical or electronic copy. The 9th edition is the latest, but an
earlier version is better than nothing.

Learning by rote alone is not enough. You must seek
understanding if you wish to master this subject.

How will you be evaluated in this course?

Testing! There are THREE tests in this course and TWO written assignments
•All tests use the Respondus Lockdown Browser
•Tests are NOT open book
•Recommend you use wired ethernet and a plug-in power supply (Respondus
does not like power/network blips)
•Working AND tested PC or laptop
•Budget your time wisely during the test. Expect an average time of 30-60
seconds per question (you won’t have time to look everything up)
•Short answer, long answer, multiple choice (M/C), true/false (T/F), fill-in-the-blank (FIB), matching, etc.
•All tests are manually graded by me.
•Testable material includes anything discussed in class (both verbally and on the
slides), in the textbook, any articles or resources I share, and in the assignments.

Test time lost due to PC or Respondus problems is not recoverable.

Course Outline

•Missed Assignments and Tests


•Tests will have a designated start time. You must start within 15
minutes of the test opening
•Tests are password protected
•Students are not entitled to complete missed tests
•In case of a significant event supported by documentation AND
professor’s approval AND prior notification, a missed test may be
completed

•Re-writes & extra grade items


•Students will not be permitted to re-write tests
•Students will not be entitled to extra work or assignments in order
to raise a grade

Learn to love APA

•What do you know about APA?


•APA (7th Ed.) style and formatting must be used in every
written submission
•ALL of your written work should comply with APA standards
•This is in the rubric for each assignment
•Always have a title page and a References page
•What is the difference between a citation, a quote, a source, and a reference?
•APA format includes margins, section headings, font, and more
•Discussion forum posts are exempt from APA, but you must still reference work
you use – both in-text and at the end of your discussion posts.
•See the Fanshawe College Library website for help with APA
•The reason you are required to use APA on your written work is because
professional writing is a critical skill for employment.
•(It also helps you avoid an academic offence!)
Grading with Rubrics…

•Rubrics are used for all written assignments.


•What is a rubric?
•Writing skills are graded, references are required, formatting is graded
•Content, flow, grammar/spelling
•Submit via Evaluation > Submission in FOL by the deadline
•In addition to the rubric, you will also receive detailed, specific, and
constructive feedback from me on all written submissions

•See sample rubric on next slide…

Sample Rubric I Created for Written Assignments
Tips on professional writing assignments

•Your assignments involve research, critical thinking, and academic writing.
These are KEY SKILLS for information security professionals, and like any skill,
practice makes perfect!
•Tips:
• Use the discussion forum to practice
• Use an editor (ex. use each other!)
• Look up online resources for APA citing and referencing (Fanshawe Library has some)
• Use credible (ideally peer-reviewed) literature in your work. Why?
• Include an introduction and conclusion
• Include a title page
• Times New Roman font, size 12, double spaced, indented paragraphs, 1” margins, etc.
• Cite your sources BOTH in the text and on the dedicated References page at the end of
your document
• You do not need an abstract or TOC
• Make sure you are thinking (and writing) critically. Challenge what you find in the literature.
• Follow the rubric!
A few dates to remember
HIGHLIGHTS:
•Study Break “week” from October 5th to 9th. No classes or
assignments due during that time.
•Test 1: in Week 5 (15%)
•Assignment 1: due Week 6 (15%)
•Test 2: in Week 10 (15%)
•Assignment 2: due Week 11 (15%)
•Final Exam: in Week 15 (40%)
•Discussion Forum contributions: weekly
Why Have Weekly Discussion Forums?
•I use the FOL discussion forums to promote social interactions and knowledge-building
among students.

•Discussion forums allow us to build a Community of Practice (Lave & Wenger, 2007).
Communities share ideas and experiences. They allow us to critically examine and
challenge concepts, ideas, facts, methods, and opinions.

•Criticizing the poster is not permitted, nor is inappropriate language or content

•We can all learn from each other’s experiences and ideas, but not if you don’t share
them! Everyone benefits – including you – if everyone contributes.

•Marks are given for created threads AND for replies, but not for “reads”.

•A little cheerleading is great, but please try to make sure your posts and replies
further the conversation. Ask the “why” questions! Play “devil’s advocate”. Don’t be
contrary for the sake of it, but rather build on ideas.

•Your opinion has value, but always try to SUPPORT your statements with EVIDENCE.
Don’t copy from another person – even if they allow it!

Make sure you properly cite every source of information you
used. Credible sources include:
 • Course content!!
 • Books, articles, videos, websites,
 • a person you spoke with,
 • images you did not create, and
 • ChatGPT?

If the assignment asks you to write something yourself, it is
not OK to just copy a large quote. You must write the
answer in your own words.

•Please read the full policy on the course syllabus FOL

Please note that the use of ChatGPT or other
generative AI tools is strictly prohibited and will
result in a zero grade.

Part 2:
Introduction to CISSP
•Security certifications.
• Why get certified?
• How do you choose which certification is right for you?
• Why do we require you to take this course?
•What is the ISC2 CISSP Common Body of Knowledge?
•What are the 8 CISSP Domains?
•Vendor-neutral vs. Vendor-specific certifications
•Security Trends
•Hackers and Hacking
•Information Security Management

Why Get Certified?
•Prove competency in subject area
•Prove dedication to the security discipline
• (and demonstrate your expertise as a security professional)
•Certification may be a condition of employment/promotion
• Gives you a MAJOR competitive advantage when applying!
• Some companies offer a pay increase if you get your CISSP
•Available from many organizations
• Vendor specific certification
• General knowledge certification
•Shows you are committed to continuous/lifelong learning
• Important since technology and InfoSec changes so rapidly.



•Certifications prove (but do not guarantee) that you have a
complete skill set
•May be required as a condition for employment
• Consulting companies
• US Department of Defense Directive 8570 (now being replaced by the DoD 8140
series) requires that select government IT positions be filled by certified personnel.
• ISO certifications may depend on this
• Note: Not all companies favor/prioritize applicants with
certifications. Some companies prefer years of experience, job
performance, personality (ex. leadership qualities),
communication skills (both written and verbal), etc.



•Many certifications require retesting every few years
• Prove you’ve retained the CBK knowledge (and kept up with the
changes!)
• Cisco, Check Point and ASIS certifications, for example, require re-testing
•Other certifications instead require proof of continuing education in the
subject area
• Must earn a minimum number of “continuing education credits” (or
“continuing professional education” – CPE – credits) to be eligible to
recertify.
• Often issued for courses taken or workshops and seminars attended
• CISSP, CISM, CompTIA, Microsoft
• CISSP is maintained this way: 120 CPE credits over the 3-year cycle plus an
annual maintenance fee, with no re-test required

• The purpose of CPEs is to ensure that professionals continue
learning and remain current with developments in their industries.

How Do You Choose Which Certification Is Right For You?
•Maybe none of them! How can you find out?
•Your certification decision may depend on:
• Your passion/interest in a topic
• Your aptitude or industry experience
• The job/role you want for your career (or promotion)
• The time and budget you can commit
• Legislative requirement
• The credibility of the certification in the IT industry
• Any other factors you can think of?

•Have any of you considered a certification? Which ones?



Why Do We Require You To Take This Course?
•Why do you think?

•Course acts as a quasi-capstone. All of the concepts, skills, and topics
you’ve learned so far do not exist in isolation/a vacuum.

•Rather, they all work together. You need to understand how these
systems impact each other

•Jobs! People with CISSP CBK knowledge are in very high demand (and
are paid very well). It will also make you better at your current job!

•Acts as a one-stop (single resource) refresher/reminder of concepts taught
in the program.
Introducing ISC2’s CISSP Certification
ISC2 – a (very) brief history
•Non-profit org. First created in 1989 when a number of computer
security groups came together
•Created the first edition of the CBK in 1992
•First certification was the CISSP, created in 1994
•According to ISC2:
•"the CISSP CBK is a taxonomy – a collection of topics relevant to information
security professionals around the world. The CISSP CBK establishes a common
framework of information security terms and principles that allow information
security professionals worldwide to discuss, debate and resolve matters
pertaining to the profession with a common understanding."
•Certified Information Systems Security Professional
•Sponsored by the International Information Systems
Security Certification Consortium
• Also referred to as (ISC)²
•8 different subject areas often referred to as “domains”.
•Each domain can be its own area of study.
• Individuals often work exclusively and become experts in one or
more of these areas.
•These domains are constantly being updated and
reorganized. Why?



•Security field has grown exponentially in the last 10 years
•Governments, businesses, and organizations of all sizes
are looking for security experts.
•CISSP is a respected certification EVERYWHERE.
• As of 2022, roughly 160,000 CISSP holders worldwide. The vast
majority are in the US (around 95,000). Canada ranks 3rd with 6800.
•Holders are viewed as having proven ability and as having met ISC2’s stringent
requirements.
•A CISSP must continuously update their knowledge and
skills to retain the certification.
• Continuing Professional Education (CPE) credits



•Meet growing demand in evolving field.
•Broaden your current security knowledge.
•Bring security to current occupation.
•Become more marketable to employers.
•Show discipline to security field.
•More employment opportunities and higher salaries.
•As a vendor-neutral cert, the focus is on concepts,
technologies, risks, threats, and principles. The focus is
NOT on a specific system or software. This makes CISSP
knowledge applicable in EVERY infosec environment.



•Certification as a CISSP requires the following:
• Pass the CISSP exam
• Obtain the endorsement of a CISSP in good standing
• Endorsement is required to confirm/vouch for your years of experience in the (ISC)²
required domains.
• If a candidate does not know an (ISC)² professional who can endorse them,
(ISC)² will act as endorser based on an audited resume
• A minimum of 5 years of cumulative, paid, full-time work experience in 2 or more
of the 8 domains of the CISSP® CBK
• A four-year college degree (or an approved credential from the ISC2 list) waives
one year of the experience requirement
• Real-world experience brings value to CISSP certification
• All (ISC)² members are required to sign a commitment to fully
support the (ISC)² Code of Ethics before being officially certified.



• CISSP also has a required background check. You must successfully
answer four questions regarding criminal history and related
background:

1. Have you ever been convicted of a felony, a crime based on dishonesty
(felony or misdemeanor involving lying) or a Court Martial in military
service, or is there a felony charge now pending against you? (Omit
minor traffic violations and offenses prosecuted in juvenile court.)

2. Have you ever been involved, or publicly identified, with criminal hackers
or hacking?

3. Have you ever had a professional license, certification, membership or
registration revoked, or have you ever been censured or disciplined by
any professional organization or government agency?

4. Have you ever been known by any other name, alias, or pseudonym?
(Omit user identities or screen names with which you were publicly
identified. Also omit name changes due to marriage or adoption.)



•Exam covers 8 domains within the CISSP Common Body of
Knowledge (CBK)
• (Our course covers this material in 11 lessons)

•CISSP exam questions typically test high-level concepts (models and
methodologies) rather than fine detail.

•The exam does not expect you to be an expert in all 8 domains, but
rather to be familiar with a wide range of security concepts.
• Need to be a “security generalist”



• Exam includes a number of scenario questions.
• Questions are not vendor specific.
• e.g. no Cisco, Linux, Windows, Check Point, Mac, etc. specifics are assumed
• Questions are NOT scored equally.
• Each question is weighted by its difficulty, so harder questions count for more.
• Results are reported on a scaled score from 0 to 1000 points.
• PASS = a scaled score of 700 or more (this is a scaled score, NOT 70% of the
questions answered correctly)
• As of 2023 the English-language exam uses Computerized Adaptive Testing (CAT):
100 to 150 questions in 3 hours, 25 of which are unscored pretest items used by
ISC² for research purposes.
• The linear (non-adaptive) exam offered in other languages has 250 multiple choice
questions over 6 hours, of which 225 are scored and 25 are unscored pretest items.
• With CAT, each next question is chosen from the candidate’s estimated ability so
far, so the exam homes in on the candidate’s level rather than asking a fixed set
of questions.



CISSP Concentrations
•CISSP offers certification concentrating in specific
functional areas:
• Architecture (CISSP-ISSAP®)
• Engineering (CISSP-ISSEP®)
• Management (CISSP-ISSMP®)
•Passing a concentration examination demonstrates
proven capabilities and subject-matter expertise beyond
that required for the CISSP or SSCP® credentials.



•Information Systems Security Architecture Professional
•Demonstrate two years of professional experience in the
area of architecture
• Fundamentally the consultative and analytical process of
information security.
•Certification for those working as independent consultants
or as Chief Security Architects and Analysts in a company.



•Architect plays a key role within the information security
department with responsibilities that functionally fit
between the C-suite and upper managerial level
•Possible job titles
• Business Analyst
• System Architect
• Chief Technology officer
• Chief Security Officer



•The 6 domains of the CISSP®-ISSAP CBK® (as listed in the earlier ISSAP outline;
ISC2 has since revised the concentration domains, so check isc2.org for the current
exam outline) are:
1. Access Control Systems and Methodology
2. Communications & Network Security
3. Cryptography
4. Security Architecture Analysis
5. Technology Related Business Continuity Planning (BCP) &
Disaster Recovery Planning (DRP)
6. Physical Security Considerations



•Information Systems Security Engineering Professional
•Developed in conjunction with the U.S. National Security
Agency (NSA)
•Responsible for incorporating security into projects,
applications, business processes, and all information
systems.
•Best practices that can be used to integrate security into all
facets of business operations



•The 4 domains of the CISSP-ISSEP CBK® (as listed in the earlier ISSEP outline;
the current outline on isc2.org has since been revised) are:
1. Systems Security Engineering
2. Certification and Accreditation (C & A)
3. Technical Management
4. U.S. Government Information Assurance Governance
•Possible job titles
• Senior Security Analyst
• Senior Systems Engineer
• Information Assurance Analyst
• Information Assurance Officer



•Information Systems Security Management Professional
•Requires two years of professional experience in the area
of management on a larger enterprise-wide security
model.
•In depth managerial skills such as:
• Project management
• Risk management
• Business Continuity Planning
• Setting up and delivering a security awareness program



•Possible job titles
• Senior Security Executive
• Chief Technology officer
• Chief Information Officer
• Chief Information Security Officer



•The five domains of the CISSP-ISSMP CBK® (as listed in the earlier ISSMP outline;
the current outline on isc2.org has since been revised) are:
1. Security Management Practices
2. Systems Development Security
3. Security Compliance Management
4. Understand Business Continuity Planning (BCP) & Disaster
Recovery Planning (DRP)
5. Law, Investigation, Forensics and Ethics



Other ISC² Certifications
•CC: Certified in Cybersecurity (entry-level cert)
• Free exam, no experience required
•CISSP (leadership)
• 3 concentrations available
•SSCP: Systems Security Certified Practitioner
• (Security Operations)
•CCSP: Certified Cloud Security Professional
• (Cloud Security)
•CGRC: Certified in Governance, Risk and Compliance (formerly CAP)
•CSSLP: Certified Secure Software Lifecycle Professional
• (Software Security)



•For those who have passed the CISSP exam but don’t
have required work experience (or a sponsor)
•allows them to show industry their knowledge in
cybersecurity right away (so they can get that experience)
•Associate of (ISC)² (badge) is the formal designation
granted by passing the required CISSP examination.
• Note: You are not an “Associate CISSP” or similar. This is a
membership status, not a certification status
•Still makes you a member of ISC2, so you have access to
their resources and support, and you must still subscribe
to the (ISC)² Code of Ethics.



•Systems Security Certified Practitioner
•From (ISC)2
• Often seen as a pre-certification step to CISSP
• 7 domains (see next slide)
• Focused on technical application and is designed for the technical
practitioner (ex. Security and Network Administrators)
• Covers how to incorporate, build, design and apply security to
technology
• Where CISSP is broad, SSCP is deep/specific
• Requires 1 year full time work experience in one of the 7 domains
• https://www.isc2.org/sscp/default.aspx



•SSCP requires experience in one or more of the seven (ISC)²
SSCP domains (as listed in the earlier SSCP outline; ISC2 has since
revised the domains, so check isc2.org for the current exam outline):
1. Access Controls
2. Cryptography
3. Malicious Code and Activity
4. Monitoring and Analysis
5. Networks and Communications
6. Risk, Response and Recovery
7. Security Operations and Administration



•The SSCP is suited for those working towards positions
such as
• Network Security Engineers
• Security Systems Analysts
• Security Administrators.



•Also suitable for those other non-security disciplines that
require an understanding of security but do not have
information security as a primary part of their job
description.
•This includes
• Information Systems Auditors
• Application Programmers
• System & Network Administrators
• Database Administrators
• Business Unit Representatives
• Systems & Business Analysts.

Introducing The 8 Knowledge Domains

(a very high-level overview)


CISSP DOMAINS
1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and
Business Continuity)
• Confidentiality, integrity, and availability concepts
• Security governance principles
• Compliance
• Legal and regulatory issues
• Professional ethics
• Security policies, standards, procedures and guidelines

2. Asset Security (Protecting Security of Assets)
• Information and asset classification
• Ownership (e.g. data owners, system owners)
• Protect privacy
• Appropriate retention
• Data security controls
• Handling requirements (e.g. markings, labels, storage)

CISSP DOMAINS
3. Security Architecture and Engineering (Engineering and Management of Security)
• Engineering processes using secure design principles
• Security models fundamental concepts
• Security evaluation models
• Security capabilities of information systems
• Security architectures, designs, and solution elements vulnerabilities
• Web-based systems vulnerabilities
• Mobile systems vulnerabilities
• Embedded devices and cyber-physical systems vulnerabilities
• Cryptography
• Site and facility design secure principles
• Physical security

4. Communication and Network Security (Designing and Protecting Network Security)
• Secure network architecture design (e.g. IP & non-IP protocols, segmentation)
• Secure network components
• Secure communication channels
• Network attacks


CISSP DOMAINS
5. Identity and Access Management (Controlling Access and Managing
Identity)
• Physical and logical assets control
• Identification and authentication of people and devices
• Identity as a service (e.g. cloud identity)
• Third-party identity services (e.g. on premise)
• Access control attacks
• Identity and access provisioning lifecycle (e.g. provisioning review)

6. Security Assessment and Testing (Designing, Performing, and
Analyzing Security Testing)
• Assessment and test strategies
• Security process data (e.g. management and operational controls)
• Security control testing
• Test outputs (e.g. automated, manual)
• Security architectures vulnerabilities


CISSP DOMAINS
7. Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster
Recovery)
• Investigations support and requirements
• Logging and monitoring activities
• Provisioning of resources
• Foundational security operations concepts
• Resource protection techniques
• Incident management
• Preventative measures
• Patch and vulnerability management
• Change management processes
• Recovery strategies
• Disaster recovery processes and plans
• Business continuity planning and exercises
• Physical security
• Personnel safety concerns

8. Software Development Security (Understanding, Applying, and Enforcing Software Security)
• Security in the software development lifecycle
• Development environment security controls
• Software security effectiveness
• Acquired software security impact

Domain #1: Security and Risk Management
• Roughly 15% of questions on the exam
• CIA (confidentiality, integrity and availability)
• Security governance principles and compliance
• Legal and regulatory issues
• IT policies
• Risk management
• Identification of assets, the required safeguards and the return on
investment (ROI) of protecting the assets
• Data classification
• Policies, procedures, standards and guidelines
• Risk assessment and management
• Personnel security, training and awareness

•Computer crimes, laws and regulations, and the procedures for incident
handling, including investigation and evidence handling
• Types of Laws, regulations and crimes
• Licensing and software piracy
• Export and import laws
• Evidence types and admissibility into court
• Incident handling



Domain #2: Asset Security
•Roughly 10% of exam questions
•Covers how information, and the assets that hold it, are classified, owned,
handled and protected throughout their lifecycle
•Asset management
•Privacy
•Data security controls and handling requirements

Domain #3: Security Architecture and Engineering
•Roughly 13% of exam questions
•Using Security Design Principles
•Security Models
•Assessing vulnerabilities in systems
•Cryptography
•Designing and implementing physical security

Domain #4: Communication and Network Security
•Roughly 13% of questions on the test
•Network protection, design, devices and protocols.
• Network components and network design
• Securing communications
• OSI Model and network layers
• LAN, MAN, WAN
• Internet, Intranet and extranet
• Routers, Switches, Bridges and Repeaters
• Virtual Private Networks VPN
• Firewalls
• Attack Methods

Domain #5: Identity and Access Management
•Roughly 13% of questions on the CISSP Exam
•Controls the way users can access data
•Physical and logical access to assets
•ID and Authentication
•Authorization mechanisms
•AAA (Authentication, Authorization and Accounting/Audit)
methods and mechanisms
• Access Control Security Models
• Identification and authentication technologies and techniques
• Access control administration
• Single sign-on technologies
• Attack methods

Sep-23 Info 6010 75


•Roughly 13% of the exam questions
•Techniques to audit and monitor controls implemented for
personnel, systems and hardware.
• Security and fault tolerance technologies
• Standards, compliance and due care concepts
• Preventive, corrective and recovery controls
• Administrative (personnel and job function) responsibilities
• Antivirus, training, auditing and protection concepts/activities

Sep-23 Info 6010 76


•Maintaining business activities in face of disruptions.
Identification of risk and countermeasures
• Business resource identification and value assignment
• Business impact analysis and possible losses
• Crisis management
• Plan development, implementation and maintenance

Sep-23 Info 6010 77


•Roughly 10% of CISSP Exam questions
•Security components of operating systems and
applications. Software life cycles and change control
• Data warehousing and data mining
• Various development practices and their risks
• Software components and vulnerabilities
• Malicious Code
•Security in the SDLC
•Security in the Dev environment
•Secure coding standards and guidelines

Sep-23 Info 6010 78


•Threats to facilities, personnel, hardware and data and
required countermeasures.
• Restricted areas, authorizations methods and controls
• Motion detectors, sensors and alarms
• Intrusion detection
• Fire detection, prevention and suppression
• Fencing and security guards

Sep-23 Info 6010 79


Vendor Neutral vs Vendor Specific Certifications
Some examples of vendor neutral certs…
•Certified Ethical Hacker (from EC-Council)
•CISA (from ISACA)
• Certified Information Systems Auditor
•CISM (from ISACA)
• Certified Information Security Manager
•CISSP (from ISC²)
• Certified Information Systems Security Professional
•Security+ (from CompTIA)
•GSEC (from SANS GIAC)
• GIAC Security Essentials

Sep-23 Info 6010 81


Some examples of vendor specific certs…
•Amazon Web Services (AWS)
•Microsoft Certified Solutions Expert (MCSE)
•Cisco (CCNA)
•Apple Certified Support Professional (ACSP)
•Oracle (OCP)
•Red Hat
•Symantec
•IBM
•Etc…..

Sep-23 Info 6010 82


What are the advantages of each?
•Click on this link and share your ideas in the Padlet!

•https://padlet.com/jrobertsonfanshawe/info-6010-cissp-fall-2023-78chii0tlqay1awt

Sep-23 Info 6010 83


Reminders for Next Week
• Skim Chapters 1-4 (Knowledge Domain #1) of the textbook

• Read the Key Terms at the end of each chapter and identify
10 terms you didn’t know before.
• Then add those words (and their definitions) to your personal
flashcard deck

• Contribute to the Week 1 Discussion Forum on FOL


• Share news links

• Next week we will be discussing (and finishing) the first Domain: Security and Risk Management
INFO 6010: CISSP Prep

Week 2:
Security and Risk Management

Prof. James Robertson


Fall 2023
Where did the IT Security Officers go the last few days?

They ran somewhere!


(ran – som – ware)
Housekeeping…
•WELCOME TO WEEK 2!
• I would like to hear about your first week back. Any first
impressions?

•Reminder that this course has two assignments.
• First assignment released in week 3-4 and due in week 6.

•Test #1 is in week 5 (October 4th) at normal class time
• Test is online (remote) but requires RLDB and Respondus Monitor

•Thanks for the intro posts…. But still more to come?
• Only 6 out of 20 have created posts…

Sep-23 INFO6010 3
News and Current Events…
• Securing the Technology at new London-area Amazon plant
• Is among the top six highly automated plants Amazon operates around the world
• What risks do you perceive that facility must consider?
• Senator seeks tech version of “GI Bill” as AI replaces jobs
• Need to re-educate a million people who will be displaced by AI
• Women are more likely to lose jobs to AI, such as customer-facing,
administrative assistant or support roles since they are “often filled by women”
• Proposed Law Would Create Responsible Emerging Tech
Leaders at Agencies
• would require a senior official at each relevant agency to oversee technologies
like AI, quantum and biotechnology to ensure responsible usage.
• Called the “Oversee Emerging Technology Act”.
• These 7 items should be on your CISO checklist for 2024

Sep-23 Info 6010 4


Introducing The 8 Knowledge Domains

(a very high-level overview)


CISSP DOMAINS
1.Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and
Business Continuity)
• Confidentiality, integrity, and availability concepts
• Security governance principles
• Compliance
• Legal and regulatory issues
• Professional ethics
• Security policies, standards, procedures and guidelines

2. Asset Security (Protecting Security of Assets)
• Information and asset classification
• Ownership (e.g. data owners, system owners)
• Protect privacy
• Appropriate retention
• Data security controls
• Handling requirements (e.g. markings, labels, storage)


Sep-23 Info 6010 6
CISSP DOMAINS
3. Security Engineering (Engineering and Management of Security)
• Engineering processes using secure design principles
• Security models fundamental concepts
• Security evaluation models
• Security capabilities of information systems
• Security architectures, designs, and solution elements vulnerabilities
• Web-based systems vulnerabilities
• Mobile systems vulnerabilities
• Embedded devices and cyber-physical systems vulnerabilities
• Cryptography
• Site and facility design secure principles
• Physical security

4. Communication and Network Security (Designing and Protecting Network Security)
• Secure network architecture design (e.g. IP & non-IP protocols, segmentation)
• Secure network components
• Secure communication channels
• Network attacks

Sep-23 Info 6010 7


CISSP DOMAINS
5. Identity and Access Management (Controlling Access and Managing
Identity)
• Physical and logical assets control
• Identification and authentication of people and devices
• Identity as a service (e.g. cloud identity)
• Third-party identity services (e.g. on premise)
• Access control attacks
• Identity and access provisioning lifecycle (e.g. provisioning review)

6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
• Assessment and test strategies
• Security process data (e.g. management and operational controls)
• Security control testing
• Test outputs (e.g. automated, manual)
• Security architectures vulnerabilities

Sep-23 Info 6010 8


CISSP DOMAINS
7. Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster
Recovery)
• Investigations support and requirements
• Logging and monitoring activities
• Provisioning of resources
• Foundational security operations concepts
• Resource protection techniques
• Incident management
• Preventative measures
• Patch and vulnerability management
• Change management processes
• Recovery strategies
• Disaster recovery processes and plans
• Business continuity planning and exercises
• Physical security
• Personnel safety concerns

8. Software Development Security (Understanding, Applying, and Enforcing Software Security)
• Security in the software development lifecycle
• Development environment security controls
• Software security effectiveness
• Acquired software security impact

Sep-23 Info 6010 9


• Roughly 15% of questions on the exam
• CIA
• Cybersecurity Governance, principles and compliance
• Legal and regulatory issues
• IT Policies and frameworks
• Risk Management

• Identification of assets, the required safeguards and the return on investment (ROI) to protect the assets
• Data Classification
• Policies, Procedures, Standards and Guidelines
• Risk assessment and management
• Personnel security, training and awareness

Sep-23 Info 6010 10


•What are computer crimes, laws and regulations.
•Procedures for incident handling including investigation
and evidence handling
• Types of Laws, regulations and crimes
• Licensing and software piracy
• Export and import laws
• Evidence types and admissibility into court
• Incident handling

Sep-23 Info 6010 11


Domain #2: Asset Security
•Roughly 10% of exam questions
•Covers the physical requirements of infosec
•Asset management
•Privacy
•Data security controls and handling requirements

Sep-23 Info 6010 12


•Roughly 13% of exam questions
•Using Security Design Principles
• Site and Facility Security
•Designing and implementing physical security
•Assessing vulnerabilities in systems
•Cryptography
•Systems Architectures
•Security Models/Architectures

Sep-23 Info 6010 13


•Roughly 14% of questions on the test
•Network protection, design, devices and protocols.
• Network components and network design
• Securing the network and secure communications channels
• Fundamentals of networking
• OSI Model and network layers
• LAN, MAN, WAN
• Internet, Intranet and extranet
• Routers, Switches, Bridges and Repeaters
• Virtual Private Networks VPN
• Firewalls
• Attack Methods
• Wireless networking

Sep-23 Info 6010 14


•Roughly 13% of questions on the CISSP Exam
•Controls the way users can access data
•Physical and logical access to assets
•ID and Authentication
•Authorization mechanisms
•AAA (Authentication, Authorization and Accounting/Audit)
methods and mechanisms
• Access Control Security Models
• Identification and authentication technologies and techniques
• Access control administration
• Single sign-on technologies
• Attack methods

Sep-23 Info 6010 15


•Roughly 13% of the exam questions
•Techniques to audit and monitor controls implemented for
personnel, systems and hardware.
• Security and fault tolerance technologies
• Standards, compliance and due care concepts
• Preventive, corrective and recovery controls
• Administrative (personnel and job function) responsibilities
• Antivirus, training, auditing and protection concepts/activities

Sep-23 Info 6010 16


•Maintaining business activities in face of disruptions.
Identification of risk and countermeasures
• Business resource identification and value assignment
• Business impact analysis and possible losses
• Crisis management
• Plan development, implementation and maintenance

Sep-23 Info 6010 17


•Roughly 10% of CISSP Exam questions
•Security components of operating systems and
applications. Software life cycles and change control
• Data warehousing and data mining
• Various development practices and their risks
• Software components and vulnerabilities
• Malicious Code
•Security in the SDLC
•Security in the Dev environment
•Secure coding standards and guidelines

Sep-23 Info 6010 18


•Threats to facilities, personnel, hardware and data and
required countermeasures.
• Restricted areas, authorizations methods and controls
• Motion detectors, sensors and alarms
• Intrusion detection
• Fire detection, prevention and suppression
• Fencing and security guards

Sep-23 Info 6010 19


Short Group Discussion:
Your Fav CISSP Domain?

For the first 5 minutes, and without going further in your research than what you
know and what we’ve discussed so far, answer the following questions:

1. Which knowledge domain do you find the most interesting?
2. Why was this your favorite domain?
3. Which knowledge domain is the least interesting? (and why?)

Now, in your group of 3 students, share your answers. Any common interests?

Lastly, share your personal answers to the questions above in the week 2 discussion
forum. Remember to respond to at least one post from another student.

Sep-23 Info 6010 20


Vendor-Neutral Certifications
Some examples of vendor neutral certs…
•Certified Ethical Hacker (from EC-Council)
•CISA (from ISACA)
• Certified Information Systems Auditor
•CISM (from ISACA)
• Certified Information Security Manager
•CISSP (from ISC²)
• Certified Information Systems Security Professional
•Security+ (from CompTIA)
•GSEC (from SANS GIAC)
• GIAC Security Essentials

Sep-23 Info 6010 22


Vendor-Specific Certifications
Some examples of vendor specific certs…
• Amazon Web Services (AWS)
• Microsoft Certified Solutions Expert (MCSE)
• Microsoft Azure Security
• Cisco (CCNA)
• Apple Certified Support Professional (ACSP)
• Oracle (OCP)
• Symantec (250-series of certifications)
• IBM has 15 different security certifications
• Kali – KLCP certification
• Google Cloud Security
• Redhat (EX415 – Specialist in Security: Linux)
• Juniper (associate, specialist, professional, expert)
• Palo Alto (PCCSA, PCNSA, PCNSE)

Sep-23 Info 6010 24


Vendor Specific Certifications
•Come in all sorts of shapes and sizes
• How to choose?!?

Jan-20 Info 6010 25


• https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/security.html

Sep-23 Info 6010 26


•Cisco Certified Network Associate (CCNA Security)

•CCNA certification
• Cost $250 USD to write the test
• Must pass CCENT exam first, but any valid Cisco CCENT,
CCNA Routing and Switching, or any CCIE certification can act
as a prerequisite.
• Demonstrates the skills required to develop a security
infrastructure, recognize threats and vulnerabilities to networks,
and mitigate security threats.
• Emphasizes competency in the core security technologies that
Cisco uses in its security structure.

Sep-23 Info 6010 27


•Certifications Include:
• CCSA - Check Point Certified Security Administrator
• CCSE - Check Point Certified Security Engineer
• CCSI - Check Point Certified Instructor
• CCAE - Check Point Certified Addressing Engineer
• CCQE - Check Point Certified Quality of Service Expert
• CCMSE - Check Point Certified Managed Security Expert

Sep-23 Info 6010 28


•Exam Content
•80% course materials
•20% real world experience
•Requires product experience
•Multiple choice and scenario questions
• Length: 90 minutes
• Passing score: 70%
• Check Point certifications are considered valid for 4 years.

Sep-23 Info 6010 29


•Are certifications required? Well, yes and no…
•Yes
• Some employers require employees to be certified
• Consultants, high secure networks
• Demonstrates a dedication to the career
•No
• Does not guarantee or translate into practical job skills

•Maintaining certification requires time to prepare and write tests
•Money to pay for tests and/or continuing certifications
•Requirement for this field of work
• Competitive advantage, pay increases, promotions, etc.

Sep-23 Info 6010 30


What are the pros/cons of each?
•Click on this link and share your ideas in the Padlet!

•https://padlet.com/jrobertsonfanshawe/info-6010-cissp-fall-
2023-78chii0tlqay1awt

Sep-23 Info 6010 31


ALE: What’s your Cybersecurity Career Pathway?

Close the cybersecurity talent gap with interactive tools and data. Map your path using this great tool!

https://www.cyberseek.org/index.html#aboutit

Create a discussion post (in Week 2 forum) that outlines your path! What are your thoughts?

Jan-20 Info 6010 32


Domain #1: Security and Risk Management
• Security Management
• CIA as security objectives
• Risk (ex. ISO 27005 Risk Management Framework)
• Risk management concepts (threat, risk, vulnerability, impact, etc)
• Risk analysis and Risk Assessments (types, process, results)
• Qualitative and quantitative risk assessments
• Risk response and countermeasures
• BCP, BIA
• Controls and control frameworks
• Governance
• Laws (ex. intellectual property, statutes)
• Regulations (ex. Sarbanes-Oxley, 2002, aka “SOX”)
• Legislative drivers

Sep-23 INFO6010 34
•Information Security Ethics
•ITIL, Cobit, and ISO guidelines/frameworks
•Categories of Access Controls (digital and physical)
•Pen Testing
• Methodologies, stages, strategies and categories
• documentation
•Determining your security posture
•PDCA (Plan Do Check Act) aka “Deming Wheel/Cycle”
•Licences (ex. software) and lifecycle management
•SETA

Sep-23 INFO6010 35
What is Security Management?
•Security management is the core of any business security
structure
•Objective is to protect company assets
•Core components serve as foundation of a corporation’s
security program
•Goal is to reduce risk to acceptable levels
• Cannot be reduced to zero

•RISK is the primary element of this domain.
• What is risk? Is it all bad? How do we deal with risk?

Sep-23 INFO6010 37
•Risk management
•Information Security Policies
• Procedures, Standards, Guidelines
•Information classification
•Security organization
•Security education

Sep-23 INFO6010 38
3 main security objectives are:
•Availability
• Ensures reliability and timely access to
data and resources to authorized
individuals
•Integrity
• Assurance of the accuracy and reliability
of the information and systems is provided
with no unauthorized modification
•Confidentiality
• Necessary level of secrecy is enforced at
each data handling junction and prevents
unauthorized disclosure

Sep-23 INFO6010 39
•Confidentiality
• Data in storage or in transit cannot be read by
unauthorized people
• Attackers can circumvent confidentiality by
• Network traffic sniffing
• Looking over someone's shoulder to steal passwords, or tricking
someone into revealing their secret information.
• Users can intentionally or accidentally disclose information by
not encrypting it before transmitting it or transporting on storage
devices
• USB, DVD & Laptop

Sep-23 INFO6010 40
•Integrity
• Restrict access to only authorized users
• System configuration files
• Ensure attackers or user mistakes don’t contaminate data
integrity
• Check data input for reasonable and valid entries
• Data in transit should be encrypted

Sep-23 INFO6010 41
•Availability
• Systems and networks should have enough capacity for an
acceptable level of performance.
• Able to recover from disruption in a reasonable amount of time.
• Single points of failure should be avoided
• Backup and redundancy mechanisms should be in place
• Appropriate mechanisms in place to avoid inside and outside
threats

Sep-23 INFO6010 42
CIA is about Criticality and Sensitivity

•Criticality is about availability
•Sensitivity deals with integrity and confidentiality

In other words:
The data (or information) needs to be available at the right
time with the right content and to the right people.

Sep-23 INFO6010 43
•Vulnerability
•Software, hardware, procedural or human weakness that
may provide an entry point for an attacker leading to
unauthorized access.
• Absence or weakness of a safeguard that can be exploited
• Missing patches
• Open Firewall port
• Weak or no physical security
• Unlocked doors
• Unenforced password requirement

Sep-23 INFO6010 44
•Threat
•Any potential danger to information or systems
• A threat agent is someone or something that will take advantage
of a known vulnerability
• An intruder accessing the network through an open port on a
firewall.
• A process accessing data that violates security policy
• Natural disaster causing damage to a facility
• Tornado, hurricane, fire, flood, lightning
• Environmental control
• Power outage, heat & humidity damage
• Terrorist attacks

Sep-23 INFO6010 45
•Risk
•The possibility of damage (or harm) and the likelihood that
harm can be realized.
•Measured by probability and impact
•So, risk is the likelihood of a threat agent taking
advantage of a vulnerability to cause harm to an asset
• Firewall with numerous open ports has a greater likelihood of
being exploited. Impact can range from mild to severe.
• If a network does not have an Intrusion Detection device there is
a greater likelihood of network access being unnoticed
• Users’ lack of training in security & processes increases the likelihood
of destroying or exposing data

Sep-23 INFO6010 46
•Exposure
•An instance of being exposed to losses from a threat
agent
•A vulnerability exposes an organization to possible losses
• A company does not install fire detectors or fire alarms
• Exposed to fire
• A company does not have or enforce a password policy
• Exposed to having password compromised

Sep-23 INFO6010 47
• Security Controls are parameters, safeguards or
countermeasures implemented to protect data,
infrastructure, and people in an organization.
• Goal of controls is to protect CIA
• Software configuration, hardware device or a procedure that
reduces the likelihood a threat agent will exploit a vulnerability
• A security guard
• Locked door on server rooms
• Data backup policy
• Strong password management
• Anti-Virus Software
• Firewall, AAA & IDS/IPS

Sep-23 INFO6010 48
•Identify assets. What do you have that is valuable?
• Who can help us with this? Might need a team.
•Identify threats against these assets and estimate the
possible damage and potential loss
•Construct a budget with the funds to protect identified
assets and develop applicable security policies that
provide direction for security activities
• Return on investment (ROI)
•Security education and awareness keeps everyone
properly informed and working toward the same security
goal

Sep-23 INFO6010 49
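As an added worked example (not from the course slides), the steps above (identify assets, identify threats and estimate loss, budget safeguards against ROI) and the "probability and impact" definition of risk on the earlier slide, carried through in Python using the standard CISSP quantitative formulas SLE = AV × EF and ALE = SLE × ARO, which the slides do not spell out. All asset values, exposure factors, rates of occurrence and safeguard costs are constructed sample figures.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, with the inputs for a quantitative estimate."""
    asset: str
    threat: str
    asset_value: float      # AV: value of the asset in dollars (constructed figure)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year (the likelihood)

    def sle(self) -> float:
        """Single loss expectancy: the impact of one incident (SLE = AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: impact scaled by likelihood (ALE = SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and what it does to the risk's impact and likelihood."""
    name: str
    annual_cost: float      # purchase/operating cost per year (constructed figure)
    exposure_factor: float  # EF once the control is in place
    aro: float              # ARO once the control is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual value of a control: ALE before - ALE after - annual cost of the control.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    after = replace(risk, exposure_factor=sg.exposure_factor, aro=sg.aro)
    return risk.ale() - after.ale() - sg.annual_cost


def best_safeguard(risk: Risk, options: list[Safeguard]) -> Optional[Safeguard]:
    """Return the control with the highest positive value, or None if no option pays off
    (accepting the risk is then the defensible choice)."""
    if not options:
        return None
    value, sg = max(((safeguard_value(risk, s), s) for s in options), key=lambda t: t[0])
    return sg if value > 0 else None


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Order risks by expected annual loss so the budget goes to the biggest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative alternative when dollar figures are unavailable: rate likelihood and
    impact on a 1-5 scale and bucket the product into Low / Medium / High."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Constructed sample data (not from the course): two assets, one threat each.
CUSTOMER_DB = Risk("customer database", "ransomware", asset_value=500_000,
                   exposure_factor=0.6, aro=0.25)          # SLE 300,000; ALE 75,000
WEB_STOREFRONT = Risk("web storefront", "denial of service", asset_value=80_000,
                      exposure_factor=0.125, aro=4.0)      # SLE 10,000; ALE 40,000

# Candidate controls for the ransomware risk, with constructed costs and effects.
CUSTOMER_DB_OPTIONS = [
    Safeguard("offline, tested backups", annual_cost=20_000, exposure_factor=0.1, aro=0.25),
    Safeguard("endpoint detection and response", annual_cost=40_000, exposure_factor=0.6, aro=0.05),
    Safeguard("hot-site replication", annual_cost=90_000, exposure_factor=0.05, aro=0.25),
]

if __name__ == "__main__":
    for r in rank_by_ale([WEB_STOREFRONT, CUSTOMER_DB]):
        print(f"{r.asset:20} {r.threat:18} SLE={r.sle():>10,.0f} ALE={r.ale():>10,.0f}")
    for sg in CUSTOMER_DB_OPTIONS:
        print(f"  {sg.name:32} value/yr = {safeguard_value(CUSTOMER_DB, sg):>10,.0f}")
    choice = best_safeguard(CUSTOMER_DB, CUSTOMER_DB_OPTIONS)
    print("recommended:", choice.name if choice else "accept the risk")
    print("qualitative 4x4:", qualitative_rating(4, 4))
```

The hot-site option shows the budgeting point on the slide: a control that reduces the loss the most can still be the wrong choice when its annual cost exceeds the loss it prevents.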
1. Risk Identification
• Determine risks, identify hazards,
• Who or what can be harmed and how?
2. Implement policies and controls
3. Monitor systems and practices involved
4. Promote awareness

Sep-23 INFO6010 50
•Determine objectives, scope, policies, priorities and
strategies
•Clear direction for employees to follow
•Identify and value the company’s assets
•Implement security policies, procedures, standards and
guidelines
•Security is not solely the responsibility of the IT
department

Sep-23 INFO6010 51
•Security program requires a top-down approach
• Direction from senior management through middle management
to staff members
•Allocate necessary resources and funding
• Human, capital, hardware, training
•Assign responsibilities
•Integrate into business environment
•Monitor and measure accomplishments

Sep-23 INFO6010 52
•Building security program like building a house
• Start with blueprint or plan
• Determine goals and security level required
• Not simple matter of installing firewalls and locking down
computers
•Senior management drives the program to develop
standards, procedures & guidelines for the organization
to guide its decisions and direction

Sep-23 INFO6010 53
•Senior management appoints a Security Officer (CSO
and/or CISO)
•Security administration may be a single individual or group
of individuals
• based on size and requirement of company
•Security administration requires clear authority and
reporting structure
•Security officer ensures implementation of security policy
• Not solely responsible for development of policy

Sep-23 INFO6010 54
•Data owners determine what type of access an employee
should have
•Security administration ensures access control is
implemented and monitored
•Data owner is the senior executive or head of department
•Held responsible for data protection and assigning
security classifications
• Can be found negligent if not following due care

Sep-23 INFO6010 55
3 types of controls: Administrative, Technical, and Physical

•Administrative Controls:
• Developing and publishing of policies, standards, procedures and
guidelines
• Risk management
• Screening of personnel
• Security awareness training
• Implementing change control procedures

Sep-23 INFO6010 56
•Technical Controls (Logical Controls):
• Primarily for automated or electronic systems
• Configuration of security device & infrastructure
• Implement and maintain access control mechanisms
• Password and resource management
• Identification and authentication methods
• Security devices & infrastructure

Sep-23 INFO6010 57
•Physical Controls:
• Tangible mechanism (ex. A fence, a lock, a door)
• Controlling individual access into the facility and different
departments
• Locking systems and removing unnecessary drives
• Floppy/CD-Rom, USB
• Protecting the perimeter of the facility
• Monitor for intrusion
• Environmental controls

Sep-23 INFO6010 58
Physical Controls
Access Controls, Security guards & locks
Technical Controls:
Authentication Encryption, Security devices

Administrative Control
Policy, Standards, Guideline &
Procedures

ASSET or DATA

Source: All-In-One CISSP Exam Guide by Shon Harris

Sep-23 INFO6010 59
•Improper understanding of risks can lead to bad security
practices
• This leads to simple and sloppy mistakes and false sense of
security
• Lack of understanding typically leads to believing your opponent
(attacker) is less intelligent than you
•Relying on security through confusion or obscurity is
dangerous
• Example: Leaving a spare house key in your mailbox
• Example: Change web server default port to 8080
• Example: Rename directory

Sep-23 INFO6010 60
•Planning horizon – What is LIKELY coming up and how
will we prepare for it?
• Not all security systems and changes can be done at same time
•Planning can be organized into 3 areas:
1. Operational
• Short term goals
2. Tactical
• Mid term goals
3. Strategic
• Long term goals

Sep-23 INFO6010 61
•Operational
• Daily activities
• Have specific goals and timelines
• Perform risk assessment
• Track compliance
• Rollout patches
•Tactical
• Midterm goals
• Integrate all workstations into a domain
•Strategic
• Long term up to 5 years
• Implement VPNs for all branch offices
• Install wireless
• Implement PKI

Sep-23 INFO6010 62
Information Security Governance
Ex. CobIT, COSO, ITIL, ISO27000
“Information security governance is all of the tools,
personnel and business processes that ensure that security
is carried out to meet an organization's specific needs”
-Mariana Henlea, 2021

Sep-23 INFO6010 64
•Often synonymous with terms like “management”,
“authority”, “leadership”, “accountability”, “oversight”, and
“influence”
•Governance is at the top of the organization’s hierarchy
•Governance refers to the structures, systems, and
practices an organization has in place
•Involves all the tools, personnel and processes needed to
ensure a required level of security
•Requires a defined structure of role and responsibilities,
defined tasks, performance measurements and oversight

Sep-23 INFO6010 65
•Control Objectives for Information (and related) Technology
•Set of best practices developed by
• Information Systems Audit and Control Association (ISACA)
• IT Governance Institute (ITGI)
•CobiT was derived from COSO framework developed by the
Committee of Sponsoring Organizations in 1985 to deal with
fraudulent financial reporting
•Released in 1996, there is now a CobiT 2019
•It’s a framework for examining IT management and
governance

Sep-23 INFO6010 66
•CobiT presents six principles for a governance system:
1. Meet stakeholder needs,
2. Holistic approach,
3. Dynamic governance system,
4. Distinct governance from management,
5. Tailored to enterprise needs,
6. End-to-end governance system

Sep-23 INFO6010 67
•Defines goals for the controls that should be used to
properly manage IT
• Ensure IT maps to business needs
•CobiT lays out:
• Executive summaries
• Management guidelines
• Control objectives
• Audit guidelines
• Implementation toolset
•Many compliance audits are built on CobiT framework
• Compliance roadmap has 34 control objectives

Sep-23 INFO6010 68
CobiT defines 4 domains
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
•Each domain has sub-domains

https://www.slideshare.net/ImanBaradari/cobit-training-course

Sep-23 INFO6010 69
•There are 5 COSO Areas
• The Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
1. Control Environment
• Management philosophy & operating style
• Company culture toward fraud and ethics
2. Risk Assessment
• Establish risk level
• Manage change
3. Control Activities
• Policies, procedures & practices to mitigate risk

Sep-23 INFO6010 70
4. Information and Communication
• Organizational structure to ensure information is provided to the right
levels of management
5. Monitoring
• Detect and respond to control
deficiencies

https://info.knowledgeleader.com/bid/161685/what-are-the-five-components-of-the-coso-framework

Sep-23 INFO6010 71
•CobiT is a model for IT (Information Technology)
governance
•COSO is a model for corporate governance
•COSO deals more with strategic level
•CobiT deals more with operational level
•CobiT & COSO identify what is to be achieved not how to
achieve it

Sep-23 INFO6010 72
•The Information Technology Infrastructure Library
•De facto standard of best practices for IT
•Provides goals and general activities to achieve goals
•Provides steps at process level and expected input and
output values of each activity to achieve goals
•Customizable Framework
•Focus is on the internal service level agreement (SLA)
between the IT department and its internal customers
• Security is only one component

Sep-23 INFO6010 73
•Set of standards for infosec that describe security processes
and mechanisms
•Provides best practices recommendations on infosec
management (ISMS)
•ISO 27001 has 14 domains (domains are similar to CISSP)
• the revised CISSP has the content from 10 squeezed into 8 new domains - nothing
has been taken away!
•Can be used as blueprint to develop security program
•Companies can implement and be certified to provide
confidence to customers and business partners
• Marketing and business advantage

Sep-23 INFO6010 74
Reminders for Next Week
• Review Chapters 1-4 (Knowledge Domain #1) of the textbook

• Read the Key Terms at the end of each chapter and identify
10 terms you didn’t know before.
• Then add those words (and their definitions) to your personal
flashcard deck

• Contribute to the Week 2 Discussion Forum on FOL


• Share news links

• Next week we will be discussing Domain #2: Asset Security


Info 6010 Lesson 3
Domain 2: Asset Security

Information Security Management & Network Security and Architecture
Fall 2023
What type of asset is a river?

….A current asset


Housekeeping…
•WELCOME TO WEEK 3!
• I would like to hear how your courses are going so far. Any happy
surprises? Any not-so-happy ones?

•First assignment will be released on Friday
• It is due in week 6 (after the first test).

•Test #1 is in week 5 (October 4th) during normal class time
• Test is online (remote) but requires RLDB and Respondus Monitor

•Thanks for the Week 2 posts!
• Favorite (and least favorite) domains included…

Sep-23 INFO6010 3
News and Current Events…
• Hackers Acquire Logins From SMS Phishing & Support Desk Calls
• Targeting businesses with SMS phishing & social engineering
• Goal is to access critical systems, steal confidential data and use it to extort
• Australia to build “Cyber Shields” around the country
• will build six cyber shields around the country involving citizens, businesses
and governments to help better protect the country.
• “we won't be alone or in our silos trying to manage this problem”
• Citi Bank Launches Digital Asset Solution for Cash Management
• Unveiled a digital asset solution to enhance cash management and trade
finance capabilities by using blockchain and smart contracts.
• Shutdowns and the ‘avalanche of work’ for government tech shops
• Even if a shutdown doesn’t happen, planning for one has a real cost
• Google pays $93M to settle Android tracking lawsuit

Sep-23 Info 6010 4


Quick Review: Domain #1
• What do you remember about Domain #1?
• Ex. What was the domain called? 
• Governance, Compliance, Risk Management, Frameworks

POP QUIZ – Domain 1:

If the bank wants to make sure that fraud can’t/won’t happen unless collusion
occurs, what should they put into place?
1. Split knowledge
2. Separation of Duties
3. Job Rotation
4. Social engineering

Which term means a potential cause of an unwanted incident, which could result
in harm to a system or organization?
a)Vulnerability b)Exploit c)Threat d)Attacker

Sep-23 Info 6010 5


Flashcard update!
• Which key words, terms, concepts, or ideas did you add to your
study notes (flashcard deck)?
• Some possibilities include:
• Security Program
• Definition of risk, asset, vulnerability, threat, exposure
• Risk options (accept, mitigation/reduction, transfer, avoid)
• Risk assessment types (ex. probability vs impact)
• CIA triad
• Professional ethics
• BCP
• What are security controls? Any others you noted?
• ITIL, COBIT, COSO, ISO27000
• Governance (laws, regs, industry req)
• Security posture



Assignment #1 – What to expect
• You may want to spend the last hour of the lesson (self-study time)
thinking about and preparing for the first written assignment.
• It will involve a scenario that you need to read and interpret

• For example:
You are the CISO of a large global retail chain with thousands of physical
stores and a significant online presence. The retail industry has historically
been less focused on information security, but recent cyberattacks on other
retail companies have raised concerns about your organization's vulnerability.
As the CISO, you are tasked with conducting a comprehensive cybersecurity
assessment of the retail chain's operations. While your organization recognizes
the importance of cybersecurity, specific vulnerabilities and areas requiring
improvement are not outlined, giving you the responsibility to identify them.

• How do you approach this scenario? What problems do you see, and
how would you solve them (using the domains we’ve discussed)?

Assignment #1 – What to expect
Potential problems and questions:
1. What are the critical assets in the retail chain that need protection,
and why are they essential to the company's success?
2. How would you assess and prioritize security risks and
vulnerabilities, considering the global nature of the retail chain?
3. What cybersecurity enhancements do you believe are necessary to
protect customer data, supply chain integrity, and POS systems
effectively?
4. How can the company ensure compliance with relevant data
protection regulations and maintain customer trust in its security
measures?

What are your next steps in completing this assignment?
• Check the rubric and assignment description. What do they tell you?

• You will be put into small breakout groups for this exercise
• Have your microphone ready! Web cameras on if at all possible

1. Choose someone in your group to be the “scribe”
• This is the person who will share your work in the discussion forum
2. Together, devise a scenario that involves a company, its
assets (physical and digital), and an incident that
impacted that/those asset(s).
• Remember that scenarios are complex. They may involve details about
locations, people, processes, policies, information, systems, risks, etc.
3. Share this scenario description in the Week 3 discussion forum
• I will put one (or more) of these scenarios on your first test!

Domain #2: Asset Security (~10% of CISSP exam)
List of key topics (page 1 of 2):
• Information/data life cycle
•Data identification, classification and protection
•Data classification policy
•Data/asset retention policies
•Data handling and security controls
•IT Asset Management (ITAM) and Data Management
•Information/data ownership
• Roles and Responsibilities
• Data custodian vs data owner

Domain #2: Asset Security
List of key topics (page 2 of 2):
• Physical asset management
• Asset Management: Inventory, disposal, destruction
• QC vs QA
• (both used to ensure the quality of products or services)
• Protection of privacy information
• Asset handling requirements
• Data compliance requirements
• Data security standards, controls and modelling
• Regulatory compliance and standards: NIST, NIST SP 800
series (ex. 800-14, 800-18, 800-27, etc.), FIPS, ISO 15288

•Asset
•Data Owner
•Data Custodian
•Data (or asset) Lifecycle
•Retention Policy
•Data Destruction
•Privacy (and protecting it)
•Purging
•Scoping
•Recovery
•Tailoring
•Responsibility
•Data Remnants
•Data Security Controls
•Accountability
•Classification (and categorization)

Domain #2…

What is “Asset Security”?


What is an “Asset”?
• An asset is anything of worth to an organization. This includes people,
partners, equipment, facilities, reputation, and information.

Why is Asset Security Important?


• Asset protection requires security professionals to be vigilant about
protecting assets.
• Even a minor vulnerability can cause a whole system to be exposed to a
potential attack, resulting in loss of funds and data and potentially
compromising the entire company
• A good security professional protects their assets by knowing what they
have, classifying them, and protecting them based on their importance
to the organization.

Understanding the Information Life Cycle
•Acquisition
• Information is acquired by an organization in only one of two ways:
copied from elsewhere or created from scratch.
•Use
• After the information is prepared and stored, it will be read and
modified by a variety of users with the necessary access level. CIA
needs to be maintained by only allowing the right people to access
or modify it.
•Archival
• Information that is no longer used regularly needs to be archived
before it is finally disposed of.
•Disposal
• Almost all data will be disposed of at some point. This usually, but
not always, means data destruction. Ensure that the appropriate
data does in fact get destroyed, and that it is destroyed correctly.

The Data Life Cycle (from the textbook)
(figure: the textbook’s data life cycle diagram; only the “Acquisition” label survived extraction)
What is…

Information Classification
•What does it mean to classify something?
•Information is rated/classified based on the impact if that
asset was to be compromised:
• Impact of loss
• Impact of disclosure
• Impact of unavailability
•Classification ensures data is protected in the most cost-
effective manner
•Classification indicates level of CIA

•Each level of classification should have its own handling
requirements and procedures
• How users access the data
• If no longer required, how to dispose of data in a safe manner
•Handling data may require encryption when moving from
one location to another
•Using data may require 2 individuals to enter their access
codes
•Destroying data may require physical destruction of
computer hard drives, or simply a secure wipe whereby
patterns of ‘0’s and ‘1’s are written many times to each hard
drive sector

•Gov’t/Military vs. Private Business Classifications
• FOUO (for official use only)
•To classify data an entity must decide on the scheme it
will follow to assign classification to its data
•Military classification can be very different from private
business classification; as always, it depends on the organization.

•Commercial/Private Classification:
• Confidential
• Private
• Sensitive
• Public
•Military Classification:
• Top Secret
• Secret
• Confidential
• Sensitive but unclassified
• Unclassified

•Common Commercial Classification Scheme
• For Office Use Only
• Proprietary
• Privileged
• Private
•Classification scheme customized for each company
• Ensure each classification is unique and does not overlap
• Do not create too many classifications
• Include handling, usage and disposal procedures for each
classification
• Select criteria used to separate data to each classification

•Classification Controls:
• Ensure you have strict and granular access controls
• Encryption while in transit
• Auditing and monitoring of data usage
• Separation of duties ensuring there is no collusion between
employees
• Periodic reviews of access control processes
• Backup and recovery processes
• Marking and labeling appropriately

•Data Classification Procedure/Steps
1. Define classification levels
2. Criteria for how data is classified
3. Data owner should classify under their responsibility
4. Identify data custodian who will maintain data and security
5. Indicate security controls or protection for each classification
6. Document any exceptions
7. Indicate process for transferring ownership to different custodian
8. Define procedure for declassifying data
9. Integrate in security awareness training program
• (The order of these steps may change a bit, but you get the idea)

• Classification by itself is simply a system of classes set up by an
organization to differentiate asset values and, therefore, protection levels
• The act of assigning a classification level to an asset is called
categorization.
• All assets should be categorized into a classification system to allow
them to be protected based on value.
https://destcert.com/resources/domain-2-asset-security/
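To make the classification steps and the categorization definition above concrete, here is an added example (not from the slides or the textbook) in Python: it checks a commercial scheme against the slide’s rules (unique levels, non-overlapping criteria, not too many levels, controls per level) and categorizes constructed sample assets by their impact of loss, disclosure and unavailability. The level names, the 0–3 impact scale, the five-level limit and the control names are all assumptions.

```python
"""Constructed example of a classification scheme and the categorization step.
Impact scale (assumed): 0 = none, 1 = low, 2 = moderate, 3 = high."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # the data owner accountable for classifying it
    loss: int             # impact if the asset is lost
    disclosure: int       # impact if the asset is disclosed
    unavailability: int   # impact if the asset is unavailable


@dataclass(frozen=True)
class Level:
    name: str
    min_impact: int              # criterion: worst-case impact needed for this level
    controls: Tuple[str, ...]    # handling/usage/disposal controls for this level


# Constructed commercial scheme, ordered from least to most sensitive.
SCHEME: List[Level] = [
    Level("Public", 0, ("marking",)),
    Level("Sensitive", 1, ("marking", "access control", "backup")),
    Level("Private", 2, ("marking", "access control", "backup",
                         "encrypt in transit", "audit usage")),
    Level("Confidential", 3, ("marking", "access control", "backup",
                              "encrypt in transit", "audit usage",
                              "dual control", "physical destruction")),
]

MAX_LEVELS = 5  # "do not create too many classifications" (limit assumed)


def validate_scheme(scheme: List[Level]) -> bool:
    """Apply the slide's rules: unique levels, non-overlapping criteria,
    a manageable number of levels, and controls defined for each level."""
    names = [lvl.name for lvl in scheme]
    if len(set(names)) != len(names):
        raise ValueError("classification names must be unique")
    thresholds = [lvl.min_impact for lvl in scheme]
    if len(set(thresholds)) != len(thresholds):
        raise ValueError("criteria overlap: two levels share a threshold")
    if thresholds != sorted(thresholds):
        raise ValueError("levels must be listed from least to most sensitive")
    if len(scheme) > MAX_LEVELS:
        raise ValueError("too many classifications")
    if any(not lvl.controls for lvl in scheme):
        raise ValueError("every level needs handling controls")
    return True


def categorize(asset: Asset, scheme: List[Level]) -> Level:
    """Categorization: assign the highest level whose criterion the asset meets.
    The worst of the three impacts drives the level (high-water mark)."""
    validate_scheme(scheme)
    worst = max(asset.loss, asset.disclosure, asset.unavailability)
    chosen: Optional[Level] = None
    for level in scheme:            # ascending, so the last match is the highest
        if worst >= level.min_impact:
            chosen = level
    if chosen is None:
        raise ValueError(f"no level matches impact {worst}")
    return chosen


def inventory_report(assets: List[Asset], scheme: List[Level]) -> Dict[str, dict]:
    """Owner, level and required controls per asset, as a data owner would document."""
    report: Dict[str, dict] = {}
    for asset in assets:
        level = categorize(asset, scheme)
        report[asset.name] = {"owner": asset.owner, "level": level.name,
                              "controls": list(level.controls)}
    return report


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("store opening hours", "Marketing", 0, 0, 0),
    Asset("press release draft", "Marketing", 0, 0, 1),
    Asset("supplier contracts", "Procurement", 2, 2, 1),
    Asset("customer card data", "Finance", 2, 3, 2),
]

if __name__ == "__main__":
    for name, entry in inventory_report(SAMPLE_ASSETS, SCHEME).items():
        print(f"{name:24} {entry['level']:13} owner={entry['owner']}")
```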

What do we mean by…

Information/data Ownership
•Layers of Responsibility
• Everyone has responsibility
• Both Managers and users should have input into best practices,
procedures and chosen controls
• This ensures agreed upon security level is successfully
implemented and maintained
•Specific roles must be assigned, such as:
• Data owner/controller, Data Custodian, System Owner, Process
Owner (or data processor) and Security Administrator

•Unfortunately, ____ are the weakest link in the Security
chain
•Separation of duties and layers of responsibility ensure a
successful security program
•Appropriate level of training and transparency is required
for everyone to understand their responsibilities within the
company
•Clear structure and chain of command is required

•Clear duty descriptions ensure everyone understands their
role within the company
•Policies ensure everyone understands expected
behaviour.
• Clearly define acceptable and unacceptable behaviour including
enforcement (ex. reprimands & consequences)
•Separation of Duties ensures there is no collusion
amongst employees
• Collusion – Two or more employees working together to cause a
destructive or fraudulent act against the company

•CEO – Chief Executive Officer
• Day-to-day management of entire organization
• Often Chairperson of the Board of Directors and is highest
ranking officer in company
• Oversees the company’s finances, budget, strategic vision and business
plan
• Decides on partnerships with other vendors
• Decides how company will differentiate itself from its competitors

•CFO – Chief Financial Officer
• Day-to-day account and financial activities
• Responsible for overall financial structure
• Determines the company’s current and future financial needs
• Maintains company capital structure
•Equity, Cash, Credit, Debt
• Oversees budget and financial performance metrics
• Responsible for filing financial statements to regulatory bodies

•CIO – Chief Information Officer
• Reports to CEO or CFO
• Responsible for information technology infrastructure
• Oversee day-to-day technology operations
• Security policy originating from CEO and CIO helps ensure it is
properly implemented

•CPO – Chief Privacy Officer
• Reports to Chief Security Officer
• Newer position
• Oversee appropriate handling and usage of data
• Familiar with outside regulations and market specific legal
requirements
• Usually an attorney by training

•Senior management appoints a Security Officer
•Security administration may be a single individual or group
of individuals
• based on size and requirement of company
•Security administration requires clear authority and
reporting structure
•Security officer ensures implementation of security policy
• Not solely responsible for development of policy

•CSO – Chief Security Officer
• Responsible for understanding company specific risks and
processes used to mitigate these risks
• Must understand business drivers
• Responsible for maintaining company Security Program
• Responsible for compliance with applicable regulations and laws
• Ensures Business is NOT interrupted in any way

•Chief Information Security Officer
•Must have a strong understanding of business processes
and objectives
• Ability to communicate effectively with upper management
• Understand legal regulations and security frameworks
• Develop and maintain security awareness programs
• Develop security budget and report to Board of Directors or
upper management
• Respond to security incident or breach

•Data Owner
• Member of management in charge of specific business unit
• Responsible for specific data subset
• Has due care responsibility to ensure data/information is not
corrupted, destroyed, improperly used or transmitted
• Responsible for appropriate security controls
• Responsible for defining appropriate classification, backup
requirements, approving access controls and approving any
disclosure
• Responsible for dealing with access violations

•Data Custodian
• Responsible for maintaining and protecting data/information
• Responsible for performing regular backups ensuring data is
available
• Responsible for retaining data access information
• Responsible for fulfilling company security requirements
assigned to data/information

•System Owner
• Responsible for one or more systems
• These systems process or hold data/information owned by different
individuals
• Responsible for system purchasing decisions
• Responsible for ensuring adequate access controls and
operating system configurations
• Ensures systems are properly assessed against any
vulnerabilities

•Security Administrator
• Anyone with a root or administrative account to a system
• Ensures software is properly updated
• Responsible for day-to-day system management
• Ensures company policies are properly implemented at the
system level
• Ensures user access to data/information is done according to
security policy

•Supervisor
• Responsible for all user activity and assets created and owned
by these users
• Ensures employees understand their responsibilities
• Security policy
• Account information is accurate
• Take appropriate action when employee role changes
•Fired
•Suspended

•What is a Change Control Analyst?
• Responsible for approving and rejecting change control requests
• Must ensure changes will not introduce any vulnerabilities
• Ensures changes are properly tested and implemented
• Must understand how various changes impact the following
• Security
• Performance
• Productivity

•Data Analyst
• Ensures data is stored in a fashion that makes sense for the
company
• May design or architect a new system
• May advise in purchase of new product
• Works in conjunction with data owners

•User
• Uses data for work-related task
• Must have required level of access
• Responsible for following procedural and operational
requirements to ensure confidentiality, integrity and availability of
data

•The Auditor
• Evaluates security controls within the company
• Performs internal and external evaluation
• Performs unbiased, independent and comprehensive evaluation
of company
• Using third party (outside company) ensures ‘unbiased’ review

•Why So Many Roles?
•Company business processes are complex
• Not everyone is familiar with all processes and requirements
•A system administrator should not be making decisions
how to implement security and what assets to secure.
• This direction should be given by management
•A managerial position should not be implementing security
countermeasures.
• This should be done by qualified technical individuals

Asset Storage, Retention, and
Retention Policies
Retention Policies
•Developing a retention policy is a must.
• What data do we keep?
• How long do we keep this data?
• Where do we keep this data?
• Answer: For as long as they need it, but how do you determine that?
• To comply with laws and regulations.
• What method do we use to retain?

How We Retain
•In order for retained data to be useful, it must be accessible
in a timely manner.
• Taxonomy: A taxonomy is a scheme for classifying data.
• Classification: The sensitivity classification of the data will
determine the controls we place on it both while it is in use and
when it gets archived.
• Normalization: Retained data will come in a variety of formats.
The original data needs to be tagged so that it is searchable.
• Indexing: Retained data must be searchable if we are to quickly
pull out specific items of interest; this can be done by building
indexes.

eDiscovery
• Discovery of electronically stored information (ESI), or e-
discovery, is the process of producing for a court or external
attorney all ESI pertinent to a legal proceeding.
• The Electronic Discovery Reference Model (EDRM) identifies
eight steps, though they are not necessarily all required, nor are
they performed in a linear manner:
1. Identification of data required under the order.
2. Preservation of this data to ensure it is not accidentally or routinely
destroyed while complying with the order.
3. Collection of the data from the various stores in which it may be.
4. Processing to ensure the correct format is used for both the data and
its metadata.
5. Review of the data to ensure it is relevant.
6. Analysis of the data for proper context.
7. Production of the final data set to those requesting it.
8. Presentation of the data to external audiences to prove or disprove a
claim.

Data Destruction
(and Data Remanence)
Data Remanence
•Data remanence is the residual physical representation of
information that was saved and then erased in some
fashion.
•If the media does not hold confidential or sensitive
information, overwriting or deleting the files may be the
appropriate course of action.



Data Destruction
•When data are no longer needed, they should be destroyed
in such a way to ensure there is no data remanence left on
electronic media.



•When media is erased (cleared of its contents), it is said to
be sanitized
•Media can be sanitized in several ways:
•Overwriting: writing a pattern designed to ensure that the
data formerly on the media are not practically recoverable.
•Degaussing: magnetic scrambling of the patterns on a
tape or disk that represent the information stored there.
•Encryption: quickly and securely renders data unusable. To
render the data unrecoverable, the system simply needs
to securely delete the encryption key.
•Physical Destruction (shredding, crushing, burning)
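Two of the sanitization methods just listed, overwriting with a pattern and cryptographic erasure (destroying the key), as an added Python example that is not part of the slides or the textbook. It runs on a temporary file with constructed sample data; the HMAC-based keystream cipher is an assumed stand-in for a real cipher such as AES, used only to show what key destruction does to the ciphertext.

```python
"""Constructed example: pattern overwrite and cryptographic erasure, two of the
sanitization methods above, applied to a temporary file.
The keystream cipher is a stand-in for a real cipher (e.g. AES) built only from
the standard library; it illustrates key destruction, not production crypto."""
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Sequence


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def overwrite_file(path: str,
                   patterns: Sequence[Optional[bytes]] = (b"\x00", b"\xff", None)) -> bool:
    """Overwrite the file in place once per pattern (None = random bytes) and
    verify the final pass by reading the file back.
    Caveat: on SSDs, wear-levelled flash and journaling file systems an in-place
    overwrite may not touch the physical blocks that held the data; rely on the
    device's sanitize command or cryptographic erasure there."""
    size = os.path.getsize(path)
    fill = b""
    for pattern in patterns:
        fill = os.urandom(size) if pattern is None else pattern * size
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(fill)
            f.flush()
            os.fsync(f.fileno())
    with open(path, "rb") as f:
        return f.read() == fill


class EncryptedStore:
    """Data at rest is always encrypted; destroying the key destroys the data
    in constant time, regardless of how much ciphertext exists."""

    def __init__(self) -> None:
        self._key = bytearray(os.urandom(32))
        self.ciphertext = b""

    def write(self, plaintext: bytes) -> None:
        self.ciphertext = xor_crypt(bytes(self._key), plaintext)

    def read(self) -> bytes:
        if not any(self._key):
            raise PermissionError("key has been destroyed; data unrecoverable")
        return xor_crypt(bytes(self._key), self.ciphertext)

    def crypto_erase(self) -> None:
        """Securely delete the key: zero the only copy in memory."""
        for i in range(len(self._key)):
            self._key[i] = 0


def sanitization_demo() -> dict:
    """Run both methods on constructed sensitive data and report the outcome."""
    secret = b"cardholder: 4111 1111 1111 1111 exp 12/29\n"   # constructed sample
    results = {}

    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
        path = tmp.name
    try:
        results["overwrite_verified"] = overwrite_file(path)
        with open(path, "rb") as f:
            results["plaintext_gone"] = secret not in f.read()
    finally:
        os.remove(path)

    store = EncryptedStore()
    store.write(secret)
    results["readable_before_erase"] = store.read() == secret
    store.crypto_erase()
    try:
        store.read()
        results["readable_after_erase"] = True
    except PermissionError:
        results["readable_after_erase"] = False
    results["ciphertext_leaks_plaintext"] = secret in store.ciphertext
    return results


if __name__ == "__main__":
    for check, outcome in sanitization_demo().items():
        print(f"{check:28} {outcome}")
```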



•Proper media management requires the following tasks:
• Tracking (audit logging) who has custody of each piece of
media at any given moment
• This creates the same kind of audit trail as any audit logging
activity—to allow an investigation to determine where information
was at any given time, who had it, and, for particularly sensitive
information, why they accessed it
• This enables an investigator to focus efforts on particular people,
places, and time, if a breach is suspected or known to have
happened



• Effectively implementing access controls
• Restrict who can access each piece of media to only those people
defined by the owner of the media/information on the media
• Enforce the appropriate security measures based on the classification
of the media/information on the media
• Certain media, due to the physical type of the media, and/or the nature
of the information on the media, may require “special handling”
• Access controls will include
• physical (locked doors, drawers, cabinets, or safes)
• technical (access and authorization control of any automated system
for retrieving contents of information in the library)
• administrative (the actual rules for who is supposed to do what to
each piece of information)



•Tracking the number and location of backup versions
(both onsite and offsite)
• This is necessary to ensure proper disposal of information when
the information reaches the end of its lifespan; to account for the
location and accessibility of information during audits; and to find
a backup copy of information if the primary source of the
information is lost or damaged
•Documenting the history of changes to media
• For example, when a particular version of a software application
kept in the library has been deemed obsolete, this must be
recorded so that the obsolete version of the application is not used
unless that particular obsolete version is required



•Ensuring environmental conditions do not endanger
media
• Each media type may be susceptible to damage from one or
more environmental influences
• For example, all media formats are susceptible to fire, and most
are susceptible to liquids, smoke, and dust
• Magnetic media formats are susceptible to strong magnetic
fields
• Magnetic and optical media formats are susceptible to variations
in temperature and humidity



•Ensuring media integrity
• Verifying each piece of media remains usable, and transferring
still-valuable information from pieces of media reaching their
obsolescence date to new pieces of media
• Every type of media has an expected lifespan under certain
conditions, after which it can no longer be expected that the
media will reliably retain information



•Inventorying the media on a scheduled basis
• Detect if any media has been lost/changed
• This can reduce the amount of damage a violation of the other
media protection responsibilities could cause by detecting such
violations sooner rather than later, and is a necessary part of the
media management life cycle by which the controls in place are
verified as being sufficient



•Carrying out secure disposal activities
• Disposition includes the lifetime after which the information is no
longer valuable and the minimum necessary measures for the
disposal of the media/information
• Secure disposal of media/ information can add significant cost to
media management



•Internal and external labeling of each piece of media in
the library should include
• Date created
• Retention period
• Classification level
• Who created it
• Date to be destroyed
• Name and version



Physical Security Considerations
Protecting Mobile Devices
• Protect mobile devices and the data they hold:
• Inventory all mobile devices, including serial numbers.
• Harden the operating system by applying baseline secure configurations.
• Password-protect the BIOS on laptops.
• Register all devices with their respective vendors, and file a report with the
vendor when a device is stolen.
• Do not check mobile devices as luggage when flying.
• Never leave a mobile device unattended.
• Engrave the device with a symbol or number for proper identification.
• Use a slot lock with a cable to connect a laptop to a stationary object
whenever possible.
• Back up all data on mobile devices to an organizationally controlled
repository.
• Encrypt all data on a mobile device.
• Enable remote wiping of data on the device.
• Tracing software can be installed so that your device can “phone home”
if it is taken from you.

Paper Records
Principles to consider when protecting paper records:
• Educate staff on proper handling of paper records.
• Minimize the use of paper records.
• Ensure workspaces are kept tidy so it is easy to tell when sensitive
papers are left exposed, and routinely audit workspaces to ensure
sensitive documents are not exposed.
• Lock away all sensitive paperwork as soon as you are done with it.
• Prohibit taking sensitive paperwork home.
• Label all paperwork with its classification level. Ideally, also include its
owner’s name and disposition (e.g., retention) instructions.
• Conduct random searches of employees’ bags as they leave the office to
ensure sensitive materials are not being taken home. Not legal
everywhere!
• Destroy unneeded sensitive papers using a crosscut shredder. For very
sensitive papers, consider burning them instead.

Safes
• Safes are used to store backup data tapes, original contracts, or
other types of valuables. The safe should be penetration resistant
and provide fire protection. The types of safes an organization
can choose from are:
• Wall safe Embedded into the wall and easily hidden
• Floor safe Embedded into the floor and easily hidden
• Chests Stand-alone safes
• Depositories Safes with slots, which allow the valuables to be easily
slipped in
• Vaults Safes that are large enough to provide walk-in access
• The combination should be changed periodically and shared only on a
need-to-know or need-to-access basis.
• The safe should be in a visible location, so anyone who is
interacting with the safe can be seen.

Data Leakage
•Data leakage will happen! Leaks of personal information
can cause large financial losses. The costs include:
• Investigating the incident and remediating the problem
• Contacting affected individuals to inform them about the incident
• Penalties and fines to regulatory agencies
• Contractual liabilities
• Mitigating expenses (such as free credit monitoring services for
affected individuals)
• Direct damages to affected individuals

Data Leak Prevention
•Data leak prevention (DLP) is aimed at preventing the loss of
sensitive information by focusing on the:
• location, classification and monitoring of information at rest,
in use and in motion, to stop the numerous leaks of
information that occur each day.
• The successful implementation of DLP requires
significant preparation and diligent ongoing maintenance.
•Those implementing the solution must take a strategic
approach that addresses risks, impacts and mitigation
steps, along with appropriate governance and assurance
measures

Summary: Expect to be tested on…
• Value of asset classification
• Asset classification steps
• Main differences between labeling and marking
• Cost-effectiveness of different labeling approaches
• The classification process begins with identifying the owners
• Owners are ultimately accountable for an asset
• Understand different roles and responsibilities
• Categories of sanitization
• Most effective/secure method of sanitization
• The best method for dealing with data remanence in the cloud
• Considerations related to data archiving
• Elements of data archiving policies
• Protecting the confidentiality of data being migrated to the cloud
• Why obfuscation is used

Homework
• Review your notes from today’s lesson and update your personal
flashcard deck with any new terms, etc.

• Strategically read the relevant chapters (ch. 5 and 6) in the textbook ‘All
In One CISSP Exam Guide’ 9th Ed.
• Depending on which edition you have, the relevant sections will be in different
places – so use the index.

Reading strategically involves:
1. Read the section headings (and 1-2 paragraphs per section) as you page through the chapter
2. Carefully read the “chapter review” section
3. Identify areas that are new to you and do the practice m/c questions relating to those subjects.
4. Complete the review questions at the end of the chapter.
5. Check your answers against the answer key to find what you got wrong, then go back into the
chapter and read about those areas/topics/concepts/definitions, etc.

Reminders for Next Week

• Read the review at the end of each chapter and identify 10 terms you didn’t know before.
• Then add those words (and their definitions) to your personal flashcard deck

• Contribute to the Week 3 Discussion Forum on FOL
• You can also share news links

• Next week we will be discussing Domain #3: Architecture and Engineering
Supplemental slides for Domain #1:
Security and Risk Management
• A documented set of your organization's information security policies,
procedures, tools, controls, guidelines, and standards.
• Helps an organization ensure CIA objectives are met
• The full, multi-faceted security strategy and governance that protects
your organization’s sensitive data and capabilities.

•A Security Program lifecycle has 4 stages:
1. Plan & organize
2. Implement
3. Operate & Maintain
4. Monitor & Evaluate
• Slides on each of these to follow…
https://searchsecurity.techtarget.com/tip/Steps-in-the-information-security-program-life-cycle

1. Plan & Organize
• Establish management commitment
• Establish oversight committees
• Management steering & oversight
• Assess business drivers / goals
• Create a threat profile for the organization
• Conduct a risk assessment
• Develop security architecture at an organizational, application,
network and component level
• Identify solutions per architecture level
• Obtain management approval to move forward

2. Implement
• Assign roles & responsibilities
• Develop and implement security policies, procedures, standards,
baselines & guidelines
• Identify sensitive data (at rest and in transit)
• Implement safeguards/programs
• Implement solutions (per program)
• Develop auditing and monitoring solutions per program (for
compliance purposes)
• Change control procedures
• Incident response
• Establish goals and metrics per program

3. Operate & Maintain
• Follow procedures to ensure that all baselines are met in each
implemented program
• Carry out internal and external audits
• Carry out tasks outlined per program
• Manage service level agreements per program

4. Monitor & Evaluate


• Review logs, audit results, and SLAs per program
• Assess goal accomplishments per program
• Quarterly Steering Committee meetings
• Recommend changes for improvement

•Physical Damage
• Fire, Water, Vandalism, Power Loss, Natural Disasters
•Equipment Malfunction
• Failure of Systems or Peripherals
•Human Interaction
• Accidental or intentional action or inaction
•Inside and Outside Attacks
• Hacking, Cracking, Attacking
•Misuse of Data
• Sharing trade secrets, Fraud, Espionage and Theft
•Loss of Data
• Intentional or unintentional loss of data (destructive)
•Application Error
• Computation errors, input errors and buffer overflows

•Companies usually focus on:
• business processes
• Efficiencies
• generating revenue
•Very few people in business are trained in risk management
•Slowly penetrating corporate culture as security becomes
recognized as a business issue

Proper Risk Management
•Requires commitment from senior management
•Requires a documented process
•Must align with and support the corporate mission
•Must have a designated Information Risk Management
Team
•Must have a documented Information Risk Management
Policy
• IRM – Information Risk Management

•Objectives of IRM Policy
• Set objective for IRM team
• Determine level of risk acceptable to company
• Set formal processes of risk identification
• Identify connection between IRM and Corporate Planning
• Define roles and responsibilities that fall under IRM
• Mapping of risk to internal controls
• Set approach to change staff behaviors and resource allocation to
reduce risk
• Mapping of risks to performance, targets and budgets
• Monitoring the effectiveness of controls

•Risk Analysis is a part of overall Risk Management
•Risk Analysis is used to determine whether security is cost
effective, relevant, timely and responsive to threats
•Risk Analysis helps an organization prioritize its risks and decide how
much money should be spent to safeguard against them

•Goal of risk analysis
• Identify assets and their value to organization
• Identify vulnerabilities and threats
• Quantify the probability and impact of these threats
• Provide economic balance between the impact and cost of
countermeasure
•Risk analysis provides a COST/BENEFIT comparison
• Return on investment for installing safeguards
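The cost/benefit comparison above can be worked through with the standard quantitative risk-analysis formulas (single loss expectancy, annualized loss expectancy and safeguard value), which the slide implies but does not spell out. This is an added Python example, not from the slides or the textbook; the threat, asset value, exposure factor, rate of occurrence and safeguard costs are all constructed figures.

```python
"""Constructed example: quantitative risk analysis and safeguard cost/benefit.
Standard formulas (assumed here; not spelled out on the slide):
    SLE = asset value x exposure factor
    ALE = SLE x annualized rate of occurrence (ARO)
    safeguard value = ALE(before) - ALE(after) - annual cost of safeguard
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # all identifiable costs if the asset is impaired
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # purchase amortised per year plus operating cost
    new_aro: float          # ARO after the safeguard is in place
    new_exposure_factor: Optional[float] = None  # None = unchanged


def sle(threat: Threat, exposure_factor: Optional[float] = None) -> float:
    """Single loss expectancy: what one incident costs."""
    ef = threat.exposure_factor if exposure_factor is None else exposure_factor
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(threat.asset_value * ef, 2)


def ale(threat: Threat, aro: Optional[float] = None,
        exposure_factor: Optional[float] = None) -> float:
    """Annualized loss expectancy: probability (ARO) times impact (SLE)."""
    rate = threat.aro if aro is None else aro
    return round(sle(threat, exposure_factor) * rate, 2)


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """Annual net benefit of a safeguard; negative means it costs more than it saves."""
    before = ale(threat)
    after = ale(threat, sg.new_aro, sg.new_exposure_factor)
    return round(before - after - sg.annual_cost, 2)


def choose_safeguard(threat: Threat, options: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the option with the highest positive value. None means no option pays
    off, so the risk should be accepted, transferred or avoided rather than mitigated."""
    best = max(options, key=lambda sg: safeguard_value(threat, sg), default=None)
    if best is None or safeguard_value(threat, best) <= 0:
        return None
    return best


# Constructed scenario: ransomware against a retailer's POS back office.
POS_RANSOMWARE = Threat("ransomware on POS back office", asset_value=1_000_000,
                        exposure_factor=0.30, aro=0.5)
OPTIONS = [
    Safeguard("offline backups + tested restore", annual_cost=40_000, new_aro=0.5,
              new_exposure_factor=0.05),
    Safeguard("EDR + network segmentation", annual_cost=130_000, new_aro=0.05),
    Safeguard("managed security appliance", annual_cost=200_000, new_aro=0.02),
]

if __name__ == "__main__":
    print("ALE before any safeguard:", ale(POS_RANSOMWARE))
    for sg in OPTIONS:
        print(f"{sg.name:36} value={safeguard_value(POS_RANSOMWARE, sg):>11,.2f}")
    best = choose_safeguard(POS_RANSOMWARE, OPTIONS)
    print("recommended:", best.name if best else "none (accept/transfer/avoid)")
```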

Sep-23 INFO6010 11
•Risk analysis team must include individuals from all
departments
•Risk analysis team members must understand the
processes within their own departments
•Risk analysis includes
• What event could occur?
• What could be the potential impact?
• How often could it happen?
• What level of confidence do we have in the answers to the above three
questions?
• Most answers to the above questions are gathered through interviews,
internal surveys and workshops

Sep-23 INFO6010 12
•Assets can have either or both a qualitative and
quantitative value
•Actual value is determined by cost to acquire, develop
and maintain
•Value may be determined by the importance it has to the
owner or user
•Value should reflect all identifiable costs that would arise if
asset were destroyed or impaired
•Understanding the true value of an asset is the first step in determining
what security mechanism should be in place to protect the asset

Sep-23 INFO6010 13
•The following should be considered when assigning value
to an asset
• Cost to acquire
• Cost to maintain and protect
• Value to owners and users
• Value of asset to adversaries
• Value of Intellectual Property during development of asset
• Price others are willing to pay for the asset
• Operational and production activities affected if asset is
unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization

Sep-23 INFO6010 14
•Tangible assets
• Computers
• Facilities
• Supplies
•Intangible assets
• Reputation
• Data
• Intellectual property
• Difficult to put a value on intangible assets

Sep-23 INFO6010 15
•Some threats may be easier to identify
•Many different types of threat agents can affect different
vulnerabilities
•There may be a delay before a threat or vulnerability is
identified
•Some threats may affect other assets in the form of a
cascading error
• Output from one process may be used as input in second
process
• If first process output has a computational error it affects the
accuracy of second process

Sep-23 INFO6010 16
•There may be a delayed loss due to a threat
• Such loss may not always be immediate, may be delayed from
few minutes to years
•Example: web server is offline
• Online store is impacted now
• Customers may go to competitor
• Current and future revenue suffers
• May impact year-end bottom line
•These types of issues make identifying and qualifying
threats hard

Sep-23 INFO6010 17
Quantitative Risk Analysis
•Assign real and meaningful numbers to all elements of
risk analysis process
• Provides concrete probability of threats
• Physical, Network, Software, Internet, Component Failure
•Assign dollar value to risk analysis process
• Asset value
• Safeguard cost
• Business impact
• Threat frequency
• Safeguard effectiveness
• Exploit probabilities

Sep-23 INFO6010 19
Step 1: Assign Value to Assets
•For each asset answer the following questions
• What is the value of the asset to the company?
• How much does it cost to maintain?
• How much does it make in profits?
• How much would it be worth to my competitors?
• How much would it cost to recreate or recover?
• How much did it cost to acquire or develop?
• How much liability do you face if the asset is compromised?

Sep-23 INFO6010 20
Step 2: Estimate Potential Loss per Threat
•For each asset answer the following questions
• What physical damage could the threat cause and how much
would it cost?
• What is the value lost if confidential information is disclosed?
• What is the cost of recovering from this threat?
• What is the value lost if critical devices were to fail?
• What is the Single Loss Expectancy (SLE) for each asset and
each threat?

Sep-23 INFO6010 21
•SLE = (asset value) x (exposure factor)
•EF (exposure factor) = percentage of loss
• For example, a server room worth $100,000 is protected by a fire
suppression system. You estimate a 10% loss in case of fire (EF =
10% or 0.10)

Sep-23 INFO6010 22
Step 3: Perform a Threat Analysis
•Gather information from all departments about the
likelihood of a threat
•Examine past records and official security resources
•Calculate the Annualized Rate of Occurrence (ARO)
•How many times a threat can take place in a 12 month
period
•ARO = estimated frequency of threat taking place within 1
year period

Sep-23 INFO6010 23
Step 4: Derive the Overall Annual Potential Loss Per Threat
•Combine potential loss and probability
•Calculate the Annualized Loss Expectancy (ALE)
•Using information from first 3 steps
•Choose measures to counteract each threat
•Include Cost/Benefit Analysis for each countermeasure
•ALE = (SLE) x (ARO)
•ALE = the dollar amount a company can economically justify spending
annually to safeguard the asset
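The SLE/ARO/ALE arithmetic from Steps 2 to 4, together with the cost/benefit test for a countermeasure and the residual risk that remains afterwards, worked through in code. This is an added example, not code from the course or the CISSP guide. The $100,000 server room and the 10% exposure factor are the slide's own figures; the ARO values, the countermeasure names, their annual costs and their post-control EF/ARO figures are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and countermeasure cost/benefit."""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: dollars lost in one occurrence of the threat.

    SLE = asset value x exposure factor (EF, the fraction of the asset lost).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected dollars lost per year.

    ALE = SLE x ARO, where ARO is the estimated number of occurrences per year
    (0.1 means roughly once every ten years).
    """
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float          # purchase + upkeep, spread over one year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float,
                    cm: Countermeasure) -> dict:
    """Cost/benefit of one countermeasure for one asset/threat pair.

    Returns the ALE before and after the control, the residual risk (the ALE
    that remains after the control, in dollars per year) and the net value of
    the safeguard: (ALE before - ALE after) - annual cost of the control.
    A positive net value means the control is worth more than it costs.
    """
    before = ale(sle(asset_value, ef), aro)
    after = ale(sle(asset_value, cm.new_exposure_factor), cm.new_aro)
    return {
        "ale_before": before,
        "ale_after": after,            # residual risk
        "net_value": (before - after) - cm.annual_cost,
        "worthwhile": (before - after) > cm.annual_cost,
    }


if __name__ == "__main__":
    # Slide figures: $100,000 server room, 10% loss expected from a fire.
    # Constructed assumption: a fire is estimated once every 10 years.
    asset, ef, aro = 100_000, 0.10, 0.1
    print(f"SLE = ${sle(asset, ef):,.0f}")                 # $10,000
    print(f"ALE = ${ale(sle(asset, ef), aro):,.0f}/year")  # $1,000/year

    # Constructed countermeasures: one cheap, one far too expensive.
    cabinets = Countermeasure("fire-rated cabinets", 400, 0.02, 0.1)
    guards = Countermeasure("24x7 fire watch", 50_000, 0.01, 0.05)
    for cm in (cabinets, guards):
        r = safeguard_value(asset, ef, aro, cm)
        print(f"{cm.name}: residual ${r['ale_after']:,.0f}/yr, "
              f"net value ${r['net_value']:,.0f}/yr, "
              f"{'reduce' if r['worthwhile'] else 'accept/transfer instead'}")
```

The last column of the output is the Step 5 decision: a control whose annual cost exceeds the ALE reduction it buys cannot be justified on cost/benefit grounds, so the risk is accepted, transferred (insurance) or avoided rather than mitigated with that control.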

Sep-23 INFO6010 24
STEP 5: Reduce, Transfer, Avoid or Accept the Risk
•Risk Reduction Methods
• Install Security Controls and Components
• Improve Procedures
• Alter the Environment
• Provide Early Detection Methods to catch the Threat as it is
happening
• Erect barriers to the threat
• Carry-out security awareness training

Sep-23 INFO6010 25
STEP 5: Avoid, Transfer, Mitigate/Reduce, or Accept the Risk
•Risk Avoidance
• Discontinue the activity causing risk
•Risk Transfer
• Buy Insurance
•Mitigate
• Implement controls
•Risk Acceptance
• Live with risk and spend no more money

Sep-23 INFO6010 26
Qualitative Risk Analysis
•Qualitative analysis does not assign monetary values to
components or losses
•Qualitative analysis examines different scenarios or risk possibilities,
•Rank the seriousness of the threats and the validity of the
different possible countermeasures based on opinions

Sep-23 INFO6010 28
•Qualitative Techniques Include:
• Judgment
• Best Practices
• Intuition
• Experience
•Examples of Qualitative Techniques:
• Brainstorming, Storyboarding
• Focus groups
• Interviews, surveys & questionnaires
• Team performing the analysis must gather people with
experience and education on the threats being examined
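A qualitative analysis in code: ratings gathered from several workshop participants (the "opinions" above) are combined per threat, placed on a likelihood/impact scale and ranked. This is an added example, not material from the course or the CISSP guide. The threat names, the 1 to 5 rating scale, the risk bands and the individual ratings are all constructed for illustration; the median and the disagreement flag are my own choices for handling the subjectivity the slides warn about.

```python
"""Qualitative risk ranking from participant opinions."""
from dataclasses import dataclass
from statistics import median_high

SCALE = range(1, 6)          # 1 = very low ... 5 = very high (constructed)
DISAGREEMENT_THRESHOLD = 3   # spread of opinions that should be re-discussed


@dataclass(frozen=True)
class RankedThreat:
    name: str
    likelihood: int   # consensus rating, 1-5
    impact: int       # consensus rating, 1-5
    score: int        # likelihood x impact, 1-25
    band: str         # "high" / "medium" / "low"
    disputed: bool    # participants disagreed widely on at least one rating


def consensus(ratings: list) -> int:
    """Combine individual opinions into one rating.

    The median ignores a single outlier; median_high rounds ties upward so the
    conservative (higher) rating wins when the group is evenly split.
    """
    if not ratings:
        raise ValueError("at least one rating is required")
    for r in ratings:
        if r not in SCALE:
            raise ValueError(f"rating {r!r} is outside the 1-5 scale")
    return median_high(ratings)


def band_for(score: int) -> str:
    """Constructed bands on the 1-25 likelihood x impact product."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_threats(workshop: dict) -> list:
    """workshop maps threat name -> (likelihood ratings, impact ratings).

    Returns threats ordered from most to least serious; ties break by name.
    """
    ranked = []
    for name, (likelihoods, impacts) in workshop.items():
        lk, im = consensus(likelihoods), consensus(impacts)
        disputed = any(max(v) - min(v) >= DISAGREEMENT_THRESHOLD
                       for v in (likelihoods, impacts))
        ranked.append(RankedThreat(name, lk, im, lk * im, band_for(lk * im),
                                   disputed))
    return sorted(ranked, key=lambda t: (-t.score, t.name))


# Constructed sample workshop: three participants rated each threat.
SAMPLE_WORKSHOP = {
    "Ransomware on file server":   ([4, 5, 4], [5, 5, 4]),
    "Phishing of finance staff":   ([5, 4, 5], [3, 3, 4]),
    "Laptop theft":                ([2, 3, 3], [1, 2, 4]),
    "Data centre flood":           ([1, 1, 2], [5, 4, 5]),
}

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_WORKSHOP):
        flag = " (disputed, revisit in workshop)" if t.disputed else ""
        print(f"{t.band:6} {t.score:2}  L={t.likelihood} I={t.impact}  {t.name}{flag}")
```

The "disputed" flag is the practical answer to the subjectivity drawback: a threat whose ratings spread widely across participants is sent back for discussion rather than silently averaged into a number nobody actually gave.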

Sep-23 INFO6010 29
Qualitative analysis drawbacks
• Assessments and results are subjective
• Eliminates the opportunity for cost/benefit discussions
• Difficult to track Risk Management objectives with subjective
measures
• Standards are not available
Quantitative analysis drawbacks
• Calculations are more complex
• Process is extremely labour intensive
• More preliminary work is required to gather detailed information
• Standards are not available

Sep-23 INFO6010 30
Step 1: Asset and Information Value Assignment
Step 2: Risk Analysis and Assessment
Step 3: Countermeasure Selection and Implementation

Source: All-In-One CISSP Exam Guide 5th Edition by Shon Harris

Sep-23 INFO6010 31
•Total Risk vs. Residual Risk
•No one or company is safe from risk 100%
•No countermeasure will give you 100% risk reduction
•Risk level remaining after implementing a countermeasure
is referred to as Residual Risk
•If a company chooses against implementing any
countermeasure they are 100% at risk
• This is often referred to as Total Risk

Sep-23 INFO6010 32
•Once a company knows the risk exposure level they can
choose 1 of 4 actions;
•Transfer Risk
•Reject Risk
•Reduce Risk
•Accept Risk
•Or put another way: Avoid, Transfer, Mitigate or
Accept 

Sep-23 INFO6010 33
•Risk Transfer
• Purchasing Insurance transfers risk to Insurance Company
•Risk Avoidance
• Cease activity which creates or increases level of risk
•Risk Mitigation
• Risk is reduced to level considered acceptable
• Implement Countermeasure
•Risk Acceptance
• Understand level of risk as well as the potential cost of damage
and live with it
• Do Not Implement Countermeasure

Sep-23 INFO6010 34
•An effective security program must be initiated by senior
management, given appropriate level of authority,
implemented, explained to all employees and monitored
for effectiveness
•Because each employee comes to the company with a
unique set of personal values and experiences senior
management must implement a top down approach
ensuring everyone understands their role in implementing
an effective Security Program

Sep-23 INFO6010 35
Security Policy(ies)
•An overall general statement produced by senior
management that dictates what role security plays within
the organization
•Security policy can address one of the following:
• Organizational Policy
• Issue Specific Policy
• System Specific Policy

Sep-23 INFO6010 37
•Organizational Policy
• Management determines goals and assigns responsibilities,
• Shows the strategic value of security and outlines how
enforcement should be carried out.
•Organizational Policy Example
• Management outlines general employee conduct policy
addressing local, provincial or federal laws
• This policy may also include vendor specific market regulations.

Sep-23 INFO6010 38
•Issue Specific Policy
• Also called a functional policy
• Addresses specific security issue(s) that management feels
need more detailed explanation and attention to make sure a
comprehensive structure is built and all employees understand
how they are to comply with these security issues.
•Issue Specific Policy Example
• Email monitoring policy outlining what management may do with
employees email.
• May also state employees cannot share confidential information
or state company issued email cannot be used for non business
websites, forums or chat groups.

Sep-23 INFO6010 39
•System Specific Policy
• Management's decisions that are specific to computers,
networks, applications and data
•System Specific Policy Example
• Management provides an approved software list
• It may also address how computers are to be locked down or
how firewalls and Intrusion Detection systems are implemented
and monitored.

Sep-23 INFO6010 40
•Identifies assets the company considers valuable
•Provides authority to the security team and its activities
•States the company security goals and objectives
•Outlines personal responsibility
• Provides a reference when conflicts arise
•Helps to prevent unaccounted for events
•Outlines incident response

Sep-23 INFO6010 41
•Regulatory Policy
• Ensures company is following legal and industry specific
regulations. (Health Care, Financial)
•Advisory Policy
• Outlines acceptable and unacceptable employee behavior.
• Includes possible consequences should policy be broken.
•Informative Policy
• Informs employees of certain topics
• This policy is NOT enforceable
• Used for training

Sep-23 INFO6010 42
•Standards
• Mandatory activities, actions or rules
• Standards support Policies.
• Standards can be company specific (derived internally) or
mandated by regulatory bodies or governments
•Baselines
• Minimum level of protection required
• Baseline can be a point in time reference for comparison for
future changes.
• All patches and upgrades must be checked and tested to ensure
baseline compliance

Sep-23 INFO6010 43
•Guidelines
• General guide and recommended actions when a specific
Standard does not apply
•Procedures
• Step by step detailed instruction on specific tasks
• Set up new user accounts
• Lowest level of security policy
• Details of how standards and guidelines are implemented

Sep-23 INFO6010 44
Security Policy – Strategic Goal (End result)
Standards, Baselines, Guidelines – Tactical Goal (Steps required to
achieve end result)

Source: All-In-One CISSP Exam Guide 5th Edition by Shon Harris

Sep-23 INFO6010 45
•Security policy is a modular document
• It has many parts, or modules
•Parts such as a standard or procedure can be modified as
required without changing the whole document

Sep-23 INFO6010 46
•Example #1
•Policy
• All corporate data must be backed up
•Standard
• Full back up every week
• Incremental every day
• Store off site
•Procedure
• Step by step instructions for how backup performed
• Detail on how to store backup

Sep-23 INFO6010 47
•Example #2
•Policy
• All employee user accounts require password protection
•Standard
• Passwords 10 characters long
• Change every 45 days
• Complex
•Procedure
• Steps for setting up user account
• Password change on first login

Sep-23 INFO6010 48
•Due Diligence
•Determining vulnerabilities and risks.
•Risk analysis
•Due Care
•Implementing countermeasures against risks and
threats
•By developing Policies, Standards, Baselines and
Guidelines a company has taken responsibility for
activities under its control.
•Taken steps to protect assets, employees and resources
from threat.
•Company that does not practice Due Care and Due
Diligence may be legally responsible for its activities

Sep-23 INFO6010 49
•Information is rated based on
• Impact of loss
• Impact of disclosure
• Impact of unavailability
•Classification ensures data is protected in the most cost
effective manner
•Classification indicates level of CIA

Sep-23 INFO6010 50
•Each level of classification should have its own handling
requirements and procedures
• How users access the data
• If no longer required, how to dispose of data in a safe manner
•Handling data may require encryption when moving from
one location to another
•Using data may require 2 individuals to enter their access
codes
•Destroying data may require physical destruction of
computer hard drives or simply secure wipe whereby a
series of ‘0’ and ‘1’ are written many times to each hard
drive sector

Sep-23 INFO6010 51
•Military vs. Private Business Classifications
•To classify data an entity must decide on the scheme it will
follow to assign classification to its data
•Military classification can be very different from private
business; as always, it depends on the organisation.

Sep-23 INFO6010 52
•Commercial Classification:
• Confidential
• Private
• Sensitive
• Public
•Military Classification:
• Top Secret
• Secret
• Confidential
• Sensitive but unclassified
• Unclassified

Sep-23 INFO6010 53
•Common Commercial Classification Scheme
• For Office Use Only
• Proprietary
• Privileged
• Private
•Classification scheme customized for each company
• Ensure each classification is unique and does not overlap
• Do not create too many classifications
• Include handling, usage and disposal procedures for each
classification
• Select criteria used to separate data to each classification

Sep-23 INFO6010 54
•Classification Controls:
• Ensure you have strict and granular access controls
• Encryption while in transit
• Auditing and monitoring of data usage
• Separation of duties ensuring there is no collusion between
employees
• Periodic reviews of access control processes
• Backup and recovery processes
• Marking and labeling appropriately
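The two schemes listed above, turned into an ordered classification scheme with the checks a data custodian would actually run: that the scheme's labels are unique and do not overlap, that a user's clearance dominates a data item's label before access is granted (the "strict and granular access controls" bullet), that the label travels with the content as a marking, and what label an aggregate of several items needs. This is an added example, not code from the course or the CISSP guide; the level names are the slide's, listed lowest to highest, while the dominance rule, the marking format and the "highest label wins" aggregation rule are my own assumptions for illustration.

```python
"""Classification schemes as ordered label lists, with access and marking checks."""
from typing import Sequence

# Schemes from the slides, ordered from least to most sensitive.
MILITARY = ("Unclassified", "Sensitive but unclassified", "Confidential",
            "Secret", "Top Secret")
COMMERCIAL = ("Public", "Sensitive", "Private", "Confidential")


def validate_scheme(scheme: Sequence[str]) -> tuple:
    """Reject schemes with blank or duplicate (overlapping) labels."""
    if not scheme:
        raise ValueError("a scheme needs at least one classification level")
    seen = set()
    for label in scheme:
        key = label.strip().lower()
        if not key:
            raise ValueError("blank classification label")
        if key in seen:
            raise ValueError(f"label {label!r} overlaps another level")
        seen.add(key)
    return tuple(scheme)


def level(scheme: Sequence[str], label: str) -> int:
    """Position of a label in the scheme (0 = lowest); unknown labels fail."""
    key = label.strip().lower()
    for i, name in enumerate(scheme):
        if name.lower() == key:
            return i
    raise ValueError(f"{label!r} is not a level of this scheme")


def can_access(scheme: Sequence[str], clearance: str, label: str) -> bool:
    """Assumed rule: a subject may read data only when their clearance is
    at or above the data's label in the scheme (no reading above clearance)."""
    return level(scheme, clearance) >= level(scheme, label)


def mark(scheme: Sequence[str], label: str, text: str) -> str:
    """Banner marking so the classification travels with the content.

    Validates the label first: marking with a label outside the scheme is
    exactly the kind of handling error a scheme is meant to prevent.
    """
    level(scheme, label)
    banner = f"[{label.upper()}]"
    return f"{banner}\n{text}\n{banner}"


def aggregate_label(scheme: Sequence[str], labels: Sequence[str]) -> str:
    """Assumed rule: a document built from several items needs the highest
    label among them, because the most sensitive piece sets the handling."""
    if not labels:
        raise ValueError("nothing to aggregate")
    return scheme[max(level(scheme, lab) for lab in labels)]


if __name__ == "__main__":
    validate_scheme(MILITARY)
    validate_scheme(COMMERCIAL)
    print(can_access(MILITARY, "Secret", "Confidential"))   # True
    print(can_access(MILITARY, "Confidential", "Secret"))   # False
    print(mark(COMMERCIAL, "Private", "Q3 salary review (constructed sample)"))
    print(aggregate_label(COMMERCIAL, ["Public", "Private", "Sensitive"]))
```

Keeping the scheme as one ordered tuple is what makes the "do not overlap" and "do not create too many classifications" guidance enforceable: every other function derives its behaviour from that single list, so adding or renaming a level happens in one place.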

Sep-23 INFO6010 55
•Data Classification Procedure Steps
• Define classification levels
• Criteria for how data is classified
• Data owner should classify under their responsibility
• Identify data custodian who will maintain data and security
• Indicate security controls or protection for each classification
• Document any exceptions
• Indicate process for transferring ownership to different custodian
• Define procedure for declassifying data
• Integrate in security awareness training program

Sep-23 INFO6010 56
Roles and Responsibilities
•Layers of Responsibility
• Everyone has responsibility
• Managers and users should have input into best practices,
procedures and chosen controls
• This ensures agreed upon security level is successfully
implemented and maintained
• Specific roles must be assigned such as;
• Data owner,
• Data Custodian,
• System Owner,
• Process Owner
• Security Administrator, and more (in the slides to follow…)

Sep-23 INFO6010 58
•Data Owner
• Member of management in charge of specific business unit
• Responsible for specific data subset
• Has due care responsibility to ensure data/information is not
corrupted, destroyed, improperly used or transmitted
• Responsible for appropriate security controls
• Responsible for defining appropriate classification, backup
requirements, approving access controls and approving any
disclosure
• Responsible for dealing with access violations

Sep-23 INFO6010 59
•Data Custodian
• Responsible for maintaining and protecting data/information
• Responsible for performing regular backups ensuring data is
available
• Responsible for retaining data access information
• Responsible for fulfilling company security requirements
assigned to data/information

Sep-23 INFO6010 60
•System Owner
• Responsible for one or more systems
• These systems process or hold data/information owned by
different individuals
• Responsible for system purchasing decisions
• Responsible for ensuring adequate access controls and
operating system configurations
• Ensures systems are properly assessed against any
vulnerabilities

Sep-23 INFO6010 61
•Process Owner
• Responsible for properly defining business processes
• Responsible for improving business processes
• Responsible for monitoring processes
• May not be tied to single business unit

Sep-23 INFO6010 62
•Application Owner
• Business unit managers
• Decide who can and cannot access their applications
• Responsible for security of application
• Ensures right control is in place for application
• Responsible for change control, patching and testing of
application

Sep-23 INFO6010 63
•Security Administrator
• Anyone with a root or administrative account to a system
• Ensures software is properly updated
• Responsible for day to day system management
• Ensures company policies are properly implemented at the
system level
• Ensures user access to data/information is done according to
security policy

Sep-23 INFO6010 64
•Security Analyst
• Higher, more strategic level
• Helps develop policies, standards and guidelines
• Works at the design level rather than the implementation level
•The Auditor
• Evaluates security controls within the company
• Performs internal and external evaluation
• Performs unbiased, independent and comprehensive evaluation
of company
• Using third party (outside company) ensures ‘unbiased’ review

Sep-23 INFO6010 65
•Change Control Analyst
• Responsible for approving and rejecting change control requests
• Must ensure changes will not introduce any vulnerabilities
• Ensures changes are properly tested and implemented
• Must understand how various changes impact the following
• Security
• Performance
• Productivity

Sep-23 INFO6010 66
•Data Analyst
• Ensures data is stored in a fashion that makes sense for the
company
• May design or architect a new system
• May advise in purchase of new product
• Works in conjunction with data owners

Sep-23 INFO6010 67
•Product Line Manager
• Responsible for explaining business requirements to vendors
• Evaluates different products in the market place
• Ensures vendor product and service meets company
requirements
• Ensures all licensing requirements are met
• Must understand company business drivers, advises business
units and management

Sep-23 INFO6010 68
•Supervisor
• Responsible for all user activity and assets created and owned
by these users
• Ensures employees understand their responsibilities
• Security policy
• Account information is accurate
• Take appropriate action when employee role changes
•Fired
•Suspended

Sep-23 INFO6010 69
•User
• Uses data for work-related task
• Must have required level of access
• Responsible for following procedural and operational
requirements to ensure confidentiality, integrity and availability of
data

Sep-23 INFO6010 70
•Solution Provider
• Works with business unit managers, data owners and senior
managers to develop and deploy a solution
• Helps reduce identified problems by offering solutions

Sep-23 INFO6010 71
•Board of Directors
• Elected individuals that oversee the fulfillment of the corporation
charter
• Usually a part time position
• Ensure shareholders’ interests are being protected
• Independent and unbiased
• Have direct authority over senior management
• Evaluate senior management performance reviews
• Can be held personally responsible for improper corporate
governance

Sep-23 INFO6010 72
•CEO – Chief Executive Officer
• Day-to-day management of entire organization
• Often Chairperson of the Board of Directors and is highest
ranking officer in company
• Oversees the company's finances, budget, strategic vision and business
plan
• Decides on partnerships with other vendors
• Decides how company will differentiate itself from its competitors

Sep-23 INFO6010 73
•CFO – Chief Financial Officer
• Day-to-day account and financial activities
• Responsible for overall financial structure
• Determines the company's current and future financial needs
• Maintains company capital structure
•Equity, Cash, Credit, Debt
• Oversees budget and financial performance metrics
• Responsible for filing financial statements to regulatory bodies

Sep-23 INFO6010 74
•CIO – Chief Information Officer
• Reports to CEO or CFO
• Responsible for information technology infrastructure
• Oversee day-to-day technology operations
• Security policy originating from CEO and CIO helps ensure it is
properly implemented

Sep-23 INFO6010 75
•CPO – Chief Privacy Officer
• Reports to Chief Security Officer
• Newer position
• Oversee appropriate handling and usage of data
• Familiar with outside regulations and market specific legal
requirements
• Usually an attorney by training

Sep-23 INFO6010 76
•CSO – Chief Security Officer
• Responsible for understanding company specific risks and
processes used to mitigate these risks
• Must understand business drivers
• Responsible for maintaining company Security Program
• Responsible for compliance with applicable regulations and laws
• Ensures Business is NOT interrupted in any way

Sep-23 INFO6010 77
•Under Sarbanes-Oxley legislation
• SOX – US law
• CEO and CFO have personal responsibility
• Can be fined or jailed if not following due care & due diligence
for their company

Sep-23 INFO6010 78
•IS Security Steering Committee
• Responsible for making tactical and strategic security decisions
• Committee members are individuals from different company
departments
• Is not part of any one business unit within company
• Senior management should be part of this committee
• Committee should meet on a regular basis with well defined
agenda
• Should have a clearly defined vision which falls in line with
company security program

Sep-23 INFO6010 79
•Appointed by the Board of Directors
•Evaluate company operations, perform internal audits and verify the
accuracy of financial reporting
•Responsible for integrity of company financial statements
•Company internal controls
•Verify company legal and regulatory compliance with
respect to ethical conduct

Sep-23 INFO6010 80
•Why So Many Roles?
•Company business processes are complex
• Not everyone is familiar with all processes and requirements
•A system administrator should not be making decisions
how to implement security and what assets to secure.
• This direction should be given by management
•A managerial position should not be implementing security
countermeasures.
• This should be done by qualified technical individuals

Sep-23 INFO6010 81
•Unfortunately people are the weakest link in the Security
chain
•Separation of duties and layers of responsibility ensure a
successful security program
•Appropriate level of training and transparency is required
for everyone to understand their responsibilities within the
company
•Clear structure and chain of command is required

Sep-23 INFO6010 82
•Clear duty descriptions ensure everyone understands their
role within the company
•Policies ensure everyone understands expected
behaviour.
• Clearly define acceptable and unacceptable behaviour including
reprimand
•Separation of Duties ensures there is no collusion
amongst employees
• Collusion – Two or more employees working together to cause a
destructive or fraudulent act against the company

Sep-23 INFO6010 83
•Management hierarchy must be in place
• Ensure everyone has a manager or supervisor scrutinizing their actions
and work performance
•Rotation of duty
• Tool to not only cross train employee in many different roles
• If an employee stays in a single position for too long they may become
complacent and have too much influence over a specific process
•Mandatory vacation
• Should be enforced for all employees
• Required for employee health
• Also tool for the company to detect fraud or destructive practices within
the company

Sep-23 INFO6010 84
•Appropriate screening should be completed before an
employee is hired to ensure the right person is hired for
the job
•Non Disclosure Agreement should be discussed and
signed by all employees before hiring
•Complete reference checks should be
completed including;
• Employment, criminal, education, professional credentials
• By completing a comprehensive background check you are
mitigating possible risk brought to company by the employee

Sep-23 INFO6010 85
•Appropriate Drug Testing should be performed
•Employment history
• Look for unexplained gaps
•Use a search engine to search the candidate's full name
•Review social websites like Facebook
•Typically it is harder to do background checks after the
individual is hired
• There must be legal ground for background checks after the fact

Sep-23 INFO6010 86
•Termination can occur for many reasons
•Company should have documented procedure
• This can mitigate lawsuits against the company
•Employee must surrender all company issued items
including security badges
•All user privileges should be revoked
•User accounts disabled
•Passwords must be changed

Sep-23 INFO6010 87
•Security requirements are established by management
through policies, standards and guidelines
•Training outlines expected behaviour and reinforces
common goals and sets appropriate expectations
• Everyone should be familiarized with expected behaviour and
action results based on policies, standards and guidelines
•Security can only be successful if everyone is informed
•Because everyone has different experiences and values,
formal training ensures employees are taught identical
curriculum

Sep-23 INFO6010 88
•Training is created for 3 types of audience
•Management
• Concerned with High Level Business Goals
•Staff
• Operational business processes and their results
•Technical Staff
• Concerned with operational implementation and monitoring of
processes

Sep-23 INFO6010 89
•Management
• Short and focused training
• Corporate Assets
• Financial Gains and Losses related with Security
• Negative Impact of Security Breach
• Explain Possible Threats and their Impact

Sep-23 INFO6010 90
•Mid-Management
• More in depth and detailed training
• Detailed explanation of policies, standards and guidelines
• Explain why security is important to their departments
• Explain their specific responsibility with enforcement
• Understand consequences of non compliance

Sep-23 INFO6010 91
•Staff
• Detailed training with many examples
• Outline acceptable and unacceptable behavior
• Outline why security is important with examples of
consequences when security is not enforced
• Explain in detail any reprimand or non compliance
consequences
• Use signed document (by each staff) confirming they’ve been
given training and understand consequences of non compliance
• This reinforces Policies, standards and Guidelines

Sep-23 INFO6010 92
•Tech Staff
• Training requirements which correspond to their daily tasks
• Detailed technical configurations
• Recognizing security breach or compromise situation
• Understand detailed incident handling procedures
• Understand incident reporting structure
• who they report to

Sep-23 INFO6010 93
•Risk management requires
• Risk analysis to identify assets, vulnerabilities and threats and
consequences
• ROI required to determine business case for safeguards
• Quantitative & qualitative
•Security policy is modular document
• Consists of standards, guidelines, procedures & baselines
•Information classification
• Determines level of protection and responsibility

Sep-23 INFO6010 94
•Compliance to regulations and policy
• CobiT, ITIL, ISO27000
•Responsibilities
• All employees have a role
• CEO, CFO to staff
•Security training
• Required to ensure success of security program

Sep-23 INFO6010 95
Info 6010 (Week 4)
Domain 3: Security Architecture and Engineering
Information Security Management (ISM)
Network Security and Architecture (NSA)
Fall 2023
Housekeeping…
•WELCOME TO WEEK 4!
• Sharing is caring! How are your courses going?
•First assignment has been released
• It is due in week 6 (after the first test) on October 11th.
• We will discuss the assignment right after the “Current Events”
•Test #1 is in week 5 (October 4th) during normal class time
• Test is online (remote) but requires RLDB and Respondus Monitor
•Thanks for the Week 3 posts!
• Three breakout groups shared their scenarios. All were fantastic!

Sep-23 INFO6010 3
News and Current Events…
• Watch your step: A new robot will police the NYC subway
• robot is part of a broader push to incorporate emerging technology into the
operations of the nation’s largest police department.
• BORN Ontario child registry data breach affects 3.4 million people
• Better Outcomes Registry & Network suffer ransomware attack
• Boeing is using Fortnite’s game engine to upgrade B-52s
• Gaming engine is helping Boeing to refit 60-year-old B-52. How will security
architecture play a role?
• What to See at Tech Tactics in Education 2023
• highlights offer the AI, data, and cybersecurity insights you need to navigate
today's evolving technology landscape.
• International Criminal Court attacked by cyber criminals
• Hackers access confidential data of lawyers, court staff, defendants, and
victims.

Sep-23 Info 6010 4


Quick Review: Domain #2
• What do you remember about Domain #2?
• What was the domain called?
• Asset ID and Classification, Data life cycle, data retention, ownership (roles)…

POP QUIZ – Domain 2:
Which term best describes the flow of data assets to an unauthorized external
party?
1. Data leakage
2. Data in motion
3. Data flow
4. Steganography

Data at rest is commonly
a) Using RESTful protocols for transmission
b) Stored in registers
c) Being transmitted across the network
d) Stored in external storage devices

Sep-23 Info 6010 5


Flashcard update!
• Which key words, terms, concepts, or ideas did you add to your
study notes (flashcard deck)?
• Some possibilities from last week include:
• Asset
• Classification (and categorization)
• Data Owner
• Data Destruction
• Data Custodian
• Purging
• Data (or asset) Lifecycle
• Retention Policy
• Privacy (and protecting it)
• Scoping
• Tailoring
• Data Remnants
• Data Security Controls
• Accountability
• Recovery
• Responsibility
• Any others you noted?

Sep-23 Info 6010 6


Assignment #1 – What to expect
• Scenario:
You are early in your career as an IT consultant working for a large consulting firm
that specializes in cybersecurity. Your client, a large manufacturing company that is
lacking a well-established IT department, has approached your consulting firm for
assistance with their information security methods, systems, and policies. The
company has recently secured a contract to manufacture exoskeletons for the
Canadian Armed Forces, but the contract depends on the client’s cybersecurity
posture. The client has faced cybersecurity challenges in the past, including a
recent cyberattack that briefly disrupted production and supply chain operations but
was thankfully thwarted by one of their IT employees.

Your bosses have put you on the team assigned to this client. Your role is to
conduct a comprehensive cybersecurity assessment of the manufacturing
company's operations. The manufacturing company recognizes its vulnerability to
cyber threats (given the recent attack) and seeks expert advice to strengthen its
security posture. The challenge is to provide effective recommendations and
solutions, considering the organization's unique challenges and limited IT
resources.

• How do you approach this scenario? What/which gaps do you see?

Sep-23 INFO6010 7
Questions from Assignment #1
Scenario questions:
1. How would you assess the manufacturing company's cybersecurity needs,
considering its limited IT resources and the recent cyber incidents it has
experienced?
2. What cybersecurity enhancements would you recommend to protect critical
assets, such as production systems and supply chain data, while staying within
the organization's tight budgetary constraints?
3. In what way would you assist the manufacturing company in the development of
a robust cybersecurity culture and awareness among its employees?
4. What strategies would you propose to ensure that cybersecurity improvements
align with the organization's business objectives and do not disrupt production
operations?
5. How will you measure the success of your cybersecurity recommendations and
ensure ongoing security monitoring and improvement?

• You will be put into small breakout groups for this exercise
• Have your microphone ready! Web cameras on if at all possible

1. Choose someone in your group to be the “scribe”
• This is the person who will share your work in the discussion forum
2. Together, and without using the internet or the textbook, brainstorm the
term “Security Architecture”
• Which words, concepts, phrases, ideas, examples, or systems did your
group identify as being connected to “Security Architecture”?
• NOTE: If your group gets really stuck, THEN you can use the internet 
3. Once your group has created a word list, post your work in the Week
4 Discussion Forum. Remember to include your names in the title!

Domain #3…

What is “Security Architecture & Engineering”?

“Computer systems analysis is like raising a child; you can do grievous
damage, but you cannot ensure success”
- Tom DeMarco
Domain #3: Security Architecture and Engineering (~14% of CISSP exam)
List of key topics (page 1 of 2):
• Engineering processes using secure Design Principles
• Includes Site and Facility Security design principles
• Assessing vulnerabilities in systems (physical and digital)
• Cryptography
• General Systems Architectures
• Security Models and Architectures
• Security evaluation models
• Fundamental concepts of security models
• Security models fundamental concepts
• Virtualized and cloud-based systems

Domain #3: SA&E
List of key topics (page 2 of 2):
• Security capabilities of information systems
• Security architectures, designs, and solution elements
vulnerabilities
• Web-based systems vulnerabilities
• Mobile systems vulnerabilities
• Embedded devices and cyber-physical systems vulnerabilities
• Industrial control systems
• Site and facility design secure principles
• Designing and implementing physical security (ex. CPTED)

In the first tutorial on Domain #3 (I call it “Part 1”), we’ll discuss:
•System architecture
• Computer Architecture
•System Security Architecture
•Trusted computing base and security mechanisms
•Information security software models
• Assurance evaluation criteria and ratings
•Certification and accreditation processes
•Systems Security
• Distributed systems security
•Cloud Computing

Part 2 (Week 6)
•Cryptography components and their relationships
•Steganography
•Public key infrastructure (PKI)

•Part 3 Will be covered later in the course


•Site and facility design considerations
•Physical security risks, threats, and countermeasures
•Electric power issues and countermeasures
•Fire prevention, detection, and suppression

• Plaintext
• Frequency Analysis
• Cryptanalysis
• Out-of-band
• Key (and Key Generation)
• Substitution/transposition Cipher
• Algorithm
• Block Mode Encryption
• Ciphertext
• Key Pair (Asymmetric Enc)
• Message Digest
• RNG
• Session Key
• Non-Repudiation
• Private Key & Public Key
• In Band
• Key Escrow
• Encoding and Encryption
• Decoding and Decryption
• Key Space
• Cryptography
• Hashes and hash function
• Collision
• Symmetric/Asymmetric Encryption
• CPTED

• Research, implement and manage engineering processes using secure
design principles
• Understand the fundamental concepts of security models (e.g., Biba, Star
Model, Bell-LaPadula)
• Select controls based upon systems security requirements
• Understand security capabilities of Information Systems (IS) (e.g., memory
protection, Trusted Platform Module (TPM), encryption/decryption)
• Assess and mitigate the vulnerabilities of security architectures, designs
and solution elements
• Select and determine cryptographic solutions
• Understand methods of cryptanalytic attacks
• Apply security principles to site and facility design
• Design site and facility security controls

Part 1: The basics

Systems Architecture
(key components of the architecture)
•Security is best if it is designed and built into the
foundation of anything we build and not added as an
afterthought. Once security is integrated as an important
part of the design, it has to be engineered, implemented,
tested, evaluated, and potentially certified and accredited.
•The security of a product must be evaluated against the
availability, integrity, and confidentiality it claims to provide.

• Architecture: Fundamental organization of a system embodied in its
components, their relationships to each other and to the environment, and
the principles guiding its design and evolution.
• Architecture description (AD): Collection of document types to convey an
architecture in a formal manner.
• Stakeholder: Individual, team, or organization (or classes thereof) with
interests in, or concerns relative to, a system.
• View: Representation of a whole system from the perspective of a related
set of concerns.
• Viewpoint: A specification of the conventions for constructing and using a
view. A template from which to develop individual views by establishing the
purposes and audience for a view and the techniques for its creation and
analysis.

•Computer architecture encompasses all of the parts of a
computer system that are necessary for it to function
• Operating system
• Memory chips
• Logic circuits
• Storage devices
• Input and output devices
• Networking component
• Data, memory and control buses

•CPU – central processing unit (the brain!)
•ALU – Arithmetic Logic Controllers (the executioner)
•Control Unit
•CPU Registers
•PSW – Program status word. Register holds condition bits
for 2 modes (User mode and Privilege mode)
•Bus
•Multiprocessing (more than one CPU)
•Memory
• Types include RAM, SRAM, SDRAM, EDO DRAM, BEDO DRAM, DDR SDRAM, ROM,
PROM, EPROM, Flash, Cache

•Memory Mapping (absolute and relative addresses)
•Buffer Overflows – Too much data!
•Operating Systems (processes, process states, process
isolation, and process scheduling)
•Memory Stack (stack pointer and return pointer)
•Threads
•Interrupts (both hardware and software interrupts)
•Memory Management (what is memory management?)
•Virtual Memory
•I/O Devices (either block devices or character devices)
•CPU Modes and Protection Rings

Memory Management
Goals of memory management:
•To provide an abstraction level for programmers
• Abstraction means the details are hidden
•Maximize performance with the limited amount of memory
available
•Protect the operating system and applications loaded into
memory

The FIVE responsibilities of memory manager are:
1. Relocation
2. Protection
3. Sharing
4. Logical Organization
5. Physical Organization

To make sure a process only interacts with its own memory segment, the CPU
uses two registers: the base register and the limit register. The base
register holds where the segment starts in physical memory, and the limit
register holds how large it is; every address the process uses is checked
against the limit and then added to the base.
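As an added illustration (not from the slides or the textbook), the Python below simulates a base/limit pair to show two of the five responsibilities at once: protection (an address at or past the limit faults) and relocation (moving the segment changes only the base, never the program's own addresses). The `Segment` class, the `probe` helper and the addresses used are constructed here and do not model any specific CPU.

```python
# Constructed simulation of base/limit register protection (not from the slides).
# A process addresses its segment as 0..limit-1; the hardware adds the base
# register to form the physical address and faults on anything outside that range.

class MemoryFault(Exception):
    """Raised when a logical address falls outside the process's segment."""


class Segment:
    """Base/limit pair loaded into the CPU when a process is scheduled."""

    def __init__(self, base: int, limit: int):
        self.base = base      # physical address where the segment starts
        self.limit = limit    # size of the segment in bytes

    def translate(self, logical: int) -> int:
        # Protection: reject addresses outside [0, limit) before touching memory
        if logical < 0 or logical >= self.limit:
            raise MemoryFault(f"address {logical:#x} outside limit {self.limit:#x}")
        # Relocation: physical address = base + logical address
        return self.base + logical

    def relocate(self, new_base: int) -> None:
        # Moving the segment only updates the base register; the program's
        # logical addresses stay the same, which is what makes relocation cheap
        self.base = new_base


def probe(seg: Segment, addresses) -> list:
    """Return (logical, physical) pairs, or (logical, 'FAULT') for rejected accesses."""
    out = []
    for a in addresses:
        try:
            out.append((a, seg.translate(a)))
        except MemoryFault:
            out.append((a, "FAULT"))
    return out


if __name__ == "__main__":
    seg = Segment(base=0x4000, limit=0x100)          # constructed values
    print(probe(seg, [0x0, 0xFF, 0x100, -1]))      # last two fault
    seg.relocate(0x9000)                            # segment moved in RAM
    print(probe(seg, [0x0, 0xFF]))                  # same logical, new physical
```

The fault path is the security-relevant part: a process that computes an out-of-range address (for example, through a buffer overflow) is stopped by the limit check rather than reaching another process's memory.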

•Secondary storage is nonvolatile storage
media
• Includes the computer’s hard drive, floppy disks, and CD-ROMs
•The OS uses hard drive secondary storage
space to extend its RAM space
• When a system fills up its RAM space it writes data from
memory onto the hard drive
•Swap space is the reserved hard drive space
used to extend RAM capabilities
• Windows systems use the pagefile.sys file to reserve this space
• When a program requests access to this data it is brought from
the hard drive back into memory in specific units called pages

CPU Modes and Protection Rings
•Protection rings provide strict boundaries and definitions
for what the processes within each ring can access and
what operations they can execute
•Processes that operate within the inner rings have more
privileges than the processes operating in the outer rings
•Inner rings only permit the most trusted components and
processes to operate within them
• Processes that execute within the inner rings are usually referred
to as privileged or supervisor mode
• Processes working in the outer rings are said to execute in user
mode

•Most commonly used architecture provides four protection
rings:
• Ring 0 Operating system kernel
• Ring 1 Remaining parts of the operating system
• Ring 2 I/O drivers and utilities
• Ring 3 Applications and user activity

More trusted processes operate within lower numbered rings.

OS Architecture
•A monolithic operating system architecture is commonly
referred to as “The Big Mess” because of its lack of
structure
• Operating system is mainly made up of various procedures that
can call upon each other in a haphazard manner
•Communication between the different modules is not
structured and controlled
•Data hiding is not provided
•MS-DOS is an example of a monolithic operating system

•A Layered operating system architecture separates
system functionality into hierarchical layers
•Called THE
• Technische Hogeschool Eindhoven multiprogramming system
• Has FIVE layers of functionality
•Processes at the different layers have interfaces to be used
by processes in layers below and above them.

•A monolithic operating system provides only one layer of
security
•With a Layered system each layer provides its own
security and access control
• Modularizing software (and its code) increases the assurance
level of the system
• If one module is compromised it does not mean all other
modules are now vulnerable
• Examples of layered operating systems include VAX/VMS,
Multics, and Unix

Virtualization and Virtual Machines
What is a VM?
•Original virtual machine was a 16 bit operating system
environment created by a 32 bit operating system
•Allowed 32 bit Windows NT to run older DOS applications
•Multiple 16 bit virtual machines could be running on one
host operating system
•Backwards compatibility was continued with the
introduction of 64 bit operating systems.

•Virtual machines can be used to consolidate the
workloads of several under-utilized servers to fewer
machines
•Related benefits
• Savings on hardware
• Under-utilized server (DHCP)
• Environmental costs
• Rack space, power consumption
• Management and administration
• Legacy applications can run in virtual machines

• Virtual machines can be used to provide secure, isolated
sandboxes for running untrusted applications
• Virtualization is an important concept in building secure computing
platforms
• Virtual machines can be used to run multiple and different
operating systems simultaneously
• Virtualization can make tasks such as system migration, backup,
and recovery easier
• Virtual machines can provide the illusion of hardware
• Sometimes hardware that you do not have (SCSI devices, floppy drives or multiple
processors)
• Virtualization can also be used to simulate networks of
independent computers

• Virtual machines allow for testing, debugging and
performance monitoring
•Virtual machines can isolate what they run and provide
fault and error containment
• You can inject faults proactively into software to study its
subsequent behaviour
•Virtual machines are great tools for research and
academic experiments
•Since they provide isolation, they are safer to work with

Security Models
What is a Security Model?
Essentially there are 2 types of security models: lattice-based
or rule-based
• a lattice-based model is a layer-based model. It requires
layers of security to address the requirements.
• Only two lattice-based models (Bell LaPadula and Biba)
• All other models are rule-based models
• specific rules dictate how security operates

Bell-LaPadula Model
• Developed in the 1970s by the US military
• They were concerned about the security of their systems and
leakage of classified information
• The Bell-LaPadula model is a state machine model that enforces
the confidentiality aspects of access control
• A system that employs the Bell-LaPadula model is called a
multilevel security system
• Users with different clearances use the system
• System processes data with different classifications
• Level at which information is classified determines the handling
procedures
• Three main rules are used and enforced in the Bell-LaPadula
model: Simple Security, Star Property, and Strong Star Property

Biba Model
• Developed after the Bell-LaPadula model
• It’s a state machine model and is very similar to the Bell-LaPadula model
• The Biba model is not concerned with security levels and
confidentiality, so it uses a lattice of integrity levels
• Biba prevents data from any integrity level from flowing to a higher
integrity level

Biba has three main rules to provide this type of protection:
• *-integrity axiom
• Simple integrity axiom
• Invocation property
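To make the two models concrete, here is an added Python example (written for these notes, not taken from the textbook or the CISSP material) that encodes the three Bell-LaPadula rules and the three Biba rules over one small lattice. The level names, and the choice to reuse the same four rungs for both sensitivity and integrity, are assumptions made for brevity; real systems keep separate integrity levels.

```python
# Constructed example (not from the slides): Bell-LaPadula and Biba rules over a
# four-level lattice. Level names are illustrative only.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a: str, b: str) -> bool:
    """True if level a is at or above level b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


# --- Bell-LaPadula: protects confidentiality -------------------------------
def blp_can_read(subject_clearance: str, object_class: str) -> bool:
    # Simple security property: no read up
    return dominates(subject_clearance, object_class)


def blp_can_write(subject_clearance: str, object_class: str) -> bool:
    # *-property (star property): no write down
    return dominates(object_class, subject_clearance)


def blp_strong_star_write(subject_clearance: str, object_class: str) -> bool:
    # Strong *-property: write only at the subject's own level
    return subject_clearance == object_class


# --- Biba: protects integrity; each rule is the mirror image of a BLP rule ---
def biba_can_read(subject_integrity: str, object_integrity: str) -> bool:
    # Simple integrity axiom: no read down (don't trust lower-integrity data)
    return dominates(object_integrity, subject_integrity)


def biba_can_write(subject_integrity: str, object_integrity: str) -> bool:
    # *-integrity axiom: no write up (don't contaminate higher-integrity data)
    return dominates(subject_integrity, object_integrity)


def biba_can_invoke(caller_integrity: str, callee_integrity: str) -> bool:
    # Invocation property: a subject may not invoke a higher-integrity subject
    return dominates(caller_integrity, callee_integrity)


def decision_table(subject_level: str) -> dict:
    """For each object level: (BLP read, BLP write, Biba read, Biba write)."""
    rows = {}
    for obj in LEVELS:
        rows[obj] = (blp_can_read(subject_level, obj),
                     blp_can_write(subject_level, obj),
                     biba_can_read(subject_level, obj),
                     biba_can_write(subject_level, obj))
    return rows


if __name__ == "__main__":
    print("subject at 'secret'")
    for obj, (br, bw, ir, iw) in decision_table("secret").items():
        print(f"  {obj:13} BLP read={br!s:5} write={bw!s:5} | "
              f"Biba read={ir!s:5} write={iw!s:5}")
```

Reading the table for a `secret` subject shows the usual exam point: Bell-LaPadula lets it write to `top_secret` but not read it, while Biba does the opposite, because one model stops leaks downward and the other stops contamination upward.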

Clark-Wilson Model
•Was developed after Biba and takes some different
approaches to protecting the integrity of information
•Separates data into subsets
• Highly protected data is referred to as a constrained data item (CDI)
• Data that does not require a high level of protection is called an
unconstrained data item (UDI)
• Users cannot modify critical data (CDI) directly
•Clark Wilson model uses the following elements:
• Users, Transformation procedures (TPs), Constrained data items
(CDIs), Unconstrained data items (UDIs), and Integrity verification
procedures (IVPs)
• This model also outlines how to incorporate separation of duties
into the architecture of an application
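The following Python is an added example for these notes (not code from the textbook or any Clark-Wilson implementation) showing how the five elements fit together on a toy ledger: account balances are CDIs, a raw deposit request is a UDI, `tp_deposit` and `tp_transfer` are the certified TPs, the access triples say which user may run which TP on which CDI, and `ivp` verifies that money is neither created nor destroyed. The user names, accounts and amounts are constructed.

```python
# Constructed Clark-Wilson example (not from the slides).
# CDIs = account balances plus a running ledger total
# UDI  = an untrusted deposit request that a TP must validate before use
# TPs  = certified procedures, the only way a CDI may change
# IVP  = integrity verification: balances non-negative and summing to the total

class IntegrityError(Exception):
    """Raised for uncertified TPs, missing triples, bad UDIs or a failed IVP."""


def tp_deposit(cdis, account, udi):
    # UDI -> CDI conversion: validate the untrusted input before it touches a CDI
    if not isinstance(udi, int) or udi <= 0:
        raise IntegrityError(f"rejected UDI {udi!r}")
    cdis[account] += udi
    cdis["ledger_total"] += udi        # keep the invariant the IVP checks


def tp_transfer(cdis, src, dst, amount):
    # Moves value between two CDIs without creating or destroying any
    if cdis[src] < amount:
        raise IntegrityError("insufficient funds")
    cdis[src] -= amount
    cdis[dst] += amount


class ClarkWilson:
    def __init__(self, accounts):
        self.cdis = dict(accounts)
        self.cdis["ledger_total"] = sum(accounts.values())
        self.tps = {}          # certified TPs: name -> function
        self.triples = set()   # (user, TP, CDI) access triples
        self.log = []          # audit trail: every TP execution is recorded

    def certify_tp(self, name, func):
        self.tps[name] = func

    def authorize(self, user, tp, cdi):
        self.triples.add((user, tp, cdi))

    def ivp(self):
        balances = {k: v for k, v in self.cdis.items() if k != "ledger_total"}
        return (all(v >= 0 for v in balances.values())
                and sum(balances.values()) == self.cdis["ledger_total"])

    def run(self, user, tp, cdi_names, *args):
        # Enforcement: only certified TPs, and only through a matching triple
        if tp not in self.tps:
            raise IntegrityError(f"{tp} is not a certified TP")
        for cdi in cdi_names:
            if (user, tp, cdi) not in self.triples:
                raise IntegrityError(f"{user} may not run {tp} on {cdi}")
        self.tps[tp](self.cdis, *cdi_names, *args)
        self.log.append((user, tp, cdi_names, args))
        if not self.ivp():
            raise IntegrityError(f"IVP failed after {tp}")


def demo():
    """Balances after two valid TPs, outcomes of three bad requests, final IVP."""
    cw = ClarkWilson({"acct_a": 100, "acct_b": 0})
    cw.certify_tp("deposit", tp_deposit)
    cw.certify_tp("transfer", tp_transfer)
    # Separation of duties lives in the triples: tellers deposit, managers move funds
    cw.authorize("teller", "deposit", "acct_a")
    cw.authorize("manager", "transfer", "acct_a")
    cw.authorize("manager", "transfer", "acct_b")

    results = []
    cw.run("teller", "deposit", ("acct_a",), 50)
    results.append(cw.cdis["acct_a"])                        # 150
    cw.run("manager", "transfer", ("acct_a", "acct_b"), 30)
    results.append((cw.cdis["acct_a"], cw.cdis["acct_b"]))   # (120, 30)
    attempts = [
        ("teller", "transfer", ("acct_a", "acct_b"), 10),    # no triple for teller
        ("teller", "deposit", ("acct_a",), "1000000"),       # string UDI is rejected
        ("manager", "transfer", ("acct_a", "acct_b"), 500),  # would go negative
    ]
    for user, tp, names, arg in attempts:
        try:
            cw.run(user, tp, names, arg)
            results.append("allowed")
        except IntegrityError:
            results.append("denied")
    results.append(cw.ivp())
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the user never touches `cdis` directly; every change goes through a certified TP, and the triples are where the separation-of-duties rule from the last bullet is expressed.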

Chinese Wall Model
•Also called the Chinese Wall model, it was created to
provide access controls that can change dynamically
depending upon a user’s previous actions
• The main goal of the model is to protect against conflicts of
interest by users’ access attempts
•User A works on confidential files in directory Z
• User A should not have access to files in Directory X
• If user A does get read access to directory X it cannot write to
directory Z

Graham-Denning Model
•Addresses and defines a set of basic rights in terms of
commands that a specific subject can execute on an
object
• These things may sound insignificant but when you’re building a
secure system, they are critical!
•Has 3 parts:
• Set of objects (O), a set of subjects (S), and a set of rights (R)
•This model is primarily concerned with
how subjects and objects are created,
how subjects are assigned rights/privilege, and
how ownership of objects is managed

•This model has eight primitive protection rights (or
rules) of how these types of functionalities should take
place securely:
1. How to securely create an object
2. How to securely create a subject
3. How to securely delete an object
4. How to securely delete a subject
5. How to securely provide the read access right
6. How to securely provide the grant access right
7. How to securely provide the delete access right
8. How to securely provide transfer access rights

Harrison-Ruzzo-Ullman Model
• Also called the HRU Security Model
• Named after its three authors, Michael A. Harrison,
Walter L. Ruzzo and Jeffrey D. Ullman.
• It is an operating system level computer security model,
which deals with the integrity of access rights in the system.
• It is an extension of the Graham-Denning model, based
around the idea of a finite set of procedures being available
to edit the access rights of a subject on an object.
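Both the Graham-Denning slide and the HRU slide describe operations on an access matrix of subjects, objects and rights. The Python below is an added example for these notes (not from the textbook or any real operating system) implementing the eight Graham-Denning primitives on such a matrix; the convention that "owner" and "control" are stored as ordinary rights, that a trailing "*" marks a transferable right, and the `bootstrap` helper are assumptions made for this illustration. HRU's contribution is to let arbitrary commands combine these primitives behind a condition, which is what makes the general safety question hard; the fixed set below is the Graham-Denning starting point.

```python
# Constructed access-control matrix with the eight Graham-Denning primitives.
# Not from the slides. "owner"/"control" are rights like any other; "r*" means
# the holder may transfer right r to others.

class ProtectionError(Exception):
    """Raised when a subject lacks the right an operation requires."""


class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.cells = {}          # (subject, object) -> set of rights

    def rights(self, s, o):
        return self.cells.get((s, o), set())

    def _add(self, s, o, right):
        self.cells.setdefault((s, o), set()).add(right)

    def _require(self, cond, msg):
        if not cond:
            raise ProtectionError(msg)

    def bootstrap(self, s):
        # Assumed helper: the first subject controls itself so the system can start
        self.subjects.add(s); self.objects.add(s); self._add(s, s, "control")

    # 1. create object: the creator becomes its owner
    def create_object(self, s, o):
        self._require(s in self.subjects and o not in self.objects, "bad create_object")
        self.objects.add(o); self._add(s, o, "owner")

    # 2. create subject: the creator controls the new subject (also an object)
    def create_subject(self, s, new):
        self._require(s in self.subjects and new not in self.objects, "bad create_subject")
        self.subjects.add(new); self.objects.add(new); self._add(s, new, "control")

    # 3. delete object: only its owner may delete it; all rights on it vanish
    def delete_object(self, s, o):
        self._require("owner" in self.rights(s, o), f"{s} does not own {o}")
        self.objects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}

    # 4. delete subject: only its controller may delete it
    def delete_subject(self, s, victim):
        self._require("control" in self.rights(s, victim), f"{s} does not control {victim}")
        self.subjects.discard(victim); self.objects.discard(victim)
        self.cells = {k: v for k, v in self.cells.items() if victim not in k}

    # 5. read access right: allowed to the owner of o or the controller of x
    def read_right(self, s, x, o):
        self._require("owner" in self.rights(s, o) or "control" in self.rights(s, x),
                      f"{s} may not read rights of {x} on {o}")
        return set(self.rights(x, o))

    # 6. grant access right: the owner of o may give any right on o to x
    def grant_right(self, s, x, o, r):
        self._require("owner" in self.rights(s, o), f"{s} does not own {o}")
        self._add(x, o, r)

    # 7. delete access right: the owner of o or the controller of x may revoke
    def delete_right(self, s, x, o, r):
        self._require("owner" in self.rights(s, o) or "control" in self.rights(s, x),
                      f"{s} may not revoke rights of {x} on {o}")
        self.cells.get((x, o), set()).discard(r)

    # 8. transfer access right: a holder of r* on o may pass r (or r*) to x
    def transfer_right(self, s, x, o, r, copyable=False):
        self._require(r + "*" in self.rights(s, o), f"{s} cannot transfer {r} on {o}")
        self._add(x, o, r + "*" if copyable else r)


if __name__ == "__main__":
    m = AccessMatrix()
    m.bootstrap("alice")
    m.create_object("alice", "file1")
    m.create_subject("alice", "bob")
    m.grant_right("alice", "bob", "file1", "read*")   # bob may pass read on
    m.create_subject("alice", "carol")
    m.transfer_right("bob", "carol", "file1", "read") # carol gets plain read
    print(m.read_right("alice", "carol", "file1"))    # {'read'}
```

Every operation checks the matrix before changing it, which is the security property the model is about: rights can only move along paths the owner or controller has sanctioned.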

• You will be put into small breakout groups for this exercise
• Have your microphone ready! Web cameras on if at all possible

1. Choose someone in your group to be the “scribe”
• This is the person who will share your work in the discussion forum
2. Your group will review and discuss the Security Models
we just covered in this lesson.
• Which model interests you the most? Why? It’s OK if your group does
not agree on this! Just note the various comments made (anonymized).
3. Once your group has finished this discussion, please post your work
in the Week 4 Discussion Forum. Remember to include your names
in the title!

System Evaluation Models/Methods
•There have been different methods of evaluating and
assigning assurance levels to systems. Methods and
ideologies have evolved over time.
•Now there is a framework known as the Common Criteria
which is the only one of global significance.
•First version was in 1993
•Also called ISO 15408
•The most used/popular of the evaluation criteria systems.

Seven Evaluation Assurance Levels (EAL)
•EAL1 – Functionally tested
•EAL2 – Structurally tested
•EAL3 – Methodically tested and checked
•EAL4 – Methodically designed, tested, and reviewed
•EAL5 – Semi formally designed and tested
•EAL6 – Semi formally verified design and tested
•EAL7 – Formally verified design and tested

•Certification is the comprehensive technical evaluation of
the security components and their compliance for the
purpose of accreditation
•A company that specializes in certification will perform the
necessary procedures to certify the systems
• An evaluation team will perform tests on the software
configurations, hardware, firmware, design, implementation,
system procedures, and physical and communication controls
•Accreditation is the formal acceptance of the adequacy
of a system’s overall security and functionality by
management

•Open Systems - built upon standards, protocols, and
interfaces that have published specifications
•Closed Systems – proprietary, does not follow standards
•Client based Systems – installed locally on the PC
• (no network required)
•Client-Server Systems – application needs server access
•Distributed Systems - components are located on different
networked computers
•Cloud-Based Systems - network based computing that
takes place over the Internet
•Cyber-Physical Systems

Summary: Expect to be tested on…
The CISSP exam will test the following areas:
• System architecture
• Operating system and hardware
• CPU, registers, RAM, ROM interrupts & I/O functions
• Information security software models
• Bell-LaPadula, Biba, etc.
• Trusted computing base and security mechanisms
• Assurance evaluation criteria and ratings
• Certification and accreditation processes
• Distributed systems security

Homework
•Review your notes from today’s lesson and update your
personal flashcard deck with any new terms, etc.

•Strategically read Chapter 3 of the course textbook (8th Ed)
• If you have the 9th Ed, please read chapters 7 and 10

Next week is our first test
1. Read the question carefully – maybe even more than once to be sure
2. Budget your time wisely – which questions are worth more marks?
3. If a question is worth 4 marks, make sure you make at least 4 separate
points.
4. Try not to second-guess your answers!

Details on Test #1
• Covers all of the material (tutorial lessons, slides, textbook)
from Domains 1, 2, and part of 3
• Domain 1: Security and Risk Management
• Domain 2: Asset Management
• Domain 3: Security Architecture and Engineering (not crypto)

• Out of 90 marks. You will have 120 minutes to complete the test
• Mix of question types (M/C, T/F) (No Short/Long answer )
• NOT OPEN BOOK
• Test is taken remotely, but you must start at 12:00pm Eastern
• If you don’t start by 12:15pm you will receive a zero grade
• Must use a laptop with Respondus LDB and Respondus Monitor
• Password will be provided in an FOL announcement prior to test
Studying for Test #1
• Study in groups (if you can). Discuss/share your flashcards
• Create your own test questions (stump your friends!)
• Maybe even make it a contest! 

• Use the chapter summaries and chapter questions. Your test
questions will be similar
• Make sure you dedicate time to study. How long do you need?
• Do not rely solely on the slides
• Email/Ask me if you have any questions that arise while studying