
Welcome to this course taught by Thor Pedersen. Thor is an experienced instructor with extensive work experience in IT, cybersecurity, and project management, and he holds the CISSP, CISM, CC, CDPSE, CCNP, CCNA, and PMP certifications. His courses on Udemy are best-selling and highest rated, and he has helped thousands of students pass their exams over the years. In this course, Thor will provide you with the knowledge and skills you need to succeed on your certification exam. He is eager to connect with you and help you along the way, and you can reach out to him through his LinkedIn profile (linkedin.thorteaches.com) or by joining his Facebook group (fb.thorteaches.com). You can also watch some of his free videos on YouTube (youtube.thorteaches.com). Don't wait any longer - let Thor help you achieve your certification goals.
In this lesson, we will be discussing various tips and tricks for getting the most out of my courses. First, I will introduce the concept of the "little elephant," which indicates that a particular topic is particularly important. Next, we will discuss the use of ",..." in lists, which indicates that the list is not exhaustive. I will also explain the use of bold text to indicate keywords. Additionally, we will take a look at the Udemy interface and its various features, including the ability to pause, play, rewind, and fast forward lectures, as well as the option to change the speed of the lecture to better match your preference. We will also discuss the availability of professionally done subtitles in English, as well as autogenerated subtitles in other languages. Finally, we will explore the option to add your own notes, access a question and answer section, view educational announcements, and receive a certificate of completion upon completing the course.
In this lecture, we introduce CISM Domain 3: Information Security Program Development and Management, which now accounts for 33% of the entire curriculum in the 2022 exam changes. You can expect around 50 questions primarily from this domain, reflecting the shift towards a more tactical and technical focus. This video course covers more content than the official book, as ISACA recognizes that candidates come from diverse backgrounds and may require additional resources. ISACA provides a list of 17 recommended books and publications for Domain 3, acknowledging that their official book is not comprehensive enough on its own. Domain 3 covers topics such as the information lifecycle, secure design, DevOps, DevSecOps, patch management, security assessments, access control, cryptography, the software development lifecycle, project management, physical security, and redundancy and resiliency. This content is expected to be tested on the current 2022 version of the exam until the next update in 2027, as ISACA typically follows a 5-year update cycle.
In this lecture, we will discuss the various stages of the information lifecycle, including data acquisition, data use, data archiving, and data disposal. We will explore how data is acquired, either through copying or creation, and the importance of formatting, timestamps, permissions, and encryption in ensuring data security and accessibility. We will also distinguish between data archiving and data backup and discuss the process of data disposal, including destruction methods like disk overwriting and shredding. This lecture stays at a high level; each of these topics is explored in depth later on.
In this lecture, we will discuss secure design principles and go over some topics that were touched on previously in the course as a refresher. We will also cover new topics such as Least Privilege, where employees are only given the access they need and a specific process is in place for granting additional access, and Separation of Duties, where different people handle different parts of a process to reduce the chance of fraud. We will also cover Defense in Depth, also known as Layered Defense, which involves implementing multiple overlapping security measures to protect a specific asset, and Secure Defaults, where defaults are set to be as secure as possible out of the box. Through these topics, we will improve our organization's confidentiality, integrity, and availability.

We will be discussing various types of threat modeling that you might encounter on the exam. First, we will discuss PASTA (Process for Attack Simulation and Threat Analysis), a seven-step process that aligns business objectives with technical requirements. The PASTA model gives us an attacker-centric view of our applications and infrastructure, which we can then use to develop an asset-centric mitigation strategy. Next, we will talk about STRIDE, which stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service (DoS), and Elevation of privilege. It is often used to assess threats against applications or operating systems, and it can help answer the question "What could possibly go wrong with this system?" Lastly, we will discuss Trike, which is based on a requirements model, where stakeholders define the acceptable levels of risk for each asset and a threat model is created in which threats are enumerated and assigned risk values.
In this lecture, we will be discussing Secure System Design Concepts, specifically the concept of layering. Layering is the process of separating hardware functionality into logical or physical layers, so that each layer can only interact with the layers that are directly adjacent to it. This concept is demonstrated in the model on the right, where if we change a hard disk, it may influence the kernel and the drivers, but it should not affect the operating system or the applications. This method of layering provides abstraction and hides unnecessary details from the user, making the experience seamless. Additionally, we will also be discussing security domains, which function like security clearance and only allow certain objects and subjects access to certain areas of the system. We will also be talking about open and closed systems, with open systems using open standards and standard components from multiple vendors, making them more secure than closed systems which use proprietary software and hardware.
In this lecture, we will discuss the importance of asset tracking and hardware hardening in protecting an organization's technology assets. Asset tracking involves keeping an accurate log of all hardware and software assets, including their location and serial numbers. This information is crucial for protecting assets, as it allows for the appropriate protection to be applied to each piece of hardware. The tracking system also allows for the remote wiping of lost or stolen devices, and can alert the organization when they need to order more hardware. Hardware hardening involves securing and configuring hardware before it is put into use, including deleting default accounts, applying patches, and blocking unnecessary ports. The process of hardening should be automated wherever possible to ensure that all necessary steps are taken to secure the device. It is important to not only focus on servers, but also on workstations and wireless access points, which are often overlooked in terms of security.
In this lecture, we will discuss DevOps and DevSecOps. We will look at the traditional organization structure where most things are siloed off from each other, including software development, quality assurance, and operations teams. We will examine how this structure can lead to long development times and inadequate results. We will then delve into DevOps, where we bring these teams together and use an agile approach, as well as CI/CD, to improve cooperation and efficiency. Additionally, we will cover the importance of adding security into the DevOps process and how to incorporate it throughout the entire process with DevSecOps.
In this lecture, we will discuss Configuration Management and its role as a preventative control in making our environments more secure. We will talk about the importance of closing all open ports, disabling unnecessary accounts and services, and applying patches on new systems as they are often completely open by default. We will also cover the concept of server hardening and the importance of having a formalized process to prevent security issues. We will explore the use of OS images for ease of administration and security, as well as the practice of vulnerability scanning before putting a new server into production. Additionally, we will discuss the concept of least privilege and how it applies to configuration management for all devices, not just servers.
In this lecture, we will discuss Patch Management and the importance of regularly patching the devices on our network to keep them secure. We will look at the Equifax breach as an example of how not applying a patch can lead to a security breach. We will also discuss the concept of corrective controls and how patching and patch management are a form of this control. We will discuss the importance of testing patches in a test environment and going through change management before applying patches to our systems. We will also look at common reasons why organizations do not patch their systems and the potential consequences of not patching.
In this lecture, we will discuss Change Management, a formalized process in which we handle changes in our environment. We will touch on how it relates to configuration and patch management, and how we go through a formalized process to justify the why, where, when, and how of any changes we want to make. We will also examine how change management is similar to project management, and how change management can encompass a wide range of things such as patches, updates, new servers, and configuration changes. We will look at the role of the change review board, made up of both IT and operational units, in approving or rejecting changes, as well as the use of sub-boards for specialized changes. Additionally, we will discuss the importance of clearly articulating the reason for applying a change, and the potential risks and benefits of implementing or not implementing it. Lastly, we will explore different frameworks and models for change management and how to determine which one is best for an organization.
In this lecture, we will be discussing evaluation models, accreditation, certification, and system security procedures. We will cover how to determine the best solution for your organization, including which is the easiest to use, cheapest, and most efficient for your environment. We will also discuss the Orange Book and the Red Book from the Rainbow Series, which are the foundation for most evaluation models used today. We will also discuss ITSEC and the International Common Criteria (ISO/IEC 15408), including the concept of a Target of Evaluation (TOE) and Protection Profiles, as well as Evaluation Assurance Levels (EALs) which range from level one to seven, with the higher levels being more rigorous in testing. It is important to have a basic understanding of these concepts, but memorizing all the details is not necessary.
In this lecture, we will discuss security assessments, which are broad-scope evaluations of the effectiveness of access controls within an organization. Security assessments can cover multiple areas of an organization and have multiple parts that provide a high-level understanding of the organization's security posture and areas for improvement. We will also look at the importance of having clear policies and procedures in place and training employees to raise their awareness about security measures. Additionally, we will talk about the balance between being secure enough for the organization's needs and minimizing intrusion in employees' daily lives. We will also cover topics such as change management, architectural reviews, penetration testing, and vulnerability assessments as part of security assessments.
In this lecture, we will discuss security audits and their role in security assessments. We will explore how security audits involve testing an environment against a published standard, such as PCI-DSS and HIPAA, which are commonly used in the finance and healthcare industries. We will also discuss the different types of audits, including internal and external, and the importance of being compliant with these standards in order to avoid fines and penalties. Additionally, we will cover the SOC 1, 2, and 3 standards and the role of external auditors in providing knowledge transfer and helping organizations improve their security posture.
In this lecture, we will discuss Security Audit Logs. One of the easiest ways to ensure that our access control mechanisms are working is to review the Security Audit Logs. We will talk about the different types of access control mechanisms such as Least Privilege, Role-Based Access Control, and Attribute-Based Access Control and how they are used in organizations. We will also look at the importance of reviewing logs and the consequences of accessing data without a need-to-know. We will discuss the importance of logging for network security hardware and software, operating systems, and Centralized Logging. Additionally, we will discuss the use of hybrid systems for logging and the importance of having a secure and automated central logging server with limited access for administrators.
In this lecture, we will discuss vulnerability scanning and testing tools. We will talk about how they are used in security assessments and how they work by accessing a network and scanning systems for common vulnerabilities using a predefined list. We will also discuss the importance of being specific on which network and vulnerabilities we are looking for, as well as going through proper change control before running a scan. Additionally, we will go over the different levels of vulnerabilities and the recommended fixes provided by the scanners, and finish by looking at an example of a Nessus scan.
In this lecture, we will discuss penetration testing, also referred to as pen testing, ethical hacking, or white hat hacking. We will explore the process of hiring a company to perform penetration testing on our company, or in larger organizations, having someone internal perform the testing. We will look at how a penetration tester's job is to see if our vulnerabilities are exploitable, and how vulnerability × threat = risk. Additionally, we will discuss the importance of having a clearly defined statement of work, including what IP ranges can be attacked, what tools can be used, and what the tester is allowed and not allowed to do on our systems. We will also touch on the importance of senior management and legal department involvement and the fact that penetration testers are there to find vulnerabilities and make recommendations on how to fix them, not to fix them themselves.
In this lecture, we will finish up discussing penetration testing by examining various tools, attacks, and ethical considerations. We will begin by looking at war dialing, which is an outdated method of using a modem to search for answering modem carrier tones in order to access an answering system. Next, we will examine the more commonly used technique of war driving or access point mapping, where a penetration tester or attacker attempts to map access points by driving or walking around a targeted area. We will also delve into network attacks, which can be either client-side or server-side. The former occurs when a client visits a malicious website and receives a malicious payload, while the latter occurs when the attack is initiated from a server controlled by the attacker. Lastly, we will discuss web application attacks and the importance of having a strong security posture for all applications and devices, as well as conducting due diligence before implementing new web applications. We will also briefly touch on wireless tests and the importance of hardening access points by removing unnecessary ports and updating firmware.
In this lecture, we will discuss Social Engineering and how it can be used by penetration testers to exploit the weakest link in an organization's security, which is often its users. We will explore how social engineering attacks rely on manipulating human behavior and emotions to bypass security controls and gain access to sensitive information. We will also look at different social engineering techniques, such as Authority, Intimidation, and Consensus, and how they can be used to trick people into giving away their login credentials or other sensitive information. By understanding the power of social engineering and how it can be used by attackers, we can better prepare ourselves and our organizations to defend against these types of attacks.
In this lecture, we will discuss maturity models in software development. We will look at the CMM (Capability Maturity Model) which is a way to measure the formality and optimization of our processes. The CMM uses 5 levels, ranging from level 1 (initial, ad hoc, and undocumented processes) to level 5 (optimizing, well-defined processes with proven effectiveness). We will also explore how these levels correspond to the development of a process, from an unstable, chaotic environment to a sustainable, optimized one.
In this lecture, we finish up the Software Assurance Maturity Model (SAMM). SAMM consists of five pillars: Governance, Design, Implementation, Verification, and Operations, each with three categories and two subgroups. Organizations can measure their maturity level in each subgroup, allowing for customization based on their specific needs and goals. SAMM helps organizations determine their current maturity level, set targets, and create a roadmap for improvement. The model emphasizes slow, iterative changes tailored to the organization's risk profile and the importance of prescriptive guidance accessible to non-security personnel. The lecture also covers various types of software testing, including acceptance testing, user acceptance testing, operational acceptance testing, contract acceptance testing, compliance acceptance testing, and compatibility/production testing. These tests ensure that the software meets functional, security, and compliance requirements and performs as expected in the production environment. The lecture concludes with a cautionary tale about the importance of designing software for the specific environment in which it will be used, to avoid vulnerabilities introduced by quick fixes.
In this lecture, we will discuss Access Control and the IAAA model. We will start with a quick overview of the importance of internal policies and procedures, as well as industry standards, in determining access control. We will then delve into the different types of access control: mandatory, discretionary, role-based, and attribute-based access control, and how they can be used to determine who gets access to what. We will also look at the importance of implementing access control in multiple layers of defense and how the IAAA model (identification, authentication, authorization, and accountability) can be used to ensure proper security for employees. We will specifically focus on the importance of multifactor authentication and the dangers of using group logins.
In this lesson, we will be discussing Access Control, including the categories of Administrative or Directive Controls, Technical Controls, and Physical Controls. We will also explore the different types of Access Control, including preventative, detective, corrective, recoverable, deterrent, and compensating measures. We will discuss the importance of training and awareness in the Administrative category, as well as the various technical and physical measures used for Access Control. It is important to carefully read and understand the question and answer options in order to accurately identify the type of Access Control being discussed.
In this lecture, we will be discussing the concept of IAAA: Identification, Authentication, Authorization, and Accountability in the context of security systems. We will cover the basics of each aspect, including identification methods such as names, usernames, and ID numbers, and authentication methods including knowledge factors (something you know) such as passwords and possession factors (something you have) such as ID cards or smart cards. We will also discuss biometrics as a unique form of authentication that cannot be reissued once compromised. We will delve further into these topics later in the course.
In this lesson, we will discuss the concepts of least privilege, need to know, and Non-repudiation in Information Security. We will look at least privilege as the practice of giving users the absolute minimum access they need to do their job. We will talk about how this is a form of Mandatory Access Control and how, if a user needs access to something they don't have access to, they need to justify why they need it. We will also discuss need to know and how it's related to Discretionary Access Control, where users only have access to what they need and need to have a valid reason for accessing it. Additionally, we will also talk about Non-repudiation and how it relates to accountability and auditing of user access to data. We will also touch on the concepts of subjects and objects in Information Security and how they play a role in the exam and in the industry.
In this lecture, we will discuss Type 1 Authentication, also known as something you know or a knowledge factor. We will focus on the weaknesses of knowledge-based authentication and how passwords, being the most commonly used type, are the easiest to compromise. We will also look at examples of high-profile password breaches and discuss best practices for creating secure passwords, such as using a minimum length, including upper and lowercase letters, numbers, and symbols, and avoiding common words or personal information. We will also discuss the importance of password expiration dates, reuse policies, and minimum password ages to prevent reusing of weak passwords.
In this lecture, we will discuss Type 2 Authentication, which is based on "something you have" or possession factors. We will look at examples of how it is used, such as using a passport or ID card to prove our identity. We will also examine the concept of shared trust and how this can add more certainty to the authentication process. We will also touch on single-use passwords and how they are not something you know, but rather something you have, such as a little paper card with numbers or a string of letters sent to your phone or email. Lastly, we will discuss smart cards and tokens, which can be contact or contactless and have a computer circuit, an ICC (Integrated Circuit Chip).
In this lecture, we will discuss Type 3 Authentication, also referred to as Something you are, biometrics or realistic authentication. We will look at how we use unique physiological and behavioral characteristics, such as fingerprints, iris, retina, face geometry, ear geometry, and hand geometry, to prove that someone is who they say they are. We will also discuss the challenges that come with Type 3 authentication, including the issue of false accepts and false rejects, and how to find the right balance to ensure authorized employees are able to access systems and facilities while keeping unauthorized people out. We will also look at the use of physiological and behavioral characteristics in Type 3 authentication, and how these characteristics can change over time.
In this lecture, we will discuss Authorization and access control models. We will begin by talking about Thor, who has proven his identity through multifactor authentication. The question then becomes, what do we give Thor access to and which type of access control models do we want to use to grant that access? We will look at the different types of access control models including Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-based Access Control (RBAC), and Attribute-based Access Control (ABAC). We will also discuss the importance of the CIA triad and how different access control models may be more appropriate depending on the organization's priorities. Additionally, we will examine the different types of access control models in more detail, looking at their specific characteristics and the types of organizations that typically use them.
In this lecture, we will discuss the last "A" of the IAAA model which is Accountability, but it is also referred to as Auditing. We will talk about how accountability traces an action to a subject's identity to hopefully achieve non-repudiation. We will also discuss the importance of not having group accounts, shared accounts, or allowing coworkers to use your account because if something bad happens, you are still responsible and liable. We will also look at the use of audit trails and logs to associate a subject with their actions, and the importance of limiting access to the server where access logs are stored to ensure they cannot be deleted or altered.
In this lecture, we will discuss access control systems and the different types of systems available such as centralized and decentralized systems. We will also look at the advantages and disadvantages of each system and how they can be used in combination as a hybrid system. We will examine the process of accessing a room by comparing credentials to an access control list and the most common types of access control systems, such as the star topology. We will also look at the use of role-based and attribute-based access control, and the typical layout of an access control system in a facility, including the use of a VLAN to segment access control from the rest of the network for security reasons. Additionally, we will compare the pros and cons of centralized and decentralized access control systems and the decision-making process in a centralized system.
In this lecture, we will discuss Identity and Access Provisioning. We will look at how each entity, whether it be a person or a company, can have different identities and each of these identities can have different attributes. We will also explore the concept of an Identity and Access Management Provisioning Lifecycle, using the IBM Tivoli Identity Manager as an example, and how organizations can use it to set up if-then statements to control access to certain resources. Additionally, we will talk about the importance of keeping good audit trails and accountability in the provisioning process.
This lecture is an introduction to cryptography, the science of securing communication. It may not sound exciting to some, but it is crucial for keeping our secrets secret and ensuring the integrity of our data. Cryptography is a big part of the confidentiality leg of the CIA triad and can also be used for authentication and non-repudiation. This lecture will introduce key terms, and in later lectures we will delve deeper into the different types of cryptography, their advantages and disadvantages, and where and why we would deploy them. It is important to have the right balance between confidentiality and availability, and to use encryption strong enough that it is unbreakable or at least takes an unreasonable amount of time to break. We will also discuss the use of modular math in cryptography, and the definitions of cryptology, cryptography, and cryptanalysis.
In this lecture, we will dive deeper into key terms and definitions of cryptography, specifically focusing on mono and polyalphabetic ciphers and frequency analysis. Monoalphabetic ciphers involve substituting one letter for another, which is easy to break using frequency analysis. Polyalphabetic ciphers involve substituting one letter for another every round of encryption, making it more secure than monoalphabetic ciphers. We will also look at XORing or Exclusive OR, where a simple key is added to the plaintext to make it ciphertext. It is commonly used in symmetric encryption and deals with 1s and 0s. The goal of XORing is to create confusion, diffusion, substitution, and permutation between the plaintext and the ciphertext.
In this lecture, we will be discussing the history of cryptography and its relevance to our current understanding and use of encryption methods. We will start with the Spartan Scytale, a simple encryption technique using a stick and a piece of cloth, and move on to other historical methods such as the Caesar cipher and the Vigenère cipher. We will also discuss the use of cipher disks and the Enigma machine, which was used by Germany during WWII. Understanding the evolution of encryption methods matters because it shows why certain techniques are used today and prepares us for exam questions.
In this lecture, we will be finishing the history of cryptography by discussing One-time Pads. One-time Pads are exactly what they sound like: pads that are used only once. They are a cryptographic algorithm where plaintext is combined with a random key. It is crucial that the key is truly random and never reused, because if the pad is reused, the messages can be broken. One-time Pads are also the only mathematically unbreakable encryption, but they are impractical as they can only be used once and both sender and receiver must have identical pads. We will also be discussing the Vernam Cipher, the first known use of a one-time pad, and the example of Project VENONA, where the pads were reused and the messages were successfully decrypted. We will also be discussing the Jefferson Disk and the SIGABA machine, which were used during World War II and the 1950s.
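As an added example (not from the course or its materials), the block below implements a one-time pad over bytes with a pad drawn from the operating system's random source, and then shows the property behind the VENONA failure the lecture mentions: when two messages share a pad, XORing the two ciphertexts cancels the pad and leaves the XOR of the two plaintexts, so knowing one message reveals the other. The message strings are constructed sample inputs.

```python
"""Added example (not from the course): a byte-level one-time pad and a
demonstration of why reusing the pad destroys its security."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """A pad must be truly random and at least as long as the message.
    os.urandom reads the operating system's cryptographic RNG."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad. The pad is consumed once and must
    then be discarded; the function does not enforce that, the user must."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer can compute when two ciphertexts share a pad:
    c1 XOR c2 = (p1 XOR pad) XOR (p2 XOR pad) = p1 XOR p2.
    The pad cancels without ever being known. This is the defect that
    let Project VENONA read reused-pad traffic."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given one plaintext, the other follows from the leaked p1 XOR p2."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(pad_reuse_leak(c1[:n], c2[:n]), known_p1[:n])


if __name__ == "__main__":
    # Constructed sample messages, not course material.
    p1 = b"PATCH THE SERVERS"
    p2 = b"ROTATE ALL KEYS"
    pad = generate_pad(32)
    c1 = otp_encrypt(p1, pad)
    print("round trip ok:", otp_decrypt(c1, pad) == p1)
    c2 = otp_encrypt(p2, pad)          # the mistake: same pad twice
    print("recovered from reuse:", recover_other(c1, c2, p1))
```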
In this lecture, we will explore the two main types of encryption used today: symmetric and asymmetric. Asymmetric encryption allows for secure communication without a pre-shared key, but it is much slower and weaker per bit. On the other hand, symmetric encryption is faster and stronger per bit, but it requires a pre-shared key which can be difficult to share securely. To combat these weaknesses, we will discuss hybrid encryption, which combines the use of asymmetric encryption to share a secret key and symmetric encryption for faster data transfer. Additionally, we will touch on the mathematical formula used to calculate the number of keys needed in symmetric encryption, and encourage students to practice examples to solidify their understanding.
In this lecture, we will discuss symmetric encryption and its use throughout history. One of the most commonly used encryption methods in the early days of the Internet was the Data Encryption Standard (DES), or Single DES. However, DES is no longer considered secure due to the many attack vectors that have been publicly exposed. DES uses a 64-bit block cipher, a 56-bit key, 16 rounds of encryption, and the Feistel cipher. It also has five different modes of encryption: ECB, CBC, CFB, OFB, and CTR. Additionally, we will cover Triple DES, which is a modification of the original DES algorithm that encrypts data three times using three different keys for a total of 112-bit key strength, and is currently the only secure key mode for Triple DES.
In this lecture, we will continue our discussion on symmetric encryption, with a focus on AES (Advanced Encryption Standard/Rijndael) which is the most commonly used type. We will also delve into Blowfish and Twofish, and finish the lecture by exploring the Feistel cipher. We will explore AES in depth, including how it uses a 4x4 matrix for all bytes, and the different steps it goes through in the initial round, actual round, and final round. We will also cover the key size and number of rounds for AES, and how Blowfish and Twofish, which are also symmetric and use the Feistel cipher, differ in terms of block size and key length.
In this lecture, we will discuss asymmetric encryption, a newer technology compared to symmetric encryption, which has been used for thousands of years. Asymmetric encryption has only been used for practical purposes for around 40-50 years, with the development of different methods such as Diffie-Hellman in 1976 and RSA in 1977. Unlike symmetric encryption, where the same key is used for encryption and decryption, asymmetric encryption requires two keys per person: a public key and a private key. With asymmetric encryption, messages can be securely sent over unsecured mediums like the internet without a pre-shared key. It is important to keep the private key secure as it is the key used for decryption and if compromised, an attacker can read all the messages. Asymmetric encryption is also used for digital signatures and can provide authenticity, non-repudiation, and confidentiality.
In this lecture, we will discuss hashing, which is a form of cryptography that is primarily used for integrity. Hashing is a one-way function that ensures that a file or system has not been altered. We use it to take a bit-level copy of a drive, hash the original and copy, and ensure that they match before conducting forensics on the copy. Hashing is not reversible and does not provide confidentiality or non-repudiation. It's important to note that the size of the input text does not affect the fixed-length output, called a message digest or hash. Hashing is used in various places, including hard drives and downloading software from the internet. It's crucial to be aware of collisions, which occur when two different sets of data produce the same hash. The MD5 algorithm has a flaw that makes collisions possible, which is why it is no longer widely used and has been replaced by SHA2 and SHA3.
In this lecture, we will discuss hashing and its role in cryptography. Hashing is a one-way function that is used for integrity and ensuring that a file or system is unaltered. However, it does not provide confidentiality, non-repudiation, or any other feature. We briefly touched on hashing when discussing compromised hard drives and how a bit-level copy of the drive is taken and hashed, with the original and copy's hashes being compared before doing any forensics. It's important to remember that hashing is a one-way function and cannot be reversed, so the only goal is to ensure that no files have been altered. Hashing is used in many places such as on websites where software or patches can be downloaded, and a hash is provided for the file for comparison. It's important to note that there is a possibility of collisions, where two sets of data produce the same hash, which is why we should not use the outdated MD5 algorithm, but rather the more secure SHA2/3 algorithm.
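The "hash the original, hash the copy, compare before forensics" workflow from the two hashing lectures above, as an added worked example written for this summary (not code from the course). The "drive images" are small constructed byte strings standing in for real disk images; the chunked reading is there because real images are far too large to hold in memory at once. It also shows the fixed-length output the lecture describes: a one-byte input and a multi-megabyte input both produce a 64-hex-character SHA-256 digest.

```python
import hashlib
import io

CHUNK_SIZE = 64 * 1024  # read 64 KiB at a time, as you would stream a large image


def digest_stream(stream, algorithm: str = "sha256") -> str:
    """Hash a file-like object in chunks and return the hex message digest."""
    h = hashlib.new(algorithm)
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Convenience wrapper for in-memory data (e.g. a constructed test image)."""
    return digest_stream(io.BytesIO(data), algorithm)


def verify_copy(original: bytes, copy: bytes, algorithm: str = "sha256") -> bool:
    """Forensic check: the bit-level copy may only be examined if its hash
    matches the original's hash. Any changed bit changes the whole digest."""
    return digest(original, algorithm) == digest(copy, algorithm)


def matches_published(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """Download check: compare a file against the hash a vendor publishes."""
    return digest(data, algorithm) == published_hex.lower()


def known_answer_check() -> bool:
    """FIPS 180-4 known answer: SHA-256("abc"). Confirms the hash routine itself."""
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    return digest(b"abc") == expected


# Constructed sample images: an "original" drive, a faithful copy, and a copy
# with a single bit flipped somewhere in the middle.
ORIGINAL_IMAGE = bytes(range(256)) * 4096          # 1 MiB of constructed data
COPY_IMAGE = bytes(ORIGINAL_IMAGE)
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[123456] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    print("copy verified:", verify_copy(ORIGINAL_IMAGE, COPY_IMAGE))       # True
    print("tampered verified:", verify_copy(ORIGINAL_IMAGE, TAMPERED_IMAGE))  # False
```

`hashlib.new("md5")` still works for comparing against legacy published hashes, but for new work the lecture's guidance applies: use SHA-2 or SHA-3, since MD5 collisions can be constructed.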
In this lecture, we will finish discussing hash functions and their various algorithms. We will start by looking at the SHA (Secure Hash Algorithm) family of algorithms, specifically SHA1, SHA2, and SHA3. We will discuss the pros and cons of each algorithm, including the length of the hash value produced and the level of collision resistance. Next, we will discuss the HAVAL (Hash of Variable Length) algorithm, which allows for a variable output length but is not widely used. We will also cover RIPEMD and RIPEMD160, which were created in response to concerns about potential back doors in hash functions developed by the military or for government contractors. Finally, we will discuss the concept of salting and nonces, which are used to further secure stored passwords by adding a random value to the hash.
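Salting as the lecture describes it, as an added worked example (written for this summary, not course material): each stored password gets its own random salt, so two users with the same password end up with different stored values, and an attacker cannot precompute one table for everyone. The iteration count and the record format are assumptions chosen for illustration; a slow, iterated construction (PBKDF2-HMAC-SHA256 from the standard library here) is used rather than a single plain hash.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # illustrative work factor; tune to your hardware and policy
SALT_BYTES = 16        # 128-bit random salt per password


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def make_record(password: str) -> str:
    """Assumed storage format: algorithm$iterations$salt_hex$hash_hex.
    Everything needed to verify later is kept alongside the hash; nothing secret."""
    salt, derived = hash_password(password)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derived.hex()}"


def check_record(password: str, record: str) -> bool:
    """Parse the record and verify the candidate password against it."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Two users choose the same (constructed) password; their records differ.
    print(make_record("correct horse battery staple"))
    print(make_record("correct horse battery staple"))
```

The nonce the lecture mentions alongside salts plays a similar role in protocols: a per-use random value that keeps otherwise identical inputs from producing identical outputs.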
In the next couple of lectures, we will explore various attacks on our cryptography. We will focus on two specific attacks: Steal the Key and Brute Force. Steal the Key is exactly what it sounds like, an attacker stealing our encryption key. This is more efficient and faster than attempting to break the encryption. On the other hand, Brute Force uses the entire key space and tries every single combination to decrypt the ciphertext. However, this method takes a lot of time and can be countered by simple measures such as adding a timer or locking the account after a certain number of incorrect attempts. We will also cover Digraph Attacks and Man-in-the-Middle attacks in future lectures. Overall, it is important to have the right amount of security in place and to always be aware of potential vulnerabilities in our systems.
In this lecture, we will continue to discuss cryptographic attacks and focus on the tactic of social engineering. Social engineering is the act of convincing someone to give away their password or other sensitive information. It can be extremely successful because people want to be helpful and don't want to get in trouble, and when someone poses as an authority figure or creates a sense of urgency, people are more likely to comply. We will also discuss different approaches to social engineering such as authority, intimidation, consensus, scarcity, and familiarity. This is important because it highlights the need for training and raising awareness for employees to be able to detect and avoid these types of attacks.
In this lecture, we will conclude our discussion on cryptographic attacks by focusing on known key attacks, differential cryptanalysis, linear cryptanalysis, and the combination of both known as differential linear cryptanalysis. Known key attacks involve having some prior knowledge about the key, such as its length or format, that makes it easier to break. Differential cryptanalysis involves searching for differences between related plaintexts to find non-randomness in the ciphertext, while linear cryptanalysis studies plaintext and ciphertext pairs created with the same key to discern information about the key. Additionally, we will discuss side channel attacks, implementation attacks, and key clustering, emphasizing the importance of proper implementation and automation in securing systems.
In this lecture, we will discuss digital signatures and Public Key Infrastructure (PKI). PKI uses both symmetric and asymmetric encryption as well as hashing to provide and manage digital certificates. It is important to keep our private key secret, but in PKI, we also store a copy of the key pair in a secure location, known as a key repository. This is important in case the private key is lost or destroyed. We will also discuss key escrow, which is a backup of our key pairs kept by a third party, often at the request of law enforcement. Finally, we will go over the flow of data in a digital signature, which ensures message integrity and non-repudiation.
In this lecture, we will delve into the topic of Message Authentication Codes (MAC) and the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Starting with MAC, we will discuss how it is a hash function that uses a key, specifically the Cipher Block Chaining (CBC) method from the Data Encryption Standard (DES) symmetric encryption. MAC provides integrity and authenticity; however, it does not reveal what has been changed, only that the integrity has been compromised. We will also discuss Hashed Message Authentication Code (HMAC), which combines MAC with hashing; both parties must have a shared key before exchanging information. Moving on to SSL and TLS, we will learn how these protocols provide confidentiality and authentication for web traffic such as web browsing, email, and voice over IP. We will examine the process of the TCP 3-way handshake and the client hello, and how the server can authenticate the client if necessary. Finally, we will discuss the current prevalence of TLS over SSL and its use in internet chats and email clients.
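The HMAC exchange from the lecture above, as an added worked example written for this summary (not course code): both sides hold a pre-shared key, the sender attaches a tag, and the receiver recomputes it. The shared key and the messages are constructed for the demonstration. Note what the receiver learns: only a yes/no answer about integrity and authenticity, never which byte was changed, exactly as the lecture states.

```python
import hashlib
import hmac

# Constructed demo key; in practice this is exchanged out of band or via
# asymmetric key agreement before any messages flow.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message. Only a holder of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, message), received_tag)


def send(key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Sender side: transmit the message together with its tag."""
    return message, make_tag(key, message)


def receive(key: bytes, message: bytes, tag: bytes) -> bytes:
    """Receiver side: accept the message only if the tag checks out.
    A failure says 'something changed or the wrong key was used', nothing more."""
    if not verify_tag(key, message, tag):
        raise ValueError("integrity/authenticity check failed")
    return message


def tamper_one_byte(message: bytes, index: int) -> bytes:
    """Flip one bit in the message to simulate in-transit modification."""
    data = bytearray(message)
    data[index] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    msg, tag = send(SHARED_KEY, b"transfer 100 to account 42")  # constructed message
    print(receive(SHARED_KEY, msg, tag))                         # accepted
    print(verify_tag(SHARED_KEY, tamper_one_byte(msg, 9), tag))  # False
```

HMAC gives integrity and authenticity to whoever holds the key, but not non-repudiation: either party could have produced the tag, which is why digital signatures (asymmetric keys) are needed when one party must not be able to deny sending a message.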
In this and the next lecture, we will discuss software testing and the importance of including security as a requirement and design aspect rather than an afterthought. We will look at how building software without considering security is like building a house or car without including doors or windows, making it structurally less strong and less secure. We will also talk about the difference between static testing and dynamic testing and different tools that can be used for static testing. We will also discuss the concept of white box and black box software testing and how it relates to penetration testing.
In this lecture, we will discuss the various phases of software testing before release into a production environment. We will look at Unit Testing, where we test a specific section of code for functionality, and Integration Testing, where we verify the interfaces between components against our software design to ensure that all units function together. We will also delve into Component Interface Testing, where we verify that interfaces can speak to each other as they should and handle data passing between them. We will also discuss the role of the business unit in testing the software, Installation Testing, and the ongoing process of Regression Testing to ensure that software updates do not introduce new vulnerabilities or break functionality.
In this lecture we will discuss the security implications that come with buying software from other companies, whether it's commercial off the shelf (COTS) software or if we have another company custom build it for us. We need to make sure that the software is secure enough for whatever our organization needs and do our due diligence and due care, never accepting the vendor's claim of how secure it is. We will also discuss the importance of proper software testing, as well as the potential issues that can arise when buying software based on a C-level executive's recommendation without proper planning and analysis of the organization's needs.
In this lecture, we will discuss designing security into software. Historically, software design has focused primarily on functionality rather than security, which is a significant issue. Security requirements for software should be just as important as functional requirements. With the increasing number of security breaches happening on a daily basis, there is now a shift towards designing more secure software, rather than adding security later on. This is critical as software is used in nearly every aspect of our lives and having it be both functional and secure is essential. Even if an organization has strong defense-in-depth, poor software design can make them vulnerable. Software designed with security in mind from the beginning is inherently more secure than software where security is added later on. Additionally, the programming maturity framework can help lower the number of mistakes made in code, which can reduce vulnerabilities. However, even with these measures in place, we must also address the use of old, legacy code that is vulnerable to attacks. This is particularly important as these systems control nearly everything and the consequences of a successful attack can be severe.
In this and the next couple of lectures, we will discuss software development methodologies. We will look at the different technologies and methodologies that are available for developing software, and how to pick the right tool for the job. The main focus of these lectures is on project management, as it is a crucial aspect of software development and IT security professionals are likely to use it in their day-to-day job. We will also discuss how the Waterfall methodology, which is linear and does not work well with changing requirements, is no longer the best tool to use in software development. Instead, we will look at other methodologies such as the Spiral method, Sashimi, Agile, and Scrum, which are better suited for software development. Regardless of which methodology we choose, it must fit the project and the organization. We will also discuss the importance of education and communication within the organization when implementing a new methodology.
In this lecture, we will continue discussing software development methodologies. We will start with Agile and more specifically, Scrum. Scrum is an agile methodology that is designed for small teams of about 10 people, and relies on 2-week sprints or development cycles. Daily stand-up meetings are used in Scrum teams, as they are more efficient. The scrum framework includes three core roles: the Product Owner, the Development Team, and the Scrum Master. The Product Owner represents the product stakeholders and is accountable for the end result. The Development Team is responsible for delivering the end product at the end of each sprint. The Scrum Master's primary role is to make sure the framework is followed and to remove roadblocks for the Development Team. Next, we will discuss XP (Extreme Programming), another agile software development methodology, which uses programming pairs, excessive code reviews, unit testing, and frequent communication with customers. We will also look at the spiral model, which is a risk-driven process model for software projects that goes through four distinct phases.
In this lecture, we will continue discussing software development methodologies with a focus on the Software Development Life Cycle (SDLC). SDLC is not a methodology itself, but rather a description of the different phases that software development goes through. We will review the phases of investigation, analysis, design, build, test, implement, and maintenance and support. It's important to understand the flow of these phases, rather than memorizing specific names as they may differ across different methodologies. However, it is essential to know that security is built into every phase of SDLC, and if it's not specifically mentioned in a question, assume it is incorrect. Furthermore, we will also look at the similarities and differences between software development methodologies such as waterfall, spiral, agile, RAD, and scrum, and how they align with the SDLC phases. We will also briefly touch on the concept of projects, programs, and portfolios in this lecture, which will help in understanding how software development methodologies fit into the bigger picture of project management.
In this lecture, we will be finishing out software development methodologies by looking at Source Code Escrow and Source Code Repositories. We will examine the importance of owning the source code and the use of source code escrow as a means of ensuring access to it in the event that the company that developed the software goes out of business. We will also differentiate source code escrow from source code repositories and their use in large, open source software projects. Additionally, we will delve into API security and the importance of making sure that APIs are just as secure as the components they connect to. We will also touch on the importance of configuration and change management in software development, tracking all changes and configuration changes throughout the software's life cycle.
In this lecture, we will be discussing physical security, which is a broad topic that encompasses various aspects of defense in depth. We will begin by examining the different types of controls that can be implemented for physical security, including preventative, detective, deterrent, and compensating controls. Each type of control serves a specific purpose, such as preventing an attack, detecting an attack, deterring an attacker, or compensating for other controls that may be too costly or impossible to implement. These controls can include things like locked doors, bollards, CCTV cameras, alarm systems, and security guards. It is important to note that many countermeasures can fall into multiple categories, and the type of control used will depend on the specific situation and the indicators or keywords present in the question.
In this lecture, we will continue to explore physical security measures. We will delve deeper into the different types of controls we have in place, specifically focusing on fences, gates, bollards, and lights. Fences can be used as a deterrent or preventative measure, with the height determining their level of effectiveness. Gates are also placed in fences to control the points of entry and exit, and come in various classes such as residential, commercial, industrial, and restrictive access. Bollards are used to prevent vehicles from entering a specific area, and lights serve both a detective and deterrent purpose by fully illuminating the entire area and making it difficult for intruders to sneak in undetected. Overall, these different physical security measures work together in a layered defense to provide the necessary security posture for the facility being protected.
In this lecture, we will continue to explore physical security and specifically focus on locks. Locks are a preventative measure that only prevents access by requiring a physical key to unlock the door. However, keys can be shared, copied, picked, or bumped, making locks less secure. We will delve into how a lock works, specifically looking at the bitting code and the alignment of tumblers. We will also cover the topic of lock picking and lock bumping and their potential ease of use. Additionally, we will discuss Master Keys and Core Keys, which are keys that can open multiple doors within a certain area or security zone and the importance of keeping them secure.
In this lecture, we will continue discussing physical security, specifically focusing on the different types of cards used for identification and access control. We will explore the different uses of smart cards and magnetic stripe cards and their level of security. Smart cards can be used for identification and access to buildings or programs and can be either contact or contactless. Both types of smart cards have an integrated circuit chip (ICC), which stores all the information. Contact cards need to be in contact with the device that reads them, while contactless cards can be read by proximity. Magnetic stripe cards, on the other hand, are commonly used but are not very secure, as they can easily be copied. To ensure maximum security, it is best to use smart cards with RFID blocking and avoid the use of magnetic stripe cards in areas where security is important.
In this lecture, we will be discussing physical security and specifically motion detectors as a means of detection and deterrence. We will delve into how motion sensors can be used in various ways, from simple triggers such as turning on a light to being connected to a back-end system that checks for authorized access and sounds an alarm if needed. We will also cover different types of motion sensors such as light-based sensors, ultrasound, microwave, infrared and laser sensors, and how they function. The instructor will also address some misconceptions about motion sensors from movies and their real-world applications.
In this lecture, we will conclude our discussion on physical security by discussing guards, dogs, and restrictive work areas. We will begin by discussing the role of guards as a deterrent, detective, preventative, and compensating measure for security. We will differentiate between professional guards, amateur guards, and pseudo guards and the importance of training them with clear rules and regulations. Next, we will discuss the use of dogs as a security measure, highlighting their deterrent abilities and potential liability issues. Lastly, we will discuss the process of allowing authorized visitors access to restricted areas and the importance of proper security clearance and identification verification.
In this lecture, we will discuss the importance of proper site selection, design, and configuration when building a new facility. We have previously discussed security measures, but when constructing a new facility from scratch, there are numerous considerations to take into account such as power reliability, internet providers, crime in the area, and natural disasters. These are all factors that must be researched and taken into account to ensure the location is the most convenient and secure for the organization. Additionally, it is important to not advertise the location of the data center as it is a part of security through obscurity. This lesson will cover the importance of considering all factors when choosing a location and the importance of hiding critical information.
In this lecture, we will delve deeper into the topic of site selection, design, and configuration for server rooms and data centers. We will discuss the challenges of designing and building data centers that can accommodate the ever-growing number of servers and the need for cooling and power. Additionally, we will explore the issue of "pop up" data centers, which are often created by utilizing whatever space is available, rather than a space that is specifically designed for a data center. Thor will also touch on the importance of considering future cooling and air conditioning requirements, and the consequences of not doing so. Overall, the aim of this lecture is to stress the importance of due diligence and proper planning in the design and construction of data centers, to ensure the safety and security of the servers and data.
In this lecture, we will discuss the importance of clean, uninterrupted power in a data center. A lack of clean power can compromise the availability of servers and data integrity. To ensure this, we use UPSs (uninterruptible power supplies) and PDUs (power distribution units). UPSs provide backup power in case of a power outage and PDUs ensure the voltage is not too high or too low. We will also discuss common power fluctuation terms such as blackouts, brownouts, and surges and how they can affect a data center. We will also explore how power is set up in a data center, including the use of a utility transformer, transfer switch, and backup generator to ensure clean power and redundancy.
In this lecture, we will discuss environmental controls in data centers and specifically focus on HVACs - heating, ventilation, and air conditioning. It has long been a common practice to keep data centers very cold, but it is not necessary and can waste a lot of money. The optimal range for equipment to function is between 68-77 Fahrenheit or 20-25 degrees Celsius, with allowable ranges being between 59-90 degrees Fahrenheit or 15-32 Celsius. Additionally, keeping data centers too cold can raise humidity levels and increase the cost of pulling humidity out of the room. It is important to also maintain a positive pressure in data centers to keep contaminants such as dust and dirt out and to prevent unnecessary activation of fire suppression systems.
In this lecture, we will be finishing our discussion on environmental controls by focusing on the different types of detectors used in fire detection such as heat, flame, particle, and smoke sensors. We will examine how each sensor detects potential fires and their potential limitations. It is important to note that all sensors should be connected to warning lights, sirens, and the suppression system. We will also discuss the use of a delay button, where staff can check for an actual fire before the suppression system kicks in. Additionally, we will touch on the need to keep the data center clean to prevent false alarms from smoke sensors, and why flame detectors are not as commonly used in data centers. Overall, this lecture will provide a comprehensive understanding of the various types of fire detectors used in data centers and the importance of regular maintenance.
In this lecture and following lectures, we will be discussing fire suppression methods, particularly in regards to data centers. The "fire triangle" illustrates that fire needs three elements to burn: oxygen, heat, and fuel. A common method for extinguishing fires in data centers is to remove or lower the oxygen content in the room. This can be achieved through systems such as FM200, Halon or Argon, which replace a certain percentage of the air's oxygen with other gases. The objective is to lower the oxygen percentage enough to put out the fire, but not to the point of endangering human life. This approach is considered the safest, cheapest and most efficient way to suppress a fire in a data center. Additionally, it is important to note that fire classification varies by region and when answering exam questions it may be necessary to provide an Americanized perspective, with a focus on Class A and Class C fire extinguishers as they are relevant to regular offices and data centers respectively.
In this lecture, we will be finishing up our discussion on fire suppression for data centers by exploring the different types of gases that can be used to lower the oxygen content in a room and put out a fire before the water sprinklers activate. We will begin by discussing CO2, which is not commonly used but can be appropriate in certain areas, but it is crucial that these areas are unmanned as the gas is colorless and odorless and can be dangerous if people are unaware of its presence. We will also touch on the use of Halon 1301, which was once the industry standard for protecting high value assets but is now banned due to its negative effects on the ozone layer and potential harm to people. Lastly, we will discuss commonly used gases such as FM200, Argon, FE-13, and Inergen, and their role in fire suppression. We will also go over the importance of having the appropriate fire extinguishers in each area of the building based on its fire rating.
In this lecture, we will discuss Fault Tolerance and specifically, Backups. We will talk about how to determine the right amount of redundancy and resiliency on our systems through the use of internal SLAs (Service Level Agreements) and discuss the importance of regularly restoring from backups and checking for issues with them. We will also look at the different types of backups including full, incremental, differential and copy backups, and how to build a backup policy that tells the system how much and what to back up, how long to keep the data and different categories for different types of data and retention periods, including infinite retention for certain industries such as banking and healthcare.
In this lecture, we will continue to discuss fault tolerance, redundancy, and resiliency by looking at RAID (Redundant Array of Independent Disks). The goal in building any system is the highest possible uptime and system and hardware redundancy, especially on critical devices. RAID comes in two basic forms: Disk Mirroring and Disk Striping. Disk Mirroring involves making a mirror of a disk and writing the same data to both disks; if one disk fails, we have a copy on the other. Disk Striping involves writing data across multiple disks. It writes faster but does not provide any redundancy. To achieve redundancy with Disk Striping, we add parity to the stripes. This gives us resiliency, and it is usually computed by XORing the data blocks. We will also look at different types of RAID such as RAID 0 and RAID 1. RAID 0 is striping with no parity and no fault tolerance, while RAID 1 is mirroring, which gives us redundancy but makes writes slower. In the business world, it is not common to see RAID 0 or RAID 1 being used on their own.
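How XOR parity turns striping into something that survives a disk failure, as an added worked example written for this summary (not course material). It uses a dedicated parity disk for clarity, which is the RAID 4 layout; RAID 5 rotates the parity block across disks but the arithmetic is identical. The data, the disk count and the block size are constructed for the demonstration.

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR any number of equal-length blocks together."""
    result = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            result[i] ^= byte
    return bytes(result)


def write_with_parity(data: bytes, data_disks: int, block_size: int) -> List[List[bytes]]:
    """Stripe data across `data_disks` disks and store one parity block per
    stripe on an extra disk (index data_disks). Parity = XOR of the stripe's
    data blocks, so any single lost block equals the XOR of all the others."""
    stripe_bytes = data_disks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks: List[List[bytes]] = [[] for _ in range(data_disks + 1)]
    for start in range(0, len(padded), stripe_bytes):
        blocks = [
            padded[start + d * block_size : start + (d + 1) * block_size]
            for d in range(data_disks)
        ]
        for d, block in enumerate(blocks):
            disks[d].append(block)
        disks[data_disks].append(xor_blocks(blocks))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every block of the failed disk from the surviving disks.
    Works for a failed data disk and for the parity disk alike."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed and disk is not None]
    stripes = len(survivors[0])
    return [xor_blocks([disk[s] for disk in survivors]) for s in range(stripes)]


def read_data(disks: List[List[bytes]], length: int) -> bytes:
    """Read the logical data back, skipping the parity disk and padding."""
    data_disks = len(disks) - 1
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(data_disks):
            out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog" * 3  # constructed data
    array = write_with_parity(payload, data_disks=3, block_size=8)
    array[1] = None                      # simulate disk 1 failing
    array[1] = rebuild_disk(array, 1)    # rebuild from the others
    print(read_data(array, len(payload)) == payload)  # True
```

With RAID 0 there is no parity disk, so the same failure loses the data for good; the cost of the parity approach is one disk's capacity and the extra XOR work on every write, which is the trade-off the lecture describes.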
In this lecture, we will continue to discuss fault tolerance, redundancy, and resiliency in the context of network systems. We have already talked about how backups can be used to restore systems in the event of a failure, as well as RAID. We will now look at the systems themselves, including the paths they take out of the network and the power they are connected to. We will discuss how the parts that move, such as fans, are more prone to failure, and why it makes sense to have redundant power supplies and fans in servers. We will also talk about the importance of redundant NICs and switches, and how they are connected to redundant service providers. Additionally, we will discuss the importance of designing servers, networks, and data centers to avoid a single point of failure and to accommodate future usage. We will also discuss how the majority of data center issues are caused by not thinking ahead and not designing for future usage.
In this lecture, we will delve into the topic of storage media and discuss best practices for securing our backups. Thor highlights the importance of knowing how much data is stored, where it is located, and who has access to it. They also stress the need for offsite storage, as keeping tapes in the same building as the data center can be risky if the building is lost. Thor also emphasizes the need for climate control, encryption, and security measures in the offsite storage facility, as well as strict background checks for the personnel handling the tapes. They also mention that paying for offsite storage may seem like a cost, but it is necessary to ensure the safety of the data. Thor concludes with some horror stories of tapes being stored in unsecured locations, such as an employee's home, and stresses the importance of these lessons still being relevant today.
In this lecture, we will be discussing the security implications of purchasing third party software for our organization, as well as what happens when we acquire other companies or our company is divided into smaller divisions. We will examine the importance of having Service Level Agreements in place to ensure that the security of third party software and hardware meets our standards and policies, and discuss the process of conducting risk analyses and audits before acquiring other companies to ensure their security posture is sufficient. We will also touch on the importance of having a holistic security approach and considering the cost benefit analysis when determining the level of security for different assets.
In this lecture, we conclude our study of CISM Domain 3, which constitutes a significant portion of the exam, accounting for 33% of the weighted questions. You can expect around 50 questions from Domain 3 on your exam. Remember that the CISM Review Manual is a lean version of what you need to know, and ISACA provides a comprehensive list of additional resources to study if you're unclear on certain topics. Domain 3 focuses on security programs and the various components required to ensure their effective functioning, including the information lifecycle, secure design, DevOps, DevSecOps, configuration management, security assessments, access control, cryptography, software development, project management, physical security, and redundancy and resiliency. This content is expected to be tested on the current 2022 version of the exam until the next update in 2027. As we wrap up Domain 3, reflect on your progress and identify any areas that may require further study before moving on to Domain 4.
* Updated for the 2022 CISM curriculum. We do in-place updates, meaning any future exam updates you get for free *
Welcome, I am Thor Pedersen, and I am here to help you pass your CISM certification.
With over 760,000 enrollments from 209 countries, my CISSP, CISM, and Certified in Cybersecurity (CC) courses are both the “Best Selling” and “Highest Rated” on Udemy.
Getting your CISM certification now is a very smart career move.
The CISM is highly sought after by Cyber Security recruiters.
There are over 44,000 open CISM jobs in the US.
The average CISM salary in the US is over USD 165,000 a year.
I think my courses are fantastic but don't just take my word for it. Here's what some of my other students have to say about them:
Awesome. I have cleared my CISM. Thank you Thor. (Sravana, ★★★★★)
All the information is relevant to my job and lines up with the ISACA syllabus. Thor's teaching style is most desirable. (Charles, ★★★★★)
Course was a great match for my profession. I am required to get this cert and I know that the material is just what I need to pass the test! (John, ★★★★★)
Thorough, concise and to the point. Thor breaks everything down into easy to digest bite size chunks of information. (Dale, ★★★★★)
This course is really well taught. It is the third Domain in the CISM cert and I am really engaged and learning several new things as well. Keep up the good work Thor, you are a very good instructor. (Bobby, ★★★★★)
Join our community of successful students and reach your certification goals!
When you buy this course you get all this:
10 hours of CISM videos: Covering the 2022 CISM Domain 3 exam topics.
76-page PDF CISM study guides: Detailed guides made from our lectures.
27-page PDF CISM Quick Sheets: For your review sessions.
6 Detailed CISM Mind Maps.
2-page PDF CISM Mnemonics: Memory aids to help you remember key concepts.
256 website links: Additional resources to deepen your understanding of Domain 3 topics.
Subtitles in multiple languages: English, Spanish (Latin America), Portuguese (Brazil), French, Arabic, Japanese, Chinese, and Hindi.
An automatic certificate of completion: Hang on your wall or use for CEUs/PDUs. (10 CEUs).
30-day money-back guarantee: No questions asked.
Lifetime Access to the course and all course updates.
Offline video viewing: Available on the Udemy mobile apps.
In Domain 3 we cover:
A Information Security Program Development
3A1 Information Security Program Resources (e.g., people, tools, technologies)
3A2 Information Asset Identification and Classification
3A3 Industry Standards and Frameworks for Information Security
3A4 Information Security Policies, Procedures, and Guidelines
3A5 Information Security Program Metrics
B Information Security Program Management
3B1 Information Security Control Design and Selection
3B2 Information Security Control Implementation and Integrations
3B3 Information Security Control Testing and Evaluation
3B4 Information Security Awareness and Training
3B5 Management of External Services (e.g., providers, suppliers, third parties, fourth parties)
3B6 Information Security Program Communications and Reporting
We continue to update our courses to make sure you have the latest and most effective study materials:
2025: Added 6 CISM Domain 3 Mind Maps. Added CISM Quick Sheets (27 pages).
2024: Added CISM Mnemonics. Added subtitles in Japanese and Portuguese (Brazil).
2023: Added updates/new videos: Type 1 authentication, Symmetric encryption - Part 2, Hashing - Part 2, Attacks on our cryptography - Part 3.
2022: Full course update for the 2022 curriculum.
2021: 20+ updates: Entirely new content, clearer explanations/examples in videos, and study guides.
2020: 20+ updates: Entirely new content, clearer explanations/examples in videos, and study guides.
2019: Initial release of my CISM courses.
Start Your Certification Journey Today!
Join thousands of successful professionals who have transformed their careers with ThorTeaches. Let me guide you to CISM certification success.
Enroll now and let's achieve your certification goals together!
Thor Pedersen