Safety and Security: Learn CISSP Domains for Project Manager

Interrelated information security, computer security and information assurance concepts and their shared CIA protection goals.
  • Lectures 30
  • Length 2.5 hours
  • Skill Level Intermediate Level
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion

About This Course

Published 9/2015 English

Course Description

Based on extensive hands-on practical experience, this course provides you with the skills and knowledge needed for effective and efficient project management of safety and security operations, so that you can deliver valuable solutions for business and IT.

The "Learn CISSP Safety and Security Domains for Project Managers" course is authored by Chuck Morrison, MBA, PMP, who has over 25 years of Program Management and Business Architecture experience in Silicon Valley, California. Chuck has also authored and published other Udemy courses and Amazon eBooks.

Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security, computer security and information assurance are concepts frequently used interchangeably. The concepts are interrelated and share critical information protection goals: Confidentiality, Integrity, and Availability (CIA).

The key to business and IT security and protection is due diligence through user account management; activity tracking, monitoring, and control; and access rights/permission management.

All affected stakeholders, including sponsors, subject matter experts, and other resources, must be involved in collaboratively developing a viable solution based on Safety and Security operations and processes before any executive decision is made. This requires the leadership, skills, and knowledge of experienced analysts and architects capable of supporting an effective business solution that returns business systems to proper operation.

Critical processes emphasized during this course are collaboration, listening, analysis, and modeling techniques needed for effective and efficient system operations solutions. This course helps you develop the skills and knowledge needed to support effective solutions and decisions regardless of your role.

If you find my course useful, please consider leaving a review and rating. Your review is much appreciated. You can go directly to the review page for this course then click and enter your review and rating.

Thank You and Best Regards,

Chuck Morrison, MBA, PMP

What are the requirements?

  • Some technical experience desired.
  • Ability to collaborate and listen for business wants and needs
  • Capability to capture and define business and technical requirements
  • Interest in the fields of business analysis and information architecture
  • Ability to collect and organize tasks, activities and resources into diagrams and graphical models

What am I going to get from this course?

  • Understand Confidentiality, Integrity, and Availability (CIA) concepts and relationships
  • Overview key principles and objectives of CISSP domains
  • Apply concepts of safety and security to portfolio, program, and project management
  • Project Management consulting and mentoring on methodology, and dealing with security and risk management
  • Apply safety and security concepts to assets, SDLC security, Communications & Networks security
  • Understand and apply concepts related to identity and access management
  • Understand and apply concepts related to security assessment and testing and security operations
  • Apply Personally Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS) concepts

What is the target audience?

  • Subject Matter Experts (SMEs)
  • Product Owners and Sponsors
  • Business Process Managers
  • Business Process Users
  • Product, Portfolio, Project, and Program Managers
  • Business Analysts & Architects
  • Quality Assurance
  • System & Software Developers

Curriculum

Section 1: Welcome to my course “CISSP Domains Overview for Project Managers”
00:41

Lecture 1 – Welcome to my course “Learn CISSP Safety and Security Domains for Project Managers …”

Discussion - Hello, I'm Chuck Morrison, an MBA and PMP certified Senior Program/Projects Manager and Business Architecture Professional.

My specialties are: Business Process Engineering, Software Systems Development, Cross-Functional Program and Change Management.

My significant skills and accomplishments include:

Over 20 years of expansive and diverse experience as a Program, Project and Portfolio Manager, Consultant and Business Architect/Analyst working for companies such as VMware, HP Enterprise Services, Hawaiian Airlines and DIRECTV.

Proven success in leading multiple, complex projects, process improvements and system migrations throughout the entire project lifecycle that generate cost savings of over $50M.

Managed a total of 27 concurrent, highly visible CPUC Rule 20 projects according to schedule and timeline across multi-locations and sites with a total budget of $40M for Pacific Gas and Electric Company (PG&E).

Extensive technology background with recognized business acumen to define and deliver small to large-scale, complex business process and systems infrastructure projects.

My significant accomplishments also include:

During my youth, I had the good fortune of calling home the awesome forests near Somersworth, New Hampshire, the exciting salmon runs of Adak, Alaska, and the beautiful mountains and beaches of California – from Eureka to Yosemite to San Francisco, Los Angeles, and San Diego. It was also to my good fortune in my learning experience to see and walk in every state in the United States at least once.

Later, it was my good fortune to experience the world on a global scale, from the breathtaking beauty and church bells of Frankfurt and Wurzburg, Germany. Next, I found myself experiencing the evening sky of Tokyo, Japan and Mount Fuji from atop Tokyo Tower, followed by the bright red skies of Taipei in Taiwan and Manila Bay in the Philippines, then the busy international harbor of Kowloon near Victoria City, Hong Kong, and the intricate vistas on the Tonkin Gulf near Hai Phong as well as the rugged coastline near Ho Chi Minh City (formerly Saigon), Vietnam, and the exuberant beauty of the Sydney, Australia harbor.

And please, if you have any questions about any part of this training, or any related questions about this course or Udemy, please ask. You have my promise to find you an answer.

02:44

Introduce self to class

Welcome and thank you for joining our course. Please take a moment to introduce yourself to me and the other students in our class using our Udemy Course Discussions to add then post your introduction.

Just include a little information about yourself, including your name and location. You don't have to be specific about location if you prefer … just include your state, city or country. Also, please let us know where you're coming from.

Are you working full-time? Is this your first time taking or creating an online course? Are you working full or part time? Is this your first time creating your own online business or making money online? Do you have a website? If so, please include your website address so we can find out a little more information about you and start following you on your own channel. If you're on Facebook, Twitter, LinkedIn, or other social media, please let us know your contact information if you want to share.

Please contact me with any questions or suggestions you may have about our course.

If during this or any other of my courses, or after you’ve completed any of my courses, you have any questions or related suggestions for improvement; please don’t hesitate to contact me using Udemy’s Instructor Messaging system.

Simply click the blue "Add Discussion" button, then add your information and comments to the dialog box. When finished, click the green "Post" button. That's it … it's that easy to communicate with me and other students on Udemy.

Remember, you have my promise to work with you to find an answer for your questions and suggestions, which may include course enhancements and/or adjustments or reviews and ratings. I look forward to hearing your comments and suggestions.

And, please after completing any of my courses or if you find this course or any of my courses useful, please consider leaving a review and rating. Your review is much appreciated. You can go directly to the review page for any course then click and enter your review and rating.

I'm excited to meet you and just as I did in my “Welcome” video giving information about myself, I really am excited to get to know you better. Please take just 30 seconds to introduce yourself to the course; I will highly appreciate it. See you in the next video lecture.

Thank You and Best Regards, Chuck

05:43

Lecture 2 – What are Safety & Security?

Discussion –

Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security, computer security and information assurance are concepts frequently used interchangeably. The concepts are interrelated and share critical information protection goals: Confidentiality, Integrity, and Availability (CIA).

Confidentiality – Confidentiality means preventing disclosure of information to unauthorized individuals or systems. For example, a credit card Internet transaction requires transmission of the credit card number from buyer to merchant and from merchant to a transaction-processing network. The system enforces confidentiality by encrypting the card number during transmission, by limiting where it appears (e.g., in databases, log files, backups, printed receipts), and by restricting storage access. When an unauthorized party obtains a card number, a confidentiality breach has occurred. Confidentiality is necessary (but not sufficient) for maintaining the privacy of system-stored personally identifiable information (PII).

Integrity – Integrity means data cannot be undetectably modified. Integrity is often viewed as a special case of the classic ACID (Atomicity, Consistency, Isolation, Durability) model used to ensure transaction-processing consistency, but is not the same as database referential integrity. When a message is modified in transit, integrity is violated. Typically, information security systems provide both data confidentiality and message integrity.

Availability – To serve its purpose, any information system must ensure information is available when needed. In computing systems used to store and process information, the security controls that protect the information and the communication channels used to access it must function effectively. High availability systems must always be able to provide requested information, i.e., service disruptions from power outages and hardware/system upgrade failures must be prevented. Ensuring availability also includes preventing denial-of-service (DoS, DDoS) attacks.

Security & Safety Definitions –

Safety – Relative freedom from danger, risk, or threat of harm, injury, or loss to personnel and/or property, whether caused deliberately or by accident. Safety is the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational, or other types or consequences of failure, damage, error, accidents, harm, or any other event that could be considered undesirable. Safety can also be defined as the control of recognized hazards to achieve an acceptable level of risk. This can take the form of being protected from the event, or from exposure to something that causes health or economic losses, including protection of people and/or property.

Security – Process or means, physical or human, of delaying, preventing, and otherwise protecting against external or internal defects, dangers, loss, criminals, and other individuals or actions that threaten, hinder or destroy an organization's "steady state" and deprive it of its intended purpose for being.

The CISSP domains are drawn from various information security topics within the (ISC)² CBK. The CISSP CBK 4Ed consists of the following 8 domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

The CISSP CBK 3Ed consists of the following 10 domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (v4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

Discussion –

Model-Driven Safety-Security

Access Security – Domain 5

Identification – Domain 5

Authentication – Domain 5

Authorization – Domain 5

Integrity – Overview

Confidentiality – Overview

Availability – Overview

Cryptography – Domain 3

CISSP Security Domains

Safety & Security – Domain 0

Physical Security – Domain 3

Development Security – Domain 8

Architecture & Design – Domain 6

Risk – Domain 3

Audit – Domain 3

Vulnerability – Domain 3

Threat – Domain 3

Operations Security – Domain 7

Network Security – Domain 4

Information Security – Domain 1

Governance & Risk – Domain 1

Legal & Compliance – Domain 1

01:22

Lecture 3 – Imagine …

Discussion -

You and your team are responsible for the safety and security of major business system deliveries and were just notified that one of your deliveries crashed and everyone is waiting for your next application delivery.

You're part of a team that must support the company's production control and logistics delivery operation for several critical customers with symptoms you and your team have never seen nor heard of before.

More precisely, customers are beating down your company's doors for must-have immediate delivery of products and services, without a page written about processes or procedures, with people you've never met who do not know what to do next, and you haven't even a clue about what happened, when, or what the impact is on time, resources, or security and safety related issues.

What do you do, where do you begin …

By completing this course, you will possess the set of tools and guidelines needed to create your action plan and move forward to resolving business and technical problems and issues, using Safety and Security related methodologies and processes to support the project and ensure safe and secure delivery of products and services to the customer with minimal time, cost and risk. So, are you ready to get started?

00:59

Lecture 4 – Please Allow Me to Share a Few Related Quotes …

Discussion –

Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. – Albert Einstein

Continuous improvement is not about the things you do well — that's work. Continuous improvement is about removing the things that get in the way of your work. The headaches, the things that slow you down, that's what continuous improvement is all about. ~Bruce Hamilton

Perfection is not attainable, but if we chase perfection we can catch excellence. -Vince Lombardi

The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency. ~Bill Gates

What gets measured, gets managed. ~Peter Drucker

01:17

Lecture 5 – Why Are Safety and Security Needed? …

Discussion –

The CISSP® domains are interrelated and share critical information protection goals: Confidentiality, Integrity, and Availability (CIA).

The CISSP® domains are drawn from various information security topics within the (ISC)² CBK. The CISSP® CBK 4Ed consists of the following 8 domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

Apply Personally Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS) concepts

02:52

Lecture 6 – What's This Course About?

Discussion –

Summary - Based on extensive hands-on practical experience, this course provides you with the skills and knowledge needed for effective and efficient project management of safety and security operations, so that you can deliver valuable solutions for business and IT.

The CISSP Domains Overview for Project Managers course is authored by Chuck Morrison, MBA, PMP, who has over 25 years of Program Management and Business Architecture experience in Silicon Valley, California.

Chuck has authored and published the following Udemy professional training courses and Amazon Kindle books: Learn to Transform Requirements into UML Use Cases, Learn to Analyze Business Application Issues Root Causes, Learn Agile SCRUM Development for Project Managers, Learn How the Project Management Office (PMO) Operate

Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security, computer security and information assurance are concepts frequently used interchangeably. The concepts are interrelated and share critical information protection goals: Confidentiality, Integrity, and Availability (CIA).

The key to business and IT security and protection is due diligence through user account management; activity tracking, monitoring, and control; and access rights/permission management.

All affected stakeholders, including sponsors, subject matter experts, and other resources, must be involved in collaboratively developing a viable solution based on Safety and Security operations and processes before any executive decision is made. This requires the leadership, skills, and knowledge of experienced analysts and architects capable of supporting an effective business solution that returns business systems to proper operation.

Critical processes emphasized during this course are collaboration, listening, analysis, and modeling techniques needed for effective and efficient system operations solutions. This course helps you develop the skills and knowledge needed to support effective solutions and decisions regardless of your role.

If you find my course useful, please consider leaving a review and rating. Your review is much appreciated. You can go directly to the review page for this course then click and enter your review and rating.

Thank You and Best Regards,

Chuck Morrison, MBA, PMP

01:11

Lecture 7 – What Do You Get from This Course?

Discussion –

Understand Confidentiality, Integrity, and Availability (CIA) concepts and relationships

Overview key principles and objectives of CISSP domains

Apply concepts of safety and security to portfolio, program, and project management

Project Management consulting and mentoring on methodology, and dealing with security and risk management

Apply safety and security concepts to assets, SDLC security, Communications & Networks security

Understand & apply concepts related to identity and access management

Understand & apply concepts related to security assessment and testing and security operations

Enables identifying, assigning, tracking, controlling, and managing activities based on Safety & Security domains methodology.

Aids capture & development of safe and secure portfolio/program/project scope, effort, risk, budget and schedule.

00:39

Lecture 8 – What are the course requirements? Intermediate technical level

Discussion –

  • Some technical experience desired.
  • Ability to collaborate and listen for business wants and needs
  • Capability to capture and define business and technical requirements
  • Interest in the fields of business analysis, information architecture, and related technical professions
  • Ability to collect and organize tasks, activities and resources into diagrams and graphical models

00:28

Lecture 9 – Target Audience:

  • Subject Matter Experts (SMEs)
  • Product Owners and Sponsors
  • Business Process Managers
  • Business Process Users
  • Product, Portfolio, Project, and Program Managers
  • Business Analysts & Architects
  • Quality Assurance
  • System & Software Developers

2 questions

Why Are Safety and Security Needed?

Section 2: Overview Privacy & Information Protection
06:37

Section 2 – Overview Privacy & Information Protection

Goals …

Understand Confidentiality, Integrity, and Availability (CIA) concepts and relationships and related Safety and Security Methodologies and processes.

Overview key principles and objectives of CISSP domains

Apply concepts of safety and security to portfolio, program, and project management

Understand Personally Identifiable Information (PII) and the Payment Card Industry Data Security Standard (PCI DSS) at a conceptual level

Lecture 10 – “Overview of Safety and Security”

Discussion –

Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security, computer security and information assurance are concepts frequently used interchangeably. The concepts are interrelated and share critical information protection goals: Confidentiality, Integrity, and Availability (CIA).

Confidentiality – Confidentiality means preventing disclosure of information to unauthorized individuals or systems. For example, a credit card Internet transaction requires transmission of the credit card number from buyer to merchant and from merchant to a transaction-processing network. The system enforces confidentiality by encrypting the card number during transmission, by limiting where it appears (e.g., in databases, log files, backups, printed receipts), and by restricting storage access. When an unauthorized party obtains a card number, a confidentiality breach has occurred. Confidentiality is necessary (but not sufficient) for maintaining the privacy of system-stored personally identifiable information (PII).

Integrity – Integrity means data cannot be undetectably modified. Integrity is often viewed as a special case of the classic ACID (Atomicity, Consistency, Isolation, Durability) model used to ensure transaction-processing consistency, but is not the same as database referential integrity. When a message is modified in transit, integrity is violated. Typically, information security systems provide both data confidentiality and message integrity.

Availability – To serve its purpose, any information system must ensure information is available when needed. In computing systems used to store and process information, the security controls that protect the information and the communication channels used to access it must function effectively. High availability systems must always be able to provide requested information, i.e., service disruptions from power outages and hardware/system upgrade failures must be prevented. Ensuring availability also includes preventing denial-of-service (DoS, DDoS) attacks.

Security & Safety Definitions –

Safety – Relative freedom from danger, risk, or threat of harm, injury, or loss to personnel and/or property, whether caused deliberately or by accident. Safety is the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational, or other types or consequences of failure, damage, error, accidents, harm, or any other event that could be considered undesirable. Safety can also be defined as the control of recognized hazards to achieve an acceptable level of risk. This can take the form of being protected from the event, or from exposure to something that causes health or economic losses, including protection of people and/or property.

Security – Process or means, physical or human, of delaying, preventing, and otherwise protecting against external or internal defects, dangers, loss, criminals, and other individuals or actions that threaten, hinder or destroy an organization's "steady state" and deprive it of its intended purpose for being.

PCI/DSS – The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and J.C. Bamford Excavators Limited (JCB).

PII – Personally identifiable information (PII), or Sensitive Personal Information (SPI) as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. PII has four common variants based on personal / personally, and identifiable / identifying.

The CISSP domains are drawn from various information security topics within the (ISC)² CBK. The CISSP CBK 4Ed consists of the following 8 domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

The CISSP CBK 3Ed consists of the following 10 domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (v4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

02:51

Lecture 11 – Safety and CISSP Knowledge Domains Relationships BOK v3 & v4

Discussion –

This discussion does not endorse (ISC)²®, Inc. The contents of the following discussion do not claim in any way that you'll pass the CISSP® exam and are not a substitute for CISSP® study materials.

CISSP® domains are based on information security topics within (ISC)²® CBK versions 3 and 4 at the links below.

Current Version: Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) – March 11, 2015

Previous Version: Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) – Dec 21, 2012

The CISSP® CBK v3 consists of the following ten domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (v4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

Note: The version numbers to the right of each domain listed above identify the corresponding domain in the (ISC)²® CISSP CBK v4.

The CISSP® CBK v4 consists of the following eight domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

08:07

Lecture 12 – Domain 1 – Security & Risk Management – Information Security Governance & Risk Management, Legal Regulations, Investigations and Compliance

Discussion –

The diagram shows the general relationships involved in Security & Risk Management for the CISSP knowledge domains discussed in BOK versions 3 & 4, as needed to understand Information Security Governance & Risk Management. The comparison of BOK 3 & 4 is continued through lectures 12-19 for Domains 1-8 of the CISSP BOK versions.

Note: The diagrams in the discussion of the 8 Domains may not contain all the processes in CISSP BOK 3 & 4. This course is intended as an overview of related topics and processes. It is up to you, the student, to use the diagrams as a baseline for future review and exploration of the Safety & Security processes. Please refer to CISSP BOK 3 & 4 for related in-depth discussions.

Current Version: Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) – March 11, 2015

Previous Version: Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) – Dec 21, 2012

Information Security Governance & Risk Management

Identification of the organization's information assets, and the development, documentation and implementation of policies, standards, procedures and guidelines.

Security governance and policy – Information Technology (IT) governance ensures a firm's execution of security policies and procedures. IT governance is a subset of Corporate Governance focused on IT systems performance and risk management. Because policies require human involvement, goals are met only when human activities are controlled and monitored using effective policies and procedures. This is the central challenge of IT governance, i.e., whether IT security controls are to be centralized or decentralized.

Information classification/ownership – Many companies consider risk analysis and information classification initiatives, which connect protection measures to business need, too expensive and unwarranted. Instead, IT support organizations must identify the information requiring protection, the level of protection to provide, and the appropriate technology solution. Because only the business community knows the importance of its information, this practice results in inefficient and ineffective information protection planning that is not specifically focused on addressing business needs.

Contractual agreements and procurement processes – Procurement is acquisition of goods and services. Appropriate goods/services are acquired at best possible cost to meet purchaser's quality, quantity, time, and location business requirements. Corporations and public agencies define processes to promote fair and open competition while minimizing exposure to fraud and collusion. Purchasing decisions include delivery and handling, marginal benefit, and price fluctuation factors. Procurement involves buying decisions under conditions of scarcity. Good practice uses economic analysis methods such as cost-benefit analysis or cost-utility analysis. Distinction must be made between analyses with risk and without risk. The concept of expected value is employed, where either costs or benefits risk is involved.

Risk management concepts – Risk management identifies, assesses and prioritizes risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) and then coordinates the economical application of resources to minimize, monitor and control the probability or impact of unfortunate events, or to maximize the realization of opportunities. Risks arise from uncertainty in financial markets, project failures (at any phase: initiation, design, development, monitoring and control, closure or maintenance), legal liabilities, credit risk, accidents, natural causes and disasters, adversary attack, or events with uncertain or unpredictable root causes. Risk management standards have been developed by the Project Management Institute (PMI), the National Institute of Standards and Technology (NIST), actuarial societies and the International Organization for Standardization (ISO). Their methods, definitions and goals vary with the context: project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety. Risk treatment strategies are risk transfer (for example, insurance), risk avoidance, reduction of the probability or negative effect of the risk, and risk acceptance of some or all of the potential or actual consequences. Risk management standards are often criticized because they produce no measurable improvement in risk.

Personnel security – Personnel security refers to the procedures established to ensure that all personnel with access to sensitive information have the required authority as well as the appropriate clearances.

Security education, training and awareness – A Security Education, Training and Awareness (SETA) program is an educational program designed to reduce the number of security breaches that occur through lack of employee security awareness. The SETA program sets the security tone for the employees of an organization, especially when it is part of employee orientation. Awareness programs explain to employees their role in information security, and security awareness efforts encourage participation. Technology alone cannot solve problems that are controlled by individuals.

Certification and accreditation – Certification is the comprehensive evaluation of the technical and non-technical security controls (safeguards) of an information system; it supports the accreditation process by establishing the extent to which a particular design and implementation meets the specified security requirements. Accreditation is the formal declaration by a senior agency official (the Designated Accrediting Authority (DAA) or Principal Accrediting Authority (PAA)) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial and procedural security controls (safeguards).

The CISSP® CBK v3 consists of the following ten domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (v4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

Note: The number to the right of each v3 domain identifies the corresponding domain in the (ISC)²® CISSP CBK v4 (for example, v4.5 is v4 Domain 5).

The CISSP® CBK v4 consists of the following eight domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

03:53

Lecture 13 – Domain 2 – Asset Security – Business Continuity and Disaster Recovery Planning

Discussion –

Asset Security – Business Continuity and Disaster Recovery Planning

This domain addresses the preservation of the business in the face of major disruptions to normal business operations.

Business impact analysis – A business impact analysis (BIA) predicts the consequences of disruption to business functions and processes and gathers the information needed to develop recovery strategies. Potential loss scenarios are identified during the risk assessment; operations may also be interrupted by a supplier's failure to deliver goods or services, or by delayed delivery. All plausible scenarios must be considered when identifying and evaluating the business impact of a disaster, because the BIA provides the basis for deciding how much to invest in prevention, mitigation and recovery strategies. The BIA identifies the operational and financial impacts resulting from disruption of business functions and processes. Impacts considered include:

*Lost sales and income

*Delayed sales or income

*Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)

*Regulatory fines

*Contractual penalties or loss of contractual bonuses

*Customer dissatisfaction or defection

*Delay of new business plans.

Recovery strategy – The methodology that defines how critical operations and systems are restored to normal status following a disaster, including: reverting to manual operations, suspending data processing while onsite systems are repaired, arranging for temporary data processing facilities from a service provider, and keeping offsite backups of essential data.

Disaster recovery process – Disaster recovery, in the broad emergency-management sense used here, is the effort to restore order to a community after a natural disaster. It is not a single orderly set of actions triggered by the disaster's impact; rather, it is a set of activities that occur before, during and after the event. Activities include:

*Warning and ongoing public information

*Evacuation and sheltering

*Search and rescue

*Damage assessments

*Debris clearance, removal and disposal

*Utilities and communications restoration

*Re-establishment of major transport linkages

*Temporary housing

*Financial management

*Economic impact analyses

*Detailed building inspections

*Redevelopment planning

*Environmental assessments

*Demolition

*Reconstruction

*Hazard mitigation

*Preparation for the next disaster.

Provide training – Training is the acquisition of knowledge, skills and competencies through the teaching of vocational or practical skills. Training improves capability, capacity and performance. In addition to the basic training required for a trade, occupation or profession, continued training is needed to maintain, upgrade and update skills throughout working life; in many professions this is referred to as professional development. For business continuity, staff must be trained on the recovery plan and the plan must be exercised so that the procedures work when they are needed.

15:23

Lecture 14 – Domain 3 – Security Engineering – Security Architecture and Design, Cryptography, Physical Security

Discussion –

Security Architecture and Design

The concepts, principles, structures and standards used to design, implement, monitor and secure operating systems, equipment, networks, applications and the controls used to enforce confidentiality, integrity and availability.

Fundamental concepts of security models – A security model is a formal statement of the security policy a system must enforce: which subjects may access which objects, and how information may flow between them. The architecture and design domain covers the concepts, principles, structures and standards used to design, implement, monitor and secure operating systems, equipment, networks and applications, as well as the controls used to enforce the required levels of Confidentiality, Integrity and Availability (CIA).

Capabilities of information systems (e.g. memory protection, virtualization) – Information is a finished product that uses data as its raw material: processed data used to trigger actions or to understand what the data implies. At a broad level, information systems comprise hardware, software, databases and communication systems. Memory protection controls access rights to memory and is part of every modern operating system. It prevents a process from accessing memory that has not been allocated to it, so that a bug in one process cannot affect other processes or the operating system itself. Memory-protection techniques that matter for security include address space layout randomization (ASLR), which makes the addresses of code and data unpredictable to an attacker, and executable space protection (NX/DEP), which prevents data regions such as the stack and heap from being executed as code. Both are effective only when the binary is built to use them, which is worth checking.
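As an added example (not part of the course material), the following Python script reads the headers of an ELF64 binary and reports whether it opts into the two mitigations just described: position independence (e_type == ET_DYN), which is what lets the loader randomize the executable's own image under ASLR, and a PT_GNU_STACK program header without the PF_X flag, which requests a non-executable stack. The sample images are constructed in memory by build_elf(); the layout constants are those of the ELF64 specification, and the "missing header means executable stack" rule reflects the classic Linux loader default.

```python
"""Check an ELF64 image for PIE (ASLR-capable) and a non-executable stack.
Added example; sample inputs are constructed by build_elf()."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 little-endian file header (64 bytes)
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header (56 bytes)


def build_elf(pie: bool, exec_stack: bool, stack_header: bool = True) -> bytes:
    """Constructed minimal ELF64 image: file header plus an optional PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, ELF v1
    phnum = 1 if stack_header else 0
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x1000, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    if not stack_header:
        return ehdr
    flags = 0x6 | (PF_X if exec_stack else 0)  # PF_R|PF_W, plus PF_X if executable
    return ehdr + struct.pack(PHDR_FMT, PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)


def check_mitigations(data: bytes) -> dict:
    """Return which mitigations the image opts into; raises on non-ELF64-LE input."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        "pie": e_type == ET_DYN,
        "stack_header_present": stack_flags is not None,
        # No PT_GNU_STACK at all is treated as unprotected: the classic Linux loader
        # fallback for such binaries is an executable stack.
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }


def check_file(path: str) -> dict:
    """Run the check against a real binary on disk."""
    with open(path, "rb") as fh:
        return check_mitigations(fh.read())


if __name__ == "__main__":
    target = sys.argv[1:2]
    result = check_file(target[0]) if target else check_mitigations(build_elf(True, False))
    for name, ok in result.items():
        print(f"{name:22s} {'yes' if ok else 'NO'}")
```

Run it with a path to any Linux executable to see what the build produced; without an argument it checks one of the constructed images. A "NO" for pie or nx_stack means the mitigation the operating system offers is not being used by that binary.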

Virtualization uses software to simulate the hardware and software on which other software runs. The simulated environment is referred to as a virtual machine (VM). Virtualization is distinguished by the layer of the computing architecture at which it occurs; virtualized components include hardware platforms, operating systems (OS), storage devices, network devices and other resources. Virtualization is the key baseline for cloud computing in Desktop or Database as a Service (DaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and Business Continuity/Disaster Recovery as a Service (BC-DRaaS). The hypervisor that provides the isolation becomes part of the trusted computing base: a flaw in it can expose every VM it hosts, so it must be patched and hardened like any other critical system.

Countermeasure principles – A countermeasure is an action, device, procedure, or technique reducing threats, vulnerabilities, or attacks through elimination or prevention, by minimizing harm, or by discovering and reporting attacks so corrective action is taken.

Vulnerabilities and threats (e.g. cloud computing, aggregation, data flow control) – A vulnerability is a weakness that leaves a system unable to withstand the effects of a hostile environment. A window of vulnerability (WoV) is the time frame during which defensive measures are reduced, compromised or lacking. A threat is a potential danger that could exploit a vulnerability and cause harm. Threats are either intentional (i.e. intelligent; e.g. an individual cracker or a criminal organization) or accidental (e.g. the possibility of a computer malfunctioning, or of an act of God such as an earthquake, fire or tornado); the term also covers any circumstance, capability, action or event with that potential. Cloud computing delivers computing resources (hardware and software) as a service over a network (e.g. the Internet); the name comes from the cloud-shaped symbol used for complex infrastructure in system diagrams. Cloud computing entrusts a remote provider with the user's data, software and computation, which is the source of its particular risks. Aggregation, in the security sense, is the combining of individually non-sensitive pieces of information into a whole that is sensitive; the same word denotes object composition in object-oriented programming (OOP), which is unrelated. Data flow control, in the security sense, restricts where information may move (for example between classification levels or network segments). In data communications, flow control manages the transmission rate between two nodes so that a fast sender does not overrun a slow receiver; it gives the receiver a way to control transmission speed and is distinguished from congestion control, which acts once congestion has actually occurred. Flow control mechanisms are classified by whether the receiving node sends feedback to the sending node.

Policies – Policies guide decisions toward rational outcomes. A policy is a statement of intent, and is implemented through procedures or protocols. The board or senior governance body of an organization adopts policies; procedures and protocols are developed and adopted by senior executive officers. Policies assist both subjective and objective decision-making. Those that assist subjective decisions help senior management weigh the relative merits of several factors before deciding, and are often hard to test objectively as a result (e.g. a work-life balance policy). Those that assist objective decisions are operational in nature and can be objectively tested (e.g. a password policy).

Requirements – A requirement is a documented physical or functional need that a particular product or service must satisfy. Requirements are used in systems engineering, software engineering and enterprise engineering. They are statements that identify the necessary attributes, capabilities, characteristics or qualities of a system that have value and utility to its users. Security requirements belong in this set from the start rather than being added after the design is fixed.

Functions – Business functions or methods are collections of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for customers. Flowcharts visualize the sequence of activities with interleaved decision points. A process matrix visualizes the sequence of activities using relevance rules based on process data.

Features – A feature model is a compact representation of all the products of a Software Product Line (SPL) in terms of their features. Feature models are represented visually as feature diagrams. They are used during the product-line development process, commonly as input for producing related assets such as documents, architecture definitions or code.

Stories – User stories are one or more sentences, in the everyday or business language of the end user or system user, that capture a user's behaviour, need or job function. They are used in Agile software development methodologies to define the functions a business system must provide and to facilitate requirements management. A user story captures the 'who', 'what' and 'why' of a requirement in a simple, concise way, traditionally small enough to fit on a hand-written index card. Stories are written by or for business users as the user's means of influencing the functionality of the developed system. Developers also write user stories to express non-functional requirements (security, performance, quality, etc.); a security requirement such as "as an administrator I want failed logins recorded so that attacks can be detected" belongs in the backlog like any other story. The product manager ensures that user stories are captured and placed in the backlog for development.

Use Cases (also Scenario) – A use case documents the actions or event steps, typically the interactions between a role (known in the Unified Modeling Language as an actor; sometimes a persona) and a system, needed to achieve a goal, including pre- and post-conditions. The actor can be a human, an external system, or time. Misuse or abuse cases apply the same form to what an attacker would try to do, and are a cheap way to get security requirements in front of the design.

Collaboration – Collaboration is working together to achieve a goal. It is an iterative, incremental process in which a team of two or more people works to realize shared goals (a deep, collective determination to reach an identical objective) by sharing knowledge, learning and building consensus. Collaboration requires shared leadership within self-forming teams. Teams that work collaboratively obtain greater resources, recognition and reward when competing for finite resources. Collaboration between parties with opposing goals, known as adversarial collaboration, also exists but is not common.

Consensus – A group decision-making process in which group members develop, and agree to support, a decision in the best interest of the whole. Consensus may be defined professionally as an acceptable resolution, one that can be supported, even if it is not the "favorite" of each individual.

Pattern – A pattern ('template') is a discernible regularity of recurring events or objects. In design, a pattern is a template or model that can be used to generate things or parts of things, especially when the things generated have enough in common for the underlying pattern to be inferred. Security design patterns capture recurring solutions, such as a single choke point for authorization checks, that can be reused across systems.

Cryptography

Principles, means and methods of disguising information to ensure its confidentiality, integrity and authenticity.

Encryption concepts – Encryption is the process of transforming data into an unintelligible form so that the original data cannot be recovered, or can be recovered only with the decryption key. Encrypted data is called ciphertext; data that is not encrypted is called plaintext. The plaintext that has been encrypted into ciphertext is secret from anyone who does not hold the decryption key, but encryption by itself does not prevent the ciphertext from being altered: integrity and authenticity need a separate mechanism such as a message authentication code or a digital signature. The following classes of encryption algorithm exist:

Symmetric encryption algorithm – A single shared key is used both to encrypt and to decrypt data (or, equivalently, the encryption key can be trivially calculated from the decryption key and vice versa). The key must be distributed to both parties over a secure channel and kept secret by each.

Asymmetric encryption algorithm – Two mathematically related keys are used: a public key that may be known to everyone and a private key known only to its owner. For confidentiality, the public key is used for encryption and only the corresponding private key can decrypt; for digital signatures the roles are reversed, with the private key creating the signature and the public key verifying it.

Digital signatures – Digital signatures, or digital signature schemes, are mathematical schemes for demonstrating the authenticity of a digital message or document. A valid digital signature gives the recipient reason to believe that the message was created by a known sender who cannot later deny having signed it (authentication and non-repudiation) and that the message was not altered in transit (integrity). Digital signatures are used for software distribution, financial transactions, and other cases in which detecting forgery or tampering is important.
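To make the three properties concrete, here is an added example (not from the course) of a hash-then-sign digital signature using textbook RSA on two fixed Mersenne primes. The signer holds the private exponent, so only the signer can produce a valid signature (authentication, non-repudiation); anyone with the public key can verify it; and changing a single byte of the message changes the hash and invalidates the signature (integrity). The primes, message and key pairs are constructed for the example; the small keys and the absence of padding make this scheme insecure, and real deployments use 2048-bit or larger keys with RSA-PSS or PKCS#1 v1.5 padding, or an Ed25519/ECDSA library.

```python
"""Toy RSA hash-then-sign, for illustration only (small keys, no padding)."""
from __future__ import annotations

import hashlib

PUBLIC_EXPONENT = 65537


def toy_rsa_keypair(p: int, q: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)). p and q must be distinct primes with gcd(e, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse; raises ValueError if not coprime
    return (n, PUBLIC_EXPONENT), (n, d)


def message_representative(message: bytes, n: int) -> int:
    """Hash the message, then truncate so the integer is below the modulus (toy-only step)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[:16], "big") % n


def sign(message: bytes, private_key: tuple[int, int]) -> int:
    """Only the holder of d can compute this."""
    n, d = private_key
    return pow(message_representative(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple[int, int]) -> bool:
    """Anyone holding the public key can check the signature against the message."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_representative(message, n)


# Constructed keys: Mersenne primes 2^61-1 and 2^89-1 for the signer,
# 2^107-1 and 2^127-1 for a different party.
SIGNER_PUB, SIGNER_PRIV = toy_rsa_keypair((1 << 61) - 1, (1 << 89) - 1)
OTHER_PUB, OTHER_PRIV = toy_rsa_keypair((1 << 107) - 1, (1 << 127) - 1)


def demo() -> dict:
    """Sign a constructed message and show what verification accepts and rejects."""
    msg = b"transfer 100 EUR to account 42"
    sig = sign(msg, SIGNER_PRIV)
    return {
        "authentic": verify(msg, sig, SIGNER_PUB),
        "tampered": verify(b"transfer 900 EUR to account 42", sig, SIGNER_PUB),
        "wrong_signer": verify(msg, sign(msg, OTHER_PRIV), SIGNER_PUB),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never sees the private exponent, which is why the signature can later be shown to a third party as evidence of who signed: the property the text calls non-repudiation.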

Cryptanalytic attacks – Cryptanalytic attacks are classified by the type of information available to the attacker. It is normally assumed that the general algorithm is known, per Shannon's maxim "the enemy knows the system", which is equivalent to Kerckhoffs's principle. This is a reasonable assumption in practice: throughout history, secret algorithms have fallen into wider knowledge through espionage, betrayal and reverse engineering, and on occasion ciphers have been reconstructed through pure deduction (e.g. the German Lorenz cipher, the Japanese Purple cipher, and many classical schemes). The security of a system should therefore rest on the secrecy of the key alone. The standard attack classes are ciphertext-only, known-plaintext, chosen-plaintext and chosen-ciphertext, in increasing order of attacker capability.

Public Key Infrastructure (PKI) – A public-key infrastructure (PKI) is the set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates. A PKI binds public keys to user identities by means of a certificate authority (CA); each identity must be unique within a CA's domain. A validation authority (VA) can provide certificate status information (for example via certificate revocation lists or OCSP) on behalf of the CA. The binding is established through a registration and issuance process that, depending on the assurance level required, is carried out by CA software or under human supervision. The PKI role that assures this binding is the Registration Authority (RA). The RA ensures that a public key is bound to the individual to whom it is assigned, so that signatures made with the corresponding private key can be attributed to that individual (supporting non-repudiation). Relying parties must check revocation status as well as the signature chain: a certificate with a valid chain whose key has been compromised is still revoked.

Information hiding alternatives – Information hiding is the principle of segregating the design decisions of an application that are most likely to change, protecting the other parts of the application from extensive modification when those decisions do change. The protection consists of providing a stable interface that shields the remainder of the application from the implementation details most likely to change. Information hiding prevents certain aspects of a class or software component from being accessible to its clients, using either programming language features (e.g. private variables) or an explicit exporting policy. The same principle limits the damage from a compromised component: what a client cannot reach, it cannot misuse.

04:19

Lecture 15 – Domain 4 – Communications & Network Security – Telecommunications and Network Security

Discussion –

Telecommunications and Network Security

This domain covers network structures, transmission methods, transport formats and the security measures that provide availability, integrity and confidentiality (CIA).

Network architecture and design – Network architecture is the design of a communications network. It provides a framework specifying a network's physical components, their functional organization and configuration, its operational principles and procedures, the data formats used and their relationships, and how the network is operated. In telecommunications, the network architecture specification may also include a detailed description of the products and services delivered and the billing and rate structures by which the services are paid for. The architecture of the Internet is expressed through the Internet Protocol Suite rather than through a specific model of interconnecting networks or nodes or the use of particular hardware link types.

Communication channels – A communication channel (channel) is either a physical transmission medium (e.g. a wire) or a logical connection over a multiplexed medium (e.g. a radio channel). Channels convey information signals (e.g. digital bit streams) from transmitters to receivers. A channel's information-carrying capacity is measured as bandwidth in hertz or as a data rate in bits per second (bps). Communicating data from one location to another requires a pathway, or medium; these pathways, the communication channels, use two types of media. Cable (wire-line) media use physical cables to carry data: twisted-pair wire and coaxial cable use copper, and fiber-optic cable uses glass. Broadcast media include microwave, satellite, radio and infrared. A channel is analysed using a theoretical channel model with specific error characteristics. A storage device can also be treated as a channel: writing is sending and reading is receiving. Broadcast media, and any cable an attacker can reach, are open to interception, so confidentiality over a channel depends on encryption rather than on the medium.

Network components – Network hardware, or network equipment, comprises the devices that make a computer network usable. These include gateways, routers, network bridges, switches, hubs and repeaters. Hybrid and related devices include multilayer switches, protocol converters, proxy servers, firewalls, network address translators, multiplexers, network interface controllers, wireless network interface controllers, modems, ISDN terminal adapters, line drivers, wireless access points, and networking cables and other related hardware. Networking devices mediate data in computer networks and are also called intermediate systems (IS) or inter-working units (IWU). The end systems that originate and consume the data are hosts, or data terminal equipment. Most networking hardware today is copper-based Ethernet, with an adapter included as standard in most modern computer systems; however, wireless networking is increasingly popular, especially for portable and handheld devices.

Network attacks – Computer and computer-network attacks are attempts to destroy, expose, alter, disable or steal an asset, or to gain unauthorized access to or make unauthorized use of it.

08:41

Lecture 16 – Domain 5 – Identity & Access Management – Identity & Access Controls Types

Discussion –

Access Management Context Diagram

Identity Management

*Logon Visitor

*Authenticate Identity

*Register Profile

*Notify Identity

Access Management

*Authorize Role

*Manage Provisioning

*Configure Roles

*Configure Permissions

*Assign Role(s)

*Manage Presentation

Identity & Access Control Types

Preventive – Preventive controls prevent unwanted events from occurring. Because they inhibit the free use of computing resources, they can be applied only to the degree that users are willing to accept. Effective security awareness programs increase users' tolerance of preventive controls by helping them understand how these controls make their computing systems trustworthy.

Deterrent – Deterrent controls discourage individuals from intentionally violating information security policies or procedures. They take the form of constraints that make unauthorized activities difficult or undesirable, or of threatened consequences that influence a potential intruder not to violate security (e.g. consequences ranging from embarrassment to severe punishment).

Detective – Detective controls identify unwanted events once they have occurred. Common detective controls include audit trails, intrusion detection methods and checksums.

Corrective – Corrective controls either remedy the circumstances that allowed the unauthorized activity or return conditions to what they were before the violation. Executing a corrective control may result in changes to existing physical, technical and administrative controls.

Compensating – Compensating controls are alternative controls put in place when a primary control cannot be implemented, or cannot be implemented fully, for technical or business reasons; they provide an equivalent level of protection against the same risk. For example, where an old application cannot enforce strong authentication, compensating controls might restrict which network segments can reach it and add monitoring of its logins. Compensating controls are documented and reviewed together with the control they stand in for, not treated as a permanent exception.

Recovery – Recovery controls restore lost computing resources or capabilities and help the organization recover from the monetary losses caused by a security violation. Recovery controls are neither preventive nor detective; they are included among administrative controls as disaster recovery or contingency plans.

Directive – Directive controls specify the behaviour that is required or prohibited, for example policies, procedures, guidelines, signage and acceptable-use agreements. They direct people rather than technically prevent an action, so they are usually paired with preventive or detective controls that enforce them.

Administrative – The management constraints and supplemental controls established to provide an acceptable level of protection for data, for example policies, procedures, personnel screening and training.

Policy and Procedures – A security policy is a high-level plan that states management's intent pertaining to how security should be practiced within an organization, what actions are acceptable, and what level of risk the company is willing to accept. This policy is derived from the laws, regulations, and business objectives that shape and restrict the company. The security policy provides direction for each employee and department regarding how security should be implemented and followed, and the repercussions for noncompliance. Procedures, guidelines, and standards provide the details that support and enforce the company's security policy.

Personnel Controls – Personnel controls indicate how employees are expected to interact with security mechanisms, and address noncompliance issues pertaining to these expectations.

Change of Status: These controls indicate what security actions should be taken when an employee is hired, terminated, suspended, moved into another department, or promoted.

Separation of duties: The separation of duties should be enforced so that no one individual can carry out a critical task alone that could prove to be detrimental to the company.

Logical/Technical – Logical access controls are tools used for identification, authentication, authorization and accountability in computer information systems. They are the components that enforce access control measures for systems, programs, processes and information, and can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems.

Logical access control can be contrasted with physical access control (for example a mechanical lock and key controlling access to a room), but the line between the two blurs when physical access is controlled by software. For example, room entry may be controlled by a chip-and-PIN card and an electronic lock driven by software: only someone in possession of an appropriate card, with an appropriate security level and with knowledge of the PIN, is permitted entry. On presenting the card to the reader and entering the correct PIN, the user's security level is checked against a security database and compared with the level required to enter the room; if the user meets the requirement, entry is permitted. Controlling logical access centrally in software allows a user's physical access permissions to be amended or revoked quickly, which is exactly what is needed when an employee's status changes.

Access control is any mechanism by which a system grants or revokes the right to access some data or perform some action. Normally a user must first log in to the system through an authentication mechanism; the access control mechanism then decides which operations the user may or may not perform by comparing the authenticated user ID against an access control database. The default decision, when no rule grants access, is denial. Access control systems include:

File permissions, such as create, read, edit or delete on a file server.

Program permissions, such as the right to execute a program on an application server.

Data rights, such as the right to retrieve or update information in a database.
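As an added example (not part of the course), the following Python code is a small logical access control database in the shape of the Access Management functions listed for this lecture: configure roles and permissions, assign roles, and authorize an operation. The authorize check is deny-by-default, role assignment enforces the separation-of-duties rule described under personnel controls (no single person may both create and approve a payment), and every decision is appended to an audit trail, which is the detective control that lets violations be found later. The roles, permissions and user names are made up for the example.

```python
"""Role-based access control with deny-by-default, static separation of duties and an audit trail."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AccessControlDB:
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    exclusive_pairs: set[frozenset[str]] = field(default_factory=set)
    audit_log: list[dict] = field(default_factory=list)

    # Configure Roles / Configure Permissions
    def configure_role(self, role: str, permissions: list[str]) -> None:
        self.role_permissions[role] = set(permissions)

    def add_separation_rule(self, role_a: str, role_b: str) -> None:
        """Static separation of duties: no user may hold both roles at once."""
        self.exclusive_pairs.add(frozenset((role_a, role_b)))

    # Assign Role(s)
    def can_assign(self, user: str, role: str) -> bool:
        held = self.user_roles.get(user, set())
        return role in self.role_permissions and not any(
            frozenset((role, other)) in self.exclusive_pairs for other in held)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        if not self.can_assign(user, role):
            raise ValueError(f"separation of duties: {user} cannot hold {role!r} with current roles")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    # Authorize Role: the runtime check, deny by default, always logged
    def authorize(self, user: str, action: str, resource: str) -> bool:
        wanted = f"{action}:{resource}"
        granted = any(wanted in self.role_permissions.get(r, set())
                      for r in self.user_roles.get(user, set()))
        self.audit_log.append({"user": user, "permission": wanted, "granted": granted})
        return granted


def build_demo_db() -> AccessControlDB:
    """Constructed payments scenario: a clerk creates payments, an approver releases them."""
    db = AccessControlDB()
    db.configure_role("clerk", ["create:payment", "read:payment"])
    db.configure_role("approver", ["approve:payment", "read:payment"])
    db.configure_role("auditor", ["read:payment", "read:audit_log"])
    db.add_separation_rule("clerk", "approver")  # one person must not both create and approve
    db.assign_role("alice", "clerk")
    db.assign_role("bob", "approver")
    db.assign_role("carol", "auditor")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    for user, action in [("alice", "create"), ("alice", "approve"), ("bob", "approve"), ("mallory", "read")]:
        decision = "ALLOW" if db.authorize(user, action, "payment") else "DENY"
        print(f"{user:8s} {action}:payment -> {decision}")
    print("alice may also become approver:", db.can_assign("alice", "approver"))
```

Note that an unknown user such as "mallory" is simply denied: nothing in the database grants the permission, so the default applies and the attempt still lands in the audit log.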

Physical – Physical access control is a matter of who, where and when: an access control system determines who is allowed to enter or exit, where they are allowed to enter or exit, and when. Historically this was accomplished, in part, with keys and locks: when a door is locked, only someone with a key can pass through it, depending on how the lock is configured. Mechanical locks and keys cannot restrict the key holder to specific times or dates, provide no record of which key was used on which door, and keys can easily be copied or handed to an unauthorized person. When a mechanical key is lost, or the key holder is no longer authorized to use the protected area, the locks must be re-keyed.

Authentication Factors

Passwords – Factor types: something you know, something you have, something you are – A password is a secret word or string of characters used for user authentication to prove identity, or for access approval to gain access to a resource (an access code is a type of password). It should be kept secret from those not allowed access. The use of passwords is ancient: sentries would challenge those wishing to enter an area to supply a password or watchword, and would let a person or group pass only if they knew it. In modern times, user names and passwords are commonly used during the log-in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs) and so on. A typical computer user has passwords for many purposes: logging in to accounts, retrieving e-mail, accessing applications, databases, networks and web sites, even reading the morning newspaper online. Passwords are the "something you know" factor; a system that also demands something you have (a token) or something you are (a biometric) is using multi-factor authentication. On the verifying side, passwords must be stored only as salted hashes computed with a deliberately slow function, never in plaintext.

Tokens – A security token (also called a hardware token, authentication token, USB token, cryptographic token or key fob) is a physical device issued to an authorized user of computer services to support authentication; the term also covers software tokens such as authenticator apps. A token is a possession factor: it is used to prove one's identity electronically (for example, a customer accessing their bank account), in addition to or in place of a password, and acts like an electronic key. One-time-password tokens (HOTP and TOTP) derive a short code from a shared secret and either a counter or the current time, so the code changes on every use or every time step (typically 30 seconds); the server holds the same secret and recomputes the code. Because the secret lives in the token or app rather than in the user's memory, it cannot be obtained by asking the user to recite it, although the code itself can still be relayed in real time by a man-in-the-middle; FIDO/WebAuthn hardware keys, which sign a challenge bound to the site's origin, close that gap.
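The HOTP/TOTP scheme described above, as an added example that is not part of the original page: the code generation follows RFC 4226 and RFC 6238, and the 20-byte ASCII secret in the demo is the reference secret those RFCs use for their test vectors. The TotpVerifier class, its name and its in-memory replay store are assumptions for this example; a real deployment keeps the last-accepted counter in persistent, shared storage.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret as base32 text."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: small clock-drift window plus replay protection.

    A TOTP code is a one-time value. Accepting the same code twice within its
    validity window turns a "have" factor into a replayable password, so the
    verifier remembers the highest counter accepted per user and refuses any
    candidate at or below it.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter: Dict[str, int] = {}  # assumption: in-memory for the demo

    def verify(self, user: str, secret: bytes, code: str,
               at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        counter = int(at) // self.step
        last = self._last_counter.get(user, -1)
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= last:
                continue  # already consumed, or older than a consumed code: replay
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 reference secret
    print(totp(demo_secret, at=59))            # 287082
    print(totp(demo_secret, at=59, digits=8))  # 94287082
```

The window of one step either side tolerates clock drift between token and server; widening it weakens the factor, because every extra step is another code an attacker could try or replay.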

Biometrics – Biometrics (or biometric authentication) refers to the identification of humans by their characteristics or traits; it is used in computer security as an inherence factor (something you are) for identification and access control, and also to identify individuals in groups under surveillance. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals, and are categorized as physiological or behavioral. Physiological biometrics measure a part of the body: fingerprint, face, hand geometry, iris or retina, DNA. Behavioral biometrics measure a pattern of behaviour: typing rhythm, gait, signature dynamics and voice (voice is usually classed as behavioral, a learned pattern layered on a physiological one). Some researchers use the term behaviometrics for the latter class. Two properties matter to the practitioner. A biometric is not a secret (faces and fingerprints are left everywhere) and cannot be changed if its stored template is compromised, so it is better suited to identification, or as one factor among several, than as a sole credential. Matching is also probabilistic, so each system is tuned between its false acceptance rate and false rejection rate, and the crossover error rate (CER), where the two are equal, is the usual figure for comparing systems.

Tickets – In IT security, a ticket is a data structure generated by a network server for a client, which the client presents back to that server or to a different server as proof of authentication or authorization; it is protected (encrypted or signed) so that it cannot easily be forged. This usage of the word originated with MIT's Kerberos protocol in the 1980s. Tickets may be transparent, meaning any server holding the right key can verify them without contacting the server that generated them, or opaque, meaning the original server must be contacted to confirm that it issued the ticket. Transparent tickets scale well but cannot be revoked before they expire, so they carry a short lifetime; opaque tickets can be revoked at once but make every check a round trip. Some magic cookies provide the same functionality as a ticket.
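Added example (not the page's or Kerberos's own code) contrasting the two ticket styles above: a transparent ticket as a JSON claim set protected by HMAC-SHA256 that any service holding the shared key can verify offline, and an opaque ticket as a random handle that only the issuing server can resolve or revoke. The claim names (sub, aud, iat, exp, jti), the key and the service names are assumptions made for the example, not a Kerberos message format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(key: bytes, principal: str, service: str, ttl: int,
                 now: Optional[int] = None) -> str:
    """Transparent ticket: claims + HMAC-SHA256 tag, verifiable by any holder of `key`."""
    now = int(time.time()) if now is None else int(now)
    claims = {"sub": principal, "aud": service, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}  # unique id lets a service spot replays
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_ticket(key: bytes, ticket: str, service: str,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the principal if the ticket is authentic, unexpired and meant for `service`."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, tag_text = ticket.split(".")
        tag = _b64d(tag_text)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: stop before parsing any claims
    try:
        claims = json.loads(_b64d(body))
    except ValueError:
        return None
    if claims.get("aud") != service:
        return None  # a ticket issued for another service must not be accepted
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # expired, or issued in the future
    return claims["sub"]


class OpaqueTicketStore:
    """Opaque ticket: a random handle; only the issuing server knows what it means."""

    def __init__(self) -> None:
        self._tickets: Dict[str, dict] = {}

    def issue(self, principal: str, service: str, ttl: int,
              now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else int(now)
        handle = secrets.token_urlsafe(32)
        self._tickets[handle] = {"sub": principal, "aud": service, "exp": now + ttl}
        return handle

    def validate(self, handle: str, service: str,
                 now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else int(now)
        entry = self._tickets.get(handle)
        if entry is None or entry["aud"] != service or now >= entry["exp"]:
            return None
        return entry["sub"]

    def revoke(self, handle: str) -> None:
        self._tickets.pop(handle, None)  # takes effect immediately, unlike a signed ticket
```

The order of checks in verify_ticket is deliberate: the tag is checked before the body is parsed, so a forger never gets the parser to run on attacker-controlled input, and the audience check stops a ticket minted for one service from being replayed against another.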

Single Sign On (SSO) – Single sign-on (SSO) is a property of access control across multiple related but independent software systems: a user logs in once and gains access to all of them without being prompted to log in again at each. Conversely, single sign-off is the property whereby one sign-out action terminates access to all of them. As different applications and resources support different authentication mechanisms, the SSO system has to translate the initial authentication into whatever credential or assertion each application expects (a Kerberos ticket, a SAML assertion, an OpenID Connect token) and manage those on the user's behalf. SSO concentrates risk: the single credential, and the session the identity provider issues, now unlock every connected system, so that credential should be protected with multi-factor authentication, the identity provider treated as a critical system, and session lifetime and sign-off propagation tested rather than assumed.

Access Control Techniques

Discretionary – In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria “as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)”. Discretionary access control is commonly discussed in contrast to mandatory access control (MAC, sometimes termed non-discretionary access control). Occasionally a system as a whole is said to have “discretionary” or “purely discretionary” access control as a way of saying that the system lacks mandatory access control. On the other hand, systems can be said to implement both MAC and DAC simultaneously, where DAC refers to one category of access controls that subjects can transfer among each other, and MAC refers to a second category of access controls that imposes constraints upon the first.

Non-discretionary – Any model in which access rules are set centrally by policy rather than by the owner of the object; mandatory access control (MAC, sometimes simply termed non-discretionary access control) and role-based access control are the common examples. Contrast with Discretionary, above.

Rule-based – Rule-based Access Control is a strategy for managing user access to one or more systems, where business changes trigger the application of Rules, which specify access changes. Implementation of Rules Based Access Control systems is feasible so long as the number of triggering business events and the set of possible actions that follow those events are both small.

Role-based – In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC). Role-based access control (RBAC) is sometimes referred to as role-based security.

Mandatory – In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Lattice Based – In computer security, lattice-based access control (LBAC) is a label-based mandatory access control model covering the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). A lattice is used to define the security labels that an object may carry and that a subject may be cleared for; a label consists of a hierarchical level and a set of compartments (categories), and one label dominates another only if its level is at least as high and its compartments include all of the other's, so two labels can be incomparable. The subject is allowed to read an object only if the subject's label dominates the object's; this is the simple security property (no read up). The Bell-LaPadula confidentiality model, built on the same lattice, adds the *-property (no write down): a subject may write an object only if the object's label dominates the subject's, which stops a high-level process from leaking data into a low-level file. The lattice also defines, for any two labels, a least upper bound, which is the label given to data combined from both.
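Added example, not from the page: a lattice of security labels with the dominance relation, least upper bound and greatest lower bound, and the two Bell-LaPadula access checks described above. The level names and compartment names are a hypothetical classification scheme chosen for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hypothetical scheme for this example: a linear hierarchy of levels plus a set
# of compartments (need-to-know categories) that make the order only partial.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice partial order: level at least as high AND superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments

    def comparable(self, other: "Label") -> bool:
        return self.dominates(other) or other.dominates(self)


def label(level_name: str, *compartments: str) -> Label:
    return Label(LEVELS[level_name], frozenset(compartments))


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label dominating both (label for merged data)."""
    return Label(max(a.level, b.level), a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both dominate."""
    return Label(min(a.level, b.level), a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject, so a
    SECRET process cannot copy what it has read into a CONFIDENTIAL file."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor style decision for read, write, or both."""
    checks = {
        "read": can_read,
        "write": can_write,
        "readwrite": lambda s, o: can_read(s, o) and can_write(s, o),
    }
    return checks[mode](subject, obj)
```

Note that readwrite is only possible when the two labels are equal, which is why strict Bell-LaPadula systems give a process a working label at the level of the data it handles rather than the user's full clearance.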

Access Control (Other)

No more access needed to do a task – In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. The principle means giving a user account only those privileges which are essential to that user's work. For example, a backup user does not need to install software: hence, the backup user has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle applies also to a personal computer user who usually does work in a normal user account, and opens a privileged, password protected account (that is, a superuser) only when the situation absolutely demands it.

Need to know – The term “need to know”, when used by government and other organizations (particularly those related to the military or espionage), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if one has all the necessary official approvals (such as a security clearance) to access certain information, one would not be given access to such information, or read into a clandestine operation, unless one has a specific need to know; that is, access to the information must be necessary for the conduct of one's official duties.

The CISSP® CBK v3 consists of the following ten domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (v4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

Note: The version numbers to the right of the domain listed are the associated domain in the (ISC)²® CISSP CBK v4

The CISSP® CBK v4 consists of the following eight domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

Lecture 16 (04:38) – Domain 5 – Identity & Access Management – Identity & Access Controls Types

Discussion –

Access Management Context Diagram

Identity Management

*Logon Visitor

*Authenticate Identity

*Register Profile

*Notify Identity

Access Management

*Authorize Role

*Manage Provisioning

*Configure Roles

*Configure Permissions

*Assign Role(s)

*Manage Presentation

Identity & Access Control Types

Preventive – Preventive controls stop unwanted events from occurring in the first place (authentication, authorization checks, firewalls, input validation, locked doors). Because they restrict free use of computing resources, they are applied only to the degree users are willing to accept; effective security awareness programs raise that tolerance by helping users understand how the controls make their systems trustworthy.

Deterrent – Deterrent controls discourage individuals from intentionally violating information security policies or procedures. They provide constraints making it difficult or undesirable to perform unauthorized activities or threats leading to consequences influencing potential intruders not to violate security (e.g., threats range from embarrassment to severe punishment).

Detective – Detective controls identify unwanted events after they have occurred. Common detective controls include audit trails and log review, intrusion detection systems, and integrity checks (checksums or cryptographic hashes compared against a known-good baseline).
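A minimal version of the last of those, as an added example that is not from the page: a file-integrity check that hashes a file set, stores the result as a baseline and later reports what was added, removed or modified. The function names and the sample file contents used in the demo are constructed for this example.

```python
import hashlib
import os
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_from_bytes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline for an in-memory file set (lets the example run offline)."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def baseline_from_dir(root: str, skip_dirs=(".git", "__pycache__")) -> Dict[str, str]:
    """Baseline for a real directory tree: relative path -> SHA-256 of contents."""
    result: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            result[os.path.relpath(full, root)] = h.hexdigest()
    return result


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference; any non-empty list is a finding for the analyst."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def findings(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """One alert line per change, modifications first (most often the real incident)."""
    d = diff_baselines(old, new)
    lines = [f"MODIFIED {p} (was {old[p][:12]}, now {new[p][:12]})" for p in d["modified"]]
    lines += [f"ADDED {p}" for p in d["added"]]
    lines += [f"REMOVED {p}" for p in d["removed"]]
    return lines


if __name__ == "__main__":
    # Constructed sample: a config file edited and a binary replaced between scans.
    before = baseline_from_bytes({"etc/ssh/sshd_config": b"PermitRootLogin no\n",
                                  "usr/bin/sudo": b"\x7fELF original"})
    after = baseline_from_bytes({"etc/ssh/sshd_config": b"PermitRootLogin yes\n",
                                 "usr/bin/sudo": b"\x7fELF original",
                                 "usr/bin/.helper": b"\x7fELF dropped"})
    for line in findings(before, after):
        print(line)
```

The control is only detective if the baseline is trustworthy: store it off the monitored host, or sign it, since an intruder who can rewrite the baseline can silently re-baseline their own changes.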

Corrective – Corrective controls remedy the circumstances that allowed unauthorized activity, or return the system to the state it was in before the violation: terminating a malicious process, restoring a file from backup, reverting a configuration change. Executing a corrective control may result in changes to existing physical, technical, and administrative controls.

Compensating – A compensating control is an alternative control put in place when a primary or required control cannot be implemented (for cost, technical or legacy reasons) and that provides an equivalent level of protection; for example, isolating on its own network segment and closely monitoring a system that cannot be patched, or requiring a second human reviewer where an automated check is not available. The compensating control must address the same risk as the control it stands in for, and the deviation should be documented and periodically revisited.

Recovery – Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation (backups, redundant systems, fail-over sites, insurance). They are neither preventive nor detective, and are included in administrative controls as disaster recovery or contingency plans.

Directive – Directive controls specify the behaviour that is required or forbidden, steering people toward compliance rather than technically enforcing it: security policies, standards and procedures, acceptable-use agreements, mandatory training, and signage such as "authorized personnel only". They are administrative in nature and usually form the first layer of control, backed by preventive and detective controls that enforce and check what the directive demands.

Administrative – The management constraints and supplemental controls established to provide an acceptable level of protection for data.

Policy and Procedures – A security policy is a high-level plan that states management's intent pertaining to how security should be practiced within an organization, what actions are acceptable, and what level of risk the company is willing to accept. This policy is derived from the laws, regulations, and business objectives that shape and restrict the company. The security policy provides direction for each employee and department regarding how security should be implemented and followed, and the repercussions for noncompliance. Procedures, guidelines, and standards provide the details that support and enforce the company's security policy.

Personnel Controls – Personnel controls indicate how employees are expected to interact with security mechanisms, and address noncompliance issues pertaining to these expectations.

Change of Status: These controls indicate what security actions should be taken when an employee is hired, terminated, suspended, moved into another department, or promoted.

Separation of duties: The separation of duties should be enforced so that no one individual can carry out a critical task alone that could prove to be detrimental to the company.
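The role-based technique described under Access Control Techniques above and the separation-of-duties control just described, in one added example (not code from the course): a small RBAC engine in which users receive permissions only through roles, with a static separation-of-duty rule that refuses to assign two mutually exclusive roles to the same user. The class, role and permission names are assumptions for the example.

```python
from typing import Dict, FrozenSet, Set


class Rbac:
    """Users get permissions only through roles; static separation of duty (SSoD)
    forbids one user from holding two roles declared mutually exclusive."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.exclusive: Set[FrozenSet[str]] = set()

    def add_role(self, role: str, *perms: str) -> None:
        self.role_perms.setdefault(role, set()).update(perms)

    def add_ssod(self, role_a: str, role_b: str) -> None:
        """Declare two roles mutually exclusive, e.g. requester and approver of payments."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user: str, role: str) -> None:
        """Grant a role; refuse if it conflicts with a role the user already holds."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        for held in self.user_roles.get(user, set()):
            if frozenset((role, held)) in self.exclusive:
                raise PermissionError(
                    f"{user}: {role!r} conflicts with {held!r} (separation of duties)")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Change-of-status hook: remove the role the moment the duty ends."""
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user: str) -> Set[str]:
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, set())))

    def check(self, user: str, permission: str) -> bool:
        """Default deny: an unknown user or an unassigned permission is refused."""
        return permission in self.permissions(user)


if __name__ == "__main__":
    rbac = Rbac()
    rbac.add_role("payments_clerk", "invoice:create", "invoice:read")
    rbac.add_role("payments_approver", "invoice:approve", "invoice:read")
    rbac.add_ssod("payments_clerk", "payments_approver")
    rbac.assign("bob", "payments_clerk")
    print(rbac.check("bob", "invoice:create"))   # True
    print(rbac.check("bob", "invoice:approve"))  # False
    try:
        rbac.assign("bob", "payments_approver")
    except PermissionError as exc:
        print(exc)
```

Because permissions are attached to roles rather than users, a change of status (transfer, termination) is handled by revoking roles, and the least-privilege review becomes a review of what each role can do rather than of every individual account.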

Logical/Technical – Logical access controls are tools used for identification, authentication, authorization, and accountability in computer information systems. They are components that enforce access control measures for systems, programs, processes, and information. Logical access controls can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems.

Logical access control can be contrasted with physical access control (an example of which is a mechanical lock and key controlling access to a room), but the line between the two can be blurred when physical access is controlled by software. For example, room entry is controlled by chip & PIN card and an electronic lock controlled by software. Only those in possession of an appropriate card, with an appropriate security level and with knowledge of the PIN are permitted entry to the room. On swiping the card into a card reader and entering the correct PIN, the user's security level is checked against a security database and compared to the security level required to enter the room. If the user meets the security requirements, entry is permitted. Having logical access controlled centrally in software allows a user's physical access permissions to be rapidly amended or revoked.

Access Control is any mechanism by which a system grants or revokes the right to access some data, or perform some action. Normally, a user must first log in to a system, using some authentication system. Next, the access control mechanism controls what operations the user may or may not perform by comparing the user ID (and the groups or roles attached to it) to an access control database. Access control systems include:

File permissions, such as create, read, edit or delete on a file server.

Program permissions, such as the right to execute a program on an application server.

Data rights, such as the right to retrieve or update information in a database.

Physical – Physical access control is a matter of whom, where, and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit. Historically this was partially accomplished through keys and locks. When a door is locked only someone with a key can enter through the door depending on how the lock is configured. Mechanical locks and keys do not allow restriction of the key holder to specific times or dates. Mechanical locks and keys do not provide records of the key used on any specific door and the keys can be easily copied or transferred to an unauthorized person. When a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks must be re-keyed.

**Authentication Factors

Passwords – Types: Know, Have, Are – A password is a secret word or string of characters that is used for user authentication to prove identity or for access approval to gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access. The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has passwords for many purposes: logging in to accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.

Tokens – A security token (or sometimes a hardware token, authentication token, USB token, cryptographic token, or key fob) may be a physical device an authorized user of computer services is given to ease authentication. A token may also refer to software tokens. Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Biometrics – Biometrics (or biometric authentication) refers to the identification of humans by their characteristics or traits. Biometrics is used in computer science as a form of identification and access control. It is also used to identify individuals in groups that are under surveillance. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Biometric identifiers are often categorized as physiological versus behavioral characteristics. A physiological biometric would identify by one's voice, DNA, handprint or behavior. Behavioral biometrics is related to the behavior of a person, including but not limited to: typing rhythm, gait, and voice. Some researchers have coined the term behavior-metrics to describe the latter class of biometrics.

Tickets – In IT Security, a ticket is a number generated by a network server for a client, which can be delivered to itself, or a different server as a means of authentication or proof of authorization, and cannot easily be forged. This usage of the word originated with MIT's Kerberos protocol in the 1980s. Tickets may either be transparent, meaning they can be recognized without contacting the server that generated them; or opaque, meaning the original server must be contacted to verify that it issued the ticket. Some magic cookies provide the same functionality as a ticket.

Single Sign On (SSO) – Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, Single sign-off is the property whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.

Access Control Techniques

Discretionary – In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria “as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)”. Discretionary access control is commonly discussed in contrast to mandatory access control (MAC, sometimes termed non-discretionary access control). Occasionally a system as a whole is said to have “discretionary” or “purely discretionary” access control as a way of saying that the system lacks mandatory access control. On the other hand, systems can be said to implement both MAC and DAC simultaneously, where DAC refers to one category of access controls that subjects can transfer among each other, and MAC refers to a second category of access controls that imposes constraints upon the first.

Non-discretionary – mandatory access control (MAC, sometimes termed non-discretionary access control) – see Discretionary.

Rule-based – Rule-based Access Control is a strategy for managing user access to one or more systems, where business changes trigger the application of Rules, which specify access changes. Implementation of Rules Based Access Control systems is feasible so long as the number of triggering business events and the set of possible actions that follow those events are both small.

Role-based – In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC). Role-based access control (RBAC) is sometimes referred to as role-based security.

Mandatory – In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Lattice Based – In computer security, lattice-based access control (LBAC) is a complex access control model based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). In this type of label-based mandatory access control model, a lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object.

**Access Control (Other)

No more access needed to do a task – In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. The principle means giving a user account only those privileges which are essential to that user's work. For example, a backup user does not need to install software: hence, the backup user has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle applies also to a personal computer user who usually does work in a normal user account, and opens a privileged, password protected account (that is, a superuser) only when the situation absolutely demands it.

Need to know – The term “need to know”, when used by government and other organizations (particularly those related to the military or espionage), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if one has all the necessary official approvals (such as a security clearance) to access certain information, one would not be given access to such information, or read into a clandestine operation, unless one has a specific need to know; that is, access to the information must be necessary for the conduct of one's official duties.

The CISSP® CBK v3 consists of the following ten domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

Note: The version numbers to the right of the domain listed are the associated domain in the (ISC)²® CISSP CBK v4

The CISSP® CBK v4 consists of the following ten domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

06:53

Lecture 16 – Domain 5 – Identity & Access Management – Identity & Access Controls Types

Discussion –

Access Management Context Diagram

Identity Management

*Logon Visitor

*Authenticate Identity

*Register Profile

*Notify Identity

Access Management

*Authorize Role

*Manage Provisioning

*Configure Roles

*Configure Permissions

*Assign Role(s)

*Manage Presentation

Identity & Access Control Types

Preventive – Preventive controls avoid occurrence of unwanted events. Preventive controls inhibit free use of computing resources and therefore are applied only to the degree users want to accept. Effective security awareness programs increase users' tolerance level for preventive controls by helping to understand how these controls enable trust of their computing systems.

Deterrent – Deterrent controls discourage individuals from intentionally violating information security policies or procedures. They provide constraints making it difficult or undesirable to perform unauthorized activities or threats leading to consequences influencing potential intruders not to violate security (e.g., threats range from embarrassment to severe punishment).

Detective – Detective controls attempt to identify unwanted events once they've occurred. Common detective controls include audit trails, intrusion detection methods, and check-sums.

Corrective – Corrective controls either remedy circumstances allowing unauthorized activity or return to conditions as before violation. Corrective control execution may result in changes to existing physical, technical, and administrative controls. Recovery controls restore lost computing resources or capabilities and help organizations recover monetary losses caused by security violations.

Compensation (Deterrent) – Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities or threats of consequences that influence a potential intruder not to violate security (e.g., threats ranging from embarrassment to severe punishment).

Recovery – Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation. Finally, recovery controls are neither preventive nor detective but are included in administrative controls as disaster recovery or contingency plans.

Directive – Directive Control is an approach to management that combines the two components of the definition of management: direct and control of resources to meet business objectives and needs. It makes use of principles and control theory (unknowingly, it seems) to provide an agile management style.

Administrative – The management constraints and supplemental controls established to provide an acceptable level of protection for data.

Policy and Procedures – A security policy is a high-level plan that states management's intent pertaining to how security should be practiced within an organization, what actions are acceptable, and what level of risk the company is willing to accept. This policy is derived from the laws, regulations, and business objectives that shape and restrict the company. The security policy provides direction for each employee and department regarding how security should be implemented and followed, and the repercussions for noncompliance. Procedures, guidelines, and standards provide the details that support and enforce the company's security policy.

Personnel Controls – Personnel controls indicate how employees are expected to interact with security mechanisms, and address noncompliance issues pertaining to these expectations.

Change of Status: These controls indicate what security actions should be taken when an employee is hired, terminated, suspended, moved into another department, or promoted.

Separation of duties: The separation of duties should be enforced so that no one individual can carry out a critical task alone that could prove to be detrimental to the company.

Logical/Technical – Logical access controls are tools used for identification authentication, authorization, and accountability in computer information systems. They are components that enforce access control measures for systems, programs, processes, and information. Logical access controls can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems.

Logical access control can be contrasted with physical access control (an example of which is a mechanical lock and key controlling access to a room), but the line between the two can be blurred when physical access is controlled by software. For example, room entry is controlled by chip & PIN card and an electronic lock controlled by software. Only those in possession of an appropriate card, with an appropriate security level and with knowledge of the PIN are permitted entry to the room. On swiping the card into a card reader and entering the correct PIN, the user's security level is checked against a security database and compared to the security level required to enter the room. If the user meets the security requirements, entry is permitted. Having logical access controlled centrally in software allows a user's physical access permissions to be rapidly amended or revoked.

Access Control is any mechanism by which a system grants or revokes the right to access some data, or perform some action. Normally, a user must first Login to a system, using some Authentication system. Next, the Access Control mechanism controls what operations the user may or may not make by comparing the User ID to an Access Control database. Access Control systems include:

File permissions, such as create, read, edit or delete on a file server.

Program permissions, such as the right to execute a program on an application server.

Data rights, such as the right to retrieve or update information in a database.

Physical – Physical access control is a matter of whom, where, and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit. Historically this was partially accomplished through keys and locks. When a door is locked only someone with a key can enter through the door depending on how the lock is configured. Mechanical locks and keys do not allow restriction of the key holder to specific times or dates. Mechanical locks and keys do not provide records of the key used on any specific door and the keys can be easily copied or transferred to an unauthorized person. When a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks must be re-keyed.

Authentication Factors

Passwords – Factor types: something you know, something you have, something you are – A password is a secret word or string of characters that is used for user authentication to prove identity, or for access approval to gain access to a resource (for example, an access code is a type of password). The password should be kept secret from those not allowed access. The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area, or approaching it, to supply a password or watchword, and would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log-in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has passwords for many purposes: logging in to accounts, retrieving e-mail, accessing applications, databases, networks, and web sites, and even reading the morning newspaper online.

Tokens – A security token (or sometimes a hardware token, authentication token, USB token, cryptographic token, or key fob) may be a physical device an authorized user of computer services is given to ease authentication. A token may also refer to software tokens. Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Biometrics – Biometrics (or biometric authentication) refers to the identification of humans by their characteristics or traits. Biometrics is used in computer science as a form of identification and access control. It is also used to identify individuals in groups that are under surveillance. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Biometric identifiers are often categorized as physiological versus behavioral characteristics. A physiological biometric identifies a person by a bodily trait such as voice, DNA, or handprint. Behavioral biometrics relate to the behavior of a person, including but not limited to typing rhythm, gait, and voice. Some researchers have coined the term behavior-metrics to describe the latter class of biometrics.

Tickets – In IT security, a ticket is a value generated by a network server for a client, which the client can present back to that server, or to a different server, as a means of authentication or proof of authorization, and which cannot easily be forged. This usage of the word originated with MIT's Kerberos protocol in the 1980s. Tickets may either be transparent, meaning they can be recognized without contacting the server that generated them, or opaque, meaning the original server must be contacted to verify that it issued the ticket. Some magic cookies provide the same functionality as a ticket.
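The transparent/opaque distinction above, shown as an added example that is not from the course and is not Kerberos: a transparent ticket carries its claims plus an HMAC tag that any server holding the shared key can check locally, while an opaque ticket is a random handle that only the issuer can interpret. The key, principal and service names are constructed for the demo.

```python
"""Transparent vs. opaque authentication tickets.

Added example, not from the course and not Kerberos itself. A transparent
ticket carries its claims plus an HMAC tag, so any server holding the shared
key can verify it without contacting the issuer. An opaque ticket is an
unguessable random handle that means nothing by itself; a relying server
must ask the issuer, which looks the handle up in its own table. Both kinds
carry an expiry and a target service, and both reject tampering or unknown
handles. Key, principal and service names below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # provisioned per service in real use


def issue_transparent(principal, service, ttl, now, key=SHARED_KEY):
    """Issuer side: base64 the claims and append an HMAC-SHA256 tag over them."""
    claims = {"sub": principal, "svc": service, "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body.decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_transparent(ticket, service, now, key=SHARED_KEY):
    """Relying server: recompute the tag locally; no call to the issuer is needed.
    Returns the principal on success, None on any failure."""
    try:
        body_b64, tag_b64 = ticket.split(".", 1)
        body = body_b64.encode()
        presented = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None                                   # malformed ticket
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return None                                   # forged or tampered
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("svc") != service or claims.get("exp", 0) <= now:
        return None                                   # wrong target or expired
    return claims["sub"]


class OpaqueIssuer:
    """Issuer keeps all ticket state; relying servers call introspect()."""

    def __init__(self):
        self._table = {}

    def issue(self, principal, service, ttl, now):
        handle = secrets.token_urlsafe(24)   # random handle, no structure to verify
        self._table[handle] = {"sub": principal, "svc": service, "exp": int(now) + ttl}
        return handle

    def introspect(self, handle, service, now):
        """The only way to learn what an opaque ticket means: ask the issuer."""
        rec = self._table.get(handle)
        if rec is None or rec["svc"] != service or rec["exp"] <= now:
            return None
        return rec["sub"]

    def revoke(self, handle):
        """Opaque tickets can be revoked instantly; a transparent one stays valid until it expires."""
        self._table.pop(handle, None)


def demo():
    """Exercise both ticket kinds against a fixed, constructed clock."""
    t0 = 1_700_000_000.0
    ticket = issue_transparent("alice", "fileserver", ttl=300, now=t0)
    tampered = ("A" if ticket[0] != "A" else "B") + ticket[1:]   # flip one body character
    issuer = OpaqueIssuer()
    handle = issuer.issue("alice", "fileserver", ttl=300, now=t0)
    results = {
        "transparent_ok": verify_transparent(ticket, "fileserver", now=t0 + 10),
        "transparent_wrong_service": verify_transparent(ticket, "mailserver", now=t0 + 10),
        "transparent_expired": verify_transparent(ticket, "fileserver", now=t0 + 301),
        "transparent_tampered": verify_transparent(tampered, "fileserver", now=t0 + 10),
        "transparent_other_key": verify_transparent(ticket, "fileserver", now=t0 + 10, key=b"other"),
        "opaque_ok": issuer.introspect(handle, "fileserver", now=t0 + 10),
        "opaque_unknown": issuer.introspect("not-a-real-handle", "fileserver", now=t0 + 10),
    }
    issuer.revoke(handle)
    results["opaque_after_revoke"] = issuer.introspect(handle, "fileserver", now=t0 + 11)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} -> {value}")
    live = issue_transparent("bob", "fileserver", ttl=60, now=time.time())
    print("live ticket verifies as", verify_transparent(live, "fileserver", now=time.time()))
```

The trade-off the demo makes visible: the transparent ticket saves a round trip to the issuer, but revocation then depends on a short expiry, whereas the opaque handle can be revoked immediately.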

Single Sign On (SSO) – Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, Single sign-off is the property whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.

Access Control Techniques

Discretionary – In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria “as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)”. Discretionary access control is commonly discussed in contrast to mandatory access control (MAC, sometimes termed non-discretionary access control). Occasionally a system as a whole is said to have “discretionary” or “purely discretionary” access control as a way of saying that the system lacks mandatory access control. On the other hand, systems can be said to implement both MAC and DAC simultaneously, where DAC refers to one category of access controls that subjects can transfer among each other, and MAC refers to a second category of access controls that imposes constraints upon the first.

Non-discretionary – mandatory access control (MAC, sometimes termed non-discretionary access control) – see Discretionary.

Rule-based – Rule-based access control is a strategy for managing user access to one or more systems, where business changes trigger the application of rules, which specify access changes. Implementation of rule-based access control systems is feasible so long as the number of triggering business events and the set of possible actions that follow those events are both small.

Role-based – In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC). Role-based access control (RBAC) is sometimes referred to as role-based security.

Mandatory – In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Lattice Based – In computer security, lattice-based access control (LBAC) is a complex access control model based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). In this type of label-based mandatory access control model, a lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object.
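To make the lattice rule above concrete, and the earlier point that MAC imposes constraints a DAC layer cannot relax, here is an added example (not from the course and not any product's implementation): labels are (level, compartments) pairs, a subject may read an object only if its label dominates the object's label, and a separate owner-managed ACL is consulted only after the MAC check passes. The classification levels, compartment names, subjects and the file are constructed for the demo.

```python
"""Lattice-based mandatory access control layered over a discretionary ACL.

Added example, not from the course. A security label is a (level, compartments)
pair. Label A dominates label B when A's level is at least B's level AND A's
compartment set contains B's. Two labels can be incomparable (neither dominates),
which is what makes the set of labels a lattice rather than a simple ladder.
A subject may read an object only if the subject's label dominates the object's
label (the MAC rule quoted in the text) AND the object's owner-managed ACL grants
the right (the DAC layer). Levels, compartments and names are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical ordered classification levels; the numbers only fix the order.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order on labels: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def comparable(a: Label, b: Label) -> bool:
    """True when the two labels lie on a common chain of the lattice."""
    return a.dominates(b) or b.dominates(a)


def least_upper_bound(a: Label, b: Label) -> Label:
    """Join of two labels: the lowest label that dominates both (e.g. for a merged document)."""
    top = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(top, a.compartments | b.compartments)


@dataclass
class Object:
    name: str
    label: Label
    acl: dict = field(default_factory=dict)   # subject -> set of rights, owner-managed (DAC)


def mac_permits_read(subject_label: Label, obj: Object) -> bool:
    """Mandatory check enforced by the system, not changeable by the object's owner."""
    return subject_label.dominates(obj.label)


def dac_permits(subject: str, obj: Object, right: str) -> bool:
    """Discretionary check: whatever rights the owner chose to grant."""
    return right in obj.acl.get(subject, set())


def authorize_read(subject: str, subject_label: Label, obj: Object) -> tuple:
    """Both layers must agree; the reason string is what an audit log would record."""
    if not mac_permits_read(subject_label, obj):
        return False, "MAC: subject label does not dominate object label"
    if not dac_permits(subject, obj, "read"):
        return False, "DAC: ACL grants no read right"
    return True, "allowed"


# Constructed sample clearances and one constructed object.
clearances = {
    "alice": Label("SECRET", frozenset({"HR", "FIN"})),        # cleared and granted
    "bob":   Label("CONFIDENTIAL", frozenset({"FIN"})),        # exactly the object's label
    "carol": Label("CONFIDENTIAL", frozenset({"HR"})),         # granted by owner, but wrong compartment
    "dave":  Label("SECRET", frozenset({"HR", "FIN"})),        # cleared, but owner never granted access
}
payroll = Object("payroll.xlsx", Label("CONFIDENTIAL", frozenset({"FIN"})),
                 acl={"alice": {"read"}, "bob": {"read"}, "carol": {"read"}})


def demo() -> dict:
    """Evaluate every constructed subject against the payroll object."""
    return {name: authorize_read(name, lbl, payroll) for name, lbl in clearances.items()}


if __name__ == "__main__":
    for who, (ok, why) in demo().items():
        print(f"{who:6} read {payroll.name}: {'ALLOW' if ok else 'DENY '} ({why})")
    print("bob and carol comparable?", comparable(clearances["bob"], clearances["carol"]))
    print("join of bob and carol:", least_upper_bound(clearances["bob"], clearances["carol"]))
```

Carol's case is the one worth noticing: the owner granted her read access, yet the request is denied because the MAC layer runs first and her label does not dominate the object's.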

Access Control (Other)

No more access than needed to do a task – In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that, in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. The principle means giving a user account only those privileges which are essential to that user's work. For example, a backup user does not need to install software; hence, the backup user has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle also applies to a personal computer user who usually does work in a normal user account, and opens a privileged, password-protected account (that is, a superuser) only when the situation absolutely demands it.

Need to know – The term “need to know”, when used by government and other organizations (particularly those related to the military or espionage), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if one has all the necessary official approvals (such as a security clearance) to access certain information, one would not be given access to such information, or read into a clandestine operation, unless one has a specific need to know; that is, access to the information must be necessary for the conduct of one's official duties.

The CISSP® CBK v3 consists of the following ten domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (v4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

Note: The version numbers to the right of each domain listed are the corresponding domain in the (ISC)²® CISSP CBK v4.

The CISSP® CBK v4 consists of the following ten domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

12:45

Lecture 19 – Domain 6 – Security Assessment & Testing – Security Architecture and Design

Discussion –

Penetration Testing & Security Audits – Before discussing Security Assessment & Testing it is important to discuss penetration testing and security audits. A penetration test (PT), or sometimes “pentest”, is a software attack on a computer system that looks for security weaknesses, potentially gaining access to the computer's features and data.

The process typically identifies the target systems and a particular goal—then reviews available information and undertakes various means to attain the goal. A penetration test target may be a white box (which provides background and system information) or black box (which provides only basic or no information except the company name). A penetration test can help determine whether a system is vulnerable to attack, if the defenses were sufficient, and which defenses (if any) the test defeated.

Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce risk.

The goals of penetration tests are:

*Determine feasibility of a particular set of attack vectors

*Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence

*Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software

*Assess the magnitude of potential business and operational impacts of successful attacks

*Test the ability of network defenders to detect and respond to attacks

*Provide evidence to support increased investments in security personnel and technology

Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes.

Security Audit – A computer security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems.

Security Architecture and Design

This domain covers the concepts, principles, structures and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and the controls used to enforce confidentiality, integrity and availability.

Fundamental concepts of security models – The Security Architecture and Design domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, and applications as well as those controls used to enforce various levels of Confidentiality, Integrity, and Availability (CIA).

Capabilities of information systems (e.g. memory protection, virtualization) – Information is a finished product made from data as raw material: data that has been processed so it can be used to trigger actions or to understand what the data implies. At a broad level, information systems comprise hardware, software, databases, and communication systems. Memory protection controls memory access rights and is part of every modern operating system. It prevents a process from accessing memory not allocated to it, so that a bug in one process cannot affect other processes or the operating system. Memory protection techniques include address space layout randomization and executable space protection.

Virtualization simulates hardware and software so that one piece of software can run on top of another. The simulated environment is referred to as a virtual machine (VM). Virtualization is distinguished by the computing architecture layer at which it operates; virtualized components include hardware platforms, operating systems (OS), storage devices, network devices, and other resources.

Countermeasure principles – A countermeasure is an action, device, procedure, or technique that reduces a threat, vulnerability, or attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

Vulnerabilities and threats (e.g. cloud computing, aggregation, data flow control) – A vulnerability is the inability to withstand the effects of a hostile environment. A window of vulnerability (WoV) is the time frame during which defensive measures are reduced, compromised, or lacking. A threat is a potential danger that exploits a vulnerability to breach security and cause harm. Threats may be “intentional” (i.e., intelligent; e.g., an individual cracker or a criminal organization) or “accidental” (e.g., the possibility of a computer malfunctioning, or the possibility of an “act of God” such as an earthquake, a fire, or a tornado); a threat can be a circumstance, capability, action, or event. Cloud computing delivers computing resources (hardware and software) as a service over a network (e.g., the Internet); the name comes from the cloud-shaped symbol used for complex infrastructure in system diagrams. Cloud computing entrusts remote services with a user's data, software, and computation. Aggregation is a form of object composition in object-oriented programming (OOP). Flow control, in data communications, manages the rate of data transmission between two nodes so that a fast sender cannot overrun a slow receiver; it gives the receiving node a mechanism to control the transmission speed so that it is not overwhelmed with data from the transmitting node. Flow control is distinct from congestion control, which is used to control the flow of data once congestion has actually occurred. Flow control mechanisms are classified by whether the receiving node sends feedback to the sending node.

Policies – Policies guide decisions toward rational outcomes. A policy is a statement of intent, and is implemented as a procedure or protocol. Policies are adopted by the Board or senior governance body of an organization, whereas procedures or protocols are developed and adopted by senior executive officers. Policies can assist both subjective and objective decision-making. Policies that assist subjective decision-making help senior management weigh the relative merits of several factors before a decision is made, and are therefore often hard to test objectively (e.g. a work-life balance policy). In contrast, policies that assist objective decision-making are operational in nature and can be objectively tested (e.g. a password policy).

Requirements – A requirement is a documented physical or functional need that a particular product or service must satisfy. Requirements are used in systems engineering, software engineering, and enterprise engineering. A requirement is a statement identifying a necessary attribute, capability, characteristic, or quality of a system in order for it to have value and utility to its users.

Functions – Business functions (or business methods) are collections of related, structured activities or tasks that produce a specific service or product (that is, serve a particular goal) for customers. Flowcharts visualize sequences of activities with interleaved decision points. A process matrix visualizes sequences of activities using relevance rules based on process data.

Features – A feature model is a compact representation of all the products of a Software Product Line (SPL) in terms of “features”. Feature models are represented visually using feature diagrams. They are used during the product-line development process, commonly as input for producing related assets such as documents, architecture definitions, or code.

Stories – A user story is one or more sentences, in the everyday or business language of the end user or system user, that captures what the user does or needs to do as part of his or her job function. User stories are used in Agile software development methodologies to define the functions a business system must provide, and to facilitate requirements management.

User stories capture the 'who', 'what' and 'why' of a requirement in a simple, concise way, a limitation often imposed by writing them on hand-written note cards. User stories are written by or for business users as the user's primary way to influence the functionality of the system being developed. User stories can also be written by developers to express non-functional requirements (security, performance, quality, etc.). The product manager ensures that user stories are captured and placed in the backlog for development.

Collaboration – Collaboration is working together to achieve a goal. It is an iterative, incremental process in which a team of two or more people works to realize shared goals (a deep, collective determination to reach an identical objective) by sharing knowledge, learning, and building consensus. Collaboration requires shared leadership within self-forming teams. Teams that work collaboratively obtain greater resources, recognition, and reward when competing for finite resources. Collaboration can also occur between parties with opposing goals (adversarial collaboration), though this is not common.

Pattern – A pattern ('template') is a theme of recurring events or objects. The elements of a pattern repeat in a predictable manner and can be generated from a template or model; conversely, a unique underlying pattern can be inferred from the common elements that its instances share.


07:21

Lecture 20 Domain 7 – Operations Security – Security Operations

Discussion –

Operations Security

This domain identifies the controls over hardware and media, and the operators who have access privileges to these resources.

Resource protection – Resource protection focuses on protecting data against loss or damage, including during data processing and storage. How much protection data needs depends on its value to the organization and on who needs it, so resource protection must be carefully planned. Resource protection is a balance: it enables the organization and its users to complete their jobs while preventing intruders from gaining unauthorized access to, and misusing, resources. Resource protection is accomplished by clearly defining and setting up user responsibilities and by making access controls transparent.

Incident response – Incident response addresses and manages the aftermath of a security breach or attack (an incident). The goal is to limit damage and reduce recovery time and cost. An incident response plan includes a policy that defines what constitutes an incident and provides a step-by-step process to be followed when an incident occurs. A carefully selected computer incident response team conducts the organization's incident response, drawing on security and general IT staff together with representatives from the legal, human resources, and public relations departments.

Attack prevention and response – A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack renders a machine or network resource unavailable to its intended users. DoS/DDoS attacks are efforts by one or more people to temporarily or indefinitely interrupt or suspend the services of hosts connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and root name servers. The term generally relates to computer networks but is not limited to them; it applies, for example, to CPU resource management.

Patch and vulnerability management – The goal of vulnerability and patch management is to keep the components of the information technology infrastructure (hardware, software and services) up to date with patches and updates, and thereby keep them available to end users. Without regular vulnerability testing and patching, the infrastructure remains exposed to problems that regular updating of software, firmware and drivers would have fixed. Poor patching allows viruses and spyware to infect the network by exploiting known security vulnerabilities.

Business Continuity and Disaster Recovery Planning

This domain addresses preservation of the business in the face of major disruptions to normal business operations.

Business impact analysis – A business impact analysis (BIA) predicts the consequences of disruption to a business function or process, and gathers the information needed to develop recovery strategies. Potential loss scenarios are identified during the risk assessment. Operations can also be interrupted when a supplier fails to deliver goods or services, or delivers them late. All plausible scenarios must be considered in order to identify and evaluate the business impact of a disaster and to provide a basis for investment in recovery strategies, prevention, and mitigation. The BIA identifies the operational and financial impacts resulting from disruption of business functions and processes. Impacts considered include:

Lost sales and income

Delayed sales or income

Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)

Regulatory fines

Contractual penalties or loss of contractual bonuses

Customer dissatisfaction or defection

Delay of new business plans.

Recovery strategy – Methodology defining restoration of critical operations and systems to normal status following a disaster including: restoring manual operations, suspending data processing for repair of onsite systems, arranging for temporary data processing facilities by a service provider, and offsite facility back-up of essential data.

Disaster recovery process – Community disaster recovery is the struggle to restore order after Mother Nature strikes. The disaster recovery process is not a set of orderly actions triggered by the impact of a disaster upon a community. Rather, disaster recovery is a set of activities occurring before, during, and after a disastrous event. Activities include:

Warning and ongoing public information

Evacuation and sheltering

Search and rescue

Damage assessments

Debris clearance, removal and disposal

Utilities and communications restoration

Re-establishment of major transport linkages

Temporary housing

Financial management

Economic impact analyses

Detailed building inspections

Redevelopment planning

Environmental assessments

Demolition

Reconstruction

Hazard mitigation

Preparation for the next disaster.

Provide training – Training is the acquisition of knowledge, skills, and competencies through the teaching of vocational or practical skills and knowledge that relate to useful competencies. Training improves capability, capacity, and performance. Training may be provided at institutes of technology. In addition to the basic training required for a trade, occupation or profession, continued training is needed to maintain, upgrade and update skills throughout working life. People in many professions and occupations refer to this kind of training as professional development.


04:31

Lecture 21 – Domain 8 – Security in the Software Development Life Cycle – Application Software Development Security

Discussion –

This domain covers the controls included within systems and application software, and the steps used in their development.

Systems development life cycle (SDLC) – The systems development life cycle (SDLC), or software development process, is the process for creating or altering information systems, together with the models and methodologies used to develop applications and systems. The SDLC concept underpins many software development methodologies, which form the framework for planning and controlling the creation and maintenance of an information system.

Application environment and security controls – Information technology (IT) controls are activities performed by persons or systems and designed to ensure that business (customer/stakeholder) objectives are met. IT controls are a subset of an enterprise's internal controls. IT control objectives include information confidentiality, integrity, and availability (CIA) and the overall management of the enterprise's IT function. IT controls fall into two categories: IT general controls (ITGC) and IT application controls. ITGC cover the IT environment, computer operations, access to programs and data, program development, and program change controls. IT application controls are transaction-processing controls, sometimes called “input-processing-output” controls. IT controls have gained prominence in corporations subject to the Sarbanes-Oxley Act. The Control Objectives for Information Technology (COBIT) framework, promulgated by the IT Governance Institute, defines application control objectives and recommends evaluation approaches. An organization's IT department is often led by a Chief Information Officer (CIO), who is responsible for ensuring that effective information technology controls are in use.

Effectiveness of application security – Business environment risks and international regulations cause companies to incorporate information security as an aspect of their business processes. As with any business process, resource assignment and budgeting ensure proper implementation. Because the objective of the security process is to minimize risk exposure, it is important to determine how effective the implemented controls are. How can the security controls in place be measured as effective? How is a budget to augment or improve existing controls justified? It is important to show the organization that the requested funds will be invested in preventing issues that would materialize as an information risk against any of the core business processes.

Configuration – Software configuration management (SCM) tracks and controls changes to software. Configuration management practices include revision control and the establishment of baselines. SCM answers the question “Somebody did something; how can one reproduce it?” Often this involves not reproducing “it” identically, but with controlled, incremental changes. Answering the question involves comparing different results and then analyzing the differences. Traditional configuration management focused on controlling the creation of relatively simple products. Implementers of SCM now face the challenge of dealing with relatively minor increments within the context of complex system development. SCM is the control of a software project's evolution.


11:32

Lecture 22 – Domain 0 – Public and Private Safety

Discussion –

Safety is protection against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types of failure, damage, error, accident, harm, or any other event that could be considered undesirable, and against their consequences. Safety is also the control of recognized hazards to achieve an acceptable level of risk. Safety also protects against events or exposures that cause health or economic losses. Safety includes the protection of people and possessions. The Public Safety Spectrum Trust Corporation (PSST) is a non-profit organization representing the radio spectrum needs of police, fire and ambulance agencies in the United States.

Risk Assessment – Risk assessment is a step in a risk management procedure. It is the determination of the quantitative or qualitative value of the risk related to a concrete situation and a recognized threat (hazard). Quantitative risk assessment requires calculation of the two components of risk (R): the magnitude of the potential loss (L) and the probability (p) that the loss occurs. In complex systems, risk assessments are performed in safety engineering and reliability engineering when threats to life, the environment, or machine functioning are concerned. The nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. The medical, hospital, and food industries control risks and perform risk assessments on a continual basis. Methods for risk assessment differ among industries, and differ again when they pertain to general financial decisions or to environmental, ecological, or public health risk assessment.

Emergency Response – Emergencies are unplanned events that cause death or significant injury to faculty, staff, students, or the public. Emergencies shut down business, disrupt operations, cause physical or environmental damage, or threaten an organization's financial standing or public image. An Emergency Response Plan (ERP) is activated when a crisis, man-made or natural, disrupts operations, threatens life, or creates major damage.

Business Continuity – Business continuity ensures that critical business functions remain available to customers, suppliers, regulators, and other entities. Activities include project management, system backups, change control, and help desk. Business continuity is not something implemented when a disaster occurs; it is the set of activities performed daily to maintain service, consistency, and recoverability. Business continuity includes the standards, program development, supporting policies, guidelines, and procedures needed to ensure that a firm continues to operate regardless of adverse circumstances or events. All system design, implementation, support, and maintenance must be built on this foundation for business continuity, disaster recovery, or system support to be achievable. Business continuity is not disaster recovery; disaster recovery is a subset of business continuity. Business continuity is also not Work Area Recovery (recovery from the loss of the physical building housing the business).

Disaster Recovery – Disaster recovery (DR) is the process, policies and procedures for recovering or continuing an organization's vital technology infrastructure following a natural or human-induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves planning to keep the business functioning during disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.

Public security – Public security is a government function ensuring the protection of citizens, organizations, and institutions against threats to their well-being and to community prosperity.

Emergency Management – Emergency management protects communities by coordinating and integrating all activities necessary to build, sustain, and improve the capability to mitigate against, prepare for, respond to, and recover from threatened or actual natural disasters, acts of terrorism, or other man-made disasters.

Emergency management is:

Comprehensive – emergency managers consider and take into account all hazards, all phases, all stakeholders and all impacts relevant to disasters.

Progressive – emergency managers anticipate future disasters and take preventive and preparatory measures to build disaster-resistant and disaster-resilient communities.

Risk-driven – emergency managers use sound risk management principles (hazard identification, risk analysis, and impact analysis) in assigning priorities and resources.

Integrated – emergency managers ensure unity of effort among all levels of government and all elements of a community.

Collaborative – emergency managers create and sustain broad and sincere relationships among individuals and organizations to encourage trust, advocate a team atmosphere, build consensus, and facilitate communication.

Coordinated – emergency managers synchronize the activities of all relevant stakeholders to achieve a common purpose.

Flexible – emergency managers use creative and innovative approaches in solving disaster challenges.

Professional – emergency managers value a science and knowledge-based approach based on education, training, experience, ethical practice, public stewardship and continuous improvement.

Law Enforcement – Law enforcement, broadly, is a system organized to promote adherence to the law by discovering and punishing persons who violate the rules and norms governing society. Law enforcement encompasses courts and prisons, people directly engaged in patrols or surveillance to dissuade and discover criminal activity, and people who investigate crimes and apprehend offenders. Law enforcement is concerned with the prevention and punishment of crimes. Organizations also exist to discourage non-criminal violations of rules and norms, enforced through the imposition of less severe consequences.

Corrections – In criminal justice, the terms correction, corrections, and correctional describe functions performed by government agencies involving the punishment, treatment, and supervision of persons convicted of crimes. These functions include imprisonment, parole and probation. A correctional institution is a prison. A correctional (penal) system is the network of agencies administering a jurisdiction's prisons and community-based programs, including parole and probation boards; the system also includes police, prosecution and courts. Jurisdictions have departments of corrections, correctional services, or similar agencies.

Crime Prevention – Crime prevention reduces victimization and deters crime and criminals. The term is applied to efforts made by governments to reduce crime, enforce the law, and maintain criminal justice.

Border Management – Border management comprises the measures countries use to monitor or regulate their borders. Border controls govern both the inflow and outflow of people, animals and goods across borders. Government agencies are created to perform border controls, with functions including customs, immigration, security, and quarantine. The official designations, jurisdictions and command structures of these agencies vary considerably by location.

Internal Services – Internal services are the control processes effected by an organization's structure, work and authority flows, people and management information systems, designed to accomplish specified goals or objectives. Internal services direct, monitor, and measure resource performance. They support preventing and detecting fraud and protecting organization resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). At an organizational level, internal control objectives support the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At a transaction level, internal control is the set of actions taken to achieve an objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which require internal control improvements in United States public corporations. Internal controls in business entities are called operational controls.

The CISSP® CBK v3 consists of the following ten domains:

Domain 1 — Access Controls (v4.5)

Domain 2 — Telecommunications and Network Security (v4.4)

Domain 3 — Information Security Governance & Risk Management (v4.1)

Domain 4 — Software Development Security (v4.8)

Domain 5 — Cryptography (v4.3)

Domain 6 — Security Architecture and Design (v4.3/v4.6)

Domain 7 — Security Operations (v4.7)

Domain 8 — Business Continuity and Disaster Recovery Planning (v4.2)

Domain 9 — Legal, Regulations, Investigations, and Compliance (v4.1)

Domain 10 — Physical (Environmental) Security (v4.3)

Note: The version number to the right of each domain is the corresponding domain in the (ISC)²® CISSP CBK v4.

The CISSP® CBK v4 consists of the following ten domains:

Domain 1 — Security & Risk Management

Domain 2 — Asset Security

Domain 3 — Security Engineering

Domain 4 — Communications & Network Security

Domain 5 — Identity & Access Management

Domain 6 — Security Assessment & Testing

Domain 7 — Security Operations

Domain 8 — Security in the Software Development Life Cycle

©1998-2015 Chuck Morrison, South SF Bay Area & North Central Coast, CA, All rights reserved

Quiz – What are the three CIA information protection goals? (2 questions)

Section 3 – Security Risk Management

Goals:

Understand Confidentiality, Integrity, and Availability (CIA) concepts and relationships

Overview key principles and objectives of CISSP domains

Apply concepts of safety and security to portfolio, program, and project management

Project Management consulting and mentoring on methodology, and dealing with security and risk management

Apply safety and security concepts to assets, SDLC security, Communications & Networks security

Understand and apply concepts related to identity and access management

Understand and apply concepts related to security assessment and testing and security operations

Apply Personally Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS) concepts

Lecture 23 – Security Risk Management

Discussion –

Federal Emergency Management Agency (FEMA)

FEMA's Risk Management Series (RMS) provides design guidance for mitigating multi-hazard events. The series includes a large body of man-made disaster publications aimed at strengthening the building inventory to reduce the potential impact of the forces anticipated in a terrorist assault. The objective of the series is to reduce physical damage to structural and nonstructural components of buildings and related infrastructure, and to reduce the resulting casualties, from conventional bombs; chemical, biological, and radiological (CBR) agents; earthquakes; floods; and high winds. The underlying premise is that by improving the mitigation and security of high-occupancy buildings, the nation is better positioned to protect itself from potential threats and hazards. The intended audience includes architects and engineers working for private institutions, building owners/operators/managers, and state and local government officials working in the building sciences community.

Federal Security Risk Management

Purpose

Evaluate risk to facility

Quantify risk and establish acceptable risks

Determine measures & costs required to reduce unacceptable risk to acceptable level

Identify Assets & Mission

Determine Credible Threats

Determine Risk Level for Each Threat

Vulnerability to Threat – Very High, High, Moderate, Low

Loss Impact – Devastating, Severe, Noticeable, Minor

Determine Acceptability of Risk

Risk Rating Interpretation

Red – These risks are very high. Countermeasures recommended to mitigate them should be implemented as soon as possible (ASAP).

Yellow – These risks are moderate. Countermeasure implementation should be planned for the near future.

Green – These risks are low. Countermeasure implementation will enhance security but is less urgent than for the risks above.

Identify Upgrades

Re-evaluate Threats based on upgraded Countermeasures

Repeat if risk ratings are not reduced

Proceed with Upgrades


Lecture 24 – Security Management …

Discussion –

Laws, Regulations, Requirements, Organizational Policies, Goal, Objectives, & Strategies

General Organizational Policy – Management's Security Statement

Functional Implementing Policies – Management's Security Directives

Standards – Specific Hardware & Software

Procedures – Step-by-Step Instructions

Baselines – Minimum Level of Security

Guidelines - Recommendations


Lecture 25 – Security Risk Management Methodology …

Discussion –

Security Risk Management Methodology

Purpose

Evaluate risk to facility

Quantify risk and establish acceptable risks

Determine measures & costs required to reduce unacceptable risk to acceptable level

Identify Assets & Mission

Determine Credible Threats

Determine Risk Level for Each Threat

Vulnerability to Threat – Very High, High, Moderate, Low

Loss Impact – Devastating, Severe, Noticeable, Minor

Determine Acceptability of Risk

Risk Rating Interpretation

Red – These risks are very high. Countermeasures recommended to mitigate them should be implemented as soon as possible (ASAP).

Yellow – These risks are moderate. Countermeasure implementation should be planned for the near future.

Green – These risks are low. Countermeasure implementation will enhance security but is less urgent than for the risks above.

Identify Upgrades

Re-evaluate Threats based on upgraded Countermeasures

Repeat if risk ratings are not reduced

Proceed with Upgrades
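The evaluate, identify upgrades, re-evaluate and repeat loop of the methodology above (the same procedure is given in Lecture 23), as an added Python example that is not part of the course: the numeric scores, the Red/Yellow/Green thresholds, the rule that each upgrade lowers vulnerability one level, and the facility threats are all assumptions constructed for the example.

```python
"""Walk-through of the facility risk methodology (Lectures 23 and 25): rate each
credible threat by vulnerability and loss impact, classify it Red/Yellow/Green,
identify upgrades for unacceptable risks, re-evaluate and repeat. Added example,
not course material; scores, thresholds and upgrade effect are assumptions."""
from dataclasses import dataclass, field

# Qualitative scales from the course, mapped to assumed scores 1..4 by position.
VULN_LEVELS = ["Low", "Moderate", "High", "Very High"]
IMPACT_LEVELS = ["Minor", "Noticeable", "Severe", "Devastating"]


@dataclass
class Threat:
    asset: str                  # from the "Identify Assets & Mission" step
    name: str                   # a credible threat to that asset
    vulnerability: str          # one of VULN_LEVELS
    loss_impact: str            # one of IMPACT_LEVELS
    upgrades: list = field(default_factory=list)   # countermeasures applied so far


def risk_score(t: Threat) -> int:
    """Assumed score: vulnerability level (1..4) times loss impact level (1..4)."""
    return (VULN_LEVELS.index(t.vulnerability) + 1) * (IMPACT_LEVELS.index(t.loss_impact) + 1)


def risk_rating(t: Threat) -> str:
    """Red = very high (mitigate ASAP), Yellow = moderate (plan soon), Green = low."""
    score = risk_score(t)
    return "Red" if score >= 9 else "Yellow" if score >= 4 else "Green"


def apply_upgrade(t: Threat, countermeasure: str) -> bool:
    """Record an upgrade; assumed effect: vulnerability drops one level (False if already Low)."""
    idx = VULN_LEVELS.index(t.vulnerability)
    if idx == 0:
        return False
    t.vulnerability = VULN_LEVELS[idx - 1]
    t.upgrades.append(countermeasure)
    return True


def mitigate(threats, candidate_upgrades, acceptable=("Yellow", "Green")):
    """Apply each threat's candidate upgrades, in order, while its rating is
    unacceptable. Returns (final rating per threat, threats still unacceptable)."""
    residual = []
    for t in threats:
        queue = list(candidate_upgrades.get(t.name, []))
        while risk_rating(t) not in acceptable:
            if not queue or not apply_upgrade(t, queue.pop(0)):
                residual.append(t.name)   # residual risk: needs formal acceptance
                break
    return {t.name: risk_rating(t) for t in threats}, residual


def sample_assessment():
    """Constructed facility example (not from the course)."""
    threats = [
        Threat("server room", "unauthorized entry", "Very High", "Severe"),
        Threat("lobby", "vehicle bomb", "High", "Devastating"),
        Threat("loading dock", "theft", "Moderate", "Minor"),
        Threat("data center", "earthquake", "Very High", "Devastating"),
    ]
    upgrades = {
        "unauthorized entry": ["badge access control", "CCTV and guard post"],
        "vehicle bomb": ["standoff bollards"],
        "earthquake": ["seismic bracing"],
    }
    ratings, residual = mitigate(threats, upgrades)
    return ratings, residual, threats
```

The earthquake threat stays Red after its only candidate upgrade, which is the "repeat if risk ratings are not reduced" branch: with no further upgrade available it is reported as residual risk for management to accept or fund.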


Lecture 26 – CISSP Process Groups Knowledge Areas (PMBOK Template) …

Discussion –

CISSP Process Groups Knowledge Areas

Knowledge Areas

Domain 5 – Identity & Access Management (v4) – Identity & Access Control (v3)

Domain 8 – Security in the Software Development Life Cycle (v4) – Application Software Development Security (v3)

Domain 3 – Cryptography (v3) … see below

Domain 7 – Security Operations (v4) – Operations Security (v3)

Domain 3 – Security Engineering (v4) – Security Architecture & Design (v3), Cryptography (v3), Physical (Environmental) Security (v3)

Domain 4 – Communications & Network Security (v4) – Telecommunications and Network Security (v3)

Domain 0 – Public & Private Safety

Domain 1 – Security & Risk Management (v4) – Information Security, Governance & Risk Management (v3), Legal Regulations, Investigations and Compliance (v3)

Domain 2 – Asset Security (v4) – Business Continuity & Disaster Recovery Planning (v3)

Domain 6 – Security Assessment & Testing (v4) – Security Architecture and Design (v3) … see Security Management (Lecture 22) & Security Risk Management Methodology (Lecture 23)

Process Groups

Initiating

Planning

Executing

Monitoring & Controlling

Closing

Quiz – Which of the following are Safety and Security Critical Success Factors? (1 question)

Lecture 27 – CISSP Domains Overview for Project Managers – Conclusion …

Congratulations! You've made it. You've completed all of the Course Goals:

Course Goals

Creation and maintenance of standards and methods

Understand Confidentiality, Integrity, and Availability (CIA) concepts and relationships

Overview key principles and objectives of CISSP domains

Apply concepts of safety and security to portfolio, program, and project management

Project Management consulting and mentoring on methodology, and dealing with security and risk management

Apply safety and security concepts to assets, SDLC security, Communications & Networks security

Understand and apply concepts related to identity and access management

Understand and apply concepts related to security assessment and testing and security operations

Apply Personally Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS) concepts

Thank you and congratulations for taking this opportunity for yourself to expand your skills and knowledge. Thank you for your decision to complete this course successfully.

And, please, if you have any questions about any part of this training, or any questions related to this course or Udemy, please ask. You have my promise to find you an answer.

If you found my course useful, please consider leaving a review and rating. Your review is much appreciated. You can go directly to the review page for this course then click and enter your review and rating.

Thank You and Best Regards, Chuck Morrison, MBA, PMP

http://www.linkedin.com/in/chuckmorrison

http://www.chuckmorrison.com


Lecture 28 – Glossary …

For definitions of terms used in this course, please see the downloadable Glossary.


Lecture 29 – For Further Reading …

OO UML was developed by “The 3 Amigos”, Grady Booch, Ivar Jacobson and James Rumbaugh, at Rational Software during 1994–95, with further development led by them through 1996. … Rational Software was transferred to IBM … OO UML has been accepted by the OMG and ISO.

References:

A Guide to the Project Management Body of Knowledge (PMBOK Guide) Fourth Edition, Project Management Institute, 2008

A Guide to the Business Analysis Body of Knowledge® (BABOK® Guide), 2nd Edition, International Institute of Business Analysis, 2009

Advanced Use Case Modeling: Software Systems (v. 1), Frank Armour, Addison-Wesley, 2001

Getting It Right: Business Requirement Analysis Tools and Techniques, Kathleen B. Hass, Management Concepts, 2007

Mastering the Requirements Process (2nd Edition), Suzanne Robertson, et al, Addison-Wesley, 2006

Object-Oriented Analysis and Design with Applications (3rd Edition), Grady Booch, Addison-Wesley, 2007

Patterns for Effective Use Cases (The Agile Software Development Series), Alistair Cockburn, et al, Addison-Wesley, 2002

Practice Standard for Work Breakdown Structures, 2nd Edition, Project Management Institute, 2006

Professionalizing Business Analysis: Breaking the Cycle of Challenged Projects, Kathleen B. Hass, Management Concepts, 2007

Seven Steps to Mastering Business Analysis, Barbara A. Carkenord, J. Ross Publishing, 2008

The Art and Power of Facilitation: Running Powerful Meetings, Kathleen Hass, Management Concepts, 2007

The Business Analyst as Strategist: Translating Business Strategies into Valuable Solutions, Kathleen Hass, Management Concepts, 2007

The Elements of UML(TM) 2.0 Style, Scott Ambler, Cambridge University Press, 2005

The Unified Software Development Process, Ivar Jacobson, et al, Addison-Wesley, 1999

The Unified Modeling Language Reference Manual (2nd Edition) (The Addison-Wesley Object Technology Series), James Rumbaugh, et al, Addison-Wesley, 2004

The Unified Modeling Language User Guide (2nd Edition), Grady Booch, et al, Addison-Wesley, 2005

UML Distilled: A Brief Guide to the Standard Object Modeling Language (3rd Edition), Martin Fowler, Addison-Wesley, 2003

UML 2 and the Unified Process: Practical Object-Oriented Analysis and Design (2nd Edition), Jim Arlow, et al, Addison-Wesley, 2005

Unearthing Business Requirements: Elicitation Tools and Techniques, Kathleen Hass, Management Concepts, 2007

What Not How: The Business Rules Approach to Application Development, C. J. Date, Addison-Wesley Professional, 2000

Writing Effective Use Cases, Alistair Cockburn, Addison-Wesley, 2000

Instructor Biography

Chuck Morrison, Program/Project Manager & Business/IT Architect (MBA, PMP)

“A working model using mission-driven measures in a team approach enables focus on profitable customer-driven solutions."

With extensive Program Management and Business Architecture experience in Silicon Valley, California, it's been my good fortune and opportunity to work with many Fortune 500 companies. Workflow modeling is my expertise, joy and passion. As a seasoned professional, my enjoyment is using and sharing these skills and knowledge with others through teaching and writing. Chuck has also authored and published other Udemy courses, Amazon eBooks, LinkedIn SlideShare presentations, and YouTube videos.

PMI PMP certified: Principal Strategist, Architect, and Leader with MBA and extensive experience in business and technology consulting, planning, designing, mentoring, negotiating, and delivering project, product, program, and process solutions. Successful track record planning, managing, and leading small to multi-site, concurrent, complex cross-functional projects and portfolios requiring business process engineering, Internet and information technology, quality management, instrumentation, and training.

Specialties:

Programs/Projects Management (PMI PMP): Program, Product, Project, and Process (SDLC, Agile, PMBOK, DMAIC, RUP, ITIL, InfoSec, NetSec, CISSP)

Business/Technical Process/Systems Modeling, Analysis, and Design (UML, OOA/D, BRD, MRD, FRD, HLD, ERD)

Web Portal Planning, Design, Documentation, and QA (Web 2.0, HTML, TCP/IP, HTTP, B2B, B2C)

Client/Team-Focused Consultant, Mentor, and Communicator

Inventory/Supply Chain Modeling/Management (APICS CPIM)

Thank You and Best Regards,
Chuck Morrison, MBA, PMP, CPIM, WWISA
