“If the Internet were a city street, I would not travel it in daylight.” ~ CISSP Guide to Security Essentials by Peter Gregory 1

It is a good introductory book to learn security concepts. It covers a lot of ground and is well written. It can be used as a textbook to teach foundational concepts at an undergraduate level. Also, since people are introduced to technology much earlier in life these days, I think this book could also be a reference for high school teachers.

Notes 2

Chapter 1. Information Security and Risk Management

Organizational Purpose

  • Mission - An overarching statement of purpose and reason for existence of a company.
  • Objectives - An objective is something that needs to be achieved.
  • Goals - A goal (or a Key Result) is a specific and time-bound activity that is measurable and contributes to accomplishing an objective.
  • Security Support of M/O/G - Security professionals develop processes and practices to protect assets. They assess risk and put risk mitigation plans in place.

Risk Management

  • Process of identifying and managing risks, minimizing losses.

Risk Management Principles

  • Risk Assessment - How to assess risk?
    • Qualitative Risk Assessment - Assesses risk in relative terms, using descriptive information that is generally not precisely measurable. Typical elements: classification based on risk, vulnerabilities, threats, threat probability (L/M/H), impact (L/M/H), and countermeasures.
    • Quantitative Risk Assessment - Assesses risk using measurable values (metrics). Elements of a quantitative risk assessment: Asset Value (AV), Exposure Factor (EF), Single Loss Expectancy (SLE) = AV ($) x EF (%), Annualized Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE) = ARO x SLE.
      • Quantifying Countermeasures - Countermeasures that were expressed as a ‘list of things to do’ in a qualitative assessment can be quantified using ALE: the benefit of a countermeasure is expressed through the change in EF or SLE (and therefore ALE) it produces, set against the cost of the countermeasure itself.
      • Geographic considerations - Organizations can refine their quantitative assessments by calculating these metrics per geographic location.
    • Specific Risk Assessment Methodologies - For complex organizations, there are many formal risk assessment methodologies developed by governmental organizations and large companies. Some of them are - OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) developed by CMU’s SEI, FRAP (Facilitated Risk Analysis Process), Spanning Tree Analysis (similar to a mind map), and NIST 800-30, Risk Management Guide for Information Technology Systems.
  • Risk Treatment - How to manage assessed risks? Four general approaches - Avoid, Mitigate, Accept, Transfer.
    • Risk Avoidance - Remove the activity/asset that introduces the risk from the system.
    • Risk Mitigation - Use countermeasures to reduce the impact.
    • Risk Acceptance - Accept the risk, especially if it is below some acceptance threshold.
    • Risk Transfer - Transfer the cost of impact to someone else, say an insurance company.
    • Residual Risk - Risk that remains after applying the above strategies (avoid, mitigate, transfer).
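The quantitative formulas above (SLE = AV x EF, ALE = ARO x SLE), the cost-versus-benefit view of a countermeasure, and the per-location roll-up can be worked through in a few lines of code. The following is an added example and is not from the book or from this post; every asset value, exposure factor, occurrence rate, location name and control cost in it is constructed for illustration.

```python
"""Quantitative risk assessment worked through in code (added example).

Numbers below are constructed, not taken from the book or any real
organization. They exist only to show the arithmetic and how a control's
value changes from one site to another.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pairing at one geographic location."""
    location: str
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Countermeasure:
    """A control described by its yearly cost and its effect on EF and ARO.

    A multiplier of 0.25 on EF means the control cuts the loss per incident
    to a quarter; a multiplier of 0.2 on ARO means incidents become 5x rarer.
    """
    name: str
    annual_cost: float
    ef_multiplier: float = 1.0
    aro_multiplier: float = 1.0

    def apply(self, s: Scenario) -> Scenario:
        """Return the scenario as it looks with this control in place."""
        return Scenario(s.location, s.asset, s.asset_value,
                        s.exposure_factor * self.ef_multiplier,
                        s.aro * self.aro_multiplier)


def annual_benefit(s: Scenario, cm: Countermeasure) -> float:
    """Net yearly value of a control: ALE reduction minus its cost.

    A negative result means the control costs more than the risk it removes
    for this particular scenario, which is the signal to accept or transfer
    that risk instead of mitigating it here.
    """
    return s.ale() - cm.apply(s).ale() - cm.annual_cost


def ale_by_location(scenarios) -> dict:
    """Roll ALE up per geographic location (the 'geographic considerations' point)."""
    totals: dict = {}
    for s in scenarios:
        totals[s.location] = totals.get(s.location, 0.0) + s.ale()
    return totals


# Constructed sample data: the same kind of asset at two hypothetical sites.
SCENARIOS = [
    Scenario("Austin", "customer database", 1_000_000, 0.4, 0.5),
    Scenario("Dublin", "customer database", 500_000, 0.4, 0.2),
]

# Constructed control: encryption at rest, assumed to cut EF to a quarter.
ENCRYPT_AT_REST = Countermeasure("encrypt at rest", 35_000, ef_multiplier=0.25)


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.location}: SLE={s.sle():,.0f} ALE={s.ale():,.0f} "
              f"benefit of '{ENCRYPT_AT_REST.name}'={annual_benefit(s, ENCRYPT_AT_REST):,.0f}")
    print("ALE by location:", ale_by_location(SCENARIOS))
```

With these constructed inputs the control is clearly worth its cost at the larger site and slightly loses money at the smaller one, which is exactly the kind of per-location answer the geographic breakdown is meant to surface.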

Security Management Concepts

  • Security has moved from being a task to a standalone professional discipline, so there are frameworks and foundational concepts that one needs to know.
  • ISO 27001 (specifically ISO/IEC 27000:2018) is a widely known standard and provides an overview of information security management systems (ISMS).
  • Security Controls - Controls that are put in place in an organization to ensure adherence to security policies. Measures to reduce risk.
  • CIA Triad - Confidentiality (Only authorized people can access data), Integrity (Data is not tampered with unless authorized), Availability (System is available for users to use).
  • Defense in Depth - Do not rely on a single method of protecting assets. Use multiple layers (comprehensive), different types (heterogeneity).
  • Single Points of Failure (SPOF) - Failure of one component results in failure of the entire system.
  • Fail open, Fail closed, Fail safe - How a system behaves when one of its security controls fails:
    • Fail open - A security control fails, but the system functions.
    • Fail closed - A security control fails and the system stops working.
    • Fail safe - A security control fails, but the system functions.
  • Privacy - PII
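The fail-open versus fail-closed distinction is ultimately a line of code somewhere: what an access check returns when the control itself cannot run. The following added example (not from the book or this post) makes that decision explicit for a hypothetical permission check whose policy store can become unreachable; the user names, resource paths and the `PolicyUnavailable` error are all constructed.

```python
"""Fail-open versus fail-closed behaviour of an access-control check (added example).

The policy store is a constructed in-memory dictionary and
`PolicyUnavailable` simulates the control failing (for instance a policy
service that is down). Nothing here is from the book or a real system.
"""
from enum import Enum


class PolicyUnavailable(Exception):
    """Raised when the security control cannot reach its policy source."""


class FailureMode(Enum):
    OPEN = "open"      # control fails -> requests are allowed, system keeps working
    CLOSED = "closed"  # control fails -> requests are denied, system stops serving


# Constructed policy: which users may read which resources.
POLICY = {
    ("alice", "/payroll"): True,
    ("bob", "/payroll"): False,
}

# Audit trail of decisions taken while the control was failing. A defender
# wants these visible: a fail-open fallback that nobody notices is an
# unmonitored hole, and a fail-closed fallback is an outage to explain.
AUDIT: list = []


def lookup_policy(user: str, resource: str, available: bool = True) -> bool:
    """The security control. `available=False` simulates the control failing."""
    if not available:
        raise PolicyUnavailable("policy store unreachable")
    return POLICY.get((user, resource), False)


def is_allowed(user: str, resource: str, mode: FailureMode,
               available: bool = True) -> bool:
    """Decide access; on control failure, apply the configured failure mode."""
    try:
        return lookup_policy(user, resource, available)
    except PolicyUnavailable as exc:
        decision = mode is FailureMode.OPEN
        AUDIT.append({"user": user, "resource": resource,
                      "reason": f"policy-unavailable: {exc}",
                      "mode": mode.value, "allowed": decision})
        # Fail open keeps availability at the cost of confidentiality;
        # fail closed keeps confidentiality at the cost of availability.
        return decision


if __name__ == "__main__":
    # Normal operation: the policy decides.
    print("alice /payroll:", is_allowed("alice", "/payroll", FailureMode.CLOSED))
    print("bob   /payroll:", is_allowed("bob", "/payroll", FailureMode.CLOSED))
    # Control failure: the failure mode decides, and the event is audited.
    print("bob, control down, fail open  :",
          is_allowed("bob", "/payroll", FailureMode.OPEN, available=False))
    print("bob, control down, fail closed:",
          is_allowed("bob", "/payroll", FailureMode.CLOSED, available=False))
    print("audit:", AUDIT)
```

Note that under fail open a user the policy would have denied (bob) gets through while the control is down; that is the risk the term names, and the reason the fallback is recorded in `AUDIT` rather than silently taken.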

Security Management

Security Strategies

Personnel Security

Chapter 2. Access Controls

Chapter 3. Software Development Security

Chapter 4. Business Continuity and Disaster Recovery

Chapter 5. Cryptography

Chapter 7. Security Operations

Chapter 8. Physical and Environmental Security

Chapter 9. Security Architecture and Design

Chapter 10. Telecommunications and Network Security

Appendix A: Ten Domains of CISSP

Footnotes

  1. Gregory, P. (2014). CISSP Guide to Security Essentials. United States: Cengage Learning.

  2. CISSP Guide to Security Essentials - Table of Contents