

My CISSP Notes: Information Security Governance and Risk Management

October 2012

Note: these notes were made using the following books: CISSP Study Guide and CISSP for Dummies.

The Information Security Governance and Risk Management domain focuses on risk analysis and mitigation. This domain also details security governance, or the organizational structure required for a successful information security program.

Confidentiality seeks to prevent the unauthorized disclosure of information. In other words, confidentiality seeks to prevent unauthorized read access to data. Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access. Availability ensures that information is available when needed. The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD).

The term AAA is often used, describing the cornerstone concepts Authentication, Authorization, and Accountability. Authorization describes the actions you can perform on a system once you have identified and authenticated. Accountability holds users accountable for their actions. This is typically done by logging and analyzing audit data. Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity: nonrepudiation authenticates the identity of the user who performs a transaction, and ensures the integrity of that transaction. You must have both authentication and integrity to have nonrepudiation.

Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.
Defense in Depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset.

Risk analysis

Assets are valuable resources you are trying to protect. A threat is a potentially harmful occurrence, like an earthquake, a power outage, or a network-based worm; in other words, a threat is a negative action that may harm a system. A vulnerability is a weakness that allows a threat to cause harm. Risk = Threat × Vulnerability. To have risk, a threat must connect to a vulnerability. The Risk = Threat × Vulnerability equation sometimes uses an added variable called impact: Risk = Threat × Vulnerability × Impact. Impact is the severity of the damage, sometimes expressed in dollars. Loss of human life has near-infinite impact on the exam: when calculating risk using the Risk = Threat × Vulnerability × Impact formula, any risk involving loss of human life is extremely high and must be mitigated. The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a risk.
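As an added worked example (not part of the original notes, and not the exam's or the books' code), the following Python puts the quantitative terms these notes use into one calculation: SLE = AV × EF, ALE = SLE × ARO, an annualized Total Cost of Ownership for a safeguard, and the safeguard's yearly ROI as the ALE reduction minus its annual TCO. It also applies the exam rule that a risk involving loss of human life is mitigated regardless of cost. The file-server scenario and its figures, the five-year spreading of the upfront cost, and the "mitigate if any safeguard saves money, otherwise accept" decision rule are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One risk scenario expressed in the exam's quantitative terms."""
    name: str
    asset_value: float         # AV: value of the asset, in dollars
    exposure_factor: float     # EF: fraction of AV lost per incident (0.0 to 1.0)
    aro: float                 # ARO: expected number of incidents per year
    life_safety: bool = False  # loss of human life possible: near-infinite impact

    def __post_init__(self) -> None:
        # EF is a percentage of asset value; anything outside 0..1 is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A mitigating control and what it does to the risk it protects against."""
    name: str
    upfront_cost: float                  # one-time capital expense
    annual_cost: float                   # maintenance, staff hours, subscriptions, ...
    lifetime_years: int                  # assumed period over which the upfront cost is spread
    residual_aro: float                  # ARO once the safeguard is in place
    residual_ef: Optional[float] = None  # EF once in place; None means unchanged

    def annual_tco(self) -> float:
        """Total Cost of Ownership per year: spread upfront cost plus annual running cost."""
        return self.upfront_cost / self.lifetime_years + self.annual_cost


def residual_risk(risk: Risk, sg: Safeguard) -> Risk:
    """The same scenario with the safeguard's reduced EF and/or ARO applied."""
    ef = risk.exposure_factor if sg.residual_ef is None else sg.residual_ef
    return Risk(risk.name, risk.asset_value, ef, sg.residual_aro, risk.life_safety)


def annual_roi(risk: Risk, sg: Safeguard) -> float:
    """Money saved per year: (ALE before - ALE after) - annual TCO of the safeguard."""
    return risk.ale() - residual_risk(risk, sg).ale() - sg.annual_tco()


def recommend(risk: Risk, safeguards: List[Safeguard]) -> Tuple[str, Optional[str]]:
    """Return ("mitigate", safeguard name) or ("accept", None).

    Assumed decision rule: mitigate with the safeguard that saves the most money per
    year if any of them saves money at all; otherwise accept (or transfer) the risk.
    A risk that can cost human life is mitigated regardless of ROI, choosing the
    safeguard that leaves the smallest residual ALE.
    """
    if not safeguards:
        return ("accept", None)
    if risk.life_safety:
        best = min(safeguards, key=lambda s: residual_risk(risk, s).ale())
        return ("mitigate", best.name)
    best = max(safeguards, key=lambda s: annual_roi(risk, s))
    if annual_roi(risk, best) <= 0:
        return ("accept", None)
    return ("mitigate", best.name)


# Constructed scenario (not from the notes): a file server hit by ransomware about
# once every two years, losing a quarter of its value each time.
FILE_SERVER = Risk("file server ransomware", asset_value=200_000,
                   exposure_factor=0.25, aro=0.5)

# Two candidate safeguards: cheap backups cut the loss per incident; an expensive
# appliance cuts how often incidents happen.
BACKUPS = Safeguard("offline backups", upfront_cost=20_000, annual_cost=5_000,
                    lifetime_years=5, residual_aro=0.5, residual_ef=0.125)
APPLIANCE = Safeguard("inline anti-malware appliance", upfront_cost=100_000,
                      annual_cost=30_000, lifetime_years=5, residual_aro=0.125)

if __name__ == "__main__":
    print(f"SLE = {FILE_SERVER.sle():,.0f}  ALE = {FILE_SERVER.ale():,.0f}")
    for sg in (BACKUPS, APPLIANCE):
        print(f"{sg.name}: annual TCO {sg.annual_tco():,.0f}, "
              f"ROI {annual_roi(FILE_SERVER, sg):,.0f}")
    print(recommend(FILE_SERVER, [BACKUPS, APPLIANCE]))
```

With these constructed figures the server's SLE is 50,000 and its ALE 25,000; the backups cost 9,000 a year and save 3,500 a year net, while the appliance costs 50,000 a year to avoid 18,750 of expected loss, so the backups are recommended. Mark the same scenario as life safety and the rule flips to the appliance, because it leaves the smallest residual ALE whatever it costs.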
Once calculated, ALE allows you to make informed decisions to mitigate the risk. The Asset Value (AV) is the value of the asset you are trying to protect. The Exposure Factor (EF) is the percentage of an asset's value lost due to an incident. The Single Loss Expectancy (SLE) is the cost of a single loss: SLE = AV × EF. The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO): ALE = SLE × ARO. The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. TCO combines upfront costs (often a one-time capital expense) plus the annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc. The Return on Investment (ROI) is the amount of money saved by implementing a safeguard. PII: Personally Identifiable Information.

Risk Choices

Once we have assessed risk, we must decide what to do. Options include accepting the risk, mitigating or eliminating the risk, transferring the risk, and avoiding the risk. Quantitative and Qualitative Risk Analysis are two methods for analyzing risk. Quantitative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis uses simple approximate values. Quantitative is more objective; qualitative is more subjective.

The risk management process

The Risk Management Guide for Information Technology Systems (see http csrc) describes a 9-step Risk Analysis process:

1. System Characterization: describes the scope of the risk management effort and the systems that will be analyzed.
2. Threat Identification and 3. Vulnerability Identification: identify the threats and vulnerabilities required to identify risks using the Risk = Threat × Vulnerability formula.
4. Control Analysis: analyzes the security controls (safeguards) that are in place or planned to mitigate risk.
5. Likelihood Determination.
6. Impact Analysis.
7. Risk Determination.
8. Control Recommendations.
9. Results Documentation.

Information Security Governance

Information Security Governance is information security at the organizational level.

Security Policy and related documents

Policies are high-level management directives. Policy is high level: it does not delve into specifics. All policy should contain these basic components: Purpose, Scope, Responsibilities, Compliance. NIST Special Publication 8. Program policy establishes an organization's information security program. A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory. A standard describes the specific use of technology, often applied to hardware and software. Standards are mandatory. They lower the Total Cost of Ownership of a safeguard. Standards also support disaster recovery. Guidelines are recommendations, which are discretionary. Baselines are uniform ways of implementing a safeguard.

Roles and responsibilities

Primary information security roles include senior management, data owner, custodian, and user. Senior Management creates the information security program and ensures that it is properly staffed, funded, and has organizational priority. It is responsible for ensuring that all organizational assets are protected. The Data Owner (also called information owner or business owner) is a management employee responsible for ensuring that specific data is protected. Data owners determine data sensitivity labels and the frequency of data backup.
The Data Owner (capital O) is responsible for ensuring that data is protected. A user who owns data (lower case o) has read/write access to objects. A Custodian provides hands-on protection of assets such as data. Custodians perform data backups and restoration, patch systems, configure antivirus software, etc. They follow detailed orders; they do not make critical decisions on how data is protected. Users must follow the rules: they must comply with mandatory policies, procedures, standards, etc.

Complying with laws and regulations is a top information security management priority, both in the real world and on the exam. The exam will hold you to a very high standard in regard to compliance with laws and regulations. We are not expected to know the law as well as a lawyer, but we are expected to know when to call a lawyer. The most legally correct answer is often the best for the exam. Privacy is the protection of the confidentiality of personal information.

Due care and Due Diligence