Table of Contents

• 1.1 - Understand, adhere to, and promote professio …

  • Code of Ethics Cannons

• 1.2 Understand and apply security concepts

• 1.3 - Evaluate and apply security governance princ …

  • COBIT

    • Key principles

  • ITIL (Information Technology Infrastructure Librar …

  • Due diligence

  • Due care

• 1.4 - Determine compliance and other requirements

• 1.5 - Understand legal and regulatory issues that …

  • Computer Fraud and Abuse Act (CFAA):

  • Electronic Communications Privacy Act (ECPA)

  • Federal Sentencing Guidelines

  • Federal Information Security Management Act (FISMA …

  • Digital Millennium Copyright Act

  • GDPR

  • Lanham Act

  • Gramm-Leach-Bliley (GLB)

  • HIPPA

  • Bureau of Industry and Security

  • Communications Assistance for Law Enforcement Act …

  • The Privacy Act of 1974

  • COPPA

  • Glass Steagall Act

  • Economic Espionage Act

  • The Code of Federal Regulations (CFR)

  • Intellectual Property Protection and Licensing

• 1.6 - Understand requirements for investigation ty …

  • Types of law

• 1.7 - Develop, document, and implement security po …

• 1.8 - Identify, analyze, and prioritize Business C …

• 1.9 - Contribute to and enforce personnel security …

  • ISO27k Series

• 1.10 - Understand and apply risk management concep …

  • Risk Management Framework

  • Quantitative Risk Analysis Steps

  • Defense in Depth

  • Risk Maturity Model (RMM)

• 1.11 - Understand and apply threat modeling concep …

  • STRIDE

  • DREAD

  • PASTA

  • VAST

• 1.12 - Apply Supply Chain Risk Management (SCRM) c …

• 1.13 - Establish and maintain a security awareness …

• Links

1.1 - Understand, adhere to, and promote professional ethics

• ISC2 Code of Professional Ethics

• Organizational code of ethics

Notes:

https://www.isc2.org/ethics

Code of Ethics Cannons

• Protect society, the common good, necessary public trust and confidence, and the infrastructure.

• Act honorably, honestly, justly, responsibly, and legally.

• Provide diligent and competent service to principals.

• Advance and protect the profession.

Distractor:

http://computerethicsinstitute.org/publications/tencommandments.html

1.2 Understand and apply security concepts

• Confidentiality, integrity, and availability, authenticity and nonrepudiation

  • Authenticity: Genuine. Verified to be from claimed origin. Not a deep fake! Hash signed by my private key, decrypted with public key

  • Non-repudiation: subject of an activity can’t deny that an event occurred or was done by someone else. Threat actor identity is known and they can’t cover their tracks.

1.3 - Evaluate and apply security governance principles

• Alignment of the security function to business strategy, goals, mission, and objectives

• Organizational processes (e.g., acquisitions, divestitures, governance committees)

• Organizational roles and responsibilities

• Security control frameworks

• Due care/due diligence

  • Governance outcome: everyone knows the company’s risk appetite, and makes decisions aligned to it

  • Starts with the Board

COBIT

https://www.isaca.org/resources/cobit 

• Governance related but in the Security Control Frameworks section

• The COBIT toolkit has a spreadsheet with objectives and practice descriptions

• E.g. Align, Plan & Organize APO07.01 “Evaluate internal and external staffing requirements…”

Key principles

• End-to-End Governance System

  • Concerned with value delivery from digital transformation and mitigation of associated business risk

• Provide Stakeholder Value

  • 3 main outcomes

    • Benefits realization

    • Risk optimization

    • Resource optimization

• Holistic Approach

  • Not limited to the IT department

• Governance Distinct from Management

• Dynamic Governance System

• Tailored to Enterprise Needs