GRC and Audit

Security and Risk Management
CIA Triad confidentiality, integrity and availability

Confidentiality and Integrity tightly coupled on each other
Security control evaluation using CIA Triad
- Scenarios which violates these security CIA triad and how to detect and address
- - For ex: weak encryption and enforce strong encryption
- DOS attacks
- BCP
IAAAA
Layering defense in depth

BCP

Data encryption

Data hiding

Security governance principles (IT and corporate governance)
- Change management (change advisory board)
- Data classification
- - Who are data owners
  - Data custodians
  - Levels of classification
Security policies and security management planning
- Strategic plan
- Tactical plan
- Operational plan
Security frameworks
- NIST 800-53 or 800-100
Org roles
- Senior manager
- Security professional
- Data owner
- Data custodian
- User
- Auditor
Security control frameworks
- COBIT
- OSSTMM
- ISO 27002/1
Security policies
Security standards
Security baselines
Security guidelines
Security procedures
Security governance
Third party governance
Threat modeling
- Proactive
- Reactive
- Stride
- Pasta

Threat reduction analysis
Threat prioritization and reduction
- DREAD
Supply chain and third party service risk assessment
Audit
- PCI
- CJIS
- SOC 2
Separation of duties
Job responsibilities
Job rotation
Cross training
Employee onboarding process
- Security awareness training
Employee termination process
- Access revoke
- Audit activity
NDA
NCA
SLA
- Vendors, contractors, contract agreements
Compliance policy requirements
Privacy policy requirement
Risk Management
- Asset
- - Asset inventory
  - Classes and criticality
  - Asset valuation
- Asset valuation
- Threats
- Vulnerability
- Exposure
- Risk
- Safeguards
- Attack
- Breach
Identifying the threats and vulnerabilities
Risk assessment
- Quantitative risk analysis
- - Exposure factor
  - Single loss expectancy
  - Annualized rate of occurrence
  - Annualized loss expectancy
  - Calculating safe guard costs
- Qualitative risk analysis
- - Risk responses
  - Risk mitigation
    Avoidance
    Etc..
  - Counter measures
  - Security controls
    Physical
    Logical/technical
    Administrative
  - Types of controls
  - Deterrent
    Preventive
    Detective
    Compensating
    Corrective
    Recovery
    Directive
- Security control assessment
- - NIST Guide for Assessing the Security Controls in Federal Information Systems
- RISK frameworks
- - NIST SP 800-37
- Security awareness training
Business continuity plan
Disaster recovery plan
Legal and regulatory requirements
Business Impact Analysis
- Business priorities
- Identifying the risk/risk assessment
- - SaaS application
  - Cloud
Law
- Cyberlaw
- Criminal activity law
- FISMA Act
Compliance
- PCI www.pcisecuritystandards.org/
- SAAS (contracting and procurement)
Asset Security
- Data classification
- - DLP
  - PII
  - PHI
  - Classification levels
- NIST SP 800-122
- Data thefts
- Asset classification
- Data security controls
- - Email data security
  - Strong encryption algo AES 256
- Data states
- - In rest
  - In transit
  - In use
- Labeling
- - Sensitive data
  - Sensitive systems
- Sensitive data destroying
- Data remanence, destruction, clearing, degaussing, purging
- Data protection policies/methods
- Ownership
- - Data owners
  - Asset owners
  - Asset owners
  - Business owners
- Data processors
- - Anonymization
- NIST 800-53
- Security baselines
- - Scoping
  - Standards
  - NISR
    CIS
    PCI

Security Architecture
Cryptography
- FIPS 140
- Ciphers
- One time pads
- Symmetric key
- Asymmetric key
- Hashing
Data encryption standards
Key management
- PKI
- Public key encryption
- Private key encryption
- Key distribution
- Key escrow and recover
- RSA
- Elliptic curve
- Digital signatures
- HMAC
- Public key infra
- Certificate authority
- Certificates
- Digital signing
- TPM
- Portable device encryption
- PGP
- TLS/SSL
- Networking
- - IPSEC
  - Wpa2
  - Wireless
- Cryptographic attacks
- Man in middle attacks
Security architecture references
- Perimeter security
- Access controls
- ITSEC
- Org certification and accreditation
- TPM
- Protection
- - Os level
  - Application
  - Firmware
  - BIOS
  - UEFI

Memory
- Browser
- System/RAM
- Pendrives
- Storage
Client based systems
- Applets
- Java
Server based systems
Cache based attacks
- ARP
- DNS
Database security
Backup monitoring
Distributed systems security
DMZ
Endpoint security
Cloud security
Virutual machines security
Paas
Saas
Iaas
Cloud acces security broker
Peer to peer
IOT https://www .nist.gov/itl/applied-cybersecurity/nist-initiatives-iot
ICS
SCADA
PLC
SAML
HIDS
USB security
Device security
- Device encryption
- Remote wiping
- Lockout
- Screen locks
- GPS
- Application control
- Storage segmentation
- Asset Tracking
- Inventory control
- Mobile Device Management
- BYOD
- Device Access Control
- Removable storage media
Application security
- Key Management
- Credential Management
- Authentication
- Geo tagging
- Encryption
- Application whitelisting
- Corporate mobile devices
- Virtual mobile infrastructure

Mobile
- Android
- ios
Web app security
- OWASP
- TLS/SSL
DLP
Data Ownership
Forensics
Patch Management
System Engineering
Vulnerability Management
Antivirus Management
User acceptance and policies
Asset on boarding and off boarding
Embedded systems security
Cyber physical security
Network segmentation
Application firewalls
Security layers
Version control
Monitoring

Network Security
- OSI
- TCP/IP
- Port numbers
- Tcp three way handshake
- Protocol discovery using sniffer
- Organization ipv 4 ranges
- Network diagram
- Attacks
- - Dos
  - Dns poisoning
  - Domain hijacking
- Wireless networks
- Secure encryption protocols
- Wireless attacks
- Network access control
- Attacks on networks
- Firewalls
- Secure communication protocols
- Authentication protocosl
- Vedio/audio communication protocols
- Social engineering attacks
- Email security
- Remote access security
- Vpn
- Tunneling
- Virtualization
- NAT
Identity and access management
- Assets access
- CIA triad for authentication/authorization/identification
- Password manament
- Best practices
- Single sign on
- Kerberos
- Azure dc
Security Assessment and training
- Security testing and assessment
- External audits
- Third party audits
- Vulnerability assessments
- Scap
- Scom
- Network discovery scanning
- Network vulnerability scanning
- Database vulnerability scanning
- Penetrations testing
- Secure code review
- Log monitoring
- Account management
- Backup reviews
Security operations
- Privilege management
- Os baselining
- Incident response
- Preventive measure
- Logging and monitoring
Security assessment and testing
Cyber Investigations
Forensics
- https://www.nist.gov/publications/guide-integrating-forensic-techniques-incident-response

Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security

References:

https://blog.rsisecurity.com/what-is-the-purpose-of-cybersecurity-architecture/

https://blog.rsisecurity.com/what-is-cybersecurity-architecture/

https://www.simplilearn.com/book-resources-to-read-for-cissp-certification-exam-article

https://www.conqueryourexam.com/best-cissp-study-guides/https://www.reddit.com/r/cissp/comments/c6d0jt/my_personal_cissp_journey_and_recommended_study/

https://www.reddit.com/r/cissp/comments/fdd33d/received_4_books_which_ones_are_best/

PreviousPenetration Testing NextFile Integrity Monitoring

Last updated 1 year ago

Was this helpful?