My name is Kevin Henry. Over the next few moments I'll take you through an overview of what is covered in the first domain of the exam outline, Security and Risk Management. It is worth remembering that many of the topics covered in one domain are also covered in other domains, perhaps from a different perspective or a different angle. In this domain we look at the fundamentals of security. This is the first domain, and it sets out the foundation upon which the security program is built. One of those fundamentals is certainly risk management. In security we are very often attempting to address risk: to identify the risks we face and make sure they have been properly managed in accordance with the culture, regulations, and desires of management. Part of this is understanding the threats we face every day and modeling those threats, whether they are intentional or accidental. A core part of security management today is governance. It must be remembered that the whole purpose of a security program is to support the business. In the end, the objective of the CISSP is very much to align with business priorities and to incorporate security principles into the business. We must never create a hindrance or an impediment to the business operating in an effective and efficient way. Our job is to secure the business no matter which direction it is going and no matter which technologies it decides to use. We may not agree with that direction, and we may not really like some of the technologies, but our job is to support and secure the business as best we can. This requires proper oversight, and governance is a very important part of it: reporting to management, and understanding from management the direction in which they would like the security program to go.
In many cases today we are bound by regulations, and compliance can make up a large part of a CISSP's job: ensuring that we are compliant with best practices, standards, and regulations. As information systems security professionals we are expected to behave in an ethical manner. However, ethics is a difficult term, one that is very much subject to personal interpretation. In our organizations we must encourage the adoption of ethical principles and make sure those principles are communicated, so everyone is aware of their responsibilities in that regard. A core part of the foundation of security is always having policies in place that state management's intention and provide the basis and authority for the implementation of the security program. And an important part of security is people and the security of personnel. Now let's look at each of the major areas within the exam outline. These key areas of knowledge must be addressed by every CISSP, and we can expect questions from every one of them. One way to measure whether we are ready for the exam is to make sure we can explain and understand what each of these key areas of knowledge addresses. The first within this domain is to understand and apply the concepts of confidentiality, integrity and availability. These three core terms have been used for over 40 years to describe what information security is: to give security a way that it can be measured and assessed, to ensure that security is delivering on a defined set of objectives. In fact, we could say that these three terms, confidentiality, integrity and availability, describe the very core of what security really is, and they provide a way to report to management on the progress and development of the security program. The second of the key areas of knowledge within this domain is to apply security governance principles.
We mentioned already the importance of security being aligned with business goals. If security is truly aligned, thinking strategically and invested in helping the business to succeed, it is much more likely to have the senior management support we require. Security, like everything else, needs a budget, and that budget must be based on clearly defined deliverables. These are often described in a business case. We must remember that the CISSP is the certification for security managers. We are expected to be able to manage a security department. That often requires the creation of business cases to justify investment, and the management of a budget to ensure that we find the correct balance between security and cost and make efficient use of the resources we have, whether those are people, equipment or time. Our goal is to build security into every organizational process. In the end, security is everybody's job, and every part of the organization must deliver a consistent level of security. This means in many cases that as the business grows and evolves, we have to ensure that security is being considered in those developments and changes within the business. These can include, for example, acquisitions of other companies, divestitures, and of course this core concept of governance: showing that security is being considered within the organizational processes and that its success is being reported to management. Security does not happen by magic. It must be somebody's job. We must have clearly defined security roles and responsibilities. Those roles vary according to a person's level of responsibility within the organization, but everyone must realize that security is a part of their job requirement. We will look in later domains at system ownership and information ownership, and at those who have a specific and higher level of responsibility for the protection of the information assets of the organization.
One of the great things we have available today is a wealth of control frameworks, a wealth of proven standards that can be used when we put together a security program. The CISSP should consider the use of some of these control frameworks, and should be familiar with the frameworks and best practices that are available so those can be considered in developing our security strategy, and from that security strategy our security plan. Our responsibility as managers is to protect others from unreasonable harm. We should exercise due care by putting in place the protective measures needed to avoid any type of harm to a person, the organization, a process or the assets of the organization. To follow up on that we should also exercise due diligence. Whereas due care is much more about prevention, taking steps to ensure that adverse events don't happen, due diligence is the follow-up: making sure that those controls are actually working effectively. A key area, and a lot of our work today, focuses on compliance: demonstrating that we are compliant, or in alignment, with the various legislative and regulatory requirements we face. A key part of this today is all of the regulations related to privacy, and ensuring we protect the privacy of our employees, of our customers and the privacy of the intellectual property of the organization. The CISSP as a security manager must understand the legal and regulatory environment we operate in. Very often we operate in more than one country, and that means we have to be aware of the different cultures and different regulations that may exist in another area of operations. The CISSP should strive for an enterprise security program, one with a global viewpoint that attempts to ensure compliance with legal and regulatory requirements no matter where in the world we operate.
A key issue of course is computer crime, costing organizations billions of dollars every year. We will look at computer crime in more detail later on, but we see here already that, as part of our security management program, we should understand the types of crime and what steps we can take to avert or avoid some type of breach. We need to protect our various forms of intellectual property, patents and trademarks, to ensure that we are ourselves following licensing agreements, but also making sure that those licensing agreements are being followed up on. As we move data around the world, many different regulations come into play. The area of transborder data flow quite often means a potential conflict between the ability to conduct business and the need to remain compliant with the various regulations in different countries, especially where some of those regulations may contradict one another. One of the areas this applies to, of course, is cryptography and the need to observe export controls, to ensure we are not violating the laws of any one country, especially with the movement of cryptographically protected materials and cryptographic algorithms around the world. This includes algorithms that may be built into our hardware or software. We need to protect privacy and ensure that we are in compliance with the regulations and reporting requirements about privacy issues, especially if we have had a suspected or very real data breach. Ethics are a person's personal beliefs about what is right and wrong, and those are very much based on that person's background, culture and religion, and in many cases on their perception of right and wrong.
But for our organizations we need to have an ethical stand and an ethical position, so that we can ensure all of our employees know what is acceptable from our corporate or organizational perspective. How do we ensure that people behave in an ethical manner? By setting out what our ethical position is and making sure it is communicated to all of our staff. That should also be enforced through due diligence, to make sure that people are abiding by the organizational ethical positions we have established. A key part of any security program is having policy: developing a policy that states management's direction and, in many cases, the authority and the scope of the security program. These policies must be developed, but furthermore they must be implemented. To implement a policy, we will often put the good words of policy into practice through procedures, which are step-by-step actions, and through standards, for example hardware or software standards that we enforce within our organization to achieve a consistent level of configuration and security. We can also put in place guidelines, which attempt to give instruction on how to be compliant with our policies, standards and procedures. An important part of security, as we looked at at the beginning of this chapter, is availability: the availability of our information and the availability of our systems, so that the systems and information are there when the business needs them. This means that as a security manager we should support business continuity efforts, to ensure that data is being backed up and that our various applications have been assessed for their criticality and sensitivity. We support the development of business impact analysis initiatives to determine what level of impact any outage would have on the business.
From this we can support business continuity efforts, helping in many cases to document what the scope of the project will be, as well as assisting in the creation of a business continuity plan. A key area of security is protecting our people, and we should have personnel security policies that deal with the entire employment life cycle of staff, from the day they are first hired, through their various movements within the organization, until the day they leave. This means that we do employment candidate screening: we look at who could be a suitable employee based on reference checks, background checks and whatever other types of screening are suitable and legal within our jurisdiction. Part of ensuring compliance is making sure that everyone knows what the rules, regulations and policies are, and having employment agreements and policies that are communicated to employees is essential for that. When an employee leaves, whether that leaving is voluntary or involuntary, we should have an employment termination process that is followed to ensure we have recovered any assets that employee has. We remind them of any non-disclosure agreements they are bound by, we ensure that any corporate assets they hold have been recovered, and we ensure that their access has been turned off so they are not able to continue using their accounts once they have left the premises. All of our security policies apply to anybody within our business, not just to employees but also to contractors, vendors and consultants who may be coming in to do work within our building. These people should also be aware of what our personnel security policies are, how to work in a safe manner and one which is compliant with the policies of our organization with regard to information, information access, information sharing and of course network access as well. We work with HR to ensure compliance with the policies and procedures we have, such as an acceptable use policy.
Through all of this we of course still have to maintain privacy, and an important part of conducting investigations and dealing with our employees is maintaining the confidentiality of those investigations. A very important part of any security program is to apply the limited resources we have to the places that will provide the most benefit, and one of the ways to determine what those areas are is through a process of risk management. Risk management should be something a CISSP is very familiar with, able to understand and apply the risk management concepts in an effective way. This means being able to identify the threats and vulnerabilities we may face and, from that, being able to assess and analyze the levels of risk to the organization. As a CISSP we may use a quantitative, a qualitative, or even a hybrid, semi-qualitative approach to risk assessment and analysis. The result of our risk assessment will be a risk assessment report, outlining the risks as well as the prioritization of those risks. This will drive the selection of countermeasures and the decisions about what to do with risks that are at an unacceptable level. We implement various controls, and the intention of those controls is to specifically address any of those risks that are outstanding. There are many different types of controls we use: those which are much more proactive in nature, such as a preventive control, and those which are more reactive in nature, such as a detective or a corrective control. In understanding and applying risk management concepts we put in place controls that are designed to mitigate risk. However, almost no control is enough on its own. It requires regular monitoring and measurement to determine the effectiveness of that control.
We should do asset valuation and review the value of assets on a periodic basis, since an asset which was perhaps insignificant before may now have become critically important, while other assets which at one point were very important have faded in significance. This means we should adjust the risk management program to protect the areas that are most critical for the organization. We do regular reporting on the results of our risk assessments back to management, seeking continuous improvement in how we look after our security program. There are a number of different risk management frameworks we can use. As a CISSP we should be familiar with several of these risk frameworks so we are able to advise management on how to manage risk in an effective, and should we say also accepted, manner. Threat modeling takes a look at the attitude and the approach of a hacker. It looks at the things that could go wrong. Many of these of course could come from adversaries, but a lot come from contractors or employees who may have done something unintentional, or even from a trusted partner who was themselves breached. We should understand the sources of threats as well as the ways that many attacks could actually happen. We should be familiar with the concepts of social engineering and spoofing, masquerading and pretending to be somebody I'm not, and then we should look at the ways to reduce threats, to reduce either the impact of a threat or the likelihood of a threat through some form of reduction. The analysis of the effectiveness of our controls can help us to measure the amount of residual risk we still face as an organization. We should understand how technology can help us in many cases to remediate the various threats we face: technology which will then be built into our software architectural models and into our day-to-day operations of our systems.
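The quantitative, qualitative and residual-risk ideas in the two preceding paragraphs, worked through as an added example that is not part of Kevin Henry's course material: a small risk register with constructed values is ranked against a management-set tolerance, measured control effectiveness feeds the residual risk, and a periodic asset revaluation changes the ranking. The SLE/ALE formulas and the 1..3 likelihood-times-impact scale are standard risk-analysis constructs rather than something this page states; all names and figures are my own.

```python
"""Risk register prioritization: quantitative ALE, qualitative score, residual risk."""
from dataclasses import dataclass, replace

# Qualitative rating scale for likelihood and impact (constructed for this example).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float              # current valuation; revisited on a periodic basis
    exposure_factor: float          # fraction of asset value lost in one incident (0..1)
    annual_rate: float              # expected incidents per year (ARO)
    likelihood: str                 # qualitative rating: low / medium / high
    impact: str                     # qualitative rating: low / medium / high
    control_effectiveness: float = 0.0  # measured share of the risk the control removes (0..1)


def single_loss_expectancy(r: Risk) -> float:
    """SLE = asset value x exposure factor (loss from one incident)."""
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO, the quantitative figure used to rank risks."""
    return single_loss_expectancy(r) * r.annual_rate


def qualitative_score(r: Risk) -> int:
    """Likelihood x impact on the 1..3 scale, giving 1..9."""
    return SCALE[r.likelihood] * SCALE[r.impact]


def residual_ale(r: Risk) -> float:
    """Risk left after the control, based on its measured (not assumed) effectiveness."""
    return annualized_loss_expectancy(r) * (1.0 - r.control_effectiveness)


def revalue(r: Risk, new_asset_value: float) -> Risk:
    """Periodic asset valuation: same risk, updated value, so priorities can shift."""
    return replace(r, asset_value=new_asset_value)


def prioritize(register, tolerance_ale: float):
    """Rank by residual ALE (ties broken by qualitative score) and flag risks still
    above the tolerance management has set; those drive countermeasure selection."""
    ranked = sorted(register, key=lambda r: (residual_ale(r), qualitative_score(r)), reverse=True)
    return [(r.name, round(residual_ale(r), 2), qualitative_score(r), residual_ale(r) > tolerance_ale)
            for r in ranked]


# Constructed sample register (values are illustrative, not from any real assessment).
REGISTER = [
    Risk("customer database breach", 2_000_000, 0.5, 0.1, "medium", "high", 0.6),
    Risk("web server outage", 200_000, 0.2, 4.0, "high", "medium", 0.0),
    Risk("laptop theft", 5_000, 1.0, 2.0, "high", "low", 0.9),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER, tolerance_ale=50_000):
        print(row)
```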
We integrate security risk considerations into the entire business, including new developments, new acquisitions and all of our practices. We enhance the security capabilities that our hardware and software have. We ensure that our various business services are built with proper security and risk management concepts integrated and woven into those business operations. We do third-party assessments and monitoring, which includes on-site assessment of what types of issues a third-party supplier may have. We do document exchange to ensure that they have attestations of compliance, and we do regular reviews of their processes and policies to ensure that a third party is not going to pose a risk to our business operations. In all of this we need to ensure that minimum security requirements are met at the very least, so that we have a consistent baseline of security across the organization. Quite often when dealing with third parties we will put in place service level agreements to ensure that they meet the required standards of response time, risk mitigation, reporting and compliance. It has often been said that people are the weakest part of a security program, but in many cases they are also one of the best parts of our security program. Ensuring that our staff have been properly trained is an important role of the CISSP. A person cannot be expected to do a job if they have not been trained in how to do it properly. So part of the CISSP's role will be ensuring that our staff have an appropriate level of awareness of security issues, that they have the training in how to use our various tools and follow our various security processes, and that they have the education necessary to make the right decisions about what to do or how various security risks should be mitigated. An awareness program should be ongoing, at least on an annual basis, and we should ensure that all of our staff have received both the awareness and the training necessary to conduct their job.
This means that our training and education programs will be reviewed on a periodic basis to ensure that the content of those programs is relevant and up to date with what is required today. In summary, this is a very important foundational domain. The CISSP, as we know, is a management-level certification, and the CISSP candidate must therefore understand the importance of being a leader in security: understanding the principles of security management, what security is and what risk is, and being able to manage budget, priorities and personnel effectively.