CISSP Notes

Confidentiality is: least privilege and privacy

Integrity is: authentic and genuine; you cannot deny it.

Availability is: easy to use (tap to pay), meeting goals with the data requested (getting paid when card is tapped), timely or within expected timeframe (for card transactions it happens instantly, but returns may take days)

The CIA Cake includes those basic ingredients but can also include other ingredients. You might want to sprinkle in some Assurance (confidence), Accountability (unique actions traced to a subject), Authenticity (proper attribution) and Utility (usefulness).

Parkerian Hexad Cake: CIA + Authenticity, Utility and Possession

SECURITY GOVERNANCE

Security governance defines and manages the security policies and procedures. This is determined at the Executive level.

The mission statement is WHAT. What the company is, what they do and why they exist.

Business strategy is HOW. How will I align my security posture with our mission statement? I need a goal or goals.

How do I create goals? Goals should be:

  • Specific

  • Measurable

  • Attainable

  • Relevant

  • Timely

How will I get to my goals?

  • Create objectives/milestones that will track my progress.

Objectives will get me to my goals, and reaching my goals will align our business strategy with our mission statement.

The governance committee is important for mergers and acquisitions. They need to reconcile the security posture between the companies.

Merger is: combining two different businesses into one. Acquisition is: a takeover of one business by another.

For ANY merger or acquisition, you should review:

  • the other company’s thoroughness in creating a Security Policy

  • their data assets and their compliance with standards like PCI DSS (credit card payments), GDPR (EU personal data), HIPAA (US healthcare data)

  • personnel security policies, such as thoroughness of background checks

  • custom apps they use (including integration with third-party and/or open-source components)

  • recent pentest results (if any)

For mergers and acquisitions, you should also consider the risks of:

  • absorbing unknown systems and data, which creates new attack vectors

  • overworking the IT department in an effort to keep things running

  • disgruntled employees

If the security posture cannot be reconciled, RECONSIDER the merger/acquisition.
