...

Unraveling CISSP Domain 1:

Security and Risk
Management
The first CISSP domain focuses on the fundamentals of security and how to
assess and manage risk. It makes sense since both of these concepts are an
essential part of our personal and professional lives. Therefore, we have to
analyze every risk associated with every action we take.

Moreover, technology adoption growth and digitalization require

cybersecurity professionals to be aware of the topics discussed in CISSP
Domain 1. It also focuses heavily on the critical factors of governance and
compliance and how security helps by aligning and contributing to each.

Have a look at everything you need to know for the CISSP certification exam
for domain 1 in this article.

1.1 Understand, adhere to, and

promote professional ethics
Ethics
Ethics are a foundational element of a successful security program and
should be adhered to throughout the organization. Proper ethical behavior is
based upon one belief: abide by the rules and do nothing harmful to anyone
else.
Within an organization, the best way to prescribe, promote, and instill
consistent ethical behavior is through corporate rules or laws, more
appropriately referred to as policies, to ensure that all employees employ the
same set of ethics.
As a CISSP candidate, you are responsible for understanding and complying
with the ISC2 Code of Professional Ethics, which applies to CISSP holders
around the globe. In fact, the CISSP exam will most likely ask at least one
question on this topic.
The Preamble and the Code of Professional Ethics Canons must be
understood fully in the context of corporate and industry applications. The
Canons should be memorized and adhered to in the order presented.

ISC2 Code of Ethics Preamble

The safety and welfare of society and the common good, the duty to our
principals, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

The ISC2 Code of Ethics consists of the Canons outlined here:

ISC2 Code of Ethics Canons

Protect society, the common good, necessary public trust and

1
confidence, and the infrastructure.
 ISC2 Code of Ethics Canons

2 Act honorably, honestly, justly, responsibly, and legally.

3 Provide diligent and competent service to principals.

4 Advance and protect the profession.

Remember, if a scenario is presented in which there's a conflict in the Canons,

they need to be applied in order.

1.2 Understand and apply security

concepts
Focus of security
Security focuses on anything that represents value, better referred to as
assets, and implements control that ultimately increases the value of those
assets.

Therefore, the focus of the security function is to:

1. Allow and enable the organization to achieve its goals and

objectives.
2. Increase the organization's value.
Confidentiality, integrity, availability, authenticity, and
nonrepudiation
The CIA triad is a foundational model that helps organizations design,
structure, and implement security functions.

The elements of the CIA triad are as follows:

Protects assets using important principles such as need-

Confidentiality to-know and least privilege; prevents unauthorized
disclosure.

Integrety Protects and adds value to assets by making them more

accurate, timely, current, and meaningful; prevents
 unauthorized or accidental changes to assets such as
information.

Protects critical assets based on value to ensure

Availability organizational assets are available when required by
stakeholders.

The traditional pillars of security have been increased to include authenticity

and nonrepudiation:

Proves assets are legitimate and bona fide and verifies

that they are trusted and verified. Proves the source
Authenticity
and origin of important, valuable assets. Also referred
to as "proof of origin."

Assures that someone cannot dispute the validity of

something; the inability to refute accountability or
Nonrepudiation
responsibility. Also, the inability to deny having done
something.

1.3 Evaluate and apply security

governance principles

Alignment of the security function to business

strategy, goals, mission, and objectives
The purpose of governance is to enhance organizational value, and corporate
governance is based on the goals and objectives of the organization.

Security needs to enable the organization's goals and objectives, not just
enforce information processes or fix technical issues, and must be managed
top down instead of bottom up.

On the other hand, scoping and tailoring are used to align security objectives
with organizational goals and objectives:
Scoping looks at potential control elements and determines which ones
are in scope—for example, security control elements that could adhere to
applicable laws and regulations—and which ones are out of scope.
Tailoring looks specifically at applicable—in scope—security control
elements and further refines or enhances them so they're most effective
and aligned with the goals and objectives of an organization.

Accountability versus responsibility

Accountable and responsible are two terms that are sometimes used
mistakenly and interchangeably.

If someone is accountable for something, that accountability can never be

delegated to anyone else. That person will always remain accountable. On
the other hand, responsibility can be delegated, but the delegator will remain
accountable.

Even if certain organization functions are managed by a responsible third

party, like a payroll or Cloud Service Provider (CSP), accountability still
resides with the owner of the assets being managed. A CSP will often have a
contractual-based responsibility for protecting the data. Still, the data owner
is always accountable for the data and, therefore, liable if there is a data
breach.
Organizational roles and responsibilities
The following table outlines some of the key functions typically found in an
organization and their accountabilities and responsibilities from a security
perspective:

Ensuring that appropriate

security controls, consistent
with the organization's
Owners / security policy, are
Controllers / implemented to protect the
organization's assets
Functional Accountable for:
Leaders / Senior Determining appropriate
sensitivity or classification
Management
levels
Determining access
privileges

Design, implementation,
Information management, and review of
Systems Security the organization's security
Responsible for: policies, standards,
Professionals / IT
Security Officer baselines, procedures, and
guidelines

Information Responsible for: Developing and

Technology (IT) implementing technology
Officer solutions
Reviewing and approving
new IT alternatives
 Working closely with IS and
IT Security Professionals and
Officers to evaluate security
strategies
Working closely with the
Business Continuity
Management (BCM) team to
ensure continuity of
operations should a
disruption occur

Implementing and adhering

IT Function Responsible for: to security policies

Managing, troubleshooting,
and applying hardware and
software patches to systems
as necessary
Operator / Managing user permissions
Responsible for: per the owner's
Administrator
specifications
Administering and managing
specific applications and
services

Network Responsible for: Maintaining computer

Administrator networks and resolving
issues with them
 Installing and configuring
networking equipment and
systems and resolving
problems

Providing management with

independent assurance that
the security objectives are
appropriate
Determining whether the
security policy, standards,
Information baselines, procedures, and
Responsible for:
Systems Auditors guidelines are appropriate
and effective to comply with
the organization's security
objectives
Determining whether the
objectives have been met

Users Responsible for: Developing and

implementing technology
solutions
Reviewing and approving
new IT alternatives
Working closely with IS and
IT Security Professionals and
Officers to evaluate security
strategies
Working closely with the
Business Continuity
Management (BCM) team to
ensure continuity of
 operations should a
disruption occur

The responsibility for the corruption rests with the custodian. However,
accountability for corruption rests with the asset owner.

Due care versus due diligence

Simply put:
Due care is the responsible protection of assets
Due diligence is the ability to prove due care

1.4 Determine compliance and other

requirements
Establishing the right security controls isn't just about the internal needs of an
organization. Plenty of contractual, legal, industry and regulatory
requirements should inform how different assets are protected.

The legal, privacy, and audit/compliance functions must work together to

ensure compliance, and once management understands compliance needs,
they can work with security to implement controls.

1.5 Understand legal and regulatory

issues that pertain to information
security in a holistic context
Cybercrimes and data breaches
Every organization should be asking fundamental questions like:

How is/are our information/assets protected?

What are the issues pertaining to information security for our organization
in a global context?
What does the current threat landscape look like?

This is important because cybercrime is highly profitable. This fact explains

why most organizations won't admit to being victims or prosecute the
perpetrators of cybercrime.

Not every attack can be prevented, but effective security strategies can
reduce attacks by making them:
 Not worthwhile
Too time-consuming
Too expensive

Bottom line: Don't be the low-hanging fruit that can be easily picked!

Licensing and intellectual property requirements

Intellectual property laws aim to encourage the creation of intellectual goods
(inventions, literary and artistic works, designs, symbols, and names) and to
protect the same.

The following table will show what trade secrets, patents, copyrights, and
trademarks protect.

Disclosure Term of
Term Protects Protects Against
Required Protection

Trade Potentially
Business information No infinitive Misappropriation
Secret

Functional innovations, novel idea, Making, using,

Patent inventions Yes Set period or selling an
invention
Expression of an idea embodied in a Copying or
fixed medium (books, movies, songs, Yes Set period of substantially
Copyright time
etc.) similar work
Color, sound, symbol, etc. used to Potentially Creating
Trademark distinguish one product/company Yes
from another infinitive confusion
Import/export controls
Import and export controls are country-based rules and laws implemented to
manage which products, technologies, and information can move in and out
of those countries, usually meant to protect national security, individual
privacy, economic well-being, and so on.

The Wassenaar Arrangement

The Wassenaar Arrangement was put in place to manage the risk that
cryptography poses while still facilitating trade. It allows certain countries to
exchange and use cryptography systems of any strength while also
preventing the acquisition of these items by terrorists.

International Traffic in Arms Regulations (ITAR)

This is a US regulation that was built to ensure control over any export of
items such as missiles, rockets, bombs, or anything else existing in the
United States Munitions List (USML).

Export Administration Regulations (EAR)

EAR predominantly focuses on commercial use-related items like computers,
lasers, marine items, and more. However, it can also include items that may
have been designed for commercial use but actually have military
applications.

Transborder data flow

Transborder data flow laws restrict the transfer of data across country
borders. When sharing data across borders, applicable laws must be
considered.
These laws primarily relate to personal data. The idea is to protect a
country/state/province/region's citizens' personal data. If an organization is
collecting citizens' data, then they are accountable for the protection of that
data.
Given these laws, organizations must consider the potential implications of
the flow of data across physical borders. This can be very challenging for
organizations to keep track of with the proliferation of service providers and
global cloud services.

Privacy
Privacy is the state or condition of being free from being observed or
disturbed by other people, and personal data is information on its own or in
combination that uniquely identifies an individual.
It's essential that personal data is well protected to comply with current
privacy laws and to protect the value of the information and of the
organization itself. This can become complex for multinational organizations
since there's a significant variation around the world in both the definition of
personal data and the laws that determine how to protect it.

Personal data
Depending on the location in the world, personal data may be referred to in
different ways, and what constitutes personal data can vary significantly.
Personal data can be referred to as:
PI: Personal Information
PII: Personally Identifiable Information
 SPI: Sensitive Personal Information
PHI: Personal Health Information

On the other hand, it's important to distinguish between direct identifiers,

which include information that relates specifically to an individual, such as
their name, address, biometric data, government ID, or other uniquely
identifying numbers, while indirect identifiers include information that on its
own cannot uniquely identify an individual but can be combined with other
information to identify specific individuals.

Privacy requirements

Privacy policy requirements

The following table contains a summary of the key roles within the privacy
realm:

Data Owners need to have clearly defined accountabilities, including:

owners Defining classification
Approving access
 Retention and destruction

Different types of owners:

Data owners
Process owners
System owners
Companies that collect personal data about customers are
accountable for the protection of the data

Need to have clearly defined responsibilities.

Data Protect data based on the input from the owners.
custodians Custodians also need tools, training, resources, etc.
And who provides all this. Typically, the owners.
Need to have clearly defined responsibilities.
Data Processes personal data on behalf of the controller/owner.
processors Protects critical assets based on value to ensure organizational
assets are available when required by stakeholders.
Data
subjects Individuals to whom personal data relates.

One privacy law that you should have a deeper understanding of is the GDPR,
which is one of the most comprehensive privacy laws in the world, and many
countries have modeled or are in the process of modeling their privacy laws
on GDPR or plan to in the future.

OECD privacy guidelines

The Organization for Economic Cooperation and Development (OECD) is an
international organization that is focused on international standards and
policies and finding solutions to social, economic, and environmental
challenges. One such challenge that they have been driving for decades is
privacy.
OECD privacy guidelines are not mandatory for organizations to comply with,
although they are considered a prudent course of action. These guidelines
are:
Collection limitation principle
Data quality principle
Purpose specification principle
Use limitation principle
Security safeguards principle
Openness principle
Individual participation principle
Accountability principle

Privacy assessments
Privacy Impact Assessment (PIA) is a process undertaken on behalf of an
organization to determine if personal data is being protected appropriately
and to minimize risks to personal data where appropriate.

A PIA is performed with the goal to:

1. Identify/evaluate risks relating to privacy breaches.

2. Identify what controls should be applied to mitigate privacy risks.
3. Offer organizational compliance with privacy legislation.

These are the PIA steps:

1. Identify the need for a DPIA

2. Describe the data processing
3. Assess necessity and proportionality
4. Consult interested parties
5. Identify and assess risks
6. Identify measures to mitigate the risks
7. Sign off and record outcomes
 8. Monitor and review

1.6 Understand requirements for

investigation types
To understand the requirements for investigation types, read our domain 7
article (section 7.1.7), in which we explain everything you need to know in this
regard.

1.7 Develop, document, and

implement security policies,
procedures, standards, baselines, and
guidelines
Policies, procedures, standards, baselines, and guidelines
The compendium of functional policies will be defined, supported, and
informed by many standards, procedures, baselines, and guidelines, as seen
in the following model:
For the CISSP certification exam, you must be aware of the differences
between policies, procedures, baselines, and guidelines:

Documents that communicate management's goals and

objectives
Provide authority to security activity
Policie Define the elements, functions, and scope of the security
s team
Must be approved and communicated
Corporate law

Specific hardware and software solutions, mechanisms, and

products
Examples:
Standa Specific antivirus software, e.g., MCAfree
rds Specific access control system, e.g., Forescout
Specific firewall system, e.g., Cisco ASA
Publishing guideline (e.g., ISO 27001) adopted by an
organization as a standard
 Step-by-step descriptions on how to perform a task; mandatory
actions
Examples:
Proced User registration or new hire onboarding
ure Contracting for security purposes
Information system material destruction
Incident response

Defined minimal implementation methods/levels for security

mechanisms and products
Baselin Examples:
es Configurations for intrusion detection systems
Configurations for access control system

Recommended or suggested actions

Examples:
Government recommendations
Security configuration recommendations
Guideli
Organizational guidelines
nes
Product/system evaluation criteria

(Note: Guidelines allow an organization to suggest something

be done without making it a hard requirement and thus cause a
negative audit finding.)

The committee, reporting to the Board of Directors and CEO, should develop
an overarching security policy that is aligned with organizational goals and
objectives that covers the entire organization and clearly articulates the goals
and objectives of the security function.
While policies don't need to be reviewed every year, standards, procedures,
baselines, and guidelines may need to be updated frequently.

1.8 Identify, analyze, and prioritize

business continuity (BC)
requirements
Please check section 7.11 of our article on Domain 7 to know more about
this topic.

1.9 Contribute to and enforce

personnel security policies and
procedures
Personal security policies
Some of the best practices for protecting the business and its important
assets are listed below.

Candidate screening and hiring

New personnel represents a risk to security; every organization needs
personnel security policies that address and mitigate this risk with the right
security controls.

Employment agreements and policies

As part of bringing a new employee into an organization—also referred to as
onboarding—company security policies, acceptable use policies, and similar
agreements should be reviewed and agreed upon prior to giving a new
employee their badge and any system credentials.
Prior to an employee leaving, or in conjunction with it, user system access
should be disabled, and the fact that the employee's employment is being
terminated should be conveyed to all relevant parties within the organization.

Employee duress
An employee acting under duress may be forced to perform an action or set
of actions that they wouldn't do under normal circumstances. One common
practice to handle these stressful situations is to have keywords that denote
that an employee is acting under duress.

Personnel security controls

Here is a list of important personnel security controls:

Job rotation. Job rotation is quite useful for protecting against fraud and
provides cross-training. It entails rotating staff (especially individuals in
key positions) so that an individual can't commit fraud and cover it up.
Mandatory vocation. Mandatory vacation is a control also used by
organizations to detect fraud. Employees are required to go on vacation
for a set period of time, during which time another employee can step
into the role and determine if any malicious or nefarious activity has
taken place or is actively taking place.
Separation of duties. Separation of duties is used to prevent fraud by
requiring more than one employee to perform critical tasks.
 Need-to-know and Least privilege. Least privilege ensures that only
the minimum permissions needed to complete the work are granted to
any employee. Need to know ensures that access to sensitive assets is
restricted only to those who require the information to complete the work.

Enforce personnel security controls

Enforcing personnel security controls commences with the hiring process,
extends through the employment period, and ends only after the employee
has left the organization.
Additionally, personnel-focused policies are often further supported by things
like:

Nondisclosure agreements (NDA). Contracts through which the parties

agree not to disclose information covered by the agreement.
Noncompete agreements (NCA)
Ethical guideline and requirement questionnaires and agreements
Vendor, consultant, and contractor agreements and controls

1.10 Understand and apply risk

management concepts
Risk management
Risk management is the identification, assessment, and prioritization of risks
and the economical application of resources to minimize, monitor, and control
the probability and/or impact of these risks.
Here's an overview of the risk management process:

Value. identifying the assets of the organization and ranking those assets
from most to least valuable. This process is referred to as asset valuation,
and the ranking of assets can be achieved via two methods or, most
commonly, a combination of both quantitative value analysis and
qualitative value analysis.
Risk analysis. Determine the risks associated with each asset via the risk
analysis process. The four key components are threat, vulnerability,
impact, and probability/likelihood.
Treatment. There are four risk treatment methods: avoid, transfer,
mitigate, and accept.

Asset valuation
Before risks can be identified and managed, valuable assets of the
organization must first be identified.
Two different forms of analysis can be used to rank the assets of the
organization from most to least valuable: qualitative and quantitative:

Qualitative analysis Quantitative analysis

Does not attempt to assign

monetary value Assign objective monetary values

Relative ranking system, based on Fully quantitative process when all

professional judgment elements are quantified
Uses words like "Low," "Medium,"
"High," "1–5," "Probability," or
"Likelihood" to express value
Qualitative analysis is relatively Purely quantitative is difficult to
simple and efficient achieve and time-consuming
Risk analysis

After the asset valuation process, related threats and vulnerabilities must be
identified for each asset, and owners must be deeply involved in the risk
analysis process.

Threats and vulnerabilities

There are three main components to risk being present:

Asset: anything of value to the organization

Threat: any potential danger; anything that causes damage to an asset,
like hackers, earthquakes, ransomware, social engineering, denial-of-
service attacks, disgruntled employees, and many others.
Vulnerability: a weakness that exists; anything that allows a threat to
take advantage of it to inflict damage to the organization. Examples
include open ports with vulnerable services, lack of network segregation,
lack of patching, and OS updating.
Risk management terms
The following list contains a list of core terms used in risk management and
how they fit together.

The entity that has the potential to cause damage to

Threat Agent an asset (e.g., external attackers, internal attackers,
disgruntled employees)

Threat Any potential danger

Attack Any harmful action that exploits a vulnerability

 A weakness in an asset that could be exploited by a
Vulnerability
threat

Significant exposure to a threat or vulnerability (a

Risk weakness that exists in an architecture, process,
function, technology, or asset)

Asset Anything that is valued by the organization

Negative consequences to an asset if the risk is

Exposure/Impact realized (e.g., loss of life, reputational damage,
downtime, etc.)

Countermeasures Controls implemented to reduce threat agents,

threats, and vulnerabilities and reduce the negative
and Safeguards impact of a risk being realized

Residual Risk The risk that remains after countermeasures and

safeguards (controls) are implemented

Annualized Loss Expectancy (ALE) calculation

Quantitative analysis as part of ranking risks requires calculating how much
risk is expected to cost the organization annually—the Annualized Loss
Expectancy (ALE). The ALE can be calculated using this formula:

ALE = SLE (AV x EF) x ARO

The acronyms pertain to:

Asset Value (AV)

Exposure Factor (EF)
 Single Loss Expectancy (SLE)
Annualized Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)

Risk response/ treatment

After the risk analysis process, security should implement the most cost-
effective treatments. The right approach depends on the value of the asset
and the type of risk identified in the previous steps.

Although risk can never be entirely eliminated, it can be managed via the
following approaches:

Avoid. Choosing to stop doing whatever exposes the asset to risk. Not
jumping can avoid the risk, but you can miss significant opportunities (the
opportunity cost).
Transfer. Transferring risk means sharing some risk with another party,
usually an insurance company.
Mitigate. Mitigate risk means implementing controls that reduce the risk
to an acceptable level.
 Accept. Accepting risk simply means taking no action or no further action
where the risk to a particular asset is concerned.

Types of controls

Seven major types of controls can be put in place, as shown in the following
table:

Directive controls direct, confine, or control the

Directive actions of subjects to force or encourage
compliance with security policies.

Deterrent controls discourage violation of security

Deterrent
policies
 Preventive controls can prevent undesired actions
Preventive or events

Detective controls are designed to identify if a risk

Detective has occurred. Importantly, detective controls
operate after an event has already happened

Corrective controls are used to minimize the

negative impact of a risk occurring—minimize the
Corrective damage. They are used to alleviate the effects of an
event that has resulted in a loss and to respond to
incidents to minimize risk.

Recovery Restore to normal

Compensating Make up for lack (e.g. supervision)

A concept that is pervasively used in security is complete control. Complete

control is a combination of preventive, detective, and corrective controls at a
minimum.
In addition, in defense-in-depth (layered security), complete control should
be implemented at each layer.

Categories of controls
A way to categorize the security controls is as safeguards or as
countermeasures.

Safeguards are proactive controls; they are put in place before the risk has
occurred to deter or prevent it from manifesting.
Countermeasures are reactive controls. They are put in place after risk has
occurred and aim to allow us to detect and respond to it accordingly.

Controls can be further classified into three main categories:

Administrative
Logical/Technical
Physical

Functional and assurance

A good security control should always include two aspects: the functional
aspect and the assurance aspect.

Functional Assurance

Control performs the function it Control can be proven to be

was designed to address/does functioning properly on an ongoing
what it is meant to do—for example, basis, usually proven through
a firewall filtering traffic between testing, assessments, logging,
different subnets. monitoring, etc.
Selecting controls
Selected controls must support organizational goals and objectives and be
cost-effective.
Security is usually a balancing act between achieving the maximum level of
security with the least cost and, at the same time allowing proper
functionality.
Security controls make systems more difficult to use, slower, more
complicated, and so on.

Measuring control effectiveness and reporting

Once a control, or set of controls, has been decided upon and implemented,
it is important to understand how well they're working. One of the best ways
to do this is by using metrics.
To identify the metrics that will matter, the metrics that will be useful to
implement and monitor, and the target audience must be identified.

Continuous improvement

Risk management is a continuous, arduous, and time-consuming process

that needs to be continually updated.

The Deming Cycle, sometimes also referred to as Plan Do Check Act

(PDCA), shown in the next figure, outlines the cyclical nature of many
processes in security, including risk management.
 Determine which controls to implement based on the risks
Plan identified

Do Implement the controls

Monitoring and assurance; are the controls operating

Check effectively?
Based upon findings during the "Check" step, take additional
Act actions as necessary (react), which leads back to planning

Apply supply chain risk management concepts

Risk management methodologies should be applied to all vendors, suppliers,

and service providers, and it should include the following items:
 Governance review
Site security review
Formal security audit
Penetration testing
Adherence to the security baseline
Evaluation of hardware and software
Adherence to security policies
Development of an assessment plan
Identification of assessment requirements and which party will perform it
Preparation of assessment and reporting templates

Risk management frameworks

Risk management frameworks provide comprehensive guidance for
structuring and conducting risk management. The four risk management
frameworks are shown in the following table:

This guide describes the risk management framework

NIST SP 800-
37 (RMF) (RMF) and provides guidelines for applying the RMF to
information systems and organizations.

ISO 31000 is a family of standards relating to risk

ISO 31000
management.

COSO provides a definition of essential enterprise risk

management components, reviews ERM principles and
COSO concepts, and provides direction and guidance for
enterprise risk management.
 ISACA's Risk IT Framework contains guidelines and
practices for risk optimization, security, and business
ISACA Risk IT
value. The latest version places greater emphasis on
Framework
cybersecurity and aligns with the latest version of
COBIT

1.11 Understand and apply threat

modeling concepts and
methodologies
Threat modeling is used to systematically identify, enumerate, and prioritize
threats related to an asset.
Three major threat modeling methodologies you need to know about
for the exam are STRIDE, PASTA, and DREAD.

STRIDE
STRIDE is a threat-focused methodology that's less strategic and thorough
than PASTA. It is an acronym of:
Spoofing
Tampering
Repudiation
Information disclosure
Denial-of-service
Elevation of privilege
PASTA
Process for Attack Simulation and Threat Analysis (PASTA), contrary to
STRIDE, is an attacker-focused, risk-centric methodology. It is much more
detailed than STRIDE and performs threat analysis from a strategic
perspective.
The stages in PASTA are as follows:

Define objectives
Define technical scope
Application decomposition
Threat analysis
Vulnerability and weakness analysis
Attack modeling
Risk and impact analysis

DREAD
DREAD is a threat model primarily used to measure and rank the severity of
threats. DREAD is often used in combination with the STRIDE model, where
STRIDE identifies the threats, and DREAD is then used to rank the severity
of threats. The acronym means:

Damage
Reproducibility
Exploitability
Affected users
Discoverability

Social engineering
Social engineering can be defined as using deception or intimidation to get
people to provide sensitive information that they shouldn't in order to
facilitate fraudulent activities.
It is a prevalent means of attack against organizations and employees (the
biggest security weakness that exists in most companies) because it's very
effective. Common social engineering tactics include intimidation, deception,
and rapport.
Social engineering attacks can be mitigated through awareness, training,
and education.

1.12 Apply supply chain risk

management (SCRM) concepts
SLR, SLA, and service level reports
Security must be considered for all acquisitions and be part of the
procurement process. Even if the acquisition is of a well-known brand,
product, or service, risks exist and must be evaluated as part of the
acquisition, or procurement, process. This evaluation should occur as early
as possible and include security considerations that minimize the risk.

Service level requirements (SLR)

With the acquisition of a service, additional organizational requirements must
be considered, which is done through an SLR document. Specifically, an
SLR outlines:
 Detailed service descriptions
Detailed service level targets
Mutual responsibilities

Security requirements must be clearly communicated (e.g., SLAs) to

suppliers/vendors/service providers.

Service Level Agreement (SLA)

After a service is acquired, an SLA must be put in place between the
customer and the service provider.
SLAs often include expectations and stipulations related to:
Service levels
Governance
Security
Compliance with law and regulations

Service level reports

Service level reports are issued by a vendor or service provider to a client
and provide insight and information about the service provider's ability to
deliver services as defined by the SLA.

It might contain any of the following components:

Achievement of metrics defined in the SLA

Identification of issues
Reporting channels
Management
Third-party SOC reports
1.13 Establish and maintain
security awareness, education,
and training programs
Everyone is responsible for security; however, they must know what to do.
Awareness within an organization is fostered to create cultural sensitivity to
a given topic or issue.
In addition, education helps people understand fundamental concepts and
therefore develop decision-making skills and abilities.

Methods and techniques to provide awareness and

training
Common methods to provide awareness and training are:
Live in-person sessions
Live online sessions
Pre-recorded sessions
Requirements/rewards
Regular communications/campaigns

The topics selected should directly align with the organization's goals and
objectives. At the same time, training and education programs and materials
should also evolve and be updated accordingly to be most effective.

Program effectiveness evaluation

Program participants should be surveyed from time to time. Some key
metrics to consider are:
Total number of people completing the awareness program
Number of people providing feedback in comparison to total attendees
Number of people reporting suspicious activities after training completion
Tracking of how well staff members performed
Total number of attempts each person took the course