CISSP® - Security and Risk Management

(ISC)2's CISSP examination is one of the most highly valued certifications in the information security profession. Take the first step towards gaining the knowledge needed to tackle the first domain of the CISSP.
Course info
Rating
(44)
Level
Beginner
Updated
Apr 18, 2016
Duration
4h 3m
Table of contents
Course Overview
Introduction
Fundamental Security Principles
Legal and Regulatory
Computer Crime
Intellectual Property
Privacy
Licensing
Trans-border Data Flow
Security Awareness
Aligning Security to the Organization
Creating Policies, Procedures, Guidelines, and Baselines
Continuity Planning and Disaster Recovery
Threat Modeling
Risk Assessment Concepts
Countermeasure Selection Process
Frameworks
Description

If you are looking to begin your journey towards the highly respected CISSP credential, then you have come to the right place! This course covers a broad range of topics listed in (ISC)2's Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK) - Security and Risk Management domain. In this course, you will learn the foundations of security and risk management, including topics such as cyber crime, legal and regulatory concerns, and threat modeling. When you are finished with this course, you will have a good security and risk management foundation that will provide you with the context and knowledge needed to be successful in the information security profession.

About the author

Lee Allen is a penetration tester by trade. Lee has authored four books about penetration testing and has created several Pluralsight courses.

More from the author
Threat Modeling: The Big Picture
Beginner
1h 5m
27 Jun 2017
Section Introduction Transcripts

Course Overview
Hi everyone! My name is Lee Allen, and welcome to my course, CISSP - Security and Risk Management. I am a Certified Information Systems Security Professional, currently employed as an associate director for enterprise security at a large U.S.-based university. I have authored three books about penetration testing and run a game company that is focused on bringing security training into the gaming world. Security and risk management is the foundation for all of the other (ISC)2 CISSP common body of knowledge domains. This course is based on the topics found in the first domain of the CISSP common body of knowledge. Some of the major topics that we will cover include risk assessment, security management, legal and regulatory concerns, computer crimes, and aligning security to the business. By the end of this course, you should be familiar with a broad spectrum of topics that are covered within the first domain of the CISSP. This course will provide you with the background information that you will need when addressing questions related to risk and security management. I hope you'll join me on this journey to learn the foundational security and risk management topics with the CISSP Security and Risk Management course at Pluralsight.

Legal and Regulatory
As an information security professional, it is important to have a basic understanding of the legal and regulatory requirements for information systems. This is also important when preparing for the CISSP examination as it is one of the areas that you will be tested on. In this module, we will review three different law categories. We will discuss examples of regulations and laws that are noteworthy to anyone that works with computers. Please understand that I am not a lawyer, and I am just providing an overview of the different laws and regulations that I've found to be important throughout my career in information security. If you need further information about the specifics of the laws and regulations and how they impact your own environments, I highly recommend that you seek legal counsel and regulatory subject matter experts. As a matter of fact, that is the exact advice that I give whenever someone asks me in person about the specifics of any of the laws that we are about to discuss.

Computer Crime
Welcome back! In this module, we are going to take a look at computer crime. We will review who it is we should be wary of and why they are doing the things that they do. One thing is for sure--computer crime is not going away anytime soon, so we may as well try to understand it and get a grasp on the types of activities that we should expect to see during our careers as security professionals. We will start out the module by reviewing the primary reasons for computer crime. Basically, what is it that motivates attackers and why do they do the things they do? We then take a look at the types of computer crime that we might expect to see. After all, if you don't know what types of things you should be worried about, then how can you expect to protect your people, information, and systems from them?

Intellectual Property
Intellectual property can include works created by inventors, graphic artists, game designers, and lots and lots of others. In order to encourage our innovators to keep, well, innovating, there need to be protections put into place to ensure that others do not misuse the creator's works or use them without express permission. In this module, we will take a look at some of the protections that have been put into place. We will begin with a definition of what intellectual property means and then quickly move on to how intellectual property is protected using tools such as patents, trademarks, trade secrets, and even copyrights.

Privacy
In this module, we are going to take a look at protecting the confidentiality of private information. It is commonplace for information systems to store personally identifiable information. And as such, you will need to know how to identify private information and how to apply the proper security controls to protect it when needed. There are many information systems out there collecting your private information. Some of these may be systems that your organization uses, and others may be systems that are housed in the cloud. As you can probably imagine, this has led to an erosion of privacy over the years. Attackers find value in this personally identifiable information and will target and attack systems that house this data. As an information security professional, you will need to be able to identify when your systems are storing or processing private data, and you will need to understand how to protect it. You should have a decent grasp on what the concerns about privacy are. And you should have some idea of the types of laws that are in place to legally protect private data. No one expects you to be a lawyer, but you should definitely understand when something needs to be looked at by someone that is a lawyer.

Licensing
Organizations will often ask security professionals to provide feedback during technology purchasing activities. The software and hardware vendors you will review will typically have licensing that will need to be assessed as part of this process. You may also run into situations that require you to determine if certain applications have licensing that is in alignment with the policies of your organization. I will begin this module by introducing you to the definition of licensing and then familiarize you with the various types of licensing currently used to protect intellectual property.

Trans-border Data Flow
Hi, and welcome to Pluralsight. My name is Lee Allen. In this module, I will introduce you to the implications of trans-border data flows and general import and export concerns. Many organizations now are global. Information containing corporate details, personally identifiable information, and even export restricted data elements must be consumed by various organizational departments and partners to keep things moving along. As an information security professional, you may at some point be charged with ensuring that your organization is playing by the rules and not sending data to places where it does not belong. I begin this module by discussing why you should be concerned with trans-border data communication flow, and then move on to discussing the basics of import and export controls.

Security Awareness
One of the most effective means of protecting our assets involves educating our users. Regardless of how efficient our security operation teams are, how powerful the intrusion detection system is, or even how often we patch, all it usually takes for an attacker to compromise our networks is for our users to click on the wrong link or to fall for a social engineering attack. Unless you are working with an environment that does not have any employees and operates in a completely automated fashion, you will need to understand security awareness and why it is important for you to ensure that your users have it. We will start out by taking a look at what security awareness is and what the different types of security awareness are. We then move on to look at the impact that we may expect to see if we were to launch a successful security awareness campaign in our organizations, and we then move on to addressing how exactly we can measure or validate the success of our security awareness campaigns.

Aligning Security to the Organization
As a CISSP, it is not enough to simply understand the ins and outs of the security industry. In order to be successful at improving the security posture of your environments, you'll also need to ensure that your security efforts are aligned with the needs of the organization. In order to accomplish this task, you must be familiar with how the organization operates. This includes having a clear understanding of the roles and responsibilities of everyone at the organization. Keep in mind this means not only the security department but also all of the other members of the organization such as the CEO and even the end users. You will need to define clear security goals that are aligned with the strategies of your organization, and you also want to ensure that you are complying with the overall organizational mission when performing security-related activities. This will involve understanding what the organizational objectives are and how you can align your security mission with the needs of the organization.

Creating Policies, Procedures, Guidelines, and Baselines
Information security will need to address risk management, accountability, and even reporting in order to ensure the security posture of the environment is in line with the risk appetite of the organization. Frameworks, policies, procedures--they all add up to helping you address this need. I will begin with explaining the reason that security frameworks exist and then move on to highlighting what an effective policy must contain and how it should be structured. After that, I will examine the importance of procedures and what it takes to make sure that they are actionable. You will then learn about guidelines and how they differ from policies and procedures. And after that, I will finish up with covering security baseline documents. These are all important aspects that you will need to know when preparing for the CISSP exam.

Continuity Planning and Disaster Recovery
It would be wonderful if we lived in a world where everything always worked as planned. Unfortunately, that's not the world we live in. And as such, we need to understand and perform continuity planning and disaster recovery so that our organizations can survive if bad situations do occur. In this module, we are going to take a look at the overall business continuity process. We'll talk a little bit about why we need it and what it is. We will also discuss business impact analysis, and then move on to comparing disaster recovery to continuity planning. These two items are often misunderstood, so I'll take a few moments and ensure that these have been clarified for you. We'll also take a look at disaster events and the recovery steps that you should take whenever a disaster does occur. We will close out the module with a brief overview of some popular disaster countermeasures that people typically put into place.

Threat Modeling
Threat modeling is one of the most important information security skills that I've picked up throughout the years. Being able to identify potential threats in the form of visual diagrams allows me to hold valuable security-related conversations with anyone regardless of their security or even their technical knowledge. In this module, we will review the practice of threat modeling to identify threats in our environments. We will begin with a review of what exactly is meant by threat modeling, how threat modeling relates to vulnerabilities, and what exploits are and why we should be aware of them. We will then take a look at Microsoft's threat modeling methodology followed by a brief overview of what attack trees are. And we then finalize with a brief introduction to using a freely available tool to help us prioritize where we should focus our limited security resources.
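The attack trees mentioned in this module are easier to reason about once you have evaluated one. The following Python is an added example written for this page; it is not course material and not a tool from the course. The tree (goal: read customer records), the leaf effort costs, and the mitigation names are all constructed for illustration. Leaves are the attacker's concrete steps, OR nodes mean any one child achieves the parent, AND nodes mean every child is required, and the evaluation returns the cheapest feasible path so you can see which single countermeasure raises the attacker's cost the most.

```python
"""Attack-tree evaluation: cheapest feasible attack path, before and after mitigations.
Added example for this page; tree shape, costs and names are constructed, not from the course."""
import copy
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union


@dataclass
class Leaf:
    name: str
    cost: int            # attacker effort in hypothetical units (hours, dollars, whatever you standardise on)
    possible: bool = True  # False once a countermeasure removes this step


@dataclass
class Node:
    name: str
    kind: str                       # "AND": all children needed; "OR": any one child suffices
    children: List["Tree"] = field(default_factory=list)


Tree = Union[Leaf, Node]
Path = Tuple[int, List[str]]        # (total cost, leaf names used)


def cheapest(tree: Tree) -> Optional[Path]:
    """Return the cheapest feasible way to achieve the node's goal, or None if it is infeasible."""
    if isinstance(tree, Leaf):
        return (tree.cost, [tree.name]) if tree.possible else None
    results = [cheapest(child) for child in tree.children]
    if tree.kind == "AND":
        # One infeasible child makes the whole conjunction infeasible; otherwise costs add up.
        if any(r is None for r in results):
            return None
        return (sum(r[0] for r in results), [n for r in results for n in r[1]])
    if tree.kind == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    raise ValueError(f"unknown node kind {tree.kind!r}")


def mitigate(tree: Tree, leaf_name: str) -> Tree:
    """Return a copy of the tree in which the named leaf has been made impossible by a countermeasure."""
    new_tree = copy.deepcopy(tree)

    def mark(t: Tree) -> None:
        if isinstance(t, Leaf):
            if t.name == leaf_name:
                t.possible = False
        else:
            for child in t.children:
                mark(child)

    mark(new_tree)
    return new_tree


def build_example_tree() -> Tree:
    """Constructed sample tree: three ways to reach customer records."""
    return Node("Read customer records", "OR", [
        Node("Log in as a legitimate analyst", "AND", [
            Leaf("Phish analyst credentials", 20),
            Leaf("Bypass MFA with a real-time relay", 60),
        ]),
        Leaf("Exploit SQL injection in web app", 40),
        Leaf("Bribe a database administrator", 500),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print("baseline:", cheapest(tree))
    # Countermeasure 1: parameterised queries remove the injection leaf entirely.
    tree = mitigate(tree, "Exploit SQL injection in web app")
    print("after fixing SQLi:", cheapest(tree))
    # Countermeasure 2: phishing-resistant MFA (e.g. hardware-bound keys) removes the relay bypass.
    tree = mitigate(tree, "Bypass MFA with a real-time relay")
    print("after phishing-resistant MFA:", cheapest(tree))
```

Evaluating the tree after each mitigation is the point: the cheapest path moves from the injection leaf to the credential-plus-MFA-bypass branch and finally to the expensive insider route, which is how the tree tells you which control to fund first with limited resources.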

Risk Assessment Concepts
Odds are that your organization is completely reliant on its information security platforms. These systems could range from voice over IP networks to complex data analysis platforms. In order to assure the security posture of these environments, you must perform a risk assessment. In this module, we will address the foundational risk assessment concepts that you will need to know about in order to accomplish this task. There are a lot of different things that you will need to understand in order to perform a risk assessment. The first of these involves having a good understanding of threats and vulnerabilities. I will describe these concepts and talk about subjects such as threat events and threat sources. I will also discuss vulnerabilities and other concepts such as vulnerability complexity. You will then learn about the different types of risk assessments that are out there. I will cover risk assessment methodologies and talk about the different approaches that one can take when performing risk assessments. This will be followed by a brief discussion about accepting and assigning risk. And last but not least, we will discuss some of the more common calculations that you should be familiar with before you attempt your CISSP examination.

Countermeasure Selection Process
Once a threat has been identified, you will be challenged with finding a method of countering it. In this module, we're going to discuss what you need to know in order to select the right controls to counter threats and how the controls that you do choose might impact your organization. It is not enough to simply call out the threats that you find in your organization. You will also need to understand how an attacker thinks and what you as a CISSP can do to reduce the impact that an attack may have on the confidentiality, integrity, and availability of your system. I will begin with a discussion and explanation of what a countermeasure is and why you need to know about them. You will then learn about the primary countermeasure variations such as physical or administrative. And then we will move on to the most common types of controls that you will need to know about for the CISSP exam, such as detective controls or recovery controls. Once you have reviewed these foundational items, you will learn more about how the controls that you choose might impact your organization. I will discuss some of the things that you should know and think about when trying to determine if your controls are effective and will then close out with a couple of real-life examples that show how the different countermeasures can be used in conjunction with each other to build a solid defense-in-depth model.
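The "common calculations" from the Risk Assessment Concepts module and the control-effectiveness question from this Countermeasure Selection module fit together in one worked example. The Python below is added for this page and is not course material; it implements the standard quantitative risk formulas (single loss expectancy = asset value × exposure factor, annualized loss expectancy = SLE × annualized rate of occurrence, and the value of a safeguard = ALE before − ALE after − annual cost of the safeguard) and ranks candidate countermeasures by that value. The asset figures, the three candidate controls, and their costs and effects are all constructed numbers chosen for illustration.

```python
"""Quantitative risk calculations and countermeasure ranking.
Added example for this page; every dollar figure and control below is constructed, not from the course."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: how much of the asset's value one incident destroys."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year given the annualized rate of occurrence."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss * aro


@dataclass(frozen=True)
class Risk:
    asset_value: float
    exposure_factor: float
    aro: float

    def annual_loss(self) -> float:
        return ale(sle(self.asset_value, self.exposure_factor), self.aro)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    control_type: str           # e.g. "technical", "administrative", "physical" (the variations named in the module)
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None means the control does not change EF
    new_aro: Optional[float] = None              # None means the control does not change ARO

    def residual_risk(self, risk: Risk) -> Risk:
        """Risk that remains after this control is in place."""
        return Risk(
            asset_value=risk.asset_value,
            exposure_factor=self.new_exposure_factor if self.new_exposure_factor is not None else risk.exposure_factor,
            aro=self.new_aro if self.new_aro is not None else risk.aro,
        )


def safeguard_value(risk: Risk, cm: Countermeasure) -> float:
    """Annual value of the safeguard: ALE before minus ALE after minus what the control costs each year.
    A negative value means the control costs more than the loss it prevents."""
    return risk.annual_loss() - cm.residual_risk(risk).annual_loss() - cm.annual_cost


def rank_countermeasures(risk: Risk, candidates: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Return (name, value) pairs sorted from most to least cost-effective, dropping controls with no net benefit."""
    scored = [(cm.name, safeguard_value(risk, cm)) for cm in candidates]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed scenario: a customer database worth $200,000 with a breach expected twice a year
# that exposes a quarter of its value each time.
CUSTOMER_DB = Risk(asset_value=200_000, exposure_factor=0.25, aro=2.0)

CANDIDATES = [
    Countermeasure("Web application firewall", "technical", annual_cost=15_000, new_aro=0.5),
    Countermeasure("Security awareness campaign", "administrative", annual_cost=5_000, new_aro=1.5),
    # Reduces both how often it happens and how much is lost, but the price tag exceeds the benefit.
    Countermeasure("Enterprise DLP platform", "technical", annual_cost=90_000,
                   new_exposure_factor=0.125, new_aro=0.5),
]


if __name__ == "__main__":
    print(f"SLE: ${sle(CUSTOMER_DB.asset_value, CUSTOMER_DB.exposure_factor):,.0f}")
    print(f"ALE: ${CUSTOMER_DB.annual_loss():,.0f}")
    for name, value in rank_countermeasures(CUSTOMER_DB, CANDIDATES):
        print(f"{name}: ${value:,.0f} per year")
```

Two practical points the numbers make: the control that reduces risk the most (the DLP platform) is not selected because its annual cost exceeds the loss it prevents, and the ranking only tells you about one risk in isolation; in a real defense-in-depth design you would re-run the residual risk with the chosen control in place before evaluating the next one, since controls applied together do not simply add up.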

Frameworks
There are so many different concerns that security professionals need to be aware of and manage on a day-to-day basis. There comes a time and place where you may even need to be audited by third parties. When that time comes, I really hope that you have established some type of enterprise level security framework at your organization. In this module, I'm going to discuss why it is important for organizations to adopt a security framework, and then I will move on to describing the features of some of the more common frameworks that are being used throughout the world such as the Risk Management Framework by the National Institute of Standards and Technology, which is commonly known as the NIST RMF. I will also review FAIR, which stands for Factor Analysis of Information Risk and claims to be able to complement other frameworks. We will also take a look at OCTAVE Allegro, which stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. There are many other risk management frameworks available to the public. But odds are that for the CISSP examination, you will not be asked specific details about each framework but, rather, be provided with context that may include information about a type of framework that is being used. The selection we cover in this module covers a broad range of framework types that should help you understand the background information that you may need to know for the exam.