Official (ISC)2 Certified in Cybersecurity (CC) Self-Paced Training. (Course Introduction and Chapter 1: Security Principles)


Course Introduction


Welcome to the Official (ISC)² Certified in Cybersecurity (CC) Self-Paced Training course!

Congratulations on your interest in pursuing a career in cybersecurity. The Certified in Cybersecurity (CC) certification will demonstrate to employers that you have foundational knowledge of industry terminology, network security, security operations and policies and procedures that are necessary for an entry- or junior-level cybersecurity role. It will signal your understanding of fundamental security best practices, policies and procedures, as well as your willingness and ability to learn more and grow on the job.      


Introduction from the (ISC)² CEO

Dear Future Cybersecurity Leader:

Congratulations! You are taking the first steps along the pathway to becoming a part of the global cybersecurity community and an (ISC)2 member.

Cybersecurity is in high demand by organizations and governments globally and we need your talents to help defend and protect the information, data and systems that enable individuals, businesses and nations to thrive.

Already you have demonstrated your commitment to our mission to inspire a safe and secure cyber world. The roles in this profession are many, and earning your entry-level cybersecurity certification from (ISC)2 gives you a head start. We’re glad to have you aboard.

This course will introduce you to terminology and concepts that cybersecurity practitioners regularly use. It provides a foundation from which you can springboard into deeper learning, experience and specialization.

The domains included in our entry-level cybersecurity certification include Security Principles, Business Continuity, Disaster Recovery & Incident Response Concepts, Access Controls Concepts, Network Security and Security Operations.

I wish you the best as you engage in our learning and continue your journey to become a certified member of (ISC)².

If you need anything, do not hesitate to contact us. We are here to help you on your journey.

Sincerely,

Clar Rosso
CEO
(ISC)²


 
 

Navigate the Course


The following resources are provided to help you make the most of your experience in the (ISC)2 learning management system (LMS) and the virtual classroom. If you haven’t viewed the tutorials yet, please do so now.   


CHAPTER-01

Module 1: Getting Started


This module provides an overview of the course specifications for Official (ISC)2 Certified in Cybersecurity (CC) Self-Paced Training. 

Course Specifications

Module 2: Course Introduction


This course provides a comprehensive review of information systems security concepts, industry best practices and terminology, covering the five domains included in the CC Exam Outline:    

  1. Security Principles 
  2. Incident Response, Business Continuity and Disaster Recovery Concepts 
  3. Access Control Concepts 
  4. Network Security 
  5. Security Operations 

This self-paced course will help you transition into the cybersecurity profession by laying the foundation of your information security knowledge. 

Course Objectives

After completing this course, you will be able to:  

  1. Discuss the foundational concepts of cybersecurity principles. 
  2. Recognize foundational security concepts of information assurance. 
  3. Define risk management terminology and summarize the process. 
  4. Relate risk management to personal or professional practices. 
  5. Classify types of security controls. 
  6. Distinguish between policies, procedures, standards, regulations and laws. 
  7. Demonstrate the relationship among governance elements. 
  8. Analyze appropriate outcomes according to the canons of the (ISC)² Code of Ethics when given examples. 
  9. Practice the terminology of and review security policies. 
  10. Explain how organizations respond to, recover from and continue to operate during unplanned disruptions. 
  11. Recall the terms and components of incident response. 
  12. Summarize the components of a business continuity plan. 
  13. Identify the components of disaster recovery. 
  14. Practice the terminology and review concepts of business continuity, disaster recovery and incident response. 
  15. Select access controls that are appropriate in a given scenario. 
  16. Relate access control concepts and processes to given scenarios. 
  17. Compare various physical access controls. 
  18. Describe logical access controls. 
  19. Practice the terminology and review concepts of access controls. 
  20. Explain the concepts of network security. 
  21. Recognize common networking terms and models. 
  22. Identify common protocols and ports and their secure counterparts. 
  23. Identify types of network (cyber) threats and attacks. 
  24. Discuss common tools used to identify and prevent threats. 
  25. Identify common data center terminology. 
  26. Recognize common cloud service terminology. 
  27. Identify secure network design terminology. 
  28. Practice the terminology and review concepts of network security. 
  29. Explain concepts of security operations. 
  30. Discuss data handling best practices. 
  31. Identify key concepts of logging and monitoring. 
  32. Summarize the different types of encryption and their common uses. 
  33. Describe the concepts of configuration management. 
  34. Explain the application of common security policies. 
  35. Discuss the importance of security awareness training. 
  36. Practice the terminology and review concepts of security operations.

 

CC Exam Domain to Course Chapter Mapping

Throughout this course, exam domains and topics may be covered in several chapters. The CC Exam Domain to Course Chapter Mapping is a useful tool to help identify the chapter and module where each topic in the exam outline is covered in the course. Unique icons are also used throughout the course materials to identify exam outline domains. The mapping document is available in the course LMS.

Acknowledgements

The development of this course would not have been possible without the participation and assistance of so many people. Their contributions are sincerely appreciated and gratefully acknowledged.    

Contributing Authors/Technical Editors

  • Dr. "Scuba" Steve Gary, PhD, CISSP 

  • Ben Malisow, CISSP, CCSP, SSCP 

  • Simon Salmon, CISSP, CSSLP

Copyright Acknowledgment:  

This course contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the authors and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.    

Among the sources of quoted material in this document are United States government publications. Further information about copyright is available from the U.S. Copyright Office at https://www.copyright.gov.  

No part of this course material may be reprinted, reproduced, transmitted or utilized in any form by any electronic, mechanical or other means, now known or hereafter invented, including photocopying, microfilming and recording or in any information storage or retrieval system, without written permission from the publishers.

 

Table of Contents

  • Course Introduction

  • Chapter 1: Security Principles

  • Chapter 2: Incident Response, Business Continuity and Disaster Recovery

  • Chapter 3: Access Control Concepts

  • Chapter 4: Network Security 

  • Chapter 5: Security Operations

  • Course Conclusion

Course Disclaimers 

(ISC)² prides itself on providing a vendor neutral approach to all domains of information security. There is no shortage of open source and proprietary tools that an information security professional can utilize in practice. To enhance the learning of key concepts in our courses, we may choose to reference and/or leverage specific tools as mechanisms to facilitate your learning. We understand that the tools that (ISC)² Education utilizes as examples are among a wide array that are available. The use of a specific tool is in no way intended to be an endorsement of any particular product, service or vendor.  

In some cases, course activities are based on fictional stories/scenarios and do not depict any actual person, organization or event. Any similarities to actual persons, organizations or events are purely coincidental.  

The information provided in this course is for educational purposes only. (ISC)² accepts no responsibility or liability whatsoever for the use or misuse of any information herein. As a reminder, all (ISC)² members are required to commit to the Code of Ethics. 

(ISC)² Code of Ethics

Code

All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breaches the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV. 

There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional. 

Code of Ethics Preamble

• The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. 
• Therefore, strict adherence to this Code is a condition of certification. 

Code of Ethics Canons:

• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.

For more information on the Code of Ethics, please visit the (ISC)² website. 

Pre-Course Assessment

Chapter 1: Security Principles

Chapter 1 Agenda

Module 1: Understand the Security Concepts of Information Assurance (D1.1)

Module 2: Understand the Risk Management Process (D1.2)

Module 3: Understand Security Controls (D1.3)

Module 4: Understand Governance Elements (D1.5)

Module 5: Understand (ISC)2 Code of Ethics (D1.4)

Module 6: Summary

Chapter at a Glance

While working through chapter 1, Security Principles, make sure you: 

• Complete the Knowledge Check: Security Concepts
• Complete the Knowledge Check: Protecting Information
• Complete the Knowledge Check: Risk Terms
• Complete the Knowledge Check: Risk Treatment
• Complete the Knowledge Check: Security Controls
• Complete the Knowledge Check: Controls and the Triad
• Complete the Knowledge Check: Governance Terms
• Complete the Knowledge Check: Relating Governance Elements
• Complete the Knowledge Check: Applying the Code
• Complete the Knowledge Check: What is the Appropriate Action?
• View the Chapter 1 Summary
• Take the Chapter 1 Quiz
• View the Terms and Definitions 

Chapter 1 Overview

Learning Objectives

Domain 1: Security Principles

After completing this chapter, the participant will be able to: 

L1 Discuss the foundational concepts of cybersecurity principles.
L1.1.1 Recognize foundational security concepts of information assurance.
L1.2.1 Define risk management terminology and summarize the process.
L1.2.2 Relate risk management to personal or professional practices.
L1.3.1 Classify types of security controls.
L1.4.1 Distinguish between policies, procedures, standards, regulations and laws.
L1.4.2 Demonstrate the relationship among governance elements.
L1.5.1 Analyze appropriate outcomes according to the canons of the (ISC)2 Code of Ethics when given examples.
L1.6.1 Practice the terminology and review security principles.

Watch this video to meet your hosts for this course, Manny and Tasha, and the crew at JavaSip. 

Manny: Hello, my name is Manny, and welcome to (ISC)2 and the world of cybersecurity. We are so glad you're here. As a guidance counselor at the local high school, I work with young people making choices about their futures. I talk to them about career opportunities in cybersecurity. The demand for cybersecurity professionals is high right now. Did you know cybersecurity jobs are growing at an unprecedented rate, and are expected to keep growing?
Tasha: And the need is just as pressing in countries around the globe. Congratulations on taking this step toward a dynamic and rewarding career as a cybersecurity professional. My name is Tasha, and I'm a professor at the local university. Manny and I will be your guides through this course.
Manny: Let's get started with this first chapter, where you’ll learn about the security principles, concepts of information assurance, and the risk management process. You'll also explore the safeguards and countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the network and its information.
Tasha: Next, you'll be introduced to organizational security roles and governance. And finally, we'll cover the (ISC)2 code of ethics, which all members of (ISC)2 commit to.
Manny: But first, we'll introduce you to JavaSip, our favorite coffee shop.
Tasha: Sandra owns and operates the coffee shop, and it's a family affair. Nate is the manager, and her son Keith works there as well.
Manny: We're not the only regular customers. Susan comes in every day. She's also a member of (ISC)2 and is a Systems Security Certified Practitioner.
Tasha: SSCP for short. Susan works in a security operations center for a nearby financial services company.
Manny: Finally, Gabriela is a friend of Keith's. She's in her first year at the local university and was recently hired as a barista.
Tasha: Unfortunately, Keith isn't too keen about working for his mom at the coffee shop, and he wants to find something more meaningful that will help others and make a difference. We'll follow Keith's story as he figures out what he wants to do.

Keith's Story

Manny: It's time to check in with our friends at JavaSip.
Tasha: Keith has finished his university studies but doesn't know what to do next. He's working at JavaSip because it's convenient. His mother, Sandra, owns the place.
Manny: But this is not his dream job. Unfortunately, he has no idea what his dream job may be.
Tasha: Let's see what he's thinking about his future.
Sandra: I don't know why you're not happy here. This is a great job. It's flexible, you get to meet some interesting people. You get to work with your wonderful mother all day.
Keith: Ah, yes, aren't I lucky?
Sandra: Someday this could be all yours and Nate's.
Keith: Yeah, Nate loves business, and he loves it here. But Mom, I want to do something different. I don't know what it is, but I'll figure it out.
Sandra: I know you will, Keith. You are an intelligent young man. In the meantime, I am happy to have you working with us.
Keith: Thanks, Mom.
Manny: I remember those years. It's hard to know what you want to do when you're young.
Tasha: Sometimes it's hard to know what you want when you're older, too.
Manny: That's true. If only we could help Keith discover a rewarding career that would suit him.
Tasha: Indeed.

Module 1: Understand the Security Concepts of Information Assurance


Domain D1.1.1, D1.1.2, D1.1.3, D1.1.4, D1.1.5, D1.1.6

Module Objective

  • L1.1.1 Recognize foundational security concepts of information assurance.

Manny: A career in cybersecurity is dynamic, and in this module, we'll cover the concepts at the heart of it.
Tasha: That's right, Manny. We'll introduce the security concepts of information assurance and cover topics like the CIA triad, authentication, and privacy.
Manny: The CIA triad? That sounds like something out of a James Bond movie.
Tasha: CIA is a basic principle behind everything we do in cybersecurity. Let's find out more.

Susan's Morning Cup of Joe

Tasha: Now that we've heard a little bit about cybersecurity as a profession, do you know who's a great person to learn more from?
Manny: Who?
Tasha: Susan! She's an SSCP, which means she earned her Systems Security Certified Practitioner certification from (ISC)2. She's working as a data security analyst, and with the SSCP certification, her career is taking off. Susan stops into JavaSip every morning for a cup of coffee on her way to work. This morning, she observes that Keith is looking sad.
Susan: Hey, Keith. You having a hard morning? You seem a little down.
Keith: Yeah, I was up late last night, searching the internet trying to figure out what to do with my life. You're in cybersecurity, right?
Susan: Mm-hmm.
Keith: Yeah, I was searching the internet and found out that that's one of the fastest growing careers, but what does that even mean?
Susan: Well, yes, I am in cybersecurity, and it means that I protect online data from being stolen or altered. Yeah, I assess risks to our network and respond with various safeguards. You think you might be interested in cybersecurity?
Keith: Oh, no. I'm not that good with computers. Plus, I took a computer programming class in high school and that didn't turn out too well. So don't ask me if I was good at math because I'm not. Besides, I couldn't sit at a desk and code all day.
Susan: Keith, cybersecurity professionals do not have to be coders, you know? I've seen you on the coffee shop's laptop and on your own devices a lot. You seem pretty knowledgeable to me.
Keith: Yeah, but cybersecurity seems intimidating. It's like you have to be a tech expert or something, like you.
Susan: Let me put it this way. You know the fire inspectors who come to JavaSip every year? They check to make sure the building aligns with safety standards and that you have smoke alarms and escape routes.
Keith: Yeah. I always appreciate a good report.
Susan: Yeah, well, part of my job is a lot like the fire inspector. I check to make sure the infrastructure aligns with standards, both in the physical building and in the way we handle our data, and I check to make sure that everybody knows what to do in case of an emergency. If a problem does occur, then I'm a little like a paramedic trying to assess and treat any injuries after an accident. Then, I might behave like a detective, tracking down what happened so it doesn't happen again. Sometimes, I even feel like a fortune teller trying to predict the future so that we can be protected against any unknown threats.
Keith: Yeah. That seems like an interesting image, all right?
Susan: Yeah. Does that sort of thing appeal to you? Because I have heard you say that you want to help people in a meaningful way, and in cybersecurity you can help all kinds of people, companies, and even the world protect personal information and online data.
Keith: Yeah. I'd like to learn more about it. Thanks, Susan.
Susan: Yeah, I'd love to chat more, but I should get to the office now. I don't want any bad actors penetrating our computer network while I'm out enjoying a cup of coffee. Have a good day, Keith.
Keith: You, too.

The CIA Triad

To define security, it has become common to use Confidentiality, Integrity and Availability, also known as the CIA triad. The purpose of these terms is to describe security using relevant and meaningful words that make security more understandable to management and users and define its purpose.

The CIA Triad Deep Dive

VIDEO: CIA in the Real World

Narrator: It’s important to have a comprehensive approach to maintaining the CIA Triad: confidentiality, integrity, and availability. These are the foundations of the cybersecurity domain.

Confidentiality means that no private information has been disclosed to unauthorized individuals. We need to ensure that personally identifiable information, also known as PII, is protected. If you are part of a security team, your goal is to protect the assets or the information of large corporations or multiple individuals. For example, if you work in banking, health care or insurance companies, you have multiple personal identifiers to protect.

Integrity ensures that this information is not being corrupted or changed without the information owner’s permission. It confirms that the information being maintained is complete and accurate and consistent with the legitimate use of that information.

Interfering with the integrity of information can have serious ramifications. For example, someone without authority changes someone’s medical information, and now a patient may be in jeopardy because someone changed that vital information.

Our job is to maintain the security of that information so that no one, unless authorized to do so, changes any part of the information we are protecting.

Availability is critical because it is essential that authorized users have access to important information in a timely manner. Cyberattacks that disrupt services often target the availability of data. A business cannot function if its employees and customers cannot access their information in a timely manner. A ransomware attack, for example, may lock up a system and block access to vital information and services. That access will not be restored until a payment is made.
 

Authentication

When users have stated their identity, it is necessary to validate that they are the rightful owners of that identity. This process of verifying or proving the user’s identification is known as authentication. Simply put, authentication is a process to prove the identity of the requestor.

There are three common methods of authentication:

  • Something you know: Passwords or passphrases
  • Something you have: Tokens, memory cards, smart cards
  • Something you are: Biometrics, measurable characteristics

Methods of Authentication

There are two types of authentication. Using only one of the methods of authentication stated previously is known as single-factor authentication (SFA). Granting users access only after successfully demonstrating or displaying two or more of these methods is known as multi-factor authentication (MFA).

Common best practice is to implement at least two of the three common techniques for authentication: 

  • Knowledge-based 
  • Token-based 
  • Characteristic-based  

Knowledge-based authentication uses a passphrase or secret code to differentiate between an authorized and unauthorized user. If you have selected a personal identification number (PIN), created a password or some other secret value that only you know, then you have experienced knowledge-based authentication. The problem with using this type of authentication alone is that it is often vulnerable to a variety of attacks. For example, the help desk might receive a call to reset a user’s password. The challenge is ensuring that the password is reset only for the correct user and not someone else pretending to be that user. For better security, a second or third form of authentication that is based on a token or characteristic would be required prior to resetting the password. A user ID and a password together are still a single factor: the user ID is an identifier, not a secret, and the password is the only thing known, so both fall under the same category. Because the combination does not meet the requirement of using two or more of the authentication methods stated, it is not considered MFA. 
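As an added example (not part of the (ISC)2 course material), here is what the categories above look like in working code: a knowledge factor, stored as a salted PBKDF2 password hash and checked with a constant-time comparison, and a possession factor, a time-based one-time code (TOTP, RFC 6238) of the kind an authenticator app or hardware token produces, followed by the policy check the paragraph describes: only factors from two different categories count as MFA, so a password plus a PIN does not. The user record, the salt and the PBKDF2 work factor are constructed for the illustration; the TOTP secret is the one from the RFC 6238 test vectors so the codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumption: a reasonable work factor; tune to your hardware

# --- Something you know: a salted, iterated password hash ------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time: no timing leak

# --- Something you have: TOTP (RFC 6238, built on HOTP from RFC 4226) -------
def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a single time step (counter = unix_time // 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = int((time.time() if now is None else now) // step)
    return any(hmac.compare_digest(totp(secret, counter + d), code)
               for d in range(-window, window + 1))

# --- Policy: MFA means factors from at least two DIFFERENT categories --------
FACTOR_CATEGORY: Dict[str, str] = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "totp": "possession", "smart_card": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def is_multi_factor(verified_factors: List[str]) -> bool:
    """Password + PIN are both 'knowledge', so that pair is still single-factor."""
    return len({FACTOR_CATEGORY[f] for f in verified_factors}) >= 2

def authenticate(user: Dict[str, bytes], password: Optional[str],
                 code: Optional[str], now: Optional[float] = None) -> Dict[str, object]:
    """Check each presented credential independently, then apply the MFA policy."""
    verified: List[str] = []
    if password is not None and verify_password(password, user["salt"], user["pw_hash"]):
        verified.append("password")
    if code is not None and verify_totp(user["totp_secret"], code, now):
        verified.append("totp")
    return {"verified": verified, "mfa": is_multi_factor(verified)}

if __name__ == "__main__":
    # Constructed sample enrolment: a fixed salt so the run is reproducible.
    salt, pw_hash = hash_password("correct horse battery staple", salt=b"\x01" * 16)
    user = {"salt": salt, "pw_hash": pw_hash, "totp_secret": b"12345678901234567890"}
    # At unix time 59 the RFC 6238 SHA-1 vector is 94287082; its 6-digit form is 287082.
    print(authenticate(user, "correct horse battery staple", "287082", now=59))
    print(authenticate(user, "correct horse battery staple", "000000", now=59))
```

The two checks run independently and the policy is applied afterwards, so a correct password with a wrong code reports a single verified factor and `mfa: False` rather than granting access; the drift window is the usual one-step tolerance and should not be widened casually, since every extra step multiplies the number of codes an attacker can guess.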

VIDEO: Proving Identity

Narrator: Let us explore authentication a little more. Many of us are already accustomed to different ways of proving who we are, and we do it perhaps without even knowing it.

Usually, we are asked to authenticate our identities by using something that we know, such as a password or pass phrase. That is one factor of authentication. Then we use something that only we have, such as a token or card. That gives us two different factors of authentication.

When you go to the bank and use your ATM card, you may have a username and password or a specific code, such as a PIN. You HAVE the card, and you KNOW the PIN. So that is one form of multifactor authentication. Someone with just the card cannot access the money.

Then, increasingly, we also provide something that we are, with biometrics. This can be a fingerprint or another type of measurable characteristic, such as facial recognition or an iris scan. We see these elements of the authentication process on a daily basis. This adds another layer of multi-factor authentication.

Non-repudiation

Non-repudiation is a legal term and is defined as the protection against an individual falsely denying having performed a particular action. It provides the capability to determine whether a given individual took a particular action, such as created information, approved information or sent or received a message.

In today’s world of e-commerce and electronic transactions, there are opportunities for the impersonation of others or denial of an action, such as making a purchase online and later denying it. It is important that all participants trust online transactions. Non-repudiation methodologies ensure that people are held responsible for transactions they conducted. 
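The following is an added example, not code from the course, that serves both the integrity discussion in the CIA video above and this section. The same transaction record is protected two ways. An HMAC with a shared key proves integrity to anyone holding that key, but because both ends can compute it, neither end can be held to have produced it: the receiver could mint a tag for a record the sender never approved. A digital signature is made with a key only the signer holds, so a valid signature ties the action to that key holder, which is what non-repudiation needs. The RSA parameters here are an assumption made for illustration: two fixed small primes, no padding, a 92-bit modulus, so that the block runs on the standard library alone. That is textbook RSA and must not be used for anything real; production code uses RSA-PSS or Ed25519 from a vetted library. The sample record and MAC key are constructed as well.

```python
import hashlib
import hmac
import json
from typing import Dict

def canonical(record: Dict[str, object]) -> bytes:
    """Serialise deterministically so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

# --- Integrity with a SHARED key: HMAC-SHA256 ------------------------------
def mac_record(record: Dict[str, object], key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_mac(record: Dict[str, object], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_record(record, key), tag)

# --- Non-repudiation with a PRIVATE key: textbook RSA signature -------------
# Demo-only parameters (assumption): two known Mersenne primes, no padding,
# ~92-bit modulus. NOT secure. Real systems: >=2048-bit RSA-PSS or Ed25519.
P = 2147483647                       # 2**31 - 1
Q = 2305843009213693951              # 2**61 - 1
N = P * Q
E = 65537                            # public exponent, given to everyone
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the signer

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(record: Dict[str, object], private_exp: int = D) -> int:
    """Only the holder of D can produce this value for a given record."""
    return pow(_digest_int(canonical(record)), private_exp, N)

def verify_signature(record: Dict[str, object], signature: int, public_exp: int = E) -> bool:
    """Anyone with the public exponent can check it; nobody else can forge it."""
    return pow(signature, public_exp, N) == _digest_int(canonical(record))

def receiver_can_forge(record: Dict[str, object], key: bytes) -> Dict[str, bool]:
    """The receiver holds the MAC key, so it can mint a tag for any record it
    likes; with only the public exponent, its attempt at a signature fails."""
    forged_tag = mac_record(record, key)                        # receiver has `key`
    forged_sig = pow(_digest_int(canonical(record)), E, N)      # receiver lacks D
    return {"mac_accepted": verify_mac(record, key, forged_tag),
            "signature_accepted": verify_signature(record, forged_sig)}

if __name__ == "__main__":
    # Constructed sample transaction and constructed shared MAC key.
    order = {"from": "acct-1001", "to": "acct-2002", "amount": 250.00, "seq": 17}
    key = b"shared-secret-between-bank-and-customer"
    tag, sig = mac_record(order, key), sign(order)
    tampered = dict(order, amount=2500.00)
    print("integrity (original, tampered):", verify_mac(order, key, tag), verify_mac(tampered, key, tag))
    print("signature (original, tampered):", verify_signature(order, sig), verify_signature(tampered, sig))
    print("receiver forgery attempt:", receiver_can_forge(tampered, key))
```

Both mechanisms catch the tampered amount, which is the integrity property. Only the signature lets a third party settle a later dispute, because the receiver, or anyone else, could have produced the MAC but not the signature. Note the `canonical` step: signing a dictionary's default string form would let two equivalent records hash differently, so always sign a fixed serialisation.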

 


Privacy

Privacy is the right of an individual to control the distribution of information about themselves. While security and privacy both focus on the protection of personal and sensitive data, there is a difference between them: security protects data against unauthorized access and misuse, while privacy governs what may be collected, retained and shared in the first place. With the increasing rate at which data is collected and digitally stored across all industries, the push for privacy legislation and compliance with existing policies steadily grows.

In today’s global economy, privacy legislation and regulations on privacy and data protection can impact corporations and industries regardless of physical location. Global privacy is an especially crucial issue when considering requirements regarding the collection and security of personal information. There are several laws that define privacy and data protection, which periodically change. Ensuring that protective security measures are in place is not enough to meet privacy regulations or to protect a company from incurring penalties or fines from mishandling, misuse, or improper protection of personal or private information.

An example of a law with multinational implications is the European Union’s General Data Protection Regulation (GDPR), which applies to all organizations, foreign or domestic, that do business in the EU or process the personal data of persons in the EU. Companies operating or doing business within the United States may also fall under several state legislations that regulate the collection and use of consumer data and privacy. Likewise, member nations of the EU enact laws to put GDPR into practice and sometimes add more stringent requirements. These laws, including national- and state-level laws, dictate that any entity anywhere in the world handling the private data of people in a particular legal jurisdiction must abide by its privacy requirements. As a member of an organization's data protection team, you will not be required to interpret these laws, but you will need an understanding of how they apply to your organization.

 

Privacy in the Working Environment

Narrator: Privacy is a major component of information security. Once we know how private the information is, we know what appropriate controls can be implemented. A number of standards, policies and procedures govern privacy in the working environment, and these vary by geographic region. In the United States, HIPAA, the Health Insurance Portability and Accountability Act, controls how the privacy of medical information must be maintained. In the European Union (EU), the General Data Protection Regulation gives anyone within the borders of the EU control over what personal information companies can compile and retain about them. As a security professional, it’s important to be aware of privacy laws and regulations in all jurisdictions where your company conducts business. When doing business in other countries, we must be aware of their privacy standards and regulations and act accordingly.

 

Module 2: Understand the Risk Management Process


Domain D1.2.1, D1.2.2
Module Objectives

    L1.2.1 Define risk management terminology and summarize the process.
    L1.2.2 Relate risk management to personal or professional practices.

Risks and security-related issues represent an ongoing concern of businesses as well as the field of cybersecurity, but far too often organizations fail to proactively manage risk. Assessing and analyzing risk should be a continuous and comprehensive exercise in any organization. As a member of an organization’s security team, you will work through risk assessment, analysis, mitigation, remediation and communication.

There are many frameworks and models used to facilitate the risk management process, and each organization makes its own determination of what constitutes risk and the level of risk it is willing to accept. However, there are commonalities among the terms, concepts and skills needed to measure and manage risk. This module gets you started by presenting foundational terminology and introducing you to the risk management process.

First, a definition: risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of:

  • the adverse impacts that would arise if the circumstance or event occurs, and
  • the likelihood of occurrence.

Information security risk reflects the potential adverse impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems. This definition represents that risk is associated with threats, impact and likelihood, and it also indicates that IT risk is a subset of business risk.

Introduction to Risk Management 

Narrator: Information assurance and cybersecurity are greatly involved with the risk management process.

The level of cybersecurity required depends on the level of risk the entity is willing to accept; that is, the potential consequences of what's going on in our environment. Once we evaluate this risk, then we will implement security controls to mitigate the risk to the level that we find acceptable.

Risks can be from cyberattacks, such as malware, social engineering, or denial-of-service attacks, or from other situations that affect our environment, such as fire, violent crime, or natural disasters. With well-designed risk management technologies, we can recognize vulnerabilities and threats, and calculate the likelihood and the potential impact of each threat.

Importance of Risk Management 

Narrator: What do we mean when we say threats and vulnerabilities? A vulnerability is a gap or weakness in an organization’s protection of its valuable assets, including information. A threat is something or someone that aims to exploit a vulnerability to gain unauthorized access.

By exploiting a vulnerability, the threat can harm an asset. For example, a natural disaster, such as a major storm, poses a threat to the utility power supply, which is vulnerable to flooding. The IT environment where production takes place is an asset. If the utility power supply is cut off by a storm, the asset might be made unavailable, because the IT components won’t work without power. Our job is to evaluate how likely it is that an event will take place and take appropriate actions to mitigate the risk.

Risk Management Terminology


Security professionals use their knowledge and skills to examine operational risk management, determine how to use risk data effectively, work cross-functionally and report actionable information and findings to the stakeholders concerned. Terms such as threats, vulnerabilities and assets are familiar to most cybersecurity professionals.

  • An asset is something in need of protection.
  • A vulnerability is a gap or weakness in those protection efforts.
  • A threat is something or someone that aims to exploit a vulnerability to thwart protection efforts.

Risk is the intersection of these terms. Let's look at them more closely.



Threats

Narrator: Tourists are popular targets for pickpockets. The existence of pickpockets in a
crowded tourist spot is a threat to the people gathered there. That threat applies to everyone
in the vicinity, even other pickpockets. If you are in the vicinity and the pickpocket has
identified you as a target, you are facing a threat actor whether you know it or not.
The approach and technique taken by the pickpocket is their threat vector.

In the context of cybersecurity, typical threat actors include the following:

  • Insiders (either deliberately, by simple human error, or by gross incompetence).
  • Outside individuals or informal groups (either planned or opportunistic, discovering vulnerability).
  • Formal entities that are nonpolitical (such as business competitors and cybercriminals).
  • Formal entities that are political (such as terrorists, nation-states, and hacktivists).
  • Intelligence or information gatherers (could be any of the above).
  • Technology (such as free-running bots and artificial intelligence, which could be part of any of the above).

*Threat Vector: The means by which a threat actor carries out their objectives.


Vulnerabilities

A vulnerability is an inherent weakness or flaw in a system or component, which, if triggered or acted upon, could cause a risk event to occur. Consider again the pickpocket scenario.

An organization’s security team strives to decrease its vulnerability. To do so, they view their organization with the eyes of the threat actor, asking themselves, “Why would we be an attractive target?” The answers might provide steps to take that will discourage threat actors, cause them to look elsewhere or simply make it more difficult to launch an attack successfully. For example, to protect yourself from the pickpocket, you could carry your wallet in an inside pocket instead of the back pant pocket or behave alertly instead of ignoring your surroundings. Managing vulnerabilities starts with one simple step: Learn what they are.

Narrator: Let's say the pickpocket chooses you as a target because they see that it will be easier or
more profitable to steal from you. Maybe you are distracted, have jewelry that is easy to snatch, or
appear weak and less likely to put up a struggle. In other words, you appear more vulnerable than the
other tourists and the pickpocket feels that they can exploit that vulnerability or weakness.

Likelihood

When determining an organization’s vulnerabilities, the security team will consider the probability, or likelihood, of a potential vulnerability being exploited within the construct of the organization’s threat environment. Likelihood of occurrence is a weighted factor based on a subjective analysis of the probability that a given threat or set of threats is capable of exploiting a given vulnerability or set of vulnerabilities.

Finally, the security team will consider the likely results if a threat is realized and an event occurs. Impact is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

 Think about the impact and the chain of reaction that can result when an event occurs by revisiting the pickpocket scenario:

Narrator: How do the pickpocket's actions affect your ability to continue your journey? If you appear to
be a weak target and the pickpocket chooses to take your money by brute force, will you be able to
obtain more cash to complete your vacation or even return home? The downstream impact must also
be considered. What if you are injured and require medical treatment or even hospitalization? Impact
does not often stop with the incident itself.

Risk Identification

How do you identify risks? Do you walk down the street watching out for traffic and looking for puddles on the ground? Maybe you’ve noticed loose wires at your desk or water on the office floor? If you’re already on the lookout for risks, you’ll fit with other security professionals who know it’s necessary to dig deeper to find possible problems.  

In the world of cyber, identifying risks is not a one-and-done activity. It’s a recurring process of identifying different possible risks, characterizing them and then estimating their potential for disrupting the organization.  

It involves looking at your own organization and analyzing its particular situation. Security professionals know their organization’s strategic, tactical and operational plans.

Takeaways to remember about risk identification: 

  • Identify risk to communicate it clearly. 
  • Employees at all levels of the organization are responsible for identifying risk.
  • Identify risk to protect against it. 

As a security professional, you are likely to assist in risk assessment at a system level, focusing on process, control, monitoring or incident response and recovery activities. If you’re working with a smaller organization, or one that lacks any kind of risk management and mitigation plan and program, you might have the opportunity to help fill that planning void.

Risk Assessment

Risk assessment is defined as the process of identifying, estimating and prioritizing risks to an organization’s operations (including its mission, functions, image and reputation), assets, individuals, other organizations and even the nation. Risk assessment should result in aligning (or associating) each identified risk resulting from the operation of an information system with the goals, objectives, assets or processes that the organization uses, which in turn aligns with or directly supports achieving the organization’s goals and objectives. 

A common risk assessment activity identifies the risk of fire to a building. While there are many ways to mitigate that risk, the primary goal of a risk assessment is to estimate and prioritize. For example, fire alarms are the lowest cost and can alert personnel to evacuate and reduce the risk of personal injury, but they won’t keep a fire from spreading or causing more damage. Sprinkler systems won’t prevent a fire but can minimize the amount of damage done. However, while sprinklers in a data center limit the fire’s spread, it is likely they will destroy all the systems and data on them. A gas-based system may be the best solution to protect the systems, but it might be cost-prohibitive. A risk assessment can prioritize these items for management to determine the method of mitigation that best suits the assets being protected. 

The result of the risk assessment process is often documented as a report or presentation given to management for their use in prioritizing the identified risk(s). This report is provided to management for review and approval. In some cases, management may indicate a need for a more in-depth or detailed risk assessment performed by internal or external resources.

Risk Treatment 

Risk treatment relates to making decisions about the best actions to take regarding the identified and prioritized risk. The decisions made are dependent on the attitude of management toward risk and the availability — and cost — of risk mitigation. The options commonly used to respond to risk are:


  • Avoidance: Risk avoidance is the decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.
  • Acceptance: Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.
  • Mitigation: Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be mitigated, but mitigations such as safety measures should always be in place.
  • Transfer: Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.

Risk Management Process

Narrator: As we mentioned before, an asset is something that we need to protect. It can be
information, or it can be an actual physical piece of equipment, such as a rack in the server
room or a computer or tablet or even a phone. A vulnerability is a weakness in the system. It
can be due to lack of knowledge, or possibly outdated software. For example, perhaps we don't
have a current operating system, or our awareness training is lacking. A threat is something or
someone that could cause harm once they learn that we have a weakness. For example, if we
have a back door open, either logically, in our website, or even physically in the back office,
someone can exploit that weakness and take advantage of that gap in our defenses to access
information.
The likelihood or the probability of that happening depends on the overall environment. In an
environment that's extremely secure, such as a data center or a bank, the likelihood that
someone can come in and rob the bank is very low. Whether they are seeking access through a
web browser, or physically into the actual bank, their likelihood of success is not high because
security is very strong.
In other situations, where we have fewer levels of security, the likelihood that the environment
can be compromised is much higher. In our daily accounts, we often only have one username
and a password and that is the extent of our defenses. Anyone who obtains that username and
password can gain access; therefore, the likelihood that this environment can be compromised
is very high.
As a first step in the risk management process, organizations need to figure out how much risk
they are willing to take. This is called a risk appetite or risk tolerance. For a very trivial example,
if you are a big fan of football or a particular TV program, you will have a low tolerance for
having a power outage during a big game or your favorite program. You also need to have
power when you are trying to access important documents or sites for your business, so your
risk appetite depends on how important that asset is. If your data is extremely sensitive, you
will naturally be extremely averse to having any risk of a breach. To mitigate the risk, one
option is to hire another company with the expertise to help you maintain the security of your
environment. This will help reduce the risk. You would also consider implementing some
security controls, which we will explore shortly.
If we don't have the competence or the means to protect sensitive information, sometimes we
need to avoid the risk. This means removing ourselves from a situation that can result in
problems and refraining from initiating risky activities until we achieve a certain level of
comfort with our security. We can also share or transfer the risk by obtaining cybersecurity
insurance, so the insurance company assumes the risk. While it is nearly impossible to remove
all risk, once we have done enough to reduce or transfer the risk, and we are comfortable with
the situation, then we can accept the level of risk that remains.


Risk Treatment

When a company chooses to ignore a risk and proceed with a risky activity, which treatment is being applied by default? (D1, L1.2.2)

Risk Management: Susan’s Good News

Manny: The last time we saw Susan, she stepped into JavaSip for a cup of coffee and spoke to
Keith about her job as a data security analyst in a security operations center.
Tasha: Or, as Susan calls it, the SOC.
Manny: But what is a SOC, anyway?
Tasha: It's like headquarters for an information security team. That's where they monitor,
detect, and analyze events on the network so they can prevent and resolve issues before they
disrupt the business.
Manny: That sounds cool. Well, I bet with her coffee in hand, Susan is ready for another busy
day at the fast-paced environment of the SOC.
Tasha: That's right. Let's see how it's going for her.
Manny: It's a good day for Susan. Upon arriving at the SOC where she's worked for two years as
a senior data security analyst, Susan hears that she's just been promoted to manager.
Tasha: That's so exciting! Now, she reports directly to the chief information security
officer, known as a CISO.
Manny: And she's now responsible for the management, operations, safety, and security of the
SOC.
Tasha: That must have been some cup of coffee. Let's listen in as she makes a presentation to
her boss and colleagues just a few days after the promotion.
Susan: Hi, everyone. Thank you all for coming. Okay, so one of my first goals in my new role was
assessing the skill set of our current staff and highlighting the current and future needs of the
SOC.
Using a template provided by our CISO, I carefully considered the company's goals, as well as
the milestones of the larger projects and considered staffing needs. During this process, I
identified a risk in relation to staffing and conducted an assessment. I plan to make a
recommendation on whether the company should mitigate, avoid, transfer, or accept this risk.
Tasha: Evaluating risk is a big part of Susan's new job. Let's hear a little more about how she
does this.
Susan: As we all know, our staff is a dynamic team challenged by the volume and growing
sophistication of the cyber threat alerts that they are receiving. Because of the fast pace and
the high level of manual triage needed to address these threats, there is a potential for high
turnover among the Tier One and the Tier Two incident response teams. And because hiring,
onboarding, and training new staff takes time, turnover could mean that there are fewer
trained associates available to triage or escalate these threats. The training of new staff is not
only time-consuming and costly, but it also represents an increased cyber risk to the company.
Now, I have access to some data, including quarterly hiring reports from HR and the number of
incidents that are triaged each week, but I decided that I didn't have enough information to do
a quantitative risk assessment. However, a qualitative risk assessment may be well-suited for
this situation because it allows us to rank or estimate the probability of a particular risk
occurring and the loss or impact of that risk using terms such as high, low, moderate, and
severe. This will provide me with enough information in my report to allow the leadership team
to decide if any further analysis is needed.
Tasha: Susan can use a graphical representation to help her evaluate and communicate
potential risk.
Susan: Now, I'm going to use a risk matrix to determine the likelihood of the operational risk
occurring. Having worked in the SOC myself for several years, I have personally witnessed
a high turnover rate among the SOC staff. So, I think that there is a moderate to high chance of
the risk occurring, meaning this risk belongs in the upper quadrants of the matrix. And I just
need to figure out if the risk carries a high or low impact on the organization as a whole.
Manny: When Susan determines the quadrant, which will be covered more shortly, she can
include in her report a recommendation suggesting risk mitigation, avoidance, transference, or
acceptance.
Tasha: This recommendation could also help company management to prioritize the risk and
enable the organization to balance immediate and longer-term cost and benefits.
Manny: Good work, Susan. We know you'll do great in your new position.

Risk in Our Lives

Narrator: On a personal level, one example of a threat and its impact is unauthorized charges
on your credit card. It’s a good idea not to store your credit information in your phone or on
your web browser, even though that is convenient for online shopping. Most banks won’t
charge you for unauthorized purchases, but it may result in your account being frozen when
you are trying to use it, or the hassle of replacing a card that has been compromised and
updating any subscriptions or bills that were paid directly with that card. If you identify a risk
beforehand, you can mitigate it by adding layers of security, such as multifactor authorization.
Most bank websites either require or at least encourage you to set up multifactor
authentication when you access your account, so you need a username and password and also
a code sent to your email or your cellphone.
Another example of handling risk is when you book a vacation. For example, you might be
considering a Caribbean cruise where the weather can be a factor and your trip could be
cancelled. In that case, you purchase travel insurance to transfer the risk, so you don’t lose out
on your prepaid expenses and deposits if something happens to prevent the trip.
Other types of insurance are also ways to transfer risk. You might purchase additional health
care coverage, to cover your expenses if you have an accident. If you are concerned about
identity theft, there are companies that offer an insurance policy for managing your identity.
These companies are involved in their own form of financial risk management, calculating that
your premium payments or subscription payments will exceed the payouts they will have to
make in the event of a claim.

Risk Priorities

When risks have been identified, it is time to prioritize and analyze core risks through qualitative risk analysis and/or quantitative risk analysis. This is necessary to determine root causes and to separate the core risks from those that are merely apparent. Security professionals work with their teams to conduct both qualitative and quantitative analysis. 

Understanding the organization’s overall mission and the functions that support the mission helps to place risks in context, determine the root causes and prioritize the assessment and analysis of these items. In most cases, management will provide direction for using the findings of the risk assessment to determine a prioritized set of risk-response actions.

(Chart: priority increases as a risk moves from low probability and low impact toward high probability and high impact.)

One effective method to prioritize risk is to use a risk matrix, which helps identify priority as the intersection of likelihood of occurrence and impact. It also gives the team a common language to use with management when determining the final priorities. For example, a low likelihood and a low impact might result in a low priority, while an incident with a high likelihood and high impact will result in a high priority. Assignment of priority may relate to business priorities, the cost of mitigating a risk or the potential for loss if an incident occurs.
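The risk matrix described above, combined with the four treatment options from the Risk Treatment section and a tolerance threshold of the kind discussed under Risk Tolerance, as a worked example in Python. This is an added illustration and not part of the (ISC)² course material; the 1-5 likelihood and impact scales, the priority band cut-offs, the treatment rules, the tolerance value and every entry in the risk register are constructed for the example.

```python
"""Qualitative risk matrix worked example (added illustration, not (ISC)2 material).

Each risk is recorded the way the course defines it: an asset, a threat that
could act on a vulnerability, and a likelihood and an impact rating. Likelihood
and impact are scored on 1-5 ordinal scales; their product places the risk in
the matrix and determines its priority. The scales, the band cut-offs, the
register entries and the tolerance value are all constructed for this example.
"""
from dataclasses import dataclass

# Ordinal scales (assumed). Higher rank = more likely / more harmful.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Management's risk tolerance expressed as a matrix score (assumed value):
# any risk scoring at or below this is within the organization's appetite.
TOLERANCE = 6


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str          # what needs protecting
    threat: str         # who or what could cause harm
    vulnerability: str  # the weakness the threat would exploit
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT


def score(risk: Risk) -> int:
    """Matrix cell value: likelihood rank times impact rank (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def priority(risk: Risk) -> str:
    """Band the score into low / medium / high (band edges are assumptions)."""
    s = score(risk)
    if s >= 15:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def recommend(risk: Risk, tolerance: int = TOLERANCE) -> str:
    """Map a matrix position to one of the four treatment options.

    The rules are a simple illustration, not a standard:
      - within tolerance            -> accept (proceed, no further action)
      - high likelihood AND impact  -> avoid (stop the exposed activity)
      - rare but severe             -> transfer (the classic insurance case)
      - everything else             -> mitigate (apply controls)
    """
    lk, im = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    if lk * im <= tolerance:
        return "accept"
    if lk >= 4 and im >= 4:
        return "avoid"
    if im >= 4 and lk <= 2:
        return "transfer"
    return "mitigate"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact, since impact is what
    controls find hardest to reduce after the fact."""
    return sorted(register, key=lambda r: (score(r), IMPACT[r.impact]), reverse=True)


# Constructed register drawn from the scenarios in this module.
REGISTER = [
    Risk("card-data-store", "customer card numbers", "card-stealing attacker",
         "card data stored on the company's own web server", "likely", "severe"),
    Risk("shared-password", "file server", "disgruntled former coworker",
         "single shared password, no second factor", "possible", "major"),
    Risk("soc-turnover", "incident triage capacity", "analyst attrition",
         "high manual triage workload", "likely", "moderate"),
    Risk("dc-fire", "production systems", "fire",
         "no gas-based suppression in the data center", "unlikely", "severe"),
    Risk("storm-power-loss", "IT environment", "major storm",
         "single utility feed exposed to flooding", "rare", "severe"),
]
BY_NAME = {r.name: r for r in REGISTER}


def report(register: list[Risk] = REGISTER, tolerance: int = TOLERANCE) -> list[str]:
    """One line per risk, in priority order, for the management summary."""
    return [
        f"{score(r):>2} {priority(r):<6} {recommend(r, tolerance):<8} {r.name}"
        for r in prioritize(register)
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

Changing TOLERANCE is the point of the exercise: with the assumed value of 6 the rare-but-severe storm outage falls within appetite and is accepted, but lowering the tolerance to 4 pushes the same risk out of appetite and the rules recommend transferring it (insurance), which is how the text describes tolerance driving decisions. The two medium risks that score equally are ordered by impact, so the shared-password risk is reported ahead of the staffing risk.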


Decision Making Based on Risk Priorities

When making decisions based on risk priorities, organizations must evaluate the likelihood and impact of the risk as well as their tolerance for different sorts of risk. A company in Hawaii is more concerned about the risk of volcanic eruptions than a company in Chicago, but the Chicago company will have to plan for blizzards. In those cases, determining risk tolerance is up to the executive management and board of directors. If a company chooses to ignore or accept risk, exposing workers to asbestos, for example, it puts the company in a position of tremendous liability. 

Risk Tolerance

The attitude management takes toward risk is often described as the entity’s appetite for risk. How much risk are they willing to take? Does management welcome risk or want to avoid it? The level of risk tolerance varies across organizations, and even internally: Different departments may have different attitudes toward what is acceptable or unacceptable risk.

Understanding the organization and senior management’s attitude toward risk is usually the starting point for getting management to take action regarding risks.

Executive management and/or the Board of Directors determines what is an acceptable level of risk for the organization. Security professionals aim to maintain the levels of risk within management’s limit of risk tolerance.

Often, risk tolerance is dictated by geographic location. For example, companies in Iceland plan for the risks that nearby volcanoes impose on their business. Companies that are outside the projected path of a lava flow will be at a lower risk than those directly in the path’s flow. Similarly, a power outage affecting the data center is a real threat in every part of the world, but its likelihood varies: in areas where thunderstorms are common, outages may occur more than once a month, while other areas may experience only one or two a year. Estimating how often outages are likely to occur, and how long each is likely to last, helps define a company’s risk tolerance. A company with a low tolerance for downtime is more likely to invest in a generator to power critical systems. A company with an even lower tolerance will invest in multiple generators with multiple fuel sources to provide a higher level of assurance that the power will not fail.

Risk Tolerance Drives Decision Making

 Narrator: Here are a few examples of how risk tolerance can drive decision making for
organizations.
An organization is required to build a bid package to gain a contract. The time
and effort of personnel building a bid package will cost the organization $10,000
USD. If the organization wins the contract, the contract pays $2,000,000 USD. The
organization decides to accept the risk of losing the cost of the bid package, because
the benefit of winning the contract is appealing. The risk of losing the bid (and the
cost of building the bid package) is within the organization’s risk threshold.
A trauma center has three critical-care units where patients are provided life-
sustaining services (breathing and heart activity) through the use of machines.
Inactivity of these machines could mean that people will die. The trauma center has
zero tolerance for power failure, so it creates redundant emergency power supplies,
through the use of multiple utility power providers, battery backup, and multiple
generators with secure fuel supplies and solid contracts with fuel providers to
deliver additional fuel during emergency situations.
Liza and Krith think they can build a business that is profitable and enjoyable;
they decide to quit their jobs and start the business together. They tolerate the risk
that their business might fail because the reward they perceive is significant.

Podcast: Swimming with Sharks

 Josh: Welcome to Dancing with Danger. A travel podcast about risk-loving people doing risky
things. I'm Joshua Justin and today I'm talking with Sarah McMillan who runs the Swimming
with Sharks attraction here in sunny Key West, Florida. Hi Sarah, how you doing today?
Sarah: It's a beautiful day to be swimming with sharks in Florida, Josh.
Josh: Some might disagree. Wouldn't you say this is a particularly risky thing to do? Downright
dangerous in fact.
Sarah: Everything is risky, Josh, from driving in a car to giving your credit card number to a
telemarketer. Well in our business, people are lowered into the water in steel cages to observe
and photograph sharks. Obviously this has some risk attached. The key is that we take risk very
seriously and we take steps to make our attraction as safe as possible, both for the participants
and for those who have invested in the business. If something were to happen, the bad
publicity and the legal liability would take a big bite out of our livelihood. If you pardon the pun.
Josh: I don't actually, but tell me more about the different ways you address the dangers of
your enterprise. Like, the sharks are tame or mechanical or something, right?
Sarah: No, these are absolutely real wild sharks. That's what's exciting about it. And part of the
fun is the danger, or the perception of danger.
Josh: So it's only a perception?
Sarah: No, of course not. Well, mostly.
Josh: I don't think I'm following. Is it dangerous or not?
Sarah: Okay. Okay. We're going to accept that there are some risks involved here, right? If we
weren't willing to accept a little danger we wouldn't be in this business and the customers
wouldn't be signing up to participate. Customers who aren't feeling very brave can obviously
avoid the risk by not participating. We have a video feed so they can watch other people in the
cages. So they get to share the experience. We also avoid risk by not going out in certain
weather conditions or when particularly dangerous shark activity has been observed. We keep
a very close eye both on the weather and the animals' behavior so we don't take unnecessary
chances with our crew or our customers or even our equipment.
Josh: So you don't go out unless conditions are ideal. What other safeguards do you take?
Sarah: We mitigate our risk by having very strong cages and testing them often. And we train
our crews rigorously to adhere to our safety policies and procedures and to abide by Florida
laws and federal safety regulations.
Josh: What if something happens in spite of all your preparation? People love to sue businesses
when accidents happen.
Sarah: That's why all our participants are required to sign waivers. That serves to mitigate the
risk of liability.
Josh: Do people object to the waivers?
Sarah: Not really. This sort of risk management approach is very common. Everything you do
has fine print, from downloading an app to flying in a plane or staying at a hotel. Even at other
attractions, like those run by animated mice and ducks that we will not name, the ticket
includes a disclaimer in the fine print that the park is not responsible for theft or accidents on
the property. You are responsible for keeping track of your own belongings and your own kids
and so on and so on. So people are quite used to accepting such conditions whenever they do
just about anything. But we also have an insurance policy to handle any liability claims. This
allows us to transfer our risk to another party. The insurance company is taking the gamble that
our premiums and those of other businesses, will bring in more income than a potential claim
would make them pay out.
Josh: So you've been in business here for a couple of years now.
Sarah: That's correct. About two years.
Josh: And in that time, have you had any liability claims?
Sarah: Not regarding the sharks. However, we did have a breach regarding our credit card
information. That was a headache. Now we outsource our customer management system to a
cloud-based third party. So they assume the risk for cybersecurity. We discovered that human
sharks are a much bigger risk than marine sharks. The beach is safer than the breach, I guess
you'd say.
Josh: I don't think I would, but thank you Sarah for taking the time to talk to our listeners today.
I know we've learned a lot about shark related safety issues.
Sarah: You're welcome, Joshua. Thank you again for having me and let me know when you are
ready to swim with the sharks.
Josh: That's all for today's Dancing with Danger episode. Tune into next week when we go
bungee jumping with bears.

 

Module 3: Understand Security Controls

What are Security Controls?

Security controls pertain to the physical, technical and administrative mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. The implementation of controls should reduce risk, hopefully to an acceptable level.

(Figure: Security Controls at the center of a triangle, with Physical Controls at the top, Administrative Controls at the left and Technical Controls at the right.)


Physical Controls

Physical controls address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions to be taken by people. They typically provide ways of controlling, directing or preventing the movement of people and equipment throughout a specific physical location, such as an office suite, factory or other facility. Physical controls also provide protection and control over entry onto the land surrounding the buildings, parking lots or other areas that are within the organization’s control. In most situations, physical controls are supported by technical controls as a means of incorporating them into an overall security system.

Visitors and guests accessing a workplace, for example, must often enter the facility through a designated entrance and exit, where they can be identified, their visit’s purpose assessed, and then allowed or denied entry. Employees would enter, perhaps through other entrances, using company-issued badges or other tokens to assert their identity and gain access. These require technical controls to integrate the badge or token readers, the door release mechanisms and the identity management and access control systems into a more seamless security system.


Technical Controls

Technical controls (also called logical controls) are security controls that computer systems and networks directly implement. These controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data. Technical controls can be configuration settings or parameters stored as data, managed through a software graphical user interface (GUI), or they can be hardware settings done with switches, jumper plugs or other means. However, the implementation of technical controls always requires significant operational considerations and should be consistent with the management of security within the organization. Many of these will be examined in more depth as we look at them in later sections in this chapter and in subsequent chapters.


Administrative Controls

Administrative controls (also known as managerial controls) are directives, guidelines or advisories aimed at the people within the organization. They provide frameworks, constraints and standards for human behavior, and should cover the entire scope of the organization’s activities and its interactions with external parties and stakeholders.

It is vitally important to realize that administrative controls can and should be powerful, effective tools for achieving information security. Even the simplest security awareness policies can be an effective control, if you can help the organization fully implement them through systematic training and practice.

Many organizations are improving their overall security posture by integrating their administrative controls into the task-level activities and operational decision processes that their workforce uses throughout the day. This can be done by providing them as in-context ready reference and advisory resources, or by linking them directly into training activities. These and other techniques bring the policies to a more neutral level and away from the decision-making of only the senior executives. It also makes them immediate, useful and operational on a daily and per-task basis.

 


Controls and the Triad


Making Connections

Narrator: What sorts of activities can threaten the elements of the CIA Triad?

Consider a coworker sharing passwords. Perhaps Joe gives Joanne his password because he is home sick and needs Joanne to sign on to his work computer to get information he needs. But later, Joanne is fired from her job. The employer cancels Joanne’s credentials but isn’t aware that Joanne also knows Joe’s password. Joanne is disgruntled and decides to take revenge on her old company by using Joe’s credentials to change or delete important files. Or in less hostile circumstances, improper use of the password could accidentally result in the introduction of unauthorized software that is riddled with malware.

Another example is the laptop of a remote worker being left unattended or unlocked in the worker’s home. Children or other family members may decide to play games on the computer. They upload legal but contaminated software or files, leading to a corrupt workstation with compromised integrity.

The elements of the CIA Triad can also be compromised by ill-preparedness against acts of nature. For instance, a long-term power outage may lead to backup generators that run out of fuel or that suffer mechanical failures if not properly maintained.

As a final example, improper fire suppression methods can affect the CIA Triad by irreparably damaging or destroying both digital and analog information.

All these examples show that a comprehensive risk assessment of technical, human and environmental threats must be completed, then appropriate mitigation options must be put in place to protect the security and integrity of an organization’s information.

 

Module 4: Understand Governance Elements and Processes

Domain D1.5.1, D1.5.2, D1.5.3, D1.5.4

Module Objectives

  • L1.4.1 Distinguish between policies, procedures, standards, regulations and laws.
  • L1.4.2 Demonstrate the relationship among governance elements.

Governance Elements

Any business or organization exists to fulfill a purpose, whether it is to provide raw materials to an industry, manufacture equipment to build computer hardware, develop software applications, construct buildings or provide goods and services. To complete the objective requires that decisions are made, rules and practices are defined, and policies and procedures are in place to guide the organization in its pursuit of achieving its goals and mission.

When leaders and management implement the systems and structures that the organization will use to achieve its goals, they are guided by laws and regulations created by governments to enact public policy. Laws and regulations guide the development of standards, which cultivate policies, which result in procedures.

How are regulations, standards, policies and procedures related? It might help to look at the list in reverse.

  • Procedures are the detailed steps to complete a task that support departmental or organizational policies.
  • Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.
  • Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.
  • Regulations are commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for noncompliance.

Now that we see how they are connected, we’ll look at some details and examples of each.


Regulations and Laws

Regulations and associated fines and penalties can be imposed by governments at the national, regional or local level. Because regulations and laws can be imposed and enforced differently in different parts of the world, here are a few examples to connect the concepts to actual regulations.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is an example of a law that governs the use of protected health information (PHI) in the United States. Violation of the HIPAA rule carries the possibility of fines and/or imprisonment for both individuals and companies.

The General Data Protection Regulation (GDPR) was enacted by the European Union (EU) to control the use of personal data (Personally Identifiable Information, PII) of individuals located in the EU, regardless of their citizenship. It includes provisions that apply financial penalties to companies who handle such data even if the company does not have a physical presence in the EU, giving this regulation an international reach.

Finally, it is common to be subject to regulation on several levels. Multinational organizations are subject to regulations in more than one nation in addition to multiple regions and municipalities. Organizations need to consider the regulations that apply to their business at all levels—national, regional and local—and ensure they are compliant with the most restrictive regulation.

Standards

Organizations use multiple standards as part of their information systems security programs, both as compliance documents and as advisories or guidelines. Standards cover a broad range of issues and ideas and may provide assurance that an organization is operating with policies and procedures that support regulations and are widely accepted best practices.

The International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards. ISO solicits input from the international community of experts before publishing its standards. Documents outlining ISO standards may be purchased online.

The National Institute of Standards and Technology (NIST) is a United States government agency under the Department of Commerce and publishes a variety of technical standards in addition to information technology and information security standards. Many of the standards issued by NIST are requirements for U.S. government agencies and are considered recommended standards by industries worldwide. NIST standards solicit and integrate input from industry and are free to download from the NIST website.

Finally, think about how computers talk to other computers across the globe. People speak different languages and do not always understand each other. How are computers able to communicate? Through standards, of course!

Thanks to the Internet Engineering Task Force (IETF), there are standards in communication protocols that ensure all computers can connect with each other across borders, even when the operators do not speak the same language.

The Institute of Electrical and Electronics Engineers (IEEE) also sets standards for telecommunications, computer engineering and similar disciplines.

Policies

Policy is informed by applicable law(s) and specifies which standards and guidelines the organization will follow. Policy is broad, but not detailed; it establishes context and sets out strategic direction and priorities. Governance policies are used to moderate and control decision-making, to ensure compliance when necessary and to guide the creation and implementation of other policies.

Policies are often written at many levels across the organization. High-level governance policies are used by senior executives to shape and control decision-making processes. Other high-level policies direct the behavior and activity of the entire organization as it moves toward specific or general goals and objectives. Functional areas such as human resources management, finance and accounting, and security and asset protection usually have their own sets of policies. Whether imposed by laws and regulations or by contracts, the need for compliance might also require the development of specific high-level policies that are documented and assessed for their effective use by the organization.

Policies are implemented, or carried out, by people; for that, someone must expand the policies from statements of intent and direction into step-by-step instructions, or procedures.

Procedures

Procedures define the explicit, repeatable activities necessary to accomplish a specific task or set of tasks. They provide supporting data, decision criteria or other explicit knowledge needed to perform each task. Procedures can address one-time or infrequent actions or common, regular occurrences. In addition, procedures establish the measurement criteria and methods to use to determine whether a task has been successfully completed. Properly documenting procedures and training personnel on how to locate and follow them is necessary for deriving the maximum organizational benefits from procedures.

 






Importance of Governance Elements

Narrator: Regulations and laws can affect the day-to-day operations of many organizations. As we mentioned before, one example of a law with a broad impact is the General Data Protection Regulation (GDPR), which affords data protection and control to individuals within the territorial boundaries of the EU regardless of citizenship.

As another example, in the United States, patient medical information is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and must be closely guarded. From the information security perspective, a high standard of professionalism is expected in safeguarding data on the patients’ behalf. Information security is based on trust and credibility. If something goes wrong, the stakeholders’ trust evaporates, and the organization’s credibility is damaged, sometimes without cure. HIPAA also carries significant criminal and financial penalties for noncompliance for both the organization and the individuals involved.

Fortunately, there are published frameworks, or standards, to guide the organizational policies that support the compliance effort. Many departments or workgroups within the organization implement procedures that detail how they complete day-to-day tasks while remaining compliant. One source of such standards is the International Organization for Standardization (ISO), an international standards body; one of the standards that ISO publishes describes how to destroy data in a secure fashion.
 
 

 

Module 5: Understand (ISC)² Code of Ethics

Domain D1.4.1

Module Objective

  • L1.5.1 Analyze appropriate outcomes according to the canons of the (ISC)² Code of Ethics when given examples.

Manny: We've made it to the last module of our first chapter.

Tasha: That's right. And we've learned that cybersecurity professionals have a lot of responsibility when it comes to protecting information systems and the data that is stored and used on them.

Manny: Yes, we put a lot of trust in them that they will do the right thing. I'd feel more comfortable knowing that they must take some kind of oath or something, so we could rest assured they’re acting in the best interest of their organizations and the public.

Tasha: I agree, Manny. Ethical guidelines are extremely important. They give the profession credibility. And you know what?

Manny: What?

Tasha: All members of (ISC)² commit to adhere to its code of ethics.

Manny: That makes me feel better. Let's find out more about it.

Importance of a Professional Code of Ethics

Chad: Good morning, good afternoon, or good evening, depending on where and when you're listening. Welcome to the discussion on the role of ethics in cybersecurity. I'm your host, Chad Kliewer, holder of the CISSP and CCSP certifications and current (ISC)² member, and I'll be facilitating our experience. I am extremely excited to welcome our special guest for today's discussion, Eder de Mattos, who holds the CISSP with the ISSAP endorsement, ISSMP, and CCSP credentials, and is also an active (ISC)² member. Eder joins us today from Brazil, where he's worked in communications, now works for an international cloud services organization, and he's also the treasurer for the (ISC)² Sao Paulo chapter. So let's get started. Today we'll start our discussion by illuminating an example code of ethics. In this example, all information security professionals who are certified by (ISC)² are required to adhere to the (ISC)² Code of Ethics. There are only four canons, and we'll paraphrase them now. "To protect society, the common good, and infrastructure." The second one is "act honorably, honestly, justly, responsibly, and legally." And the third, "provide diligent and competent service to principals." And the final canon is "advance and protect the profession." So this is just one example of professional ethics, and it can take many forms. So, Eder, I'm curious, how do you define professional ethics, based on your experience?

Eder: Hi, Chad. Hi, everyone. Thank you for inviting me to this session. It's a pleasure to be here with you today. About this question, I think ethics is mandatory for everyone in cybersecurity nowadays. We face a lot of different situations, and we need to have a strong sense of ethics when dealing with different conditions. What I learned from (ISC)², complemented by my background, is that ethics is fundamental to keep working in our area nowadays. I think (ISC)² gives us solid pillars about ethics. During my career, I learned that it's important to incorporate these conditions from (ISC)², reinforced in every certification, every document, every publication, and to join them with what I learned when I was a kid, what my father and my family told me in the past. I think the rule is that we need to join every point that we learn and apply it in our market, in cybersecurity. I think that's the main point.

Chad: Okay, great. I would like to hear a little bit more about, in your experience, how those ethics influence your concept of right and wrong.

Eder: A lot, a lot. Because of the market and conditions like the economy and wars and things like that, we have different situations to deal with on this point. Recently, last year, I was offered a bribe. Someone invited me to disclose sensitive information and would pay a huge amount of money. And no, no thanks. It was a very different situation for me. I called the legal authorities here in Brazil and sent them all the information about the communication. I was invited by email, you know. The point is, my honor is not for sale. And I think this point is mandatory. In the profession, we face these situations daily, because many criminal organizations are interested in obtaining our information, because we handle customers' information and company information. In the black market, this information has paramount value. I think that's it.

Chad: That's a great story. And that's part of why I was so excited to talk to you about ethics, so we could gather more of the international perspective. You mentioned that somebody had contacted you through the mail for a bribe. Is that something, and I don't want to single out Brazil and say this only happens in Brazil, because I know it happens other places, it happens here in the U.S. as well, but do you think that's more commonplace in Brazil, or is it still somewhat rare?

Eder: I think in Brazil it happens a lot, because we have a problem with our society here. It's a society where, if someone has the opportunity to gain an advantage, or some gifts or whatever, people are tempted, and sometimes they accept the offer. It's not my case in this situation. As I mentioned, my honor is not for sale, but here in Brazil we have this difficulty, because the corruption in our society is hard.

Chad: Yeah, absolutely. So I'm really curious, you said it's something that does happen often in Brazil. Is it people from Brazil that are making those bribery offers, is it something that seems to be domestic, or is it international, other countries, and you don't need to name other countries if that's the case, I'm just curious if that's something that's internal to the country or coming from other countries?

Eder: We have both scenarios here. We have competitors here. We have scenarios of malware or ransom groups, criminal groups like Conti or other groups responsible for hijacking or ransoming major companies, very important companies around the world. It's common in both cases, from international and from within the nation, because the culture here is a difficult point to deal with. We have specific areas in our police departments, and inspections to prevent corruption and bribery. It's a sad point, present in our society here in Brazil.

Chad: Okay, great. From what you've talked about so far, you definitely believe in the (ISC)² code of ethics. You obviously have your own code of ethics that might be apart from what your country has. And obviously you have been in cybersecurity for a while, and you are a great cybersecurity practitioner, but what do you think makes your chosen profession a profession? What makes you a professional in cybersecurity?

Eder: Is this question about describing my roles or my activities, or why I chose to work in cybersecurity?

Chad: Yes.

Eder: I think I started working in cybersecurity, or in the security area, because cybersecurity didn't exist 10 years ago. When I started working in this area, the reason I decided to work in this area, the first point, is that in security you have people with strong feelings about what is correct. And this is my point. My father recommended in the past that I become a judge, to enforce correctness, to enforce the correct points about situations. But it's too many papers. No, it's not for me. In cybersecurity, you have a lot of papers, documentation, policies and whatever, but it's more applicable, more feasible in our reality. You apply something and it affects a lot of people and companies. This was my main reason for deciding on cybersecurity: a strong feeling about what's correct, enforcing correctness, enforcing what is possible. And yes, now we have some situations that are not totally correct, but we face risk and risk analysis, and we need to deal with a project in the face of our risk appetite. I think that's the point.

Chad: All right, that's a great story. We are so glad you chose cybersecurity over being a judge, because we're happy to have you here today, and we might not be talking if you had chosen that judge path. So that's great. I'm curious, though, in your perception, what makes the code of ethics in cybersecurity different from those in other professions?

Eder: I think in cybersecurity we need to follow all points of ethics in a more strict way, because we face the whole of the company's information, because we are the security area. And the security area needs to protect the company. In this case, we need to be an example for other people inside the company, as strong professionals, professionals that have a very good position in the face of any problems or any circumstance that is not following the right way. In the security area, the cybersecurity area, we enforce all points about ethics for other areas: through courses, through internal communication, through trainings for other areas that don't face problems with security daily, to show them about ethics, and why it is important to keep ethics in current work, day to day.

Chad: That is great. I really like that you see cybersecurity professionals as being basically a role model in the world of ethics. I really like that. So I want to know if you can share a specific situation, and I know you already shared one with us, about the bribery, but if you can share a situation where ethics played an impactful role in your decision making.

Eder: Yes, of course. In many projects the teams ask me, "Oh, let's forget these points about security, because they will impact our work. We need to work a lot for compliance with these points. Is it possible to forget this point?" No. Because we need to enforce all points for security. In every project, someone tries to shorten the way of security, not implement all features, or avoid some important point. And I used to tell these guys, "No, if you commit some mistake here, or you produce code without a proper compliance check on this code, probably we will have a large problem ahead." That is not how it should be; we need to have a strong feeling about security, about ethics, about conditions to improve security, not to reduce security. I think this is the condition that I'm facing in many situations nowadays.

Chad: Yep, you are absolutely right. That's something that we constantly, as cybersecurity professionals, have to apply our ethics to, to make our decisions based on what may be best for the company, not necessarily what's best for the cybersecurity professional.

Eder: Yes.

Chad: And I think that's something that oftentimes is very difficult for the cybersecurity professional to do. Sometimes we do have to make those decisions that are better for the organization than maybe for us personally, or that make our life a little bit more difficult to better protect the organization.

Eder: Yes, yes. I agree, I agree.

Chad: Yep. You are absolutely right. Ethics play a huge part in that. Go ahead.

Eder: Yes, in another case, when some project says, "No, we are not able to fulfill all security points," in this case we produce a letter about the risks and request approval from a senior manager, senior management, or a director or vice president: yes, if you are not compliant and you need to go ahead with this project, with this poor condition of security, you need to agree with this point, and agree that this is your responsibility. If you have some failure or some problem in the future, you are charged with this point.

Chad: Yep. Absolutely. And for our listeners, I think we did cover part of that in our risk management section. When there is risk, when we're introducing new risk, part of our ethics is to make sure that we are raising awareness of that risk, and making sure that the business owners fully understand that risk. Whether it makes us popular or not doesn't matter. Sometimes we have to take the unpopular road, and at least raise that up. So that's some great discussion, and we're gonna wrap up here in just a moment, Eder. It's been great talking to you, but I do want to give you one last chance, if you have anything else you'd like to say to our listeners.

Eder: Yes, I think for anyone that is interested in starting cybersecurity, cybersecurity is a code of life, because someone that starts working in cybersecurity, or someone that has worked for a long time in cybersecurity, we use these concepts in our life, in our society. And we are advocates. We are people who transmit security and cybersecurity and ethics codes to people around us. I think the point for everyone that is starting cybersecurity is to pay attention to the code of ethics, and a strong feeling about what is right. I think it's the main point, and our society needs this condition, to strengthen or improve these values now.

Chad: All right, absolutely. Thank you. I think it is just absolutely great the way you put that, that underline and that highlight, that ethics really does lie underneath everything we do as cybersecurity professionals. And I thank you very much for helping us put an international eye on this. A lot of times we think in terms of our own country, and how things happen in our own countries. That's part of what (ISC)² strives to do, not only here, but for the cybersecurity profession as a whole, to make sure that we are one team and we have one common goal, one common set of ethics across the world. But I thank you many, many times, Eder, thank you for spending time with us today. Thanks for sharing your knowledge and your perspective on ethics, and everybody, please join me in thanking Eder de Mattos for volunteering his time with us here today. Thank you very much.

Eder: Thank you. Thank you, Chad. It was a pleasure to be here. And thank you, guys, and enjoy cybersecurity.
 
 


Theoretical Example: Code of Ethics

Narrator: Here is an example of an ethical question that might come up for cybersecurity professionals. An organization handling Top Secret and other sensitive information was hiring new employees. At its facility, it used a retinal scanner to grant access to high-security areas, including where prospective employees were interviewed. Retinal scanners, unbeknownst to most people, can not only match blood vessels on an individual’s retina, but they can also tell the difference between males and females. Further, they can tell whether a female is pregnant.

The organization used this information gathered by its access control system to discriminate against female candidates for the positions it was seeking to fill. Allowing this data to be accessed by those making hiring decisions was indisputably in violation of the (ISC)² Code of Ethics, which states that information security professionals must act honorably, honestly, justly, responsibly and legally.

Here is another example: The security manager for an organization heard from a network administrator who reported another user for violating the organization’s acceptable use policy. When the security manager investigated the matter, he discovered several pertinent facts:

  • The user did violate the policy.
  • The violation was not a criminal matter.
  • The network administrator had the IT permissions to monitor the user.
  • The network administrator was not tasked with monitoring the user, nor was the administrator tasked with randomly monitoring all users.
  • The network administrator would not say how the administrator came to learn that the user was violating policy.
  • In talking with colleagues of both people, it became clear that there was a personal conflict between the administrator and the user.

In many jurisdictions, the organization can use any information, regardless of source, to make labor decisions. So yes, the organization could use this information against the user. The user violated the policy but did not break the law. Depending on how egregious the infraction was, the organization may choose to punish the user for the violation.

Because the administrator would not explain why he was monitoring the user, it makes his actions suspect at best, and nefarious at worst. The administrator violated the trust given to him by the organization; as an IT professional, the administrator was expected to use authority and permissions in a mature and objective manner. This situation is almost certainly an example of the administrator using authority to settle a personal grievance. The administrator should be punished much more severely than the user (firing the administrator is not untoward; this person may have opened the organization up to a lawsuit for creating a hostile work environment, which may have an impact or risk that exceeds whatever policy violation the user committed).

Whether the administrator was terminated or not, his actions were in clear contradiction of the Code of Ethics.


 
 
 
 

Module 6: Chapter 1 Summary

Domain D1.1, D1.1.1, D1.1.2, D1.1.3, D1.1.4, D1.1.5

Module Objective

L1.6.1 Practice the terminology and review security principles.

In this chapter, we covered security principles, starting with concepts of information assurance. We highlighted the CIA triad as the primary components of information assurance. The “C” stands for confidentiality; we must protect the data that needs protection and prevent access to unauthorized individuals. The “I” represents integrity; we must ensure the data has not been altered in an unauthorized manner. The “A” symbolizes availability; we must make sure data is accessible to authorized users when and where it is needed, and in the form and format that is required. We also discussed the importance of privacy, authentication, non-repudiation and authorization.


You explored the safeguards and countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. By applying risk management, we were able to assess and prioritize the risks (asset vulnerabilities that can be exploited by threats) to an organization. An organization can decide whether to accept the risk (knowingly continuing the activity without further treatment because the remaining risk is within the organization’s tolerance), avoid the risk (ceasing the risky activity to remove the likelihood that an event will occur), mitigate the risk (taking action to reduce the likelihood or the impact of an event), or transfer the risk (passing the consequences of the risk to a third party, for example through insurance).


You then learned about three types of security controls: physical, technical and administrative. They act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. The implementation of security controls should reduce risk, hopefully to an acceptable level. Physical controls address process-based security needs using physical hardware devices, such as a badge reader, architectural features of buildings and facilities, and specific security actions taken by people. Technical controls (also called logical controls) are security controls that computer systems and networks directly implement. Administrative controls (also known as managerial controls) are directives, guidelines or advisories aimed at the people within the organization.


You were then introduced to organizational security roles and governance, the policies and procedures that shape organizational management and drive decision-making. As discussed, we typically derive procedures from policies, policies from standards, standards from regulations. Regulations are commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for noncompliance. Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations. Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure the organization supports industry standards and regulations. Procedures are the detailed steps to complete a task that will support departmental or organizational policies.


Finally, we covered the (ISC)2 Code of Ethics, which members of the organization commit to fully support. Bottom line, we must act legally and ethically in the field of cybersecurity.

Chapter 1: Terms and Definitions

  • Adequate Security - Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information. Source: OMB Circular A-130
  • Administrative Controls - Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
  • Artificial Intelligence - The ability of computers and robots to simulate human intelligence and behavior.
  • Asset - Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
  • Authentication - Access control process validating that the identity being claimed by a user or entity is known to the system, by comparing one (single factor or SFA) or more (multi-factor authentication or MFA) factors of identification.
  • Authorization - The right or a permission that is granted to a system entity to access a system resource. Source: NIST 800-82 Rev. 2
  • Availability - Ensuring timely and reliable access to and use of information by authorized users.
  • Baseline - A documented, lowest level of security configuration allowed by a standard or organization.
  • Bot - Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.
  • Classified or Sensitive Information - Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
  • Confidentiality - The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. Source: NIST 800-66

  • Data Integrity - The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A
  • Encryption - The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
  • General Data Protection Regulation (GDPR) - In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right. 
  • Governance - The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.
  • Health Insurance Portability and Accountability Act (HIPAA) - This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individuals' health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. Est. 1996.
  • Impact - The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.
  • Information Security Risk - The potential adverse impacts to an organization’s operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.
  • Institute of Electrical and Electronics Engineers - IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.
  • Integrity - The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.
  • International Organization of Standards (ISO) - The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
  • Internet Engineering Task Force (IETF) - The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus. Source: NIST SP 1800-16B
  • Likelihood - The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
  • Likelihood of Occurrence - A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
  • Multi-Factor Authentication - Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
  • National Institute of Standards and Technology (NIST) - NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Division.
  • Non-repudiation - The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
  • Personally Identifiable Information (PII) - The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.”
  • Physical Controls - Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
  • Privacy - The right of an individual to control the distribution of information about themselves.
  • Probability - The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. Source: NIST SP 800-30 Rev. 1
  • Protected Health Information (PHI) - Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).   
  • Qualitative Risk Analysis - A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high. Source: NISTIR 8286
  • Quantitative Risk Analysis - A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain. Source: NISTIR 8286
  • Risk - A possible event which can have a negative impact upon the organization.
  • Risk Acceptance - Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
  • Risk Assessment - The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. 
  • Risk Avoidance - Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
  • Risk Management - The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
  • Risk Management Framework - A structured approach used to oversee and manage risk for an enterprise. Source: CNSSI 4009
  • Risk Mitigation - Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.
  • Risk Tolerance - The level of risk an entity is willing to assume in order to achieve a potential desired result. Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.
  • Risk Transference - Paying an external party to accept the financial impact of a given risk.
  • Risk Treatment - The determination of the best way to address an identified risk. 
  • Security Controls - The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. Source: FIPS PUB 199
  • Sensitivity - A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1
  • Single-Factor Authentication - Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.
  • State - The condition an entity is in at a point in time.
  • System Integrity - The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. Source: NIST SP 800-27 Rev. A
  • Technical Controls - Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
  • Threat - Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
  • Threat Actor - An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
  • Threat Vector - The means by which a threat actor carries out their objectives.
  • Token - A physical object a user possesses and controls that is used to authenticate the user’s identity. Source: NISTIR 7711
  • Vulnerability - Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source. Source: NIST SP 800-30 Rev 1 
