--- Last updated: 2021/04/03 10:45 ---

###### tags: `CISSP` `D1`

[TOC]

# Domain 1 : Security and Risk Management

:::warning
**C, I, A + GRC**
:::

## 1.1 Understand and apply concepts of confidentiality, integrity and availability

> [color=orange] Ref OSG **CH01**

### Confidentiality

> [color=blue] Ref OSG **CH01.1.1**

:::success
**Confidentiality**: data is not disclosed.
:::

:::info
- If a security mechanism offers **confidentiality**, it offers a high level of assurance that data, objects, or resources are **restricted from unauthorized subjects**. If a threat exists against confidentiality, unauthorized disclosure could take place.
- **Confidentiality** and **integrity** ==depend on each other.==
:::

### Integrity

> [color=blue] Ref OSG **CH01.1.2**

:::success
**Integrity**: data is not tampered with.
- Truthfulness
- Nonrepudiation
:::

:::info
- **Integrity** protection prevents **unauthorized alterations** of data.
- **Truthfulness**: being a true reflection of reality.
- **Nonrepudiation**: not being able to deny having performed an action or activity, or being able to verify the origin of a communication or event.
:::

### Availability

> [color=blue] Ref OSG **CH01.1.3**

:::success
**Availability**: accessible at any time; the system does not go down.
:::

:::info
- **Availability** means authorized subjects are granted timely and uninterrupted access to objects.
- **Availability** ==depends on both integrity and confidentiality==.
:::

### Exam points

:::danger
- Redundant Array of Independent Disks **(RAID)** uses additional hard drives to protect the server **against the failure of a single device**.
- **Nondisclosure agreements (NDAs)** protect the **confidentiality** of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.
- **Keyloggers** monitor the keystrokes of an individual and report them back to an attacker.
- **Security training** is designed to provide employees with the **specific knowledge they need to fulfill their job** functions.
- **Hashing** allows you to computationally verify that a file has not been modified between hash evaluations.
- Impact on the CIA triad: **denial-of-service (DoS)** attacks and distributed denial-of-service (DDoS) attacks try to disrupt the **availability** of information systems and networks by flooding a victim with traffic or otherwise disrupting service.
:::

## 1.2 Evaluate and apply security governance principles

> [color=orange] Ref OSG **CH01**

:::success
- **What is management?** A systematic method for achieving objectives. The method is P, D, C, A (Plan, Do, Check, Act).
- **What is governance?** The management actions of a company's top executive level are called governance (board of directors + C-suite).
- **Goal of governance**: to create value.
- **What is value?** Value is whatever is important and meaningful to stakeholders.
- **Security** with a **business mindset**
  - **T1 : Value creation**
  - **T2 : Supporting business processes**
  - **T3 : C, I, A**
:::

:::info
- Security is a **business operations** issue.
- Security governance is commonly managed by a **governance committee** or at least a board of directors.
- This is the group of **influential knowledge experts** whose primary task is to **oversee** and **guide** the actions of ==security and operations== for an organization.
:::

### 1.2.1 Alignment of security function to business strategy, goals, mission, and objectives

> [color=blue] Ref OSG **CH01.2.1**

:::success
- Senior executives express intent (**strategy**) and have others execute it, through documentation.
- **Strategy** comes first, then **policy**: policy is derived from strategy.
- **What is a policy?** Written management intent.
- **Mandatory**
  - Policies: defined by senior management so that those who execute have a basis and sufficient authority. The least changeable.
  - Standards
  - Procedures: SOPs
- **For reference**
  - Guidelines: supplement whatever the above leave unclear (not mandatory).
:::

:::info
- Security management planning aligns the security functions to the **strategy**, **goals**, **mission**, and **objectives** of the organization.
- One of the most **effective ways** to tackle security management planning is to use a **top-down approach**.
- The best security plan is useless without one **key factor**: approval by **senior management**.
  ==Without senior management's== **approval** of and **commitment** to the security policy, the policy will ==not succeed==.
- **Strategic plan**: 5 years
- **Tactical plan**: about 1 year
- **Operational plan**: roughly monthly or quarterly; updated frequently
- Effective security plans focus attention on **specific** and **achievable** objectives, anticipate change and potential problems, and serve as a basis for decision making for the entire organization.
:::

### 1.2.2 Organizational processes (e.g., acquisitions, divestitures, governance committees)

> [color=blue] Ref OSG **CH01.2.2**

:::success
- **Organizational matters that security governance must attend to**
  - Acquisitions
  - Divestitures
  - Governance committee processes
  - **Change management**
  - **Data classification**
:::

:::info
- **Acquisitions** and **mergers** place an organization at an increased level of risk. Such risks include **inappropriate information disclosure**, **data loss**, **downtime**, or failure to achieve sufficient return on investment (ROI).
- **Change control/management**
  - The **goal of change management** is to ensure that ==any change does not lead to reduced or compromised security==.
  - Change management is also responsible for making it possible to **roll back** any change to a previous secured state.
- **Data classification**, or **categorization**, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality.
  - U.S. military
    ![](https://i.imgur.com/L8Kz3cb.png)
  - Commercial/business
    ![](https://i.imgur.com/t8pwAaN.png)
:::

### 1.2.3 Organizational roles and responsibilities

> [color=blue] Ref OSG **CH01.2.3**

:::success
- Enterprise data roles
  ![](https://i.imgur.com/kJ4zDEa.jpg)
  ![](https://i.imgur.com/xgxTQ3b.jpg)
- Personal data
  - Controller: determines the purposes and means of processing.
  - Processor: processes personal data on behalf of the controller, according to the controller's purposes and means.
  - Data Subject / Principal (the person the data is about)
:::

:::info
- Data roles
  - Data Owner
  - Data Custodian
  - Data Steward
:::

### 1.2.4 Security control frameworks

> [color=blue] Ref OSG **CH01.2.4**

:::info
- A widely used security control framework is Control Objectives for Information and Related Technology (COBIT).
- ISO 27002
:::

### 1.2.5 Due care/due diligence

> [color=blue] Ref OSG **CH01.2.5**

:::success
**Due Diligence**: **D**o **D**etect
**Due Care**: **D**o **C**orrect
:::

:::info
- **Due care** is **developing a formalized security structure** containing a security policy, standards, baselines, guidelines, and procedures.
- **Due diligence** is the continued application of this security structure onto the IT infrastructure of an organization.
:::

### Exam points

:::danger
- The **due care principle** states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard.
- The **due diligence principle** is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
- **Strategic plans** have a long-term planning horizon of up to **five years** in most cases. **Operational** and **tactical** plans have shorter horizons of **a year or less**.
- The **data custodian** role is assigned to an individual who is responsible for **implementing the security controls** ==defined by policy and senior management==. The **data owner** does bear ==ultimate responsibility== for these tasks, but the **data owner** is typically a senior leader who **delegates operational responsibility** to a **data custodian**.
- Notify **stakeholders** **before** the change (change management)
  ![](https://i.imgur.com/cL3nc49.png)
- Change management
  ![](https://i.imgur.com/OyrGIiQ.png)
:::

## 1.3 Determine compliance requirements

> [color=orange] Ref OSG **CH04**

:::success
- FISMA: Federal Information Security Management Act
- SOX: Sarbanes-Oxley Act
- GLBA: lifted the ban on banks selling insurance and doing securities business; regulates the sharing of personal data within a (banking or securities) group
- Healthcare organizations
  - HIPAA
  - HITECH
- European Union: GDPR
:::

### 1.3.1 Contractual, legal, industry standards, and regulatory requirements

:::success
![](https://i.imgur.com/rlyu6u2.jpg)
- **Law & Regulation**
  ![](https://i.imgur.com/jBsVvFD.jpg)
  ![](https://i.imgur.com/0FSYyRg.jpg)
- **Standards**
  ![](https://i.imgur.com/sH7kwbP.jpg)
- **Contract**
  ![](https://i.imgur.com/fLWQs9T.jpg)
:::

:::info
- Categories of law (OSG 4.1)
  - **Criminal law**
    > The cornerstone of the legal system for preserving **peace** and keeping society **safe**.
    > Protects society by combating computer crime.
    > E.g. prohibitions (murder, arson, assault, etc.)
    - Computer Fraud and Abuse Act (CFAA)
    - Electronic Communications Privacy Act (ECPA)
    - Identity Theft and Assumption Deterrence Act
  - **Civil law**
    > The bulk of the legal system, used to maintain social **order**. Governs matters **that are not crimes** but that must be resolved by an impartial arbiter: disputes between **individuals** and **organizations**.
    > E.g. contract disputes, real estate transactions
    - United States Code, USC (federal level)
  - **Administrative law**
    > The executive branch of government charges many agencies with broad responsibilities for ensuring that government operates effectively.
    - Code of Federal Regulations (CFR)
- Compliance
  - PCI DSS
  - SOX
    > Organizations must undergo compliance audits.
    > An organization's financial auditors may perform IT control audits to make sure the information security controls on the organization's financial systems comply with SOX.
:::

### 1.3.2 Privacy requirements

## 1.4 Understand legal and regulatory issues that pertain to information security in a global context

> [color=orange] Ref OSG **CH04**

### 1.4.1 Cyber crimes and data breaches

:::success
- Computer crime (OSG 4.2.1)
  - **Computer Fraud and Abuse Act, CFAA**
    - The first major piece of U.S. legislation aimed at **cybercrime**
    - Covers acts that cause malicious damage to federal computer systems exceeding $1,000
    - Part of the Comprehensive Crime Control Act (CCCA)
  - **Amendments**
    - Amended many times since 1994
    - 2013: Aaron's suicide led to a CFAA amendment (Aaron's Law)
  - **Federal Sentencing Guidelines**
    - Provide punishment guidelines for judges
    - **Prudent person rule**: senior executives bear personal responsibility for due care
    - Allow organizations to demonstrate **due diligence** to minimize penalties for violations
    - Three burdens of proof for negligence
  - **National Information Infrastructure Protection Act**
    - An amendment to the CFAA
  - **Federal Information Security Management Act**, FISMA
  - **Federal Cybersecurity Act of 2014**, FISMA
    - NIST produces the 800 series
    - NIST SP 800-53
    - NIST SP 800-171
    - NIST CSF
:::

### 1.4.2 Licensing and intellectual property requirements

:::success
- **Intellectual property**
  - Copyright
    > Copyright law protects the creators of original works by **preventing unauthorized copying** of the creator's **work**.
    - The creator: copyright belongs to the creator of the work
    - Protection period: 70 years after the death of the first author
    - Works made for hire: 95 years from the date of first publication or 120 years from the date of creation, whichever is shorter
    - **Related legislation**
      - Digital Millennium Copyright Act, DMCA
        - Prevents copying of digital media
        - If a criminal uses an ISP's circuits to attempt copyright-infringing activity, the ISP bears responsibility
  - Patent
    > Protects the intellectual property of inventors
    - 20 years
  - Trademark
    > A word, slogan, or logo used to identify a company and its products or services
    > The purpose of trademark protection is to protect the intellectual property of individuals and organizations while avoiding confusion
    - Without registration
      - Protection can still be obtained
      - May use the TM symbol
    - With registration
      - Obtains the (R) symbol
      - May register an intent to use
      - Initial term of 10 years
  - Trade secret
    > Used to protect extremely important information
    - Must ensure that everyone who can access the information has signed an NDA
    - **Related legislation**
      - Economic Espionage Act
  - Licensing
:::

### 1.4.3 Import/export controls

:::success
- Computer export controls
  - Exporting high-performance computing systems no longer requires approval.
- Encryption export controls
  - The U.S. Department of Commerce's Bureau of Industry and Security sets the rules for exporting encryption products outside the United States.
:::

- Exam concepts

### 1.4.4 Trans-border data flow

:::info
- Cross-border transfer: when EU citizens' information leaves the EU, the sender of the data must ensure the data remains protected.
- Privacy Shield: provides a safe harbor for U.S. companies operating in the EU.
:::

```
(23) 'cross-border processing' means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
```

### 1.4.5 Privacy

:::success
- Privacy rights
  - U.S. privacy law
    - **Fourth Amendment**: the basis of privacy rights is the Fourth Amendment to the U.S. Constitution
    - **Privacy Act of 1974**: the most important privacy law restricting how the U.S. federal government handles citizens' private personal information
    - **Electronic Communications Privacy Act of 1986, ECPA**: made it a crime to invade the electronic privacy of an individual
    - 1994 Communications Assistance for Law Enforcement Act
    - 1996 Economic Espionage Act
    - **1996 HIPAA, Health Insurance Portability and Accountability Act**: sets privacy and security regulations
    - **2009 HITECH, Health Information Technology for Economic and Clinical Health Act**
    - 1998 Children's Online Privacy Protection Act, COPPA: parental consent is required for children under the age of 13
    - GLBA: regulates how financial institutions share information
  - European Union
    - GDPR, General Data Protection Regulation
      - Breach notification: the authorities must be notified within 72 hours
      - Access to one's own data
      - "Portability"
      - "Right to be forgotten"
      - Personal data roles
      - Principles for processing personal data
:::

### Exam points

:::danger
- The Service Organizations Control audit program includes business continuity controls in a **SOC 2**, but not SOC 1, audit.
  Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.
- The **Gramm-Leach-Bliley Act (GLBA)** places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.
- In general, companies should be aware of the **breach laws** in any **location where they do business**.
- HIPAA. A health and fitness application developer would not necessarily be collecting or processing **healthcare data**, and the terms of HIPAA do not apply to this category of business. ==HIPAA regulates three types of entities==
  - **healthcare providers**,
  - **health information clearinghouses**, and
  - **health insurance plans, as well as the business associates of any of those covered entities**.
- The **United States Patent and Trademark Office (USPTO)** bears responsibility for the registration of **trademarks**.
- The Federal Information Security Management Act (FISMA) applies to **federal government agencies and contractors**.
- The **Payment Card Industry Data Security Standard (PCI DSS)** governs the **storage**, **processing**, and **transmission** of **credit card information**.
- The **Code of Federal Regulations (CFR)** contains the text of all **administrative laws** promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.
- **Trademarks** protect **words and images** that represent a product or service and ==would not protect computer software==.
- The **Economic Espionage Act** imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners.
- **Patents** and **trade secrets** can both protect intellectual property related to a manufacturing process.
  Trade secrets are appropriate only when the details can be tightly controlled within an organization.
- **Encryption export controls**: the export of **encryption software** to certain countries is regulated under U.S. export control laws.
- **1987: who develops the relevant guidelines? (NIST)** The Computer Security Act of 1987 gave the National Institute of Standards and Technology (NIST) responsibility for developing standards and guidelines for federal computer systems. For this purpose, NIST draws upon the technical advice and assistance of the National Security Agency where appropriate.
- COPPA: children under 13
  ![](https://i.imgur.com/RYowYLO.png)
:::

## 1.5 Understand, adhere to, and promote professional ethics

(ISC)² Code of Ethics

:::success
Pay attention to who can file a complaint against you, and on what grounds.
Only the **injured party** can file a complaint: (1) anyone, (2) anyone, (3) the employer, (4) a CISSP.
:::

:::info
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
:::

### Exam points

:::danger
- Code of Ethics
  ![](https://i.imgur.com/sEUIbdC.png)
:::

## 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines

> [color=blue] Ref OSG **CH01.3**

:::info
- The security policy is used to assign **responsibilities**, **define roles**, specify **audit requirements**, outline enforcement processes, indicate **compliance requirements**, and define **acceptable risk levels**.
- This document is often used as the proof that senior management has exercised **due care** in protecting itself against intrusion, attack, and disaster.
- Security policies are **compulsory**.
  ![](https://i.imgur.com/MJGqdKZ.png)
:::

## 1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements

### Develop and document scope and plan
:::info
The overall **goal of BCP** is to provide a quick, calm, and efficient response in the event of an emergency and to enhance a company's ability to recover from a disruptive event promptly. (OSG)

The BCP process has four main steps.
- **A. Project scope and planning**
  - ==Business organization analysis==
  - BCP team selection
    > Diverse, yet able to work together harmoniously
  - Resource requirements (once the team is selected, start assessing the resources the BCP effort needs)
  - Legal and regulatory requirements
    > Due diligence in the execution of their business continuity duties.
- **B. Business impact assessment**
  > [color=gray] Analysis methods
  > **Quantitative** decision-making: expressed in monetary value
  > **Qualitative** decision-making: non-numeric factors such as reputation and investor/customer confidence (high, medium, low)
  - Identify priorities
  - Risk identification
  - Likelihood assessment
    > List the possible threats, e.g. earthquake zones, floods
  - Impact assessment
    > Compute the exposure factor
    > SLE = AV * EF ; single loss expectancy = asset value * exposure factor
    > ALE = SLE * ARO ; annualized loss expectancy = single loss expectancy * annualized rate of occurrence
  - Impact assessment
    > Quantitative and qualitative
  - Resource prioritization
    > Rank the identified risks
- **C. Continuity planning**
  - Strategy development
  - Provisions and processes
    - Three categories of assets must be protected:
      - people,
      - buildings/facilities, and
      - infrastructure.
  - Plan approval
  - Plan implementation
  - Training and education
- **D. Approval and implementation**
  - Plan approval (signed off by senior management, demonstrating the plan's importance to the organization and management's commitment to BC)
  - Plan implementation
  - Training and education (everyone directly or indirectly involved in the plan should receive relevant training)
- **BCP documentation**
  > [color=orange] Related documents
  > - Continuity planning goals
  > - Statement of importance
  > - Statement of priorities
  > - Statement of organizational responsibility
  > - Statement of urgency and timing
  > - Risk acceptance/mitigation
  > - Vital records program
  > - **Emergency-response guidelines**: describe the organization's and individuals' responsibilities for responding immediately to an emergency
  > - Maintenance
  > - Testing and exercises
:::

### Exam points

:::danger
- RAID technology provides fault tolerance for hard drive failures and is an example of a **business continuity action**. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all **disaster recovery actions**.
- Senior managers play several **business continuity planning roles**.
  These include **setting priorities**, **obtaining resources**, and **arbitrating disputes** among team members.
- **Electronic vaulting** is a data backup task that is part of **disaster recovery**, ==not business continuity==, efforts.
- The **exposure factor** is the percentage of the facility that risk managers expect will be damaged if a risk materializes.
- What does the BCP project scope and planning phase include? The **project scope and planning phase** includes **four actions**: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.
- BCP stakeholders do not usually include senior executives such as the CEO
  ![](https://i.imgur.com/dxeCmuz.png)
:::

## 1.8 Contribute to and enforce personnel security policies and procedures

> [color=orange] Ref OSG **CH02**

:::success
![](https://i.imgur.com/WWgt9WH.jpg)
:::

:::info
- **Humans** are the ==weakest element== in any **security solution**.
- Hiring new staff typically involves several distinct steps:
  - creating a job description or position description,
  - setting a classification for the job,
  - screening employment candidates,
- Crafting **job descriptions** is the ==first step== in defining security needs related to personnel and being able to seek out new hires.
- Important elements in constructing **job descriptions** that are in line with organizational processes include
  - Separation of duties (SOD)
  - job responsibilities
  - job rotation.
- Steps in hiring employees
  1. **Create the job description**
     - **Separation of duties**
       > Divide critical, sensitive information among several different administrators or senior operators
       > A safeguard against **collusion**
     - **Job responsibilities**
       > Maximum security, minimum privilege
     - **Job rotation**
       > Provides knowledge redundancy
       > Reduces the risk of fraud, data modification, theft, sabotage, and misuse of information
  2. **Set the job classification**
  3. **Screen candidates**
     > Candidate screening is based on the sensitivity and classification defined by the **job description**.
     > Online background checks and social media reviews are now standard practice at many companies
     - Candidate screening
       - Background checks
       - Reference checks
       - Education verification
       - Security clearance
  4. **Hire and train the person best suited for the job**
     - Employment agreements
     - Onboarding and termination procedures
       - Onboarding
         > Employment agreement
         > **NDA**
       - Termination
         > The termination process maintains control and minimizes risk
         > Exit interview, mainly to review the employee's responsibilities and restrictions
         > System access should be disabled and removed **at the same time** the employee is notified of termination
:::

### 1.8.1 Candidate screening and hiring

> [color=blue] Ref OSG **CH02.1.1**

:::info
- Candidate screening is based on the sensitivity and classification defined by the **job description**.
- Online background checks and social media reviews are now standard practice at many companies.
- Candidate screening
  - Background checks
  - Reference checks
  - Education verification
  - **Security clearance**
:::

### 1.8.2 Employment agreements and policies

> [color=blue] Ref OSG **CH02.1.2**

:::info
- Employment agreements must be signed.
  - Such a document outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee.
- Nondisclosure agreement, NDA
  - Prevents employees from disclosing confidential information
- Watch for privilege creep caused by job changes.
:::

### 1.8.3 Onboarding and termination processes

> [color=blue] Ref OSG **CH02.1.3**

:::info
- Onboarding
  - IAM process: control of privileges and access rights
- Offboarding
  - IAM: cancel and delete accounts, revoke certificates, notify security
  - The **termination** process maintains control and minimizes risk
  - The exit interview mainly reviews the employee's **responsibilities** and **restrictions**
  - System access should be ==disabled and removed **at the same time**== the employee is notified of termination
:::

### 1.8.4 Vendor, consultant, and contractor agreements and controls

> [color=blue] Ref OSG **CH02.1.4**

:::success
Vendor **contracts** should additionally be checked for an **information security agreement** that retains the right to audit.
:::

:::info
- Using **SLAs** is an increasingly popular way to ensure that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed on by both the service provider and the vendor.
- The following issues are commonly addressed in SLAs:
  - System uptime (as a percentage of overall operating time)
  - Maximum consecutive downtime (in seconds/minutes/and so on)
  - Peak load
  - Average load
  - Responsibility for diagnostics
  - Failover time (if redundancy is in place)
- SLAs and vendor, consultant, and contractor controls are an important part of risk reduction and risk avoidance.
:::

### 1.8.5 Compliance policy requirements

> [color=blue] Ref OSG **CH02.1.5**

:::info
- Compliance is the act of conforming to or adhering to **rules**, **policies**, **regulations**, **standards**, or **requirements**.
- **Compliance** is an **important concern** to **security governance**.
- Employees must comply and be trained so that they know what they have to do and how to comply.
:::

### 1.8.6 Privacy policy requirements

> [color=blue] Ref OSG **CH02.1.6**

:::info
- When addressing **privacy** in the realm of IT, there is usually a balancing act between **individual rights** and the **rights or activities of an organization**.
- Privacy compliance issues
  - HIPAA
  - SOX
  - FERPA, Family Educational Rights and Privacy Act
  - PCI DSS
- When a problem occurs, both the individuals and the company must be notified; otherwise legal disputes will follow.
:::

### Exam points

:::danger
- When following the **separation of duties principle**, organizations ==divide critical tasks into discrete components== and ensure that no one individual has the ability to perform both actions. This **prevents** a **single rogue individual** from performing that task in an **unauthorized** manner.
:::

## 1.9 Understand and apply risk management concepts

> [color=orange] Ref OSG **CH02**

:::success
![](https://i.imgur.com/gcqIVHh.jpg)
- Risk management
  - **Risk assessment**
    - **Identification**: determine whether a risk relates to an **objective**; only related risks go on to analysis.
      - Once identified, risks are recorded in the **risk register** / risk list
    - **Analysis**: **likelihood** (uncertainty) / **impact** determine the **risk exposure**
      - What is the **likelihood**? (may be expressed qualitatively or quantitatively; frequency expresses likelihood) E.g. a 20-year flood plan: 1/20 per year
      - How large is the **impact**? (qualitative/quantitative)
      > All risk analysis techniques exist in order to **rank** risks
    - **Evaluation**: the list and exposure values produced above are ranked.
      - ==Based on the **analysis results**, decide whether to proceed to treatment.==
      > Not every risk that is identified and analyzed gets treated
  - **Risk treatment**: ATMA
    - **A**void: abandon what you were going to do
    - **T**ransfer: to a third party, e.g. buying cyber insurance. Risk can be transferred; accountability cannot.
    - **M**itigate: address the uncertainty (reduce the likelihood) or address the impact.
    - **A**ccept: just keep it in the risk register. **Consider cost-benefit analysis.**
  - **Monitoring and review**
  - **Communication**
:::

:::info
- **Security governance** is closely related to and often intertwined with corporate and IT governance.
- **Third-party governance** is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.
- **Documentation review** is the process of reading the exchanged materials and verifying them against standards and expectations.
- A portion of the **documentation review** is the **logical** and **practical** ==investigation== of the **business processes** and **organizational policies**.
- The ==primary goal== of **risk management** is to **reduce risk** to an **acceptable level**.
- Risk terminology
  - **Asset valuation** is a dollar value assigned to an asset based on actual cost and nonmonetary expenses.
  - **Threat**: any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat.
  - **Vulnerability**: the weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability.
  - **Safeguard**: a safeguard, security control, or countermeasure is anything that **removes** or **reduces** a vulnerability or **protects against** one or more **specific threats**.
  - **Attack**: an attack is the exploitation of a vulnerability by a threat agent.
  - **Breach**: a breach is the occurrence of a **security mechanism** being **bypassed** or **thwarted** by a **threat agent**.
- BCP process
  - Risk assessment
    - Quantitative and qualitative analysis
      - **Quantitative risk assessment** excels at analyzing financial risk (suited to tangible assets)
      - **Qualitative risk assessment** is a good tool for intangible risks (suited to intangible assets)
  - Risk treatment
    - Accept the risk (record it in the risk register). Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).
:::

### 1.9.1 Identify threats and vulnerabilities

> [color=blue] Ref OSG **CH02.2**

:::success
- Think beyond IT: threats to IT are not limited to IT.
- NIST generic risk model
  - How security staff describe a risk
    - **Who** does **what** by **what means**
    - Threat source
    - Threat event
    - Vulnerability
  - Threat **scenario**
    > The combination of **one** threat source paired with **one** threat event
    > E.g. one script kiddie may give rise to several threat scenarios
    > The same script kiddie (threat source) doing SQL injection (event), XSS (event), DDoS (event), etc.
    ![NIST800](https://i.imgur.com/FTCYtuJ.jpg)
:::

### 1.9.2 Risk assessment/analysis

> [color=blue] Ref OSG **CH02.3.3**

:::info
- The OSG's view
  - Quantitative risk analysis
  - Qualitative risk analysis
- Quantitative risk calculation
  ![](https://i.imgur.com/mnKLuXe.png)
  **SLE = AV * EF**
  **ALE = ARO * SLE**
:::

### 1.9.3 Risk response

> [color=blue] Ref OSG **CH02.3.4**

:::info
- **A**void: abandon what you were going to do
- **T**ransfer: to a third party, e.g. buying cyber insurance.
  > Risk can be transferred; accountability cannot.
- **M**itigate: address the uncertainty (reduce the likelihood) or address the impact.
- **A**ccept: just keep it in the risk register. **Consider cost-benefit analysis.**
:::

### 1.9.4 Countermeasure selection and implementation

> [color=blue] Ref OSG **CH02.3.5**

:::info
- **Type 1: a defense-in-depth implementation**
  ![](https://i.imgur.com/Kygzkam.png)
  - **Physical**
    > [color=orange] **Examples of physical controls** include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.
  - **Logical / Technical**
    > [color=orange] **Examples of logical or technical controls** include authentication methods (such as usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.
  - **Administrative**
    > [color=orange] **Examples of administrative controls** include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
:::

### 1.9.5 Applicable types of controls (e.g., preventive, detective, corrective)

> [color=blue] Ref OSG **CH02.3.6**

:::info
- **Type 2: viewed as a timeline**
  - **Before the event**
    - Directive (administrative): an expression of management intent
    - Deterrent (tells you the consequences so that you don't do it): removes the motive
    - Preventive (e.g. access control at the door): raises the bar
  - **During the event**
    - Detective (someone keeps trying passwords)
    - Corrective (the security guard comes to look)
  - **After the event**
    - Recovery (the damage has already been done)
    - Compensating (the existing control is not good enough)
:::

### 1.9.6 Security Control Assessment (SCA)

> [color=blue] Ref OSG **CH02.3.7**

:::info
- The **goals** of an SCA are to **ensure the effectiveness of the security mechanisms**, evaluate the **quality** and thoroughness of the risk management processes of the organization, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure.
:::

### 1.9.7 Monitoring and measurement

> [color=blue] Ref OSG **CH02.3.8**

### 1.9.8 Asset valuation

> [color=blue] Ref OSG **CH02.3.9**

:::info
- The **value of an asset** directly affects and guides the level of **safeguards** and **security** deployed to **protect** it.
- As a rule, the **annual costs of safeguards** ==should not exceed the expected annual cost of asset loss.==
- Understanding the value of assets also helps to prevent negligence of **due care** and **encourages compliance** with legal requirements, industry regulations, and internal security policies.
:::

### 1.9.9 Reporting

> [color=blue] Ref OSG **CH02.3.9**

:::info
- **Risk reporting** involves the production of a risk report and a presentation of that report to the interested/relevant parties. For many organizations, risk reporting is an internal concern only, whereas other organizations may have regulations that mandate third-party or public reporting of their risk findings.
:::

### 1.9.10 Continuous improvement

> [color=blue] Ref OSG **CH02.3.10**

### 1.9.11 Risk frameworks

> [color=blue] Ref OSG **CH02.3.11**

:::info
- A **risk framework** is a guideline or recipe for how risk is to be **assessed**, **resolved**, and **monitored**.
- **RMF**
  ![](https://i.imgur.com/wz3b0iv.png)
:::

### Exam points

:::danger
- **Purchasing insurance** is a means of **transferring** risk.
- **Baselines** provide the minimum level of security that every system throughout the organization must meet.
- After developing a **list** of assets, the business impact analysis team should assign **values** to each asset.
- **Risk mitigation strategies** attempt to **lower** the **probability** and/or **impact** of a risk occurring.
- In a risk **acceptance strategy**, the organization decides that **taking no action** is the most **beneficial** route to managing a risk.
- A cost question
  ![](https://i.imgur.com/6g2kJDM.png)
  - Definitions of the various costs
    - **Replacement cost**: the amount needed to rebuild or replace the insured item, at that time and place, with something of the same or similar quality, to the original design and specification.
    - **Opportunity cost (OC)**: when a decision involves several alternatives, the highest-valued option forgone; also called "alternative cost". In plain terms, "there is no free lunch" and "you cannot have your cake and eat it too". Simply put, opportunity cost is "the price of what you give up".
    - **Acquisition cost**: the cost incurred to obtain ownership of goods at a predetermined location (such as a warehouse), i.e. the cost of the goods themselves, including the purchase price, transport, loading and unloading, and losses during handling.
    - **Depreciated cost**: the value of a fixed asset minus all accumulated depreciation recorded against that asset.
- Which category does a given security control belong to?
  ![](https://i.imgur.com/A9ex0yX.png)
- Compensating controls
  ![](https://i.imgur.com/fgMp2Ki.png)
- Calculation questions
  ![](https://i.imgur.com/nONPlnP.png)
:::

## 1.10 Understand and apply threat modeling concepts and methodologies

> [color=blue] Ref OSG **CH01.4**

:::success
> [color=orange] Threat **classification**: **STRIDE** assesses impact, classifying threats by their impact
> - Spoofing
> - Tampering
> - Repudiation
> - Information disclosure
> - Denial of service
> - Elevation of privilege

> [color=blue] Threat **analysis**: **DREAD** rates threats
> - Damage potential: how much damage would exploiting the vulnerability cause
> - Reproducibility: how hard is it to reproduce the attack
> - Exploitability: how hard is it to launch the attack
> - Affected users
> - Discoverability
:::

:::info
- Structured identification approaches
  - Focused on assets
  - Focused on attackers
  - Focused on software
- STRIDE
  - Spoofing
  - Tampering
  - Repudiation
  - Information disclosure
  - DoS
  - Elevation of privilege
- Perform reduction analysis
- Prioritization and ranking
  - DREAD
:::

### Exam points

:::danger
- ST**R**IDE: **Repudiation** threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently.
- STRID**E**: In an **elevation of privilege** attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.
- RAID: RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.
- STRIDE, PASTA, and VAST are all threat modeling methodologies.
- **STRIDE** was designed for applications and operating systems (but can be used more broadly), **PASTA** is a risk-centric modeling system, and **VAST** is a threat modeling concept based on Agile project management and programming techniques.
- Reduction analysis
  ![](https://i.imgur.com/EOPDOyv.png)
:::

## 1.11 Apply risk-based management concepts to the supply chain

> [color=blue] Ref OSG **CH01.5**

:::info
- **On-site assessment**: visit the site of the organization to interview personnel and observe their operating habits.
- **Document exchange and review**: investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.
- **Process/policy review**: request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.
- **Third-party audit**: having an independent third-party auditor
  - SOC-1
  - SOC-2
:::

### Exam points

:::danger
**Supply chain management** can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.
:::

## 1.12 Establish and maintain a security awareness, education, and training program

> [color=orange] Ref OSG **CH02**

:::info
- **Awareness, training, education**
- **Awareness** establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or ==basic topics and issues related to security== that all employees must understand and comprehend.
- Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies, and memos as well as the traditional instructor-led training courses.
- **Training** is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to **groups of employees** with ==similar job functions==.
- **Education** is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing ==certification== or seeking ==job promotion==. It is typically a requirement for personnel seeking security professional positions.
- An assessment of the appropriate levels of awareness, training, and education required within the organization should be revised on a regular basis using **periodic content reviews**.
- Training efforts need to be **updated** and **tuned** as the organization evolves over time.
- Additionally, new bold and subtle means of awareness should be implemented as well to keep the **content fresh** and **relevant**.
:::

### Exam points

:::danger
- Security controls: a fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
:::

### D1 exam points

:::danger
- Cold site: the site has been selected and there is space for equipment, but no equipment is installed
  ![](https://i.imgur.com/rSqwPwg.png)
- **CFAA**: $5,000
  ![](https://i.imgur.com/Fdl7tl3.png)
- **Communications Assistance for Law Enforcement Act, CALEA**
  ![](https://i.imgur.com/eHCdVy3.png)
- Wireshark affects confidentiality
  ![](https://i.imgur.com/hzjR6uu.png)
- Site selection
  ![](https://i.imgur.com/m68Gz8Y.png)
:::

---
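Worked example for the SLE/ALE formulas in the BIA notes (1.7) and 1.9.2, carried through to the safeguard cost rule in 1.9.8 (annual safeguard cost must not exceed the annual loss it avoids). This is an added example, not code from the OSG or from these notes; the asset, the two candidate safeguards and all dollar figures are constructed, and the 1/20 flood ARO follows the note's "20-year flood" illustration.

```python
"""Quantitative risk calculation: SLE, ALE and safeguard cost/benefit.

Added example (not from the OSG or these notes). The asset, safeguard
names and dollar figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV: asset value in dollars


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # ACS: annual cost of the safeguard
    ef_after: float     # exposure factor remaining once the safeguard is in place
    aro_after: float    # annualized rate of occurrence once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF. EF is a fraction (0.4 for 40%)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO.

    ARO is a frequency per year, so a '20-year flood' is ARO = 1/20 = 0.05.
    """
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def safeguard_value(asset: Asset, ef: float, aro: float, sg: Safeguard) -> float:
    """Cost/benefit of a safeguard: ALE(before) - ALE(after) - ACS.

    Positive: the safeguard avoids more annual loss than it costs.
    Negative: its annual cost exceeds the annual loss it avoids, which
    violates the 1.9.8 rule, so it should not be selected.
    """
    before = ale(asset.value, ef, aro)
    after = ale(asset.value, sg.ef_after, sg.aro_after)
    return before - after - sg.annual_cost


def choose_safeguard(asset: Asset, ef: float, aro: float,
                     candidates: list) -> tuple:
    """Pick the safeguard with the highest positive value.

    Returns (name, value). If no candidate pays for itself, mitigation is
    not cost-effective and the result is ("accept", 0.0), i.e. leave the
    risk in the register (the other ATMA options, avoid or transfer,
    are decided outside this calculation).
    """
    best = None
    for sg in candidates:
        v = safeguard_value(asset, ef, aro, sg)
        if v > 0.0 and (best is None or v > best[1]):
            best = (sg.name, v)
    return best if best is not None else ("accept", 0.0)


# Constructed scenario: a $1,000,000 server room in a flood zone. A flood is
# expected to destroy 40% of it (EF = 0.4) once every 20 years (ARO = 0.05).
SERVER_ROOM = Asset("server room", 1_000_000.0)
FLOOD_EF = 0.4
FLOOD_ARO = 1 / 20

CANDIDATES = [
    # Flood barrier: floods still happen, but only 10% of the asset is exposed.
    Safeguard("flood barrier", annual_cost=5_000.0, ef_after=0.1, aro_after=0.05),
    # Relocating removes the flood risk entirely but costs more than the ALE.
    Safeguard("relocate", annual_cost=30_000.0, ef_after=0.0, aro_after=0.0),
]


def run_example() -> dict:
    """Work the scenario through and return every intermediate figure."""
    return {
        "SLE": sle(SERVER_ROOM.value, FLOOD_EF),               # 400,000
        "ALE": ale(SERVER_ROOM.value, FLOOD_EF, FLOOD_ARO),    # 20,000
        "values": {sg.name: safeguard_value(SERVER_ROOM, FLOOD_EF, FLOOD_ARO, sg)
                   for sg in CANDIDATES},                      # +10,000 / -10,000
        "decision": choose_safeguard(SERVER_ROOM, FLOOD_EF, FLOOD_ARO, CANDIDATES),
    }


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key}: {val}")
```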