ISC2 Certified in Cybersecurity (CC) Exam Preparation PDF

Document Details

Uploaded by ErrFreeDramaticIrony709

Mapúa Malayan Colleges Laguna

ISC2

Engr. Jess David A. Doria

Tags

cybersecurity information security security principles computer security

Summary

This document appears to be study material for an ISC2 cybersecurity exam. It covers various security concepts, including information security, IT security, and cybersecurity, and their importance in protecting information and assets.

Full Transcript

DOMAIN 1 PART 1: SECURITY PRINCIPLES
ISC2 Certified in Cybersecurity (CC) Exam Preparation
Course: ECE150-2 (Advanced Networking)
Prepared by: Engr. Jess David A. Doria, MBA, CISSP, CC

About the Domain
Security Principles provides the foundational knowledge that anyone in information technology needs to understand as they begin their career in cybersecurity. It includes the following five (5) objectives (average exam weight: 26%):
1.1 Understand the security concepts of information assurance
1.2 Understand the risk management process
1.3 Understand security controls
1.4 Understand the ISC2 Code of Ethics
1.5 Understand the governance process

Contents
▪ Confidentiality
▪ Integrity
▪ Availability
▪ Non-Repudiation
▪ Authentication and Authorization
▪ Privacy

Domain 1: Security Principles
SECURITY TRIO EXPLAINED
✓ Information Security
✓ IT Security
✓ Cyber Security

Information Security
▪ According to the National Institute of Standards and Technology (NIST), it is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
▪ By the definition of Cisco Systems, it is often termed InfoSec and refers to the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and inspection.

IT Security
▪ NIST defines IT security as the technological discipline concerned with ensuring that IT systems perform as expected and do nothing more; that information is provided adequate protection for confidentiality; that system, data, and software integrity is maintained; and that information and system resources are available and protected against unplanned disruptions of processing that could seriously impact mission accomplishment.
▪ According to Cisco Systems, it is a set of cybersecurity strategies that prevents unauthorized access to organizational assets such as computers, networks, and data.
Cybersecurity
▪ NIST defines this as the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
▪ It is the practice of protecting systems, networks, and programs against digital attacks (Cisco Systems).

The Difference?
▪ Information security: the security of any information. That includes paper documents, voice information, data, even the knowledge that people have.
▪ IT security: the security of hardware, software, and data. Computers, servers, networks, hardware, software, firmware, and data being processed, stored, and communicated.
▪ Cybersecurity: everything from IT security that is accessible from the Internet.

Domain 1: Security Principles
CIA TRIAD AND NON-REPUDIATION
✓ CIA Triad
✓ CIA Risks and Defenses
✓ DAD Triad
✓ Non-Repudiation

Overview
▪ One of the foundational concepts of cybersecurity is three core types of protection: Confidentiality, Integrity, and Availability, also known as the CIA triad.
▪ It is a common model that forms the basis for the development of security systems. It is used for finding vulnerabilities and for creating solutions.
▪ When all three pillars have been met, the security profile of the organization is stronger and better equipped to handle threat incidents.

Confidentiality
▪ The secrecy of the information within the asset being protected.
▪ This is what most people think information security is.
▪ It is the most common form of protection that cyber criminals seek to compromise.
▪ The goal of most cyberattacks is to steal data, which is a compromise of confidentiality.
▪ Cyber criminals compromise confidentiality by accessing data they are not authorized to access. Simply accessing data without proper authorization is a compromise of confidentiality.

CONFIDENTIALITY Risks and Defenses
1. Snooping
o Description: the person wanders around a specific area and looks to see what information they can gather, hoping for exposed sensitive papers.
o Defense: enforce a clean desk policy.
2. Dumpster Diving
o Description: the same as snooping, but this time the person looks through the trash for sensitive documents that were thrown in the garbage.
o Defense: use a paper shredder.
3. Eavesdropping
o Description: can be either physical or electronic. In the physical form, the attacker simply positions themselves where they can overhear conversations. In the electronic form, this can be done through wiretapping.
o Defense: (physical) set rules that limit where sensitive conversations can take place; (electronic) use encryption to protect information being sent over the network.
4. Social Engineering
o Description: the attacker uses psychological tricks to persuade someone to give them sensitive information or access to internal systems.
o Defense: conduct user training and education.

Integrity
▪ The concept of protecting the reliability and correctness of data.
▪ Integrity protection prevents unauthorized alterations of data. It ensures that data remains correct, unaltered, and preserved.
▪ Cyber criminals' goals are not always stealing data; sometimes they attempt to alter data in order to disrupt the operations of their target.
▪ It can be examined from three perspectives:
1. Preventing unauthorized modifications by outsiders
2. Preventing authorized users from making unintended changes
3. Maintaining data consistency for accurate representation and valid relationships

INTEGRITY Risks and Defenses
1. Unauthorized Modification of Information
o Description: the attacker gains access to a system and makes changes that violate a security policy.
o Defense: follow the principle of least privilege.
2. Impersonation
o Description: the attacker pretends to be someone other than who they are to convince a person to change data in the system; an extension of social engineering.
o Defense: conduct user training and education.
3. Man-in-the-Middle (MITM) Attacks
o Description: the electronic form of impersonation, where the attacker intercepts network traffic as a user logs into a system and pretends to be that system.
o Defense: apply encryption (e.g., use TLS to secure the connection).
4. Replay Attacks
o Description: the attacker finds a way to observe a legitimate user logging into a system. The login information is captured and later replayed on the network to gain access.
o Defense: the same as for MITM.

Availability
▪ Authorized subjects are granted timely and uninterrupted access to objects.
▪ This is as important as confidentiality and integrity because an organization's business depends on its systems and data being operational.
▪ Availability is a key element by which an organization's customers judge the organization's services, products, and quality. If a security mechanism offers availability, it offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects.

AVAILABILITY Risks and Defenses
1. Denial of Service (DoS) Attacks
o Description: occurs when an attacker bombards a system with an overwhelming amount of network traffic.
o Defense: deploy firewalls to block illegitimate requests; partner with ISPs to block DoS attacks before they reach the network.
2. Power Outages
o Description: can occur on a local or regional level and can be caused by increased demand and natural disasters.
o Defense: use redundant power sources and backup generators.
3. Hardware Failures
o Description: devices fail occasionally and can disrupt access to information.
o Defense: build a system that has built-in redundancy.
4. Destruction of Equipment
o Description: this can be the result of intentional or accidental physical damage, or even of a large-scale disaster like a fire or typhoon.
o Defense: for a small-scale disaster, redundant systems would do. For larger disasters, a backup data center in a remote or off-site location may be needed.
5. Service Outages
o Description: may occur due to programming errors or equipment failure that disrupt user access to systems and information.
o Defense: build systems that are resilient in the face of errors and hardware failures.

DAD Triad
▪ When the goals of the CIA triad are not met:
1. Disclosure – someone not authorized getting access to your information. This is more commonly called a data breach.
2. Alteration – changing data or information from its original form. This can be in the form of encrypting information or completely deleting it.
3. Destruction/Denial – making a system unreachable by users. Either it has been destroyed or rendered inaccessible.

Non-Repudiation
▪ A security goal that prevents someone from falsely denying that something is true.
▪ Sample scenario (e-commerce transaction):
o If you use a credit card to purchase a product and you sign the bill, the company can use your signature to prove you are the person who made the purchase.
o You could not later deny it, because your signature verifies that you purchased it.
o Similarly, e-commerce transactions require you to enter additional information such as the expiration date and the security code on the card.
o The idea is that only someone with the card in his or her possession knows this additional information.
▪ Physical signatures provide non-repudiation on receipts, contracts, and other paper documents.
▪ There is also an electronic form of the physical signature called a digital signature. It uses encryption technology to provide non-repudiation for electronic documents.
▪ Other ways include:
o Biometric security controls (e.g., fingerprint or facial recognition) to prove that someone was in a facility or performed an action.
o Video surveillance (CCTV).

Domain 1: Security Principles
AUTHENTICATION & AUTHORIZATION
✓ Access Control System
✓ Digital Access Control
✓ Password Policies and Password Managers
✓ Authentication Factors
✓ Multi-Factor Authentication

Overview
▪ The access control process consists of three steps: Identification, Authentication, and Authorization. It also performs another important task: Accounting.
▪ Together, the activities performed by an access control system are referred to as AAA or "triple-A".
o AAA stands for Authentication, Authorization, and Accounting.
o Identification is assumed to be part of the process when performing authentication (and adding "I" would ruin an easy acronym! ☺)
▪ Authorization cannot be restricted without proper identification and authentication.
▪ Without authentication, you cannot have accounting.

Access Control System
1. Identification
o An individual makes a claim about their identity. The person trying to gain access does not present any proof at this point, but simply makes an assertion.
o It is important to remember that this step is only a claim, and the user could certainly be making a false claim.
2. Authentication
o This is where proof comes into play.
o An individual provides strong evidence that they are who they claim to be.
3. Authorization
o Just proving the identity is not enough to gain access to a system; the access control system also needs to be satisfied that you are allowed to access the system.
o This involves the rights and permissions given to an individual.
4. Accounting (or Accountability)
o This allows administrators to track user activity and reconstruct it from logs.
o If a system can identify individual users, track their actions, and monitor their behavior, then it provides accountability.

Access Control System (principles of access control)
▪ Knowledge
▪ Ownership (Domain 3)
▪ Characteristics

Access Control System (physical example)
IDENTIFICATION: "I am John Smith. I have an appointment."
AUTHENTICATION: "Prove it." / "Here is my driver's license."
AUTHORIZATION: "Okay. You're on the list."
ACCOUNTING: "Let me just log this in our system." (LOG)

Digital Access Control
▪ So far, the access control system has been discussed in the context of physical access, but it also applies in the electronic world.
1. When logging in to a system, an individual's identity is claimed through a username.
2. During authentication, the system asks the user to enter a password tied to the username provided.
3. In the electronic world, authorization often takes the form of access control lists (ACL) that itemize the specific file system permissions granted to an individual.
4. Accounting is achieved by tracking user activity and even logging user web browsing activity. Any tracking done should fit within the boundaries set by the law and the company's privacy policy.

Digital Access Control (example)
IDENTIFICATION: username "johnsmith"
AUTHENTICATION: password "********"
AUTHORIZATION: ACCESS GRANTED!
ACCOUNTING: "John Smith is logged in at 1:11 PM"

Password Policies
▪ When setting a password policy for the organization, there are several technical controls available that allow setting requirements for how users choose and maintain their passwords.
▪ These mechanisms include:
1. Password Length
2. Password Complexity
3. Password Expiration
4. Password History
5. Password Resets
6. Password Reuse

Password Policies
1. Password Length
o The simplest and most common control on passwords; the minimum number of characters that must be included in a password.
o It is good practice to require at least 8 characters, but the longer the password, the harder it is to guess.
2. Password Complexity
o Forces users to include different types of characters in their passwords, such as upper- and lowercase letters, numbers, and special characters.
o The more character types there are in a password, the harder it is to guess.
3. Password Expiration
o Forces users to change their passwords periodically. For example, an organization may set user passwords to expire after 180 days (or 6 months).
o However, most organizations no longer require this, and users can keep their passwords and change them only when they are compromised.
4. Password History
o Designed to prevent users from reusing old passwords. Systems can be configured to remember previous passwords to prevent reuse.
o This allows administrators to set how many old passwords are remembered for each user.
5. Password Resets
o Every organization should allow users to change their password quickly and easily, i.e., change it privately and do so whenever they think it is compromised.
o Organizations should evaluate their password reset process for users who forgot their passwords. If it is not designed securely, attackers can perform unauthorized password resets.
6. Password Reuse
o IT should encourage users not to reuse the same password across multiple sites. This is difficult to enforce but can provide a strong measure of security.

Password Managers
▪ It is difficult for users to manage unique passwords for every site they visit and use.
▪ Password managers are secure password vaults, often protected by biometric security mechanisms, that create and store unique passwords.
▪ They can automatically fill in passwords on websites, so users do not have to remember and key in their passwords when logging in.
▪ Tools such as KeePass and LastPass are good password managers. As of iOS 18.0, Apple devices now have a built-in password manager.
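The length, complexity, expiration and history mechanisms above, carried through as a policy check; this is an added example, not code from the course, and the 3-of-4 character-class rule and the 5-entry history depth are assumptions (the 8-character minimum and 180-day expiry are the slide's own figures).

```python
"""Added example: a password-policy check built from the slide's mechanisms
(length, complexity, expiration, history). The history keeps salted PBKDF2
hashes, never plaintext, so the history table itself is not a confidentiality risk."""
import hashlib
import hmac
import os
import re
from datetime import date
from typing import List, Optional, Tuple, Union

MIN_LENGTH = 8          # slide: "require at least 8 characters"
MIN_CHAR_CLASSES = 3    # assumption: 3 of upper/lower/digit/special
MAX_AGE_DAYS = 180      # slide: passwords expire after 180 days (or 6 months)
HISTORY_DEPTH = 5       # assumption: remember the last 5 passwords
PBKDF2_ROUNDS = 100_000

HistoryEntry = Tuple[bytes, bytes]   # (salt, pbkdf2 digest)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def character_classes(password: str) -> int:
    """Count how many of the four character types (upper, lower, digit, special) appear."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def used_previously(password: str, history: List[HistoryEntry]) -> bool:
    """Password history: re-derive with each stored salt and compare in constant time."""
    return any(hmac.compare_digest(_derive(password, salt), digest)
               for salt, digest in history)


def is_expired(last_changed: Union[date, str], today: Optional[Union[date, str]] = None) -> bool:
    """Password expiration: True once the password is older than MAX_AGE_DAYS.
    Dates may be given as date objects or ISO strings such as "2024-01-01"."""
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - last_changed).days > MAX_AGE_DAYS


def check_policy(password: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of policy violations for a candidate password (empty = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:                       # 1. length
        violations.append("too short")
    if character_classes(password) < MIN_CHAR_CLASSES:   # 2. complexity
        violations.append("not enough character types")
    if used_previously(password, history):               # 4. history (prevents reuse)
        violations.append("password was used previously")
    return violations


def record_password(history: List[HistoryEntry], password: str) -> List[HistoryEntry]:
    """Append the accepted password's salted hash and keep only the newest HISTORY_DEPTH."""
    salt = os.urandom(16)
    return (history + [(salt, _derive(password, salt))])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    hist = record_password([], "Tr0ub4dor&3")                 # constructed sample password
    print(check_policy("Tr0ub4dor&3", hist))   # reuse of a remembered password is rejected
    print(check_policy("Tr0ub4dor&4", hist))   # a fresh password passes: []
    print(is_expired("2024-01-01", "2024-07-01"))   # True: 182 days old
```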
Authentication Factors
▪ Computer systems offer many different authentication techniques that allow users to prove their identity. There are three (3) common authentication factors:
1. Something You Know (Type 1 Authentication)
o Also called knowledge factors.
o This is the most used form of authentication, and a password is the most common factor. The user is required to prove knowledge of a secret to authenticate.
o It is the weakest form of authentication and can easily be compromised.
o Other examples of this factor include passphrases, PINs, and the answers to security questions.
2. Something You Have (Type 2 Authentication)
o Also called possession factors.
o Requires the user to have physical possession of a device which can generate one-time passwords (OTP) to prove that the user has access to that device.
o Smartcards can also serve as Type 2 authentication, requiring the user to insert a card with a digital chip into a specialized reader.
o Other examples include identification cards, passports, and magnetic stripe cards.
3. Something You Are (Type 3 Authentication)
o Also known as inherence factors, and considered the strongest factor.
o This type of authentication measures one's physical characteristics (called biometrics) such as fingerprint, eye pattern, face, or voice.
o There are two types of errors in biometric authentication:
a. False Rejection Rate (FRR): also known as a Type 1 error; happens when an authorized user is rejected.
b. False Acceptance Rate (FAR): also known as a Type 2 error; happens when an unauthorized user is granted access. This is a VERY SERIOUS error.
o A good biometric authentication system should have a good mix of FRR and FAR. The point where the two meet on the graph is the CER (Crossover Error Rate); this is where the system should operate.
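The FRR/FAR trade-off and the crossover point, worked on constructed match scores; this is an added example rather than material from the course, and the score lists, the hypothetical matcher they come from, and the 0.05 threshold step are all assumptions.

```python
"""Added example: sweep a decision threshold over made-up biometric match scores to see
FRR (Type 1 error) and FAR (Type 2 error) trade off, locate the CER, and show what a
stricter operating point costs in false rejections."""
from typing import List, Tuple

# Constructed similarity scores in [0, 1]: higher means the sample matched the enrolled
# template more closely. GENUINE are authorized users; IMPOSTOR are unauthorized attempts.
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.65, 0.58, 0.52, 0.47]
IMPOSTOR = [0.61, 0.55, 0.49, 0.44, 0.40, 0.36, 0.31, 0.27, 0.22, 0.15]


def false_rejection_rate(threshold: float, genuine: List[float] = GENUINE) -> float:
    """FRR (Type 1 error): fraction of authorized users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(threshold: float, impostor: List[float] = IMPOSTOR) -> float:
    """FAR (Type 2 error): fraction of unauthorized attempts scoring at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(steps: int = 20) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) rows for thresholds 0.00, 0.05, ..., 1.00."""
    return [(i / steps, false_rejection_rate(i / steps), false_acceptance_rate(i / steps))
            for i in range(steps + 1)]


def crossover_error_rate() -> Tuple[float, float]:
    """CER: the threshold where FRR and FAR are closest, and the error rate there."""
    t, frr, far = min(error_curve(), key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (frr + far) / 2


def threshold_for_max_far(max_far: float) -> Tuple[float, float]:
    """A false acceptance is the serious error, so an operator may cap FAR at max_far.
    Returns the loosest threshold meeting that cap and the FRR paid for it."""
    for t, frr, far in error_curve():
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


if __name__ == "__main__":
    for t, frr, far in error_curve():
        print(f"threshold {t:.2f}  FRR {frr:.1f}  FAR {far:.1f}")
    print("CER:", crossover_error_rate())                          # (0.55, 0.2)
    print("zero-FAR operating point:", threshold_for_max_far(0.0))  # (0.65, 0.3)
```

Moving from the CER (0.55) to a threshold with no false acceptances raises the rejection rate for authorized users from 20% to 30%, which is the trade-off the slide's graph describes.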
Multi-Factor Authentication
▪ The authentication factors, when used alone, can provide some level of security. However, to improve the security of authentication, these factors can be combined. This approach is called multi-factor authentication (MFA).
▪ When evaluating MFA, it is important to remember that the techniques must come from different factors.

Domain 1: Security Principles
PRIVACY
✓ Types of Private Information
✓ Expectation of Privacy
✓ General Data Protection Regulation
✓ Privacy Management Framework

Overview
▪ Privacy is a human right. It is the state or circumstance of being free from observation or unauthorized interference.
▪ As a cybersecurity professional, you have a variety of interests in how firms gather and handle personal information:
o You are concerned about the privacy of your personal information.
o You are responsible for educating users about how to protect their own personal information.
o You are responsible for assisting privacy officials inside the organization with the tasks necessary to preserve personal information entrusted to the organization.

Types of Private Information
▪ Private information may come in many forms, and the most common elements are:
1. Personally identifiable information (PII) – includes all information that can be tied back to a specific individual.
2. Protected health information (PHI) – includes healthcare records that are regulated under the Health Insurance Portability and Accountability Act (HIPAA) [for the US].
3. Payment card industry (PCI) information – any data that is used during a payment card transaction; it overlaps with PII.
▪ Note: All PHI is considered PII, but not all PII is PHI.

Expectation of Privacy
▪ Privacy programs are founded on the legal premise known as the reasonable expectation of privacy. For instance, if a corporation intends to monitor its employees' communications, reasonable safeguards must be taken to ensure that there is no implied expectation of privacy.
▪ Some common measures to consider include:
o Employment contracts that include clauses stating that employees have no expectation of privacy while using corporate equipment.
o Similar written declarations in corporate acceptable use and privacy policies.
o Logon banners that warn that all communications are monitored.
o Warning labels on computers and phones that warn about monitoring.

General Data Protection Regulation
▪ In 2016, the European Union (EU) passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
▪ The GDPR has seven (7) provisions, including:
o Lawfulness, fairness, and transparency – legal basis for processing.
o Purpose limitation – document and disclose the purpose of data collection.
o Data minimization – data processing is adequate for the stated purpose.
o Accuracy – data is correct and not misleading; inaccurate data must be erased.
o Storage limitation – data is kept only as long as needed and deleted once done.
o Security – appropriate integrity and confidentiality controls.
o Accountability – responsibility for actions on protected data.

Privacy Management Framework
▪ The PMF is an attempt to establish a global framework for privacy management.
▪ It includes nine (9) principles that were developed by the American Institute of Certified Public Accountants (AICPA) with input from subject matter experts:
1. Management
2. Agreement, notice and communication
3. Collection and creation
4. Use, retention, and disposal
5. Access
6. Disclosure to third parties
7. Security for privacy
8. Data integrity and quality
9. Monitoring and enforcement

Extra Section
SECURITY AS A PROFESSION
✓ The Realm of Security
✓ Career Map
✓ Security Certification Roadmap
The Realm of Security (diagram)
Career Map (diagram)
Security Certification Roadmap (diagram)

Sources:
Chapple, M. (2023). CC Certified in Cybersecurity Study Guide. Wiley & Sons.
Genung, J. & Bennett, S. (2023). All-in-One Certified in Cybersecurity Exam Guide, First Edition. McGraw Hill.
DOMAIN 1 PART 2: SECURITY PRINCIPLES
ISC2 Certified in Cybersecurity (CC) Exam Preparation
Course: ECE150-2 (Advanced Networking)
Prepared by: Engr. Jess David A. Doria, MBA, CISSP, CC

Contents
▪ Risk Management
▪ Security Controls
▪ Ethics
▪ Security Governance Process

Domain 1: Security Principles
RISK MANAGEMENT
✓ Risk Terminologies
✓ Risk Types
✓ Risk Management Process (Identification, Assessment, Treatment)
✓ Risk Profile and Tolerance

Overview
▪ Risks thrive in the world of information security, and addressing each risk requires both time and money, with cybersecurity professionals responsible for risk management.
▪ Organizations face a variety of risks, and it is their responsibility to identify, assess, and manage these risks to protect information and assets.
▪ Risk management is a process for determining how much to spend on security and what types of security controls are appropriate, based on the organization's tolerance for risk.

Risk Terminology
1. Asset – anything in the environment that should be protected. It includes anything used in a business process or task.
2. Asset Valuation – the dollar value assigned to an asset based on its actual cost and non-monetary expenses.
3. Compromise – a security incident that results in unauthorized access to an asset or information resource.
4. Vulnerability – any weakness that could be exploited. It can occur in software, hardware, or even in how humans use and interact with the system.
5. Vulnerability Assessment – a planned test and review of an organization's information system to identify security flaws.
6. Threat – a potentially damaging event associated with the exploitation of a vulnerability. Threat actors (or threat agents) are individuals that exploit vulnerabilities.
7. Exposure – the possibility of a security breach.
8. Attack – occurs when a threat agent exploits a vulnerability. It refers to any deliberate attempt to exploit a vulnerability in order to inflict damage, loss, or disclosure of assets.
9. Risk – the likelihood that a vulnerability could be exploited and the corresponding impact of such an event. It ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact. It is often measured or rated:
   Risk = Threat x Vulnerability
   Total Risk = Threat x Vulnerability x Asset Value
10. Countermeasure (or security control) – anything that is put in place to mitigate a risk. Sometimes this is also called a safeguard.

Risk Types
▪ Risk can be divided into two categories:
1. Internal Risks – those that arise from within the organization.
2. External Risks – those where the threat originates outside the organization.
Internal risk
o Example: an employee in the accounting department commits fraud during the processing of checks.
o Control: add a two-person control to the issuance of checks. One fills out the check, and the other reviews and signs it.
External risk
o Example: an attacker targets an organization with a ransomware attack.
o Control: use MFA; launch a social engineering threat awareness campaign.

Other Risk Types
3. Multiparty Risks – risks that are shared among many different organizations. For example, if a software provider like O365 is compromised, all customers using that service are affected.
4. Specific risks associated with:
a. Legacy Systems – systems that are still in use despite their age and possible lack of maintenance and support by the manufacturer.
b. Intellectual Property – creations of the mind (e.g., an invention, design, brand name, or literary work).
c. Software License Compliance – ensuring that the organization is only using software it is authorized to use.

Risk Management Process
▪ Risk management is directed from the highest levels of the organization.
▪ Regardless of how it is governed and directed, the goal is to understand the risks to the business so the organization can decide how the risks should be treated, including what security controls to put in place, to defend the organization's assets against the risks.
▪ ISC2 advocates a three-step risk management process:
1. Risk Identification (framing the risks)
2. Risk Assessment (understanding the risks)
3. Risk Treatment (taking action on what to do about the risks)

RMP: Risk Identification
▪ The first step is to identify the potential threats the organization may face.
▪ It begins with a thorough inventory of the assets of the organization. Each asset is identified, catalogued, and described, sometimes in a database.
▪ Then threat modeling is performed, where each asset is examined, including the potential threats faced by each asset and the adverse effects caused by the threat.
▪ For each threat, characteristics are identified, such as likelihood of occurrence and potential impact to the organization.
▪ The asset's value may be considered in either purely financial terms or the value of the asset to the business, which may be intangible.
▪ All this information is fed into the next step.

RMP: Risk Assessment
▪ Once risks are identified, the next stage is to rank those risks by two factors:
1. Likelihood – the probability that the risk will actually occur.
2. Impact – the amount of damage that will occur if the risk materializes.
▪ The information gathered during the RMP varies with the risk assessment method.
▪ Two techniques are available for assessing the likelihood and impact of risk:
1. Quantitative Risk Assessment
2. Qualitative Risk Assessment

RMP RA: Quantitative Risk Assessment
▪ Uses objective numeric ratings to assess the likelihood and impact of a risk.
▪ Performs calculations to determine the precise amount of damage in a given year.
▪ Two frequently used quantitative methods are:
1. Single Loss Expectancy (SLE) – the potential value of a loss for a single threat event. Note that the event can apply to a single asset or a group of assets. The formula is SLE = AV x EF, wherein:
a. Asset Value (AV) – the cost of the asset or assets that are subject to the event.
b. Exposure Factor (EF) – the percentage of loss that would likely occur for the subject event.
2. Annualized Loss Expectancy (ALE) – brings in the element of time; used to predict the potential value of a loss on an annual basis. Sometimes this is used by organizations to establish tolerance levels. The formula is ALE = SLE x ARO, wherein:
a. Annualized Rate of Occurrence (ARO) – an estimate of how many times the event is expected to occur each year.
▪ NOTE: The exam will not have computations on quantitative risk assessments, but it is important that you know the concepts around it.

RMP RA: Qualitative Risk Assessment
▪ Uses subjective judgments to assess risks, typically categorizing them as low, medium, or high on both likelihood and impact scales.
▪ A risk is rated based on its likelihood and impact, and the chart categorizes the overall risk.
▪ For example, a risk with a high likelihood (or probability) and a low impact would be classified as a medium risk.

RMP: Risk Treatment
▪ Once the risk assessment is completed, a prioritized list of risks is available.
▪ Risk treatment is the process of systematically analyzing potential responses to each risk and implementing appropriate risk management techniques.
▪ There are four (4) main approaches for dealing with any risk, regardless of the type:
1. Risk avoidance – changing an organization's existing business practices so that the risk no longer has the potential to impact the firm.
2. Risk transfer – an attempt to move the impact of a risk to another company. The most common example is cyber-insurance coverage.
3. Risk mitigation – taking steps to lessen the likelihood and/or impact of a risk.
4. Risk acceptance – should only take place as part of a thoughtful analysis that determines that the expense of undertaking additional risk management activity exceeds the benefit of reducing that risk.

RMP: Risk Treatment Sample Scenario
A risk assessment is being performed on the risk of flooding posed to an organization's data center.
o Risk Avoidance: relocate the data center to a different facility.
o Risk Transfer: transfer the financial risk of flooding to an insurance company by purchasing flood insurance.
o Risk Mitigation: engage a flood control specialist to install systems designed to divert water away from the facility.
o Risk Acceptance: if the previous actions are too costly, management decides to continue operating as is.

Risk Profile and Tolerance
▪ Every organization must choose the appropriate mix of risk treatment strategies for its own technical and business environment.
▪ The combination of risks that affect an organization is known as its risk profile, and the organization adopts its treatment strategies to address the risks in that profile.
▪ Residual Risk = Total Risk – Controls
1. Inherent Risk – the original level of risk that exists in an organization before any controls are implemented.
2. Residual Risk – the risk that remains after measures have been implemented to lower the inherent risk.
3. Control Risk – the new risk created by the addition of controls. For example, introducing a firewall as a control may lessen the risk, but it also creates a new risk because the firewall may fail.
▪ Businesses must decide how much risk they are willing to bear. This process is known as determining the organization's risk tolerance.
▪ The purpose of risk management is to ensure that the sum of residual and control risk is less than the risk tolerance.
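The SLE/ALE formulas, the qualitative chart, and the residual-plus-control-risk rule above, carried through on the slides' flooded-data-center scenario; this is an added example, not the course's own material, and every dollar figure, the 3x3 chart scheme, and the control-benefit comparison (which goes one step beyond the slides) are assumptions.

```python
"""Added example: Domain 1 risk arithmetic worked on the flooded-data-center scenario.
All numbers are constructed for illustration; the exam itself has no such computations."""
from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, with EF given as the fraction of the asset lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is below 1 for events rarer than once a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def annual_control_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net yearly value of a mitigation: loss avoided minus what the control costs.
    A negative result is the slides' risk-acceptance case: the control costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Assumed 3x3 chart: product 1-2 -> low, 3-4 -> medium, 6-9 -> high.
    Reproduces the slide's example: high likelihood x low impact = medium."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def within_tolerance(residual_risk: float, control_risk: float, tolerance: float) -> bool:
    """Slide rule: residual risk + control risk must stay below the risk tolerance."""
    return residual_risk + control_risk < tolerance


def flood_scenario() -> Dict[str, float]:
    """Constructed numbers: a $2,000,000 data center, a flood destroying 25% of it,
    expected once every 10 years; flood-diversion works cut the damage to 5% for $15,000/yr."""
    av, ef_before, ef_after, aro, control_cost = 2_000_000.0, 0.25, 0.05, 0.1, 15_000.0
    sle_before = single_loss_expectancy(av, ef_before)
    sle_after = single_loss_expectancy(av, ef_after)
    ale_before = annualized_loss_expectancy(sle_before, aro)
    ale_after = annualized_loss_expectancy(sle_after, aro)
    return {
        "sle_before": sle_before,    # 500,000 per flood
        "ale_before": ale_before,    # 50,000 per year: the inherent risk, in dollars
        "ale_after": ale_after,      # 10,000 per year: the residual risk after mitigation
        "mitigation_benefit": annual_control_benefit(ale_before, ale_after, control_cost),  # 25,000
    }


if __name__ == "__main__":
    for name, value in flood_scenario().items():
        print(f"{name:>20}: ${value:,.0f}")
    print(qualitative_rating("high", "low"))          # medium
    print(within_tolerance(10_000, 2_000, 20_000))    # True
```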
Domain 1 : Security Principles SECURITY CONTROLS ✓ Technical Controls ✓ Administrative Controls ✓ Physical Controls Overview ▪ Assets are protected from threats by implementing security controls. ▪ Security controls are processes or technologies put in place to ensure the confidentiality, integrity, and availability of systems, assets, and information. ▪ Security controls are sometimes known as safeguards or countermeasures. Defense-in-Depth ▪ In practice, it is seldom that a single, stand-alone security control is used. Many security controls are typically put into place to protect a given system or asset. The use of multiple layers of security controls is referred to as defense-in-depth (DID) or layered defense. ▪ It is the concept of coordinating and leveraging multiple layers of controls to increase the effort required for a potential attacker to succeed in their nefarious activity. ▪ A typical organization utilizes defense-in-depth strategies to protect systems and assets as illustrated in the next slide. Defense-in-Depth ▪ This multilayered defense approach helps minimize the probability of a successful attack by forcing an attacker to go through several different protection mechanisms before gaining access to critical assets or systems. Types of Security Controls ▪ Security professionals utilize a variety of categories to classify similar security controls. There are two common methods: 1. Mechanism of Action Categories – the way security measures operate, namely technical, administrative, and physical controls. 2. Purpose Categories – When security controls are classified by their purpose, they are divided into groups based on their goal, such as whether they are intended to prevent, detect, or recover from security incidents. Mechanism of Action Administrative Controls ▪ Are management-oriented controls that issue directives and instructions to employees within the organization. ▪ Also referred to as soft controls or managerial controls. 
▪ In a typical organization, examples of administrative security controls include:
o User access reviews
o Log monitoring
o Security awareness training
o Human resource management (e.g., background checks, hiring, termination)

Mechanism of Action
Technical Controls
▪ The application of technology to accomplish security objectives.
▪ These are hardware or software components that secure computer and network resources. Also known as logical controls.
▪ In a typical organization, common types of technical controls include:
o Technical data security controls (e.g., encryption, configuration and hardening)
o Technical access controls (e.g., MFA, biometrics, file system permissions)
o Network security controls (e.g., firewalls, anti-virus, intrusion detection and prevention systems)

Mechanism of Action
Physical Controls
▪ Are tangible countermeasures put in place to protect physical assets from physical threats. These include protections for individuals, possessions, and facilities.
▪ In a typical organization, examples of physical security controls include:
o Fencing, locks, bollards, and mantraps
o Lighting
o Security guards and guard dogs
o Door locks
o Surveillance cameras
o Badge reader/badges
o Fire extinguisher

Purpose
Preventive Controls
▪ Preventive controls provide functionality that prevents an adverse event or incident. These controls are designed to stop a security issue from occurring.
▪ Preventive controls can be administrative, technical, or physical.
▪ Examples of each are:
o Administrative (background checks, hiring and termination processes, etc.)
o Technical (network intrusion prevention system, firewall, MFA, antivirus, etc.)
o Physical (fences, door locks, gates, etc.)

Purpose
Detective Controls
▪ Detective controls provide functionality that helps to discover, detect, or identify when something bad might have occurred, such as an adverse activity, event, intruder, or incident.
▪ Detective controls can be administrative, technical, or physical.
▪ Examples of each are:
o Administrative (mandatory vacation, review of access logs, etc.)
o Technical (a system that detects unusual activity on an organization’s network)
o Physical (surveillance cameras, CCTV, motion sensor, etc.)

Purpose
Deterrent Controls
▪ Deterrent controls provide functionality that deters or discourages a potential adversary from carrying out an attack or engaging in undesired behavior.
▪ Deterrent controls are generally administrative. Common examples are:
o A system warning banner/login banner a user might see when logging into a system, notifying them that their actions on the system are being monitored
o A “No Trespassing” sign you might see on private property
o A sensitive document that is watermarked with a user’s name, instructing them not to share the document

Purpose
Corrective Controls
▪ Corrective controls provide functionality that fixes a system, process, or activity after an adverse event has occurred.
▪ Corrective controls can be administrative, technical, or physical.
▪ Examples of each are:
o Administrative (e.g., terminating an employee after an offense, or implementing business continuity, disaster recovery, or incident response plans)
o Technical (e.g., antivirus that quarantines malicious software, restoring a system from backup)
o Physical (e.g., using a fire extinguisher to put out a fire, removing data center badge access for a lost access card)

Purpose
Other Controls
Directive Controls
▪ Directive controls provide functionality that serves to communicate expected behavior.
▪ These controls are generally administrative in nature, such as policies, standards, procedures, training, and so on.
Compensating Controls
▪ Compensating controls serve as an alternate control to a primary control, often used when the primary control is not feasible to implement due to cost, complexity, or other organizational constraints.
Domain 1 : Security Principles
ETHICS
✓ Corporate Ethics Code
✓ ISC2 Code of Ethics

Overview
▪ Ethics guide the way people behave and handle personal and professional responsibilities. While each person has their own internal sense of ethics, we are also subject to ethical codes provided by others.
▪ Many employers have written ethical standards that apply to all employees.
▪ The International Information System Security Certification Consortium (ISC2) has a Code of Ethics that applies to the behavior of all ISC2 members.

Corporate Ethics Code
▪ Many organizations have internal codes of ethics that employees must follow.
▪ These outline the principles and guidelines that employees are expected to follow and ensure that they act honestly and ethically, and that they avoid personal conflicts of interest.
▪ Adhering to these codes builds trust with colleagues and clients.

ISC2 Code of Ethics
▪ ISC2 also has a code of ethics that applies to all certified security professionals.
▪ It includes four (4) canons – four simple statements that outline what is expected of individuals who subscribe to the code.
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
NOTE: These are very important to the CC exam. You don’t need to be able to recite them word-for-word, but you need to know the general idea behind each one.

Canon 1
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
▪ The actions you take, or fail to take, must support the betterment of society.
▪ As a certified security professional, you are obligated to protect the common good.
Sample Canon Violation: Bob, a security professional, discovers a serious vulnerability in critical infrastructure software but delays reporting it, hoping to sell the exploit to a third party. This compromises public safety and erodes trust in the security field.

Canon 2
Act honorably, honestly, justly, responsibly, and legally.
▪ Actions must be ethical. You must act with honor, justice, and responsibility and work within the bounds of the law.
▪ You should not break the law, lie, or commit any other dishonorable, unjust, or irresponsible action.
Sample Canon Violation: Alice, a cybersecurity consultant, exaggerates findings in a security report to make the client believe additional, costly services are urgently needed, prioritizing profit over honest and responsible conduct.

Canon 3
Provide diligent and competent service to principals.
▪ A security professional must carry out their duties in a responsible manner.
▪ The code uses the word principal because it is meant to apply to your employer (if working as an employee) or to your clients (if working as a consultant).
Sample Canon Violation: Charlie, a certified professional, is hired to conduct a security assessment but skips several critical steps, providing a superficial report. This neglect places the client’s network at risk due to the professional’s failure to provide competent service.

Canon 4
Advance and protect the profession.
▪ A security professional’s actions should help (not detract from) the profession at large.
▪ The most common way this canon is violated is when certified individuals provide unauthorized assistance on exams, violate the ISC2 nondisclosure agreement, or provide false information on an applicant’s endorsement application.
Sample Canon Violation: Dan, an experienced cybersecurity professional, publicly shares exploit techniques on social media without any context for responsible disclosure or mitigation, enabling malicious actors and damaging the profession’s reputation.
Ethics Complaint Procedure
▪ When an individual suspects that another ISC2 member has breached the ISC2 Code of Ethics, they should raise it through the formal complaint procedure so that it can be investigated.
▪ Failure to report a known infraction constitutes a violation of the code of ethics.
▪ A written, notarized affidavit utilizing the form found on the ISC2 website should be submitted. It should include the accused person’s name, the nature of the infraction, the precise canon(s) violated, why you have standing, and any evidence.
▪ Having standing to launch a complaint requires that the accused behavior hurt you or your profession in some way. Standing varies depending on the canon (as seen in the following slide).

Ethics Complaint Procedure
Canon – Standing
1 and 2 – Anyone may be harmed by violations related to these canons, so any member of the public has standing to file a complaint.
3 – Only the employers or clients of the individual have standing to file a complaint about this canon.
4 – Other professionals have standing to file a complaint about this canon. Anyone who is certified or licensed in any field and subscribes to a code of ethics may file a complaint related to this canon; it doesn’t mean you have to be ISC2 certified or even a security professional.
▪ If ISC2 finds that the accused has violated the Code of Ethics, they may revoke their certification.

Domain 1 : Security Principles
SECURITY GOVERNANCE PROCESS
✓ Governance and Management
✓ Security Governance Elements
✓ Laws and Regulations

Governance
▪ Governance is the process of defining strategies to oversee the entire organization or a specific area to meet organizational goals and objectives.
▪ Security governance is a subset of organizational governance focused on developing strategies to oversee the security program to facilitate alignment with the goals and objectives of the organization.
o Security governance processes are an integral part of protecting an organization’s data and infrastructure.
Laws, policies, standards, and procedures all play an important role in directing the actions of cybersecurity professionals.
▪ Every organization has some type of governance in place, although some utilize more formalized processes than others.

Governance
▪ Having proper governance in place allows leadership to develop strategies that align with both the external and internal requirements of the organization.

Management
▪ Management consists of the processes to execute, operate, and monitor the activities that implement the governance strategies.
▪ Governance and management are often discussed together; however, many organizations separate these functions to allow for greater accountability.
▪ Some examples of this include having a board of directors for organizational governance or having a security steering committee to govern the security program.
▪ A security program must be governed and managed.

Security Governance Elements
▪ An organization’s security program is made up of a collection of governance elements used to facilitate alignment with the requirements of the organization.
▪ These governance elements include plans, policies, internal standards, and procedures. These documents form a library of rules and practices that the organization must follow.
o The top-level program documents are the security policies, which define requirements that govern what will be done.
o Policies are driven by requirements from laws and regulations, external standards, and other organizational requirements and are operationalized through procedures and internal standards.

Security Governance Elements
Figure (governance elements, as labelled on the slide; element names follow the definitions on the next slides):
Policies → High-level; non-specific
Standards → Describes specific use of technology
Procedures → Low-level; specific
Guidelines → Suggestions on how to do it

GOVERNANCE ELEMENTS
Security Policies
▪ The bedrock documents that provide the foundation for an organization’s information security program.
▪ Policies provide the framework for the development of procedures, internal standards, and controls.
▪ These are often developed over a long period of time and carefully written to describe an organization’s security expectations.
▪ Policies typically avoid describing exactly how certain activities are performed.
▪ Compliance with policies is mandatory, and policies are often approved at the highest levels of the organization.

GOVERNANCE ELEMENTS
Security Standards
▪ Prescribe the specific details of security controls that the company must follow.
▪ Standards derive their authority from the policy. It is often stated in the organization’s policy that the IT department has the authority to create and enforce standards.
▪ Even though standards might not go through as rigorous a process as policies, compliance with them is still mandatory.
▪ There are external standards developed and published by external standards organizations containing best practices that may be used for the development of security program elements.
▪ Examples of standards organizations are enumerated in the next slide.

GOVERNANCE ELEMENTS
Security Standards
1. International Organization for Standardization (ISO)
2. National Institute of Standards and Technology (NIST)
3. Payment Card Industry Security Standards Council (PCI SSC)
4. Institute of Electrical and Electronics Engineers (IEEE)
5. Internet Engineering Task Force (IETF)
6. Cloud Security Alliance (CSA)
7. Open Web Application Security Project (OWASP)

GOVERNANCE ELEMENTS
Security Procedures
▪ Are step-by-step instructions that employees must follow when performing a specific security task.
▪ In a typical organization, procedures are used to operationalize the vision and directives set forth in organizational policies by defining how a function is performed.
▪ Compliance with procedures is also mandatory.

GOVERNANCE ELEMENTS
Security Guidelines
▪ Provide non-mandatory advice or recommendations that support policies and standards, helping users follow best practices.
▪ They are flexible and intended to offer suggestions for better compliance or implementation without enforcing strict requirements.
▪ Compliance with guidelines is not mandatory (discretionary).

GOVERNANCE ELEMENTS
Example
Element – Password Composition
Policy – All employees must use strong passwords to protect access to company systems and data.
Standard –
  Minimum length: 12 characters
  Must include uppercase, lowercase, numbers, and special characters
  No reuse of the last 5 passwords
  Passwords expire every 90 days
Procedure –
  Avoid using easily guessable information (e.g., names, birthdates).
  Use a passphrase combining unrelated words for better memorability.
  Enable multi-factor authentication (MFA) wherever available.
Guideline –
  Open the login page of the company system.
  Click “Forgot Password” if resetting is required.
  Enter your username and follow the steps to create a new password.
  Confirm the password meets the standard.
  Test the new password by logging in.

Laws and Regulations
▪ Many organizations are subject to laws and regulations that impact the security program. They are rules typically established by a governmental body or similar agency that specify requirements that are legally enforceable.
▪ These shape an organization’s behavior and often have direct implications on the security practices of the organization.
▪ Laws and regulations are often specific to a certain region, locale, industry, or data type. This is why it is important to have mechanisms in place to ensure alignment with the laws and regulations relevant to the organization.
▪ One example is the GDPR discussed in the Privacy section. The next slide enumerates other examples of commonly encountered cybersecurity-related laws and regulations.

Laws and Regulations
1. Sarbanes-Oxley Act of 2002 (SOX) – a US law enacted to hold executives and board members accountable for the accuracy of their organization’s financial statements.
2. Federal Information Security Management Act of 2002 (FISMA) and Federal Information Security Modernization Act of 2014 (FISMA 2014) – a US law enacted to govern federal cybersecurity programs. The standards for compliance are developed and managed by NIST.
3. Health Insurance Portability and Accountability Act of 1996 (HIPAA) – a US law with requirements around protecting the security and privacy of PHI.

Sources:
Chapple, M. (2023). CC Certified in Cybersecurity Study Guide. Wiley & Sons.
Genung, J. & Bennett, S. (2023). All-in-One Certified in Cybersecurity Exam Guide, First Edition. McGraw Hill.

DOMAIN 2
BUSINESS CONTINUITY MANAGEMENT
ISC2 Certified in Cybersecurity (CC) Exam Preparation
Course : ECE150-2 (Advanced Networking)
Prepared by : Engr. Jess David A. Doria, MBA, CISSP, CC

About the Domain
Business Continuity Management is the second domain of the ISC2 CC exam, which covers business continuity, disaster recovery, and incident response. Students are expected to learn the purpose, importance, and components of each area of BCM.
2.1 Understand business continuity (BC)
2.2 Understand disaster recovery (DR)
2.3 Understand incident response (IR)
AVERAGE WEIGHT 10%

Contents
▪ Business Continuity (BC)
✓ Covers planning, controls, high availability, and fault tolerance
▪ Disaster Recovery (DR)
✓ Covers planning, backups, DR sites, and testing
▪ Incident Response (IR)
✓ Covers IR program, team composition, communication plan, and incident identification and response

Domain 2 : Business Continuity Management
BUSINESS CONTINUITY
✓ BC Planning
✓ BC Controls
✓ High Availability and Fault Tolerance

Business Continuity Planning
▪ Also known as BCP, it is one of the core responsibilities of the infosec profession.
▪ BC efforts are activities designed to keep a business running during a crisis. It may come in the form of a small-scale incident (e.g., system failure) or a catastrophic incident (e.g., earthquake, tornado).
▪ BCP may also be activated by hazards caused by humans (e.g., terrorism, hacking).
▪ BCP is sometimes referred to as continuity of operations planning (COOP).
▪ This area of the business supports the security objective of availability.

PLANNING
Scope Definition
▪ When an organization launches a BC initiative, it is easy to become overwhelmed by the numerous situations and controls that the project may consider.
▪ As a result, the team developing the BCP should take the time up front to clearly define their scope. Here are three questions that help with scoping:
1. Which business activities will the plan cover?
2. What types of systems will the plan cover?
3. What types of controls will the plan consider?
▪ The answers to these questions will assist in making critical prioritization decisions in the later stages.

PLANNING
Business Impact Analysis
▪ Continuity planners use this process to help make scope decisions.
▪ BIA is an impact assessment that starts with defining the organization’s mission-critical functions and works backward to identify the critical IT systems that support those processes.
▪ After identifying the affected IT systems, planners conduct a risk assessment to determine the risks, their likelihood, and their impact on those systems.
▪ The output of a BIA is a prioritized list of risks and potential impacts that could disrupt the organization’s business.
▪ Planners use that information to help select controls that lessen the risks the business faces while remaining within acceptable expense limits.

PLANNING
Business Impact Analysis
PAYROLL PROCESS
Mission-Critical Function – Ensure timely and accurate payroll processing for all employees.
Critical IT Systems – Payroll software (including server, backup); HR Management System (HRMS)

Risk                Likelihood   Impact       Risk Rating (Likelihood × Impact)
Software failure    Low (1)      High (3)     Medium (3)
Data corruption     Medium (2)   Medium (2)   Medium (4)
Ransomware attack   Medium (2)   High (3)     High (6)
Internet outage     High (3)     High (3)     High (9)
Insider threats     Low (1)      Medium (2)   Low (2)

PLANNING
Business Impact Analysis
PAYROLL PROCESS
Prioritized List – Risk Treatment Options
1. Internet outage – Mitigate: Implement redundant internet connections or backup communication systems.
2. Ransomware attack – Mitigate: Deploy endpoint detection, train employees, and ensure encrypted backups.
3. Data corruption – Mitigate: Regularly test backups and establish data validation procedures.
4. Software failure – Accept: Ensure regular software maintenance and updates to minimize occurrence.
5. Insider threats – Transfer: Use insurance coverage to address potential insider-related risks.

Business Continuity Controls
▪ BC professionals have a variety of tools to help remediate potential availability issues.
▪ One of the most important strategies to protect availability is to ensure that systems are redundant and fault-tolerant.
▪ That simply means they are constructed so that a single component failure does not bring the entire system down.
▪ The business remains operational despite a single predictable component failure.
▪ The single point of failure (SPOF) analysis process provides security professionals with a mechanism to identify and remove single points of failure from their systems and processes.

CONTROLS
SPOF Analysis
▪ When analyzing a network or system for SPOFs, here are some steps that a security professional can take:
o Examine the components and their connections
o Physical inspection
o Analyzing the network diagram
▪ The figure on the right shows a sample diagram with a SPOF.

CONTROLS
SPOF Analysis
▪ Avoiding SPOFs entails cost.
It is up to the security professionals to weigh the need for each control against the cost to avoid each SPOF.
▪ Risk management strategy can help in the decision-making.
▪ SPOFs determined to be worth the cost of preventing can be mitigated or even eliminated.

Business Continuity Controls
▪ Personnel succession planning is a final component of BC planning that is sometimes overlooked.
▪ IT relies on highly experienced team members to develop, configure, and manage systems and procedures.
▪ IT leaders should collaborate with their HR departments to identify team members who are critical to ongoing operations and identify potential successors to those positions.
▪ So, if someone leaves the organization, management has previously considered potential replacements and, hopefully, given those successors the professional development opportunities needed to fill the departing employee’s shoes.

High Availability
▪ Often referred to as HA, it uses multiple systems to protect against failures. These are techniques like those previously discussed in SPOF analysis.
▪ The primary principle of HA is to have operationally redundant systems, sometimes at different locations. Spreading systems across multiple geographic locations safeguards the organization against the destruction of any one facility.
▪ Load balancing is a related but different concept from HA. It employs many systems to distribute the load of delivering a service among various systems, resulting in a scalable computing environment.

Fault Tolerance
▪ Often referred to as FT, it helps prevent a single system from collapsing in the first place by making it resilient to technical problems.
▪ The three most typical failure points in a computer system are:
o Power supply
o Storage media
o Networking components
▪ FT controls can keep the system running even if one of these components fails.

FT
Power Supplies
▪ Have moving parts and hence are common points of failure.
▪ If one fails, the consequences could be devastating.
As a result, server manufacturers frequently incorporate dual power supplies into their designs.
▪ For added redundancy, data centers with two separate sources of power can connect each power supply to a different power source.

FT
Power Supplies
▪ Data centers also employ uninterruptible power supplies (UPS) to provide battery power to systems in the event of a momentary outage. These power sources may also be fed by a generator for long-term power backup.
▪ Managed power distribution units (PDUs) control power inside a rack, ensuring that the power sent to devices is clean and managed.

FT
Storage
▪ The second priority of many FT efforts is to protect against the failure of a single storage device. This is achieved using a technology known as redundant arrays of inexpensive disks (RAID).
▪ RAID comes in several different forms, but each of them is designed to provide redundancy by having more disks than needed to meet business needs.
▪ Common RAID technologies are discussed in the next slide.
NOTE: RAID is a fault-tolerance mechanism that, depending on the approach, protects against either a single or double disk failure. It is NOT a backup strategy. Organizations still need to perform frequent backups.

FT
Storage
1. Disk Striping (RAID Level 0)
o Breaks data into multiple blocks and stores those blocks on several storage disks.
o A minimum of 2 disks is required; it does not provide redundancy.
2. Disk Mirroring (RAID Level 1)
o Technique of storing a copy of the same data on another disk. Data is not broken into blocks, but rather duplicated.
o A minimum of 2 disks is required.

FT
Storage
3. Disk Striping with Parity (RAID Level 5)
o The system contains 3 or more disks and writes data across all those disks but includes parity.
o If one disk fails, the parity will be used to regenerate its content.
4. Disk Striping and Mirroring (RAID Level 10)
o A nested RAID level that combines RAID 0 and 1 to support both mirroring and striping features.
o A minimum of 4 disks is required.

FT
Networking Components
▪ These can also be a SPOF; thus, organizations should consider implementing redundancy at different points of the network.
▪ This ranges from having multiple ISPs entering a facility to using dual NICs in critical servers, known as NIC teaming.
▪ Redundancy should be introduced throughout the network. Multipath techniques add redundancy to these pathways, ensuring uninterrupted access to storage.

Domain 2 : Business Continuity Management
DISASTER RECOVERY
✓ DR Planning
✓ Backups
✓ DR Sites
✓ Testing DR Plans

Disaster Recovery Planning
▪ DR is a subset of business continuity actions that aims to return a business to normal operations as soon as feasible after an interruption.
▪ DR plans (or DRPs) may contain quick measures to restore operations temporarily, but the DR efforts do not end until the organization is totally back to normal.
▪ A DRP can be triggered by:
o environmental natural disasters (e.g., typhoon)
o technological failure (e.g., power outage)
o health emergency (e.g., pandemic)
o hazard caused by humans (e.g., ransomware attack)

PLANNING
Initial Response
▪ Once the DRP is initiated, the initial response to an emergency disruption is intended to contain the damage to the organization and recover whatever capability can be restored immediately.
▪ The activities during this period will differ based on the type of disaster.
Staffing – During DR, many employees will be working in temporary jobs that may be different from their normally assigned duties. Flexibility is key during a disaster response, and the organization should plan disaster responsibilities in advance and provide training.
Communication – Responders must have a secure and reliable means to communicate with each other and the organization’s leadership. This also includes the initial and ad-hoc communication to activate and discuss DR, respectively.
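Returning to the FT Storage slides above: the RAID 5 bullet says that when one disk fails "the parity will be used to regenerate its content". The following is an added teaching example, not code from the lecture or from any RAID implementation, showing the arithmetic behind that sentence. It stripes a constructed payload across a small array with rotating XOR parity, removes one disk, and rebuilds it from the survivors; the disk count, block size and sample payload are assumptions made for the demo. It also shows the limit the NOTE on the slide refers to: a second simultaneous failure is not recoverable with single parity.

```python
"""RAID 5 in miniature: stripe data across N disks with rotating XOR parity,
lose one disk, and rebuild it from the survivors.

Added teaching example; not code from the lecture slides or any real RAID
driver. Block size, disk count, and the sample payload are constructed."""
from typing import List, Optional

Disk = Optional[List[bytes]]  # None models a failed disk


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte; this is the parity operation."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, block_size: int = 4) -> List[Disk]:
    """Lay `data` out as RAID 5 stripes: each stripe holds n_disks-1 data blocks
    plus one parity block. Parity rotates across disks (stripe s -> disk s % n),
    unlike RAID 4, which dedicates one disk to parity."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % per_stripe)  # zero-pad the last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size]
                       for i in range(n_disks - 1)]
        parity = xor_blocks(data_blocks)
        parity_disk = s % n_disks
        blocks = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(blocks))
    return disks


def raid5_rebuild(disks: List[Disk], failed: int) -> List[bytes]:
    """Regenerate disk `failed` from the others. In every stripe the XOR of all
    blocks (data and parity) is zero, so the missing block equals the XOR of the
    surviving blocks, whether it held data or parity. With two disks missing
    there is one equation and two unknowns: single parity cannot recover."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise RuntimeError("RAID 5 tolerates one failed disk; more than one is missing")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks: List[Disk], length: int) -> bytes:
    """Read the data back by skipping each stripe's parity block and dropping padding."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(n):
            if d != s % n:
                out += disks[d][s]
    return bytes(out[:length])


def demo() -> bool:
    """Write a payload, kill disk 2, rebuild it, and confirm the data survives."""
    payload = b"constructed sample: payroll batch 0042, 17 records"  # not real data
    disks = raid5_write(payload, n_disks=4, block_size=4)
    lost = disks[2]
    disks[2] = None                      # simulate a single disk failure
    disks[2] = raid5_rebuild(disks, failed=2)
    return disks[2] == lost and raid5_read(disks, len(payload)) == payload


if __name__ == "__main__":
    print("rebuild ok:", demo())
```

Usable capacity here is (n_disks - 1) / n_disks of the raw space, which is the "more disks than needed" the slide mentions; and because the rebuild simply recomputes whatever the array currently holds, a corrupted or deleted file is faithfully rebuilt as corrupted or deleted, which is why the slide insists RAID is not a backup.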
PLANNING
Assessment
▪ After the immediate threat to the company has passed, the DR team transitions from initial response to assessment mode.
▪ The purpose of this phase is to assess the damage and implement functional recovery plans to resume operations on a continuous basis.
▪ In other situations, it may also comprise interim procedures that temporarily restore operations on the path to long-term and stable recovery.

PLANNING
DR Metrics
The following four metrics are used to help an organization plan DR efforts:
1. Recovery point objective (RPO) – the maximum acceptable amount of data loss, measured in time.
2. Recovery time objective (RTO) – the maximum tolerable amount of time needed to bring all critical systems back online.
3. Work recovery time (WRT) – the maximum tolerable amount of time needed to verify the system and/or data integrity.
4. Maximum tolerable downtime (MTD) – the total amount of time that a business process can be disrupted without causing any unacceptable consequences. Usually defined by top management. MTD is the sum of RTO and WRT.

PLANNING
DR Metrics
▪ The recovery service level (RSL) is the required percentage of availability during a disaster. For example, a website’s RSL may be set to 50%, accepting that reduced capacity is acceptable during disaster recovery.

PLANNING
Training and Awareness
▪ These are critical components of a DRP. All individuals involved in DR activities should get periodic training on their roles in the plan.
▪ These staff should participate in more frequent awareness programs to keep their disaster recovery responsibilities top of mind.
NOTE: Disaster recovery activities are only considered complete when the organization returns to normal operations in its normal and primary operating environment.

Backups
▪ These are perhaps the most critical component of any DRP, as most organizations nowadays are built upon data.
▪ Data drives business.
For many organizations, the complete loss of data would be a disaster that could impede operations.
▪ Backups provide companies with a fail-safe method of recovering data in the case of a technological failure, human error, natural disaster, or other events that cause unintentional or intentional destruction or change.
▪ Three (3) of the most common backup methods are:
1. Tape backups
2. Disk backups
3. Cloud backups

BACKUPS
Methods
1. Tape Backups
o Organizations used magnetic tapes to store backups, which is still a common practice today.
o One common example is linear tape-open (LTO) tape, as seen on the right.
o Difficult to manage, and contemporary backup approaches frequently use alternate storage, which has grown significantly less expensive in recent years.

BACKUPS
Methods
2. Disk Backups
o Some businesses perform disk-to-disk backups, which involve writing data from the primary disks to dedicated backup disks.
o These backup disks may be stored in a separate facility, making it unlikely that the same physical disaster will damage both the primary and backup sites.
o Backups sent to a storage area network (SAN) or network-attached storage (NAS) fall under this category.

BACKUPS
Methods
3. Cloud Backups
o A newer trend in backups is to write data directly to storage provided by cloud computing vendors, such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), etc.
o This provides significant geographic diversity because backup data is stored in separate managed facilities, and cloud providers typically maintain their own backups of their systems, adding an extra layer of safety for customer data.

BACKUPS
Types
1. Full Backup – covers all the media being backed up. It creates a complete replica of the data. Snapshots are a type of full backup that uses the hardware platform’s specialized features.
2. Differential Backup – all files that have changed since the last full backup are backed up.
Data restoration is done by restoring the last full backup first and then the most recent differential backup.
3. Incremental Backup – backs up any files that have changed since the previous backup of any type. Restoration takes longer because the last full backup is restored first and then each incremental backup since the last full backup is restored.

BACKUPS
Types
Sample Scenario 1: Bob, a storage administrator, performs a full backup of the organization’s systems every Sunday afternoon. He then makes differential backups every weekday evening. If the system crashes on Friday morning, which backups would he need to restore?
Answer:
o Bob needs a base, so the full backup (Sunday) is restored first.
o For differential, all changes made to data since the last full backup are backed up, so only the most recent differential backup (Thursday) should be restored.

BACKUPS
Types
Sample Scenario 2: If Bob used incremental backups, which backups would he need to restore?
Answer:
o Bob begins the same way: the full backup (Sunday) is restored first.
o For incremental, changes made since the last full or incremental backup are backed up. So Bob must restore all incremental backups from Monday to Thursday.

Disaster Recovery Sites
▪ During a disaster, businesses may need to transfer operations (e.g., computing functions) from their main data center to an alternate facility intended to handle the load when the primary site is inaccessible or not operational.
▪ DR sites are alternative processing facilities that have been built specifically for this purpose. Most of the time, they sit idle, ready to respond when an emergency or crisis occurs.
▪ There are three major types of alternate processing facilities:
1. Hot site
2. Cold site
3. Warm site

DR SITES
Hot Site
▪ This DR site is a fully operational data center, ready to go at a moment’s notice, fully equipped and configured with up-to-date software.
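Returning to the two backup scenarios above: the following is an added example, not code from the lecture, that encodes the restore rule for full, differential and incremental backups and reproduces both of Bob's answers. It goes a step beyond the slides by handling a mixed schedule (incrementals and differentials in the same week), where the rule becomes: last full, then the newest differential after it, then only the incrementals taken after that differential. The dates, backup times and the `Backup` class are assumptions made for the demo.

```python
"""Which backups must be restored after a failure?

Added teaching example for the Backups Types slides; not code from the
lecture. The schedule and dates are constructed to match the slides'
scenario: full backup Sunday afternoon, one weekday backup each evening,
crash on Friday morning."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

KINDS = ("full", "differential", "incremental")


@dataclass(frozen=True)
class Backup:
    when: datetime
    kind: str

    def __post_init__(self) -> None:
        if self.kind not in KINDS:
            raise ValueError(f"unknown backup kind: {self.kind}")

    def label(self) -> str:
        return f"{self.when:%A} {self.kind}"


def restore_chain(backups: List[Backup], failure: datetime) -> List[Backup]:
    """Return, in restore order, the backups needed to recover the state as of
    the last backup taken before `failure`.

    Rule: the last full backup first; then the newest differential after it (a
    differential holds everything since the full, so older differentials and
    any incrementals taken before it are redundant); then every incremental
    after that differential, or after the full if there was no differential."""
    usable = sorted((b for b in backups if b.when < failure), key=lambda b: b.when)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup exists before the failure; nothing to restore from")
    last_full = fulls[-1]
    after_full = [b for b in usable if b.when > last_full.when]
    chain = [last_full]
    cursor = last_full.when
    diffs = [b for b in after_full if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
        cursor = diffs[-1].when
    chain.extend(b for b in after_full if b.kind == "incremental" and b.when > cursor)
    return chain


def weekly_schedule(weekday_kind: str, sunday: datetime) -> List[Backup]:
    """Full backup Sunday 15:00, then `weekday_kind` backups Mon-Fri at 20:00."""
    sched = [Backup(sunday.replace(hour=15), "full")]
    for day in range(1, 6):
        sched.append(Backup((sunday + timedelta(days=day)).replace(hour=20), weekday_kind))
    return sched


def scenario(weekday_kind: str) -> List[str]:
    """The slides' scenario: the system crashes Friday morning.
    Returns day-and-kind labels in restore order."""
    sunday = datetime(2024, 1, 7)      # constructed date; 7 Jan 2024 is a Sunday
    crash = datetime(2024, 1, 12, 9)   # Friday 09:00, before Friday's evening backup
    return [b.label() for b in restore_chain(weekly_schedule(weekday_kind, sunday), crash)]


if __name__ == "__main__":
    print("differential:", scenario("differential"))
    print("incremental: ", scenario("incremental"))
```

The trade-off the slides describe falls out of the chain length: differentials cost more storage each evening but restore in two steps, while incrementals are small but every one since the full must be present and intact, so losing a single Tuesday tape breaks the whole recovery.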
▪ The only thing required to make this DR site fully operational is data, which is restored from backup storage at the time it is needed.
▪ Expensive due to both initial and ongoing costs: the organization is effectively doubling its costs to achieve this level of recovery ability. As a result, most hot sites are rented or leased to lower operating expenses.

DR SITES Cold Site
▪ This DR site is just an empty building without any equipment or infrastructure.
▪ It is the least expensive option but requires the most time and effort to reach normal operations.
▪ The site usually takes several weeks or longer to get up and running.

DR SITES Warm Site
▪ This DR site is a compromise. It has the hardware and software necessary to support the organization in the event of a disaster, but it is not running in parallel with production.
▪ The hardware costs of maintaining a warm site are similar to those of a hot site, but the operational expense, in terms of IT personnel time, is much lower.
▪ Activating a warm site can take several hours or days. This carries some risk, since the equipment is not fully operational before the incident.

DR SITES Offsite Storage
▪ DR sites can also function as an offsite storage repository for company data.
▪ Backing up business data is important, and storing the backups in a facility far from the primary site ensures that the same disaster cannot damage both facilities. Choosing locations this way is part of the site risk assessment performed when selecting locations, and the resulting property is known as site resiliency.
▪ Backups can be physically moved to the DR site on a regular basis, or they can be transmitted digitally via a process known as site replication.
▪ When planning offsite backup storage, companies should choose between online and offline formats. Online backups can be restored immediately but require significant investment, while offline backups are cheaper but require manual intervention.

DRP Testing
▪ DR plans are crucial to ensuring business continuity.
Like any security control, these plans should be tested to ensure that they work properly and are ready to restore company processes in the event of a disruption.
▪ Each test of a DR plan has the following two goals:
1. To ensure that the plan functions correctly and that the technology will work if a disaster happens.
2. To identify possible updates or revisions to the plan due to technology or business process changes.
▪ The five (5) major types of DR testing are discussed in the next slide.

DRP Testing
1. Read-Through
o The simplest type of DR testing, often called a checklist review.
o DR staff share copies of the current plan with all individuals involved in DR activities and ask them to review their procedures. Team members provide feedback on any adjustments needed to keep the plan up to date.
2. Walk-Through
o Gets everyone around the same table to review the plan together.
o This is commonly referred to as a tabletop exercise. It produces the same results as a read-through, but it is generally more effective because it allows the team to discuss the plan collectively.

DRP Testing
3. Simulation
o As with the structured walk-through, this brings the DR team together.
o Instead of discussing the plan in general, the team discusses how it would respond to a specific event. The test planners create a simulated emergency, and the DR team discusses how it would respond.
▪ The first three tests are all theoretical exercises: disaster recovery is discussed, but the personnel involved do not activate any DR technology.
▪ The next slide shows how both parallel and full-interruption tests actually activate the DR strategy.

DRP Testing
4. Parallel Test
o Activates the disaster recovery plan, including an alternate cloud or physical environment, in response to a simulated disaster.
o The organization's operations are not switched to the backup environment; rather, the DR environment runs in parallel with the original site.
5.
Full Interruption Test
o The most effective test type, but also the most disruptive to the business.
o This test simulates a disaster by shutting down the primary site and attempting to operate from the alternate facility. It can highlight deficiencies in the plan, but it is rarely used because of how disruptive it is.

Domain 2 : Business Continuity Management
INCIDENT RESPONSE
✓ Creating IR Program
✓ Building IR Team
✓ Incident Communications Plan
✓ Incident Identification and Response

Incident Response Program
▪ This section focuses on the IR process defined by NIST in its Special Publication "Computer Security Incident Handling Guide" (NIST SP 800-61).
▪ It is widely used as a standard reference throughout the cybersecurity field.

Incident Response Program
1. Preparation – includes the activities required to create an IR plan and team.
2. Detection and Analysis – recognizing that an incident is occurring and determining the extent of its impact.
3. Containment, Eradication and Recovery – reducing the damage caused by an incident, removing its effects, and resuming normal activities.
4. Post-Incident Activity – analyzing the response process and identifying lessons learned to improve future response efforts.
▪ Every organization should create an IR plan that outlines the policies, procedures, and guidelines it will follow in the event of an incident. This planning is essential because it gives structure and organization amid a crisis.

IR PROGRAM Planning
A formalized IR plan should include several common elements:
1. Statement of purpose: Outlines the purpose and scope of the IR plan.
2. Clear strategies and goals: Outlines the priorities for first responders and strategic incident handlers.
3. Organizational approach to incident response: Outlines the responsibility and authority for incident handling.
4. Communication: Covers the team, organizational groups, and third parties.
5.
Approval: Provides senior management's approval for unpopular actions during incident response.
▪ NIST SP 800-61 is a good reference when developing the IR plan.

Incident Response Team
▪ Building an IR team is one of the most important tasks in an IR program.
▪ This team will likely need to be available on a 24/7 basis, so primary and backup personnel should be assigned to cover vacations as well as extended periods of operation.
▪ For team composition, groups that should be included are:

Incident Response Team
▪ It is not required to activate every team member for every incident; nonetheless, each group should have representatives trained and ready to engage before an incident occurs.
▪ If the organization lacks some of the capabilities needed to address security incidents, it may consider partnering with an external incident response provider.
▪ Once the team is assembled, distribute the IR plan and perform regular training and testing to make sure that members work well together and are prepared to respond promptly in the event of an incident.

Incident Communications Plan
▪ One of the critical components of an IR program is the incident communications plan, which covers both internal and external communications.
1. Internal Communications – incident notification and escalation procedures help ensure that the appropriate people within the organization learn about the incident at the right time and are given the right information.
2. External Communications – this can be difficult, since sensitive information must be shared only with trusted parties. It is especially important when there may be public or media interest in an incident. If the organization has a legal obligation to report an incident, the legal team should be included.
Incident Identification
▪ Once the IR plan is in place and a team is assembled, the IR process enters a state of continuous monitoring: checking for indications that an incident is about to occur or has already happened.
▪ Incidents can be identified in several ways:
1. Security Data Sources
2. Correlating Security Information
3. Receiving Incident Reports

IDENTIFICATION Security Data Sources
▪ A holistic security monitoring infrastructure is critical for successful incident identification. Data is central to incident detection, and organizations are responsible for collecting, analyzing, and retaining security information.
▪ Many information sources can provide data vital to spotting and assessing a potential security incident, including:
o Intrusion detection and prevention systems
o Vulnerability scanners
o Firewalls
o System event logs
o Authentication systems
o NetFlow connection records
o System integrity monitors
o Antimalware packages

IDENTIFICATION Correlating Security Information
▪ Security specialists oversee the gathering and correlation of log information. In practice, doing this by hand across all of these sources is nearly impossible.
▪ Fortunately, security information and event management (SIEM) technology can help with this task. SIEM systems serve as a centralized log repository and analytics solution.
▪ Security experts direct the stream of data from security-related logs to the SIEM, which then performs the tedious work of analysis.
▪ SIEM systems can detect potential incidents based on rules and algorithms and alert security administrators for further investigation. They also serve as a vital centralized information source for investigators looking into a security incident.

IDENTIFICATION Receiving Incident Reports
▪ Sometimes monitoring systems fail to detect an incident, and the organization learns about a security breach from employees, customers, or other organizations that notice signs of it.
▪ The IR team should have a consistent approach to receiving, recording, and evaluating these reports. Channels for reporting potential security incidents include:
o A designated email address (e.g., [email protected])
o An online form or portal
o A dedicated 24/7 hotline or phone number

Incident Response
▪ Response begins when a security professional identifies an incident. The team member who recognizes the incident, and the others on duty, have first-responder duties.
▪ Responders should contain the damage by separating the suspected compromised system, or set of systems, from the network.
▪ If necessary, they may isolate the system by removing it from the network while keeping it running to preserve evidence, preventing it from communicating with attackers or infecting other business systems.
▪ As you build out your incident response capabilities, be sure to integrate them with your threat intelligence program as well.
NOTE: This is a popular topic for exam questions. Remember that the first responder's highest priority should be to contain the damage by isolating the impacted systems.
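The SIEM rule-based correlation described under Incident Identification above, as an added example (not from the course material or from any SIEM product): one detection rule run over constructed sshd authentication log lines. The hostname, usernames, documentation-range IP addresses, the year assumed for the syslog timestamps, and the threshold and window values are all made up for illustration. The rule raises an alert when a source address fails to log in at least `threshold` times inside `window` and then succeeds, which is the pattern a brute-force attack leaves behind when it works.

```python
"""SIEM-style correlation over constructed sshd log lines (added example).

Rule: `threshold` or more failed logins from one source address inside `window`,
followed by a successful login from that same address, raises an alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in time order, as a SIEM would receive it from the host.
# 192.0.2.9: five failures, but the success comes an hour later (outside the window).
# 203.0.113.45: five failures inside 20 seconds, then a success -> alert.
# 198.51.100.7: one failure, then a success -> ordinary typo, no alert.
SAMPLE_LOG = """\
Jan 12 07:00:01 web01 sshd[2100]: Failed password for bob from 192.0.2.9 port 30001 ssh2
Jan 12 07:01:10 web01 sshd[2101]: Failed password for bob from 192.0.2.9 port 30002 ssh2
Jan 12 07:02:15 web01 sshd[2102]: Failed password for bob from 192.0.2.9 port 30003 ssh2
Jan 12 07:03:20 web01 sshd[2103]: Failed password for bob from 192.0.2.9 port 30004 ssh2
Jan 12 07:04:25 web01 sshd[2104]: Failed password for bob from 192.0.2.9 port 30005 ssh2
Jan 12 08:00:00 web01 sshd[2110]: Accepted password for bob from 192.0.2.9 port 30010 ssh2
Jan 12 09:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 12 09:01:05 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51235 ssh2
Jan 12 09:01:09 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Jan 12 09:01:13 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51237 ssh2
Jan 12 09:01:20 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51238 ssh2
Jan 12 09:01:40 web01 sshd[2213]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Jan 12 09:01:41 web01 sshd[2213]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 12 09:02:00 web01 sshd[2214]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 12 09:02:07 web01 sshd[2215]: Accepted password for alice from 198.51.100.7 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
LOG_YEAR = 2024  # classic syslog timestamps carry no year; assumed here


def parse(line):
    """Parse one sshd authentication line into an event dict; None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {
        "ts": ts,
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "success": m["result"] == "Accepted",
    }


def correlate(log_text, threshold=5, window=timedelta(minutes=10)):
    """Run the rule over log lines (assumed already in time order); return alerts."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue  # not an auth result; a real SIEM would route it to other rules
        failures = recent_failures[event["src"]]
        # Slide the window: forget failures older than `window` before this event.
        while failures and event["ts"] - failures[0] > window:
            failures.popleft()
        if not event["success"]:
            failures.append(event["ts"])
            continue
        if len(failures) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "host": event["host"],
                "src": event["src"],
                "user": event["user"],
                "failures": len(failures),
                "first_failure": failures[0],
                "success_at": event["ts"],
            })
            failures.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The window matters as much as the threshold: the five failures from 192.0.2.9 look identical to the attack from 203.0.113.45 until time is taken into account, and an hour-long gap before the success is far more consistent with a user who eventually remembered the password. In a production SIEM the same rule would also key on the target account, since an attacker spraying one password across many users from many addresses defeats a purely source-based count.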
