Thorteaches Study Guide CISM Domain 1
1|Page
https://thorteaches.com/
Domain 1 Lecture notes
Most organizations obviously have more C-level executives; the ones listed
here are the ones you need to know.
Also know where you fit in the organization and on the exam.
Links to all of these, as well as to the ones from previous slides, are in the “Extras” lecture.
To get to the data you may need to get past firewalls, routers, switches, the
server, and the application's security.
Each step may have multiple security controls.
No single security control secures an asset.
By implementing Defense in Depth you improve your organization’s
Confidentiality, Integrity and Availability.
Awareness – Changes user behavior; this is what we want, we want them to
change their behavior.
Training – Provides users with a skill set; this is nice, but if they ignore the
knowledge, it does nothing.
Hiring Practices – We do background checks where we check: references,
degrees, employment, criminal history, credit history (less common, more costly). We
have new staff sign an NDA (Non-Disclosure Agreement).
Employee Termination Practices – We want to coach and train employees
before firing them. They get warnings.
When terminating employees, we coordinate with HR to shut off access
at the right time.
Vendor, Consultant and Contractor Security:
When we use outside people in our environments, we need to ensure
they are trained on how to handle data. Their systems need to be
secure enough for our policies and standards.
Outsourcing and Offshoring – Having someone else do part of your (in our
case IT) work.
This can lower cost, but a thorough and accurate Risk Analysis must be
performed. Offshoring can also pose problems because the provider may not
have to comply with the same data protection standards.
financials, activities and processes, and past experiences.
External factors:
Opportunities: Elements in the environment that the business or project could
exploit to its advantage.
Threats: Elements in the environment that could cause trouble for the business
or project.
Future trends, the economy, funding, our physical environment,
legislation, and national or international events.
Gap analysis:
Identify the existing process:
What are we doing?
Identify the existing outcome:
How well do we do it?
Identify the desired outcome:
How well do we want to do?
Identify and document the gap:
What is the difference between now and the desired result?
Identify the process to achieve the desired outcome:
How can we possibly get to the desired result?
Develop the means to fill the gap:
Build the tool or processes to get the result.
Develop and prioritize Requirements to bridge the gap.
Organizational finances.
OPEX vs. CAPEX:
OPEX (Operating Expense) is the ongoing cost for running a product, business,
or system. (Keeping the lights on).
CAPEX (Capital Expenditure) is the money a company spends to buy, maintain,
or improve its fixed assets, such as buildings, vehicles, equipment, or land.
Business plans, road-maps:
We build our organizational business plans based on the organization's mission
statement and vision, at the direction of senior leadership.
We have 1-year, 3-year, and 5-year business plans and roadmaps.
Fiscal years (budget year):
We plan our budgets according to our organization's fiscal year.
Define measures that determine how well the IT process is performing in
enabling the goal to be reached.
KRI (Key Risk Indicators):
Metrics that demonstrate the risks that an organization is facing or how risky an
activity is.
They are the mainstay of measuring adherence to and establishing enterprise
risk appetite.
Key risk indicators are metrics used by organizations to provide an early signal of
increasing risk exposures in various areas of the enterprise.
KRIs give an early warning to identify potential events that may harm the continuity of
the activity/project.
Confidentiality, Integrity and Availability.
System integrity and Data integrity
We use:
Cryptography (again).
Checksums (this could be CRC).
Message Digests, also known as a hash (this could be MD5, SHA1 or SHA2).
Digital Signatures – non-repudiation.
Access control.
Threats:
Alterations of our data.
Code injections.
Attacks on your encryption (cryptanalysis).
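As an added example (not from the Thorteaches notes), the following Python compares what the integrity controls listed above actually catch against the alteration threat: a CRC32 checksum, a SHA-256 message digest, and a keyed HMAC. The standard library has no public-key signing, so HMAC stands in for the digital signature here; it detects alteration by anyone without the key, but because both parties share the key it cannot give the non-repudiation a real digital signature provides. The records, the alteration and the key are all constructed.

```python
import hashlib
import hmac
import zlib

# Constructed sample record, as a transfer message might be stored or sent.
ORIGINAL = b"transfer;from=ACC-1001;to=ACC-2002;amount=100.00"
# Constructed deliberate alteration: destination and amount changed.
TAMPERED = b"transfer;from=ACC-1001;to=ACC-6666;amount=9100.00"
# Constructed accidental corruption: a single flipped bit in transit.
_corrupt = bytearray(ORIGINAL)
_corrupt[20] ^= 0x01
CORRUPTED = bytes(_corrupt)

# Hypothetical shared secret held only by sender and verifier (constructed).
SHARED_KEY = b"example-key-not-for-production"


def crc32_checksum(data: bytes) -> int:
    """CRC32 catches accidental corruption; anyone can recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_digest(data: bytes) -> str:
    """Message digest (hash): detects deliberate change too, but an attacker
    who can also overwrite the stored digest simply recomputes it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed check: only holders of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, crc: int, digest: str, tag: str, key: bytes) -> dict:
    """Re-derive each control over the received data and compare with the
    stored values; returns True/False per control."""
    return {
        "crc32_ok": crc32_checksum(data) == crc,
        "sha256_ok": sha256_digest(data) == digest,
        "hmac_ok": hmac.compare_digest(hmac_tag(data, key), tag),
    }


def attacker_fixes_unkeyed_values(data: bytes) -> tuple:
    """Models an attacker who rewrites the record AND the unkeyed checks stored
    beside it. Without the key, the HMAC tag cannot be updated to match."""
    return crc32_checksum(data), sha256_digest(data)


def demo() -> dict:
    """Three scenarios: intact, accidentally corrupted, deliberately tampered."""
    crc = crc32_checksum(ORIGINAL)
    digest = sha256_digest(ORIGINAL)
    tag = hmac_tag(ORIGINAL, SHARED_KEY)
    results = {
        "intact": verify(ORIGINAL, crc, digest, tag, SHARED_KEY),
        "corrupted": verify(CORRUPTED, crc, digest, tag, SHARED_KEY),
    }
    new_crc, new_digest = attacker_fixes_unkeyed_values(TAMPERED)
    results["tampered"] = verify(TAMPERED, new_crc, new_digest, tag, SHARED_KEY)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:10s} {outcome}")
```

Only the keyed control flags the tampered record; the checksum and plain hash both pass because the attacker recomputed them.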
Threats:
Malicious attacks (DDOS, physical, system compromise, staff).
Application failures (errors in the code).
Component failure (Hardware).
Too much Availability, and both Confidentiality and Integrity can suffer.
The opposite of the CIA Triad is DAD (Disclosure, Alteration and Destruction).
Disclosure – Someone not authorized getting access to your information.
Alteration – Your data has been changed.
Destruction – Your data or systems have been destroyed or rendered
inaccessible.
Sensitive information and Media Security:
Sensitive information
Data retention:
Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).
Regulation (HIPAA or PCI-DSS) may require a certain retention of the data (1, 3, 7 years or infinity).
Each industry has its own regulations, and company policies may differ from the statutory requirements.
Know your retention requirements!
We may never know who actually leaked the information. It may not be
one of the 15, but they violated HIPAA by accessing the data.
Least privilege: Users have the minimum necessary access to perform their job duties.
Ethics:
ISACA professional Code of Ethics: You sign this before the exam.
1. Support the implementation of, and encourage compliance with, appropriate
standards and procedures for the effective governance and management of
enterprise information systems and technology, including: audit, control,
security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in
accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high
standards of conduct and character, and not discrediting their profession or the
Association.
4. Maintain the privacy and confidentiality of information obtained in the course
of their activities unless disclosure is required by legal authority. Such
information shall not be used for personal benefit or released to inappropriate
parties.
5. Maintain competency in their respective fields and agree to undertake only
those activities they can reasonably expect to complete with the necessary
skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed including the
disclosure of all significant facts known to them that, if not disclosed, may
distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their
understanding of the governance and management of enterprise information
systems and technology, including: audit, control, security and risk
management.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or
certification holder's conduct and, ultimately, in disciplinary measures.
Ethics:
Computer Ethics Institute
Ten Commandments of Computer Ethics:
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people’s computer work.
Thou shalt not snoop around in other people’s computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not
paid.
Thou shalt not use other people's computer resources without
authorization or proper compensation.
Thou shalt not appropriate other people's intellectual output.
Thou shalt think about the social consequences of the program you are
writing or the system you are designing.
Thou shalt always use a computer in ways that ensure consideration
and respect for your fellow humans.
Ethics:
IAB’s Ethics and the Internet
Defined as a Request For Comment (RFC), #1087 - Published in 1987
Considered unethical behavior:
Seeks to gain unauthorized access to the resources of the Internet.
Disrupts the intended use of the Internet.
Wastes resources (people, capacity, computer) through such actions.
Destroys the integrity of computer-based information.
Compromises the privacy of users.
Negligence (and gross negligence) is the opposite of Due Care.
If a system under your control is compromised and you can prove you did your
Due Care, you are most likely not liable.
If a system under your control is compromised and you did NOT perform Due
Care, you are most likely liable.
When did they handle it?
What did they do with it?
Where did they handle it?
Violators of the GDPR may be fined up to €20 million or up to 4% of the annual
worldwide turnover of the preceding financial year in case of an enterprise, whichever is
greater.
Unless a data subject has provided informed consent to data processing for one or more
purposes, personal data may not be processed unless there is at least one legal basis to
do so.
You tell no one about your formula, your secret sauce. If it is discovered, anyone can
use it; you are not protected.
Cyber Squatting – Buying a URL you know someone else will need (to sell at a huge
profit; not illegal).
Typo Squatting – Buying a URL that is VERY close to a real website's name (can be illegal
in certain circumstances).
BCP and DRP:
Financially Motivated Attackers (Human):
We are seeing more and more financially motivated attacks; the attackers can be
highly skilled or not.
The lower-skilled ones could run normal phishing attacks, social engineering or
vishing; these are often a numbers game, but only a very small percentage of
targets needs to pay to make the attack worth it.
The ones requiring more skill could be stealing cardholder data, identity theft,
fake anti-malware tools, or corporate espionage, ...
Ransomware is a subtype of financially motivated attack: it encrypts a system
until a ransom is paid; if not paid the system is unusable, if paid the attacker
may send instructions on how to recover the system.
Attackers just want the payday, they don’t really care from whom.
Done to ensure one person is not always performing the same task; someone
else has to cover, and it can keep fraud from happening or help us detect it.
Their accounts are locked and an audit is performed on the accounts.
If the employee has been conducting fraud and covering it up, the audit
will discover it.
The best way to do this is to not give too much advance notice of
vacations.
With the combination of all 5 we minimize some of the insider threats we may have.
Programming concepts:
Machine Code:
Software executed directly by the CPU: the 0s and 1s understood by the CPU.
Source Code:
Written in a computer programming language as human-readable text, and
translated into machine code.
Assembler Language:
Short mnemonics like ADD/SUB/JMP, which are matched with the full-length
binary machine code; assemblers convert assembly language into machine
language. A disassembler does the reverse.
Compiler Languages:
The compiler translates the higher-level language into machine code and saves it,
often as an executable; compiled once and run multiple times.
Interpreted languages:
Similar to compiler languages, but the code is translated into machine code each
time it is run.
Programming concepts:
Bytecode:
An intermediate form of code: it has already been converted from source code,
but it still needs to be converted into machine code before it can run on the CPU.
Procedural languages (Procedure-oriented):
Uses subroutines, procedures and functions.
Object-oriented Programming (OOP):
Based on the concept of objects, which may contain data, in the form of fields,
often known as attributes, and code, in the form of procedures, often known as
methods.
An object's procedures can access and often modify the data fields of the
objects with which they are associated.
In OOP, computer programs are designed by making them out of objects that
interact with one another.
Programming concepts:
4th Generation languages (4GL):
Fourth-generation languages are designed to reduce programming effort and
the time it takes to develop software, resulting in a reduction in the cost of
software development.
Increases efficiency by automating the creation of machine code.
Often uses a GUI with drag and drop and then generates the code; often used for
websites, databases and reports.
Programming concepts:
CASE (Computer-Aided Software Engineering):
Similar to, and partly inspired by, the computer-aided design (CAD) tools used
for designing hardware products.
Used for developing high-quality, defect-free, and maintainable software.
Often associated with methods for the development of information systems
together with automated tools that can be used in the software development
process.
CASE software is classified into 3 categories:
Tools support specific tasks in the software life-cycle.
Workbenches combine two or more tools focused on a specific part of
the software life-cycle.
Environments combine two or more tools or workbenches and support
the complete software life-cycle.
Programming concepts:
Top-Down Programming:
Starts with the big picture, then breaks it down into smaller segments.
An overview of the system is formulated, specifying, but not detailing, any first-
level subsystems.
Each subsystem is then refined in yet greater detail, sometimes in many
additional subsystem levels, until the entire specification is reduced to base
elements.
Procedural programming leans toward Top-Down, you start with one function
and add to it.
Bottom-Up Programming:
Piecing together of systems to build more complex systems, making the original
systems a sub-system of the overarching system.
The individual base elements of the system are first specified in great detail,
they are then linked together to form larger subsystems, which then in turn are
linked, sometimes in many levels, until a complete top-level system is formed.
OOP tends toward Bottom-Up: you start by developing your objects and
build up.
Programming concepts:
Software release:
Open source:
We release the code publicly, where it can be tested, improved and corrected,
but it also allows attackers to find the flaws in the code.
Closed Source:
We release the software but keep the source code secret; this may be sound
business practice, but it can also be security through obscurity.
Proprietary software:
Software protected by intellectual property and/or patents. Often used
interchangeably with Closed Source software, but it really is not the same:
proprietary software can be either Open or Closed Source.
Any software not released into the public domain is protected by copyright.
Programming concepts:
Software release:
Free software:
Freeware:
Actually free software, it is free of charge to use.
Shareware:
Fully functional proprietary software that is initially free to use.
Often for trials to test the software, after 30 days you have to
pay to continue to use.
Crippleware:
Partially functioning proprietary software, often with key
features disabled.
The user is required to make a payment to unlock the full
functionality.
EULAs (End-User License Agreements):
Electronic form where the user clicks “I agree” to the software terms
and conditions while installing the software.
Programming concepts:
Software licenses:
Open source software can be protected by a variety of licensing agreements.
GNU General Public License: Also called GPL or GNU GPL.
Guarantees end users the freedom to run, study, share and
modify the software.
A copyleft license, which means that derivative work can only
be distributed under the same license terms.
BSD (Berkeley Software Distribution):
A family of permissive free software licenses, imposing minimal
restrictions on the use and redistribution of covered software.
This is different from copyleft licenses, which have reciprocal
share-alike requirements.
Apache:
Users are free to use, distribute, modify and distribute modified versions of
the software.
Requires preservation of the copyright notice and disclaimer.
The individual phases differ from organization to organization; understand how
each methodology works and how the phases flow.
Waterfall:
Very linear, each phase leads directly into the next.
The unmodified waterfall model does not allow us to go back to the previous
phase.
Close, daily cooperation between business people and
developers.
Projects are built around motivated individuals, who should be
trusted.
Agile software development:
Scrum:
The three core roles in the Scrum framework.
Development team:
Development teams are cross-functional, with all of the
skills as a team necessary to create a product
increment.
Scrum master:
Facilitates the team and is accountable for removing impediments
to the team's ability to deliver the product goals and deliverables.
Not a traditional team lead or project manager but acts
as a buffer between the team and any distracting
influences.
The scrum master ensures that the Scrum framework is
followed.
A software project repeatedly passes through these phases in iterations (called
Spirals in this model).
In the baseline spiral, starting in the planning phase, requirements are
gathered and risk is assessed.
Each subsequent spiral builds on the baseline spiral.
Software Development Methodologies:
SDLC:
The aim is to produce high-quality systems that meet or exceed customer
expectations, based on customer requirements, by delivering systems which
move through each clearly defined phase, within scheduled time frames and
cost estimates.
SDLC is used during the development of a project; it describes the different
stages involved in the project, from the drawing board through the completion
of the project.
All software development methodologies follow the SDLC phases but the
method of doing that varies vastly between methodologies.
Many different SDLC methodologies have been created, Waterfall, Spiral, Agile,
Rapid Prototyping, ...
In a Scrum project a single user story goes through all the phases of the SDLC
within a single two-week sprint, whereas Waterfall projects can take many
months or several years to get through the phases.
While very different, both contain the SDLC phases: a requirement is defined,
then passes through the life cycle phases, ending in the final phase of
maintenance and support.
IPTs are created most often as part of structured systems engineering
methodologies, focusing attention on understanding the needs and desires of
each stakeholder.
As with many of the concepts we cover, these are to some extent logical:
configuration management tracks changes to a specific piece of software, whereas
change management covers all changes in the entire software development process.
AI (Artificial intelligence):
Intelligence exhibited by machines, rather than humans
or other animals.
What true AI is, is a topic of discussion; what was considered AI years ago we
have since achieved, and when one goal is reached the AI definition is tweaked
a little.
From what we are seeing published we do, in my mind, not currently have true
AI, but very highly simulated intelligence; that being said, IBM and Google do
seem to be getting a lot closer.
It is also used when a machine mimics cognitive functions that humans associate with
other human minds, such as learning and problem solving.
AI is currently defined as a device that perceives its environment and takes actions that
maximize its chance of success at some goal, not through experience/programming, but
through reasoning.
AI (Artificial intelligence):
Expert systems:
A computer system that emulates the decision-making ability of a human
expert.
Designed to solve complex problems by reasoning about knowledge,
represented mainly as if–then rules rather than through conventional
procedural code.
An expert system is divided into two subsystems:
The knowledge base represents facts and rules.
The inference engine applies the rules to the known facts to deduce new facts,
and can also include explanation and debugging abilities.
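The two subsystems described above, as an added example (not from the notes): a knowledge base holding facts and if-then rules, and a forward-chaining inference engine that deduces new facts from the known ones and can explain how it reached a conclusion. The host-triage facts and rules R1 to R5 are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """If every condition is a known fact, the rule fires and adds `conclusion`."""
    name: str
    conditions: frozenset
    conclusion: str


@dataclass
class KnowledgeBase:
    """Facts (what is currently known) plus rules (how to deduce more)."""
    facts: set = field(default_factory=set)
    rules: list = field(default_factory=list)


class InferenceEngine:
    """Forward chaining: apply every rule whose conditions hold until nothing
    new can be deduced, recording which rule produced each fact."""

    def __init__(self, kb):
        self.kb = kb
        self.derived_by = {}  # fact -> (rule name, supporting facts)

    def run(self):
        changed = True
        while changed:
            changed = False
            for rule in self.kb.rules:
                if rule.conclusion not in self.kb.facts and rule.conditions <= self.kb.facts:
                    self.kb.facts.add(rule.conclusion)
                    self.derived_by[rule.conclusion] = (rule.name, tuple(sorted(rule.conditions)))
                    changed = True
        return set(self.kb.facts)

    def explain(self, fact, depth=0):
        """Explanation facility: the chain of rules behind `fact`, outermost first."""
        pad = "  " * depth
        if fact not in self.derived_by:
            return [f"{pad}{fact}: given as an initial fact"]
        rule_name, support = self.derived_by[fact]
        lines = [f"{pad}{fact}: deduced by rule '{rule_name}' from {', '.join(support)}"]
        for supporting_fact in support:
            lines.extend(self.explain(supporting_fact, depth + 1))
        return lines


def build_host_risk_kb(observed):
    """Constructed knowledge base for triaging one host (illustrative rules only)."""
    rules = [
        Rule("R1", frozenset({"internet_facing", "unpatched"}), "externally_exploitable"),
        Rule("R2", frozenset({"stores_cardholder_data"}), "pci_in_scope"),
        Rule("R3", frozenset({"externally_exploitable", "pci_in_scope"}), "high_risk"),
        Rule("R4", frozenset({"high_risk"}), "escalate_to_ciso"),
        Rule("R5", frozenset({"externally_exploitable", "no_mfa"}), "high_risk"),
    ]
    return KnowledgeBase(facts=set(observed), rules=rules)


def assess(observed):
    """Run the engine on observed facts; return (all facts, explanation lines)."""
    engine = InferenceEngine(build_host_risk_kb(observed))
    facts = engine.run()
    why = engine.explain("escalate_to_ciso") if "escalate_to_ciso" in facts else []
    return facts, why


if __name__ == "__main__":
    facts, why = assess({"internet_facing", "unpatched", "stores_cardholder_data"})
    print(sorted(facts))
    print("\n".join(why))
```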
AI (Artificial intelligence):
ANN's (Artificial neural networks):
Computing systems inspired by the biological neural networks that constitute
animal brains. We make decisions based on thousands of memories, stories, the
situation and many other factors; the ANN tries to emulate that.
The systems learn and progressively improve their performance, to do tasks,
generally without task-specific programming.
They can learn to identify images that contain geckos by analyzing example
images that have been manually labeled as "gecko" or "no gecko" and using the
analytic results to identify geckos in other images.
They are mostly used in areas that are difficult to express in a traditional
computer algorithm using rule-based programming.
An ANN is based on a collection of connected units called artificial neurons.
Each connection (synapse) between neurons can transmit a signal to another
neuron.
Typically, neurons are organized in layers, different layers may perform different
transformations on their inputs.
Signals travel from the first input, to the last output layer, at times after
traversing the layers multiple times.
AI (Artificial intelligence):
GP (Genetic Programming):
A technique where computer programs are encoded as a set of genes that are
then modified (evolved) using an evolutionary algorithm, often a GA (Genetic
Algorithm).
The results are computer programs able to perform well in a predefined task.
The methods used to encode a computer program in an artificial chromosome
and to evaluate its fitness with respect to the predefined task are central in the
GP technique and still the subject of active research.
GP evolves computer programs, traditionally represented in memory as tree
structures.
Trees can be easily evaluated in a recursive manner.
Every tree node has an operator function and every terminal node has an
operand, making mathematical expressions easy to evolve and evaluate.
Traditionally GP favors the use of programming languages that naturally
embody tree structures for example, Lisp or other functional programming
languages.
AI (Artificial intelligence):
GP (Genetic Programming):
The process is in its simple form like this:
Generate an initial population of random computer programs.
Execute each program in the population and assign it a fitness value
according to how well it solves the problem.
Create a new population of computer programs.
Copy the best existing programs.
Create new computer programs by mutation.
Create new computer programs by crossover.
Genetic Algorithms and Genetic Programming have been used to program a
Pac-Man playing program, robotic soccer teams, networked intrusion detection
systems, and many others.
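The GP process above, as an added example (not from the notes): programs are tree structures evaluated recursively, each is executed to assign a fitness, and the next population is built from copies of the best programs plus mutation and crossover. The operators, terminals, target function (x^2 + x + 1) and the size cap against tree bloat are constructed for this illustration.

```python
import random

OPERATORS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}
TERMINALS = ["x", 1, 2]                              # operands allowed at leaf nodes
CASES = [(x, x * x + x + 1) for x in range(-3, 4)]   # constructed target: x^2 + x + 1
MAX_NODES = 25                                       # size cap against tree bloat
# A program is a terminal ("x" or a number) or a tuple (operator, left, right).


def evaluate(tree, x):
    """Recursive evaluation: an operator node applies its function to its children."""
    if isinstance(tree, tuple):
        op, left, right = tree
        return OPERATORS[op](evaluate(left, x), evaluate(right, x))
    return x if tree == "x" else tree


def fitness(tree):
    """Execute the program on every case; summed squared error, lower is better."""
    return sum((evaluate(tree, x) - y) ** 2 for x, y in CASES)


def random_tree(rng, depth):
    """Grow a random program; depth 0 forces a terminal."""
    if depth == 0 or rng.random() < 0.3:
        return rng.choice(TERMINALS)
    return (rng.choice(list(OPERATORS)), random_tree(rng, depth - 1), random_tree(rng, depth - 1))


def nodes(tree):
    """Every subtree of `tree`, used for size checks and crossover points."""
    return [tree] + (nodes(tree[1]) + nodes(tree[2]) if isinstance(tree, tuple) else [])


def replace_random_subtree(rng, tree, new_subtree):
    """Walk down `tree` and replace one randomly chosen subtree with `new_subtree`."""
    if not isinstance(tree, tuple) or rng.random() < 0.3:
        return new_subtree
    op, left, right = tree
    if rng.random() < 0.5:
        return (op, replace_random_subtree(rng, left, new_subtree), right)
    return (op, left, replace_random_subtree(rng, right, new_subtree))


def mutate(rng, tree):
    """Mutation: swap a random subtree for a freshly generated one."""
    return replace_random_subtree(rng, tree, random_tree(rng, 2))


def crossover(rng, a, b):
    """Crossover: graft a random subtree of parent `b` into parent `a`."""
    return replace_random_subtree(rng, a, rng.choice(nodes(b)))


def evolve(seed=1, pop_size=60, generations=40, elite=6):
    """Run the GP loop; returns (best program, its fitness, best initial fitness).
    Elitism guarantees the final fitness is never worse than the initial one."""
    rng = random.Random(seed)
    population = sorted((random_tree(rng, 3) for _ in range(pop_size)), key=fitness)
    initial_best = fitness(population[0])
    for _ in range(generations):
        parents = population[: pop_size // 2]        # the fitter half breeds
        new_pop = population[:elite]                 # copy the best programs
        while len(new_pop) < pop_size:
            child = (mutate(rng, rng.choice(parents)) if rng.random() < 0.5
                     else crossover(rng, rng.choice(parents), rng.choice(parents)))
            if len(nodes(child)) <= MAX_NODES:
                new_pop.append(child)
        population = sorted(new_pop, key=fitness)
    return population[0], fitness(population[0]), initial_best


if __name__ == "__main__":
    best, err, start = evolve()
    print(f"initial best error {start}, final best error {err}, program: {best}")
```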