CISSP Cert Guide
Author(s): Abernathy, Robin
ISBN No.: 9780137507474
Pages: 928
Year: 202211
Format: Trade Paper
Price: $ 93.19
Dispatch delay: Dispatched between 7 to 15 days
Status: Available

Table of Contents

Introduction xlvii

Chapter 1 Security and Risk Management 5
Security Terms 6
CIA 6
Auditing and Accounting 7
Non-repudiation 8
Default Security Posture 8
Defense in Depth 9
Abstraction 10
Data Hiding 10
Encryption 10
Security Governance Principles 10
Security Function Alignment 12
Organizational Processes 14
Organizational Roles and Responsibilities 16
Security Control Frameworks 20
Due Care and Due Diligence 38
Compliance 38
Contractual, Legal, Industry Standards, and Regulatory Compliance 40
Privacy Requirements Compliance 40
Legal and Regulatory Issues 41
Computer Crime Concepts 41
Major Legal Systems 43
Licensing and Intellectual Property 46
Cyber Crimes and Data Breaches 50
Import/Export Controls 51
Trans-Border Data Flow 51
Privacy 52
Investigation Types 62
Operations/Administrative 63
Criminal 63
Civil 64
Regulatory 64
Industry Standards 64
eDiscovery 67
Professional Ethics 67
(ISC)2 Code of Ethics 67
Computer Ethics Institute 68
Internet Architecture Board 68
Organizational Code of Ethics 69
Security Documentation 69
Policies 70
Processes 72
Procedures 72
Standards 73
Guidelines 73
Baselines 73
Business Continuity 73
Business Continuity and Disaster Recovery Concepts 73
Scope and Plan 77
BIA Development 81
Personnel Security Policies and Procedures 85
Candidate Screening and Hiring 85
Employment Agreements and Policies 87
Employee Onboarding and Offboarding Policies 88
Vendor, Consultant, and Contractor Agreements and Controls 88
Compliance Policy Requirements 89
Privacy Policy Requirements 89
Job Rotation 89
Separation of Duties 89
Risk Management Concepts 90
Asset and Asset Valuation 90
Vulnerability 91
Threat 91
Threat Agent 91
Exploit 91
Risk 91
Exposure 92
Countermeasure 92
Risk Appetite 92
Attack 93
Breach 93
Risk Management Policy 94
Risk Management Team 94
Risk Analysis Team 94
Risk Assessment 95
Implementation 100
Control Categories 100
Control Types 102
Controls Assessment, Monitoring, and Measurement 108
Reporting and Continuous Improvement 108
Risk Frameworks 109
A Risk Management Standard by the Federation of European Risk Management Associations (FERMA) 128
Geographical Threats 129
Internal Versus External Threats 129
Natural Threats 130
System Threats 131
Human-Caused Threats 133
Politically Motivated Threats 135
Threat Modeling 137
Threat Modeling Concepts 138
Threat Modeling Methodologies 138
Identifying Threats 141
Potential Attacks 142
Remediation Technologies and Processes 143
Security Risks in the Supply Chain 143
Risks Associated with Hardware, Software, and Services 144
Third-Party Assessment and Monitoring 144
Minimum Service-Level and Security Requirements 145
Service-Level Requirements 146
Security Education, Training, and Awareness 147
Levels Required 147
Methods and Techniques 148
Periodic Content Reviews 148
Review All Key Topics 148
Complete the Tables and Lists from Memory 150
Define Key Terms 150
Answers and Explanations 157

Chapter 2 Asset Security 165
Asset Security Concepts 166
Asset and Data Policies 166
Data Quality 167
Data Documentation and Organization 168
Identify and Classify Information and Assets 169
Data and Asset Classification 170
Sensitivity and Criticality 170
Private Sector Data Classifications 175
Military and Government Data Classifications 176
Information and Asset Handling Requirements 177
Marking, Labeling, and Storing 178
Destruction 178
Provision Resources Securely 179
Asset Inventory and Asset Management 179
Data Life Cycle 180
Databases 182
Roles and Responsibilities 188
Data Collection and Limitation 191
Data Location 192
Data Maintenance 192
Data Retention 193
Data Remanence and Destruction 193
Data Audit 194
Asset Retention 195
Data Security Controls 197
Data Security 197
Data States 197
Data Access and Sharing 198
Data Storage and Archiving 199
Baselines 200
Scoping and Tailoring 201
Standards Selection 201
Data Protection Methods 202
Review All Key Topics 205
Define Key Terms 205
Answers and Explanations 207

Chapter 3 Security Architecture and Engineering 213
Engineering Processes Using Secure Design Principles 214
Objects and Subjects 215
Closed Versus Open Systems 215
Threat Modeling 215
Least Privilege 216
Defense in Depth 216
Secure Defaults 216
Fail Securely 217
Separation of Duties (SoD) 217
Keep It Simple 218
Zero Trust 218
Privacy by Design 218
Trust but Verify 219
Shared Responsibility 219
Security Model Concepts 220
Confidentiality, Integrity, and Availability 220
Confinement 220
Bounds 221
Isolation 221
Security Modes 221
Security Model Types 222
Security Models 226
System Architecture Steps 230
ISO/IEC 42010:2011 231
Computing Platforms 231
Security Services 234
System Components 235
System Security Evaluation Models 244
TCSEC 245
ITSEC 248
Common Criteria 250
Security Implementation Standards 252
Controls and Countermeasures 255
Certification and Accreditation 256
Control Selection Based on Systems Security Requirements 256
Security Capabilities of Information Systems 257
Memory Protection 257
Trusted Platform Module 258
Interfaces 259
Fault Tolerance 259
Policy Mechanisms 260
Encryption/Decryption 260
Security Architecture Maintenance 261
Vulnerabilities of Security Architectures, Designs, and Solution Elements 261
Client-Based Systems 262
Server-Based Systems 263
Database Systems 264
Cryptographic Systems 265
Industrial Control Systems 265
Cloud-Based Systems 268
Large-Scale Parallel Data Systems 274
Distributed Systems 275
Grid Computing 275
Peer-to-Peer Computing 275
Internet of Things 276
Microservices 280
Containerization 281
Serverless Systems 281
High-Performance Computing Systems 282
Edge Computing Systems 28.
