三叉戟

Know the three objectives of cybersecurity. Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or
unintentionally. Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Describe how information security strategies should be aligned with organizational goals and objectives. As information security managers develop their plans, they should use
reliable techniques to assess the current state of the program, such as threat research, SWOT analysis, and gap analysis. They may then identify the initiatives that will move the organization from the current state to its desired state.
Explain how security strategies are influenced by internal and external factors. Security strategies must be aligned with the business, but they must also incorporate other influences. Information security managers must remain abreast of emerging technologies, social media, the business environment, the organization's risk tolerance, regulatory requirements, third-party considerations, and the threat landscape as they develop, monitor, and revise cybersecurity
strategies.
Know why stakeholder commitment and communication are essential to success. As information security leaders roll out new strategies, they must ensure that they have the support of senior leaders and other stakeholders. They may do this by clearly outlining how information security supports the organization's broader goals and objectives, identifying the business impact of security initiatives, and identifying clear success criteria.
Explain how security controls may be categorized based on their mechanism of action and their intent. Controls are grouped into the categories of managerial, operational, and technical
based on the way that they achieve their objectives. They are divided into the types of preventive, detective, corrective, deterrent, compensating, and physical based on their intended purpose.
Describe the diverse impacts of data breaches on organizations. When an organization suffers a data breach, the resulting data loss often results in both direct and indirect damages.
The organization suffers immediate financial repercussions due to the costs associated with the incident response, as well as long-term financial consequences due to reputational damage. This reputational damage may be difficult to quantify, but it may also have a lasting impact. In some cases, organizations may suffer operational damage if they experience availability damages, preventing them from accessing their own information.
Explain why data must be protected in transit, at rest, and in use.Attackers may attempt to eavesdrop on network transmissions containing sensitive information. This information is highly vulnerable when in transit unless protected by encryption technology. Attackers also might attempt to breach data stores, stealing data at rest.
Encryption serves to protect stored data as well as data in transit. Data is also vulnerable while in use on a system and should be protected during data processing activities.
Know how data loss prevention (DLP) systems block data exfiltration attempts. DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive
information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking.
Explain how data minimization reduces risk by reducing the amount of sensitive information that we maintain. In cases where we cannot simply discard unnecessary information, we can protect information through de-identification and data obfuscation. The tools used to achieve these goals include hashing, tokenization, and masking of sensitive fields.

Governance programs guide and direct security efforts. Information security governance efforts should integrate with other corporate governance programs to support both the business's
goals and its security strategy. Organizations should draw on existing governance frameworks, such as COBIT and the ISO standards, to avoid redundant effort and to align with industry best practices.
Policy frameworks consist of policies, standards, procedures,and guidelines. Policies are high-level statements of management intent for the information security program. Standards describe the detailed implementation requirements for policies. Procedures offer step-by-step instructions for carrying out security activities. Compliance with policies, standards, and procedures is mandatory. Guidelines offer optional advice that complements other elements of
the policy framework.
Organizations often adopt a set of security policies covering different areas of their security programs. Common policies used in security programs include an information security policy, an
acceptable use policy, a data ownership policy, a data retention policy,an account management policy, and a password policy. The specific policies adopted by any organization will depend on that organization's culture and business needs.
Policy documents should include exception processes. Exception processes should outline the information required to receive an exception to security policy and the approval
authority for each exception. The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.
Organizations face a variety of security compliance requirements. Merchants and credit card service providers must comply with the Payment Card Industry Data Security Standard (PCI
DSS). Organizations handling the personal information of European Union residents must comply with the EU General Data Protection Regulation (GDPR). All organizations should be familiar with the national, territory, and state laws that affect their operations.
Standards frameworks provide an outline for structuring and evaluating cybersecurity programs. Organizations may choose to base their security programs on a framework, such as the NIST
Cybersecurity Framework (CSF) or International Organization for Standardization (ISO) standards. U.S. federal government agencies and contractors should also be familiar with the NIST Risk Management Framework (RMF). These frameworks sometimes include maturity models that allow an organization to assess its progress. Some frameworks also offer certification programs that provide independent assessments of an organization's progress toward adopting a framework.
Audits and assessments monitor compliance with requirements. Audits are externally commissioned, formal reviews of the capability of an organization to achieve its control objectives.
Assessments are less rigorous reviews of security issues, often performed or commissioned by IT staff. Organizations providing services to other entities may wish to conduct a service organization controls (SOC) audit under SSAE 18.

Know how risk identification and assessment helps organizations prioritize cybersecurity efforts. Cybersecurity analysts try to identify all of the risks facing their organization and then
conduct a business impact analysis to assess the potential degree of risk based on the probability that it will occur and the magnitude of the potential effect on the organization. This work allows security professionals to prioritize risks and communicate risk factors to othersin the organization.
Know that vendors are a source of external risk. Organizations should conduct their own systems assessments as part of their risk assessment practices, but they should conduct supply
chain assessments as well. Performing vendor due diligence reduces the likelihood that a previously unidentified risk at a vendor will negatively impact the organization. Hardware source authenticity techniques verify that hardware was not tampered with after leaving the vendor's premises.
Be familiar with the risk management strategies that organizations may adopt. Risk avoidance strategies change business practices to eliminate a risk. Risk mitigation techniques
reduce the probability or magnitude of a risk. Risk transference approaches move some of the risk to a third party. Risk acceptance acknowledges the risk and continues normal business operations
despite the presence of the risk.
Understand how disaster recovery planning builds resiliency. Disaster recovery plans activate when an organization experiences a natural or human-made disaster that disrupts normal
operations. The disaster recovery plan helps the organization quickly recover its information and systems and resume normal operations.
Be familiar with the privacy controls that protect personal information. Organizations handling sensitive personal information should develop privacy programs that protect that information from misuse and unauthorized disclosure. The plan should cover personally identifiable information (PII), protected health information (PHI), financial information, and other records maintained by the organization that might impact personal privacy.

Be able to describe several key attributes in which threat actors differ. We can classify threat actors using four major criteria. First, threat actors may be internal to the organization, or they may come from external sources. Second, threat actors differ in their level of sophistication and capability. Third, they differ in their available resources and funding. Finally, different threat actors have different motivations and levels of intent.
Know the many different sources of threat actors. Threat actors may be very simplistic in their techniques, such as script kiddies using exploit code written by others, or quite sophisticated, such as the advanced persistent threat posed by nation-state actors and criminal syndicates. Hacktivists may seek to carry out political agendas,whereas competitors may seek financial gain. We can group hackers into white-hat, gray-hat, and black-hat categories based on their
motivation and authorization.
Be able to explain how attackers exploit different vectors to gain initial access to an organization. Attackers may attempt to gain initial access to an organization remotely over the Internet,through a wireless connection, or by attempting direct physical access.
They may also approach employees over email or social media. Attackers may seek to use removable media to trick employees into unintentionally compromising their networks, or they may seek to
spread exploits through cloud services. Sophisticated attackers may attempt to interfere with an organization's supply chain.
Know how threat intelligence provides organizations with valuable insight into the threat landscape. Security teams may leverage threat intelligence from public and private sources to learn about current threats and vulnerabilities. They may seek out detailed indicators of compromise and perform predictive analytics on their own data. Threat intelligence teams often supplement open source and closed source intelligence that they obtain externally with their own
research.
Be able to explain why security teams must monitor supply chain risks. Modern enterprises depend on hardware, software, and cloud service vendors to deliver IT services to their internal and external customers. Vendor management techniques protect the supply chain against attackers seeking to compromise these external links into an organization's network. Security professionals should pay particular attention to risks posed by outsourced code development, cloud data
storage, and integration between external and internal systems.

Be able to describe the purpose of the charter. The core of the charter is the scope statement, which defines the security objectives included in the program and the portion of the organization covered by the program. The charter should also address the business purpose of
the program, a statement of authority, roles and responsibilities,governance structures, documentation, enforcement mechanisms, and processes for periodic program reviews.
Know how metrics are used to assess the efficiency and effectiveness of the information security program. Key performance indicators (KPIs) are metrics that demonstrate the success
of the security program in achieving its objectives. KPIs look at historical performance. Key goal indicators (KGIs) measure progress toward defined goals. Key risk indicators (KRIs) try to quantify the security risk facing an organization. KRIs look forward at future potential risks.
Be able to explain how security training and awareness ensures that individuals understand their responsibilities. Security training programs impart new knowledge to employees and other stakeholders. They should be tailored to meet the specific requirements of an individual's role in the organization.Security awareness programs seek to remind users of the information
they have already learned, keeping their security responsibilities top-of-mind.
Know that security managers are people managers. Security managers lead a team of professionals and are responsible for the motivation, development, and management of those team members.
This includes providing training that helps employees keep their skills current and certifications that help employees validate their skills.
Know that security managers are financial managers. Security managers bear responsibility for managing a budget allocated to the information security program. They must understand how the fiscal year used by their organization affects funds availability and how to work within the budgeting and accounting processes used by their organization.
Be able to explain how information security must work closely with other business functions. Security managers should cultivate relationships with other business leaders to ensure that
security is well integrated with other business functions. This includes integrating with the human resources function for employee hiring,transfers, and termination. It also includes aligning with procurement and accounting functions for product and service acquisitions. Security
leaders should also work carefully with other information technology leaders and the organization's auditors.