Sec Ops and Administration
![[Pasted image 20240312103449.png]]
Code of Ethics 1.1 https://www.isc2.org/ethics
Preamble
ISC2 members are professionals and are expected to behave in an ethical manner. They are expected to make difficult ethical decisions and to support one another in doing so. While the board recognizes its obligation to provide the certificate holder with guidance on making ethical decisions, it does not expect to supervise or judge professionals in making these difficult decisions. The board recognizes its responsibility to maintain the integrity of the certification. It accepts that, from time to time, the good of the profession may require it to disassociate the profession from egregious behavior on the part of a particular certificate holder. It intends to deal with necessary complaints in a timely manner. This document describes the procedure to be used when complaints are necessary. By publishing these procedures, the board does not expect, invite, solicit, or encourage such complaints. The use of these procedures is for the sole purpose of protecting the reputation of the profession. They are not intended to be used to coerce or punish certificate holders.
Confidentiality
The board and its agents undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of the identity of the complainant will be avoided where possible, upon filing a complaint, the complainant implies consent to disclose his identity to the respondent, where the board or its agents deem it necessary for due process. Actions of the board may be published at its discretion. Parties are encouraged to maintain confidentiality and certificate holders are reminded of their obligation to protect the profession.
Specificity of Complaints
The committee will consider only complaints that specify the canon of our ISC2 Code of Ethics that has been violated. If you are unsure of the canon violated, file the complaint to the best of your ability or contact the Ethics Committee contact listed at the end of these procedures.
Professional Conduct Committee
The Professional Conduct (Ethics) Committee is a standing committee to assist ISC2 in the review of allegations of ethical misconduct of ISC2 members. It is established to oversee the application of the ISC2 Code of Ethics as it relates to exam candidate eligibility, deliver recommendations concerning the enforcement of the ISC2 Code of Ethics, and periodically review and recommend revisions to the Code.
Standing of Complainant
Complaints will be accepted only from those who claim to be injured by the alleged behavior. While any member of the public may complain about a breach of Canons I or II, only principals (those with an employer/contractor relationship with the certificate holder) may complain about violations of Canons III, and only other professionals (those who are certified or licensed as a professional AND also subscribe to a code of ethics) may complain about violations of Canon IV.
Form of Complaints
All complaints must be in writing. The committee is not an investigative body and does not have investigative resources. Only information submitted in writing will be considered. Two copies must be submitted: one in written form and the other in PDF.
Complaints must be in the form of a sworn affidavit. The committee will not consider allegations in any other form.
Complaints should be sufficiently complete to enable the board to reach an appropriate judgment. At a minimum, the affidavit should specify the respondent, the behavior complained of, the canon breached, the standing of the complainant, and any corroborating evidence.
Neither the board nor its committee is an investigative body and neither has the authority to compel testimony. We can consider only evidence submitted to us voluntarily. There may be many cases where this evidence is not sufficient to support any action. We can proceed only where a prima facie case is made. Where no such case is made, the committee will close the complaint without prejudice to either party.
Committee Procedures
Where a prima facie case has been made, the Ethics Committee will review and tender a recommendation to the board.
Rights of Respondents
Respondents to complaints are entitled to timely notification of complaints. It is the intent of the board and its agents to notify the respondent within thirty days from receipt of the complaint. The respondent is entitled to see all complaints, evidence, and other documents. The respondent will have thirty days from accepting and acknowledging delivery to submit information in defense, explanation, rebuttal, extenuation, or mitigation. As with the complaint, in order to be considered this information must be in the form of a sworn affidavit. As in the law, silence implies consent. That is, to the extent that the respondent is silent, the committee may assume that he does not dispute the allegations. The committee may grant necessary extensions of time to the respondent upon request.
Disagreement on the Facts
Where there is disagreement between the parties over the facts alleged, the Ethics Committee, at its sole discretion, may invite additional corroboration, exculpation, rebuttals and sur-rebuttals in an attempt to resolve such dispute. The committee is not under any obligation to make a finding where the facts remain in dispute between the parties. Where the committee is not able to reach a conclusion on the facts, the benefit of all doubt goes to the respondent. That is to say, where the respondent disputes the facts alleged, then the burden of proof is on the complainant.
Findings and Recommendations
The Ethics Committee will submit findings and recommendations for action to the board. In reaching its findings, the committee will consider any published guidance that has been given to certificate holders. In reaching its recommendations, the committee will prefer the most limited and conservative action consistent with its findings.
Notification and Right of Comment
The Ethics Committee will notify the parties of its recommendation prior to any board action. Parties have 14 days to submit a response or comments on the recommendations for consideration by the board.
Disciplinary Action
Discipline of certificate holders is at the sole discretion of the board. Decisions of the board are final.
Final Disposition
Parties will be notified of the final disposition within thirty days of board action. All complaints should comply with the procedure stated and be mailed to the following address:
Understand 1.2
- CIA: confidentiality, integrity, availability
- Accountability ("audit"): can a transaction be ascribed to a given user/system?
- Privacy: how information about someone may be gathered or used
- Nonrepudiation: a user cannot deny taking part in a transaction
- Least privilege: each user/process gets only the access needed for its task
- Segregation of duties: purposefully adding inefficiency to a process so that no one person can complete a given task alone
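Accountability in practice means the audit trail itself must be trustworthy. The following is an added example (not from the SSCP material or this note's author) of a tamper-evident audit log: each record carries an HMAC over its body and the previous record's MAC, so an edited, deleted or reordered record breaks the chain. The sample records, the `LOG_KEY` value and the wire-transfer action names are constructed for the demo; the log key is assumed to be held only by the log service.

```python
"""Tamper-evident audit log: accountability via an HMAC-linked hash chain.

Constructed example. Each record binds actor, action and timestamp to the
previous record's MAC, so a missing, reordered or edited record is detected.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption: a key held only by the log service (e.g. in an HSM/KMS), never
# by the users whose actions are recorded. Constructed value for the demo.
LOG_KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS = "0" * 64
FIELDS = ("seq", "ts", "actor", "action", "prev")


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def _canonical(body: Dict) -> str:
    # Canonical JSON so the same fields always produce the same bytes to MAC
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def append_event(log: List[Dict], key: bytes, actor: str, action: str, ts: str) -> Dict:
    """Append one record; its MAC covers the body and the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action, "prev": prev}
    record = dict(body, mac=_mac(key, _canonical(body)))
    log.append(record)
    return record


def verify_chain(log: List[Dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """(True, None) if every record links to its predecessor, else (False, seq of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in FIELDS}
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(_mac(key, _canonical(body)), rec["mac"])):
            return False, i
        prev = rec["mac"]
    return True, None


def sod_violations(log: List[Dict]) -> List[str]:
    """Transaction ids where one actor both approved and released (segregation-of-duties breach)."""
    approvers: Dict[str, str] = {}
    releasers: Dict[str, str] = {}
    for rec in log:
        verb, _, txid = rec["action"].partition(":")
        if verb == "approve_wire_transfer":
            approvers[txid] = rec["actor"]
        elif verb == "release_wire_transfer":
            releasers[txid] = rec["actor"]
    return [t for t in approvers if t in releasers and approvers[t] == releasers[t]]


def build_sample_log() -> List[Dict]:
    """Constructed honest log: alice approves, bob releases (duties segregated)."""
    log: List[Dict] = []
    append_event(log, LOG_KEY, "alice", "approve_wire_transfer:4711", "2024-03-12T10:34:00Z")
    append_event(log, LOG_KEY, "bob", "release_wire_transfer:4711", "2024-03-12T10:35:10Z")
    append_event(log, LOG_KEY, "alice", "logout", "2024-03-12T10:36:00Z")
    return log


def tampered_log() -> List[Dict]:
    """Edit record 1 without the key (all a tamperer can do): the MAC no longer matches."""
    log = build_sample_log()
    log[1]["actor"] = "alice"
    return log


def truncated_log() -> List[Dict]:
    """Delete record 1: record 2 still points at record 1's MAC and has the wrong seq."""
    log = build_sample_log()
    del log[1]
    return log


if __name__ == "__main__":
    print("honest   :", verify_chain(build_sample_log(), LOG_KEY), sod_violations(build_sample_log()))
    print("tampered :", verify_chain(tampered_log(), LOG_KEY), sod_violations(tampered_log()))
    print("truncated:", verify_chain(truncated_log(), LOG_KEY))
```

An HMAC chain gives integrity and accountability, but not nonrepudiation: whoever holds `LOG_KEY` can forge a consistent chain, so a user can still claim the log service fabricated the entry. Nonrepudiation needs each actor to sign records with a private key only they hold (asymmetric signatures), which is why the notes list it as a separate property.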
Understand 1.3
- Technical controls: anything done with or by an IT system, e.g. session timeout, password aging, firewalls, AV solutions
- Physical controls: anything with a tangible presence, e.g. cameras, mantraps, locks, turnstiles, fences, bollards
- Administrative controls: any governance/procedures that restrain activity
    - Security policies: how the org approaches a given topic; names the standard it follows
    - Standards: a set of directives the org follows, external (ISO/NIST) or internal
    - Processes: a detailed set of steps on how to do something, written by the offices that carry them out
    - Baselines: a set of configs/settings that should be applied to similar technology across the org
- Assessing compliance: ways an org can determine whether standards are being met, for both performance and security; should be continual (see 7.4*)
- Periodic audit and review
Understand 1.4
- Deterrent controls: dissuade an attacker, e.g. barbed wire
- Preventative controls: prevent access or exfiltration, e.g. a wall
- Detective controls: sense attack/anomalous activity
- Corrective controls: change a non-secure state to a more secure state
- Compensating controls: replace a required control with a substitute
Understand 1.5 Asset management lifecycle
- Process planning, design and initiation
    - An asset is anything that has value, tangible or intangible
    - Must be based on policies
- Development and acquisition
    - Assets can be acquired any way: direct sale / COTS (commercial off the shelf), or custom built internally
    - If using a contract process, **ENSURE SECURITY IS AN ASPECT OF EVERY PHASE:** define requirements, post the request for proposal, score responses, negotiate terms, monitor/inspect delivered assets, support over the operational lifetime
- Inventory and licensing
    - Asset inventory is crucial: you can't protect what you don't know you have; should be part of the secure acquisition process
    - Intellectual property (software) often requires licensing: site/seat/enterprise, freeware/trial/adware, open source/creative commons
    - Custodial/library functions are essential; orgs are often open to unannounced vendor (license) audits
- Implementation/assessment
    - All tasks must be assigned to specific parties
    - For enforcement, activities must be monitored and audited
- Operation/maintenance
    - Continual assessment is crucial: performance, security controls
    - Long-term maintenance is important: vendor updates/upgrades/patches; re-assessment to determine whether current needs are still met
    - Everything breaks
- Archiving and retention
    - Moving data/systems from the production environment to long-term storage
    - Retention: the amount of time data/systems are kept; periods are driven by statute/regulation, contract, and best practice
    - Best practice: minimize retention periods; this reduces both cost and risk
- Disposal and destruction
    - Secure removal is essential (hardware and software); ensure dependencies are addressed
    - Ensure no data remanence: secure sanitization by overwriting, degaussing, cryptoshredding/cryptographic erasure, or physical destruction
    - Caveat: overwriting and degaussing are not reliable for SSDs/flash (wear levelling hides old blocks, and flash is not magnetic); use cryptographic erasure or physical destruction there
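Cryptographic erasure is the one sanitization method above that works the same on spinning disks, SSDs and cloud storage: the data is only ever written in encrypted form, and "destroying" it means destroying every copy of the key. The following is an added example (not from the SSCP material or this note) showing the idea and its main failure mode. To stay dependency-free it uses HMAC-SHA256 in counter mode as the stream cipher, which is an assumption of this demo only; real disk or record encryption uses AES-XTS or AES-GCM. The sample record and key sizes are constructed values.

```python
"""Cryptographic erasure (crypto-shredding) of data at rest.

Constructed example. The record is stored only as ciphertext under a data
encryption key (DEK); zeroing every copy of the DEK leaves the ciphertext on
the medium but unrecoverable. A copy of the DEK that escaped (backup, swap,
log) defeats the erasure, so key copies must be tracked like the data itself.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16


def generate_dek() -> bytearray:
    # bytearray, not bytes: a mutable buffer can be overwritten in place.
    # An immutable bytes object cannot be zeroed and lingers until freed.
    return bytearray(secrets.token_bytes(KEY_LEN))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 used as a PRF (demo-only stand-in
    # for AES-CTR/XTS; unauthenticated, so no integrity protection).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(bytes(key), nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || plaintext XOR keystream; a fresh nonce per record."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def crypto_shred(dek: bytearray) -> bool:
    """Overwrite the in-memory DEK with zeros in place; True if no byte survived."""
    for i in range(len(dek)):
        dek[i] = 0
    return not any(dek)


def shred_demo(record: bytes) -> dict:
    """Walk through encrypt -> shred -> attempt recovery and report each outcome."""
    dek = generate_dek()
    stray_copy = bytes(dek)          # a copy that leaked to a backup or swap file
    blob = encrypt(dek, record)      # the only form ever written to storage
    readable_before = decrypt(dek, blob) == record
    shredded = crypto_shred(dek)
    readable_after = decrypt(dek, blob) == record          # zeroed key: garbage
    recoverable_via_copy = decrypt(stray_copy, blob) == record
    return {
        "readable_before": readable_before,
        "shredded": shredded,
        "readable_after": readable_after,
        "recoverable_via_copy": recoverable_via_copy,
        "ciphertext_still_present": len(blob) == NONCE_LEN + len(record),
    }


if __name__ == "__main__":
    # Constructed sample record
    print(shred_demo(b"SSN=123-45-6789; account=4711; balance=1000.00"))
```

The last two fields are the practitioner's checklist: the ciphertext remains on the medium after shredding (that is fine, and is what makes the method SSD-safe), but any surviving copy of the key, including key-encryption keys in a KMS and keys inside backups of the application host, fully restores the data. An erasure procedure must therefore enumerate every key copy, which is exactly the inventory discipline the asset lifecycle calls for.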
Understand 1.6 Change management lifecycle
- Configs/inventories don't stay constant; changes need to go through a formal, secure process dictated by policy
- Typically uses a Change Management Board (CMB) or Change Control Board (CCB) composed of participants from different stakeholders within the org (IT, security, HR, management, finance)
- Typical process: request, review, approval/disapproval, test, implementation, long-term maintenance and operation, disposal
- Security impact analysis
    - Reviewing proposed changes to determine whether they will have an adverse impact on enterprise security; the concept is valid and sensible
    - The term "business impact analysis" (BIA) is widely used and very worthwhile to understand; BIA is an important tool for many security and non-security purposes
- Configuration management: the practice of creating and maintaining an inventory of assets and the settings for each
    - Provisioning: should be part of the secure acquisition process
    - Baseline: a selection of settings for a particular system, type of system, group of systems, or the enterprise; designed to create uniformity and security
    - Automation: application of the baseline, plus monitoring to check configurations against it
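The "monitoring to check configurations" half of configuration automation (1.6) is also how compliance with a baseline is assessed continually (1.3). The following is an added example (not from the SSCP material or this note) of a baseline drift check over two key/value config files: it parses an `sshd_config` and a `login.defs`, compares them with the org's chosen baseline, and reports each drift as a finding. The baseline values, the file contents and the severity labels are constructed for the demo. It honours two `sshd_config` rules that naive checkers miss: the first occurrence of a keyword wins, and anything after a `Match` line is conditional rather than global; the same first-wins rule is applied to `login.defs` as a simplifying assumption.

```python
"""Baseline compliance check for key/value config files (sshd_config, login.defs).

Constructed example: parse a host's config text, compare it with the baseline
the org has chosen, and report drift as findings.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

UNSET = "<unset>"


@dataclass(frozen=True)
class Finding:
    file: str
    key: str
    expected: str   # e.g. "eq no", "le 4"
    actual: str     # UNSET when the key is absent
    severity: str


# Constructed baseline: key -> (predicate, value, severity).
# "eq" must equal; "le" numeric and <= value; "ge" numeric and >= value.
BASELINE: Dict[str, Dict[str, Tuple[str, str, str]]] = {
    "/etc/ssh/sshd_config": {
        "PermitRootLogin": ("eq", "no", "high"),
        "PasswordAuthentication": ("eq", "no", "high"),
        "MaxAuthTries": ("le", "4", "medium"),
        "ClientAliveInterval": ("le", "300", "medium"),   # idle session timeout
    },
    "/etc/login.defs": {
        "PASS_MAX_DAYS": ("le", "90", "medium"),          # password aging
        "PASS_MIN_LEN": ("ge", "14", "medium"),
    },
}

# Constructed file contents standing in for what the host actually has.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": """
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
MaxAuthTries 2          # duplicate: sshd keeps the FIRST value (6)
Match User backup
    PermitRootLogin no  # conditional, must not satisfy the global check
""",
    "/etc/login.defs": """
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    14
""",
}


def parse_kv_config(text: str) -> Dict[str, str]:
    """'Key value' lines; '#' comments; keys case-insensitive; first value wins;
    stop at the first 'Match' line because later lines are conditional."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def _compliant(pred: str, want: str, actual: str) -> bool:
    if pred == "eq":
        return actual.lower() == want.lower()
    try:
        a, w = int(actual), int(want)
    except ValueError:
        return False          # non-numeric where a number is required
    return a <= w if pred == "le" else a >= w


def check_compliance(baseline=BASELINE, files=SAMPLE_FILES) -> List[Finding]:
    findings: List[Finding] = []
    for path, rules in baseline.items():
        actual = parse_kv_config(files.get(path, ""))
        for key, (pred, want, sev) in rules.items():
            got = actual.get(key.lower(), UNSET)
            if got == UNSET or not _compliant(pred, want, got):
                findings.append(Finding(path, key, f"{pred} {want}", got, sev))
    return findings


if __name__ == "__main__":
    for f in check_compliance():
        print(f"[{f.severity}] {f.file}: {f.key} expected {f.expected}, actual {f.actual}")
```

Running it against the constructed files yields four findings: `PermitRootLogin` (yes), `MaxAuthTries` (6, because the later `2` and the `Match`-scoped `no` are correctly ignored), `ClientAliveInterval` (unset) and `PASS_MAX_DAYS` (99999). In a real deployment the file contents come from the host or a configuration-management inventory, and the findings feed the periodic audit and review the notes call for.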
Understand 1.7 Implementing security awareness and training
- Awareness: general knowledge, for all personnel
- Training: specific skills, for selected participants
- Social engineering: techniques that leverage users/personnel instead of systems
- Phishing: a form of social engineering using email
- Methods and techniques to present awareness and training: self-paced/online/CBT, gamification
- Periodic content reviews
- Program effectiveness evaluation
Understand 1.8 Collaborate with physical security operations (defense in depth)
- One entrance, many exits
- Badges can incorporate biometrics (photos), barcodes, RFID, magnetic keys, etc.
- Different coded badges for different users/purposes
- Two-person integrity for sensitive areas
- Visitors should be treated differently
- Lighting discourages attackers and enhances observation
- Secure architecture is boring
- Physical security should be provided by physical security professionals (CPP, Certified Protection Professional)