everyone. Welcome to domain To lesson two of the S S C P exam print.
I'm your host, Peter Simple. In
so far in lesson in domain tombs are we've looked at the code of ethics, which is the standard for acceptable behavior. We examined the C I A. Triad, which is the most important aspect of stocks. Security. CIA track consist of confidentiality, integrity
Now, in this lesson, we take a look at security architecture,
which is the practice of designing a framework for security systems.
which are safeguards implemented to deal with risk.
And we examined system security plans which are comprehensive documents, he telling the security requirements and controls off a system.
A security architecture is the practice of designing a framework for the structure and function off all information security systems in the organization.
And when designing a security architecture, it's always very important to use best practices whenever possible.
Best practices for a security architecture of things like defence in depth,
risk based controls, please privilege, authorization and accountability and separation duties.
Let's take a look at each one of these components in more detail.
Defence in depth is the implementation of multiple controls, so that successful penetration and compromise is more difficult to eight to obtain.
Security's not perfect. We all knew this. That's why it's important to add layers that make up for the imperfections. In security defense.
are effective because it minimizes the different ways and attack can occur. So when there are email security for email, tak factors led security for browser attack factors. And so
this also applies to outside in attacks and inside out attacks. So, in other words,
defensive depth prevents attacks on the outside coming in your organization and also insider threats. Employees in the organization who want to attack the organization.
These defenses back each other up, and they avoid single point of failure so that even if one defense goes down for whatever reason, there are plenty of other defenses to protect the organization.
component or security architecture are risk based controls,
so risk is defined as
the combination off threats,
vulnerabilities and the impact of both
Where is basically shoes?
The damage that could be done if security controls do not exist?
Controls are definitely needed because all organizations face prints.
Now there are tangible and intangible consequences
if this risk is not dealt with, um, you can have things such as stolen assets
as a tangible risk. Or you can have off of investor confidence
as an intangible risk.
Controls are implemented based on risk assessments and analysis
and the value of the assets. The management decides what controls are necessary, but to do that, they need tohave correct risk information. They need to be able to correctly assess the risk
using a standard process, which is needed for consistent results.
That's why there are things such as
These two are standard processes for
determining risk and provide consistent results time after time.
Accurate results are consistent. Success factor in getting an organization's buying for security measures,
please progress. We talked a little bit about this in the last lesson, but at least privilege is the concept of need to know
people can only access enough information to do their jobs properly.
Leave privilege reduces the number off authorized users doing things they shouldn't be doing,
but it also reduces the number of accidental errors to, For example, you can't delete a file that you don't have access to
least privilege is great because it makes Actor's job much more difficult. So, for example, in an organization, if a hacker breaks into the payroll system, they would only have access to things in payroll. They would not have access to anything in marketing anything from the legal department
or in the I T department.
So with least privilege,
their ability a hacker's ability to move about the organization's network is much harder
at three. Part about these privilege is that it can be implemented at different security levels, such as the operating system level, the application process file or physical levels.
Least privilege is usually set by groups, which is great, too. So everyone has the group off
If everyone has a building label, they only have access to materials needed. Four. Building
authorization and accountability
authorization determines what's a person can do. Once authenticated,
it is the third step in the access control system, and authorization records are kept for validation purposes.
These records were kept to determine if the process of accessing data is working as intended.
They're also kept for determining breaches or any type of forensic evidence.
Accountability is a principle that ties users to their actions.
This is enforced through user account and event box.
Always protect your credentials from unauthorized use.
Anything done with your account credentials will be attributed to you, even if it was, even if it wasn't you. If your account credentials were used to do something you shouldn't have been doing, it will always be traced back to you.
Separation of duties. A security mechanism for preventing fraud and unauthorized use that requires two or more individuals to complete the task or perform a specific function.
So this is when a task is broken up into two separate parts
and two people are required to complete the entire task. So one person, just one part and the other person does the other part.
This isn't This is an important concept off internal control.
This is also different from dual control in the sense
that dual control you need two people to perform the same thing at the same time, whereas with separation of duties you do not. So, for an example,
with separation of duties,
if a person submits an access request to look at a document, they cannot be the same person to approve that request to look at the document. It needs to be two separate people, one person that request it and the other person to grant that access.
Dual control. The best example of dual control is nuclear codes. I don't know if you ever seen the movies where two people have to turn the key at the same time in order to send off the nuclear missile.
Separation of duties is also used with dual control, as we mentioned mandatory vacation, which is
thio required by the organization to take some time off and job rotation where different employees in the organization take turns doing different functions.
Controls are safeguards and counter measures which are created and implemented to deal with risk their group together depending on their function. So there's three major
rooms of controls. There are management,
technical and operational.
Let's take a look at these in more detail.
our controls that are based upon the management off systems on dhe security.
These air control's made by people there decided by people, and they usually exist in the form of policies and procedures,
technical controls, our controls that are executed by the system itself. There is no actual human involvement. The only human involvement in the technical control would be setting enough oven that the execution of that control is done by the system.
An example of a technical control. Access control, which you are all professionals and fair. Familiar with
the last type of control is an operational control. This these air any tough controls that are operated or done by people. So personal security. There's a security guard
outside of the door who's checking badges to make sure no one gets in
to an organization that would be an example of an operational control.
Within the three control categories are different control types. So in each category, management,
technical and operational there are seven different types of controls.
The controls are directive which specify acceptable rules. Be here.
Deterrent, which discourages people from violating security directions.
controls for stopping a security incident.
which are substitute controls
for a loss of primary controls.
Corrective controls which are implemented to mitigate any damage.
Detective controls, which signal warning when something has been breached, and recovery controls which restore conditions
The table on this slide is a great example of how controlled types and control groups and intermingle. So just random example. If we have a technical control
with a detective type,
we can determine that. An example of that would be logs logs would determine whether or not somebody had broken into the system or whether or not a breach had happened.
System security plants.
So systems security plans are comprehensive document that details the requirements
or a system controls established to meet those requirements and the responsibility of those administrating or accessing the system.
The rules of responsibilities
off a system security plan are the system owner, which is the person responsible for the creation of the system, the implementation, the integration in the maintenance. He has the overall responsibility for the cyst.
The information owner who has the overall authority on the information stored process. They're transmitted by the system.
The security officer who is responsible for coordinating development review and the acceptance off the security plans,
and the AUTHORISING official, which is usually a manager or a senior executive with the authority to assume full responsibility
for the system covered in the system Security point.
Parts of a system security plan include people of their roles, which we just mentioned
contacts of people who have knowledge of the configuration or operation of the system,
which are the requirements for confidentiality, integrity and availability off. The resource is of that system
any type of controls which have been implemented to back up and force the requirements of the system
and procedures for maintenance and review.
In summary today, we look at security architectures, which are the framework for developing security systems and their components. We looked at controls, which are the safeguards,
um, to deal with risk. And we looked at system security plans,
which are comprehensive documents that provide detail for a specific security system.
this type of control was activated when the existing controls do not work.
the correct answer is a compensating controls.
Thanks for watching guys. I hope you learned a lot and I'll see you next time