Latest Posts

CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 6

Vulnerabilities and Threat Identification: When we’re determining vulnerabilities and threats to an asset, considering the threat agent first is often the easiest. There are essentially six categories of threat agents. So we have human, which can be both malicious and non-malicious, internal and external threats; natural threat agents, of course, floods, fires, hurricanes, et cetera. Technical, which is going to include hardware and software failure, malicious code, as well as new technologies. Then you have physical, which includes perimeter measures that have failed, biometric failures, et cetera. Environmental, which…

CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 5

Risk Impact: Risk impact, or the magnitude of the impact, is just an estimate of how much damage a negative risk can have or the potential opportunity cost if a positive risk is realized. So we’re measuring these in financial terms if it’s quantitative or with a subjective measurement if it’s qualitative. Risks are then usually ranked on a scale that’s determined by the organization. So a high-level risk would result in significant loss, and a low-level risk would result in negligible loss. Now, if the magnitude of the impact…

CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 4

Categorizing Data: Let’s start with what should be a review for most of you at this point. Most don’t come directly into the CASP exam. So you’ve probably heard of the three fundamentals, or triad, of security, and that is CIA: confidentiality, integrity, and availability. So what is confidentiality? Well, that’s keeping something secure, preventing the disclosure of data or information to those that aren’t authorized to see it. As a part of this, the sensitivity level needs to be determined before we can put any access controls in place,…

CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 3

Process Life Cycle: A process is a collection of related activities that produce a specific service or product. That is, they serve a particular goal for the organization. Change management and risk management are examples of processes. So once the policy is written, then the appropriate processes should be written, and those are based on a life cycle as well. The first step is to analyze the policy. The second step is to design the process based on the policy. So when a new process is implemented, all personnel involved in…

CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 2

Integrating Diverse Industries: There are a lot of cases today where companies are integrating business models that are significantly different from one another. So we’ve got the integration of diverse industries. In some cases, these organizations are entering new fields, sometimes they’re going into new areas. So you’ve got different cultures, different regulatory requirements, and that can open up a lot of new business opportunities, but it also can introduce a number of security weaknesses. And so these are some of the considerations that we need to take into account…

CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management

Chapter Introduction: In this first chapter, we’re going to be looking at the concepts of risk management. And risk management is going to be a big part of the life of a security professional because as security professionals in the information technology business, we’re surrounded by risk every day. And the way that we handle that risk will really prove the efficiency that we have at our job. In this chapter, we’re going to discuss a number of different topics. The first will be understanding business and industry influences….

PMI PMP Project Management Professional – Introducing Project Procurement Management Part 4

Preparing for Contract Administration: Let’s talk about procurement administration. When we get into procurement administration, it’s things like making sure people are being paid on time and invoicing properly and using the right system to do a request for payment. The seller’s compensation might be linked to progress. So they hit these milestones, then they get paid. If that’s the case, as the buyer, I can’t stall. If they hit their milestones and it requires a review, then I need to get out there and review it and make sure…

PMI PMP Project Management Professional – Introducing Project Procurement Management Part 3

Creating the Procurement Documents: There are many documents that you will need to be familiar with for your exam. And they’re not tough to understand or nail down, they just have some different characteristics here. So in this table are the documents you really need to know. This is in addition to the contracts. So let’s walk through these now. A bid and a quotation are nearly identical. A bid is from the seller to the buyer. And it’s all about just a price. Same thing with a quote….

PMI PMP Project Management Professional – Introducing Project Procurement Management Part 2

Planning for the Project Requirements: When we do procurement, we need to think about the project requirements. What are we purchasing and how does that satisfy our project requirements? So we’ll look at the project scope statement first. That defines the high-level requirements and, well, it really defines exactly what we’re going to create, the project scope statement. The work breakdown structure and the WBS dictionary, though, give us even more detail down to the work package level. So this helps us define what we need to procure…

PMI PMP Project Management Professional – The PMI Code of Ethics and Professional Conduct

Section Overview: Code of Ethics and Professional Responsibility. Welcome to this section on the PMI Code of Ethics and Professional Conduct. You will have questions on your exam about ethics that are related to this PMI Code of Ethics and Professional Conduct. In the past, this was its own category of questions. Not anymore. Now these questions are integrated into the different knowledge areas. So it’s not as clear-cut that this may be an ethics question on the Code of Conduct, that it’s integrated. Just like in your role as…
