Enterprise Architecture & Security Control Framework

A security program is a framework made up of many entities: logical, administrative, and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for an environment. Each has an important place in the framework, and if one is missing or incomplete, the whole framework may be affected. The program should work in layers: each layer provides support for the layer above it and protection for the layer below it. The mindmap below explains most of the enterprise architecture and security frameworks discussed in the CISSP exam.

The most important security planning step is to consider the overall security control framework, i.e. the structure of the security solution the organization wants.

One can choose from several options with regard to security concept infrastructure; however, one of the more widely used security control frameworks is Control Objectives for Information and Related Technology (COBIT). COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). COBIT is based on the five principles below:

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

There are many other standards and guidelines for IT security. A few of these are:

  • Open Source Security Testing Methodology Manual (OSSTMM): A peer-reviewed guide for the testing and analysis of a security infrastructure
  • ISO/IEC 27002 (which replaced ISO 17799): An international standard that can be the basis of implementing organizational security and related management practices
  • Information Technology Infrastructure Library (ITIL): Initially crafted by the British government, ITIL is a set of recommended best practices for core IT security and operational processes and is often used as a starting point for the crafting of a customized IT security solution

Intent Based Networking (IBN)

This blog continues my previous blog, where I discussed the business requirements of enterprise network architecture; refer to that hyperlink for details. Before I start with Cisco DNA, let's understand Intent Based Networking.

So what does Intent Based Networking (IBN) mean? I am sure everyone agrees with me: this is the latest buzzword in the market, one we have been hearing for the last year. So, do you think it is something new? Well, if you ask me, yes, it is a new buzzword, but the concept has been with us for the last two decades.

Then the next question comes: what is it?

The SDN framework is the basis for the definition of Intent-Based Networking (IBN). It begins with the expression of business intent. So, what is business intent? Some examples:

  • This application is very critical to my business and should be up 100% of the time.
  • Only a specific group of users can access these applications and services.
  • If one of the devices is infected, it must be quarantined.

Business intent expresses only "what" you want, not how you want it done, e.g. placing an order for a phone on an online shopping portal. In this case, you intend to get the phone; how the phone gets delivered to you, or which retailer is used to procure it, does not matter to you at all. That decision is up to the shopping portal.

Therefore Intent Based Networking helps us deliver this business intent by expressing it over the network. The picture below depicts what goes on "behind the scenes" in an IBN system.

In the Translation phase, the input is the business intent, which defines the "what."

In the Validation phase, the IBN system validates the business intent to make sure it is achievable, and the network device configuration that explains the "how" is generated for the network devices.

This business intent needs to be expressed across the whole network, so the configuration must be pushed to hundreds or thousands of network devices, and at that scale manual deployments are error-prone. Hence it needs automation/orchestration, which allows a network operator to treat thousands of network devices as a single software-enabled, programmable entity.

The resulting network state must then be analyzed to provide assurance, which tells us whether the intent was delivered; if not, remediation action should be taken.

Additionally, the IBN system should be continually self-learning, so that it can understand:

  • What is normal versus abnormal?
  • What are the most common root causes of issues?
  • What are the most effective remedial actions for a given issue?

With these capabilities, an IBN system becomes not only smarter, but also more reliable, available, and adaptable to ever-evolving business requirements.

If you look at the last 15 years, IT vendors have promised dynamic, self-configuring/self-optimizing infrastructures, but for most enterprises this promise remains largely unfulfilled. That's why I said earlier that the concepts of IBN have been around us for two decades.

Hence, an IBN system changes the way networking used to happen in the past. It enables network managers and engineers to deal with the network less in terms of port-by-port and device-by-device configuration and more in terms of the desired outcome at a higher level.

So, are you ready for Intent Based Networking? While an IBN system benefits an enterprise organization to a great extent, we should also keep in mind its implications for your IT staff.

  • Being a new technology, it can take some of your IT staff out of their comfort zone.
  • The evolution of automation in networking has already given network engineers a bitter experience.

Cisco DNA is an IBN system which promises to fulfill all of the above.

In my next blog, we will take a close look at mapping the business requirements mentioned in the previous blog onto IBN systems such as Cisco DNA.


Value Proposition of Cisco DNA … Part 1

In this blog (the first one on Cisco DNA), I would like to share some of the value proposition offered by the brand new Cisco solution for the enterprise industry, i.e. Cisco DNA (Digital Network Architecture).

Last week, a few colleagues and I were discussing over a cup of tea (in India also known as "Chai Pe Charcha"), and suddenly this topic popped up; all of us started talking about this technology. One said this might be another marketing/technology jargon that does not help much in the real world. Blah... blah... blah.

Coincidentally, I didn't agree with their thoughts and said there must be something interesting about this product/technology, because the whole enterprise industry is shifting towards it. If most companies are adopting it and doing pilot installations or early field trials, it must be solving some purpose. Therefore, I decided to do some research on it and share the knowledge gained among us.

Before I start with DNA, let's understand the business requirements of enterprise network architecture.

Based on industry trends, most organizations are in a phase of digital transformation to gain competitive benefits, and the network infrastructure serves as the common point among all elements of digital change, including users, end devices, applications, and Internet of Things (IoT) devices. Let's take a look at the picture below:

In a typical enterprise environment we can flex "compute" at any point in time, and similarly we can flex "storage" very quickly, but when it comes to the network it is not that easy. It requires numerous efforts to plan, design, implement, test and hand over to operations.
Therefore the network is one of the most significant barriers to business evolution. Traditional networks are disconnected from growing business, end-user and application needs. Therefore we need to evolve these networks so that they are secure, agile, flexible, intelligent and simple to operate.

These evolving requirements demand a new architecture and design approach that can add significant business value to the enterprise. There could be many business requirements for digitally transforming networks, but they can all be grouped into four categories.

  1. Cost Reduction & Innovation
  2. Risk Mitigation
  3. Meaningful Insights driving experience
  4. Agility

1. Cost Reduction & Innovation

There are two major costs associated with a network:
1) Operational Expenditure (OpEx)
2) Capital Expenditure (CapEx)

Based on a 2016 McKinsey study of network operations for Cisco, companies spend over $60B on network operations and labor. Imagine this cost if we consult the recent study on IP traffic: IP traffic will increase by more than 2.x-fold by 2020 (per the Cisco Visual Networking Index forecasts), and with the addition of more and more IoT devices these numbers are going to increase drastically. Managing these devices the traditional way is going to be a cumbersome job for IT infrastructure operations. Hence, operational cost is increasing day by day.

As businesses evolve, infrastructure grows and thus the network must scale as well. Capital expenditure can also be economized by network infrastructures that are elastic, flexible, and agile. Such gains are realized when scalability is flexible and easily achieved, with a seamless ability to make moves, adds, and changes (MAC) as specific network demands shift.

In the coming years, the network must operate to comply with evolving application needs. Hence, we need an agile network which can reduce cost without the need for expensive hardware and installation man-hours.

In this article, innovation specifically refers to moving resources into new business or organizational areas to drive new business. Due to the reduction in time spent on network operations, the enterprise can now focus on further investment in innovation.

Another measure of innovation could be an increase in the percentage of network staff time allocated to new projects. What did those organizations do with the additional time? e.g.

  • Employees can focus on more trending technologies such as cloud and SDN.

2. Risk Mitigation

As more and more IP devices, including IoT, are onboarded onto networks, new security challenges and threats arise. A malicious actor can exploit one of the vulnerabilities and breach the enterprise network to harm the organization.

Moreover, with the rapid growth of public/private cloud-hosted applications, Bring Your Own Device (BYOD), and mobile workers, threat actors find multiple ways into the network from both the inside and the outside; this mandates that network security take a 360-degree approach.

Also, the organization must comply with regulatory requirements such as PCI-DSS. Failing to do so can result in harsh fines and penalties, which may further impact productivity. In such a case, organizations may benefit significantly from having an automated and systematic approach to enforcing compliance through their architecture.

Reliable and secure operations are essential not just for risk mitigation but also for enabling the organization to further its digital transformation. Another significant benefit is giving the organization the confidence to roll out new digital capabilities and services with minimum risk (on-time delivery, compliance, service levels, etc.).

3. Meaningful Insights driving experience

In today's world, every enterprise has tons of data, which is increasing very rapidly. However, very few enterprises get any meaningful insights out of it. These insights are constructive for customer experience. For example, a retail customer might be interested to know:

  • Who is buying our products?
  • Where are our customers buying it?
  • When are they buying it?
  • Why are they buying it?
  • What do they like about it?
  • What don’t they like about it?
  • Is our product or service meeting their needs?
  • Are there customer needs that our product or service doesn’t meet?

Similarly, the same customer might be interested in insights which help to understand employee experience.

  • Are our employees able to achieve their work goals?
  • What applications are our employees using to meet their goals? The categories of applications could be one of the below:
    • Unified communications (voice, video) and collaboration applications
    • Cloud-based/SaaS business applications
    • Mobile applications
    • IoT applications
    • Business transactions applications
  • Where are they using these applications?
  • Are these applications meeting their needs?
  • Are there any needs that are not addressed?
  • What do they like about these applications?
  • What don’t they like about these applications?
  • How well are these applications performing?
  • How much does it cost to run these applications?

Similarly, there could be many insights which could help the IT network operations team, such as for compliance and security purposes.

4. Agility

So, do you think insights alone would help the enterprise in today's world? The answer is "No", because the enterprise wants to take certain actions to improve its employee/customer experience. It is like visiting a doctor who tells you that you have an infection but does not tell you which medicine to take.

Hence, we need to know the right set of actions to take if there is any abnormality. The term "agility" means different things in different contexts. Refer to the picture below to understand agility at the different layers of the enterprise.

At the infrastructure layer, agility refers to self-defending/self-healing networks, such as:

  1. If one of the access points goes down, the other access points should be able to increase their power levels automatically.
  2. Resolving an error-disabled interface
  3. Patching/fixing based on the known-bug knowledge base.
  4. Fixing memory leak / CPU utilization issues.

At the application layer, agility refers to applications interacting with the network infrastructure to deploy services, e.g.

  1. QoS policies for the enterprise VoIP application
  2. WAN policies for critical application data replication, i.e. backup and restore.

At the operations layer, agility refers to automation which can help automate mundane tasks. A few examples could be:

  1. Executing a command script on all routers and switches.
  2. Taking a compliance report
  3. Rebooting a set of devices

At the business layer, an agile organization can reduce the time needed to deploy new business-enabling applications and services, and bring new products and services to market faster and more reliably with a higher customer acceptance rate. Examples could be:

  1. Time to bring a new branch online
  2. Time to market for new products and services

Please stay tuned for my next blog in this series, where we will look at how DNA meets the above-mentioned business requirements.

Till then, I appreciate your comments/feedback; I will update this blog based on your inputs.


Intellectual Property Law

So far we have seen who is "right" or who is "wrong". Let us take a look at how a company or individual can protect their intellectual property from being reproduced.

Intellectual property can be protected by several different laws, depending upon the type of resource it is. Intellectual property is divided into two categories: industrial property, such as inventions (patents), industrial designs, and trademarks, and copyrighted property, which covers things like literary and artistic works. These topics are discussed in more detail in the following mindmaps.

A simple rule of thumb for understanding the difference between patents and copyrights: consider a "patent" as covering an "idea" and "copyright" as covering the "implementation of the idea".


Computer Crimes and respective Laws

In the cyber world, computers are heavily used to commit cyber crime. Because of these undesirable acts, organizations wanted to keep them from happening again, and this led to the beginning of computer crime law. Actually, this is true of all criminal law: laws are created to prevent crimes from recurring in the future.

The mindmap below explains computer crimes and their objectives. To protect organizations from computer crimes, the U.S. has developed a series of computer crime laws over the years. Refer to the mindmap below for all the required details.


Laws, Regulations, Compliance

Every country follows some kind of legal system. The figure below shows the different types of legal systems.

Since CISSP discusses U.S. laws and regulations the most, we will restrict ourselves to the U.S. only. We can observe that the U.S. follows the "common law" legal system.
As IT/security professionals, we understand that laws and regulations have a significant impact on how we work and behave day to day. Hence the picture below depicts some of the essential laws covered by the CISSP course content.

Over the last decade, the regulatory environment governing information security has grown increasingly complex. Organisations may find themselves subject to a wide variety of laws, such as:

  1. Computer Crime Laws
  2. Intellectual Property Law
  3. Software Licensing Law
  4. Import/Export Law
  5. Privacy Law

Also, some regulations are imposed by regulatory agencies or contractual obligations, such as PCI-DSS, which could be a mandate for running your business. Refer to the screenshot below for more details about PCI-DSS.

There could be other regulatory compliance requirements, such as:
Auditing: for gathering evidence and finding the weaknesses in a system
Reporting: in case there is a "breach"
Metrics: to identify the effectiveness of your controls and to identify trends


Business Continuity Planning

First of all, sorry about this delayed post. In the first part of this post, we will try to answer some of the fundamental questions: "What is BCP? Why is it needed?" Refer to the image below, which helps to understand BCP.

The overall goal of BCP is to provide an adequate response in the event of an emergency. The BCP process has four main steps, as shown in the mindmap below.

Documentation is a critical step in the business continuity planning process. The picture above lists some of the crucial components of the written business continuity plan.

In further blogs, we will discuss developing and implementing a disaster recovery plan that includes the technical controls required to keep the business up and running.


Qualitative Risk Analysis … Delphi Technique

Purely quantitative risk assessment is hard to achieve because some items are difficult to tag with fixed dollar amounts. Absolute qualitative risk analysis is possible because it ranks the seriousness of threats and the sensitivity of assets into grades or classes, such as low, medium, and high. Typically this analysis is done for intangible assets, such as the reputation associated with the enterprise.
Typically it is measured or determined with the techniques below.

  • Brainstorming
  • Delphi technique
  • Storyboarding
  • Focus groups
  • Surveys
  • Questionnaires
  • Interviews
  • Checklists
  • One-on-one meetings

An example of this can be seen in NIST 800-26, a document that uses confidentiality, integrity, and availability as categories of loss and then ranks each loss on a scale of low, medium, and high. The ranking is purely subjective (which is one of the cons of using a qualitative approach):

Qualitative Risk Analysis – NIST

Let's take the same example we considered in quantitative risk analysis.
Case Study: Datacenter
Threat: Flooding

  • How likely is it that the data center gets flooded in a natural flooding calamity?
    • I would think of low likelihood.
  • How bad is it if it happens?
    • That really depends on a couple of things:
  • How badly will it impact confidentiality?
    • High
  • How badly will it impact integrity?
    • High
  • How badly will it impact availability?
    • High
    • Let's say it is likely and a minor issue; that puts the loss in the high-risk category.
  • It is normal to move high and extreme risks on to quantitative risk analysis. If mitigation is implemented, we can maybe move the risk level to "low" or "medium".

An enterprise can opt for one or more of the above methodologies for qualitative risk analysis. One of the popular mechanisms that we shall take a look at is the "Delphi" technique.

Delphi is an approach that conducts an anonymous survey to gather true facts. For example, if your company asks its employees to provide feedback on their respective managers and their responses can easily be seen by those managers as well, imagine what will happen in this case. Will the company be able to gather correct facts?
Can the company ensure that true inputs will be provided by the employees?
The answer would be "No". Why? The reason is one "we all know"; let's not discuss it here 😛
Imagine another situation where the company performs an anonymous survey: there is a high probability of getting realistic data about employee satisfaction.
Hence we need to categorise our intangible assets into the categories mentioned below.

Delphi Technique

The next question is "how". To understand this, please follow the case study below.

Case Study:

Let's take another example. Company XYZ is an e-commerce company and has a database consisting of its customer details. Let us assume that, knowingly or unknowingly, we put this database on a publicly available web server. In this case:
Our valuable asset = customer list
Impact = High (because it is Company XYZ's customer list, which can lead to high potential losses if competitors become aware of your customers)
Probability/Likelihood = High (because this database is publicly exposed, so the event has a high chance of occurring)
Hence the "customer list" will fall into the "High Impact, High Likelihood" bucket.
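As an added example (not code from the original post), the Python below turns the two qualitative steps described above into something you can run: a likelihood-by-impact lookup that grades loss of confidentiality, integrity and availability separately in the NIST 800-26 style and flags High results for quantitative follow-up, and a Delphi loop that strips respondent identities before feeding the grade distribution back to the panel. The 3x3 matrix, the numeric scores, the 70% consensus threshold and the panel responses are all constructed assumptions, not values from the page.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Qualitative grades as used on the page; the numeric scores and the 3x3 matrix below
# are a constructed scheme, not something the page prescribes.
GRADES = ("Low", "Medium", "High")
SCORE = {grade: n for n, grade in enumerate(GRADES, start=1)}   # Low=1, Medium=2, High=3


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood grade and an impact grade into a risk bucket."""
    product = SCORE[likelihood] * SCORE[impact]
    if product >= 6:       # High x High, High x Medium
        return "High"
    if product >= 3:       # Medium x Medium, High x Low
        return "Medium"
    return "Low"           # Low x Low, Low x Medium


def cia_assessment(likelihood: str, impacts: Dict[str, str]) -> Dict[str, str]:
    """Rate loss of confidentiality, integrity and availability separately, then overall (the worst)."""
    per_category = {cat: risk_level(likelihood, grade) for cat, grade in impacts.items()}
    per_category["overall"] = max(per_category.values(), key=lambda g: SCORE[g])
    return per_category


def escalate_to_quantitative(level: str) -> bool:
    """The page moves High (and Extreme) risks on to quantitative analysis."""
    return level == "High"


def anonymize(responses: Dict[str, str]) -> Counter:
    """Delphi: strip respondent identities; only the grade distribution is fed back to the group."""
    return Counter(responses.values())


def consensus(distribution: Counter, threshold: float = 0.7) -> Optional[str]:
    """A grade is the consensus when at least `threshold` of the anonymous responses agree."""
    grade, votes = distribution.most_common(1)[0]
    return grade if votes / sum(distribution.values()) >= threshold else None


def run_delphi(rounds: List[Dict[str, str]], threshold: float = 0.7) -> Tuple[Optional[str], int]:
    """Feed the anonymous distribution back each round until the panel converges."""
    for number, responses in enumerate(rounds, start=1):
        agreed = consensus(anonymize(responses), threshold)
        if agreed is not None:
            return agreed, number
    return None, len(rounds)


# Constructed panel responses (respondent ids never leave anonymize()).
DELPHI_ROUNDS = [
    {"e1": "High", "e2": "Medium", "e3": "High", "e4": "Low", "e5": "Medium"},
    {"e1": "High", "e2": "High", "e3": "High", "e4": "Medium", "e5": "High"},
]

if __name__ == "__main__":
    # Page's example: publicly exposed customer list, High likelihood, High impact on C, I and A.
    print(cia_assessment("High", {"confidentiality": "High", "integrity": "High", "availability": "High"}))
    grade, rounds_needed = run_delphi(DELPHI_ROUNDS)
    print(f"Delphi consensus on likelihood: {grade} after {rounds_needed} round(s)")
```

The first Delphi round splits 2/2/1 and fails the threshold; once the panel sees only the distribution (never who said what), the second round converges on High. That separation of identity from answer is the whole point of the technique the post describes.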


Quantitative Risk Analysis … The four HOW?

The objective of this analysis is to find out:

  • How much of our asset is compromised?
  • How much will one incident/event cost?
  • How often does the incident/event occur?
  • How much will that cost annually?

To answer these, let us look at the major elements of quantitative risk analysis below.

  • Asset Value (AV): how much is the asset worth?
  • Exposure Factor (EF): the percentage of the asset value lost in one incident.
  • Single Loss Expectancy (SLE) = AV x EF: what does it cost if it happens once?
  • Annual Rate of Occurrence (ARO): how often will this happen each year?
  • Annualised Loss Expectancy without safeguard (ALE1) = SLE x ARO: this is what it costs per year if we do nothing.
  • Annualised Loss Expectancy with safeguard (ALE2) = SLE x ARO, recalculated with the safeguard in place: this is what it costs per year if we put the countermeasure in.
  • Annual Cost of Safeguard (ACS)
  • Cost-Benefit Analysis: if (ALE1 - ALE2 - ACS) > 0, the safeguard is a good choice; otherwise it is not a good choice financially.
  • Total Cost of Ownership (TCO): the mitigation cost, upfront plus ongoing (normally operational).

Quantitative Risk Analysis

Let's understand these mathematical formulas of quantitative risk analysis with the case study below:
Case Study: Data Center
Suppose Company XYZ's data center is valued at 100,000,000 USD.
i.e. AV = 100,000,000 USD
The data center is at risk from a natural calamity such as flooding.
i.e. Threat = Flooding
If flooding happens, 15% of the DC is compromised.
i.e. EF = 15%
Loss per flooding:
i.e. SLE = AV x EF = 100,000,000 x 15% = 15,000,000 USD
Flooding happens once in 5 years.
i.e. ARO = 0.20
Hence the loss per year because of flooding would be:
ALE = SLE x ARO = 15,000,000 x 0.20 = 3,000,000 USD
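To make the arithmetic above reusable, here is an added Python example (not code from the original post) that encodes AV, EF, SLE, ARO and ALE as the page defines them and then applies the page's cost-benefit rule (ALE1 - ALE2 - ACS) to candidate safeguards. The data center figures are the page's; the two safeguards, their annual costs and their effect on EF and ARO are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, expressed in the page's quantitative terms."""
    name: str
    asset_value: float       # AV, in USD
    exposure_factor: float   # EF, fraction of AV lost per incident (0.0 .. 1.0)
    annual_rate: float       # ARO, expected incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: what one incident costs (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised Loss Expectancy: what the threat costs per year (SLE x ARO)."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure with its annual cost (ACS) and its effect on EF and/or ARO."""
    name: str
    annual_cost: float                           # ACS, in USD per year
    new_exposure_factor: Optional[float] = None  # EF after the safeguard, if it changes
    new_annual_rate: Optional[float] = None      # ARO after the safeguard, if it changes


def apply_safeguard(s: Scenario, g: Safeguard) -> Scenario:
    """Post-safeguard scenario: ALE2 is SLE x ARO recomputed with the reduced EF and/or ARO."""
    ef = s.exposure_factor if g.new_exposure_factor is None else g.new_exposure_factor
    aro = s.annual_rate if g.new_annual_rate is None else g.new_annual_rate
    return Scenario(f"{s.name} with {g.name}", s.asset_value, ef, aro)


def cost_benefit(s: Scenario, g: Safeguard) -> float:
    """Page's rule: ALE1 - ALE2 - ACS. Positive means the safeguard pays for itself."""
    return s.ale - apply_safeguard(s, g).ale - g.annual_cost


def rank_safeguards(s: Scenario, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Order candidates by net annual benefit; only those with a positive value are worth buying."""
    return sorted(((g.name, cost_benefit(s, g)) for g in candidates),
                  key=lambda pair: pair[1], reverse=True)


# Case study from the page: AV = 100,000,000 USD, EF = 15%, ARO = once in 5 years.
DATA_CENTER = Scenario("Data center flooding", 100_000_000, 0.15, 0.20)

# Hypothetical safeguards; costs and effects are constructed for illustration only.
FLOOD_BARRIERS = Safeguard("flood barriers", annual_cost=500_000, new_exposure_factor=0.03)
RELOCATION = Safeguard("relocation to higher ground", annual_cost=4_000_000, new_annual_rate=0.0)


if __name__ == "__main__":
    print(f"SLE = {DATA_CENTER.sle:,.0f} USD, ALE = {DATA_CENTER.ale:,.0f} USD")
    for name, value in rank_safeguards(DATA_CENTER, [FLOOD_BARRIERS, RELOCATION]):
        verdict = "worthwhile" if value > 0 else "not justified financially"
        print(f"{name}: net benefit {value:,.0f} USD per year ({verdict})")
```

Note what the rule does with the two constructed options: relocation drives ALE2 to zero, yet ALE1 - ALE2 - ACS comes out negative, so it is rejected, while the cheaper barrier that only cuts EF passes. Eliminating a risk is not automatically the right financial choice; the comparison must include the safeguard's own cost.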

Some other examples are summarized in the table below.

How SLE, ARO, ALE are used/calculated

Risk Assessment/Analysis

Risk analysis is the process of studying in detail the risks that the organisation's assets are susceptible to due to the existence of previously identified vulnerabilities. Please take a look at the mindmap below for the complete risk assessment/analysis process.

In the next blog, we will understand the quantitative and qualitative risk analysis approaches in detail.

Please note: steps 1 to 6 in the mindmap list the risk assessment/analysis process.


Asset … “Valuable Information Asset”

So, "what is an asset"? We can say "an asset for an enterprise is anything which needs to be protected". It could also be a business process or task. Refer to the mind map below for the complete details, categorisation and examples.


“STRIDE” Threat Model … Useful Methodology for Categorization

"STRIDE" is a threat model used to categorize different types of attack. Refer to the mind-map diagram below for a detailed understanding.

I personally feel this is a very good model for categorizing threats in real-world implementations, and I hope to use it very soon in my job.


Threat Modeling … A Step by Step Guide

Threat modelling is the process where potential threats are identified, categorized, and analyzed. There are two approaches to threat modeling, as described below.

The overall objective of any enterprise organization is to reduce risk. Now, let us discuss the framework/methodology/phases involved in threat modeling.

  1. Identify the assets
  2. Describe the architecture
  3. Break down the applications, if any.
  4. Identify threats.
  5. Categorize threats.
  6. Threat analysis
  7. Determine and diagram potential attacks.
  8. Reduction analysis
  9. Threat prioritization
  10. Technologies and processes used to remediate threats.

The mind map below lists the details and the corresponding framework used in each threat modeling phase.


Data Classification … Why? What? How?

The first question that comes to my mind is "why do we need data classification; is it required?" Then, if it is required, "what would be the criteria to classify the data in my environment?", and finally "how do we implement this?"

The answer to the first question is yes, because some data need more security than other data. Hence, it is inefficient to treat all data the same way when designing and implementing a security system.

More sensitive data, such as human resources or customer information, can be classified in a way that shows that its disclosure carries a higher risk. Informational data, such as that used for marketing, would be classified as lower risk. Data classified at a higher risk creates security and access requirements that do not exist for lower-risk data, which might not require much protection at all.

Data classification helps ensure that the data is protected most cost-effectively.

The classification is different in every company, but in general there are two main groups:

Now we understand the importance of data classification. The immediate question is: what would be the criteria to classify data into the categories mentioned above? Below are some general consideration points that can be used for the classification of data.

Data Classification Criteria

After the classification scheme is identified, the organization must create the criteria for setting the classification. No established guidelines exist for setting the requirements, but some considerations are as follows:

  • Who should be able to access or maintain the data?
  • Which laws, regulations, directives, or liabilities might apply to protecting the data?
  • For government organizations, what would the effect on national security be if the data were disclosed?
  • For non-government organizations, what would the level of damage be if the data was disclosed or corrupted?
  • Where is the data to be stored?
  • What is the value or usefulness of the data?

And the final step would be "how do we implement this?" Refer to the steps below to implement data classification in your organisation.

Data Classification Procedures

  1. Identify the data custodian responsible for maintaining the data and its security level, and define responsibilities
  2. Specify the criteria for how the information will be classified and labelled.
  3. Specify the owner of each classification.
  4. Document exceptions
  5. Select the security controls that will be applied to each classification level.
  6. Define procedures for declassifying the data
  7. Create a security awareness program
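As an added example (not code from the original post), the Python below wires the classification criteria listed earlier (regulatory obligations, damage on disclosure, storage location) to procedure steps 1 to 6: custodian and owner are recorded on each asset, the criteria produce a level and a label, documented exceptions override the criteria with a justification, each level maps to a control set, and a declassification date lowers the level automatically. The four-level scheme, the control lists, the "declassified data becomes Public" rule and the sample inventory are all constructed assumptions; the page itself says schemes differ from company to company.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed four-level scheme; the page notes that schemes differ from company to company.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")
RANK = {level: n for n, level in enumerate(LEVELS)}

# Step 5: security controls per classification level (constructed examples).
CONTROLS: Dict[str, List[str]] = {
    "Public": ["integrity check before publishing"],
    "Internal": ["authenticated access", "no posting outside the organisation"],
    "Confidential": ["need-to-know access control", "encryption at rest", "access logging"],
    "Restricted": ["need-to-know access control", "encryption at rest", "encryption in transit",
                   "access logging", "quarterly access review"],
}

# Step 4: documented exceptions, asset name -> (level, justification); reviewed by the owner.
Exceptions = Dict[str, Tuple[str, str]]


@dataclass(frozen=True)
class DataAsset:
    name: str
    owner: str                    # step 3: owner of the classification
    custodian: str                # step 1: custodian maintaining the data and its security level
    regulated: bool               # criterion: laws/regulations/contracts apply (e.g. PCI-DSS)
    damage_if_disclosed: str      # criterion: "none", "low" or "high" damage for a non-government org
    storage: str                  # criterion: where the data is stored
    declassify_after: Optional[date] = None   # step 6: scheduled declassification date


def classify(asset: DataAsset, today: date, exceptions: Exceptions) -> str:
    """Apply the criteria (step 2), documented exceptions (step 4) and declassification (step 6)."""
    if asset.declassify_after is not None and today >= asset.declassify_after:
        return "Public"                          # constructed rule: declassified data becomes Public
    if asset.name in exceptions:
        return exceptions[asset.name][0]         # exception level; justification lives in the record
    if asset.regulated:
        return "Restricted"                      # regulated data always gets the top level
    return {"none": "Public", "low": "Internal", "high": "Confidential"}[asset.damage_if_disclosed]


def label(asset: DataAsset, today: date, exceptions: Exceptions) -> str:
    """Step 2: the label that travels with the data."""
    level = classify(asset, today, exceptions)
    return f"{level.upper()} | owner={asset.owner} | custodian={asset.custodian} | stored={asset.storage}"


def required_controls(asset: DataAsset, today: date, exceptions: Exceptions) -> List[str]:
    """Step 5: the control set the asset's current level demands."""
    return CONTROLS[classify(asset, today, exceptions)]


def highest_level(assets: List[DataAsset], today: date, exceptions: Exceptions) -> str:
    """Strictest level in a set, e.g. to decide the controls a shared repository must carry."""
    return max((classify(a, today, exceptions) for a in assets), key=lambda lvl: RANK[lvl])


# Constructed inventory and dates.
TODAY = date(2024, 3, 1)
BEFORE_RELEASE = date(2024, 1, 15)
EXCEPTIONS: Exceptions = {"vendor price list": ("Internal", "already disclosed in a public tender")}
ASSETS = [
    DataAsset("cardholder database", "finance", "dba-team", True, "high", "datacenter-db01"),
    DataAsset("product brochure", "marketing", "web-team", False, "none", "cdn"),
    DataAsset("salary data", "hr", "hr-apps", False, "high", "hr-share"),
    DataAsset("vendor price list", "procurement", "erp-team", False, "high", "erp"),
    DataAsset("earnings press release", "finance", "comms", False, "high", "comms-share",
              declassify_after=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset.name}: {label(asset, TODAY, EXCEPTIONS)}")
        print("   controls:", ", ".join(required_controls(asset, TODAY, EXCEPTIONS)))
```

The order of the checks in classify() is the design decision worth noticing: declassification is evaluated before anything else so a lapsed date cannot leave stale controls in place, and exceptions are evaluated before the regulatory rule so that any downgrade of regulated data has to be an explicit, justified record rather than a silent default.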

Protection Mechanism

Let's take a look at the common protection mechanisms, or protection controls, that define common characteristics of security controls. Please remember, not all security controls have all of them, but many do.

Protection Mechanism

Also, I was having difficulty understanding the abstraction concept; special thanks to Ravikumar for explaining abstraction to me with real-world examples, e.g. the Cisco SDA solution (data traffic is abstracted from the physical underlying infrastructure) and an AP joining a WLC via CAPWAP (wireless client traffic is abstracted within the CAPWAP tunnel all the way to the wireless LAN controller, irrespective of the underlying infrastructure), etc.


Domain 1: Security & Risk Management

The first domain according to the CISSP exam outline, which I am approaching during my CISSP exam preparation study, is called "Security and Risk Management".

My initial thoughts on this chapter: "Ufff, it sounds too boring; I am actually rather interested in techie stuff and keeping my hands engaged in configuration and troubleshooting." But in reality, it turns out that the chapter is written very nicely and systematically. It contains a nice explanation of important security concepts. This builds the framework for the other chapters and their respective domains. Also, Domain 1 consists of the first four chapters of the CISSP official study guide.

Let's dig deeper into some of the sub-topics in this domain. For each sub-topic, I have also added the hyperlink to its respective blog.

  1. Understand and Apply concepts of CIA
    1. Summary of CIA Triad
    2. IAAAA
    3. Protection Mechanism
  2. Evaluate and Apply Security Governance
    1. Enterprise Governance … Its need
    2. Enterprise Architecture & Security Framework
    3. Security Control Documentation
    4. Organizational Goals/Mission/Objective & Roles/Responsibility
    5. Due Care vs Due Diligence
    6. Organizational Process – Data Classification
  3. Asset
  4. Threat Modeling
    1. STRIDE Model
  5. Risk Management
    1. Risk Management Framework – NIST
    2. Risk Assessment/Analysis
      1. Quantitative Methodology
      2. Qualitative Methodology
    3. Selection of Countermeasure
  6. Business Continuity Planning
  7. Personnel Security
  8. Laws, Regulations and Compliance
    1. Computer Crimes Law
    2. Intellectual Property Law
    3. Software Licensing & Import/Export Law
    4. Privacy Law

Please note: we will keep updating this list as we progress to subsequent chapters.


Security Control Documentation …

To reduce the likelihood of a security failure, the process of implementing security has been somewhat formalized with a hierarchical organization of documentation. Each level focuses on a specific type or category of information and issues.

Now, let’s stitch all the pieces together to view the complete picture.

Case Study: 

  • The security policy dictates in general words that the organization must maintain a malware-free computer system environment.
  • A standard states in strict words that every computer in the organization’s network must have an antivirus installed and updated with the latest virus definitions.
  • A baseline sets the threshold below which a computer is considered insecure and above which it is considered secure. The baseline could be, for example, a fully patched computer with antivirus installed and virus definitions no older than 7 days from the latest definitions published by the vendor.
  • Guidelines could be instructions like:
    • When you receive an email from an untrusted or unknown sender, don’t open any attachments in the mail.
    • Use of USB flash memories, hard disks and CD-ROMs is prohibited on the organization’s computers.
    • Don’t attempt to disable or hinder the antivirus operation.
  • Procedures could be the antivirus installation and configuration steps on network hosts.
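To see how the baseline in this case study becomes something measurable, here is an added example (not from the original post) that evaluates constructed host records against the baseline: antivirus installed, fully patched, and definitions no more than 7 days behind the vendor's latest release. Host names, dates and patch counts are constructed sample data.

```python
"""Baseline compliance check for the malware-free policy case study.

Added example, not from the original post. Host records, dates and the
vendor's latest definition date are constructed for illustration; the
7-day limit comes from the baseline described in the case study.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_DEFINITION_AGE = timedelta(days=7)  # baseline: definitions at most 7 days old


@dataclass
class Host:
    name: str
    antivirus_installed: bool
    definitions_date: Optional[date]  # None when no definitions are present
    missing_patches: int


def evaluate_host(host: Host, vendor_latest: date) -> List[str]:
    """Return the list of baseline violations; an empty list means compliant."""
    violations: List[str] = []
    if not host.antivirus_installed:
        violations.append("antivirus not installed")  # the standard itself is violated
    elif host.definitions_date is None:
        violations.append("no virus definitions present")
    elif vendor_latest - host.definitions_date > MAX_DEFINITION_AGE:
        age = (vendor_latest - host.definitions_date).days
        violations.append(f"definitions {age} days behind vendor (limit 7)")
    if host.missing_patches > 0:
        violations.append(f"{host.missing_patches} patches missing")
    return violations


def audit(hosts: List[Host], vendor_latest: date) -> Dict[str, List[str]]:
    """Map each host name to its violations so a report can list insecure hosts."""
    return {h.name: evaluate_host(h, vendor_latest) for h in hosts}


# Constructed sample fleet; the vendor's latest definitions are dated 2024-03-15.
VENDOR_LATEST = date(2024, 3, 15)
SAMPLE_HOSTS = [
    Host("ws-01", True, date(2024, 3, 14), 0),   # compliant
    Host("ws-02", True, date(2024, 3, 1), 0),    # definitions 14 days old
    Host("ws-03", False, None, 3),               # no antivirus and unpatched
    Host("ws-04", True, date(2024, 3, 8), 0),    # exactly 7 days: still within baseline
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HOSTS, VENDOR_LATEST).items():
        print(name, "secure" if not problems else problems)
```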

Organizational Goals … Roles and Responsibilities

The purpose of organizational goals is to provide direction to the employees of the organization; this is also called the planning horizon. There are three types of organizational goals: strategic, tactical, and operational.


Strategic Plan:

Strategic plans are designed with the entire organization in mind and begin with an organization’s mission. Top-level managers, such as CEOs or presidents, will design and execute strategic plans to paint a picture of the desired future and long-term goals of the organization. Essentially, strategic plans look ahead to where the organization wants to be in three, five, even ten years.

Tactical Plan:

Once we have an idea of how an organisation is planning to evolve, tactical plans support the strategic plans by translating them into specific plans relevant to a distinct area of the organization.

Operational Plan

These plans are carried out by low-level management and are focused on specific procedures and processes.

Let’s review the case study below to understand these different plans.

Case Study: 

Let’s assume Person “A” is the CEO of “XYZ Burger”. As a top-level manager, “A” must use strategic planning to ensure that the long-term goals of the organization are achieved. For “A”, that means developing long-term strategies for achieving growth, such as:

  • Improving productivity and increasing profitability
  • Increasing ROI (Return on Investment)
  • Improving customer Service

When Person “B”, a mid-level manager, learns about the CEO’s strategic plan for increasing productivity, “B” immediately starts to think about possible tactical plans for increasing productivity. Possible tactical planning could be:

  • Testing a new burger-making process that takes less time.
  • Evaluating the purchase of a better oven.
  • Optimizing delivery time with the help of map navigation.

Let’s say Person “C” works as a manager responsible for operational planning. Some of the operational plans for “C” would be:

  • Scheduling employees’ duties each week for 24×7 support (depending on business requirements)
  • Evaluating, ordering and stocking inventory
  • Preparing the monthly budget.
  • Defining employees’ performance goals for the month/year.

Roles and Responsibilities

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization.

The following roles are presented in the logical order in which they appear in a secured environment:

Apart from these, the auditor is another role; it is responsible for reviewing and verifying that the security policy is properly implemented and that the derived security solutions are adequate.


Enterprise Governance … Its need

Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance principles are often closely related to and often intertwined with corporate and IT governance.

The figure below explains the responsibilities and priorities of the governance committee and also discusses the need for, and driving factors behind, security governance. This is a top-down approach to enterprise governance.

[Figure: CEO and governance committee]

In the next blog, I will discuss the roles and responsibilities of the CISO/CSO/ISO and the elements of “Designing a Security Framework”.


CIA Triad … A Quick Glance

I realized that CISSP has tons of terminology and hence it requires multiple rounds of revision. It is also very difficult to go through the book pages every time for revision. Hence, I have created the mind-map chart below to get a quick glance. After this it was very easy and smooth to recall all the concepts I read and wrote about in the previous blog.

Please share your ideas/strategy for keeping concepts at your fingertips. As always, feedback/comments would be highly appreciated.

CIA Triad

CIA Triad in Details… Looks Simple but Actually Complex

CIA stands for confidentiality, integrity and availability, which are said to be the three most important elements of reliable security.

In simple terms, the three parts of the CIA triad can be summarized as follows:

  • Confidentiality: limit who has access to information
  • Integrity: governs how and when information is modified
  • Availability: ensure people who are authorized to access information are able to do so.


A complete security solution should adequately address each of these tenets.


The objective of confidentiality is to prevent or minimize unauthorized access to data, objects or resources and to ensure that no one other than the intended recipient receives it or is able to read it.

This raises the question of how confidentiality is violated or broken. There are numerous intentional attacks focused on it, such as:

  • Capturing Network traffic
  • Stealing password files via social engineering
  • Port scanning
  • Shoulder surfing
  • Eavesdropping, such as listening in on telephone lines or network sniffing
  • Escalation of privileges

In many instances, unauthorized disclosure of sensitive or confidential information is due to unintentional causes such as the following:

  • Human error
  • Oversight – An unintentional mistake resulting from failure to notice something.
  • Ineptitude – Lack of training
  • Failing to properly encrypt a transmission
  • Failing to fully authenticate a remote system before transferring data
  • Writing malicious code that opens a back door
  • Mis-routed faxes
  • Documents left on Printers
  • Walking away from an access terminal while data is displayed on the monitor.
  • Mis-configured security control.
  • Dumpster diving – the things we throw away such as Hard disk, Documents

There are also numerous countermeasures that can help to increase confidentiality against possible threats.

  • Encryption
  • Network traffic padding
  • Strict access control such as Locked Door, Security Guard, Permission on File/Folder/Database
  • Rigorous authentication procedures
  • Data classification
  • Extensive personnel training.

Sensitivity: It refers to the quality of information, which could cause harm or damage if disclosed. e.g. Nuclear Facility

Criticality: The level to which information is mission critical. The higher the level of criticality, the more likely the need to protect it.

Discretion: It is an act of decision where an operator can influence or control disclosure.

Concealment: It is an act of hiding, i.e. think of it as “camouflage”, e.g. steganography, which hides information under the guise of something else. Often concealment can be viewed as a cover, obfuscation or distraction.

Secrecy: It is an act of keeping something secret, e.g. protecting information with the help of encryption, because without the encryption key the information is not accessible. Another example could be the Coke formula.

Privacy: It is an act of keeping information about person under safe custody. e.g. Personally Identifiable Information (PII)

Seclusion: It is an act of storing something in an “out of the way” location. e.g. Password Vault, Storage Vault

Isolation: It is an act of keeping something separate from the Rest. e.g. DMZ


Accuracy: Integrity makes sure that information is not altered while the object is in storage, in transit or in process.

Authenticity: Who is sending this information? Is the source Trusted?

Completeness: Having all needed and necessary parts e.g. Database Query

Consistency: Maintaining Data consistency e.g. Database replication

Integrity Protection: Keep bad actors away from data, prevent unauthorized modification, and prevent unauthorized modification by authorized users.

Integrity Verification: Verification of Data at the time of use e.g. Message Digest

Non-repudiation: It ensures that the subject of an activity, or the entity that caused an event, cannot deny that the event occurred because of them. e.g. activity logging, digital certificates, session identifiers, transaction logs, access control mechanisms.

This raises the question of how integrity is violated or broken. There are numerous intentional attacks focused on it, such as:

  • Viruses
  • Logic Bombs
  • Unauthorized Access
  • Errors in Coding and Application
  • Malicious Modification
  • System Back doors

In many instances, there are unintentional causes of integrity breaches, including modifying/deleting files, entering invalid data, altering configurations, and errors in commands, code and scripts:

  • Human error
  • Oversight – An unintentional mistake resulting from failure to notice something.
  • Ineptitude – Lack of training
  • Introducing virus
  • Executing malicious code such as Trojan Horse
  • Writing malicious code that opens a back door
  • Mis-configured security control.

There are also numerous countermeasures that can help to increase Integrity against possible threats.

  • Object/Data Encryption
  • Strict access control such as Locked Door, Security Guard, Permission on File/Folder/Database
  • Rigorous authentication procedures
  • Intrusion detection system
  • Hash total verification
  • Interface restriction
  • Input/Function checks
  • Extensive personnel training.
  • Activity Logging


Availability means that authorized subjects are granted timely and uninterrupted access to objects.

Usability: The state of being easy to use

Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capability.

Timeliness: Being prompt, on time

This raises the question of how availability is violated or broken. There are numerous intentional attacks focused on it, such as:

  • DoS/DDoS attacks
  • Object destruction
  • Communication Interruption
  • Device Failure
  • Software errors
  • Environmental issues i.e. Heat, Power Loss, Static, Flooding

In many instances, there are unintentional causes of availability breaches, including accidentally deleting files, over-utilizing a hardware or software component, under-allocating resources, and mislabeling or incorrectly classifying objects:

  • Human error
  • Oversight – An unintentional mistake resulting from failure to notice something.
  • Ineptitude – Lack of training
  • Mis-configured security control.

There are also numerous countermeasures that can help to increase Availability against possible threats.

  • Monitoring Performance and network traffic
  • Use of Firewall/Router to prevent DoS/DDoS attacks
  • Implementing Redundancy for critical system (Clustering)
  • Maintaining and testing backup systems.
  • BCP/DR site
  • Fault Tolerance design.
  • RAID


All three parts of the CIA triad are equally important; however, sometimes we need to prioritize one of them, or a combination of them, over the others depending on the context and the organisation’s needs, e.g.

  • Proprietary Information: Let’s assume we are dealing with or examining proprietary information and deciding which part of the CIA triad to prioritize. In this case, since it is proprietary, the priority should be Confidentiality, i.e. limiting access to the underlying information itself.
  • Financial Information: In another example, consider financial information in a bank that is supposed to be protected. In this specific case, the priority will be to protect the Integrity of the underlying information so that all the transactions remain at their true value.
  • Information Available for Public Consumption: Let’s now consider the case where some type of information is available for public consumption. In this case Availability will hold the priority, because making the information available to the public is its main purpose. Confidentiality will not be an issue since it is available to everyone, whereas Integrity holds a lower priority than Availability.

Hence, an interesting generalization of this concept of CIA prioritization is that in many cases Military and Government organizations tend to prioritize confidentiality above Integrity and Availability; whereas private companies tend to prioritize Availability over others.


CISSP Study Strategy

Initially I struggled to decide what would be the best approach for this exam and took different initiatives (read one chapter, went through YouTube videos), but as soon as I moved on to a new chapter my concepts from the previous chapter started to fade away. Even though all of those helped, it was difficult for me to judge whether those things covered what I was supposed to know.

The CISSP exam covers eight domains from the (ISC)2 Common Body of Knowledge (CBK):

  1. Security and Risk Management
  2. Asset Security
  3. Security Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

At the end I realized the following strategy best suited me in preparing for this exam.

  1. Focus only on “ONE DOMAIN” at a time:
    • Correlate each concept with a real-world case study, to stitch the concepts into my brain.
    • Inculcate a habit of speaking the CISSP language frequently.
    • Make use of the “Sybex Official Study Guide 8th Ed”.
  2. Revising the concepts every next day: This exam consists of tons of theoretical concepts, which are very hard to digest at times. Hence “revision again and again is my key”.
  3. Practice sample questions: After all, practice sample questions available on the web or in books just to verify my understanding, and search on the topics case by case.
  4. Buddy up with peers who passed this exam or are even appearing for this exam: I had great group discussions with people who recently passed this exam and also with people studying for this exam, in which we could review the domains together and talk over the things we did not understand. This kind of exam preparation is useful because I can take advice and guidance from other people who are about to take the exam, even over drinks while sitting in a bar. Don’t worry if you do not have a buddy – “I am always available” 🙂

Therefore, my preparation process is to go through each domain one after another in the study guides to make sure I understand the language of the exam, the content of the questions and the concepts CISSP aims to teach.

Please feel free to contribute your own study strategy and feedback. After all, as I mentioned, it’s a journey, and it gets easier if one proceeds in a swarm.


On to my Next Journey … CISSP

Having started my career with Cisco, primarily on Cisco security and wireless technologies such as Wi-Fi, LoRa, 6LoWPAN, ACS, ISE, NAC and ASA, I completed my CCIE Wireless in 2014 and looked for some challenges… Having mastered that, I’ve decided to study for my next journey, i.e. CISSP. My target is to achieve this by early 2020, preferably by Q1 2020. In wireless I had the opportunity to architect, design, implement and test complex wireless networks across multiple verticals such as enterprise, manufacturing, stadiums, healthcare etc. I also had the opportunity to go through CCNA -> CCNP -> CCIE with lots of hands-on job experience.

This makes it a real challenge for me, and I am looking forward to facing it.

After doing a lot of research on the internet, I realized there are very good books available which cover a good amount of the theory portion, but it is going to be challenging to understand CISSP concepts via case studies and real-world scenarios to help me on my way. Therefore I started this blog primarily to assist me on this difficult journey and also to help others wishing to walk down the same track.

Please feel free to contribute with your thoughts, understanding & feedback.

Software Licensing & Import/Export Law

A security professional should also be familiar with the legal issues surrounding software licensing agreements. There are four main types of license agreement in use today. Refer to the mindmap below for details.

Also, import/export law helps a company control the flow of its information across multiple countries.

Case Study:
The case study below will help us understand “why” encryption export control is required for a company/enterprise.

  • Let us assume one of the hosts in South Africa is trying to communicate with one of the hosts in India, and the traffic exits from your perimeter router via the Internet.
  • Also assume this host in South Africa is using some form of encryption algorithm which is allowed in South Africa and India but “not” in “Singapore”, because different countries may have different laws regarding the transmission of data or encryption standards.
  • Considering the nature of IP packet flow, this traffic stream may take many different routes; let us assume in this case it goes via Singapore.
  • In this case, your end-to-end host communication is violating the law of Singapore.
  • Hence, if there is a chance of breaking a foreign nation’s data laws, we must control data flow to avoid violations, and this must be included in “Risk Management”.
  • The solution to such a problem could be to use a pinned path (avoiding the flow via Singapore) in WAN technologies: MPLS, Frame Relay, ATM.
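The path-pinning idea in this case study can be modelled as a route computation that refuses hops in jurisdictions where the chosen cipher is not permitted. The following is an added example (not from the original post) over a constructed five-router topology with made-up country labels; the rule set marking Singapore as a prohibited transit country is likewise constructed, and the code models the selection logic only, not MPLS, Frame Relay or ATM configuration.

```python
"""Jurisdiction-aware path selection for the encryption export-control case study.

Added example, not from the original post. LINKS, COUNTRY and
PROHIBITED_TRANSIT are constructed for illustration.
"""
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed topology: router -> directly connected neighbours.
LINKS: Dict[str, List[str]] = {
    "za-edge": ["sg-core", "mu-core"],
    "sg-core": ["za-edge", "in-edge"],
    "mu-core": ["za-edge", "ae-core"],
    "ae-core": ["mu-core", "in-edge"],
    "in-edge": ["sg-core", "ae-core"],
}
# Constructed jurisdiction of each router.
COUNTRY: Dict[str, str] = {"za-edge": "ZA", "sg-core": "SG", "mu-core": "MU",
                           "ae-core": "AE", "in-edge": "IN"}
# Constructed rule set: countries where the chosen cipher may not transit.
PROHIBITED_TRANSIT: FrozenSet[str] = frozenset({"SG"})


def shortest_path(src: str, dst: str,
                  avoid_countries: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Breadth-first search over LINKS, skipping any hop in a prohibited country.
    Returns the hop list, or None when no compliant route exists (the failure
    case a risk assessment must plan for rather than silently falling back)."""
    if COUNTRY[src] in avoid_countries or COUNTRY[dst] in avoid_countries:
        return None  # endpoints must themselves sit in permitted jurisdictions
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in LINKS[node]:
            if nxt in prev or COUNTRY[nxt] in avoid_countries:
                continue
            prev[nxt] = node
            queue.append(nxt)
    return None


def transit_countries(path: List[str]) -> Set[str]:
    """Countries a path passes through, endpoints included."""
    return {COUNTRY[n] for n in path}


if __name__ == "__main__":
    default = shortest_path("za-edge", "in-edge")
    pinned = shortest_path("za-edge", "in-edge", PROHIBITED_TRANSIT)
    print("default:", default, sorted(transit_countries(default)))
    print("pinned :", pinned, sorted(transit_countries(pinned)))
```

With the constructed topology the unconstrained route transits Singapore, the pinned route detours via Mauritius and the UAE, and forbidding both SG and MU leaves no compliant route at all.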