I am currently preparing for CISM certification.
But my puppy is by far cuter.
CISSP SECURITY ENGINEERING
Security engineering lifecycle
Stages
Requirements and Engineering
Detailed Design
Implementation
Integration and Verification
System Verification and Validation
Operation and Maintenance
ISO/IEC 15288:2015, Systems and software engineering — System life cycle processes


CISSP SECURITY ENGINEERING
Security engineering book
Available for free online
I discovered a very helpful book on Security Engineering available at https://www.cl.cam.ac.uk/~rja14/book.html
It covers:
- Chapter 1: What is Security Engineering?
- Chapter 2: Usability and Psychology
- Chapter 3: Protocols
- Chapter 4: Access Control
- Chapter 5: Cryptography
- Chapter 6: Distributed Systems
- Chapter 7: Economics
- Chapter 8: Multilevel Security
- Chapter 9: Multilateral Security
- Chapter 10: Banking and Bookkeeping
- Chapter 11: Physical Protection
- Chapter 12: Monitoring and Metering
- Chapter 13: Nuclear Command and Control
- Chapter 14: Security Printing and Seals
- Chapter 15: Biometrics
- Chapter 16: Physical Tamper Resistance
- Chapter 17: Emission Security
- Chapter 18: API Security
- Chapter 19: Electronic and Information Warfare
- Chapter 20: Telecom System Security
- Chapter 21: Network Attack and Defence
- Chapter 22: Copyright and DRM
- Chapter 23: The Bleeding Edge
- Chapter 24: Terror, Justice and Freedom
- Chapter 25: Managing the Development of Secure Systems
- Chapter 26: System Evaluation and Assurance
- Chapter 27: Conclusions

CYBER RISK
- Key risk indicators (KRIs) are measures that seek to quantify the security risk facing an organization. KRIs, unlike KPIs and KGIs, are a look forward.
- They attempt to show how much risk exists that may jeopardize the future security of the organization.
- Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives.
- KPIs are mutually agreed-upon measures that evaluate whether a security program is meeting its defined goals. Generally speaking, KPIs are a look back at historical performance, providing a measuring stick to evaluate the past success of the program.
- Key goal indicators (KGIs) are similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored Social Security numbers (SSNs), a KGI might track the percentage of SSNs removed.
- KMIs are not a standard metric for cybersecurity programs.
Reputational risk
Recovery point objective (RPO) is the maximum acceptable amount of data loss in the event of a disaster, expressed as a period of time: data created in that window before the failure may be lost, so a restorable backup must exist at least that often.
Recovery time objective (RTO) is the amount of time that may elapse between when a system fails and when it is recovered before causing substantial harm to the business.
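To make the two definitions concrete, here is an added worked example (mine, not from the page or any vendor's tooling) that measures an outage against an RPO and an RTO. The backup schedule, failure time and objectives are constructed sample data. The point it shows that the definitions alone do not: a backup run that failed does not move the recovery point, so the real data loss is measured from the last backup that can actually be restored, and a schedule has to be tighter than the RPO if failed runs are to be tolerated.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example (not taken from the page):
# completion time of each backup run and whether it succeeded.
BACKUP_RUNS = [
    (datetime(2024, 3, 10, 0, 0), True),
    (datetime(2024, 3, 10, 6, 0), True),
    (datetime(2024, 3, 10, 12, 0), False),  # failed run: nothing restorable from it
    (datetime(2024, 3, 10, 18, 0), True),
]
FAILURE_TIME = datetime(2024, 3, 10, 14, 30)   # the system fails here
RECOVERED_TIME = datetime(2024, 3, 10, 18, 0)  # service is restored here
RPO = timedelta(hours=8)                       # assumed objectives
RTO = timedelta(hours=4)


def last_good_backup(runs, failure_time):
    """Most recent backup that completed before the failure AND succeeded.
    A failed run does not advance the recovery point: the data it should
    have captured is lost together with everything produced after it."""
    candidates = [t for t, ok in runs if ok and t <= failure_time]
    return max(candidates) if candidates else None


def data_loss_window(runs, failure_time):
    """Actual data loss as a timedelta, or None if nothing is restorable."""
    t = last_good_backup(runs, failure_time)
    return None if t is None else failure_time - t


def rpo_met(runs, failure_time, rpo):
    loss = data_loss_window(runs, failure_time)
    return loss is not None and loss <= rpo


def rto_met(failure_time, recovered_time, rto):
    """Downtime is counted from the failure, not from when recovery began."""
    return recovered_time - failure_time <= rto


def max_backup_interval(rpo, tolerated_failed_runs=0):
    """Largest scheduling interval that still meets the RPO in the worst case:
    a failure just before the next run completes, preceded by N failed runs,
    loses (N + 1) intervals of data, so the interval must be RPO / (N + 1)."""
    return rpo / (tolerated_failed_runs + 1)


if __name__ == "__main__":
    print("last good backup:", last_good_backup(BACKUP_RUNS, FAILURE_TIME))
    print("data loss:", data_loss_window(BACKUP_RUNS, FAILURE_TIME),
          "RPO met:", rpo_met(BACKUP_RUNS, FAILURE_TIME, RPO))
    print("downtime:", RECOVERED_TIME - FAILURE_TIME,
          "RTO met:", rto_met(FAILURE_TIME, RECOVERED_TIME, RTO))
    print("interval for an 8h RPO tolerating one failed run:",
          max_backup_interval(RPO, 1))
```

In the sample, the 12:00 run failed, so the failure at 14:30 loses 8.5 hours of data against an 8-hour RPO even though backups were scheduled every 6 hours; the 3.5-hour outage does meet the 4-hour RTO.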
Mail transfer agents (MTAs) are a component of email infrastructure.
- Reputational risk occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders.
- Financial risk is the risk of monetary damage to the organization as the result of a data breach.
- Strategic risk is the risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach.
- Operational risk is risk to the organization's ability to carry out its day-to-day functions.
While the breach may affect all of these things, the loss of confidence Renee is most concerned about is most accurately described as a reputational risk.
The defacement of a website alters content without authorization and is, therefore, a violation of the integrity objective.
The most important questions a threat researcher can ask about a threat intelligence feed:
- First, it is important to know whether the information is timely or not. A feed that is operating on delay can cause you to miss a threat, or to react after the threat is no longer relevant.
- Second, you need to know whether the information is accurate. You must know whether you can rely on what it says, and how likely it is that the assessment is valid.
- Finally, you must know whether the information is relevant to your organization. If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization. It is less important to know whether the information is proprietary or open source.
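The three questions above are effectively a triage filter. Here is an added example (my code, not from the page) that applies them to a small constructed feed: timeliness is an age limit on the publication time, accuracy is a floor on the source's stated confidence, and relevance is whether the indicator's platforms and target sectors overlap with the organization's own. The indicator records, the organization profile and the thresholds are all assumptions made for the example; the `source` field (open versus commercial) is carried along only to show that the triage deliberately does not consult it.

```python
from datetime import datetime, timedelta

# Constructed sample feed; indicators, times and confidence scores are made up.
NOW = datetime(2024, 3, 12, 9, 0)
FEED = [
    {"id": "ind-1", "type": "ipv4-addr", "value": "192.0.2.10",
     "published": datetime(2024, 3, 12, 7, 0), "confidence": 85,
     "platforms": {"linux"}, "sectors": {"finance"}, "source": "commercial"},
    {"id": "ind-2", "type": "sha256", "value": "0" * 64,
     "published": datetime(2024, 1, 5, 0, 0), "confidence": 90,
     "platforms": {"windows"}, "sectors": {"finance"}, "source": "open"},  # stale
    {"id": "ind-3", "type": "domain-name", "value": "c2.example",
     "published": datetime(2024, 3, 11, 22, 0), "confidence": 30,
     "platforms": {"windows"}, "sectors": {"finance"}, "source": "open"},  # low confidence
    {"id": "ind-4", "type": "domain-name", "value": "phish.example",
     "published": datetime(2024, 3, 11, 9, 0), "confidence": 80,
     "platforms": {"macos"}, "sectors": {"healthcare"}, "source": "commercial"},  # not our estate
]
# Assumed profile of the organization consuming the feed.
ORG = {"platforms": {"windows", "linux"}, "sectors": {"finance"}}
MAX_AGE = timedelta(hours=72)   # assumed: older indicators are treated as stale
MIN_CONFIDENCE = 60             # assumed: source confidence floor, 0-100


def is_timely(ind, now, max_age):
    """Timely: published recently enough that we can still act on it."""
    return now - ind["published"] <= max_age


def is_accurate(ind, min_confidence):
    """Accurate: the source's own confidence in the assessment is high enough."""
    return ind["confidence"] >= min_confidence


def is_relevant(ind, org):
    """Relevant: it concerns a platform we run and a sector we belong to."""
    return bool(ind["platforms"] & org["platforms"]) and bool(ind["sectors"] & org["sectors"])


def triage(feed, org, now=NOW, max_age=MAX_AGE, min_confidence=MIN_CONFIDENCE):
    """Map indicator id -> list of failed criteria; an empty list means actionable.
    ind['source'] is intentionally ignored: open vs proprietary origin is not
    one of the three questions."""
    checks = [
        ("timely", lambda i: is_timely(i, now, max_age)),
        ("accurate", lambda i: is_accurate(i, min_confidence)),
        ("relevant", lambda i: is_relevant(i, org)),
    ]
    return {i["id"]: [name for name, ok in checks if not ok(i)] for i in feed}


def actionable(feed, org, **thresholds):
    """Ids of indicators that pass all three questions, in feed order."""
    return [iid for iid, failed in triage(feed, org, **thresholds).items() if not failed]


if __name__ == "__main__":
    for iid, failed in triage(FEED, ORG).items():
        print(iid, "actionable" if not failed else "rejected: " + ", ".join(failed))
```

Running it rejects ind-2 as stale, ind-3 as low-confidence and ind-4 as irrelevant to this organization, leaving ind-1 as the only indicator worth pushing to detection; the commercial origin of ind-4 does not rescue it, which is the page's last point.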