CISSP DOMAIN 1 SECURITY AND RISK MANAGEMENT

Purpose of Information Security Management
establishes the foundation of a comprehensive and proactive security program

communicates the risks accepted by the organization

Scope of Information Security Management
encompasses the administrative, technical, and physical controls necessary to adequately protect the confidentiality, integrity, and availability of information assets.
Tools used to execute Information Security Management
risk assessment, risk analysis, data classification, and security awareness.
Purpose of Risk Management
minimizes loss to information assets due to undesirable events through identification, measurement, and control.

provides a mechanism to the organization to ensure that executive management knows current risks, and informed decisions can be made

Execution of Risk Management
It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review.
3 Goals of information security
CIA – Confidentiality, integrity, and availability
4 Risk outcomes
risk avoidance, risk transfer, risk mitigation, or risk acceptance
Security Management types of data
regulatory, customer, employee, and business partner requirements for managing data as they flow between the various parties to support the processing and business use of the information.
Business continuity planning (BCP) and disaster recovery planning (DRP)
address the preparation, processes, and practices required to ensure the preservation of the organization in the face of major disruptions to normal organization operations.
BCP and DRP Activities
the identification, selection, implementation, testing, and updating of processes and specific prudent actions necessary to protect critical organization processes from the effects of major system and network disruptions and to ensure the timely restoration of organization operations if significant disruptions occur.
1.1 CONFIDENTIALITY, INTEGRITY & AVAILABILITY
The concepts of confidentiality, integrity, and availability
core concepts of availability, integrity, and confidentiality are supported by adequate security controls designed to mitigate or reduce the risks of loss, disruption, or corruption of information.
Confidentiality
supports the principle of “least privilege” by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis.
Confidentiality Controls
Data classification

Access controls - identification, authentication, and authorization

Encryption - a control for protecting confidentiality

Encryption Purpose
limits the usability of the information in the event it is accessed by an unauthorized person.
Integrity
principle that information should be protected from intentional, unauthorized, or accidental changes.
Integrity Controls
Segregation of duties

Approval checkpoints in the systems development life cycle (SDLC)

Implementation of testing practices that assist in providing information integrity

Limiting update capability to those individuals with a documented need to access limits the exposure to intentional and unintentional modification

Availability
principle that ensures that information is available and accessible to users when needed.
two primary areas affecting the availability of systems
1. Denial-of-Service attacks
2. Loss of service due to a disaster, which could be man-made (e.g., poor capacity planning resulting in system crash, outdated hardware, and poor testing resulting in system crash after upgrade) or natural (e.g., earthquake, tornado, blackout, hurricane, fire, and flood).
Availability Controls
an up-to-date and active anti-malicious code detection system

tested incident management plans

disaster recovery planning or business continuity planning that ensures that the department functions using alternate processes when an outage to the computer system occurs for a defined period.

Technology Design & Implementation Considerations
Security architect: “Will it enhance any of the core security principles?”
Security practitioner: “Will it impact any of the core security principles?”
Examples of CIA
Confidentiality: the selection of a security token utilizing strong, two-factor authentication

Integrity: An identity management system would be best deployed to support access control in order to ensure that only the appropriate personnel have update functions commensurate with their job

Availability: The software and hardware necessary to perform the backups

SECURITY GOVERNANCE
Security governance
The intent of governance is to guarantee that:

the appropriate information security activities are being performed to ensure that the risks are appropriately reduced,

the information security investments are appropriately directed, and

executive management has visibility into the program and is asking the appropriate questions to determine the effectiveness of the program.

Best Practice Control Frameworks
NIST, ITIL, ISO 27000, COSO, and COBIT
IT Governance Responsibility
“the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”
Board Responsibilities
Be informed about information security
Set direction to drive policy and strategy
Provide resources to security efforts
Assign management responsibilities
Set priorities
Support changes required
Define cultural values related to risk assessment
Obtain assurance from internal or external auditors
Insist that security investments are made measurable and reported on for program effectiveness.
Management Responsibilities
1. Write security policies with business input
2. Ensure that roles and responsibilities are defined and clearly understood
3. Identify threats and vulnerabilities
4. Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
5. Ensure that policy is approved by the governing body
6. Establish priorities and implement security projects in a timely manner
7. Monitor breaches
8. Conduct periodic reviews and tests
9. Reinforce awareness education as critical
10. Build security into the systems development life cycle
Outcome of failure to protect info assets from loss, destruction or unexpected alteration
results in significant loss of productivity, damage to reputation, or financial loss.
What Info Security validates
policies, procedures, standards, and guidelines implemented to ensure business operations are conducted within an acceptable level of risk.
Why Info Security exists
exists to support and enable the vision, mission, and business objectives of the organization
Info security management decision-making judgment
requires judgment based upon:
the risk tolerance of the organization,
the costs to implement the security controls,
the benefit to the business.
Risk management elements for security management
risk management that includes:

a strong understanding of the business objectives of the organization,

senior management’s tolerance for risk,

the costs of the various security alternatives,

the due diligence to match the appropriate security controls to the business initiatives.

Security Professionals' Role
relied upon for their knowledge of security and risk management principles.

risk advisors to the organization; they should not be the final decision makers when it comes to risk management.

residual risk
risk remaining after the safeguard is properly implemented and sustained
security and risk management relationships
assess risk and determine need
monitor and evaluate
promote awareness
implement policies and controls
common organizational activities impacting security
1. acquisitions and mergers
2. divestitures and spinoffs
governance committee objectives
responsible for recruiting and maintaining the governance board for an organization.

responsible for determining missing qualifications and characteristics needed to enhance the efficiency and effectiveness of the board.

Security Professionals responsibility in relation to committee
Ensure the committee understands at a high level the importance of information security and risk management.

Ensure committee recruitment exercises for new board members include requirements for information security and risk aptitude where needed.

Maintain a working relationship with committee members and be available to respond to specific risk, privacy, and information security questions as needed.

Info Security Officer Responsibilities
ensuring the protection of all business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability.

ensuring that the security policies, procedures, baselines, standards, and guidelines are written to address the information security needs of the organization.
(requires input from depts.)

staying abreast of emerging technologies to ensure that the appropriate solutions are in place for the company based upon its risk profile, corporate culture, resources available, and desire to be an innovator.

implementing and operating computer incident response teams (CIRTs).

providing the leadership for the information security awareness program by ensuring that the program is delivered in a meaningful, understandable way to the intended audience.

responsible for understanding the business objectives of the organization, ensuring that a risk assessment is performed, taking into consideration the threats and vulnerabilities impacting the particular organization, and subsequently communicating the risks to executive management.

Executive Management Focus
cost/benefit of the solution and what residual risk will remain after the safeguards are implemented.

What is the real perceived threat (problem to be solved)?
What is the risk (impact and probability) to business operations?
What is the cost of the safeguard?
What will be the residual risk (risk remaining after the safeguard is properly implemented and sustained)?
How long will the project take?

Each of these must be evaluated along with the other items competing for resources (time, money, people, and systems).

Rationale for Info Security Officer Reporting to highest level
Maintain visibility of the importance of information security.

Limit the distortion or inaccurate translation of messages that can occur due to hierarchical, deep organizations.

Info Security Officer Reporting Line Pros/Cons
CEO
pro: greatly reduces the filtering of messages
con: the CEO may be preoccupied

IT Dept
pro: the individual to whom the security officer is reporting has an understanding of the technical issues often impacted by information security and typically has the clout with senior management to make the desired changes.
con: the downside of this reporting structure is the conflict of interest.

Corporate Security
pro: similar goals
con: being associated with the physical security group could result in the perception of a police-type mentality.

Administrative Service
pro: provides focus on security for all forms of information
con: the leaders of this area would have a limited knowledge of information technology, and this could make it more difficult to understand both the business strategies and security requirements and to communicate technical solutions to senior executives and the CEO.

Internal Audit
pro: both areas are focused on improving the controls of the company.
con: conflict of interest

Insurance and Risk Management
pro: already concerned with the risks to the organization and the methods to control those risks through mitigation, acceptance, and insurance.
con: the risk officer may not be conversant in information systems technology, and the strategic focus of this function may give less attention to day-to-day operational security projects.

Legal
pro: attorneys are concerned with compliance with regulations, laws, and ethical standards, performing due diligence, and establishing policies and procedures that are consistent with many of the information security objectives.
con: due to the emphasis on compliance activities, the information security department may end up performing more compliance-checking activities (versus security consulting and support), which are typically the domain of internal audit.

Info Security Plans
Strategic plans are aligned with the strategic business and information technology goals. These plans have a longer-term horizon (three to five years or more) to guide the long-term view of the security activities.

Tactical plans provide the broad initiatives to support and achieve the goals specified in the strategic plan. Tactical plans are shorter in length, such as 6-18 months, to achieve a specific security goal of the company.

Operational plans - specific plans with milestones, dates, and accountabilities provide the communication and direction to ensure that the individual projects are completed.

Oversight Committee Council Representation
HR department is essential to provide knowledge of the existing code of conduct, employment and labor relations, termination and disciplinary action policies, and practices that are in place.

Legal department is needed to ensure that the language of the policies states what is intended and that applicable local, state, and federal laws are appropriately followed.

IT department provides technical input and information on current initiatives and the development of procedures and technical implementations to support the policies.

The individual business unit representation is essential to understand how practical the policies may be in carrying out the mission of the business.

Compliance department representation provides insight on ethics, contractual obligations, and investigations that may require policy creation.

Security officer, who typically chairs the council, should represent the information security department and members of the security team for specialized technical expertise.

Security Program Oversight- Council Activities
Decide on Project Initiatives
Prioritize Information Security Efforts
Review and Recommend Security Policies
Review and Audit the Security Program
Champion Organizational Security Efforts
Recommend Areas Requiring Investment
End User Responsibilities
responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.
Executive Management Responsibilities
maintains the overall responsibility for protection of the information assets of the enterprise.
Management must be aware of the risks that they are accepting for the organization. Risk must be identified through risk assessment and communicated clearly so that management can make informed decisions.
Info Systems Security Professional
Drafting of security policies, standards and supporting guidelines, procedures, and baselines is coordinated through these individuals.
Data/Info/Business Owners
A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners, or their delegates, are responsible for understanding the risks that exist with regards to the information that they control.
(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 28). CRC Press. Kindle Edition.
Data/Info Custodian/Steward
A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end-users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed by systems administrators. This group administers access rights to the information assets on behalf of the information owners.
Info Systems Auditor
IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems.
Business Continuity Planner
Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company’s objectives negatively.
Info Systems/info Technology Professionals
These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed-upon operating policies and procedures.
Security Administrators
A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.
Network/Systems Administrator
A systems administrator configures network and server hardware and the operating systems running on them in order to ensure that the information accessible through these systems will be available when needed. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off-the-shelf (COTS) or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 29). CRC Press. Kindle Edition.

Physical Security
The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.
Benefits of Clear Security Roles
Demonstrable executive management support for information security
Increased employee efficiency by reducing confusion about who is expected to perform which tasks
Team coordination to protect information as it moves from department to department
Lower risks to company reputation/brand recognition due to security problems
Capability to manage complex information systems and networks
Personal accountability for information security
Reduction of turf battles between departments
Security objectives balanced with business objectives
Support of disciplinary actions for security violations up to and including termination
Facilitation of increased communication for resolution of security incidents
Demonstrable compliance with applicable laws and regulations
Shielding of management from liability and negligence claims
Road map for auditors to determine whether necessary work is performed effectively and efficiently
Continuous improvement efforts (i.e., ISO 9000)
Overall risk management
Provision of a foundation for determining the level of security and awareness training required
Elements of a Control Framework
Consistent – A governance program must be consistent in how information security and privacy is approached and applied.

Measurable – The governance program must provide a way to determine progress and set goals. Most control frameworks contain an assessment standard or procedure to determine compliance and in some cases risk as well.

Standardized – The governance program should rely on standardization so results from one organization or part of an organization can be compared in a meaningful way.

Comprehensive – The selected framework should cover the minimum legal and regulatory requirements of an organization and be extensible to accommodate additional organization-specific requirements.

Modular – A modular framework is more likely to withstand the changes of an organization since only the controls or requirements needing modification are reviewed and updated.

Due Care
Due care is an important topic for the information security professional to understand. It is primarily a legal term used to describe the care a “reasonable person” would exercise under given circumstances.
Due Diligence
Due diligence is similar to due care with the exception that it is a preemptive measure made to avoid harm to other persons or their property. If performed correctly, due diligence leads to due care when needed and avoids other situations where due care may need to be exercised.
Examples of due diligence activities:
Background checks of employees
Credit checks of business partners
Information system security assessments
Risk assessments of physical security systems
Penetration tests of firewalls
Contingency testing of backup systems
Threat intelligence services being used to check on the availability of company Intellectual Property (IP) posted to public forums and in the cloud
3. Compliance
is the process of ensuring adherence to security policies.
Sampling of key security and privacy laws
In most European nations, the right to privacy is considered a basic human right. European Union member nations are required to enact laws that comply with the Data Protection Directive (DPD) 95/46/EC.

In the United States, privacy legislation has taken more of a sector-based approach. Different laws regulate how organizations collect, use, and protect the confidentiality of personally identifiable information (PII) in different sectors. Examples include the Health Insurance Portability and Accountability Act (HIPAA) for health-related PII and the Gramm-Leach-Bliley Act (GLBA) for credit-related PII.
The payment card industry (PCI) has taken steps to prevent credit card fraud and protect cardholders against identity theft.

GRC Purpose
An approach commonly known as governance, risk management, and compliance (GRC) has evolved to analyze risks and manage mitigation in alignment with business and compliance objectives.
Governance
Governance ensures that the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated.
Risk Management
Risk management is a systematic process for identifying, analyzing, evaluating, remedying, and monitoring risk. As a result of this process, an organization or group might decide to mitigate a risk, transfer it to another party, or assume the risk along with its potential consequences.
Compliance
Compliance generally refers to actions that ensure behavior complies with established rules as well as the provision of tools to verify that compliance. It encompasses compliance with laws as well as the enterprise’s own policies, which in turn can be based on best practices.

Safe Harbor
A safe harbor provision is typically a set of “good faith” conditions that, if met, may temporarily or indefinitely protect the organization from the penalties of a new law or regulation.

Privacy Laws
Privacy laws and regulations pose “confidentiality” challenges for the security professional. Personally identifiable information is becoming an extremely valuable commodity for marketers, as demonstrated by the tremendous growth of social networking sites based on demography and the targeted marketing activities that come with them.

4. Legal and regulatory issues
Effect of Cybercrime
The loss of intellectual property and sensitive data.
Opportunity costs, including service and employment disruptions.
Damage to the brand image and company reputation.
Penalties and compensatory payments to customers (for inconvenience or consequential loss) or contractual compensation (for delays, etc.).
Cost of countermeasures and insurance.
Cost of mitigation strategies and recovery from cyber-attacks.
Computer and Cyber Crime Examples
CryptoLocker Ransomware – It spreads via email and propagates rapidly. The virus encrypts various file types and then a pop-up window appears on victims’ computers that states their data has been encrypted. The only way to get it back is to send a specified monetary payment to the perpetrator. This ransomware provides the victim with a timeline to pay via a displayed countdown clock.

Child Pornography Scareware – This scareware is transmitted when computer users visit an infected website. The victim’s computer locks up and displays a warning that the user has violated U.S. federal law. Child pornography is either embedded in a banner image that appears on the victims’ screen or revealed via an automatic browser redirecting them to a child pornography website. The scareware is used as an extortion technique by threatening prosecution for visiting or viewing these images. The victim is also informed that he or she has been recorded using audio, video, and other devices.

Citadel Ransomware – The Citadel ransomware, named Reveton, displays a warning on the victims’ computer purportedly from a law enforcement agency claiming that their computer had been used for illegal activities, such as downloading copyrighted software or child pornography. To increase the illusion they are being watched by law enforcement, the screen also displays the victim’s IP address, and some victims even report activity from their webcam. Victims are instructed to pay a fine to

Fake or Rogue Anti-Virus Software – In this scheme, victims are scared into purchasing anti-virus software that would allegedly remove viruses from their computers. A pop-up box appears that informs users that their computers are full of viruses and need to be cleaned. The pop-up message has a button victims can click to purchase anti-virus software that supposedly can immediately get rid of these viruses. If the victims click the pop-up to purchase the anti-virus software, they are infected with malware.

Intellectual Property Laws
Intellectual property laws are designed to protect both tangible and intangible items and property. Although there are various rationales behind the state-based creation of protection for this type of property, the general goal of intellectual property law is to protect property from those wishing to copy or use it, without due compensation to the inventor or creator.
Intellectual property is divided into two categories:
Industrial property, which includes inventions (patents), trademarks, industrial designs, and geographical indications of source;

Copyright, which includes literary and artistic works such as novels, poems and plays, films, musical works, artistic works such as drawings, paintings, photographs and sculptures, and architectural designs.

Trademark
Trademark laws are designed to protect the goodwill an organization invests in its products, services, or image. Trademark law creates exclusive rights to the owner of markings that the public uses to identify various vendor or merchant products or goods. A trademark consists of any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others. The trademark must be distinctive and cannot mislead or deceive consumers or violate public order or morality.
Trademarks are registered with a government registrar.
Patents
Simply put, a patent grants the owner a legally enforceable right to exclude others from practicing the invention covered for a specific time (usually 20 years). A patent is the “strongest form of intellectual property protection.” A patent protects novel, useful, and nonobvious inventions. The granting of a patent requires the formal application to a government entity. Once a patent is granted, it is published in the public domain to stimulate other innovations. Once a patent expires, the protection ends and the invention enters the public domain. WIPO, an agency of the United Nations, looks after the filing and processing of international patent applications.
Import/Export
Concerns about the inappropriate transfer of new information, technologies, and products with military applications outside the U.S. led to the passage of two laws in the late 1970s that control exports of selected technologies and products.
Copyright
A copyright covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases, and computer programs. In most countries, once the work or property is completed or is in a tangible form, the copyright protection is automatically assumed. Copyright protection is weaker than patent protection, but the duration of protection is considerably longer (e.g., a minimum of 50 years after the creator’s death or 70 years under U.S. copyright protection). Although individual countries may have slight variations in their domestic copyright laws, as long as the country is a member of the international Berne Convention, the protection afforded will be at least at a minimum level, as dictated by the convention; unfortunately, not all countries are members.
Trade Secret
A trade secret refers to proprietary business or technical information, processes, designs, practices, etc., that are confidential and critical to the business (e.g., Coca-Cola’s formula). The trade secret may provide a competitive advantage or, at the very least, allow the company to compete equally in the marketplace. To be categorized as a trade secret, it must not be generally known and must provide some economic benefit to the company. Additionally, there must be some form of reasonable steps taken to protect its secrecy. A trade secret dispute is unique because the actual contents of the trade secret need not be disclosed. Legal protection for trade secrets depends upon the jurisdiction.
Licensing Issues
The issue of illegal software and piracy is such a large problem that it warrants discussion.
There are several categories of software licensing including freeware, shareware, commercial, and academic.

Within these categories, there are specific types of agreements. Master agreements and end-user licensing agreements (EULAs) are the most prevalent, though most jurisdictions have refused to enforce the shrink-wrap agreements that were commonplace at one time. Master agreements set out the general overall conditions of use along with any restrictions, whereas the EULA specifies more granular conditions and restrictions. The EULA is often a “click through” or radio button that the end-user must click on to begin the install, indicating that he or she understands the conditions and limitations and agrees to comply.

4.
Export Controls – ITAR
Concerns about the inappropriate transfer of new information, technologies, and products with military applications outside the U.S. led to the passage of two laws in the late 1970s that control exports of selected technologies and products.

International Traffic in Arms Regulations (ITAR): The Arms Export Control Act of 1976 (Sec. 38), as amended (P.L. 90-629; codified at 22 U.S.C. Chapter 39, Subchapter III, Sec. 2778, Control of Arms Exports and Imports), authorizes the President to designate those items which shall be considered defense articles and defense services and to control their import and export. ITAR implements that authority.

Of the ITAR categories, the following 19 are of potential interest to information security because of the lateral applications of computer-related and information service technologies inherent in each:
1. Firearms
2. Artillery Projectors
3. Ammunition
4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
5. Explosives, Propellants, Incendiary Agents, and Their Constituents
6. Vessels of War and Special Naval Equipment
7. Tanks and Military Vehicles
8. Aircraft and Associated Equipment
9. Military Training Equipment
10. Protective Personnel Equipment
11. Military Electronics
12. Fire Control, Range Finder, Optical and Guidance and Control Equipment
13. Auxiliary Military Equipment
14. Toxicological Agents and Equipment and Radiological Equipment
15. Spacecraft Systems and Associated Equipment
16. Nuclear Weapons Design and Test Equipment
17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
18. Submersible Vessels, Oceanographic and Associated Equipment
19. Miscellaneous Articles: defense articles not specifically enumerated in the other categories that have substantial military applicability and that have been specifically designed or modified for military purposes. The decision on whether any article may be included in this category is made by the Director of the Office of Defense Trade Controls.
Also controlled are technical data (Sec. 120.21) and defense services (Sec. 120.8) directly related to the defense articles.

4.
Privacy
Privacy is defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.

Personal information is a rather generic concept and encompasses any information that is about or on an identifiable individual.

With the proliferation of technology and the increasing awareness that most of our personally identifiable information (PII) is stored online or electronically in some way, shape, or form, there is growing pressure to protect personal information.

This public concern has prompted the creation of regulations intended to foster the responsible use and stewardship of personal information.

In the context of this discussion, privacy is one of the primary areas in which businesses in almost all industries must deal with regulations and regulatory compliance.

4.
Export Controls – EAR
Export Administration Regulations (EAR) – The Export Administration Act of 1979 authorized the President to regulate exports of civilian goods and technologies (equipment, materials, software, and technology, including data and know-how) that have military

Of the nine declared categories on the Commerce Control List, the following are of particular interest to the information security professional:
Category 4 – Computers
Category 5 Part 1 – Telecommunications
Category 5 Part 2 – Information Security

In addition, Section 734.3(b)(3) of the EAR exempts publicly available technology and software from controls if it:
is already published or will be published;
arises during, or results from, fundamental research;
is educational; or
is included in certain patent applications.
The exemption does not apply to software controlled for “Encryption Item” reasons under Export Control Classification Number (ECCN) 5D002 (Information Security – “Software”) on the Commerce Control List, nor to mass-market encryption software with a symmetric key length exceeding 64 bits controlled under ECCN 5D992.

Security professionals need a broad understanding of basic concepts related to export controls:
The nature of the technology that is export controlled and how it is recognized,

What constitutes an “export” (ITAR) or a “deemed export” (EAR),

The fundamental research exclusion and the meaning of “public domain”, and

Whether there are restrictions imposed on publication of scientific and technical information resulting from the project or activity, or controls imposed by federal funding agencies on access to and dissemination of information resulting from the research.

4.
Wassenaar Arrangement
The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.

Participating States seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals and are not diverted to support such capabilities.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 49). CRC Press. Kindle Edition.

4.
Trans-Border Data Flow Movement
The movement of information across national borders drives today’s global economy.

Cross-border data transfers allow businesses and consumers access to the best available technology and services, wherever those resources may be located around the world. The free-flow of data across borders benefits all industry sectors, from manufacturing to financial services, education, healthcare, and beyond. The seamless transfer of information is as critically important as it is inexorably linked to the growth and success of the global economy.

Governments throughout the world are looking at new ways to identify their citizens and visitors to fight terrorism, to combat fraud, and to deliver services. This has prompted governments to consider identity cards, enhanced passports and other travel documents, and the use of biometrics in health cards, drivers’ licenses, and other entitlement documents. These documents will leave data trails that may create risks in countries without adequate data protection.

Corporations and governments, in a drive to reduce costs and become more efficient, are outsourcing activities, including the processing of personal information of their customers and citizens. The phenomenon is not new; the scale and speed and number of players having access to the data is unprecedented and shows little sign of abating. This has led to legitimate concerns about the security and misuse of information being transferred to countries without data protection legislation.

Technologies and applications as diverse as search engines, radio frequency identification chips (RFIDs), Voice Over Internet Protocol (VOIP), Web logging, and wireless communications generate huge amounts of personal transactional information and create data trails that can survive long after the transaction or conversation has taken place.

The fight against terrorism and the related concerns about public safety have prompted governments to put individuals under unprecedented scrutiny. Governments are demanding significant amounts of personal information about people entering their countries, developing assessment tools to detect suspicious patterns of travel and behavior, creating watch lists, and sharing this information with other countries.

Trans-border data flows are increasing exponentially, whether for processing purposes, to facilitate e-commerce, for law enforcement and national security purposes, or simply the result of people going about their daily lives. These trends are creating new and complex challenges for security professionals and other organizations charged with overseeing privacy and data protection laws.

Organization for Economic Cooperation and Development (OECD) Guidelines
The OECD guidelines are cautious about not creating barriers to the legitimate trans-border flow of personal information.

They caution members to be aware of, and sensitive to, regional or domestic differences, and to safeguard personal information transferred to countries that do not follow the OECD guidelines or an equivalent.

4.
Organization for Economic Cooperation and Development (OECD) Principles

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 51). CRC Press. Kindle Edition.

The eight OECD privacy principles are: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

Collection Limitation: There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality: Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.

Purpose Specification: The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use should be limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified above except:
With the consent of the data subject.
By the authority of law.

Security Safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

Openness: There should be a general policy of openness about developments, practices, and policies concerning personal data. Means should be readily available for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation: An individual should have the right:
To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him.
To have communicated to him data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him.
To be given reasons if a request made is denied and to be able to challenge such denial.
To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

Accountability: A data controller should be accountable for complying with measures that give effect to the principles stated above.

4.
Incident
A security event that compromises the integrity, confidentiality, or availability of an information asset.
4.
Breach
An incident that results in the disclosure or potential exposure of data.
4.
Data Disclosure
A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.
4.
Regulatory Requirements for Ethics Programs
These provide the basis for a minimal ethical standard upon which an organization can expand to fit its own unique organizational environment and requirements.

The reduced penalties available to organizations that maintain an effective compliance and ethics program provide strong motivation to establish one.

4.
A Brief Primer on VERIS, VCDB, and Security Professional Resources

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 55). CRC Press. Kindle Edition.

The Vocabulary for Event Recording and Incident Sharing (VERIS) and the VERIS Community Database (VCDB) are good companion references for the security professional to help with understanding incident terminology and context.
www.veriscommunity.com
www.github.com/vz-risk/veris
www.vcdb.org
http://www.databreachtoday.com/news (lists breach information for the U.S., U.K., Europe, India, and Asia)
http://www.informationisbeautiful.net/

4.
Understand Professional Ethics- Key People
Norbert Wiener
1940s: Consideration of computer ethics is recognized to have begun with the work of MIT professor Norbert Wiener during World War II, when he helped to develop anti-aircraft cannons capable of shooting down fast warplanes.
He and his colleagues created a new field of research that he called cybernetics, the science of information feedback systems.
The concepts of cybernetics, combined with the developing computer technologies, led Wiener to draw ethical conclusions about what is now called information and communication technology (ICT), and he predicted its social and ethical consequences.
1950: Published the book The Human Use of Human Beings, which laid out a comprehensive foundation that is still the basis for computer ethics research and analysis.

Donn B. Parker
Mid-1960s: While at SRI International in Menlo Park, CA, began examining unethical and illegal uses of computers and documenting examples of computer crime and other unethical computerized activities.
1968: Published “Rules of Ethics in Information Processing” in Communications of the ACM.
1973: Headed the development of the first Code of Professional Conduct for the Association for Computing Machinery, which was adopted by the ACM.

Joseph Weizenbaum
Late 1960s: A computer scientist at MIT, created a computer program he called ELIZA, scripted to provide a crude imitation of “a Rogerian psychotherapist engaged in an initial interview with a patient.”
1976: Wrote Computer Power and Human Reason, in which he expressed his concerns about the growing tendency to see humans as mere machines.

Walter Maner
Mid-1970s: Credited with coining the phrase “computer ethics” when discussing the ethical problems and issues created by computer technology; taught a course on the subject at Old Dominion University.
1978: Published the Starter Kit in Computer Ethics, which contained curriculum materials and advice for developing computer ethics courses.

James Moor of Dartmouth College
1985: Published “What Is Computer Ethics?” in the Computers and Ethics special issue of the journal Metaphilosophy.

Deborah Johnson of Rensselaer Polytechnic Institute
Mid-1980s: Published Computer Ethics, the first textbook in the field.

4.
What is FSGO
Federal Sentencing Guidelines for Organizations
4.
FSGO Updates for Responsibilities
Under the updated guidelines, board members and senior executives must assume more specific responsibilities for a program to be found effective:

Organizational leaders must be knowledgeable about the content and operation of the compliance and ethics program, perform their assigned duties exercising due diligence, and promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

4.
Purpose of an effective compliance and ethics program
exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
4.
NYSE Governance Structure (2003)
The U.S. Securities and Exchange Commission approved a new governance structure for the New York Stock Exchange (NYSE) in December 2003. It includes a requirement for companies to adopt and disclose a code of business conduct and ethics for directors, officers, and employees, and to promptly disclose any waivers of the code for directors or executive officers. The NYSE regulations require all listed companies to possess and communicate, both internally and externally, a code of conduct or face delisting.
4.
U.S. Sarbanes-Oxley Act of 2002
Introduced accounting reform and requires attestation to the accuracy of financial reporting documents.
4.
Ethics – Computers in the workplace
It is a computer ethics issue to consider how computers impact health and job satisfaction when information technology is introduced into a workplace.
4.
Ethics – Computer Crime
With the proliferation of computer viruses, spyware, phishing and fraud schemes, and hacking activity from every location in the world, computer crime and security are certainly topics of concern when discussing computer ethics.
4.
Ethics – Privacy and Anonymity
One of the earliest computer ethics topics to arouse public interest was privacy. The ease and efficiency with which computers and networks can be used to gather, store, search, compare, retrieve, and share personal information make computer technology especially threatening to anyone who wishes to keep personal information out of the public domain or out
4.
Ethics – Intellectual Property
One of the more controversial areas of computer ethics concerns the intellectual property rights connected with software ownership.
Richard Stallman, who started the Free Software Foundation, believes that software ownership should not be allowed at all. He claims that all information should be free, and that all programs should be available for copying, studying, and modifying by anyone who wishes to do so.
Deborah Johnson, author of the first major textbook on computer ethics, argues that software companies and programmers would not invest weeks and months of work and significant funds in the development of software if they could not recover the investment in the form of license fees or sales.
4.
Professional Responsibility and Globalization
Globalization issues that include ethics considerations:
Global laws
Global business
Global education
Global information flows
Information-rich and information-poor nations
Information interpretation
4.
The Hacker Ethic
The so-called hacker ethic, as popularized by Steven Levy’s Hackers (1984), is summarized as follows:
Access to computers should be unlimited and total.
All information should be free.
Authority should be mistrusted and decentralization promoted.
Hackers should be judged solely by their skills at hacking, rather than by race, class, age, gender, or position.
Computers can be used to create art and beauty.
Computers can change your life for the better.
4.
Common Computer Ethics Fallacies
Computer Game Fallacy: Computer users tend to think that computers will generally prevent them from cheating and doing wrong, as a game enforces its rules; in reality, systems rarely stop a user from doing something unethical.

Law-Abiding Citizen Fallacy: Laws provide guidance for many things, including computer use. Users sometimes confuse what is legal with regard to computer use with what is reasonable behavior for using computers.

Shatterproof Fallacy: The belief that what a person does with a computer can do only minimal harm, perhaps affecting a few files on the computer itself; it fails to consider the impact of actions before taking them (libel, stalking, harassment).

Candy-from-a-Baby Fallacy: Illegal and unethical activities, such as software piracy and plagiarism, are very easy to do with a computer. However, just because it is easy does not mean that it is right.

Hacker Fallacy: The commonly accepted hacker belief, documented in numerous reports and publications, that it is acceptable to do anything with a computer as long as the motivation is to learn and not to gain or profit from the activity.

Free Information Fallacy: The somewhat curious opinion held by many that information “wants to be free,” as mentioned earlier.

4.
Hacking and Hacktivism
Manuel Castells considers hacker culture as the “informationalism” that incubates technological breakthrough, identifying hackers as “the actors in the transition from an academically and institutionally constructed milieu of innovation to the emergence of self-organizing networks transcending organizational control”.
4.
Three main functions of the hacker ethic
It promotes the belief of individual activity over any form of corporate authority or system of ideals.

It supports a completely free-market approach to the exchange of and access to information.
It promotes the belief that computers can have a beneficial and life-changing effect.

4.
Ethics Codes of Conduct and Resources
The Code of Fair Information Practices (1973)
To secure the privacy and rights of citizens
1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for an individual to find out what information is in his or her file and how the information is being used.
3. There must be a way for an individual to correct information in his or her records.
4. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse.
5. There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.
4.
Ethics Codes of Conduct and Resources
National Conference on Computing and Values (1991)
It proposed the following four primary values for computing, originally intended to serve as the ethical foundation and guidance for computer security:
1. Preserve the public trust and confidence in computers.
2. Enforce fair information practices.
3. Protect the legitimate interests of the constituents of the system.
4. Resist fraud, waste, and abuse.
4.
Ethics Codes of Conduct and Resources
Internet Activities Board (IAB), now the Internet Architecture Board (1989)
RFC 1087 is a statement of policy by the Internet Activities Board (IAB) concerning the ethical and proper use of the resources of the Internet.

The IAB “strongly endorses the view of the Division Advisory Panel of the National Science Foundation Division of Network, Communications Research and Infrastructure,” which characterized as unethical and unacceptable any activity that purposely:
1. Seeks to gain unauthorized access to the resources of the Internet
2. Disrupts the intended use of the Internet
3. Wastes resources (people, capacity, computer) through such actions
4. Destroys the integrity of computer-based information or
5. Compromises the privacy of users

4.
Ethics Codes of Conduct and Resources
Computer Ethics Institute (CEI) (1992)
The Ten Commandments of Computer Ethics
1. Thou Shalt Not Use a Computer to Harm Other People.
2. Thou Shalt Not Interfere with Other People’s Computer Work.
3. Thou Shalt Not Snoop around in Other People’s Computer Files.
4. Thou Shalt Not Use a Computer to Steal.
5. Thou Shalt Not Use a Computer to Bear False Witness.
6. Thou Shalt Not Copy or Use Proprietary Software for Which You Have Not Paid.
7. Thou Shalt Not Use Other People’s Computer Resources without Authorization or Proper Compensation.
8. Thou Shalt Not Appropriate Other People’s Intellectual Output.
9. Thou Shalt Think about the Social Consequences of the Program You Are Writing or the System You Are Designing.
10. Thou Shalt Always Use a Computer in Ways That Insure Consideration and Respect for Your Fellow Humans.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 64). CRC Press. Kindle Edition.

4.
Ethics Codes of Conduct and Resources
National Computer Ethics and Responsibilities Campaign (NCERC)(1994)
The goal of NCERC is to foster computer ethics awareness and education. The campaign does this by making tools and other resources available for people who want to hold events, campaigns, awareness programs, seminars, and conferences or to write or communicate about computer ethics.
4.
How a Code of Ethics Applies to CISSPs
A code of ethics would then specify how professionals should pursue their common ideals so that each may do his or her best to reach the goals at a minimum cost while appropriately addressing the issues involved.

The code helps to protect professionals from certain stresses and pressures (such as the pressure to cut corners with information security to save money) by making it reasonably likely that most other members of the profession will not give in to the same pressures, so no one gains an advantage by doing so.

An ethics code also protects members of a profession from certain consequences of competition, and encourages cooperation and support among the professionals.

A code of ethics should also provide a guide to what computer professionals may expect other members of our profession to help each other do.

4.
Ethics Codes of Conduct and Resources
The Working Group on Computer Ethics (1991)
End User’s Basic Tenets of Responsible Computing:
1. I understand that just because something is legal, it isn’t necessarily moral or right.
2. I understand that people are always the ones ultimately harmed when computers are used unethically. The fact that computers, software, or a communications medium exists between me and those harmed does not in any way change moral responsibility toward my fellow humans.
3. I will respect the rights of authors, including authors and publishers of software as well as authors and owners of information. I understand that just because copying programs and data is easy, it is not necessarily right.
4. I will not break into or use other people’s computers or read or use their information without their consent.
5. I will not write or knowingly acquire, distribute, or allow intentional distribution of harmful software like bombs, worms, and computer viruses.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 65). CRC Press. Kindle Edition.

4.
Ethical bases for IT decision making (1-9)
Golden Rule – Treat others as you wish to be treated.

Kant’s Categorical Imperative – If an action is not right for everyone, it is not right for anyone.

Descartes’ Rule of Change (also called the Slippery Slope) – If an action is not repeatable at all times, it is not right at any time.

Utilitarian Principle (also called Universalism) – Take the action that achieves the most good. Put a value on outcomes and strive to achieve the best results.

Risk Aversion Principle – Incur least harm or cost. When there are alternatives that have varying degrees of harm and gain, choose the one that causes the least damage.

Avoid Harm – Avoid malfeasance or “do no harm.” This basis implies a proactive obligation of companies to protect their customers and clients from systems with known harm.

No Free Lunch Rule – Assume that all property and information belong to someone. This principle is primarily applicable to intellectual property that should not be taken without just compensation.

Legalism – Is it against the law? Moral actions may not be legal, and vice versa.

Professionalism – Is an action contrary to codes of ethics?

4.
Ethical bases for IT decision making (10-18)
Evidentiary Guidance – Is there hard data to support or deny the value of taking an action? This is not a traditional “ethics” value but one that is a significant factor related to IT’s policy decisions about the impact of systems on individuals and groups. This value involves probabilistic reasoning where outcomes can be predicted based on hard evidence based on research.

Client/ Customer/ Patient Choice – Let the people affected decide.

Equity – Will the costs and benefits be equitably distributed? Adherence to this principle obligates a company to provide similarly situated persons with the same access to data and systems.

Competition – This principle derives from the marketplace where consumers and institutions can select among competing companies, based on all considerations such as degree of privacy, cost, and quality.

Compassion/ Last Chance – Religious and philosophical traditions promote the need to find ways to assist the most vulnerable parties. Refusing to take unfair advantage of users or others who do not have technical knowledge is recognized in several professional codes of ethics.

Impartiality/ Objectivity – Are decisions biased in favor of one group or another? Is there an even playing field? IT personnel should avoid potential or apparent conflicts of interest.

Openness/ Full Disclosure – Are persons affected by this system aware of its existence, aware of what data are being collected, and knowledgeable about how it will be used?

Confidentiality – IT is obligated to determine whether data it collects on individuals can be adequately protected to avoid disclosure to parties whose need to know is not proven.

Trustworthiness and Honesty – Does IT stand behind ethical principles to the point where it is accountable for the actions it takes?

4.
Five ethical principles that apply to processing information in the workplace –
#1 INFORMED CONSENT
Informed consent: Try to make sure that the people affected by a decision are aware of your planned actions and that they either agree with your decision, or disagree but understand your intentions.

Example (of a violation): An employee gives a copy of a program that she wrote for her employer to a friend, and does not tell her employer about it.

5.
Policy
High level document that outlines senior management’s security directives
4.
Five ethical principles that apply to processing information in the workplace –
#2 HIGHER ETHIC IN THE WORST CASE
Higher ethic in the worst case: Think carefully about your possible alternative actions and select the beneficial, necessary ones that will cause the least, or no, harm under the worst circumstances.

Example: A manager secretly monitors an employee’s email, which may violate his privacy, but the manager has evidence-based reason to believe that the employee may be involved in a serious theft of trade secrets.

4.
Five ethical principles that apply to processing information in the workplace –
#3 CHANGE OF SCALE
Change of scale test: Consider that an action you may take on a small scale, or by you alone, could result in significant harm if carried out on a larger scale or by many others.

Examples: A teacher lets a friend try out, just once, a database that he bought to see if the friend wants to buy a copy, too. The teacher does not let an entire classroom of his students use the database for a class assignment without first getting permission from the vendor. A computer user thinks it’s okay to use a small amount of her employer’s computer services for personal business, since the others’ use is unaffected.

4.
Five ethical principles that apply to processing information in the workplace –
#4 OWNERS’ CONSERVATION OF OWNERSHIP
Owners’ conservation of ownership: As a person who owns or is responsible for information, always make sure that the information is reasonably protected and that ownership of it, and rights to it, are clear to users.

Example: A vendor, who sells a commercial electronic bulletin board service with no proprietary notice at log-on, loses control of the service to a group of hackers who take it over, misuse it, and offend customers.

4.
Five ethical principles that apply to processing information in the workplace –
#5 USERS’ CONSERVATION OF OWNERSHIP
Users’ conservation of ownership: As a person who uses information, always assume others own it and that their interests must be protected unless you explicitly know that you are free to use it in any way that you wish.

Example (of a violation): A hacker discovers a commercial electronic bulletin board with no proprietary notice at logon and informs his friends, who take control of it, misuse it, and then use it to offend other customers.

4.
(ISC)² Code of Professional Ethics

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 65). CRC Press. Kindle Edition.

Protect Society, the Commonwealth, and the Infrastructure
Promote and preserve public trust and confidence in information and systems.
Promote the understanding and acceptance of prudent information security measures
Preserve and strengthen the integrity of the public infrastructure.
Discourage unsafe practice.

Act Honorably, Honestly, Justly, Responsibly, and Legally
Tell the truth; make all stakeholders aware of your actions on a timely basis.
Observe all contracts and agreements, express or implied.
Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide Diligent and Competent Service to Principals
Preserve the value of their systems, applications, and information.
Respect their trust and the privileges that they grant you.
Avoid conflicts of interest or the appearance thereof.
Render only those services for which you are fully competent and qualified.

Advance and Protect the Profession
Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
Take care not to injure the reputation of other professionals through malice or indifference.
Maintain your competence; keep your skills and knowledge current.
Give generously of your time and knowledge in training others. Support

5. Documented security policy, standards, procedures, and guidelines
Procedures, standards, guidelines, and baselines (illustrated in Figure 1.7) are components that support the implementation of the security policy.

A policy without mechanisms supporting its implementation is analogous to an organization having a business strategy without action plans to execute the strategy.

Policies communicate the management’s expectations, which are fulfilled through the execution of procedures and adherence to standards, baselines, and guidelines.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 71). CRC Press. Kindle Edition.

5.
Policy Involvement
The security professional should consider inviting areas such as HR, legal, compliance, various IT areas, and specific business area representatives who represent critical business units to participate in the drafting process.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 72). CRC Press. Kindle Edition.

5.
Procedure
Step-by-step implementation instructions
5.
Standard
Compulsory rules that support security policies
5.
Guideline
Suggestions or Best Practices
Personnel security policies
6.
Business continuity requirements
The first step in building the Business Continuity (BC) program is project initiation and management.
During this phase, the following activities will occur:
Obtain senior management support to go forward with the project
Define a project scope, the objectives to be achieved, and the planning assumptions
Estimate the project resources needed to be successful, both human resources and financial resources
Define a timeline and major deliverables of the project

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 72). CRC Press. Kindle Edition.

6.
Senior Leadership Goals
Senior leadership in any organization has two major goals: Execute the mission and protect the organization.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 72). CRC Press. Kindle Edition.

6.
Rationale for Need
To convince leadership of the need to build a viable Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP), the planner needs to help them understand the risk they are accepting by not having one and the potential cost to the organization if a disaster were to occur.
The risks to the organization are found in three areas:
financial (how much money the organization stands to lose),
reputational (how negatively the organization will be perceived by its customers and its shareholders), and
regulatory (fines or penalties incurred, lawsuits filed against them).

There is also the potential that the leaders of the organization could be held personally liable, financially and even criminally, if it is determined that they did not use due care to adequately protect the organization and its resources.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 73). CRC Press. Kindle Edition.

6.
Financial Risk
One of the ways financial risk can be calculated is using the formula P * M = C:
Probability of Harm (P) – the chance that a damaging event will occur,
times the Magnitude of Harm (M) – the amount of financial damage that would occur should a disaster happen
= Cost of Prevention (C) – the price of putting in place a countermeasure preventing the disaster’s effects.
The cost of countermeasures should not be more than the cost of the event.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 73). CRC Press. Kindle Edition.

Risk management concepts
Threat modeling
Integrating security risk considerations into acquisitions strategy and practice
Security education, training, and awareness