The security policy governance life cycle ensures policies remain relevant and effective. The develop phase involves documenting drafts and revisions for ratification. Socialize distributes policies through training and handbooks. Measure provides ongoing compliance review and enforcement mechanisms. Assess reviews policies as internal processes evolve, technology changes emerge, or new threats expose the organization to additional risks that need management.

Organizations mitigate risk by implementing additional controls with defined tolerance levels. This is distinct from accepting risk by continuing current activities, avoiding risk by not engaging in certain activities, or transferring risk to a third party through insurance or hedging agreements. The choice of strategy depends on the organization's risk appetite, available resources, and business objectives.

A program framework like the ISO 27000 series can help an organization assess the state of its overall security program by conducting industry comparisons. The ISO 27000 framework is a systematic and holistic approach for defining, building, operating, and monitoring a security program that helps the organization achieve business objectives. The CIS Controls and NIST 800-53 are control frameworks that provide a baseline of controls better suited for creating a security program than they are for revamping an existing one. FAIR is a risk framework best suited to complement other frameworks by providing a quantitative means of evaluating risk.

The NIST Cybersecurity Framework contains six high-level functions that define a common language for managing security risk. Risk assessment strategy is included within the "Identify" function, along with Asset Management and Improvement. Identity management, authentication, and access control is part of the protect function, supporting the goal of ensuring delivery of important services.

An important step toward reducing risk is to draft security policies that align with the legal, contractual, and regulatory controls for your industry. Policies should reflect the current state of maturity in the organization while meeting compliance obligations. Division-specific policies should be avoided as they can be difficult to implement organization-wide.

This means that you can more easily protect against zero-day exploits, which are only one phase of the overall Kill Chain (that is, Exploitation), by identifying and blocking attackers before they reach their ultimate goal in the final Actions step. Attackers must progress through each phase of the chain to achieve their goal, and breaking just one link disrupts the adversary. By understanding the attackers' perspective, defenders can gain an edge against even the most sophisticated attackers and protect against zero-day exploits.

The SOC performs five key activities: collection of security data from various sources, detection of suspicious events, triage to set priorities for events, investigation to verify whether events are malicious or benign, and incident response to contain and remediate confirmed security incidents. This systematic approach ensures efficient use of security resources while maintaining comprehensive threat coverage.

A program framework like the ISO 27000 series can help an organization assess the state of its overall security program by conducting industry comparisons. The ISO 27000 framework is a systematic and holistic approach for defining, building, operating, and monitoring a security program that helps the organization achieve business objectives.

Kerckhoff's principle states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. In other words, there's no such thing as security by obscurity. Do not create your own cryptographic algorithms. Key management is vital—attack the key, not the mathematics. The user can be the target of attack.

Integrity means that it should be possible to prove a message has not been tampered with, that a received message is exactly the same as the one that was sent. This is a fundamental security principle that cryptographic hash functions help achieve through their one-way, collision-resistant properties.

TLS must be used to encrypt data in transit. Do not use the legacy Secure Sockets Layer (SSL). The term "SSL" is still widely used to refer to TLS as well. TLS provides encryption at TCP/IP transport layer with confidentiality through symmetric encryption, integrity through hashing, authentication through signed certificates, and non-repudiation through digital signatures.

Commonly used CAs include IdenTrust, DigiCert, Comodo, Let's Encrypt, and Go Daddy. These are trusted by web browsers and other software. Server-side certificates are usually called SSL or TLS certificates and provide a means for client systems to determine the authenticity of the server, in addition to providing the basis for all encrypted connections to the server.

Trusted Platform Module (TPM) is a separate processor that stores keys on a hardware chip on your device. It enables trusted boot (by verifying the computer's hardware and software) as well as whole disk encryption. TPM also includes a random number generator to generate cryptographically strong random numbers, which is essential for secure key generation.

Proof of stake offers an alternative approach where miners "stake" a portion of their holdings. They promise not to spend it to participate in consensus decisions. The probability of being chosen to create a new block is proportional to the percentage of the overall stake they control. This method is more energy-efficient than proof of work.

Privacy and security principles must be balanced. The left side of the scale includes privacy principles: predictability, manageability, and disassociability. The right side includes security principles: confidentiality, integrity, and availability. Organizations must find the right balance between these competing interests to protect both data and user rights.

The secure SDLC includes security requirements and abuse cases in the requirements phase, threat modeling and attack surface analysis in design, code review and static analysis in development, security testing and dynamic analysis in testing, and final security review with incident response planning in production. Each phase builds upon the previous to create a comprehensive security approach.

The OWASP Top Ten from the Open Web Application Security Project is a consensus list of the most critical security risks to web applications. Developers can use it to introduce security early in the development cycle. This list is regularly updated to reflect the current threat landscape and provides practical guidance for addressing each risk category.

Tool support varies across technology stacks. There is good support for widely used languages and platforms, but a lag in support for new languages and technologies. Good security-focused tools are typically commercial offerings. DAST tools can be run through a GUI requiring a skilled operator, or in headless mode to automate regular scans.

The Center for Internet Security (CIS) has published security benchmarks for the leading cloud providers that can be used as a baseline for the security of cloud services and platforms. These benchmarks provide detailed configuration guidance for securing cloud environments according to industry best practices.

Switches operate at the data link layer and can provide a basic type of segmentation. A switch consults its content-addressable memory (CAM) table and only directs a data frame to the system or network segment for which it is destined, narrowing each port to its own collision domain. Routers and firewalls operate at layer 3 and direct traffic based on internal route tables and destination addresses.

Asset inventory is the lynchpin of an effective vulnerability management improvement program. A comprehensive and well-maintained asset inventory is a foundational capability for every security program. Knowing the footprint of an organization (or the scale of the problem) is vital for determining approach and prioritization strategies.

Vulnerabilities for which exploits exist usually present the highest risk. The focus should be on vulnerabilities that have a known exploit, then determine which CVEs are being exploited. Addressing these vulnerabilities first reduces the chances of an attacker gaining unauthorized access. Strategies based on volume or age of vulnerabilities may address low severity vulnerabilities with no known exploits first, leaving exploitable vulnerabilities available to attack.

Some patches can be defined as standard or routine changes. These patches are known to have no impact or minimal impact to systems and are approved by default; they can be deployed at any time. Emergency changes cannot always be started immediately—define an emergency change schedule to guide patch rollout with priority based on business impact to the systems in question.

Tailor your approach for your organization. Small companies might integrate with service management tools because the service desk administers endpoints. Large companies should consider scalability, number of endpoints per patching server, distribution methods, and bandwidth usage. Don't patch the whole cluster at once, and sequence patches appropriately considering dependencies between web, application, and database servers.

If you are only doing primary training, then you are in compliance mode. The forgetting curve shows that without reinforcement, people quickly forget what they learned. Regular reinforcement activities help maintain knowledge and change behaviors over time. This can include simulated phishing exercises, security tips, posters, newsletters, and other ongoing communications.

The biggest difference between technical and human metrics is that people have feelings. Announce your metrics program ahead of time, start slow and simple, do not embarrass people, do not release names of those who fail, include Board/Executives as targets, and focus on real-world risks rather than tricking people.

Many real-world negotiations combine both strategies. First the parties increase the pie by creating value through integrative bargaining. Then each party claims value to get as big a piece of the pie as it can through distributive tactics. Understanding when to use each approach is key to successful negotiations.

A standard set of questions makes it possible to compare vendors using the same criteria. Managers must ensure proper attention has been spent on determining requirements before investigating the tools. Regardless of what security tools will be implemented, start with a requirements document. A solid requirements document should have its own list of requirements to ensure mutual acceptance and agreement on what's required to be secured.

The level of formality applied to project management processes should be commensurate with the project scope and overall importance of the project to the performing organization. Smaller projects need a less formal approach, while larger projects will benefit from a more detailed approach.

Every project should have a formally documented project charter. The charter identifies a project sponsor and is used as authorization to start deploying organizational resources. It usually contains project objectives and high-level purpose, needs and requirements, initial milestones and critical success factors, stakeholders, assumptions, constraints, boundaries and initial budget, initial risks, project impacts and dependencies, business needs and ROI, and approval requirements.

Research shows that the principles of persuasion lead people to say yes. These principles can be used to proactively consider how to persuade people to undertake activities they might otherwise not normally do. Understanding these principles helps security leaders communicate more effectively and drive organizational change.