1 of 20

CHAPTER 12 — FINAL

Information Security

Maintenance

Vulnerability Mgmt • Patching • Monitoring • Auditing • Pen Testing

Principles of Information Security, 6th Edition | Whitman & Mattord

2 of 20

Learning Objectives

1. Understand why security maintenance is continuous — not a one-time event

2. Describe security management models: PDCA cycle and IDEAL model

3. Explain the NIST Cybersecurity Framework (CSF 2.0): 6 functions and 4 tiers

4. Understand vulnerability management: CVE, CVSS scoring, and prioritization

5. Describe patch management lifecycle and common challenges

6. Explain continuous monitoring: SIEM, log management, and SOC tiers

7. Understand security auditing: types, methodology, and audit report components

8. Explain penetration testing: black/white/gray box, ROE, and authorization requirement

Chapter 12: Information Security Maintenance

Objectives

3 of 20

Security Management Models — PDCA & IDEAL

PDCA — DEMING CYCLE (ISO 27001 foundation)

PLAN — Establish ISMS scope; assess risks; identify controls; set security objectives; develop security plan.

Risk assessment; policy development; control selection

DO — Implement and operate the controls identified in the Plan phase; execute the security program.

Deploy tools; train staff; implement procedures

CHECK — Monitor and review controls for effectiveness; conduct audits; measure performance against objectives.

Audits; metrics; incident analysis; compliance review

ACT — Take corrective and preventive actions based on Check findings; update policies; improve controls.

Corrective actions; policy updates; new risk treatments

IDEAL MODEL — SEI Improvement Framework

Initiating: Identify business reason; secure management sponsorship; establish improvement infrastructure

Diagnosing: Assess current vs desired state; characterize current practices; develop recommendations

Establishing: Plan improvement effort; prioritize actions; establish teams; develop detailed action plan

Acting: Implement improvement actions; develop solutions; pilot test; refine; deploy org-wide

Learning: Analyze results; capture lessons learned; propose future improvements; institutionalize successes

★ PDCA = iterative improvement (ISO 27001). IDEAL = structured program improvement (SEI/CMU).


4 of 20

NIST Cybersecurity Framework (CSF 2.0)

GOVERN

NEW in CSF 2.0

Establish and monitor cybersecurity risk management strategy, expectations, and policy. Organizational context; risk management strategy; supply chain risk.

IDENTIFY

Know your assets

Develop organizational understanding of assets, risks, and capabilities. Asset management; business environment; risk assessment; governance.

PROTECT

Implement safeguards

Implement appropriate safeguards to limit event impact. Access control; awareness training; data security; maintenance; protective technology.

DETECT

Find events

Develop and implement activities to identify cybersecurity events. Anomaly detection; continuous monitoring; detection processes.

RESPOND

Take action

Develop and implement activities to take action on detected events. Response planning; communications; analysis; mitigation; improvements.

RECOVER

Restore capabilities

Develop and implement activities to restore capabilities after a cybersecurity event. Recovery planning; improvements; communications.

CSF Tiers: 1=Partial → 2=Risk Informed → 3=Repeatable → 4=Adaptive (measures risk management maturity). Profiles: Current vs Target state roadmap.


5 of 20

Vulnerability Management Lifecycle

1. Asset Discovery

Identify ALL assets: servers, workstations, network devices, apps, cloud resources. You cannot protect what you don't know exists.

Tools: Nmap; CMDB; agent-based; cloud inventory

2. Vulnerability Scan

Automated scanning to detect known vulnerabilities, missing patches, and misconfigurations across all identified assets.

Tools: Nessus; Qualys; Rapid7; OpenVAS

3. Assessment

Analyze scan results; validate findings in context of the specific environment; determine exploitability and false positives.

Tools: Manual verification; vendor advisories

4. Risk Prioritization

Rank by severity × exploitability × asset criticality. CVSS score alone is insufficient — add threat intelligence.

Tools: CVSS; CISA KEV; EPSS; asset criticality

5. Remediation

Apply patches; deploy compensating controls; update configurations; decommission vulnerable systems where patching is impossible.

Tools: Patch management; WAF; network isolation

6. Verify & Report

Rescan to confirm remediation; measure mean time to remediate; trend reporting to management; exception tracking.

Tools: Re-scan; dashboards; exec reports


6 of 20

CVE & CVSS — Vulnerability Scoring and Prioritization

CVE & NVD — Vulnerability Databases

CVE:

MITRE dictionary of known vulns; unique IDs (e.g., CVE-2021-44228=Log4Shell)

NVD:

NIST database that enriches CVEs with CVSS scores and CPE lists of affected software

CISA KEV:

Known Exploited Vulnerabilities — vulns actively exploited in the wild right now; patch FIRST

EPSS:

Exploit Prediction Scoring System — probability vuln will be exploited in next 30 days

CVSS v3.1 Severity Bands & Response SLAs

9.0–10.0 — CRITICAL

Patch within 24–72 hours; immediate compensating controls

7.0–8.9 — HIGH

Patch within 7–14 days; prioritize over normal windows

4.0–6.9 — MEDIUM

Patch within 30 days; next scheduled maintenance window

0.1–3.9 — LOW

Patch within 90 days; regular maintenance cycle

CVSS scores do NOT account for active exploitation. Two equal CVSS scores can have very different real-world risk. Always supplement with CISA KEV catalog and EPSS scores for prioritization.

Verizon DBIR: 60%+ of successful breaches exploit vulnerabilities with patches available for over 1 year. Patch management is the highest-ROI security control.
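As an added illustration (not from the textbook or these slides), the Python below turns the severity bands above and the "severity × exploitability × asset criticality" rule into a patch ranking, so two findings with the same CVSS score land in different places once KEV membership is considered. The EPSS floor of 0.05, the 1–5 asset criticality scale and the placeholder CVE ids are assumptions.

```python
from dataclasses import dataclass

# CVSS v3.1 severity bands and the response SLAs given on the slide.
# The SLA column is the outer edge of each window in days
# (Critical "24-72 hours" -> 3 days, High "7-14 days" -> 14 days).
SEVERITY_BANDS = [
    (9.0, 10.0, "CRITICAL", 3),
    (7.0, 8.9, "HIGH", 14),
    (4.0, 6.9, "MEDIUM", 30),
    (0.1, 3.9, "LOW", 90),
]


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float
    in_kev: bool            # listed in the CISA KEV catalog (actively exploited)
    epss: float             # EPSS probability of exploitation in the next 30 days
    asset_criticality: int  # assumed 1 (low) .. 5 (crown jewel) rating from the CMDB


def severity_band(cvss):
    """Return (band name, SLA days) for a CVSS base score."""
    score = round(cvss, 1)  # CVSS scores carry one decimal place
    for low, high, name, sla_days in SEVERITY_BANDS:
        if low <= score <= high:
            return name, sla_days
    raise ValueError(f"CVSS score out of range: {cvss}")


def exploitability(finding):
    """Evidence of exploitation, 0..1. KEV membership counts as certainty;
    otherwise use EPSS, floored so a tiny probability cannot zero the score."""
    if finding.in_kev:
        return 1.0
    return max(finding.epss, 0.05)


def risk_score(finding):
    """severity x exploitability x asset criticality (the slide's ranking rule)."""
    return round(finding.cvss * exploitability(finding) * finding.asset_criticality, 2)


def remediation_sla_days(finding):
    """SLA from the CVSS band, pulled forward to the Critical window for KEV
    entries because the slide says KEV items are patched FIRST."""
    _, sla_days = severity_band(finding.cvss)
    return min(sla_days, SEVERITY_BANDS[0][3]) if finding.in_kev else sla_days


def prioritize(findings):
    """Highest risk first; ties broken by shorter SLA, then CVE id for stability."""
    return sorted(findings, key=lambda f: (-risk_score(f), remediation_sla_days(f), f.cve_id))


# Constructed sample findings (placeholder CVE ids, not real entries).
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 7.5, True, 0.90, 4),   # High, but in KEV
    Finding("CVE-EXAMPLE-0002", 7.5, False, 0.01, 4),  # same CVSS, no exploitation signal
    Finding("CVE-EXAMPLE-0003", 9.8, False, 0.30, 2),  # Critical score, low-value asset
    Finding("CVE-EXAMPLE-0004", 3.1, False, 0.10, 5),  # Low score, crown-jewel asset
]


def prioritized_report(findings=SAMPLE_FINDINGS):
    """One row per finding in patch order: (cve_id, band, risk, sla_days)."""
    return [(f.cve_id, severity_band(f.cvss)[0], risk_score(f), remediation_sla_days(f))
            for f in prioritize(findings)]


if __name__ == "__main__":
    for row in prioritized_report():
        print("%-18s %-8s risk=%6.2f  patch within %3d days" % row)
```

The two 7.5 findings end up at opposite ends of the list: the KEV entry gets the 3-day window, the other keeps the 14-day High window.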


7 of 20

Patch Management Lifecycle

1. Inventory

Complete, current inventory of all software and hardware. You cannot patch what you don't know exists.

2. Monitor

Subscribe to vendor advisories; NVD/CVE feeds; CISA KEV catalog. Know about vulnerabilities quickly.

3. Assess

Does the patch apply? CVSS severity? Actively exploited (CISA KEV)? Asset criticality? Business impact?

4. Prioritize

Critical and actively exploited vulns first. CVSS × exploitability × criticality. Compensating controls for delayed patches.

5. Test

Test in representative non-prod environment. Regression testing. Document results. Prepare rollback plan before deploying.

6. Deploy

Deploy during approved maintenance window. Staged rollout for high-impact patches. Change management process.

7. Verify

Rescan to confirm patch applied. Update CMDB/baseline. Confirm no regressions in production.

8. Report

% systems patched; mean time to patch; outstanding critical patches. Executive dashboard. Exception tracking.

Most breaches exploit vulnerabilities that already have patches. Automation (SCCM, Ansible, Qualys VMDR) is essential for managing volume.


8 of 20

Continuous Monitoring & SIEM

Continuous Monitoring: Ongoing collection and analysis of security-relevant data to maintain awareness of threats and control effectiveness. (NIST SP 800-137)

SIEM — Security Information and Event Management

Log Aggregation:

Collect and normalize logs from firewalls, IDS, servers, apps, identity providers into central repo

Correlation Rules:

Define cross-source patterns indicating attacks (e.g., 5 failed logins + success = brute force)

Real-time Alerting:

Generate alerts when rules trigger; route to SOC analysts via ticketing systems

Dashboards & Reporting:

Executive dashboards; compliance reports; forensic investigation queries

UEBA:

User/Entity Behavior Analytics: ML-based anomaly detection using behavioral baselines

SOAR Integration:

Security Orchestration + Automation + Response: automate playbooks on SIEM alerts
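The correlation rule quoted above ("5 failed logins + success = brute force"), worked through as an added example that is not from the slides or any SIEM product: normalize constructed auth log lines, keep a per-source sliding window of failures, and raise an alert when a success follows at least five failures inside that window. The log format, the 10-minute window and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not a real product's):
# "<ISO timestamp> auth FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Normalize one log line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when >= threshold failed logins from one source within `window`
    are followed by a successful login from that same source."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda e: e["ts"])          # a SIEM cannot assume arrival order
    recent_fail = defaultdict(deque)            # src -> failure timestamps in window
    alerts = []
    for ev in events:
        q = recent_fail[ev["src"]]
        while q and ev["ts"] - q[0] > window:    # age out failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:                 # success right after a burst of failures
            alerts.append({
                "rule": "brute_force_success",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
        q.clear()                               # a success resets the counter


    return alerts


# Constructed sample lines (documentation IP ranges, fictitious users).
SAMPLE_LOG = """
2024-05-01T08:00:00 auth FAIL user=carol src=192.0.2.9
2024-05-01T08:00:01 auth FAIL user=carol src=192.0.2.9
2024-05-01T08:00:02 auth FAIL user=carol src=192.0.2.9
2024-05-01T08:00:03 auth FAIL user=carol src=192.0.2.9
2024-05-01T08:00:04 auth FAIL user=carol src=192.0.2.9
2024-05-01T09:00:01 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:02 auth FAIL user=admin src=203.0.113.7
2024-05-01T09:00:03 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:05 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:09 auth OK user=alice src=203.0.113.7
2024-05-01T09:01:00 auth FAIL user=bob src=198.51.100.20
2024-05-01T09:01:05 auth FAIL user=bob src=198.51.100.20
2024-05-01T09:01:10 auth OK user=bob src=198.51.100.20
this line is garbage the parser must skip
2024-05-01T09:30:00 auth OK user=carol src=192.0.2.9
""".strip().splitlines()


def sample_alerts():
    return correlate_brute_force(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

Only the 203.0.113.7 burst alerts: bob's two failures are under the threshold, and carol's five failures at 08:00 have aged out of the window by the time her 09:30 login succeeds. Keying on source rather than user also catches the spray across alice and admin from one address.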

SOC Tiers — Security Operations Center

Tier 1

Triage Analyst

Monitor dashboards; triage and categorize alerts; open tickets; escalate to Tier 2. First responder to all alerts.

Tier 2

Incident Responder

Deep-dive investigation; malware analysis; forensic examination; determine scope and impact of escalated incidents.

Tier 3

Threat Hunter

Proactive threat hunting; develop new detection rules; advanced forensics; penetration test support; adversary simulation.


9 of 20

Security Auditing — Types and Methodology

TYPES OF SECURITY AUDITS

Internal Audit

Own internal audit function (independent of IT/security). Ongoing assurance; prepares for external audits.

External Audit

Third-party auditing firm or regulatory auditor. Independent assurance for management and regulators.

Regulatory/Compliance

Regulatory body or authorized representative. Verify compliance with PCI DSS, HIPAA, SOX, FISMA.

Certification Audit

Accredited certification body. Assess conformance with ISO 27001, SOC 2 Type II, FedRAMP.

AUDIT METHODOLOGY & REPORT

1. Planning: Scope; standards; prior findings; authorization; audit plan

2. Fieldwork: Interviews; documentation review; control testing; evidence collection

3. Analysis: Evaluate evidence; identify gaps; assess severity; compensating controls

4. Reporting: Draft; management discussion; finalize; issue to stakeholders

AUDIT FINDING COMPONENTS

Condition:

What is currently happening (the gap)

Criteria:

What should be happening (the standard)

Cause:

Why the gap exists

Consequence:

The risk/impact of the gap

Recommendation:

Specific action to remediate


10 of 20

Penetration Testing — Types, Methodology & Authorization

WRITTEN AUTHORIZATION REQUIRED — Conducting a penetration test without explicit written authorization from an appropriate executive is a CRIMINAL OFFENSE.

Black Box

Zero prior knowledge

No info about target. Simulates external attacker. Realistic but may miss deeper vulnerabilities.

White Box

Full knowledge

Source code, architecture, credentials provided. Deepest possible testing. Finds most vulnerabilities.

Gray Box

Partial knowledge

Some credentials or architecture info. Best balance of testing depth and realism.

Red Team

Full adversarial simulation

Multiple TTPs; tests DETECTION and RESPONSE — not just vulnerabilities. Full kill chain.

RULES OF ENGAGEMENT (ROE) MUST SPECIFY:

Scope

Exact IP ranges, systems, apps in scope; explicit exclusions

Timeline

Start/end dates; allowed testing hours; maintenance windows

Methods

Permitted techniques; explicitly prohibited actions (e.g., DoS; testing against the production DB)

Contacts

Emergency contacts; procedure if critical system disruption occurs

Data Handling

How discovered credentials/PII handled; data destruction post-test

Reporting

Interim/final report format; who receives; confidentiality requirements


11 of 20

Security Benchmarks & Baselines — CIS, DISA STIGs, NIST

CIS Benchmarks

Center for Internet Security

Free, consensus-based security configuration guides. Covers 100+ platforms: Windows, Linux, macOS, cloud providers (AWS, Azure, GCP), network devices, browsers.

Use: Configuration hardening; audit evidence; security baseline; free to use

DISA STIGs

Defense Information Systems Agency

US DoD mandatory security configuration standards. Very detailed and prescriptive. Available for most commercial platforms used in government.

Use: US government and defense contractors; compliance; system authorization

NIST SP 800 Series

National Institute of Standards and Technology

Special publications covering security controls, guidelines, and frameworks. Key SPs: 800-53 (controls), 800-171 (CUI), 800-30 (risk management), 800-137 (monitoring).

Use: Risk management; access control; federal compliance (FISMA, FedRAMP)

OWASP

Open Web Application Security Project

Application security standards. OWASP Top 10 (most critical web app risks); ASVS (Application Security Verification Standard); Testing Guide.

Use: Web application security; secure development; appsec auditing

ISO/IEC 27001

International Organization for Standardization

International ISMS standard. Management framework for establishing, implementing, operating, monitoring, reviewing, and improving information security.

Use: Certification; international recognition; governance framework

Configuration Management

Golden images + IaC + Drift detection

Golden images: pre-hardened OS/app images at build time. IaC: security in Terraform/CloudFormation. Drift detection: alert when config deviates from baseline.

Use: All systems; DevSecOps; cloud environments; automated compliance checking


12 of 20

BC/DR Plan Maintenance & Testing Types

BC/DR plans must be tested and updated regularly. A plan written once and never tested is no better than no plan at all.

1. Checklist Review

Intensity: Minimal

Each team member independently reviews their portion of the plan. Ensures it is up-to-date and roles are understood.

Validates: Plan completeness; contact info; roles

2. Structured Walk-Through

Intensity: Low

Team meets to walk through the plan step-by-step verbally. Reveals interdependencies and gaps in plan logic.

Validates: Team understanding; plan logic; dependencies

3. Simulation

Intensity: Medium

A specific scenario is simulated; teams talk through their responses without activating actual systems.

Validates: Decision-making; communication; procedures

4. Parallel Test

Intensity: High

Recovery systems brought online in parallel with production. Does NOT fail over production. High confidence without risk.

Validates: Technical recovery — without production risk

5. Full Interruption Test

Intensity: Very High

Production systems actually failed over to recovery systems. Maximum validation — also maximum risk. Rarely done.

Validates: Complete end-to-end; actual RTO/RPO

Order (most→least conservative): Checklist → Walk-through → Simulation → Parallel → Full Interruption


13 of 20

Key Exam Distinctions — Chapter 12

PDCA vs IDEAL model?

PDCA: Plan→Do→Check→Act — iterative improvement; foundation of ISO 27001 (Deming). IDEAL: Initiating→Diagnosing→Establishing→Acting→Learning — SEI improvement model.

CVSS Critical vs High?

Critical: 9.0–10.0, patch within 24–72 hrs. High: 7.0–8.9, patch within 7–14 days. Medium: 4.0–6.9, 30 days. Low: 0.1–3.9, 90 days.

Black box vs White box pen test?

Black box: no knowledge of target — simulates external attacker. White box: full knowledge (code, architecture) — deepest testing, finds the most vulnerabilities. Gray box: partial knowledge — most realistic.

What is REQUIRED before pen test?

Explicit WRITTEN AUTHORIZATION from an appropriate executive. Must specify scope, dates, permitted methods. Without authorization = criminal offense.

SOC Tier 1 vs Tier 2 vs Tier 3?

Tier 1: triage and escalation (alert monitoring). Tier 2: deep investigation and forensics. Tier 3: threat hunting and advanced research.

NIST CSF functions (CSF 2.0)?

GOVERN (new in 2.0) + Identify + Protect + Detect + Respond + Recover. Tiers 1–4 measure maturity. Profiles = current vs target state.

BC/DR test — most to least rigorous?

Full Interruption (most rigorous) → Parallel → Simulation → Walk-through → Checklist Review (least rigorous). Full Interruption = actual production failover.

Why is CVSS alone insufficient?

CVSS measures severity, not active exploitation. Two equal CVSS scores may have very different real risk. Supplement with CISA KEV (actively exploited) and EPSS scores.


14 of 20

Exam Tips — Chapter 12: Information Security Maintenance

1. Security is a PROCESS, not a product. New CVEs daily, evolving threats, org changes — maintenance never ends.

2. PDCA: Plan→Do→Check→Act. Iterative. Foundation of ISO 27001. Deming cycle for continuous improvement.

3. NIST CSF 2.0: GOVERN (new)+Identify+Protect+Detect+Respond+Recover. Tiers 1–4 (Partial→Adaptive). Profiles = gap analysis.

4. CVSS: Critical 9–10 (72 hrs), High 7–8.9 (14 days), Med 4–6.9 (30 days), Low 0.1–3.9 (90 days). Add CISA KEV for real priority.

5. Patch management: 60%+ of breaches exploit vulns with patches available >1 year. Automation essential for volume.

6. Penetration test: REQUIRES written authorization. Black=no knowledge. White=full knowledge. Gray=partial. Red team=full TTPs.

7. SIEM: log aggregation + correlation + alerting. SOC Tier 1=triage, Tier 2=investigate, Tier 3=hunt. SOAR automates response.

8. BC/DR testing order: Checklist→Walk-through→Simulation→Parallel→Full Interruption (most to least conservative).


15 of 20

Capstone Review — Chapters 1–6 Key Exam Points

Ch 1: Introduction to IS

CIA triad (Confidentiality, Integrity, Availability). CNSS security model. Five components of IS. Definitions: threat/vulnerability/asset.

Ch 2: Need for Security

Threats vs attacks. Threat agents. Threat categories. Attack types (DoS, DDoS, malware, social engineering). InfoSec history.

Ch 3: Security Investigation

Legal, ethical, professional issues. Key laws: CFAA, ECPA, HIPAA, SOX, GLBA, PCI DSS. Computer crime categories.

Ch 4: Security Policy

Policy hierarchy: enterprise → issue-specific → system-specific. 5 enforceability criteria. Standards vs guidelines vs procedures.

Ch 5: Risk Management

SLE=AV×EF; ALE=SLE×ARO. 4 risk responses: Avoidance, Transference, Mitigation, Acceptance. NIST RMF 6 steps.

Ch 6: Security Technology

Firewall types (packet, stateful, proxy, NGFW). IDS=passive, IPS=active. VPN: transport vs tunnel mode. IPSec: AH vs ESP. DMZ.


16 of 20

Capstone Review — Chapters 7–12 Key Exam Points

Ch 7: Cryptography

DES=BROKEN, AES=standard. Sign with PRIVATE key, verify with PUBLIC. MD5/SHA-1=BROKEN; SHA-256=standard. Hybrid encryption=TLS. PFS via ECDHE.

Ch 8: Access Controls

IAAA. MFA=different factors. MAC=system (Bell-LaPadula/Biba). DAC=owner. RBAC=role. WEP=BROKEN; WPA3=best. RADIUS=UDP; TACACS+=TCP 49.

Ch 9: Physical Security

Foundation of security. Mantrap=no tailgating. CPTED principles. FM-200=Halon replacement. VESDA=earliest detection. N+1/2N redundancy.

Ch 10: Implementation

CISO→CEO or Board (not CIO). SETA: Education/Training/Awareness. (ISC)² ethics: Society>Integrity>Employer>Profession. KPI vs KRI.

Ch 11: Personnel Security

People=#1 threat (74–85% breaches). Insider: Malicious/Negligent/Compromised. Involuntary termination: same-day access revocation. NDA survives employment.

Ch 12: IS Maintenance

Security=continuous process. PDCA cycle. NIST CSF 2.0 (Govern+5). CVSS severity bands. Pen test requires written auth. BC/DR test order.


17 of 20

Most-Tested Facts — Across All 12 Chapters

Key Concept: Fact / Value

CIA Triad: Confidentiality + Integrity + Availability — foundation of IS

SLE formula: SLE = Asset Value (AV) × Exposure Factor (EF)

ALE formula: ALE = SLE × Annual Rate of Occurrence (ARO) = AV × EF × ARO

DES status: BROKEN — 56-bit key, brute-forceable. AES replaced it (FIPS 197).

SHA-1/MD5: BROKEN — collision attacks. Use SHA-256+ for security.

Sign/Verify direction: Sign with PRIVATE key. Verify with PUBLIC key.

Bell-LaPadula: Confidentiality: No Read Up, No Write Down.

Biba model: Integrity: No Read Down, No Write Up.

WEP status: COMPLETELY BROKEN — 24-bit IV reuse. Never use.

WPA3 key feature: SAE (Simultaneous Auth of Equals) eliminates offline dictionary attacks.

RADIUS vs TACACS+: RADIUS: UDP 1812, password encryption only. TACACS+: TCP 49, full packet encryption.

Mantrap purpose: Prevents tailgating — two interlocking doors, one person at a time.

FM-200: Most common Halon replacement (clean agent). Halon = BANNED (Montreal Protocol).

VESDA: Very Early Smoke Detection Apparatus — best fire detection for data centers.

(ISC)² Ethics canon 1: Protect society FIRST — above employer interests.

Involuntary termination: Access revocation SAME DAY as notification — simultaneously.

Pen test requirement: Explicit WRITTEN authorization from senior executive REQUIRED.

CVSS Critical threshold: 9.0–10.0 = Critical. Patch within 24–72 hours.

PDCA: Plan→Do→Check→Act — iterative improvement, ISO 27001 foundation.

NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover (6 functions).


18 of 20

Commonly Confused Concepts — Final Exam Prep

Identification vs Authentication

Identification: CLAIMING an identity (e.g., entering username). Authentication: PROVING the claimed identity (e.g., password, biometric).

RADIUS vs TACACS+

RADIUS: UDP, encrypts password only, network access, combined AAA. TACACS+: TCP 49, encrypts everything, separates A/A/A, device admin.

Bell-LaPadula vs Biba

Bell-LaPadula = CONFIDENTIALITY (No Read Up/Write Down). Biba = INTEGRITY (No Read Down/Write Up). Opposite rules for different goals.

Transport Mode vs Tunnel Mode

Transport mode: encrypts payload only, original IP header visible. Tunnel mode: encrypts ENTIRE packet including header (site-to-site VPN).

Symmetric vs Asymmetric

Symmetric: same key encrypt/decrypt, fast, key distribution problem. Asymmetric: key pair (public/private), slow, solves key distribution.

Data Owner vs Data Custodian

Data Owner: business executive deciding classification/protection requirements. Data Custodian: IT staff IMPLEMENTING those protections.

KPI vs KRI

KPI: backward-looking (what was achieved). KRI: forward-looking early warning (risk is increasing). Both needed for security governance.

SIEM vs SOAR

SIEM: collects logs, correlates events, generates alerts. SOAR: automates response playbooks triggered by SIEM alerts. SOAR acts on SIEM findings.


19 of 20

Chapter 12 Quick Reference Table

Category: Detail

PDCA: Plan→Do→Check→Act; iterative; Deming cycle; ISO 27001 foundation

IDEAL: Initiating→Diagnosing→Establishing→Acting→Learning (SEI/CMU)

NIST CSF 2.0: 6 functions: Govern(new)+Identify+Protect+Detect+Respond+Recover; 4 Tiers

CVE/NVD: MITRE/NIST vulnerability dictionaries. CVE ID + CVSS score + affected software

CVSS Bands: Critical 9–10 (72hr), High 7–8.9 (14d), Medium 4–6.9 (30d), Low 0.1–3.9 (90d)

CISA KEV: Known Exploited Vulnerabilities — actively exploited in the wild. Patch FIRST.

Patch Mgmt Lifecycle: Inventory→Monitor→Assess→Prioritize→Test→Deploy→Verify→Report (8 steps)

SIEM: Log aggregation + correlation + alerting. SOAR automates response playbooks.

SOC Tiers: T1=Triage, T2=Investigate, T3=Hunt. Escalation path for security incidents.

Pen Test Types: Black box(none), White box(full), Gray box(partial), Red Team(full TTPs+detection)

Pen Test Auth: WRITTEN authorization REQUIRED. Scope+dates+methods specified. Criminal offense without it.

CIS Benchmarks: Free consensus-based hardening guides for 100+ platforms. Primary audit baseline.

DISA STIGs: US DoD mandatory security configuration standards. Required for gov/defense.

BC/DR Test Order: Checklist→Walk-through→Simulation→Parallel→Full Interruption (least→most rigorous)


20 of 20

Chapter 12 Summary — Key Takeaways

1. Security = continuous process. New CVEs daily, evolving threats, org changes. PDCA: Plan→Do→Check→Act. IDEAL: I→D→E→A→L (SEI).

2. NIST CSF 2.0: Govern (new) + Identify + Protect + Detect + Respond + Recover. Tiers 1–4 measure maturity. Profiles = current vs target.

3. CVSS: Critical 9–10 (72hrs), High 7–8.9 (14 days), Medium 4–6.9 (30 days), Low 0.1–3.9 (90 days). Supplement with CISA KEV and EPSS.

4. Patch management: 60%+ of breaches exploit vulns with available patches. Inventory→Monitor→Assess→Prioritize→Test→Deploy→Verify→Report.

5. SIEM: log aggregation + correlation + alerting. SOC Tier 1=triage, Tier 2=investigate, Tier 3=hunt. SOAR automates response playbooks.

6. Security auditing: Internal, External, Regulatory, Certification. Audit findings: Condition, Criteria, Cause, Consequence, Recommendation.

7. Penetration test REQUIRES written authorization. Black box=no knowledge. White box=full knowledge. Gray=partial. Red team=full adversarial TTPs.

8. BC/DR testing (conservative to rigorous): Checklist → Walk-through → Simulation → Parallel → Full Interruption. Update plans after every test.

Principles of Information Security, 6th Edition | Whitman & Mattord | Chapter 12: Information Security Maintenance