Chapter 2 - Test Bank

Cybersecurity: The Essential Body of Knowledge
Chapter 2
A Global Roadmap for Security
At a Glance
Instructor’s Manual Table of Contents

Overview

Chapter Topics

Teaching Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms
Lecture Notes
Overview
This chapter introduces the EBK framework and discusses the logical relationship of the
elements of security within it. The roles, competency areas, and functions within the EBK
are explored.
Chapter Topics
In this chapter, your students learn about:
• Narrowing the Search: More Questions
• EBK Competency Areas
• Getting Real: Focusing on Implementation
• Roles in the EBK
• Organization of Roles in the EBK Framework
• Common Functions
• The Story Continues: It’s Never As Easy As It Seems
• The Story Evolves: Learning How to Make Adjustments
• Adapting the EBK to the Actual Situation
Teaching Tips
Narrowing the Search: More Questions
1. Explain that the CEO was concerned about whether the EBK would remain a viable model
for the organization’s information security program.
2. Explain that the EBK is based on the expert opinions of subject matter experts and
represents a best practice in most security situations.
3. Discuss that the most important task ahead of the study team was to develop a
methodology for applying the EBK to the specific needs of the organization.
EBK Competency Areas
1. Explain that there are fourteen competency areas in the EBK, and that each competency
area represents a required component of good security practice.
2. Discuss that by using the detailed specification of practices that the EBK provides, a
company can model its own tangible security infrastructure.
Fifty-Three Critical Work Functions
1. Explain that the experts who formulated the EBK included the specific behaviors that
they deemed necessary to ensure correct security practice within each competency area.
2. Discuss that the standards for these behaviors became the 53 critical work functions
(CWF), and that each of the critical work functions encompasses multiple tasks.
3. Explain that each of the competency areas was given a functional definition in section
4.0 of the EBK.
4. Explain that there are four standard types of functional activity, and those activities are
to manage, design, implement, and evaluate.
Fourteen Competency Areas
1. Describe the fourteen competency areas
a. Data Security—techniques aimed at ensuring the security of electronic data
b. Digital Forensics—techniques aimed at evidence collection after an adverse
event
c. Enterprise Continuity—techniques aimed at ensuring the continuing functioning
of the enterprise after an adverse event
d. Incident Management—techniques specifically aimed at responding to incidents
as they occur
e. IT Security Training and Awareness—techniques aimed at ensuring the
competency of the members of the organization
f. IT Systems Operations and Maintenance—techniques aimed at ensuring
continuous secure functioning of the enterprise
g. Network Security and Telecommunications—techniques aimed at ensuring the
continuing secure functioning of all information communications
h. Personnel Security—techniques aimed at ensuring secure practice by the
employees of the organization
i. Physical and Environmental Security—techniques aimed at ensuring secure
physical practice within a secure space
j. Procurement—techniques aimed at ensuring that purchased goods and services
are delivered in a secure state
k. Regulatory and Standards Compliance—techniques aimed at ensuring that the
enterprise does not violate a regulation, standard, or law related to security
l. Risk Management—techniques for ongoing assessment and assurance of
identified risk
m. Strategic Security Management—strategic methods for ensuring that the
organization maintains a secure infrastructure
n. System and Application Security—techniques for ensuring that the operating
environment of the machine and all of its associated applications remains secure
Teaching Tip: Provide and discuss examples of the fourteen competencies.
Quick Quiz 1
1. What is the competency aimed at ensuring secure practice by the employees of the
organization?
Answer: Personnel Security
2. Which competency area ensures the continuing functioning of the enterprise after an
adverse event?
Answer: Enterprise Continuity
3. True or False: There are 10 competency areas in the EBK.
Answer: False
Getting Real: Focusing on Implementation
1. Explain that the EBK is role-based rather than based on a static implementation process
like ISO 27000.
2. Discuss the issue that the EBK is not a certifiable information security management
system (ISMS).
3. Explain that the essence of the implementation was to translate the generic security
activities in the EBK into an explicit policy and procedure framework for the various
existing roles in the company.
Roles in the EBK
1. Explain that the 10 roles in the EBK represent job functions rather than job titles.
2. Discuss that job titles can vary but roles are a generic approach to defining jobs in any
organization.
3. Explain that the mapping of EBK roles to an organization’s existing job titles is
accomplished by examining the tasks associated with each role.
Organization of Roles in the EBK Framework
1. Explain that the ten roles in the EBK fall into one of three groups: executive, functional,
and corollary.
2. Discuss that security is complete if all of the job functions associated with security can
be mapped to an EBK role and work requirement, and that all role and work
requirements in the EBK are satisfied by the mapping.
3. Remind students that the EBK was developed from a broad set of frameworks,
including COBIT, the ISO 27000 series, the CISSP body of knowledge, and the many best
practices in the NIST 800 series special publications.
Executive Roles
1. Explain that the three executive roles in the EBK, which are typically single positions,
are the chief information officer, information security officer, and IT security compliance
officer.
2. Describe the function of the CIO and explain that it is probably the easiest role to satisfy
as the executive leader for IT operations.
3. Explain that the information security officer can have many titles, that the most
common title is chief information security officer, and that this role is the strategic
manager of the IT security operation.
4. Describe the primary responsibility of the IT security compliance officer as one of
ensuring that the IT function has all the necessary security controls in place and that
those controls are operating properly.
Functional Roles
1. Describe the responsibilities of the functional roles, which are the digital forensics
professional, IT security engineer, IT systems operations and maintenance professional,
and the IT security professional.
2. Define the digital forensics professional as a highly specialized role that is expressly
oriented toward the collection and analysis of digital evidence.
3. Explain that the IT security engineer is typically the architect of the IT security solution.
4. Explain that the IT security professional role differentiates from the IT security engineer
role in that the professional implements rather than designs.
Corollary Roles
1. Describe the remaining roles that support the information security function, which do
not necessarily execute the information security function directly.
2. Explain that the corollary roles are the physical security professional, privacy
professional, and procurement professional.
Common Functions
1. Explain that the roles and competencies are further broken down into functions, which
are to manage, design, implement, and evaluate.
2. Define the manage functions as those related to the supervision and administration of
the competency area.
3. Explain that the design functions are those that relate to the conceptualization and
development of security-related functionality.
4. Describe the implementation functions as those that involve the tasks associated with
the establishment of the operational security measures.
5. Remind students that the evaluation functions are equivalent to internal audit of security
functionality.
Teaching Tip: Work with students to establish the conceptual boundaries between roles,
competencies, and common functions.
Quick Quiz 2
1. True or False: The executive role of the CIO is clearly defined in most organizations.
Answer: True
2. The EBK defines ____ roles.
a. 8
b. 9
c. 10
d. 11
Answer: C
3. The _____ roles are typically single positions.
Answer: executive
4. The common function _____ group describes functions related to the conceptualization
and development of security-related functionality.
a. manage
b. design
c. implement
d. evaluate
Answer: B
5. True or False: The privacy professional ensures that personally identifiable information
(PII) is kept confidential.
Answer: True
The Story Continues: It’s Never As Easy As It Seems
1. Explain that even though the material defined for each role in the EBK is very
straightforward, it is very difficult to map the operational duties of individuals in an
organization to the intentionally generic definitions of the EBK.
Converting Roles, Competencies, and Functions into an Actionable Plan
1. Explain that every organization must undergo a tailoring process to adapt the generic
aims of the EBK or any standard generic model into a set of concrete actions.
2. Explain that the company-wide information security system, which a tailoring process
eventually produces, integrates all necessary controls for all relevant recommendations
into a single comprehensive solution.
3. Explain that the aim of the tailoring process is to drill down from the framework’s
abstract view of the question in order to define an explicit set of behaviors that align with
the needs of the particular situation.
4. Explain that each control has to be documented individually in order to put it into
practice.
The Importance of Planning
1. Define the management plan as the plan that lays out the planned behaviors that the
organization feels will satisfy the intent of the management functions described in the
EBK.
2. Explain that the design and implementation plan defines the behaviors that the
organization thinks will satisfy the EBK’s recommendations regarding the design and
implementation of common functions that are a part of each competency area.
3. Describe how the evaluation plan documents how the company will assure
performance, and that the evaluation plan is written to ensure the consistent execution
of the behaviors that are specified in the management and the design and
implementation plans.
Teaching Tip: Discuss with students the importance of tailoring and the importance of the
planning process that turns a generic framework into an implementable information
security management system.
The Story Evolves: Learning How to Make Adjustments
1. Describe to students how even the most detailed plans cannot encompass all possible
implementations.
Adapting the EBK to the Actual Situation
1. Explain that although the EBK was developed using the most authoritative sources
available, it was never intended to provide the single monolithic definition of secure
practice.
2. Explain that it is likely that an organization will need to add roles and competencies that
are not in the basic model.
3. Explain that the EBK expands in two logical dimensions, beginning with additional roles
and then by adding competencies to each role.
Teaching Tip: Discuss with students the complex process involved in adapting a generic
framework to an organization and its processes.
Quick Quiz 3
1. True or False: The tailoring process is a standard mechanism that the organization
adopts to transform the general aims of any generic model into a set of concrete actions
that will define, in each instance, how the work will be done.
Answer: True
2. The _____ information security system, which a tailoring process eventually produces,
integrates all necessary controls for all relevant recommendations into a single
comprehensive solution.
a. department
b. master
c. company-wide
d. unit
Answer: C
3. It takes a great deal of exhaustive _____ in order to establish the necessary controls to
ensure company-wide security, particularly in a large and complex organization.
Answer: planning
4. Which plan documents how the company will assure performance?
Answer: evaluation plan
Class Discussion Topics
1. What are some possible methods for adapting generic frameworks into operational
plans?
2. Why is a generic framework like the EBK insufficient to meet all the information
security needs of an organization?
Additional Projects
1. Have students look at jobs in the information security field and try to assign those jobs
to a role in the EBK.
2. Have students analyze a job description for an information security position to assign
individual job duties to common functions.
Additional Resources
1. CISSP CBK
https://www.isc2.org/cissp/default.aspx
2. Security Process Map
http://technet.microsoft.com/en-us/security/cc451907
3. The 20 Coolest Jobs in Information
http://www.sans.org/20coolestcareers/
4. What is a Chief Security Officer
http://www.csoonline.com/article/221739/what-is-a-chief-security-officer-
Key Terms
• Best practice: The commonly accepted best way to perform a task.
• Completeness: A state in which all necessary criteria and requirements have been
satisfied. In the case of the EBK, it refers to the mapping requirements for
competencies.
• Design functions: In the EBK, these relate to the design of security-related
functionality; these can be technical, architectural, or work process related.
• EBK framework: The overall conceptual model for the EBK.
• Evaluate functions: In the EBK, these are equivalent to an internal audit of security
functionality to assess the effectiveness of policies, procedures, programs, or controls in
achieving security objectives.
• Implement functions: In the EBK, these involve tasks associated with the
implementation of operational security measures, including programs, policies, and
procedures.
• Manage functions: In the EBK, these are management activities such as overseeing
technical and operational work from the highest levels. These functions ensure security
system currency with the changing risk and threat environments.
• Mapping: Making an explicit and documented connection between two entities.
• Terminology: The terms used for a given purpose by a particular field, or in a specific
context.