Foundational Concepts in Agile and Cybersecurity

Pre-Sprint: Agile Fundamentals

This section covers foundational concepts for effective problem-solving and collaborative work within an Agile framework.

Problem Solving & Decision Making

  • Problem Solving: The ability to develop and apply solutions to challenging situations, encompassing:
    • Research
    • Active Listening
    • Analysis
    • Communication
    • Team Building
  • Decision Making: The ability to choose appropriate solutions for challenging situations, requiring:
    • Problem Solving skills
    • Leadership
    • Emotional Intelligence

7 Characteristics of Creative Collaboration

Effective collaboration is built upon these core characteristics:

  • Ownership
  • Dependability
  • Trust
  • Structure
  • Shared Vision
  • Fun
  • Candor

Scrum Framework Essentials

Scrum’s 3 Pillars

The Scrum framework is founded on three essential pillars:

  • Transparency: Significant aspects of the process must be visible to those responsible for the outcome.
  • Inspection: Scrum artifacts and progress toward a Sprint Goal must be inspected frequently and diligently.
  • Adaptation: If any deviations are detected, the process or the material being produced must be adjusted as soon as possible.

Scrum Team Roles

A Scrum Team is composed of three specific roles:

  • Developers: Individuals who commit to creating any aspect of a usable Increment.
  • Scrum Master: Accountable for establishing Scrum as defined in the Scrum Guide. They do this by helping everyone understand Scrum theory and practice.
  • Product Owner: Accountable for maximizing the value of the product resulting from the work of the Scrum Team. They are responsible for maintaining the product backlog and delegating responsibilities.

Scrum Artifacts

Scrum artifacts represent work or value. They are designed to maximize transparency of key information.

  • Product Backlog: An ordered list of everything that is known to be needed in the product. Features are typically generated by the Product Owner and prioritized by business value.
  • Sprint Backlog: A selection of the highest priority items from the Product Backlog, chosen for implementation in the current Sprint.
  • Increment: A usable, valuable, and potentially releasable deliverable toward the Product Goal.

Sprint Events

Sprints are fixed-length events of one month or less to create consistency. Each Sprint includes all Scrum events:

  • Sprint Planning: An event to select work from the Product Backlog for the Sprint.
  • Daily Scrum: A short, daily meeting for the Development Team to share challenges and progress.
  • Sprint Review: The team demonstrates to the Product Owner what has been completed during the Sprint.
  • Sprint Retrospective: The team looks for ways to improve its process and effectiveness.

Module 1: Information Security Fundamentals

This module introduces core concepts and terminology in information security.

Understanding Security

  • Security: Freedom from danger or risks.
  • CNSS Security Model / McCumber Cube: A framework with 27 cells representing areas that must be addressed to secure data controls.
  • CIA Triad: Fundamental principles of information security:
    • Confidentiality: Protecting information from unauthorized access.
    • Integrity: Ensuring information can be trusted to be accurate and whole.
    • Availability: Ensuring authorized users have timely and reliable access to information.
  • Authenticity: The quality or state of being genuine or original.
  • Utility: The characteristic of data having value or usefulness.
  • Possession: The characteristic of data ownership being legitimate and authorized.

Components of Information Systems (IS)

Information systems are composed of interconnected components:

  • Hardware
  • Software
  • Data
  • People
  • Procedures
  • Networks

Information Security Project Team Roles

An effective information security project team typically includes:

  • Champion: A senior executive who advocates for the project.
  • Leader: The project manager responsible for overseeing the project.
  • Security Policy Developer: Understands organizational culture and existing policies.
  • Risk Assessment Specialist: Understands financial risk assessment techniques.
  • Security Professionals: Well-trained in information security practices.
  • Systems Administrator: Responsible for administering the systems.
  • End Users: Individuals who interact with the systems and data.

Data Responsibilities

Clear roles are essential for data governance and security:

  • Data Owners: Senior management responsible for the security and use of specific data.
  • Data Custodian/Steward: Responsible for the information and systems that process, transmit, and use it.
  • Data Trustees: Appointed by data owners to oversee the management of information and coordinate with custodians for its storage, protection, and use.
  • Data Users: Individuals who have access to information and play an information security role.

Security Artisan Perspectives

Security can be perceived in different ways, influencing implementation approaches:

  • Security as Art: No hard and fast universal rules for implementing an entire system, requiring creativity and judgment.
  • Security as a Science: Developed by scientists, where every issue has an explanation that developers could resolve through systematic methods.
  • Security as Social Science: Examines the behaviors of individuals interacting with systems, focusing on human factors.

Key Information Security Terminology

Understanding these terms is crucial for discussing and managing security risks:

  • Attack: An intentional or unintentional action, direct or indirect (e.g., a hacker using a PC or bots), that can be passive or active.
  • Control, Safeguard, Countermeasure: Mechanisms, policies, or procedures that can counter an attack, reduce risk, and resolve vulnerabilities.
  • Loss: A single instance of an information asset suffering damage, unauthorized modification, or disclosure.
  • Protection Profile / Security Posture: The entire set of controls and safeguards implemented, including policy, education, training, awareness, and technology.
  • Risk: The probability of an unwanted occurrence.
  • Subject/Object of Attack: A computer can be the subject (used to conduct an attack) or the object (the target entity of an attack).
  • Threat: An event or circumstance that has the potential to adversely affect operations.
  • Threat Agent: A specific instance of a threat (e.g., lightning, a hacker).
  • Threat Event: The occurrence of an event caused by a threat agent.
  • Threat Source: A category of objects, people, or other entities that represent the origin of danger (e.g., the threat agent “severe storms” as part of the threat source “acts of nature”).
  • Vulnerability: A potential weakness in an asset.
  • Exposure: A vulnerability that is known to an attacker.
  • Exploit: A technique used to compromise a system.

Common Attack Techniques

Understanding how systems are attacked helps in defense:

  • Brute Force: Attempting all possible combinations to guess credentials or keys.
  • Dictionary Attack: Using a list of commonly used passwords to gain unauthorized access.
  • Credential Stuffing: Using leaked usernames and passwords from one site to attempt access on different sites.
  • Hybrid Attack: A mix of dictionary and brute force, often involving changing one letter or adding a character to dictionary words.
  • Rainbow Table: Using a precomputed table of hashes to compare against stolen password hashes in a database.

Malware Types

Malicious software designed to cause harm or unwanted actions:

  • Ransomware: Designed to identify and encrypt valuable information, then extort payment for the decryption key.
  • Malware: A broad term for software designed to perform malicious or unwanted actions, including:
    • Adware
    • Spyware
    • Worms
    • Trojan Horses
    • Polymorphic Malware
    • Hoaxes
    • Backdoors