Certified Information Systems Security Professional
Summary: (ISC)2 Certified Information Systems Security Professional (CISSP)
Connected book: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle
The Certified Information Systems Security Professional (CISSP) by (ISC)2 is ideal for information security professionals seeking to prove their understanding of cybersecurity strategy and hands-on implementation. It shows you have the advanced knowledge and technical skills to design, develop a...
Seller: jeroenkloet
BOOK SUMMARY
(ISC)2 CISSP OFFICIAL STUDY GUIDE
EIGHTH EDITION
CHAPTER 1
SECURITY GOVERNANCE THROUGH PRINCIPLES AND POLICIES
CIA Triad
Security often starts with a list of the most important security principles. Confidentiality, Integrity
and Availability (CIA) are almost always on such a list. This CIA triad is typically viewed as the primary goals and objectives
of a security infrastructure.
Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data,
objects or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access
to data. Confidentiality protection provides a means for authorized users to access and interact with
resources, but it actively prevents unauthorized users from doing so.
Confidentiality and integrity depend on each other. Other concepts, conditions and aspects include the
following:
Sensitivity
Discretion
Criticality
Concealment
Secrecy
Privacy
Seclusion
Isolation
Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents
unauthorized alterations of data. It ensures that data remains correct, unaltered and preserved. Properly
implemented integrity protection provides a means for authorized changes while protecting against
intentional and malicious unauthorized activities as well as mistakes made by authorized users.
Other concepts, conditions and aspects of integrity include the following:
Accuracy
Truthfulness
Authenticity
Validity
Nonrepudiation
Accountability
Responsibility
Completeness
Comprehensiveness
Availability means that authorized subjects are granted timely and uninterrupted access to objects.
Often, availability protection controls support bandwidth and timeliness of processing as deemed
necessary by the organization or situation. If a security mechanism offers availability, it offers a high level
of assurance that the data, objects and resources are accessible to authorized subjects.
Availability depends on both confidentiality and integrity. Without confidentiality and integrity, availability
cannot be maintained. Other concepts, conditions and aspects of availability include the following:
Usability
Accessibility
Timeliness
AAA Services
You may have heard of the concept of AAA Services. The three A's in this abbreviation refer to Authentication,
Authorization and Accounting (or sometimes Auditing). It actually refers to five elements:
Identification is the process by which a subject professes an identity and accountability is initiated. A
subject must provide an identity to a system to start the process of authentication, authorization and
accounting.
Authentication is the process of verifying or testing that the claimed identity is valid. Authentication
requires the subject to provide additional information (e.g. a password) that corresponds to the identity
they are claiming.
Authorization ensures that the requested activity or access to an object is possible given the rights and
privileges assigned to the authenticated identity.
Auditing, or monitoring, is the programmatic means by which a subject’s actions are tracked and recorded
for the purpose of holding the subject accountable for their actions while authenticated on a system. It is
also the process by which unauthorized or abnormal activities are detected on a system.
NOTE
Monitoring is part of what is needed for audits, and audit logs are part of a monitoring system, but the
two terms have different meanings. Monitoring is a type of watching or oversight, while auditing is a
recording of the information into a record or file. It is possible to monitor without auditing, but you can’t
audit without some form of monitoring. But even so, these terms are often used interchangeably in casual
discussions of these topics.
Accounting (or Accountability) relies on the capability to prove a subject’s identity and track their
activities. Accountability is established by linking a human to the activities of an online identity through
the security services and mechanisms of auditing, authorization, authentication and identification.
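The five elements above are easiest to tell apart when each one is a separate step with its own audit record. The following is an added example, not code from the study guide: a toy system with a constructed user store (names, passwords and roles are all invented here) that identifies a claimed identity, authenticates it with a salted PBKDF2 hash, authorizes a requested action against role permissions, audits every step including failures, and reconstructs accountability for one identity from the audit log.

```python
"""Toy AAA pipeline: identification, authentication, authorization,
auditing and accountability as five separate steps.

Added example; the users, passwords, roles and permissions are constructed
for illustration and are not from the study guide."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Passwords are never stored; only a salted, slow hash is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "role": role}


# Constructed identity store: identity -> credential verifier and role.
USERS = {
    "alice": _make_user("correct horse", "analyst"),
    "bob": _make_user("bob-pass", "admin"),
}

# Constructed role -> permitted (action, object) pairs.
ROLE_PERMISSIONS = {
    "analyst": {("read", "incident_db")},
    "admin": {("read", "incident_db"), ("write", "incident_db"), ("read", "audit_log")},
}


@dataclass
class AuditRecord:
    when: str
    identity: str
    event: str
    outcome: str


class AAASystem:
    def __init__(self) -> None:
        self.audit_log: list = []

    def _audit(self, identity: str, event: str, outcome: str) -> None:
        # Auditing: record who did what, with what result, including failures.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditRecord(stamp, identity, event, outcome))

    def identify(self, claimed: str) -> bool:
        # Identification: the subject professes an identity; nothing is proven yet.
        known = claimed in USERS
        self._audit(claimed, "identification", "known" if known else "unknown")
        return known

    def authenticate(self, identity: str, password: str) -> bool:
        # Authentication: verify the claimed identity with a second factor of
        # proof (here a password), using a constant-time comparison.
        if not self.identify(identity):
            return False
        rec = USERS[identity]
        ok = hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"])
        self._audit(identity, "authentication", "success" if ok else "failure")
        return ok

    def authorize(self, identity: str, action: str, obj: str) -> bool:
        # Authorization: is the requested action allowed for this identity's role?
        role = USERS[identity]["role"]
        ok = (action, obj) in ROLE_PERMISSIONS.get(role, set())
        self._audit(identity, f"authorize {action} {obj}", "granted" if ok else "denied")
        return ok

    def access(self, identity: str, password: str, action: str, obj: str) -> bool:
        # Full flow: authorization is only evaluated for an authenticated identity.
        if not self.authenticate(identity, password):
            return False
        return self.authorize(identity, action, obj)

    def account_for(self, identity: str) -> list:
        # Accountability: everything attributed to one identity, in order.
        return [f"{r.event}: {r.outcome}" for r in self.audit_log if r.identity == identity]


if __name__ == "__main__":
    system = AAASystem()
    system.access("alice", "wrong password", "read", "incident_db")
    system.access("alice", "correct horse", "write", "incident_db")
    system.access("mallory", "anything", "read", "incident_db")
    for line in system.account_for("alice"):
        print("alice:", line)
    for line in system.account_for("mallory"):
        print("mallory:", line)
```

Note that the audit log for "mallory" only shows an unknown identification attempt: a record can be attributed to a person only once that identity has been authenticated, which is why accountability rests on all four earlier services and not on logging alone.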
Protection mechanisms
Protection mechanisms are common characteristics of security controls. Not all security controls must have
them, but many controls offer their protection for confidentiality, integrity and availability through the use of
these mechanisms:
Layering is the use of multiple controls in a series. No one control can protect against all possible threats.
Using a multilayered solution allows for numerous, different controls to guard against whatever threats
come to pass.
Abstraction is used for efficiency. Similar elements are put into groups, classes or roles that are assigned
security controls, restrictions or permissions as a collective. This concept is used when classifying objects
or assigning roles to subjects. The concept of abstraction also includes the definition of object and subject
types or of objects themselves.
Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject
by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
Encryption is the art and science of hiding the meaning or intent of a communication from unintended
recipients.
Evaluate and apply security governance principles
Security governance is the collection of practices related to supporting, defining and directing the security
efforts of an organization. All forms of governance, including security governance, must be assessed and
verified from time to time. Ultimately, security governance is the implementation of a security solution and a
management method that are tightly interconnected.
Security governance is commonly managed by a governance committee or at least a board of directors. This is
the group of influential knowledge experts whose primary task is to oversee and guide the actions of security
and operations for an organization.
Alignment of security function to business strategy, goals, mission and objectives.
Security management planning ensures proper creation, implementation and enforcement of a security policy.
Security management planning aligns the security functions to the strategy, goals, mission and objectives of
the organization.
Placing the autonomy of the CISO and the CISO’s team outside the typical hierarchical structure in an
organization can improve security management across the entire organization.
Organizational processes
Security governance needs to address every aspect of an organization. This includes the organizational
processes of acquisitions, divestitures and governance committees. Acquisitions and mergers place an
organization at an increased level of risk. In addition to all the typical business and financial aspects of mergers
and acquisitions, a healthy dose of security oversight and increased scrutiny is often essential to reduce the
likelihood of losses during such a period of transformation.
Change Control/Management
The goal of change management is to ensure that any change does not lead to reduced or compromised
security. Change management is also responsible for making it possible to roll back any change to a previous
secure state.
The change control process of configuration or change management has several goals or requirements:
Implement changes in a monitored and orderly manner. Changes are always controlled.
A formalized test process is included to verify that a change produces expected results.
All changes can be reversed.
Users are informed of changes before they occur to prevent loss of productivity.
The effects of changes are systematically analyzed to determine whether security or business processes
are negatively affected.
The negative impact of changes on capabilities, functionality and performance is minimized.
Changes are reviewed and approved by a Change Advisory Board (CAB).
Data classification
Data classification, or categorization, is the primary means by which data is protected based on its need for
secrecy, sensitivity or confidentiality. Data classification is used to determine how much effort, money and
resources are allocated to protect the data and control access to it. Data classification is the process of
organizing items, objects, subjects and so on into groups, categories or collections with similarities.
The following are benefits of using a data classification scheme:
It demonstrates an organization’s commitment to protecting valuable resources and assets.
It assists in identifying those assets that are most critical or valuable to the organization.
It lends credence to the selection of protection mechanisms.
It is often required for regulatory compliance or legal restrictions.
It helps to define access levels, types of authorized uses and parameters for declassification and/or
destruction of resources that are no longer valuable.
It helps with data lifecycle management which in part is the storage length (retention), usage and
destruction of the data.
To implement a classification scheme, you must perform seven major steps or phases:
1. Identify the custodian and define their responsibilities.
2. Specify the evaluation criteria of how the information will be classified and labeled.
3. Classify and label each resource.
4. Document any exceptions to the classification policy that are discovered, and integrate them into the
evaluation criteria.
5. Select the security controls that will be applied to each classification level to provide the necessary level of
protection.
6. Specify the procedures for declassifying resources and the procedures for transferring custody of a
resource to an external party.
7. Create an enterprise-wide awareness program to instruct all personnel about the classification system.
Levels of government/military classification: