Summary study book CISSP All-in-One Exam Guide, 6th Edition of Shon Harris - ISBN: 9780071781732, Edition: 6, Year of publication: 2012 (summary CISSP)
CISSP Summary
Contents
Chapter 2: Information Security Governance and Risk Management ..... 2
Chapter 3: Access Control ..... 21
Chapter 4: Security Architecture and Design ..... 33
Chapter 5: Physical and Environmental Security ..... 46
Chapter 6: Telecommunications and Network Security ..... 50
Chapter 7: Cryptography ..... 66
Chapter 8: Business Continuity and Disaster Recovery ..... 77
Chapter 9: Legal, Regulations, Investigations and Compliance ..... 82
Chapter 10: Software Development Security ..... 88
Chapter 11: Security Operations ..... 100
Chapter 2: Information Security Governance and Risk Management
Fundamental Principles of Security:
Availability ensures reliable and timely access to data and resources for
authorized individuals.
Integrity is upheld when the accuracy and reliability of information and systems
are assured and any unauthorized modification is prevented.
Confidentiality ensures that the necessary level of secrecy is enforced at each junction
of data processing and prevents unauthorized disclosure.
Key Terms
• Availability Reliable and timely access to data and resources is
provided to authorized individuals.
• Integrity Accuracy and reliability of the information and systems are
provided and any unauthorized modification is prevented.
• Confidentiality Necessary level of secrecy is enforced and
unauthorized disclosure is prevented.
• Shoulder surfing Viewing information in an unauthorized manner
by looking over the shoulder of someone else.
• Social engineering Gaining unauthorized access by tricking someone
into divulging sensitive information.
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that
is in place. It can be a software, hardware, procedural, or human weakness that can be
exploited.
A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is
that someone, or something, will identify a specific vulnerability and use it against the company or
individual.
A threat agent is the entity that takes advantage of a vulnerability.
A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding
business impact.
An exposure is an instance of being exposed to losses.
A control, or countermeasure, is put into place to mitigate (reduce) the potential
risk.
Key Terms
• Vulnerability Weakness or a lack of a countermeasure.
• Threat agent Entity that can exploit a vulnerability.
• Threat The danger of a threat agent exploiting a vulnerability.
• Risk The probability of a threat agent exploiting a vulnerability and
the associated impact.
• Control Safeguard that is put in place to reduce a risk, also called a
countermeasure.
• Exposure Presence of a vulnerability, which exposes the organization
to a threat.
Control types
Administrative controls are commonly referred to as "soft controls" because they are
more management-oriented. Examples of administrative controls are security documentation,
risk management, personnel security, and training.
Technical controls (also called logical controls) are software or hardware components,
such as firewalls, IDS, encryption, and identification and authentication mechanisms.
Physical controls are items put into place to protect facilities, personnel, and resources.
These control types need to be put into place to provide defense-in-depth, which is
the coordinated use of multiple security controls in a layered approach.
Control functionalities:
• Deterrent Intended to discourage a potential attacker
• Preventive Intended to avoid an incident from occurring
• Corrective Fixes components or systems after an incident has occurred
• Recovery Intended to bring the environment back to regular operations
• Detective Helps identify an incident’s activities and potentially an intruder
• Compensating Controls that provide an alternative measure of control
Key Terms: Control Types and Functionalities
• Control types Administrative, technical, and physical
• Control functionalities
• Deterrent Discourage a potential attacker
• Preventive Stop an incident from occurring
• Corrective Fix items after an incident has occurred
• Recovery Restore necessary components to return to normal
operations
• Detective Identify an incident’s activities after it took place
• Compensating Alternative control that provides similar protection
as the original control
• Defense-in-depth Implementation of multiple controls so that
successful penetration and compromise is more difficult to attain
Security Frameworks
The concept of security through obscurity assumes that your enemies are not as smart as you
are and that they cannot figure out something you feel is very tricky. "There are only two people in
the world I trust: you and me—and I'm not so sure about you."
• Frameworks:
– ISO/IEC 27000 Series
– Enterprise Architecture Development (partly)
– Security Controls Development
– COSO
– Process Management Development
• Security Program Development
– ISO/IEC 27000 series: International standards on how to develop and maintain an ISMS,
developed by ISO and IEC
• Enterprise Architecture Development
– Zachman framework: Model for the development of enterprise architectures, developed by
John Zachman
– TOGAF: Model and methodology for the development of enterprise architectures, developed by
The Open Group
– DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of
systems to meet military mission goals
– MODAF: Architecture framework used mainly in military support missions, developed by the
British Ministry of Defence
• Security Enterprise Architecture Development
– SABSA model: Model and methodology for the development of information security enterprise
architectures
• Security Controls Development
– CobiT: Set of control objectives for IT management, developed by the Information Systems
Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
– SP 800-53: Set of controls to protect U.S. federal systems, developed by the National
Institute of Standards and Technology (NIST)
• Corporate Governance
– COSO: Set of internal corporate controls to help reduce the risk of financial fraud,
developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
• Process Management
– ITIL: Processes to allow for IT service management, developed by the United Kingdom's
Office of Government Commerce
– Six Sigma: Business management strategy that can be used to carry out process improvement
– Capability Maturity Model Integration (CMMI): Organizational development for process
improvement, developed by Carnegie Mellon
Enterprise Architecture Development
• Guides modeling of an enterprise
– Stakeholders
– Views: information that is most important to the different stakeholders is illustrated
in the most useful manner
• Alignment of business and technology
• Business and technology view the same organization in ways that make sense to them
Zachman framework
The Open Group Architecture Framework (TOGAF)
Security frameworks
• DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of
systems to meet military mission goals
– Focus on command, control, communications, computers, intelligence, surveillance,
and reconnaissance systems and processes.
• MODAF: Architecture framework used mainly in military support missions, developed by the
British Ministry of Defence
– Get data in the right format to the right people as soon as possible.
• SABSA model: Model and methodology for the development of information security
enterprise architectures (Sherwood Applied Business Security Architecture)
– Integrates the requirements outlined in our security program into our existing
business structure
A security enterprise architecture should provide strategic alignment, business enablement,
process enhancement, and security effectiveness.
Strategic alignment means the business drivers and the regulatory and legal requirements
are being met by the security enterprise architecture.
When looking at the business enablement requirement of the security enterprise architecture,
we need to remind ourselves that companies are in business to make money.
The process enhancement piece can be quite beneficial to an organization if it takes
advantage of this capability when it is presented.
Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements,
achieving return on investment (ROI), meeting set baselines, and providing
management with a dashboard or balanced scorecard system. These are ways to
determine how well the current security solutions, and the architecture as a whole, are
performing.
• CobiT (Control Objectives for Information and related Technology): Set of control objectives
for IT management, developed by the Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI)
– Defines goals for the controls that should be used to properly manage IT and to
ensure that IT maps to business needs
– "Checklist" approach to IT governance, providing a list of things that must be
thought through and accomplished when carrying out different IT functions