Summary (ISC)2 Certified Information Systems Security Professional (CISSP)

The Certified Information Systems Security Professional (CISSP) by (ISC)2 is ideal for information security professionals seeking to prove their understanding of cybersecurity strategy and hands-on implementation. It shows you have the advanced knowledge and technical skills to design, develop a...


Preview: 4 of 194 pages
Uploaded: 13 August 2021
Academic year: 2019/2020
Document type: Summary
Seller: jeroenkloet
BOOK SUMMARY

(ISC)2 CISSP OFFICIAL STUDY GUIDE
EIGHTH EDITION

CHAPTER 1
SECURITY GOVERNANCE THROUGH PRINCIPLES AND POLICIES

CIA Triad
Security often starts with a list of the most important security principles. In such a list, Confidentiality, Integrity
and Availability (CIA) are usually present. This CIA triad is typically viewed as the primary goals and objectives
of a security infrastructure.
• Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so.

Confidentiality and integrity depend on each other. Other concepts, conditions and aspects of confidentiality include the following:
• Sensitivity
• Discretion
• Criticality
• Concealment
• Secrecy
• Privacy
• Seclusion
• Isolation
• Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data. It ensures that data remains correct, unaltered and preserved. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities as well as mistakes made by authorized users.

Other concepts, conditions and aspects of integrity include the following:
• Accuracy
• Truthfulness
• Authenticity
• Validity
• Nonrepudiation
• Accountability
• Responsibility
• Completeness
• Comprehensiveness
• Availability means that authorized subjects are granted timely and uninterrupted access to objects. Often, availability protection controls support bandwidth and timeliness of processing as deemed necessary by the organization or situation. If a security mechanism offers availability, it offers a high level of assurance that the data, objects and resources are accessible to authorized subjects.

Availability depends on both confidentiality and integrity. Without confidentiality and integrity, availability cannot be maintained. Other concepts, conditions and aspects of availability include the following:
• Usability
• Accessibility
• Timeliness




AAA Services
You may have heard of the concept of AAA Services. The three A's in this abbreviation refer to Authentication, Authorization and Accounting (or sometimes Auditing). It actually refers to five elements:
• Identification is the process by which a subject possesses an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization and accounting.
• Authentication is the process of verifying or testing that the claimed identity is valid. Authentication requires the subject to provide additional information (e.g. a password) that corresponds to the identity they are claiming.
• Authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
• Auditing, or monitoring, is the programmatic means by which a subject's actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system. It is also the process by which unauthorized or abnormal activities are detected on a system.

NOTE
Monitoring is part of what is needed for audits, and audit logs are part of a monitoring system, but the
two terms have different meanings. Monitoring is a type of watching or oversight, while auditing is a
recording of the information into a record or file. It is possible to monitor without auditing, but you can’t
audit without some form of monitoring. But even so, these terms are often used interchangeably in casual
discussions of these topics.
• Accounting (or Accountability) relies on the capability to prove a subject's identity and track their activities. Accountability is established by linking a human to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication and identification.
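
As an added illustration (not from the study guide), the five AAA elements above as a small Python model: identification and authentication in `authenticate`, authorization in `authorize`, auditing in `_audit`, and accountability in `actions_of`. The class name, users, roles and permissions are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AAASystem:  # constructed model of the five AAA elements, not a real library API
    users: dict = field(default_factory=dict)        # identity -> (salt, hash, role)
    permissions: dict = field(default_factory=dict)  # role -> set of allowed actions
    sessions: set = field(default_factory=set)       # identities that authenticated
    audit_log: list = field(default_factory=list)    # auditing: the recorded actions

    def add_user(self, identity: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[identity] = (salt, _hash_password(password, salt), role)

    def _audit(self, identity: str, action: str, outcome: str) -> None:
        # Auditing: every attempt, allowed or not, is recorded against the identity.
        self.audit_log.append({"identity": identity, "action": action, "outcome": outcome})

    def authenticate(self, identity: str, password: str) -> bool:
        # Identification: the subject claims an identity. Authentication: verify it.
        record = self.users.get(identity)
        if record is None:
            self._audit(identity, "login", "unknown identity")
            return False
        salt, stored, _ = record
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        self._audit(identity, "login", "success" if ok else "bad password")
        if ok:
            self.sessions.add(identity)
        return ok

    def authorize(self, identity: str, action: str) -> bool:
        # Authorization: only an authenticated identity's role can grant the action.
        if identity not in self.sessions:
            self._audit(identity, action, "not authenticated")
            return False
        role = self.users[identity][2]
        allowed = action in self.permissions.get(role, set())
        self._audit(identity, action, "allowed" if allowed else "denied")
        return allowed

    def actions_of(self, identity: str) -> list:
        # Accountability: link the identity back to everything recorded about it.
        return [e for e in self.audit_log if e["identity"] == identity]
```

Note that a denied or unauthenticated request is still audited: accountability depends on recording failures as well as successes.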

Protection mechanisms
Protection mechanisms are common characteristics of security controls. Not all security controls must have
them, but many controls offer their protection for confidentiality, integrity and availability through the use of
these mechanisms:
• Layering is the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass.
• Abstraction is used for efficiency. Similar elements are put into groups, classes or roles that are assigned security controls, restrictions or permissions as a collective. This concept is used when classifying objects or assigning roles to subjects. The concept of abstraction also includes the definition of object and subject types or of objects themselves.
• Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
• Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients.

Evaluate and apply security governance principles
Security governance is the collection of practices related to supporting, defining and directing the security
efforts of an organization. All forms of governance, including security governance, must be assessed and
verified from time to time. Ultimately, security governance is the implementation of a security solution and a
management method that are tightly interconnected.
Security governance is commonly managed by a governance committee or at least a board of directors. This is the group of influential knowledge experts whose primary task is to oversee and guide the actions of security and operations for an organization.



Alignment of security function to business strategy, goals, mission and objectives
Security management planning ensures proper creation, implementation and enforcement of a security policy. Security management planning aligns the security functions to the strategy, goals, mission and objectives of the organization.

Placing the autonomy of the CISO and the CISO’s team outside the typical hierarchical structure in an
organization can improve security management across the entire organization.

Organizational processes
Security governance needs to address every aspect of an organization. This includes the organizational
processes of acquisitions, divestitures and governance committees. Acquisitions and mergers place an
organization at an increased level of risk. In addition to all the typical business and financial aspects of mergers
and acquisitions, a healthy dose of security oversight and increased scrutiny is often essential to reduce the
likelihood of losses during such a period of transformation.

Change Control/Management
The goal of change management is to ensure that any change does not lead to reduced or compromised
security. Change management is also responsible for making it possible to roll back any change to a previous
secure state.

The change control process of configuration or change management has several goals or requirements:
• Implement changes in a monitored and orderly manner. Changes are always controlled.
• A formalized test process is included to verify that a change produces expected results.
• All changes can be reversed.
• Users are informed of changes before they occur to prevent loss of productivity.
• The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
• The negative impact of changes on capabilities, functionality and performance is minimized.
• Changes are reviewed and approved by a Change Advisory Board (CAB).
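
Added example (not from the study guide): a small Python change-control model that enforces the monitored, tested, reversible and CAB-approved requirements listed above. The `ChangeControl` class, the firewall configuration and the `firewall_check` test are constructed for the example.

```python
import copy

class ChangeRejected(Exception):
    """Raised when a change reaches the system without CAB approval."""

class ChangeControl:
    # Constructed model of the change control requirements above; not a real tool.
    def __init__(self, config: dict, cab_members: list):
        self.config = config            # the live, currently secure state
        self.cab = set(cab_members)     # members of the Change Advisory Board
        self.history = []               # monitored: every change attempt is recorded

    def apply_change(self, change_id: str, approver: str, mutate, verify) -> bool:
        # mutate(config) edits a copy; verify(config) is the formalized test.
        if approver not in self.cab:    # changes are reviewed and approved by the CAB
            self.history.append((change_id, "rejected: not CAB approved", None))
            raise ChangeRejected(change_id)
        snapshot = copy.deepcopy(self.config)   # kept so the change can be reversed
        candidate = copy.deepcopy(self.config)
        mutate(candidate)
        if not verify(candidate):       # the test must show the expected result
            self.history.append((change_id, "not applied: failed verification", None))
            return False                # live config untouched: still the secure state
        self.config = candidate
        self.history.append((change_id, "applied", snapshot))
        return True

    def rollback(self, change_id: str) -> bool:
        # All changes can be reversed: restore the snapshot taken before the change.
        for cid, status, snapshot in self.history:
            if cid == change_id and status == "applied":
                self.config = copy.deepcopy(snapshot)
                self.history.append((change_id, "reverted", None))
                return True
        return False

def firewall_check(config: dict) -> bool:
    # Constructed verification: default-deny must hold and no catch-all allow rule.
    return config["default_policy"] == "deny" and "0.0.0.0/0" not in config["allow"]
```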

Data classification
Data classification, or categorization, is the primary means by which data is protected based on its need for
secrecy, sensitivity or confidentiality. Data classification is used to determine how much effort, money and
resources are allocated to protect the data and control access to it. Data classification is the process of
organizing items, objects, subjects and so on into groups, categories or collections with similarities.

The following are benefits of using a data classification scheme:
• It demonstrates an organization's commitment to protecting valuable resources and assets.
• It assists in identifying those assets that are most critical or valuable to the organization.
• It lends credence to the selection of protection mechanisms.
• It is often required for regulatory compliance or legal restrictions.
• It helps to define access levels, types of authorized uses and parameters for declassification and/or destruction of resources that are no longer valuable.
• It helps with data lifecycle management, which in part is the storage length (retention), usage and destruction of the data.

To implement a classification scheme, you must perform seven major steps or phases:
1. Identify the custodian and define their responsibilities.
2. Specify the evaluation criteria of how the information will be classified and labeled.
3. Classify and label each resource.
4. Document any exceptions to the classification policy that are discovered, and integrate them into the
evaluation criteria.
5. Select the security controls that will be applied to each classification level to provide the necessary level of
protection.
6. Specify the procedures for declassifying resources and the procedures for transferring custody of a
resource to an external party.
7. Create an enterprise-wide awareness program to instruct all personnel about the classification system.

Levels of government/military classification: