55 Cards in this Set
8 Domains of CISSP |
1 Security & Risk Management (governance) 2 Asset Security (classifying information & supporting assets) 3 Security Engineering (designing & implementing the security lifecycle) 4 Communication & Network Security 5 Identity & Access Management 6 Security Assessment & Testing 7 Security Operations 8 Software Development Security |
|
1 Security & Risk Management Domain |
addresses the framework and policies, concepts, principles, structures and standards used to establish criteria for the protection of information assets, and to assess the effectiveness of that protection |
|
2 Asset Security Domain |
contains the concepts, principles, structures & standards used to monitor and secure assets, and the controls used to enforce various levels of confidentiality, integrity and availability. |
|
3 Security Engineering Domain |
contains the concepts, principles, structures & standards used to DESIGN, IMPLEMENT, monitor & secure operating systems, equipment, networks and applications, and the controls used to enforce various levels of confidentiality, integrity and availability. |
|
4 Communication & Network Security Domain |
encompasses the structures, transmission methods, transport formats, and security measures used to provide confidentiality, integrity and availability for TRANSMISSIONS over private and public communication networks and media. The network is the most central asset in most IT environments. |
|
NETWORK ASSURANCE |
the combined properties of confidentiality, integrity, availability, authentication & non-repudiation. Loss of network assurance is devastating to an organization because it opens many avenues for attack. |
|
5 Identity & Access Management Domain |
the most pervasive aspect of information security. Access controls encompass all operational levels of an organization, including facilities, support systems, information systems & personnel. |
|
6 Security Assessment & Testing Domain |
covers a broad range of ongoing and point-in-time testing methods used to determine vulnerabilities & the associated risk. Test & Evaluation (T&E) provides the knowledge needed to manage the risks involved in developing, producing, operating & sustaining systems & capabilities. |
|
7 Security Operations Domain |
used to identify critical information and to execute selected measures that eliminate or reduce adversary exploitation of that information. Includes controls over hardware, media and operators with access privileges; includes auditing and monitoring to identify security events. |
|
8 Software Development Security Domain |
understand & apply security in the software development life-cycle; enforce security controls in the development environment; assess the effectiveness of software security; assess software acquisition security |
|
D1 Security & Risk Mgt - Information Security Mgt |
establishes the foundation of a proactive and comprehensive security program to assure the protection of an organization's information assets. Also communicates the risks the organization currently accepts given the security controls it has implemented, and works to cost-effectively enhance those controls to mitigate risk. |
|
D1 Security & Risk Mgt - Security Mgt |
encompasses the administrative, technical & physical controls necessary to adequately protect the confidentiality, integrity and availability of information assets. Controls are manifested through a foundation of policies, procedures, standards, baselines & guidelines. Also sets the requirements for managing data as it flows between various parties for business use. |
|
D1 Security & Risk Mgt - Info Security Mgt Practices |
information assets are classified, and through risk assessment the related threats & vulnerabilities are categorized, so that appropriate safeguards to mitigate the risk of compromise can be identified and prioritized. |
|
D1 Security & Risk Mgt - Risk Management |
minimizes the loss of information assets due to undesirable events through identification, measurement & control. A mechanism to ensure management knows the current risks and can make informed decisions based on risk management principles. |
|
D1 Business Continuity Planning & Disaster Recovery Planning |
the preparation, processes and practices required to ensure preservation of the organization in the face of major disruptions to normal operations |
|
D1 Security & Risk Management 6 Parts (risk categories) of the Risk Management Framework |
1 Strategic 2 Financial (liquidity/credit/market) 3 Organizational 4 Technology 5 Operations (people/process/events) 6 Legal/Regulatory (see figure 1.1) |
|
D1 Security & Risk Management Confidentiality, Integrity & Availability (CIA) CONFIDENTIALITY |
Confidentiality supports the concept of "least privilege": people, processes, or systems should only have access to information on a need-to-know basis. Data classification (public, SBU (sensitive but unclassified), internal use only, confidential) is a measure used to help ensure confidentiality controls are in place. |
|
D1 Security & Risk management Confidentiality, Integrity & Availability (CIA) INTEGRITY |
INTEGRITY - information should be protected from intentional, unauthorized or accidental changes. Controls include segregation of duties, SDLC checkpoints, testing practices, limited update capabilities. |
|
D1 Security & Risk management Confidentiality, Integrity & Availability (CIA) AVAILABILITY |
AVAILABILITY - ensures information is accessible and available when needed; think of the impact of extended downtime due to "denial of service" attacks or disasters. Controls include virus & malicious code detection, BCP and DR. (figure 1.2 - the CIA triad: confidentiality, integrity and availability surrounding data & services) |
|
D1 Security & Risk management SECURITY GOVERNANCE |
Information Security Governance provides the mechanisms for the board of directors and management to have the proper oversight to manage the risk to the enterprise to an acceptable level |
|
D1 Security & Risk management IT Governance Institute (ITGI) - 9 things the Board should do |
1 be informed about information security 2 set direction to drive policy & strategy 3 provide resources to security efforts 4 assign management responsibilities 5 set priorities 6 support the changes required 7 define cultural values regarding risk assessment 8 obtain assurance from internal/external auditors 9 ensure security investments are measurable and reported on |
|
D1 Security & Risk management IT Governance Institute (ITGI)- 10 things Management should do |
1 write security policies with business input 2 roles/responsibilities defined & understood 3 identify threats/vulnerabilities 4 establish the security infrastructure & control frameworks 5 policy approved by the governing body 6 establish priorities & implement projects 7 monitor breaches 8 conduct periodic reviews/tests 9 reinforce awareness education as critical 10 build security into the SDLC |
|
D1 Security & Risk management Goals, Mission & Objectives of the Organization |
protect the assets of the organization through implementation of physical, administrative, managerial, technical & operational controls, reducing the risk of loss to confidentiality, integrity & availability. Security exists to support & enable the business vision, mission & business objectives of the organization. |
|
D1 Security & Risk management Security & Risk Management Relationships |
ensure risks are identified & adequate controls are in place: Assess Risks & Determine Needs; Monitor & Evaluate; Promote Awareness; Implement Policies & Controls |
|
D1 Security & Risk management Information Security Officer Responsibilities |
accountable for ensuring the protection of all information system assets from intentional and unintentional loss, disclosure, alteration, destruction & unavailability. Acts as a facilitator of information security because others in the organization must be involved and enlisted. Must keep up with changes, anticipate threats, track regulatory requirements and maintain records of compliance. |
|
D1 Security & Risk management Computer Incident Response Teams (CIRTs) |
a group of management, technical, communications and infrastructure individuals responsible for evaluating incidents and damage, providing the correct response to repair the system, and collecting evidence for potential prosecution or sanctions |
|
D1 Security & Risk management Information Security Officer Responsibilities (continued) |
- write/implement security policies, procedures, baselines, guidelines & standards - internal/external compliance audits/reviews - establish & manage CIRTs - develop & promote a multi-faceted awareness program - be involved in the organization's management teams & organizational meetings - integrate security into the organization's strategy |
|
D1 Security & Risk management ISSO must Communicate Risks to Executive Management |
the executive team (C-level + 1) is interested in balancing acceptable risk with meeting the mission objectives of the business. Ask: what is the threat? risk impact & probability? cost of the safeguard? residual risk? how long will it take? other competing resource needs? |
|
D1 Security & Risk management Security Officer should report as high as possible |
1. proper visibility of the importance of information security 2. limited distortion in the translation of issues. No matter what, there needs to be a person designated for the enterprise with responsibility for security. If done properly, security should be viewed as an enabler of the business rather than a roadblock that slows innovation. |
|
D1 Security & Risk management Reporting to the CEO |
reduces filtering & demonstrates importance; good for eCommerce, credit card companies etc. Downside: the CEO may not have time. Consider regulatory reporting requirements, confidentiality requirements, and notification requirements and methods. |
|
D1 Security & Risk management Reporting to the Admin/Audit/Legal |
some good synergies with non-IT functions; one level away from the CEO; has access to the risk & compliance board committees, etc. |
|
D1 Security & Risk management Metrics |
measurements help improve the processes they measure, visualize long-term trends, quantify workload and justify technical & non-technical investments. Key questions: what will the metric prove, and will it provide the evidence needed & the value? |
|
D1 Security & Risk management Information Security Strategies |
Strategic Plans - aligned with strategic IT & business goals; 3-5 years; should establish strategic goals. Tactical Planning - broad initiatives to support the goals in the strategic plan; 8-16 months. Operational & Project Planning - break initiatives into tasks & perform them using waterfall or "agile" |
|
D1 Security & Risk Management The Complete & Effective Security Program "The Security Council" |
an oversight committee at the management level, chaired by the security officer, with broad organizational participation (middle management or line). It should have a clear vision statement drawing on confidentiality, integrity & availability to support business objectives. |
|
D1 Security & Risk Management Mission Statement |
objectives that support the overall vision |
|
D1 Security & Risk Management "The Security Council" Oversight Responsibilities |
decide on project initiatives; prioritize information security efforts; review and recommend security policies; review and audit the security program; champion organizational security efforts; recommend areas requiring investment |
|
D1 Security & Risk Management Control Framework characteristics |
provide a governance program that is 2. measurable 3. standardized 4. comprehensive 5. modular. Examples: NIST SP 800-53 r4 (285 controls in 19 families); ISO 27001:2013 |
|
D1 Security & Risk Management Control Framework: NIST SP 800-53 r4 |
285 controls in 19 families (e.g. AC - Access Control; MP - Media Protection; the privacy controls of Appendix J, etc.); mandatory for US federal government agencies |
|
D1 Global Legal & Regulatory Issues computer/cyber crime examples |
the average company has over 100 events & 11 million lost; highest in defense, financial services, energy & utilities. Examples: CryptoLocker ransomware; child pornography; scareware; fake/rogue antivirus software |
|
D1 Intellectual Property Laws |
protect property from those wanting to copy or use it without due compensation to the inventor or creator. Two types: Industrial (trademarks/patents) & Copyright (artistic works) |
|
D1 Patent |
grants the owner a legally enforceable right to exclude others from practicing the covered invention for a specific period of time. Protects novel, useful and non-obvious inventions for 20 years (typically). WIPO, an agency of the UN, administers international patent filings. In the USA, file with the USPTO. |
|
D1 Trademark |
protects the goodwill an organization invests in its products, services, or image. Creates exclusive rights for the owner of the markings the public uses to identify a vendor's or merchant's products or goods. |
|
D1 Copyright |
protects the expression of ideas rather than the ideas themselves: writings, recordings, computer programs. Lasts for the creator's life plus 50 years (the Berne minimum) or plus 70 years (e.g. in the US). |
|
D1 Trade Secret |
must not be generally known and must provide some economic benefit to the company; there must also be reasonable steps taken to protect its secrecy |
|
D1 International Traffic in Arms Regulations (ITAR) & Export Administration Regulations (EAR) |
ITAR covers firearms, artillery, guidance systems etc.; EAR covers dual-use items (computers, telecom, information security) |
|
D1 PRIVACY |
the rights and obligations of individuals & organizations with respect to the collection, use, retention and disclosure of personal information. Guidelines are established by the Organization for Economic Cooperation and Development (OECD). |
|
D1 OECD PRIVACY GUIDELINES |
Collection limitation - there should be limits to the collection of personal data, & it should be obtained lawfully &, where appropriate, with consent. Data quality - personal data should be relevant to the purposes for which it is used, and accurate, complete & up to date. Purpose specification - the purpose is specified by the time of collection. Use limitation - use only for that purpose, or with consent or by authority of law. Security safeguards - reasonable safeguards. Openness - openness of policies. Individual participation - individual rights. |
|
D1 DATA BREACHES |
incident - an event that compromises the confidentiality, integrity or availability of information. breach - an incident that results in disclosure or potential disclosure of data. data disclosure - a breach in which it is confirmed that data was disclosed. |
|
D1 2014 Large Data Breaches & Causes |
eBay, Michaels, Montana government. Causes: POS Intrusions - 14%; Web App Attacks - 35%; Insider Misuse - 8%; Card Skimmers - 9%; Cyber Espionage - 22% |
|
D1 VERIS Vocabulary for Event Recording & Incident Sharing |
a common language for describing security incidents: who did what to what, with what result? VERIS Community Database (VCDB): vcdb.org |
|
D1 International Compendium of Privacy Laws by BakerHostetler |
a resource for staying abreast of international privacy laws in each region/country |
|
D1 Cybernetics & computer ethics |
cybernetics is the science of information feedback systems. Norbert Wiener published The Human Use of Human Beings (1950); Donn Parker published Rules of Ethics in Information Processing in 1968 |
|
D1 National Computer Ethics and Responsibilities Campaign (NCERC) |
an ethics campaign; compare the (ISC)² Code of Professional Ethics, which has four canons: (1) protect society, the commonwealth and the infrastructure (2) act honorably, honestly, justly, responsibly and legally (3) provide diligent and competent service to principals (4) advance and protect the profession |
|
D1 Develop & Implement Security Policy |
procedures, standards, guidelines and baselines are components of a security policy. Policies communicate management's expectations; procedures fulfill policies through their execution; adherence to standards, baselines and guidelines also supports policy. |
|