55 Cards in this Set
8 Domains of CISSP

1 Security & Risk Management (governance)


2 Asset Security (classify info & supporting assets)


3 Security Engineering (implement lifecycle)


4 Communication & Network Security


5 Identity & Access Mgt


6 Security Assessment & Testing


7 Security Operations


8 Software Development Security



1 Security & Risk Management Domain

addresses the framework and policies, concepts, principles, structures and standards used to establish criteria for the protection of information assets and to assess the effectiveness of that protection

2 Asset Security Domain

contains the concepts, principles, structures & standards used to monitor and secure assets & those controls used to enforce various levels of confidentiality, integrity and availability.

3 Security Engineering Domain

contains the concepts, principles, structures & standards used to DESIGN, IMPLEMENT, monitor & secure operating systems, equipment, networks, applications and those controls used to enforce various levels of confidentiality, integrity and availability.

4 Communication & Network Security Domain

encompasses the structures, transmission methods, transport formats, and security measures used to provide confidentiality, integrity and availability for TRANSMISSIONS over private and public communication networks and media. The network is the most central asset in most IT environments.

NETWORK ASSURANCE

the combined properties of confidentiality, integrity, availability, authentication & non-repudiation. Loss of network assurance is devastating to an organization because it opens many venues for attack.

5 Identity & Access Management Domain

the most pervasive aspect of information security. Access controls encompass all operational levels of an organization, including facilities, support systems, information systems, & personnel.

6 Security Assessment & Testing Domain

covers a broad range of ongoing and point-in-time testing methods used to determine vulnerabilities & associated risk. Test & Evaluation (T&E) provides knowledge to assist in managing the risks involved in developing, producing, operating, & sustaining systems & capabilities.

7 Security Operations Domain

used to identify critical information & execute selected measures that eliminate or reduce adversary exploitation of this information. Includes controls over hardware, media and operators with access privileges; includes auditing and monitoring to identify security events.

8 Software Development Security Domain

understand & apply security in the software development life-cycle; enforce security controls in the development environment; assess the effectiveness of software security; assess software acquisition security

D1 Security & Risk Mgt - Information Security Mgt

establishes the foundation of a proactive and comprehensive security program to assure the protection of an organization's information assets. Also: communicates the risks the organization currently accepts given the security controls implemented; works to cost-effectively enhance the controls to mitigate risk

D1 Security & Risk Mgt - Security Mgt

encompasses the administrative, technical & physical controls necessary to adequately protect the confidentiality, integrity, and availability of information assets. Controls are manifested through a foundation of policies, procedures, standards, baselines, & guidelines. Also covers requirements for managing data as it flows between various parties for business use

D1 Security & Risk Mgt -


Info Security Mgt Practices

information assets are classified & through risk assessment, related threats & vulnerabilities are categorized, & appropriate safeguards to mitigate risk of compromise can be identified and prioritized.

D1 Security & Risk Mgt -


Risk Management

minimizes the loss of information assets due to undesirable events through identification, measurement & control. Mechanism to ensure management knows current risks and can make informed decisions based on risk mgt principles

D1


Business Continuity Planning & Disaster Recovery Planning

the preparation, processes and practices required to ensure preservation of the organization in the face of major disruptions to normal operations

D1 Security & Risk Management


6 Parts of Risk Mgt Framework

1 Strategic


2 Financial (liquidity/credit/market)


3 Organization


4 Technology


5 Operations (people/process/events)


6 Legal/Regulatory


(see figure 1.1)

D1Security & Risk Management


Confidentiality, Integrity & Availability (CIA)


CONFIDENTIALITY

Confidentiality supports the concept of "least privilege" - people, processes, or systems should only have access to information on a need-to-know basis. Data Classification (public, sensitive but unclassified (SBU), internal use only, confidential) is a measure used to help ensure confidentiality controls are in place

D1 Security & Risk management


Confidentiality, Integrity & Availability (CIA)


INTEGRITY

INTEGRITY - information should be protected from intentional, unauthorized or accidental changes. Controls include segregation of duties, SDLC checkpoints, testing practices, limited update capabilities.

D1 Security & Risk management


Confidentiality, Integrity & Availability (CIA)


AVAILABILITY

AVAILABILITY - ensures information is accessible and available when needed - think of the impact of extended downtime due to "denial of service" attacks or disasters. Controls include virus & malicious code detection, BCP and DR.


(figure 1.2 - CIA triad: confidentiality, integrity and availability as the three sides surrounding "data & services")

D1 Security & Risk management


SECURITY GOVERNANCE

Information Security Governance provides the mechanisms for the board of directors and management to have the proper oversight to manage the risk to the enterprise to an acceptable level

D1 Security & Risk management


IT Governance Institute (ITGI)-
9 things Board of Directors should do

1 be informed about information security

2 set direction to drive policy & strategy


3 provide resources to security efforts


4 assign management responsibilities


5 set priorities


6 support changes required


7 define cultural values re risk assessment


8 obtain assurance from int/ext auditors


9 security investments measurable/reported on

D1 Security & Risk management


IT Governance Institute (ITGI)-


10 things Management should do

1 write security policies w business input


2 roles/responsibilities defined/understood


3 id threats/vulnerabilities


4 security infrastructure/control frameworks


5 policy approved by governing body


6 establish priorities & implement projects


7 monitor breaches


8 conduct periodic reviews/tests


9 reinforce awareness education as critical


10 build security into the SDLC

D1 Security & Risk management


Goals, Mission & Objectives of the Organization

protect the assets of the organization through implementation of physical, admin, managerial, technical, & operational controls... reduce risk of loss to confidentiality, integrity, & availability. security exists to support & enable the business vision, mission & business objectives of the organization

D1 Security & Risk management


Security & Risk Management Relationships

ensure risks identified & adequate controls in place


- Assess Risks & Determine Needs


- Monitor & Evaluate


- Promote Awareness


- Implement Policies & Controls

D1 Security & Risk management


Information Security Officer Responsibilities

accountable for ensuring the protection of all information system assets from intentional and unintentional loss, disclosure, alteration, destruction & unavailability. Facilitator of Info Sec because must involve/enlist others in the org. Keep up with changes; anticipate threats; track regulatory requirements; keep records of compliance

D1 Security & Risk management


Computer Incident Response Teams (CIRTS)

group of management, technical, communications and infrastructure individuals responsible for evaluating incidents and damage & providing the correct response to repair systems and collect evidence for potential prosecution or sanctions

D1 Security & Risk management


Information Security Officer Responsibilities

- write/implement security policies, procedures, baselines, guidelines, & standards


- internal/external compliance audits/reviews


- establish & manage CIRTS


- develop & promote multi-faceted awareness program


- be involved in organization's management teams & organizational meetings


- integrate security into the organization's strategy

D1 Security & Risk management


ISSO must Communicate Risks to Executive Management

the exec team (C-level+1) is interested in balancing acceptable risk with meeting mission objectives of the business. Ask: threat? risk impact & probability? cost of safeguard? residual risk? how long will it take? other competing resource needs?
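Worked example (added here; it is not from the flashcards or the CISSP text they summarize): a small risk register that answers the executive questions above with numbers. It assumes the standard quantitative formulas, which the card does not spell out: single loss expectancy SLE = asset value × exposure factor, annualized loss expectancy ALE = SLE × annualized rate of occurrence (ARO), and the value of a safeguard = ALE before − ALE after − annual safeguard cost. The three threats, their dollar values, probabilities and control costs are constructed for illustration.

```python
"""Quantitative risk register: added worked example, not from the page.

Formulas assumed here (standard CISSP Domain 1 material, not stated on
the page):
    SLE = asset_value * exposure_factor
    ALE = SLE * ARO
    control value = ALE_before - ALE_after - annual_control_cost
A control is worth implementing when its value is positive; otherwise the
risk is accepted (or another control is sought). All figures below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    threat: str
    asset_value: float               # dollar value of the asset at risk
    exposure_factor: float           # fraction of asset value lost per event (0..1)
    aro: float                       # annualized rate of occurrence (events/year)
    control: str                     # proposed safeguard
    control_cost: float              # annual cost of the safeguard (dollars)
    residual_exposure_factor: float  # exposure factor with the safeguard in place
    residual_aro: float              # ARO with the safeguard in place

    def sle(self, exposure_factor=None):
        """Single loss expectancy: loss from one occurrence."""
        ef = self.exposure_factor if exposure_factor is None else exposure_factor
        return self.asset_value * ef

    def ale(self):
        """Annualized loss expectancy before the safeguard."""
        return self.sle() * self.aro

    def residual_ale(self):
        """ALE that remains after the safeguard (the residual risk)."""
        return self.sle(self.residual_exposure_factor) * self.residual_aro

    def control_value(self):
        """Annual benefit of the safeguard net of its cost; negative means
        it costs more than it saves."""
        return self.ale() - self.residual_ale() - self.control_cost


def recommend(risk):
    """Implement a control only when it reduces ALE by more than it costs."""
    return "implement" if risk.control_value() > 0 else "accept"


def prioritize(risks):
    """Order risks by current ALE so the largest exposures are discussed first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed register: three risks with invented values for illustration.
REGISTER = [
    Risk("ransomware on file server", 500_000, 0.4, 0.5,
         "offline backups + endpoint detection", 30_000, 0.4, 0.1),
    Risk("theft of unencrypted laptop", 50_000, 1.0, 1.5,
         "full-disk encryption", 5_000, 0.1, 1.5),
    Risk("defacement of lobby kiosk", 10_000, 0.5, 0.2,
         "dedicated kiosk hardening", 8_000, 0.5, 0.05),
]


def summarize(risks):
    """Return (threat, ALE, residual ALE, control value, decision) rows,
    highest ALE first."""
    return [
        (r.threat, round(r.ale()), round(r.residual_ale()),
         round(r.control_value()), recommend(r))
        for r in prioritize(risks)
    ]


if __name__ == "__main__":
    for row in summarize(REGISTER):
        print(row)
```

The kiosk row is the case the executive question "cost of safeguard?" is really about: the control reduces the exposure, but it costs more per year than the loss it prevents, so the rational answer is to accept that risk (or find a cheaper control) and spend the money on the two larger exposures.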

D1 Security & Risk management


Security Officer should report as high as possible

1. proper visibility of importance of Info Security


2. limit distortion in translation of issues


no matter what there needs to be a person designated for the enterprise with responsibility for security


if done properly security should be viewed as an enabler of the business versus a roadblock that slows innovation



D1 Security & Risk management


Reporting to the CEO

reduces filtering & demonstrates importance


good for eCommerce, Credit Card companies etc


downside CEO may not have time


consider regulatory reporting requirements


confidentiality requirements, notification requirements and methods

D1 Security & Risk management


Reporting to the Admin/Audit/Legal

some good synergies with non-IT, 1 level away from CEO, have access to risk & compliance board committees etc...

D1 Security & Risk management


Metrics

measurements help improve processes they measure, visualize long-term trends, quantify workload and justify tech & non-tech investments


key questions: what will metric prove & will it provide the evidence needed & value

D1 Security & Risk management


Information Security Strategies

Strategic Plans - aligned with strategic IT & business goals. 3-5 years. Should establish strategic goals.




Tactical Planning - broad initiatives to support goals in strategic plan 8-16 months




Operational & Project Planning - break into tasks & perform waterfall or "agile"

D1 Security & Risk Management


The Complete & Effective Security Program


"The Security Council"

an oversight committee at the management level, chaired by the security officer, with broad organizational participation (middle management or line).



should have a clear vision statement drawing on confidentiality, integrity, & availability to support business objectives.


D1 Security & Risk Management


Mission Statement

objectives that support the overall vision

D1 Security & Risk Management


"The Security Council" Oversight Responsibilities

decide on project initiatives


prioritize information security efforts


review and recommend security policies


review and audit the security program


champion organizational security efforts


recommend areas requiring investment

D1 Security & Risk Management


Control Framework characteristics

provide a governance program that is
1. consistent


2. measurable


3. standardized


4. comprehensive


5. modular




examples: NIST 800-53r4 has 285 controls in 19 families; ISO 27001:2013



D1 Security & Risk Management


Control Framework: NIST 800-53r4

285 controls in 19 families


(families are identified by two-letter codes, e.g. AC - Access Control, MP - Media Protection; the privacy controls are in Appendix J)


mandatory for US federal agencies (under FISMA)

D1 Global Legal & Regulatory Issues


computer/cyber crime examples

the average company has over 100 events & $11 million lost per year... highest in defense, financial services, energy & utilities...




cryptolocker ransomware


child porn scareware


fake/rogue antivirus software



D1 Intellectual Property Laws

protect property from those wanting to copy or use it without due compensation to the inventor or creator.




Two types: Industrial (trademarks/patents) & Copyright (artistic works)

D1 Patent

grants the owner a legally enforceable right to exclude others from practicing the covered invention for a specific period of time. Protects novel, useful and non-obvious inventions for 20 years (typically).




WIPO, an agency of the UN, administers the international patent treaties (it does not itself grant patents). In the USA, file with the USPTO.

D1 Trademark

protects the goodwill an organization invests in its products, services, or image. Creates exclusive rights for the owner of markings the public uses to identify various vendor or merchant products or goods.

D1 Copyright

protects the expression of ideas rather than the ideas themselves... writings, recordings, computer programs. Term is generally the life of the author plus 50 years (Berne Convention minimum) or plus 70 years (e.g., USA and EU).

D1 Trade Secret

must not be generally known and must provide some economic benefit to the company... also the company must take reasonable steps to keep it secret

D1 International Traffic in Arms Regulations (ITAR) & Export Administration Regulations (EAR)

ITAR: firearms, artillery, guidance systems etc..


EAR: dual-use items that have both civilian and military application (computers, telecom, info security products such as cryptography)

D1 PRIVACY

Rights and obligations of individuals & organizations with respect to the collection, use, retention and disclosure of personal information. Guidelines established by the Organization for Economic Cooperation and Development (OECD)

D1 OECD PRIVACY GUIDELINES

there should be limits to the collection of personal data, & it should be obtained lawfully &, where appropriate, with consent




Personal data should be relevant to the purposes for which they are used and accurate, complete & up to date




Purpose collected specified by time of collection




Use limited to the specified purpose, except with the consent of the data subject or by authority of law




reasonable safeguards & openness of policies




individual rights

D1 DATA BREACHES

incident - an event that compromises the confidentiality, integrity or availability of information




breach - an incident that results in disclosure or potential disclosure of data




data disclosure - breach when confirmed that data was disclosed.

D1 2014 Large Data Breaches & Causes

ebay, michaels, montana gov




POS Intrusions - 14%


Web App Attacks - 35%


Insider Misuse - 8%


Card Skimmers - 9%


Cyber Espionage - 22%

D1 VERIS


Vocabulary for Event Recording & Incident Sharing

common language for describing security incidents - who did what to what with what result?




VERIS Community Database (VCDB) vcdg.org

D1 International Compendium of Privacy Laws by BakerHostetler

Resource for staying abreast of international privacy laws in each region/country


D1 Cybernetics & computer ethics

cybernetics is the science of information feedback systems. Norbert Wiener published The Human Use of Human Beings (1950)




also Donn Parker published Rules of Ethics in Information processing in 1968

D1 National Computer Ethics and Responsibilities Campaign (NCERC)

The (ISC)² Code of Ethics (published by (ISC)² itself, not by NCERC) has four canons:


(1) protect society, the common good, necessary public trust and confidence, and the infrastructure


(2) act honorably, honestly, justly, responsibly, and legally


(3) provide diligent and competent service to principals


(4) Advance and protect the profession

D1 Develop & Implement Security Policy

procedures, standards, guidelines and baselines are components of a security policy.


policies communicate management's expectations


procedures fulfill policies through their execution


adherence to standards, baselines, and guidelines also support policy
