CISSP in 21 Days

CISSP in 21 Days: Boost your confidence and get the competitive edge you need to crack the exam in just 21 days!, Second Edition

Chapter 1.  Day 1 – Security and Risk Management - Security, Compliance, and Policies

Information security and risk management are analogous to each other. The security and risk management domain forms the baseline for all information security concepts and practices. This is the first domain in the CISSP CBK. Concepts from the key areas explained in this domain recur across the next seven domains of CISSP and serve as the conceptual foundation for more complicated topics. Hence, strong foundational knowledge in this domain will help students understand the concepts in the rest of the domains.

A candidate appearing for the CISSP exam is expected to have foundational concepts and knowledge in the following key areas of the security and risk management domain:

  • Asset protection
  • Confidentiality, Integrity, and Availability (CIA)
  • Security governance principles
  • Compliance
  • Legal and regulatory issues that pertain to information security in the global context
  • Professional ethics
  • Personnel security policies
  • Risk management principles
  • Threat modeling
  • Business continuity planning
  • Security risk considerations in acquisition strategy and practice
  • Security education training and awareness

This chapter gives an overview of security, compliance, and policies using a high-level illustration. This is followed by an overview of assets and asset protection. The concepts of Confidentiality, Integrity, and Availability (CIA) are then explained with suitable examples. Security governance principles, compliance frameworks, and legal and regulatory issues that can affect compliance are covered from a global perspective. Management practices that relate to security policies, standards, procedures, and guidelines, as well as personnel security policies, are covered toward the end.

Overview of security, compliance, and policies

Asset protection forms the baseline for security. Unintended disclosure and unauthorized modification or destruction of an asset can affect security.

Observe the following illustration:

Figure: Overview of security, compliance, and policies

  • Asset requires protection
  • Protection is based on the requirements of Confidentiality, Integrity and Availability (CIA) for the
  • Security is ensured through Security Governance that comprises management practices and management oversight
  • Security is demonstrated through compliance that could be legal or regulatory
  • Compliance consists of adherence to applicable legal and regulatory requirements; applicable policies, standards, procedures and guidelines; and personnel security policies
  • Compliance can be affected by security issues

Asset

Assets can be tangible, that is, perceptible by touch. An example of a tangible asset is a desktop computer or a laptop. Assets can also be intangible, that is, without physical presence. An example of an intangible asset is a corporate image or intellectual property, such as patents.

Assets are used by the organization for business processes. Every asset, whether tangible or intangible, has a certain intrinsic value to the business. The value can be monetary, or of importance, or both. For example, a simple firewall that costs less than $10000 may be protecting important business applications worth millions of dollars.

If an asset is compromised, for example, stolen or modified, and data or secret information is disclosed, the impact could be monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.

An asset can be hardware, software, data, process, product, or infrastructure that is of value to an organization, and hence, needs protection. The level of protection is based on the value of the asset to the business.

To assess protection requirements, assets are grouped based on the type of assets, such as tangible or intangible, physical or virtual, and computing or noncomputing. For example, a computer can be a physical asset as well as a computing asset, such as hardware.

Note

Note that equipment, such as plumbing tools, can also be called hardware in some countries. However, in the information security domain, hardware generally implies computing and computer-related equipment.

Assets are generally grouped as follows:

  • Physical assets: They are tangible in nature and examples include buildings, furniture, Heating, Ventilating and Air Conditioning (HVAC) equipment, and so on.
  • Hardware assets: They are related to computer and network systems. Examples include servers, desktop computers, laptops, routers, network cables, and so on.
  • Software assets: They are intangible assets that an organization owns a license to use. In general, organizations may not have Intellectual Property Rights (IPR) over such assets. Examples include Operating Systems (OS), Data Base Management Systems (DBMS), office applications, web server software, and so on.
  • Information assets: They are intangible in nature. They are owned by the organization. Examples include business processes, policies and procedures, customer information, personnel information, agreements, and formulas developed in-house or purchased outright.
  • Personnel assets: People associated with the organization, such as employees, contractors, and third-party consultants, are grouped under this type.

Note

Note that, in certain accounting practices, software can also be classified under Property, Plant and Equipment (PPE). However, in the information security domain, software is classified as an intangible asset. Besides, software or information may be stored in hardware or physical assets, such as a hard disk or DVD.

Asset protection

In the information security domain, asset protection involves security management practices that are subject to business and compliance requirements. Such practices for asset protection are called security controls.

Types of security controls include:

  • Physical entry controls to an office building that allow only authorized personnel
  • Monitoring controls, such as CCTV, for surveillance of critical assets
  • Controls, such as locks, for hardware assets for protection from theft
  • Tamper-proofing controls, such as hashing and encryption, for software and data assets
  • Copyrights or patents for information assets to protect legal rights
  • Identity management systems to protect personnel assets from identity theft

This is not a comprehensive list of security controls. This book provides hundreds of such requirements and controls in subsequent chapters. However, a requirement or a control is not determined ad hoc. Instead, asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment. Similarly, controls are identified through risk mitigation strategies. Risk assessment and risk mitigation strategies are covered in the next chapter.

Hence, asset protection requirements are based on risk. In order to understand risk, to perform risk assessment and select controls for asset protection, the concepts of CIA have to be understood first.

Confidentiality, Integrity, and Availability (CIA)

Information is a business asset and adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or spoken in conversations.

Information and its associated infrastructure are accessed and used in business by employees, third-party users, or automated processes. For example, an HR manager accesses an employee profile database through a database application. Each component in this activity, that is, the HR manager, the employee profile database, and the database application, is called an entity. Another example is a time-based job scheduler, such as cron in UNIX-like operating systems or a task scheduler in Windows-like operating systems, updating information in a database through a script. Here, the scheduler application, the script or application it runs, and the data being accessed are entities.

Information assets and associated entities have certain levels of CIA requirements. A level could be a numeric value or representational value, such as high, low, or medium. The CIA triad is frequently referred to as tenets of information security. Tenet means something accepted as an important truth. The CIA values of an asset are established through risk analysis, which is a part of risk management. Concepts of risk management are covered in the next chapter.

Information security is characterized by preserving the CIA values of an asset. Preserving means ensuring that the CIA values are maintained at all times and at all locations. Hence, for effective information security management, defining and maintaining CIA values is a primary requirement.

Confidentiality

Information needs to be disclosed to authorized entities for business processes, for example, an authorized employee accessing information about the prototype under development on the server. Confidentiality is to ensure that the information is not disclosed to unauthorized entities. For example, confidentiality is often achieved by encryption.

Integrity

Information has to be consistent and not altered or modified without established approval policies or procedures. Integrity is to maintain the consistency of the information internally as well as externally. This is to prevent unauthorized modification by authorized entities, for example, an update made to a database record without approval.

Integrity is also to prevent authorized modification by unauthorized entities, for example, when malicious code is inserted in a web application by an unethical hacker. In this scenario, a hacker (an unauthorized entity) may modify an application through an established procedure (authorized update).
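
The two integrity failure modes described above, as an added example that is not part of the book: a small audit that uses SHA-256 hashes and an approval register to tell them apart and to detect stored content that matches no approved version. All names (`AUTHORIZED_ENTITIES`, `Approval`, `Change`, `audit`) and the sample records are hypothetical and constructed for illustration.

```python
"""Added illustration: integrity audit over constructed change records."""
import hashlib
from dataclasses import dataclass


def sha256_hex(content: bytes) -> str:
    """Hash used as the tamper-evidence control for a record's content."""
    return hashlib.sha256(content).hexdigest()


# Entities allowed to use the update procedure (assumed for this example).
AUTHORIZED_ENTITIES = frozenset({"hr_manager", "payroll_job"})


@dataclass(frozen=True)
class Approval:
    asset: str
    content_sha256: str  # hash of the exact content that was approved
    approver: str


@dataclass(frozen=True)
class Change:
    asset: str
    actor: str
    content: bytes


OK = "ok"
UNAPPROVED = "unauthorized modification by authorized entity"
UNAUTHORIZED_ACTOR = "modification by unauthorized entity"
TAMPERED = "stored content matches no approved version"


def is_approved(asset: str, content: bytes, approvals) -> bool:
    """True if this exact content was approved for this asset."""
    digest = sha256_hex(content)
    return any(a.asset == asset and a.content_sha256 == digest for a in approvals)


def classify_change(change: Change, approvals) -> str:
    # An unauthorized entity breaches integrity even when it pushes content
    # through the established update procedure.
    if change.actor not in AUTHORIZED_ENTITIES:
        return UNAUTHORIZED_ACTOR
    # An authorized entity still needs an approval for the exact content.
    if not is_approved(change.asset, change.content, approvals):
        return UNAPPROVED
    return OK


def audit(changes, stored, approvals):
    """Return (asset, actor, finding) tuples for every integrity problem."""
    findings = []
    for change in changes:
        verdict = classify_change(change, approvals)
        if verdict != OK:
            findings.append((change.asset, change.actor, verdict))
    # Independently of the change log, what is stored must hash to an approved version.
    for asset, content in sorted(stored.items()):
        if not is_approved(asset, content, approvals):
            findings.append((asset, None, TAMPERED))
    return findings


# Constructed sample data.
APPROVED_RECORD = b"employee=1001;grade=B"
SAMPLE_APPROVALS = [
    Approval("employee/1001", sha256_hex(APPROVED_RECORD), "hr_director"),
]
SAMPLE_CHANGES = [
    Change("employee/1001", "hr_manager", APPROVED_RECORD),           # approved update
    Change("employee/1001", "hr_manager", b"employee=1001;grade=A"),  # no approval
    Change("employee/1001", "web_intruder", APPROVED_RECORD),         # unauthorized actor
]
SAMPLE_STORED = {"employee/1001": b"employee=1001;grade=A"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CHANGES, SAMPLE_STORED, SAMPLE_APPROVALS):
        print(finding)
```
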

Availability

Availability is to ensure that information and associated services are available to authorized entities as and when required. For example, a Denial-of-Service (DoS) attack on the network is a breach of availability. Sometimes, an authorized update to an application may stop certain essential services, which constitutes a breach of availability requirements. Likewise, inadvertently tripping over a server power cable may constitute an availability breach.

Security governance

For a long time, information security was considered a purely technical domain. Hence, in many organizations the focus was on defining and managing security predominantly through the Information Technology department. It was more like protecting only the information systems, such as computers and networks.

Information exists in many forms, and the levels of assurance required vary based on its criticality, business requirements, and legal and regulatory compliance requirements. Hence, the focus has to be on protecting the information itself, which is essential and much broader in scope than focusing only on Information Technology.

Information is a business asset and valuable to organizations. Information has a lifecycle. It could be handled, processed, transported, stored, archived, or destroyed. At any stage during the lifecycle, the information can be compromised. A compromise can affect the CIA requirements of the information.

Information protection is a business responsibility. It involves governance challenges, such as risk management, reporting, and accountability. Hence, it requires the involvement of senior management and the board to provide a strategic oversight for implementing and ensuring continual effectiveness.

Strategy, goals, mission, and objectives

Aligning and integrating information security with enterprise governance and IT governance frameworks is the primary strategy for the senior management and the board. It includes the definition of the current state of security and establishing goals and objectives to align with the corporate mission.

For such a strategy, goals and objectives will include understanding protection requirements, which are based on the value of information, expected outcomes of the information security program, benefits that are quantifiable, and methods to integrate information security practices with organizational practices.

A corporate mission is based on the definition of the business, its core purpose, values and beliefs, standards, and behaviors. An information security mission defines security requirements, their purpose, focus on risk management, commitment to continual maintenance, and the improvement of the information security program. Hence, aligning the information security mission with the corporate mission is one of the primary strategies of security governance.

Organizational processes

To support the information security strategy and to meet the goals and objectives, organizational processes need to be aligned to the mission. Such processes include defining the roles and responsibilities of the personnel involved with effective implementation and day-to-day management; establishing monitoring mechanisms that include reporting, review and approval processes, and ensuring that management support is available to such organizational processes.

Security roles and responsibilities

Information security is everyone's responsibility in any organization. Specific security roles and responsibilities are to be considered from the security governance perspective. Hence, the information security responsibilities of the board of directors/trustees, executives, steering committee, and chief information security officer are important at management level.

Control frameworks

To support the information security strategy and the mission, control frameworks are established by the organization. Such frameworks contain controls under three broad categories, namely, management, administrative, and technical.

Management controls

Management controls are characterized by stating the views of the management and their position in particular topics, such as information security.

For example, the Information security policy is a management control, wherein the management states its intent, support, and direction for security.

Administrative controls

While a policy is a high-level document that provides the intent of the management, administrative controls are to implement such policies.

For example, procedures, guidelines, and standards are administrative controls that support the policies. These are covered later in this chapter.

Technical controls

Information is stored and processed predominantly in IT systems. Hence, technical controls are established to support management and administrative controls in the information systems.

Firewall, intrusion detection systems, antivirus, and so on, are some examples of technical controls.

Due diligence and due care

It is important that management's intent and support for information security programs are visible across the organization, to investors, and to customers. Hence, an organization should demonstrate due diligence and due care pertaining to information security processes and activities.

Understanding and estimating risk in view of the organization's mission, prevailing threats, vulnerabilities, and attacks, and legal and regulatory compliance forms a part of the due diligence process by the management.

Implementing security governance by way of organizational processes, defining roles and responsibilities, establishing risk management processes, and monitoring effectiveness of the information security controls are due care activities by the management.


Key benefits

  • Day-by-day plan to study and assimilate core concepts from CISSP CBK
  • Revise and take a mock test at the end of every four chapters
  • A systematic study and revision of myriad concepts to help you crack the CISSP examination

Description

Certified Information Systems Security Professional (CISSP) is an internationally recognized and coveted qualification. Success in this respected exam opens the door to your dream job as a security expert with an eye-catching salary. But passing the final exam is challenging. Every year a lot of candidates do not prepare sufficiently for the examination, and fail at the final stage. This happens when they cover everything but do not revise properly and hence lack confidence. This simple yet informative book will take you through the final weeks before the exam with a day-by-day plan covering all of the exam topics. It will build your confidence and enable you to crack the Gold Standard exam, knowing that you have done all you can to prepare for the big day. This book provides concise explanations of important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK). Starting with Confidentiality, Integrity, and Availability, you will focus on classifying information and supporting assets. You will understand data handling requirements for sensitive information before gradually moving on to using secure design principles while implementing and managing engineering processes. You will understand the application of cryptography in communication security and prevent or mitigate strategies for network attacks. You will also learn security control requirements and how to assess their effectiveness. Finally, you will explore advanced topics such as automated and manual test result analysis and reporting methods. A complete mock test is included at the end to evaluate whether you're ready for the exam. This book is not a replacement for full study guides; instead, it builds on and reemphasizes concepts learned from them.

Who is this book for?

If you are a Networking professional aspiring to take the CISSP examination and obtain the coveted CISSP certification (considered to be the Gold Standard in Information Security personal certification), then this is the book you want. This book assumes that you already have sufficient knowledge in all 10 domains of the CISSP CBK by way of work experience and knowledge gained from other study books.

What you will learn

  • Review Exam Cram and Practice review questions to reinforce the required concepts
  • Follow the day-by-day plan to revise important concepts a month before the CISSP® exam
  • Boost your time management for the exam by attempting the mock question paper
  • Develop a structured study plan for all 10 CISSP® domains
  • Build your understanding of myriad concepts in the Information Security domain
  • Practice the full-blown mock test to evaluate your knowledge and exam preparation

Product Details

Publication date : Jun 30, 2016
Length: 402 pages
Edition : 2nd
Language : English
ISBN-13 : 9781785880704

Table of Contents

21 Chapters
1. Day 1 – Security and Risk Management - Security, Compliance, and Policies
2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education
3. Day 3 – Asset Security - Information and Asset Classification
4. Day 4 – Asset Security - Data Security Controls and Handling
5. Day 5 – Exam Cram and Practice Questions
6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation
7. Day 7 – Security Engineering - Cryptography
8. Day 8 – Communication and Network Security - Network Security
9. Day 9 – Communication and Network Security - Communication Security
10. Day 10 – Exam Cram and Practice Questions
11. Day 11 – Identity and Access Management - Identity Management
12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks
13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests
14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting
15. Day 15 – Exam Cram and Practice Questions
16. Day 16 – Security Operations - Foundational Concepts
17. Day 17 – Security Operations - Incident Management and Disaster Recovery
18. Day 18 – Software Development Security - Security in Software Development Life Cycle
19. Day 19 – Software Development Security - Assessing effectiveness of Software Security
20. Day 20 – Exam Cram and Practice Questions
21. Day 21 – Exam Cram and Mock Test

Customer reviews

Rating distribution
1 out of 5 stars (1 rating)
5 star 0%
4 star 0%
3 star 0%
2 star 0%
1 star 100%
S. Rose, Sep 02, 2016 (1 out of 5 stars, Amazon verified review)

This book is a brief overview of everything that may appear on the exam, with brief explanations.

Pros: Quickly run through, marking unfamiliar subjects to use other study products for.

Cons: Uses acronyms way too much. I counted about 34 times IP was used in different contexts outside of Internet Protocol. There are NO answers to the "sample" questions given at the end of each chapter, nor the mock exam. The "Full Blown Mock Test" that is verbatim on the back of the book, is only 178 questions... not even close to the actual CISSP. This book was supposed to be written in 2016. In the preface, it claims to go over the 8 domains covered. On the back of the book refers to the 10 domains covered. In 2015 the exam switched to 8 domains. Who doesn't check for this? I would have been fine if at LEAST the questions had answers, but this is ridiculous, and clearly this was a rushed out book with minimal updates to the current exam, which by current, is over a year old.