You're reading from CISSP in 21 Days Boost your confidence and get the competitive edge you need to crack the exam in just 21 days!

Product type Paperback

Published in Jun 2016

Publisher

ISBN-13 9781785884498

Length 402 pages

Edition 2nd Edition

Concepts

Cybersecurity

Author (1):

M. L. Srinivasan

View More author details

Table of Contents (22) Chapters

Preface

1. Day 1 – Security and Risk Management - Security, Compliance, and Policies FREE CHAPTER

2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education

3. Day 3 – Asset Security - Information and Asset Classification

4. Day 4 – Asset Security - Data Security Controls and Handling

5. Day 5 – Exam Cram and Practice Questions

6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation

7. Day 7 – Security Engineering - Cryptography

8. Day 8 – Communication and Network Security - Network Security

9. Day 9 – Communication and Network Security - Communication Security

10. Day 10 – Exam Cram and Practice Questions

11. Day 11 – Identity and Access Management - Identity Management

12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks

13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests

14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting

15. Day 15 – Exam Cram and Practice Questions

16. Day 16 – Security Operations - Foundational Concepts

17. Day 17 – Security Operations - Incident Management and Disaster Recovery

18. Day 18 – Software Development Security - Security in Software Development Life Cycle

19. Day 19 – Software Development Security - Assessing effectiveness of Software Security

20. Day 20 – Exam Cram and Practice Questions

21. Day 21 – Exam Cram and Mock Test

Confidentiality, Integrity, and Availability (CIA)

Information is a business asset and adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or spoken in conversations.

Information and its associated infrastructure are accessed and used in business by employees, third-party users or by automated processes. For example, an HR Manager accessing employee profile database through a database application. Each component in this activity, that is, HR manager, employee profile database, and the database application is called entities. Other examples would be a time-based job scheduler, such as cron in UNIX, such as operating systems, or a task scheduler in Windows, such as operating systems updating information through a script in a database. Here, scheduler application, the script or application it runs, and the data being accessed are entities.

Information assets and associated entities have certain levels of CIA requirements. A level could be a numeric value or representational value, such as high, low, or medium. The CIA triad is frequently referred to as tenets of information security. Tenet means something accepted as an important truth. The CIA values of an asset are established through risk analysis, which is a part of risk management. Concepts of risk management are covered in the next chapter.

Information security is characterized by preserving CIA values of an asset. Preserving is to ensure that the CIA values are maintained all the time and at all the locations. Hence, for an effective information security management, defining and maintaining CIA values is a primary requirement.

Confidentiality

Information needs to be disclosed to authorized entities for business processes, for example, an authorized employee accessing information about the prototype under development on the server. Confidentiality is to ensure that the information is not disclosed to unauthorized entities, for example, confidentiality is often achieved by encryption.

Integrity

Information has to be consistent and not altered or modified without established approval policies or procedures. Integrity is to maintain the consistency of the information internally as well as externally. This is to prevent unauthorized modification by authorized entities, for example, an update to the database record is made without approval.

Integrity is also to prevent authorized modification by unauthorized entities, for example, when malicious code is inserted in a web application by an unethical hacker. In this scenario, a hacker (an unauthorized entity) may modify an application through an established procedure (authorized update).

Availability

Availability is to ensure that information and associated services are available to authorized entities as and when required. For example, in an attack on the network through Denial-of-Service (DoS). Sometimes, an authorized update to an application may stop certain essential services and will constitute a breach in availability requirements, for example, inadvertently tripping over a server power cable may constitute as an availability breach.