Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
CISSP in 21 Days
CISSP in 21 Days

CISSP in 21 Days: Boost your confidence and get the competitive edge you need to crack the exam in just 21 days! , Second Edition

eBook
₹799 ₹2919.99
Paperback
₹3649.99
Subscription
Free Trial
Renews at ₹800p/m

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Table of content icon View table of contents Preview book icon Preview Book

CISSP in 21 Days

Chapter 1.  Day 1 – Security and Risk Management - Security, Compliance, and Policies

Information security and risk management are analogous to each other. The security and risk management domain forms the baseline for all information security concepts and practices. This is the first domain in CISSP CBK. Concepts on the key areas explained in this domain are across the next seven domains of CISSP, and will serve as the conceptual foundation for more complicated topics. Hence, a strong foundational knowledge in this domain will help the students in understanding the concepts in the rest of the domains.

A candidate appearing for the CISSP exam is expected to have foundational concepts and knowledge in the following key areas of the security and risk management domain:

  • Asset protection
  • Confidentiality, Integrity, and Availability (CIA)
  • Security governance principles
  • Compliance
  • Legal and regulatory issues that pertain to information security in the global context
  • Professional ethics
  • Personnel security policies
  • Risk management principles
  • Threat modeling
  • Business continuity planning
  • Security risk considerations in acquisition strategy and practice
  • Security education training and awareness

This chapter gives an overview of Security, Compliance, and Policies using a high-level illustration. This is followed with an overview of asset and asset protection. Furthermore, the concepts of Confidentiality, Integrity, and Availability (CIA) are explained with suitable examples. Security governance principles, compliance frameworks, and legal and regulatory issues that can impact on compliance are covered from a global perspective. Management practices that relate to security policies, standards, procedures and guidelines, as well as personnel security policies, are covered toward the end.

Overview of security, compliance, and policies

Asset protection forms the baseline for security. Unintended disclosure and unauthorized modification or destruction of an asset can affect security.

Observe the following illustration:

Overview of security, compliance, and policies
  • Asset requires protection
  • Protection is based on the requirements of Confidentiality, Integrity and Availability (CIA) for the
  • Security is ensured through Security Governance that comprises management practices and management oversight
  • Security is demonstrated through compliance that could be legal or regulatory
  • Compliance consists of adherence to applicable legal and regulatory requirements; applicable policies, standards, procedures and guidelines; and personnel security policies
  • Compliance can be affected by security issues

Asset

Assets can be tangible, that is, perceptible by touch. An example of a tangible asset could be a desktop computer or a laptop. Assets can be intangible, that is, not have physical presence. An example of an intangible asset could be a corporate image or an intellectual property, such as patents.

Assets are used by the organization for business processes. Every asset, whether tangible or intangible, has a certain intrinsic value to the business. The value can be monetary, or of importance, or both. For example, a simple firewall that costs less than $10000 may be protecting important business applications worth millions of dollars.

If an asset is compromised, for example, stolen or modified, and the data or a secret information is disclosed, it will have an impact that could lead to monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.

An asset can be hardware, software, data, process, product, or infrastructure that is of value to an organization, and hence, needs protection. The level of protection is based on the value of the asset to the business.

To assess protection requirements, assets are grouped based on the type of assets, such as tangible or intangible, physical or virtual, and computing or noncomputing. For example, a computer can be a physical asset as well as a computing asset, such as hardware.

Note

Note that equipment, such as plumbing tools, can also be called hardware in some countries. However, in the information security domain, hardware generally implies computing and computer-related equipment.

Assets are generally grouped as follows:

  • Physical assets: They are tangible in nature and examples include buildings, furniture, Heating, Ventilating and Air Conditioning (HVAC) equipment, and so on.
  • Hardware assets: They are related to computer and network systems. Examples include, servers, desktop computers, laptop, router, network cables and so on.
  • Software assets: They are intangible assets that an organization owns a license to use. In general, organizations may not have Intellectual Property Rights (IPR) over such assets. Examples include, Operating Systems (OS), Data Base Management Systems (DBMS), office applications, web server software, and so on.
  • Information assets: They are intangible in nature. They are owned by the organization. Examples include, business processes, policies and procedures, customer information, personnel information, agreements, and formulas developed in-house or purchased outright.
  • Personnel assets: People associated with the organization, such as employees, contractors, and third-party consultants, are grouped under this type.

Note

Note that, in certain accounting practices, software can also be classified under Property, Plant and Equipment (PPE). However, in the information security domain, software is classified as an intangible asset. Besides, software or information may be stored in hardware or physical assets, such as on hard disk or DVD.

Asset protection

In the information security domain, asset protection involves security management practices that are subjected to business and compliance requirements. Such practices for asset protection are called security controls.

Types of security controls include:

  • Physical entry controls to an office building that allow only authorized personnel
  • Monitoring controls, such as CCTV, for surveillance of critical assets
  • Controls, such as locks, for hardware assets for protection from theft
  • Tamper proofing controls, such as hashing and encryption, for software and data asset
  • Copyrights or patent for information assets to protect legal rights
  • Identity management systems to protect personnel assets from identity theft

This is not a comprehensive list of security controls. This book provides hundreds of such requirements and controls in subsequent chapters. However, a requirement or a control is not determined ad-hoc. Instead, asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment. Similarly, controls are identified through risk mitigation strategies. Risk assessment and risk mitigation strategies are covered in the next chapter.

Hence, asset protection requirements are based on risk. In order to understand risk, to perform risk assessment and select controls for asset protection, the concepts of CIA have to be understood first.

Confidentiality, Integrity, and Availability (CIA)

Information is a business asset and adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or spoken in conversations.

Information and its associated infrastructure are accessed and used in business by employees, third-party users or by automated processes. For example, an HR Manager accessing employee profile database through a database application. Each component in this activity, that is, HR manager, employee profile database, and the database application is called entities. Other examples would be a time-based job scheduler, such as cron in UNIX, such as operating systems, or a task scheduler in Windows, such as operating systems updating information through a script in a database. Here, scheduler application, the script or application it runs, and the data being accessed are entities.

Information assets and associated entities have certain levels of CIA requirements. A level could be a numeric value or representational value, such as high, low, or medium. The CIA triad is frequently referred to as tenets of information security. Tenet means something accepted as an important truth. The CIA values of an asset are established through risk analysis, which is a part of risk management. Concepts of risk management are covered in the next chapter.

Information security is characterized by preserving CIA values of an asset. Preserving is to ensure that the CIA values are maintained all the time and at all the locations. Hence, for an effective information security management, defining and maintaining CIA values is a primary requirement.

Confidentiality

Information needs to be disclosed to authorized entities for business processes, for example, an authorized employee accessing information about the prototype under development on the server. Confidentiality is to ensure that the information is not disclosed to unauthorized entities, for example, confidentiality is often achieved by encryption.

Integrity

Information has to be consistent and not altered or modified without established approval policies or procedures. Integrity is to maintain the consistency of the information internally as well as externally. This is to prevent unauthorized modification by authorized entities, for example, an update to the database record is made without approval.

Integrity is also to prevent authorized modification by unauthorized entities, for example, when malicious code is inserted in a web application by an unethical hacker. In this scenario, a hacker (an unauthorized entity) may modify an application through an established procedure (authorized update).

Availability

Availability is to ensure that information and associated services are available to authorized entities as and when required. For example, in an attack on the network through Denial-of-Service (DoS). Sometimes, an authorized update to an application may stop certain essential services and will constitute a breach in availability requirements, for example, inadvertently tripping over a server power cable may constitute as an availability breach.

Security governance

Information security for a long time was considered as a purely technical domain. Hence, the focus was to define and manage security predominantly through the Information Technology department in many organizations. It was more like protecting only the Information systems, such as computers and networks.

Information exists in many forms and the levels of assurance required vary, based on their criticality, business requirements and from legal, regulatory compliance requirements. Hence, the focus has to be on protecting the information itself, which is essential and much broader in scope compared to focusing only on Information Technology.

Information is a business asset and valuable to organizations. Information has a lifecycle. It could be handled, processed, transported, stored, archived, or destroyed. At any stage during the lifecycle, the information can be compromised. A compromise can affect the CIA requirements of the information.

Information protection is a business responsibility. It involves governance challenges, such as risk management, reporting, and accountability. Hence, it requires the involvement of senior management and the board to provide a strategic oversight for implementing and ensuring continual effectiveness.

Strategy, goals, mission, and objectives

Aligning and integrating information security with enterprise governance and IT governance frameworks is the primary strategy for the senior management and the board. It includes the definition of the current state of security and establishing goals and objectives to align with the corporate mission.

For such a strategy, goals and objectives will include understanding protection requirements, which are based on the value of information, expected outcomes of the information security program, benefits that are quantifiable, and methods to integrate information security practices with organizational practices.

A corporate mission is based on the definition of the business, its core purpose, values and beliefs, standards, and behaviors. An information security mission defines security requirements, their purpose, focus on risk management, commitment to continual maintenance, and the improvement of the information security program. Hence, aligning information security mission with the corporate's mission is one of the primary strategies of security governance.

Organizational processes

To support the information security strategy and to meet the goals and objectives, organizational processes need to be aligned to the mission. Such processes include defining the roles and responsibilities of the personnel involved with effective implementation and day-to-day management; establishing monitoring mechanisms that include reporting, review and approval processes, and ensuring that management support is available to such organizational processes.

Security roles and responsibilities

Information security is everyone's responsibility in any organization. Specific security roles and responsibilities are to be considered from the security governance perspective. Hence, the information security responsibilities of the board of directors/trustees, executives, steering committee, and chief information security officer are important at management level.

Control frameworks

To support the information security strategy and the mission, control frameworks are established by the organization. Such frameworks contain controls under three broad categories, namely, management, administrative, and technical.

Management controls

Management controls are characterized by stating the views of the management and their position in particular topics, such as information security.

For example, the Information security policy is a management control, wherein the management states its intent, support, and direction for security.

Administrative controls

While a policy is a high-level document that provides the intent of the management, administrative controls are to implement such policies.

For example, procedures, guidelines, and standards are administrative controls that support the policies. These are covered later in this chapter.

Technical controls

Information is stored and processed predominantly in IT systems. Hence, technical controls are established to support management and administrative controls in the information systems.

Firewall, intrusion detection systems, antivirus, and so on, are some examples of technical controls.

Due diligence and due care

It is important that intent and management support to information security programs is visible across the organization to investors and customers. Hence, an organization should demonstrate due diligence and due care pertaining to information security processes and activities.

Understanding risk and estimating the same, in view of the organizations' mission, prevailing threats, vulnerabilities, and attacks, and legal, regulatory compliance, form a part of the due diligence process by the management.

Implementing security governance by way of organizational processes, defining roles and responsibilities, establishing risk management processes, and monitoring effectiveness of the information security controls are due care activities by the management.

Compliance

Information security breaches in the past two decades have necessitated new security-related legal and regulatory frameworks or updates to existing legal and regulatory frameworks to include security-related compliance provisions across various countries. Requirements to comply with legal and legislative frameworks have increased exponentially due to global nature of the Internet, cross-border information exchange, electronic commerce, and services. Compliance frameworks are abundant with terms and jargon that a security professional should be aware of. Following are some of the legal and regulatory frameworks, terms, and jargons that are relevant to the Information Security domain.

Legislative and regulatory compliance

Common law is a law that is developed based on the decisions of courts and tribunals rather than through statutory laws (legislative statutes). The legal system that uses common law is called common law legal systems. Countries, such as the United Kingdom, the United States of America (most of the states in the USA), Canada, Australia, South Africa, India, Malaysia, Singapore, and Hong Kong follow common law.

There are three categories under common law that are generally established:

  1. Regulatory law, also called as Administrative law, primarily deals with the regulations of administrative agencies of the government.
  2. Criminal law deals with the violations of government laws. Criminal laws are filed by government agencies against an individual or an organization. The punishment under criminal laws includes imprisonment as well as financial penalties.
  3. Civil law deals with the lawsuits filed by private parties, such as corporations or individuals. Punishments under this law are financial or punitive damages or both.

Statutory law, legislative statute, or statute law is a legal system that is set down by the legislature or executive branch of the government. Statutory law under certain instances is also termed as codified law.

Religious are legal systems based on religious principles. Examples include Hindu, Islam, and Christian laws.

Civil Law laws are legal systems based on religious principles. Examples include Hindu, Islam, and Christian laws.

Civil Law is a legal system based on codes and legislative statutes as opposed to common law. France, Germany, and many other countries in the world follow civil law. Hence, there is a civil law category in the common law system and a civil law system itself.

Privacy requirements in compliance

Privacy is protection of Personally Identifiable Information (PII)about individuals or Sensitive Personal Information (SPI) that can be used to identify a person in context with a group. Protection under privacy is from disclosure or selective disclosure based on the individual's preferences.

National Institute of Standards and Technology (NIST) has published a guide to protecting the confidentiality of the personally identifiable information-wide NIST special publication 800-122. As per the guide, PII is defined as any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Privacy laws deal with protecting and preserving the rights of an individual's privacy.

A few examples of privacy laws in the United States include the following:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Financial Services Modernization Act (GLB), 15 U.S. Code: 6801-6810
  • Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313

In the UK, they include the following:

  • Data Protection Act 1998 (United Kingdom)
  • Data Protection Directive (European Union)

Licensing and intellectual property

Intellectual Property (IP) refers to creative works using intellect, that is, mind, music, literary works, art, inventions, symbols, designs, and so on fall under intellectual property. The creator of such intellectual work has certain exclusive rights over the property. These exclusive rights are called Intellectual Property Rights (IPR).

Intellectual property law is a legal domain that deals with Intellectual Property Rights (IPR).

Following are some of the IPR-related terminologies:

  • Copyright: This is an intellectual property that grants exclusive rights to the creator of the original work, such as deriving financial benefits out of such work, ownership credits, and so on. Others do not have 'right to copy' such work. Copyright is country-specific.
  • Patent: This is a set of exclusive rights granted to the inventor of new, useful, inventive, and industry applicable inventions. This right excludes others from making, using, selling, or importing the invention. Patents are granted for a specific period of time. A patent is a public document.
  • Trademark: This is a unique symbol or mark that is used by individuals or organizations to uniquely represent a product or a service. Trademark is also used to distinguish from products and services of other entities.
  • Trade secret: This is a formula, design, process, practice, or pattern that is not revealed to others. This is to protect the information being copied and gain competitive advantage.

Legal and regulatory issues

Information compromise or security breach that could lead to civil or criminal liability on the part of an organization will be grouped under legal and regulatory issues. For example, if a hacker intrudes into a system, obtains Personally Identifiable Information (PII), and publishes the same in an Internet portal, then the liability for failure to protect such information falls on the organization.

The following list of issues may have legal or regulatory ramifications.

Computer crimes

A computer crime is a fraudulent activity that is perpetrated against computer or IT systems. The motivation could be for financial gain, competitive gain, popularity, fame, or adventure.

In computer crime, the term computer refers to the role it plays in different scenarios. Whether the crime is committed against a computer, whether the crime is committed using the computer, whether the computer is incidental in the crime, or a combination of all the three.

The following paragraphs provide some of the common computer crimes. Remember, CIA compromise or breach will be the end result of a crime.

Fraud

Manipulation of computer records, such as data diddling, salami slicing, or any other techniques, or a deliberate circumvention of computer security systems, such as cracking or unethical hacking for monitory gain, is termed as fraud.

Note

Data diddling is a malicious activity to change the data during input or processing stage of a software program to obtain financial gain. Salami slicing, also known as penny shaving, is a fraudulent activity to regularly siphon extremely small quantity of money so as to prevent from being observed or caught.

Hacking refers to the discovery of vulnerabilities, holes, or weaknesses in computer software and associated IT systems either to exploit the same for improvising the security or to prevent intentional fraud. Hackers are persons who do hacking. However, hacking is classified with different names to distinguish the objective:

  • Black-hat hackers are people with malicious intent, who compromise the computer systems to commit crime. Such a hacker is called a cracker and the malicious hacking activity is termed as cracking.
  • White-hat hackers or ethical hackers are people who try to compromise the computer systems to discover holes and improve the security.
  • Grey-hat hackers are ambiguous wherein their actual intention is not known.

Theft

Identity theft is to steal someone's identity. The intention is to pretend to be someone else to commit fraud. Stealing passwords, login credentials, and credit card information are examples of identity theft.

Intellectual property theft is stealing software code or designs for financial gain.

Malware/malicious code

A malware is malicious software that is designed to compromise, damage, or affect the general functioning of computers, gain unauthorized access, collect private, and sensitive information and/or corrupt the data.

Writing or spreading malware is a computer crime. Viruses, worms, Trojan horses, spyware, such as Key logger, and so on are examples of malware and are explained as follows:

  • A computer virus is a malicious program or a malicious code that attaches to files and can spread from one file to another file or from one computer to another computer. Technically, a virus can spread or infect the computer if the user opens the infected file.
  • Worms are similar to viruses, but are self-replicating and propagating. Generally, worms do not require the human intervention of opening an infected file.
  • A Trojan horse is a malware that hides its identity within a legitimate program. Users are tricked into opening the file containing the malware by way of social engineering.

    Note

    Social engineering is a type of nonintrusive attack in which humans are tricked into circumventing security controls. Some of the attacks, such as phishing and Cross Site Request Forgery (CSRF), use social engineering techniques. More details about CSRF are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.

  • Spyware is a malicious code that tracks the user actions. Examples of user actions include web browsing patterns, files opened, applications accessed, and so on. A spyware is best explained as a snooping software.
  • Key loggers are a type of spyware that capture keystrokes and transmit them to an attacker's server. Sensitive information, such as username and passwords, are captured using key loggers. Key loggers can be a hardware or software.

Cyber crime

Criminal activities that are perpetrated using communication networks, such as the Internet, telephone, wireless, satellite, and mobile networks, are called as cyber crimes:

  • Cyber terrorism is a type of cybercrime perpetrated against computers and computer networks and they generally are premeditated in nature. The objective of the attacks could be to cause harm based on social, ideological, religious, political, or similar objectives.
  • Cyber stalking is a type of cybercrime in which the offender harasses or intimidates the victim using the Internet and other electronic means. It is a criminal offence under various state anti stalking, harassment laws.
  • Information warfare is a type of cybercrime to destabilize the opponent, such as corporations and institutions, to gain a competitive advantage. For example, false propaganda, web page defacement, and so on.
  • Denial-Of-Service (DoS) attack or Distributed Denial-Of-Service (DDoS) attacks are cybercrimes where websites or corporate systems of the corporations or computer systems of any user, made inaccessible by way of multiple services, request to overload the web and application servers. Eventually, the servers stops responding to genuine requests. (Ro)botnets are increasingly used for such crimes. A botnet is an army of computers listening to a control center system for executing orders. Generally, computers in a bot network are compromised systems through security vulnerability exploitation.

Tip

More details about botnets are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.

Making and digitally distributing child pornography is a cyber crime.

Digitally distributing and storing copyrighted materials of others without the copyright owner's explicit permission is a cyber crime.

Using e-mail communication to disrupt or send unsolicited commercial e-mails or induce the user to perform certain actions to steal information or money fall under cyber crime.

Following are examples of such crimes:

  • Sending Unsolicited Commercial Email (UCE) is called spamming. It is a cyber crime that clogs the networks and intrudes into the privacy of the user.
  • Phishing is a type of cyber crime wherein a user is lured to an attacker constructed illegitimate website that looks similar to actual website the user intended to visit. For example, online banking websites, e-mail login pages, and so on. A successful phishing attack would result in the capture of user credentials by the attacker.
  • Pharming is a type of cyber attack wherein a user is redirected to a malicious website constructed by the attacker. Generally, this type of redirection happens without user acceptance or knowledge.
  • SMiShing is a type of cyber attack using mobile networks. In this attack, Short Messaging Service (SMS) is used to lure the user to the attacker-constructed malicious websites. This is similar to phishing.
  • Harassment in the form of cyberstalking, cyberbullying, hate crime, online predating, and trolling are crimes that target specific individuals.

Importing and exporting controls

Many countries have import and export restrictions pertaining to the encryption of data. For example, encryption items specifically designed, developed, configured, adapted, or modified for military applications, command, control, and intelligence applications are generally controlled based on munitions lists.

Transborder data flow

The transfer of computerized data across national borders, states or political boundaries are termed as transborder data flow. Data can be personal, business, technical, and organizational. Legal issues that arise out of such data is related to ownership and the usage.

Data breaches

By definition, a data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. It can also be owing to unintentional information disclosure, data leak, or data spill.

Data breach can happen owing to hacking (unethical means), organized crimes, negligence in the disposal of media, and so on.

Data breach is a security incident, and hence, many jurisdictions have passed data breach notification laws.

In the United States, data breach-related laws are categorized as security breach laws. National Conference of State Legislatures in the United States defines the provisions of such laws as:

Security breach laws typically have provisions regarding who must comply with the law (e.g. businesses, data/ information brokers, government entities, and so on); definitions of "personal information" (e.g. name combined with SSN, drivers license or state ID, account numbers, and so on.); what constitutes a breach (e.g. unauthorized acquisition of data); requirements for notice (e.g. timing or method of notice, who must be notified); and exemptions (e.g. for encrypted information).

Professional ethics

The information security profession is based on trust, as the professional may be handling sensitive or confidential information. Ethically sound and consistently applied code of professional ethics need to be adhered to by the professional.

Codes of ethics

These are based on the safety of the commonwealth, duty to principals, such as employers, contractors, people whom a professional works for, and to each other. It requires that professionals adhere, and be seen to adhere, to the highest ethical standards of behavior.

(ISC)2 code of professional ethics

International Information System Security Certification Consortium (ISC)2 has a published code of professional ethics for its members provided as follows:

  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession

Security policies, standards, procedures, and guidelines

Policies, standards, procedures, and guidelines form a quartet of organizational mechanisms in protecting information:

  • Security policies are high-level statements that provide management intent and direction for information security. They describe the what of the description.
  • Security standards provide prescriptive statements, control objectives, and controls for enforcing security policies. In a way, they provide the how of the description. They can be internally developed by the organization and/or published by standard bodies, such as National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), or country-specific standard bodies.
  • Security procedures are step-by-step instructions to implement the policies and standards.
  • Security guidelines provide the best practice methods to support security controls selection and implementation. They can be used in whole or part while implementing security standards.

    For example, NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems provides procedures and guidelines for System security life cycle.

International Organization for Standardization (ISO) along with International Electro-Technical Commission (IEC) has published code of practice guidelines and a standard for Information Security Management System (ISMS). They are as follows:

  • ISO/IEC 27002: Code of practice for information security. This standard provides a list of best practices an organization could adopt for security management.
  • ISO/IEC 27001: This standard specifies the management framework required for Information Security and is a certifiable standard. Organizations can seek certification against this standard for their Information Security Management System (ISMS).

Personnel security policies

Personnel security policies concern people associated with the organization, such as employees, contractors, and consultants. These policies encompass the following:

  • Screening processes to validate security requirements
  • Understanding their security responsibilities
  • Understanding their suitability to security roles
  • Reducing the risk of theft, fraud, or the misuse of facilities

Employment candidate screening

Background verification checks are primarily used in employment candidate screening processes. They may include the following:

  1. Character references to evaluate the personal traits of the applicant. Best practice guidelines indicate character references from at least two entities, such as from business and personnel.
  2. Completeness and accuracy of the applicant's curriculum vitae and the verification of claimed academic and professional qualifications are critical checks in the screening process.
  3. Identity checks by verifying identification documents.
  4. Checking criminal records as well as credit checks.

Employment agreement and policies

Besides general job roles, based on the business requirements, information security responsibilities that include information handling requirements should form part of the employment agreement and policies.

Employees should also be aware of organization's information security policies, and when they are given access to sensitive or confidential information, they need to additionally sign confidentiality and nondisclosure agreements.

Employment termination processes

Employee termination processes have to be in accordance with the established security policies and practices. The primary objective of the process is to ensure that employees, contractors, and third-party users exit or change employment as per established procedures without compromising security. The procedures may include termination of responsibilities, return of assets, removal of access rights, and so on.

Vendor, consultant, and contractor controls

Third-party users, such as vendors, consultants, and contractors, need access to the information and associated systems based on the job function. Information protection starts from screening process, confidentiality, and nondisclosure agreements.

Compliance and privacy

Adherence to policies, procedures, and so on, performing job functions as per the legal, regulatory requirements, and adherence to privacy protection mechanisms, are applicable across the board in an organization.

Summary

This chapter has covered foundational concepts in Information Security. In a nutshell, assets such as physical, hardware, software, information and personnel require protection. Protection of assets is based on CIA requirements. CIA values are determined using risk assessment methods (covered in the next chapter). Information security is ensured through security governance and demonstrated through compliance.

Continued in the next chapter are topics, such as understanding and applying risk management concepts, threat modeling, and establishing business continuity requirements in this first domain.

Sample questions

Q1. Which one of the following statements about security standards reflect the most appropriate definition?

  1. Security standards are step-by-step instructions to implement a security policy
  2. Security standards contains prescriptive statements, control objectives, and controls for implementing security
  3. Security standards document best practices
  4. Security standards are technology specific blue print diagrams

Q2. Security breach laws typically have provisions regarding who must comply with the law and additional applicable provisions. Which one of the following may not be an applicable provision?

  1. Definitions of personnel information
  2. Exemptions
  3. What constitutes a breach
  4. Requirements for certification

Q3. Which statements, among the following are published by (ISC)2 in the Code of professional ethics (this is a drag and drop type of question. Here you can draw a line from the list of answers from the left to the empty box on the right-hand side)?

Sample questions

Q4. A security practitioner is evaluating a privacy breach scenario for an ecommerce order placement and process setup. Choose a location where a possible privacy security breach could happen due to insecure implementation (this is a hot spot type of question. Place a tick mark in the appropriate circle).

Sample questions
Left arrow icon Right arrow icon

Key benefits

  • Day-by-day plan to study and assimilate core concepts from CISSP CBK
  • Revise and take a mock test at the end of every four chapters
  • A systematic study and revision of myriad concepts to help you crack the CISSP examination

Description

Certified Information Systems Security Professional (CISSP) is an internationally recognized and coveted qualification. Success in this respected exam opens the door to your dream job as a security expert with an eye-catching salary. But passing the final exam is challenging. Every year a lot of candidates do not prepare sufficiently for the examination, and fail at the final stage. This happens when they cover everything but do not revise properly and hence lack confidence. This simple yet informative book will take you through the final weeks before the exam with a day-by-day plan covering all of the exam topics. It will build your confidence and enable you to crack the Gold Standard exam, knowing that you have done all you can to prepare for the big day. This book provides concise explanations of important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK). Starting with Confidentiality, Integrity, and Availability, you will focus on classifying information and supporting assets. You will understand data handling requirements for sensitive information before gradually moving on to using secure design principles while implementing and managing engineering processes. You will understand the application of cryptography in communication security and prevent or mitigate strategies for network attacks. You will also learn security control requirements and how to assess their effectiveness. Finally, you will explore advanced topics such as automated and manual test result analysis and reporting methods. A complete mock test is included at the end to evaluate whether you're ready for the exam. This book is not a replacement for full study guides; instead, it builds on and reemphasizes concepts learned from them.

Who is this book for?

If you are a Networking professional aspiring to take the CISSP examination and obtain the coveted CISSP certification (considered to be the Gold Standard in Information Security personal certification), then this is the book you want. This book assumes that you already have sufficient knowledge in all 10 domains of the CISSP CBK by way of work experience and knowledge gained from other study books.

What you will learn

  • Review Exam Cram and Practice review questions to reinforce the required concepts
  • Follow the day–by-day plan to revise important concepts a month before the CISSP® exam
  • Boost your time management for the exam by attempting the mock question paper
  • Develop a structured study plan for all 10 CISSP® domains
  • Build your understanding of myriad concepts in the Information Security domain
  • Practice the full-blown mock test to evaluate your knowledge and exam preparation

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jun 30, 2016
Length: 402 pages
Edition : 2nd
Language : English
ISBN-13 : 9781785880704
Category :
Concepts :

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Product Details

Publication date : Jun 30, 2016
Length: 402 pages
Edition : 2nd
Language : English
ISBN-13 : 9781785880704
Category :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
₹800 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
₹4500 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₹400 each
Feature tick icon Exclusive print discounts
₹5000 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₹400 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 11,396.97
Kali Linux 2:  Windows Penetration Testing
₹4096.99
CISSP in 21 Days
₹3649.99
Information Security Handbook
₹3649.99
Total 11,396.97 Stars icon
Banner background image

Table of Contents

21 Chapters
1. Day 1 – Security and Risk Management - Security, Compliance, and Policies Chevron down icon Chevron up icon
2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education Chevron down icon Chevron up icon
3. Day 3 – Asset Security - Information and Asset Classification Chevron down icon Chevron up icon
4. Day 4 – Asset Security - Data Security Controls and Handling Chevron down icon Chevron up icon
5. Day 5 – Exam Cram and Practice Questions Chevron down icon Chevron up icon
6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation Chevron down icon Chevron up icon
7. Day 7 – Security Engineering - Cryptography Chevron down icon Chevron up icon
8. Day 8 – Communication and Network Security - Network Security Chevron down icon Chevron up icon
9. Day 9 – Communication and Network Security - Communication Security Chevron down icon Chevron up icon
10. Day 10 – Exam Cram and Practice Questions Chevron down icon Chevron up icon
11. Day 11 – Identity and Access Management - Identity Management Chevron down icon Chevron up icon
12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks Chevron down icon Chevron up icon
13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests Chevron down icon Chevron up icon
14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting Chevron down icon Chevron up icon
15. Day 15 – Exam Cram and Practice Questions Chevron down icon Chevron up icon
16. Day 16 – Security Operations - Foundational Concepts Chevron down icon Chevron up icon
17. Day 17 – Security Operations - Incident Management and Disaster Recovery Chevron down icon Chevron up icon
18. Day 18 – Software Development Security - Security in Software Development Life Cycle Chevron down icon Chevron up icon
19. Day 19 – Software Development Security - Assessing effectiveness of Software Security Chevron down icon Chevron up icon
20. Day 20 – Exam Cram and Practice Questions Chevron down icon Chevron up icon
21. Day 21 – Exam Cram and Mock Test Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Empty star icon Empty star icon Empty star icon Empty star icon 1
(1 Ratings)
5 star 0%
4 star 0%
3 star 0%
2 star 0%
1 star 100%
S. Rose Sep 02, 2016
Full star icon Empty star icon Empty star icon Empty star icon Empty star icon 1
This book is a brief overview of everything that may appear on the exam, with brief explanations.Pros:Quickly run through, marking unfamiliar subjects to use other study products for.Cons:Uses acronyms way too much. I counted about 34 times IP was used in different context outside of Internet Protocol.There are NO answers to the "sample" questions given at the end of each chapter, nor the mock exam.The "Full Blown Mock Test" that is verbatim on the back of the book, is only 178 questions... not even close to the actual CISSP.This book was suppose to be written in 2016. In the preface, it claims to go over the 8 domains covered. On the back of the book refers to the 10 domains covered. In 2015 the exam switched to 8 domains. Who doesn't check for this. I would of been fine if at LEAST the questions had answers, but this is ridiculous, and clearly this was a rushed out book with minimal updates to the current exam, which by current, is over a year old.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.