You're reading from CISSP in 21 Days Boost your confidence and get the competitive edge you need to crack the exam in just 21 days!

Product type Paperback

Published in Jun 2016

Publisher

ISBN-13 9781785884498

Length 402 pages

Edition 2nd Edition

Concepts

Cybersecurity

Author (1):

M. L. Srinivasan

View More author details

Table of Contents (22) Chapters

Preface

1. Day 1 – Security and Risk Management - Security, Compliance, and Policies FREE CHAPTER

2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education

3. Day 3 – Asset Security - Information and Asset Classification

4. Day 4 – Asset Security - Data Security Controls and Handling

5. Day 5 – Exam Cram and Practice Questions

6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation

7. Day 7 – Security Engineering - Cryptography

8. Day 8 – Communication and Network Security - Network Security

9. Day 9 – Communication and Network Security - Communication Security

10. Day 10 – Exam Cram and Practice Questions

11. Day 11 – Identity and Access Management - Identity Management

12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks

13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests

14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting

15. Day 15 – Exam Cram and Practice Questions

16. Day 16 – Security Operations - Foundational Concepts

17. Day 17 – Security Operations - Incident Management and Disaster Recovery

18. Day 18 – Software Development Security - Security in Software Development Life Cycle

19. Day 19 – Software Development Security - Assessing effectiveness of Software Security

20. Day 20 – Exam Cram and Practice Questions

21. Day 21 – Exam Cram and Mock Test

Security governance

Information security for a long time was considered as a purely technical domain. Hence, the focus was to define and manage security predominantly through the Information Technology department in many organizations. It was more like protecting only the Information systems, such as computers and networks.

Information exists in many forms and the levels of assurance required vary, based on their criticality, business requirements and from legal, regulatory compliance requirements. Hence, the focus has to be on protecting the information itself, which is essential and much broader in scope compared to focusing only on Information Technology.

Information is a business asset and valuable to organizations. Information has a lifecycle. It could be handled, processed, transported, stored, archived, or destroyed. At any stage during the lifecycle, the information can be compromised. A compromise can affect the CIA requirements of the information.

Information protection is a business responsibility. It involves governance challenges, such as risk management, reporting, and accountability. Hence, it requires the involvement of senior management and the board to provide a strategic oversight for implementing and ensuring continual effectiveness.

Strategy, goals, mission, and objectives

Aligning and integrating information security with enterprise governance and IT governance frameworks is the primary strategy for the senior management and the board. It includes the definition of the current state of security and establishing goals and objectives to align with the corporate mission.

For such a strategy, goals and objectives will include understanding protection requirements, which are based on the value of information, expected outcomes of the information security program, benefits that are quantifiable, and methods to integrate information security practices with organizational practices.

A corporate mission is based on the definition of the business, its core purpose, values and beliefs, standards, and behaviors. An information security mission defines security requirements, their purpose, focus on risk management, commitment to continual maintenance, and the improvement of the information security program. Hence, aligning information security mission with the corporate's mission is one of the primary strategies of security governance.

Organizational processes

To support the information security strategy and to meet the goals and objectives, organizational processes need to be aligned to the mission. Such processes include defining the roles and responsibilities of the personnel involved with effective implementation and day-to-day management; establishing monitoring mechanisms that include reporting, review and approval processes, and ensuring that management support is available to such organizational processes.

Security roles and responsibilities

Information security is everyone's responsibility in any organization. Specific security roles and responsibilities are to be considered from the security governance perspective. Hence, the information security responsibilities of the board of directors/trustees, executives, steering committee, and chief information security officer are important at management level.

Control frameworks

To support the information security strategy and the mission, control frameworks are established by the organization. Such frameworks contain controls under three broad categories, namely, management, administrative, and technical.

Management controls

Management controls are characterized by stating the views of the management and their position in particular topics, such as information security.

For example, the Information security policy is a management control, wherein the management states its intent, support, and direction for security.

Administrative controls

While a policy is a high-level document that provides the intent of the management, administrative controls are to implement such policies.

For example, procedures, guidelines, and standards are administrative controls that support the policies. These are covered later in this chapter.

Technical controls

Information is stored and processed predominantly in IT systems. Hence, technical controls are established to support management and administrative controls in the information systems.

Firewall, intrusion detection systems, antivirus, and so on, are some examples of technical controls.

Due diligence and due care

It is important that intent and management support to information security programs is visible across the organization to investors and customers. Hence, an organization should demonstrate due diligence and due care pertaining to information security processes and activities.

Understanding risk and estimating the same, in view of the organizations' mission, prevailing threats, vulnerabilities, and attacks, and legal, regulatory compliance, form a part of the due diligence process by the management.

Implementing security governance by way of organizational processes, defining roles and responsibilities, establishing risk management processes, and monitoring effectiveness of the information security controls are due care activities by the management.