CISSP TERMS AND DEFINITIONS

 Domain 1: Security & Risk Management

 CIA Traid

  Confidentiality 

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Note-Encryption (At transit - TLS)(At rest -AES-256).

  Integrity

Guarding against improper information modification or destruction and includes ensuring information or destruction and includes ensuring information or destruction and includes ensuring information non-repudiation and authenticity.

  Availability

Ensuring timely and reliable access to and use of information by authorized users.

 D.A.D

  Disclosure, Alteration and Destruction

 Disclosure:

Opposite of Confidentiality

Alteration:

Opposite of Integrity

Destruction:

Opposite of Availability

Achieving CIA Best Practices

  • Separation of Duties
  • Mandatory Vacations
  • Job Rotation
  • Least Privileges
  • Need to know
  • Need to know
  • Dual Control

What is IAAAA?

  • Identification: Unique user identification
  • Authentication: Validation of identification
  • Authorization: Verification of privileges and permissions for authenticated user
  • Accountability: Only authorized users are accessing and use the system accordingly
  • Auditing: Tools, processes, and activities used to achieve and maintain compliance

 Plans

   Type                                  Duration                                            Example

Strategic Plan                     up to 5 year                                   Risk Assessment

Tactical Plan                  maximum of 1 year                           Project budget, staffing etc.

Operational Plan               a few months                                  Patching computers updating

                                                                                                 AV signatures Daily network                                                                                                                              administration

Protection Mechanisms

  • Layering
  • Abstractions
  • Data Hiding
  • Encryption

What is Data Classification?

Entails analyzing the data that the organization retain, determining its importance and value, and then assigning it to a category.

 Risk Management

  1.  No risk can be completely avoided.
  2.  Risks can be minimized and controlled to avoid impact of damages.
  3.  Risk management is the process of identifying, examining, measuring, mitigating, or transferring risk.

Risk Terminology

  • Asset: Anything of value to the company.
  • Vulnerability: A weakness; the absence of a safeguard.
  • Threat: Things that could pose a risk to all or part of an asset.
  • Threat Agent: The entity which carries out the attack.
  • Exploit: An instance of compromise.
  • Risk: The probability of a threat materializing.

Risk Management Frameworks

Preventive Ex ISO 27001:

Security Policies, Security cameras, Call back, Security Awareness Training, Job Rotation, Encryption, Data Classification, Smart cards.

Deterrent Ex ISO 27000:

Security Personnel, Guards, Security Cameras, Separation of Duties, Intrusion Alarms, Awareness Training, Firewalls, Encryption.

Detective:

Logs, Security Cameras, Intrusion Detection Systems, Honey Pots, Audit Trails, Mandatory Vacations.

Corrective:

Alarms, Antivirus Solutions, Intrusion Detection Systems, Business Continuity Plans.

Recovery:

Backups, Server Clustering, Fault Tolerance, Database Shadowing, Antivirus Software.

Risk Management Life Cycle

  • Assessment
  • Analysis
  • Mitigation/Response

Assessment:


Comments

Post a Comment

Popular posts from this blog

CYBER BODY OF KNOWLEDGE

 1 Human, Organizational & Regulatory Aspects Risk Management and Governance 1.1 INTRODUCTION This knowledge Area will explain the fundamental principles of cyber risk assessment and management and their role in risk governance, expanding on these to cover the knowledge required to gain a working understanding of the topic and its sub-area. We begin by discussing the relationship between everyday risk and why this is important in today's interconnected digital world. We explain why, as humans, we need effective risk assessment and management principles to support the capture and communication of factors that may impact our values. We then move on to describe different perspectives on cyber risk assessment -from individual assets, to whole-system goals and objectives. We unpick some of the major risk assessment methods and highlight their main uses and limitations, as well as providing pointers to more detailed information. Security metrics are an ongoing topic of debate in the
Read more