What’s new in Access Control

ISC2 published the 3rd edition of their CISSP CBK in late 2012.  I ordered my copy in December 2012 and said, “So what’s new?”

First, let me say that all quoted material in this article is from the “Official (ISC)2 Guide to the CISSP® CBK Third Edition.”

I started going through the Access Control domain and these are some of the changes that I found:

–      For “Personnel Security, Evaluation, and Clearances,” an additional source of information for staff verification has been added: “…An online search of publicly available information on social media sites…”

–      A whole section has been added for “Session Management”; it includes two major areas: 1) Desktop Sessions and 2) Logical Sessions.  The Desktop Session section has several sub-sections, including:

  • Screensavers
  • Timeouts and Automatic Logouts
  • Session/Logon Limitation
  • Schedule Limitations
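The four desktop-session controls named above are easy to reason about when they are enforced together in one place. The following is an added example, not code from the CBK or from InfoSec Institute: a small session manager that applies an idle timeout (the automatic-logout side of a screensaver lock), an absolute session lifetime, a per-user concurrent-session limit, and a permitted logon window. All four policy values are assumptions chosen for illustration.

```python
from datetime import datetime, time, timedelta

# Hypothetical policy values: the CBK names these controls, the numbers are assumptions.
IDLE_TIMEOUT = timedelta(minutes=15)        # automatic logout after inactivity (screensaver lock)
MAX_SESSION_LIFETIME = timedelta(hours=8)   # absolute limit, regardless of activity
MAX_CONCURRENT_SESSIONS = 2                 # session/logon limitation per user
ALLOWED_WINDOW = (time(7, 0), time(19, 0))  # schedule limitation, local time


class Session:
    def __init__(self, sid, user, started):
        self.sid = sid
        self.user = user
        self.started = started
        self.last_activity = started


class SessionManager:
    def __init__(self):
        self.sessions = {}   # sid -> Session
        self.next_sid = 1

    @staticmethod
    def within_schedule(now):
        start, end = ALLOWED_WINDOW
        return start <= now.time() < end

    def active_count(self, user):
        return sum(1 for s in self.sessions.values() if s.user == user)

    def logon(self, user, now):
        """Return (sid, reason); sid is None when the logon is refused."""
        self.expire(now)   # enforce limits on existing sessions first
        if not self.within_schedule(now):
            return None, "outside permitted logon window"
        if self.active_count(user) >= MAX_CONCURRENT_SESSIONS:
            return None, "concurrent session limit reached"
        sid = self.next_sid
        self.next_sid += 1
        self.sessions[sid] = Session(sid, user, now)
        return sid, "logon accepted"

    def touch(self, sid, now):
        """Record user activity: resets the idle timer but never the absolute lifetime."""
        self.sessions[sid].last_activity = now

    def expire(self, now):
        """Terminate sessions that violate any limit; return [(sid, reason), ...]."""
        ended = []
        for sid, s in list(self.sessions.items()):
            if now - s.last_activity >= IDLE_TIMEOUT:
                reason = "idle timeout"
            elif now - s.started >= MAX_SESSION_LIFETIME:
                reason = "maximum session lifetime"
            elif not self.within_schedule(now):
                reason = "schedule window closed"
            else:
                continue
            del self.sessions[sid]
            ended.append((sid, reason))
        return ended


if __name__ == "__main__":
    mgr = SessionManager()
    t0 = datetime(2013, 1, 7, 9, 0)
    print(mgr.logon("alice", t0))
    print(mgr.logon("alice", t0 + timedelta(minutes=1)))
    print(mgr.logon("alice", t0 + timedelta(minutes=2)))   # refused: limit of 2
    print(mgr.expire(t0 + timedelta(minutes=20)))           # both idle sessions dropped
```

The point worth noticing is that the absolute lifetime check is independent of the idle check: activity keeps a session alive past the idle timeout, but nothing keeps it alive past the maximum lifetime.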

An interesting key point to remember about Kerberos was also added.  It reads, “..Kerberos processes are extremely time sensitive and often require the use of Network Time Protocol (NTP) Daemons to ensure times are synchronized.  Failure to maintain a synchronized time infrastructure will lead to authentication failures.  This can be an attractive vector for a DOS attack..”
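The defensive consequence of that key point is that clock skew should be monitored, not just configured. The following is an added example, not code from the CBK: it checks a client clock against the KDC using MIT Kerberos' default 300-second skew tolerance, and it counts skew-related authentication failures per client host in a constructed, simplified KDC log (not a real krb5kdc log format). Skew failures spread across many hosts at once point at the time infrastructure itself rather than at one misconfigured client; the two-host threshold used to flag that is an assumption.

```python
import re
from collections import Counter

# MIT Kerberos tolerates 300 s of clock skew by default (krb5.conf "clockskew").
MAX_CLOCK_SKEW_SECONDS = 300


def clock_skew_ok(client_epoch, kdc_epoch, max_skew=MAX_CLOCK_SKEW_SECONDS):
    """Return (within_tolerance, skew_seconds) for a client's clock versus the KDC's."""
    skew = abs(client_epoch - kdc_epoch)
    return skew <= max_skew, skew


# Constructed log lines in a simplified format; not an excerpt from a real KDC.
SAMPLE_KDC_LOG = """\
2013-01-07T09:00:01 kdc01 AS_REQ 10.0.1.15 alice@EXAMPLE.COM ISSUE
2013-01-07T09:00:04 kdc01 AS_REQ 10.0.1.22 bob@EXAMPLE.COM CLOCK_SKEW skew=412s
2013-01-07T09:00:05 kdc01 AS_REQ 10.0.1.22 bob@EXAMPLE.COM CLOCK_SKEW skew=413s
2013-01-07T09:00:09 kdc01 AS_REQ 10.0.1.30 carol@EXAMPLE.COM CLOCK_SKEW skew=1801s
2013-01-07T09:00:12 kdc01 AS_REQ 10.0.1.15 alice@EXAMPLE.COM ISSUE
2013-01-07T09:00:15 kdc01 AS_REQ 10.0.1.22 bob@EXAMPLE.COM CLOCK_SKEW skew=415s
"""

# timestamp, kdc, request type, client ip, principal, result, optional skew
LINE_RE = re.compile(
    r"^(\S+) (\S+) (\S+) (\S+) (\S+) (ISSUE|CLOCK_SKEW)(?: skew=(\d+)s)?$"
)


def skew_failures_by_host(log_text):
    """Count clock-skew failures per client IP and record the worst skew seen for each."""
    counts = Counter()
    worst = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(6) != "CLOCK_SKEW":
            continue
        ip, skew = m.group(4), int(m.group(7))
        counts[ip] += 1
        worst[ip] = max(worst.get(ip, 0), skew)
    return counts, worst


def skew_report(log_text, min_hosts=2):
    """Summarise skew failures; 'suspect_time_infrastructure' is a heuristic (assumption):
    several distinct hosts failing at once suggests NTP, not a single client, is broken."""
    counts, worst = skew_failures_by_host(log_text)
    hosts = sorted(counts)
    return {
        "hosts": hosts,
        "failures": dict(counts),
        "worst_skew": worst,
        "suspect_time_infrastructure": len(hosts) >= min_hosts,
    }


if __name__ == "__main__":
    print(clock_skew_ok(1_357_549_200, 1_357_549_620))   # 420 s apart: rejected
    print(skew_report(SAMPLE_KDC_LOG))
```

Feeding the per-host counts into the SIEM discussed below turns a "users cannot log in" help-desk ticket into an alert that names the hosts whose clocks drifted and how far.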

There’s a new section on Security Information and Event Management.  It goes into some detail with respect to log management and something that I’ve been saying for several years: “near real time” management of security information.

Spyware has been expanded to identify and discuss “Malvertisements” and “Malnets.”

Threat Modeling has gotten its own section, including specific steps for organizations to take as an approach.  Those steps are:

–      Define the Scope and Objectives

–      Understanding or Modeling the System

–      Development of Threats

–      Development of Vulnerabilities

–      Determining Impacts and Risk

–      Develop a Mitigation Plan

We used to see this strategy as part of Business Impact Analysis and Risk Assessment, but it has been moved to Access Control.  That is also true for “Asset Valuation,” which has been moved to Access Control and includes:

–      Hardware

–      Software

–      Integration

–      Opportunity Costs

–      Regulatory Exposure

–      Information Replacement

–      Reputational Exposure

Also included in this section are the calculations for SLE and ALE, which we used to find in the Risk domain.
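To tie the asset valuation categories to the SLE/ALE calculations and to the threat modeling section's final step (a mitigation plan), here is an added worked example; it is not from the CBK. The dollar figures, exposure factors and occurrence rates are constructed for illustration. It uses the standard CISSP formulas SLE = AV × EF and ALE = SLE × ARO, and the usual safeguard value calculation (ALE before) − (ALE after) − (annual cost of safeguard).

```python
# Constructed asset valuation using the CBK's categories; every figure is an assumption.
ASSET_COMPONENTS = {
    "hardware": 40_000,
    "software": 25_000,
    "integration": 15_000,
    "opportunity_costs": 60_000,
    "regulatory_exposure": 100_000,
    "information_replacement": 30_000,
    "reputational_exposure": 80_000,
}


def asset_value(components):
    """AV: the sum of all valuation categories for the asset."""
    return sum(components.values())


def single_loss_expectancy(av, exposure_factor):
    """SLE = AV x EF, where EF is the fraction of the asset value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Net annual value of a control: (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive means the control pays for itself; negative means accepting or transferring
    the risk is cheaper than this particular mitigation."""
    return ale_before - ale_after - annual_safeguard_cost


def evaluate_mitigation(av, ef, aro, mitigated_ef, mitigated_aro, annual_cost):
    """Carry one threat through the full calculation with and without the safeguard."""
    sle = single_loss_expectancy(av, ef)
    ale = annualized_loss_expectancy(sle, aro)
    sle_m = single_loss_expectancy(av, mitigated_ef)
    ale_m = annualized_loss_expectancy(sle_m, mitigated_aro)
    return {
        "asset_value": av,
        "sle": sle,
        "ale": ale,
        "sle_mitigated": sle_m,
        "ale_mitigated": ale_m,
        "net_safeguard_value": safeguard_value(ale, ale_m, annual_cost),
    }


if __name__ == "__main__":
    av = asset_value(ASSET_COMPONENTS)                      # 350,000
    # Constructed scenario: an incident destroys 40% of the value about once every two
    # years; the proposed safeguard cuts that to 10% once every four years for 20,000/yr.
    result = evaluate_mitigation(av, ef=0.4, aro=0.5,
                                 mitigated_ef=0.1, mitigated_aro=0.25, annual_cost=20_000)
    for k, v in result.items():
        print(f"{k:>20}: {v:,.2f}")
```

Running the constructed scenario gives an ALE of 70,000 before and 8,750 after the safeguard, so a control costing 20,000 a year has a net value of 41,250 and belongs in the mitigation plan; raise the annual cost above 61,250 and the same arithmetic says to look for a cheaper control or accept the risk.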

The last two major areas that received additional coverage are “Access Review and Audit” and “Identity and Access Provisioning Lifecycle.”

Of course, along with any change you get re-sequencing, font size changes, bolded emphasis, and the occasional colorful metaphor.  All in all, I’m pleased with the revisions to this domain and I look forward to the other nine.

InfoSec Institute is in the process of updating their CISSP curriculum and where appropriate will include coverage of any new material which is included in the new CISSP CBK.

Want to learn more? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals who hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise-wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry-leading course curriculum, combined with our award-winning CISSP training provided by expert instructors, delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review; it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.