CISSP Domain 3: Security Engineering - What you need to know for the Exam

April 8, 2017 by Aroosa Ashraf

What is the CISSP?

The Certified Information Systems Security Professional is a certification for those with a proven track record of managerial and technical competence, experience, credibility and skills to engineer, design, manage and implement an entire information security program meant to shield organizations from the increase in sophisticated attacks.

The CISSP certification was created by the non-profit organization (ISC)2, the world’s largest IT security institution, to help employers with industry conventions regarding security and privacy. Established in 1989, (ISC)2 has recently celebrated its 25th anniversary, with approximately 10,000 members in over 135 countries. The CISSP was the first qualification of its kind.

The CISSP examination is six hours long and consists of 250 multiple-choice questions. Candidates must achieve 700 out of 1000 points to pass. The exam is available in nine languages: English, German, French, Brazilian Portuguese, Japanese, Korean, Spanish, and Simplified Chinese. It is also available for the visually impaired.

Continuing Professional Education Credits (CPEs)

Security technology is continuously changing. The (ISC)2 board of directors requires that CISSP certificate holders earn continuing education credits over a three-year certification cycle.

Who should become CISSP qualified?

The CISSP certification is ideal for professionals employed in the following careers:

  • Security Manager
  • Security Consultant
  • IT Director/Manager
  • Security Architect
  • Security Auditor
  • Network Architect
  • Chief Information Security Officer
  • Security Analyst
  • Security Systems Engineer
  • Director of Security

What are the CISSP domains?

The CISSP is made up of an extensive current global common body of knowledge that ensures leaders in security have in-depth understanding and knowledge of regulations, practices, and technologies. The CISSP examination tests individuals in one of eight domains:

1. Asset security (Protecting asset security)

  • Asset and information classification
  • Privacy protection
  • Handling requirements (e.g., labels, markings, storage)
  • Ownership (e.g., system owners, data owners)
  • Appropriate retention
  • Data security controls

2. Risk and Security Management (Risk, Security, Compliance, Regulations, Law and Business Continuity)

  • Confidentiality, integrity and availability concepts
  • Security governance principles
  • Compliance
  • Regulatory and legal issues
  • Professional ethics
  • Standards, guidelines, procedures, and security policies

3. Network and Security Communication (Protecting and Designing Security Network)

  • Securing network components
  • Secure communication channels
  • Secure network architecture design (e.g., segmentation, non IP protocols, IP)
  • Network attacks

4. Access and Identity Management (Managing identity and controlling access)

  • Authentication and identification of devices and people
  • Logical and physical assets control
  • Access and identity provisioning lifecycle (e.g., provisioning review)
  • Access control attacks
  • Third party identity services (e.g., on the premises)

5. Security Operations (Investigations, disaster recovery, incident management, foundational concepts)

  • Requirements, support and investigations
  • Monitoring and logging activities
  • Resource provisioning
  • Concepts of foundational security operations
  • Techniques in research protection
  • Managing incidents
  • Ensuring prevention
  • Vulnerability and patch management
  • Processes in change management
  • Strategies in recovery
  • Processes and plans in disaster recovery
  • Planning and exercises in business continuity
  • Physical security
  • Concerns with personal safety

6. Software Development Security (Applying, understanding and enforcing software security)

  • Software development lifecycle security
  • Security controls in the development environment
  • Effectiveness in software security
  • Acquired software security impact

7. Testing Security Assessment (Performing, designing, and analyzing security testing)

  • Test and assessment strategies
  • Data process security (e.g., operational controls and management)
  • Testing security control
  • Test outputs (e.g., manual, automated)
  • Vulnerabilities in security architectures

8. Security engineering (Management and engineering of security)

  • Utilizing secure design principles for engineering processes
  • Fundamental concepts of security models
  • Evaluating security models
  • Information system security capabilities
  • Designs, security architectures, and solution elements vulnerabilities
  • Vulnerabilities in web-based systems
  • Cyber-physical systems vulnerabilities and embedded devices
  • Cryptography
  • Facility and site design secure principles
  • Physical security

Prior to sitting the CISSP exam, all candidates must have a minimum of five years’ full time paid employment in two or more of the above domains.

NIST system development lifecycle

The system development lifecycle is the complete process of implementing, developing, and retiring information systems through multiple steps, including initiation, implementation, maintenance and disposal. There are a variety of SDLC methodologies and models; however, each one is made up of a range of defined phases or steps. Whichever SDLC model is used, information security must be integrated into it to make sure that the most effective method of protection is used for the data that the system will process, transmit and store.

Initiation: In the initiation phase, the company establishes the need for a system and retains documents detailing the purpose of the system.

Maintenance: During the maintenance phase, products and systems have been implemented, modifications and enhancements to the system are tested and developed, and software and hardware components are replaced or added. To ensure the efficient operation of the system, the organization should monitor system performance continuously.

Implementation: During the implementation phase, the company enables and configures security features, implements or installs the system, tests how functional the features are, and then obtains official authorization to put the system into place.

Disposal: The disposal phase involves drawing up plans to discard hardware, system information and software, and to make the shift from the old system to a new one. The hardware, information and software may be moved to another system, discarded, archived or destroyed. If this phase is not carried out efficiently, it can lead to the exposure of sensitive information.

Enterprise security architecture framework

An enterprise architecture (EA) plan is an extensive blueprint or view for a company. It is a fundamental blueprint for balancing information technology and business. It also assists in adding value to an organization. Today, security is an essential element for enterprises, with its main purpose being to prevent private information from being exposed, lost or stolen. There are several studies that focus solely on enterprise security architecture.

The aim of security architecture is to design a framework of information systems to make sure that they are providing sufficient security to businesses and organizations. Today, the majority of businesses rely heavily on IT, much more than they did in the past. Security architecture that has been inefficiently designed has major negative implications for a business, such as not being able to perform daily business operations. This high dependency on information systems pinpoints the urgency of constructing effective security architecture throughout the entire enterprise.

What does the future hold for security engineering?

Security engineering handles the integrity and security of real world systems. There are many similarities to systems engineering, one of which is that their function is to ensure that systems meet the requirements that have been outlined. The main difference is that security engineering is responsible for enforcing a security policy.

Security engineering has been in existence informally for hundreds of years in the fields of security printing and locksmithing. Computer technology has accelerated so rapidly that it has allowed for the creation of much more convoluted systems, with even more intricate security problems.

Because modern systems cross the lines of several arenas of human endeavour, security engineers must consider the physical and mathematical properties of systems. They must also consider social engineering attacks on the people who form and use the systems.

Secure systems must be capable of withstanding a wide range of attacks, such as fraud, deception and technical attacks. For this reason, security engineering involves aspects of psychology, social science and economics as well as mathematics, physics and chemistry.

Today, security is being addressed and acknowledged throughout all departments within an organization. For organizations to operate efficiently and effectively and compete successfully within the global market, they are going to have to make integrity, availability and safeguarding of intellectual property a main priority. Whether we like it or not, the majority of the world is connected through information technology. Governments and industry bodies are continuously passing legislation which is forcing many sectors to address the laws required to comply with IT security.

There has been much progress made in educating organizations, businesses and individual users that problems exist. However, solving the problems has been a completely different issue. The IT world has many security challenges to contend with, and this is something that isn’t going to change overnight. Devices are still being built containing security vulnerabilities that are easy to discover and exploit.

Security engineering is going to become much more complex at the technological level before it gets any easier. This is partly a result of the ever-increasing and continuous stream of technology that continues to arrive. At the same time as there is an increase in researchers, there is also an increase in attackers looking for systems that are vulnerable. As security improves, so do attackers. They adapt to emerging or new technologies.

Experienced professionals have predicted many risks and threats that we may experience in the future. There is no easy answer for security at present; certain industries are only now beginning to understand the possible issues from several years of investing in IT security. As the years go on, violations will continue to occur, requiring new laws to preserve and protect organizations as well as individuals.

As a result of the constant need to find new ways to prevent security breaches, organizations are always going to need security engineers. It is a profession that is constantly evolving and growing, requiring a constant stream of professionals in this arena.



Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She completed her graduation in 2013. She is an experienced researcher and technical writer and has been working as a writer on different platforms for the last 4 years. Currently, she is writing many technical and non-technical articles for her national and international clients.
