The CISSP 2015 Update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking it down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined – a bit easier to manage in the overall picture – and becomes easier to understand.
We will be diving into each domain over the course of the coming weeks, to see what you need to know if you have just started studying for the CISSP. Right off the bat, we can say that with very few exceptions, the old domains are gone. That’s not to say the information isn’t there anymore; it’s just that the perspectives on that information have shifted. The CISSP certification has always been a managerial-level certification – understanding is required for a lot of topics across a wide range of requirements. The new update zeroes in on that concept, making it easier to look at things from particular scenarios with a bird’s eye view.
With that in mind, let’s take a look at our fifth domain: Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing).
Defense in Depth
Defense in Depth is best described as ‘buying time’ – allowing lightly defended areas to fall to enemies, while at the same time draining enemy resources and gaining more time to strengthen defenses around the more significant assets. To properly test a system, the simulated attacker must be allowed to gain access in at least some scenarios. If a test or audit only ever tries to break in from the outside and fails every time, it remains unknown how much damage an attacker will be able to do once they finally do break in.
Understand Vulnerabilities and Threats
Assessing the current state of your defenses requires knowledge of what can be used against them. As such, having resources that provide currently known vulnerabilities and threats allows for a more effective test and learning environment.
Exercise, Assess and Maintain Plans
Testing Disaster Recovery plans requires exercises, not only for security forces and IT staff, but for all users. This means running through drills and simulations at least once a quarter to see what users will do in particular situations. This allows better training to be implemented and weak points to be removed from potentially hazardous attack vectors.
Understand International Legal Issues
Auditing against more than one set of legal rules can help to make sure that an organization is prepared for more substantial audits, whether by government entities or third parties. For international organizations, this can be a significant issue, as laws governing Information Systems seem to change on a daily basis.
Understand and Support Investigations
Testing is useless without being able to document the findings of the test, as well as understand how the persons, procedures and systems reacted during the test. Once the findings are understood, reports can be given to those with a need to know how the organization fared during the test. Please note, this is not the kind of test on which you want to fudge the numbers. Glossing over potential failings will not help anyone, especially in the case of a genuine emergency. These tests are performed for the benefit of everyone.
Understand Forensic Procedures
Analyzing how systems are affected during attacks helps in understanding how to train and defend against them. To do this, it is important to understand basic digital forensics procedures, as well as how to keep collected information from being damaged or corrupted so that it cannot be dismissed as tampered with.
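To illustrate the evidence-handling point above, here is an added Python example (not code from the original article): it records a SHA-256 manifest and a chain-of-custody log at collection time and re-verifies the files later, flagging anything altered or lost. The file names, analyst labels and sample contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
now = lambda: datetime.now(timezone.utc).isoformat()  # UTC timestamps for custody entries

def sha256_file(path, chunk_size=1 << 20):
    # Hash in chunks so a large disk or memory image never has to fit in RAM.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(evidence_dir, collected_by):
    # One hash per collected item plus the opening chain-of-custody entry.
    files = {name: sha256_file(os.path.join(evidence_dir, name))
             for name in sorted(os.listdir(evidence_dir))
             if os.path.isfile(os.path.join(evidence_dir, name))}
    return {"files": files, "custody": [{"action": "collected", "by": collected_by, "at": now()}]}

def record_custody(manifest, action, by):  # hand-off, analysis, storage, etc.
    manifest["custody"].append({"action": action, "by": by, "at": now()})

def verify_manifest(evidence_dir, manifest):
    # Re-hash every item; 'missing' or 'modified' means integrity can no longer be shown.
    status = {}
    for name, expected in manifest["files"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        else:
            status[name] = "ok" if sha256_file(path) == expected else "modified"
    return status

def demo():
    # Constructed scenario: two items are collected, then one is altered and one is lost.
    with tempfile.TemporaryDirectory() as d:
        samples = {"auth.log": b"Jan 01 00:00:01 host sshd[1]: Accepted password for alice\n",
                   "memory.dmp": b"\x00" * 4096}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(d, "analyst-1")
        before = verify_manifest(d, manifest)
        record_custody(manifest, "handed to", "analyst-2")
        with open(os.path.join(d, "auth.log"), "ab") as fh:
            fh.write(b"altered after collection\n")
        os.remove(os.path.join(d, "memory.dmp"))
        return before, verify_manifest(d, manifest), len(manifest["custody"])
```

In practice the manifest itself is stored separately from the evidence (or signed), so that whoever altered a file cannot simply rewrite the recorded hash.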
Ensure Security in Contracts and Procurement Processes
Outsourcing systems does not remove all liability for them: contracts with dedicated providers need to be analyzed for how difficult things can become for the organization if the third-party provider is compromised. Once this is done, these risks need to be included in standard testing practices.
Manage Third Party Governance
If a third party is granted access to sensitive systems, it is STRONGLY recommended to include their systems in an audit as well – not just the fallout from what happens when they do get compromised. This means examining their systems, documenting how they manage your data, and inspecting the facility itself to see if there are any potential physical security issues.