Introduction
The Certified Information Systems Security Professional (CISSP) is widely regarded as the gold-standard certification for information security professionals (see the survey in the screenshot below). Earning it requires demonstrating sufficient relevant work experience and passing an exam that covers the eight domains of information security.
This article covers the first of those eight domains, Security and Risk Management, which accounts for 16% of the questions on the CISSP exam. It walks through each topic in the domain:
- Confidentiality, Integrity, and Availability
- Security Governance
- Compliance and Ethics
- Security Policies
- Business Continuity
- Personnel Security
- Risk Management
- Threat Modelling
- Awareness and Training
Confidentiality, Integrity, and Availability
The CIA triad is the model most often used when discussing the primary objective of information security. It names the three most critical properties that information security protects in an enterprise: confidentiality, integrity, and availability.
Confidentiality guarantees that only authorized individuals can access information and resources. Attackers seeking to undermine confidentiality are said to carry out disclosure attacks, which make sensitive information available to unauthorized individuals or to the general public without the information owner's consent.
Integrity means that information is not changed in an unauthorized way. Unauthorized changes may come from an attacker who deliberately modifies data, or from a service disruption that accidentally corrupts data stored in a system. In either case, it is the information security professional's responsibility to prevent such lapses in integrity.
Availability ensures that authorized people can access data when they need it. If users cannot reach essential business records or systems, that loss of availability can have a large impact on the business. Attackers often degrade availability with denial-of-service (DoS) attacks, which attempt to overwhelm a system or make it crash, thereby denying legitimate users the access they need.
Security governance
Security governance is the set of responsibilities and practices exercised by the board and executive management with the objective of providing strategic direction, ensuring that objectives are achieved, making sure that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Security governance principles are applied through the following organizational processes:
- Alignment of the security function to the organization's strategy, goals, mission, and objectives, expressed in the business case, budget, and resources
- Organizational processes such as divestitures and governance committees
- Security roles and responsibilities
- Control frameworks
- Due care (acting as a reasonable, prudent person would, e.g., actually implementing and maintaining the controls)
- Due diligence (investigating and understanding the risks before acting, e.g., researching threats and assessing controls)
Compliance & Ethics
Information security professionals increasingly have to pay attention to legal and regulatory compliance, as governments and regulatory agencies continue to create laws and regulations that mandate safeguards for the confidentiality, integrity, and availability of information. For the CISSP exam, candidates should be aware of the laws and regulations pertaining to:
- Legislative and regulatory compliance
- Information/data privacy compliance
- Computer crimes, licensing, and intellectual property (e.g., copyright, trademark, digital rights management)
- Import/export controls
- Trans-border data flow
- Privacy
- Data breaches
Understand professional ethics: information security professionals are also bound by a code of professional ethics to act honorably and responsibly.
- Follow the (ISC)² Code of Professional Ethics (https://www.isc2.org/ethics/default.aspx)
- Support the organization's code of ethics
Security Policy
Security professionals do a great deal of writing, and its purpose is to give clearly written guidance that communicates security expectations and responsibilities to business leaders, to users, and to each other. Sometimes security professionals set mandatory rules that everyone in the organization must follow. They achieve this through a framework of four types of documents:
- Security policies (mandatory, high-level statements of management intent)
- Standards (mandatory, specific requirements, such as approved technologies and configurations)
- Procedures (mandatory step-by-step instructions for carrying out a task)
- Guidelines (recommended, non-mandatory advice)
Factors Affecting Security Policy
- Culture of the organization
- Type of Industry
- Regulatory environment (e.g., PCI DSS, the Payment Card Industry Data Security Standard)
Common policies every organization should have
- Information security policy
- Privacy policy
- Acceptable use policy
Personnel Policy
People working in an organization are one of the primary causes of security breaches. It is therefore very important to have security policies that clearly set out expectations for individual behavior and the consequences of violating them. Security professionals should contribute to the following personnel security policies:
- Employment candidate screening (e.g., reference checks, education verification)
- Employment agreements and policies
- Employment termination processes
- Vendor, consultant, and contractor controls
- Compliance
- Privacy
Business Continuity
Business continuity efforts are a collection of activities designed to keep a business running in the face of adversities such as system failures, natural disasters (earthquakes, tornadoes), terrorist attacks, and intrusions. CISSP exam takers should know the following topics:
- Stages in business continuity management
- Redundancy
- High availability
- Fault tolerance
- Personnel succession planning
- Single point of failure (SPOF) analysis
- Business Impact Analysis (BIA)
- BCP coordinator roles and responsibilities
- Mean Time Between Failures (MTBF): the average operating time between failures of a component
- Mean Time To Repair (MTTR): the average time needed to restore a failed component to service
- Recovery Time Objective (RTO): the maximum tolerable time to restore a business process after a disruption
- Recovery Point Objective (RPO): the maximum tolerable data loss, expressed as the age of the data that must be restored
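The four metrics above are related: MTBF and MTTR determine how available a component is, redundancy removes single points of failure, and the RTO and RPO are business requirements that the design must satisfy. The following Python script is an added example written for this article (it is not part of the original page or any CISSP study material). It models a small three-tier architecture, computes availability of each tier from MTBF and MTTR, combines the tiers, lists the SPOFs, and checks the design against an RTO and RPO. The component figures, the assumption that replicas fail independently, and the assumption that a redundant tier keeps serving while one replica is repaired are all constructed for the illustration.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Component:
    name: str
    mtbf_hours: float   # Mean Time Between Failures of one instance
    mttr_hours: float   # Mean Time To Repair one instance
    replicas: int = 1   # redundant instances; 1 means a single point of failure

    def instance_availability(self) -> float:
        # Steady-state availability of a single instance: MTBF / (MTBF + MTTR)
        return self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)

    def availability(self) -> float:
        # Replicas in parallel: the tier is down only when every replica is
        # down at once. Assumes independent failures (an assumption of this
        # example; a shared dependency such as one power feed would break it).
        a = self.instance_availability()
        return 1.0 - (1.0 - a) ** self.replicas


def system_availability(components) -> float:
    # Tiers that are all required (in series): availability is the product
    result = 1.0
    for c in components:
        result *= c.availability()
    return result


def single_points_of_failure(components):
    return [c.name for c in components if c.replicas == 1]


def annual_downtime_hours(availability: float) -> float:
    return (1.0 - availability) * HOURS_PER_YEAR


def continuity_report(components, rto_hours, rpo_hours, backup_interval_hours):
    avail = system_availability(components)
    # Worst-case restoration time: repairing a SPOF takes the service down for
    # its full MTTR; a redundant tier keeps serving while one replica is repaired
    # (simplifying assumption: failover itself is treated as instantaneous).
    worst_restore = max(
        (c.mttr_hours for c in components if c.replicas == 1), default=0.0
    )
    return {
        "availability": avail,
        "annual_downtime_hours": annual_downtime_hours(avail),
        "spofs": single_points_of_failure(components),
        "worst_case_restore_hours": worst_restore,
        "rto_met": worst_restore <= rto_hours,
        # Data lost in a failure is bounded by the time since the last backup,
        # so the backup interval must not exceed the RPO
        "rpo_met": backup_interval_hours <= rpo_hours,
    }


# Constructed sample architecture; the figures are illustrative, not measured
SAMPLE = [
    Component("load balancer", mtbf_hours=10_000, mttr_hours=2, replicas=2),
    Component("web tier", mtbf_hours=2_000, mttr_hours=4, replicas=2),
    Component("database", mtbf_hours=5_000, mttr_hours=8, replicas=1),
]

if __name__ == "__main__":
    # Business requirement: restore within 4 hours and lose at most 1 hour of
    # data, while backups currently run once a day
    report = continuity_report(SAMPLE, rto_hours=4, rpo_hours=1, backup_interval_hours=24)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it shows that the sample design misses both objectives: the single database is a SPOF whose 8-hour MTTR exceeds the 4-hour RTO, and daily backups cannot satisfy a 1-hour RPO. Adding a database replica and moving to hourly backups makes the same report pass, which is the kind of gap analysis a BIA is meant to drive.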
Risk Management
From attackers and malware to lost devices and missing security patches, risks are everywhere in information security, and security professionals have a great deal on their plate. They therefore need to prioritize the items on their risk list that will have the greatest security effect, and be able to apply the following risk management concepts in an organization:
- Identify threats and vulnerabilities
- Risk assessment/analysis (qualitative, quantitative, hybrid)
- Risk assignment/acceptance (e.g., system authorization)
- Countermeasure selection
- Implementation
- Types of controls (preventive, detective, corrective, etc.)
- Control assessment
- Monitoring and Measurement
- Asset valuation
- Reporting
- Continuous improvement
- Risk frameworks
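Quantitative risk analysis, asset valuation, and countermeasure selection fit together through a few standard formulas: single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = SLE × annualized rate of occurrence), and the value of a safeguard (ALE before − ALE after − annual cost of the safeguard). The page lists these topics but does not show the arithmetic, so the following Python script is an added worked example of mine rather than material from the original article. It values a constructed ransomware scenario, ranks three candidate safeguards by their net value, and picks a risk response (accept, mitigate, or transfer/avoid) against a stated risk appetite. All asset values, exposure factors, rates, and costs are invented for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        # Single Loss Expectancy: SLE = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy: ALE = SLE x ARO
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # purchase, operation and maintenance per year
    ef_after: float     # exposure factor once the safeguard is in place
    aro_after: float    # annual rate of occurrence once it is in place


def residual_ale(risk: Risk, safeguard: Safeguard) -> float:
    # ALE that remains after the safeguard changes EF and/or ARO
    return risk.asset_value * safeguard.ef_after * safeguard.aro_after


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    # Cost/benefit of a countermeasure:
    # (ALE before) - (ALE after) - (annual cost of the safeguard)
    return risk.ale() - residual_ale(risk, safeguard) - safeguard.annual_cost


def select_response(risk: Risk, candidates, risk_appetite: float):
    """Choose a risk response. Returns (response, safeguard name or None, net value)."""
    if risk.ale() <= risk_appetite:
        # Expected annual loss is within what management will tolerate
        return ("accept", None, 0.0)
    ranked = sorted(candidates, key=lambda s: safeguard_value(risk, s), reverse=True)
    if ranked and safeguard_value(risk, ranked[0]) > 0:
        return ("mitigate", ranked[0].name, safeguard_value(risk, ranked[0]))
    # No safeguard pays for itself: transfer the risk (e.g. insurance) or avoid the activity
    return ("transfer/avoid", None, 0.0)


# Constructed example figures, not taken from any real assessment
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000,
                  exposure_factor=0.6, aro=0.5)
CANDIDATES = [
    Safeguard("offline backups", annual_cost=20_000, ef_after=0.1, aro_after=0.5),
    Safeguard("endpoint detection", annual_cost=60_000, ef_after=0.6, aro_after=0.1),
    Safeguard("gold-plated appliance", annual_cost=200_000, ef_after=0.05, aro_after=0.05),
]

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}  ALE = {RANSOMWARE.ale():,.0f}")
    for s in CANDIDATES:
        print(f"{s.name:22s} net value = {safeguard_value(RANSOMWARE, s):>10,.0f}")
    print(select_response(RANSOMWARE, CANDIDATES, risk_appetite=10_000))
```

The point the numbers make is the one the exam tests: the most expensive control is not the best one. The appliance reduces the ALE the most but costs more than it saves, so its net value is negative, while offline backups, which only shrink the exposure factor, have the highest net value and are the control that should be selected.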
Threat Modelling
Security professionals use threat modeling to identify and prioritize threats and to guide the implementation of security controls. They conduct a structured walk-through of the potential threats to information and systems. The CISSP exam covers:
- Asset-focused, threat-focused, and service-focused approaches to identifying threats and threat actors (e.g., adversaries, contractors, employees, trusted partners)
- Determining and diagramming potential attacks (e.g., social engineering, spoofing)
- Performing reduction analysis (decomposing the system into trust boundaries, data flows, entry points, and privileged components)
- Technologies and processes to remediate threats (e.g., software architecture and operations)
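The following Python script is an added example, written for this article, of what diagramming, reduction analysis, and threat enumeration look like when made mechanical; it is not code from the original page or from any CISSP reference. It represents a small web application as data-flow-diagram elements in named trust zones, prunes the model down to the flows that cross a trust boundary and the elements at either end (the reduction step), and then assigns threat categories using STRIDE-per-element, the Microsoft SDL convention that maps Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege onto element types. STRIDE is not named on the page and is my choice of method; the element and flow names are constructed.

```python
from dataclasses import dataclass

# STRIDE categories, and which of them apply to each kind of DFD element
# (STRIDE-per-element as used in the Microsoft SDL; an assumption of this example)
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
APPLICABLE = {
    "external": "SR",     # external entity: user, partner system
    "process": "STRIDE",  # running code
    "store": "TRID",      # database, file, queue
    "flow": "TID",        # data in transit
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # external | process | store
    trust_zone: str  # e.g. internet, dmz, internal


@dataclass(frozen=True)
class Flow:
    name: str
    source: str       # Element name
    destination: str  # Element name


def crosses_trust_boundary(flow: Flow, elements) -> bool:
    return elements[flow.source].trust_zone != elements[flow.destination].trust_zone


def reduce_model(elements, flows):
    """Reduction analysis: keep only flows that cross a trust boundary and the
    elements at either end of them. Flows inside a single zone are pruned."""
    boundary_flows = [f for f in flows if crosses_trust_boundary(f, elements)]
    exposed = {elements[n] for f in boundary_flows for n in (f.source, f.destination)}
    return boundary_flows, exposed


def enumerate_threats(elements, flows):
    """Map each exposed flow and element to its STRIDE categories.
    Returns {name: sorted list of threat category names}."""
    boundary_flows, exposed = reduce_model(elements, flows)
    threats = {}
    for f in boundary_flows:
        threats[f.name] = sorted(STRIDE[c] for c in APPLICABLE["flow"])
    for e in exposed:
        threats[e.name] = sorted(STRIDE[c] for c in APPLICABLE[e.kind])
    return threats


# Constructed model of a small web application; not a real system
ELEMENTS = {e.name: e for e in [
    Element("Browser", "external", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Cache", "store", "dmz"),
    Element("Session DB", "store", "internal"),
]}
FLOWS = [
    Flow("login request", "Browser", "Web app"),      # internet -> dmz
    Flow("cache lookup", "Web app", "Cache"),         # stays inside dmz: pruned
    Flow("session lookup", "Web app", "Session DB"),  # dmz -> internal
]

if __name__ == "__main__":
    for name, categories in enumerate_threats(ELEMENTS, FLOWS).items():
        print(f"{name}: {', '.join(categories)}")
```

The output is the candidate threat list a reviewer would then rate and assign controls to: the browser can be spoofed and can repudiate its actions, the two boundary-crossing flows can be tampered with, disclosed, or denied, and the web process picks up all six categories. The cache and its flow never appear because they stay inside one trust zone, which is exactly the scope reduction that keeps a real model from listing every possible attack on every box.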
Vendor Management
It is very important to screen all outside third parties and to integrate security risk considerations into the organization's acquisition strategy and its vendor practices. This covers:
- Managing vendor relationships through established procedures for vendor lifecycle management
- Third-party assessment and monitoring (e.g., on-site assessment, document exchange, and review process/policy review)
- Minimum security requirements
- Service-level requirements
Awareness and Training
Establish and manage an information security education, training, and awareness program:
- Appropriate levels of awareness, training, and education required within the organization
- Periodic reviews for content relevancy
Conclusion
The Certified Information Systems Security Professional exam gives you the perspective of an information security manager. I hope this has given you an overview of what the CISSP covers in its first domain; I will see you in the articles on the remaining domains.