As we all know, (ISC)2 has revised the CISSP syllabus earlier this year and, much to the joy of candidates, the number of domains has been reduced. But the truth is that (ISC)2 has collated a few domains and increased the syllabus overall, which means that candidate now needs to know more to pass the CISSP exam. In this series of articles, I am going to share information about concepts per domain which every candidate should be aware of. So, without wasting any time, let’s get down to CISSP domains.
Security and Risk Management
The main objective of this domain is to test the candidate’s understanding about risk assessment, risk analysis, data classification and security awareness. You may find some of the points to be vague or incorrect, but for CISSP they hold good. Following are the main concepts with regard to this domain:
Understanding of CIA and DAD triad: Under the triad of confidentiality, integrity and availability, be ready to face some questions about the violation of these principles.
- Confidentiality: An important point to note about confidentiality is that it is usually granted with the principle of least privilege.
- Integrity: Information should not be modified by unauthorized means.
- Availability: This principle states that the services/systems should be up and running to fulfill business needs.
In contrast to CIA, there is another triad, DAD, which is just opposite of it. Again, it is very basic but you can get one question out of that. Below list shows the contrast between CIA and DAD
- We all speak that security is everyone’s responsibility, which is true, but within an organization, the accountability for ensuring all the protection of all business information falls under the Information Security Officer. It is the duty of the ISO to ensure that all the security policies and guidelines have been defined to meet information security needs.
- Concept of Due Care and Due Diligence: In simple words, due care is the action taken by a personnel in a particular situation to protect the corporate asset. Due diligence is like an advanced version of due care, i.e., all the actions specified by the organization to protect corporate assets are properly applied.
- Wassenaar Agreement: An important point to remember about the Wassenaar Agreement is that for the signees it defines an international cryptography agreement.
- Organization for Economic Cooperation and Development Guidelines (OECD): An important point to note about these guidelines is that they fall under the privacy part and provide all the guidelines for providing privacy to individual information being collated, such as the collection limitation principle, data safeguard principle, etc.
The most important aspect of a successful business continuity program is NOT
- A well-defined project scope
- Available resources
But “Senior Management Support.“
- The main goal of a Business Impact Analysis is to determine the impact that an unwanted event will have on organization. A BIA exercise defines the criticality of business functions, maximum tolerable downtime (MTD), and available resources to overcome a disruptive event.
- Another important point to note about BIA is that the most overlooked step in a BIA exercise is the last step, which is to document results of BIA and presenting recommendations.
- Concept of RTO, RPO, and MTD: Recovery time objective (RTO) relates with core business applications and is the maximum downtime after which those should be restored. On the other hand, recovery point objective (RPO) is the point in time at which data is restored for further processing. MTD is the point after which the business function is no longer sustainable.
- Concept of Job Rotation and Separation of Duties: Job rotation is done to reduce the risk that individuals may have prolonged exposure to assets/information. This is done to reduce the risk of collusion between individuals. Separation of duties is done to prevent an individual from executing all the steps of a process. The best choice for an organization is to combine both job rotation and separation of duties.
Qualitative Risk Assessment & Quantitative Risk Assessment: Qualitative risk analysis will give results that are not measurable. Risk is usually seen as the product of likelihood and impact. On the other hand, quantitative risk assessment will give results that are measurable. It has a well-defined formula and surely there will be question on this in the exam.
- Single Loss Expectance=Asset Value * Exposure Factor
- Annualized Loss Expectancy=SLE * annualized rate of occurrence (ARO).
- Single Loss Expectance=Asset Value * Exposure Factor
- Risk Assignment: Risk avoidance, risk transfer, risk mitigation, risk acceptance. the important point to note about risk transfer is that not all the risk can be transferred.
Access Controls: This is a very important topic from this domain, as some controls will be given and the question will be to find the type of controls they are. Below are the main categories of access control.
- Directive Controls: These controls provide guidance to accepted behavior.
- Deterrent Controls: These controls mostly discourage unwanted activities.
Preventive Controls: These controls prevent a user from performing an action.
Understand the difference between deterrent & preventive controls: Preventive controls are not optional like deterrent controls.
- Compensating Controls: These controls come to the rescue when the existing control capabilities are not good enough.
- Detective Controls: These controls give notifications of an incident. They fall in the post-incident category.
- Corrective Controls: These control fill the gaps within existing controls that lead to an incident
- Recovery Controls: These controls reinstate the state to normal after an incident.
- All these access controls can be categorized as either Administrative, physical and logical controls.
Penetration Testing Types: It is important to know the following testing types (especially names)
- Internal Testing: This is done within an organization with full knowledge of the whole architecture, deployed controls, etc.
- Blind Testing: This presents more like an attacker scenario, but the internal team is aware of it to defend against it.
- Double Blind Testing: This presents a complete attacker scenario but the internal team is NOT aware of it to defend against it.
- Continuous Improvement cycle: Plan > Do > Act > Check (PDCA). This is also known as the Deming cycle or Shewhart Cycle.
CISSP Instant Pricing- Resources
Differences between the following attacks:
- Social Engineering Attack
- Pretexting Attack
- Phishing Attack
- Baiting Attack
- Tailgating Attack
- Understand the implied risks that happen over an acquisition.
- Difference between SLA and Assurance: SLA provides the acceptable level of performance and penalty between provider and customer. However, SLA does not guarantee compliance. Assurance gives the opportunity to check the profile of the provider by conducting inspection, review, etc.
This draws us to the end of Module 1. Please note that this is not a comprehensive list of all the topics. However, this presents the topics with high probability of appearing in the exam. In the next article, we will see what to cover for Module 2.