CISSP Domain 1 Study notes and Resources

Security Governance

CIA / DAD

(insert photo)               

 

Parkerian Hexad

(insert photo)

 

Confidentiality

Integrity

Availability

Authenticity

Utility

Possession or Control

 

Confidentiality Terms

sensitivity – The Level of damage or harm that could occur if the asset is revealed or disclosed.

Discretion – The ability for a person to control the level of access to, or disclosure of and asset.

Criticality – The level of importance of an asset to the mission or objective.

Concealment – The act of hiding or preventing disclosure of an asset.

Secrecy – The practice of preventing or limiting information disclosure.

Privacy – The protection of confidential or personal information.

Seclusion – The act of storing something in a location that is out of the way and thus not easily observed or found.

Isolation – The act of keeping something separate from other things that are similar in nature.

 

Integrity Terms

Accuracy – The degree to which the data is correct and precise.

Truthfulness – The quality of a source of information being factual and realistic.

Validity – The quality of an asset being genuine.

Accountability – The condition of a person or entity being held responsible for their actions.

Responsibility – The obligation of a person or entity to take ownership or components.

Completeness – The quality of an asset that has all its necessary parts or components.

Comprehensiveness – The quality of an asset being complete in scope, and fully inclusive or all relevant elements.

 

Availability Terms

Usability – Learned, understood, utilized or controlled by a subject

Accessibility – Under a wide range of circumstances an asset can be used by a subject regardless of capabilities or limitations.

Timeliness – Asset ( for example information ) needs to be prompt and available within a reasonable frame of time with low latency.

 

Auditing and Accounting

  • Auditing – internal process of providing a manual or systematic, measurable technical assessment of a system or application
  • Accounting – logging of access and use of information resources.
  • Accountability – tracing actions to the source
  • Non-Repudiation – the assurance that an action taken cannot be denied
  • Identification – Claiming an identity – ie username
  • Authentication – Proving your identity – ie password, fingerprint, pin number
  • Authorization – What are you allowed to do / have access to after you are Authenticated

 

Security Terms – P4 and P5

Asset – Anything of Value

Threat – event or action that could potentially cause damage to an asset or an interruption of service.

Threat Actor – Person/group or other entity that could potentially damage attack or compromise a system resource.

  • ||| Finish this section |||

 

IT Governance Institutewww.itgi.org

 

Security Control Frameworks

 

ISO/IEC 27000 Series

  • Security program Development standard on developing and maintaining an Information Security Management System (ISMS)
  • 27000:2018 – Overview of ISMSs and vocabulary
  • 27001:2013 – ISMS Requirements
  • 27002:2013 – Code of Practice for IS controls
  • 27003:2017 – Guidance on the requirements for an ISMS
  • 27004:2016 – ISMS monitoring, measurement, analysis, and evaluation guidelines

 

Zachman Framework

  • Six Communications Questions
  • What
  • Where
  • When
  • Why
  • Who
  • How
  • Perspectives
    • Executive
    • Business Management
    • Architect
    • Engineer
    • Technician
    • Enterprise

 

TOGAF – The open architecture group framework

  • Technology
  • Applications
  • Data
  • Business

 

DoDAF – Department of Defense Architecture Framework

  • AV – All Viewpoint
  • CV – Capability Viewpoint
  • DIV = Data and Information Viewpoint
  • OV – Operation ViewPoint
  • PV – Project Viewpoint
  • SvcV – Services Viewpoint
  • STDV – Standards Viewpoint
  • SV – Sytems Viewpoint

 

MODAF

  • Strategic StV
  • Operational OV
  • Service-Oriented SOV
  • Systems Viewpoint SV
  • Acquisition AcV
  • Technical TV
  • All Viewpoint AV

 

SABSA

  • Sherwood Applied Business Security Architecture

(insert photo)

 

COBIT – Control Objectives for Information and Related Technology

  • Five Principles

o             Meeting Stakeholder Needs

o             Covering the Enterprise end-to-end

o             Applying a single integrated framework

o             Enabling a holistic approach

o             Separating governance from management

  • Seven Enablers

o             Principles, Policies, and frameworks

o             Processes

o             Organization Structures

o             Culture, Ethics, and behavior

o             Information

  • Services, infrastructure, and applications
  • People, skills, and competencies

 

 

 

 

NIST – National Institute of Standards and Technology – 800 Special Publication Series

 

HITRUST CSF (Common Security Framework)

  • 14 control categories

o             0.0: Information Security Management Program

o             1.0: Access Control

o             2.0: Human Resources Security

o             3.0: Risk Management

o             4.0: Security Policy

o             5.0: Organization of Information Security

o             6.0: Compliance

o             7.0: Asset Management

o             8.0: Physical and Environmental Security

o             9.0: Communications and Operations Management

o             10.0: Information Systems Acquisition, Development, and Maintenance

o             11.0: Information Security Incident Management

o             12.0: Business Continuity Management

o             13.0: Privacy Practices

 

 

Center for Internet Security – CIS – Critical Security Controls

  1. Inventory and control of hardware assets
  2. Inventory and control of software assets
  3. Continuous vulnerability management
  4. Controlled use of administrative privileges
  5. Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
  6. Maintenance, monitoring, and analysis of audit logs
  7. Email and web browser protections
  8. Malware defenses
  9. Limitation and control of network ports, protocols, and services
  10. Data recovery capabilities
  11. Secure configurations for network devices, such as firewalls, routers, and Switches
  12. Boundary defense
  13. Data protection
  14. Controlled access based on the need to know
  15. Wireless access control
  16. Account monitoring and control
  17. Implement a security awareness training program
  18. Application software security
  19. Incident response and management
  20. Penetration tests and red team exercises

 

 

COSO – Committee of Sponsoring Organizations of the Treadway Commission Framework

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and communication
  • Monitoring Activities

 

OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation

(insert photo)

 

ITIL – Information Technology Infrastructure Library

  • These certifications are GREAT add-ons for CISSP
  • Currently at v4

 

Six Sigma

(insert photo) and example

 

CMMI – Capability Maturity Model Integration

 

CRAMM – CCTA Risk Analysis and Management Method

  • Qualitative Risk Analysis Management tool
  • Three Steps
  • Identify and Value Assets
  • Identify threats and vulnerabilities and calculate risks
  • Identify and prioritize countermeasures

 

 

Due Care vs Due Diligence

[write definitions]

https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-and-risk-management/due-care-vs-due-diligence/

 

Major Legal Systems

  • Civil Code Law
    • Napoleonic
  • Common Law
    • Criminal Law
    • Civil Tort Law
    • Administrative Law
  • Customary Law
  • Religious
  • Mixed

 

US Information Privacy Law – page 19  

  • FERPA
  • ECPA
  • HIPAA
  • GLBA
    COPPA
  • USA PATIOT Act
    • USA Freedom Act
  • SOX
  • FCRA

 

Licensing and Intellectual Property

Patents

Trademarks

Copyright

Trade Secrets

2 Issues

  • Piracy / Licensing
  • DRM – Digital Rights Management

 

 

CCCA – Comprehensive Crime Control Act of 1984

 

CFAA – Computer Fraud and Abuse Act – 1986

Raised threshold of damage from $1000 to $5000

  • Any computer used exclusively by the US gov
  • Any computer used exclusively by a financial institution
  • Any computer .., when the offense impedes the ability of the gov or inst. To use that system
  • Any combination of computers used to commit an offense when they are not all located in the same state
  • Amended in 1986, 1994 (Computer Abuse Amendments), 1996, 2001, 2002, 2008

 

Federal Sentencing Guidelines

  • Formalized the Prudent Man Rule
  • Minimize punishment by demonstrating due diligence
  • Three burdens of proof for negligence
    • Legally recognized obligation
    • Failed to comply with recognized standards
    • Causal relationship between the negligent act and damages

 

National Information Infrastructure Protection Act of 1996 -NIIPA

                Set of amendments to CFAA

 

 

FISMA – Federal Information Security Management Act – 2002

Replaced and Repealed

  • Computer Security Act of 1987 (CSA)
  • GISRA – General Information Security Reform Act of 2000

 

FISMA – Federal Information Systems Modernization Act – 2014

 

Cybersecurity Enhancement Act – 2014

                NIST SP 800-53

                NIST SP 800-171

                NIST CSF

National Cybersecurity Protection Act – 2014

 

Risk Terminology

  • Asset
  • Asset Valuation
  • Threats
    • Threat Agent – usually people – intentional
    • Threat Event – Accidental (but could be intentional)
  • Vulnerability
  • Exposure
  • Risk
    • Risk = threat * vulnerability
  • Safeguard
  • Attack
  • Breach

 

Quantitative Risk Analysis

 

AV – Asset Value

EF – Exposure Factor

SLE – Single Loss Expectancy

ARO- Annualized Rate of Occurrence

ALE – Annualized Loss Expectancy

 

Single Loss Expectancy

SLE = AV x EF

SLE = $20,000 X 25%

SLE = 20000 x .25 = 5000

SLE = $5,000

 

Annualized Loss Expectancy

ALE = SLE x ARO

ALE = 5000 x .5 = 2500

ALE= $2,500

 

Value of the Safeguard

(ALE before Safeguard) – (ALE After Safeguard) – (Annual Cost of the Safeguard) = Value of Safeguard

 

(ALE1 – ALE2) – ACS = Cost Benefit / Value

(2500 – 500) – 1000 = 1000

 

Residual Risk = Inherent Risk – Countermeasures

Residual Risk = Total Risk x Controls gap

Residual risk = total risk – security controls

 

A Great Resource for Risk Analysis by Thor – https://thorteaches.com/cissp-certification-quantitative-risk-analysis/