CISSP Domain 1 Study notes and Resources
Security Governance
CIA / DAD
(insert photo)
Parkerian Hexad
(insert photo)
Confidentiality
Integrity
Availability
Authenticity
Utility
Possession or Control
Confidentiality Terms
Sensitivity – The level of damage or harm that could occur if the asset is revealed or disclosed.
Discretion – The ability of a person to control the level of access to, or disclosure of, an asset.
Criticality – The level of importance of an asset to the mission or objective.
Concealment – The act of hiding or preventing disclosure of an asset.
Secrecy – The practice of preventing or limiting information disclosure.
Privacy – The protection of confidential or personal information.
Seclusion – The act of storing something in a location that is out of the way and thus not easily observed or found.
Isolation – The act of keeping something separate from other things that are similar in nature.
Integrity Terms
Accuracy – The degree to which the data is correct and precise.
Truthfulness – The quality of a source of information being factual and realistic.
Validity – The quality of an asset being genuine.
Accountability – The condition of a person or entity being held responsible for their actions.
Responsibility – The obligation of a person or entity to take ownership of, or be in charge of, something.
Completeness – The quality of an asset that has all its necessary parts or components.
Comprehensiveness – The quality of an asset being complete in scope and fully inclusive of all relevant elements.
Availability Terms
Usability – The state of an asset being easy to learn, understand, use, or control by a subject.
Accessibility – The quality of an asset being usable by a subject under a wide range of circumstances, regardless of the subject's capabilities or limitations.
Timeliness – The quality of an asset (for example, information) being available promptly, within a reasonable time frame and with low latency.
Auditing and Accounting
- Auditing – internal process of providing a manual or systematic, measurable technical assessment of a system or application
- Accounting – logging of access and use of information resources.
- Accountability – tracing actions to the source
- Non-Repudiation – the assurance that an action taken cannot be denied
- Identification – Claiming an identity (e.g., a username)
- Authentication – Proving the claimed identity (e.g., password, fingerprint, PIN)
- Authorization – What you are allowed to do or access after you are authenticated
Security Terms
Asset – Anything of Value
Threat – An event or action that could potentially cause damage to an asset or an interruption of service.
Threat Actor – A person, group, or other entity that could potentially damage, attack, or compromise a system resource.
- ||| Finish this section |||
IT Governance Institute – www.itgi.org
Security Control Frameworks
ISO/IEC 27000 Series
- Security program development standard: specifies how to develop and maintain an Information Security Management System (ISMS)
- 27000:2018 – Overview of ISMSs and vocabulary
- 27001:2013 – ISMS Requirements
- 27002:2013 – Code of Practice for IS controls
- 27003:2017 – Guidance on the requirements for an ISMS
- 27004:2016 – ISMS monitoring, measurement, analysis, and evaluation guidelines
Zachman Framework
- Six Communications Questions
- What
- Where
- When
- Why
- Who
- How
- Perspectives
- Executive
- Business Management
- Architect
- Engineer
- Technician
- Enterprise
TOGAF – The Open Group Architecture Framework (four architecture domains)
- Technology
- Applications
- Data
- Business
DoDAF – Department of Defense Architecture Framework
- AV – All Viewpoint
- CV – Capability Viewpoint
- DIV – Data and Information Viewpoint
- OV – Operational Viewpoint
- PV – Project Viewpoint
- SvcV – Services Viewpoint
- StdV – Standards Viewpoint
- SV – Systems Viewpoint
MODAF
- StV – Strategic Viewpoint
- OV – Operational Viewpoint
- SOV – Service-Oriented Viewpoint
- SV – Systems Viewpoint
- AcV – Acquisition Viewpoint
- TV – Technical Viewpoint
- AV – All Viewpoint
SABSA
- Sherwood Applied Business Security Architecture
(insert photo)
COBIT – Control Objectives for Information and Related Technologies
- Five Principles
o Meeting Stakeholder Needs
o Covering the Enterprise end-to-end
o Applying a single integrated framework
o Enabling a holistic approach
o Separating governance from management
- Seven Enablers
o Principles, Policies, and frameworks
o Processes
o Organization Structures
o Culture, Ethics, and behavior
o Information
o Services, infrastructure, and applications
o People, skills, and competencies
NIST – National Institute of Standards and Technology – Special Publication 800 series
HITRUST CSF (Common Security Framework)
- 14 control categories
o 0.0: Information Security Management Program
o 1.0: Access Control
o 2.0: Human Resources Security
o 3.0: Risk Management
o 4.0: Security Policy
o 5.0: Organization of Information Security
o 6.0: Compliance
o 7.0: Asset Management
o 8.0: Physical and Environmental Security
o 9.0: Communications and Operations Management
o 10.0: Information Systems Acquisition, Development, and Maintenance
o 11.0: Information Security Incident Management
o 12.0: Business Continuity Management
o 13.0: Privacy Practices
Center for Internet Security – CIS – Critical Security Controls
- Inventory and control of hardware assets
- Inventory and control of software assets
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
- Maintenance, monitoring, and analysis of audit logs
- Email and web browser protections
- Malware defenses
- Limitation and control of network ports, protocols, and services
- Data recovery capabilities
- Secure configurations for network devices, such as firewalls, routers, and Switches
- Boundary defense
- Data protection
- Controlled access based on the need to know
- Wireless access control
- Account monitoring and control
- Implement a security awareness training program
- Application software security
- Incident response and management
- Penetration tests and red team exercises
COSO – Committee of Sponsoring Organizations of the Treadway Commission Framework
- Control Environment
- Risk Assessment
- Control Activities
- Information and communication
- Monitoring Activities
OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
(insert photo)
ITIL – Information Technology Infrastructure Library
- These certifications are GREAT add-ons for CISSP
- Currently at v4
Six Sigma
(insert photo) and example
CMMI – Capability Maturity Model Integration
CRAMM – CCTA Risk Analysis and Management Method
- Qualitative Risk Analysis Management tool
- Three Steps
- Identify and Value Assets
- Identify threats and vulnerabilities and calculate risks
- Identify and prioritize countermeasures
Due Care vs Due Diligence
- Due Care – Doing what a reasonable, prudent person would do in the same situation; the act of taking the expected, responsible actions (e.g., applying security controls, following policy).
- Due Diligence – The ongoing effort to investigate, understand, and verify; researching risks before acting and continuing to check that the controls put in place (due care) actually work.
- Rule of thumb: due care is acting; due diligence is checking. Together they are what an organization demonstrates to avoid a finding of negligence.
Major Legal Systems
- Civil Code Law
- Napoleonic
- Common Law
- Criminal Law
- Civil Tort Law
- Administrative Law
- Customary Law
- Religious
- Mixed
US Information Privacy Law
- FERPA
- ECPA
- HIPAA
- GLBA
- COPPA
- USA PATRIOT Act
- USA Freedom Act
- SOX
- FCRA
Licensing and Intellectual Property
Patents
Trademarks
Copyright
Trade Secrets
2 Issues
- Piracy / Licensing
- DRM – Digital Rights Management
CCCA – Comprehensive Crime Control Act of 1984
CFAA – Computer Fraud and Abuse Act – 1986
- Raised the threshold of damage from $1,000 to $5,000
- Covers any computer used exclusively by the US government
- Covers any computer used exclusively by a financial institution
- Covers any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system
- Covers any combination of computers used to commit an offense when they are not all located in the same state
- Amended in 1986, 1994 (Computer Abuse Amendments), 1996, 2001, 2002, and 2008
Federal Sentencing Guidelines
- Formalized the Prudent Man Rule
- Minimize punishment by demonstrating due diligence
- Three burdens of proof for negligence
- Legally recognized obligation
- Failed to comply with recognized standards
- Causal relationship between the negligent act and damages
National Information Infrastructure Protection Act of 1996 – NIIPA
- A set of amendments to the CFAA
FISMA – Federal Information Security Management Act – 2002
- Replaced and repealed:
- Computer Security Act of 1987 (CSA)
- GISRA – Government Information Security Reform Act of 2000
FISMA – Federal Information Security Modernization Act – 2014
Cybersecurity Enhancement Act – 2014
NIST SP 800-53
NIST SP 800-171
NIST CSF
National Cybersecurity Protection Act – 2014
Risk Terminology
- Asset
- Asset Valuation
- Threats
- Threat Agent – The entity (usually a person or group) that carries out a threat; typically intentional
- Threat Event – The occurrence that exploits a vulnerability; usually accidental, but it can be intentional
- Vulnerability
- Exposure
- Risk
- Risk = threat * vulnerability
- Safeguard
- Attack
- Breach
Quantitative Risk Analysis
AV – Asset Value
EF – Exposure Factor
SLE – Single Loss Expectancy
ARO- Annualized Rate of Occurrence
ALE – Annualized Loss Expectancy
Single Loss Expectancy
SLE = AV x EF
SLE = $20,000 x 25%
SLE = 20,000 x 0.25 = 5,000
SLE = $5,000
Annualized Loss Expectancy
ALE = SLE x ARO
ALE = 5,000 x 0.5 = 2,500
ALE = $2,500
Value of the Safeguard
(ALE before safeguard) – (ALE after safeguard) – (Annual cost of the safeguard) = Value of safeguard
(ALE1 – ALE2) – ACS = Cost/benefit value
(2,500 – 500) – 1,000 = 1,000
Residual Risk = Inherent Risk – Countermeasures
Total Risk = Threats x Vulnerabilities x Asset Value
Residual Risk = Total Risk – Controls Gap (the controls gap is the amount of risk removed by the safeguards that are actually implemented)
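The SLE, ALE, and safeguard-value formulas above, carried through in code. This is an added example written for these notes, not material from the CISSP study guide or from the linked resource; the three safeguard options and their costs are constructed for illustration, with the first one matching the figures used above. It goes one step beyond the notes by ranking several candidate safeguards and flagging the break-even and not-justified cases, which is how the cost/benefit number is actually used.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is expected incidents per year (0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Safeguard:
    name: str
    ale_after: float    # ALE that remains once the safeguard is in place (ALE2)
    annual_cost: float  # ACS: purchase, deployment, and operating cost per year


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE1 - ALE2) - ACS. Positive = cost-justified, zero = break-even, negative = not justified."""
    return (ale_before - ale_after) - annual_cost


def rank_safeguards(ale_before: float, options: list) -> list:
    """Return (name, value) pairs, best value first. Negative options are kept, not dropped,
    so the reader can see which ones would cost more than the risk they remove."""
    scored = [(s.name, safeguard_value(ale_before, s.ale_after, s.annual_cost)) for s in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def verdict(value: float) -> str:
    if value > 0:
        return "justified"
    if value == 0:
        return "break-even"
    return "not justified"


def worked_example():
    # Figures from the notes above: AV $20,000, EF 25%, ARO 0.5
    sle = single_loss_expectancy(20_000, 0.25)   # 5000.0
    ale = annualized_loss_expectancy(sle, 0.5)   # 2500.0
    # Constructed safeguard options (hypothetical names and costs, not from the notes)
    options = [
        Safeguard("offsite backups", ale_after=500, annual_cost=1_000),     # the notes' case: value 1000
        Safeguard("full redundancy", ale_after=0, annual_cost=2_500),       # removes all risk, but value 0
        Safeguard("managed DR service", ale_after=250, annual_cost=3_000),  # costs more than it saves: -750
    ]
    return sle, ale, rank_safeguards(ale, options)


if __name__ == "__main__":
    sle, ale, ranked = worked_example()
    print(f"SLE = ${sle:,.0f}   ALE = ${ale:,.0f}")
    for name, value in ranked:
        print(f"  {name:<20} value = ${value:>7,.0f}  ({verdict(value)})")
```

Note that "full redundancy" removes the entire ALE yet scores zero: a safeguard is only worth buying when the risk it removes exceeds its annual cost, not merely when it removes risk.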
A Great Resource for Risk Analysis by Thor – https://thorteaches.com/cissp-certification-quantitative-risk-analysis/