CISSPills are short presentations covering topics to study in preparation for the CISSP exam. CISSPills is a digest of my notes and is not meant to replace a study book; it is just another companion for self-paced students.
Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains that make up the CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Security Core Principles
- A-I-C Triad
- Balanced Security
- Security Definitions
- Security Definitions – Key Terms
- Control Types
- The Onion Approach (Defense-in-depth)
- Control Functionalities
- Control Functionalities – Incident-Time Standpoint
- Information Security Management System (ISMS)
- Enterprise Architecture
- Enterprise Security Architecture
- ISMS vs. Enterprise Security Architecture
Security Core Principles
Information Security aims to provide assets with protection by assuring:
Availability
Integrity
Confidentiality
This is known as the A-I-C triad (elsewhere also known as the C-I-A triad).
A-I-C Triad
Availability
It aims at ensuring reliable and timely access to data and resources for authorized users. Assets have to be accessible to authorized people whenever, and in the way, they are expected to be.
Integrity
It aims at preventing unauthorized modification of information. It assures the accuracy and reliability of the data. Integrity can be affected by mistake or maliciously.
Confidentiality
It aims at ensuring a proper level of secrecy by preventing unauthorized disclosure of information. Data have to be protected both when they are stored (data at rest) and while they are transmitted (data in transit).
Balanced Security
Different systems have different priorities in terms of the requirements to meet: an e-commerce company needs its website to be available all the time, an engineering company needs confidentiality in order to protect its intellectual property, while a bank needs to assure integrity in order to avoid fraud.
A good security strategy should rely on controls that address all the principles that make up the A-I-C triad, so that comprehensive protection is provided.
Security Definitions
Controls can eliminate exposures and risks, but not the threat agent.
[Diagram: relationships between the key terms defined on the next slide (threat agent, threat, vulnerability, exposure, risk, control, asset), with arrows labelled "exploits", "poses", "can damage", "counteracts", "directly affects", "characterized by" and "triggers".]
Security Definitions – Key Terms
Threat Agent: an entity willing to exploit a vulnerability;
Threat: the potential risk related to the exploitation of a vulnerability;
Vulnerability: a weakness affecting an asset;
Exposure: the consequence of an exploited vulnerability that exposes the organization to a threat;
Risk: the probability that a vulnerability is exploited and the associated impact;
Control: a countermeasure implemented in order to reduce the risk.
Control Types
Administrative (NIST: Management)
Management-oriented controls (e.g. policies, documentation, training, risk management, etc.).
Technical (NIST: Logical)
Hardware and software solutions (e.g. firewalls, multi-factor authentication, encryption, etc.).
Physical (NIST: Operational)
Physical safeguards aimed primarily at protecting personnel, and then facilities and resources (e.g. CCTV, guards, fences, etc.).
The Onion Approach (Defense-in-depth)
Just as the layers of an onion surround the core of the vegetable, the security controls put in place to protect an asset have to ‘embrace’ it, following a layered approach and acting in a coordinated fashion.
Each layer represents a security mechanism which ‘encompasses’ both the layers below it and the asset. In this way, even if an attacker breaches one layer, the asset is not compromised because other layers are still protecting it.
The more critical the asset is, the more layers of protection are implemented.
Control Functionalities
Controls can be administrative, technical or physical. They can also be further categorized based on the protection they offer. Controls fall into seven categories:
Directive: guidelines and rules that users (internal and external) must follow in order to access systems and data;
Deterrent: controls intended to discourage malicious users from performing attacks;
Preventive: controls intended to prevent an incident from occurring;
Detective: controls intended to detect an incident after it has occurred;
Corrective: controls put in place once an incident has occurred, in order to limit the damage or solve the issue;
Recovery: controls put in place to bring systems back to regular operations;
Compensating: controls intended as an alternative to other controls that cannot be put in place because of affordability or business requirements.
Information Security Management System (ISMS)
An ISMS (also known as a Security Program) is a technology-independent framework composed of physical, logical and administrative controls, as well as people and processes, that work together in order to provide the organization with an adequate level of protection.
The goal of a Security Program is to build a holistic approach to the management of information security.
The most widely adopted ISMS framework is the ISO/IEC 27001 series, which describes how to build and maintain an effective Security Program.
Enterprise Architecture
Organizations can be very complex entities, made up of several processes and elements that work jointly, so adding security controls to an organization requires a deep analysis of how these controls would impact the organizational flows.
An Enterprise Architecture (EA) framework is a conceptual model which, through a modular representation, makes complex systems (such as organizations) easier to understand.
EAs are fundamental during the implementation of security services because they take into account the environment, the business needs and the relationships within the organization. The advantages of using an EA are:
Splitting a complex model into smaller blocks that are easier to understand;
Providing different “views” of the same organization, so that people with different roles can access information presented in a way that they can understand and that makes sense to them;
Providing an all-round view of the organization that makes it possible to understand how a change would impact the other elements which compose the organization.
Enterprise Security Architecture
An Enterprise Security Architecture (ESA) is a subset of an Enterprise Architecture that allows a security strategy (composed of solutions, processes and procedures) to be implemented within an organization.
It is a comprehensive and rigorous method which takes into account how security ties into the organization, and which describes the structure and the behaviour of the elements that compose an ISMS.
The main reason for adopting an ESA is to assure that the security strategy the organization is going to implement integrates properly into its different organizational processes.
ISMS vs. Enterprise Security Architecture
An ISMS (Security Program) specifies the controls to implement (risk management, vulnerability management, auditing, etc.) and provides guidance about how these controls should be maintained. Basically, it specifies what to put in place in order to manage security holistically, and how to manage the components once implemented.
An Enterprise Security Architecture describes how to integrate the security components into the different elements of the organization. An ESA makes it possible to take a generic framework, like the ISO/IEC 27001 series, and implement it in one's own specific environment, thanks to a model which describes the components of an organization and their interactions.
That’s all Folks!
We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources:
Stay tuned for the next issues;
Join ”CISSP Study Group Italia” if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on
Contact Details