Need 600+ words with no plagiarism and 2+ scholarly references in APA Format.
After this week's readings and your own research, describe and discuss ways, if any, we can safely share security data. Are there precautions we can take, technical solutions we can use, e.g., like using the CIA triad, or should we just not share these kinds of data? Feel free to argue for and against, just make sure to back up your statements with scholarly support.
A substantive post will do at least TWO of the following:

Ask an interesting, thoughtful question pertaining to the topic
Provide extensive additional information on the topic
Explain, define, or analyze the topic in detail
Share an applicable personal experience
Provide an outside source that applies to the topic, along with additional information about the topic or the source (please cite properly in APA 7)
Make an argument concerning the topic.


At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources. Use proper citations and references in your post.

CISSP
Certified Information Systems
Security Professional
Copyright 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana.
Used with permission.

CISSP Focus
CISSP focuses on security:
Design
Architecture
Theory
Concept
Planning
Managing

Topical Domains
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security

Exam Topic Outline
www.isc2.org/Certifications/CISSP
Download the CISSP Exam Outline
Previously known as the Candidate Information Bulletin

Prequalifications
For taking the CISSP exam:
5 years of full-time paid work experience
Or, 4 years of experience with a recent college degree
Or, 4 years of experience with an approved security certification, such as CAP, CISM, CISA, Security+, CCNA Security, MCSA, MCSE, and GIAC
Or, Associate of (ISC)2 if you don't yet have experience
Agree to (ISC)2 Code of Ethics

CISSP Exam Overview
CISSP-CAT (Computerized Adaptive Testing)
Minimum 100 questions
Maximum 150 questions
25 unscored items mixed in
3 hours to take the exam
No score is issued, just pass or fail
Must achieve passing standard for each domain within the last 75 questions seen

Exam Retakes
Take the exam a maximum of 3 times per 12-month period
Wait 30 days after your first attempt
Wait an additional 90 days after your second attempt
Wait an additional 180 days after your third attempt
You will need to pay full price for each additional exam attempt.

Question Types
Most questions are standard multiple choice with four answer options with a single correct answer
Some questions require you to select two, select three, or select all that apply
Some questions may be based on a provided scenario or situation
Advanced innovative questions may require drag-and-drop, hot-spot, or re-order tasks

Exam Advice
Work promptly, don't waste time, keep an eye on your remaining time
It is not possible to return to a question.
Try to reduce/eliminate answer options before guessing
Pay attention to question format and how many answers are needed
Use the provided dry-erase board for notes

Updates and Changes
As updates, changes, and errata are needed for the book, they are posted online at:

www.wiley.com/go/cissp8e

Visit and write in the corrections to your book!

Exam Prep Recommendations
Read each chapter thoroughly
Research each practice question you get wrong
Complete the written labs
View the online flashcards
Use the 6 online bonus exams to test your knowledge across all of the domains
Consider using: (ISC)2 CISSP Official Practice Tests, 2nd Edition (ISBN: 978-1-119-47592-7)

Completing Certification
Endorsement
A CISSP certified individual in good standing
Within 90 days of passing the exam

After CISSP, consider the post-CISSP Concentrations:
Information Systems Security Architecture Professional (ISSAP)
Information Systems Security Management Professional (ISSMP)
Information Systems Security Engineering Professional (ISSEP)

Book Organization 1/2
Security and Risk Management
Chapters 1-4
Asset Security
Chapter 5
Security Architecture and Engineering
Chapters 6-10
Communication and Network Security
Chapters 11-12

Book Organization 2/2
Identity and Access Management (IAM)
Chapters 13-14
Security Assessment and Testing
Chapter 15
Security Operations
Chapters 16-19
Software Development Security
Chapters 20-21

Study Guide Elements
Exam Essentials
Chapter Review Questions
Written Labs
Real-World Scenarios
Summaries


Additional Study Tools
www.wiley.com/go/cissptestprep

Electronic flashcards
Glossary in PDF
Bonus Practice Exams:
6 x 150-question practice exams covering the full range of domain topics

Chapter 1
Security Governance Through Principles and Policies

Understand and Apply Concepts of Confidentiality, Integrity, and Availability
CIA Triad
AAA Services
Protection Mechanisms


CIA Triad
Confidentiality
Integrity
Availability

Confidentiality
Sensitivity
Discretion
Criticality
Concealment
Secrecy
Privacy
Seclusion
Isolation

Integrity 1/3
Preventing unauthorized subjects from making modifications
Preventing authorized subjects from making unauthorized modifications
Maintaining the internal and external consistency of objects

Integrity 2/3
Accuracy: Being correct and precise
Truthfulness: Being a true reflection of reality
Authenticity: Being authentic or genuine
Validity: Being factually or logically sound
Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event

Integrity 3/3
Accountability: Being responsible or obligated for actions and results
Responsibility: Being in charge or having control over something or someone
Completeness: Having all needed and necessary components or parts
Comprehensiveness: Being complete in scope; the full inclusion of all needed elements

Availability
Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject
Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness: Being prompt, on time, within a reasonable time frame, or providing low latency response

AAA Services
Identification
Authentication
Authorization
Auditing
Accounting/Accountability

Protection Mechanisms
Layering/Defense in Depth
Abstraction
Data Hiding
Security through obscurity
Encryption

Evaluate and Apply Security Governance Principles
Alignment of Security Function
Security Management Plans
Organizational Processes
Change Control/Management
Data Classification
Organizational Roles and Responsibilities
Security Control Frameworks
Due Care and Due Diligence


Alignment of Security Function
Alignment to Strategy, Goals, Mission, and Objectives
Security Policy
Based on business case
Top-Down Approach
Senior Management Approval
Security Management:
InfoSec team, CISO, CSP, ISO

Security Management Plans
Strategic
Tactical
Operational

Organizational Processes
Security governance
Acquisitions and divestitures risks:
Inappropriate information disclosure
Data loss
Downtime
Failure to achieve sufficient return on investment (ROI)

Change Control/Management 1/2
Implement changes in a monitored and orderly manner. Changes are always controlled.
A formalized testing process is included to verify that a change produces expected results.
All changes can be reversed (also known as backout or rollback plans/procedures).
Users are informed of changes before they occur to prevent loss of productivity.

Change Control/Management 2/2
The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
The negative impact of changes on capabilities, functionality, and performance is minimized.
Changes are reviewed and approved by a change approval board (CAB).

Data Classification 1/2
Determines: effort, money, and resources
Government/military vs. commercial/private sector
Declassification

Data Classification 2/2
1. Identify the custodian, define responsibilities.
2. Specify the evaluation criteria.
3. Classify and label each resource.
4. Document any exceptions.
5. Select the security controls for each level.
6. Specify declassification and external transfer.
7. Create an enterprise-wide awareness program.

Organizational Roles and Responsibilities
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

Security Control Frameworks
COBIT (see next slide)
Used to plan the IT security of an organization and as a guideline for auditors
Information Systems Audit and Control Association (ISACA)
Open Source Security Testing Methodology Manual (OSSTMM)
ISO/IEC 27001 and 27002
Information Technology Infrastructure Library (ITIL)

Control Objectives for Information and Related Technologies (COBIT)
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

Due Care and Due Diligence
Due care is using reasonable care to protect the interests of an organization.
Due diligence is practicing the activities that maintain the due care effort.

Develop, Document, and Implement
Security Policy, Standards, Procedures, and Guidelines
Security Policies
Security Standards, Baselines, and Guidelines
Security Procedures


Security Policies
Defines the scope of security needed by the organization
Organizational, issue-specific, system-specific
Regulatory, advisory, informative

Security Standards, Baselines, and Guidelines
Standards define compulsory requirements
Baselines define a minimum level of security
Guidelines offer recommendations on how standards and baselines are implemented

Security Procedures
Standard operating procedure (SOP)
A detailed, step-by-step how-to
To ensure the integrity of business processes

Understand and Apply Threat Modeling Concepts and Methodologies
Threat Modeling
Identifying Threats
Threat Categorization Schemes
Determining and Diagramming Potential Attacks
Performing Reduction Analysis
Prioritization and Response


Threat Modeling
Microsoft's Security Development Lifecycle (SDL)
Secure by Design, Secure by Default, Secure in Deployment and Communication
(also known as SD3+C)
Proactive vs. reactive approach

Identifying Threats
Focused on Assets
Focused on Attackers
Focused on Software

Threat Categorization Schemes
STRIDE
Process for Attack Simulation and Threat Analysis (PASTA)
Trike
Visual, Agile, and Simple Threat (VAST)

STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

PASTA 1/2
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling and Simulation (AMS)
Stage VII: Risk Analysis and Management (RAM)

PASTA 2/2

Determining and Diagramming Potential Attacks
Diagram the infrastructure
Identify data flow
Identify privilege boundaries
Identify attacks for each diagrammed element

Diagramming to Reveal Threat Concerns

Performing Reduction Analysis
Decomposing
Trust boundaries
Data flow paths
Input points
Privileged operations
Details about security stance and approach

Prioritization and Response
Probability × Damage Potential ranking
High/medium/low rating
DREAD system
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

Apply Risk-Based Management Concepts to the Supply Chain
Resilient integrated security
Cost of ownership
Outsourcing
Integrated security assessments
Monitoring and management
On-site assessment
Document exchange and review
Process/policy review
Third-party audit (AICPA SOC1 and SOC2)

Conclusion
Read the Exam Essentials
Review the Chapter
Perform the Written Labs
Answer the Review Questions

Chapter 2
Personnel Security and Risk Management Concepts

Personnel Security Policies and Procedures
Personnel Management
Candidate Screening and Hiring
Employment Agreements and Policies
Onboarding and Termination Processes
Vendor, Consultant, and Contractor Agreements and Controls
Compliance Policy Requirements
Privacy Policy Requirements


Personnel Management
Job descriptions, position descriptions
Separation of duties
Job responsibilities
Job rotation
Cross-training
Collusion

Candidate Screening and Hiring
Based on job description
Background checks
Reference checks
Education verification
Security clearance validation
Online background checks

Employment Agreements and Policies
Non-disclosure agreement
Non-compete agreement
Audit job descriptions, work tasks, privileges, and responsibilities
Mandatory vacations

Onboarding and Termination Processes
Onboarding vs. offboarding
Maintain control and minimize risks
Exit interview
Terminate access
Return company property

Vendor, Consultant, and Contractor Agreements and Controls
Define the levels of performance, expectation, compensation, and consequences
Service-level agreement (SLA)
Risk reduction and risk avoidance

Compliance Policy Requirements
Conforming to or adhering to rules, policies, regulations, standards, or requirements
Maintain high levels of quality, consistency, efficiency, and cost savings

Privacy Policy Requirements
Active prevention of unauthorized access to information that is personally identifiable
Freedom from unauthorized access to information deemed personal or confidential
Freedom from being observed, monitored, or examined without consent or knowledge
Legislative and regulatory compliance issues
HIPAA, SOX, FERPA, GLB, DPD, and GDPR
PCI-DSS

Security Governance

Maintain business processes while striving toward growth and resiliency
Third-party governance
Auditing security objectives, requirements, regulations, and contractual obligations
Compliance
Documentation review
Authorization to operate (ATO)

Understand and Apply Risk Management Concepts
Risk Terminology
Identify Threats and Vulnerabilities
Risk Assessment/Analysis
Risk Responses
Countermeasure Selection and Implementation
Types of Controls
Security Control Assessment
Monitoring and Measurement
Asset Valuation and Reporting
Continuous Improvement
Risk Frameworks


Risk Terminology
Asset
Asset valuation
Threats
Vulnerability
Exposure
Risk
Safeguard, security control, countermeasure
Attack, breach

Identify Threats and Vulnerabilities
Inventory all threats for each asset
Threat agents
Threat events
Include non-IT sources

Risk Assessment/Analysis
Quantitative analysis
Qualitative analysis

Quantitative Analysis
AV
EF
SLE = AV * EF
ARO
ALE = SLE * ARO

Cost benefit:
ALE before safeguard - ALE after safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company
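A worked version of the quantitative formulas above (SLE, ALE and the safeguard cost/benefit), as an added example that is not part of the slides; the asset values and the three candidate safeguards are constructed for illustration.

```python
"""Worked quantitative risk analysis.

Formulas as given on the slides:
    SLE = AV * EF
    ALE = SLE * ARO
    value of safeguard = ALE(before) - ALE(after) - ACS
Asset values and safeguard options below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: value of the asset (e.g. dollars)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0-1.0
    aro: float              # ARO: expected incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0 or self.aro < 0 or self.asset_value < 0:
            raise ValueError("EF must be 0..1, ARO and AV non-negative")

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def safeguard_value(before: Scenario, after: Scenario, acs: float) -> float:
    """Cost/benefit of a safeguard. Positive means it saves more than it costs;
    zero or negative means the control is not justified on ALE alone."""
    return before.ale() - after.ale() - acs


def rank_safeguards(before: Scenario, options: dict[str, tuple[Scenario, float]]) -> list[tuple[str, float]]:
    """Rank candidate safeguards best-first by their value to the company.
    options maps a safeguard name to (scenario after the safeguard, its ACS)."""
    scored = [(name, safeguard_value(before, after, acs)) for name, (after, acs) in options.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed example: a $500,000 asset, 40% lost per incident, one incident every two years.
BASELINE = Scenario(asset_value=500_000, exposure_factor=0.40, aro=0.5)

# Constructed safeguards: (scenario after deployment, annual cost of safeguard).
OPTIONS = {
    "backups":  (Scenario(500_000, 0.10, 0.5), 30_000),   # reduces loss per incident (EF)
    "rebuild":  (Scenario(500_000, 0.40, 0.05), 90_000),  # reduces how often it happens (ARO)
    "training": (Scenario(500_000, 0.35, 0.5), 5_000),    # small, cheap improvement to EF
}

if __name__ == "__main__":
    print(f"SLE = {BASELINE.sle():,.0f}  ALE = {BASELINE.ale():,.0f}")
    for name, value in rank_safeguards(BASELINE, OPTIONS):
        print(f"{name:9s} value to company = {value:,.0f}")
```

Note that "rebuild" comes out at exactly zero value: it lowers ALE the most, but its annual cost eats the whole saving, which is the case the cost/benefit formula is meant to catch.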

Qualitative Analysis
Brainstorming
Delphi technique
Storyboarding, scenarios
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews

Risk Responses
Reduce or mitigate
Assign or transfer
Accept
Deter
Avoid
Reject or ignore
Total risk vs. residual risk
threats × vulnerabilities × asset value = total risk
total risk - controls gap = residual risk

Countermeasure Selection
Costs and benefits
Reduce attack benefit
Solve a real problem
Not dependent upon secrecy
Testable
Uniform protection
No dependencies
Tamperproof

Countermeasure Implementation
Administrative
Logical/technical
Physical
Defense in depth

Types of Controls
Deterrent
Preventive
Detective
Compensating
Corrective
Recovery
Directive

Security Control Assessment
Formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation
Ensure the effectiveness
Evaluate the quality and thoroughness
Identify relative strengths and weaknesses of security infrastructures
NIST SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems

Monitoring and Measurement
Quantified, evaluated, or compared
Native/internal monitoring or external monitoring
Measuring the effectiveness

Asset Valuation and Reporting
Used to justify protections
Tangible value
Intangible value
Used in cost/benefit analysis
Helps select safeguards
Defines level of risk
Risk reporting
Internal or to relevant/interested third parties

Continuous Improvement
Security is always changing
Needs to be integrated into deployed security solutions
Risk analysis is a point in time metric
As threats change, so must security

Risk Frameworks 1/3
Guideline or recipe for how risk is to be assessed, resolved, and monitored
NIST SP 800-37
Risk Management Framework (RMF)
1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor

Risk Frameworks 2/3

Risk Frameworks 3/3
Operationally Critical Threat, Asset, And Vulnerability Evaluation (OCTAVE)
Factor Analysis Of Information Risk (FAIR)
Threat Agent Risk Assessment (TARA)

Establish and Maintain a Security Awareness, Education, and Training Program

Security requires changes in user behavior
Seek policy compliance
Awareness
Training
Education

Manage the Security Function
Security governance
Risk assessment
Craft security policy
Cost effective
Measurable security
Resource management

Conclusion
Read the Exam Essentials
Review the Chapter
Perform the Written Labs
Answer the Review Questions