
Domain 1 – Security & Risk Management Western Governors UniversityCISSP 101Notes - Domain 1 - EDT_JAN18.


SLIDES 3 - 6 – Domain Objectives and Agenda

Objectives = goals. Slide 4: Agenda = definitions, lists, plans, outlines, or the like; the things that need to be done.

Overview

During our first domain, Security and Risk Management, we will address a broad spectrum of general information security and risk management topics. We will begin by reviewing confidentiality, integrity and availability, better known as the CIA Triad. The CIA triad is commonly referred to as THE "fundamental security principles": all information security functions exist to provide C, I and A.

NOTE: Keep the CIA triad in mind when considering EVERY question for ALL 8 domains.

The Security and Risk Management domain continues to build on these concepts in the areas of security governance and compliance. NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. Compliance is the action or fact of complying with a wish or command; in this context, with the laws, regulations, policies and contractual obligations that apply to the organization. CISSP candidates will be tested on understanding both.

As is the case with all (ISC)² examinations, CISSP candidates will be tested on ethical considerations in general and the (ISC)² Code of Ethics in particular. Know these inside and out. (PROVIDE EXAMPLE) The unique position of trust from which information security professionals apply their craft MUST be well grounded and ethically sound; you must consistently apply the Code of Ethics. Your information security program will not be very successful unless it has been carefully constructed and evenly applied to all security policies and procedures. CISSP candidates will be tested on their ability to develop and implement policies and procedures within an information security context.

DOMAIN 1: P 1 v.01_2018

SLIDE 5 – Domain Agenda

The Security and Risk Management domain includes all aspects of business continuity planning (BCP). The BCP includes:
- Information and requirements gathering, including interrelationships and interdependencies
- Business impact analysis (BIA) and Recovery Point Objectives (RPO)

Risk management dominates this domain. Be sure to have a thorough understanding of risk management concepts. Risk management topics include:
- Risk analysis
- Countermeasure selection and implementation
- Risk monitoring
- Reporting
- Risk frameworks

CISSP candidates will be required to understand threat modeling and the integration of risk management into the acquisition and management of hardware, software and service contracts. CISSP candidates will be tested in the area of personnel security policies and are expected to be capable of establishing and maintaining security education, training and awareness programs. CISSP candidates must understand ethical considerations in information security.

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

Confidentiality:
- Confidentiality begins with "need to know": people doing their jobs are granted access to sensitive resources only when their role requires it.
- Confidentiality is usually enforced using the principle of least privilege, which means that persons are given just the access they need to do their jobs and no more. We use data classification, access controls and cryptography to help ensure the confidentiality of resources.
- The ultimate goal is to keep information and communications private and protected from unauthorized access.
- This is accomplished using:
  - data encryption,
  - physical access controls,
  - logical access controls, and
  - security policies.
- Managing these controls correctly will help protect the organization against shoulder surfing, social engineering and other forms of observational disclosure.

Integrity:
- Integrity comes in two forms: (1) making sure that information is processed correctly and not modified by unauthorized persons, and (2) protecting information from modification as it traverses a network.
- Integrity controls include:
  - transaction controls,
  - digital signatures,
  - well-formed transactions, and
  - proper system development methods.
- Integrity keeps an organization's information accurate, free of errors and without unauthorized modifications.
- This is accomplished by:
  - defending against malware,
  - protecting data against corruption or deletion, and
  - validating source code.
- Managing these controls correctly will help protect the organization against code injection and malformed data input. Hash validation of data will allow modifications to be identified; note that an unkeyed hash only detects a change if the attacker cannot also replace the stored hash, so a keyed MAC or a digital signature is needed to detect deliberate tampering. Limiting the options available to users will allow you to control the amount of data that is available.
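The following is an added example, not part of these course notes, that shows what "data hashing validation" does and does not catch. It protects a constructed payroll record with a plain SHA-256 digest and with an HMAC-SHA256 tag, then checks both schemes against an attacker who can edit only the record and against one who can also rewrite the stored check value. The record contents and the INTEGRITY_KEY are assumptions made up for the demonstration; only the Python standard library is used.

```python
"""Integrity validation with hashes and keyed MACs.

Added example for the CISSP Domain 1 integrity notes; not from the original
course material. The record data and the key below are constructed for the
demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed sample record: a payroll line an attacker would like to alter.
ORIGINAL_RECORD = b"employee=1042;account=GB29NWBK60161331926819;amount=2500.00"
TAMPERED_RECORD = b"employee=1042;account=GB94BARC10201530093459;amount=2500.00"

# Hypothetical integrity key held only by the verifying system.
INTEGRITY_KEY = secrets.token_bytes(32)


def sha256_digest(data: bytes) -> str:
    """Unkeyed hash: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed MAC: only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_with_hash(data: bytes, stored_digest: str) -> bool:
    """Detects modification only if the stored digest itself is trustworthy."""
    return hmac.compare_digest(sha256_digest(data), stored_digest)


def verify_with_hmac(data: bytes, stored_tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so the check does not leak which byte differs."""
    return hmac.compare_digest(hmac_tag(data, key), stored_tag)


def scenario() -> dict:
    """Run the four cases a practitioner cares about and return the outcomes."""
    digest = sha256_digest(ORIGINAL_RECORD)
    tag = hmac_tag(ORIGINAL_RECORD)

    # Attacker who can write the record but not the stored digest or tag.
    hash_detects_edit = not verify_with_hash(TAMPERED_RECORD, digest)
    hmac_detects_edit = not verify_with_hmac(TAMPERED_RECORD, tag)

    # Attacker who can write both the record and its stored check value.
    forged_digest = sha256_digest(TAMPERED_RECORD)  # trivially recomputed
    forged_tag = hmac.new(b"guess", TAMPERED_RECORD, hashlib.sha256).hexdigest()  # key unknown
    hash_detects_forgery = not verify_with_hash(TAMPERED_RECORD, forged_digest)
    hmac_detects_forgery = not verify_with_hmac(TAMPERED_RECORD, forged_tag)

    return {
        "hash_detects_edit": hash_detects_edit,        # True
        "hmac_detects_edit": hmac_detects_edit,        # True
        "hash_detects_forgery": hash_detects_forgery,  # False: unkeyed hash is forgeable
        "hmac_detects_forgery": hmac_detects_forgery,  # True: attacker lacks the key
    }


if __name__ == "__main__":
    for case, detected in scenario().items():
        print(f"{case}: {'DETECTED' if detected else 'MISSED'}")
```

The first two cases show why the notes list hashing as an integrity control: any change to the record changes the check value. The third case is the caveat: if the hash is stored where the attacker can also write (the same file share, the same database row), a recomputed hash passes verification. The fourth case shows that a keyed MAC, or equivalently a digital signature, closes that gap because the attacker cannot produce a valid tag without the key. Using hmac.compare_digest for both comparisons avoids a timing side channel in the verification itself.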


Preview 1 out of 80 pages
Document information
Uploaded on: Aug 05, 2021
Number of pages: 80
Seller: Cheryshev