ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP

overarching-themes-for-the-cissp

Some common and overarching themes within the CISSP CBK.  Collected here as an additional to revision.

In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP (You are here)
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security

 

Safety of people is a paramount concern to information security.

CIA Triad

Core security principals which must be met (at least one of, usually all)

Security must maintain CIA of an organisations assets

  • Confidentiality – Prevent unauthorised disclosure of information
  • Integrity – Prevent unauthorised (through any actor inc environment etc.) modification of systems and information
  • Availability – Prevent disruption of service and/or productivity

Applying these principals provides features and benefits to the organisation

Control

Default Stance & Underlying Philosophy

1)   Allow by Default

  1. Eg universities
  2. Can access everything unless there is a specific need to restrict
  3. Few organisations are “pure” Allow by Default throughout, eh Universities restricting access to HR systems

2)   Deny by Default

  1. Eg commercial entities, governments & military
  2. Any access that isn’t specifically permitted is denied

Defence in Depth

  • The practice of applying multiple layers of security protection
  • If one layer should fail then there is still protection
  • Not just IT related, can be used anywhere (eg facilities with fences, guards, CCTV, locked offices, etc)
  • Compromise should be a challenge against all layers
  • Limit exposure to possible threats

Individual Points

  • “Prevention is ideal but detection is a must; however detection without response is useless.” – Eric Cole
  • Prevention inbound, detective outbound
  • Successful security program integrates effectively within a business or operational goals of an organisation
  • Least privilege
  • Risk Management?
  • Security Domains – Different areas of different risks and controls (eg DMZ compared to internal LAN)
  • Risk cannot be eliminated, it must be managed
  • Information Governance is the framework, policies, concepts, principles, structures and standards used to protect information assets.
In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

 

Trackbacks for this post

  1. ISC(2) CISSP Revision Notes – Study and Exam Tips | Gyp the Cat dot Com

Got something to say? Go for it!