ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP

Some common and overarching themes within the CISSP CBK.  Collected here as an additional to revision.

[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.[/alert]

ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP (You are here)
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security

Safety of people is a paramount concern to information security.

CIA Triad

Core security principals which must be met (at least one of, usually all)

Security must maintain CIA of an organisations assets

• Confidentiality – Prevent unauthorised disclosure of information
• Integrity – Prevent unauthorised (through any actor inc environment etc.) modification of systems and information
• Availability – Prevent disruption of service and/or productivity

Applying these principals provides features and benefits to the organisation

Control

Default Stance & Underlying Philosophy

1)   Allow by Default

1. Eg universities
2. Can access everything unless there is a specific need to restrict
3. Few organisations are “pure” Allow by Default throughout, eh Universities restricting access to HR systems

2)   Deny by Default

1. Eg commercial entities, governments & military
2. Any access that isn’t specifically permitted is denied

Defence in Depth

• The practice of applying multiple layers of security protection
• If one layer should fail then there is still protection
• Not just IT related, can be used anywhere (eg facilities with fences, guards, CCTV, locked offices, etc)
• Compromise should be a challenge against all layers
• Limit exposure to possible threats

Individual Points

• “Prevention is ideal but detection is a must; however detection without response is useless.” – Eric Cole
• Prevention inbound, detective outbound
• Successful security program integrates effectively within a business or operational goals of an organisation
• Least privilege
• Risk Management?
• Security Domains – Different areas of different risks and controls (eg DMZ compared to internal LAN)
• Risk cannot be eliminated, it must be managed
• Information Governance is the framework, policies, concepts, principles, structures and standards used to protect information assets.

[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.[/alert]