ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
Some common and overarching themes within the CISSP CBK, collected here as an addition to the other revision notes.
[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam. These notes completely lack things that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.[/alert]
ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP (You are here)
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security
Safety of people is the paramount concern in information security: human life takes precedence over every other asset.
CIA Triad
Core security principles that must be met (any given control addresses at least one of them, usually all three)
Security must maintain the CIA of an organisation's assets
- Confidentiality – Prevent unauthorised disclosure of information
- Integrity – Prevent unauthorised modification of systems and information, whether by a person, a process or the environment (e.g. a power failure corrupting a write)
- Availability – Prevent disruption of service and/or productivity, so that authorised users have timely and reliable access
Applying these principles is what delivers security's features and benefits to the organisation
Control
Default Stance & Underlying Philosophy
1) Allow by Default
- e.g. universities
- Everything can be accessed unless there is a specific need to restrict it; rules are exceptions that deny
- Few organisations are “pure” Allow by Default throughout, e.g. a university still restricts access to its HR systems
2) Deny by Default
- e.g. commercial entities, governments and the military
- Any access that isn't specifically permitted is denied; rules are exceptions that allow
- The safer stance: something nobody thought to write a rule for (a newly deployed system, a new port) is closed rather than exposed
Defence in Depth
- The practice of applying multiple, independent layers of security protection
- If one layer should fail (or be bypassed) there is still protection from the others
- Not just IT related, can be used anywhere (e.g. facilities with fences, guards, CCTV, locked offices, etc.)
- Compromise should require defeating every layer, not just the outermost one
- Each layer limits exposure to the threats the layers before it did not stop
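The two default stances described above and the defence in depth idea, as an added worked example in Python (this is not code from the original notes; every subject, resource and rule in it is constructed for illustration). Each Layer has a default stance plus an ordered list of exception rules, first match wins as in a firewall ACL, and evaluate() chains layers so that a request must pass all of them. The fail_open() helper models a layer that has failed unsafely, which is the case defence in depth exists for.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str


@dataclass
class Rule:
    """An explicit exception to a layer's default stance (first match wins)."""
    subjects: frozenset
    resources: frozenset
    actions: frozenset
    effect: str  # "allow" or "deny"

    def matches(self, req: Request) -> bool:
        return (
            (req.subject in self.subjects or ANY in self.subjects)
            and (req.resource in self.resources or ANY in self.resources)
            and (req.action in self.actions or ANY in self.actions)
        )


def rule(effect, subjects, resources, actions) -> Rule:
    """Small constructor so the rule tables below read like a firewall policy."""
    return Rule(frozenset(subjects), frozenset(resources), frozenset(actions), effect)


@dataclass
class Layer:
    """One control in the stack: a default stance plus an ordered rule list."""
    name: str
    default: str  # "allow" (allow by default) or "deny" (deny by default)
    rules: List[Rule] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        for r in self.rules:          # first matching rule wins, like an ACL
            if r.matches(req):
                return r.effect
        return self.default           # nothing matched: the default stance applies


def evaluate(layers: List[Layer], req: Request) -> Tuple[str, Optional[str]]:
    """Defence in depth: a request must be allowed by every layer in turn.
    Returns the decision and the name of the layer that stopped it (or None)."""
    for layer in layers:
        if layer.decide(req) == "deny":
            return "deny", layer.name
    return "allow", None


def fail_open(layer: Layer) -> Layer:
    """Model a layer that has failed unsafely (bypassed, or left in a
    permissive state): no rules, everything allowed."""
    return Layer(layer.name + " (failed open)", default="allow", rules=[])


# --- constructed policies: hypothetical subjects, resources and rules ---

# Allow by default, university style: everything is reachable unless a
# specific restriction exists, here for the HR system.
UNIVERSITY = Layer("campus-lan", default="allow", rules=[
    rule("allow", {"hr-staff"}, {"hr-system"}, {ANY}),
    rule("deny", {ANY}, {"hr-system"}, {ANY}),
])

# Deny by default, commercial style: only what is explicitly permitted passes.
PERIMETER = Layer("perimeter-firewall", default="deny", rules=[
    rule("allow", {ANY}, {"web-portal"}, {"read"}),
    rule("allow", {"hr-staff", "contractor"}, {"hr-system"}, {"read", "write"}),
])

# A second, independent layer inside the application: also deny by default,
# and stricter than the perimeter (contractors may only read).
HR_APP = Layer("hr-app-authz", default="deny", rules=[
    rule("allow", {"hr-staff"}, {"hr-system"}, {"read", "write"}),
    rule("allow", {"contractor"}, {"hr-system"}, {"read"}),
])


if __name__ == "__main__":
    # The practical difference between the stances shows up on a resource that
    # nobody has written a rule for yet, e.g. a newly deployed system.
    new_app = Request("student", "new-finance-app", "read")
    print("allow-by-default, unlisted resource:", UNIVERSITY.decide(new_app))
    print("deny-by-default,  unlisted resource:", PERIMETER.decide(new_app))

    # Defence in depth: the contractor's write is stopped by the application
    # layer even though the perimeter lets it through, and is still stopped
    # after the perimeter fails open. Only when every layer fails does it pass.
    write = Request("contractor", "hr-system", "write")
    print(evaluate([PERIMETER, HR_APP], write))
    print(evaluate([fail_open(PERIMETER), HR_APP], write))
    print(evaluate([fail_open(PERIMETER), fail_open(HR_APP)], write))
```

The point to take from running it: the unlisted new-finance-app is open under allow-by-default and closed under deny-by-default without anyone having made a decision about it, and the layers only protect each other because they are independent (the application layer does not trust that the perimeter already checked).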
Individual Points
- “Prevention is ideal but detection is a must; however detection without response is useless.” – Eric Cole
- Prevention on inbound, detection on outbound (what leaves the network reveals what prevention missed)
- A successful security program integrates effectively with the business or operational goals of the organisation
- Least privilege – subjects get only the access required to perform their function, for no longer than it is needed
- Risk management – risk cannot be eliminated, it must be managed
- Security domains – areas with different risks and therefore different controls (e.g. a DMZ compared to the internal LAN)
- Information governance is the framework of policies, concepts, principles, structures and standards used to protect information assets.