[Notes] CISSP Chapter 1: Security Governance Through Principles and Policies

The CIA Triad

Confidentiality:

• The secrecy of data, objects, or resources.
• Encryption is a popular control for managing confidentiality.
• Objects (passive elements) and subjects (active elements).

Confidentiality terms:

• Sensitivity: The attribute that could cause harm if disclosed.
• Discretion: Influencing or controlling data.
• Criticality: The level to which data is mission-critical.
• Concealment: Hiding data to prevent disclosure.
• Privacy: Protection of personally identifiable or potentially harmful data.
• Seclusion: Storing something in an out-of-the-way location.
• Isolation: Keeping something separate from others.

Integrity:

• Ensuring the accuracy of data.
• Preventing unauthorized modifications.
• Cryptographic signing is a popular control for managing integrity.

Integrity terms:

• Accuracy: Being correct and precise.
• Truthfulness: Reflecting reality accurately.
• Authenticity: Being genuine.
• Validity: Being factually or logically sound.
• Nonrepudiation: Preventing denial of activities.
• Accountability: Responsibility for actions and results.
• Responsibility: Control over something.
• Completeness: Having all needed parts.
• Comprehensiveness: Being complete in scope.

Availability:

• Timely and uninterrupted access to objects.
• Denial of service attacks are attacks on availability.

Availability terms:

• Usability: Being easy to use or understand.
• Accessibility: Assuring access regardless of capabilities.
• Timeliness: Being prompt or on time.

Other Security Concepts

• AAA services: Authentication, Authorization, Accounting (Auditing).
• Identification vs. Authentication.
• Auditing vs. Monitoring.
• Layering (Defense in Depth).
• Abstraction: Classifying objects.
• Data hiding vs. Security through obscurity.
• Encryption: Hiding communication intent.

Evaluate and Apply Security Governance Principles

• Security governance: Directing security efforts.
• NIST 800-53 or 800-100 standards.
• Governance’s role in security policies.
• Business case: Demonstrating a business-specific need.
• Top-down approach: Effective security management planning.
• Types of plans: Strategic, Tactical, Operational.
• Change control/management: Ensuring security during change.

Data Classification

• Protecting data based on need for secrecy.
• Declassification.
• Government/military classification.
• Commercial business/private sector classification.
• Ownership: Formal assignment of responsibility.

Organizational Roles and Responsibilities

• Senior manager, Security professional, Data owner, Data custodian, User, Auditor.
• Key responsibilities of each role.

Security Control Frameworks

• COBIT: Control Objectives for Information and Related Technology.
• ISO/IEC 27002, ITIL, and other standards.

Due Care and Due Diligence

• Due care: Using reasonable care to protect organization interests.
• Due diligence: Practicing activities maintaining due care.

Developing Documents

• Security Policies, Acceptable Use Policy, Standards, Baselines, Guidelines, and Security Procedures.
• Importance of not creating monolithic documents.

Threat Modeling

• Identifying, categorizing, and analyzing potential threats.
• Proactive vs. reactive approaches.
• Methods for identifying threats: Focused on assets, attackers, software.
• STRIDE, PASTA, TRIKE, DREAD, VAST methodologies.
• Reduction analysis: Decomposing applications.

Prioritization and Response

• Defining threat means, target, and consequences.
• Ranking threats using probability x damage potential.
• High-priority items require immediate attention.
• DREAD rating system.

Apply Risk-Based Management Concepts to the Supply Chain

• Secure supply chain: Reliability, trustworthiness, and practices disclosure.
• Vendors’ roles in secure supply chains.