(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide
eBook - ePub

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Mike Chapple, James Michael Stewart, Darril Gibson

Share book
  1. English
  2. ePUB (mobile friendly)
  3. Available on iOS & Android
eBook - ePub

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Mike Chapple, James Michael Stewart, Darril Gibson

Book details
Book preview
Table of contents
Citations

About This Book

NOTE: The CISSP objectives this book covered were issued in 2018. For coverage of the most recent CISSP objectives effective in April 2021, please look for the latest edition of this guide: (ISC) 2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition (ISBN: 9781119786238).

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8 th Edition has been completely updated for the latest 2018 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

  • Six unique 150 question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
  • More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
  • A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam

Coverage of all of the exam topics in the book means you'll be ready for:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • SoftwareDevelopment Security

Frequently asked questions

How do I cancel my subscription?
Simply head over to the account section in settings and click on ā€œCancel Subscriptionā€ - itā€™s as simple as that. After you cancel, your membership will stay active for the remainder of the time youā€™ve paid for. Learn more here.
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlegoā€™s features. The only differences are the price and subscription period: With the annual plan youā€™ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weā€™ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide an online PDF/ePUB?
Yes, you can access (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide by Mike Chapple, James Michael Stewart, Darril Gibson in PDF and/or ePUB format, as well as other popular books in Computer Science & Certification Guides in Computer Science. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Sybex
Year
2018
ISBN
9781119475873

Chapter 1
Security Governance Through Principles and Policies

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
  • images
    Domain 1: Security and Risk Management
    • 1.1 Understand and apply concepts of confidentiality, integrity and availability
    • 1.2 Evaluate and apply security governance principles
      • 1.2.1 Alignment of security function to business strategy, goals, mission, and objectives
      • 1.2.2 Organizational processes
      • 1.2.3 Organizational roles and responsibilities
      • 1.2.4 Security control frameworks
      • 1.2.5 Due care/due diligence
    • 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
    • 1.10 Understand and apply threat modeling concepts and methodologies
      • 1.10.1 Threat modeling methodologies
      • 1.10.2 Threat modeling concepts
    • 1.11 Apply risk-based management concepts to the supply chain
      • 1.11.1 Risks associated with hardware, software, and services
      • 1.11.2 Third-party assessment and monitoring
      • 1.11.3 Minimum security requirements
      • 1.11.4 Service-level requirements
images
The Security and Risk Management domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with many of the foundational elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms. Additional elements of this domain are discussed in various chapters: Chapter 2, ā€œPersonal Security and Risk Management Conceptsā€; Chapter 3, ā€œBusiness Continuity Planningā€; Chapter 4, ā€œLaws, Regulations, and Complianceā€; and Chapter 19, ā€œInvestigations and Ethics.ā€ Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

Security management concepts and principles are inherent elements in a security policy and solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve to create a secure solution. It is important for real-world security professionals, as well as CISSP exam students, to understand these items thoroughly. This chapter includes a range of topics related to the governance of security for global enterprises as well as smaller businesses.
Security must start somewhere. Often that somewhere is the list of most important security principles. In such a list, confidentiality, integrity, and availability (CIA) are usually present because these are typically viewed as the primary goals and objectives of a security infrastructure. They are so commonly seen as security essentials that they are referenced by the term CIA Triad (see Figure 1.1).
Image described by caption and surrounding text.
FIGURE 1.1 The CIA Triad
Security controls are typically evaluated on how well they address these three core information security tenets. Overall, a complete security solution should adequately address each of these tenets. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles. Thus, it is a good idea to be familiar with these principles and use them as guidelines for judging all things related to security.
These three principles are considered the most important within the realm of security. However important each specific principle is to a specific organization depends on the organizationā€™s security goals and requirements and on the extent to which the organizationā€™s security might be threatened.

Confidentiality

The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it. Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. A wide range of security controls can provide protection for confidentiality, including, but not limited to, encryption, access controls, and steganography.
If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects. If a threat exists against confidentiality, unauthorized disclosure could take place. An object is the passive element in a security relationship, such as files, computers, network connections, and applications. A subject is the active element in a security relationship, such as users, programs, and computers. A subject acts upon or against an object. The management of the relationship between subjects and objects is known as access control.
In general, for confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. Unique and specific security controls are required for each of these states of data, resources, and objects to maintain confidentiality.
Numerous attacks focus on the violation of confidentiality. These include capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.
Violations of confidentiality are not limited to directed intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are the result of human error, oversight, or ineptitude. Events that lead to confidentiality breaches include failing to properly encrypt a transmission, failing to fully authenticate a remote system before transferring data, leaving open otherwise secured access points, accessing malicious code that opens a back door, misrouted faxes, documents left on printers, or even walking away from an access terminal while data is displayed on the monitor. Confidentiality violations can result from the actions of an end user or a system administrator. They can also occur because of an oversight in a security policy or a misconfigured security control.
Numerous countermeasures can help ensure confidentiality against possible threats. These include encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.
Confidentiality and integrity depend on each other. Without object integrity (in other words, the inability of an object to be modified without permission), confidentiality cannot be maintained. Other concepts, conditions, and aspects of confidentiality include the following:
Sensitivity Sensitivity refers to the quality of information, which could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage.
Discretion Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
Criticality The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization.
Concealment Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy. While security through obscurity is typically not considered a valid security measure, it may still have value in some cases.
Secrecy Secrecy is the act of keeping something a secret or preventing the disclosure of information.
Privacy Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
Seclusion Seclusion involves storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforcement of confidentiality protections.
Isolation Isolation is the act of keeping something separated from others. Isolation can be used to prevent commingling of information or disclosure of information.
Each organization needs to evaluate the nuances of confidentiality they wish to enforce. Tools and technology that implements one form of confidentiality might not support or allow other forms.

Integrity

The second principle of the CIA Triad is integrity. Integrity is the concept of protecting the reliability and correctne...

Table of contents