Certification for Information System Security Professional (CISSP)


Certification for Information System Security Professional (CISSP) The Art of Service

Copyright

Notice of rights: All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Notice of Liability: The information in this book is distributed on an "As Is" basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it.

Trademarks: Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.

The Art of Service

TABLE OF CONTENTS

1 INTRODUCTION 9
1.1 INTRODUCTION TO CISSP 9
1.2 WHERE DID CISSP COME FROM? 10
1.3 WHAT IS CISSP? 12
1.4 HISTORY OF INFORMATION SECURITY 14
1.5 WHAT IS INFORMATION SECURITY? 16
1.6 UNDERSTANDING THE CIA TRIAD 18
1.6.1 CONFIDENTIALITY 18
1.6.2 INTEGRITY 19
1.6.3 AVAILABILITY 20
1.6.4 LIMITATIONS TO CIA TRIAD 21
1.7 WHY CERTIFY FOR CISSP? 21
1.8 COMPANIES USING CISSP 23
2 DOMAIN ONE INFORMATION SECURITY AND RISK MANAGEMENT 27
2.1 EXPECTATIONS FOR CISSP 27
2.2 UNDERSTANDING SECURITY POLICIES, PROCEDURES, STANDARDS, GUIDELINES AND BASELINES 29
2.3 WHAT ARE THE COMPLIANCE FRAMEWORKS? 31
2.3.1 COSO 31
2.3.2 ITIL 32
2.3.3 COBIT 32
2.3.4 ISO 17799 / BS 7799 33
2.4 CHANGING ORGANIZATIONAL BEHAVIOR 35
2.5 RESPONSIBILITIES OF THE INFORMATION SECURITY OFFICER 37
2.6 CREATING AN ENTERPRISE SECURITY OVERSIGHT COMMITTEE 39
2.7 WHY SECURITY AWARENESS TRAINING? 42
2.8 UNDERSTANDING RISK MANAGEMENT 43
3 DOMAIN TWO ACCESS CONTROL 47
3.1 PRINCIPLES OF ACCESS CONTROL 49
3.2 INFORMATION CLASSIFICATION 50
3.3 CREATING A DATA CLASSIFICATION PROGRAM 52
3.4 UNDERSTANDING CATEGORIES TO ACCESS CONTROL 55
3.5 UNDERSTANDING ACCESS CONTROL TYPES 57
3.6 LOOKING MORE AT ADMINISTRATION ACCESS CONTROLS 59
3.7 UNDERSTANDING CHANGE CONTROL 61
3.8 UNDERSTANDING BUSINESS CONTINUITY AND DISASTER RECOVERY 63
3.9 UNDERSTANDING THE PERFORMANCE MANAGEMENT, CONFIGURATION MANAGEMENT, LIFECYCLE MANAGEMENT AND NETWORK MANAGEMENT 65
3.10 UNDERSTANDING VULNERABILITY MANAGEMENT 67
3.11 UNDERSTANDING USER MANAGEMENT 68
3.12 UNDERSTANDING PRIVILEGE MANAGEMENT 71
3.13 UNDERSTANDING TECHNICAL CONTROLS 72
3.14 UNDERSTANDING ACCESS CONTROL THREATS 75
3.15 EMPLOYING DIFFERENT TYPES OF IDENTIFICATION 78
3.16 EMPLOYING DIFFERENT TYPES OF AUTHENTICATION 80
3.17 UNDERSTANDING MEMORY CARDS AND SMART CARDS 83
3.18 USING BIOMETRICS 85
3.19 PERFORMING AUDITS 87
4 DOMAIN THREE - CRYPTOGRAPHY 89
4.1 HISTORY OF CRYPTOGRAPHY 91
4.2 METHODS OF CRYPTOGRAPHY 92
4.3 TYPES OF CIPHERS 94
4.4 UNDERSTANDING ENCRYPTION MANAGEMENT 96
4.5 USING PUBLIC KEY INFRASTRUCTURES (PKI) 97
4.6 IDENTIFYING ATTACKS TO CRYPTOGRAPHY 99
5 DOMAIN 4 PHYSICAL (ENVIRONMENT) SECURITY 101
5.1 IDENTIFYING THREATS AND VULNERABILITIES TO PHYSICAL SECURITY 103
5.2 USING THE LAYERED DEFENCE MODEL 105
5.3 IMPLEMENTING A LAYERED DEFENCE MODEL 107
5.4 UNDERSTANDING INFORMATION PROTECTION AND MANAGEMENT 109
6 DOMAIN FIVE SECURITY ARCHITECTURE AND DESIGN 113
6.1 UNDERSTANDING DESIGN PRINCIPLES 115
6.1.1 HARDWARE 117
6.1.2 SOFTWARE 120
6.2 SECURITY MODELS AND ARCHITECTURE THEORY 121
6.3 SECURITY PRODUCT EVALUATION METHODS AND CRITERIA 124
7 DOMAIN SIX BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING 127
7.1 CONCERNS OF CONTINUITY PLANNING 129
7.2 PROJECT INITIATION PHASE 131
7.3 CURRENT STATE ASSESSMENT PHASE 133
7.4 DEVELOPMENT PHASE 135
7.5 IMPLEMENTATION AND MANAGEMENT PHASES 137
8 DOMAIN SEVEN TELECOMMUNICATIONS AND NETWORK SECURITY 139
8.1 LAYER 1 PHYSICAL LAYER 141
8.2 LAYER 2 DATA-LINK LAYER 143
8.3 LAYER 3 NETWORK LAYER 144
8.4 LAYER 4 TRANSPORT LAYER 146
8.5 LAYER 5 SESSION LAYER 147
8.6 LAYERS 6 & 7 PRESENTATION AND APPLICATION LAYERS 149
9 DOMAIN EIGHT APPLICATION SECURITY 153
9.1 USING PROGRAMMING EFFECTIVELY 155
9.2 PROTECTING THE SOFTWARE ENVIRONMENT 156
9.3 ENFORCING SECURITY PROTECTION AND CONTROLS 158
9.4 IDENTIFYING MALWARE 160
9.5 DATABASE MANAGEMENT SYSTEM (DBMS) ARCHITECTURE 162
10 DOMAIN NINE OPERATIONS SECURITY 165
10.1 MANAGING THREATS TO OPERATIONS 166
11 DOMAIN TEN LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS 169
11.1 INFORMATION TECHNOLOGY LAWS AND REGULATIONS 171
11.2 UNDERSTANDING COMPUTER CRIMES, PRIVACY AND LIABILITY 172
12 REFERENCES 175

1 Introduction

1.1 Introduction to CISSP

Today's businesses are faced with security threats which are becoming more complex. The use of mobile devices is becoming more widespread; the more mobile the populace, the harder it is to manage assets and the information on those assets. As a result, companies are increasingly concerned with the security surrounding those assets and information. In addition, the implementation of Sarbanes-Oxley in the U.S. has required focused attention on the security of financial information for companies. And finally, worldwide scrutiny of security across the board has increased due to global concerns. For these reasons, companies are placing more focus on their Information Technology (IT). The IT Governance Global Status Report 2008, compiled by the IT Governance Institute (ITGI), showed 93 percent of corporate executives believed that IT was somewhat to very important to their overall corporate strategy or vision. This was a 6 percent increase from ITGI's 2005 survey. IT, telecom, and financial service-based companies are much more concerned with IT than other business sectors, with 71% and 77% respectively. The bottom line: companies are putting more attention on their IT solutions. Security management and the processes supporting security management is one of the top concerns of this increasing attention.

Information Security Certifications are becoming more valuable for IT security professionals and companies concerned with IT. According to the 2008 (ISC)² Global Information Security Workforce Study, compiled by (ISC)², 78% of respondents involved in the hiring process claim certifications are either Very Important or Somewhat Important. This is a considerable change from twenty, even ten years ago, when securing a network was a new discipline and not well understood. According to the 2008 survey, 15 different security certifications were available, which is in contrast to the 40 vendor-neutral and more than 25 vendor-specific certifications available in the marketplace. Of all these certifications, the Certification for Information System Security Professional (CISSP) has become highly recognized.

1.2 Where did CISSP come from?

The Certification for Information System Security Professional is administered by the International Information Systems Security Certification Consortium (ISC)². First available in 1989, the certification demonstrates the qualifications of information systems security practitioners.

The CISSP is accredited by the American National Standards Institute (ANSI). The ANSI has been coordinating a voluntary standardization system in the United States since 1918. It is a private, non-profit membership organization representing the interests of over 125,000 companies and 3.5 million professionals. The ANSI does not develop standards; rather, it facilitates the development of American National Standards (ANS). It also helps ensure that ANS complement the standards used internationally, allowing American products to be recognized and used in the global market. Accreditation means that the standard complies with the ANSI Essential Requirements, a set of requirements and procedures used by standards developers. These requirements focus on:

- Openness
- Lack of dominance
- Balance
- Coordination and harmonization
- Notification of standards development
- Consideration of views and objections
- Consensus vote
- Appeals
- Written procedures
- Compliance with normative American National Standards policies and procedures.

The ANSI accredits CISSP to ISO/IEC Standard 17024:2003. The purpose of the standard is to serve organizations and entities wishing international recognition for certifying the competence of individuals through education, knowledge, skills, and experience. It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Fully enacted in April 2003, 17024:2003 is considered a benchmark for organizations responsible for certifying personnel. In short, the CISSP has become a globally recognized standard of achievement for the Information Systems Security Professional. CISSP is the baseline for the U.S. National Security Agency's ISSEP (Information Systems Security Engineering Professional) program. The U.S. Department of Defence Directive 8570.1 requires every defence worker, military or civilian, with privileged access to a DoD system to obtain a certification credential, of which CISSP is fully accepted.

1.3 What is CISSP?

CISSP is a credential for persons working in the field of information security. It requires at least five years' experience in information security. A person can take an exam based on the CISSP Common Book of Knowledge (CBK), a common framework of information security terms and principles.

The CISSP CBK is based on the CIA triad, the core information security and assurance tenets: confidentiality, integrity, and availability. It works with ten areas of interest, or domains. Those domains are:

- Access Control
- Application Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security and Risk Management
- Legal, Regulations, Compliance and Investigations
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security

For the CISSP credential, professional experience must be in two or more of the domains listed above. Fortunately for those lacking the experience required for the certification, the certification administrator, (ISC)², has a program for those who pass the exam, called Associate of (ISC)². Each certification is valid for three years and a professional must be recertified at the end of that period. In addition, a CISSP credential holder in good standing must also complete the minimum annual number of Continuing Professional Education credits (CPEs).

As information security continues to evolve, additional credentials have been developed beyond the foundational CISSP to meet the specific needs of the business. These credentials concentrate on key areas of information security:

- Architecture (ISSAP): appropriate for persons who develop, design, or analyze a business's overall security plan, such as Chief Security Architects and Analysts.
- Engineering (ISSEP): developed in conjunction with the U.S. National Security Agency, this Concentration serves as a guide for integrating security into all areas of operations.
- Management (ISSMP): provides deeper elements of managing security policies and procedures that support the overall goals of a business.

Each Concentration has its own CBK domains. Of course, additional experience must be proven as well as the successful passing of the examination for each Concentration.

1.4 History of Information Security

Before moving forward, it would be wise to understand the discipline of information security, what it is and how it evolved. Since the invention of writing, messages from heads of state and military leaders have been intercepted or stolen, even forged. Julius Caesar used the Caesar cipher, one of the earliest known encryption techniques, to ensure that his messages did not fall into enemy hands. To ensure the authenticity of a message, persons of importance would use a wax seal with their family's crest on messages. Throughout the ages, different techniques were used to maintain the security of information. However, the professional field of information security started during World War II, when information, both physical and intellectual, needed protection. A formalized classification of data was introduced that described the sensitivity of the information and identified those individuals who had access to it. Background checks started to be conducted during WWII. The years after WWII, particularly the McCarthy era, showed governments' increased concern with the protection of intelligence: information concerning the workings, military build-ups, and technological advancements of government and the country, both domestic and foreign. The Cold War struggle between the United States and the Soviet Union perpetuated the need for information security. But even then, the professionals who were dedicated to the tenets of this discipline were few. Not until the widespread emergence of the Internet did information security have such a strong presence in our society. With the rapid advancement of telecommunications and computers, smaller, more powerful equipment became available at lower cost. Now the small business owner, the home owner, and the underage computer geek had access to information from every area of the world. Electronic data processing and electronic business are growing rapidly because of the Internet, along with more occurrences of global terrorism. As a result, information security is now an academic discipline designed to ensure the security and reliability of information. But information security is not just a concern for the business owner, but for everyone. The rise of ID theft has required more attention on the security of information about the individual, as well. Currently every software package being released, specifically office productivity software, has to be concerned with providing features for securing information.

1.5 What is Information Security?

Information security is simply the methods used to protect information and information systems. Using the tenets of the CIA triad, information security is concerned with protecting data regardless of form: electronic, print, film, or any other form. Information is being collected everywhere by everyone. An individual is compiling information about themselves and others nearly every moment. And information, such as credit ratings, police records, financial holdings, and trivial facts, is being collected on every individual over time. As individuals connect or are forced together into a network, such as a business, the amount of data being collected increases exponentially. Most of this information is being collected, processed, and stored electronically and transmitted across networks to other computers. Some information is so sensitive that unauthorized access to it could result in financial loss, loss of credibility, and legal problems. For businesses, protecting sensitive information is a requirement, in many cases an ethical or legal requirement. Several concerns are presented to the information security professional dealing with the protection of data. The foremost concern is ensuring appropriate access to data by authorized personnel, while restricting all or part of the information from unauthorized persons. While some information may not be confidential, disclosure of the information must still be regulated. How data is used or even modified has been a concern for information security professionals. The disruption of data transmissions from one computer to another, even one network to another, has become an increasing concern with the growth of the Internet. And finally, even the proper disposal or destruction of information, or prevention against destruction, is a concern for the information security professional.

1.6 Understanding the CIA Triad

Information security is based on three fundamental tenets, called the CIA triad. Those tenets are confidentiality, integrity, and availability. As a security model, the CIA triad has been used to identify possible problems in a system and discover appropriate solutions for information security.

1.6.1 Confidentiality

Whether the information is formally considered confidential or a person would simply like it to be private, systems and processes must be put into place preventing unauthorized access and use. For this reason, one leg of the CIA triad model is confidentiality. The first step in this area is to provide an ability to identify a specific piece of data as confidential. Not all information is confidential, and not all information has the same level of confidentiality. Therefore, the simple task of identifying the level of privacy data should have can become a rather complex project. However, once the information has been appropriately declared confidential, the next step is to identify who has access to that information. File permissions, access control lists, and encryption methods are all means by which to control access to data. An information security professional is concerned with constantly managing, monitoring, and verifying those means, enforcing access based on policies given by management.

1.6.2 Integrity

One of the most important concerns in data control is the integrity of the data; that is, the ability of the data to be accurate, reliable, and available at any given time. In order to maintain a world-class business, it is a necessity to have a solid ability to modify the data available to the business, whether that data is customer and employee records, intellectual property, company policies and procedures, press releases, or the like. At the same time, it is important to ensure that the data isn't changed by unauthorized personnel. The CIA triad leg of integrity focuses on these concerns. Sarbanes-Oxley forced the business community into understanding the need for integrity within financial records, requiring financial transactions to be tracked in detail to understand exactly where money was coming from and where it was going. As businesses started adapting to those requirements, they also started recognizing the value this commitment to integrity had for other information groups used in the business. The concerns became apparent:

A) The slightest change in the most sensitive information could result in service disruptions or breaches in security.
B) Unapproved changes to policy information could pose concerns for customer relations and possible loss of business.
C) Possible deletion of information, through accident or malicious conduct, could render a business paralyzed in its ability to conduct business.

These are just a few examples of the important concerns for information security. The more popular techniques for managing the integrity of data are version control systems, backups, and file permissions.

1.6.3 Availability

When information is not available, it might as well be useless. This is the concern of the third leg of the CIA triad: availability. In this area, the information security professional is focused on creating and maintaining a computer architecture that allows the greatest availability of the information housed on the system. One major concern is to protect the computer infrastructure from possible threats, such as malicious viruses, power outages, and failures in hardware. The second major concern is ensuring that components are maintained appropriately, providing the required health checks, and making upgrades to hardware and software as required. Approaches to maintaining availability include, but are not limited to, clustering, redundancy systems and capabilities
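The three tenets of sections 1.6.1 to 1.6.3 as a small working model, added here as an example and not taken from the book: a classification label checked against the reader's clearance (confidentiality), an access control list plus a digest of each approved version (integrity), and a backup copy used to restore a record whose content no longer matches its last approved version (availability). The classification levels, the InfoStore class, and the users and records are all constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Classification levels (constructed); a higher number is more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Record:
    name: str
    level: str                                    # classification label (1.6.1)
    body: str
    editors: set = field(default_factory=set)     # access control list for changes
    versions: list = field(default_factory=list)  # (editor, sha256) per approved change

    def digest(self) -> str:
        return hashlib.sha256(self.body.encode()).hexdigest()


@dataclass
class User:
    name: str
    clearance: str


class InfoStore:
    """Primary store plus a backup copy, with an audit log of every decision."""

    def __init__(self):
        self.primary = {}   # name -> Record
        self.backup = {}    # name -> last approved body (the book's 'backups')
        self.log = []       # what the security professional monitors

    def add(self, rec: Record, owner: str) -> None:
        rec.editors.add(owner)
        rec.versions.append((owner, rec.digest()))
        self.primary[rec.name] = rec
        self.backup[rec.name] = rec.body

    def read(self, user: User, name: str) -> Optional[str]:
        rec = self.primary[name]
        # Confidentiality: the reader's clearance must meet the record's level.
        if LEVELS[user.clearance] < LEVELS[rec.level]:
            self.log.append(f"DENY read {name} by {user.name}")
            return None
        # Integrity: the body must still match the last approved version's digest.
        if rec.digest() != rec.versions[-1][1]:
            self.log.append(f"INTEGRITY failure on {name}; restoring from backup")
            rec.body = self.backup[name]          # availability: recover, don't refuse
        self.log.append(f"ALLOW read {name} by {user.name}")
        return rec.body

    def modify(self, user: User, name: str, new_body: str) -> bool:
        rec = self.primary[name]
        # Integrity: only principals on the ACL may change the record.
        if user.name not in rec.editors:
            self.log.append(f"DENY modify {name} by {user.name}")
            return False
        rec.body = new_body
        rec.versions.append((user.name, rec.digest()))   # version control
        self.backup[name] = new_body
        self.log.append(f"ALLOW modify {name} by {user.name}")
        return True


def demo() -> dict:
    """Exercise the three tenets on constructed data and return the outcomes."""
    store = InfoStore()
    store.add(Record("payroll", "confidential", "alice: 5000"), owner="cfo")
    intern, cfo = User("ivan", "public"), User("cfo", "confidential")
    out = {}
    out["intern_read"] = store.read(intern, "payroll")            # None: clearance too low
    out["intern_modify"] = store.modify(intern, "payroll", "x")   # False: not on the ACL
    out["cfo_modify"] = store.modify(cfo, "payroll", "alice: 5200")
    # Simulate a change that bypassed the ACL (say, a direct write to the disk file).
    store.primary["payroll"].body = "alice: 9999"
    out["cfo_read"] = store.read(cfo, "payroll")   # "alice: 5200", restored from backup
    out["versions"] = len(store.primary["payroll"].versions)       # 2 approved versions
    out["log"] = store.log
    return out
```

The audit log returned by demo() is the part an information security professional would actually monitor: every denied read or write and every integrity restoration appears there, which is how a tampered record is noticed rather than silently served.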