ISC2 CISSP Certified Information Systems Security Professional Official Study Guide
Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
minimize unauthorized access to data.
The management of the relationship between subjects and objects is known as access control.
Numerous countermeasures can help ensure confidentiality against possible threats. These include encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.
Integrity is the concept of protecting the reliability and correctness of data.
Integrity can be examined from three perspectives:
- Preventing unauthorized subjects from making modifications
- Preventing authorized subjects from making unauthorized modifications, such as mistakes
- Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable
Numerous attacks focus on the violation of integrity. These include viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors.
availability, which means authorized subjects are granted timely and uninterrupted access to objects.
The process of verifying or testing that the claimed identity is valid is authentication.
access control matrix that compares the subject, the object, and the intended activity.
Authorization is usually defined using one of the models of access control, such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), or Role Based Access Control (RBAC or role-BAC);
Monitoring is a type of watching or oversight, while auditing is a recording of the information into a record or file.
The point of security is to keep bad things from happening while supporting the occurrence of good things.
Layering, also known as defense in depth, is simply the use of multiple controls in a series.
Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow. Parallel systems are useful in distributed computing applications, but parallelism is not often a useful concept in the realm of security.
Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Thus, the concept of abstraction is used when classifying objects or assigning roles to subjects.
The term security through obscurity may seem relevant here. However, that concept is different. Data hiding is the act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject, while security through obscurity is the idea of not informing a subject about an object being present and thus hoping that the subject will not discover the object.
Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance principles are often closely related to and often intertwined with corporate and IT governance.
A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.
One of the most effective ways to tackle security management planning is to use a top-down approach.
is the responsibility of middle management to flesh out the security policy into standards, baselines, guidelines, and procedures.
The operational managers or security professionals must then implement the configurations prescribed in the security management documentation. Finally, the end users must comply with all the security policies of the organization.
Security management is a responsibility of upper management, not of the IT staff, and is considered an issue of business operations rather than IT administration.
Developing and implementing a security policy is evidence of due care and due diligence on the part of senior management.
The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state.
its primary purpose is to make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management.
It requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component, from hardware to software and from configuration settings to security features.
Implement changes in a monitored and orderly manner. Changes are always controlled.
formalized testing process is included to verify that a change produces expected results.
All changes can be reversed (also known as backout or rollbac...
Users are informed of changes before they occur to prevent lo...
The effects of changes are systematically analyzed to determine whether security or business proce...
The negative impact of changes on capabilities, functionality, and per...
Changes are reviewed and approved by a Change Advi...
Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality.
Data classification, or categorization, is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities.
These similarities could include value, cost, sensitivity, risk, vulnerability, power, privilege, possible levels of loss or damage, or need to know.
The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned ...
cause grave damage to national security.
cause critical damage to national security.
serious damage to national security.
used for data that is for internal use or for office use only (FOUO).
Sometimes the label proprietary is substituted for confidential.
The real difference between the two labels is that confidential data is company data whereas private data is data related to individuals, such as medical data.
Control Objectives for Information and Related Technology (COBIT). COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA).
COBIT 5 is based on five key principles for governance and management of enterprise IT:
- Principle 1: Meeting Stakeholder Needs
- Principle 2: Covering the Enterprise End-to-End
- Principle 3: Applying a Single, Integrated Framework
- Principle 4: Enabling a Holistic Approach
- Principle 5: Separating Governance From Management
Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort.
The top tier of the formalization is known as a security policy. A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
there are three overall categories of security policies: regulatory, advisory, and informative.
An acceptable use policy is a commonly produced document that exists as part of the overall security documentation infrastructure. The acceptable use policy is specifically designed to assign security roles within the organization as well as ensure the responsibilities tied to those roles. This policy defines a level of acceptable performance and expectation of behavior and activity. Failure to comply with the policy may result in job action warnings, penalties, or termination.