Unit 1 Objectives
1. Recognize the growing importance of information security specialists to the information technology (IT) infrastructure.
2. Comprehend information security in the context of the mission of a business.
3. Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles are applied to real-life situations.
Discussion
What would computing be like today if no standards had been adopted?
Why are standards so important to the computing industry?
Importance cont
Recognize Attack Vectors
Understand Life Cycles
Conduct Security Audit and Testing
Develop BCP, BIA and DRP
An organization's security posture defines its tolerance for risk and outlines how it plans to protect the information and resources within its charge.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
C.I.A.
Confidentiality means preventing the disclosure of information to unauthorized individuals or systems. Integrity means that data cannot be modified undetectably. Availability means that, for any information system to serve its purpose, the information must be available when it is needed.
Principle 3
Principle 3: Defense in Depth as Strategy
Explains the importance of creating a layered defense around any information system.
Principle 3 cont
Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited. The layers can be personnel, procedural, technical, and physical, and they apply for the duration of the system's life cycle.
Principle 4
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
Principle 4: Discussion
What is the need for security-minded professionals in any organization where people use the information system?
Principle 5
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
Principle 6
Principle 6: Security Through Obscurity Is Not an Answer
Dispels the myth that hiding details about security mechanisms enhances security.
Principle 6: Arguments
Arguments for: Security through obscurity may (but cannot be guaranteed to) act as a temporary "speed bump" for attackers while a resolution to a known security issue is implemented. Here, the goal is simply to reduce the short-run risk of exploitation of a vulnerability in the main components of the system.
Principle 6: Arguments
Arguments against: In cryptography proper, the argument against security by obscurity dates back to at least Kerckhoffs' principle, put forth in 1883 by Auguste Kerckhoffs. The principle holds that the design of a cryptographic system should not require secrecy and should not cause "inconvenience" if it falls into the hands of the enemy.
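The following Python example is added here and is not part of the original slides. It ties Principle 2's integrity goal to Principle 6: an integrity tag whose algorithm (HMAC-SHA256) is fully public and whose security rests only on the key, placed beside an "obscurity" variant whose only secret is a constant hidden in the code. Once that code is read, the obscurity variant accepts forged tags for altered data, while the keyed variant still detects modification. All function names, the hidden constant and the sample messages are constructed for this example.

```python
import hashlib
import hmac
import secrets

# --- Variant A: security through obscurity --------------------------------
# The only "secret" is a constant buried in the code. Anyone who can read the
# code (or disassemble the binary) can compute a valid tag for any message.
_HIDDEN_CONSTANT = b"obscure-salt-v1"  # constructed value for this example


def obscure_tag(message: bytes) -> str:
    """Unkeyed tag: its security rests entirely on nobody knowing this code."""
    return hashlib.sha256(_HIDDEN_CONSTANT + message).hexdigest()


def obscure_verify(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


# --- Variant B: keyed MAC following Kerckhoffs' principle ------------------
# The algorithm (HMAC-SHA256) is public; only the key is secret, and the key
# can be rotated without redesigning anything.
def keyed_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo() -> dict:
    """Run both variants against a genuine and a tampered message."""
    key = secrets.token_bytes(32)
    genuine = b"transfer 100 to account 42"   # constructed sample record
    tampered = b"transfer 999 to account 42"  # same record, amount altered

    tag = keyed_tag(key, genuine)
    return {
        # Integrity: the keyed tag detects modification of the protected data.
        "keyed_accepts_genuine": keyed_verify(key, genuine, tag),
        "keyed_rejects_tampered": keyed_verify(key, tampered, tag),
        # Someone who knows the algorithm but holds a different key cannot
        # produce a tag the verifier accepts (simulated with a fresh key).
        "keyed_rejects_other_key": keyed_verify(
            key, genuine, keyed_tag(secrets.token_bytes(32), genuine)
        ),
        # Obscurity: once the code is known, a tag for the tampered record is
        # accepted, because the verifier has no secret of its own to check.
        "obscure_accepts_forgery": obscure_verify(tampered, obscure_tag(tampered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the contrast is where the secret lives: in variant B the whole design can be published (and reviewed) without weakening it, and a compromised key is replaced rather than the system redesigned, which is exactly what Kerckhoffs' principle asks for.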
Principle 7
Principle 7: Security = Risk Management
Explains simple methods for evaluating the risk level of any information system.
Principle 8
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
Principle 8 cont
Prevention: Detection: Responsive:
Principle 9
Principle 9: Complexity Is the Enemy of Security
Explains the need for simplicity in designing and maintaining an information system.
Principle 10
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
Principle 10 - Discussion
Why is it better to take a business-centric approach (as opposed to scare tactics) when convincing management to make security investments?
Principle 11
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
Principle 11 - Discussions
What roles do people, processes, and technology play in information security, and how do they interact to enhance security?
Principle 12
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
Principle 12 Discussions
How can open communication among IT professionals and users improve security?
CISSP
Provides employers with confidence
Industry assurance
First certification accredited by ANSI to ISO/IEC Standard 17024:2003
Globally recognized
10 Domains of the CBK
Access Control
Application Development Security
Business Continuity and Disaster Recovery Planning
Cryptography
Information Security Governance and Risk Management
Legal, Regulations, Investigations and Compliance
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security
2. Examination
Pass the CISSP examination with a scaled score of 700 points or greater
3. Endorsement
All candidates must be endorsed by an active CISSP in good standing.
4. Audit
Candidates may be randomly selected for audit
Maintaining a CISSP
All CISSPs must recertify every 3 years. This is primarily accomplished through continuing professional education (CPE), 120 credits of which are required every three years. A minimum of 20 CPEs must be posted during each year of the three-year certification cycle. CISSPs must also pay an annual maintenance fee of $85 per year.