CISSP Cram Sheet:

Compiled by: Jason Robinett, Ascend Solutions

Last Updated 4/10/02

NOTE:

This guide does not replace in any way the outstanding value of the ISC2 CISSP CBK Seminar, nor the fact that you must have been directly involved in the security field or one of the 10 domains of expertise for at least 3 years if you intend to take the CISSP exam. This booklet simply intends to make your life easier and to provide you with a centralized and compiled list of resources for this particular domain of expertise. Instead of a list of headings, we will attempt to give you the headings along with the information to supplement the headings.

As with any security related topic, this is a living document that will and must evolve as other people read it and technology evolves. Please feel free to send comments and input to be added to this document. Any comments, typo correction, etc… are most welcome and can be sent directly to . Thanks.

Domain 3 – Security Management Practices

Description:

Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines which ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented.

Security Management Concepts & Principles

Privacy – The level of confidentiality and privacy protection that a user is given in a system. This is an important security control.

Confidentiality - Attempts to prevent the intentional or unintentional unauthorized disclosure of a message’s contents.

Integrity – Ensures that modifications are not made to data by unauthorized personnel or processes.

Availability – Ensures reliable and timely access to data or computing resources by the appropriate personnel.

Authorization – The rights and permissions granted to an individual which enables access to a computer resource.

Identification – The means by which users claim their identity to a system.

Authentication - The testing or reconciliation of evidence of a user’s identity.

Accountability – A system’s ability to determine the actions and behavior of a single individual within a system.

Non-repudiation – TBD

Documentation – TBD

Audit – TBD

CIA Triad – Confidentiality, Integrity, & Availability.

Protection Mechanisms – TBD

  • Layering – TBD
  • Abstraction – TBD
  • Data hiding – TBD
  • Encryption – TBD

Change Control/Management – The process of tracking and approving changes to a system. It involves identifying, controlling, and auditing all changes made to the system. Requirement for B2, B3, & A1 systems.

  • Hardware Configuration – TBD
  • System & Application Software – TBD
  • Change Control Process – 5 generally accepted procedures exist to implement a process.
  • Applying to introduce a change
  • Cataloging the intended change
  • Scheduling the change
  • Implementing the change
  • Reporting the change to appropriate parties

Data Classification – Has a long history of use within the government. Is often used today to comply with privacy laws or enable regulatory compliance.

  • Objectives of a Classification Scheme
  • Demonstrates an organization's commitment to security protections
  • Helps identify valuable data
  • Supports the CIA tenets
  • Helps to identify which protections apply to which data
  • May be required for regulatory, compliance, or legal reasons.
  • Criteria by Which Data is Classified
  • Value – Is the information valuable to the organization or a competitor?
  • Age – Classification may be lowered if the information’s value decreases over time.
  • Useful Life – If information has been made obsolete due to new information, it may be declassified.
  • Personal Association – If information is personally associated with specific individuals.
  • Commercial Data Classification
  • Public – Information that shouldn’t be disclosed, but if it is, it will not cause serious damage.
  • Sensitive – Information requires a high level of protection from loss of confidentiality and integrity.
  • Private – Information that is of a personal nature and is for company use only. Disclosure will cause damage.
  • Confidential – Information is considered very sensitive and is for internal use only. Disclosure will cause extreme damage.
  • Government Data Classification
  • Unclassified – Information is neither sensitive nor classified. Public release is alright.
  • Sensitive but Unclassified (SBU) – Information is a minor secret, but may not cause serious damage if disclosed.
  • Confidential – Information that is deemed confidential. Unauthorized disclosure of this information could cause some damage.
  • Secret – Unauthorized disclosure of this information could cause serious damage.
  • Top Secret – Highest level of classification. Disclosure of this information will cause grave damage.

Information/Data

  • Worth/Value
  • Collection & Analysis Techniques

Employment Policies & Practices

  • Background Checks/Security Clearances
  • Employment Agreements
  • Hiring and Termination Practices
  • Job Descriptions
  • Roles & Responsibilities
  • Senior Management – Assigned the overall responsibility for the security of information.
  • InfoSec Professionals – Delegated the responsibility for implementing and maintaining security by management.
  • Data Owners – Responsible for determining the data’s sensitivity levels.
  • Users – Responsible for following procedures set out by the organization.
  • IS Auditors – Responsible for providing reports to management on the effectiveness of the security controls.
  • Separation of Duties & Responsibilities
  • Job Rotations

Policies, Standards, Guidelines & Procedures

  • Risk Management – Main function is to mitigate risk. This means to reduce the risk to an acceptable level. The identification of risk to an organization requires defining the four elements:
  • The actual threat
  • The possible consequences of the realized threat
  • The probable frequency of the occurrence of the threat
  • The extent of how confident we are that the threat will happen.
  • Principles of Risk Management – To enable the risk management process, you will need to determine the value of assets, threats, and vulnerabilities, and the likelihood of events using the RA formulas to follow.
  • Performing a Risk Analysis, including the cost benefit analysis of protections.
  • Implementing, reviewing, and maintaining protections.
  • Terms

Asset – A resource, process, product, computing infrastructure, etc. that an organization has determined must be protected.

Threat – The occurrence of any event that causes an undesirable impact on the organization.

Vulnerability – The absence or weakness of a safeguard.

Safeguard – The control or countermeasure employed to reduce the risk associated with a threat.

  • Probability Determination – (ARO)
  • Asset Valuation – Asset Valuation Process
  • RA Tools & Techniques
  • Quantitative Risk Analysis – Attempts to assign objective numeric values to the components of the risk assessment and the assessment of potential losses. A major project requiring project management and a lot of time and effort.

Estimate the potential losses to assets by determining their value

Analyze potential threats to the assets

Define the Annualized Loss Expectancy.

  • Qualitative Risk Analysis – More scenario-oriented. The seriousness of threats and the relative sensitivity of assets are given a ranking, by using a scenario and then creating an exposure scale.

Scenario is written that addresses each threat

Scenario is reviewed by business managers for a reality check

RA team recommends & evaluates various safeguards for each threat.

RA team works through each finalized scenario using a threat, asset, and safeguard.

Team prepares their findings.

  • Asset Valuation Process – Basic elements that are used to determine an information asset’s value:

The initial and on-going cost of purchasing, licensing, developing, and supporting the asset.

The asset’s value to the organization’s production operations, research, and development, and business model viability.

The asset’s value established in the external marketplace, and the estimated value of intellectual property.

  • Safeguard Selection – The most important part of the selection process is the Cost/Benefit Analysis. This total cost includes the purchase, development, and/or licensing costs, the physical installation costs, and the normal operating costs. Use the following formula:

(ALE before safeguard – ALE after safeguard) – Annual Cost = Safeguard Value

Also take into consideration the amount of manual intervention to operate the safeguard. The more automated the more sustainable.

The safeguard must allow for the inclusion of auditing and accounting functions.

The safeguard should be evaluated in regard to its state after a reset and must meet the following:

No asset destruction during reset

No covert channel access

No security loss or increase in exposure

Defaults to a state that doesn’t enable any operator access rights until all controls are fully functional.

  • Qualitative vs. Quantitative Risk Assessment Methodologies – Qualitative is far less expensive, but requires a lot more guesswork.
  • Exposure Factor (EF) – Represents the percentage of loss a realized threat event would have on a specific asset.
  • Single Loss Expectancy (SLE) – The dollar amount figure assigned to a single occurrence. Derived from the formula: Asset Value($) * EF = SLE
  • Average Rate of Occurrence (ARO) – Number that estimates the frequency with which a threat is expected to occur.
  • Annual Loss Expectancy (ALE) – Derived from the formula: SLE * ARO = ALE
  • Countermeasure Selection – TBD
  • Countermeasure Evaluation – TBD
  • Risk Reduction/Assignment/Acceptance – You can either take the necessary measures to alter the risk position of an asset (Reduction), assign or transfer the potential cost of a loss to another party (Assignment), or accept the level of loss (Acceptance).
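The following Python script is an added worked example, not part of the original cram sheet. It carries the formulas above (SLE = Asset Value * EF, ALE = SLE * ARO, and Safeguard Value = (ALE before safeguard – ALE after safeguard) – Annual Cost) through two constructed scenarios and then picks between Reduction, Assignment and Acceptance. The scenario names, dollar figures, exposure factors and rates are invented sample inputs, and the decision rule in choose_treatment (compare the expected annual outlay of each option) is an assumption made for this example, not a rule stated on the page.

```python
"""Quantitative risk analysis worked example (added illustration, not from the cram sheet).

Formulas from the cram sheet:
    SLE = Asset Value * EF
    ALE = SLE * ARO
    Safeguard Value = (ALE before safeguard - ALE after safeguard) - Annual Cost
Every asset value, EF, ARO, cost and premium below is a constructed sample figure.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pair with its quantitative inputs (constructed sample data)."""
    name: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of the asset lost per realized threat (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: dollar loss from a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected dollar loss per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    """Convenience wrapper: ALE for a whole scenario record."""
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before - ALE after) - annual cost of the safeguard.

    Positive: the control removes more expected loss than it costs to run.
    Negative: the organization would pay more for the control than the risk it removes.
    """
    return (ale_before - ale_after) - annual_cost


def choose_treatment(ale_before: float, ale_after: float, annual_cost: float,
                     transfer_premium: Optional[float] = None) -> str:
    """Pick Reduction, Assignment or Acceptance by lowest expected annual outlay.

    Assumed decision rule for this example (not stated on the cram sheet):
      Reduction  -> residual ALE plus the safeguard's annual cost
      Assignment -> the annual premium paid to transfer the loss (if one is quoted)
      Acceptance -> the untreated ALE
    """
    options = {"Reduction": ale_after + annual_cost, "Acceptance": ale_before}
    if transfer_premium is not None:
        options["Assignment"] = transfer_premium
    return min(options, key=options.get)


if __name__ == "__main__":
    # Constructed sample data: a safeguard that is worth buying, and one that is not.
    web = Scenario("Web server outage", asset_value=100_000, exposure_factor=0.25, aro=2)
    web_after = Scenario("Web server outage (with redundancy)", 100_000, 0.05, 2)
    kiosk = Scenario("Lobby kiosk defacement", asset_value=20_000, exposure_factor=0.10, aro=0.5)
    kiosk_after = Scenario("Lobby kiosk defacement (hardened)", 20_000, 0.02, 0.5)

    for before, after, cost, premium in ((web, web_after, 15_000, 30_000),
                                         (kiosk, kiosk_after, 5_000, None)):
        ale_b, ale_a = scenario_ale(before), scenario_ale(after)
        print(f"{before.name}: SLE=${single_loss_expectancy(before.asset_value, before.exposure_factor):,.0f}"
              f" ALE before=${ale_b:,.0f} ALE after=${ale_a:,.0f}"
              f" safeguard value=${safeguard_value(ale_b, ale_a, cost):,.0f}"
              f" -> {choose_treatment(ale_b, ale_a, cost, premium)}")
```

In the first scenario the safeguard value is positive ($40,000 of avoided loss against a $15,000 annual cost), so Reduction wins; in the second the control costs far more than the $1,000 of annual expected loss it addresses, the safeguard value is negative, and Acceptance is the cheaper position.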

Roles & Responsibilities

  • Management – Responsible for protecting all assets directly and indirectly under their control. They must enforce and make sure that employees abide by security policies.
  • Owner – The business owner or manager responsible for the information asset that must be protected. The owner has final corporate responsibility for data protection. Responsibilities include:
  • Making the determination to decide what level of classification the information requires.
  • Reviewing the classification assignments and making necessary changes
  • Delegating the responsibility of data protection.
  • Custodian – A delegated responsibility for protecting information assets. Duties include:
  • Performing and testing backups
  • Performing data restores
  • Maintaining records per the classification policy
  • User – Considered to be anyone that routinely uses the information as part of their job. Must take “due care” to preserve the information while doing their work.
  • IS/IT Function – TBD
  • Other Individuals – TBD

Security Awareness Training – Refers to the general, collective awareness of an organization’s personnel of the importance of security and security controls.

  • Benefits:
  • Makes a measurable reduction in unauthorized actions
  • Significantly increases the effectiveness of protection controls
  • Helps to avoid fraud, waste, and abuse.

Personnel are considered to be “security aware” when they clearly understand the need for security, and how security impacts the viability of the company.

  • Awareness Training:
  • Live/Interactive Presentations
  • Publishing/Distributions
  • Incentives
  • Reminders

Security Management Planning – TBD