Skip to main content

Domain 1 Security and Risk Management - Part 1

First Domain of the CISSP hold 12 Sections and discuss aspects of Risk Management Concepts, Tools, Laws, Standards, around People Process and Technology.  here are some short highlights from my notes:

Understand and apply concepts of confidentiality, integrity, and availability 

CIA (Confidentiality / Integrity / Availability ) if I would to say them in my own words I would say that  Confidentiality is the way to assure asset is kept secret from any unauthorized system and / or person. 
  • How To Protect: most common is the use of encryption taking data and encrypting is done by multiple different techniques.
Integrity is the assurance that asset you have was not handled in any way shape or form by an unauthorized system and / or person.
  • How To Protect: That is more complex however can be done by introducing multiple mechanisms like together refereed to as the AAA (Triple AAA from networking or 5 A from ISC2 world) Identification Authentication Authorization Audit Accounting 
Availability making sure asset is obtainable (I had to look for other word :-)) when needed
  • How To Protect: In a high level that is by assuring service / asset health and stability 

Now often the CIA is refereed to as CIA triad 


Note: the word asset was mentioned multiple times to assure we get use to the terminology.
Asset: can be "data / person / company / resource / service..." or anything you can put a value to it and is worth protecting.
Google Definition: a useful or valuable thing, person, or quality.

What is AAA in the CISSP world?

Identification - Process of providing Identity available to the next stage of authentication in the world I am from Identification and Authentication are part of the same process as without one the other can't exist however for the sake of CISSP lets keep open mind.
Authentication - Once you received the Identifier we need to be able to authenticate and make sure that this is indeed the account and there are different authentication methods like password, pin code, bio (finger print)...
Authorization - After we have passed Authentication then we need to be able to provide limit access to resources according to our job requirement providing to much may impact confidentiality and integrity and providing to little may impact availability  
Audit - auditing is a very important function and again from my networking world it was part of accounting, the audit function is to provide monitoring and ability to go back and look who did what and when, very important part in troubleshooting and fundamental part of ability to be able  prove non-repudiation  
Accounting - The ability to prove a subject identity and track his activities if needed to later be presented in court of law.

Alignment of security function to business strategy, goals, mission, and objectives  

First maybe lets define what is Governance - according to google dictionary it is the action of governing, meaning ?! if you own a company or if you are one of the C-level function in a company it would be expected of you to govern and lead the company in the path to success, and part of it would be taking responsibility to providing company policies, goals, mission statements.





Elements to remember with related to Governance:
  1. Corporate Executive Must be committed to the Security Plan - Due Care!
  2. Corporate Executive are to define the mission statement and company policy.
  3. CISO / CSO should not be subject to company politics and avoid and possible conflict of interest
  4. Company Executive have the responsibility highest responsibility to the company security and in case they where care less they also may be subject to personal legal actions against them.
  5. Security Plan is subject to Due Diligence, always be responsive to the needed changes

Organizational processes 

Like with life when you get to a cross road there is higher risk as a cross road increase complexity and evolve cars moving on the same road in different directions, introducing proper mechanism like rules signs, light.. will reduce the risk, same is with Organizational Changes when purchasing new company / systems or god forbid when laying of personal the Organization need to be ready to face the implications

  • make sure there is a well elaborated and sorted plan
  • make sure all personal and / or systems are informed and ready for the change
  • prepare a backup / restoration / rollback (you name it) plan
  • make sure you have a way to monitor and measure the change and identify and negative impact

Organizational roles and responsibilities 

Roles and responsibilities are highly important, to do your job well especially in large organization you need to know what are your duties what is expected from you and how can you assist to the goals of your organization.

Key Roles To Know and remember:

Data Owner - as the name suggest it is the data highest authority for making sure data security is in order and normally will be senior manager, the Data owner is responsible for classifying also the data security level.

Data Custodian - this is  for whom that is being given the task of practically making sure data security is addressed as classified and according to the guidelines, normally would be IT / IS.

Auditor - is responsible for the monitor and making sure security policy's are being followed implemented and issue periodic reporting to be review by senior management. in case auditor discover and report issues the senior management must address.

Senior Manager- have the top responsibility and liability for organization security however the implementation of security is a function that is delegated to Security professionals

User - Any user in the organization have his role in keeping the corporate security policy by following the provided policies and procedures.

Due Care/Due Diligence

Due Care

It is the action of "caring" about the possible of system / person other might do harm to an asset!
  •  Data Owner (normally Organization Executive) is obligated to Due Care
Law: the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence. This is one of those nebulous standards by which negligence is tested. Each juror has to determine what a "reasonable" man or woman would do.  reference 

Due Diligence

It is an action performed in iterative and repeatable manner with steps taken for verifying / monitoring and applying actions in order to preserve company policy and standards.
  • Data Owner is obligated to make sure a due diligence is conducted on normal basis 
  • Data Custodian are normally performing the due diligence in practice.
Google Translate: reasonable steps taken by a person in order to satisfy a legal requirement, especially in buying or selling something.


To be continue...

Post a Comment

Popular posts from this blog

Step By Step MPLS – Basic MPLS Setup

Initial configuration , very basic with no MPLS, connectivity only to directly connected interfaces.R1R2R3R4!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.31.1 255.255.255.0
duplex auto
speed auto
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.42.2 255.255.255.0
duplex auto
speed auto
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip address 10.0.31.3 255.255.255.0
duplex auto
speed auto
  no clns route-cache
!
interface Serial1/0
ip address 10.0.43.3 255.255.255.0
  serial restart-delay 0
no clns route-cache
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip address 10.0.42.4 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
ip address 10.0.43.4 255.255.255.0
  serial restart-delay 0
no clns route-cache
!
adding to the following configuration MPLS labels we will start wi…

What is about to change in CISSP from Apr 2018

Change have arrived and like with other professional certification there is almost a standard time before certification gets its update, with most anywhere it is between 3 - 4 years, CISSP is no different and since last update was on 2015 the change is arriving here as well.

For the people that wish to see the official existing and new outline

I have decided to write this post as the new out line is more of a list of Domain and Sections within the domain without hint or indication to what was modified actually and I could not find anyone else that done that comparison, I had to take the task and do the comparison, please be advised that I have done it for my own "pleasure" so apologies if I missed something :-)
Lets start with the obvious change:
CISSP - Before Apr 2018CISSP - from Apr 20181. Security and Risk Management16%15%2. Asset Security10%10%3. Security Engineering12%13%4. Communications and Network Security12%14%5. Identity and Access Management13%13%6. …

VRF Maximum Routes

Maximum routes under customer vrf, if the service provider had unlimited resources he would not have needed that!
however normally resources are limited and expensive, and Service provider would like to make money from his available resources. maximum routes configured under VRF provide a mean of controlling PE local resource and abuse avoidance from the CE side.I have vrf called DC_EXTRANET, you can see that I have 16 routes, I have configured 10 maximum routes under that vrf however I did not want to be aggressive so I have set the warning only option. See that immediately I get a notice that I have more routes then the maximum, however no action is taken other then alerting and sending a syslog. ! PE_ashdod_otherisp.n(config-vrf)# maximum routes 10 warning-only % The current number of routes in the routing table is equal to, or exceeds the configured warning limit PE_ashdod_otherisp.n(config-vrf)# *Nov 26 20:39:41.175: %IPRT-3-ROUTELIMITWARNING: IP routing table limit warning - DC_…