CISSP Exam Essentials: Security Principles and Practices, Exams of Computer Security

A concise overview of key cybersecurity concepts essential for the CISSP exam. It covers fundamental principles such as the CIA triad, AAA services, authorization, auditing, and accountability, along with crucial topics such as defense in depth, abstraction, data hiding, security governance, and threat modeling. The document also delves into security management planning, organizational processes, key security roles, and the importance of human factors in security.

Typology: Exams

2024/2025

Available from 04/28/2025

Emmicole
CISSP - Exam Essentials rated A

Understand the CIA Triad elements of confidentiality, integrity, and availability - Confidentiality is the principle that objects are not disclosed to unauthorized subjects. Integrity is the principle that objects retain their veracity and are intentionally modified only by authorized subjects. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.

Know the elements of AAA services - AAA is composed of:
- identification,
- authentication,
- authorization,
- auditing, and
- accountability.

Be able to explain how identification works - Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability.

Understand the process of authentication - Authentication is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated.



Know how authorization fits into a security plan - Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.

Be able to explain the auditing process - Auditing is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.

Understand the importance of accountability - Security can be maintained only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject's identity and track their activities.

Be able to explain nonrepudiation - Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

Know about defense in depth - Defense in depth, also known as layering, is simply the use of multiple controls in a series. Using a multilayered solution allows for numerous different controls to guard against whatever threats come to pass.

Be able to explain the concept of abstraction - Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.

Know what a business case is - A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security.

Understand security management planning - Security management is based on three types of plans: strategic, tactical, and operational. A strategic plan is a long-term plan that is fairly stable. It defines the organization's goals, mission, and objectives. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

Know the elements of a formalized security policy structure - To create a comprehensive security plan, you need the following items in place: security policy, standards, baselines, guidelines, and procedures.

Understand organizational processes - Security governance needs to address every aspect of an organization. This includes the organizational processes of acquisitions, divestitures, and governance committees.

Understand key security roles - The primary security roles are senior manager, security professional, asset owner, custodian, user, and auditor.

Know the basics of COBIT - Control Objectives for Information and Related Technology (COBIT) is a security concept infrastructure used to organize the complex security solutions of companies.

Understand due diligence and due care - Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.

Know the basics of threat modeling - Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.

Understand the security implications of hiring new employees - To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, prevention of collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. By deploying such mechanisms, you ensure that new hires are aware of the required security standards, thus protecting your organization's assets.

Understand onboarding and offboarding - Onboarding is the process of adding new employees to the organization using socialization and orientation. Offboarding is the removal of an employee's identity from the IAM system once that person has left the organization.

Know the principle of least privilege - The principle of least privilege states that users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.

Understand the need for a nondisclosure agreement (NDA) - An NDA is used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside the organization.

Know about employee oversight - Throughout the employment lifetime of personnel, managers should regularly review or audit the job descriptions, work tasks, privileges, and responsibilities for every staff member.

Know why mandatory vacations are necessary - Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.

Know about UBA and UEBA - User behavior analytics (UBA) and user and entity behavior analytics (UEBA) are the concepts of analyzing the behavior of users, subjects, visitors, customers, etc. for some specific goal or purpose.

Understand employee transfers - Personnel transfers may be treated as a fire/rehire rather than a personnel move. This depends on the organization's policies and the means they have determined to best manage this change. Some of the elements that go into making the decision as to which procedure to use include whether the same user account will be retained, if their clearance will be adjusted, if their new work responsibilities are similar to the previous position, and if a "clean slate" account is required for auditing purposes in the new job position.

Be able to explain proper termination policies - A termination policy defines the procedure for terminating employees. It should include items such as always having a witness, disabling the employee's network access, and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property.

Understand risk analysis and the key elements involved - Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. To fully evaluate risks and subsequently take the proper precautions, you must analyze the following: assets, asset valuation, threats, vulnerability, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.

Know how to evaluate threats - Threats can originate from numerous sources, including IT, humans, and nature. Threat assessment should be performed as a team effort to provide the widest range of perspectives. By fully evaluating risks from all angles, you reduce your system's vulnerability.

Understand qualitative risk analysis - Qualitative risk analysis is based more on scenarios than calculations. Exact dollar figures are not assigned to possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects. Such an analysis assists those responsible in creating proper risk management policies.

Understand the Delphi technique - The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

Understand quantitative risk analysis - Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of intangible aspects of risk. The process involves valuing assets and identifying threats and then determining a threat's potential frequency and the resulting damage, which leads to the risk response tasks of the cost/benefit analysis of safeguards.

Be able to explain the concept of an exposure factor (EF) - An EF is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. By calculating exposure factors, you are able to implement a sound risk management policy.

Know what single loss expectancy (SLE) is and how to calculate it - SLE is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. The formula is SLE = asset value (AV) * exposure factor (EF), or SLE = AV * EF.

Understand annualized rate of occurrence (ARO) - ARO is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur (in other words, become realized) within a single year. Understanding AROs further enables you to calculate the risk and take proper precautions.

Know what annualized loss expectancy (ALE) is and how to calculate it - ALE is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset.

Accepting risk means management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.

Be able to explain total risk, residual risk, and the controls gap - Total risk is the amount of risk an organization would face if no safeguards were implemented. To calculate total risk, use this formula: threats * vulnerabilities * asset value = total risk. Residual risk is the risk that management has chosen to accept rather than mitigate. The difference between total risk and residual risk is the controls gap, which is the amount of risk that is reduced by implementing safeguards. To calculate residual risk, use the following formula: total risk - controls gap = residual risk.

Understand control types - The term control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources. Control types include preventive, deterrent, detective, compensating, corrective, recovery, and directive. Controls can also be categorized by how they are implemented: administrative, logical, or physical.

Understand security control assessment (SCA) - An SCA is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation.
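A worked example of the quantitative formulas in these notes, SLE = AV * EF and total risk - controls gap = residual risk, added here as an illustration and not part of the original study notes. It also carries the calculation through the standard CISSP companions ALE = SLE * ARO and the safeguard cost/benefit test, (ALE before) - (ALE after) - annual cost of safeguard, which the notes refer to but do not spell out; every asset value, factor and cost below is a constructed sample number.

```python
"""Quantitative risk analysis worked through in code. This is an added
illustration, not code from the original study notes. It implements the notes'
formulas SLE = AV * EF and total risk - controls gap = residual risk, plus the
standard CISSP companions ALE = SLE * ARO and the safeguard cost/benefit test
(ALE before) - (ALE after) - annual cost of safeguard. All figures below are
constructed sample numbers."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost per realized risk, 0..1
    aro: float              # ARO: expected realizations of the threat per year

    def sle(self) -> float:
        """Single loss expectancy, SLE = AV * EF (the notes' formula)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy, ALE = SLE * ARO."""
        return self.sle() * self.aro


def safeguard_value(before: AssetRisk, after: AssetRisk, annual_cost: float) -> float:
    """Yearly value of a safeguard: ALE without it, minus ALE with it,
    minus the safeguard's own annual cost."""
    return before.ale() - after.ale() - annual_cost


def risk_response(before: AssetRisk, after: AssetRisk, annual_cost: float) -> str:
    """Decision rule from the notes: when the countermeasure costs more than
    the loss it prevents, the risk is accepted; otherwise it is mitigated."""
    return "mitigate" if safeguard_value(before, after, annual_cost) > 0 else "accept"


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """total risk - controls gap = residual risk (the notes' formula)."""
    if not 0 <= controls_gap <= total_risk:
        raise ValueError("controls gap must lie between 0 and total risk")
    return total_risk - controls_gap


# Constructed sample: a customer database valued at 500,000. A ransomware event
# is assumed to wipe out 40% of its value (EF 0.40) about once every two years
# (ARO 0.5). Offline backups are assumed to cut EF to 0.10 for 20,000 a year;
# a far more expensive product would achieve the same EF for 90,000 a year.
DB_RISK = AssetRisk(asset_value=500_000, exposure_factor=0.40, aro=0.5)
DB_WITH_BACKUPS = AssetRisk(asset_value=500_000, exposure_factor=0.10, aro=0.5)
BACKUP_COST = 20_000
EXPENSIVE_COST = 90_000

if __name__ == "__main__":
    print(f"SLE = {DB_RISK.sle():,.0f}, ALE = {DB_RISK.ale():,.0f}")
    print(f"backups: value {safeguard_value(DB_RISK, DB_WITH_BACKUPS, BACKUP_COST):,.0f}"
          f" -> {risk_response(DB_RISK, DB_WITH_BACKUPS, BACKUP_COST)}")
    print(f"expensive: value {safeguard_value(DB_RISK, DB_WITH_BACKUPS, EXPENSIVE_COST):,.0f}"
          f" -> {risk_response(DB_RISK, DB_WITH_BACKUPS, EXPENSIVE_COST)}")
    print(f"residual risk = {residual_risk(100_000, 75_000):,.0f}")
```

With the sample figures the backups return 55,000 a year and are worth mitigating with, while the 90,000 product loses 15,000 a year, which is the case the notes describe as accepting the risk.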

Understand security monitoring and measurement - Security controls should provide benefits that can be monitored and measured. If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security.

Understand risk reporting - Risk reporting involves the production of a risk report and a presentation of that report to the interested/relevant parties. A risk report should be accurate, timely, comprehensive of the entire organization, clear and precise to support decision making, and updated on a regular basis.

Know the need for continuous improvement - Security is always changing. Thus, any implemented security solution requires updates and changes over time. If a continuous improvement path is not provided by a selected countermeasure, then it should be replaced with one that offers scalable improvements to security.

Understand the Risk Maturity Model (RMM) - The Risk Maturity Model (RMM) is a means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process. The RMM levels are:

  • ad hoc
  • preliminary
  • defined
  • integrated, and
  • optimized.

All new employees require some level of training so that they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion.

Know about security champions - Often a security champion is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. Security champions are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors.

Understand gamification - Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change.

Know about the need for periodic content reviews and effectiveness evaluations - It is important to perform periodic content reviews of all training materials. This is to ensure that the training materials and presentation stay in line with business goals, organizational mission, and security objectives. Some means of verification should be used to measure whether the training is beneficial or a waste of time and resources.

Understand the four steps of the business continuity planning process - Business continuity planning involves four distinct phases:

  1. Project scope and planning,
  2. Business impact analysis,
  3. Continuity planning, and
  4. Approval and implementation.

Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency.

Describe how to perform the business organization analysis - In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis serves as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.

List the necessary members of the business continuity planning team - The BCP team should contain, at a minimum:

  • representatives from each of the operational and support departments
  • technical experts from the IT department
  • physical and IT security personnel with BCP skills
  • legal representatives familiar with corporate legal, regulatory, and contractual responsibilities
  • representatives from senior management

Additional team members depend on the structure and nature of the organization.

Know the legal and regulatory requirements that face business continuity planners - Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject

believe in. Violations of criminal law are prosecuted by federal and state governments. Civil law provides the framework for the transaction of business between people and organizations. Violations of civil law are brought to the court and argued by the two affected parties. Administrative law is used by government agencies to effectively carry out their day-to-day business.

Be able to explain the basic provisions of the major laws designed to protect society against computer crime - The Computer Fraud and Abuse Act (as amended) protects computers used by the government or in interstate commerce from a variety of abuses. The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual.

Know the differences among copyrights, trademarks, patents, and trade secrets - Copyrights protect original works of authorship, such as books, articles, poems, and songs. Trademarks are names, slogans, and logos that identify a company, product, or service. Patents provide protection to the creators of new inventions.

Trade secret law protects the operating secrets of a firm.

Be able to explain the basic provisions of the Digital Millennium Copyright Act of 1988 - The Digital Millennium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of internet service providers for the activities of their users.

Know the basic provisions of the Economic Espionage Act of 1996 - The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.

Understand the various types of software license agreements - Contractual license agreements are written agreements between a software vendor and user. Shrink-wrap agreements are written on software packaging and take effect when a user opens the package. Click-through agreements are included in a package but require the user to accept the terms during the software installation process.

Understand the notification requirements placed on organizations that experience a data breach - California's SB 1386 implemented the first statewide requirements to notify individuals of a breach of their personal information. All other states eventually followed through with similar laws. Currently, federal law only requires notification of individuals when a HIPAA-covered entity breaches their protected health information.