CISSPills #3.01

CISSPills are short presentations covering topics to study in preparation for the CISSP exam. CISSPills is a digest of my notes and does not aim to replace a study book; it is intended only as one more companion for self-paced students.

Every issue covers different topics of the CISSP CBK (Common Body of Knowledge); the goal is to address all ten domains that compose the CISSP.


Domain 3: Information Security Governance and Risk Management
- Security’s Core Principles
- A-I-C Triad
- Balanced Security
- Security Definitions
- Security Definitions – Key Terms
- Control Types
- The Onion Approach (Defense-in-depth)
- Control Functionalities
- Control Functionalities – Incident-Time Standpoint
- Information Security Management System (ISMS)
- Enterprise Architecture
- Enterprise Security Architecture
- ISMS vs. Enterprise Security Architecture


1. DOMAIN 3: Information Security Governance and Risk Management (#3.01)
2. Table of Contents (the same outline listed at the top of this page)
3. Security’s Core Principles
   Information Security aims to protect assets by assuring:
   - Availability
   - Integrity
   - Confidentiality
   This is known as the A-I-C triad (elsewhere also known as the C-I-A triad).
4. A-I-C Triad
   Availability: ensuring reliable and timely access to data and resources for authorized users. Assets have to be accessible to authorized people whenever, and in the way, they are expected to be.
   Integrity: preventing unauthorized modification of information, and so assuring the accuracy and reliability of data. Integrity can be compromised by mistake or maliciously.
   Confidentiality: ensuring a proper level of secrecy by preventing unauthorized disclosure of information. Data have to be protected both when stored (data at rest) and while transmitted (data in transit).
5. Balanced Security
   Different systems have different priorities in terms of the requirements they must meet: an e-commerce company needs its website to be available all the time, an engineering company needs confidentiality in order to protect its intellectual property, while a bank needs to assure integrity in order to prevent fraud.
   A good security strategy should rely on controls that address all three principles of the A-I-C triad, so that comprehensive protection is provided.
6. Security Definitions
   Controls can reduce or eliminate exposures and risks, but they cannot eliminate the threat agent.
   [Diagram of the relationships between threat agent, threat, vulnerability, exposure, risk, asset and control; only the edge labels survived extraction: "exploits", "poses", "can damage", "counteracts", "directly affects", "characterized by", "triggers". The terms themselves are defined on the next slide.]
7. Security Definitions – Key Terms
   - Threat Agent: an entity willing and able to exploit a vulnerability;
   - Threat: the potential danger that a vulnerability will be exploited;
   - Vulnerability: a weakness affecting an asset;
   - Exposure: the consequence of an exploited vulnerability that exposes the organization to a threat;
   - Risk: the likelihood that a vulnerability is exploited, combined with the associated impact;
   - Control: a countermeasure (safeguard) implemented in order to reduce risk.
8. Control Types
   - Administrative (NIST: Management): management-oriented controls (e.g. policies, documentation, training, risk management, etc.).
   - Technical (also called logical; NIST: Technical): hardware and software solutions (e.g. firewalls, multi-factor authentication, encryption, etc.).
   - Physical (NIST: Operational): physical safeguards aimed at protecting people first, then facilities and resources (e.g. CCTV, guards, fences, etc.).
9. The Onion Approach (Defense-in-depth)
   Just as the layers of an onion surround its core, the security controls put in place to protect an asset have to "embrace" it, following a layered approach and acting in a coordinated fashion.
   Each layer is a security mechanism that encloses both the layers beneath it and the asset. In this way, even if an attacker breaches one layer, the asset is not compromised because the other layers still protect it. For this to hold, the layers must fail independently: two controls that share the same weakness (the same credential, the same vendor bug, the same administrator) count as a single layer.
   The more critical the asset is, the more layers of protection are implemented.
10. Control Functionalities
   Whatever their type (administrative, technical or physical), controls can also be categorized by the function they serve. Controls fall into seven categories:
   - Directive: guidelines and rules that users (internal and external) must follow in order to access systems and data;
   - Deterrent: controls intended to discourage malicious users from performing attacks;
   - Preventive: controls intended to stop an incident from occurring;
   - Detective: controls intended to detect an incident after it has occurred;
   - Corrective: controls put in place once an incident has occurred, in order to limit the damage or fix the issue;
   - Recovery: controls put in place to bring systems back to regular operation;
   - Compensating: alternative controls used when the primary control cannot be put in place because of cost or business requirements.
11. Control Functionalities – Incident-Time Standpoint
   [Timeline figure; only the labels "TIME" and "Incident" survived extraction. Following the definitions on the previous slide, directive, deterrent and preventive controls act before the incident, detective controls act when it occurs, and corrective and recovery controls act after it.]
12. Information Security Management System (ISMS)
   An ISMS (also known as a Security Program) is a technology-independent framework composed of physical, logical and administrative controls, as well as people and processes, that work together in order to provide the organization with an adequate level of protection.
   The goal of a Security Program is to build a holistic approach to the management of Information Security.
   The most widely adopted ISMS framework is the ISO/IEC 27000 series, in which ISO/IEC 27001 specifies how to build and maintain an effective Security Program.
13. Enterprise Architecture
   Organizations can be very complex entities, made up of several processes and elements that work jointly; adding security controls to an organization therefore requires a deep analysis of how these controls would impact the organizational flows.
   An Enterprise Architecture (EA) framework is a conceptual model which, through a modular representation, makes complex systems (such as organizations) easier to understand.
   EAs are fundamental during the implementation of security services because they take into account the environment, the business needs and the relationships within the organization. The advantages of using an EA are:
   - Splitting a complex model into smaller blocks that are easier to understand;
   - Providing different "views" of the same organization, so that people with different roles can access information presented in a way they understand and that makes sense to them;
   - Providing an all-round view of the organization that makes it possible to understand how a change would impact the other elements which compose the organization.
14. Enterprise Security Architecture
   An Enterprise Security Architecture (ESA) is a subset of an Enterprise Architecture that allows a security strategy (composed of solutions, processes and procedures) to be implemented within an organization.
   It is a comprehensive and rigorous method which takes into account how security ties into the organization, and which describes the structure and the behaviour of the elements that compose an ISMS.
   The main reason for adopting an ESA is to ensure that the security strategy the organization is going to implement integrates properly with the different organizational processes, rather than being bolted on beside them.
15. ISMS vs. Enterprise Security Architecture
   An ISMS (Security Program) specifies the controls to implement (risk management, vulnerability management, auditing, etc.) and provides guidance on how these controls should be maintained. Basically, it specifies what to put in place in order to manage security holistically, and how to manage the components once implemented.
   An Enterprise Security Architecture describes how to integrate the security components into the different elements of the organization. An ESA makes it possible to take a generic framework, such as the ISO/IEC 27000 series, and implement it in one's own specific environment, thanks to a model which describes the components of an organization and their interactions.
16. That’s all Folks!
   We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them.
   For comments, typos, complaints or whatever you want, drop me an e-mail at: cisspills <at> gmail <dot> com
   More resources:
   - Stay tuned for the next issues;
   - Join "CISSP Study Group Italia" if you are preparing for your exam.
   Brought to you by Pierluigi Falcone. More info about me at