The document outlines key principles of managing engineering processes, including threat modeling, security models, and system security requirements. It discusses various security frameworks, controls, and methodologies for vulnerability assessment and cryptographic solutions, emphasizing the importance of confidentiality, integrity, and availability. Additionally, it details site and facility security design principles, highlighting measures to protect physical assets and information systems.

1. #
l
e
a
r
n
t
o
r
i
s
e

2. 3.1 KEY PRINCIPLES TO RESEARCH, IMPLEMENT, AND MANAGE
ENGINEERING PROCESSES
CISSP
DOMAIN
3
Threat Modeling
Least Privilege
Defense in Depth
Secure Defaults
Fail Securely
Separation of
Duties (SoD)
Zero Trust
Privacy by Design
Trust but Verify
Identify threats, assess vulnerabilities, determine
mitigation
Minimize access rights, limit permissions
Layered security, multiple controls, protect
against diverse attacks
Use secure default settings to reduce risk
Secure state during failures
Divide tasks and reduce fraud risks
Verify all access requests, continuous monitoring,
no implicit trust
Embed privacy, protect data throughout its
lifecycle, ensure compliance
Build trust, validate actions, maintain compliance
www.infosectrain.com

3. www.infosectrain.com
3.2 UNDERSTAND THE FUNDAMENTAL CONCEPTS OF SECURITY MODELS
CISSP
DOMAIN
3
Trusted
Computing Base
State Machine
Model
Information
Flow Model
Noninterference
Model
Take-Grant
Model
Access Control
Matrix
Bell–LaPadula
Model
Overview
Key
Properties
Core security components
System state validation
Controls how information flows
Isolate actions to prevent interference
Rules for transferring access rights
Rules for transferring access rights
Focus on data confidentiality
Simple Security Property:
No read-up
Star (*) Security Property: No
write-down (Confinement Property)
Discretionary Security Property:
Enforces DAC through access matrix

4. www.infosectrain.com
CISSP
DOMAIN
3
Biba
Model
Clark–Wilson
Model
Brewer and
Nash Model
Goguen–Meseguer
Model
Sutherland
Model
Graham–Denning
Model
Harrison–Ruzzo–
Ullman Model
Enforce well-formed transactions
Dynamic access control for conflict of interest
Noninterference in multilevel security systems
Integrity model based on state transitions
Formal model for access control with a focus
on authorization
Secure creation and deletion of subjects/objects
3.2 UNDERSTAND THE FUNDAMENTAL CONCEPTS OF SECURITY MODELS
Overview
Key
Properties
Focus on data integrity
Simple Integrity Property: No read-down
Star (*) Integrity Property: No write-up

5. www.infosectrain.com
CISSP
DOMAIN
3
Understand
System Security
Requirements
Common
Criteria (CC)
Framework
Types of
Security
Controls
Confidentiality: Ensure data privacy
Integrity: Ensure data accuracy and completeness
Availability: Ensure data and systems are accessible
when needed
Evaluation Assurance Levels (EALs)
Protection Profiles (PPs)
Security Targets (STs)
Policies and Procedures
Training and Awareness
Risk Assessment
Incident Response Planning
Locks and Fences
Security Guards
Surveillance Cameras
Environmental Controls (e.g., HVAC,
fire suppression)
Encryption & Access Controls
(e.g., RBAC, ACLs)
Firewalls and IDS/IPS
Antivirus and Anti-malware
Administrative
Controls
Technical
Controls
Physical
Controls
Overview: International standard for evaluating
and certifying information security products
Key
Components
of the CC
Process
3.3 SELECT CONTROLS BASED ON SYSTEMS SECURITY REQUIREMENTS

6. www.infosectrain.com
3.4 UNDERSTAND THE SECURITY CAPABILITIES OF INFORMATION SYSTEMS
CISSP
DOMAIN
3
Memory
Protection
Trusted
Platform
Module (TPM)
Virtualization
Purpose: Prevent unauthorized access and
corruption of data in memory
Techniques
Purpose: Isolate and secure virtual environments
Types
Hardware Virtualization
(e.g., Hypervisors)
Software Virtualization
Purpose: Provide hardware-based security functions
Capabilities
Segmentation
Paging
Address Space Layout
Randomization (ASLR)
Memory Management Units (MMUs)
Secure Cryptographic Operations
Secure Boot Process
Remote Attestation

7. www.infosectrain.com
3.4 UNDERSTAND THE SECURITY CAPABILITIES OF INFORMATION SYSTEMS
CISSP
DOMAIN
3
Interfaces
Encryption/
Decryption
Fault
Tolerance
Purpose: Secure communication channels
between systems
Types
Purpose: Ensure system reliability and availability
Techniques
Symmetric Encryption (e.g., AES, DES)
Asymmetric Encryption (e.g., RSA, ECC)
Purpose: Protect data confidentiality and integrity
Types
Redundancy (e.g., RAID,
Failover Systems)
Error Detection and Correction (EDAC)
Load Balancing
Application Programming Interfaces (APIs)
User Interfaces (UIs)
Network Interfaces

8. www.infosectrain.com
CISSP
DOMAIN
3
Vulnerability
Identification
Encryption/
Decryption
Threat
Analysis
Techniques
Tools
Threat
Modeling
Risk
Assessment
Strategies
Implementation
Steps
Techniques
Automated Scanners (e.g., Nessus, Qualys)
Manual Testing Tools (e.g., Burp Suite, Metasploit)
Source Code Analysis Tools (e.g., SonarQube)
Patching and Updates
Access Control Enhancements
Encryption and Data Protection
Plan Mitigation Actions
Execute Mitigation Measures
Validate and Test Effectiveness
3.5 ASSESS AND MITIGATE THE VULNERABILITIES OF SECURITY
ARCHITECTURES, DESIGNS, AND SOLUTION ELEMENTS
Vulnerability Scanning
Penetration Testing
Code Reviews
Configuration Reviews
Identify Assets
Evaluate Impact and Likelihoo
STRIDE
DREAD
Assessing Risk Levels (High, Medium, Low)
Prioritizing Threats Based on Impact

9. www.infosectrain.com
3.6 SELECT AND DETERMINE CRYPTOGRAPHIC SOLUTIONS
CISSP
DOMAIN
3
Understanding
Security Goals
Analyzing
Options
Considering
Implementation
Constraints
Selecting and
Implementing
Pros: Faster, simpler
Cons: Key distribution challenges
Pros: Secure key exchange
Cons: Slower, more complex
Pros: Data integrity, password storage
Cons: Not reversible
Pros: Authentication, non-repudiation
Cons: Computationally intensive
Choosing Algorithms: Select based on security
goals and constraints
Key
Management
Confidentiality
Integrity
Availability
Performance
Compatibility
Cost
Usage
Symmetric
Encryption
Asymmetric
Encryption
Hashing
Digital
Signatures
Secure generation
Distribution
Storage
Destruction

10. www.infosectrain.com
3.7 UNDERSTAND METHODS OF CRYPTANALYTIC ATTACKS
CISSP
DOMAIN
3
Brute Force
Ciphertext Only
Known Plaintext
Access to ciphertext only
Pattern analysis
Mitigation: Strong encryption algorithms
Access to plaintext and ciphertext
Easier key deduction
Mitigation: Unique keys, strong encryption
Attempt all combinations
Time-consuming
Guaranteed success with time
Mitigation: Strong, complex passwords

11. www.infosectrain.com
3.7 UNDERSTAND METHODS OF CRYPTANALYTIC ATTACKS
CISSP
DOMAIN
3
Frequency
Analysis
Man-in-the-Middle
Attack
Pass the Hash
Analyzing character frequency
Effective against substitution ciphers
Statistical analysis
Mitigation: Polyalphabetic ciphers
Intercepting communication
Capturing/modifying data
Exploits weak/no encryption
Mitigation: TLS, mutual authentication
Reuse hashed passwords
Targets NTLM protocols
Enables lateral movement
Mitigation: Multifactor authentication, limit NTLM,
endpoint security

12. www.infosectrain.com
3.8 APPLY SECURITY PRINCIPLES TO SITE AND FACILITY DESIGN
CISSP
DOMAIN
3
Site
Selection
Facility Design
Principles
Location: Assess geographic risks
Accessibility: Control access points
Utilities: Ensure reliable power, water, and
communication services
Regulatory Compliance: Adhere to regulations
Zoning: Public, restricted, high-security zones
Natural Surveillance: Lighting, landscape design
Territorial Reinforcement: Fences, walls
Target Hardening: Reinforced doors, windows
Access Control: Badges, biometrics, guards

13. www.infosectrain.com
3.8 APPLY SECURITY PRINCIPLES TO SITE AND FACILITY DESIGN
CISSP
DOMAIN
3
Physical
Security
Measures
Monitoring and
Maintenance
Perimeter Security
Building Security
Environmental
Controls
Fencing
Gates
Security Lighting
Surveillance Cameras (CCTV)
Surveillance
Inspections
Maintenance
Incident Response
Secure Entrances
Intrusion Detection Systems
Secure Areas
HVAC Systems
Fire Suppression Systems
Flood Prevention Measures

14. www.infosectrain.com
3.9 DESIGN SITE AND FACILITY SECURITY CONTROLS
CISSP
DOMAIN
3
Wiring Closets/Intermediate
Distribution Facilities
Server Rooms/
Data Centers
Media Storage
Facilities
Evidence
Storage
Purpose: Converge networking
equipment and cabling
Security Measures: Controlled access,
monitoring
Purpose: House critical IT infrastructure
Security Measures: Access control, surveillance
Purpose: Store physical media assets (tapes, disks)
Security Measures: Restricted access,
environmental controls
Purpose: Store evidential materials
Security Measures: Access restrictions, surveillance

15. www.infosectrain.com
CISSP
DOMAIN
3
3.9 DESIGN SITE AND FACILITY SECURITY CONTROLS
Restricted and Work
Area Security
Utilities and
HVAC
Fire Prevention,
Detection, and
Suppression
Power (e.g.,
Redundant,
Backup)
Purpose: Protect sensitive information/
operations
Security Measures: Access controls, handling
policies
Purpose: Secure essential utilities and HVAC
systems
Security Measures: Prevent unauthorized access
Purpose: Mitigate fire risks
Security Measures: Detection systems,
suppression mechanisms
Environmental
Issues
Purpose: Manage physical environment
(climate control, sustainability)
Security Measures: Monitoring systems
Purpose: Ensure reliable and secure power sources
Security Measures: Redundancy, backup systems

16. To Get More Insights Through Our FREE
FOUND THIS USEFUL?
Courses | Workshops | eBooks | Checklists | Mock Tests
LIKE FOLLOW
SHARE