CISSP Study Notes-1 (Principles and Strategies for Implementing Security Governance)
Study notes and analysis of important exercises for Chapter 1 of CISSP, Security and Risk Management. I hope they are helpful to everyone.
Edited at 2024-01-19 11:22:47
CISSP Study Notes-1 (Principles and Strategies for Implementing Security Governance)
Domain 1 - Security and Risk Management
CIA triad
Understand and apply security concepts
Confidentiality
Goal: prevent or minimize unauthorized access to data; protect authorized access while preventing data disclosure
Related concepts, conditions and characteristics
Sensitivity
The quality of information that could cause harm or damage if disclosed
Discretion
A decision-making act: the operator can influence or control disclosure in order to minimize harm or damage
Criticality
A measure of how critical the information is to the mission; the higher the criticality, the greater the need to keep it confidential
Concealment
The act of hiding or preventing disclosure
Secrecy
The act of keeping something secret or preventing the disclosure of information
Privacy
Keeping confidential the information that is personally identifiable, or that might cause harm or embarrassment to someone if revealed
Seclusion
Storing something in an out-of-the-way location, with strict access controls
Isolation
The act of keeping something separate from other things
Mnemonic: sensitivity (plus discretion and criticality), two hidings (concealment, secrecy), two separations (seclusion, isolation), one protection (privacy)
Integrity
Protect the reliability and correctness of data
Verifying completeness is one aspect of it
Prevent modifications by unauthorized subjects
Prevent unauthorized modifications by authorized subjects (mistakes or oversights)
Keep objects internally and externally consistent, so that an object's data is a correct and true reflection of the real world and its relationships with other objects are valid, consistent and verifiable
Related concepts, conditions and characteristics
Accuracy
Correct and precise
Truthfulness
A true reflection of reality
Validity
Factually or logically sound
Accountability
Being responsible or obligated for actions and results
Responsibility
Being in charge of, or having control over, something or someone
Completeness
Having all necessary components or parts
Comprehensiveness
Complete in scope; the full inclusion of all needed elements
Mnemonic: five properties (accuracy, truthfulness, validity, completeness, comprehensiveness) and two responsibilities (accountability, responsibility)
Availability
Authorized subjects are granted timely and uninterrupted access to objects
Related concepts, conditions and characteristics
Usability
The state of being easy to use or learn, or of being able to be understood and controlled by a subject
Accessibility
The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness
Being prompt, on time, within a reasonable time frame, or providing low-latency response
Mnemonic: two "-abilities" (usability, accessibility) and one timeliness
DAD triad, overprotection, authenticity, non-repudiation and AAA services
DAD triad (the opposite of CIA): disclosure, alteration, destruction
Overprotection
Overprotecting confidentiality restricts availability
Overprotecting integrity restricts availability
Overprotecting availability restricts confidentiality and integrity
Authenticity
Data is genuine and originates from its claimed source (not forged)
Non-repudiation
A subject cannot deny having performed an action or caused an event
AAA services
Core security mechanisms: authentication, authorization, accounting; in practice these cover five elements: identification, authentication, authorization, auditing, accounting
Identification
Claiming an identity
Authentication
Proving (verifying) the claimed identity
Authorization
Defining the permissions (allow or deny) of an authenticated identity
Auditing
Recording a log of events and activities related to the system and its subjects
Accounting (accountability)
Reviewing log files to check for compliance and violations, and holding subjects responsible for their actions
Accountability requires the preceding four elements (identification, authentication, authorization, auditing) to be in place
Protection mechanisms
Defense in depth (layering)
Multiple protection controls in layers, so that the failure of a single control does not expose the system or data
Controls are arranged in series (each must be passed in turn), not in parallel
Abstraction
Similar elements are placed into groups, classes or roles, and security controls are applied to the collection as a whole
Introduces object groups (classes); access and operating rights are assigned to the group rather than to each object
Data hiding
Prevents data from being discovered or accessed by placing it in a logical storage compartment that the subject cannot access or read
Prevents unauthorized access; keeps lower-classification subjects from accessing higher-classification data
A characteristic of multilevel security systems
Encryption
Security boundaries
The intersection between any two areas, subnets or environments with different security requirements. Defines the operations a subject may perform on an object. The security boundaries between different classifications are
There are also security boundaries between the physical environment and the logical environment; the physical and logical boundaries usually correspond to each other
Security boundaries should be clearly defined
When translating security policy into actual controls, each environment and each security boundary must be considered separately, the value of the objects on each side weighed, and protection matched to that value
Evaluate and apply security governance principles
Security governance: the collection of practices that support, evaluate, define and direct an organization's security efforts
Third-party governance: oversight imposed by law, regulation, industry standards, contractual obligations or licensing requirements
Document review:
Manage the security function
Security function aligned with business strategy, goals, mission and objectives
Approach: top-down; security management is the responsibility of upper management
Security management plan contents: define security roles; prescribe how security is to be managed, who is responsible for security and how security effectiveness is tested; develop security policies; perform risk analysis; carry out security education
Security management plan
Strategic plan
Long-term plan (about 5 years), includes a risk assessment
Tactical plan
Mid-term plan (about 1 year): project plans, acquisition plans, hiring plans, budget plans, maintenance plans, development plans, support plans
Operational plan
Short-term plan (monthly or quarterly), highly detailed
organizational process
Organizational roles and responsibilities
Senior manager
Ultimately responsible for maintaining organizational security; concerned with the protection of organizational assets
Security professional
Implementer with functional responsibility for security, including writing and implementing security policies
Asset owner
Custodian
User
Auditor
Responsible for reviewing and verifying that security policies are properly implemented and that the derived security solutions are adequate
Security control frameworks
Choosing a framework is the first step in security planning
One of the most widely used: Control Objectives for Information and Related Technology (COBIT)
COBIT 2019 principles
Provide stakeholder value
Holistic approach
Dynamic governance system
Governance distinct from management
Tailored to enterprise needs
End-to-end governance system
Other IT standards and guidelines
NIST SP 800-53 Rev. 5
Center for Internet Security (CIS) Controls
NIST Risk Management Framework (RMF)
NIST Cybersecurity Framework (CSF)
ISO/IEC 27000 family
Information Technology Infrastructure Library (ITIL)
Due care and due diligence
Due care
Developing a formalized security structure containing security policies, standards, baselines, guidelines and procedures
Knowing what should be done and planning for it
Due diligence
The continued application of that security structure to the organization's IT infrastructure
Doing the right action at the right time
Caveat: these notes follow the definitions used by older editions of the CISSP Official Study Guide (and by exercise 4 below). The 9th edition reverses the labels: due diligence is establishing the plan, policy and process ("knowing what should be done and planning for it"), and due care is practicing the activities that maintain that effort ("doing the right action at the right time"). Check which edition your prep material uses before memorizing either version.
Operational security
The ongoing maintenance of continued due care and due diligence by all responsible parties within the organization
Security policies, standards, procedures and guidelines
Security policy
Four components: policies, standards, guidelines and procedures
The standardized top-level document that defines the scope of security required
Security standards, baselines and guidelines
Security procedures
Threat modeling
The security process of identifying, categorizing and analyzing potential threats
Identifying threats
STRIDE categorization
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service (DoS)
Elevation of Privilege
PASTA (Process for Attack Simulation and Threat Analysis)
VAST (Visual, Agile and Simple Threat) modeling
Identifying and diagramming potential attacks
Performing reduction analysis (decomposition)
Five key concepts of decomposition
Trust boundaries
Data flow paths
Input points (entry points)
Privileged operations
Details of security stance and approach
Prioritization and response
DREAD rating system
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
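A worked example added here (not part of these notes or of the CISSP guide's own material) that ties the decomposition concepts, the STRIDE list and the DREAD list above together: it decomposes a small system into elements and data flows, flags the flows that cross a trust boundary or enter from outside, enumerates candidate threats per STRIDE category, and ranks them with DREAD. Assumptions: the sample system, its flows and the DREAD scores are constructed for illustration, and the STRIDE-per-element mapping (which threat categories apply to which kind of element) is Microsoft's heuristic, not something the notes state.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Which STRIDE categories apply to which element type: Microsoft's
# STRIDE-per-element heuristic, an assumption of this example, not from the notes.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID",   # R only matters for stores holding audit logs
              "data_flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # "external_entity", "process" or "data_store"
    trust_zone: str           # e.g. "internet", "dmz", "internal"
    privileged: bool = False  # performs a privileged operation


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    entry_point: bool = False  # input point reachable from outside the system


@dataclass
class Threat:
    target: str
    category: str
    at_trust_boundary: bool
    privileged: bool
    score: float = 0.0


def dread_score(rating: Tuple[int, ...]) -> float:
    """DREAD: (damage, reproducibility, exploitability, affected users,
    discoverability), each rated 1..10; the overall rating is the average."""
    if len(rating) != 5 or any(not 1 <= v <= 10 for v in rating):
        raise ValueError("DREAD needs five factors, each in 1..10")
    return sum(rating) / 5


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Decompose the system and list every STRIDE category that applies."""
    by_name = {e.name: e for e in elements}
    boundary_elements = set()
    threats: List[Threat] = []
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        # A data flow crossing a trust boundary, or entering from outside, is
        # where decomposition tells us to look first.
        crosses = src.trust_zone != dst.trust_zone or f.entry_point
        if crosses:
            boundary_elements.update((src.name, dst.name))
        for c in APPLICABLE["data_flow"]:
            threats.append(Threat(f"{f.src}->{f.dst}", STRIDE[c], crosses, False))
    for e in elements:
        for c in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[c],
                                  e.name in boundary_elements, e.privileged))
    return threats


def prioritize(threats: List[Threat],
               ratings: Dict[Tuple[str, str], Tuple[int, ...]]) -> List[Threat]:
    """Score rated threats with DREAD and sort highest first. Unrated threats
    sort by boundary position and privilege, so those get rated next."""
    for t in threats:
        r = ratings.get((t.target, t.category))
        t.score = dread_score(r) if r else 0.0
    return sorted(threats, key=lambda t: (t.score, t.at_trust_boundary,
                                          t.privileged), reverse=True)


def run_example() -> List[Threat]:
    # Constructed sample system: browser -> web app (DMZ) -> database (internal),
    # plus an internal privileged batch job that writes to the database.
    elements = [Element("browser", "external_entity", "internet"),
                Element("webapp", "process", "dmz"),
                Element("db", "data_store", "internal"),
                Element("batch", "process", "internal", privileged=True)]
    flows = [Flow("browser", "webapp", entry_point=True),
             Flow("webapp", "db"), Flow("batch", "db")]
    # Illustrative DREAD ratings (constructed) for a handful of the candidates.
    ratings = {("browser->webapp", "Information disclosure"): (8, 10, 9, 10, 10),
               ("webapp", "Elevation of privilege"): (9, 5, 6, 10, 5),
               ("db", "Tampering"): (10, 3, 3, 10, 2),
               ("batch->db", "Tampering"): (6, 2, 2, 4, 1)}
    return prioritize(enumerate_threats(elements, flows), ratings)


if __name__ == "__main__":
    for t in run_example():
        where = ("boundary " if t.at_trust_boundary else "") + \
                ("privileged" if t.privileged else "")
        print(f"{t.score:4.1f}  {t.target:17} {t.category:24} {where}")
```

Running it lists 27 candidate threats for the toy system; the internet-facing flow's information-disclosure threat ranks first, and the unrated candidates that sit on a trust boundary or on the privileged batch job come before the purely internal ones, which is the order in which a team would work through the remaining DREAD ratings.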
Apply risk-based management concepts to supply chains
2-Exam key points
1. Understand the CIA triad consisting of confidentiality, integrity and availability
2. Understand how identification works
3. Understand the identity authentication process
4. Understand how authorization is used in security programs
5. Explain the audit process
6. Understand the importance of accountability
7. Explain non-repudiation
8. Understand defense in depth
9. Ability to explain abstract concepts
10. Understand data hiding
11. Understand security boundaries
12. Understand security governance
13. Understand third-party governance
14. Understanding document review
15. Understand security capabilities aligned with business strategy, goals, mission and purpose
16. Understand business scenarios
17. Understand the safety management plan
18. Understand the components of a standardized security policy
19. Understand organizational processes
20. Understand key security roles
21. Understand the basics of COBIT
22. Understand due care and due diligence
23. Understand the basics of threat modeling
24. Understand supply chain risk management concepts
3-Important exercises and analysis
1. Regarding security governance, which of the following statements is correct? A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. B. Security governance is about improving efficiency: similar elements are put into groups, classes or roles that are assigned security controls, restrictions or permissions as a collective. C. Security governance is a set of documents recording IT security best practices; it prescribes goals and requirements for security controls and encourages mapping IT security ideals to business objectives. D. Security governance seeks to compare the security processes and infrastructure used within an organization with knowledge and insight obtained from external sources.
Correct answer: D. Tests the meaning of security governance: 1. Security governance is the collection of practices related to supporting, evaluating, defining and directing the security efforts of an organization. 2. Ideally it is the responsibility of a board of directors; in smaller organizations, the CEO or CISO. 3. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources. (A describes authorization, B describes abstraction, C describes a security control framework such as COBIT.)
2. An organization is in a period of business expansion and is carrying out a large number of mergers and acquisitions. The organization is concerned about the risks associated with these activities. Which of the following are examples of those risks? A. Inappropriate disclosure of information B. Increased worker compliance C. Data loss D. Downtime E. Insight into the motivations of insider attackers F. Failure to achieve a sufficient return on investment
Correct answer: ACDF. Tests organizational processes: acquisitions, divestitures and governance committees. B and E are potential benefits, not risks. 1. Mergers and acquisitions: the risks above. 2. Divestitures, asset reduction and employee reduction: sanitize assets to prevent data leakage (wipe or destroy storage media); for departing employees, conduct exit interviews.
3. Which of the following are COBIT principles? A. Holistic approach B. End-to-end governance system C. Provide stakeholder value D. Maintain authenticity and accountability E. Dynamic governance system
Correct answer: ABCE. Tests the COBIT principles; D is not one of them.
4. Which statements about due care and due diligence are correct? A. Due care is the development of plans, policies and procedures to protect the interests of the organization B. Due diligence is the development of a formalized security structure containing security policies, standards, baselines, guidelines and procedures C. Due care is the continued application of a security structure to the organization's IT infrastructure D. Due diligence is the practice of the activities that maintain the due care effort E. Due diligence is knowing what should be done and planning for it F. Due care is doing the right action at the right time
Correct answer: AD. Tests due care and due diligence as defined in these notes (older editions of the Official Study Guide). Under the 9th edition's reversed definitions, B, C, E and F would be the correct statements instead, so check which edition your exam prep follows.
5. Security document types:
Policy: a document that defines the scope of security needed by the organization, discusses the assets that require protection, and the extent to which security solutions should go to provide that protection
Standard: defines compulsory requirements for the homogeneous use of hardware, software, technology and security controls
Baseline: defines the minimum level of security that every system throughout the organization must meet
Guideline: offers recommendations on how security requirements are implemented; a how-to for security professionals and users, not compulsory
Procedure: a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control or solution
6.
7. A development team is working on a new project. Early in development, the team considers the vulnerabilities, threats and risks of its solution and integrates protections to prevent unwanted outcomes. Which threat modeling concept does this describe? A. Threat hunting B. Proactive approach C. Qualitative approach D. Adversarial approach
Correct answer: B. The proactive threat modeling approach, also called the defensive approach, takes place during design and development. The reactive or adversarial approach performs threat modeling after the product has been created and deployed and is also called threat hunting. Qualitative is a risk assessment method, not a threat modeling concept.
8. C's employer asks him to perform a document review of a third-party vendor's policies and procedures. C finds a problem: the vendor's communications are not encrypted and multi-factor authentication is not used. What should C do? A. Write a report and submit it to the CEO B. Revoke the vendor's ATO (authorization to operate) C. Ask the vendor to review its terms and requirements D. Have the vendor sign an NDA
Correct answer: B. When a document review shows that a vendor does not meet the required security standards, its authorization to operate should be revoked (or not granted) until the deficiencies are fixed; the on-site review and the relationship should not proceed before that.
9. Which of the following is a risk-centric threat modeling approach that aims to select or develop countermeasures in relation to the value of the assets to be protected? A. VAST B. SD3+C C. PASTA D. STRIDE
Correct answer: C. PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric approach that aims to select or develop countermeasures in relation to the value of the assets to be protected. VAST (Visual, Agile and Simple Threat) is a threat modeling concept that integrates threat and risk management into an agile programming environment on a scalable basis. SD3+C is Microsoft's "secure by design, secure by default, secure in deployment and communication" principle used within its Security Development Lifecycle (SDL). STRIDE is a threat categorization scheme developed by Microsoft.
10. The next step in threat modeling is to perform reduction analysis, also known as decomposing the application, system or environment. Which of the following are key components to identify during decomposition? A. Patches or updates B. Trust boundaries C. Data flow paths D. Use of open-source versus closed-source code E. Input points F. Privileged operations G. Details of security stance and approach
Correct answer: BCEFG. Five key concepts of decomposition: trust boundaries, data flow paths, input points, privileged operations, and details of security stance and approach.
11. Terms related to defense in depth (layering): levels, classifications, zones, realms, compartments, silos, segmentation, lattice structure, protection rings