Summary

CISSP summary

Pages: 103
Uploaded on: 22-01-2016
Written in: 2015/2016

Summary of the study book CISSP All-in-One Exam Guide, 6th Edition by Shon Harris - ISBN: 9780071781732, Edition: 6, Year of publication: 2012 (CISSP summary)

Sample of the content

CISSP summary
Contents
Chapter 2: Information Security Governance and Risk Management ................................................. 2
Chapter 3: Access Control .................................................................................................................. 21
Chapter 4: Security Architecture and Design .................................................................................... 33
Chapter 5: Physical and Environmental Security ............................................................................... 46
Chapter 6: Telecommunications and Network Security.................................................................... 50
Chapter 7: Cryptography.................................................................................................................... 66
Chapter 8: Business Continuity and Disaster Recovery ..................................................................... 77
Chapter 9: Legal, Regulations, Investigations and Compliance ......................................................... 82
Chapter 10: Software Development Security .................................................................................... 88
Chapter 11: Security Operations ..................................................................................................... 100

Chapter 2: Information Security Governance and Risk Management

Fundamental principles of security:

Availability protection ensures reliable and timely access to data and resources for authorized individuals.
Integrity is upheld when the accuracy and reliability of information and systems is assured and any unauthorized modification is prevented.
Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.

Key Terms
• Availability: Reliable and timely access to data and resources is provided to authorized individuals.
• Integrity: Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.
• Confidentiality: Necessary level of secrecy is enforced and unauthorized disclosure is prevented.
• Shoulder surfing: Viewing information in an unauthorized manner by looking over the shoulder of someone else.
• Social engineering: Gaining unauthorized access by tricking someone into divulging sensitive information.

A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited.
A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual.
A threat agent is the entity that takes advantage of a vulnerability.
A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
An exposure is an instance of being exposed to losses.
A control, or countermeasure, is put into place to mitigate (reduce) the potential risk.
Key Terms
• Vulnerability: Weakness or a lack of a countermeasure.
• Threat agent: Entity that can exploit a vulnerability.
• Threat: The danger of a threat agent exploiting a vulnerability.
• Risk: The probability of a threat agent exploiting a vulnerability and the associated impact.
• Control: Safeguard that is put in place to reduce a risk, also called a countermeasure.
• Exposure: Presence of a vulnerability, which exposes the organization to a threat.

Control types
Administrative controls are commonly referred to as “soft controls” because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training.

Technical controls (also called logical controls) are software or hardware components, such as firewalls, IDS, encryption, and identification and authentication mechanisms.

Physical controls are items put into place to protect facilities, personnel, and resources.

These control types need to be put into place to provide defense-in-depth, which is the coordinated use of multiple security controls in a layered approach.

• Deterrent: Intended to discourage a potential attacker
• Preventive: Intended to avoid an incident from occurring
• Corrective: Fixes components or systems after an incident has occurred
• Recovery: Intended to bring the environment back to regular operations
• Detective: Helps identify an incident’s activities and potentially an intruder
• Compensating: Controls that provide an alternative measure of control
Key Terms: Control Types and Functionalities
• Control types: Administrative, technical, and physical
• Control functionalities:
– Deterrent: Discourage a potential attacker
– Preventive: Stop an incident from occurring
– Corrective: Fix items after an incident has occurred
– Recovery: Restore necessary components to return to normal operations
– Detective: Identify an incident’s activities after it took place
– Compensating: Alternative control that provides similar protection as the original control
• Defense-in-depth: Implementation of multiple controls so that successful penetration and compromise is more difficult to attain

Security Frameworks
The concept of security through obscurity is the assumption that your enemies are not as smart as you are and that they cannot figure out something that you feel is very tricky. “There are only two people in the world I trust: you and me—and I’m not so sure about you.”

ISO/IEC 27000 Series
• Frameworks:
– ISO/IEC 27000 Series
– Enterprise Architecture Development (partly)
– Security Controls Development
– COSO
– Process Management Development

• Security Program Development
– ISO/IEC 27000 series: International standards on how to develop and maintain an ISMS, developed by ISO and IEC
• Enterprise Architecture Development
– Zachman framework: Model for the development of enterprise architectures, developed by John Zachman
– TOGAF: Model and methodology for the development of enterprise architectures, developed by The Open Group
– DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
– MODAF: Architecture framework used mainly in military support missions, developed by the British Ministry of Defence
• Security Enterprise Architecture Development
– SABSA model: Model and methodology for the development of information security enterprise architectures
• Security Controls Development
– CobiT: Set of control objectives for IT management, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
– SP 800-53: Set of controls to protect U.S. federal systems, developed by the National Institute of Standards and Technology (NIST)
• Corporate Governance
– COSO: Set of internal corporate controls to help reduce the risk of financial fraud, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
• Process Management
– ITIL: Processes to allow for IT service management, developed by the United Kingdom’s Office of Government Commerce
– Six Sigma: Business management strategy that can be used to carry out process improvement
– Capability Maturity Model Integration (CMMI): Organizational development for process improvement, developed by Carnegie Mellon
Enterprise Architecture Development
• Guides modeling of an enterprise
– Stakeholders
– Views: information that is most important to the different stakeholders is illustrated in the most useful manner
• Alignment of business and technology
• Business and technology view the same organization in ways that make sense to them

Zachman framework

The Open Group Architecture Framework (TOGAF)

Security frameworks

• DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals

– Focuses on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes.

• MODAF: Architecture framework used mainly in military support missions, developed by the British Ministry of Defence

– Gets data in the right format to the right people as soon as possible.

• SABSA model (Sherwood Applied Business Security Architecture): Model and methodology for the development of information security enterprise architectures

– Integrates the requirements outlined in our security program into our existing business structure
Strategic alignment means the business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.
When looking at the business enablement requirement of the security enterprise architecture, we need to remind ourselves that companies are in business to make money.
The process enhancement piece can be quite beneficial to an organization if it takes advantage of this capability when it is presented to them.
Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how well the current security solutions, and the architecture as a whole, are performing.

• CobiT (Control Objectives for Information and related Technology): Set of control objectives for IT management, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
– Defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs
– Provides a “checklist” approach to IT governance: a list of things that must be thought through and accomplished when carrying out different IT functions
Author: kevintjeuh, Hogeschool Windesheim