Introduction to CISSP course
Submitted by: Muhammad Uzair Siddiqui
Submitted To: IEC Team(Cyber Security)
Assignment No: Probation Assignment
CONTENTS
Security Definition.
Fundamental Principles of Security
Information Classification Program
Approach to security management
Organizational Policy.
Hiring and Firing Issues
Security-Awareness Training
Training Characteristics
What is meant by CISSP?
Certified Information Systems Security Professional (CISSP) is an information security certification
developed by the International Information Systems Security Certification Consortium, also known
as (ISC)².
Security Definition.
The words “vulnerability,” “threat,” “risk,” “exposure” and “countermeasure” are often
interchanged, even though they have different meanings. It is important to understand each word’s
definition and the relationships between the concepts they represent.
Vulnerability
Threat
Risk
Exposure
An exposure is a software error that allows hackers to break into a system. During
an exposure, attackers may gain information or hide unauthorized actions.
Countermeasure
The CIA triad is a common model that forms the basis for the development of security systems.
It is used for finding vulnerabilities and for devising methods to address them.
Availability:
This means that the information is available to authorized users when it is needed. For a system to
demonstrate availability, it must have properly functioning computing systems, security controls
and communication channels. Systems defined as critical (power generation, medical equipment,
safety systems) often have extreme requirements related to availability. These systems must be
resilient against cyber threats, and have safeguards against power outages, hardware failures and
other events that might impact the system availability.
Integrity:
Data integrity refers to the certainty that the data is not tampered with or degraded during or after
submission. It is the certainty that the data has not been subject to unauthorized modification,
either intentional or unintentional. There are two points at which integrity could be compromised:
during the upload or transmission of the data, or during the storage of the document in the database
or collection.
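The two points named above (in transit and at rest) can both be checked with the same mechanism: a keyed message authentication code computed at submission time and re-verified whenever the data is read back. The following is an added example written for this page, not code from the assignment; the shared key, the record and the two tampering simulations are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; a real deployment would load it
# from a secrets store, never from source code.
SHARED_KEY = b"constructed-example-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so sender and verifier hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Produce an envelope {payload, tag} where tag = HMAC-SHA256(key, payload).

    The tag is computed at the moment of submission, so any later change to the
    payload, whether in flight or in the database, will no longer match it.
    """
    payload = canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode("utf-8"), "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Return True only if the payload still matches its tag under the given key."""
    expected = hmac.new(key, envelope["payload"].encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the check does not leak how many
    # leading characters of the tag a caller guessed correctly.
    return hmac.compare_digest(expected, envelope["tag"])


def tamper_in_transit(envelope: dict) -> dict:
    """Simulate an intentional modification while the data is being uploaded."""
    altered = dict(envelope)
    altered["payload"] = envelope["payload"].replace('"amount":100,', '"amount":1000,')
    return altered


def corrupt_at_rest(envelope: dict) -> dict:
    """Simulate unintentional degradation (a single flipped bit) in stored data."""
    data = bytearray(envelope["payload"].encode("utf-8"))
    data[0] ^= 0x01
    altered = dict(envelope)
    altered["payload"] = data.decode("utf-8", errors="replace")
    return altered


def integrity_report(record: dict) -> dict:
    """Run the checks the text describes and report which ones still pass."""
    env = protect(record)
    return {
        "untouched": verify(env),
        "after_transit_tamper": verify(tamper_in_transit(env)),
        "after_storage_corruption": verify(corrupt_at_rest(env)),
        "wrong_key": verify(env, key=b"some-other-constructed-key"),
    }


if __name__ == "__main__":
    # Constructed sample record for the demonstration.
    sample = {"account": "ACC-0001", "amount": 100, "currency": "USD"}
    print(integrity_report(sample))
```

Only the untouched envelope verifies; the intentional change in transit, the accidental bit flip in storage and a verifier holding the wrong key all fail the check. The canonical serialisation matters: if sender and verifier serialised the same record differently (key order, whitespace), a legitimate record would fail verification and the control would be disabled in practice.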
Confidentiality:
This component is often associated with secrecy and the use of encryption. Confidentiality in this
context means that the data is only available to authorized parties. When information has been kept
confidential it means that it has not been compromised by other parties; confidential data are not
disclosed to people who do not require them or who should not have access to them. Ensuring
confidentiality means that information is organized in terms of who needs to have access, as well as
the sensitivity of the data. A breach of confidentiality may take place through different means, for
instance hacking or social engineering.
Return on investment, by implementing controls where they are needed the most
Map data protection levels to organizational needs
Mitigate threats of unauthorized access and disclosure
Comply with legal and regulatory requirements
Maintain competitive status
Classification Levels
There are no hard and fast rules on the classification levels that an organization should use. An
organization could choose to use any of the classification levels presented in Table 2-1. One organization
may choose to use only two layers of classification, while another company may choose to use four.
Table 2-1 explains the types of classification available. Note that some classifications are more
commonly used for commercial businesses, whereas others are military classifications. The following
shows the common levels of sensitivity from the highest to the lowest for commercial business:
Bottom-Up Approach
Staff member or group drives the initiative
Background check
Drug screening
Credit check
Termination procedure
Security-Awareness Training
For an organization to achieve the desired results of its security program, it must communicate the
what, how, and why of security to its employees. Security-awareness training should be comprehensive,
tailored for specific groups, and organization-wide. It should repeat the most important messages in
different formats; be kept up to date; be entertaining, positive, and humorous; be simple to understand;
and—most important—be supported by senior management. Management must allocate the resources
for this activity and enforce its attendance within the organization.
Training Characteristics