
Shon Harris on CISSP 1.1 to 1.9
Introduction to CISSP course
Submitted by: Muhammad Uzair Siddiqui
Submitted To: IEC Team (Cyber Security)
Assignment No: Probation Assignment

CONTENTS
• Security Definition
• Fundamental Principles of Security
• Information Classification Program
• Approach to Security Management
• Organizational Policy
• Hiring and Firing Issues
• Security-Awareness Training
• Training Characteristics

What is meant by CISSP?
Certified Information Systems Security Professional (CISSP) is an information security certification
developed by the International Information Systems Security Certification Consortium, also known
as (ISC)².

Security Definition

The words “vulnerability,” “threat,” “risk,” “exposure,” and “countermeasure” are often
interchanged, even though they have different meanings. It is important to understand each
word’s definition and the relationships between the concepts they represent.

Vulnerability

• Lack of security understanding
• Lack of a countermeasure

Threat

• Someone uncovering a vulnerability and exploiting it.

Risk

• A risk comprises a threat and a vulnerability of an asset.
• The probability of a vulnerability being exploited by a threat, and the resulting business
impact.

Exposure

• An exposure is a software error that allows hackers to break into a system. During an
exposure, attackers may gain information or hide unauthorized actions.

Countermeasure

• A countermeasure is an action, process, device, or system that can prevent, or mitigate
the effects of, threats to a computer, server, or network.

Fundamental Principles of Security
We need to understand the core goals of security, which are to provide availability, integrity, and
confidentiality (AIC triad) protection for critical assets. Each asset will require
different levels of these types of protection, as we will see in the following sections. All
security controls, mechanisms, and safeguards are implemented to provide one or more
of these protection types, and all risks, threats, and vulnerabilities are measured for their
potential capability to compromise one or all of the AIC principles.
Why is the AIC triad important?

The AIC (or CIA) triad is a common model that forms the basis for the development of security systems.
It is used for finding vulnerabilities and for working out the methods that will address them.

The three letters in "AIC triad" stand for:

Availability:
This means that the information is available to authorized users when it is needed. For a system to
demonstrate availability, it must have properly functioning computing systems, security controls
and communication channels. Systems defined as critical (power generation, medical equipment,
safety systems) often have extreme requirements related to availability. These systems must be
resilient against cyber threats, and have safeguards against power outages, hardware failures and
other events that might impact the system availability.

Integrity:
Data integrity refers to the certainty that the data is not tampered with or degraded during or after
submission. It is the certainty that the data has not been subject to unauthorized modification,
either intentional or unintentional. There are two points at which integrity can be compromised:
during the upload or transmission of the data, and during the storage of the document in the
database or collection.
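As an added illustration (not part of the original assignment) of how integrity at either of those two points is checked in practice: a keyed hash (HMAC-SHA256) is computed over a record before it is stored or sent, and recomputed when the record is read back or received; any modification in between produces a different tag. The key value and the record contents below are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed example key. A real deployment would keep the key in a secrets
# store, not in source code, and would rotate it.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def _canonical(record: dict) -> bytes:
    # Authenticate a canonical JSON form (sorted keys, no extra whitespace) so
    # that field order does not affect the tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC tag to a record before it is stored or transmitted."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag on read/receipt; False means the record was altered
    (or the tag was forged without the key)."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking, through timing, where the tags differ.
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> tuple:
    """Seal a constructed record, then simulate tampering in storage."""
    original = {"patient_id": 1042, "dosage_mg": 5}
    stored = seal(original)
    ok_before = verify(stored)
    stored["record"]["dosage_mg"] = 50   # unauthorized modification at rest
    ok_after = verify(stored)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The tag only detects modification; it does not prevent it. Preventing the change is the job of access controls on the store or channel, and the tag is what lets a reader notice when those controls have failed.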

Confidentiality:
This component is often associated with secrecy and the use of encryption. Confidentiality in this
context means that the data is only available to authorized parties. When information has been kept
confidential it means that it has not been compromised by other parties; confidential data are not
disclosed to people who do not require them or who should not have access to them. Ensuring
confidentiality means that information is organized in terms of who needs to have access, as well as
the sensitivity of the data. A breach of confidentiality may take place through different means, for
instance hacking or social engineering.

Information Classification Program

An important metadata item that should be attached to all our information is a classification level. This
classification tag, which remains attached (and perhaps updated) throughout the life cycle of the
information, is important to determining the protective controls we apply to the information.
The rationale behind assigning values to different types of data is that it enables a company to gauge
the amount of funds and resources that should go toward protecting each type of data, because not all
data has the same value to a company. After identifying all important information, it should be properly
classified. A company copies and creates a lot of information that it must maintain, so classification is
an ongoing process and not a one-time effort.
Classification goals

• Return on investment, by implementing controls where they are needed the most
• Map data protection levels to organizational needs
• Mitigate threats of unauthorized access and disclosure
• Comply with legal and regulatory requirements
• Maintain competitive status

Classification Levels

There are no hard and fast rules on the classification levels that an organization should use. An
organization could choose to use any of the classification levels presented in Table 2-1. One organization
may choose to use only two layers of classifications, while another company may choose to use four.
Table 2-1 explains the types of classifications available. Note that some classifications are more
commonly used for commercial businesses, whereas others are military classifications. The following
shows the common levels of sensitivity from the highest to the lowest for commercial business:

Testing the classification program

• Are documents in open view?
• Is sensitive information viewable on computer screens?
• How is sensitive data destroyed?
• Review user access levels
• Review an information flow matrix
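The last two checks above (reviewing user access levels and an information flow matrix) are things a security team can automate once the classification tag is carried as metadata. The following is an added example, not code from the assignment or from Shon Harris's material: it assumes an ordered set of commercial classification levels (the four labels below are an assumption for the example, not the page's Table 2-1), gives each document a classification tag and each user a clearance, and then flags (a) log entries where a user read a document above their clearance and (b) flows that move data onto a system accredited below the data's classification. The users, documents, log, and flows are constructed.

```python
from dataclasses import dataclass

# Assumed commercial classification levels, lowest to highest (example only).
LEVELS = ["public", "sensitive", "private", "confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def rank(level: str) -> int:
    """Numeric rank of a classification level; rejects unknown labels so a typo
    in a tag cannot silently pass as the lowest level."""
    if level not in RANK:
        raise ValueError(f"unknown classification level: {level!r}")
    return RANK[level]


@dataclass(frozen=True)
class Document:
    name: str
    classification: str   # classification tag carried as metadata


@dataclass(frozen=True)
class User:
    name: str
    clearance: str


def can_access(user: User, doc: Document) -> bool:
    """A user may read a document only if their clearance is at or above its classification."""
    return rank(user.clearance) >= rank(doc.classification)


def review_access(users, documents, access_log):
    """Review user access levels: return (user, doc, clearance, classification)
    for every logged read that exceeded the reader's clearance."""
    users_by_name = {u.name: u for u in users}
    docs_by_name = {d.name: d for d in documents}
    violations = []
    for user_name, doc_name in access_log:
        user, doc = users_by_name[user_name], docs_by_name[doc_name]
        if not can_access(user, doc):
            violations.append((user_name, doc_name, user.clearance, doc.classification))
    return violations


def review_flows(documents, flows):
    """Review an information flow matrix: each flow is (doc, destination system,
    highest level that system is accredited to hold). Flag flows that would put
    data on a system accredited below the data's classification."""
    docs_by_name = {d.name: d for d in documents}
    findings = []
    for doc_name, dest_system, dest_level in flows:
        doc = docs_by_name[doc_name]
        if rank(doc.classification) > rank(dest_level):
            findings.append((doc_name, dest_system, doc.classification, dest_level))
    return findings


# Constructed sample data for the review.
USERS = [User("alice", "confidential"), User("bob", "sensitive"), User("carol", "public")]
DOCS = [
    Document("q3-forecast", "confidential"),
    Document("press-release", "public"),
    Document("hr-salaries", "private"),
]
ACCESS_LOG = [
    ("alice", "q3-forecast"),
    ("bob", "hr-salaries"),      # sensitive clearance reading private data
    ("carol", "press-release"),
    ("carol", "q3-forecast"),    # public clearance reading confidential data
]
FLOWS = [
    ("hr-salaries", "payroll-server", "private"),
    ("q3-forecast", "public-website", "public"),   # confidential data to a public system
]

if __name__ == "__main__":
    for v in review_access(USERS, DOCS, ACCESS_LOG):
        print("access violation:", v)
    for f in review_flows(DOCS, FLOWS):
        print("flow violation:", f)
```

Both reviews only work if every document actually carries a tag and every user actually has a recorded clearance; the `rank` check turns a missing or misspelled label into an error rather than a silent pass, which is the failure mode an audit of the classification program is trying to catch.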

Approach to security management

Top-down Approach
• Security is directed, driven, and supported by senior management

Bottom-Up Approach
• A staff member or group drives the initiative

Top-down Approach        Bottom-Up Approach
Senior Management        Staff
Middle Management        Middle Management
Staff                    Senior Management



Organizational Policy
Policy should have the following goals:

• Define the security program
• Set strategic
• Assign responsibilities
• Identify assets
• Define the security team
• Address exceptions and discipline

Hiring and Firing Issues

Pre-employment

• Background check
• Drug screening
• Credit check

Termination procedure

• Complete an exit interview
• Review the non-disclosure agreement
• User passwords must be changed

Security-Awareness Training
For an organization to achieve the desired results of its security program, it must communicate the
what, how, and why of security to its employees. Security-awareness training should be comprehensive,
tailored for specific groups, and organization-wide. It should repeat the most important messages in
different formats; be kept up to date; be entertaining, positive, and humorous; be simple to understand;
and—most important—be supported by senior management. Management must allocate the resources
for this activity and enforce its attendance within the organization.
Training Characteristics