CISSP Domain #1 Cheat Sheet: Security and Risk Management
The main objective of this domain is to test the candidate's understanding of risk assessment, risk analysis, data classification and security awareness. You may find some of the points to be vague or incorrect, but for CISSP they hold good. Following are the main concepts with regard to this domain:
• Understanding of the CIA and DAD triads: Under the triad of confidentiality, integrity and availability, be ready to face some questions about the violation of these principles.
• Confidentiality: An important point to note about confidentiality is that it is usually granted with the principle of least privilege.
• Integrity: Information should not be modified by unauthorized means.
• Availability: This principle states that the services/systems should be up and running to fulfill business needs.
In contrast to CIA, there is another triad, DAD, which is just the opposite of it. Again, it is very basic, but you can get one question out of that. The list below shows the contrast between CIA and DAD:
  Confidentiality  vs.  Disclosure
  Integrity        vs.  Alteration
  Availability     vs.  Destruction
• We all say that security is everyone's responsibility, which is true, but within an organization the accountability for ensuring the protection of all business information falls under the Information Security Officer. It is the duty of the ISO to ensure that all the security policies and guidelines have been defined to meet information security needs.
• Concept of Due Care and Due Diligence: In simple words, due care is the action taken by personnel in a particular situation to protect the corporate asset. Due diligence is like an advanced version of due care, i.e., making sure that all the actions specified by the organization to protect corporate assets are properly applied.
• Wassenaar Agreement: An important point to remember about the Wassenaar Agreement is that, for its signatories, it defines an international agreement on cryptography.
• Organization for Economic Cooperation and Development (OECD) Guidelines: An important point to note about these guidelines is that they fall under the privacy part and provide all the guidelines for protecting the privacy of individual information being collated, such as the collection limitation principle, the data safeguard principle, etc.
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
• The most important aspect of a successful business continuity program is NOT:
  • A well-defined project scope
  • Available resources
  • Timeline
  but "Senior Management Support."
• The main goal of a Business Impact Analysis is to determine the impact that an unwanted event will have on the organization. A BIA exercise defines the criticality of business functions, the maximum tolerable downtime (MTD), and the resources available to overcome a disruptive event.
• Another important point to note about BIA is that the most overlooked step in a BIA exercise is the last step, which is to document the results of the BIA and present recommendations.
• Concept of RTO, RPO, and MTD: Recovery time objective (RTO) relates to core business applications and is the maximum downtime after which those should be restored. On the other hand, recovery point objective (RPO) is the point in time to which data is restored for further processing. MTD is the point after which the business function is no longer sustainable.
• Concept of Job Rotation and Separation of Duties: Job rotation is done to reduce the risk that individuals may have prolonged exposure to assets/information; this reduces the risk of collusion between individuals. Separation of duties is done to prevent an individual from executing all the steps of a process. The best choice for an organization is to combine both job rotation and separation of duties.
• Qualitative Risk Assessment & Quantitative Risk Assessment: Qualitative risk analysis will give results that are not measurable. Risk is usually seen as the product of likelihood and impact. On the other hand, quantitative risk assessment will give results that are measurable. It has well-defined formulas, and there will surely be a question on this in the exam:
  • Single Loss Expectancy (SLE) = Asset Value * Exposure Factor
  • Annualized Loss Expectancy (ALE) = SLE * Annualized Rate of Occurrence (ARO)
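As an added example (not part of the original cheat sheet), the SLE and ALE formulas above worked through in Python for a few constructed scenarios; the asset values, exposure factors and occurrence rates are hypothetical, and the ranking shows why the ALE, not the SLE, is the figure used to compare risks.

```python
"""Worked SLE/ALE computation (added example; all figures are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected occurrences per year (may be < 1)

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF (loss from one event)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO (expected loss per year)."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def rank_by_ale(scenarios):
    """Order scenarios from highest to lowest annual expected loss,
    which is the measurable figure used to prioritize risks."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed, hypothetical scenarios; not taken from the cheat sheet.
SCENARIOS = [
    RiskScenario("Ransomware on file server", 200_000, 0.5, 0.2),  # once in 5 years
    RiskScenario("Laptop theft", 3_000, 1.0, 4.0),                 # four per year
    RiskScenario("Data center flood", 1_000_000, 0.8, 0.01),       # once in 100 years
]

if __name__ == "__main__":
    # The largest single loss (the flood) is not the largest annualized loss.
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:26s} SLE={s.sle():>12,.2f}  ALE={s.ale():>10,.2f}")
```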
• Risk Assignment: Risk avoidance, risk transfer, risk mitigation, risk acceptance. The important point to note about risk transfer is that not all the risk can be transferred.
• Access Controls: This is a very important topic from this domain, as some controls will be given and the question will be to find the type of controls they are. Below are the main categories of access control.
  • Directive Controls: These controls provide guidance toward accepted behavior.
  • Deterrent Controls: These controls mostly discourage unwanted activities.
  • Preventive Controls: These controls prevent a user from performing an action. Understand the difference between deterrent & preventive controls: preventive controls are not optional, as deterrent controls are.
  • Compensating Controls: These controls come to the rescue when the existing control capabilities are not good enough.
  • Detective Controls: These controls give notifications of an incident. They fall in the post-incident category.
  • Corrective Controls: These controls fill the gaps within existing controls that led to an incident.
  • Recovery Controls: These controls reinstate the state to normal after an incident.
• All these access controls can be categorized as either administrative, physical or logical controls.
• Penetration Testing Types: It is important to know the following testing types (especially the names):
  • Internal Testing: This is done within an organization with full knowledge of the whole architecture, deployed controls, etc.
  • Blind Testing: This presents more like an attacker scenario, but the internal team is aware of it and can prepare to defend against it.
  • Double Blind Testing: This presents a complete attacker scenario, but the internal team is NOT aware of it and so cannot prepare to defend against it.
• Continuous Improvement cycle: Plan > Do > Act > Check (PDCA). This is also known as the Deming cycle or Shewhart cycle.
• Differences between the following attacks:
  • Social Engineering Attack
  • Pretexting Attack
  • Phishing Attack
  • Baiting Attack
  • Tailgating Attack
• Understand the implied risks that arise during an acquisition.
• Difference between SLA and Assurance: An SLA provides the acceptable level of performance, and the penalty, agreed between provider and customer. However, an SLA does not guarantee compliance. Assurance gives the opportunity to check the profile of the provider by conducting inspections, reviews, etc.
This brings us to the end of Module 1. Please note that this is not a comprehensive list of all the topics. However, it presents the topics with a high probability of appearing in the exam.