CISSP Prepare Guide Notes (recommended Word document download).docx
- Document number: 19895512
- Upload date: 2023-01-11
- Format: DOCX
- Pages: 143
- Size: 167.40KB
Domain 8 – Business Continuity and Disaster Recovery Planning ... 70
Domain 9 – Law, Investigation and Ethics ... 78
Domain 10 – Physical Security ... 87
Domain 1 – Security Management Practices

The Big Three - C.I.A.
- Confidentiality – Prevent disclosure of data
- Integrity – Prevent modification of data
- Availability – Ensure reliable, timely access to data

Other Important Concepts
- Identification – Means by which a user claims an identity
- Authentication – Establishes the user's identity
- Accountability – The system's ability to determine the actions of users
- Authorization – Rights and permissions granted to an individual
- Privacy – Level of confidentiality that a user is given

The objective of security is to reduce the effects of threats and vulnerabilities to a tolerable level.

Risk Analysis
Assess the following:
- Impact of the threat
- Risk of the threat occurring (likelihood)
Controls reduce both the impact of the threat and the likelihood of the threat; both reductions count in the cost/benefit of controls.

Data Classification
- Data classification has high-level, enterprise-wide benefit
- Demonstrates the organization's commitment to security
- Helps identify sensitive and vital information
- Supports C.I.A.
- May be required for legal or regulatory reasons
Data owners are responsible for defining the sensitivity level of the data.

Government Classification Terms:
- Unclassified – Neither sensitive nor classified; public release is acceptable
- Sensitive But Unclassified (SBU) – Minor secret; no serious damage if disclosed
- Confidential – Disclosure could cause damage to national security
- Secret – Disclosure could cause serious damage to national security
- Top Secret – Highest level; disclosure could cause exceptionally grave damage to national security
In addition, there must be a Need to Know: having "secret" clearance does not grant access to all "secret" data, only to the "secret" data you have a need to know.
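The clearance-plus-need-to-know rule above is easy to get wrong in code if the two checks are collapsed into one. The following is an added example, not code from the notes: it keeps the clearance comparison and the need-to-know (compartment) check as two independent conditions and denies unless both pass. The level names follow the government classification terms listed above; the subject, document and compartment names (such as "PROJECT-A") are constructed placeholders.

```python
"""Clearance plus need-to-know access decision.

Added example, not from the CISSP notes. The level names follow the
government classification terms in the notes; the subject, document and
compartment names (e.g. "PROJECT-A") are constructed placeholders.
"""
from dataclasses import dataclass

# Government classification levels, ordered from lowest to highest.
LEVELS = ("Unclassified", "Sensitive But Unclassified",
          "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                         # one of LEVELS
    need_to_know: frozenset = frozenset()  # compartments the subject is read into


@dataclass(frozen=True)
class DataObject:
    label: str
    classification: str                    # one of LEVELS
    compartments: frozenset = frozenset()  # compartments the data belongs to


def denial_reasons(subject: Subject, obj: DataObject) -> list:
    """Return the reasons access is denied (an empty list means allowed).

    Two independent checks must both pass:
      1. clearance: the subject's level must be at least the object's level;
      2. need to know: the subject must be read into every compartment on
         the object. A "Secret" clearance by itself is not enough for
         "Secret" data in a compartment the subject has not been read into.
    """
    for level in (subject.clearance, obj.classification):
        if level not in RANK:
            raise ValueError(f"unknown classification level: {level!r}")
    reasons = []
    if RANK[subject.clearance] < RANK[obj.classification]:
        reasons.append(f"clearance {subject.clearance} is below {obj.classification}")
    missing = obj.compartments - subject.need_to_know
    if missing:
        reasons.append("no need to know for " + ", ".join(sorted(missing)))
    return reasons


def can_read(subject: Subject, obj: DataObject) -> bool:
    """Deny by default: access is granted only when no denial reason applies."""
    return not denial_reasons(subject, obj)


if __name__ == "__main__":
    # Constructed sample data: a Secret-cleared user read into one compartment.
    alice = Subject("alice", "Secret", frozenset({"PROJECT-A"}))
    documents = [
        DataObject("project-a-plan", "Secret", frozenset({"PROJECT-A"})),
        DataObject("project-b-budget", "Secret", frozenset({"PROJECT-B"})),
        DataObject("project-a-sources", "Top Secret", frozenset({"PROJECT-A"})),
        DataObject("press-release", "Unclassified"),
    ]
    for doc in documents:
        verdict = "ALLOW" if can_read(alice, doc) else "DENY"
        print(f"{verdict:5} {doc.label:20} {denial_reasons(alice, doc)}")
```

Running the script shows the point of the rule: "project-b-budget" is denied even though it is only "Secret" and the subject holds a "Secret" clearance, because the compartment check fails independently of the level check.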
Additional Public Classification Terms
- Public – Similar to unclassified; should not be disclosed, but is not a problem if it is
- Sensitive – Data protected from loss of confidentiality and integrity
- Private – Data that is personal in nature and for company use only
- Confidential – Very sensitive, for internal use only; disclosure could seriously and negatively impact the company

Classification Criteria
- Value – The number one criterion; if it is valuable it should be protected
- Age – The value of data lowers over time, allowing automatic de-classification
- Useful Life – If the information is made obsolete it can often be de-classified
- Personal Association – If the data contains personal information it should remain classified

Distribution may be required in the event of the following:
- Court Order – May be required by court order
- Government Contracts – Government contractors may need to disclose classified information
- Senior Level Approval – Senior executives may approve release

Information Classification Roles
Owner
- May be an executive or manager
- Has final corporate responsibility for the protection of the data
- Makes the determination of classification level
- Reviews the classification level regularly for appropriateness
- Delegates the responsibility of data protection to the Custodian
Custodian
- Generally IT systems personnel
- Runs regular backups and tests recovery
- Performs restoration when required
- Maintains records in accordance with the classification policy
User
- Anyone who routinely uses the data
- Must follow operating procedures
- Must take due care to protect the data
- Must use the computing resources of the company for company purposes only
Policies, Standards, Guidelines and Procedures
- Policies are the highest level of documentation
- Standards, Guidelines and Procedures are derived from policies
- Policies should be created first, but are no more important than the rest

Senior Management Statement – a general, high-level statement
- Acknowledgment of the importance of computing resources
- Statement of support for information security
- Commitment to authorize lower-level Standards, Guidelines and Procedures

Regulatory Policies – the company is required to implement these due to legal or regulatory requirements
- Usually very detailed and specific to the industry of the organization
- Two main purposes:
  - To ensure the company is following industry-standard procedures
  - To give the company confidence that it is following industry-standard procedures

Advisory Policies – not mandated, but strongly suggested
- The company wants employees to consider these mandatory
- Advisory Policies can have exclusions for certain employees or job functions

Informative Policies
- Exist simply to inform the reader
- No implied or specified requirements

Standards, Guidelines and Procedures
- Contain the actual detail of the policy
- How the policies should be implemented
- Should be kept separate from one another:
  - Different audiences
  - Security controls are different for each policy type
  - Updating the policy is more manageable

Standards – Specify the use of technology in a uniform way; compulsory
Guidelines – Similar to standards but not compulsory; more flexible
Procedures – Detailed steps; required; sometimes called "practices"; the lowest level
Baselines – Baselines are similar to standards; standards can be developed after the baseline is established

Roles and Responsibilities
- Senior Management – Has ultimate responsibility for security
- Infosec Officer – Has the functional responsibility for security
- Owner – Determines the data classification
- Custodian – Preserves C.I.A.
- User – Performs in accordance with stated policy
- Auditor – Examines security
Risk Management
Mitigate (reduce) risk to a level acceptable to the organization.

Identification of Risk
- Actual threat
- Possible consequences
- Probable frequency
- Likelihood of event
- Identification of risks
- Benefit/cost justification of countermeasures

Risk Analysis Terms
- Asset – Resource, product, data
- Threat – Action with a negative impact
- Vulnerability – Absence of a control
- Safeguard – Control or countermeasure
- Exposure Factor – % of asset loss caused by the threat
- Single Loss Expectancy (SLE) – Expected financial loss for a single event
  SLE = Asset Value x Exposure Factor
- Annualized Rate of Occurrence (ARO) – Represents the estimated frequency with which the threat will occur within one year
- Annualized Loss Expectancy (ALE) – Annually expected financial loss
  ALE = SLE x ARO
- Risk analysis is more comprehensive than a Business Impact Analysis
- Quantitative – Assigns objective numerical values (dollars)
- Qualitative – More intangible values (data)
- Quantitative analysis is a major project that requires a detailed process plan

Preliminary Security Examination (PSE)
- Often conducted prior to the quantitative analysis
- The PSE helps gather the elements that will be needed for the actual RA

Risk Analysis Steps
1) Estimate potential loss
2) Analyze potential threats
3) Define the Annualized Loss Expectancy (ALE)
Categories of Threats
- Data Classification – Malicious code or logic
- Information Warfare – Technically oriented terrorism
- Personnel – Unauthorized system access
- Application/Operational – Ineffective security results in data entry errors
- Criminal – Physical destruction or vandalism
- Environmental – Utility outage, natural disaster
- Computer Infrastructure – Hardware failure, program errors
- Delayed Processing – Reduced productivity, delayed collections processing

Annualized Loss Expectancy (ALE)
Risk analysis should contain the following:
- Valuation of critical assets
- Detailed listing of significant threats
- Each threat's likelihood
- Loss potential by threat
- Recommended remedial safeguards

Remedies
- Risk Reduction – Implementation of controls to alter the risk position
- Risk Transference – Get insurance; transfer the cost of a loss to the insurer
- Risk Acceptance – Accept the risk and absorb the loss

Qualitative Scenario Procedure
- Scenario oriented
- List the threat and the frequency
- Create an exposure rating scale for each scenario
- A scenario is written that addresses each major threat
- Each scenario is reviewed by business users for a reality check
- The Risk Analysis team evaluates and recommends safeguards
- Work through each finalized scenario
- Submit findings to management

Value Assessment
- Asset valuation is necessary to perform cost/benefit analysis
- Necessary for insurance
- Supports safeguard choices

Safeguard Selection
- Perform cost/benefit analysis
- Costs of safeguards need to be considered, including:
  - Purchase, development and licensing costs
  - Installation costs
  - Disruption to production
  - Normal operating costs

Cost Benefit Analysis
ALE (Pre-Control) – ALE (Post-Control) = Annualized value of the control
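The formulas in the Risk Analysis Terms (SLE = Asset Value x Exposure Factor, ALE = SLE x ARO) and the Cost Benefit Analysis rule above (ALE pre-control minus ALE post-control) are worked through below for one asset and two candidate safeguards. This is an added example, not material from the notes. It goes one step beyond the page's formula by also subtracting each safeguard's annualized cost, built from the cost items listed under Safeguard Selection (purchase/development/licensing, installation, disruption, operating costs), so that a control whose annualized value is smaller than what it costs to run is not selected. The asset value, threat figures, safeguard names and costs are all constructed sample numbers.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example, not part of the CISSP notes. The asset value, threat
figures, safeguard names and costs below are constructed sample numbers.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of asset value lost per event (0.0 - 1.0)
    aro: float              # Annualized Rate of Occurrence (events per year)


@dataclass(frozen=True)
class Safeguard:
    name: str
    purchase_cost: float          # purchase, development and licensing (one-time)
    installation_cost: float      # one-time
    disruption_cost: float        # lost production during rollout (one-time)
    annual_operating_cost: float  # normal operating costs per year
    useful_life_years: int        # one-time costs are spread over this period
    residual_ef: float            # exposure factor once the control is in place
    residual_aro: float           # ARO once the control is in place

    def annual_cost(self) -> float:
        """Annualized cost of the safeguard (one-time costs amortized plus operating)."""
        one_time = self.purchase_cost + self.installation_cost + self.disruption_cost
        return one_time / self.useful_life_years + self.annual_operating_cost


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def control_value(asset_value: float, threat: Threat, sg: Safeguard) -> float:
    """ALE (pre-control) - ALE (post-control): the annualized value of the control."""
    before = ale(asset_value, threat.exposure_factor, threat.aro)
    after = ale(asset_value, sg.residual_ef, sg.residual_aro)
    return before - after


def net_benefit(asset_value: float, threat: Threat, sg: Safeguard) -> float:
    """Annualized value of the control minus what the control costs per year."""
    return control_value(asset_value, threat, sg) - sg.annual_cost()


def select_safeguards(asset_value: float, threat: Threat,
                      candidates: List[Safeguard]) -> List[str]:
    """Names of the safeguards whose net benefit is positive, best first."""
    scored = [(net_benefit(asset_value, threat, sg), sg.name) for sg in candidates]
    return [name for benefit, name in sorted(scored, reverse=True) if benefit > 0]


# Constructed sample: a $500,000 asset facing a threat that destroys 40% of
# it and is expected once every two years (ARO 0.5).
ASSET_VALUE = 500_000.0
FLOOD = Threat("server room flooding", exposure_factor=0.40, aro=0.5)
CANDIDATES = [
    Safeguard("raised floor and water sensors", 60_000, 10_000, 5_000, 5_000, 5, 0.10, 0.5),
    Safeguard("relocate data centre", 400_000, 20_000, 30_000, 10_000, 5, 0.02, 0.5),
]

if __name__ == "__main__":
    print(f"SLE = {sle(ASSET_VALUE, FLOOD.exposure_factor):,.0f}")
    print(f"ALE = {ale(ASSET_VALUE, FLOOD.exposure_factor, FLOOD.aro):,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name}: value {control_value(ASSET_VALUE, FLOOD, sg):,.0f}, "
              f"annual cost {sg.annual_cost():,.0f}, "
              f"net {net_benefit(ASSET_VALUE, FLOOD, sg):,.0f}")
    print("select:", select_safeguards(ASSET_VALUE, FLOOD, CANDIDATES))
```

With the sample numbers the SLE is 200,000 and the ALE 100,000. The first safeguard cuts the ALE to 25,000 (value 75,000 a year) for an annualized cost of 20,000, a net benefit of 55,000; the second cuts the ALE further, to 5,000 (value 95,000), but its annualized cost of 100,000 exceeds that value, so only the first is selected.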
Level of Manual Operations
- The amount of manual intervention required to operate the safeguard
- Should not be too difficult to operate

Auditability and Accountability
Safeguard must allow for auditability and