CISSP Certification Detailed Knowledge Point Summary (document format).docx
- Document ID: 22525010
- Uploaded: 2023-02-04
- Format: DOCX
- Pages: 42
- Size: 47.87KB
■ If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if a security breach takes place.
■ Security management has become more important over the years because networks have evolved from centralized environments to distributed environments.
■ The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
■ Strategic planning is long term, tactical planning is midterm, and operational planning is day to day. These make up a planning horizon.
■ ISO/IEC 27002 (formerly ISO 17799 Part 1) is a comprehensive set of controls comprising best practices in information security and provides guidelines on how to set up and maintain security programs.
■ Security components can be technical (firewalls, encryption, and access control lists) or nontechnical (security policy, procedures, and compliance enforcement).
■ Asset identification should include tangible assets (facilities and hardware) and intangible assets (corporate data and reputation).
■ Project sizing, which means to understand and document the scope of the project, must be done before a risk analysis is performed.
■ Assurance is a degree of confidence that a certain security level is being provided.
■ CobiT is a framework that defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
■ CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
■ ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the Information Security Management System.
■ Security management should work from the top down (from senior management down to the staff).
■ Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
■ Which security model a company should choose depends on the type of business, its critical missions, and its objectives.
■ The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.
■ Risk can be transferred, avoided, reduced, or accepted.
■ An example of risk transference is when a company buys insurance.
■ Ways to reduce risk include improving security procedures and implementing safeguards.
■ Threats × vulnerability × asset value = total risk
■ (Threats × asset value) × controls gap = residual risk
■ The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
■ Information risk management (IRM) is the process of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
■ Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
■ A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
■ A quantitative risk analysis attempts to assign monetary values to components within the analysis.
■ A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
■ Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
■ When determining the value of information, the following issues must be considered: the cost to acquire and develop data; the cost to maintain and protect data; the value of the data to owners, users, and adversaries; the cost of replacement if the data is lost; the price others are willing to pay for the data; lost opportunities; and the usefulness of the data.
■ Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
■ Single loss expectancy (SLE) is the amount that could be lost if a specific threat agent exploited a vulnerability.
■ Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE).
■ Qualitative risk analysis uses judgment and intuition instead of numbers.
■ Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
■ The Delphi technique is a group decision method where each group member can communicate anonymously.
■ When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
■ A security policy is a statement by management dictating the role security plays in the organization.
■ Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
■ A standard specifies how hardware and software are to be used. Standards are compulsory.
■ A baseline is a minimum level of security.
■ Guidelines are recommendations and general approaches that provide advice and flexibility.
■ Job rotation is a control to detect fraud.
■ Mandatory vacations are a control type that can help detect fraudulent activities.
■ Separation of duties ensures no single person has total control over an activity or task.
■ Split knowledge and dual control are two aspects of separation of duties.
■ Data is classified to assign priorities to data and ensure the appropriate level of protection is provided.
■ Data owners specify the classification of data.
■ Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
■ The security program should be integrated with current business objectives and goals.
■ Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team's findings.
■ The risk management team should include individuals from different departments within the organization, not just technical personnel.
■ A qualitative rating would be expressed in high, medium, or low, or on a scale of 1 to 5 or 1 to 10. A quantitative result would be expressed in dollar amounts and percentages.
■ Safeguards should default to least privilege, and have fail-safe defaults and override capabilities.
■ Safeguards should be imposed uniformly so everyone has the same restrictions and functionality.
■ A key element during the initial security planning process is to define reporting relationships.
■ The data custodian (information custodian) is responsible for maintaining and protecting data.
■ A security analyst works at a strategic level and helps develop policies, standards, and guidelines, and also sets various baselines.
■ Application owners are responsible for dictating who can and cannot access their applications, as well as the level of protection these applications provide for the data they process and for the company.
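The quantitative risk analysis points above (SLE × ARO = ALE, and the cost/benefit analysis of a safeguard) worked through in code. This is an added example, not part of the original notes; the exposure factor (EF) used to derive SLE from asset value, the safeguard value formula (ALE before minus ALE after minus annual cost), and all asset and control figures are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # yearly cost to buy, run and maintain the control (assumed)
    ef_after: float     # exposure factor left once the control is in place (assumed)
    aro_after: float    # annualized rate of occurrence once the control is in place (assumed)

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF, where EF is the share of the asset lost per incident (assumption)."""
    return round(asset_value * exposure_factor, 2)

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected per year from this threat (the notes' formula)."""
    return round(sle * aro, 2)

def safeguard_value(asset_value, ef_before, aro_before, safeguard):
    """Annual value = ALE before - ALE after - annual cost; negative means it costs more than it saves."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.ef_after), safeguard.aro_after)
    return round(ale_before - ale_after - safeguard.annual_cost, 2)

def rank_safeguards(asset_value, ef_before, aro_before, safeguards):
    """(name, annual value) pairs, best value first; only a positive value pays for itself."""
    scored = [(s.name, safeguard_value(asset_value, ef_before, aro_before, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample: a $500,000 asset, 40% of it lost per incident, one incident every four years.
ASSET_VALUE = 500_000.0
EF_BEFORE = 0.40
ARO_BEFORE = 0.25
CANDIDATES = [  # hypothetical controls with assumed effect and cost
    Safeguard("offsite backups", annual_cost=10_000, ef_after=0.10, aro_after=0.25),
    Safeguard("backups + IPS", annual_cost=30_000, ef_after=0.05, aro_after=0.10),
    Safeguard("full redundancy", annual_cost=60_000, ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF_BEFORE)
    print(f"SLE = {sle:,.2f}; ALE = {annualized_loss_expectancy(sle, ARO_BEFORE):,.2f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        print(f"{name:16s} annual value {value:>12,.2f} {'worthwhile' if value > 0 else 'not worthwhile'}")
```

The most expensive control eliminates the loss entirely yet ranks last, because its annual cost exceeds the ALE it removes; this is the economic balance the risk analysis goals above call for.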
2. Access Control
■ Access is a flow of information between a subject and an object.
■ A subject is an active entity that requests access to an object, which is a passive entity.
■ Confidentiality is the assurance that information is not disclosed to unauthorized subjects.
■ Some security mechanisms that provide confidentiality are encryption, logical and physical access control, transmission protocols, database views, and controlled traffic flow.
■ Identity management solutions include directories, web access management, password management, legacy single sign-on, account management, and profile update.
■ Password synchronization reduces the complexity of keeping up with different passwords for different systems.
■ Self-service password reset reduces help-desk call volumes by allowing users to reset their own passwords.
■ Assisted password reset reduces the resolution process for password issues for the help-desk department.
■ IdM directories contain all resource information, users' attributes, authorization profiles, roles, and possibly access control policies so other IdM applications have one centralized resource from which to gather this information.
■ An automated workflow component is common in account management products that provide IdM solutions.
■ User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes, as they exist in one or more systems, directories, or applications.
■ The HR database is usually consid