Monday, November 6, 2017

Understanding CISSP domains

Disclaimer: I am writing this blog as a personal notebook for CISSP exam preparation. It shouldn't be used as otherwise.

CISSP Common Body of Knowledge covers 8 domains.

1. Security & Risk Management

2. Security of Asset
3. Security of Network and Communication
4. Security of Software and Development

5.Assessment and Testing
6. Security Engineering
7. Security Operations
8. Identity and Auth Management

1. Security & Risk Management


  • It is all about CIA (Confidentiality, Integrity and Availability), also referred as AIC


  • Administrative/Management(soft) Controls,
  • Technical (logical) Controls and 
  • Physical/Operational Controls

Control Types:

  • Preventive
  • Detective
  • Corrective
  • Deterrant
  • Recovery

Understand these terminologies is crucial:

  • Asset: What we are trying to protect
  • Vulnerability: Weakness or gap in our protection efforts
  • Threats: Anything that can exploit a vulnerability
  • Risk: The potential loss of an asset as a result of a threat exploiting a vulnerability. It is the intersection of above three (Asset, Vulnerability and Threat)
  • Corrective Action : Assessing threats and identifying vulnerabilities is critical to understanding the risk to assets and take appropriate corrective action.

Security Frameworks:
1. ISO/IEC 27000 Series
  • Defines ISMS (Information Security Management System)
  • Specifies the components/controls that need to be in place to have a complete security program
  • It is like a parts list.
2. Enterprise/Security Architecture Frameworks
  • Zachman, ToGAF, DoDAF, MoDAF, SABSA
  • It shows how to integrate those components/controls into the various layers (Executives, Business Managers, System Architects, Engineers, Technicians, Enterprise) within an organization.
  • It is a blueprint to follow when building something with those parts.
3. System Architecture
  • COBIT (private organizations), NIST SP 800-53 (Federal), COSO Internal Control
  • Defines how we can develop those components/controls
4. Process Development
  • Defines how to manage those components/controls
  • Process Management tools (ITIL, Six Sigma, CMMI/Capability Maturity Model Integration)
5. Process Life Cycle
  • Discuss how to keep the process up-to-date and healthy
  • 4 steps process in cyclic order: Plan - Implement - Operate/Maintain - Evaluate

Let's see how these frameworks come in play. Suppose a company hires you to create a comprehensive security program. First you would do is look up ISO 27000 as a guidance to create an ISMS which provides all the controls you should put in place. Then, you choose a security framework such as ToGAF to create the ISMS and start the Process Life Cycle.
You go in the planning phase. You gather the right people, identify what needs to be done and identify the possible solutions.
Then, you go to the implementation phase. You create blueprints and implement them. You continuously make sure framework attributes (Strategic alignment, Business Enablement, Process Enhancement) are being monitored to ensure success. At this point, you have selected and implemented various controls. The categorization of controls into administrative, technical & physical along with the functional grouping (such as preventive, deterrent, detective etc) will have been a great help.
Ideally before going live, external party audits your implementation, more than likely the auditor will check your implementation against COBIT/NIST SP 800-53. They will find your shortcomings.Once you have addressed any audit shortcomings, you will enter the Maintain step.
At this point, you will want to manage the process using ITIL, Six Sigma or CMMI. This will help you in the Evaluate step, which then feeds back into Plan.


No comments: