
Curriculum CISSP 2018

CISSP

Certified Information Systems Security Professional Version 1.0

iii © 2020 Boson Software, LLC

CISSP 2018 Curriculum

LM20200202/BV1.0


Copyright © 2020 Boson Software, LLC. All rights reserved. Boson, Boson NetSim, Boson Network Simulator, and Boson Software are trademarks or registered trademarks of Boson Software, LLC. CISSP and (ISC)² are trademarks or registered certification marks of (ISC)², inc. Media elements, including images and clip art, are available in the public domain. All other trademarks and/or registered trademarks are the property of their respective owners. Any use of a third-party trademark does not constitute a challenge to said mark. Any use of a product name or company name herein does not imply any sponsorship of, recommendation of, endorsement of, or affiliation with Boson, its licensors, licensees, partners, affiliates, and/or publishers.

25 Century Blvd., Ste. 500, Nashville, TN 37214 | Boson.com


CISSP Curriculum Table of Contents

Module 1: The Business Frame of Mind ......................................................................................17

  Overview ..... 18
  Objectives ..... 18
  Protecting the Business ..... 19
    How Much Security Is Enough? ..... 20
    Proactive vs. Reactive Security ..... 21
  Thinking Like a Manager ..... 22
    Putting People First ..... 23
  Understanding the (ISC)² Code of Ethics ..... 24
  Approaching the CISSP Exam ..... 25
    Choosing From Multiple Correct Answers ..... 26
  Summary ..... 27
  Review Question 1 ..... 29
  Review Question 2 ..... 31

Module 2: Security and Risk Management .................................................................................33

  Overview ..... 34
  Objectives ..... 34
  The CIA Triad ..... 35
    Confidentiality ..... 36
    Integrity ..... 37
    Availability ..... 38
    Balancing the CIA Triad ..... 39
  Security Governance ..... 40
    Organizational Governance Structure ..... 41
    Security Roles ..... 42
  Legal, Regulatory, and Compliance Issues ..... 44
    U.S. Information Privacy Law ..... 45
    International Information Privacy Law ..... 48
      The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ..... 49
      The EU Data Protection Directive ..... 50
      The EU GDPR ..... 51
    U.S. Computer Crime Law ..... 52
    Import/Export Law ..... 54
    Intellectual Property Law ..... 55
      Intellectual Property Protections ..... 56
      Intellectual Property Attacks ..... 58
    Legal Liability ..... 60
    Industry Standards ..... 61
  Security Documentation ..... 62
    Policies ..... 63
    Procedures ..... 65
    Standards ..... 66

Content in these modules is available in the full version of the curriculum. Please visit www.boson.com for more information.


    Guidelines ..... 67
    Baselines ..... 68
  Risk-based Management Concepts ..... 69
    Qualitative vs. Quantitative Risk Assessment ..... 70
    Qualitative Risk Equation ..... 71
    Qualitative Risk Equation Example ..... 72
    Quantitative Risk Equation ..... 74
    Quantitative Risk Equation Example ..... 75
    Responses to Risk ..... 76
    Threat Modeling ..... 78
      DREAD ..... 79
      STRIDE ..... 80
      PASTA ..... 81
      Trike ..... 82
      SCAP ..... 83
    Other Risk Assessment Methodologies ..... 84
  Summary ..... 85
  Review Question 1 ..... 87
  Review Question 2 ..... 89
  Review Question 3 ..... 91

Module 3: Asset Security .............................................................................................................93

  Overview ..... 94
  Objectives ..... 94
  Privacy ..... 95
    EU Privacy Principles ..... 96
    Documentation ..... 97
  Classification/Ownership of Information and Assets ..... 98
    Classification Schemes ..... 100
  Data Handling ..... 102
  Security Controls ..... 104
    Encryption ..... 105
    Anonymization ..... 106
    Data Masking ..... 107
    Pseudonymization and Tokenization ..... 108
    Access Control ..... 110
    Security Control Standards ..... 112
  Data Storage and Retention ..... 113
  Data Sanitization ..... 114
  Summary ..... 116
  Review Question 1 ..... 117
  Review Question 2 ..... 119
  Review Question 3 ..... 121


Module 4: Security and Architecture Engineering ..................................................................123

  Overview ..... 124
  Objectives ..... 124
  Implementing Secure Design Principles ..... 126
    Security Engineering Life Cycle ..... 127
      Initiation Phase ..... 127
      Development/Acquisition Phase ..... 128
      Implementation Phase ..... 128
      Operations/Maintenance Phase ..... 128
      Disposal Phase ..... 128
    Security Engineering Nomenclature ..... 129
      Subjects vs. Objects ..... 130
      Controls and Confinement ..... 131
      Trust and Assurance ..... 133
    Common Security Models ..... 134
      Theoretical Security Models ..... 135
      Practical Security Models ..... 136
      Evaluation Models ..... 138
    Common Security Frameworks ..... 140
  Viewing Information Systems at a Glance ..... 143
    Hardware ..... 144
      CPU ..... 145
      Memory ..... 146
      Storage ..... 147
      Peripherals ..... 148
    Software ..... 149
    Firmware ..... 150
    Virtualization ..... 151
  Implementing Digital Security ..... 152
    Client Systems ..... 153
      Desktop Systems ..... 154
      Mobile Systems ..... 156
      Embedded Systems ..... 158
    Server Systems ..... 160
      Web Services ..... 161
      Database Services ..... 166
    Distributed Systems ..... 169
      Cloud Computing ..... 170
    Architectural Considerations ..... 172
      Single Points of Failure ..... 172
      Covert Channels ..... 174
      Emanation ..... 174
  Implementing Physical Security ..... 175


    Physical Threats ..... 176
    Environmental Threats ..... 177
      Power ..... 178
      HVAC and Windows ..... 179
      Fire Suppression ..... 180
  Summary ..... 182
  Review Question 1 ..... 183
  Review Question 2 ..... 185

Module 5: Communication and Network Security ...................................................................189

  Overview ..... 190
  Objectives ..... 190
  Understanding Network Architecture Basics ..... 192
    Network Types ..... 193
      PANs ..... 194
      LANs ..... 195
      MANs ..... 196
      WANs ..... 197
    Network Topologies ..... 205
      Bus Topology ..... 206
      Ring Topology ..... 207
      Dual-ring Topology ..... 208
      Star Topology ..... 209
      Extended Star Topology ..... 210
      Full-mesh Topology ..... 211
      Partial-mesh Topology ..... 212
      Physical vs. Logical Topologies ..... 213
    Network Devices ..... 214
      Hubs ..... 215
      Bridges ..... 216
      Switches ..... 217
      Routers ..... 218
      Servers ..... 219
      Hosts ..... 220
    Transmission Media ..... 221
      Copper Cables ..... 222
      Fiber-optic Cables ..... 223
      Radio Frequency ..... 224
  Recognizing Network Models ..... 225
    The OSI Model ..... 226
      Application Layer ..... 227
      Presentation Layer ..... 228
      Session Layer ..... 229


      Transport Layer ..... 230
      Network Layer ..... 231
      Data Link Layer ..... 232
      Physical Layer ..... 233
    The TCP/IP Model ..... 234
      Application Layer ..... 235
      Transport Layer ..... 236
      Internet Layer ..... 237
      Network Access Layer ..... 238
    Network Model Comparison ..... 239
  Becoming Familiar With the Packet Delivery Process ..... 240
    Devices in the Packet Delivery Process ..... 241
      Hubs ..... 242
      Switches ..... 243
      Routers ..... 244
      Gateways ..... 246
      Hosts ..... 247
    The Flow of Data ..... 248
      Protocol Data Units and Service Data Units ..... 249
    The Packet Delivery Process in Action ..... 252
      Application Layer ..... 253
      Transport Layer ..... 254
      Internet Layer ..... 261
      Network Access Layer ..... 263
  Understanding Network Security Basics ..... 264
    Recognizing Adversaries ..... 265
      Goals and Motivations ..... 266
    Identifying Classes of Attacks ..... 267
    Perceiving Common Threats ..... 269
      Reconnaissance Attacks ..... 270
      Penetration Attacks ..... 274
      Control Attacks ..... 277
    Protecting Assets ..... 280
  Securing Connections ..... 281
    Understanding NAT/PAT ..... 282
      NAT/PAT Address Terminology ..... 283
      NAT Translation Methods ..... 284
    Understanding Secure VPNs and Tunneling ..... 288
      Understanding the Purpose of a VPN ..... 289
      The Two Types of VPNs ..... 290
      Understanding the IPSec Protocol ..... 295
      Understanding GRE Tunnels ..... 299
      Differences Between Secure VPNs and GRE Tunnels ..... 300

Content in these modules is available in the full version of the curriculum. Please visit www.boson.com for more information.


Summary ........ 301
Review Question 1 ........ 303
Review Question 2 ........ 305

Module 6: Identity and Access Management (IAM) .................................................................309

Overview ........ 310
Objectives ........ 311
Access Control Types ........ 312

    Administrative Access Controls ........ 313
    Physical Access Controls ........ 314
    Technical Access Controls ........ 315

Access Control Categories ........ 316
    Directive Access Controls ........ 317
    Deterrent Access Controls ........ 318
    Preventive Access Controls ........ 319
    Compensating Access Controls ........ 320
    Detective Access Controls ........ 321
    Corrective Access Controls ........ 322
    Recovery Access Controls ........ 323

Identification, Authentication, and Authorization ........ 324
    Identification ........ 325

        Attacking Identity ........ 326
    Authentication ........ 327

        Authentication Factors ........ 327
        Combining Authentication Factors ........ 339

    Authorization ........ 341
        DACs ........ 342
        MACs ........ 343
        Nondiscretionary Access Controls ........ 344
        RBACs ........ 345
        Rule-based Access Controls ........ 346
        Attacking Authorization ........ 348

    Managing Identity and Access ........ 349
        Secure Account Creation ........ 350
        Secure Credentials ........ 351
        SSO ........ 355
        Federated Identity Management ........ 360
        AAA Protocols ........ 361
        Directory Services ........ 365

Summary ........ 370
Review Question 1 ........ 371
Review Question 2 ........ 373

Module 7: Security Assessment and Testing ...........................................................................375


Overview ........ 376
Objectives ........ 376
Assessment Strategy ........ 377

    Develop an Assessment Policy ........ 378
        Determine the Requirements/Scope of the Assessment ........ 378
        Determine the Roles and Responsibilities of the Assessors ........ 379
        Describe the Logistics of the Assessment ........ 379
        Describe How Sensitive Data Is Handled During the Assessment ........ 379
        Describe the Incident-handling Process During the Assessment ........ 380
        Review the Policy on an Annual Basis ........ 380

    Schedule and Prioritize Assessments ........ 381
        System Category/Impact Ratings ........ 382
        Adjust Frequency by Resource Availability ........ 383

    Choose Assessment Techniques ........ 384
    Execute the Security Assessment ........ 386
    Deal With Obstacles ........ 387

        When Obstacles Arise ........ 388
    Analyze and Report ........ 389
    Mitigate ........ 390

Systems Security Assessments ........ 392
    Vulnerability Tests ........ 393

        When to Perform Vulnerability Tests ........ 394
        Vulnerability Test Tools ........ 395
        Vulnerability Test Phases ........ 396

    Penetration Tests ........ 397
        Commissioning Penetration Tests ........ 398
        Penetration Test Types ........ 399
        Penetration Test Phases ........ 400
        Conducting Penetration Tests ........ 401

Software Security Assessments ........ 402
    Software Vulnerabilities ........ 403

        Code Injection ........ 403
        CSRF or XSRF ........ 403
        XSS ........ 404
        Data Storage ........ 404
        Error Handling ........ 404
        Buffer Overflows ........ 404
        Integer Overflows ........ 404
        Memory Leaks ........ 404
        Session Attacks ........ 405

    Common Software-testing Methods ........ 406
        Automated Testing ........ 406
        Black-box Testing ........ 406


        Dynamic Testing ........ 407
        Gray-box Testing ........ 407
        Manual Testing ........ 407
        Static Testing ........ 407
        White-box Testing ........ 407

    Development Stages Testing ........ 408
        Code Tests ........ 408
        Front-end Tests ........ 409

Auditing ........ 410
    Log Management Policy ........ 411
    Log Management Procedures ........ 412

        Log Storage and Review ........ 413
    Types of Event Logs ........ 414

Summary ........ 415
Review Question 1 ........ 417
Review Question 2 ........ 419

Module 8: Security Operations ..................................................................................................423

Overview ........ 424
Objectives ........ 424
Protecting Human Resources ........ 426

    Psychological Security ........ 427
        Training ........ 427
        Privacy ........ 428
        Physical Safety ........ 428

    Physical Security ........ 429
        Common Access Controls ........ 431
        Common Environmental Controls ........ 437
        Common System Controls ........ 442

Protecting Data ........ 445
    Administrative Access Control Principles ........ 446

        Background Checks ........ 446
        Compartmentalization ........ 446
        Job Rotation ........ 447
        Least Privilege ........ 447
        Mandatory Leave ........ 447
        NDAs ........ 447
        Need to Know ........ 447
        Security Domain ........ 448
        Separation of Duties ........ 448

    Monitoring Networks ........ 449
        Anti-malware ........ 449
        DLP Systems ........ 449


        SIEM Systems ........ 450
        Honeypots and Honeynets ........ 450
        IDS and IPS ........ 450

    Logging ........ 454
        Application Events Logs ........ 454
        Network Events Logs ........ 454
        System Events Logs ........ 455
        User Activity Logs ........ 455

    Backing Up Data ........ 456
    Asset Management ........ 458

        Hardware Asset Management ........ 459
        Virtual Asset Management ........ 460
        Configuration Management ........ 461
        Media Asset Management ........ 463
        Software Asset Management ........ 465

Managing Incidents ........ 469
    Disaster Recovery ........ 470

        DRPs and Alternate Locations ........ 470
        Other DRP Considerations ........ 471
        Testing DRPs ........ 472

    Business Continuity ........ 474
        Develop a BCP Policy Statement ........ 474
        Conduct a BIA ........ 474
        Identify Preventive Controls ........ 475
        Develop Recovery Strategies ........ 475
        Develop an IT Contingency Plan ........ 475
        Perform DRP Training and Testing ........ 475
        Perform BCP/DRP Maintenance ........ 475
        BCP Formulas ........ 476

    Redundancy Is Key ........ 478
    Incident Response ........ 479
    Investigations ........ 480

        Types of Investigations ........ 481
        Evidence ........ 483
        Presenting Findings ........ 494

Summary ........ 496
Review Question 1 ........ 497
Review Question 2 ........ 499
Review Question 3 ........ 501

Module 9: Software Development Security ..............................................................................503

Overview ........ 504
Objectives ........ 504


Software Project Management ........ 506
    The SEI CMM and Software Maturity ........ 507
    The SDLC ........ 509

Software Development Methodologies ........ 511
    Waterfall ........ 512
    Spiral ........ 513
    IDEAL ........ 514
    Agile ........ 515
    DevOps ........ 516

Coding Techniques ........ 517
    Structured Programming ........ 518
    Object-oriented Design and Programming ........ 519

        Instantiation ........ 519
        Coupling and Cohesion ........ 519
        Encapsulation ........ 519
        Inheritance ........ 520
        Polyinstantiation ........ 520
        Polymorphism ........ 520

    Databases ........ 521
        Flat-file Databases ........ 522
        Hierarchical Databases ........ 522
        Object-oriented Databases ........ 522
        Relational Databases ........ 522
        Data Access Tasks ........ 527

    Web-based Applications ........ 528
        Markup Languages ........ 528
        Scripting Languages ........ 528
        Database Back Ends ........ 529

    APIs ........ 530
        REST ........ 530
        SOAP ........ 531

Common Software Vulnerabilities ........ 532
    Back Doors ........ 532
    Buffer Overflows ........ 532

        ASLR ........ 533
        DEP ........ 533
        Heap Metadata Protection ........ 533
        Pointer Encoding ........ 533

    Code Injection ........ 534
        SQL Injection ........ 534
        LDAP Injection ........ 534
        XML Injection ........ 534

    Covert Channels ........ 534


    CSRF ........ 535
    Directory Traversal ........ 535
    Logic Bombs ........ 535
    Mobile Code ........ 535
    Object Reuse ........ 535
    XSS ........ 536
    Zero-day Vulnerabilities and Exploits ........ 536

Secure Coding Standards ........ 537
    Code Certification and Accreditation ........ 538
    Code Obfuscation ........ 539
    Code Repository Security ........ 541
    Secure Software Development Controls ........ 542

Software Security Assessments ............................................................................................................ 543Code Review and Secure Development Metrics ............................................................................. 545

Summary ............................................................................................................................................... 546Review Question 1 ................................................................................................................................. 547Review Question 2 ................................................................................................................................. 549

Module 10: Preparing for the CISSP Exam ...............................................................................551

Overview ................................................................................................................................................ 552Objectives .............................................................................................................................................. 552How to Schedule Your Exam ................................................................................................................. 553What to Expect on Exam Day ................................................................................................................ 554

Arrive Early ...................................................................................................................................... 555Bring Only What You Need ............................................................................................................. 556Identify Yourself ............................................................................................................................... 557Take the Test ................................................................................................................................... 558How CAT Affects Your Testing Experience ..................................................................................... 559

How CAT Affects Your Studies ............................................................................................... 560Finish the Test ................................................................................................................................. 561

What Happens if You Fail ...................................................................................................................... 562What You Should Do After You Pass ..................................................................................................... 563

Wait for Official Notification ............................................................................................................. 564Get Endorsed .................................................................................................................................. 565Pay the AMF .................................................................................................................................... 566Renew the Certification Every Three Years .................................................................................... 567

Recommendations for Additional Study ................................................................................................. 568ExSim-Max Practice Exams ............................................................................................................ 568Boson Practice Labs ....................................................................................................................... 568Boson Instructor-led Training .......................................................................................................... 568

Summary ............................................................................................................................................... 569Review Question 1 ................................................................................................................................. 571Review Question 2 ................................................................................................................................. 573



Module 1: The Business Frame of Mind


CISSP Module 1: The Business Frame of Mind

Overview

People who work in the information technology field tend to focus on the technical aspects of a business. However, to succeed on the Certified Information Systems Security Professional (CISSP) exam, you have to get into the business frame of mind. Security involves protecting the business as a whole, not solely from a technological standpoint. Not only should you be concerned with the security of data and equipment, but you should also be concerned with the security of personnel. Although thinking like a manager requires a certain degree of technical knowledge, you must also be able to evaluate decisions based on their potential impacts on employees, customers, and the general financial health and legal compliance of your company. You should also strive to adhere to ethical principles, such as those outlined in the International Information System Security Certification Consortium, or (ISC)2, Code of Ethics.

Objectives

After completing this module, you should have the basic knowledge required to complete all of the following tasks:

• Understand how to protect the business.
• Recognize your most valuable assets.
• Understand how to think like a manager.
• Understand the (ISC)2 Code of Ethics.


Protecting the Business

Protecting the business is not limited to securing a company’s computer systems, nor is it as simple as protecting a company’s assets. Your goal should be the development of and adherence to a balanced, common-sense, multilayered approach to security that protects its employees and customers without sacrificing profitability. A multilayered approach to security is often called “defense-in-depth.”

But how much security is enough? As a CISSP, you should be able to assess a company’s risks and vulnerabilities so that you can make knowledgeable recommendations to senior management. Further, you should implement a proactive approach to security whenever possible. In addition, you must ensure your company’s compliance with all applicable legal requirements.


How Much Security Is Enough?

Technicians often say, “You can never have too much security.” But is that true? Anything can be secured, and that security can often be improved, given unlimited resources. But in business, resources are not unlimited. The primary goal of IT is to support the business processes that make the company profitable, and it would be difficult for any company to remain profitable if it were to spend all of its income on security.

As an IT manager, your goal is to balance the benefits of IT versus the cost of IT—to get the best “bang for the company’s buck.” To do so, you will need a clear understanding of the assets that must be protected and the risk to those assets. You can then make informed recommendations to senior management regarding the company’s security posture. This is discussed further in Module 2: Security and Risk Management.


Proactive vs. Reactive Security

Whenever possible, you should always approach security in a proactive manner. By taking a proactive approach, you can resolve potential security issues before they arise. A proactive security measure might involve performing a network vulnerability analysis or disabling unnecessary services on a server.

Those who do not approach security proactively are typically forced to deal with security in a reactive fashion. Reactive security involves actions that are taken in response to security issues that have already occurred. A reactive security measure might involve removing viruses from an infected computer or modifying the security policy in response to an incident. Reactive security tends to lead to more reactive security, because time, resources, and money must be spent fixing damage that is caused by security incidents.


Thinking Like a Manager

Many IT managers and security managers started out in technical roles. Therefore, it is sometimes difficult for seasoned technicians to stop thinking solely as technicians and start thinking like managers as they transition to a management role. This is particularly true for technicians who take the CISSP exam. The most important thing you can do to prepare yourself for the exam is to get into the managerial mindset.

This is not to say that you should ignore your technical knowledge. A complete understanding of technical concepts is vital to becoming an effective manager. However, as you are taking the CISSP exam, you should resist the urge to “fix” whatever technological problems exist in the scenario. Instead, you should select those choices that enable the company to stay in business.

Consider this example: You are an IT manager of a medical facility, and you must choose the highest business priority regarding patient medical records. A technician might focus on the technical aspects, like encrypting the data or configuring access control lists (ACLs) to keep out unauthorized individuals. Although those things are important, as an IT manager, you are likely responsible for ensuring that the facility is in compliance with all legal requirements regarding patient privacy.


Putting People First

A company’s most valuable assets might appear to be the company’s data, its financial assets, or its real estate holdings. However, a company’s most valuable asset is its people. Companies have a moral, ethical, and legal obligation to ensure the protection of people: not just the company’s employees, but also its customers. This concept is discussed further in the Protecting Human Resources section of Module 8: Security Operations.

The protection of human life should always take precedence, both in the real world and in the scenarios presented by the CISSP exam. Whenever you are forced to make a choice between saving money, saving technology, or saving lives, you should always choose to save human lives.


Understanding the (ISC)² Code of Ethics

All members certified by (ISC)2 must agree to abide by the (ISC)2 Code of Ethics, which contains a preamble and four mandatory canons.

The Code of Ethics preamble contains the following two statements:

• The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

• Therefore, strict adherence to this Code is a condition of certification.

The Code of Ethics canons are ranked in the following order of importance:

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

If, during the course of work, you find yourself debating a conflict among any of the four canons, you should adhere to the canon that ranks highest. For example, if you must choose between “acting honorably, honestly, justly, responsibly, and legally” or “advancing and protecting the profession,” you should choose the former.

If a member observes another member violating the Code of Ethics, he or she must file an ethics complaint with (ISC)2. Failure to report a violation can also be considered a breach of the Code of Ethics. Any member who violates the Code of Ethics is subject to peer review, which might involve the revocation of that member’s certifications.


Approaching the CISSP Exam

When you take the CISSP exam, it is important to remember that you should look at the material as if you were in a management position rather than a technical one. It is also important to remember the (ISC)2 Code of Ethics. When you encounter questions in the CISSP exam that directly or indirectly relate to the Code of Ethics, keep it in mind as you consider the available choices.


Choosing From Multiple Correct Answers

You will encounter many questions on the CISSP exam that will seem to have multiple correct answers. However, there is one best answer for every question.

When you encounter a question with multiple correct answers, follow these tips:

• Be careful. Avoid the impulse of choosing the first correct answer you see.
• Read all the choices carefully, and eliminate those that are obviously incorrect.
• Watch for qualifiers, such as MOST, BEST, LEAST, and NOT. Some choices can be correct sometimes or in certain situations, but one choice will be correct in most situations.
• Watch for keywords that indicate your role, your responsibilities, your company’s policy, and other aspects of the scenario. If you have trouble deciding between two choices, check for these keywords to guide you.

Other test-taking tips are discussed in Module 10: Preparing for the CISSP Exam.


Summary

Getting into the business frame of mind will help you, not only on the CISSP exam, but also in becoming an effective IT or security manager. Always think like a manager, not like a technician. As you make decisions, balance the costs and benefits of security to ensure that the company can maintain profitability. Do your best to take proactive security measures, or you will be forced to take reactive ones instead. Remember that people are always more important than technology.

When you take the exam, answer carefully, eliminating wrong choices when possible. Choose the best answer by paying attention to qualifiers and keywords.

Finally, be sure to follow the (ISC)2 Code of Ethics. Ensure that you follow the four canons, and report any violations to (ISC)2.


Review Question 1


If your company’s building has experienced a fire, the first thing you should do as an IT manager is to ensure that all employees are safe. The safety and security of human life should always be the top priority of any organization.

It is important to verify whether backups were run the night before to ensure that valuable business data is not lost. However, ensuring that backups were run is not the first thing you should do as an IT manager.

It is important to ensure that customers are notified of how the fire will impact them and their business relationship with the company. However, notifying customers is not the first thing you should do as an IT manager.

It is important to ensure that the fire suppression systems in the server room activated successfully. If the fire suppression systems activated, it is likely that no data or equipment was lost. However, ensuring the activation of the fire suppression systems is not the first thing you should do as an IT manager.


Review Question 2


The most important canon in the International Information System Security Certification Consortium, or (ISC)2, Code of Ethics is the first canon: Protect society, the common good, necessary public trust and confidence, and the infrastructure. The four canons in the Code of Ethics are arranged from top to bottom in order of their importance:

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

If, in a work environment, a security professional finds himself or herself debating a conflict among any of the four canons, he or she should adhere to the canon that ranks highest. For example, if the security professional must choose between “acting honorably, honestly, justly, responsibly, and legally” or “advancing and protecting the profession,” the professional should choose the former.

Certification Candidates

Boson Software’s ExSim-Max practice exams are designed to simulate the complete exam experience. These practice exams have been written by in-house authors who have over 30 years combined experience writing practice exams. ExSim-Max is designed to simulate the live exam, including topics covered, question types, question difficulty, and time allowed, so you know what to expect. To learn more about ExSim-Max practice exams, please visit www.boson.com/exsim-max-practice-exams or contact Boson Software.

Organizational and Volume Customers

Boson Software’s outstanding IT training tools serve the skill development needs of organizations such as colleges, technical training educators, corporations, and governmental agencies. If your organization would like to inquire about volume opportunities and discounts, please contact Boson Software at [email protected].

Contact Information

E-Mail: [email protected]
Phone: 877-333-EXAM (3926), 615-889-0121
Fax: 615-889-0122
Address: 25 Century Blvd., Ste. 500, Nashville, TN 37214

© Copyright 2020 Boson Software, LLC. All rights reserved.

Boson.com | 877.333.3926 | support@boson.com