Saturday, 4 June 2011

CISSP CBK 1 Information Security and Risk Mgmt

Information Security and Risk Mgmt

Hi guys, I have started writing down a cram sheet for the CISSP exam. Though it is a tough task, I am committed to completing it by the end of June 2011.

All the best for Exam.

Control Objectives for Information and related Technology (CobiT) is a framework and set of best practices developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

COSO is a model for corporate governance and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective.

BS7799 Part 1 outlines control objectives and a range of controls that can be used to meet those objectives; BS7799 Part 2 outlines how a security program (an ISMS) can be set up and maintained. BS7799 Part 2 also served as a baseline that organizations could be certified against, for the whole of Part 2 or for a defined scope of it. ISO/IEC 17799 was the international version of Part 1, the code of practice, and was later renumbered ISO/IEC 27002.

ISO 9000: quality management (not a security standard; often a distractor on the exam).

• ISO/IEC 27001 Based on British Standard BS7799 Part 2: the establishment, implementation, control, and improvement of the Information Security Management System (ISMS)
• ISO/IEC 27002 Code of practice providing good-practice advice on an ISMS (previously known as ISO 17799), itself based on British Standard BS7799 Part 1
• ISO/IEC 27004 A standard for information security management measurements
• ISO/IEC 27005 Designed to assist the satisfactory implementation of information security based on a risk management approach
• ISO/IEC 27006 A guide to the certification/registration process (requirements for bodies that audit and certify an ISMS)
• ISO 27799 A guide illustrating how to protect personal health information using ISO/IEC 27002

CobiT and COSO provide the "what is to be achieved," but not the "how to achieve it." This is where ITIL and the ISO/IEC 27000 series come in.

Annualized Loss Expectancy (ALE) is the expected monetary loss from a given threat per year.

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

Discretionary Access Control (DAC): an access control policy that restricts access to files and other system resources based on the identity of the user and/or the groups to which the user belongs. The owner of the resource decides who gets access (hence "discretionary"). DACs are considered a policy-based control.

Functional requirements evaluation asks, "Does this solution carry out the required tasks?"

Assurance requirements evaluation asks, "How sure are we of the level of protection this solution provides?" Assurance requirements encompass the integrity, availability, and confidentiality aspects of the solution.

The Annualized Rate of Occurrence (ARO) is a value that represents the estimated frequency with which a threat is expected to occur in one year. For example, if 100 data-entry operators (DEO) each make one mistake every month, the ARO is 12 × 100 = 1200.

A good configuration management process is one that can:
(1) accommodate change;
(2) accommodate the reuse of proven standards and best practices;
(3) ensure that all requirements remain clear, concise, and valid;
(4) ensure that changes, standards, and requirements are communicated promptly and precisely;
(5) ensure that the results conform to each instance of the product.

Risk is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as 100 percent security.

Standards are a "mandatory statement of minimum requirements that support some part of a policy." The standards meant here are your own company's standards, not external standards such as the ISO standards.

Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions

Procedures are step-by-step instructions in support of the policies, standards, guidelines and baselines. A procedure indicates how the policy will be implemented and who does what to accomplish the tasks.

Test equipment must be secured. There is equipment and there are tools that, in the wrong hands, can "sniff" network traffic and be used to commit fraud. The storage and use of this equipment should be detailed in the security policy for this reason.

It is common for system development and system maintenance to be undertaken by the same person. In both cases the programmer requires access to the source code in the development environment, but should not be allowed access in the production environment.

The roles of security administration and change management are incompatible functions: the level of access rights held by a security administrator could allow changes to go undetected. Computer operations and system development are incompatible, since it would be possible for an operator to run a program that he or she had amended. System development and change management are incompatible because combining them would allow program modifications to bypass change control approvals.

The common steps used in the development of a security policy are initiation of the project, evaluation, development, approval, publication, implementation, and

The phases of the software development life cycle are not the steps used to develop documents such as policies, standards, etc.

The data owner, not the database administrator, is responsible for accurate use of the information and should normally provide authorization for users to gain access to computerized information. The database administrator (DBA) handles technical matters, not access authorization to data.

Threat analysis is the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure.

Choosing the best countermeasure is not part of the risk analysis itself. The Operations Security domain is concerned with triples: threats, vulnerabilities and assets.

Risk Analysis Steps

1 Assign value to assets
2 Estimate potential loss per threat (SLE)
3 Perform a threat analysis (ARO)
4 Derive the overall annualized loss potential per threat (ALE)
5 Reduce, transfer, avoid or accept the risk

SLE = Asset Value × Exposure Factor
ALE = SLE × ARO
Value of a safeguard = (ALE before safeguard) − (ALE after safeguard) − (annual cost of safeguard)

Risk management = assigning value to assets + risk analysis and assessment + selecting countermeasures
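The five steps above, together with the SLE/ALE formulas and the ARO example (100 operators, one mistake a month), worked through in code. This is an added example and not part of the original cram sheet; every figure in it (asset values, exposure factors, AROs, safeguard costs, the "customer DB breach" threat and the two candidate safeguards) is constructed for illustration. The safeguard cost/benefit rule it applies is the standard (ALE before) − (ALE after) − (annual cost) comparison.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example, not from the original post. All figures are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


def aro_from_rate(events_per_period: float, periods_per_year: int,
                  population: int = 1) -> float:
    """Annualized Rate of Occurrence from an observed or estimated rate.

    The note's example: 100 data-entry operators each making one mistake
    per month -> aro_from_rate(1, 12, 100) == 1200 events per year.
    """
    return events_per_period * periods_per_year * population


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the analyst's estimates."""
    name: str
    asset_value: float      # step 1: monetary value assigned to the asset
    exposure_factor: float  # fraction of the asset lost per occurrence, 0..1
    aro: float              # step 3: expected occurrences per year

    def sle(self) -> float:
        """Step 2: Single Loss Expectancy = Asset Value x Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 4: Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the estimates it changes."""
    name: str
    annual_cost: float                           # purchase + operation per year
    new_aro: float                               # ARO once the control is in place
    new_exposure_factor: Optional[float] = None  # None: exposure factor unchanged


def ale_with_safeguard(threat: Threat, sg: Safeguard) -> float:
    """ALE of the same threat after the safeguard is applied."""
    ef = threat.exposure_factor if sg.new_exposure_factor is None else sg.new_exposure_factor
    return Threat(threat.name, threat.asset_value, ef, sg.new_aro).ale()


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard).

    Positive: the control saves more than it costs. Negative: it costs more
    than the loss it prevents, so the risk is better accepted or transferred.
    """
    return threat.ale() - ale_with_safeguard(threat, sg) - sg.annual_cost


def recommend(threat: Threat, candidates: List[Safeguard]) -> str:
    """Step 5: name the safeguard with the highest positive value, else 'accept'."""
    best = max(candidates, key=lambda sg: safeguard_value(threat, sg), default=None)
    if best is None or safeguard_value(threat, best) <= 0:
        return "accept"  # or transfer (insurance) / avoid; no control pays for itself
    return best.name


def residual_risk(threats: float, vulnerability: float, asset_value: float,
                  controls_gap: float) -> float:
    """threats x vulnerability x asset value = total risk; x controls gap = residual.

    controls_gap is the fraction of total risk the current controls leave
    uncovered (1.0 = no controls at all, 0.0 = fully mitigated).
    """
    total_risk = threats * vulnerability * asset_value
    return total_risk * controls_gap


if __name__ == "__main__":
    # Constructed scenario: a customer database worth 500k, a breach exposes 30%
    # of that value, and such a breach is expected once every ten years.
    breach = Threat("customer DB breach", asset_value=500_000, exposure_factor=0.30, aro=0.10)
    options = [
        Safeguard("WAF + monthly patching", annual_cost=8_000, new_aro=0.02),
        Safeguard("DLP suite", annual_cost=20_000, new_aro=0.05, new_exposure_factor=0.10),
    ]
    print(f"SLE = {breach.sle():,.0f}   ALE = {breach.ale():,.0f}")
    for sg in options:
        print(f"{sg.name}: value of safeguard = {safeguard_value(breach, sg):,.0f}")
    print("decision:", recommend(breach, options))
    print("ARO for 100 operators, 1 mistake/month:", aro_from_rate(1, 12, 100))
```

Running it shows why step 5 is a business decision rather than "buy the strongest control": the DLP suite reduces the ALE the most, but its annual cost exceeds the loss it prevents, so the cheaper WAF-and-patching option is the one that actually pays for itself.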

Advisory policies are security policies that are not mandated to be followed but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job-action warning, and so forth). A company with such policies wants most employees to consider these policies mandatory.

Most policies fall under this broad category.

Advisory policies can have many exclusions or application levels. Thus, these policies can control some employees more than others, according to their roles and responsibilities within the organization. For example, a policy that requires a certain procedure for transaction processing might allow for an alternative procedure under certain specified conditions.

Regulatory policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. Such organizations might be financial institutions, public utilities, or some other type of organization that operates in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates.
Regulatory policies commonly have two main purposes:

1. To ensure that an organization is following the standard procedures or base practices of operation in its specific industry
2. To give an organization the confidence that it is following the standard and accepted industry policy

Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not mean that the policies are authorized for public consumption, but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.

Computer security should be first and foremost cost-effective.

Access to facilities is not considered a personnel security control, but a physical/environmental control.

threats × vulnerability × asset value = total risk
(threats × vulnerability × asset value) × controls gap = residual risk

The security policy should not dictate business objectives.
Issue-specific policy: addresses one issue, e.g. an email usage policy.
System-specific policy: addresses one system or class of systems, e.g. the approved software list, or how IDSs and firewalls are deployed.

**Standards, guidelines, and procedures are the tactical (short-term goal) tools used to achieve and support the directives in the security policy, which is considered the strategic goal (long-term end point).

Example: the security policy says customer information must be protected. The standard says data stored in the database must be encrypted with AES and data in transit must be protected with IPsec. The procedure explains how to set up AES encryption. The guidelines cover how to handle cases where data is accidentally corrupted or compromised during transmission.

Due Diligence = Do Detect (understanding the risks the company faces)
Due Care = Do Correct (the steps taken to address the identified risks)

Data classification levels, commercial sector:
  • Confidential
  • Private
  • Sensitive
  • Public

Military:
  • Top Secret
  • Secret
  • Confidential
  • Sensitive But Unclassified
  • Unclassified

An alternative commercial-sector scheme:
  • For official use only: financially sensitive
  • Proprietary: protects competitive edge
  • Privileged: ensures conformance with business standards and laws
  • Private: contains records about individuals

Sensitive: a) Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. b) Requires higher than normal assurance of accuracy and completeness.
Examples: financial information, details of projects, profit earnings and forecasts
Organization: commercial businesses
Private: a) Personal information for use within a company. b) Unauthorized disclosure could adversely affect personnel or the company.
Examples: work history, human resources information, medical information
Organization: commercial businesses
Secret: a) If disclosed, it could cause serious damage to national security.
Examples: deployment plans for troops, nuclear bomb placement
Organization: military/government
