1 Cissp U

The document outlines key concepts in security and risk management, focusing on the CIA Triad: Confidentiality, Integrity, and Availability. It discusses various attacks on these principles, compliance regulations, ethics in cybersecurity, and the importance of risk assessments and business continuity planning. Additionally, it highlights threat modeling approaches to identify and mitigate potential risks throughout a system's lifecycle.

Uploaded by

Patience TEBUA
Domain 1 - Security and Risk Management
CIA Triad

Confidentiality

Integrity

Availability

CISSP Review-1 2
CIA Triad (Confidentiality, Integrity, Availability)

Ø Confidentiality
• Making sure that only those who are supposed to access the data can access it!

Ø Integrity
• Making sure that the data has not been changed unintentionally, due to an accident or malice.

Ø Availability
• Making sure that the data is accessible when and where it is needed.

CIA Triad (Confidentiality, Integrity, Availability)

Ø Confidentiality Attacks:
• Shoulder Surfing
• Social Engineering

Ø Integrity Attacks:
• Maliciously deleting files (like configurations)
• Incorrectly modifying data in a database

Ø Availability Attacks:
• Denial of Service (DOS)
• Distributed Denial of Service (DDOS)

Compliance

Ø Payment Card Industry Data Security Standard (PCI DSS)
Ø Overlapping, sometimes contradictory
Ø Compliance audits

Computer Crime and related regulations

Ø Computer Fraud and Abuse Act of 1984
Ø 1994 CFAA amendments
Ø Computer Security Act of 1987
Ø Federal Sentencing Guidelines of 1991
Ø Paperwork Reduction Act of 1995
Ø National Information Infrastructure Protection Act of 1996
Ø Government Information Security Reform Act of 2000

Ethics

Ø Minimum standards for professional behavior
Ø A basis for sound ethical and legal judgments
Ø A high standard of conduct
Ø (ISC)2 Code of Ethics

(ISC)2 Code of Ethics

Ø Read the complete Code of Ethics at:
• www.isc2.org
Ø Code of Ethics Preamble
Ø Code of Ethics Canons
• Protect society, the commonwealth, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession

Risk Assessments
Ø A Risk Assessment (RA) is a method of identifying vulnerabilities & threats and assessing the possible impacts to determine where to implement security controls
• Threats need to be identified, classified by category, and the actual magnitude of the potential loss needs to be calculated
• Real risk is hard to measure, but prioritizing the potential risks is attainable
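As an added worked example (not part of the slides): a small Python risk register that takes the deck's own CIA-triad attack examples, classifies each by the principle it attacks, and computes an expected annual loss so the threats can be prioritized and the per-category totals show where controls are most needed. The asset values, exposure fractions and yearly rates are constructed, and the "value x exposure x frequency" way of quantifying "magnitude of the potential loss" is an assumption, not something the slides specify.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Threat:
    name: str
    category: str       # CIA principle the threat attacks
    asset: str
    asset_value: float  # value of the asset in currency units (constructed)
    exposure: float     # fraction of asset value lost per occurrence, 0..1 (constructed)
    annual_rate: float  # expected occurrences per year (constructed)

    def single_loss(self) -> float:
        # Magnitude of one occurrence; assumption: value x exposure fraction
        return self.asset_value * self.exposure

    def annual_loss(self) -> float:
        # Expected yearly loss: magnitude x how often it is expected to happen
        return self.single_loss() * self.annual_rate


# Constructed sample register built from the attack examples on the CIA slide.
REGISTER = [
    Threat("Shoulder surfing", "Confidentiality", "Admin console", 50_000, 0.10, 2.0),
    Threat("Social engineering", "Confidentiality", "Customer records", 400_000, 0.25, 0.5),
    Threat("Malicious config deletion", "Integrity", "Web tier config", 120_000, 0.50, 0.2),
    Threat("Incorrect DB modification", "Integrity", "Orders database", 300_000, 0.05, 1.0),
    Threat("DoS", "Availability", "Public web site", 200_000, 0.02, 4.0),
    Threat("DDoS", "Availability", "Public web site", 200_000, 0.15, 0.5),
]


def prioritize(register):
    """Rank threats by expected annual loss, highest first (ties keep register order)."""
    return sorted(register, key=lambda t: t.annual_loss(), reverse=True)


def loss_by_category(register):
    """Total expected annual loss per CIA principle: where controls are most needed."""
    totals = defaultdict(float)
    for t in register:
        totals[t.category] += t.annual_loss()
    return dict(totals)


if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(f"{t.annual_loss():>10,.0f}  {t.category:<15} {t.name}")
    print(loss_by_category(REGISTER))
```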

Business Continuity
Business Continuity Planning
Ø Goals:
• To maintain the continuous operation of business processes
• Keep the business operating on reduced or restricted infrastructure
• Mission critical processes are not interrupted
Ø Phases
• Project scope and planning
• Business impact assessment
• Continuity planning
• Approval and implementation

Threat Modelling
Process of identifying, understanding, and categorizing potential threats
Ø Occurs throughout the lifecycle of a system
Ø Two Goals
• Reduce the number of security related design and coding defects
• Reduce the severity of any remaining defects

Ø Overall Result is REDUCED RISK!!!

Threat Modeling Approaches

Ø Focused on assets
• Uses asset valuation results and attempts to identify threats to the valuable assets
Ø Focused on attackers
• Identify potential attackers and the threats they represent based on the attacker's goals
Ø Focused on software
• If an organization develops software, it can consider potential threats against the software
