Exam Essentials: Chapter 1

Chapter 1: Security Governance Through Principles & Policies (WIP)

Understand the CIA Triad elements of confidentiality, integrity & availability

  • Confidentiality is the principle that objects are not disclosed to unauthorised subjects.
  • Integrity is the principle that objects retain their veracity and are intentionally modified by only authorised subjects.
  • Availability is the principle that authorised subjects are granted timely & uninterrupted access to objects.
  • Know why these are important, the mechanisms that support them, the attacks that focus on each, and the effective countermeasures.

Understand the process of authentication

  • Authentication is the process of verifying or testing that a claimed identity is valid.
  • Authentication requires information from the subject that must exactly correspond to the identity indicated.

Know how authorisation fits into a security plan

  • Once a subject is authenticated, its access must be authorised.
  • The process of authorisation ensures that the requested activity or object access is possible given the rights & privileges assigned to the authenticated identity.

Understand security governance

  • Security governance is the collection of practices related to supporting, defining & directing the security efforts of an organisation.

Be able to explain the auditing process

  • Auditing, or monitoring, is the programmatic means by which subjects are held accountable for their actions while authenticated on a system.
  • Auditing is also the process by which unauthorised or abnormal activities are detected on a system.
  • Auditing is needed to:
    • detect malicious actions by subjects
    • detect attempted intrusions
    • detect system failures
    • reconstruct events
    • provide evidence for prosecution
    • provide problem reports & analysis
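The detection side of auditing is easier to see on real log data. The following Go program is an added example, not part of the study guide: it parses a constructed sshd-style authentication log (the sample lines are invented, not a real capture) and flags subjects whose failed logins from one source cross a threshold, which is what "detect attempted intrusions" looks like in practice. The function and type names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sshd-style authentication log for the example; not a real capture.
const sampleLog = `Mar 01 10:00:01 host sshd[201]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Mar 01 10:00:03 host sshd[202]: Failed password for alice from 203.0.113.5 port 51235 ssh2
Mar 01 10:00:05 host sshd[203]: Failed password for alice from 203.0.113.5 port 51236 ssh2
Mar 01 10:00:07 host sshd[204]: Accepted password for alice from 203.0.113.5 port 51237 ssh2
Mar 01 10:01:00 host sshd[205]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 01 10:02:00 host sshd[206]: Accepted publickey for carol from 192.0.2.9 port 30001 ssh2
Mar 01 10:02:30 host cron[300]: (root) CMD (run-parts /etc/cron.hourly)`

// AuthEvent is one parsed login attempt: which identity was claimed, from where, with what outcome.
type AuthEvent struct {
	Time    string
	Outcome string // "Failed" or "Accepted"
	User    string
	Source  string
}

// Only sshd success/failure lines are of interest; anything else (the cron line) is skipped.
var authLine = regexp.MustCompile(
	`^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port`)

// ParseAuthLog turns raw log text into structured events, ignoring lines it does not recognise.
func ParseAuthLog(log string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(log, "\n") {
		m := authLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		events = append(events, AuthEvent{Time: m[1], Outcome: m[2], User: m[3], Source: m[4]})
	}
	return events
}

// Finding is a (user, source) pair that reached the failure threshold. SuccessAfterFailures
// is the case an analyst cares most about, since it may mean the guessing eventually worked.
type Finding struct {
	User                 string
	Source               string
	Failures             int
	SuccessAfterFailures bool
}

// DetectBruteForce flags subjects with at least `threshold` failed logins from the same source.
// Events are assumed to be in chronological order, as they are in the sample.
func DetectBruteForce(events []AuthEvent, threshold int) []Finding {
	type key struct{ user, source string }
	failures := map[key]int{}
	success := map[key]bool{}
	for _, e := range events {
		k := key{e.User, e.Source}
		switch e.Outcome {
		case "Failed":
			failures[k]++
		case "Accepted":
			if failures[k] >= threshold {
				success[k] = true
			}
		}
	}
	var out []Finding
	for k, n := range failures {
		if n >= threshold {
			out = append(out, Finding{k.user, k.source, n, success[k]})
		}
	}
	// Map iteration order is random; sort so the report is deterministic.
	sort.Slice(out, func(i, j int) bool { return out[i].User < out[j].User })
	return out
}

func main() {
	events := ParseAuthLog(sampleLog)
	for _, f := range DetectBruteForce(events, 3) {
		fmt.Printf("%s from %s: %d failed logins, success afterwards: %v\n",
			f.User, f.Source, f.Failures, f.SuccessAfterFailures)
	}
}
```

On the sample, only alice from 203.0.113.5 reaches three failures, and because an Accepted line follows, the finding is marked as a success after failures; bob's single failure stays below the threshold. The same parsed events also serve the other purposes in the list above: the structured records are what you would keep to reconstruct events or hand over as evidence.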

Understand the importance of accountability

  • An organisation’s security policy can be properly enforced only if accountability is in place: security can be maintained only if subjects are held accountable for their actions.
  • Effective accountability relies on the capability to prove a subject’s identity and track their actions.

Be able to explain non-repudiation

  • Non-repudiation ensures that the subject of an activity or event cannot deny that the event occurred.
  • It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.
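The usual mechanism behind non-repudiation is a digital signature, and the practitioner's caveat is that a shared-key MAC does not give it, because either key holder could have produced the tag. The Go program below is an added example, not from the study guide: alice signs a message with an Ed25519 private key, bob verifies it with her public key, and the same message tagged with a shared HMAC key is shown to be indistinguishable whoever made the tag. Party names, the message and the shared secret are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds an Ed25519 key pair. The private half never leaves the party;
// the public half is what everyone else uses to verify.
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair for the named subject.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, pub: pub, priv: priv}, nil
}

func (p *Party) PublicKey() ed25519.PublicKey { return p.pub }

// Sign binds the message to this party: only the holder of priv can produce a valid signature.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// VerifySigned succeeds only if sig was made over exactly msg by the private key matching pub.
func VerifySigned(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// HMACTag authenticates msg under a key shared by both parties (integrity, not non-repudiation).
func HMACTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// HMACValid checks a tag in constant time.
func HMACValid(key, msg, tag []byte) bool {
	return hmac.Equal(tag, HMACTag(key, msg))
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	msg := []byte("transfer 100 GBP to bob") // constructed message

	sig := alice.Sign(msg)
	fmt.Println("bob verifies alice's signature:", VerifySigned(alice.PublicKey(), msg, sig))
	fmt.Println("altered message still verifies:",
		VerifySigned(alice.PublicKey(), []byte("transfer 1000 GBP to bob"), sig))
	// Bob cannot manufacture a signature that verifies under alice's public key.
	fmt.Println("bob's signature verifies as alice:", VerifySigned(alice.PublicKey(), msg, bob.Sign(msg)))

	// With a shared HMAC key, a tag made by bob is byte-for-byte the tag alice would make,
	// so a valid tag proves the message came from someone holding the key, not which one.
	shared := []byte("constructed-shared-secret")
	tagFromBob := HMACTag(shared, msg)
	fmt.Println("tag bob made validates as if from alice:", HMACValid(shared, msg, tagFromBob))
}
```

The signature only gives non-repudiation if the private key really is held by alice alone, which is why key management and the accountability controls above matter as much as the algorithm: a leaked or shared signing key lets the subject deny the action after all.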

Understand security management planning

  • Security management is based on three types of plans:
    • A strategic plan is a long-term plan that is fairly stable. It defines the organisation’s goals, missions & objectives.
    • The tactical plan is a mid-term plan developed to provide more details on accomplishing the goals set forth in the strategic plan.
    • Operational plans are short-term, highly-detailed plans based on the strategic & tactical plans.

Know the elements of a formalised security structure

  • To create a comprehensive security plan, you need the following items in place:
    • Security policy
    • Standards
    • Baselines
    • Guidelines
    • Procedures
  • Such documentation clearly states security requirements and creates due diligence on the part of the responsible parties.

Understand key security roles

  • The primary security roles are:
    • security manager
    • organisational owner
    • upper management
    • security professional
    • user
    • data owner
    • data custodian
    • auditor
  • By creating a security role hierarchy, you limit risk overall.

Know how to implement security awareness training

  • Before actual training can take place, awareness of security as a recognised entity must be created for users.
  • Once this is accomplished, training (teaching employees to perform their work tasks and comply with the security policy) can begin.
  • All new employees require some level of training so they will be able to comply with all standards, guidelines & procedures mandated by the security policy.
  • Education is a more detailed endeavour where students/users learn much more than they actually need to know to perform their work tasks.
  • Education is most often associated with users pursuing certification or seeking job promotion.

Know how layering simplifies security

  • Layering (defence in depth) is the use of multiple controls in series, so that a threat has to defeat each control in turn; controls placed in parallel only give an attacker a choice of paths.
  • Using a multi-layered solution allows for numerous controls to guard against threats, and the failure of any single control does not by itself expose the protected object.

Be able to explain the concept of abstraction

  • Abstraction is used to collect similar elements into groups, classes or roles that are assigned security controls, restrictions or permissions as a collective.
  • It adds efficiency to carrying out a security plan.

Understand data hiding

  • Data hiding, as the name suggests, is preventing data from being discovered or accessed by a subject.
  • It is often a key element in security controls as well as in programming.

Understand the need for encryption

  • Encryption is the art & science of hiding the meaning or intent of a communication from unintended recipients.
  • It can take many forms and be applied to every type of electronic communication, including text, audio & video files, as well as programs themselves.
  • Encryption is an important element in security controls, especially in regard to the transmission of data between systems.
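Modern encryption of data in transit is done with an authenticated mode, which covers confidentiality and integrity at once. The Go program below is an added example, not from the study guide: it encrypts a constructed message with AES-256-GCM, binds cleartext routing data to it as associated data, and shows that a flipped bit, a changed header or a wrong key all make decryption fail rather than yield garbage. Key, message and header values are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit AES key. In practice the key comes from a KMS or key exchange.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag. aad is authenticated but sent in the clear
// (e.g. routing headers), so tampering with it is detected too.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce is fine for
	// modest message counts, otherwise rotate keys or use a counter.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt; it fails if the key, nonce, ciphertext, tag or aad differ.
func Decrypt(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(msg) < ns+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	return gcm.Open(nil, msg[:ns], msg[ns:], aad)
}

// TamperDetected flips one bit in the middle of the message and reports whether Decrypt rejects it.
func TamperDetected(key, msg, aad []byte) bool {
	altered := append([]byte(nil), msg...)
	altered[len(altered)/2] ^= 0x01 // lands in the ciphertext body for any realistic message size
	_, err := Decrypt(key, altered, aad)
	return err != nil
}

func main() {
	key, _ := NewKey()
	msg := []byte("wire transfer: 100 GBP to account 42") // constructed message
	aad := []byte("from=alice;to=bob")                    // constructed cleartext header
	ct, _ := Encrypt(key, msg, aad)
	fmt.Printf("ciphertext (%d bytes): %x\n", len(ct), ct)
	pt, err := Decrypt(key, ct, aad)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	fmt.Println("bit flip detected:", TamperDetected(key, ct, aad))
	_, err = Decrypt(key, ct, []byte("from=mallory;to=bob"))
	fmt.Println("changed header rejected:", err != nil)
}
```

The point for the exam essentials above is that encryption alone (confidentiality) is not enough for data in transit; the tag that GCM appends is what supplies integrity, and the associated data lets you protect fields that have to stay readable for routing.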

Know why and how data is classified (TODO)

  • Data is classified to simplify the process of assigning security controls to groups of objects rather than individual objects.
  • The two common classification schemes are government/military and commercial business/private sector.
  • Know the five levels of government classification (top secret, secret, confidential, sensitive but unclassified, unclassified) and the four levels of commercial classification (confidential, private, sensitive, public).
  • The seven major steps or phases in the implementation of a classification scheme are:
    • TODO
    • TODO
    • TODO
    • TODO
    • TODO
    • TODO
    • TODO

Understand the importance of declassification

  • Declassification is required once an asset no longer warrants the protection of its currently-assigned classification or sensitivity level.

Know the basics of COBIT (TODO)

  • Control Objectives for Information & Related Technologies (COBIT) is an ISACA framework of control objectives used to organise IT governance and the security controls an organisation needs for compliance.

Know the basics of threat modelling (TODO)

  • Threat modelling is the security process where potential threats are identified, categorised & analysed.
  • Threat modelling can be performed as a proactive measure during design & development, or as a reactive measure once a product has been deployed.
  • Key concepts include:
    • assets
    • attackers
    • software
    • STRIDE
    • PASTA
    • Trike
    • VAST
    • diagramming
    • reduction/decomposing
    • DREAD

Understand the need to apply risk-based management concepts to the supply chain

  • Applying risk-based management concepts to the supply chain is a means to ensure a more robust and successful security strategy in organisations of all sizes.
  • When purchases and acquisitions are made without security considerations, the risks inherent in those products remain throughout their deployment life span.
