Sage Teach-Back C725 (based upon CISSP Guide)
Lesson One – Security Governance
CIA Triad
A formalized security policy structure consists of policies, standards,
baselines, guidelines, and procedures. These individual documents are essential
elements of the design and implementation of security in any environment.
The control or management of change is an important aspect of security
management practices. When a secure environment is changed, loopholes,
overlaps, missing objects, and oversights can lead to new vulnerabilities. You
can, however, maintain security by systematically managing change. This
typically involves extensive logging, auditing, and monitoring of activities related
to security controls and security mechanisms. The resulting data is then used to
identify agents of change, whether objects, subjects, programs, communication
pathways, or even the network itself.
Data classification is the primary means by which data is protected based on its
secrecy, sensitivity, or confidentiality.
An important aspect of security management planning is the proper
implementation of a security policy. To be effective, the approach to security
management must be a top-down approach.
Security management planning includes defining security roles, developing
security policies, performing risk analysis, and requiring security
education for employees. These responsibilities are guided by the
development of management plans. The security management team should
develop strategic, tactical, and operational plans.
Threat modeling is the security process where potential threats are identified,
categorized, and analyzed. Threat modeling can be performed as a proactive
measure during design and development or as a reactive measure once a
product has been deployed. In either case, the process identifies the potential
harm, the probability of occurrence, the priority of concern, and the means to
eradicate or reduce the threat.
Integrating cyber security risk management with supply chain, acquisition
strategies, and business practices is a means to ensure a more robust and
successful security strategy in organizations of all sizes. When purchases are
made without security considerations, the risks inherent in those products remain
throughout their deployment life span.
Know the basics of COBIT. Control Objectives for Information and Related
Technologies (COBIT) is a security concept infrastructure used to organize the
complex security solutions of companies.
Lesson Two - Personnel and Risk Management
Understand the security implications of hiring new employees. To
properly plan for security, you must have standards in place for job
descriptions, job classification, work tasks, job responsibilities, preventing
collusion, candidate screening, background checks, security clearances,
employment agreements, and nondisclosure agreements. By deploying
such mechanisms, you ensure that new hires are aware of the required
security standards, thus protecting your organization's assets.
Be able to explain separation of duties. Separation of duties is the
security concept of dividing critical, significant, sensitive work tasks among
several individuals. By separating duties in this manner, you ensure that no
one person can compromise system security.
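As an added example (not from the study guide), the following Python check enforces separation of duties over role assignments, catching both a single role that bundles conflicting duties and a toxic combination that only appears when one person holds two individually harmless roles. The duty names, roles, and users are constructed sample data, and the payments and change-approval workflows are assumed.

```python
# Separation-of-duties (SoD) check over role assignments.
# All policy data below is constructed sample input, not from the study guide.

# Pairs of duties that the policy says no single person may hold together.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"request_change", "approve_change"}),
}

# Role -> duties the role grants (assumed roles for a payments workflow).
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "treasury": {"release_payment"},
    "change_requester": {"request_change"},
    "cab_member": {"approve_change"},
}

# User -> roles held. "dana" holds two roles that are harmless on their own
# but together cover a conflicting pair: a violation that a per-role review
# would miss, which is why the check works on effective duties per person.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"treasury", "cab_member"},
    "dana": {"ap_clerk", "ap_manager"},
}

def effective_duties(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the duties granted by every role the user holds."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))

def find_sod_violations(assignments=ASSIGNMENTS, roles=ROLES,
                        conflicts=CONFLICTING_DUTIES):
    """Detective control: (user, duty_a, duty_b) for every conflicting pair one person holds."""
    found = []
    for user in assignments:
        held = effective_duties(user, assignments, roles)
        for pair in conflicts:
            if pair <= held:
                found.append((user,) + tuple(sorted(pair)))
    return sorted(found)

def can_assign(user, role, assignments=ASSIGNMENTS, roles=ROLES,
               conflicts=CONFLICTING_DUTIES):
    """Preventive control: False if granting `role` would give `user` a conflicting pair."""
    proposed = effective_duties(user, assignments, roles) | roles[role]
    return not any(pair <= proposed for pair in conflicts)

if __name__ == "__main__":
    for violation in find_sod_violations():
        print("SoD violation:", violation)
    print("alice -> treasury allowed?", can_assign("alice", "treasury"))
    print("alice -> ap_manager allowed?", can_assign("alice", "ap_manager"))
```

Running the detective check periodically against the real role store, and the preventive check inside the provisioning workflow, is what turns the principle into an enforced control rather than a written policy.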
Understand the principle of least privilege. The principle of least
privilege states that in a sec