CISSP Introduction
Certification: sometimes it’s worth doing, sometimes it isn’t. The Certified Information Systems Security Professional (CISSP), which is administered by ISC2, certainly is.
I’ve been looking at boosting my certification status over the last few months and assessed a few professional-level certifications, particularly in the area of Information Security. Having examined the various possibilities, my conclusion was that the CISSP is simply awesome. I’ve been studying for it for a few months now and thought it would be a great idea to write up my findings in a series of blog posts. Not only to help me remember the vast amount of information incorporated into the certification, but also to help anyone else who may be thinking of, or in the process of, taking the exam.
The first thing that struck me when investigating the requirements for the CISSP was the sheer breadth of topics covered. It really does touch every area of IT; after all, if we are going to try to secure a thing, we need to understand how the thing works. Delving deeply into each of the subject areas would present a lifetime of activity. So, if you are into InfoSec, this is a great place to start to examine all of the possible paths. I should mention at this stage that it doesn’t cover each area exhaustively: you will only be required to understand an overview of how each area works, and then, in more depth, the security considerations for that area.
Ok, let’s skirt the perimeter and take a look at the structure of the information we need to learn. This information is defined as the Common Body of Knowledge (CBK). At the time of writing the CBK breaks down into 10 sub-categories (or domains, to use the official terminology); ISC2 has since consolidated these into 8 domains, but the topics below are still the ones you need to know. The 10 domains are as follows:
- Access Control – The mechanisms that mediate how a subject (a user or process) may access an object (a file, record, device or service), and so control the flow of information between the two.
- Application Development Security – This area delves into application and database security concerns. It highlights common security issues introduced during the development cycle and how these are exploited.
- Business Continuity and Disaster Recovery Planning – What happens when a major incident or disaster takes systems out? How do we maintain, or restore, the availability of systems and data?
- Cryptography – Primarily focused on encryption of information so that it cannot be disclosed in transit or at rest. Cryptography is also used in operations which ensure integrity (hashes, message authentication codes and digital signatures) and which authenticate the origin of data.
- Information Security Governance and Risk Management – How does an organisation manage its security policies, risks and people?
- Legal, Regulations, Investigations and Compliance – The long arm of the law: how we can use it, and how it can be used against us.
- Operations Security – Security of the administration and maintenance of networks, systems and applications.
- Physical (Environmental) Security – The tangibles: security of things which can be seen, touched, stolen, burnt or flooded.
- Security Architecture and Design – Expect to discuss hardware (CPUs, memory, etc.) and operating system design, as well as the security models and evaluation criteria built on them.
- Telecommunications and Network Security – WANs, LANs, MANs and PANs, and the protocols and devices that connect them.
Throughout each of these domains we can reinforce, at every stage, how each control supports the three primary objectives of Information Security. These are:
- C – Confidentiality – The objective of preventing disclosure of information to those not authorised to see it.
- I – Integrity – The objective of ensuring that the data presented to a consumer is accurate, in that it has not been maliciously or inadvertently altered at any point.
- A – Availability – The objective of ensuring that data and systems are available for use when they are required.
This is known as the CIA Triad and as you explore the CBK, these should always be kept in mind.
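The Cryptography domain above notes that encryption protects confidentiality while integrity needs its own operation, and the triad makes the same point: the two objectives are separate. The following is an added example, not code from the original post, that shows why. It uses a toy stream cipher (SHA-256 run in counter mode, an assumption chosen so the script runs with the standard library only; a real system would use AES-GCM or ChaCha20-Poly1305) and a constructed sample payment message. An attacker who knows the message layout can flip bits in the ciphertext and change the decrypted amount without ever learning the key, so confidentiality held but integrity did not. Adding an HMAC tag over the ciphertext (encrypt-then-MAC) is the integrity control that catches the edit.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key, nonce, counter). Illustration only;
    this is an assumed stand-in for a real stream cipher, not a recommendation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher style XOR with the keystream; the same call encrypts and decrypts.
    This gives confidentiality only: nothing here detects modification."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: an HMAC-SHA256 over nonce and ciphertext is the integrity control."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt for confidentiality, then tag for integrity. Returns (nonce, ciphertext, tag)."""
    nonce = os.urandom(12)
    ciphertext = xor_crypt(enc_key, nonce, plaintext)
    return nonce, ciphertext, tag(mac_key, nonce, ciphertext)


def open_protected(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes, received_tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; refuse altered messages."""
    if not hmac.compare_digest(received_tag, tag(mac_key, nonce, ciphertext)):
        raise ValueError("integrity check failed: message altered in transit")
    return xor_crypt(enc_key, nonce, ciphertext)


def bit_flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's edit. XORing (old ^ new) into the ciphertext at a known offset
    changes the decrypted plaintext from `old` to `new` without knowing the key."""
    edited = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[offset + i] ^= o ^ n
    return bytes(edited)


def demo() -> dict:
    enc_key = os.urandom(32)
    mac_key = os.urandom(32)
    message = b"PAY 0100 TO ALICE"  # constructed sample; the amount sits at offset 4
    nonce, ct, t = protect(enc_key, mac_key, message)

    # Attacker rewrites the amount in the ciphertext; the key stays secret throughout.
    forged_ct = bit_flip(ct, 4, b"0100", b"9100")

    # Confidentiality alone: the receiver decrypts the forgery and gets a valid-looking message.
    unauthenticated = xor_crypt(enc_key, nonce, forged_ct)

    # Confidentiality plus integrity: the tag no longer matches and the forgery is rejected.
    try:
        open_protected(enc_key, mac_key, nonce, forged_ct, t)
        detected = False
    except ValueError:
        detected = True

    return {
        "roundtrip": open_protected(enc_key, mac_key, nonce, ct, t) == message,
        "ciphertext_hides_message": ct != message,
        "unauthenticated_forgery": unauthenticated,
        "forgery_detected_by_mac": detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and the unauthenticated decryption comes back as `PAY 9100 TO ALICE` with no error, while the tagged version raises. The point to carry through the rest of the CBK is that each control maps to specific objectives in the triad; encryption on its own buys C, not I, and availability is not addressed by either.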
UPDATE: Further blogs on the CISSP are unscheduled and may come in an ad-hoc fashion. The sheer magnitude of the content of the certification is mind-boggling, and it would take a significant amount of time to essentially re-cover what so many others have already covered so well. For further reading, search on Google for Shon Harris and Ed Tittel. Great training resources for the CISSP.