CISSP All-in-One Exam Guide Chapter 1 Summary PDF
Summary
This document is a chapter from a CISSP study guide covering cybersecurity fundamentals and security governance principles. It highlights the importance of people in achieving a robust security posture, discussing security objectives and various security elements, risks, threats, and solutions. It also covers the concept of information security management systems (ISMS) and enterprise security architectures.
Full Transcript
CISSP All-in-One Exam Guide 46

7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Chapter Review

This chapter laid out some of the fundamental principles of cybersecurity: the meaning of security, how it is governed, and the means by which it is implemented in an enterprise. It then focused on the most important aspect of security: people. They are the most important asset to any organization and can also be the greatest champions, or underminers, of cybersecurity. The difference lies in who we hire, what roles we assign to them, and how we train them. Bring the right people into the right seats and train them well and you’ll have a robust security posture. Do otherwise at your own peril.

Our collective goal in information systems security boils down to ensuring the availability, integrity, and confidentiality of our information in an environment rich in influencers. These include organizational goals, assets, laws, regulations, privacy, threats, and, of course, people. Each of these was discussed in some detail in this chapter. Along the way, we also covered tangible ways in which we can link security to each of the influencers. As CISSPs we must be skilled in creating these linkages, as we are trusted to be able to apply the right solution to any security problem.

Quick Review

The objectives of security are to provide confidentiality, integrity, availability, authenticity, and nonrepudiation.
Confidentiality means keeping unauthorized entities (be they people or processes) from gaining access to information assets.
Integrity means that an asset is free from unauthorized alterations.
Availability protection ensures reliable and timely access to data and resources for authorized individuals.
Authenticity protections ensure we can trust that something comes from its claimed source.
Nonrepudiation, which is closely related to authenticity, means that someone cannot disavow being the source of a given action.
A vulnerability is a weakness in a system that allows a threat source to compromise its security.

Chapter 1: Cybersecurity Governance 47

A threat is any potential danger that is associated with the exploitation of a vulnerability.
A threat source (or threat agent, or threat actor) is any entity that can exploit a vulnerability.
A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact.
A control, or countermeasure, is put into place to mitigate (reduce) the potential risk.
Security governance is a framework that provides oversight, accountability, and compliance.
An information security management system (ISMS) is a collection of policies, procedures, baselines, and standards that an organization puts in place to make sure that its security efforts are aligned with business needs, streamlined, and effective, and that no security controls are missing.
An enterprise security architecture implements an information security strategy and consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally.
An enterprise security architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
Security governance is a framework that supports the security goals of an organization being set and expressed by senior management, communicated throughout the different levels of the organization, and consistently applied and assessed.
Senior management always carries the ultimate responsibility for the organization.
A security policy is a statement by management dictating the role security plays in the organization.
Standards are documents that describe specific requirements that are compulsory in nature and support the organization’s security policies.
A baseline is a minimum level of security.
Guidelines are recommendations and general approaches that provide advice and flexibility.
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
Job rotation and mandatory vacations are administrative security controls that can help detect fraud.
Separation of duties ensures no single person has total control over a critical activity or task.
Split knowledge and dual control are two variations of separation of duties.
Social engineering is an attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.
Security awareness training should be comprehensive, tailored for specific groups, and organization-wide.
Gamification is the application of elements of game play to other activities such as security awareness training.
Security champions are members of an organization who, though their job descriptions do not include security, inform and encourage the adoption of security practices within their own teams.
Professional ethics codify the right ways for a group of people to behave.

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. Keep in mind that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer. Instead, the candidate should look for the best answer in the list.

1. Which factor is the most important item when it comes to ensuring security is successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees

Use the following scenario to answer Questions 2–4. Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.