Wednesday, February 20, 2008

Security Management Introduction

The responsibilities of a Security Manager:

* What data is valuable and needs to be protected.
* Who is responsible for protecting it.
* Define actions for the employees, and consequences for non-compliance.
* What role security will play in the organization.

Information Security is NOT a technical issue. It is a management issue that may require technical solutions.

To create security -> Planned, Designed, Implemented and Maintained

Applied top-down.

Security has to be in line with business objectives.

If the company is damaged by an attacker, the Security Manager will have the responsibility of giving explanations.

The best security practices implemented in any technical area are:
Policy, change control and configuration management, training and awareness.

Monday, February 11, 2008

CISSP 10 Domains Overview

Here you can see the main concepts of each domain.

Access Control Systems and Methodology

Mechanisms and methods used to enable administrators and managers to control what subjects can access.
* Identification, Authentication, Authorization, Monitoring.
* Access Control Administration.
* Categories and Controls.
* Control Threats and Measures.
* Data ownership.
* Attacks against Access Control.
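The four steps in the first bullet above (identification, authentication, authorization, monitoring) as a small Python example added here; it is not code from the original post. It assumes a constructed in-memory user store (`USERS`), a role-to-object permission matrix (`PERMISSIONS`) and an in-memory audit list (`AUDIT_LOG`); the user names, passwords and roles are made up for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a leaked store is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store (sample data only): identification is by username,
# authentication by password hash, and each subject carries one role.
USERS = {
    "alice": make_user("correct horse battery staple", "analyst"),
    "bob": make_user("hunter2", "admin"),
}

# Authorization: access control matrix, role -> object -> permitted actions.
PERMISSIONS = {
    "analyst": {"reports": {"read"}},
    "admin": {"reports": {"read", "write"}, "users": {"read", "write"}},
}

# Monitoring: every decision, allowed or denied, is recorded here.
AUDIT_LOG: list[dict] = []


def _audit(subject: str, action: str, obj: str, outcome: str, reason: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "action": action, "object": obj,
        "outcome": outcome, "reason": reason,
    })


def authenticate(username: str, password: str) -> bool:
    """Identification (username lookup) followed by authentication (password)."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username does not return noticeably faster.
        _hash_password(password, b"\x00" * 16)
        _audit(username, "login", "-", "deny", "unknown subject")
        return False
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        _audit(username, "login", "-", "deny", "bad credentials")
        return False
    _audit(username, "login", "-", "allow", "authenticated")
    return True


def authorize(username: str, action: str, obj: str) -> bool:
    """Authorization: is this action on this object permitted for the subject's role?"""
    role = USERS[username]["role"]
    allowed = action in PERMISSIONS.get(role, {}).get(obj, set())
    _audit(username, action, obj, "allow" if allowed else "deny", f"role={role}")
    return allowed


def access(username: str, password: str, action: str, obj: str) -> bool:
    """Full flow: identify -> authenticate -> authorize, with monitoring throughout."""
    if not authenticate(username, password):
        return False
    return authorize(username, action, obj)


def denied_entries() -> list[dict]:
    """Audit entries an operator would review: every denied decision."""
    return [e for e in AUDIT_LOG if e["outcome"] == "deny"]


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "read", "reports"))   # allowed
    print(access("alice", "correct horse battery staple", "write", "reports"))  # denied
    for entry in denied_entries():
        print(entry)
```

Note that a failed authentication and a failed authorization are logged as different reasons: the first points at credential problems, the second at a subject acting outside its role, which is the kind of signal the "Monitoring" step exists to produce.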

Telecommunications and Network Security

Security of protocols and devices.
* OSI.
* LAN, MAN (metropolitan) and WAN technologies.
* Internet, intranet, extranet.
* VPNs, routers, bridges and repeaters.
* Topologies.
* Network Attacks.
* Network Security Concepts and Risks.
* Business Goals and Network Security.

Security Management Practices

Valuation of company assets to determine the level of protection required, in order to reduce threats and monetary loss.
* Data classification.
* Policies, procedures, standards and guidelines.
* Risk assessment and management.
* Personnel security and awareness.

Applications and Systems Development Security

* Data mining and data warehousing.
* Development practices.
* System storage.
* Malicious code.
* Software Based Controls.
* Software Development Lifecycle and Principles.

Cryptography

Cryptographic technologies, and attacks against cryptography.
* Basic Concepts and Algorithms.
* Symmetric vs. Asymmetric algorithms.
* Signatures and Certification.
* Cryptanalysis.
* PKI.

Security Architecture and Models

Concepts, Principles and Standards for designing and implementing secure applications.
* OS states, kernel functions and memory mapping.
* Security models.
* TCSEC, Trusted Computer System Evaluation Criteria (evaluation criteria).
* Common Criteria and ITSEC.
* Common flaws in applications and systems.
* Principles and Benefits
* Trusted Systems and Computing Base.
* System and Enterprise Architecture.

Operations Security

Controls over personnel, hardware, systems, auditing and monitoring.
* Administrative responsibilities to personnel and jobs.
* Maintenance concepts (AV, FW, auditing).
* Preventive, corrective, and recovery controls.
* Standards.
* Media, Backups and Change Control Management.
* Controls Categories.

Business Continuity Planning and Disaster Recovery Planning

Preservation of business activities when faced with disruptions or disasters.
* Resource identification and value.
* Risk assessment.
* Crisis management.
* Response and Recovery Plans.
* Restoration Activities.
* Plan development, implementation and maintenance.

Laws Investigations and Ethics

* Laws, regulations and crimes.
* Licensing and software piracy.
* Export and import laws and issues.
* Evidence types and admissibility into court.
* Incident handling, and forensics.
* Major Legal Systems
* Common and Civil Law
* Regulations, Laws and Information Security

Physical Security

Threats, risks and countermeasures to protect facilities, hardware, data, media and personnel.
* Restricted areas, authorization methods and controls.
* Sensors and alarms.
* Intrusion detection.
* Fire detection, prevention and suppression.
* Fencing, security guards, and security badge types.
* Layered Physical Defense and Entry Points.
* Site Location Principle.

How to study CISSP

CISSP has many domains (10), but it does not go very deep into any of them: "inch deep and a mile wide".

So it is more important to know all the domains than to go deeper into a few of them.
In all certifications, the most important thing is to take practice exams; studying comes second.
You must take notes about every domain, and don't lose much time on the domains you work in every day.
I don't recommend reading only one book, especially if it is not up to date.

The exam:
* 250 questions, 4 choices and only 1 correct.
* 6 hours. I'm slow with exams, and I did it in 5h20'.
* 225 scored and 25 questions for research purposes.
* You have to score 700 points.

The trick is to learn concepts as word/phrase -> meaning; then it will be easier. For example:
(ISC)2 -> International Information Systems Security Certification Consortium