Domain 1: Security and Risk Management
Study Notes
Everything CISSP and everything SECURITY revolves around the CIA TRIAD.
Confidentiality
Integrity
Availability
Confidentiality
- Goal: Don't let anyone see or disclose the data without authorization, otherwise what's the point of having it?
- Encryption, data classification, privacy, secrecy, isolation, seclusion

Integrity
- Goal: Don't let anyone change the data without authorization, otherwise what's the point of having it?
- No unauthorized alterations to data, accuracy, validity, nonrepudiation, accountability, protection against accidental mistakes as well as deliberate tampering

Availability
- Goal: Make sure data can be accessed whenever needed, otherwise what's the point of having it?
- High availability, failover, redundancy, no interruptions to service, 99.99% uptime, backups, DDoS protection
The CIA Triad
CIA - Confidentiality, Integrity, and Availability. It is the basis of all security policies.
Confidentiality, integrity, and availability are all really important, but there are also these related concepts:

Identification
- Identification is not the same as authentication. This is just the claim of who you are - things like a username, but not the password. Nothing has been proven yet.
Authentication
- Authentication is when you prove the claimed identity, for example by entering the password (that only you should know) to verify your username or identification. A password is something you know; a token (something you have) or a fingerprint (something you are) are the other factor types.
Authorization
- After authentication, authorization is what allows you access to just the objects you need to do your job - nothing less, nothing more. Need-to-know and least privilege are concepts that belong in authorization, and a sound authorization system denies by default: anything not explicitly granted is refused.
Logging and Auditing
- Without logging and auditing, there would be little point in authentication or authorization, because nobody could tell what a subject actually did afterwards. We need proper logging and auditing in order to track user or system actions for compliance or general investigative requirements. A useful audit record captures who, what, when and the outcome (allowed or denied), and the log itself must be protected from the subjects it records.
Accountability
- Accountability is the result of proper identification, authentication, logging and auditing controls working together. Accountability makes sure that users performing unauthorized actions are held responsible, or at least properly identified.
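The chain above (identify, authenticate, authorize, log, hold accountable) as one worked example. This is added example code, not from these notes or from (ISC)²; the user names, roles and the permission table are made up for illustration, and the password hashing is simplified to salted SHA-256 so it runs with only the standard library, where a production system would use a slow, memory-hard KDF such as argon2id or bcrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// User is the record each step of the chain consults: the name is the
// identification claim, the salted hash is what authentication checks,
// and the role drives authorization.
type User struct {
	Name string
	Salt []byte
	Hash []byte // sha256(salt || password); use argon2id/bcrypt in production
	Role string
}

// rolePermissions lists, per role, exactly the actions that role may take.
// Anything absent is denied: that is least privilege in table form.
// (Hypothetical roles and actions, constructed for this example.)
var rolePermissions = map[string]map[string]bool{
	"analyst": {"read:alerts": true, "read:logs": true},
	"admin":   {"read:alerts": true, "read:logs": true, "write:config": true},
}

// AuditEvent is what accountability rests on: who, what, when, and the outcome.
type AuditEvent struct {
	Time    time.Time
	Subject string
	Action  string
	Allowed bool
	Reason  string
}

// auditLog stands in for an append-only log store the subjects cannot edit.
var auditLog []AuditEvent

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewUser enrolls a user with a fresh random salt.
func NewUser(name, password, role string) User {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return User{Name: name, Salt: salt, Hash: hashPassword(salt, password), Role: role}
}

// Authenticate verifies the identification claim with something only that
// user should know. The compare is constant-time so a failed attempt does not
// leak how many bytes of the hash matched.
func Authenticate(users map[string]User, name, password string) (User, bool) {
	u, ok := users[name]
	if !ok {
		hashPassword(make([]byte, 16), password) // keep timing similar for unknown names
		return User{}, false
	}
	if subtle.ConstantTimeCompare(u.Hash, hashPassword(u.Salt, password)) != 1 {
		return User{}, false
	}
	return u, true
}

// Authorize is deny-by-default: only actions granted to the role are allowed.
func Authorize(u User, action string) bool {
	return rolePermissions[u.Role][action]
}

// Access runs the whole chain and records the decision either way, so an
// investigation can later attribute the attempt to a subject.
func Access(users map[string]User, name, password, action string) bool {
	u, authed := Authenticate(users, name, password)
	if !authed {
		record(name, action, false, "authentication failed")
		return false
	}
	allowed := Authorize(u, action)
	reason := "granted to role " + u.Role
	if !allowed {
		reason = "not granted to role " + u.Role
	}
	record(u.Name, action, allowed, reason)
	return allowed
}

func record(subject, action string, allowed bool, reason string) {
	auditLog = append(auditLog, AuditEvent{Time: time.Now().UTC(), Subject: subject,
		Action: action, Allowed: allowed, Reason: reason})
}

func main() {
	users := map[string]User{"alice": NewUser("alice", "correct horse battery staple", "analyst")}
	fmt.Println(Access(users, "alice", "correct horse battery staple", "read:alerts"))  // true
	fmt.Println(Access(users, "alice", "correct horse battery staple", "write:config")) // false: not her job
	fmt.Println(Access(users, "alice", "wrong password", "read:alerts"))                // false: not authenticated
	for _, e := range auditLog {
		fmt.Printf("%s subject=%s action=%s allowed=%v reason=%q\n",
			e.Time.Format(time.RFC3339), e.Subject, e.Action, e.Allowed, e.Reason)
	}
}
```

Note that the denied attempts are logged just like the allowed one; a log that only records successes cannot support accountability for what was tried.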
Nonrepudiation
- Nonrepudiation is a great concept. If someone does something malicious on a system, nonrepudiation controls make sure that person cannot deny it was them who performed the malicious action. It is a way to undeniably verify the sender of a message, or the action of a subject. Digital signatures are the classic nonrepudiation control; a message authentication code computed with a shared secret cannot provide it, because either party holding the secret could have produced the tag.
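Nonrepudiation in code, as an added example that is not from these notes: Alice signs a message with an Ed25519 private key that only she holds, so a valid signature proves she sent exactly that message, and any tampering breaks verification. The HMAC half shows why a shared-secret MAC gives integrity and authenticity but not nonrepudiation: Bob, who also holds the key, can produce a valid tag for a message Alice never sent. The party names and message text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds a long-term Ed25519 key pair. Only the private key can sign;
// the public key is handed to anyone who needs to verify.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Name: name, Pub: pub, priv: priv}
}

// Sign binds the message to the signer's private key.
func (p Party) Sign(msg []byte) []byte {
	return ed25519.Sign(p.priv, msg)
}

// VerifySignature succeeds only for a signature made with the matching private
// key over exactly this message; that is what lets a third party settle a dispute.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MAC proves the message is intact and came from someone holding the key.
// Both sender and receiver hold it, so it cannot show which of them sent it.
func MAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func VerifyMAC(key, msg, tag []byte) bool {
	return hmac.Equal(tag, MAC(key, msg))
}

// Scenario returns four verification outcomes:
//   sigValid         - Alice's genuine signature over her message verifies
//   sigTamperedValid - the same signature over an altered message does not
//   macValid         - a genuine HMAC tag verifies
//   macForgedValid   - a tag Bob made for a message Alice never sent also verifies,
//                      which is why a shared-key MAC gives no nonrepudiation
func Scenario() (sigValid, sigTamperedValid, macValid, macForgedValid bool) {
	alice := NewParty("alice")
	msg := []byte("transfer 100 to bob")     // constructed sample message
	altered := []byte("transfer 900 to bob") // attacker's edit of the same message

	sig := alice.Sign(msg)
	sigValid = VerifySignature(alice.Pub, msg, sig)
	sigTamperedValid = VerifySignature(alice.Pub, altered, sig)

	shared := make([]byte, 32) // key both Alice and Bob hold
	if _, err := rand.Read(shared); err != nil {
		panic(err)
	}
	macValid = VerifyMAC(shared, msg, MAC(shared, msg))
	forged := MAC(shared, altered) // Bob can compute this himself
	macForgedValid = VerifyMAC(shared, altered, forged)
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Printf("signature verifies: %v, tampered verifies: %v\n", a, b) // true, false
	fmt.Printf("MAC verifies: %v, receiver-forged MAC verifies: %v\n", c, d) // true, true
}
```

For the signature to carry weight in a dispute, the private key must be generated and kept where only Alice can use it (a smart card, TPM or HSM), and her public key must be bound to her identity through a certificate or another trusted registration step; the code above assumes both.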
Defense-in-depth
- Also known as a layered approach to security.
- Put as many independent security controls as practical between a critical asset and an intruder, so that the failure or bypass of any single control (a firewall rule, a password, a missing patch) does not by itself expose the asset.

(Defense-in-depth graphic and its video explanation are not reproduced in these notes.)
The Four Canons of the CISSP Code of Ethics
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
What Affects and Protects the CIA?
Availability
Risks: Denial of service attacks, hardware failure, disasters
Countermeasures: Physical security, failover or redundant systems, warm/cold/hot sites, RAID and backups (RAID keeps a system running through a disk failure but is not a backup; only backups restore data after deletion, corruption or ransomware), fault tolerance, eliminating any single points of failure

Integrity