CISSP is a conceptual exam, that needs a reasonable, prudent person with a managerial mindset. CISSP candidate needs to build his or her mentality around the following general bullet points and apply it on each and every domain.
The list is by no means a full list. The list below is written by me from my humble experience in the info. sec and the CISSP study guides and experts inputs and ideas.
– Security can never and should never preempt safety. People are the utmost important asset in you organization.
– Security professionals are not the ultimate decision-makers; it suits them accurately to be described as reflectors who can represent their recommendations to the senior management regarding security initiatives.
-Senior management on the other side are ultimately responsible for approving, steering and overseeing security projects within their corporation.
They are the ones who held liable for failing to experience due-care and due-diligence concepts. If your CEO told you “this year’s budget for security is 0$” “0$ it is”, eventually he is the one who can get sued when his staff falls off the stairs, because there was no “CAUTION: Wet Area” yellow sign.
-Security people should always be prudent, take initiatives and see what other people can’t see.
-Your organization is not here to merely invest on security, it’s in the market ONLY to make profit, security is just another function subject to ROI calculations. So your controls needs to be evaluated against these ROI calculations, so only the most cost effective controls are being selected.
-Security is all about maintaining the CIA triad, threats/risks against this triad should be assessed all the way down the security journey.
-Security is a PROGRAM which is being broken into PROJECTS. You can not treat security as merely a project.
– Your internal staff is the deadliest threat to your security, be aware of them.
-There’s NO way you can totally eliminate risk, you will do your best efforts to mitigate it with the most cost effective manner.
-Be it, a technical control or physical control, building those controls around defense-in-depth methodologies is always the best thing to do for your organization.
-Complexity is the security’s biggest enemy. Make it simple.
-You can not install a firewall in your back server room and call it a day “we’re safe now”. Planning. Planning. Planning. A security program without a plan, is just mess, ad-hoc kind of thing, that leads only to one way: a false sense of security.
-Risk assessment is about identifying threats and vulnerabilities to determine appropriate security controls. While risk analysis provides cost/benefit comparison to security controls (this is where qualitative/quantitative concepts applies). However only senior management will agree on those controls. Our part is to hand it to them.
-You can’t tell your senior management “we are facing XSS attacks on our infrastructure so we need an application layer7 firewall” the senior management only understand figures, numbers and charts.
-Each and every member of your organization is part of your security program umbrella (from the janitor up to the CEO)
-Relativity as it applies to physics, it also applied to info. sec. Security goals for military missions can’t be the same as those of the pizza restaurants. Also the CIA triad is relative to each organization, e.g military facilities care more about the “C” of the triad, while finance and call centers care more about the triad’s “I” and “A” respectively and so on.
-Security needs to be periodically audited and refined. Some times your biggest enemy would the “false sense of security”
-Compliance to the country’s laws and legislation surpasses those of the company.
-Ethics and morals is what makes a security professional and security professional.