Program permissions such as the right to execute a program on an application server
Data rights such as the right to retrieve or update information in a database
The candidate should fully understand access control concepts, methodologies, and implementation within centralized and decentralized environments across the enterprise’s computer systems. Access control techniques and detective and corrective measures should be studied to understand the potential risks, vulnerabilities, and exposures.
Control access by applying the following concepts/methodologies/techniques.
1. Policies
2. Types of controls such as preventive, detective, and corrective
3. Techniques such as nondiscretionary, discretionary, and mandatory
4. Identification and authentication
5. Decentralized/distributed access control techniques
6. Authorization mechanisms
7. Logging and monitoring
Understand access control attacks.
1. Threat modeling
2. Asset valuation
3. Vulnerability analysis
4. Access aggregation
Assess effectiveness of access controls.
1. User entitlement
2. Access review and audit
Identity and access provisioning life cycle such as provisioning, review, and revocation.
DOMAIN 2: TELECOMMUNICATIONS AND NETWORK SECURITY
The telecommunications and network security domain encompasses the structures, techniques, transport protocols, and security measures used to provide integrity, availability, confidentiality, and authentication for transmissions over private and public communications networks and media.
The candidate is expected to demonstrate an understanding of communications and network security as it relates to data communications in local-area and wide-area networks, remote access, Internet/intranet/extranet configurations, and other network equipment (such as switches, bridges, and routers), protocols (such as TCP/IP), VPNs, and techniques (such as the correct use and placement of firewalls and IDS) for preventing and detecting network-based attacks.
Understand secure network architecture and design such as IP and non-IP protocols, and segmentation.
1. OSI and TCP/IP models
2. IP networking
3. Implications of multi-layer protocols
Secure network components.
1. Hardware such as modems, switches, routers, and wireless access points
2. Transmission media such as wired, wireless, and fiber
3. Network access control devices such as firewalls and proxies
4. End-point security
Establish secure communication channels such as VPN, TLS/SSL, and VLAN.
1. Voice such as POTS, PBX, and VoIP
2. Multimedia collaboration such as remote meeting technology and instant messaging
3. Remote access such as screen scraper, virtual application/desktop, and telecommuting
4. Data communications
Understand network attacks such as DDoS and spoofing.
DOMAIN 3: INFORMATION SECURITY GOVERNANCE AND RISK MANAGEMENT
The information security governance and risk management domain entails the identification of an organization’s information assets and the development, documentation, implementation, and updating of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and rate their vulnerabilities so that effective security measures and controls can be implemented.
The candidate is expected to understand the planning, organization, and roles and responsibilities of individuals in identifying and securing an organization’s information assets; the development and use of policies stating management’s views and position on particular topics, and the use of guidelines, standards, and procedures to support the policies; security training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary, and private information; third party management and service level agreements related to information security; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.
Understand and align security function to goals, mission, and objectives of the organization.
Understand and apply security governance.
1. Organizational processes such as acquisitions, divestitures, and governance committees
2. Security roles and responsibilities
3. Legislative and regulatory compliance
4. Privacy requirements compliance
5. Control frameworks
6. Due care
7. Due diligence
Understand and apply concepts of confidentiality, integrity, and availability.
Develop and implement security policy.
1. Security policies