The security architecture and design domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability.
Information security architecture and design covers the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization’s security processes, information security systems, personnel and organizational sub-units, so that these practices and processes align with the organization’s core goals and strategic direction.
The candidate is expected to understand security models in terms of confidentiality, integrity, information flow; system models in terms of the Common Criteria (CC); technical platforms in terms of hardware, firmware, and software; and system security techniques in terms of preventative, detective, and corrective controls.
Understand the fundamental concepts of security models (e.g., confidentiality, integrity, and multilevel models).
Understand the components of information systems security evaluation models.
1. Product evaluation models such as Common Criteria
2. Industry and international security implementation guidelines such as PCI-DSS and ISO
Understand security capabilities of information systems (e.g., memory protection, virtualization, and trusted platform module).
Understand the vulnerabilities of security architectures.
1. Systems such as covert channels, state attacks, and emanations
2. Technology and process integration such as single point of failure and service-oriented architecture (SOA)
Understand software and system vulnerabilities and threats.
1. Web-based vulnerabilities/threats such as XML, SAML, and those catalogued by OWASP
2. Client-based vulnerabilities/threats such as applets
3. Server-based vulnerabilities/threats such as data flow control
4. Database security such as inference, aggregation, data mining, and data warehousing
5. Distributed systems such as cloud computing, grid computing, and peer-to-peer computing
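Item 4 above names inference and aggregation as database security problems. The following added example (written for this page, not taken from it) shows the classic aggregation attack against a statistics-only interface, and the query-set-size control that blocks it. The table contents, the department names, the minimum query-set size `MIN_QUERY_SET` and the function names are all constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the page): a small HR table.
# The statistical interface is supposed to expose only aggregates, never rows.
EMPLOYEES = [
    ("alice", "research", 98000),
    ("bob", "research", 91000),
    ("carol", "research", 87000),
    ("dave", "finance", 72000),
    ("erin", "finance", 75000),
    ("frank", "finance", 71000),
    ("grace", "legal", 120000),  # the only employee in legal: the inference target
]

MIN_QUERY_SET = 3  # hypothetical policy parameter k for query-set-size control


class InferenceControlError(Exception):
    """Raised when an aggregate query would cover too few (or too many) rows."""


def build_db():
    """Return an in-memory SQLite database loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees(name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def naive_aggregate(conn, func, where="1=1", params=()):
    """Aggregate-only interface with no inference control.

    Callers pass fixed predicates with bound parameters, so injection is not
    the issue here; the weakness is that aggregates over arbitrary subsets
    of rows are permitted.
    """
    assert func in ("SUM", "COUNT", "AVG")
    sql = f"SELECT {func}(salary) FROM employees WHERE {where}"
    return conn.execute(sql, params).fetchone()[0]


def infer_salary_naive(conn, dept):
    """Aggregation attack: two permitted aggregates reveal one person's salary.

    SUM over everyone minus SUM over everyone not in `dept` equals the salary
    of the department's single member, although no row was ever returned.
    """
    total = naive_aggregate(conn, "SUM")
    without = naive_aggregate(conn, "SUM", "dept != ?", (dept,))
    return total - without


def controlled_aggregate(conn, func, where="1=1", params=()):
    """Same interface with query-set-size control: permit only k <= n <= N - k.

    Rejecting very large query sets matters as much as rejecting very small
    ones, because the complement of a large set is a small set.
    """
    assert func in ("SUM", "COUNT", "AVG")
    n_total = conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]
    n = conn.execute(f"SELECT COUNT(*) FROM employees WHERE {where}", params).fetchone()[0]
    if n < MIN_QUERY_SET or n > n_total - MIN_QUERY_SET:
        raise InferenceControlError(
            f"query set of {n} rows violates {MIN_QUERY_SET} <= n <= {n_total - MIN_QUERY_SET}"
        )
    sql = f"SELECT {func}(salary) FROM employees WHERE {where}"
    return conn.execute(sql, params).fetchone()[0]


def infer_salary_controlled(conn, dept):
    """The same attack against the controlled interface; None means it was blocked."""
    try:
        total = controlled_aggregate(conn, "SUM")
        without = controlled_aggregate(conn, "SUM", "dept != ?", (dept,))
    except InferenceControlError:
        return None
    return total - without


if __name__ == "__main__":
    db = build_db()
    print("naive interface leaks:", infer_salary_naive(db, "legal"))
    print("controlled interface:", infer_salary_controlled(db, "legal"))
```

Query-set-size control on its own is a weak defence: an attacker who can find a predicate matching a mid-sized set (a "tracker") can rebuild the small-set answers from permitted queries, so in practice it is combined with query auditing, result perturbation, or differential privacy.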
Understand countermeasure principles such as defense-in-depth.
DOMAIN 7: SECURITY OPERATIONS
The security operations domain is used to identify critical information and to execute selected measures that eliminate or reduce adversary exploitation of that information. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and the subsequent actions that identify the key elements and report the pertinent information to the appropriate individual, group, or process.
The candidate is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice.
Understand security operations concepts.
1. Need-to-know/least privilege
2. Separation of duties and responsibilities
3. Monitor special privileges (e.g., operators and administrators)
4. Job rotation
5. Marking, handling, storing, and destroying of sensitive information
6. Record retention
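Items 1 and 3 above (need-to-know/least privilege, and monitoring the special privileges of operators and administrators) are usually enforced together: a written policy of who may run what, and a detection that compares privileged activity against it. The following is an added example, not part of the original outline, that reviews sudo log lines in the syslog format sudo actually emits. The log lines, the `ALLOWED` policy table, the shell list and the `CHANGE_WINDOW` hours are all constructed for the example.

```python
import re

# Constructed sample log lines in the format sudo writes via syslog (not from the page).
SAMPLE_LOG = """\
Mar 14 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 14 09:13:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 14 09:15:02 web01 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=postgres ; COMMAND=/usr/bin/psql
Mar 14 09:16:30 web01 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 14 23:40:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Hypothetical least-privilege policy: (run-as user, binary) each operator may use.
ALLOWED = {
    "alice": {("root", "/usr/bin/systemctl")},
    "carol": {("postgres", "/usr/bin/psql")},
}
# Interactive shells defeat command-level least privilege and are always reviewed.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}
CHANGE_WINDOW = (8, 18)  # hypothetical: privileged changes are expected 08:00-18:00

# One sudo record: optional failure reason, then the TTY/PWD/USER/COMMAND fields.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<fail>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo(line):
    """Parse one sudo syslog line into a dict, or return None if it is not one."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["ts"][-8:-6])      # HH from the syslog timestamp
    rec["binary"] = rec["cmd"].split()[0]    # the executable, without arguments
    return rec


def review_privileged_use(log_text):
    """Return (user, finding, command) tuples for every line that needs review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo(line)
        if rec is None:
            continue
        user, runas, binary = rec["user"], rec["runas"], rec["binary"]
        if rec["fail"]:
            # sudo refused it; still worth knowing who tried what
            findings.append((user, "denied: " + rec["fail"], rec["cmd"]))
            continue
        if binary in SHELLS:
            findings.append((user, f"interactive shell as {runas}", rec["cmd"]))
        elif (runas, binary) not in ALLOWED.get(user, set()):
            findings.append((user, f"outside least-privilege policy as {runas}", rec["cmd"]))
        if not (CHANGE_WINDOW[0] <= rec["hour"] < CHANGE_WINDOW[1]):
            findings.append((user, "outside change window", rec["cmd"]))
    return findings


if __name__ == "__main__":
    for user, finding, cmd in review_privileged_use(SAMPLE_LOG):
        print(f"{user:6} {finding:40} {cmd}")
```

The same approach extends to `su`, PAM and cloud audit trails: keep the allow-list outside the code, treat a denied attempt and an unrestricted shell as findings in their own right, and feed the output into the incident response process rather than only into a report.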
Employ resource protection.
1. Media management
2. Asset management (e.g., equipment life cycle and software licensing)
Manage incident response.
1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review (e.g., root cause analysis)
Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, and denial-of-service).
Implement and support patch and vulnerability management.
Understand change and configuration management (e.g., versioning and baselining).
Understand system resilience and fault tolerance requirements.
DOMAIN 8: BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING
The business continuity planning (BCP) and disaster recovery planning (DRP) domain addresses the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the preparation, testing, and updating of specific actions to protect critical business processes from the effect of major systems and network failures.