CISSP Study Notes: Chapter 1, Security Governance Through Principles and Policies

February 11, 2021

Three principles of security: the CIA triad (Confidentiality, Integrity, Availability)

Confidentiality: ensure the secrecy of data, objects and resources. Typical violations: incorrectly implemented encrypted transmission, failure to verify identity before granting access, open or insecure access points, documents left on a printer, walking away from a terminal while it still displays data.

Integrity: protect the reliability and correctness of data and prevent unauthorized modification. Measures: strict access control, rigorous authentication, intrusion detection, data encryption, hash total verification, interface restrictions, input checks, and personnel training.
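One of the integrity measures listed above, hash total verification, has a caveat worth seeing in code: an unkeyed hash detects accidental corruption, but an attacker who can rewrite the data can recompute the hash too, so deliberate tampering needs a keyed tag (an HMAC) whose secret the attacker does not hold. The following Python is an added example written for these notes, not code from the original post; the record, the tampering step and the shared key are constructed for the demonstration.

```python
"""Integrity check with an unkeyed hash versus a keyed MAC.

Added example, not from the original notes. The key and the messages are
constructed for the demonstration.
"""
import hashlib
import hmac

# Constructed secret shared by the sender and the verifier (assumption: in a
# real system it comes from a key store, never from a source file).
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def sha256_digest(data: bytes) -> bytes:
    """Unkeyed hash total: detects accidental corruption only."""
    return hashlib.sha256(data).digest()


def hmac_tag(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Keyed tag: detects corruption and deliberate tampering by anyone without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes, expected_fn) -> bool:
    """Recompute the tag and compare in constant time, so the check itself
    does not leak the expected tag byte by byte."""
    return hmac.compare_digest(expected_fn(data), tag)


def tamper(data: bytes) -> bytes:
    """Adversary edits the record in transit (here: changes the amount)."""
    return data.replace(b"amount=100", b"amount=9000")


def demo() -> dict:
    record = b"payee=alice;amount=100;ref=7781"  # constructed message
    results = {}

    # 1. Unkeyed hash: a modified record no longer matches the stored hash ...
    h = sha256_digest(record)
    results["sha256_detects_modification"] = not verify(tamper(record), h, sha256_digest)

    # 2. ... but an attacker who can replace the stored/transmitted hash as well
    #    simply recomputes it, and the verifier accepts the forgery.
    forged = tamper(record)
    results["sha256_fooled_by_recomputed_hash"] = verify(
        forged, sha256_digest(forged), sha256_digest
    )

    # 3. Keyed MAC: the attacker can alter the record but cannot produce a valid
    #    tag without SHARED_KEY, so both the edit and a tag made with a guessed
    #    key are rejected.
    t = hmac_tag(record)
    results["hmac_accepts_original"] = verify(record, t, hmac_tag)
    results["hmac_rejects_modification"] = not verify(forged, t, hmac_tag)
    attacker_tag = hmac.new(b"wrong-key", forged, hashlib.sha256).digest()
    results["hmac_rejects_forged_tag"] = not verify(forged, attacker_tag, hmac_tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical rule this illustrates: a plain hash published next to the data it protects is a checksum, not an integrity control against an adversary; for tamper detection the tag must depend on a secret the attacker cannot reach (or be a signature over the hash).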

Availability: authorized subjects are granted timely and uninterrupted access to objects. Typical violations: accidental deletion of files, over-utilization of hardware or software, insufficient resource allocation, mislabeling or incorrect classification of objects.

AAA services:
Authentication
Authorization
Accounting/Auditing

AAA actually represents five elements:
identification: user name, card number, process ID, ...
authentication: verifying the claimed identity with one or more factors
authorization: access matrix (which subject may perform which action on which object)
auditing: tracking and recording subject operations
accounting (accountability): reviewing the audit records to hold subjects responsible for their actions

Protection mechanisms:
layering: defense in depth; the failure of a single control does not expose the system or its data
abstraction: handle similar objects with the same controls, improving efficiency
data hiding: keep data invisible to subjects not cleared to access it
encryption

Security management planning: strategic plan (long term, roughly five years), tactical plan (roughly one year), operational plan (short term, detailed)

Organizational processes:
change control/change management
data classification; the two common schemes are the government/military classification and the commercial/private sector classification.

Government/Military classification (highest to lowest): Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
Commercial/Private sector classification (highest to lowest): Confidential, Private, Sensitive, Public

Organizational roles: senior manager, security professional, data owner, user, auditor

STRIDE (threat categorization scheme developed by Microsoft):
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

PASTA (Process for Attack Simulation and Threat Analysis), seven stages:
1. Definition of the Objectives (DO) for the analysis of risks
2. Definition of the Technical Scope (DTS)
3. Application Decomposition and Analysis (ADA)
4. Threat Analysis (TA)
5. Weakness and Vulnerability Analysis (WVA)
6. Attack Modeling and Simulation (AMS)
7. Risk Analysis and Management (RAM)

Prioritization of identified threats: probability × potential loss (the same likelihood × impact product used for risk ranking)

My chapter exercises: 20 questions, 16 correct.


Source: blog.51cto.com/314837/2626010