CISSP PROCESS GUIDE |V.16| made by madunix | SNT FB group | 2018

CISSP PROCESS GUIDE V.16

After passing the CISSP exam, and for the purpose of benefiting others with the knowledge and experience I gained during my study term, I have summarized the main basic concepts in a general overview. I am hoping this consolidation of core concepts and processes will benefit those interested in becoming members of the CISSP study group and community. The intention of this document is to be supplementary, not a replacement for officially published study guides and books. I may have added multiple definitions of the same process or procedure due to the varying definitions from different resources such as the Official CBK, Sybex, NIST publications, SANS papers, or the AIO Shon Harris books. If you encounter any conflicts, please refer to the latest Official CISSP CBK. As a CISSP candidate you should fully understand CISSP concepts, methodologies and their implementations within the organization.

Fadi Sodah (madunix)
Cyber Security Responder (CFR) - Certified Information Systems Security Professional (CISSP) - Certified Information Systems Auditor (CISA) - IBM Certified Advanced Technical Expert (ICATE) - VMWARE certs - Sophos Certs - KEMP Certs - Juniper Certs - Microsoft Certs - Cisco Certs
https://www.linkedin.com/in/madunix/
https://www.experts-exchange.com/members/madunix.html

If you find this document useful and the information valuable, please consider making a donation to help defray the costs of the bandwidth and hosting services required to distribute it. Every little bit helps. To make a contribution, please go to https://www.studynotesandtheory.com/single-post/Donations

Corporate Governance:
Corporate governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.
• Auditing supply chains
• Board and management structure and process
• Corporate responsibility and compliance
• Financial transparency and information disclosure
• Ownership structure and exercise of control rights

5 areas of focus for IT Governance:
• Strategic alignment
• Value delivery
• Resource management
• Risk management
• Performance management

Governance vs. Management:
• Oversight vs. implementation
• Assigning authority vs. authorizing actions
• Enacting policy vs. enforcing policy
• Accountability vs. responsibility
• Strategic planning vs. project planning
• Resource allocation vs. resource utilization
Note: Governance answers "what do we need to accomplish?"; it typically focuses on the alignment of internal requirements such as corporate policies, business objectives, and strategy. Management answers "how?".

Main security requirements and their subcomponents:
• Network Security
•• Confidentiality
•• Integrity
•• Authenticity
•• Availability
• Identity Management
•• Authentication
•• Authorization
•• Accountability
•• Revocation
• Privacy
•• Data Privacy
•• Anonymity
•• Pseudonymity
•• Unlinkability
• Trust
•• Device Trust
•• Entity Trust
•• Data Trust
• Resilience
•• Robustness against attacks
•• Resilience against failures

CIA-AP:
• Confidentiality: The capability of limiting information access and disclosure to authorized clients only.
• Integrity: The capability of preserving the structure and content of information resources.
• Availability: The capability of guaranteeing continuous access to data and resources by authorized clients.
• Authenticity: The capability of ensuring that clients or objects are genuine.
• Privacy: The capability of protecting all information pertaining to the personal sphere of users.

Authorization approval procedure:
• Formalized
• Approval by the direct manager, data owner, and security professional
• Access permissions follow the principle of least privilege
• Balance security with the need for access
• Avoid granting too much privilege (conflicts of interest)
• Remove privilege when no longer needed

Key Metrics to establish BIA:
• SLO
• RPO
• MTD
• RTO
• WRT
• MTBF
• MTTR
• MOR

Business Impact Assessment:
• Identify priorities
• Identify risk
• Likelihood assessment
• Impact assessment
• Resource prioritization
Note: Risk can never be mitigated to zero (there is no such thing as "no risk" or "perfect security").

Business Impact Analysis:
• Identify critical functions
• Identify critical resources
• Calculate MTD for resources
• Identify threats
• Calculate risks
• Identify backup solutions

Business Impact Analysis:
• Select individuals to interview for data gathering
• Create data-gathering techniques
• Identify critical business functions
• Identify resources these functions depend upon
• Calculate how long these functions can survive without these resources
• Identify vulnerabilities and threats
• Calculate the risk for each business function
• Document findings and report them to management

Business Continuity Planning (BCP):
• Project initiation
• Business impact analysis
• Recovery strategy
• Plan design and development
• Implementation
• Testing
• Continual maintenance

BCP (NIST SP 800-34):
• Develop planning policy
• BIA
• Identify preventive controls
• Create contingency strategies
• Develop contingency plan
• Test
• Maintenance

WHY - Business Continuity Planning (BCP):
• Provide an immediate and appropriate response to emergency situations
• Protect lives and ensure safety
• Reduce business impact
• Resume critical business functions
• Work with outside vendors and partners during the recovery period
• Reduce confusion during a crisis
• Ensure survivability of the business
• Get "up and running" quickly after a disaster

DRP vs. BCP:
• BCP - corrective control
• DRP - recovery control
• Both BCP and DRP fall under the category of compensating controls
• BCP is not a preventive control, as it cannot prevent a disaster
• BCP helps in the continuity of organizational functions in the event of a disaster
• BCP - maintaining critical functions during a disruption of normal operations
• DRP - recovering to normal operations after a disruption

Business Continuity Planning (BCP):
• Continuity policy
• Business Impact Assessment (BIA)
• Identify preventive controls
• Develop recovery strategies
• Develop BCP
• Exercise/drill/test
• Maintain BCP

Team:
• Rescue Team: Responsible for dealing with the immediacy of the disaster (employee evacuation, crashing the server room, etc.)
• Recovery Team: Responsible for getting the alternate facility up and running and restoring the most critical services first.
• Salvage Team: Responsible for the return of operations to the original or permanent facility (reconstitution; gets us back to the state of normalcy)

Business Continuity Planning (BCP) Documents:
• Continuity planning goals
• Statement of importance and statement of priorities
• Statement of organizational responsibilities
• Statement of urgency and timing
• Risk assessment, risk acceptance, and risk mitigation document
• Vital records program
• Emergency response guidelines
• Documentation for maintaining and testing the plan

DRP/BCP document plan should be:
• Created for the enterprise, with individual functional managers responsible for plans specific to their departments
• Copies of the plan should be kept in multiple locations
• Both electronic and paper copies should be kept
• The plan should be distributed to those with a need to know
• Most employees will only see a small portion of the plan

Business Continuity Planning (BCP):
• Project scope and planning
•• Business organization analysis
•• BCP team selection
•• Resource requirements
•• Legal and regulatory requirements
• Business impact assessment
•• Identify priorities
•• Risk identification
•• Likelihood assessment
•• Impact assessment
•• Resource prioritization
• Continuity planning
•• Strategy development
•• Provisions and processes
•• Plan approval
•• Plan implementation
•• Training and education
• Approval and implementation
•• Approval by senior management (APPROVAL)
•• Creating an awareness of the plan enterprise-wide (AWARENESS)
•• Maintenance of the plan, including updating when needed (MAINTENANCE)
•• Implementation

Development of Disaster Recovery Plan (DRP):
• Plan scope and objectives
• Business Recovery Organization (BRO) and responsibilities (recovery team)
• Major plan components - format and structure
• Scenario to execute the plan
• Escalation, notification and plan activation
• Vital records and off-site storage program
• Personnel control program
• Data loss limitations
• Plan administration

Disaster Recovery Plan (DRP) procedures:
• Respond to the disaster in accordance with a pre-defined disaster level
• Assess damage and estimate the time required to resume operations
• Perform salvage and repair

Elements of Recovery Strategies:
• Business recovery strategy
•• Focus on the recovery of business operations
• Facility and supply recovery strategy
•• Focus on facility restoration and enabling alternate recovery site(s)
• User recovery strategy
•• Focus on people and accommodations
• Technical recovery strategy
•• Focus on the recovery of IT services
• Data recovery strategy
•• Focus on the recovery of information assets
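The BIA steps above ("Calculate MTD for resources", "Calculate how long these functions can survive without these resources", "Resource prioritization") rest on the key metrics listed earlier (MTD, RTO, WRT, RPO, MTBF, MTTR). As an added worked example, not part of the original guide, the following Python script checks a set of BIA records for internal consistency and orders the functions by recovery priority. It assumes the standard relationships MTD >= RTO + WRT, RPO >= backup interval, and availability = MTBF / (MTBF + MTTR); the record fields, function names and sample data are constructed for the example.

```python
"""BIA metric consistency checks (added example, not from the original guide).

Assumed (standard) relationships:
  MTD >= RTO + WRT        system recovery plus work recovery must fit inside
                          the maximum tolerable downtime
  RPO >= backup interval  you cannot lose less data than one backup cycle
  availability = MTBF / (MTBF + MTTR)
Field names, function names and the sample data are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class BiaRecord:
    """Metrics for one critical business function; all times in hours."""
    function: str
    mtd: float                 # maximum tolerable downtime
    rto: float                 # recovery time objective (systems restored)
    wrt: float                 # work recovery time (verify data, restart work)
    rpo: float                 # recovery point objective (tolerable data loss)
    backup_interval: float     # how often data is actually backed up
    mtbf: float                # mean time between failures
    mttr: float                # mean time to repair
    availability_target: float = 0.999   # e.g. "three nines"


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability derived from MTBF and MTTR."""
    return mtbf / (mtbf + mttr)


def check_record(r: BiaRecord) -> list[str]:
    """Return findings for one record; an empty list means it is consistent."""
    findings = []
    if r.rto + r.wrt > r.mtd:
        findings.append(
            f"{r.function}: RTO {r.rto}h + WRT {r.wrt}h = {r.rto + r.wrt}h "
            f"exceeds MTD {r.mtd}h; shorten recovery or renegotiate MTD")
    if r.backup_interval > r.rpo:
        findings.append(
            f"{r.function}: backups every {r.backup_interval}h cannot meet "
            f"an RPO of {r.rpo}h")
    a = availability(r.mtbf, r.mttr)
    if a < r.availability_target:
        findings.append(
            f"{r.function}: availability {a:.4%} is below target "
            f"{r.availability_target:.1%}")
    return findings


def prioritize(records: list[BiaRecord]) -> list[str]:
    """Order functions by urgency: shortest MTD first, then shortest RPO."""
    return [r.function for r in sorted(records, key=lambda r: (r.mtd, r.rpo))]


# Constructed sample BIA data (not taken from any real organization)
SAMPLE = [
    BiaRecord("Order processing", mtd=8, rto=4, wrt=2, rpo=1,
              backup_interval=1, mtbf=2000, mttr=2),
    BiaRecord("Payroll", mtd=72, rto=48, wrt=36, rpo=24,
              backup_interval=24, mtbf=1000, mttr=8, availability_target=0.99),
    BiaRecord("Customer portal", mtd=4, rto=2, wrt=1, rpo=0.25,
              backup_interval=6, mtbf=500, mttr=4),
]


def run(records: list[BiaRecord] = SAMPLE) -> dict[str, list[str]]:
    """Check every record and return findings keyed by function name."""
    return {r.function: check_record(r) for r in records}


if __name__ == "__main__":
    for name, issues in run().items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
    print("Recovery priority:", prioritize(SAMPLE))
```

Running it flags Payroll (RTO plus WRT overshoots its MTD) and the customer portal (backup cycle longer than its RPO, and MTBF/MTTR that cannot reach three nines), while order processing passes; the priority order puts the shortest-MTD function first, which is the input the "resource prioritization" step of the BIA needs.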

License and use: free for personal use, attribution required.
Published Aug 22, 2022
Category: Management
File size: 3.0527 MB