Table of Contents
- 1 Concepts
- 1.1 Abstraction:
- 1.2 Accounting (Accountability):
- 1.3 Acquisition:
- 1.4 Authentication:
- 1.5 Authorization:
- 1.6 Availability:
- 1.7 Auditing:
- 1.8 Authenticity:
- 1.9 Business Case:
- 1.10 CIA Triad:
- 1.11 Confidentiality:
- 1.12 Criticality:
- 1.13 DAD Triad:
- 1.14 Data Hiding:
- 1.15 Defense in Breadth (Diversity of Defense):
- 1.16 Defense in Depth:
- 1.17 Disclosure:
- 1.18 Due Care:
- 1.19 Due Diligence:
- 1.20 Elevation of Privilege:
- 1.21 Integrity:
- 1.22 Identification:
- 1.23 Isolation:
- 1.24 Nonrepudiation:
- 1.25 Operational Plan:
- 1.26 Organizational Security Policy:
- 1.27 Overprotection:
- 1.28 Penetration Testing:
- 1.29 Physically Unclonable Function (PUF):
- 1.30 Privacy:
- 1.31 Risk Assessment:
- 1.32 Security Boundary:
- 1.33 Security Governance:
- 1.34 Security Management Planning:
- 1.35 Service Level Agreement (SLA):
- 1.36 Service Level Requirement (SLR):
- 1.37 Silicon Root of Trust (RoT):
- 1.38 Software Bill of Materials (SBOM):
- 1.39 Strategic Plan:
- 1.40 STRIDE:
- 1.41 Supply Chain Risk Management (SCRM):
- 1.42 System-Specific Security Policy:
- 1.43 Tactical Plan:
- 1.44 Third-Party Governance:
- 1.45 Threat Modeling:
- 1.46 Top-Down Approach:
- 1.47 Vulnerability Assessment:
- 2 FAQ: Security Governance, Concepts, and Supply Chain Risk Management
- 2.1 What are the five pillars of information security, and why are they important?
- 2.2 How should an organization align its security function with its broader business objectives?
- 2.3 3. What is the CIA Triad, and how does the DAD Triad relate to it?
- 2.4 Explain the concepts of identification, authentication, and authorization, and why they are essential for security.
- 2.5 What is defense in depth, and why is it a recommended security strategy?
- 2.6 What are some key elements or mechanisms that can be incorporated into a supply chain risk management plan?
- 2.7 What is the difference between due diligence and due care in the context of information security? Provide a brief example of each.
- 2.8 Briefly describe the function of a Software Bill of Materials (SBOM) in managing risks within the software supply chain.
Concepts
Here are the important concepts in the first section of CISSP
Abstraction:
Simplifying security by grouping similar elements into classes or roles and assigning security controls collectively.
Accounting (Accountability):
Review log files to check for compliance and violations to hold subjects responsible for their actions, especially policy violations.
Acquisition:
Obtaining hardware, software, and services, or engaging with external entities like contractors or consultants.
Authentication:
The process of verifying that a claimed identity is valid.
Authorization:
Defining the permissions of a resource and object access for a specific authenticated identity or subject.
Availability:
Ensuring that authorized subjects are granted timely and uninterrupted access to objects.
Auditing:
Recording a log of events and activities related to the system and subjects.
Authenticity:
The security concept is that data is genuine and originates from its alleged source.
Business Case:
A documented argument or stated position to define a need to make a decision or take action, often used to justify security projects.
CIA Triad:
Confidentiality, Integrity, and Availability – the three primary goals and objectives of a security infrastructure.
Confidentiality:
The principle is that objects are not disclosed to unauthorized subjects.
Criticality:
The level to which information is mission-critical.
DAD Triad:
Disclosure, Alteration, and Destruction – represent the failures of security protections in the CIA Triad.
Data Hiding:
Preventing data from being discovered or accessed by a subject by positioning it in a logically inaccessible storage compartment.
Defense in Breadth (Diversity of Defense):
Using a range of security products from varied vendors to reduce the risk of a single exploit compromising multiple layers.
Defense in Depth:
Implementing multiple layers of security controls to protect an asset.
Disclosure:
Occurs when sensitive or confidential material is accessed by unauthorized entities (violation of confidentiality).
Due Care:
Performing the right action at the right time in security.
Due Diligence:
Establishing a plan, policy, and process for security; knowing what should be done and planning for it.
Elevation of Privilege:
An attack where a limited user account is transformed into an account with greater privileges.
Integrity:
The concept of protecting the reliability and correctness of data.
Identification:
Claiming to be an identity when attempting to access a secured area or system.
Isolation:
The act of keeping something separated from others to maintain confidentiality.
Nonrepudiation:
Ensures that the subject of an activity cannot deny that the event occurred.
Operational Plan:
A short-term, highly detailed plan based on strategic and tactical plans.
Organizational Security Policy:
A security policy that focuses on issues relevant to every aspect of an organization.
Overprotection:
Too much security can negatively impact availability or other security principles.
Penetration Testing:
Using trusted teams to stress-test the security infrastructure to find issues before an adversary does.
Physically Unclonable Function (PUF):
A physical electronic component that generates a unique digital identifier based on its inherent physical properties, is used for device authentication.
Privacy:
Keeping personally identifiable information confidential.
Risk Assessment:
Identifying assets, threats, and vulnerabilities to calculate risk.
Security Boundary:
The line of intersection between any two areas, subnets, or environments that have different security requirements or needs.
Security Governance:
The collection of practices related to supporting, defining, and directing the security efforts of an organization in alignment with business goals.
Security Management Planning:
Ensures the proper creation, implementation, and enforcement of a security policy, aligning security functions with organizational objectives.
Service Level Agreement (SLA):
A contract between a service provider and a customer that defines the level of service expected.
Service Level Requirement (SLR):
Security requirements defined by the customer/client for an external provider.
Silicon Root of Trust (RoT):
A tamper-resistant hardware component that provides a secure starting point for establishing trust and security in a system.
Software Bill of Materials (SBOM):
A structured and comprehensive inventory of components within a software product.
Strategic Plan:
A long-term, fairly stable plan that defines the organization’s security purpose and aligns it with business goals.
STRIDE:
A threat categorization scheme:
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
Supply Chain Risk Management (SCRM):
The means to ensure the reliability and trustworthiness of all vendors or links in the supply chain.
System-Specific Security Policy:
A security policy that focuses on individual systems or types of systems.
Tactical Plan:
A midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan.
Third-Party Governance:
The system of external entity oversight mandated by law, regulation, industry standards, or contractual obligations.
Threat Modeling:
A security process where potential threats are identified, categorized, and analyzed.
Top-Down Approach:
Security decisions are initiated and driven by senior management.
Vulnerability Assessment:
Using automated tools to locate known security weaknesses.
FAQ: Security Governance, Concepts, and Supply Chain Risk Management
What are the five pillars of information security, and why are they important?
The five pillars of information security are confidentiality, integrity, availability, authenticity, and nonrepudiation.
Confidentiality ensures that information is not disclosed to unauthorized individuals.
Integrity guarantees the reliability and correctness of data, preventing unauthorized modification.
Availability ensures that authorized users have timely and uninterrupted access to resources.
Authenticity verifies the genuineness of data and its origin.
Nonrepudiation ensures that the sender of a message or the performer of an action cannot deny that the event occurred. These pillars are fundamental goals and objectives for designing and maintaining a secure IT environment, forming the basis of security policies and controls.
How should an organization align its security function with its broader business objectives?
The security function must be aligned with the organization’s business strategy, goals, mission, and objectives. This involves understanding the business context and tailoring security efforts to support its aims. Security management planning should be based on business cases, considering budget restrictions and resource scarcity.
A top-down approach, where senior management drives security decisions, is crucial for ensuring this alignment. Strategic, tactical, and operational security plans should all reflect and support the overarching business direction.
3. What is the CIA Triad, and how does the DAD Triad relate to it?
The CIA Triad consists of confidentiality, integrity, and availability, which are considered the primary goals of a security infrastructure.
The DAD Triad (disclosure, alteration, and destruction) represents the failures of security protections that aim to uphold the CIA Triad. Disclosure is a violation of confidentiality, alteration is a violation of integrity, and destruction (often leading to denial of service) is a violation of availability. Understanding the DAD Triad helps recognize the potential consequences when security mechanisms fail.
Identification is the process of claiming an identity.
Authentication is the process of proving that the claimed identity is valid.
Authorization determines the permissions and access rights granted to an authenticated identity.
These three concepts, along with auditing and accounting, form the core of AAA services and are crucial for controlling access to resources and maintaining accountability within a secure environment. Without proper identification, authentication, and authorization, unauthorized access and actions cannot be effectively prevented or tracked.
What is defense in depth, and why is it a recommended security strategy?
Defense in depth is a security strategy that employs multiple layers of security controls to protect an organization’s assets. The principle is that if one security control fails, others are in place to provide continued protection.
These layers should ideally be implemented in series and utilize diverse security products to avoid single points of failure. Concepts like security boundaries, abstraction, and data hiding contribute to a defense-in-depth strategy, making it significantly harder for attackers to compromise a system or gain unauthorized access.
What is threat modeling, and what are some common methodologies used?
Threat modeling is a security process used to identify, categorize, and analyze potential threats to an organization’s assets. It helps determine potential harm, the probability of occurrence, and the priority of concern, guiding efforts to mitigate these threats.
Common methodologies include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), PASTA (Process for Attack Simulation and Threat Analysis), and VAST (Visual, Agile, and Simple Threat). Threat modeling should be an ongoing process throughout the system development life cycle.
What is supply chain risk management (SCRM), and why is it important for organizations?
Supply chain risk management (SCRM) is the practice of ensuring that all vendors and entities within an organization’s supply chain are reliable, trustworthy, and adhere to appropriate security practices. It’s crucial because vulnerabilities in any part of the supply chain, including hardware, software, and services acquired from third parties, can introduce significant risks such as product tampering, counterfeits, and implants.
SCRM involves assessing supplier risks, establishing minimum security requirements, conducting third-party assessments and monitoring, and defining service-level requirements to mitigate these threats.
What are some key elements or mechanisms that can be incorporated into a supply chain risk management plan?
Several key elements can enhance an SCRM plan. These include establishing minimum security requirements for all supply chain entities and incorporating security considerations into service-level agreements (SLAs) and service-level requirements (SLRs). Technical mechanisms such as silicon root of trust (hardware-based security), physically unclonable functions (PUFs) for device authentication, and software bills of materials (SBOMs) to track software components and vulnerabilities can also be integrated. Ongoing security monitoring and assessments of supply chain partners are essential to ensure continued adherence to security standards.
What is the difference between due diligence and due care in the context of information security? Provide a brief example of each.
Due diligence is establishing plans, policies, and processes – knowing what should be done and planning for it. An example is developing a comprehensive security policy.
Due care is performing the right actions at the right time – the actual implementation and maintenance of those plans and policies. An example is consistently applying security patches according to the patching policy.
Briefly describe the function of a Software Bill of Materials (SBOM) in managing risks within the software supply chain.
A Software Bill of Materials (SBOM) is a comprehensive inventory of all software components used in a product or system. It helps organizations track the origins of these components, identify known vulnerabilities within them, and ensure they come from trusted sources, thus aiding in software supply chain risk management.
I build softwares that solve problems. I also love writing/documenting things I learn/want to learn.