Information Security Governance and Risk Management
This is the foundational domain for professional information security work (Walsh). It provides the standards and policies used to monitor an information security program. The domain ensures the data quality necessary to support an organization’s objectives, which is especially critical for the sensitive and critical information that an organization uses.
Risk management is the identification and prioritization of all risks to confidentiality. The most important step in the domain is risk analysis, which involves identifying threats and vulnerabilities in applications and systems. The last phase in the domain is the implementation of the most appropriate and cost-effective security measures and controls to deter or minimize those risks.
Access Control
Access control determines the threats and vulnerabilities of an organization’s system. This helps in determining the type of controls to implement. The importance of access control in an organization is to maintain data integrity, confidentiality, and availability. It does this by preventing unauthorized users from retrieving, using, or altering data.
Access control entails four processes. Identification determines who a user claims to be. Authentication proves the user’s identity. Authorization permits what a user can access within a system. Accountability involves holding users responsible for their actions (Tipton and Henry 94).
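The four processes above, walked through by a minimal reference monitor. This is an added example, not code from the essay or from any cited work; the user names, passwords, resource name, roles and ACL are constructed sample data.

```python
# Added example: identification -> authentication -> authorization -> accountability.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are never plaintext (sample parameters).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_record(password: str, roles: set) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}

# Constructed user directory and resource ACL (resource -> role -> allowed actions).
USERS = {
    "alice": make_user_record("correct horse", {"analyst"}),
    "bob": make_user_record("battery staple", {"admin", "analyst"}),
}
ACL = {
    "incident_reports": {"analyst": {"read"}, "admin": {"read", "write"}},
}
AUDIT_LOG = []  # accountability: every decision is recorded, allowed or denied

def request_access(username: str, password: str, resource: str, action: str) -> bool:
    # 1. Identification: the caller claims an identity; look it up.
    record = USERS.get(username)
    # 2. Authentication: prove the claim with a constant-time hash comparison.
    authenticated = record is not None and hmac.compare_digest(
        record["hash"], _hash_password(password, record["salt"]))
    # 3. Authorization: grant only if one of the user's roles permits this action.
    authorized = authenticated and any(
        action in ACL.get(resource, {}).get(role, set()) for role in record["roles"])
    # 4. Accountability: log who asked for what and what was decided.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username, "resource": resource, "action": action,
        "authenticated": authenticated, "granted": authorized,
    })
    return authorized
```

Denied requests are logged as well as granted ones, because the audit trail is only useful for accountability if it records failed attempts.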
Security Architecture and Design
Every type of information system platform has its own unique vulnerabilities. This domain helps in enforcing security policies across different types of system platforms. Security professionals must have deep knowledge of each type of system platform to design an appropriate security architecture. The security architecture is based on how it will handle hardware and software upgrades, vulnerability scanning, patch management, and allowed and disallowed service protocols.
An engineer assumes the role of an attacker to determine major vulnerabilities of various platforms (Kurtz and Vines 216). This involves using the methods and tools that an attacker might use. The engineer then sets standards for safeguarding and controlling risks in each platform. The level of security provided is determined by the identified risks.
Physical and Environmental Security
This domain encompasses the elements of a workplace environment. It helps determine and implement measures to physically protect the information infrastructure. Physical and environmental vulnerabilities are identified using a hazard vulnerability assessment, which covers hazards such as natural disasters, sabotage, and service interruptions.
The most important aspect of physical and environmental security is protecting electrical power against events such as noise and static (Miller and Gregory 313). The domain includes controls such as locks, surveillance, guards, and alarms. Systems for fire detection and suppression, air conditioning, and ventilation should also be present. It also controls computer equipment through a maintenance system and a retention, storage, and destruction process.
Telecommunications and Network Security
This is the most technical of all CISSP domains. Its main focus is network design and architecture to prevent intrusion and disruption in information flow. It requires knowledge of network infrastructure, communication methods, data transport formats, and network and transmission security (Bass and Berlich 407). It is also important because the network is the link between information and users.
The main components of this domain are confidentiality, integrity, and availability. Confidentiality includes data encryption services, network security protocols, and network authentication services. Integrity includes intrusion detection, firewall services, and communication security. Availability includes operating process performance, fault tolerance, and network security mechanisms.
Cryptography
Cryptography involves the use of digital signatures and related techniques to disguise data. This ensures data integrity, confidentiality, and authenticity. Cryptography protects data both in storage and in transit, ensuring that only authorized users can read the available information.
There are two types of cryptography: symmetrical and asymmetrical (Peltier and Howard 59). Symmetrical cryptography uses the same private key to encode and decode a message. Asymmetrical cryptography uses a public key and a private key; one of the keys is used for encryption and the other for decryption of a message.
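The two key models contrasted in runnable form. This is an added example, not from the essay or any cited work, and uses deliberately small stdlib-only constructions: a toy symmetric cipher (SHA-256 keystream in counter mode XORed with the data) and textbook RSA with constructed demo primes 61 and 53. Neither is suitable for real use; the point is which key each direction needs.

```python
# Added example: one shared key for symmetric, a public/private pair for asymmetric.
import hashlib
import secrets

def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    # One function serves both directions: XOR with the keystream is its own inverse,
    # so whoever holds the same key can both encode and decode.
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)

def rsa_keypair(p: int, q: int, e: int = 65537):
    # Textbook RSA from two constructed primes; real keys use ~2048-bit moduli.
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)      # (public key, private key)

def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)

def demo():
    # Symmetric: the same key both parties share encodes and decodes.
    shared_key = secrets.token_bytes(32)
    plaintext = b"wire transfer approved"
    ciphertext = symmetric_crypt(shared_key, ciphertext := symmetric_crypt(shared_key, plaintext)) and symmetric_crypt(shared_key, plaintext)
    sym_ok = symmetric_crypt(shared_key, ciphertext) == plaintext
    wrong_key_fails = symmetric_crypt(secrets.token_bytes(32), ciphertext) != plaintext
    # Asymmetric: the public key encrypts, only the matching private key decrypts.
    public_key, private_key = rsa_keypair(61, 53)   # constructed demo primes
    c = rsa_encrypt(public_key, 42)
    asym_ok = rsa_decrypt(private_key, c) == 42
    public_cannot_decrypt = rsa_decrypt(public_key, c) != 42
    return sym_ok, wrong_key_fails, asym_ok, public_cannot_decrypt
```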
Business Continuity and Disaster Recovery
Business continuity planning is the process of ensuring that the critical functions of an organization can withstand emergencies. The first phase of the domain is scope and planning initiation. This is followed by business impact analysis, business continuity plan development, and plan implementation (Tittel et al. 511). The plan must be approved before it is implemented.
Disaster recovery planning involves making important decisions and guiding action in the event of a disaster. In information security, disaster recovery plans address how systems will recover in an orderly way after a disaster affecting the system infrastructure. After a plan has been developed it is tested using predetermined scenarios, which helps identify required improvements and staff training.
Legal, Regulations, Investigations, and Compliance
This domain deals with the laws of a country, international laws, and specific industry requirements. These laws and regulations govern information system security. An information security professional needs to understand all of them in order to avoid violating them.
This domain also deals with issues relevant to investigating computer crimes. These may include forensic procedures and legal protocols for the collection and storage of evidence (Grama 7). The domain also covers procedures for breach notification; federal governments stipulate different procedures for reporting breaches in different industries.
Applications Security
This domain focuses on the application development life cycle, from conception through design to eventual retirement from service. Key concerns addressed in application design include access controls and encryption. Information security professionals should be involved in all stages of application development to ensure that all security concerns are addressed (Meunier 27).
Personal mobile devices are vulnerable and now carry a growing amount of confidential business information, so frequent updates and patches are necessary to prevent exploitation of their vulnerabilities. Special care should also be taken when developing web applications that are accessible through the Internet. Secure coding guidelines should be followed when writing such application code.
Security Operations
These are the daily activities for implementing, maintaining, and monitoring security measures and controls to prevent security incidents. Organizations engage in numerous processes to secure their operations, including preventive controls, detection controls, back-ups, and information protection. The domain also deals with employee background checks.
Other processes in the domain include intrusion detection, vulnerability scanning, and violation analysis (Harrison 134). Intrusion detection involves monitoring the network to identify any intrusions that may have passed through the firewall. Vulnerability scanning involves running known vulnerability tests against systems to determine their overall effectiveness. Violation analysis is a tool organizations use to determine areas of trouble.
Works Cited
Bass, Alec, and Peter Berlich. Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®. Edited by Susan Hansche, United Kingdom, Auerbach, 29 Sept. 2005.
Grama, Joanna L. Legal, Regulations, Investigations, and Compliance. Purdue University, 2012.
Harrison, Shon. All-in-One CISSP Exam Guide. Fifth ed., Berkeley, CA, McGraw-Hill, 2010.
Kurtz, Ronald L., and Russell Dean Vines. The CISSP Prep Guide. Indianapolis, IN, Wiley, 2003.
Meunier, Pascal. CISSP Applications Security. Purdue University, 2007.
Miller, Lawrence, and Peter H. Gregory. CISSP for Dummies. 3rd ed., 12 Nov. 2009.
Peltier, Thomas R., and Patrick D. Howard. The Total CISSP Exam Prep Book: Practice Questions, Answers, and Test Taking Tips and Techniques. Boca Raton, Auerbach Publications, 2002.
Tipton, Harold F., and Kevin Henry. Official (ISC)² Guide to the CISSP CBK. Edited by Steven Hernandez, Boca Raton, FL, Auerbach Publications, 19 Apr. 2016.
Tittel, Ed, et al. CISSP: Certified Information Systems Security Professional Study Guide. 3rd ed., New York, Sybex Inc., 21 Nov. 2005.
Walsh, Tom. “Selecting and Implementing Security Controls.” AHIMA and HIMSS Seminar, 2003.