CISSP Domain 1: Security and Risk Management - Cornerstone Information Security Concepts
1 Cornerstone Information Security Concepts
1.1 CIA Triad
- Confidentiality: its opposing force is Disclosure.
- An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII).
- An example of a law that governs confidentiality is the Health Insurance Portability and Accountability Act (HIPAA).
- Integrity: a system "back door" will violate system integrity.
- It seeks to protect information from unauthorized modification.
- Availability: it seeks to keep a system accessible when it is needed.
- A Denial of Service (DoS) attack seeks to deny the availability of a system.
1.2 DAD opposing Triad
- Disclosure: the unauthorized release of information.
1.3 Tension Between the Concepts
1.3.1 Finding balance within CIA
1.4.1 Identity and Authentication
- Identity alone is weak because it has no proof.
- You could claim to be someone that you are not.
- Identities must be unique.
- Authentication is the method of proving you are who you identified yourself to be.
- This can be done by providing something that only you possess or know, such as a password.
- Authorization describes the actions you can perform on a system once you have been authenticated.
- Actions may include read, write and execute permissions.
Least Privilege
- The user should only be granted the minimum amount of access needed to do their job.
Need to Know
- It is more granular than least privilege.
- The user must need to know that specific piece of information before accessing it.
- Accountability: holding a person responsible for their actions.
- This requires auditing and logging of data.
- Non-repudiation: this means that a user can't deny having performed a transaction.
- You must have both authentication and integrity to have non-repudiation.
- A subject is an active entity on a data system, such as a person trying to access data files.
- Active programs and scripts can also be considered subjects.
- An object is any passive data within a system, such as documents, database tables and text files.
- Defense in depth is also called layered defense.
- A single security control can fail, but multiple controls improve the CIA of your data.
1.8 Due Care and Due Diligence
1.8.1 Due Care
- Due care is doing what a reasonable person would do.
- It is also called the prudent man rule.
- Expecting your staff to patch their systems is expecting them to exercise due care.