In today’s world, where practically every transaction can be done and completed online, high-level security is of utmost importance in battling different forms of cyberspace attacks. Companies catering to different markets have been victims of security breaches, identity thefts, and other forms of information security risks.
It comes as no surprise that companies that put a premium on information security invest not only in the best software, but also in the most competent information security professionals, who are equipped with up-to-date knowledge and are on par with global standards. The Certified Information Systems Security Professional (CISSP) is a globally recognized certification that companies and business owners look for when hiring information security professionals such as security managers, security consultants, security directors, security systems engineers, and security architects, among others. It is awarded by the International Information System Security Consortium (ISC).
Information security professionals who are interested in taking the CISSP exam should expect challenging, sometimes tricky questions that will help separate the qualified from the unqualified. There are several different areas that are covered by the exam; one of them involves security governance principles.
What are the CISSP security governance principles you need to know for the exam?
Exam takers should be prepared to answer questions pertaining to the principles of security governance if they hope to pass the exam with flying colors. The questions on principles one can expect from the exam cover security, risk, compliance, law, regulations, and business continuity.
The confidentiality, integrity, and availability concepts, more commonly known as the CIA triad, form a model that guides the information security policies used in a company or organization. Confidentiality is a set of rules that limits access to information; it ensures that data is not shared with or disclosed to any unauthorized person. Confidentiality is achieved through access controls, which keep users from gaining access to information, especially sensitive information, without permission.
Another tool is encryption, which protects information while it is in transit or at rest. A third is steganography, which hides information within files and images.
Meanwhile, integrity means ensuring that information is safe, accurate, and reliable. It keeps unauthorized subjects from altering data and, at the same time, prevents authorized subjects from making unauthorized alterations. Hashing is a good tool here, because a changed hash indicates that the underlying file has changed.
Availability, the last part of the triad, ensures that authorized subjects receive timely and uninterrupted access to data and other key resources. To support availability, redundant components protect a system from the failure of any single part, while high availability protects services against single-server failures. Fault tolerance protects services from disruption by small failures, and, lastly, OS and application patching also helps to keep data available.
Security governance principles
There are six security governance principles covered in the exam: responsibility, strategy, acquisition, performance, conformance, and human behavior. These practices should support, define, and direct the security efforts of an organization, with the goal of keeping business processes running while the organization grows.
Compliance
Compliance means being aligned with industry regulations, guidelines, and specifications. It is a crucial part of security governance, as accountability is only possible when employees are properly taught the rules, standards, policies, and regulations they need to adhere to.
Legal and regulatory issues
These cover the legal and regulatory repercussions when compliance with standards is not met, or when security governance laws are breached. Some of the key terms one needs to know and understand are:
Criminal law: Involves guilt beyond reasonable doubt, a burden that is difficult to meet in the case of computer-related crimes. Penalties vary from fines to prison time and, in some cases, death.
Civil law: Designed to facilitate an orderly society, dealing with matters that are not criminal in nature but still require settlement between individuals and organizations through an impartial arbitrator.
Regulatory (administrative) law: Rules and regulations used by government agencies in their day-to-day tasks, with penalties ranging from fines to incarceration.
The Computer Fraud and Abuse Act of 1984: Amended in 1994 to address malicious code, the act protects federal government computers from different kinds of abuse.
The Computer Security Act: Outlines the vital steps the government should take to keep its own systems safe from different types of attacks.
National Information Infrastructure Protection Act of 1996: Covers computer crimes perpetrated in international trade and commerce. Reckless or intentional acts that damage national infrastructure playing a crucial role are also considered felonies under this act.
Regulatory acts:
Health Insurance Portability and Accountability Act: States that covered entities must disclose security breaches involving personal information. It applies to health insurers, health providers, and claims and processing agencies.
Gramm-Leach-Bliley Financial Modernization Act: Covers financial agencies and aims to increase the protection of customers' PII.
Patriot Act of 2011: Provides wider coverage for wiretapping and allows search and seizure without immediate disclosure.
Electronic Communications Privacy Act (ECPA): Enacted in 1986, it extends the government restrictions on wiretapping phone calls to cover transmissions of electronic data.
Sarbanes-Oxley Act (SOX): Enacted in 2006, it requires all publicly held companies to have their own procedures and internal controls for financial reporting. The act aims to minimize, if not eliminate, corporate fraud.

Professional ethics
The CISSP has a code of ethics that certified information security professionals must follow. Those who intentionally or knowingly violate the code will face action from a peer review panel, which could result in the revocation and nullification of the certification. The code of ethics comprises four canons: protect society, the government, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
Business Continuity Planning (BCP)
This is a process focused mainly on maintaining and sustaining business operations with reduced infrastructure capabilities and restricted resources. The reduction or restriction of resources comes as a result of emergencies and unexpected situations such as major disasters. The BCP is divided into four phases:
Project scope and planning: This involves forming a team of representatives from the organization's core service departments. These include senior management, legal representatives, the IT department, and security representatives who are adept at the BCP process.
Business impact assessment: The assessment process includes identifying priorities, identifying risks, likelihood assessment, impact assessment, and resource prioritization.
Continuity planning: Planning for continuity involves strategy development, provis