CISSP重点.docx
《CISSP重点.docx》由会员分享,可在线阅读,更多相关《CISSP重点.docx(23页珍藏版)》请在冰点文库上搜索。
CISSP重点
CISSP重点
通过做题归纳出CISSP重点考察的知识点
Ch1.InformationSecurityGovernanceandRiskManagement
1、CobiT与ITIL关系
TheControlObjectivesforInformationandrelatedTechnology(CobiT)isaframeworkdevelopedbytheInformationSystemsAuditandControlAssociation(ISACA)andtheITGovernanceInstitute(ITGI).ItdefinesgoalsforthecontrolsthatshouldbeusedtoproperlymanageITandensureITmapstobusinessneeds,notspecificallyjustsecurityneeds.
TheInformationTechnologyInfrastructureLibrary(ITIL)isthedefactostandardofbestpracticesforITservicemanagement.Acustomizable可定制framework,ITILprovidesthegoals,thegeneralactivitiesnecessarytoachievethesegoals,andtheinputandoutputvaluesforeachprocessrequiredtomeetthesedeterminedgoals.ITILprovidesstepsforachievingITservicemanagementgoalsastheyrelatetobusinessneeds.
Inessence,CobiTaddresses"whatistobeachieved,"whileITILaddresses"howtoachieveit."InordertoachievemanyoftheobjectivesaddressedinCobiT,anorganizationcanuseITIL,whichprovidesprocess-levelstepsforachievingITservicemanagementobjectives.
CobiTcanbeusedasamodelforITgovernance.Actually,CommitteeofSponsoringOrganizationsoftheTreadwayCommission(COSO)isamodelforcorporategovernance.CobiTisderivedfromtheCOSOframework.YoucanthinkofCobiTasawaytomeetmanyoftheCOSOobjectives,butonlyfromtheITperspective.
2、欧洲Privacy法案(SafeHarbor欧洲安全港)
TheSafeHarborrequirementswerecreatedtoharmonizethedataprivacypracticesoftheU.S.withtheEuropeanUnion'sstricterprivacycontrols,andtopreventaccidentalinformationdisclosureandloss.TheframeworkoutlineshowanyentitythatisgoingtomoveprivatedatatoandfromEuropemustgoaboutprotectingit.
TheHealthInsurancePortabilityandAccountabilityAct(HIPAA)providesaframeworkandguidelinestoensuresecurity,integrity,andprivacywhenhandlingconfidentialmedicalinformationwithintheU.S.
3、安全机构
Securitysteeringcommitteeisresponsibleformakingdecisionsontacticalandstrategicsecurityissueswithintheenterprise.
Securitypolicycommitteeisacommitteechosenbyseniormanagementtoproducesecuritypolicies.Thesteeringcommitteedoesnotdirectlycreatepoliciesbutreviewsandapprovesthemifacceptable.安全指导委员会不会直接新建策略,而是审查和批准可接受的策略。
Theauditcommittee'sgoalistoprovideindependentandopencommunicationsamongtheboardofdirectors,management,internalauditors,andexternalauditors.Theauditcommitteewouldreportitsfindingstothesteeringcommittee,butnotberesponsibleforoverseeingandapprovinganypartofasecurityprogram.审计委员会将发现报告给指导委员会,但是不负责监督和批准安全程序。
Theriskmanagementcommitteeistounderstandtherisksthattheorganizationfacesasawholeandworkwithseniormanagementtoreducetheseriskstoacceptablelevels.Thiscommitteedoesnotoverseethesecurityprogram.Thesecuritysteeringcommitteeusuallyreportsitsfindingstotheriskmanagementcommitteeasitrelatestoinformationsecurity.Ariskmanagementcommitteemustlookatoverallbusinessrisks,notjustITsecurityrisks.指导委员会将发现汇报给风险管理委员会,该委员会将查看所有商业风险,而不仅是IT安全风险
4、data相关人员职责
特别是data(information)owner和data(information)custodian的区别经常考
dataowner职责:
✓Assigninginformationclassifications
✓Dictatinghowdatashouldbeprotected
✓Determininghowlongtoretaindata
✓determinewhocanaccesstheinformation决定谁能访问信息,以及访问的权限
✓regularlyreviewingclassificationlevels
✓delegatingtheresponsibilityofthedataprotectiondutiestothedatacustodian.
datacustodian职责:
Thedatacustodianisresponsibleforimplementingandmaintainingthecontrolsspecifiedbythedataowner.
●performingregularbackupsofdata,
●restoringdatafrombackupmedia
●retainingrecordsofactivity
●fulfillinginformationsecurityanddataprotectionrequirements按照策略、标准、规范等完成配置
●Verifyingtheavailabilityofdata
●implementingandmaintainingcountermeasures,andadministeringcontrols.
Datauser职责:
Anyindividualwhoroutinelyusesdataforwork-relatedtasksisadatauser.Usersmusthavethenecessarylevelofaccesstothedatatoperformthedutieswithintheirpositionandareresponsibleforfollowingoperationalsecurityprocedurestoensurethedata'sconfidentiality,integrity,andavailabilitytoothers.Thismeansthatusersmustpracticeduecareandactinaccordancewithbothsecuritypolicyanddataclassificationrules.
Aninformationsystemsauditorisresponsibleforevaluatingcontrols.Afterevaluatingthecontrols,theauditorprovidesreportstomanagement
Networkorsystemadministratorsareresponsibleforimplementingthesolutionsselectedbythesecurityteamandseniormanagement.
Endusersareresponsibleforcompletingtheirworktasksandcomplyingwiththesecuritypolicyoftheorganization.
5、dataclassification数据分类
数据分类的好处是:
【数据分类流程】
1.DefineClassificationlevels定义分类级别
2.Specifythecriteriathatwilldeterminehowdataareclassified指定数据分类准则
3.Identifydataownerswhowillberesponsibleforclassifyingdata确定数据所有者,负责数据定级
4.Identifydatacustodianwhowillberesponsibleformaintainingdataanditssecuritylevel确定数据管理者,负责维护数据和数据安全
5.Indicatethesecuritycontrols,orprotectionmechanisms,requiredforeachclassificationlevel确定每个数据级别的安全控件和保护措施
6.Documentanyexceptionstothepreviousclassificationissues将违背上述分类的文档记录
7.Indicatethemethodsthatcanbeusedtotransfercustodyoftheinformationtoadifferentdataowner规定数据转交的方法
8.Createaproceduretopereiodicallyreviewtheclassificationandownership.Communicateanychangestothedatacustodian.创建定期审查分类和归属的程序,将任何变化通知给数据管理者
9.Indicateproceduresfordeclassifyingthedata规定解密数据的程序
10.Integratetheseissuesintothesecurity-awarenessprogramsoallemployeesunderstandhowtohandledataatdifferentclassificationlevels.将上述问题归入安全意识培训,让所有员工了解怎样处理不同级别的数据
6、风险评估
内容包括:
Ariskanalysishasfourmaingoals:
●Identifyassetsandtheirvaluetotheorganization标识资产和它们的价值
●Identifyvulnerabilitiesandthreats识别脆弱性和威胁
●Quantifytheprobabilityandbusinessimpactofthesepotentialthreats量化潜在威胁的可能性和商业影响
●Provideaneconomicbalancebetweentheimpactofthethreatandthecostofthecountermeasure在风险影响和对策费用之间达到预算的平衡
Theprimarygoalofriskmanagementistoreducerisktoanacceptablelevel.Thepurposeofriskmanagementisriskmitigation.
Safeguardevaluationisthegoalofriskanalysis,whichispartofriskmanagement.Lossestimationisthegoalofriskanalysis,whichispartofriskmanagement.Theobjectiveofriskanalysisistoidentifyrisk,quantifytheimpactofeachrisk,andevaluatethecosteffectivenessofsafeguards.Riskanalysisisusedtocomparesafeguards,butitdoesnotselectthecountermeasuretoimplement.Countermeasureselectionislefttothedecisionmakers,i.e.,seniormanagementortheirdelegatedadministrators.
Countermeasureselectionisnotastepinriskanalysis.Itisataskleftuptoseniormanagementafterriskanalysishastakenplace.
Cost/benefitanalysisisthelaststepinriskanalysis,otherthan除了reportingthefindingstoseniormanagement.Assetvaluationisthefirststepinriskanalysis.
Riskanalysisisusedtodeterminewhethersafeguardsarecosteffective,relevantandtimely.
Seniormanagementdirectsandsupportsriskanalysis.Seniormanagementactsappropriatelyupontheresults.Seniormanagementreviewstheoutcomeoftheanalysis.
7、风险处理
⏹transferrisk转移风险
⏹avoidrisk避免风险
⏹reducerisk/mitigaterisk减轻风险
⏹acceptrisk接受风险
8、CIA安全属性的含义
●Availability:
Reliabilityandtimelyaccesstodataandresourcestoauthorizedindividuals.
●Integrity:
Accuracyandreliabilityofinformationandsystemsisprovidedandanyunauthorizedmodificationisprevented.
●Confidentiality:
Necessarylevelofsecrecyisenforcedandunauthorizeddisclosureisprevented.
Privatesectororganizationsareprimarilyconcernedaboutdataavailabilityandintegrity.Confidentialityistheprimaryconcernofmilitaryorganizations.
Backupsareanexampleofasecuritycontrolthatfocusesonmaintainingavailability.Inputvalidityverificationisanexampleofasecuritycontrolthatfocusesonmaintainingintegrity.Networktrafficpaddingisanexampleofasecuritycontrolthatfocusesonmaintainingconfidentiality.Restrictedaccessisanexampleofasecuritycontrolthatfocusesonmaintainingintegrity.
9、安全概念
一些攻击手段的定义,如masquerading伪装,Anattempttogainunauthorizedaccessasanotheruser
Exposureisaninstanceofbeingexposedtolossesfromathreat.
Vulnerabilityisaweaknessortheabsenceofasafeguardthatcouldbeexploited.
Riskisthepossibilityofsomethinghappeningthatwilldamageassets.Riskisthelikelihoodofathreattakingadvantageofvulnerability.
Mitigationistheremovalorpatchingofvulnerability.
Anattackistherealizationofathreattakingadvantageofvulnerability.
10、assetvalue资产价值
在给信息和资产定价的时候,应该考虑下列问题:
●获取或开发该资产所需的成本
●维护和保护该资产所需的成本
●该资产对所有者和用户所具有的价值
●该资产对竞争对手所具有的价值
●其他人愿意为购买该资产所付出的价格
●在损失的情况下更换该资产所需的费用
●在该资产不可用的情况下受影响的运营和生产活动
●该资产贬值时的债务问题
●该资产在组织中的用处和角色
11、风险计算
1)residualrisk剩余风险计算:
(threats*vulnerability*assetvalue)*controlgap=residualrisk
Totalrisk–countermeasures=residualrisk
Singlelossexpectancy(SLE)isthepossiblemaximumassetlossthatwouldbeexperiencedwithasingleincidentofasecuritybreach.
12、AuthorizationCreep授权蔓延
与“need-to-know”区别
The"need-to-know"conceptisbasedontheideathatusersareonlygivenaccessrightstoresourcesthattheyneedinordertofulfilltheirjobresponsibilities.Insteadofgivingaccesstoeverything,andthentakingprivilegesawaybasedon"need-to-know,"thebetterapproachistostartwithnothing
升级会员 