Chapter I: What is Information Security?
A. Information Security vs. Information Assurance
1. Information security is a subfield of Information Assurance.
a. Information security is more specific and geared towards technology, the component level and operations.
b. Information Assurance is more strategy focused and concerned with information in terms of the 'big picture'.
2. Risks, Threats, Vulnerabilities.
a. Risks
b. Threats
c. Vulnerabilities
B. Three tenets of Information Security.
1. Confidentiality
a
b
2. Integrity
a
b
3. Assurance
C. Seven major areas Information Security must address.
1. Acceptable Use (of data, facilities, resources, etc.)
2. Security Awareness and Training (of employees and other users of the system)
3. Asset Classification (public, private, confidential, etc.)
4. Asset Protection and Access Protocols (protection, permissions, etc.)
5. Asset Management and Operation (systems development, system operation, day‐to‐day procedures)
6. Identification, Assessment and Management of Vulnerabilities (for management)
7. Identification, Assessment and Management of Threats Policies (for management)
D. Twelve generally accepted principles of Information Security.
Principle 1: There is no such thing as Absolute Security.
Principle 2: The three Security Goals are Confidentiality, Integrity, and Availability.
Principle 3: Defense in Depth should be the fundamental strategy
Principle 4: When left on their own, most people tend to make the worst security decisions.
Principle 5: Security depends on two types of requirements: Functional and Assurance (in other words, security systems must not only be designed, they must be tested and proven to meet the requirements).
Principle 6: Security Through Obscurity is not Security
Principle 7: Security = Risk Management
Principle 8: The three types of Security Controls are Preventive, Detective, and Responsive
Principle 9: Complexity is the Enemy of Security
Principle 10: Fear, Uncertainty and Doubt do not work when selling security
Principle 11: People, Process, and Technology are ALL needed to adequately secure a system or facility.
Principle 12: Open disclosure of Vulnerabilities is good for security
E. Industry recognized Information Security certifications.
1. CompTIA Security+
2. (ISC)2 CISSP - Certified Information Systems Security Professional
3. CEH - Certified Ethical Hacker
4. CPTE - Certified Penetration Testing Engineer
5. CPTC - Certified Penetration Testing Consultant
6. CEPT - Certified Expert Penetration Tester
F. CISSP ten Common Body of Knowledge domains
1. Information Security Governance and Risk Management
2. Security Architecture, Models, and Design
3. Software Development Controls and Security
4. Operations Security
5. Physical Security and the Physical Environment
6. Access Control
7. Telecommunications and Network Security
9. Legal Issues, Regulations, Investigations and Forensics
10. Business Continuity and Disaster Recovery Planning
Chapter II: Policies, Procedures, Standards, Regulations, Guidelines
A. Policies
2
a
b