Finally, guidelines provide additional recommendations for every level of the company as it relates to the implementation and use of hardware and software on the network, use of email, blogs, and communication methods, or password creation and maintenance, just to name a few applications.
What are the Compliance Frameworks?

Implementation of policies, procedures, standards, baselines, and guidelines is important to consistent adherence to a business's information security strategy.
However, to understand the extent of that implementation within the company, audits must be performed.
Companies may use multiple frameworks based on their industry and strategic focus.
The following frameworks have proven to be acceptable for information security audits.
COSO

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed to sponsor the National Commission on Fraudulent Financial Reporting.
COSO identified five areas of control necessary for meeting objectives related to financial reporting.
They are control environment, risk assessment, control activities, information and communication, and monitoring.
Some organizations working toward compliance to Sarbanes-Oxley Section 404 have adopted the COSO internal control model as an audit framework.
ITIL

The British government's Stationery Office created a set of 34 books between 1989 and 1992 to improve IT service management.
This framework is called the IT Infrastructure Library (ITIL).
It contains best practices for core operational processes such as change, release, and configuration management, problem and incident management, capacity and availability management, and financial management as they pertain to IT service.
ITIL shows how controls can be implemented for these IT processes, but the controls must then be maintained and applied on a daily basis.
Achievement of the ITIL standard is an ongoing process requiring management support and planning.
COBIT

The IT Governance Institute published 34 high-level processes called the Control Objectives for Information and related Technology (COBIT).
A total of 214 control objectives were created to support these processes.
The COBIT model defines four domains for governance: planning and organization, acquisition and implementation, delivery and support, and monitoring.
Within these domains, processes and IT activities are defined.
ISO 17799 / BS 7799

The ISO 17799/BS 7799 standard has a rich history, beginning in 1993 with the U.K. Department of Trade and Industry.
In 1999, ISO 17799:2000 became the first international information security management standard by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
Modified in June 2005, the ISO 17799 standard contains 134 detailed information security controls in 11 areas, including:
- Information security policy
- Organizing information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control