Domain 1

The document outlines the schedule and key details for a Certified Information System Security (CISSP) session led by Chandresh Singh, including exam tips and necessary materials. It covers various topics related to security governance, risk management, business continuity, compliance, and frameworks relevant to cybersecurity. Participants are encouraged to mute their microphones during the session and will have opportunities for questions at the end.

Certified Information System Security (CISSP)

by Chandresh Singh
Announcement

● This session is recorded and will be available for review later. You will get it from the Tromenz learning support team.
● Please keep your mics on mute during the session; if you have any questions we can discuss those at the end of the session.
● Schedule:
  ● Start time: 18:30 IST
  ● Break 1: 20:00 to 20:15 IST
  ● Break 2: 21:15 to 21:30 IST
  ● End time: ~22:30 IST

About the exam

Don’t waste time figuring out the questions that don’t look familiar.

Choose the options carefully; you won’t be able to change your selection once submitted.

Remember that you’ve worked hard and only need to get 88/125 questions right.
Material that you’ll need
Certified Information System Security (CISSP)
Domain 1- Security and Risk Management
Security Governance (concepts)
• Cybersecurity Governance
• Key concepts: CIA triad, DAD, Authenticity and Non-repudiation, Privacy and Security.
• AAA – Identity, Authenticate, Authorize, Audit, Accounting
• Key definitions: Threat actor, Threat, Vulnerability, Risk, Asset, Exposure, Controls/ Countermeasure/ Safeguards.
• Due diligence and Due care
• Organizational process: Acquisition and Divestiture
• Organization structure (corporate hierarchy). Data owner > Data custodian > System owner.
• Policies, Standards, Procedures, Guidelines and Baselines
Security Governance (concepts)
• Threat modeling: STRIDE, PASTA (risk centric) and VAST (integrates threat and risk management into agile)
• Diagramming potential attacks
• Prioritization and response: Heat-map, Rating, DREAD (Disaster, Reproducibility, Exploitability, Affected users, Discoverability), etc.
• Supply chain risk management
• Change management
• Data classification
• Protection mechanism: Defense in depth, Abstraction, Data hiding, Encryption
• Strategic > Tactical > Operational plans
People
• Personnel Security: Job roles : Job description :: Roles : Responsibilities
• Separation of duty, Split knowledge, Collusion, Quorum authentication and Dual control, Job rotation, Mandatory vacation, etc.
• Candidate screening and hiring, Employment agreements, Policies, On-boarding, Transfers, Terminations, and NDAs.
• Vendors, Consultants, Contractors and Downstream liabilities.
• Compliance policies, PCI DSS, GDPR, Privacy policy.
• Security Awareness and training, Social engineering, review and update material, and Evaluation metrics.
• Professional ethics, ISC2 COE- 4 canons.
• Public- C1 & 2, Principals- C3, Professional- C4
Risk management
• Risk Management Frameworks- ISO31000, NIST 800-39, etc.
• Threats and Vulnerabilities: People, Process, Technology.
• Controls: Physical, Technical, Administrative.
• Risk assessment > Risk analysis- Loss potential, Delayed loss.
• Qualitative and Quantitative Risk Analysis.
• Risk treatment, cost of control, residual risk.
• Preventive, Detective, Corrective, Deterrent, Recovery, and Compensating.
• Controls Measures and Metrics, Compliance, Continuous improvement.
• Supply chain risk management, upstream, downstream, escrow.
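As an added worked example (not part of the slides) of the Quantitative Risk Analysis, cost of control and residual risk bullets above, using the standard CISSP formulas SLE = AV x EF, ALE = SLE x ARO and safeguard value = ALE before - ALE after - annual cost of safeguard; the asset values, exposure factors and control costs are constructed sample figures:

```python
"""Quantitative risk analysis: ALE, residual risk and cost/benefit of a control."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost per incident (0..1)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # ACS: annualized cost of the safeguard (cost of control)
    residual: Risk      # risk that remains once the control is in place (residual risk)


def safeguard_value(before: Risk, control: Control) -> float:
    """Cost/benefit of a control; a positive value means the control pays for itself."""
    return before.ale() - control.residual.ale() - control.annual_cost


def recommend_treatment(before: Risk, controls: list[Control]) -> str:
    """Mitigate with the best-value control, otherwise accept or transfer the risk."""
    value, best = max(((safeguard_value(before, c), c) for c in controls),
                      key=lambda pair: pair[0])
    if value > 0:
        return f"mitigate: {best.name}"
    return "accept or transfer (no control pays for itself)"


# Constructed sample: a customer database worth 500,000, losing 40% of its value
# per breach, with one breach expected every four years (ARO 0.25).
DB_RISK = Risk(asset_value=500_000, exposure_factor=0.4, aro=0.25)
CONTROLS = [
    Control("encryption at rest", annual_cost=20_000, residual=Risk(500_000, 0.05, 0.25)),
    Control("managed DLP service", annual_cost=60_000, residual=Risk(500_000, 0.02, 0.25)),
]

if __name__ == "__main__":
    print(f"SLE={DB_RISK.sle():,.0f} ALE={DB_RISK.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: residual ALE={c.residual.ale():,.0f} value={safeguard_value(DB_RISK, c):,.0f}")
    print(recommend_treatment(DB_RISK, CONTROLS))
```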
Business continuity
• Business continuity and Disaster recovery: Scope and plan > BIA > Continuity planning > Plan Approval and Implementation
• Business Impact Analysis (RTO, RPO, MTD)
• Continuity of operations plan (COOP) to protect people, facility/ building, infrastructure
• DR testing (Simulation, Parallel, Full interruption, etc.)
• Training and exercise
Compliance
• Laws, Regulation, and Jurisdiction.
• Civil and Criminal laws and repercussions of breaching.
• Computer-assisted, computer-targeted, computer is incidental
• A typical attack or breach- Cyber kill chain, TTP
• IP: Trade secret, Copyright, Trademark, Patent, License
• Due care and Due diligence, Downstream liability
• Responsibility and Accountability
• Investigations
Frameworks
• Frameworks provide structure to our efforts.
• RMF, SPF, SCF, PMF, and EDF
• Risk Frameworks- NIST RMF, ISO 27005
• Information security frameworks
• Security program frameworks- controls, procedures, business, processes, and people. NIST CSF, ISO 27000.
• Security control frameworks- purpose of controls and selection based on security category of assets.
• Enterprise architecture frameworks- stakeholders > views.
• ITIL (Information Technology Infrastructure Library)- service management, Six sigma- process improvement
• CMM- Level 0-5, goes in increasing order of maturity of Process and Assessment of security program.

CMM levels (table from the slide):

Level   Capability levels   Maturity levels
0       Incomplete          -
1       Performed           Initial
2       Managed             Managed
3       Defined             Defined
4       -                   Quantitatively managed
5       -                   Optimizing
Questions?
THANK YOU