
Publications

Featured research published by Eric Conrad.


CISSP Study Guide | 2010

Domain 6: Business Continuity and Disaster Recovery Planning

Eric Conrad; Seth Misenar; Joshua Feldman

This chapter provides a basic understanding of the overall approach to the major phases of BCP/DRP before delving into the details of each phase. Business Continuity Planning and Disaster Recovery Planning (BCP/DRP) together have emerged as a critical domain in the common body of knowledge. BCP/DRP is an organization's last line of defense. When all other controls have failed, it is the final control that may prevent drastic events such as injury, loss of life, or failure of an organization. The BCP is an umbrella for multiple specific plans; the most important is the DRP. The DRP serves as a subset of the BCP, which would be doomed to fail if it did not contain a tactical method for immediately dealing with the disruption of information systems. To ensure that all planning is considered, the BCP/DRP has a specific set of requirements to review and implement. The Business Impact Analysis (BIA) is the formal method for determining how a disruption to the organization's IT system(s) will affect the organization's requirements, processes, and interdependencies with respect to the business mission. Testing, training, and awareness must be in place during the "disaster" portion of a BCP/DRP. Skipping them is one of the most common BCP/DRP mistakes. Once the initial BCP/DRP plan is completed, tested, trained, and implemented, it must be kept up to date. Business and IT systems change quickly, and IT professionals are accustomed to adapting. BCP/DRP plans must keep pace with all critical business and IT changes. Given the patchwork of overlapping terms and processes used by various BCP/DRP frameworks, this chapter also focuses on universal best practices. Mapping risk to key business processes can result in preventive risk measures taken in advance of any disaster, which may avoid future disasters entirely.


Eleventh Hour CISSP (Second Edition) | 2014

Domain 1: Access Control

Eric Conrad; Seth Misenar; Joshua Feldman

Access Control, the topic of this chapter and Domain 1 of the CISSP, presents numerous critically important terms and concepts that permeate several domains. This chapter introduces the CIA triad of confidentiality, integrity, and availability, which are touched upon in virtually every domain and chapter. In addition to CIA, concepts such as the principle of least privilege and need to know are presented. The application of these principles in the form of access control models such as Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-Based Access Control (RBAC) represents a significant amount of this domain's material. Understanding the key categories of access control defenses (preventive, detective, corrective, recovery, deterrent, and compensating controls) is necessary for this and numerous other domains. The final major content area in this chapter deals with authentication by introducing methods, protocols, and concepts related to ensuring that an identity claim can be validated appropriately.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Domain 1: Security risk management

Eric Conrad; Seth Misenar; Joshua Feldman

This chapter, Domain 1 of the CISSP, presents numerous critically important terms and concepts that permeate several domains. This chapter introduces the CIA triad of confidentiality, integrity, and availability, which are touched upon in virtually every domain and chapter. In addition to CIA, concepts such as the principle of least privilege and need to know are presented. Key terms, concepts, and formulas related to risk management are presented within this chapter. Risk, threat, and vulnerability are basic terms that must be understood to prove successful with this domain. Understanding how to perform calculations using annualized loss expectancy, single loss expectancy, annualized rate of occurrence, and exposure factor is highlighted as part of quantitative risk analysis. Important concepts related to information security governance, such as privacy, due care, due diligence, certification, and accreditation, are also a focus of this chapter.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Domain 3: Security engineering

Eric Conrad; Seth Misenar; Joshua Feldman

This chapter represents a large and complex technical domain. The chapter presents the key cryptographic concepts of authentication and nonrepudiation in addition to confidentiality and integrity, which are concepts presented in many of the domains. Beyond the foundational operations (substitution and permutation) and the types of cryptosystems (symmetric, asymmetric, and hashing), this chapter also introduces the key modes of operation for symmetric cryptosystems: Electronic Code Book, Cipher Block Chaining, Cipher Feedback, Output Feedback, and Counter Mode. The goal of the domain's final section is to ensure that the safety of personnel is a key consideration in physical and environmental security. Ensuring this safety requires an understanding of common issues that could negatively impact personnel's safety, such as fire, smoke, flood, and toxins, with particular emphasis on smoke and fire detection and suppression. Physical security is the other main focus of this chapter, and attention is given to physical access control matters including fences, gates, lights, cameras, locks, mantraps, and guards.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Chapter 5 – Domain 5: Identity and access management (controlling access and managing identity)

Eric Conrad; Seth Misenar; Joshua Feldman

This chapter focuses on the application of access control models such as mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC), which represent a significant amount of this domain's material. Understanding the key categories of access control defenses, as well as preventive, detective, corrective, recovery, deterrent, and compensating controls, is necessary for this and numerous other domains. The final major content area in this chapter deals with authentication by introducing methods, protocols, and concepts related to ensuring that an identity claim can be validated appropriately.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Domain 2: Asset security

Eric Conrad; Seth Misenar; Joshua Feldman

The Asset Security domain focuses on controls such as data classification, clearances, labels, retention, and ownership of data. Data remanence is discussed, including newly testable material such as the remanence properties of solid-state drives, which are a combination of EEPROM and RAM and have quite different remanence properties compared to magnetic drives. The domain wraps up with a discussion of controls determination, including scoping and tailoring, and concludes with a discussion of well-known standards, including PCI-DSS and the ISO 27000 series.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Domain 7: Security operations

Eric Conrad; Seth Misenar; Joshua Feldman

Security operations focus on configuration and change management. Continuity of operations is also presented in this chapter, with discussions of different methods of ensuring availability through highly available systems, redundant arrays of inexpensive disks, and service level agreements. A methodology and discussion of incident response is the final focus of the Operations Security domain. The second part of this chapter focuses on business continuity and disaster recovery. A thorough understanding of both business continuity planning (BCP) and disaster recovery planning (DRP) is required in order to be successful in answering questions from this domain. A key goal is to understand the differences in the scope and purpose of BCP and DRP. DRP represents a more tactical, information-systems-focused exercise, while BCP, which includes DRP as one of its components, is considerably more vast and high level. Key concepts for this domain include performing a business impact analysis and determining a system's maximum tolerable downtime.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Domain 6: Security assessment and testing

Eric Conrad; Seth Misenar; Joshua Feldman

Domain 6 discusses security assessment and testing, which are critical components of any information security program. Organizations must accurately assess their real-world security, focus on the most critical components, and make necessary changes to improve. This domain describes two major components of assessment and testing: overall security assessments (including vulnerability scanning, penetration testing, security assessments, and security audits) and testing software via static and dynamic methods. Static testing tests the code passively, meaning that the code is not running. This includes walkthroughs, syntax checking, and code reviews. Dynamic methods include fuzzing, a type of black-box testing that submits random, malformed data as inputs into software programs to determine if they will crash.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Domain 4: Communication and network security

Eric Conrad; Seth Misenar; Joshua Feldman

Domain 4: Communications and network security, covered in this chapter, is another very technical domain to be tested. One of the most technical of the domains included in the CISSP, Domain 4 requires an understanding of networking and the TCP/IP suite of protocols at a fairly substantial level of depth. Networking hardware such as routers, switches, and the less common repeaters, hubs, and bridges are all presented within this domain. Technical aspects of intrusion detection systems, intrusion prevention systems, virtual private networks, 802.11 wireless, radio frequency identification, and authentication devices and protocols are found in this large domain. More recently added topics such as endpoint security, remote access, and virtualization are also represented in this chapter.


Eleventh Hour CISSP® (Third Edition) Study Guide | 2017

Chapter 8 – Domain 8: Software development security

Eric Conrad; Seth Misenar; Joshua Feldman

Chapter 8 introduces Domain 8 of the CISSP, Software Development Security. The most important aspects of this domain are related to managing the development of software and applications. Approaches to software development that attempt to reduce the likelihood of defects or flaws are a key topic in this domain. In particular, the waterfall, spiral, and rapid application development models of software development are considered. Another significant portion of this chapter is dedicated to understanding the principles of object-oriented programming and design. A basic discussion of several types of software vulnerabilities and the issues surrounding disclosure of those vulnerabilities is also a topic for this domain. Finally, databases are considered, as they are a key component of many applications.
