Eleventh H Cissp Abstract

The document discusses key concepts in information security including confidentiality, integrity, availability, identity and authentication, authorization, accountability, nonrepudiation, defense in depth, legal and regulatory compliance, security governance, personnel security, access controls, and the role of third parties and ethics. It provides definitions and explanations of these foundational information security principles.

Uploaded by

Fernando

Eleventh Hour CISSP ABSTRACT

CONTENTS
Cornerstone Information Security Concepts ........................................ 2
    Confidentiality ............................................................. 2
    Integrity ................................................................... 2
    Availability ................................................................ 2
    Identity and Authentication, Authorization, and Accountability .............. 2
    Nonrepudiation .............................................................. 3
    Defense in Depth ............................................................ 3
Legal and Regulatory Issues ..................................................... 3
    Compliance with Laws and Regulations ........................................ 3
    Civil Law (Legal System) .................................................... 3
    Due Care and Due Diligence .................................................. 3
Security and Third Parties ...................................................... 4
    Service Level Agreements .................................................... 4
    Attestation ................................................................. 4
    Right to Penetration Test / Right to Audit .................................. 4
    Computer Ethics Institute ................................................... 4
Information Security Governance ................................................. 5
    Security Policy and Related Documents ....................................... 5
    Policy ...................................................................... 5
    Procedures .................................................................. 5
    Standards ................................................................... 5
Personnel Security .............................................................. 6
    Security Awareness and Training ............................................. 6
    Background Checks ........................................................... 6
    Employee Termination ........................................................ 6
Access Control Defensive Categories and Types ................................... 7


The most important thing in information security is the set of concepts we use; this chapter
covers the pillars of information security.

CONFIDENTIALITY

Confidentiality can be understood as seeking the non-disclosure of data, that is, preventing
unauthorized access.

INTEGRITY
Its objective is to prevent unauthorized modification.

AVAILABILITY
Availability means that information is up and accessible when it is needed.

IDENTITY AND AUTHENTICATION, AUTHORIZATION, AND ACCOUNTABILITY

Identity is defined as a claim, and authentication is the proof of that claim; an example of an
authentication factor is a password.

Authorization is the step that follows authentication: it defines everything that can be done
within a system once a user has entered it.

Accountability is the act of assigning responsibility to users for their actions in a system.
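The four steps described above (identity claim, authentication, authorization, accountability), as an added example that is not part of the original notes. The user store, permission table and password are constructed sample data; a real system would persist the audit log, not keep it in memory.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample data (hypothetical): identity -> (salt, hash) and identity -> allowed actions.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}
PERMISSIONS = {"alice": {"read_report"}}


@dataclass
class System:
    # Accountability: every decision is recorded against the claimed identity.
    audit_log: list = field(default_factory=list)

    def authenticate(self, identity: str, password: str) -> bool:
        """The username is only a claim; the password is what proves it."""
        record = USERS.get(identity)
        if record is None:
            self.audit_log.append((identity, "login", "unknown identity"))
            return False
        salt, stored_hash = record
        # compare_digest avoids leaking the match position through timing.
        ok = hmac.compare_digest(stored_hash, _hash_password(password, salt))
        self.audit_log.append((identity, "login", "success" if ok else "bad password"))
        return ok

    def authorize(self, identity: str, action: str) -> bool:
        """Authorization: what an already-authenticated identity may do."""
        return action in PERMISSIONS.get(identity, set())

    def perform(self, identity: str, password: str, action: str) -> str:
        """Run the full chain; authorization is never consulted before authentication."""
        if not self.authenticate(identity, password):
            return "denied: authentication failed"
        if not self.authorize(identity, action):
            self.audit_log.append((identity, action, "denied"))
            return "denied: not authorized"
        self.audit_log.append((identity, action, "allowed"))
        return f"ok: {identity} performed {action}"
```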

NONREPUDIATION

Nonrepudiation means that a user cannot deny his actions or transactions; it is the combination of
integrity and authentication.

DEFENSE IN DEPTH
It is used for risk reduction. It describes protections applied in segments or layers (capas),
improving the confidentiality, integrity, and availability of your data.

LEGAL AND REGULATORY ISSUES

This chapter covers the legal environment as it relates to computer security and
information security.

COMPLIANCE WITH LAWS AND REGULATIONS

The organization must be in compliance with all laws and regulations that apply to it.

CIVIL LAW (LEGAL SYSTEM)

There is a judicial power that is responsible for interpreting the laws in force.

DUE CARE AND DUE DILIGENCE

Due care can be defined with the phrase "the prudent man"; as a personal opinion, due
care is doing what is due. The difference between due care and due diligence is that due care is
informal while due diligence has processes to follow.

A concept related to due diligence is negligence, which refers to the opposite: not following the
processes that must be followed.

SECURITY AND THIRD PARTIES

This chapter considers the services that another company offers to a company, one whose
business model is different.

SERVICE LEVEL AGREEMENTS

SLAs identify key expectations that the vendor is contractually required to meet. They are widely
used for general performance expectations, but are increasingly leveraged for security purposes as
well. Understand how a third party responds to the company's needs at the service
level.

ATTESTATION
An information security certification implies that good practices have been implemented and
that they are reviewed in external suppliers.

RIGHT TO PENETRATION TEST/RIGHT TO AUDIT

Organizations may have the right to audit and to penetration test their systems; this must be
approved by management.

COMPUTER ETHICS INSTITUTE

It has 10 rules of computer ethics:

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or
proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.

9. Thou shalt think about the social consequences of the program you are writing
or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and
respect for your fellow humans.

INFORMATION SECURITY GOVERNANCE

It addresses the security of information at the organization level.

SECURITY POLICY AND RELATED DOCUMENTS

This concept covers the policies and procedures whose goal is the correct way of operating,
resulting in a successful information security program.

POLICY

Policies are mandatory: they must be met, they are high level and do not go into
specifics. They are made according to regulations.

PROCEDURES

Procedures are steps to follow (like a guide to follow). Unlike policy,
procedures are specific and low level.

STANDARDS

Refers to the specific use of technology, for example the specifications of a computer to be used
in the company.

PERSONNEL SECURITY

SECURITY AWARENESS AND TRAINING

Awareness changes user behavior, while training provides a skill set.

BACKGROUND CHECKS

Organizations should conduct a thorough background check before hiring an individual. This
includes a check of criminal records and verification of all experience, education, and certifications.

EMPLOYEE TERMINATION

Termination should result in immediate revocation of all employee access. Beyond account
revocation, termination should be a fair process. There are ethical and legal reasons for employing
fair termination, but there is also an additional information security advantage.

ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES

In order to understand and appropriately implement access controls, it is vital to understand what
benefits each control can add to security. In this section, each type of access control will be defined
on the basis of how it adds to the security of the system.
There are six access control types:
• Preventive
• Detective
• Corrective
• Recovery
• Deterrent
• Compensating
