
Official (ISC) 2 Guide to the CISSP-ISSEP CBK PDF

1025 pages · 2005 · 30.634 MB · English

Preview: Official (ISC)2 Guide to the CISSP-ISSEP CBK

OFFICIAL (ISC)2® GUIDE TO THE CISSP®-ISSEP® CBK®

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Asset Protection and Security Management Handbook
  POA Publishing, ISBN: 0-8493-1603-0
Building a Global Information Assurance Program
  Raymond J. Curts and Douglas E. Campbell, ISBN: 0-8493-1368-6
Building an Information Security Awareness Program
  Mark B. Desman, ISBN: 0-8493-0116-5
Critical Incident Management
  Alan B. Sterneckert, ISBN: 0-8493-0010-X
Cyber Crime Investigator's Field Guide, Second Edition
  Bruce Middleton, ISBN: 0-8493-2768-7
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
  Albert J. Marcella, Jr. and Robert S. Greenfield, ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing
  James S. Tiller, ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks
  Susan Young and Dave Aitel, ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization
  Jan Killmeyer Tudor, ISBN: 0-8493-9988-2
Information Security Fundamentals
  Thomas R. Peltier, ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition
  Harold F. Tipton and Micki Krause, ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
  Thomas R. Peltier, ISBN: 0-8493-1137-3
Information Security Risk Analysis
  Thomas R. Peltier, ISBN: 0-8493-0880-1
Information Technology Control and Audit, Second Edition
  Fredrick Gallegos, Daniel Manson, Sandra Allen-Senft, and Carol Gonzales, ISBN: 0-8493-2032-1
Investigator's Guide to Steganography
  Gregory Kipper, ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment
  Thomas Peltier, Justin Peltier, and John A. Blackley, ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth
  Cliff Riggs, ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance
  Kevin Beaver and Rebecca Herold, ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance
  Debra S. Herrmann, ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions
  Rebecca Herold, ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services
  John R. Vacca, ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers
  Peter T. Davis, ISBN: 0-8493-1290-6
Strategic Information Security
  John Wylder, ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition
  Amanda Andress, ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks
  James S. Tiller, ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation
  Debra S. Herrmann, ISBN: 0-8493-1404-6

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]

OFFICIAL (ISC)2® GUIDE TO THE CISSP®-ISSEP® CBK®
Susan Hansche, CISSP-ISSEP
Boca Raton, New York

(ISC)2, CISSP, ISSEP, and CBK are registered trademarks of the International Information Systems Security Certification Consortium.

Published in 2006 by Auerbach Publications, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
© 2006 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-10: 0-8493-2341-X (Hardcover)
International Standard Book Number-13: 978-0-8493-2341-6 (Hardcover)
Library of Congress Card Number 2005041144

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Hansche, Susan.
Official (ISC)2 guide to the CISSP-ISSEP CBK / Susan Hansche.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2341-X (alk. paper)
1. Electronic data processing personnel--Certification. 2. Computer security--Examinations--Study guides. I. Title: Official ISC squared guide. II. Title.
QA76.3.H364 2005
005.8--dc22
2005041144

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Publications Web site at http://www.auerbach-publications.com. Taylor & Francis Group is the Academic Division of T&F Informa plc.

This book is dedicated to my late father, Sam Hansche, who encouraged me to do my best and gave me confidence to believe in myself, and my mother, Sandra Montgomery, who showers me with love and support.

Table of Contents

Preface
About the Author

ISSE Domain 1: Information Systems Security Engineering (ISSE)
  Overview
  Contributors and Reviewers

1 ISSE Introduction
  Introduction
  SE and ISSE Overview
    IEEE 1220 Overview
  The ISSE Model
    Basic SE and ISSE Principles
      Principle 1: Always keep the problem and the solution spaces separate
      Principle 2: The problem space is defined by the customer's mission or business needs
      Principle 3: The systems engineer and information systems security engineer define the solution space driven by the problem space
  Life Cycle and ISSE
    NIST SP 800-27, Rev. A: Engineering Principles
  Risk Management
  Defense in Depth
    People
    Technology
    Operations
      Defense in Multiple Places
      Layered Defenses
      Security Robustness
      Deploy KMI/PKI
      Deploy Intrusion Detection Systems
  Summary
  References

2 ISSE Model Phase 1: Discover Information Protection Needs
  Introduction
  Systems Engineering Activity: Discover Needs
  ISSE Activity: Discover Information Protection Needs
    Task 1: Define the Customer's Mission/Business Needs
    Task 2: Define the Information Management
      From Mission Needs to Information Management Needs
      Creating an Information Management Model (IMM)
      Step 1: Identify Processes
      Step 2: Identify the Information Being Processed
        FIPS 199
        NIST SP 800-60
        NIST SP 800-59
        DoD Mission Assurance Categories (MACs)
        Information Domains
      Step 3: Identify the Users of the Information and the Process
    Task 3: Define the Information Protection Policy (IPP)
      Conducting the Threat Analysis and Developing the Information Protection Policy
        Potential Harmful Events (PHEs)
        Harm to Information (HTI)
  Identifying Security Services and Developing the Information Protection Policy
    Security Services
      Access Control
      Confidentiality
      Integrity
      Availability
      Non-Repudiation
      Security Management
      Additional Security Controls
  Creating the Information Protection Policy (IPP)
  Creating the IPP Document
    Introduction
    General Policies
    Establish Roles and Responsibilities
    Identify Decision Makers
    Define Certification and Accreditation (C&A) Team Members and Procedures
    Identify Information Domains and Information Management
    Identify Security Service Requirements
    Signatures
  The Information Management Plan (IMP)
  Final Deliverable of Step 1
  Summary
  References

3 ISSE Model Phase 2: Define System Security Requirements
  Introduction
  System Engineering Activity: Defining System Requirements
    Defining the System Context
      IEEE 1220: 5.1.1.1 System Concept
    Define System Requirements
      Define Customer Expectations (Task 6.1.1)
      Define Constraints (Tasks 6.1.2 and 6.1.3)
      Define Operational Scenarios (Task 6.1.4)
      Define Measures of Effectiveness (MOEs) (Task 6.1.5)
      Define System Boundaries (Task 6.1.6)
      Define Interfaces (Task 6.1.7)
      Define Utilization Environments (Task 6.1.8)
      Define Life-Cycle Process Concepts (Task 6.1.9)
      Define Functional Requirements (Task 6.1.10)
      Define Performance Requirements (Task 6.1.11)
      Define Modes of Operations (Task 6.1.12)
      Define Technical Performance Measures (Task 6.1.13)
      Define Design Characteristics (Task 6.1.14)
      Define Human Factors (Task 6.1.15)
      Establish Requirements Baseline (Task 6.1.16)
    Define Design Constraints
    The Preliminary System Concept of Operations (CONOPS)
  ISSE Activity: Defining System Security Requirements
    Define the System Security Context
    Define System Security Requirements
    Define the Preliminary System Security CONOPS
  Final Deliverable of Step 2
  Summary
  References

4 ISSE Model Phase 3: Define System Security Architecture
  Introduction
  Defining System and Security Architecture
    Defining System Architecture
    Defining System Security Architecture
    Guidelines for Designing System Architectures from DoDAF and FEAF
      DoD Architectural Framework
      Federal Enterprise Architecture Framework (FEAF)
