CISSP CIA Triad

Welcome to our library of study guides to help you pass the CISSP. The first domain starts with the basics of information security and risk management and covers about 15% of the CISSP exam. At a high level, this domain focuses on the principles of confidentiality, integrity and availability and how they relate to information security within an organization. Security and risk management is also a huge part of Domain 1 and covers the CISSP CIA Triad, security control principles and governance, risk control and analysis, and the important laws and regulations that govern information security.

CIA Triad

Confidentiality, integrity and availability (the CISSP CIA triad) can be viewed as a standard security framework intended to guide policies for information security within an organization. Every security decision should be made with these three principles of the CISSP CIA Triad in mind as a guide.

Confidentiality
The confidentiality of information refers to the protection of information from unauthorized access. This involves restricting access so that only authorized users and processes are able to access or modify data.

Integrity
The integrity of information refers to the trustworthiness, reliability and authenticity of the information stored in a system. It involves protecting sensitive information against improper modification or destruction by unauthorized parties, and includes ensuring the non-repudiation and authenticity of information.

Availability
The availability of information means that all data and assets in an organization and its systems are readily accessible to authorized users at all times.

The Opposite of the CIA Triad – Disclosure, Alteration and Destruction – DAD Triad

Disclosure – unauthorized release of information
Alteration – unauthorized modification of data
Destruction – making systems or data unavailable

Best practices to support CIA

  • Encrypt sensitive data: such as credit card numbers or personal information, stored data on computer and server storage and when data is in transit over a network.
  • Restrict access to sensitive data: Use access controls, such as user authentication and authorization, to limit who can access sensitive data and what they can do with it.
  • Use physical controls, such as locks and security cameras, to prevent unauthorized access to sensitive data in physical locations, such as data centers or office buildings.
  • Maintain a clear data protection policy and regularly train employees on security best practices to teach them how to handle sensitive information properly.
  • Separation of duties: Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of duties is a preventative control.
  • Enforce mandatory vacations: This prevents users with a high level of privilege from having exclusive use of a system. Periodically, these high-privilege users should be required to take a vacation and hand control of the system to someone else. This policy is a detective control.
  • Job rotation: Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.
  • Deploy redundant systems such as multiple servers or backup power sources or implement caching. This way, when one system fails, the others can continue to operate and provide the data you need.
  • Use load balancers, which distribute incoming requests across multiple systems so that no single system becomes overwhelmed and unavailable.
  • Regularly test and maintain your systems to help identify and address potential availability issues before they cause disruptions.
  • Implement Least privilege: Allowing users to have only the required access to do their jobs.
  • Need to know principle: In addition to clearance, users must also have a “need to know” to access classified data.
  • Dual control: Requiring more than one user to perform a task.
  • Disaster recovery and business continuity plan: Ensure a data recovery and business continuity (BC) plan is in place in case of data loss.
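Several of the access-related practices above (least privilege, separation of duties, need to know and dual control) are easiest to understand as checks in an authorization model. The following is an added example written for this guide, not code from the CISSP body of knowledge or any vendor product; every role, permission, sensitivity label and user in it is constructed for illustration. It shows that clearance alone does not grant access without need to know, that a conflicting role assignment is refused, and that dual control counts distinct approvers rather than approvals.

```python
"""Added example (not from the study guide): a small access-control model that
enforces least privilege, separation of duties, need to know and dual control.
All roles, permissions, labels and users below are constructed for illustration."""
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions its job requires.
ROLE_PERMISSIONS = {
    "network_admin": {"router:configure", "vlan:assign"},
    "security_admin": {"firewall:configure", "audit_log:read"},
    "analyst": {"report:read"},
}

# Separation of duties: role pairs that one person must never hold at the same time.
CONFLICTING_ROLES = {frozenset({"network_admin", "security_admin"})}

# Need to know: each permission carries a sensitivity level and a compartment.
PERMISSION_LABELS = {
    "router:configure": (2, "network"),
    "vlan:assign": (2, "network"),
    "firewall:configure": (3, "security"),
    "audit_log:read": (3, "security"),
    "report:read": (1, "general"),
}


@dataclass
class User:
    name: str
    clearance: int
    need_to_know: set = field(default_factory=set)
    roles: set = field(default_factory=set)


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would give one person conflicting duties."""


def role_conflicts(user: User, role: str) -> bool:
    return any(frozenset({held, role}) in CONFLICTING_ROLES for held in user.roles)


def assign_role(user: User, role: str) -> None:
    if role_conflicts(user, role):
        raise SeparationOfDutiesError(f"{user.name}: {role} conflicts with {sorted(user.roles)}")
    user.roles.add(role)


def is_authorized(user: User, permission: str) -> bool:
    # Least privilege: the permission must come from a role the user actually holds.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if permission not in granted:
        return False
    # Clearance alone is not enough; the user must also need to know this compartment.
    level, compartment = PERMISSION_LABELS[permission]
    return user.clearance >= level and compartment in user.need_to_know


def dual_control(permission: str, approvers: list, required: int = 2) -> bool:
    """Dual control: the task proceeds only with `required` distinct authorized approvers."""
    distinct = {u.name for u in approvers if is_authorized(u, permission)}
    return len(distinct) >= required


def demo() -> dict:
    """Constructed users exercising each check; returns the decisions for inspection."""
    alice = User("alice", clearance=2, need_to_know={"network"})
    bob = User("bob", clearance=3, need_to_know={"security"})
    carol = User("carol", clearance=3, need_to_know={"general"})  # cleared, but no need to know
    dave = User("dave", clearance=3, need_to_know={"security"})
    assign_role(alice, "network_admin")
    for u in (bob, carol, dave):
        assign_role(u, "security_admin")
    return {
        "alice_router": is_authorized(alice, "router:configure"),      # True
        "alice_firewall": is_authorized(alice, "firewall:configure"),  # False: no such role
        "carol_audit": is_authorized(carol, "audit_log:read"),         # False: no need to know
        "bob_as_netadmin": role_conflicts(bob, "network_admin"),       # True: SoD refuses it
        "one_approver_twice": dual_control("firewall:configure", [bob, bob]),  # False
        "two_approvers": dual_control("firewall:configure", [bob, dave]),      # True
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {decision}")
```

The order of checks in `is_authorized` matters: role membership is evaluated first so that a permission never reaches the label comparison unless a held role grants it, which keeps the least-privilege rule from being bypassed by a high clearance.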

Identity and Authentication, Authorization, and Accountability (AAA)

Identity and Authentication – Proving you are who you claim to be (authentication) by providing a piece of information or an object that only you possess, such as a password.
Authorization – Describes the actions you can perform on a system once you have been identified and authenticated.
Accountability – Holds users accountable for their actions. This is done by logging and analyzing audit data.

Non-repudiation

Non-repudiation is a legal concept that is often used in information security and refers to a situation in which a user cannot deny (repudiate) having performed a transaction, such as sending a message, applying a signature or agreeing to a contract. Non-repudiation is often seen in electronic communications, where one party cannot deny having performed an action and equally cannot deny having been confirmed as the recipient or having seen a contract or document. Non-repudiation requires both authentication and integrity.
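The AAA section and the non-repudiation section above describe one flow: identify and authenticate the user, authorize the action, and keep an audit record whose integrity can be verified later. The following is an added example for this guide, not code from any CISSP reference or product; the usernames, passwords, permissions and audit key are constructed. It uses a salted PBKDF2 verifier for authentication, a plain permission lookup for authorization, and an HMAC hash chain over the audit log so that a later edit to any entry is detected.

```python
"""Added example (not from the study guide): identification, authentication,
authorization and accountability in one flow, with a tamper-evident audit log.
Users, passwords, permissions and the audit key are constructed for illustration."""
import hashlib
import hmac
import json
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000


# --- Identification and authentication: store a salted verifier, never the password ---
def enroll(password: str, salt: Optional[bytes] = None) -> dict:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def authenticate(credential_store: dict, username: str, password: str) -> bool:
    record = credential_store.get(username)
    if record is None:
        return False  # unknown identity
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(attempt, record["digest"])  # constant-time comparison


# --- Authorization: what an authenticated identity may do (constructed permissions) ---
PERMISSIONS = {"alice": {"invoice:approve", "invoice:read"}, "bob": {"invoice:read"}}


def authorize(username: str, action: str) -> bool:
    return action in PERMISSIONS.get(username, set())


# --- Accountability: every decision is logged; entries are HMAC-chained for integrity ---
class AuditLog:
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _tag(self, entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True)
        return hmac.new(self.key, body.encode(), "sha256").hexdigest()

    def record(self, actor: str, action: str, outcome: str) -> None:
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        entry = {"actor": actor, "action": action, "outcome": outcome, "prev": prev}
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        """True only if no entry was altered, removed or reordered since it was written."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or not hmac.compare_digest(self._tag(entry), entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def perform(store: dict, log: AuditLog, username: str, password: str, action: str) -> bool:
    """Authenticate, then authorize, and record the outcome either way."""
    if not authenticate(store, username, password):
        log.record(username, action, "denied: authentication failed")
        return False
    if not authorize(username, action):
        log.record(username, action, "denied: not authorized")
        return False
    log.record(username, action, "allowed")
    return True


def demo() -> dict:
    """Constructed run: three requests, then a tampering attempt on the log."""
    store = {"alice": enroll("correct horse battery"), "bob": enroll("hunter2")}
    log = AuditLog(b"constructed-audit-key")
    decisions = [
        perform(store, log, "alice", "correct horse battery", "invoice:approve"),  # True
        perform(store, log, "bob", "hunter2", "invoice:approve"),                  # False
        perform(store, log, "alice", "wrong password", "invoice:read"),            # False
    ]
    intact = log.verify()                 # True
    log.entries[1]["actor"] = "alice"     # rewrite history: blame someone else
    return {"decisions": decisions, "intact_before": intact, "intact_after": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The denied attempts are logged as deliberately as the allowed one, because accountability depends on the failures being on record too. Note the limit of the HMAC chain: it gives integrity, and it ties each entry to the identity the system authenticated, but anyone holding the audit key could have produced the same tag, so it supports accountability rather than non-repudiation in the strict sense; that stronger property needs a signature under a key only the acting party controls.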
