About the risks that abound in the world of technology, when everything is connected and snooped upon, one way or another. Are you safe?


Sunday, August 17, 2014

CISSP


I have included this post and the preceding ten posts about CISSP for readers who are interested in finding out more about the certification, or in proceeding with their own studies in information security. It provides a structured and comprehensive scope of information security. I am not related to (ISC)2 and am not CISSP accredited myself.

In my 25 years of experience serving MNCs and small businesses alike around the world, I have met fantastic practitioners who are CISSP certified and those who are not CISSP certified. I have also presided over a harrowing experience of protecting an organisation from a live cyberspace attack and bringing the situation back to business-as-usual. Believe me, during those stressful moments, the first thing that struck my mind was definitely not what certifications I hold, but how I could effectively quell the attack with minimum disruption to the business.

CISSP® - Certified Information Systems Security Professional - is a globally recognized certification in the field of information security, hosted by (ISC)2.

It has ten domains:
  • Access Control
  • Telecommunications and Network Security 
  • Information Security Governance and Risk Management
  • Software Development Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations and Compliance
  • Physical (Environmental) Security


The CISSP® examination consists of 250 multiple choice questions with four (4) choices each, to be completed within 6 hours.

The multiple choice style of examination is efficient and highly scalable, so it can be extended worldwide to measure and certify information security professionals.

However, in real life, I have not had a problem that is so explicitly stated that it comes with four possible answers, out of which one will be definitely correct and the other three definitely wrong. Real life is a lot fuzzier and more ambiguous, and often, we will not even know what the real problem is at the outset. Usually, we confront a 'situation', interpret it and construct a scenario based on the information that is obtained or presented before us. Sometimes, there is information that we have failed to uncover, and/or information that is deliberately kept away from us.

So is CISSP bad? No.
Is it super? No, not that either.



CISSP: Access Control



Access control, in one form or another, is considered by most information systems security professionals to be the cornerstone of their security programs. The various features of physical, technical, and administrative access control mechanisms work together to construct the security architecture so important in the protection of an organization’s critical and sensitive information assets.


This domain includes:
  • Concepts/methodologies/techniques
  • Effectiveness
  • Attacks
Here are some videos which explain Access Control well:


[more coming up...]

CISSP: Telecommunications and Network Security



Telecommunications is the electrical transmission of data between systems, whether it is analog, digital, or wireless communication. The data can be converted (digital to analog), compressed, encrypted, and multiplexed many times, taking on different forms such as a datagram (UDP is one example), a packet (IP), a cell (ATM), and so on. When it all works together the result is awesome.


As data travels around a network (telecomm or otherwise) it must adhere to a set of rules to be transferred correctly and semi-efficiently.



The most common and largest set of rules is known as the Internet. The Internet is based upon the TCP/IP protocol suite, which adheres to the world standard ISO layer model.
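
As an added example (not from the original post), the layering described above can be seen in the bytes themselves: a UDP datagram is built, wrapped in an IPv4 packet, and then each layer is stripped again with the checks a receiver should apply. Addresses, ports, identification and payload are constructed sample values; only the standard library is used.

```python
# Added example: encapsulate a UDP datagram inside an IPv4 packet and parse it back.
# All addresses, ports and payload bytes are constructed sample values.
import struct
import socket

IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (used for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header (8 bytes) followed by payload; checksum 0 is permitted over IPv4."""
    length = 8 + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) with header checksum filled in, then payload."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL = 5 words
        0,                    # DSCP / ECN
        total_len,
        0x1234,               # identification (constructed)
        0x4000,               # flags: don't fragment, fragment offset 0
        64,                   # TTL
        proto,
        0,                    # checksum placeholder
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    csum = ip_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Strip the IP layer; reject bad version/IHL and a header whose checksum fails."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    header = packet[:ihl]
    if ip_checksum(header) != 0:            # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    (total_len,) = struct.unpack("!H", header[2:4])
    return {
        "src": socket.inet_ntoa(header[12:16]),
        "dst": socket.inet_ntoa(header[16:20]),
        "proto": header[9],
        "payload": packet[ihl:total_len],
    }


def parse_udp(datagram: bytes) -> dict:
    """Strip the UDP layer; the length field must match what was actually received."""
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field %d != %d bytes received" % (length, len(datagram)))
    return {"src_port": src_port, "dst_port": dst_port, "payload": datagram[8:]}


def demo():
    """Round trip: build UDP -> wrap in IPv4 -> unwrap IPv4 -> unwrap UDP."""
    udp = build_udp(50000, 53, b"hello")
    pkt = build_ipv4("192.0.2.10", "192.0.2.53", IPPROTO_UDP, udp)
    ip = parse_ipv4(pkt)
    inner = parse_udp(ip["payload"])
    return ip, inner


if __name__ == "__main__":
    print(demo())
```

The two parse functions are the defender's side of the picture: a receiver trusts nothing in a header it did not verify, so a corrupted IPv4 header fails the checksum and a UDP length field that disagrees with the bytes on the wire is rejected rather than used to index into memory.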
This domain includes:
  • Network architecture and design
  • Communication channels
  • Network components
  • Network attacks
Here are some videos which explain Telecommunications and Network Security well:




  • DMZ
  • False Positive
  • Symmetric and Asymmetric Encryption: http://youtu.be/jV9-VkvDPk8
  • Wireless Packet Analysis
  • Subnetting
  • Types of Firewalls: http://youtu.be/o43Vhslg2EA
  • Intrusion Detection System: http://youtu.be/O2Gz-v8WswQ