CISSP 8 Security Domains
- Security and Risk Management: defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations.
- Asset Security: The asset security domain is focused on securing digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data. This means that assets such as PII or SPII should be securely handled and protected, whether stored on a computer, transferred over a network like the internet, or even physically collected. Organizations also need to have policies and procedures that ensure data is properly stored, maintained, retained, and destroyed.
- Security Architecture and Engineering: Involves the design and implementation of policies, systems, processes, and secure architectures, including security models, frameworks, and cryptography. Shared responsibility means everyone in the organization takes an active role in identifying security risks.
- Communication and Network Security: Deals with securing network infrastructure and the integrity of data transmission over networks.
- Identity and Access Management (IAM): Covers access control processes, authentication, and authorization mechanisms, ensuring that only authorized individuals can access certain information. Its four components are Identify, Authenticate, Authorize, and Accountability.
- Security Assessment and Testing: Includes evaluating and testing security controls, performing vulnerability assessments, and understanding audit techniques. Security testing is used to identify risks and vulnerabilities.
- Security Operations: Encompasses incident management, monitoring and responding to security events, and disaster recovery. This includes conducting investigations and implementing preventative measures; after an attack, a forensic investigation is conducted.
- Software Development Security: Focuses on ensuring that security is integrated into the software development lifecycle, including understanding threats and vulnerabilities in code.
The NIST Risk Management Framework (RMF) consists of seven steps, which guide organizations in managing and securing information systems:
"Please Check Security In All Measures" is the phrase used to memorize these steps.
- Prepare – Develop an organizational understanding of the risk management process, including identifying key roles and setting the foundation for risk management.
- Categorize – Classify the information system based on the type and sensitivity of the data processed, stored, and transmitted.
- Select – Choose appropriate security controls based on the categorization, and tailor them to the specific system requirements.
- Implement – Put the selected security controls into place and ensure they are functioning as intended.
- Assess – Evaluate the effectiveness of the implemented controls to ensure they meet the security objectives.
- Authorize – A senior official reviews the security controls and decides whether to accept the associated risks, formally authorizing the system for use.
- Monitor – Continuously observe and assess the system for security controls and risks, updating as necessary over the system’s lifecycle.
Glossary terms
Terms and definitions
Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly
Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that may exist in an organization
Business continuity: An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans
Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks
External threat: Anything outside the organization that has the potential to harm organizational assets
Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization
Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk
Monitor: The seventh step of the NIST RMF that means be aware of how systems are operating
Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs
Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach
Security posture: An organization’s ability to manage its defense of critical assets and data and react to change
Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization
Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security
Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables
Vulnerability: A weakness that can be exploited by a threat