The Official (ISC)2 CISSP CBK Reference. Aaron Kraus

      CIS Critical Security Controls

      The CIS Critical Security Controls (or CIS Controls) is a publication of 20 best-practice guidelines for information security. The publication was initially created by the SANS Institute but was transferred to the Center for Internet Security (CIS) in 2015. Today, you may see these 20 critical controls labeled CIS CSC, CIS 20, SANS Top 20, or other variants.

      CIS Controls v7.1 was released in April 2019 and identifies the basic, foundational, and organizational controls that CIS recommends to mitigate the most common attacks against networks and systems. According to the Center for Internet Security, the 20 Critical Security Controls are as follows:

       CIS Control 1: Inventory and Control of Hardware Assets

       CIS Control 2: Inventory and Control of Software Assets

       CIS Control 3: Continuous Vulnerability Management

       CIS Control 4: Controlled Use of Administrative Privileges

       CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

       CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

       CIS Control 7: Email and Web Browser Protections

       CIS Control 8: Malware Defenses

       CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

       CIS Control 10: Data Recovery Capabilities

       CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

       CIS Control 12: Boundary Defense

       CIS Control 13: Data Protection

       CIS Control 14: Controlled Access Based on the Need to Know

       CIS Control 15: Wireless Access Control

       CIS Control 16: Account Monitoring and Control

       CIS Control 17: Implement a Security Awareness and Training Program

       CIS Control 18: Application Software Security

       CIS Control 19: Incident Response and Management

       CIS Control 20: Penetration Tests and Red Team Exercises

      NOTE The controls and subcontrols within the CIS CSC break down into what are known as Implementation Groups. According to CIS, “Implementation Groups provide a simple and accessible way to help organizations of different classes focus their security resources, and still leverage the value of the CIS Controls program ….” In essence, these Implementation Groups help organizations prioritize controls and identify the subcontrols that are most reasonable for their level of expertise and their risk profile. Visit www.cissecurity.org for more information on the CSC and their Implementation Groups.

      Due Care and Due Diligence

      Governance requires that the individuals setting the strategic direction and mission of the organization act on behalf of the stakeholders. The minimum standard for their governance action requires that they act with due care. Due care is a legal term used to describe the conduct that a reasonable person would exercise in a given situation. In business, due care is using reasonable care to protect the interests of your organization. More specifically, in regard to information security, due care relates to the conduct that a reasonable person would exercise to maintain the confidentiality, integrity, and availability of their organization's assets. This concept of “reasonable” can be a bit nebulous at first, but it is intended to protect a person or organization from accusations of negligence. In short, court decisions around the world have demonstrated that a person's actions can be assumed “reasonable” if a person of similar background and experience, confronted with the same situation, would take the same or similar actions. Examples of due care in security are activities like scanning for and patching security vulnerabilities, enabling security logging, and writing restrictive firewall rules that enforce least privilege (discussed in Chapter 3, “Security Architecture and Engineering”).

      Due diligence is another legal concept that relates to continually ensuring that behavior maintains due care. In other words, due diligence is the ongoing execution and monitoring of due care. In relation to information security, due diligence relates to the ongoing actions that an organization and its personnel conduct to ensure organizational assets are reasonably protected. Examples of due diligence in security are activities like reviewing security log output for suspicious activity and conducting penetration tests to determine if firewall rules are sufficiently restrictive.

      The concepts of due care and due diligence are incredibly important in the legal and finance world, but they must also be understood by information security professionals. Exercising due care and conducting due diligence are required to avoid claims of negligence in court. The CISSP CBK aims to establish the set of knowledge and activities required of a “reasonable” security leader.

      (ISC)2 defines compliance as adherence to a mandate; it includes the set of activities that an organization conducts to understand and satisfy all applicable laws, regulatory requirements, industry standards, and contractual agreements.

      Legislative and Regulatory Requirements

      Many compliance expectations come from statutory or regulatory requirements that apply broadly to all industries. Others are specific to certain industries or products. This ever-changing set of expectations requires a continuous review of organizational practices to ensure that information is protected in compliance with all applicable requirements.

      NOTE Because many compliance requirements relate to information security, people often confuse the two or assume that being compliant is the same as being secure. As a CISSP, you should understand that compliance requirements generally serve as a solid baseline for security, but being compliant with security regulations and standards is only the first step toward being secure.

      The first challenge in identifying compliance requirements involves knowing which jurisdiction has the legal authority to set those requirements. Jurisdiction is a legal concept that establishes the official power to make legal decisions and judgments. It is not enough to know the relevant geography or political boundaries; jurisdiction may also be influenced by international treaties and agreements, the activity of your organization, or any number