Anatomy of (ISC)2 CISSP Common Body Knowledge
Get the big picture
The brain is wider than the sky. — Emily Dickinson
Before we start studying together and prepare for the CISSP exam. I want to give you an overview of the anatomy of the content (CISSP CBK) we are going to dissect.
Domesticate the wild animal
CISSP is not a Unicorn or Phenix, just a wild animal you need to observe in order to understand it. The first impression of CISSP and CISSP books in general is that’s a lot of content, and it can easily become overwhelming to go over one thousand pages.
Get a clear understanding of the essence of each domain, you need to be able to see it as a body, each domain has a function in the cybersecurity field.
Let’s take a look on the inside
In this section we will go over the outline of CISSP Common Body Knowledge, and discover the goal of each domain, and what to expect.
Domain 1. Security and Risk Management
- The first thing to understand when getting into cybersecurity is to learn the CIA triad (Confidentiality, Integrity, and Availability). It represents the cornerstones of Information security.
- Understanding the business and its corporate functions and how cybersecurity enables the business is a key success factor, along with being familiar with the compliance and regulatory requirements that the company has to comply with.
- Cybersecurity governance starts with laying down the policies, standards, procedures, and guidelines that will facilitate the implementation and operationalization of the security controls to mitigate the risk the company is exposed to.
- Humans are the weakest point for any organization’s, even when having a layered defense implemented, it is crucial to educate and aware of the employees since their first day at work.
“First, Do no harm” — Hippocratic Oath
- Reading the (ISC)2 Code of Ethics helps you understand the spirit of working in cybersecurity and being honest and accountable.
- Since disasters happen, you will need to understand the business continuity planning principles and how to recover from disasters.
Domain 2. Asset Security
- Information is the most valuable asset for a company.
- Asset management must follow a lifecycle, and information must be classified.
- Each asset is tied to its owner.
- Data security controls allow organizations to safeguard their most valuable informational assets, such as IP (Intellectual Property) and Trade secrets.
- Security and Privacy are different but can serve the same purpose.
Domain 3. Security Architecture and Engineering
- Learn security models and design principles in order to create and/or implement security controls.
- Get familiar with the different security capabilities you can leverage to protect an organization.
- For me it is an art, it fascinates me. But I don’t know if you agree with me. Yes, It is Cryptography. It is one of the most important topics in cybersecurity in general and CISSP CBK specifically.
- Physical security is important to safeguard the company’s assets. But also safeguard what is most important, “Human Lives”.
Domain 4. Communication and Network Security
- Is important to know the OSI model seven layers, but having security in mind is a must.
- Get familiar with the security components of a network and how to secure the different communication channels.
Domain 5. Identity and Access Management (IAM)
- With the world of IT getting more focused on the users, and the spread of BYOD (Bring Your Own Device) policies, security controls around the user’s identity is the new way to protect the corporate data regardless of its location.
- AAA (Authentication, Authorization, and Accountability) three principles that help to manage physical and logical access to assets. It identifies subjects (e.g. users), validates their identity and eligibility to access an object (e.g. asset).
Domain 6. Security Assessment and Testing
- Secure by design is a must, but it is not possible to eliminate human errors. That’s where security assessment and audit strategies play a key role in making sure the security controls are effective and operating as expected.
Domain 7. Security Operations
- Being ready for the worst and planning for disaster recovery is primordial, as much as being proactive and designing layered secure applications and systems is a stepping stone for robust security.
- However, running flawless security operations is the reflection of agility and adaptive security architecture.
- Security operation teams are responsible for administrating and maintaining the security platforms, respond to incidents, investigate, and collect intelligence.
- Testing real-life scenarios are the ultimate proof of security strategy effectiveness.
Domain 8. Software Development Security
- Planning and testing are important steps in a software development lifecycle, but with security in mind, it will enable the company of deploying secure software.
- Development teams must be trained to code securely and follow security guidelines and standards.
- In order to have an effective software security, all logging and changes must be audited, and software periodically tested and validated.
Now that you have the big picture, we will start studying the shapes and forms of the CISSP Common Body Knowledge.