Reminders for CISSP Aspirants

Why is CISSP so challenging? Its comprehensiveness, which we all acknowledge, is only the exposed tip of the CISSP iceberg; the general management concepts hidden beneath the surface are the real stumbling block.

CISSP is an experience-based certification. It requires at least five years of cumulative, paid, security-related work experience to become certified. Why is the five-year experience one of the prerequisites? Those years are meant to develop the general management concepts and fundamental project management capabilities that are required in almost every business setting, before or during your CISSP journey.

IMHO, the following are some of the key concepts and skills:

  • Focus on effectiveness and understand the difference between effectiveness and efficiency.
  • Understand leadership and management. Lead and/or follow people passionately and strategically; manage things or projects effectively and efficiently.
  • Management by objectives; Plan-Do-Check-Act.
  • Be curious and learn how the business works.
  • Think strategically and integrate projects, programs, and portfolios.

Security is a business issue that extends far beyond the scope of IT. CISSP aspirants have to be acquainted with both technical and business areas, e.g. operations, governance, and risk management.

System Security Engineering

  • System Security Engineering, or Security Engineering, is the process of applying engineering knowledge to build systems with security considered throughout the life cycle, from inception to retirement.
  • Here “systems” means information systems.
    • An information system is built on an architecture that is designed according to established principles.
    • An information system comprises a variety of components that can be built in-house or bought from vendors.

Figure: NIST SDLC (information system life cycle)

Information Security

Figure: Information Security definition (onion diagram)

The onion diagram is updated to emphasize that Information Security is a business issue. Security people should protect assets while always keeping the business in mind, that is, enabling the business and delivering value. Tunnel vision and functional boundaries should be broken down and removed.

Information Security is a discipline to protect information and information systems from threats through security controls to:

  1. achieve the objectives of confidentiality, integrity, and availability, or CIA for short,
  2. support the organizational mission and processes, and
  3. create and deliver value.

The definition of Information Security is revised because Information Security is a business issue: it should be aligned with the business mission, goals, and strategies, enable and streamline business processes, and ultimately create and deliver value.

Case Study – AmyPro Consultant

Figure: AmyPro networks

  • AmyPro Consultant is headquartered in Taipei with a branch in New York, US.
  • An offshore software partner in Bengaluru, India develops and maintains the proprietary CRM system.
  • Staff work on-site in Taipei, on the road, and from home.
  • How do you implement and support the secure network?