Enterprise Architecture


Information security is a business issue: it not only protects information and information systems but also supports business and organizational objectives. Enterprise architecture is therefore a means for security professionals to understand the organizational structure and processes.

Enterprise Architecture Frameworks


The Zachman Framework, created by John Zachman in the 1980s, then working for IBM, is NOT a methodology for constructing an enterprise architecture but a tool for describing the enterprise.

Source: Wikipedia


The Open Group Architecture Framework (TOGAF), developed starting in 1995 by The Open Group, is a framework for enterprise architecture. It provides a set of tools for developing a broad range of different architectures, e.g. business, applications, data, and technical architecture.

Source: Wikipedia

Enterprise Models

McKinsey 7-S Framework

Value Chain



Effective CISSP Questions

The incident response (IR) team in your company submitted an urgent human resource request for a security analyst. The job description of a security analyst requires at least five years of work experience and the CISSP certificate. Nawwar is an experienced network engineer with ten years of experience and the Cisco Certified Network Professional certificate. The head of the IR team proposed to hire Nawwar as soon as possible. As a security professional, which of the following suggestions will you make to the Human Resources department?
A. Reject. Nawwar is incompetent.
B. Reject. The demand for the security analyst is not so urgent.
C. Accept. The IR team can conduct cross-training.
D. Accept. It’s a regular practice of job rotation.


What is a Domain Model in Domain-Driven Design (DDD)?


Domain Model

I would define a domain as a collection of entities. A domain model is a structural representation of entities and the relationship among them to describe a problem or solution.


An entity is anything in real life that has a unique identity to distinguish from one another. It comprises a set of attributes to describe its characteristics and operations to achieve one or more stated purposes.


Common relationships between entities are containment, aggregation, inheritance, implementation, and use or invocation.

Buffer Overflow

Please don't dive into the technical details too much. CISSP is a management exam that requires a solid conceptual understanding of technical topics. Just focus on:

  • what is a buffer, and overflow?
  • what is a heap, and stack?
  • watch or experience how attackers inject the machine code into the input values.
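To put the three bullets above into concrete form, here is an added example in C (not code from the original post): a fixed-size buffer on the stack, the unchecked copy that overruns it when the input is longer than the buffer, and the length-checked version that rejects such input before any byte is written. The function names, the 16-byte buffer size and the sample inputs are all constructed for illustration.

```c
/* Added example (not from the original post): a fixed-size stack buffer,
 * the unchecked copy that overruns it, and the length-checked version. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* holds at most 15 characters plus the NUL terminator */

/* Vulnerable pattern: copies whatever the caller supplies, however long.
 * If strlen(input) >= NAME_LEN the copy writes past the end of name[] and
 * corrupts whatever the compiler placed next to it on the stack (other
 * locals, the saved frame pointer, the return address). Shown for contrast
 * only; it is never called with oversized input here because that is
 * undefined behaviour. */
void greet_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no bound: the overflow happens here */
    printf("Hello, %s\n", name);
}

/* Hardened pattern: measure the input against the buffer before copying and
 * reject anything that does not fit. Returns 0 on success, -1 on rejection. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return -1;                  /* no room for the terminator: reject, do not truncate silently */
    }
    memcpy(dst, src, len + 1);      /* len + 1 copies the NUL as well */
    return 0;
}

/* Same greeting as above, but the copy is bounds-checked. */
int greet_checked(const char *input) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "input rejected: %zu bytes exceeds the %d-byte buffer\n",
                strlen(input), NAME_LEN - 1);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

int main(void) {
    /* Constructed inputs: one that fits and one that is far too long. The
     * long one stands in for the attacker-controlled input value the post
     * refers to. */
    const char *short_input = "Nawwar";
    char long_input[64];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    greet_unchecked(short_input);   /* safe only because this input is short */
    greet_checked(short_input);     /* accepted */
    greet_checked(long_input);      /* rejected before any byte is written */
    return 0;
}
```

The point to take from the checked version is that the decision is made on the length of the input against `sizeof name` before the copy, and an oversized input is refused rather than silently cut short; the heap variant of the same bug looks identical except that `name` would come from `malloc` instead of living in the stack frame.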



Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The testing team was conducting dynamic application security testing (DAST) and activated the Calculator app, one of the Windows accessories, on one of the web servers through an input field in an HTML form. This test demonstrated a successful attempt of intrusion. Which of the following is least feasible to prevent the attack?
A. Apply limit of the input length.
B. Enable Data Execution Prevention (DEP)
C. Enable Address Space Layout Randomization (ASLR)
D. Conduct Time-of-check to time-of-use (TOC/TOU) check



Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The project team is evaluating secure information system development processes to follow. Which of the following is least applicable to the system engineering for this project?
A. System Security Engineering Capability Maturity Model (SSE-CMM).
B. INCOSE Systems Engineering Handbook
C. NIST SP 800-160 (Systems Security Engineering)
D. ISO/IEC/IEEE 15288 (Systems and software engineering — System life cycle processes)



Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. SSL/TLS protects communication between browsers and web server farms. The performance tester observed that the CPU utilization of the web servers stayed as high as 100%, and some connections would time out. However, the web server farms work fine under HTTP connections. Moreover, the web servers are I/O bound in nature; they mostly accept file requests and dispatch transactions to the application server clusters. Which of the following is most feasible to address the time-outs and improve availability?
A. Increase the bandwidth, e.g., from T1 to T3.
B. Add more RAM/memory to improve system performance
C. Implement hardware security modules to offload processing
D. Upgrade to faster CPUs on each web server to speed up the processing


Hardware Security Module


Hardware security module

The functions of an HSM are:

  • onboard secure cryptographic key generation
  • onboard secure cryptographic key storage, at least for the top level and most sensitive keys, which are often called master keys
  • key management
  • use of cryptographic and sensitive data material, for example, performing encryption or digital signature functions
  • offloading application servers for complete asymmetric and symmetric cryptography.


In PKI environments, the HSMs may be used by certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle asymmetric key pairs.


Performance-critical applications that have to use HTTPS (SSL/TLS) can benefit from the use of an SSL Acceleration HSM by moving the RSA operations, which typically require several large integer multiplications, from the host CPU to the HSM device.

Bank HSMs

HSMs support both general-purpose functions and specialized functions required to process transactions and comply with industry standards.

Source: Hardware security module


InfoSec and Privacy ISO Standards


ISO/IEC 27701:2019

  • Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
  • Publication date: 2019-08

Thanks go to Richard Nealon for reminding me that ISO/IEC 27701:2019 was published in August to replace the draft, ISO 27552.

How Does ISO Work?

  • Stage 0 (preliminary stage): A study period is underway.
  • Stage 1 (proposal stage): An NP (New Project) is under consideration.
  • Stage 2 (preparatory stage): A WD (Working Draft) is under consideration.
  • Stage 3 (committee stage): A CD/DIS (Committee Draft/Draft International Standard) is under consideration.
  • Stage 4 (approval stage): An FDIS (Final Draft International Standard) is under consideration.
  • Stage 5 (publication stage): An IS (International Standard) is being prepared for publication.