Last Call for Promotion! The Effective CISSP: SRM

The Effective CISSP: Security and Risk Management

Hi everyone,

Last call for the promotion of my book.
The clock is ticking: Day 3 of 3!

This book is nominally on Domain 1 only. The truth is, it weaves the core management concepts across the CISSP exam!

The Kindle version is now 50% off for US$4.99. 👍🎉
I hope you enjoy it! Please don’t hesitate to comment on my book on Amazon. Thank you for your attention!🙏😀

Amazon Reviews

J. Stapp

Mr Wu is going to help you pass your exam and understand the content!

This book should be part of your study plan for the CISSP. I recommend reading it before you begin with other texts on the subject. Mr. Wu is an expert in the field and is able to explain difficult concepts in a concise and easy to understand way.

Background on me: I hold the CISSP as well as other certifications in IT and management.

NING, EN-WEI

Excellent and effective CISSP

Wentz Wu is a very good scholar; the leader has the correct security concept and maintains a high degree of enthusiasm and optimism. Purchasing Wentz Wu’s book is exactly the right way to get you to the security CISSP.

Amazon Customer

Highly recommended for every information security consultant !

Highly recommended for every information security consultant, especially if you are planning to pass the CISSP exam.
Excellent book that explains in detail all the security concepts.
My rate – 5 of 5 stars.

pascual del rosario

Superb book

There’s no better way to name this book other than “The Effective CISSP”. The author has a great outline of objectives for those looking to obtain the CISSP certification. It is spelled out that the official ISC2 book should still be your main resource for studying for this exam. This book highlights all of the main objectives for the exam and really gives you a high level (managerial) way of thinking, which is what’s ultimately needed for this exam. I strongly encourage anyone studying to read this book during and right before taking this exam.

jamie garcia

Worth The Wait!

I was so happy to hear Mr. Wu talk about this book he was writing and coming out soon. I waited for months for this book and I knew it would be worth the wait. It definitely is worth it and I’m so glad it’s now available during my CISSP studies!

Mohammad Usman

Excellent write up and highly recommended

The book is an excellent write-up by the author. It goes into great detail explaining the core concepts of risk management processes, which is one of the challenging domains of the CISSP exam. I highly recommend this book if you are weak in this domain.

Brad E.

A MUST-HAVE FOR THOSE THAT WANT TO PASS CISSP!!!!!!

Ohhhhhhh I wish I had this book when I was preparing for the CISSP exam last year!!! I bought my copy the day after it came out and the book instantly became a cherished favorite of mine!! Wentz knows how to write a well-polished, captivating showpiece. This is not your ordinary book that you read once and then put back on the shelf. This is something that you should treasure and keep as a prized collection!! As somebody who has taken the exam before, I can say that one of the CISSP exam’s MAIN focuses is on the roles and responsibilities of risk management. So it’s no wonder why I’m stressing that everybody should get this book!! You will see various security models, straightforward breakdowns of CISSP concepts and vocabulary terms, review questions, well-written references for ISO/NIST standards, and MUCH MUCH MORE!!! Trust me, you will definitely love this book and won’t be disappointed in adding it to your CISSP study materials!! Put this as a priority!!!

P.S.: The image is a photo of The Effective CISSP book that I bought for my Amazon Kindle Fire.

Amazon Reviews, India

Sagar Bansal

Deep Dive Knowledge

I think Wentz has done a marvelous work with this book.

It’s not a CISSP cheatsheet like passing material.

I think this book is for serious people who actually want to study the subject in deep and want to gain expertise.

There are tons of mind maps and charts in the book which made reading and remembering stuff easier.

In short, highly recommended.

Basant Kumar Sharma

It’s a good collection on multiple aspects

It has good and understandable content; it may help to gain more knowledge on Domain 1 in CISSP, and I hope it may help to gain more knowledge on R&A.

CISSP PRACTICE QUESTIONS – 20200525

Effective CISSP Questions

Your company decides to sell toys online worldwide, which will be supported by a three-tiered web-based E-Commerce system developed in-house. The web servers for the production environment have been implemented but not baselined and approved by the management. After the stress testing, the system engineer proposes that the memory size of the database server should be expanded to 64GB to meet the performance target. If the memory modules needed are available, which of the following should the system engineer do first?
A. Install the memory modules and conduct another run of stress testing
B. Submit a request for configuration change
C. Justify the change to the change control board (CCB)
D. Document security implications in the change request


System Security Mode of Operation

Information systems are certified and accredited by the authorizing official to operate under the approved security mode of operation, which determines the baseline controls. There are four security modes:

System Security Mode of Operation

Classification Levels and Categories

In the environment of mandatory access control (MAC), data can be classified into different hierarchical levels (Confidential, Secret, and Top Secret) and non-hierarchical categories in terms of sensitivity.

What is Formal Access Approval?

  • Users must have the clearance/authorization and need-to-know (per official duties) to get access to a certain level of classified data.
  • However, they must have formal access approval to access the categorized (compartmented) data.
  • A category is “a grouping of classified or sensitive (but) unclassified information to which an additional restrictive label is applied for signifying that personnel are granted access to the information only if they have formal access approval or other applicable authorization (e.g., proprietary information, for official use only, compartmented information).” (DODD 5200.28, March 21, 1988)
  • Sensitive compartmented information (SCI), special access program (SAP) information, or other compartment information is a special category.
Classification Scheme

Sensitive But Unclassified (SBU)

Sensitive But Unclassified (SBU) is a designation of information in the United States federal government that, though unclassified, often requires strict controls over its distribution. SBU is a broad category of information that includes material covered by such designations as:

  • For Official Use Only (FOUO),
  • Law Enforcement Sensitive (LES),
  • Sensitive Homeland Security Information,
  • Sensitive Security Information (SSI),
  • Critical Infrastructure Information (CII), etc.

It also includes Internal Revenue Service materials like individual tax records, systems information, and enforcement procedures. Some categories of SBU information have authority in statute or regulation (e.g. SSI, CII) while others, including FOUO, do not.

Source: Wikipedia

Sensitive Compartmented Information (SCI)

Sensitive compartmented information (SCI) is a type of United States classified information concerning or derived from sensitive intelligence sources, methods, or analytical processes. All SCI must be handled within formal access control systems established by the Director of National Intelligence.

SCI is not a classification. SCI clearance has sometimes been called “above Top Secret,” but information at any classification level may exist within an SCI control system. When “decompartmentalized,” this information is treated the same as collateral information at the same classification level.

Source: Wikipedia

Special Access Programs (SAPs)

Special Access Programs (SAPs) in the U.S. Federal Government are security protocols that provide highly classified information with safeguards and access restrictions that exceed those for regular (collateral) classified information. SAPs can range from black projects to routine but especially sensitive operations, such as COMSEC maintenance or Presidential transportation support. In addition to collateral controls, a SAP may impose more stringent investigative or adjudicative requirements, specialized nondisclosure agreements, special terminology or markings, exclusion from standard contract investigations (carve-outs), and centralized billet systems. Within the Department of Defense, SAP is better known as “SAR” because of the mandatory Special Access Required (SAR) markings.

Source: Wikipedia


Network 101: A Perspective from the ISO OSI Model

AmyProNetworks

Physical Layer

Networks are nodes connected to share resources and are made of physical devices, media, connectors, signals, and so forth.

Data Link Layer

A link is a connection between two adjacent nodes. Point-to-point or P2P refers to the link. The Data Link layer describes the data transmission between any two nodes on a network that are connected as a link logically. The transmission over the physical media is mediated through contention (CSMA/CD), queueing (token passing, e.g., Token Ring), or polling. In brief, the data link layer deals with logical link control and media access control.

Network Layer

A path, or route, is the connection between two end nodes across a series of connected links. End-to-end refers to a path that connects two endpoints. Routing is the decision of path selection. A router is a node making routing decisions. Nodes and networks are uniquely identified and path selection decisions are made by routers to support transmission or transportation. The Network layer deals with addressing and routing. IPv4 uniquely identifies nodes and networks with a 32-bit address delimited by a subnet mask.

Transport Layer

Transport between two end nodes can fail because of network dynamics. Depending on the needs of applications and users, control mechanisms may optionally be applied to ensure the reliability of data transmission. TCP provides reliable transport, while UDP is unreliable (best-effort). Both of them provide services for software applications to connect to each other through so-called “ports.” TCP port 80 is a well-known port number reserved for applications that provide HTTP services, e.g., a web server.

Session Layer

Applications are, in fact, agents of users. It is the users that communicate with each other through software applications. A session is a dialog between users who use applications as agents to communicate.

Presentation Layer

User messages shall be encoded, formatted, recorded, expressed, and transmitted consistently. In other words, they shall be presented in a form readable to all machines. They may or may not be compressed for performance or encrypted for security.

Application Layer

Applications solve problems and create value for people. They should be friendly and meaningful to users. The style of windows, scroll bars, and buttons are de facto protocols for the graphical user interface. SMTP commands, such as HELO, MAIL FROM, RCPT TO, DATA, etc., can be viewed as a command-line interface (CLI). HTML and XML impose semantics and rules on data that are readable to humans.

CISSP PRACTICE QUESTIONS – 20200523

Effective CISSP Questions

Your company decides to implement remote conferencing and wireless screencasting in all the meeting rooms for efficiency and convenience. The wireless display transmitter and receiver, as a pair, work in the ad-hoc mode. Connections to Ethernet ports shall be authenticated through 802.1X. As a security professional, which of the following is the least concern?
A. Session-bombing
B. Ciphertext-only attack
C. Social engineering
D. Wiretapping


CISSP PRACTICE QUESTIONS – 20200522

Effective CISSP Questions

Your company sells toys online worldwide, which is supported by a three-tiered web-based E-Commerce system. To prevent CSRF (Cross-site request forgery) attacks, which of the following is the most effective control?
A. Conduct awareness training
B. Submit transactions that change states through HTTP POST only
C. Append the hash value of transaction parameters to the query string
D. Put an authentication token in a hidden input in HTML forms in an obscure way


Multilevel Database

TCB Access Control

Multilevel Security

Multilevel security is a security policy that allows you to classify objects and users based on a system of hierarchical security levels and a system of non-hierarchical security categories.

Multilevel security provides the capability to prevent unauthorized users from accessing information at a higher classification than their authorization, and prevents users from declassifying information.

Multilevel security offers the following advantages:

  • Multilevel security enforcement is mandatory and automatic.
  • Multilevel security can use methods that are difficult to express through traditional SQL views or queries.
  • Multilevel security does not rely on special views or database variables to provide row-level security control.
  • Multilevel security controls are consistent and integrated across the system, so that you can avoid defining users and authorizations more than once.
  • Multilevel security does not allow users to declassify information.

Source: IBM

What is a multilevel database?

Here is a link to pages that describe multilevel databases from Security in Computing by Shari Lawrence Pfleeger at Google Books.

Briefly, a multilevel database provides granular security for data depending on the sensitivity of the data field and clearance of the user for both writing and reading data.

Source: serverfault

Multi-level security in database management systems

Multi-level secure database management system (MLS-DBMS) security requirements are defined in terms of the view of the database presented to users with different authorizations.

These security requirements are intended to be consistent with DoD secure computing system requirements. An informal security policy for a multi-level secure database management system is outlined, and mechanisms are introduced that support the policy.

Security constraints are the mechanism for defining classification rules, and query modification is the mechanism for implementing the classification policy. These mechanisms ensure that responses to users’ queries can be assigned classifications which will make them observable to the querying users.

Source: ScienceDirect

Multilevel Database

The first formulation of multilevel mandatory policies and the Bell-LaPadula model simply assumed the existence of objects (information containers) to which a classification is assigned. This assumption works well in the operating system context, where objects to be protected are essentially files containing the data. Later studies investigated the extension of mandatory policies to database systems. While in operating systems security classes are assigned to files, database systems can afford a finer-grained classification. Classification can in fact be considered at the level of relations (equivalent to file-level classification in OS), at the level of columns (different properties can have a different classification), at the level of rows (properties referred to…

Source: Springer Link

MAC Security Issues

  • Inference: Derivation of new information from known information. The inference problem refers to the fact that the derived information may be classified at a level for which the user is not cleared. The inference problem is that of users deducing unauthorized information from the legitimate information they acquire.
  • Aggregation: The result of assembling or combining distinct units of data when handling sensitive information. Aggregation of data at one sensitivity level may result in the total data being designated at a higher sensitivity level.
  • Polyinstantiation: Polyinstantiation allows a relation to contain multiple rows with the same primary key; the multiple instances are distinguished by their security levels.
  • Referential integrity: A database has referential integrity if all foreign keys reference existing primary keys.
  • Entity integrity: A tuple in a relation cannot have a null value for any of the primary key attributes.
  • Granularity: The degree to which access to objects can be restricted. Granularity can be applied to both the actions allowable on objects, as well as to the users allowed to perform those actions on the object.

Source: NIST SP 800-8 (obsoleted)
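As an added illustration (not from the book or from the sources quoted above), the following Python models the lattice of hierarchical levels and non-hierarchical categories from the classification section and the polyinstantiation item in the MAC list: dominance requires both a sufficient level and formal access approval to every category, the Bell-LaPadula read and write rules follow from it, and a polyinstantiated relation shows each user only the rows their clearance dominates. The ship rows and the “CRYPTO” category are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical levels from the classification section (Unclassified added as the floor).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """One hierarchical level plus a set of non-hierarchical categories (compartments)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Level must be at least as high AND every category of `other` must be held:
        # the category test is the formal access approval the text describes.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): clearance must dominate the object label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object label must dominate the clearance."""
    return obj.dominates(subject)


# Polyinstantiated relation: the same primary key ("ship") appears once per security
# level, so lower-cleared users see a cover story instead of learning a row is hidden.
# Constructed sample data; "CRYPTO" is a made-up category.
ROWS = [
    ("Enterprise", Label("Unclassified"), "Exercise"),
    ("Enterprise", Label("Secret", frozenset({"CRYPTO"})), "Covert op"),
    ("Voyager", Label("Confidential"), "Patrol"),
]


def view_for(subject: Label) -> dict:
    """The relation as one subject sees it: per key, the most sensitive row it dominates."""
    visible = {}
    for key, label, mission in ROWS:
        if can_read(subject, label):
            prev = visible.get(key)
            if prev is None or label.dominates(prev[0]):
                visible[key] = (label, mission)
    return {key: mission for key, (_, mission) in visible.items()}
```

A Secret-cleared user without the CRYPTO approval sees the same Enterprise row as an Unclassified user, which is the point of polyinstantiation: the existence of the Secret row is not inferable from the query result.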
