System Security Engineering

  • System Security Engineering, or Security Engineering, is the process of applying knowledge to build systems from inception to retirement, that is, throughout the whole life cycle, while considering security at every stage.
  • Here, “systems” means information systems.
    • An information system is built on an architecture that is designed according to sound principles.
    • An information system comprises a variety of components that can be built in-house or bought from vendors.

(Figure: NIST SDLC)

(Figure: Information System)

Information Security

What Is Information Security?

The Onion diagram is updated to emphasize that Information Security is a business issue. Security people should protect assets while always keeping the business in mind, that is, enabling the business and delivering value. Tunnel vision and functional boundaries between security and the business should be broken down and removed.

Information Security is a discipline to protect information and information systems from threats through security controls to:

  1. achieve the objectives of confidentiality, integrity, and availability, or CIA for short,
  2. support the organizational mission and processes, and
  3. create and deliver values.

The definition of Information Security is revised because Information Security is a business issue: it should be aligned with the business mission, goals, and strategies, enable and streamline business processes, and ultimately create and deliver value.

(Figure: The Peacock as a Metaphor for Information System)
(Figure: Wentz’s Information Risk Model)

Case Study – AmyPro Consultant

(Figure: AmyPro Networks)

  • AmyPro Consultant is headquartered in Taipei with a branch in New York, US.
  • An offshore software partner in Bengaluru, India develops and maintains the proprietary CRM system.
  • Staff work on-site in Taipei, on the road, and from home.
  • How do you implement and support the secure network?

Intonation Patterns

  • Different Patterns of Intonation
    • Rising: sentence not finished
    • Falling: end of a sentence
    • Rising-falling
    • Falling-rising
    • Flat
    • High
    • Low
  • New Information vs. Old Information
    • Rising: old information
    • Falling: new information
  • Intonation in Questions
    • Rising: you think you know the answer
    • Falling: you already have some idea of the answer but don’t know it for sure. You just ask to check or confirm that your idea is right.
  • More Ways to Use Intonation in Questions
    • Rising: criticizing someone
    • Falling: make a comment
    • Rising (indirect, hesitant) / Falling (direct, confident): make a suggestion
    • Surprise, Doubt, Excitement, Sarcasm, and Annoyance
  • Practice Sentences
    • Do you need some help?

Identity and Access Management

(Figure: Identity and Access Management)

  • Identity
    • An identity is the unique identifier of an entity.
    • An entity is anything that exists or comes into being.
  • Identification
    • Identification is the process by which a subject claims or presents its identity to the authentication server.
  • Authentication
    • Authentication is the process by which the authentication server verifies whether the identity presented by the subject is authentic, by checking it against the directory or account repository.
    • An access token is returned if the authentication succeeds.
  • Authorization
    • Authorization is the process by which the service or resource provider determines whether the access request can be granted to the subject, based on the access token presented and the access control matrix.
  • Accounting
    • Accounting is the process by which the service or resource provider generates records or logs of the subject’s activities so that accountability can be enforced.
  • Session
    • A session is a two-way communication during a period of time with specific start and closure time.
    • It’s common for applications to track user activities during the session from logging in to logging out.
  • Get Started on Your CISSP Journey!
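The identification, authentication, authorization, and accounting steps above, traced end to end in a small Python model. This is an added example, not code from the original page: the directory, the access control matrix, the shared signing key, and the `identify_and_authenticate` / `authorize` functions are all constructed here for illustration, and the accounting log doubles as the record of the subject’s activities from login onward.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (not from the page): one account in the directory and
# a minimal access control matrix keyed by (subject, resource) -> allowed actions.
_SALT = b"constructed-demo-salt"        # a real directory stores a per-user salt

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

DIRECTORY = {"alice": _hash_password("correct horse battery")}
ACCESS_CONTROL_MATRIX = {("alice", "crm"): {"read"}, ("alice", "payroll"): set()}
SERVER_KEY = secrets.token_bytes(32)    # assumed shared by auth server and resource provider
ACCOUNTING_LOG = []                     # accounting: every decision is recorded against the subject

def identify_and_authenticate(identity: str, password: str):
    """Identification: the subject presents its identity and credential.
    Authentication: the server verifies them against the directory and, on
    success, returns a signed access token; on failure it returns None."""
    stored = DIRECTORY.get(identity)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
        ACCOUNTING_LOG.append(("auth_failed", identity))
        return None
    payload = f"{identity}|{int(time.time())}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    ACCOUNTING_LOG.append(("auth_ok", identity))
    return f"{payload}|{tag}"

def authorize(token, resource: str, action: str, max_age: int = 3600) -> bool:
    """Authorization: the resource provider checks that the token is authentic
    and unexpired, then looks the request up in the access control matrix."""
    try:
        identity, issued, tag = token.split("|")
        expected = hmac.new(SERVER_KEY, f"{identity}|{issued}".encode(), hashlib.sha256).hexdigest()
        fresh = time.time() - int(issued) <= max_age
    except (AttributeError, ValueError):
        return False                    # missing or malformed token
    if not hmac.compare_digest(tag.encode(), expected.encode()) or not fresh:
        ACCOUNTING_LOG.append(("bad_token", identity))
        return False                    # forged, tampered, or stale token
    granted = action in ACCESS_CONTROL_MATRIX.get((identity, resource), set())
    ACCOUNTING_LOG.append(("access", identity, resource, action, granted))
    return granted
```

Note that a token whose identity field is altered fails the HMAC check, so the resource provider never consults the matrix for a subject the authentication server did not vouch for.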

CISSP = The Onion + The Peacock

(Figure: The Onion and The Peacock)

  • CISSP (Certified Information Systems Security Professional) is the ISC2 certification for security professionals working with information systems.
  • The Onion and The Peacock as metaphors are the foundational concepts for CISSP aspirants to prepare for the CISSP exam.
    • The Onion is a metaphor and concept model for protecting assets (information systems) from threats through security controls, in order to achieve the objectives of confidentiality, integrity, and availability (CIA), support the organizational mission and processes, and deliver business value. (The triangle stands for the organization.)
    • The Peacock is a metaphor as a concept model to demonstrate the information system components, the target we are protecting.
  • The Amicliens InfoSec Conceptual Model is developed by Wentz Wu, co-founder of Amicliens, based on The Onion and The Peacock that integrates the CISSP and CISM knowledge areas seamlessly.
  • To start your CISSP journey, please visit the CISSP page.
    (https://wentzwu.com/cissp)
  • To know more about the author, Wentz Wu, please visit the About Me page.
    (https://wentzwu.com/about)

CISSP Domains

(Figure: CISSP Domains)

The CISSP domains can be divided into two parts: a management part and a technical part. The management part comprises domains 1, 2, 5, 6, and 7 and focuses on concepts, principles, processes, and practices, while the technical part, domains 3, 4, and 8, emphasizes engineering topics such as foundational technical and security knowledge, architecture, the system life cycle, and specific types of systems.

I suggest CISSP aspirants study the management part first and in sequence, then move on to the technical part. Both parts are equally important for you to pass the CISSP exam.