Lucifer


In cryptography, Lucifer was a direct precursor to the Data Encryption Standard (DES). IBM submitted the Feistel-network version of Lucifer as a candidate for the Data Encryption Standard.

The name “Lucifer” was apparently a pun on “Demon”, itself a truncation of “Demonstration”, the name of a privacy system Feistel was working on.
It’s also an interesting television series on Netflix.

Old English, from Latin, ‘light-bringing, morning star’, from lux, luc- ‘light’ + -fer ‘bearing’. Lucifer (sense 1) is by association with the ‘son of the morning’ (Isa. 14:12), believed by Christian interpreters to be a reference to Satan. (Google Dictionary)

Code Signing

Microsoft ActiveX components are a common but legacy example of mobile code. As a developer, it is good practice to sign your release with a code signing certificate so that end users can identify the software publisher and detect whether the binary has been altered since it was signed. The code signing certificate is issued under a PKI, a trust hierarchy: the user's platform trusts a root CA, the root (directly or through intermediates) vouches for the publisher's certificate, and the publisher's private key signs the release. Keep in mind what a valid signature does and does not prove: it establishes origin and integrity, not that the code is free of vulnerabilities or malice. The signing key therefore needs the same protection as any other credential of the company (ideally a hardware token or HSM), because a stolen key lets an attacker sign malware under your name.
 
Attached picture is the screenshot of code signing certificate configuration in Visual Studio 2017.
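The following is an added example, not code from the original post or from Visual Studio, that shows the three roles in the trust hierarchy described above: a CA that issues a (toy) publisher certificate, a publisher that signs a release, and an end user's loader that trusts only the CA's public key. Ed25519 stands in for the RSA/ECDSA keys and the X.509 chain of a real Authenticode signature; the publisher name, the release bytes and the key pairs are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Cert is a toy publisher certificate: the CA binds a publisher name to a
// public key by signing both. Real code signing certificates are X.509 and
// usually chain through intermediates; the checks below are the same in spirit.
type Cert struct {
	Publisher string
	PubKey    ed25519.PublicKey
	CASig     []byte
}

// GenKey wraps key generation so callers do not need crypto/rand themselves.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// certTBS is the "to be signed" blob. The name is length-prefixed so that two
// different (name, key) pairs can never serialize to the same bytes.
func certTBS(publisher string, pub ed25519.PublicKey) []byte {
	b := make([]byte, 4, 4+len(publisher)+len(pub))
	binary.BigEndian.PutUint32(b, uint32(len(publisher)))
	b = append(b, publisher...)
	return append(b, pub...)
}

// IssueCert is the CA's job: vouch that pub belongs to publisher.
func IssueCert(caPriv ed25519.PrivateKey, publisher string, pub ed25519.PublicKey) Cert {
	return Cert{Publisher: publisher, PubKey: pub, CASig: ed25519.Sign(caPriv, certTBS(publisher, pub))}
}

// SignRelease is the publisher's build step: sign the SHA-256 digest of the
// release with the publisher's private key.
func SignRelease(priv ed25519.PrivateKey, release []byte) []byte {
	h := sha256.Sum256(release)
	return ed25519.Sign(priv, h[:])
}

// VerifyRelease is what the end user's loader does. It trusts only caPub,
// checks that the publisher certificate was issued by that CA, and only then
// checks the release signature. On success it returns the publisher name the
// user may rely on.
func VerifyRelease(caPub ed25519.PublicKey, c Cert, release, sig []byte) (string, error) {
	if !ed25519.Verify(caPub, certTBS(c.Publisher, c.PubKey), c.CASig) {
		return "", errors.New("publisher certificate was not issued by the trusted CA")
	}
	h := sha256.Sum256(release)
	if !ed25519.Verify(c.PubKey, h[:], sig) {
		return "", errors.New("release signature invalid: tampered bytes or wrong publisher key")
	}
	return c.Publisher, nil
}

func main() {
	caPub, caPriv := GenKey()   // root of trust, pre-installed on the user's machine
	pubPub, pubPriv := GenKey() // the software publisher's key pair
	cert := IssueCert(caPriv, "Example Software Ltd", pubPub)

	release := []byte("MZ\x90\x00 constructed release bytes, not a real binary")
	sig := SignRelease(pubPriv, release)

	if name, err := VerifyRelease(caPub, cert, release, sig); err == nil {
		fmt.Println("verified, publisher:", name)
	}

	tampered := append([]byte(nil), release...)
	tampered[10] ^= 0x01 // flip one bit after signing
	_, err := VerifyRelease(caPub, cert, tampered, sig)
	fmt.Println("tampered release:", err)

	// An attacker who sets up their own "CA" still fails: the user trusts caPub,
	// not whichever key happened to sign the certificate.
	_, rogueCAPriv := GenKey()
	roguePub, roguePriv := GenKey()
	rogueCert := IssueCert(rogueCAPriv, "Example Software Ltd", roguePub)
	_, err = VerifyRelease(caPub, rogueCert, release, SignRelease(roguePriv, release))
	fmt.Println("rogue certificate:", err)
}
```

The order of the two checks matters: the release signature is only meaningful once the key that made it has been tied to a publisher by an issuer the user already trusts, which is exactly what the Visual Studio signing step relies on the Windows certificate store for.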

 

CISSP Study Strategy


  1. Position the CISSP as a π-shaped exam (technical and managerial)
    The CISSP requires deep technical and managerial knowledge and experience. It is comprehensive, and CISSP aspirants have to think from a variety of perspectives, such as board director, senior management, CISO, auditor, law school student, procurement staff, engineer, developer, project/program manager, end user, attacker, and so forth.
  2. Stick to the CISSP Exam Outline
    Build a conceptual-level understanding of the Common Body of Knowledge (CBK) as presented in the CISSP Exam Outline. Understand every single term in the CISSP Exam Outline and explain it to, or teach it to, your friends until you feel confident. For example, how do you define “security”, “risk”, and “management” in the title of Domain 1?
  3. Do at least 2500 practice questions to verify your knowledge
    Reading alone is not enough. Read and do questions iteratively to build and train your body of knowledge incrementally.
  4. Polish your test-taking skills
    The CISSP exam is an exam after all; you have to cultivate test-taking skills deliberately, because the real exam questions are deliberately “designed”.
  5. Study actively every day
    Keep studying every day to develop long-term memory. Follow Dale’s “Cone of Experience” to learn effectively.
  6. Commit to succeeding in 3 months, and no more than 6
    Passing the CISSP exam is a project with a specific scope, schedule, and budget. You have to communicate well with your stakeholders to ensure your success: your family, boss, ISC2, mentors, peers, study groups, or online communities.

The CISSP Starter Page

Agile is what without Scrum, XP, Kanban, etc.


Agile is a mindset, a collection of values, principles, and practices. The values and principles are explicitly expressed in a statement or so-called manifesto. Common practices are Scrum, XP, Kanban, and the like.

Implementing Agile practices is not sufficient to realize the values, let alone doing it without defining or clarifying the values.

Agile is not a concept based on intuition or implementation of Scrum, XP, or Kanban; it starts with a thoughtful and written statement of values. It implies that the problem in question has been considered and the values and principles are developed. Agile practices are the means to solve the problem based on the principles to deliver the values.

Start your Agile journey with an Agile manifesto, whether you develop your own or adopt a generally accepted one, say, the Manifesto for Agile Software Development.


Agile is what is left without Scrum, XP, Kanban, etc. (translated from the author's Chinese version)

Agile is a way of thinking, a collection of values, principles, and practices. The values and principles can be stated explicitly in a declaration, or so-called manifesto. Common practices are Scrum, XP, Kanban, and the like.

Implementing Agile practices is not sufficient to realize the values, let alone doing so without defining or clarifying the Agile values.

Agile is not a notion based on feel alone, nor does simply implementing Scrum, XP, or Kanban make something Agile; it starts with a carefully considered, written statement of values. This implies that the problem to be solved with Agile has been considered and that the values and principles have been formulated. Agile practices are the means of solving the problem; they must be grounded in the (Agile) principles in order to realize the values.

Whether you develop your own or adopt an existing, generally accepted Agile manifesto, you can begin your Agile journey with one; for example, the Manifesto for Agile Software Development.

Agile for Cybersecurity! To Be or Not To Be?


The traditional concepts of continuous monitoring and continuous audit cover the concerns of security automation dressed up in agile terminology.

Oftentimes people think of implementing tools with Agile branding, or simply getting faster, as agile, while others consider it to be about business agility. I do think the original idea of Agile is about how people work together (as a self-organizing, cross-functional team) to cope with change and to deliver value (iteratively and incrementally).

Before we start our Agile journey, we had better define our problem statement and define what the values behind the Agile umbrella are.

If I wanted to incorporate agile elements, I would prepare or mimic an agile manifesto first. The following is an example of an Agile Manifesto for Cybersecurity from my perspective:
– People and culture over processes and tools
– Business value over comprehensive documentation
– Opportunities over Threats
– Proactive prevention over reactive response

How do we deal with InfoSec governance, risk management, compliance, and security operations based on the proposed Agile Manifesto for Cybersecurity? That is a good question to start with.

Finally, incorporating agile elements into the cybersecurity setting is a great idea, but the idea of agile should be defined, or at least clarified, before we go.

Practice Question – RMF


You are developing the Transportation Management System (TMS) that handles the information types of Ground Transportation and Air Transportation.

  1. Determine the security category of the TMS per FIPS 199 and NIST SP 800-60 in the following format:
    e.g., SC TMS = {(confidentiality, impact), (integrity, impact), (availability, impact)}.
  2. Select the baseline security controls according to FIPS 200 and NIST SP 800-53 R4. (Selection)
  3. Tailor the baseline security controls, applying scoping considerations and compensating controls where needed, and justify your decisions. (Tailoring)
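As an added example (not part of the original question or its answer), the program below works the first two steps and the bookkeeping of the third in code: the FIPS 199 high-water mark per security objective across the system's information types, the FIPS 200 rule that the highest objective picks the SP 800-53 baseline, and a tailoring record that refuses any removal without a written justification. The provisional impact levels for Ground Transportation and Air Transportation are assumed for illustration only (look them up in SP 800-60 Vol. II), and the baseline shown is a constructed subset of the Moderate baseline, not the full control list.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Impact is a FIPS 199 potential impact level.
type Impact int

const (
	NotApplicable Impact = iota // allowed only for confidentiality of public information
	Low
	Moderate
	High
)

func (i Impact) String() string {
	return [...]string{"N/A", "Low", "Moderate", "High"}[i]
}

// SC is a security category: one impact level per security objective.
type SC struct{ C, I, A Impact }

// String prints the FIPS 199 notation used in the question.
func (sc SC) String() string {
	return fmt.Sprintf("{(confidentiality, %s), (integrity, %s), (availability, %s)}", sc.C, sc.I, sc.A)
}

func higher(a, b Impact) Impact {
	if a > b {
		return a
	}
	return b
}

// Categorize applies the high-water mark per objective across every
// information type the system handles (FIPS 199; SP 800-60 Vol. I).
func Categorize(infoTypes map[string]SC) SC {
	var sys SC
	for _, t := range infoTypes {
		sys.C, sys.I, sys.A = higher(sys.C, t.C), higher(sys.I, t.I), higher(sys.A, t.A)
	}
	return sys
}

// SystemImpact is the FIPS 200 rule: the overall impact level, which selects
// the SP 800-53 Low/Moderate/High baseline, is the highest of the three objectives.
func SystemImpact(sc SC) Impact {
	return higher(sc.C, higher(sc.I, sc.A))
}

// Decision records one tailoring action. Every change must carry a written
// justification, which is what an assessor (or a grader) will ask for.
type Decision struct {
	Control       string
	Remove        bool // false = add, e.g. a compensating control
	Justification string
}

// Tailor returns the sorted, tailored control set, or an error if a decision
// has no justification.
func Tailor(baseline []string, decisions []Decision) ([]string, error) {
	set := map[string]bool{}
	for _, c := range baseline {
		set[c] = true
	}
	for _, d := range decisions {
		if d.Justification == "" {
			return nil, errors.New("tailoring " + d.Control + " without justification")
		}
		if d.Remove {
			delete(set, d.Control)
		} else {
			set[d.Control] = true
		}
	}
	out := make([]string, 0, len(set))
	for c := range set {
		out = append(out, c)
	}
	sort.Strings(out)
	return out, nil
}

// TMSInfoTypes holds ASSUMED provisional impact levels for the two information
// types in the question; verify them against SP 800-60 Vol. II before answering.
var TMSInfoTypes = map[string]SC{
	"Ground Transportation": {Low, Low, Low},
	"Air Transportation":    {Low, Moderate, Moderate},
}

func main() {
	sc := Categorize(TMSInfoTypes)
	fmt.Println("SC TMS =", sc, "-> baseline:", SystemImpact(sc))

	// Constructed subset of the Moderate baseline, not the full SP 800-53 list.
	baseline := []string{"AC-2", "AC-17", "AU-2", "IA-2", "PE-3", "SC-7"}
	tailored, err := Tailor(baseline, []Decision{
		{"AC-17", true, "TMS offers no remote access; scoping consideration, control not applicable"},
		{"PE-3", true, "inherited as a common control from the hosting data center"},
		{"SC-18", false, "added: TMS loads ActiveX/mobile code in its operator console"},
	})
	fmt.Println(tailored, err)
}
```

With the assumed levels the output is SC TMS = {(confidentiality, Low), (integrity, Moderate), (availability, Moderate)} and a Moderate baseline; the point of step 3 is that each line of the tailoring record, not the resulting list, is what you will be asked to defend.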

Jargon: V&V and C&A

What do verification and validation (V&V) and certification and accreditation (C&A) mean? They are indeed jargon, aren’t they?

Take a software development project as an example: the software is verified against solution requirements to confirm that they are implemented correctly, and validated against stakeholder and business requirements to ensure that it is effective.

Once the software solution is developed, tested, and delivered, it becomes part of the information system as a whole. The information system must be verified (or certified) to ensure that it meets its security requirements. The verification report is the objective evidence on which management accepts the residual risk and authorizes (accredits) the system for operation.

The traditional Certification and Accreditation (C&A) process has been transformed into the Risk Management Framework (RMF): six steps in NIST SP 800-37 Rev. 1, and seven in Rev. 2, which added the Prepare step. Please refer to the latest revision of NIST SP 800-37 for details.

Added on 2020/07/21:

C&A can be applied to IT products (Common Criteria), management systems (ISO 27001, ISO 22301, or ISO 9001), engineering/procurement/service capabilities (CMMI), or people’s competency (CISSP).

Certification is typically conducted by an independent third party through evaluation against agreed standards. The evaluation result is accredited by a trusted authority. C&A is the core element of assurance.

In the private sector, C&A is not a good fit for the in-house information systems of most companies. I prefer using V&V: verifying whether the system is implemented correctly by internal team members, and validating whether it is implemented effectively to solve users’ problems or meet their requirements and is accepted by external users. The system is then authorized (some may use the term accredited) to operate.

I’d summarize the key concept as follows: C&A is about the product’s trustworthiness, the customer’s confidence, and the authority’s assurance. V&V is about doing things right (correctness) and doing the right things (effectiveness).

Added on 2020/07/30:

There were various information system certification and accreditation processes across US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of their diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases of its C&A process. Thanks to the NIST RMF (SP 800-37 Rev. 2), there is now a single, unified successor to C&A.

[Figure: C&A Systems]

The NIST RMF is integrated with the system development life cycle detailed in NIST SP 800-160 Vol. 1, which is aligned with the life cycle processes of ISO/IEC/IEEE 15288. In other words, the terms certification and accreditation are no longer used in the NIST RMF: C&A (Certification and Accreditation) has been replaced by A&A (Assessment and Authorization) in the RMF, and the corresponding engineering activities are V&V (Verification and Validation) in ISO 15288.

I would conclude,

  • Verification and Validation (V&V) are engineering processes.
  • Certification and Accreditation (C&A) are formal assurance processes.
  • Every system should go through V&V, but not every organization requires C&A.

[Figure: NIST SP 800-160 V1 and ISO 15288]


CISSP PRACTICE QUESTIONS – 20190514

Trusted Computing Base

Which of the following provides the most flexible access control?

A. A subject asserting unmarried
B. A subject with the Top Secret clearance
C. A subject with need-to-know
D. A subject assigned to the Admin role


Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

The recommended answer is A, A subject asserting unmarried.

This question is designed to help you understand the characteristics of the common access control mechanisms as follows:

  • A subject asserting unmarried ⇒ Attribute-based access control (ABAC)
  • A subject with the Top Secret clearance ⇒ Mandatory access control (MAC)
  • A subject with need-to-know ⇒ Discretionary access control (DAC)
  • A subject assigned to the Admin role ⇒ Role-based access control (RBAC)

An access control mechanism comprises three parts: authentication, authorization, and accounting (AAA). A subject is a user or principal that has completed the identification process and whose identity has been authenticated.

A subject’s access to objects must be authorized. ABAC, MAC, DAC, and RBAC can enforce the authorization process.

Attribute-based access control (ABAC)

An entity comes with attributes. For example, a user is an entity with attributes such as full name, marital status, gender, and age, to name a few.

Privileges can be granted based on attributes. For example, access to the Corporate Bonus Mileage Program, a web page, is granted to members who are female (gender), married (marital status), and from Taiwan (nationality).

A subject’s attributes, which shape claims or assertions, are dynamic in nature. ABAC is the most flexible of the four mechanisms for implementing authorization: a rule can combine any subject, object, and environment attributes, and changing the policy does not require relabeling objects, re-clearing users, or redefining roles.

Mandatory access control (MAC)

MAC is based on the subject’s security clearance and the object’s classification level, or label. A security clearance is determined through a formal process. Both security clearances and object labels are hard to change.

Discretionary access control (DAC)

DAC is based on the access control matrix, a two-dimensional matrix with subjects as rows and objects as columns. A row is a subject’s capability list; a column is an object’s access control list (ACL). Access is granted at the discretion of the object’s owner.

The granularity of DAC is at the entity level (subject or object). ABAC is at the attribute level.

Role-based access control (RBAC)

As the name suggests, RBAC is based on roles. A role is a named collection of predefined permissions and rights; it usually maps to the organizational structure.

A user assigned a role is automatically granted the role’s predefined permissions and rights. This reduces the administrative burden compared with DAC. Because the permissions and rights are predefined, or sometimes hard-coded, they are not convenient to change.
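To make the four characterizations above concrete, here is an added example (not part of the original post) that evaluates one constructed subject, “alice”, against the same objects under each mechanism. The MAC rule is the Bell-LaPadula “no read up” property, the DAC rule is one ACL column of the access control matrix, the RBAC rule looks permissions up by role, and the ABAC rule is the post's bonus-page predicate; the second ABAC policy adds an environment attribute to show the kind of change only ABAC absorbs without touching the subject. The label lattice, role table, subject and objects are all assumptions for the example.

```go
package main

import "fmt"

// MAC labels, lowest to highest (a linear lattice for simplicity).
var level = map[string]int{"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

type Subject struct {
	Name      string
	Clearance string            // MAC: set by a formal clearance process
	Attrs     map[string]string // ABAC: claims such as gender or marital status
	Roles     map[string]bool   // RBAC: named bundles of permissions
}

type Object struct {
	Name  string
	Label string          // MAC: classification label
	ACL   map[string]bool // DAC: subjects granted read access by the owner
}

// MAC, simple security property (Bell-LaPadula "no read up"):
// read only if the subject's clearance dominates the object's label.
func macRead(s Subject, o Object) bool { return level[s.Clearance] >= level[o.Label] }

// DAC: the object's ACL, one column of the access control matrix, decides.
// The owner edits it at their discretion; no policy author is involved.
func dacRead(s Subject, o Object) bool { return o.ACL[s.Name] }

// RBAC: permissions hang off roles, never off individual users.
// "*" is a wildcard so Admin may do anything.
var rolePerms = map[string]map[string]bool{
	"Admin":   {"*": true},
	"Analyst": {"read:report": true},
}

func rbac(s Subject, action string, o Object) bool {
	want := action + ":" + o.Name
	for r := range s.Roles {
		if rolePerms[r][want] || rolePerms[r]["*"] {
			return true
		}
	}
	return false
}

// ABAC: a policy is an arbitrary predicate over subject, object and
// environment attributes. Changing who may access what means editing the rule,
// not re-clearing users, relabeling objects, or redefining roles.
type Policy func(s Subject, o Object, env map[string]string) bool

// bonusPage encodes the post's rule: female, married members from Taiwan.
var bonusPage Policy = func(s Subject, o Object, env map[string]string) bool {
	return o.Name == "bonus-mileage" &&
		s.Attrs["gender"] == "female" &&
		s.Attrs["marital"] == "married" &&
		s.Attrs["nationality"] == "Taiwan"
}

// bonusPageOfficeHours tightens the same rule with an environment attribute;
// the same subject gets a different answer without any change to the subject.
var bonusPageOfficeHours Policy = func(s Subject, o Object, env map[string]string) bool {
	return bonusPage(s, o, env) && env["office_hours"] == "yes"
}

func abac(p Policy, s Subject, o Object, env map[string]string) bool { return p(s, o, env) }

func main() {
	alice := Subject{
		Name: "alice", Clearance: "Secret",
		Attrs: map[string]string{"gender": "female", "marital": "married", "nationality": "Taiwan"},
		Roles: map[string]bool{"Analyst": true},
	}
	report := Object{Name: "report", Label: "Top Secret", ACL: map[string]bool{"alice": true}}
	bonus := Object{Name: "bonus-mileage", Label: "Unclassified"}

	fmt.Println("MAC  read report:", macRead(alice, report))     // false: Secret < Top Secret
	fmt.Println("DAC  read report:", dacRead(alice, report))     // true: owner put alice on the ACL
	fmt.Println("RBAC read report:", rbac(alice, "read", report))   // true via the Analyst role
	fmt.Println("RBAC write report:", rbac(alice, "write", report)) // false: Analyst cannot write
	fmt.Println("ABAC bonus page:", abac(bonusPage, alice, bonus, nil))
	fmt.Println("ABAC bonus page after hours:",
		abac(bonusPageOfficeHours, alice, bonus, map[string]string{"office_hours": "no"}))
}
```

Notice what each mechanism needs in order to change its answer: MAC needs a new clearance or label from a formal process, DAC needs the owner to edit the ACL, RBAC needs a change to the role definition or assignment, and ABAC needs only a different rule or a different attribute value, which is the sense in which it is the most flexible.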

Notes

The concept of flexibility is not rigidly defined in the question, as the question is designed to help you understand the characteristics of the common access control mechanisms. You can evaluate flexibility in terms of granularity of criteria, convenience to change, and administrative or implementation burden.
