Welcome to the CISSP Tips series by CyberPhorm. This is the first part of the series, and we know you will find it useful. Ten tips are provided in each episode. The tips discussed here are not enough on their own to prepare for the exam, and they do not replace the need for formal training; the series is here to support your study and preparation by hammering on the major concepts to grasp and building your confidence as you go into the exam. This series will also be useful for other security management courses and certifications. We know you’re ready, so let’s dive right in!
Our 10 tips in this episode
- Have a policy for everything
- Safety of life comes first in any good security program. Lives first always (protect society and commonwealth).
- Every change must go through a risk assessment and must be approved (by senior management).
- Security is part of the repeatable process of any lifecycle. It should be incorporated from the design planning phase and should be considered every step of the way.
- Anywhere you see management, think “strategic”.
- Avoid technical answers as much as possible, no matter how tempting. You are not there to fix anything yourself; your job is to hire the right people to do the work.
- The management answer is usually the best option.
- Documentation and updates are important for policies, standards, configurations, asset inventory, changes, etc. Just document everything.
- Layered security is important (also called defense-in-depth). This means having multiple layers of security (devices or measures) such that breaking into one or past one does not necessarily mean a compromise of the entire system or network.
- To know how much security is enough, do a risk assessment. A risk assessment usually informs every other decision, purchase, measure, etc.
Test Quiz
Attempt the below with your answers in the comments section
1. Which of the following is useful in preventing a single point of failure?
a) Policy
b) Risk Assessment
c) Layered Security
d) Management Approval
2. Security should be considered only at the implementation phase of a project and not from the initiation/planning phase.
True/False
3. When developing a Response Plan for a fire incident, which of the following should come first?
a) Protection of very sensitive data
b) Quick recovery of important Company systems
c) Evacuation of employees/personnel
d) Call the firefighters
4. Your company just hired a new intern for data entry and the IT department has created a user account with admin privileges for her. Which of the following security concepts was most-likely not taken into consideration?
a) Need-to-know
b) Confidentiality
c) Mandatory access control
d) Principle of least privilege
5. It is important to do ________ before making a change or making decisions.
a) Layered Security
b) Background check
c) Vulnerability Assessment
d) Risk Assessment
Answers
1. C
2. FALSE
3. C
4. D
5. D