Introduction to the eight CISSP security domains Flashcards
CISSP
Certified information systems security professional
8 Security Domains
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communications and Network Security
- Identify and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
Domain 1
Security and Risk Management
Security and risk management focuses on defining security goals and objectives, risk mitigation, compliance, business continuity, and the law.
e.g security analysts may need to update company policies related to private health information if a change is made to a federal compliance regulation such as the Health Insurance Portability and Accountability Act, also known as HIPAA.
Domain 2
Asset Security
This domain focuses on securing digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data.
When working with this domain, security analysts may be tasked with making sure that old equipment is properly disposed of and destroyed, including any type of confidential information.
Domain 3
Security Architecture and Engineering
This domain focuses on optimising data security by ensuring effective tools, systems, and processes are in place.
As a security analyst, you may be tasked with configuring a firewall. A firewall is a device used to monitor and filter incoming and outgoing computer network traffic. Setting up a firewall correctly helps prevent attacks that could affect productivity.
Domain 4
Communications and Network Security
This domain focuses on managing and securing physical networks and wireless communications.
As a security analyst, you may be asked to analyse user behaviour within your organisation.
Imagine discovering that users are connecting to unsecured wireless hotspots. This could leave the organization and its employees vulnerable to attacks. To ensure communications are secure, you would create a network policy to prevent and mitigate exposure.
Domain 5
Identity and access management
Identity and access management focuses on keeping data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications. Validating the identities of employees and documenting access roles are essential to maintaining the organization’s physical and digital security.
For example, as a security analyst, you may be tasked with setting up employees’ keycard access to buildings.
Domain 6
Security Assessment and Testing
This domain focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities. Security analysts may conduct regular audits of user permissions, to make sure that users have the correct level of access.
For example, access to payroll information is often limited to certain employees, so analysts may be asked to regularly audit permissions to ensure that no unauthorized person can view employee salaries.
Domain 7
Security Operations
This domain focuses on conducting investigations and implementing preventative measures. Imagine that you, as a security analyst, receive an alert that an unknown device has been connected to your internal network. You would need to follow the organization’s policies and procedures to quickly stop the potential threat.
Domain 8
Software Development Security
his domain focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services. A security analyst may work with software development teams to ensure security practices are incorporated into the software development life-cycle.
For example, one of your partner teams is creating a new mobile app, then you may be asked to advise on the password policies or ensure that any user data is properly secured and ma