CISSP Certification Course – How to Pass the Certified Information Systems Security Professional Exam
Earning the Certified Information Systems Security Professional (CISSP) Certification proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. The CISSP is one of the most valuable Cyber Security Certificates in the market today.
We just posted a 13-hour course on the freeCodeCamp.org YouTube channel that will prepare you to pass the CISSP exam.
Mohamed Atef created this course. Mohamed is a Cyber Security consultant and a certified instructor with 20+ years of experience in Cyber Security projects.
The course teaches you the theoretical concepts and explains the implementation of those concepts in a real business environment.
The course covers the main 8 domains that are included in the exam:
- Domain 1: Security and Risk Management
- Domain 2: Asset Security
- Domain 3: Security Architecture and Engineering
- Domain 4: Communications and Network Security
- Domain 5: Identity and Access Management
- Domain 6: Security Assessment and Testing
- Domain 7: Security Operations
- Domain 8: Software Development Security
Watch the full course on the freeCodeCamp.org YouTube channel (13-hour watch).
Transcript
(autogenerated)
I work with different types of organizations: government, multinational organizations such as IBM, the private sector, and law enforcement.
And I have 16 courses published online.
Nine of them are bestseller courses.
And all my courses are in information security.
And as you can see, my previous CISSP training was a best-seller course for two years.
And I'm proud to say that I helped hundreds of students to clear their CISSP exam on the first attempt, get certified, and join the information security career, which has a very high demand in the market today.
So the course is not just about the skills and knowledge set you will learn.
But also it will guarantee that if you follow my plan, and use my resources, you will be able to pass the CISSP exam easily, which is a must if you plan to get an information security job or position.
Before starting our training, allow me to give you a brief about the value of the CISSP certificate and what exactly the CISSP certificate is.
If you know about that, you can skip this lecture and move to the next lecture.
But if you are new to information security, and you need to know more about the information security field and what kind of certificate you need to hold to be able to find a decent job in this field, maybe you need to listen to this lecture and the upcoming lecture.
If you plan to work in information security, or you are moving from your current career to an information security career, you need to hold a professional certificate in this field.
It's like holding a license. Think about it.
If you know how to drive a car but you don't hold a driving license, no one will allow you to drive their car.
While if you have a driver's license, it means that you know how to drive a vehicle and how to manage a car.
The same concept applies to information security.
If you plan to work in this field, you need to hold the license.
So holding an information security certificate, it's like having a license.
And usually when we are doing interviews for candidates for an information security position, if they hold a certificate like CISSP, it reflects that they have good knowledge in information security.
And sometimes we can skip some questions, because just by having this certificate, it indicates that those people know about information security implementation.
So it's a very, very valuable asset to have if you plan to work in information security.
Now, it's not the only certificate in information security; we have a lot of certificates: we have the CISSP, we also have the Certified Information Security Manager, we have the Certified Information Systems Auditor, we have a lot of certificates.
But what is the value of the certificate? Should I start with it, or should I start with another certificate? CISSP, or Certified Information Systems Security Professional, is a certificate issued by (ISC)².
And you can go to their website and learn about the certificate, the value of this certificate, how to obtain the certificate, what the prerequisites for the certificate are, and so on.
But if you do a lot of research yourself about the top 10 information security certificates, you're going to find that CISSP is the first one; we have other certificates, but still CISSP is the most valuable certificate.
And if you do more research about the value of the CISSP certificate, you can find out that the most recognized certificate in this field is the CISSP: it remains one of the most widely recognized of all information security certifications, and it's mentioned more frequently in job postings and classified job ads.
So you can do your homework, you can do some research.
To know which certificate you should start with, and you will end up finding that CISSP is the most valuable one.
Now, it's not a hard certificate, and it's not a technical certificate; you need to be aware that CISSP is more in the information security management area.
So even if you have a weak technical background, you don't have to worry; you may spend more effort and more time, and I'll be supporting you the full way until you get certified.
But we should not consider this a technical certificate, because CISSP is not a technical certificate; it's more of an information security management certificate.
So this is quite important to understand that even if you are just starting, it will take you a little bit more time, and it will take a little bit more effort.
But you don't have to worry about it.
Because to be able to get your certificate, it's not about the amount of knowledge you know; it's about thinking as management, or thinking as an information security specialist.
This is not thinking as technical people.
And actually, I know a lot of people that came from a technical background, some of them were network administrators or security administrators, they came from a pure technical background, and they failed the exam because they depended on their technical knowledge, which is not the main issue here.
Okay.
And in the upcoming lectures, I'm going to give you some idea about what I'm talking about how to think, as an Information Security Manager, or information security officer and so on.
But the objective of this specific lecture is to show you the value of this certificate.
And as you can see, it's very, very valuable, and very, very recognized.
So it's a very good investment of your effort and your time until you get the certificate. The CISSP curriculum consists of eight different domains.
And to be able to pass the exam, get certified, and find a decent job, you need to not just understand the terminology and concepts related to those eight domains.
But also you need to know how we should implement them in a real environment or a real organization.
That's why I will not depend on your background.
But I will start from scratch.
And I will explain all the terminology and definitions.
But also, I'm going to show you how we are implementing them in a real-life environment.
How, if you get hired in a specific job, can you do a risk assessment? The type of risk management, or, I'm sorry, the type of risk assessment that we are following? What is asset management? What is asset security? What are the different domains in any information security management system? And how realistically are we doing it?
So what I'm trying to say is that the objective of this training, it's not just to read the slide, or to explain a definition or the terminology, it's not like that.
It's to give you the real experience, in a sense that if you get hired tomorrow, after getting certified, you will be able to start working in this environment and start doing your task in an effective way.
So I will be sharing with you a lot of plans, document templates, showing you how we are doing it in real organization, and so on.
So the eight different domains in the CISSP curriculum would be first the security and risk management.
And the first part of this domain, it's like an introductory part where we are talking about what do we mean by security? What are the different elements of information security and so on?
And then we're gonna move to a very, very important topic, which is risk management. Usually risk is one of the initial tasks that we are doing in security implementation; you need to identify what risk you are facing to be able to consider what security control you need to implement.
Then we're going to talk about asset security.
Again, the first two domains are the first step to implement an Information Security Management System.
Think about it: if you are implementing security in your home, you need to buy some alarm system, or you need to buy some or hire some security guards or something like that; how are you going to decide how much you will spend on security?
It depends on the asset values that you have, what you have in your house, right, and it depends on what risk you're facing.
Those are usually the two main steps you are doing to be able to decide what kind of security you will be implementing.
Because if you don't have that many assets at your house, you should not spend 10 or $20,000 to secure your house; it doesn't make any sense.
If you live in a place that is a very secure area, the risk is not that high, so maybe you don't need to spend that much.
So the same concepts apply to business, but on a bigger scale.
So the first two domains, if you understand them very well, you will know how to start implementing information security from scratch, how usually you are starting in this field. Then we're gonna talk about security engineering, then the fourth domain will be about communication and network security; this domain was in the previous version of CISSP, and it's still the same.
And then we're gonna talk about identity and access management, then security assessment and testing and security operation.
And finally, software development, security.
So those are the eight different domains that we will be covering in our training.
And as I told you, it's not about the terminology.
It's not about that, because actually, inside the exam, they are not testing the amount of knowledge or amount of information you know; they are testing how you can utilize them for implementing information security management.
So it's quite important to relate or map whatever we are explaining to real-life scenarios.
This is the best way that will allow you in a very short period of time to understand the concept and pass the exam.
Two things you need to know about the CISSP certificate first.
This certificate is technology-neutral.
I mean, it's not explaining a specific technology.
It's talking about general terminology related to security.
After all, this is not a technical certificate, as I mentioned before. The second point is that the CISSP keeps changing.
Sometimes they change the curriculum.
And sometimes they change the exam.
And they do that every couple of years.
So it frequently keeps changing.
So the one that is covered by this course is the latest one; this course is fulfilling the latest CISSP requirements.
According to (ISC)², the CISSP exam will change on 15 April 2018.
So this course is for the new CISSP exam that is effective after April 15, 2018. It is the same curriculum, it's still eight domains, but the way they are running the exam is completely different from the previous one.
In the new exam, they have specific topics from the course that need to be covered very well to be able to pass the exam and get certified.
And on the (ISC)² website, you will find a link; if you click on this link, it will show you all the details about the new exam.
So this is a document from the (ISC)² website.
I will attach this document to the lecture.
But you still can go yourself to the (ISC)² website and download it.
And here you can find the new exam information right now.
CISSP is now a more interactive exam, called the CAT exam.
It used to be six hours; right now it's three hours, and it has from 100 to 150 questions, multiple choice, and the passing rate is 70%.
Still like the previous one, the exam language is English, and here is where you can take the exam.
Now those are the eight domains that we will be covering inside the course.
The amount of questions related to each domain is here.
So risk management is 16% of the exam, which is a high percentage; asset management 10, 12; but still you need to give attention to all domains, you don't want to lose any question.
And this was the old exam information.
It used to be a six-hour exam with 250 questions, but it's not there anymore.
And it used to be 10 domains.
But right now it's eight domains.
And in each domain, you will find what actually are the important topics that you need to be aware of for this domain.
So you need to understand the security governance and principles, you need to understand compliance, you need to understand legal and regulations, and so on.
So it's like highlighting the important point of each domain, which will allow you to map those points to what you are learning in this training, or in any other training.
So it's quite important that you print this document and you keep it beside you.
And after finishing each domain, you need to understand, or need to highlight, the points that have been covered.
And you are comfortable with those points.
And you need also to highlight the points that were not that clear.
And you're going to have a chance to contact me directly in case you are missing any point, or you need some additional resources, or you have any doubts or questions about any specific point.
But after all, this would be a reference before sitting the exam: you should have a check mark beside each one of those points.
So this is a very, very important topic, or a very important issue to consider.
What are the requirements for the new exam that launched after the 14th of April 2018?
The first domain of this course will be about security and risk management.
And this is a very important domain.
And it includes a lot of points and topics that we will be covering.
And even inside the exam, you will find a good amount of questions related to risk management because actually, the first approach to any security implementation should be from a risk management perspective.
So you need to understand what do we mean by risk management? What is risk in the first place? Can we calculate risk? Do we have a risk management strategy?
So you don't have to worry because you're going to start from scratch.
And we're going to explain the risk management process step by step, with a lot of real-life scenarios and a lot of document templates that will help you, if you are doing a risk assessment yourself, to be able to understand how it's done.
But the domain is not only covering risk management, but we're going to cover a lot of other points.
Like for instance, we're going to start with some definitions, which is quite important to this training.
So you need to understand what is risk, what is a threat, vulnerability, governance, compliance; those are very important terminology for anyone who is working in information security.
So we're gonna start with some definitions: what is CIA and other relevant definitions? Then we're going to talk about security documentation.
Realistically, you will be involved with a lot of documentation in your work: policies, procedures, guidelines; you need to understand how it's done.
From where can you get templates? What is the difference between policies and procedures and baselines and guidelines, and so on?
So it's important to know the main documentation that we are using.
And then we will talk about risk management.
This is a very, very, very important topic.
You need to understand risk from scratch, because it's the main core area of any security implementation.
Then we're going to talk about threat modeling.
Also, we'll be talking about or covering business continuity planning, and I'm going to show you how it's done.
And what is the difference between business continuity and disaster recovery.
We will be covering acquisition strategy and practice, personnel security policies, and security awareness and training.
So those are some of the points that we're going to cover in this domain.
But it's not about the definitions, because it will not help you if you just understand the concept.
It's not really what we are looking for.
I want you to relate whatever we are explaining with real life implementation.
So for instance, if we are talking about risk management, you need to understand what is risk management, what is risk assessment, what are the different types of risk assessment, how it is done, what is the risk management strategy, can we calculate risk; so we need to start from scratch, and you need to know how it's done with real implementation, or live documentation.
That's why on the student portal, you will find a lot of templates.
So if we are talking about risk assessment, for instance, and you need to know how it's done, I will show it to you.
But also, I'm going to keep some templates on the student portal that will help you if you are doing that realistically, or if you get hired somewhere; you will know, or have some documents that will guide you on, how to do it.
So it's important to relate whatever we are talking about with real life implementation.
In this lecture, we're going to explain some important information security terminology; this terminology will be used during this training.
And you will use it realistically in any job or any position.
So we're going to start with the very basic definition, which is the CIA triad.
CIA, which stands for confidentiality, integrity, and availability, is the definition of security.
Let me explain it in a different way.
How can you define security? How can you say that your company is secure? Or let's take it on a smaller scale: if you have a laptop or a smartphone, how can you say that this smartphone is secure? If you just assign a password on it, will you consider that secure?
Okay, maybe you have a smartphone, and you did assign a password on it.
So you can prevent unauthorized people, or unauthorized access.
But what if you lose the phone? That means you have lost the information.
So I cannot say that just by assigning a password we will consider that security.
So security is to provide three different elements. First, confidentiality, which is making sure that no unauthorized user can access the information.
And a good example would be a password: when I'm assigning a password on my computer, or on my smartphone, or on any system, why am I doing that? Because I need to make sure that only people who got the password will be able to access the information, which reflects that only people who are authorized can access the information.
But if someone is not authorized to access the information, I will not give him password.
This is a small definition of confidentiality.
Okay, integrity, which means that information should not be manipulated or should not be changed.
So what if I have a lot of critical information, and it has not been hacked or stolen, but it has been modified?
So I need to prevent that; I need to put some control so that information cannot be modified unless it's authorized.
So I cannot have a bank account that has $1,000, and tomorrow I check and it's $50: someone logged in and changed the information; they didn't steal the information, they changed it.
So providing integrity is one of the security elements.
Third is availability.
So also one of the important elements in any security is to make sure that the information is available all the time.
And if we are talking about the same example, which is your smartphone, and assume that this smartphone has a lot of important information: contacts, emails, personal pictures, personal videos, and so on.
And you did secure it with a password, but you lost it; you lost the information, so it also didn't help you.
But if you are taking a backup of the information, and you lost your phone and the information, it's backed up, so you can restore it on any other device.
Then you provide availability for the information.
So my point here: whatever we are doing in information security should provide one of those three elements.
If you are assigning a password, we are talking about access control and assigning a password.
We are doing that to provide confidentiality.
If we are encrypting information, we are encrypting the information to provide confidentiality and integrity.
And we're going to see that while we are talking about cryptography. If you are taking a backup, it's for providing availability.
And usually we are writing in most of our security documents that we did this solution to provide the following elements: confidentiality, integrity, availability, and so on.
It may seem easy to understand, but sometimes you get some question about that.
It's kind of tricky.
Sometimes they will ask you, for instance, backup is for providing what? Is it confidentiality, is it integrity, is it availability? Backup has nothing...
Sorry, encryption: encryption is for providing what? It's for providing confidentiality and integrity, and it has nothing to do with availability, while backup is an availability solution, and so on.
So, whatever we are doing in this training, or actually in information security in general, should be to provide one of those three elements.
The second important definition, or set of definitions, that I would like to refer to will be the following. First, assets: what is an asset? Now, to be able to explain the asset, we need to distinguish between physical assets and information assets.
Okay.
So for instance, let's take your smartphone one more time.
Your smartphone has a lot of information on it, right? This information could be very important for you; you may have important contacts, important emails, important documents, pictures, and so on and so forth.
If you lose your phone for some reason, you forget your phone somewhere or you lose it somewhere.
What will be your main loss? Will it be the phone's price, or will it be the information on your phone?
Most probably you will be more upset about the information on your phone, because it will take you time, especially if you're not taking backups frequently.
So you need to get all those contacts again, and you need to get all those emails and all that information one more time.
Right.
So we usually have two different types of assets: we have the physical assets, things like computers, chairs, and so on.
And we have the information assets, which in most cases are more important to any business or person than the physical assets.
So most of the time, the information that you have on your laptop is more important than the laptop itself, or on your smartphone or on your tablet.
And the same concept applies, even more so, from the business perspective.
So usually, for a business, the information that they have is more valuable and more important than the physical assets. Think about a bank: in the bank, the information that they have, all the customer information and all the financial information, transactions, and everything.
Is this more valuable than the physical assets of this bank, like chairs and tables and so on? I mean, for instance, if a bank lost a chair, a chair got broken, or a computer got broken or crashed, it's some kind of damage, okay, it will cost them some money.
But what if they lost the customer information? What do you think about that? Think about the banks that lost all the customer information and their balances; what will be the loss, the damage, the legal cases that will be against them, and so on and so forth.
So usually, and because we have a specific domain about that, as an organization you should have a list of all your assets, especially the information assets. A lot of people will have an inventory for the physical assets; they know all the computers, all the chairs, all the tables, they have an inventory for them.
But many companies don't have the same list that includes information assets, which are realistically more important than physical assets.
So it's quite important to understand what we are protecting.
Because, put another way, I cannot have assets that are worth a million and spend a couple of thousand protecting them, or vice versa.
I may have assets that are not worth that much and spend 1 million to protect them.
So it's an important concept to understand.
But don't worry, we'll cover that in upcoming lectures.
So you need to understand that I need to identify what exactly I am protecting: what are my assets, information assets, which are the most important, and physical assets as well.
Now we're going to talk about threat, vulnerability, and risk.
I will not spend a lot of lectures talking about definitions, because I will divide the definitions among the different relevant lectures.
So, what is a threat? And what is a vulnerability? Okay, a vulnerability is a weakness in your system.
Now, before explaining this part as well, you need to understand that we are not talking only about technical security; we are talking about technical security in this course, and physical security, and administrative security.
So when I'm talking about weakness, I don't refer only to weakness in the computer system and the servers and so on; I'm talking about any kind of weakness.
So for instance, you may have a door that doesn't have a lock; it's a weakness. You maybe don't have enough firefighting equipment; it's a weakness.
So you need to understand that security is a very generic concept.
And when we are talking about information security, we are talking about securing them technically, and physically, and administratively as well.
And we are going to give a lot of examples while going through this course.
But again, a vulnerability is a weakness in the system, while a threat is an event that potentially may come and may do some damage.
Let me give you a small example.
Let me start with a technical example: if your computer doesn't have an antivirus, this is a vulnerability, it's a weakness.
What could go wrong because of that? You may get infected with a virus; this is a threat.
If you don't have firefighting equipment in your building, this is a vulnerability.
What could go wrong because of that? A fire may happen; this is a threat.
So this is the difference between a vulnerability and a threat, and not every vulnerability will have a threat.
So for instance, I maybe don't have an alarm system in my company.
It's a vulnerability.
But I have an alarm system in the whole building.
So do I have a threat? I already have alarms in a different place, but in my company I don't have one.
So what I'm trying to say is that not all vulnerabilities would have a threat. I may have an open port on my computer.
It's a vulnerability.
But I don't have any program or any service that can be hacked because of this port.
So I don't have this threat.
So usually, when we are identifying all vulnerabilities, we need also to identify the threats related to them.
I will not spend too much time explaining definitions, because I decided to divide them among different relevant lectures.
But I will go through the important part.
So I explained assets, threats, and vulnerabilities; I need to talk about risk, which is the main concept in this domain.
And a main concept in security in general: what is risk? A lot of people think that risk is a technical terminology, which it is not; it's a business terminology.
So what do we mean by risk? Because you need to distinguish between threat and risk.
What is risk? I'll give you a small example.
Because in this domain, you're going to learn how to calculate risk.
It's important.
So I will assume that we don't have enough firefighting equipment in our company.
What do you consider that? Is it a threat or a vulnerability? It's a vulnerability that I don't have enough firefighting equipment, sprinklers, and so on.
Now, what if a fire happened? What do you consider the fire? It's a threat.
So what if a fire happened, and because of that there was some damage in the company that was 100,000?
What do you consider that? This is the risk.
So the risk is the likelihood of a threat occurring, but most important is the damage that will happen because of this threat.
And we're going to learn how to calculate that, because actually, this is your approach to management.
If you want to implement an information security management system in any company, you need to explain to the management, if anything went wrong, how much they will be losing, and accordingly how much you need as a countermeasure. So I can say to my management: okay, if a fire happened, we're going to lose 100,000.
So I need 10,000 to buy some firefighting equipment; it makes sense, right? But if you go there and you tell them, you know, we need 200,000 to secure against fire, no one will go along with it. No, they will understand that you need to have figures. So the risk is the amount of loss that the company will lose in case any threat occurs.
We also have the terminology control, which is the countermeasure.
If I install an antivirus to mitigate a risk; again, we're going to explain all those definitions in the risk management part.
What do we consider a control? If I'm putting an antivirus, if I'm assigning a password, it's a control.
If we are, like, getting firefighting equipment, it's a control.
So it is the countermeasure that we are using to mitigate the risk or try to reduce the risk. Okay.
Social engineering is a weakness in human beings, people.
And we're going to explain this part by the end of this domain.
So social engineering is a type of attack that targets people, trying to compromise the system through them.
So it's a type of attack; sometimes, you know, someone is calling an employee in a company and asking them for, like, some information or credentials.
It's an attack that targets people; it's not targeting technology, or physical security, and so on.
And finally, defense in depth, which reflects that you should have different layers in security; I should not depend on only one layer.
So only having a password on my smartphone and considering that security, or having a password on the company laptop, and this is the best security I can implement.
But if I have a password on my computer, and it's inside a room that has a lock, or an access control outside, and I'm also taking backups in case anything crashes.
So you should have different layers.
So if one failed, you can use the other one.
So those are some of the definitions that I need you to be aware of.
While we are starting our training, and to understand the different terminologies that we are going to use.
We are still in the introductory part.
And let me ask you this question.
Why are we implementing information security in any organization? Why are we buying equipment and hiring resources and spending money to secure the information in any organization? Yes, I agree that it's because the information is a real asset of any business.
But what I'm trying to say is, is it an option? Can any organization today decide not to implement information security and accept whatever threat? Information security in any business today is more of a mandatory thing; it's not an option.
And there are a lot of regulations and compliance and governance that enforce the implementation of information security in any business.
So for instance, if you are holding credit card information from your customers, you need to follow the PCI DSS, which we're going to talk about; it's a standard that you need to follow. If you are working in the health industry, or a health business, a hospital or a clinic or something like that, you are following the HIPAA law, and so on and so forth.
So what I'm trying to say is that the first approach to the implementation of information security is to understand which standard or which compliance or regulation you are following as a business.
And if you get an interview in, like, a hospital, for instance, as an information security officer or whatever the title is, you need to know about the HIPAA law, what is needed to be implemented to follow it, because it's not an option.
And if you do not comply with the regulation, there are some legal consequences for that.
If you get hired, or you have an interview in a bank, as an information security specialist, you need to know what rules, I'm sorry, what law and regulation and compliance they are following.
So implementation of information security is not an option.
And this is why there is a lot of need for information security professionals right now, to implement and to comply with the law; otherwise, there will be a lot of consequences, legal consequences for that.
So implementing information security is not an option, and it should align with the business; it should not be holding the business down.
And this is also quite important.
Some people think about security as: you go somewhere and you just block everything, you do not allow USB on your computer, you do not allow people to connect to the internet, you do not allow people to download anything, you do not allow people to go to, like, different places inside the company.
And you know, these things, this is security.
But it's not; you need to balance between the efficiency of the business and the security.
Besides, as we just spoke, information security should be aligning with business strategy and objectives, and law and regulation as well.
So for instance, if you are working in a hospital, and you fail to implement the requirements for a specific framework, it may end up with a big fine on this organization, and maybe some jail time for the CEO or for the senior management.
So you need to align with that; you need to implement information security to secure the customer information.
And most important, secure all kinds of information, not just the customer information, but all the business information, and most important, to comply with the law as well.
So keep that in your mind.
That business should align, I'm sorry, security, information security, should align with the business strategy.
And it should follow the law and regulation and standards. Risks need to be mitigated, which we're going to cover very well in this domain.
Resource management: you need to measure the performance by evaluating and monitoring and reporting on information security governance, so it's not just implementing, but you need to know how effective it is.
And this will involve things like incident management and log management, and we will cover those topics.
But this was an overview about the importance of information security implementation, and how important it is to follow the compliance regulations, and even certificates like ISO 27000.
In the previous lecture, we spoke about the importance of information security implementation.
And we clarified that this is a requirement, sometimes a legal requirement or a compliance requirement or a standard requirement.
But after all, it's a requirement.
Now I would like to focus on two different terminologies that you should expect questions about inside the exam, because they are quite important: due diligence and due care.
What do we mean by that? Instead of reading the definition, let me give you a small example.
And let me know what you think about it. Assume that you get hired in a bank as an information security officer, in the sense that you will be someone who is responsible for securing the information of this bank, customer information, transaction information and so on.
And assume that this bank has been compromised, has been hacked, and some financial information, like customer credit card information, has been stolen.
Now, whose responsibility is it? Is it your responsibility? Definitely, it's yours, because you were hired to secure that information, right? So it's your responsibility.
And it's not just, like, a regular responsibility; it is a legal responsibility.
So what will happen in this case, if the bank gets hacked and some information gets stolen or lost? Most probably you will be taken to court.
Now when you go to court, they will ask you two different questions.
The first question will be, were you aware of those vulnerabilities and those weaknesses in your system? Were you aware that there were a lot of weaknesses inside your system, technical and physical and so on?
Okay, so if your answer was yes, I was aware, because I used to do a risk assessment, I used to do vulnerability assessment and penetration testing.
So I used to check the weaknesses in our system.
And I was aware that there were weaknesses that may lead to a compromise. This is called due diligence: that you did your research, you were aware about your setting, your infrastructure, your equipment, your software, and what their weaknesses are. The second question from the court will be, what did you do to secure those weaknesses? Did you follow the standards? Did you request, like, some additional resources? Did you update the software, and so on and so forth?
So this is called due care: that you were following the standards, the best practices, the compliance, to mitigate those risks, to fix those vulnerabilities.
This is called due care.
So what if you answer yes, I requested some equipment, I requested some resources from the management, because I knew that those vulnerabilities are risky, but management said we don't have a budget this year.
Now whose responsibility did it become? Right now it became management's responsibility.
So the point here is that the due diligence and due care concepts say, when you get hired somewhere, you need first to be aware of the weaknesses and vulnerabilities that they have.
And we can do that usually by checking or doing a vulnerability assessment, doing the risk assessment, which we're going to do in this domain, doing penetration testing, following the standards; there are some standards that we're going to talk about in future lectures that you can follow just to be sure of awareness.
I'm sorry, to be sure of the weaknesses and vulnerabilities.
But this is not enough; you need also to take action to secure them.
This is called due care. And liability here means who's responsible for securing the business information and securing the business assets, because the roles and responsibilities are quite important.
If you have policies and procedures in your organization, and all your employees are aware of that and they break this policy, it becomes their legal responsibility.
But if you don't have policies and procedures and some employee did something wrong, he does not hold any responsibility; it's your responsibility, that you didn't have policies and procedures.
And even if you have one, if the employee is not aware of it, it's useless.
That's why we need to do awareness for people, telling them this is according to the company policy, it's not right or it should not be done.
And after that they can take responsibility for their actions.
And a small example for the liability part: assume that you have a password policy, and we're going to talk about the policies and the major policies in your company, and the password policy is saying that passwords should not be shared.
So, each employee knows that if he has a password to his account, he should not share it with his colleague, okay.
And maybe this makes sense, but realistically what I saw in many companies is that sometimes someone takes a day off, so he will give his password to his colleague, so he can follow up with the daily tasks that he needs to do, okay.
If there is a policy saying that, and you find out that one of the employees gave a password to his colleague, and for some reason the password got lost or someone logged in with this password and did something wrong, okay.
He will take responsibility for that, because he knew that there is a policy in the company, and you as an information security specialist or officer did some awareness about the major policies in your organization.
So he will take responsibility for that.
But if you don't have such a policy and the same scenario happened, what can you do about it? You will take the responsibility for not having a policy. So those terminologies, due diligence and due care and liability, are quite important, because after all, you will be involved in some legal requirements.
So we need to be aware of that; you need to be aware of the legal requirements for any system.
Let me end this lecture with another example.
Your company or your bank most probably has surveillance cams, where you are capturing video, or recording video, and keeping the recordings for a while in your organization. How long should they be kept? The surveillance cam recordings, because it's one of your responsibilities; how long should they be kept? Should they be kept one month? Should they be kept two months? What do you think? Whatever number you're going to answer with is wrong.
Because you need to know, according to the law and regulation of your country, how long you need to keep them. So I'm working in some places where they have to keep all the logs, or let's say the surveillance recordings, for 90 days. If you as an information security officer are not aware of that, and you decided to keep them for only 30 days to save storage on your servers.
And some incident happened.
Like someone breaking in or any incident happened, and law enforcement came to you and told you, show me the video recording from two months ago.
And you said, I don't have that, I only keep them for one month.
This is a big problem for you.
Okay, a legal problem.
It's something.
So you need to be aware of the legal requirements, the compliance standards, and liability, because you don't want to get into legal problems in your position.
Information security positions are getting paid very well.
But they also have a big legal responsibility; you need to be aware of them.
I know we didn't cover that much yet.
But let's take a question related to the introductory part, just to give you an idea, or to relate the topic or the points that we covered so far with real exam questions.
So the question is: which factor is the most important item when it comes to ensuring security is successful in an organization? Is it senior management support? Is it effective control and implementation methods? Is it updated and relevant security policy and procedures? Is it security awareness by employees? Actually, all of them are important to implement security in any organization, but which one is the most important one? Now, think about it.
If you get hired somewhere to work as an information security professional, officer or specialist or consultant, whatever the title is, and you need to implement information security, and as we agreed, information security is not just technical security.
It's to implement technical security, to implement physical security, to implement administrative security, and so on and so forth.
Right? To be able to do that, you need people; you need the employees of this company to support you, in a way or another.
Giving you the requested information, explaining to you the business functions, to be able to decide about what controls you need to have, and so on.
If you do not have management support for that, no one will cooperate with you.
But if you have senior management support at the beginning, in the sense that management sent an email to all the people in the company, I'm sorry, all the employees in this company, telling them that we are implementing an information security management system and you need to cooperate with this specific person.
Otherwise, no one would give you support.
So the right answer for that would be senior management support.
So it should start, if you get hired at any organization, it should start with sitting with management and telling them that you need to have management support.
Otherwise, you will not be able to implement anything.
No one will cooperate with you, not because they want to do it this way.
But unless they have a management sub-requirement, or, I'm sorry, unless it's a management requirement.
You know, they will not consider that as a high priority.
So it's a very important point that security without management support is useless.
In the previous lectures, we spoke about the concepts and definitions related to information security.
So, from where should I start? If you get hired somewhere, or you got this question in any interview, how to start the information security implementation? Should I start requesting hardware and software and requesting documents? Should I start working right away? If I get hired in a bank or in any organization, I should start by checking the compliance.
Because as we agreed, the implementation of information security today is a legal requirement.
So I need to know what compliance I follow.
If you are a bank, you are following specific laws and regulations.
While if you are a hospital or clinic, you are following a set of laws and regulations.
While if you are a small grocery store, there is a set of laws and regulations as well.
So we need to understand what the legal requirements are when it comes to information security.
So it's not by buying the latest and greatest equipment and hiring the most sophisticated experts in the field.
It's not like that; it's understanding what is needed according to the law and regulation.
And this is compliance.
So this is where you should start.
And you will find a lot of, like, similarity between different compliances.
So most of them will request you to do a risk assessment, for instance; you need to identify the risks that you are facing, to be able to select, or to be able to get, the right countermeasures for them.
Most of them will request to have, like, annual penetration testing, and vulnerability assessment, and so on and so forth.
So it's not that hard.
But the thing is, you need to start from there.
Because you're going to build your policies and procedures and whatever is coming according to that.
And I believe I already gave you an example in a previous lecture, for instance, the surveillance cam, the surveillance video recording: how long should you keep it? Okay, this is critical, because if you are not aware, this will not be, like, an excuse, that I didn't know that I should keep it for 30 days, or for 90 days or so on; it will be a legal problem.
We don't have something called I didn't know about that.
You need to read the compliance; you need to sit with the legal department and ask them which compliance and regulation and law we are following.
So you should start from this point, because there are some critical points that you cannot ignore.
So compliance is quite important in our business.
And as I was saying, you should start by sitting with the legal department and asking them what regulation and compliance you are following.
And you need to understand those laws very well.
And consider them in your information security implementation.
Identify the safe harbors that could help the organization avoid penalties.
If you didn't know that you need to keep those recordings, video recordings, for 90 days, you will hold some legal consequences, and the organization, it may end up with fines, it may end up with some jail time under some laws and regulations.
So it's not easy.
It's critical.
So for instance, if you are following the HIPAA law, which is a regulation, and it's a compliance for holding the patient information in any health business. So you are a hospital, you are working in a hospital, and you didn't implement the right controls to secure the patient information.
And for some reason it gets leaked or compromised or even lost.
I think it's a very big fine on the hospital.
I think it's 200 million or something like that.
So it's not an easy punishment.
It's a hard one.
So it's very important to start from this point.
And I suggest an assignment that you can do, because I don't want you to just depend on those videos and the resources and the books that I will provide you, but I need you to do some research yourself.
So, I want you to check, for instance, some information about the HIPAA law, or some information about some standard regarding, for instance, holding credit card information; if you are taking credit card information, you are accepting payment by credit card and you are saving it.
Do you have some standards that you can follow? Do you have some regulations that you can follow? Expect that this is like an interview question.
And let me know, is there any standard related to holding credit card information? I will keep that as an assignment.
And feel free to drop me an email with your answer.
And I will let you know what I think about it.
Another point that I would like to raise here, and this has become very, very common right now, is the privacy issue.
Okay.
The personal information that you are keeping in your organization, do you have any, like, right to use it?
And I believe, you know, you are following this Facebook case.
And this session that happened in Congress regarding the leakage of some personal information.
This is exactly the privacy issue that we are talking about.
And the people who are working in security at Facebook, if they find out that they didn't keep that personal information safe, and they didn't, because the point here is that they were sending that information to other vendors.
So did they take permission from the owners of that information that they will give it to vendors or other businesses and so on?
So here we have a very important terminology called personally identifiable information, PII; you will find this terminology in different places.
Okay, which is: what are you doing with the personal information? Who is getting access to the information? Do you have the right to exchange this information or sell this information to other marketing entities or something like that? This is quite important.
So holding personal information is a big responsibility.
And you need to make sure that you are following whatever law and regulation regarding personal information. Personal information could be something like your name, social security number, your address, your phone number, your email; these are also considered personal information.
Finally, I would like just to refer to some US information privacy laws; I want you to have a look at them, you know, some information related to privacy. It's not actually a legal course; you just need to have an idea about it.
Most probably you may get one question.
So these examples are not... because, as you may know, those laws are only applicable in the US.
And we have a lot of international students.
So in the exam itself, you don't find that many questions related to a specific US law.
Because most of the information laws are related to Europe and the US.
But still, getting a brief about them, with the name of each, will not hurt you; at least you will know that there is a law related to the health industry or that there is a law related to privacy, and so on and so forth.
Before resuming our domain, I would like to refer to a very important document that you need to have while preparing for your exam, which is the Sunflower document.
When you enroll in this course, at the beginning, you receive a lot of material and resources, books and PDFs and presentations and so on, which go through the different topics and terminology and explain everything related to the curriculum.
But there is a document that you need to have which summarizes everything inside the CISSP, which is the CISSP Sunflower document. The Sunflower document is the document that summarizes all the definitions inside this course and even points to some of the important points and the, like, tricks inside the exam.
So it's a summarization document for when you finish the course.
And actually, while you are studying the course, whenever you finish one domain or another, you need to go through the related terminology in the Sunflower document.
And there are two different versions: the first version was 1.1, under the name of the CISSP Summary, and the second version was version 2, under the name of the Sunflower CISSP Cram Study.
So let me show you how the document looks, and then let me give you my recommendation about which one you need to study.
So the document consists of 25 pages, and it's divided by domain.
As you can see, we have domain one in a different color, where all the concepts and definitions about domain one are explained here.
And even sometimes, you will find that they are pointing to some important terminology by putting some underline or capital letters, or something like that.
So, you know, domain two, domain three.
So sometimes, as you can see here, they are writing a definition about host-based IDS, and they are putting that it's getting the events from the log system, for instance.
And they put that in capital letters, which reflects the importance of this piece of information.
And actually, I saw a question where they are asking you from where the host-based IDS is getting the events.
So you will find this kind of pointing to the important points.
And as you can see, each domain has a different color.
And what I usually suggest is that you should print it on paper.
And literally, you need to memorize all of this document before sitting the exam.
Because as you may notice, the CISSP is full of definitions.
So it's covering too many topics.
Okay, but just a brief about each topic.
And this is a concept related to the CISSP.
It's one mile wide, and one inch deep.
So we are covering a lot of topics, but just a small definition about each one of them.
So you need to have all those definitions related somewhere or written somewhere, because actually, some of the questions... I mean, not all the questions are scenario based.
But we have a good amount of questions which are actually a description or a definition of something.
So they may ask you about the speed of light.
So you should know that the T1 is 1.5 megahertz.
So all the definitions are combined in this document.
And it's very, very important that whenever you finish any domain, you go to the relevant domain in the Sunflower, go through all the terminology, and highlight the points that you are not aware of, or that are new to you.
And after a while, you will find yourself memorizing most of the content of this document; this is a very, very critical document that you need to study to pass the exam.
Now let's get back to why we are using two different versions. We have 1.1, which I just showed you.
And we have version 2. 1.1 was with the previous CISSP edition, which was 10 domains.
So you will find the structure of the 10 domains, while version 2 is the new version, which is the 8 domains.
Now the point is, why should I not use only version 2?
Since this is the new one. Actually, I still find version 1.1 more effective; maybe it will take you some effort to find the terminology in the old structure of 10 domains.
But I can see that this one was really well made, in the sense that whatever they are writing is very, very applicable to the exam.
So I still trust this one over the new one.
@Credits: FreeCodeCamp