We just hit a thousand subscribers, which is amazing. Thank you for all of your likes, thank you for subscribing, and for all of your wonderful comments. It's been awesome to hear how these videos are helping you learn, become better security professionals and pass the CISSP exam. So thank you, and now back to our regularly scheduled programming.

Hey, I'm Rob Witcher and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to models and frameworks in Domain 3, to understand how they interrelate and to guide your studies. This is the first of nine videos for Domain 3; I've included links to the other mind map videos in the description below.

As security professionals we need to protect the assets of the organization: everything from the people, the data, the systems, the processes and the network to the entire enterprise. This is not an easy thing to do. It's difficult to conceptualize and think through all of the components of the complex systems and processes of an entire organization, and security needs to be involved and embedded throughout all of this, throughout the entire organization. How then do we tackle this rather intractable problem? Models.

So what are models? They are conceptual representations of things. They allow us to shrink something down and simplify it. We have models of cars, models of planes, and models of enterprise security architectures. Models help us break down complex systems into their components. Once we understand the components that combine to create a complex system, we can protect each of the components, and thus tackle the problem of baking security into every aspect of even highly complex systems. We're going to talk through models that focus just on confidentiality, or integrity, or preventing conflicts of interest, and we're going to start with models that cover the entire enterprise security architecture.

Let's begin with some definitions. An architecture is simply a bunch of components that work together. A security architecture is how we protect, how we secure, each of the components in the architecture. And an enterprise security architecture is how we protect all of the components of the enterprise: the people, processes, systems, networks, etc.

There are three major enterprise security architectures that you should know about. The first is the Zachman Framework. It defines a two-dimensional table which provides a structured way of defining an enterprise and therefore breaking it down into its components. The Zachman Framework uses the interrogatives what, how, where, who, when and why as the columns of the table, and the different stakeholder perspectives (from the planner's view down to the implementer's) as the rows. Honestly, you don't need to memorize this table; just know that Zachman is an enterprise architecture framework used for enterprise security architecture. SABSA, the Sherwood Applied Business Security Architecture, was developed independently of Zachman but has a very similar structure. The primary characteristic of SABSA is that it defines a risk-driven enterprise security architecture model that is derived from an analysis of the business requirements for security. But again, you don't need to memorize the specifics of SABSA. TOGAF, The Open Group Architecture Framework, is the third major enterprise security architecture framework, and just like Zachman and SABSA, TOGAF helps you break an organization down into components so you can build security into each component. Those are the three enterprise security architectures that you need to know about.

Now let's look at security models, of which there are two major groupings: lattice-based and rule-based. We'll start with lattice-based. Lattice-based essentially means layers: we define different layers of confidentiality or integrity, and then define rules about what can be read or written between the layers to maintain confidentiality or integrity.

Bell-LaPadula (pronounce it however you like) is a confidentiality-only model. It is entirely focused on maintaining the confidentiality of information. Because it is a lattice- or layer-based model, you define different layers of confidentiality, from lower secrecy up to higher secrecy, and the model defines rules for controlling what a subject (a person or a process) can do between these layers. The first rule is the simple security property, and it states that to maintain confidentiality you can only read at your own level and below: no read up, you can only read down. The second rule is the star (*) property, and it states that to maintain confidentiality you can only write data at your own level and above: no write down, you can only write up. The third rule is the strong star property, and it states that if you are both reading and writing, you can only do so at your own level. So Bell-LaPadula is all about confidentiality: you can only read down, write up, and read and write at your own level.

The second lattice- or layer-based model is Biba. Biba is all about integrity; just remember the I in Biba stands for integrity. Again, because it is a layer-based model, you define layers, but with Biba they are layers of integrity: lower, medium or higher integrity. As you've probably guessed, the model defines rules controlling what a subject can do between layers to maintain integrity. The first rule is the simple integrity property, and it states that to maintain integrity you can only read up: if you were to read down, you would be reading less accurate or trustworthy data, so you can only read at your own level or above (no read down). The second rule is the star integrity property, which states that to maintain integrity you can only write down: if you wrote up, you would be corrupting more accurate data, so you can only write at your own level or below (no write up). Just remember it's the inverse of Bell-LaPadula. There is a third rule, the invocation property, but you don't need to know about it. Here's a simple diagram that might help you memorize these two important models: Biba is essentially a mirror, or the inverse, of Bell-LaPadula, and remember the I in Biba stands for integrity.

The final piece we will talk about related to lattice-based models is not actually a model at all; it's an implementation. The Bell-LaPadula and Biba models are essentially inverse to each other, so if you want to maintain both confidentiality and integrity, how would you combine these models? Lipner figured it out, and thus it is known as the Lipner implementation, combining both confidentiality and integrity.
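The read/write rules above are easy to state and easy to get backwards, so here they are as executable checks. This is an added example, not code from the video: the level names (`unclassified` ... `top_secret`, `untrusted` ... `system`) and the `Label` type are assumptions chosen for illustration. The Bell-LaPadula and Biba rules are each written as a comparison of ranks in a lattice, the strong star property falls out as the conjunction of the simple and star properties, and `combined_allowed` shows the idea behind the Lipner implementation: every subject and object carries both a confidentiality level and an integrity level, and an access is allowed only if both models permit it.

```python
"""Bell-LaPadula and Biba rule checks over a lattice of levels.

Added example, not from the video. Level names and the Label type are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Lowest level first. Bell-LaPadula treats this as a confidentiality lattice.
CONFIDENTIALITY = ("unclassified", "confidential", "secret", "top_secret")
# Lowest integrity first. Biba treats this as an integrity lattice.
INTEGRITY = ("untrusted", "user", "system")


def _rank(lattice, level):
    """Position of a level in its lattice; unknown levels are rejected."""
    if level not in lattice:
        raise ValueError(f"unknown level {level!r} for lattice {lattice}")
    return lattice.index(level)


# --- Bell-LaPadula: confidentiality ---------------------------------------

def blp_can_read(subject_level, object_level, lattice=CONFIDENTIALITY):
    """Simple security property: no read up (read at or below own level)."""
    return _rank(lattice, object_level) <= _rank(lattice, subject_level)


def blp_can_write(subject_level, object_level, lattice=CONFIDENTIALITY):
    """Star property: no write down (write at or above own level)."""
    return _rank(lattice, object_level) >= _rank(lattice, subject_level)


def blp_can_read_and_write(subject_level, object_level, lattice=CONFIDENTIALITY):
    """Strong star property: reading and writing the same object is only
    possible at exactly the subject's own level, which is what you get by
    requiring both the simple and the star property at once."""
    return (blp_can_read(subject_level, object_level, lattice)
            and blp_can_write(subject_level, object_level, lattice))


# --- Biba: integrity (the mirror image of Bell-LaPadula) -------------------

def biba_can_read(subject_level, object_level, lattice=INTEGRITY):
    """Simple integrity property: no read down (read at or above own level)."""
    return _rank(lattice, object_level) >= _rank(lattice, subject_level)


def biba_can_write(subject_level, object_level, lattice=INTEGRITY):
    """Star integrity property: no write up (write at or below own level)."""
    return _rank(lattice, object_level) <= _rank(lattice, subject_level)


# --- Combined (Lipner-style) label carrying both dimensions ----------------

@dataclass(frozen=True)
class Label:
    confidentiality: str
    integrity: str


def combined_allowed(subject: Label, obj: Label, mode: str) -> bool:
    """Allow an access only if BOTH the Bell-LaPadula rule and the Biba rule
    permit it. Each lattice is checked independently of the other."""
    if mode == "read":
        return (blp_can_read(subject.confidentiality, obj.confidentiality)
                and biba_can_read(subject.integrity, obj.integrity))
    if mode == "write":
        return (blp_can_write(subject.confidentiality, obj.confidentiality)
                and biba_can_write(subject.integrity, obj.integrity))
    raise ValueError(f"unknown access mode {mode!r}")


if __name__ == "__main__":
    analyst = Label("secret", "user")
    for obj in (Label("confidential", "system"),
                Label("top_secret", "untrusted"),
                Label("secret", "user")):
        print(obj,
              "read:", combined_allowed(analyst, obj, "read"),
              "write:", combined_allowed(analyst, obj, "write"))
```

Run it and notice that the object a `secret`/`user` analyst may read (lower confidentiality, higher integrity) is exactly the one they may not write, and vice versa: that tension between the two models is why Lipner had to combine them rather than just stack them.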
Now let's talk about rule-based models; there are a few of them. First we have the Clark-Wilson model, which, just like Biba, is all about integrity, but the Clark-Wilson model goes a lot deeper. It defines three goals of integrity: preventing unauthorized subjects from making any changes, preventing authorized subjects from making bad (improper) changes, and maintaining the consistency of the system. To achieve these three goals it defines three rules: you must have well-formed transactions, you must have separation of duties, and, number three, you must have the access triple of subject, program and object, meaning a subject can only touch protected data through an authorized program.

The Brewer-Nash model, also known as the Chinese Wall model, has one goal: preventing conflicts of interest. There are a couple of other models that you should simply recognize as being rule-based models. Graham-Denning, for instance, specifies rules about allowing subjects access to objects, and Harrison-Ruzzo-Ullman (HRU) is an enhancement of Graham-Denning; it adds generic rights. But again, just know that these are rule-based models.
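What makes Brewer-Nash different from the lattice models is that the decision depends on history: what a subject may read next depends on what it has already read. The following is an added example, not code from the video or from any product, showing that rule in action. The company datasets, their conflict-of-interest classes and the subject names are constructed for illustration, and the full model's exception for "sanitized" (public) data is deliberately left out of the write rule to keep the core idea visible.

```python
"""Brewer-Nash (Chinese Wall) access control with per-subject history.

Added example, not from the video or any product. The datasets and
conflict-of-interest classes are constructed; the sanitized-data exception
of the full model is omitted.
"""
from collections import defaultdict

# Each company dataset belongs to exactly one conflict-of-interest class.
CONFLICT_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroCorp"},
    "software": {"SoftCo"},
}


def conflict_class_of(dataset):
    """Return the conflict-of-interest class a company dataset belongs to."""
    for cls, members in CONFLICT_CLASSES.items():
        if dataset in members:
            return cls
    raise KeyError(f"unknown dataset {dataset!r}")


class ChineseWall:
    """Tracks which datasets each subject has touched and enforces the wall."""

    def __init__(self):
        self._history = defaultdict(set)  # subject -> datasets read so far

    def history(self, subject):
        return frozenset(self._history[subject])

    def can_read(self, subject, dataset):
        """Simple security rule: a subject may read a dataset only if it has
        never read a *different* dataset in the same conflict class."""
        cls = conflict_class_of(dataset)
        return all(
            seen == dataset or conflict_class_of(seen) != cls
            for seen in self._history[subject]
        )

    def read(self, subject, dataset):
        """Perform a read if permitted. The access is recorded because every
        later decision for this subject depends on it; that is what makes
        the model dynamic, unlike Bell-LaPadula or Biba."""
        if not self.can_read(subject, dataset):
            return False
        self._history[subject].add(dataset)
        return True

    def can_write(self, subject, dataset):
        """Star rule (without the sanitized-data exception): a subject may
        write to a dataset only if it may read it and has read nothing from
        any other company, so nothing can leak across the wall via a write."""
        if not self.can_read(subject, dataset):
            return False
        return self._history[subject] <= {dataset}


if __name__ == "__main__":
    wall = ChineseWall()
    for dataset in ("BankA", "BankB", "OilCo", "BankA"):
        print("alice reads", dataset, "->", wall.read("alice", dataset))
    print("alice may write BankA ->", wall.can_write("alice", "BankA"))
```

The write rule is the part people forget: once the analyst has read both BankA and OilCo, she is allowed to keep reading either, but she may no longer write to either one, because a write could carry OilCo information into BankA's dataset where a second analyst, who is walled off from OilCo, could read it.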
Now let's talk about the major security, privacy and risk frameworks that you need to know about for the exam. We will begin with the security frameworks, which focus on security. Wow, they focus on security. The major framework that you need to know a fair bit about is ISO 27001. It is the most widely used security framework in the world. ISO 27001 provides best practice recommendations for an ISMS, an information security management system. In other words, ISO 27001 defines 114 controls across 14 domains or categories (that is the 2013 edition; the 2022 revision regrouped them into 93 controls under 4 themes, but the exam point is the same). These controls define all of the best practices you should have in place for a well-run security program, starting from the top with security governance and security policies, through onboarding, asset management, access control, cryptography, physical security, network security, and all the way to having a compliance function.

It is important to remember that ISO 27001 defines the controls, and you can therefore be ISO 27001 certified. ISO 27002, on the other hand, provides the code of practice for information security controls: it provides the implementation guidance for the controls in 27001. So can you be certified against ISO 27002? No, it's just a guidance document.

Now, the next few security control frameworks that I'm going to talk about, you do not need to be an expert on them; simply know what they are primarily focused on and used for. NIST 800-53, for instance, provides a set of security and privacy controls for US federal agencies. COBIT, the Control Objectives for Information and Related Technologies, was created by IT auditors at ISACA, and because it was created by IT auditors it is particularly useful for IT audit and assurance work. COSO, the Committee of Sponsoring Organizations of the Treadway Commission (that's a mouthful), was an initiative in the US in the 1980s to combat corporate fraud. While COSO is primarily focused on financial reporting controls, it does contain a requirement for reasonable security. ITIL, the Information Technology Infrastructure Library, defines a framework of best practices for delivering IT services that are aligned with business goals and objectives, so ITIL is particularly useful for looking at IT processes like change management, configuration management, access management, event management, availability management, and so on. HIPAA, the Health Insurance Portability and Accountability Act, predictably, is a US law focused on safeguarding medical and healthcare information. SOX, the Sarbanes-Oxley Act: we can thank Enron and WorldCom for this US federal law. SOX requires top management, the CEO and CFO, to individually certify the accuracy of financial information, and if fraudulent activity is found the penalties are much more severe. The security aspect of SOX is that the financial records must have integrity and be available.

Now let's look at an important privacy guideline and a major privacy regulation. We'll start with the guideline, specifically the Organisation for Economic Co-operation and Development (OECD) privacy guidelines, or principles. I cover the OECD guidelines in a lot more detail as part of the second Domain 2 video, which I've linked to. The major privacy regulation that you need to know about is the GDPR, the General Data Protection Regulation, which is the core of the European Union's digital privacy legislation. I also talk about GDPR in more detail in that same Domain 2 video.

Now let's talk about risk frameworks. The major risk framework that you need to know a wee bit about is NIST SP 800-37, the Risk Management Framework. The RMF provides a structured process for managing security and privacy risk. Make sure you know the six steps of the RMF and their order: step one, categorize information systems; two, select security controls; three, implement security controls; four, assess security controls; five, authorize information systems; and six, monitor security controls. (Revision 2 of SP 800-37, published in 2018, added a Prepare step in front of these six.) The following three frameworks you should just recognize as frameworks that contain risk management components; it is highly unlikely you'll get specific questions on any of them: ISO 31000, COSO, and ISACA's Risk IT.

And that is an overview of models and frameworks within Domain 3, covering the most critical concepts to know for the exam. If you found this video helpful you can hit the thumbs up button, and if you want to be notified when we release additional videos in this mind map series then please subscribe and hit the bell icon to get notifications. I'll provide links to the other mind map videos in the description below. Thanks very much for watching and all the best in your studies.