CISSP Study Guide:

CISSP Cram Sheet:
Compiled by: Jason Robinett, Ascend Solutions
Last Updated 4/10/02
NOTE:
This guide does not replace in any way the outstanding value of the ISC2 CISSP CBK Seminar,
nor the fact that you must have been directly involved in the security field or one of the 10
domains of expertise for at least 3 years if you intend to take the CISSP exam. This booklet
simply intends to make your life easier and to provide you with a centralized and compiled list of
resources for this particular domain of expertise. Instead of a list of headings, we will attempt to
give you the headings along with the information to supplement the headings.
As with any security related topic, this is a living document that will and must evolve as other
people read it and technology evolves. Please feel free to send comments and input to be added
to this document. Any comments, typo correction, etc… are most welcome and can be sent
directly to jasonr@ascendsolutions.com. Thanks.
Domain 3 – Security Management Practices
Description:
Security management entails the identification of an organization's information assets and the
development, documentation, and implementation of policies, standards, procedures and
guidelines which ensure confidentiality, integrity, and availability. Management tools such as data
classification, risk assessment, and risk analysis are used to identify the threats, classify assets,
and to rate their vulnerabilities so that effective security controls can be implemented.
Security Management Concepts & Principles
- Privacy – The level of confidentiality and privacy protection that a user is given in a
  system. This is an important security control.
- Confidentiality – Attempts to prevent the intentional or unintentional unauthorized
  disclosure of a message's contents.
- Integrity – Ensures that data is not modified by unauthorized personnel or processes.
- Availability – Ensures reliable and timely access to data or computing resources by
  the appropriate personnel.
- Authorization – The rights and permissions granted to an individual that enable
  access to a computer resource.
- Identification – The means by which users claim their identity to a system.
- Authentication – The testing or reconciliation of evidence of a user's identity.
- Accountability – A system's ability to determine the actions and behavior of a single
  individual within a system.
- Non-repudiation – Ensures that the originator of a message or transaction cannot later
  deny having sent it, and that the recipient cannot deny having received it.
- Documentation – TBD
- Audit – The independent review and examination of system records and activities to
  verify compliance with policy and to detect security violations.
- CIA Triad – Confidentiality, Integrity, & Availability.
- Protection Mechanisms – Common ways of enforcing the principles above:
  - Layering – Multiple overlapping controls (defense in depth), so that the failure or
    bypass of one control does not by itself expose the asset.
  - Abstraction – Treating groups of similar subjects or objects (users, files, processes)
    by class or role, so controls are applied uniformly rather than object by object.
  - Data hiding – Keeping data out of reach of subjects that have no need to interact with
    it, so that the subject is not even aware the data exists.
  - Encryption – Transforming data so it is unreadable without the proper key, protecting
    its confidentiality (and, with integrity checks, its integrity) in storage and in transit.

Change Control/Management – The process of tracking and approving changes to a
system. It involves identifying, controlling, and auditing all changes made to the system.
Configuration management of this kind is a TCSEC requirement for B2, B3, & A1 systems.
- Hardware Configuration – TBD
- System & Application Software – TBD
- Change Control Process – 5 generally accepted procedures exist to implement a
  process:
  - Applying to introduce a change
  - Cataloging the intended change
  - Scheduling the change
  - Implementing the change
  - Reporting the change to appropriate parties

Data Classification – Has a long history of use within the government. Is often used
today to comply with privacy laws or enable regulatory compliance.
- Objectives of a Classification Scheme
  - Demonstrates an organization's commitment to security protections
  - Helps identify valuable data
  - Supports the CIA tenets
  - Helps to identify which protections apply to which data
  - May be required for regulatory, compliance, or legal reasons
- Criteria by Which Data is Classified
  - Value – Is the information valuable to the organization or to a competitor?
  - Age – Classification may be lowered if the information's value decreases over time.
  - Useful Life – If information has been made obsolete by newer information, it
    may be declassified.
  - Personal Association – Whether the information is personally associated with specific
    individuals (a privacy concern).
- Commercial Data Classification
  - Public – Information that shouldn't be disclosed, but whose disclosure would not cause
    serious damage.
  - Sensitive – Information that requires a higher level of protection against loss of
    confidentiality and integrity.
  - Private – Information that is of a personal nature and is for company use only.
    Disclosure would cause damage.
  - Confidential – Information that is considered very sensitive and is for internal use
    only. Disclosure would cause extreme damage.
- Government Data Classification
  - Unclassified – Information that is neither sensitive nor classified. Public release is
    acceptable.
  - Sensitive but Unclassified (SBU) – Information designated as a minor secret; disclosure
    would not cause serious damage.
  - Confidential – Unauthorized disclosure of this information could cause some damage.
  - Secret – Unauthorized disclosure of this information could cause serious
    damage.
  - Top Secret – Highest level of classification. Unauthorized disclosure of this
    information could cause grave damage.

Information/Data
- Worth/Value
- Collection & Analysis Techniques

Employment Policies & Practices
- Background Checks/Security Clearances
- Employment Agreements
- Hiring and Termination Practices
- Job Descriptions
- Roles & Responsibilities
  - Senior Management – Assigned the overall responsibility for the security of
    information.
  - InfoSec Professionals – Delegated by management the responsibility for implementing
    and maintaining security.
  - Data Owners – Responsible for determining the data's sensitivity levels.
  - Users – Responsible for following procedures set out by the organization.
  - IS Auditors – Responsible for providing reports to management on the
    effectiveness of the security controls.
- Separation of Duties & Responsibilities
- Job Rotations
Policies, Standards, Guidelines & Procedures
- Risk Management – Its main function is to mitigate risk, i.e., to reduce risk
  to an acceptable level. Identifying the risk to an organization requires defining
  four elements:
  - The actual threat
  - The possible consequences of the realized threat
  - The probable frequency of occurrence of the threat
  - The degree of confidence that the threat will actually occur
- Principles of Risk Management – To enable the risk management process, you
  will need to determine the value of assets, the threats and vulnerabilities, and the
  likelihood of events, using the RA formulas that follow.
  - Performing a Risk Analysis, including the cost/benefit analysis of protections.
  - Implementing, reviewing, and maintaining protections.
- Terms
  - Asset – A resource, process, product, computing infrastructure, etc. that an
    organization has determined must be protected.
  - Threat – Any event whose occurrence would have an undesirable impact on
    the organization.
  - Vulnerability – The absence or weakness of a safeguard.
  - Safeguard – The control or countermeasure employed to reduce the risk
    associated with a threat.
  - Probability Determination – Estimated as the Annualized Rate of Occurrence (ARO).
  - Asset Valuation – See the Asset Valuation Process below.
- RA Tools & Techniques
  - Quantitative Risk Analysis – Attempts to assign objective numeric values to
    the components of the risk assessment and the assessment of potential losses. A
    major project requiring project management and a lot of time and effort.
    - Estimate the potential losses to assets by determining their value
    - Analyze potential threats to the assets
    - Define the Annualized Loss Expectancy
  - Qualitative Risk Analysis – More scenario-oriented. The seriousness of threats
    and the relative sensitivity of assets are given a ranking, by using a scenario and
    then creating an exposure scale.
    - A scenario is written that addresses each threat
    - The scenario is reviewed by business managers for a reality check
    - The RA team recommends & evaluates various safeguards for each threat
    - The RA team works through each finalized scenario using a threat, asset, and
      safeguard
    - The team prepares its findings
- Asset Valuation Process – Basic elements that are used to determine an
  information asset's value:
  - The initial and ongoing cost of purchasing, licensing, developing, and
    supporting the asset.
  - The asset's value to the organization's production operations, research and
    development, and business model viability.
  - The asset's value established in the external marketplace, and the estimated
    value of intellectual property.
- Safeguard Selection – The most important part of the selection process is the
  Cost/Benefit Analysis. The total cost of a safeguard includes the purchase, development,
  and/or licensing costs, the physical installation costs, and the normal operating costs.
  Use the following formula:
  - (ALE before safeguard – ALE after safeguard) – Annual Cost of Safeguard = Value of
    Safeguard to the organization
  - Also take into consideration the amount of manual intervention needed to operate
    the safeguard. The more automated, the more sustainable.
  - The safeguard must allow for the inclusion of auditing and accounting
    functions.
  - The safeguard should be evaluated in regard to its state after a reset and
    must meet the following:
    - No asset destruction during reset
    - No covert channel access
    - No security loss or increase in exposure
    - Defaults to a state that doesn't enable any operator access rights until all
      controls are fully functional
- Qualitative vs. Quantitative Risk Assessment Methodologies – Qualitative is
  far less expensive and time-consuming, but relies on much more guesswork (subjective
  rankings rather than dollar figures).
- Exposure Factor (EF) – The percentage of loss a realized threat event
  would have on a specific asset.
- Single Loss Expectancy (SLE) – The dollar figure assigned to a single
  occurrence of a threat. Derived from the formula: Asset Value ($) * EF = SLE
- Annualized Rate of Occurrence (ARO) – A number that estimates the frequency with
  which a threat is expected to occur in one year (e.g., once every 10 years = 0.1).
- Annual Loss Expectancy (ALE) – Derived from the formula:
  SLE * ARO = ALE
- Countermeasure Selection – TBD
- Countermeasure Evaluation – TBD
- Risk Reduction/Assignment/Acceptance – You can either take the necessary
  measures to alter the risk position of an asset (Reduction), assign or transfer the
  potential cost of a loss to another party, e.g., through insurance (Assignment), or
  accept the level of loss (Acceptance).
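The following worked example ties the SLE, ALE and safeguard-value formulas above together and carries them through the safeguard-selection step. It is an added example, not part of the original cram sheet; the asset, its value, the exposure factor, the ARO and the two candidate safeguards with their costs are constructed for illustration only.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard value.

Added worked example for the RA formulas in the guide; it is not part of
the original cram sheet.  Every dollar figure, EF and ARO below is a
constructed, hypothetical value.
"""
from dataclasses import dataclass, replace
from typing import Optional, Sequence


def aro_from_interval(years_between_events: float) -> float:
    """Annualized Rate of Occurrence from 'once every N years' (e.g. 10 -> 0.1)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, expressed in the guide's terms."""
    asset: str
    asset_value: float       # AV, in dollars (from the asset valuation process)
    exposure_factor: float   # EF, fraction of AV lost per event (0.0 .. 1.0)
    aro: float               # ARO, expected events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control.  annual_cost must already include amortized
    purchase/licensing, installation and normal operating costs."""
    name: str
    annual_cost: float
    ef_after: Optional[float] = None   # new EF if the control limits damage per event
    aro_after: Optional[float] = None  # new ARO if the control makes events rarer

    def apply(self, exposure: Exposure) -> Exposure:
        """The same exposure with this safeguard in place."""
        return replace(
            exposure,
            exposure_factor=self.ef_after if self.ef_after is not None else exposure.exposure_factor,
            aro=self.aro_after if self.aro_after is not None else exposure.aro,
        )


def safeguard_value(exposure: Exposure, sg: Safeguard) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - annual cost of safeguard."""
    return exposure.ale() - sg.apply(exposure).ale() - sg.annual_cost


def select_safeguard(exposure: Exposure, candidates: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Pick the control with the highest positive value.  None means every
    candidate costs more per year than the loss it avoids, so the risk is a
    candidate for acceptance or transfer rather than reduction."""
    ranked = sorted(candidates, key=lambda s: safeguard_value(exposure, s), reverse=True)
    if not ranked or safeguard_value(exposure, ranked[0]) <= 0:
        return None
    return ranked[0]


# Constructed scenario (hypothetical figures): a customer database valued at
# $500,000, hit by a destructive ransomware event roughly once every two
# years that destroys 60% of its value before service is restored.
DATABASE_RANSOMWARE = Exposure(
    asset="customer database",
    asset_value=500_000,
    exposure_factor=0.60,
    aro=aro_from_interval(2),      # 0.5 events per year
)

CANDIDATES = [
    # Offline, tested backups do not stop the event but cut the loss per event.
    Safeguard("offline backups + restore drills", annual_cost=40_000, ef_after=0.10),
    # An endpoint detection platform makes the event rarer but not less damaging.
    Safeguard("endpoint detection platform", annual_cost=130_000, aro_after=0.10),
]


if __name__ == "__main__":
    e = DATABASE_RANSOMWARE
    print(f"SLE = ${e.sle():,.0f}   ALE = ${e.ale():,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name}: value = ${safeguard_value(e, sg):,.0f}")
    best = select_safeguard(e, CANDIDATES)
    print("select:", best.name if best else "no safeguard pays for itself")
```

With these constructed numbers the SLE is $300,000 and the ALE $150,000. The backup control lowers the ALE to $25,000 for $40,000 a year, a value of $85,000; the detection platform lowers it to $30,000 but costs $130,000 a year, a value of -$10,000, so on these figures it would not be selected on cost/benefit grounds alone. The point of the exercise is that the safeguard is judged against the loss it actually avoids, not against the asset's full value.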
Roles & Responsibilities
- Management – Responsible for protecting all assets directly and indirectly under
  their control. They must enforce security policies and make sure that employees abide
  by them.
- Owner – The business owner or manager responsible for the asset or information
  that must be protected. The owner has final corporate responsibility for data
  protection. Responsibilities include:
  - Making the determination of what level of classification the information
    requires.
  - Reviewing the classification assignments and making necessary changes.
  - Delegating the day-to-day responsibility for data protection (typically to a
    custodian).
- Custodian – Holds the delegated responsibility for protecting information assets. Duties
  include:
  - Performing and testing backups
  - Performing data restores
  - Maintaining records per the classification policy
- User – Considered to be anyone that routinely uses the information as part of their
  job. Must take "due care" to preserve the information while doing their work.
- IS/IT Function – TBD
- Other Individuals – TBD
Security Awareness Training – Refers to the general, collective awareness of an
organization's personnel of the importance of security and security controls.
- Benefits:
  - Makes a measurable reduction in unauthorized actions
  - Significantly increases the effectiveness of protection controls
  - Helps to avoid fraud, waste, and abuse
Personnel are considered to be "security aware" when they clearly understand the need
for security, and how security impacts the viability of the company.
Awareness Training methods:
- Live/Interactive Presentations
- Publishing/Distributions
- Incentives
- Reminders
Security Management Planning – TBD