
Information Systems Security

Introduction

Muhammad Yousaf
Riphah Institute of Systems Engineering (RISE), Riphah International University (RIU), Islamabad

Instructor
MUHAMMAD YOUSAF

M.Sc (Computer Science), Department of Computer Science, Karachi University

MS (Computer Engineering), Specialization in Computer Networks, Center for Advanced Studies in Engineering (CASE), U.E.T. Taxila

Ph.D (Computer Engineering), in progress at CASE, Islamabad

muhammad.yousaf@riu.edu.pk +92-321-600-7922

Becoming a CISSP
Certified Information Systems Security Professional


Contents

Why to become a CISSP
The CISSP exam
Recommended Books
Grading Policy
The Common Body of Knowledge and what it contains
Ten Domains of CISSP


Why to Become a CISSP?

To meet the growing demand and to thrive in an ever-expanding field
To broaden your current knowledge of security concepts and practices
To bring security expertise to your current occupation
To become more marketable in a competitive workforce
To show a dedication to the security discipline
To increase your salary and be eligible for more employment opportunities


The CISSP Exam

Administered by the International Information Systems Security Certification Consortium, (ISC)2
Ten domains of security make up the CISSP Common Body of Knowledge (CBK)
Covers the breadth of Information Systems Security: "an inch deep and a mile wide"
250 MCQs in a 6-hour exam
Minimum passing score is 700/1000
The exam is NOT product or vendor oriented

Recommended Books

ALL-IN-ONE CISSP EXAM GUIDE, by Shon Harris, Sixth Edition, McGraw Hill, 2013

Official (ISC)2 Guide to the CISSP CBK, 3rd Edition, 2012


Grading Policy

Quizzes (10)    10 x 3 = 30
Mid Term (2)    2 x 15 = 30
Final Exam      40


Ten Security Domains of CISSP

1. Information Security Governance & Risk Management
2. Access Control
3. Security Architecture & Design
4. Physical (Environmental) Security
5. Telecommunications & Network Security
6. Cryptography
7. Business Continuity & Disaster Recovery Planning
8. Legal, Regulations, Investigations & Compliance
9. Software Development Security
10. Security Operations

InfoSec Governance & Risk Management

Examines the identification of company assets, the proper way to determine the level of protection each requires, and the type of budget to develop for security implementations, with the goal of reducing threats and monetary loss. Some of the topics covered include:

Data classification
Risk assessment and management
Policies, procedures, standards, and guidelines
Personnel security, training, and awareness


Access Control

Examines the mechanisms that enable administrators and managers to control what subjects can access, the extent of a subject's capabilities after identification, authentication and authorization, and the auditing and monitoring of these activities. Some of the topics covered include:

Access control threats
Attack methods
Identification and authentication techniques
Single sign-on technologies
Access control administration


Security Architecture and Design

This domain examines the ways in which software and systems should be designed securely. It also covers international security evaluation standards and what they mean for different types of platforms. Some of the topics covered include:

Common flaws in applications and systems
Operating states, kernel functions, and memory mapping
Security models, architectures, and evaluations
Trusted Computer System Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria (CC)
Certification and accreditation

Physical (Environmental) Security

Examines the threats, risks, and countermeasures involved in protecting facilities, hardware, data, media, and personnel. This involves facility selection, authorized entry methods, and environmental and safety procedures. Some of the topics covered include:

Restricted areas, authorization methods, and controls
Fencing, security guards, and security badge types
Motion detectors, sensors, and alarms
Intrusion detection
Fire detection, prevention, and suppression


Telecommunications & Network Security

Examines internal, external, public, and private communication systems; networking structures; devices; protocols; and remote access and administration. Some of the topics covered include:

OSI model and layers
Network topologies and cabling
Local area network (LAN), metropolitan area network (MAN), and wide area network (WAN) technologies
Internet, intranet, and extranet issues
Virtual private networks (VPNs), firewalls, routers, switches, and repeaters
Attack methods

Cryptography

This domain examines cryptographic techniques, approaches, and technologies. Some of the topics covered include:

Encryption protocols and their implementation
Symmetric versus asymmetric algorithms and their uses
Public key infrastructure (PKI) and hash functions
Attack methods


Business Continuity & Disaster Recovery Planning

This domain examines the preservation of business activities when faced with disruptions or disasters. It involves the identification of real risks, proper risk assessment, and countermeasure implementation. Some of the topics covered include:

Business resource identification and value assignment
Business impact analysis and prediction of possible losses
Unit priorities and crisis management
Plan development, implementation, and maintenance


Legal, Regulations, Investigations, and Compliance

Examines computer crimes, laws, and regulations; techniques for investigating a crime, gathering evidence, and evidence-handling procedures; and how to develop and implement an incident-handling program. Some of the topics covered include:

Types of laws, regulations, and crimes
Export and import laws and issues
Licensing and software piracy issues
Forensics
Incident handling
Evidence types and admissibility in court

Software Development Security

This domain examines secure software development approaches, application security, and software flaws. Some of the topics covered include:

Data warehousing and data mining
Various development practices and their risks
Software components and vulnerabilities
Malicious code


Security Operations

Examines controls over personnel, hardware, and systems, together with auditing and monitoring techniques, possible channels of abuse, and how to recognize and address them. Some of the topics covered include:

Administrative responsibilities pertaining to personnel and job functions
Maintenance concepts for antivirus, training, auditing, and resource protection activities
Preventive, detective, corrective, and recovery controls
Security and fault-tolerance technologies


Questions?

