
What are CISSP domains?

The CISSP certification is organized into eight domains. The breadth of topics covered shows that it applies across every area of information security, and successful candidates are proficient in all of them. Each domain deals with a distinct area of information security; the following is an overview of each.

1. Security and Risk Management 

This domain covers the fundamentals of security policies, compliance with laws and regulations, professional ethics, risk management, and threat modeling. The key points in this domain are:

  • Security measures are selected on the basis of compliance requirements and assessed risk.
  • Confidentiality - Information and functions can be accessed only by authorized parties (for example, military secrets).
  • Integrity - Information and functions can be added, altered, or removed only by authorized people and through authorized means.
  • Availability - Information and functions are accessible to authorized parties when they are needed. Together with confidentiality and integrity this forms the CIA triad referred to in the later domains.
  • Governance - A governance program ensures that security goals are achieved and provides strategic direction and oversight.
  • Organizations consider all types of risk, including investment risk and cyber risk.
  • Security policies have the following characteristics:
  • Firstly, they should align with the vision and mission of the company.
  • Secondly, they must integrate all business units.
  • Thirdly, they should be reviewed and updated regularly.
  • Lastly, they should be easy to comprehend, so that everyone can abide by them without difficulty.

A risk analysis team is also formed within the organization to analyze each known risk. The team first assesses the value of the company's assets, then analyzes the risks to those assets, and finally identifies controls to mitigate them.

2. Asset Security 

The second CISSP domain, asset security, deals with the protection of assets such as data and devices. The key points in asset security are:

  • Data Classification - The data owner classifies the data according to a set of predefined criteria. The classification is reviewed annually to determine whether it needs to change.
  • Data Management - This addresses the information lifecycle needs of the enterprise, from creation through use and retention to disposal.
  • Data Remanence - This is the residual representation of digital data that remains after an attempt to erase it. Deleting a file usually removes only its directory entry, so proper disposal requires overwriting, cryptographic erasure, degaussing, or physical destruction of the medium.

3. Security Engineering

This domain covers security architecture, security models, cryptography, and physical security. The key points in security engineering are:

The security engineering domain establishes a common practice for creating, analyzing, and using architecture descriptions within a particular problem domain.

Cryptography is a core part of security engineering: encryption converts data from a readable form (plaintext) into an unreadable form (ciphertext) that can be turned back into the original only by someone holding the correct key.

4. Communication and Network Security 

This domain covers network structures, transmission methods, and the security measures used to achieve confidentiality, integrity, and availability (CIA) across an organization's network. A few of these measures:

  • OSI model - The Open Systems Interconnection (OSI) model is the foundation of networking. It describes, in seven layers, how data is transferred from one computer to another.
  • Firewall - A firewall is a hardware or software device that filters traffic between networks according to a rule set, for example blocking unsolicited inbound connections from the internet to your computer.
  • IDS - An intrusion detection system monitors network or host activity and raises an alert on unauthorized or anomalous activity. Unlike a firewall, an IDS detects rather than blocks; a system that also blocks is an intrusion prevention system (IPS).
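The detection role of an IDS, as an added example that is not part of the original post: a threshold rule run over constructed SSH authentication log lines (in the format sshd writes to the system log), flagging any source address with five or more failed passwords inside a sixty-second window. The threshold, the window and every address and name in the log are assumed for illustration.

```python
"""Minimal threshold-based intrusion detection over sshd log lines.

Added example, not from the original post. SAMPLE_LOG is constructed for
illustration; the threshold and window are assumed values, not a standard.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five failures from one source within twenty seconds,
# one successful key login, and one isolated failure from another source.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2
2024-05-01T10:00:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-05-01T10:00:15 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
2024-05-01T10:00:20 host sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-05-01T10:00:31 host sshd[1206]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T10:05:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional in sshd's message.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: sorted usernames tried} for every source that reaches
    `threshold` failed logins within any `window_seconds` span."""
    events = defaultdict(list)  # source ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages are not counted
        events[m.group("src")].append((datetime.fromisoformat(m.group("ts")), m.group("user")))

    alerts = {}
    for src, attempts in events.items():
        attempts.sort()
        start = 0  # sliding window over the sorted attempts
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = sorted({user for _, user in attempts[start:end + 1]})
                break
    return alerts

if __name__ == "__main__":
    for src, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT possible SSH brute force from {src}; usernames tried: {users}")
```

A real IDS would normalize many log formats and correlate across hosts, but the shape is the same: parse, count per source over a time window, alert when a rule fires. The successful login from 198.51.100.4 and the single failure from 198.51.100.9 produce no alert.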

Moving ahead, let us see how CISSP deals with authentication in the next domain. 

5. Identity and Access Management

This domain covers access control, identification, authentication, authorization, and attacks on access control together with their countermeasures. To access a dataset or resource, a subject must be identified, authenticated, and authorized. A few of the key fields in this domain:

  • Identity management - Users are identified and authenticated, usually through automated means such as a central directory.
  • Kerberos - This is a network authentication protocol based on symmetric-key cryptography. A trusted key distribution center (KDC) issues time-limited tickets, so that a client and a service can authenticate each other without the user's password ever crossing the network.
  • Access criteria - Access to data should not be granted to anyone and everyone. It should be issued according to the level of trust and the subject's job role in the organization, and preferably also constrained by the location and the time of the request.
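The Kerberos exchange described above, as an added illustration that is not from the original post and is not a real Kerberos implementation: a simplified AS, TGS and AP exchange run in one process. The cipher is a toy (an HMAC-SHA256 keystream plus an HMAC tag) standing in for Kerberos's AES encryption types, messages are JSON, and the realm name, principals, passwords and lifetimes are assumed. What it shows is the structure: the client's long-term key is derived from the password locally and never sent, each service needs only its own key, and every ticket carries a session key and an expiry.

```python
"""Simplified Kerberos exchange (AS, TGS and AP steps) run in one process.

Added illustration, not from the original post and not real Kerberos: the
cipher below is a toy, the realm, principals, passwords and lifetimes are
assumed values.
"""
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Toy authenticated encryption of a JSON-serialisable object (not for real use)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

REALM_SALT = b"EXAMPLE.ORG"      # assumed realm name, used as key-derivation salt
TICKET_LIFETIME = 8 * 3600       # assumed ticket validity in seconds
CLOCK_SKEW = 300                 # authenticators older than this are rejected

# KDC database: the long-term key of every principal in the realm (assumed values).
KDC_KEYS = {
    "alice": key_from_password("correct horse battery", REALM_SALT),
    "krbtgt": os.urandom(32),          # key of the ticket-granting service
    "http/files": os.urandom(32),      # key of an application service
}
# The service holds a copy of its own key only (shared with the KDC at enrolment).
SERVICE_KEYS = {"http/files": KDC_KEYS["http/files"]}

def _ticket(svc_key, client, session):
    return encrypt(svc_key, {"client": client, "key": session.hex(),
                             "expires": time.time() + TICKET_LIFETIME})

def _check(ticket_key, ticket, authenticator):
    """Open a ticket with the service's key, then the authenticator with the session key."""
    t = decrypt(ticket_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(a["time"] - time.time()) > CLOCK_SKEW:
        raise ValueError("bad authenticator")
    return t, a

def kdc_as_exchange(client):
    """AS-REQ/AS-REP: issue a TGT; only the client's key opens the session-key part."""
    session = os.urandom(32)
    return encrypt(KDC_KEYS[client], {"key": session.hex()}), _ticket(KDC_KEYS["krbtgt"], client, session)

def kdc_tgs_exchange(tgt, authenticator, service):
    """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
    t, _ = _check(KDC_KEYS["krbtgt"], tgt, authenticator)
    session = os.urandom(32)
    return encrypt(bytes.fromhex(t["key"]), {"key": session.hex()}), _ticket(KDC_KEYS[service], t["client"], session)

def service_ap_exchange(service, ticket, authenticator):
    """AP-REQ/AP-REP at the service: verify, then prove possession of the session key."""
    t, a = _check(SERVICE_KEYS[service], ticket, authenticator)
    return t["client"], encrypt(bytes.fromhex(t["key"]), {"time": a["time"]})

def client_login(user, password, service):
    """Run the whole exchange from the client's side; return the authenticated client name."""
    k_user = key_from_password(password, REALM_SALT)          # derived locally, never sent
    enc, tgt = kdc_as_exchange(user)
    tgs_key = bytes.fromhex(decrypt(k_user, enc)["key"])     # wrong password -> bad tag here
    enc2, ticket = kdc_tgs_exchange(tgt, encrypt(tgs_key, {"client": user, "time": time.time()}), service)
    svc_key = bytes.fromhex(decrypt(tgs_key, enc2)["key"])
    now = time.time()
    who, ap_rep = service_ap_exchange(service, ticket, encrypt(svc_key, {"client": user, "time": now}))
    if decrypt(svc_key, ap_rep)["time"] != now:                # mutual authentication
        raise ValueError("service did not prove it holds the session key")
    return who

if __name__ == "__main__":
    print("authenticated as", client_login("alice", "correct horse battery", "http/files"))
```

The timestamps in the authenticators are what limit replay, which is why real Kerberos deployments depend on synchronized clocks; the expiry in each ticket is what bounds the damage if a ticket is stolen.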

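The access criteria described above (job role, location and time), as an added example that is not from the original post: a default-deny decision function that checks a role-based entitlement first and then the source network and the time of day. The roles, permissions, the trusted network range and the working hours are assumed values for illustration.

```python
"""Access decision combining job role, network location and time of day.

Added example, not from the original post. Roles, permissions, the trusted
network range and the working hours are assumed values for illustration.
"""
import ipaddress
from datetime import datetime, time

# Role-based entitlements: which (resource, action) pairs each job role may perform.
ROLE_PERMISSIONS = {
    "analyst": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}

# Extra criteria per resource: where a request may come from and when.
RESOURCE_CONSTRAINTS = {
    "payroll-db": {
        "allowed_networks": [ipaddress.ip_network("10.20.0.0/16")],  # assumed office/VPN range
        "hours": (time(8, 0), time(18, 0)),                           # assumed business hours
    },
}

def is_permitted(role, resource, action, src_ip, when_iso):
    """Return (allowed, reason). Default deny: every criterion must pass.
    `when_iso` is the request time as an ISO 8601 string, e.g. 2024-05-01T10:00:00."""
    if (resource, action) not in ROLE_PERMISSIONS.get(role, set()):
        return False, "role not entitled to this action"
    rules = RESOURCE_CONSTRAINTS.get(resource, {})
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "unparseable source address"
    nets = rules.get("allowed_networks")
    if nets and not any(ip in net for net in nets):
        return False, "source network not allowed"
    hours = rules.get("hours")
    when = datetime.fromisoformat(when_iso)
    if hours and not (hours[0] <= when.time() < hours[1]):
        return False, "outside permitted hours"
    return True, "ok"

if __name__ == "__main__":
    for req in [("analyst", "payroll-db", "read", "10.20.5.5", "2024-05-01T10:00:00"),
                ("analyst", "payroll-db", "write", "10.20.5.5", "2024-05-01T10:00:00"),
                ("payroll-admin", "payroll-db", "write", "203.0.113.9", "2024-05-01T10:00:00"),
                ("payroll-admin", "payroll-db", "write", "10.20.1.1", "2024-05-01T22:00:00")]:
        print(req, "->", is_permitted(*req))
```

The order of the checks matters for what the caller learns: the role check comes first so that a request from an untrusted network for a resource the role could never use is denied for the same reason as any other, and an unknown role or resource falls through to a denial rather than an exception.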
6. Security Assessment and Testing

The sixth domain of CISSP is security assessment and testing. As in the other fields, regular assessments are required here. This domain covers audits, security control assessment, and testing reports.

  • Audits - An audit is a repeated process in which an independent professional evaluates and analyzes evidence.
  • Vulnerability Assessment - IT risks are identified and assessed. A vulnerability assessment identifies, quantifies, and prioritizes vulnerabilities.
  • Testing - A well-planned assessment and test strategy provides valuable information about risk and risk mitigation. Evaluation and testing are carried out by a working group called the integrated product team. Testing also verifies the data flow between the application and the system.

7. Security Operations

This domain covers investigations, monitoring and logging, recovery, and change management. In security operations, this tutorial focuses on digital forensics, incident management, and perimeter security:

  • Digital Forensics - Digital data is examined to identify, recover, and analyze evidence, while preserving the integrity of that evidence (for example, by working on verified copies rather than the original media).
  • Incident Management - Incident management works to restore services to normal as quickly as possible. An incident response team is deployed to handle emergencies. Incident response consists of detecting a problem, determining its cause, minimizing the damage, resolving the issue, and documenting each step. The team provides management with the information it needs and helps defend the company against future attacks.
  • Perimeter Security - Perimeter defenses detect and control unauthorized physical access and govern who may enter the facility.

With that, we have explored security operations as a domain. Now, let’s move onto our eighth and final domain. 

8. Software Development Security

As the name suggests, this domain covers security throughout the software development lifecycle. Topics include APIs, malware (including spyware and adware), social engineering attacks, and SQL injection attacks.

  • Application Programming Interface (API) - An API is a collection of protocols and functions used to build applications. Web APIs commonly follow styles such as Representational State Transfer (REST) and Simple Object Access Protocol (SOAP).
  • Malware - This is the general term for malicious software, including viruses, ransomware, and worms. A trojan is a form of malware that disguises itself as legitimate software.
  • Spyware - This is a type of malware that secretly gathers information about the victim and passes it to a third party.
  • Adware - As the name suggests, this is a type of malware that continually displays ads and pop-ups. It is also capable of gathering your information.
  • Social Engineering Attack - This is the art of manipulating people into giving up confidential information. It is broken down into phishing, spear phishing (aimed at specific individuals), and whaling (aimed at senior executives).
  • SQL Injection - In a database-driven application, the attacker supplies input that changes the structure of a SQL query, causing the database server to return or modify data it should not. The standard defense is to use parameterized queries, which keep user-supplied data separate from the SQL statement.

Apart from the full syllabus available online, you can also get CISSP dumps, which are intended to help IT professionals apply the expertise and experience gained over several years to the most recent syllabus.


Originally Published at https://www.aclassblogs.com/2021/05/what-are-cissp-domains.html
