 CISSP
CISSP certification?!  

10 security domains to obtain CISSP certification:

One of the hottest but most difficult-to-achieve IT certifications is the CISSP (Certification for Information System Security Professional) certification. To obtain this certification, you must have three or more years of direct security professional experience, and you must pass a six-hour, 250-question exam covering the 10 security domains in the ISC2 common body of knowledge. Obviously, the CISSP exam isn’t for everyone, but even if you aren’t interested in earning your CISSP certification, it’s worth looking at these 10 security domains.

Security domains 101
If you’re a Windows network administrator, you might assume that a security domain is the type of domain created within a Windows Server environment. However, this isn’t the case. For the purposes of this Daily Drill Down, think of a security domain as just a particular category of security knowledge. ISC2 includes 10 security domains. These security domains are:

  • Access Control Systems and Methodology
  • Telecommunications and Network Security
  • Business Continuity Planning and Disaster Recovery Planning
  • Security Management Practices
  • Security Architecture and Models
  • Law, Investigation, and Ethics
  • Application and Systems Development Security
  • Cryptography
  • Computer Operations Security
  • Physical Security

Although all 10 of the ISC2 domains are related to computer security, not all of the domains refer to things that you can do directly to your network. For example, one of the security domains is Law, Investigation, and Ethics. Obviously, this particular security domain addresses some very important issues, but it has little to do with preventing an attack on your network. Other security domains, such as Cryptography, provide tools that you can use to immediately enhance your network’s security.

As you can see, the security domains all cover different areas of security, but you’re probably wondering what this has to do with security in depth. The idea behind the 10 security domains is that you should treat each security domain as a completely independent entity. Furthermore, as you work on a particular security domain, you should pretend that the other security domains don’t even exist and that the aspects covered by the current security domain are your only line of defense.

So how is this useful? Suppose that a firewall was your network’s only security mechanism. You’d make sure that the firewall was the best that it could be, because it would be your network’s only line of defense.

The same idea applies to the security domains. If you work through the security domains one at a time, pretending that each is your only line of defense, you’ll work extra hard to make sure that you take advantage of every security mechanism available through that domain. In doing so, you’ll create an ultra-secure network consisting of 10 highly secure domains.

Likewise, because you’re focusing on one domain at a time, if a failure or a security breach were to occur in one domain, the integrity of the other domains would be preserved because the other domains were created completely independently.

Of course, this all probably sounds rather abstract at the moment, but as I discuss the individual domains, you’ll get a much better feel for your own organization’s security needs.

Access Control Systems and Methodology
The first security domain, Access Control Systems and Methodology, is the very essence of computer security. This particular security domain deals with protecting critical systems resources from unauthorized modification or disclosure while making those resources available to authorized personnel. On the surface, this particular security domain would appear to include access permissions, user names, and passwords. While these mechanisms are certainly a part of this domain, it includes other, less obvious security mechanisms as well.

While passwords and two-factor authentication are definitely included, so are other authentication solutions. For example, single sign-on (SSO) falls within this domain. Biometrics would also be included in the Access Control Systems and Methodology domain.

Telecommunications and Network Security
One of the largest and most encompassing of the security domains is the Telecommunications and Network Security domain. It’s easy to think of passwords when you think of network security. However, remember that each domain is completely independent of the other domains and that passwords are included only in the Access Control Systems and Methodology domain. Instead, the Telecommunications and Network Security domain focuses on communications, protocols, and network services, and the potential vulnerabilities associated with each.

While the security of communications protocols is certainly a big issue, there are other topics associated with this domain that you might not expect. One such topic is perimeter security. Perimeter security includes any form of access to your network from the outside world, whether it’s by passing through a firewall, a remote access server, or a wireless access point. Of course, you can’t really address perimeter security without also addressing extranet access control and Internet-based attacks. Therefore, these issues are also included in this domain.

Business Continuity Planning and Disaster Recovery Planning
The next security domain is Business Continuity Planning and Disaster Recovery Planning. The first time that I saw Business Continuity and Disaster Recovery on a list of security domains, it seemed rather strange to me. After all, security is supposed to be all about keeping out the bad guys, right? However, as I explained earlier, the 10 security domains are designed to address all issues associated with computer security, not just those issues pertaining to passwords, hackers, and the like.

The primary issues involved in this domain are those related to dealing effectively with catastrophic systems failures, natural disasters, and other types of service interruptions. As an administrator, it’s up to you to figure out what network-related services are critical to the survival of the organization. Once you’ve identified those critical services, you must figure out how to make them available after natural disasters like fires, floods, and earthquakes, and man-made disasters like terrorist attacks.

Planning for business continuity involves things like testing backup media, planning backup sites, developing off-site data storage facilities, and coming up with a place where your company can temporarily set up shop after a disaster.

You could say that business continuity planning and disaster-recovery security involve your organization’s very survival, not just the security of its data. However, data security is an issue in this security domain as well. After all, each night you back up your most sensitive data to a tape or some other backup media. What’s to keep someone from stealing that tape and restoring your data to another computer that isn’t even a part of your network? As you can see, the security of your backups is a consideration within this security domain.

Security Management Practices
The next security domain is Security Management Practices. This particular domain is one of my favorites because it’s so often overlooked. The Security Management Practices domain has less to do with computers than with people.

The primary focus of this domain is security awareness. This means educating your IT staff and end users about security threats. Some examples of security education might be explaining to users how to deal with the latest e-mail virus or how to spot a social engineering operation.

Another aspect of the Security Management Practices domain is risk assessment. Risk assessment means keeping a constant lookout for anything that could be a potential security problem, and then doing something about it.

There’s a people-oriented aspect to Security Management Practices as well. Remember that a well-organized security team operates much more efficiently during a potential security crisis than a security team in which no one knows who’s supposed to be doing what and when.

Security Architecture and Models
The Security Architecture and Models domain focuses mostly on having security policies and procedures in place. This particular security domain involves policy planning for just about every type of security issue that I’ve discussed here. Desktop security policies, data backup security issues, and antivirus planning would all be examples of the types of policies that you’d develop as a part of this security domain.

Law, Investigation, and Ethics
One of the more interesting security domains is Law, Investigation, and Ethics. As the name implies, this security domain covers the legal issues associated with computer security. For example, suppose that someone were to break into your network. In such a case, you’d need to know not only whom to report the crime to, but also something about net forensics and what constitutes an acceptable chain of evidence that will hold up in court.

The Law, Investigation, and Ethics security domain addresses internal security practices as well. Among those areas of coverage are topics like employee surveillance and privacy laws.

Application and Systems Development Security
The Application and Systems Development Security domain covers things like database security models and the implementation of multilevel security for in-house applications. This domain also addresses some other very interesting issues.

The first issue that this domain takes into account is what happens when an application needs a different set of permissions than the user who’s running the application. For example, if the application requires read, write, and execute permissions to a specific directory, and the end user only has read permissions to that directory, then the user has a problem. Traditionally, this problem has been solved through the use of service accounts, but even working with service accounts can pose security risks.

Another issue covered by this security domain is the integrity of the programming staff. How do you ensure that your programmers aren’t embedding spyware into their applications? For example, you wouldn’t want your programming staff adding code to a program that was designed to e-mail them your client’s credit card numbers. Usually, it’s best to handle these types of integrity issues through employee background checks and policies and procedures.

As you can see, there are no easy answers to the situations that I’ve presented in this section. However, the Application and Systems Development Security domain is designed to help you understand and defend yourself against these types of issues.

Cryptography
One of the most widely used security techniques today is cryptography, the encryption of data. The Cryptography security domain is designed to help you understand how and when to use encryption. This domain also covers the various types of encryption and the mathematics behind them. One of the more interesting issues addressed by this domain is key management procedures in a PKI environment. After all, all of the encryption in the world won’t do you any good if your encryption keys aren’t secure.

Computer Operations Security
The Computer Operations Security domain is one of those domains that are easy to define but tough to master. Computer operations security covers all of those things that happen while your computers are running. An example of this would be the damage that could occur from malicious Java script or other mobile code. Also included in this domain are any holes that could make it possible for a hacker to bring down any part of your network, as in a denial-of-service attack.

Physical Security
On occasion, I’ve heard physical security described as the three G’s: gates, guards, and guns. Physical security primarily addresses questions about physical access to your servers and workstations. For example, are the servers behind a locked door? Are there guards on duty? Is there any mechanism for logging whoever goes into the computer room?

It’s easy to look at the topic of physical security and just dismiss it. After all, during all the years that I’ve worked in IT, I’ve seen only a few companies whose servers weren’t behind a locked door. However, locks alone aren’t the answer. The lesson here is to take a long, hard look at your organization’s physical security and see if it’s really up to par.

Safe and secure
Now that I’ve shown you the 10 security domains, you hopefully have a better understanding of how focusing on each one individually can help your organization achieve an overall higher level of security.

If you’d like more information on the various security domains, specifically how-to information, go to ISC2, the official Web site of the International Information Systems Security Certification Consortium. The Web site contains detailed information about the CISSP certification and the courses you can take to help you pass it.

The Registration Process?!

Registering your copyright is fairly straightforward. To register your copyright, you must send three items in the same package to the Copyright Office:
  1. a completed application,
  2. a deposit of your song or sound recording, and
  3. the filing fee.

It will take the Copyright Office approximately six months to process your application and send you a certificate of registration. However, the effective date of your registration is the date on which the Copyright Office receives your completed application package.

The Application Form
Copyrights in sound recordings are always registered on Copyright Form SR. Copyrights in songs are usually filed on Copyright Form PA. However, if you are the copyright owner of both the song and the sound recording of that song, you can use Copyright Form SR to register both elements together. By registering the song and sound recording together, you will pay one filing fee instead of two. Another way to avoid multiple filing fees is to register several of your unpublished songs or sound recordings as a collection on one Form PA or Form SR.

The Copyright Office will give you free applications along with detailed instructions for completing them. You can get the forms from the Copyright Office's internet site. You can also request the forms by calling the Copyright Office's forms and publication hotline at 202-707-9100, or by writing to the Copyright Office at the following address:

Library of Congress
Copyright Office
101 Independence Avenue, SE,
Washington, DC 20559

The Deposit of Your Song or Sound Recording
Your deposit consists of samples of your song or sound recording. The deposit requirement is usually one copy for unpublished works and two copies for published works. A sound recording should be deposited on a phonorecord (such as a cassette tape, CD, LP, or disk as well as other formats). A song can be deposited either in notation form on lead sheet or sheet music, or in the form of a phonorecord.

For Additional Information
The Copyright Office publishes several information circulars about copyrights in songs and sound recordings. You can get the information circulars by calling the forms and publication hotline at 202-707-9100, or through the Copyright Office's internet site. Here are some of the information circulars that may be most helpful to musicians:

  • Circular 50, Copyright Registration of Musical Compositions
  • Circular 56, Copyright Registration of Sound Recordings
  • Circular 56a, Distinction Between Copyright Registration of Musical Compositions and Sound Recordings 

design & copyright: 4ReelMedia Inc. - the | absolute | multimedia development firm