OFFICIAL (ISC)2® GUIDE TO THE CISSP®-ISSEP® CBK®

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: orders@crcpress.com

Asset Protection and Security Management Handbook, POA Publishing, ISBN: 0-8493-1603-0
Building a Global Information Assurance Program, Raymond J. Curts and Douglas E. Campbell, ISBN: 0-8493-1368-6
Building an Information Security Awareness Program, Mark B. Desman, ISBN: 0-8493-0116-5
Critical Incident Management, Alan B. Sterneckert, ISBN: 0-8493-0010-X
Cyber Crime Investigator's Field Guide, Second Edition, Bruce Middleton, ISBN: 0-8493-2768-7
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Albert J. Marcella, Jr. and Robert S. Greenfield, ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing, James S. Tiller, ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks, Susan Young and Dave Aitel, ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization, Jan Killmeyer Tudor, ISBN: 0-8493-9988-2
Information Security Fundamentals, Thomas R. Peltier, ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition, Harold F. Tipton and Micki Krause, ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, Thomas R. Peltier, ISBN: 0-8493-1137-3
Information Security Risk Analysis, Thomas R. Peltier, ISBN: 0-8493-0880-1
Information Technology Control and Audit, Second Edition, Fredrick Gallegos, Daniel Manson, Sandra Allen-Senft, and Carol Gonzales, ISBN: 0-8493-2032-1
Investigator's Guide to Steganography, Gregory Kipper, ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment, Thomas Peltier, Justin Peltier, and John A. Blackley, ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth, Cliff Riggs, ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance, Kevin Beaver and Rebecca Herold, ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance, Debra S. Herrmann, ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions, Rebecca Herold, ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services, John R. Vacca, ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers, Peter T. Davis, ISBN: 0-8493-1290-6
Strategic Information Security, John Wylder, ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition, Amanda Andress, ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks, James S. Tiller, ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation, Debra S. Herrmann, ISBN: 0-8493-1404-6

OFFICIAL (ISC)2® GUIDE TO THE CISSP®-ISSEP® CBK®
Susan Hansche, CISSP-ISSEP
Boca Raton, New York

(ISC)2, CISSP, ISSEP, and CBK are registered trademarks of the International Information Systems Security Certification Consortium.

Published in 2006 by Auerbach Publications, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2006 by Taylor & Francis Group, LLC. Auerbach is an imprint of Taylor & Francis Group. No claim to original U.S. Government works.

Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1

International Standard Book Number-10: 0-8493-2341-X (Hardcover)
International Standard Book Number-13: 978-0-8493-2341-6 (Hardcover)
Library of Congress Card Number 2005041144

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Hansche, Susan.
Official (ISC)2 guide to the CISSP-ISSEP CBK / Susan Hansche.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2341-X (alk. paper)
1. Electronic data processing personnel -- Certification. 2. Computer security -- Examinations -- Study guides. I. Title: Official ISC squared guide. II. Title.
QA76.3.H364 2005
005.8 -- dc22
2005041144

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Publications Web site at http://www.auerbach-publications.com

Taylor & Francis Group is the Academic Division of T&F Informa plc.
This book is dedicated to my late father, Sam Hansche, who encouraged me to do my best and gave me confidence to believe in myself, and my mother, Sandra Montgomery, who showers me with love and support.

Table of Contents

Preface
About the Author

ISSE Domain 1: Information Systems Security Engineering (ISSE) Overview
  Contributors and Reviewers

1 ISSE Introduction
  Introduction
  SE and ISSE Overview
  IEEE 1220 Overview
  The ISSE Model
  Basic SE and ISSE Principles
    Principle 1: Always keep the problem and the solution spaces separate
    Principle 2: The problem space is defined by the customer's mission or business needs.
    Principle 3: The systems engineer and information systems security engineer define the solution space driven by the problem space
  Life Cycle and ISSE
  NIST SP 800-27, Rev. A: Engineering Principles
  Risk Management
  Defense in Depth
    People
    Technology
    Operations
    Defense in Multiple Places
    Layered Defenses
    Security Robustness
    Deploy KMI/PKI
    Deploy Intrusion Detection Systems
  Summary
  References

2 ISSE Model Phase 1: Discover Information Protection Needs
  Introduction
  Systems Engineering Activity: Discover Needs
  ISSE Activity: Discover Information Protection Needs
    Task 1: Define the Customer's Mission/Business Needs
    Task 2: Define the Information Management
      From Mission Needs to Information Management Needs
      Creating an Information Management Model (IMM)
        Step 1: Identify Processes
        Step 2: Identify the Information Being Processed
          FIPS 199
          NIST SP 800-60
          NIST SP 800-59
          DoD Mission Assurance Categories (MACs)
          Information Domains
        Step 3: Identify the Users of the Information and the Process
    Task 3: Define the Information Protection Policy (IPP)
      Conducting the Threat Analysis and Developing the Information Protection Policy
        Potential Harmful Events (PHEs)
        Harm to Information (HTI)
      Identifying Security Services and Developing the Information Protection Policy
        Security Services
          Access Control
          Confidentiality
          Integrity
          Availability
          Non-Repudiation
          Security Management
        Additional Security Controls
      Creating the Information Protection Policy (IPP)
        Creating the IPP Document
          Introduction
          General Policies
          Establish Roles and Responsibilities
          Identify Decision Makers
          Define Certification and Accreditation (C&A) Team Members and Procedures
          Identify Information Domains and Information Management
          Identify Security Service Requirements
          Signatures
    The Information Management Plan (IMP)
  Final Deliverable of Step 1
  Summary
  References

3 ISSE Model Phase 2: Define System Security Requirements
  Introduction
  System Engineering Activity: Defining System Requirements
    Defining the System Context
      IEEE 1220: 5.1.1.1 System Concept
    Define System Requirements
      Define Customer Expectations (Task 6.1.1)
      Define Constraints (Tasks 6.1.2 and 6.1.3)
      Define Operational Scenarios (Task 6.1.4)
      Define Measures of Effectiveness (MOEs) (Task 6.1.5)
      Define System Boundaries (Task 6.1.6)
      Define Interfaces (Task 6.1.7)
      Define Utilization Environments (Task 6.1.8)
      Define Life-Cycle Process Concepts (Task 6.1.9)
      Define Functional Requirements (Task 6.1.10)
      Define Performance Requirements (Task 6.1.11)
      Define Modes of Operations (Task 6.1.12)
      Define Technical Performance Measures (Task 6.1.13)
      Define Design Characteristics (Task 6.1.14)
      Define Human Factors (Task 6.1.15)
      Establish Requirements Baseline (Task 6.1.16)
    Define Design Constraints
    The Preliminary System Concept of Operations (CONOPS)
  ISSE Activity: Defining System Security Requirements
    Define the System Security Context
    Define System Security Requirements
    Define the Preliminary System Security CONOPS
  Final Deliverable of Step 2
  Summary
  References

4 ISSE Model Phase 3: Define System Security Architecture
  Introduction
  Defining System and Security Architecture
    Defining System Architecture
    Defining System Security Architecture
    Guidelines for Designing System Architectures from DoDAF and FEAF
      DoD Architectural Framework
      Federal Enterprise Architecture Framework (FEAF)

[...]

... assurance problems. According to the IATFF, "The ultimate objective of the IATFF is to agree on a framework for information assurance solutions that meet customers' needs and foster the development and use of solutions that are compatible with the framework" (IATFF Introduction, p. 1).

Figure D1.1 IATF relationship to GIG policy (Source: From...

... throughout the system life cycle and provides mechanisms for identifying and evolving security products and processes. An ISSEP follows and practices the ISSE model to ensure that security is included in the life cycle of systems. Regardless of where in its life cycle the system is, the ISSEP provides security expertise to analyze the protection...

... play a role in protecting the nation's information and information systems.

Susan Hansche
September 2005

About the Author

Susan Hansche, CISSP-ISSEP, is the training director for information assurance at Nortel PEC Solutions in Fairfax, Virginia. She is the lead author of The Official (ISC)2 Guide to the CISSP Exam, which is a reference for professionals in the information systems security...
... between (ISC)2 and the National Security Agency. If you are performing ISSEP or other information systems security work for the USG, you should take the time to read the entire policies in more detail. Remember you are responsible for the implementation of information security policies. If your organization requires you to follow a specific policy or guideline, it is absolutely necessary that you take the...

... adds a security element into each phase of the system life cycle. Regardless of your specific background, the principles described throughout the book will be beneficial in all aspects of performing the role of an information systems security professional. One does not need to be a systems engineer to understand the ISSE framework, nor does one need to be a systems engineer to find the ISSE framework useful...

... to take the Information Systems Security Engineering Professional® (ISSEP) exam. As the book began to take shape, I realized it was developing into more than just a study book for the ISSEP exam. It had become an encompassing overview of information systems security for the federal government sector, which has been the focus of my career as an information systems security professional. By the time I took...

... Essentially, the IATF outlines the requirements and activities necessary to provide Information Assurance (IA) to the system life-cycle phases. The IATF is supported by the Information Assurance Technical Framework Forum (IATFF). The IATFF is a National Security Agency (NSA) sponsored outreach activity created to foster dialog among U.S. government agencies, U.S. industry, and U.S. academia that provide their customers...

...
  What a WBS Is Not
  Other Work Breakdown Structures
  Milestones
  Development of Project Schedules
  Preparation of Cost Projections
  Technical Management Tools
    Scheduling Tools
      The Gantt Chart
      The PERT Chart
      PERT...

... obtained by the way the system is built)
  2 Properties (can be obtained by the way the system is built)
  3 Analysis (can be obtained by an analysis of system descriptions for conformance to requirements and vulnerabilities)
  4 Testing (can be obtained by testing the system itself to determine operating characteristics and to find vulnerabilities)
  5 Guidance (can be obtained by the way the system...

... outlines of the threats, requirements, and recommended solutions for a variety of specific protection needs in specific environments. Appendix G discusses the Common Criteria Protection Profiles for a system or product. The IATF is considered an evolving document; thus, some sections are still in development and continue to be updated by the IATFF.