Category Archives: CISSP

Controlling Access to Information and Functions

Computer systems, databases, and storage and retrieval systems contain information that has some monetary or intrinsic value. After all, the organization that has acquired and set up the system has expended valuable resources to establish and operate the system. After undergoing this effort, one would think that the organization would wish to control who can access the information that it has collected and stored.

Access controls are used to control access to information and functions. In simplistic terms, the steps undertaken are something like this:

  1. Reliably identify the subject (e.g., the person, program, or system)
  2. Find out what object (e.g., information or function) the subject wishes to access
  3. Determine whether the subject is allowed to access the object
  4. Permit (or deny) the subject’s access to the object
  5. Repeat

The actual practice of access control is far more complex than these five steps. This is due primarily to the high-speed, automated, complex, and distributed nature of information systems. Even in simple environments, information often exists in many forms and locations, and yet these systems must somehow interact and quickly retrieve and render the desired information, without violating any access rules that are in place. These same systems must also be able to quickly distinguish “friendly” accesses from hostile and unfriendly attempts to access—or even alter—this same information.

The success of an access control system is completely dependent upon the effectiveness of the business processes that support it. User access provisioning, review, and revocation are key activities that ensure only authorized persons may have access to information and functions.

— excerpt from an upcoming textbook on information systems security

Compliance risk, the risk management trump card

Bookmark This (opens in new window)

Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S. based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm Leach Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes, the risk associated with a specific control (or lack of a control) may be rated as a low risk, either because the probability of a risk event is low, or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be enacted anyway, then the organization must consider the compliance risk. The risk of non-compliance may result in fines or other sanctions against the organization, which may (or may not) have consequences greater than the actual risk.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

I’m back, after a year off

Bookmark This (opens in new window)

After teaching the UW Information Systems Security certification course for two years, completing CISSP For Dummies (3rd edition), CISA All-In-One Exam Guide and CISSP Guide to Security Essentials, I was burned out and needed a year off. I didn’t do any public speaking either, which means interrupting an eight year run speaking for SecureWorld Expo in Seattle and other cities. But, I needed time for my family and for me.

Earlier this year we purchased an RV and spent about 40 nights in it all over Washington State, including American River, Whidbey Island, Vasa Resort, Ames Lake, Alder Lake, Riffe Lake, and Kitsap Memorial State Park. We spent much of this time with good friends whose company we enjoy very much.

My wife and I went on several motorcycle rides, although none were overnight trips as I had hoped. Still, we were blessed with great weather and safe riding.

One one particularly nice weekend day, I took a very early morning ride up Mt. Rainier, arriving at Paradise Lodge at around 8am. There was practically no traffic on the way up the mountain – the entire two lane highway was mine.

After writing twenty-two books in ten years, my list of honey-do’s around the house was growing, and I got a lot of things done in this department.

We have also become parents – of four lovely society finches that are the offspring of a mating pair we purchased last year. We also have zebra finches, parakeets, quail, and an african weaver. None of these others have had chicks yet, but we’re still hopeful.

We also had an exchange student from the Czech Republic stay in our home for a year. She arrived in mid August 2009 and returned home in July 2010. This was a great experience for everyone. She was a member of our family and she participated in everything we all do together.

Today I completed the draft manuscript for a book on security technology that will be published in December or January. This was a short project that took just a few weeks.  Today I met with my literary agent to plan the next five years of my writing. My business manager and I are both quite excited about the next few years.

While I took the year off of bookwriting, I was still involved in some other things. I’m a member of the Cloud Security Alliance and contributed to its Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, and am a member of the Cloud Security Alliance Certification Board. I also earned the CRISC (Certified in Risk, Information Security, and Control), a new certification offered by ISACA (Information Systems Audit and Control Association), which I’ve been a member of since 2002.

Certification and Experience: Putting the Cart Before the Horse

Bookmark This (opens in new window)

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group

CISSP Study Group Formed

Seattle (WA USA) Sept 8, 2009. Noted security expert Peter H. Gregory, CISA,
CISSP, DRCE who started CISA and CISM certification study groups in 2002, has
launched a CISSP certification study group. Like the CISA and CISM groups, the
new CISSP study group is hosted by Yahoo Groups.

This group is for technology and security professionals who are interested in
learning more about the CISSP certification, as well as for instructors who
teach courses on information security. People who are already certified are also
invited to join as “mentors” who can help those who are just starting out.

People who are interested in joining the group may go to the following URL:

http://groups.yahoo.com/group/CISSP-study/join

People who are already members may go to the group at this URL:

http://groups.yahoo.com/group/CISSP-study

The CISSP Study group will have the following features:

* Message archive
* Moderated messages (no spam)
* Files upload
* Links pages
* Surveys

Only active members of the group may access these features.

Information that will be discussed in the forum include:

* CISSP qualifications
* CISSP study tips
* CISSP study books and courses
* CISSP study questions
* Registering for the certification exam
* Test tips
* Questions on any topic of information and business security

How to study for the CISSP examination

Bookmark This (opens in new window)

Whitepaper by Ernie Hayden, a noted security expert, on studying for the CISSP exam.

Download here (PDF)

Is the CISSP certification still relevant?

Bookmark This (opens in new window)

Some argue that, because more people have earned it, the CISSP certification is becoming less relevant.

The CISSP certification is not less relevant because more people are passing it – more people are passing it because there is a much higher demand for CISSP-certified professionals than at any time in the past. Information and business security are far more relevant than in the past, because more organizations are using information systems in increasingly-complex ways to support critical business processes.

In my opinion the growth of CISSPs is still not keeping up with the demand for such professionals. If anything, the certification is MORE relevant now than at any time before.

I disagree with the statement that it will become less relevant. On the contrary, as the number of people who earn the CISSP certification grows, the MORE relevant it will become! Say, for instance, 20 years from now, that 1/3 of all IT professionals have the certification. That would make CISSP *HIGHLY* relevant!

I think that maybe you are asking a completely different question. Today, having a CISSP gives relevance to the individual person who holds it. When CISSP is rare, having it makes the person more relevant. But if CISSP were to become plentiful, that would make the certification far more relevant.

Take MCSE. Lots of IT pros have it. The certification is *highly* relevant – so much so that it is practically a standard. A person who does *not* have the MCSE is not relevant. In many companies you can’t play in the game if you don’t have it. That sounds like high relevance to me.