Thanks to Suliman A. for these great notes!
The best thing to take away from this is: "Ethics and morals are what make a security guy a security guy."
CISSP is a conceptual exam that needs a reasonable, prudent guy with a managerial mindset. A CISSP candidate needs to build his mentality around the following general bullet points and apply them to each and every domain. The list is by no means a full list; you are kindly invited to add yours in the comments, and to debate and contradict those listed, so as to build a more solid mindset for the exam and for real career life as well. The list below is written by me from my humble experience in info. sec., the CISSP study guides, and experts' inputs and ideas:
- Security can never and should never preempt safety. People are the utmost important asset in your organization.
- Info. sec. people are not the ultimate decision-makers; they are more accurately described as advisors who present their recommendations on security initiatives to senior management.
- Senior management, on the other side, are ultimately responsible for approving, steering and overseeing security projects within their corporation. They are the ones held liable for failing to exercise due care and due diligence.
- If your CEO tells you "this year's budget for security is $0", then $0 it is; eventually he is the one who gets sued when his staff falls down the stairs because there was no "CAUTION: Wet Area" yellow sign.
- Security people should always be prudent, take initiative and see what other people can't see.
- Your organization is not here merely to invest in security; it's in the market ONLY to make profit, and security is just another function subject to ROI calculations. So your controls need to be evaluated against those ROI calculations, so that only the most cost-effective controls are selected.
- Security is all about maintaining the CIA triad; threats and risks against this triad should be assessed all the way down the security journey.
- Security is a PROGRAM which is broken into PROJECTS. You cannot treat security as merely a project.
- Your internal staff is the deadliest threat to your security; be aware of them.
- There's NO way you can totally eliminate risk; you do your best to mitigate it in the most cost-effective manner.
- Be it a technical control or a physical control, building those controls around defense-in-depth methodologies is always the best thing to do for your organization.
- Complexity is security's biggest enemy. Make it simple.
- You cannot install a firewall in your back server room and call it a day with "we're safe now". Planning, planning, planning. A security program without a plan is just a mess, an ad-hoc kind of thing, that leads only one way: to a false sense of security.
- Risk assessment is about identifying threats and vulnerabilities to determine appropriate security controls, while risk analysis provides the cost/benefit comparison of those controls (this is where qualitative/quantitative concepts apply). However, only senior management will agree on those controls; our part is to hand the analysis to them.
- You can't tell your senior management "we are facing XSS attacks on our infrastructure so we need an application layer 7 firewall"; senior management only understands figures, numbers and charts.
- Every and any member of your organization is part of your security program umbrella (from the guard up to the CEO).
- Relativity, as it applies in physics, also applies to info. sec. Security goals for military missions can't be the same as those of a pizza restaurant. Also, the CIA triad is relative to each organization, e.g. military facilities care more about the "C" of the triad, while finance and call centers care more about the triad's "I" and "A" respectively, and so on.
- Security needs to be periodically audited and refined. Sometimes your biggest enemy would be the "false sense of security".
- Compliance with the country's laws and legislation takes precedence over compliance with the company's own policies.
- Ethics and morals are what make a security guy a security guy.
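The ROI and risk-analysis points above (controls are selected only when they are cost-effective, and the case is put to management as figures rather than as attack names) can be made concrete with the standard quantitative risk analysis formulas taught for the CISSP exam: SLE = AV × EF, ALE = SLE × ARO, and the value of a safeguard = ALE before − ALE after − annual cost of the safeguard. The code below is an added example written for this post, not part of Suliman's notes; the risk, the candidate controls and every figure in them are constructed sample numbers.

```python
"""Quantitative risk analysis for selecting cost-effective controls.

Added example (not from the original notes). Formulas are the standard CISSP ones:
    SLE   = AV * EF                     single loss expectancy
    ALE   = SLE * ARO                   annualized loss expectancy
    value = ALE_before - ALE_after - ACS net annual value of a safeguard
A control is worth buying only when its value is positive.
All asset values, exposure factors, rates and costs are constructed sample figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # ACS: annualized cost of the safeguard
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place


def ale_after(risk: Risk, control: Control) -> float:
    """ALE that remains after the control; risk is reduced, never eliminated."""
    return risk.asset_value * control.residual_ef * control.residual_aro


def control_value(risk: Risk, control: Control) -> float:
    """Net annual value: ALE reduction minus what the control costs per year."""
    return risk.ale() - ale_after(risk, control) - control.annual_cost


def select_controls(risk: Risk, controls: list) -> list:
    """Controls with a positive net value, best first; the rest are rejected."""
    scored = sorted(((control_value(risk, c), c) for c in controls),
                    key=lambda t: t[0], reverse=True)
    return [c for value, c in scored if value > 0]


def management_summary(risk: Risk, controls: list) -> str:
    """The numbers-only view senior management expects, one line per control."""
    lines = [f"{risk.name}: ALE {risk.ale():,.0f}/yr"]
    for c in controls:
        lines.append(f"  {c.name:<22} cost {c.annual_cost:>9,.0f}  "
                     f"residual ALE {ale_after(risk, c):>9,.0f}  "
                     f"net value {control_value(risk, c):>+10,.0f}")
    return "\n".join(lines)


# Constructed sample scenario: a public web application exposed to XSS defacement.
SAMPLE_RISK = Risk("web app defacement", asset_value=500_000,
                   exposure_factor=0.10, aro=2.0)
WAF = Control("layer 7 firewall", annual_cost=30_000,
              residual_ef=0.10, residual_aro=0.2)
TRAINING = Control("secure coding training", annual_cost=15_000,
                   residual_ef=0.10, residual_aro=1.0)
REWRITE = Control("full application rewrite", annual_cost=150_000,
                  residual_ef=0.05, residual_aro=0.5)
CANDIDATES = [WAF, TRAINING, REWRITE]

if __name__ == "__main__":
    print(management_summary(SAMPLE_RISK, CANDIDATES))
    print("selected:", [c.name for c in select_controls(SAMPLE_RISK, CANDIDATES)])
```

With the sample figures the ALE is 100,000 a year; the firewall and the training both pay for themselves and are kept, while the rewrite reduces risk the most but costs more than the loss it prevents, so it is rejected. That ordering, not the technical merit of each control, is the argument management is being asked to approve.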