Page 1573 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 1: Security Governance Through Principles and Policies
1. The CIA Triad is the combination of confidentiality, integrity, and availability. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, information, or resources. Integrity is the concept of protecting the reliability and correctness of data. Availability is the concept that authorized subjects are granted timely and uninterrupted access to objects. The term CIA Triad is used to indicate the three key components of a security solution.
2. The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions.
3. The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking of all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome.
4. (1) Identify the custodian, and define their responsibilities. (2) Specify the evaluation criteria of how the information will be classified and labeled. (3) Classify and label each resource. Although the owner conducts this step, a supervisor should review it. (4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria. (5) Select the security controls that will be applied to each classification level to provide the necessary level of protection. (6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. (7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.
5. The six security roles are senior management, IT/security staff,