Page 71 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
a challenge. A possible solution to this challenge is to start with prioritizing the three primary security tenets of confidentiality, integrity, and availability. Defining which of these elements is most important to the organization is essential in crafting a sufficient security solution. This establishes a pattern that can be replicated from concept through design, architecture, deployment, and finally, maintenance.

Do you know the priority your organization places on each of the components of the CIA Triad? If not, find out.

An interesting generalization of this concept of CIA prioritization is that in many cases military and government organizations tend to prioritize confidentiality above integrity and availability, whereas private companies tend to prioritize availability above confidentiality and integrity. Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the second or third prioritized items are ignored or improperly addressed. Another perspective on this is discovered when comparing standard IT systems with Operational Technology (OT) systems such as programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA), and Manufacturing Execution Systems (MES) devices and systems used on manufacturing plant floors. IT systems, even in private companies, tend to follow the CIA Triad; however, OT systems tend to follow the AIC Triad, where availability is prioritized overall and integrity is valued over confidentiality. Again, this is just a generalization, but one that may serve you well in deciphering questions on the CISSP exam. Each individual organization decides its own security priorities.


Other Security Concepts


In addition to the CIA Triad, you need to consider a plethora of other security-related concepts and principles when designing a security policy and deploying a security solution.

You may have heard of the concept of AAA services. The three A's in