  • Changes to the CISSP certification, Part II

As we mentioned in our January article published on this site (http://www.isec.pe/deta_articulos.php?s=28), the CISSP certification has undergone changes. Here are some of the most notable details.

The number of domains has been reduced from 10 to 8, but the CISSP still covers an enormous body of material (possibly even more than before). Each domain has been reorganized and expanded with additional content.

The 2015 CISSP update brings a new perspective to every domain. With very few exceptions, the old domains are gone. The material they covered is not: it remains essentially the same, but it is now organized from a different point of view.

The CISSP has always been a management-level certification that requires an understanding of many topics across a broad range of requirements. With this update, the CISSP is among the certifications that cover the widest span of security knowledge, and each domain is now supposedly somewhat easier to manage and easier to understand.

In essence, the exam itself is unchanged: up to 6 hours are allowed to complete 250 questions, 25 of which are classified as experimental (pretest) items and are therefore not scored. The passing score is 700 out of 1000, and wrong answers are not penalized.

The CISSP certification is valid for three years. During that 3-year cycle, 120 continuing professional education (CPE) credits must be earned, with a minimum of 20 CPEs per year.

To sit the exam, a candidate must have at least 5 years of experience in 2 of the domains; candidates holding a university degree need 4 years of experience.

CISSP 2015 Domains

There are now 8 domains. All of them have been reordered and completely rewritten. Here is a review of each one.

Domain 1: Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)

  • Confidentiality, integrity, and availability concepts
  • Security governance principles
  • Compliance
  • Legal and regulatory issues
  • Professional ethics
  • Security policies, standards, procedures and guidelines

Domain 2: Asset Security (Protecting Security of Assets)

  • Information and asset classification
  • Ownership (e.g. data owners, system owners)
  • Protect privacy
  • Appropriate retention
  • Data security controls
  • Handling requirements (e.g. markings, labels, storage)

Domain 3: Security Engineering (Engineering and Management of Security)

  • Engineering processes using secure design principles
  • Security models fundamental concepts
  • Security evaluation models
  • Security capabilities of information systems
  • Security architectures, designs, and solution elements vulnerabilities
  • Web-based systems vulnerabilities
  • Mobile systems vulnerabilities
  • Embedded devices and cyber-physical systems vulnerabilities
  • Cryptography
  • Site and facility design secure principles
  • Physical security

Domain 4: Communication and Network Security (Designing and Protecting Network Security)

  • Secure network architecture design (e.g. IP & non-IP protocols, segmentation)
  • Secure network components
  • Secure communication channels
  • Network attacks

Domain 5: Identity and Access Management (Controlling Access and Managing Identity)

  • Physical and logical assets control
  • Identification and authentication of people and devices
  • Identity as a service (e.g. cloud identity)
  • Third-party identity services (e.g. on-premise)
  • Access control attacks
  • Identity and access provisioning lifecycle (e.g. provisioning review)

Domain 6: Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

  • Assessment and test strategies
  • Security process data (e.g. management and operational controls)
  • Security control testing
  • Test outputs (e.g. automated, manual)
  • Security architectures vulnerabilities

Domain 7: Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)

  • Investigations support and requirements
  • Logging and monitoring activities
  • Provisioning of resources
  • Foundational security operations concepts
  • Resource protection techniques
  • Incident management
  • Preventative measures
  • Patch and vulnerability management
  • Change management processes
  • Recovery strategies
  • Disaster recovery processes and plans
  • Business continuity planning and exercises
  • Physical security
  • Personnel safety concerns

Domain 8: Software Development Security (Understanding, Applying, and Enforcing Software Security)

  • Security in the software development lifecycle
  • Development environment security controls
  • Software security effectiveness
  • Acquired software security impact

New content in CISSP 2015

The content added on top of the existing material is as follows:

1. Security and Risk Management

  • Compliance
  • Data breaches
  • Conducting a Business Impact Analysis (BIA)
  • Implementation
  • Continuous improvement
  • Threat modeling
      • Determining potential attacks
      • Performing a reduction analysis
      • Technologies and processes used to remediate threats
  • Integrating security risk considerations into acquisition strategy and practice
  • Third-party assessments
  • Minimum security requirements
  • Service-level requirements
  • Appropriate levels of awareness, training, and education within an organization
  • Periodic reviews for content relevancy

2. Asset Security

  • Data owners
  • Data processors
  • Data remanence
  • Baselines
  • Scoping and tailoring
  • Standards selection

3. Security Engineering

  • Implementing and managing an engineering lifecycle using security design principles
  • Large-scale parallel data systems
  • Cryptographic systems
  • Assessing and mitigating vulnerabilities in mobile systems
  • Embedded devices and cyber-physical systems
  • Digital Rights Management (DRM)
  • Designing and implementing facility security
  • Wiring closets

4. Communications and Network Security

  • Converged protocols
  • Software-defined networks
  • Content distribution networks
  • Physical devices
  • Virtualized networks

5. Identity and Access Management

  • Controlling physical and logical access to assets
  • Registration and proof of identity
  • Credential management systems
  • Integrating Identity as a Service
  • Integrating third-party identity services
  • Preventing or mitigating access control attacks

6. Security Assessment and Testing

  • Assessment and testing strategies
  • Security control testing
  • Log reviews
  • Code review and testing
  • Negative testing
  • Misuse case testing
  • Test coverage analysis
  • Interface testing
  • Collecting security process data
  • Account management
  • Management review
  • Key performance and risk indicators
  • Analyzing and reporting test output

7. Security Operations

  • Understanding the requirements for various investigation types
      • Operational
      • Criminal
      • Civil
      • Regulatory
      • Electronic Discovery (eDiscovery)
  • Continuous monitoring
  • Egress monitoring
  • Securing the provisioning of resources
      • Configuration management
      • Physical assets
      • Virtual assets
      • Cloud assets
      • Application provisioning
  • Service Level Agreements (SLA)
  • Hardware and software asset management
  • Mitigation
  • Lessons learned
  • Whitelisting/Blacklisting
  • Third-party security services
  • Sandboxing
  • Honeypots/Honeynets
  • Antimalware
  • Testing a Disaster Recovery Plan
      • Read-through
      • Walk-through
      • Simulation
      • Parallel
      • Full interruption

8. Software Development Security

  • Integrated product teams
  • Code repositories
  • Application Programming Interfaces (APIs)
  • Acceptance testing
  • Assessing software acquisition security

ISEC.PE

ALL RIGHTS RESERVED ©2022