ISSAP by Mind Map: ISSAP

1. Domain 1 - Access Control Systems and Methodology

1.1. Access Control Concepts

1.1.1. Subject - WHO?

1.1.2. Object - WHAT?

1.1.3. Rights (what a subject is allowed to do, e.g. the right to create a user) - HOW?

1.1.4. Permissions (a subject's R/W/X on a given object) - HOW?

1.1.5. Access Control List - RWX

1.1.6. Access Control on OSI model

1.1.7. ACL List

1.1.8. ACL Repository

1.2. Access Control Mechanisms

1.2.1. Mandatory Access control (Labels)

1.2.2. Discretionary Access Control - DAC (Object Owner decides) | evaluates ACL

1.2.2.1. DAC Implementation Strategies

1.2.2.1.1. Limit access to essential objects

1.2.2.1.2. Label data

1.2.2.1.3. Filter information

1.2.2.1.4. Policy

1.2.2.1.5. Monitoring

1.2.2.2. CACLS tool (Windows command-line ACL editor) - execute problem

1.2.2.2.1. Configuration files

1.2.2.2.2. Windows registry

1.2.2.2.3. Services

1.2.2.2.4. Data

1.2.2.2.5. Solutions

1.2.3. Non-Discretionary Access Control (centrally administered; not at the object owner's discretion)

1.2.3.1. RBAC (roles)

1.2.3.2. ORCON (Originator Controlled: consent of the originator is required for further release)

1.2.3.3. DRM (Digital Rights Management; cryptographically enforced)

1.2.3.4. UCON (Usage Control: limits how, and how often, an object may be used)

1.2.3.5. Rule-based (Firewalls / VPNs) | evaluates activity

1.2.4. Least Functionality

1.2.5. Least Privilege (only the minimum rights needed for the task)

1.2.6. Separation of Duties
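
The mechanisms in 1.2 are easiest to see side by side in code. The block below is an added example, not part of the mind map: a minimal role-based policy (1.2.3.1) built so that every role carries only what its job needs (1.2.5) and a static separation-of-duties pair (1.2.6) is enforced at role assignment. The roles, permissions and user names are hypothetical.

```python
"""Added example (not part of the mind map): a minimal role-based access
control (RBAC, 1.2.3.1) policy that also enforces least privilege (1.2.5)
and static separation of duties (1.2.6). Roles, permissions and users are
hypothetical."""

# Role -> permissions as (action, object type). Each role carries only what
# its job needs: a clerk can raise an invoice but never approve one.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "clerk":    {("create", "invoice"), ("read", "invoice")},
    "approver": {("read", "invoice"), ("approve", "invoice")},
    "auditor":  {("read", "invoice"), ("read", "audit_log")},
}

# Static separation of duties: no subject may hold both roles of a pair.
MUTUALLY_EXCLUSIVE = [frozenset({"clerk", "approver"})]


class SoDViolation(Exception):
    pass


class RbacPolicy:
    def __init__(self) -> None:
        self.user_roles: dict[str, set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        proposed = self.user_roles.get(user, set()) | {role}
        for pair in MUTUALLY_EXCLUSIVE:
            if pair <= proposed:
                raise SoDViolation(f"{user} may not hold both {sorted(pair)}")
        self.user_roles[user] = proposed

    def permitted(self, user: str, action: str, obj_type: str) -> bool:
        # Rights come only from roles; an unknown user has none (default deny).
        return any((action, obj_type) in ROLE_PERMISSIONS[r]
                   for r in self.user_roles.get(user, set()))


def demo() -> dict:
    policy = RbacPolicy()
    policy.assign("alice", "clerk")
    policy.assign("bob", "approver")
    results = {
        "alice_creates": policy.permitted("alice", "create", "invoice"),
        "alice_approves": policy.permitted("alice", "approve", "invoice"),
        "bob_approves": policy.permitted("bob", "approve", "invoice"),
        "bob_deletes": policy.permitted("bob", "delete", "invoice"),
        "stranger_reads": policy.permitted("eve", "read", "invoice"),
    }
    try:
        # Would let alice approve her own invoices: blocked by SoD.
        policy.assign("alice", "approver")
        results["sod_enforced"] = False
    except SoDViolation:
        results["sod_enforced"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The check is default-deny: a subject with no role, or a role with no matching permission, gets nothing, which is what makes least privilege auditable (the role table is the whole policy). Enforcing the mutually exclusive pair at assignment time is static SoD; a dynamic variant would instead forbid the same person from being the creator and the approver of one particular invoice.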

1.3. Architecture

1.3.1. AAA

1.3.2. Single Sign-On

1.3.3. Centralized Access Control

1.3.3.1. Proxy Access Control

1.3.3.2. Gatekeeper

1.3.3.3. Access Control Server

1.3.3.4. Protocols

1.3.3.4.1. TACACS

1.3.3.4.2. RADIUS

1.3.3.4.3. EAP

1.3.3.4.4. Kerberos

1.3.3.4.5. SESAME

1.3.3.5. Design Considerations

1.3.4. De-centralized Access Control

1.3.4.1. Distributed | Shared database | Robust | Scalable

1.3.4.2. Design Considerations

1.3.5. Trusted Computing Base

1.3.6. Federated Access Control

1.3.6.1. Design Considerations

1.3.7. Directories and Access Control

1.3.7.1. Design Considerations

1.3.8. Identity Management

1.3.9. Accounting

1.3.9.1. Who? What? Where? When? Effect?

1.4. Access Control Administration and Management Concepts

1.4.1. Access Control Administration

1.4.1.1. Authorized | Monitored | Validated

1.4.1.2. P2P

1.4.2. Database Access

1.4.2.1. Views | Triggers | Stored Procedures

1.5. Inherent Rights

1.6. Granted Rights

1.6.1. Change of Privilege Levels

1.6.2. Groups

1.6.2.1. Role based

1.6.2.2. Task based

1.6.3. Dual Control

1.6.4. Location

1.6.5. Topology

1.6.6. Subnet

1.6.7. Geo consideration

1.6.8. Device types

1.6.8.1. Physical and Logical

1.6.8.2. Network based

1.6.8.3. Third Party Software

1.6.9. Authentication

1.6.9.1. Strength and Weaknesses of Authentication Tools

1.6.9.2. Token based Authentication Tools

1.6.9.2.1. Badges

1.6.9.2.2. Magnetic Stripes

1.6.9.2.3. Proximity Cards

1.6.9.2.4. Common Issues

1.6.9.3. Biometric Authentication

1.6.9.3.1. Performance

1.6.9.3.2. Implementation

1.6.9.3.3. Common Issues

1.6.9.4. Design Validation

1.6.9.5. Architecture Effectiveness Assurance

1.6.9.6. Testing Strategies

1.6.9.7. Testing Objectives

1.6.9.8. Testing Paradigms

1.6.9.9. Repeatability

1.6.9.10. Methodology

1.6.9.11. Developing Test Procedures

1.6.9.12. Risk-Based Considerations

2. Domain 2 - Cryptography

2.1. Principles

2.1.1. Applications of Cryptography

2.1.2. Message Encryption

2.1.3. Secure IP Communication (IPSEC)

2.1.4. Remote Access

2.1.5. Wireless Communication

2.1.6. Other types of Secure Communication

2.1.7. Identification and Authentication

2.1.8. Storage Encryption

2.1.9. Code Signing

2.1.10. Methods of Cryptography

2.1.10.1. Symmetric

2.1.10.2. Block Cipher

2.1.10.3. Stream Cipher

2.1.10.4. Asymmetric

2.1.10.5. Hash and MAC

2.1.10.6. Digital Signatures
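
The distinction between 2.1.10.5's two halves is the one practitioners most often get wrong, so here is an added example (not part of the mind map): a bare SHA-256 hash gives integrity only, while a keyed MAC (HMAC-SHA-256 from the Python standard library) also authenticates the sender, because a valid tag cannot be computed without the shared key. The key, the message and the attacker's edit are constructed for the demonstration.

```python
"""Added example (not part of the mind map): a bare hash gives integrity
only, while a keyed MAC (HMAC-SHA-256 here) also authenticates origin.
The key, the message and the attacker's edit are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed inputs: in practice the key comes from key management (2.2).
KEY = os.urandom(32)
ORIGINAL = b"transfer 100 to account 42"


def hash_tag(message: bytes) -> bytes:
    # Unkeyed: anyone who changes the message can recompute this.
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    # Keyed: computing a valid tag requires the shared secret.
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so the check itself leaks no
    # information about how many tag bytes matched.
    return hmac.compare_digest(mac_tag(key, message), tag)


def attacker_modifies(message: bytes, old_tag: bytes, keyed: bool) -> tuple[bytes, bytes]:
    """An on-path attacker changes the amount. Without the key, the best
    it can do against a MAC is reuse the old tag."""
    forged = message.replace(b"100", b"900")
    return forged, (old_tag if keyed else hash_tag(forged))


def run() -> dict:
    h = hash_tag(ORIGINAL)
    m = mac_tag(KEY, ORIGINAL)
    forged_msg, forged_hash = attacker_modifies(ORIGINAL, h, keyed=False)
    forged_msg2, replayed_mac = attacker_modifies(ORIGINAL, m, keyed=True)
    return {
        "hash_accepts_forgery": verify_hash(forged_msg, forged_hash),        # True
        "mac_rejects_forgery": not verify_mac(KEY, forged_msg2, replayed_mac),  # True
        "mac_accepts_genuine": verify_mac(KEY, ORIGINAL, m),                 # True
    }


if __name__ == "__main__":
    print(run())
```

A MAC still does not give non-repudiation: both parties hold the key, so either could have produced the tag. That is the gap 2.1.10.6 (digital signatures, with a private key held by one party) closes.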

2.2. Key Management

2.2.1. Key Types

2.2.2. Strength and Key Size

2.2.3. Key Life Cycle

2.2.4. Key Creation

2.2.5. Key Distribution

2.2.6. Key Storage

2.2.7. Key Update

2.2.8. Key Revocation

2.2.9. Key Escrow

2.2.10. Backup and Recovery

2.3. Public Key Infrastructure

2.3.1. Key Distribution

2.3.2. Certificates and Key Storage

2.3.3. PKI Registration

2.3.4. Certificate Issuance

2.3.5. Trust Models

2.3.6. Certificate Chains

2.3.7. Certificate Revocation

2.3.8. Cross Certification

2.4. Design Validation

2.4.1. Review of Cryptanalytic Attacks

2.5. Risk-Based Cryptographic Architecture

2.6. Cryptographic Compliance

2.6.1. Standards

2.6.1.1. NIST FIPS 197 (AES)

2.6.1.2. NIST FIPS 140 (security requirements for cryptographic modules)

2.6.1.3. NIST CAVP

2.6.1.4. NIST CMVP

2.6.2. Industry-specific Standards

2.6.2.1. PCI DSS

2.6.2.2. HIPAA

2.6.2.3. EU Data Protection Directive

3. Domain 3 - Physical Security

3.1. Physical Security Risks

3.1.1. Unauthorized access

3.1.1.1. Traffic Monitoring

3.1.1.1.1. Roadway Design

3.1.1.1.2. Parking

3.1.1.1.3. Open Area Parking

3.1.1.1.4. Loading Docks

3.1.1.2. Surveillance Devices

3.1.1.2.1. Infrared Sensors

3.1.1.2.2. Microwave

3.1.1.2.3. Coaxial Strain-Sensitive Cable

3.1.1.2.4. Taut-Wire Systems

3.1.1.2.5. Time Domain Reflectometry Systems

3.1.1.2.6. CCTV

3.1.1.2.7. DVR

3.1.1.2.8. Video Content Analysis

3.1.1.2.9. Guard Force

3.1.1.3. Access Control Systems

3.1.1.3.1. Card Types

3.1.1.3.2. Badge Equipment

3.1.1.3.3. Biometrics

3.1.1.3.4. Access control Head-End

3.1.2. Facility Risk

3.1.2.1. Low Profile

3.1.2.2. Location Hazard

3.1.2.3. Threat Assessment

3.1.2.4. Site Planning

3.1.2.5. Restricted Work Areas

3.1.2.6. Entrances and Exits

3.1.2.7. Mobile Devices

3.2. Protection Plan

3.2.1. Evacuation Drills

3.2.2. Incident Response

3.3. Design Validation

3.3.1. Penetration Tests

3.3.2. Access Control Violation Monitoring

4. Domain 6 - Telecommunications and Network Security

4.1. Voice Communication

4.2. Network Architecture

4.3. Network Design Considerations

5. Domain 5 - BCP and DR

5.1. Risk Analysis

5.1.1. Natural

5.1.2. Industry

5.1.3. Neighbours

5.2. Business Impact Analysis

5.3. Data stored in electronic Form

5.4. Remote Replication and Off-site journaling

5.5. Backup Strategies

5.5.1. Selecting Recovery Strategy

5.6. Cost-Benefit Analysis

5.6.1. Implementing Recovery Strategy

5.6.2. Documenting the Plan

5.6.3. The Human Factor

5.6.4. Logistics

5.6.5. Plan Maintenance

6. Domain 4 - Requirements Analysis and Security Standards

6.1. Risk Analysis

6.1.1. Risk Theory

6.2. Attack Vectors

6.2.1. Attack by email

6.2.2. Attack by Deception

6.2.3. Hoaxes

6.2.4. Hackers

6.2.5. Web Page Attacks

6.2.6. Worms

6.2.7. IRC and P2P

6.2.8. Viruses

6.2.9. Asset and Data Valuation

6.2.10. Context and Data Value

6.2.11. Corporate vs Departmental

6.2.12. Business Legal and Regulatory Requirements

6.2.13. Product Assurance Evaluation Criteria

6.2.13.1. TOE

6.2.13.2. EAL

6.2.13.3. CC Assurance

6.3. ISO 27000 series

6.4. Capability Maturity Model (SEI-CMM)

6.5. ISO 7498 series

6.5.1. Concept of Layered Architecture

6.5.2. PCI DSS

6.5.3. Architectural Solution

6.5.4. Architecture Frameworks

6.5.5. Department of Defense Architecture Framework (DoDAF)

6.5.6. The Zachman Framework

6.5.7. System Security Engineering Methodology

6.5.8. Design Validation

6.5.9. Certification

6.5.10. Peer Reviews

6.5.11. Documentation

7. Write Permission Problem - write permission places no limit on what is written, so a subject granted write access can plant anything, e.g. a virus

8. Read Permission Problem - a subject granted read access can copy the file into a new object it owns, and then grant others access the original owner never authorised
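
Both problems follow from DAC evaluating an owner-managed ACL (1.1.5, 1.2.2). The block below is an added example, not part of the mind map: a toy file store with R/W/X ACLs that reproduces item 8 (read access turns into an uncontrolled copy) and item 7 (write access accepts any content). Users, file names and contents are constructed.

```python
"""Added example (not part of the mind map): a toy discretionary access
control (DAC, 1.2.2) file store whose owner-managed ACLs (1.1.5) hold
R/W/X permissions, used to reproduce the read-permission and
write-permission problems noted in items 7 and 8. Users, file names and
contents are constructed."""
from dataclasses import dataclass, field


@dataclass
class File:
    owner: str
    content: bytes
    acl: dict[str, set[str]] = field(default_factory=dict)  # subject -> {"r","w","x"}


class DacStore:
    def __init__(self) -> None:
        self.files: dict[str, File] = {}

    def create(self, name: str, owner: str, content: bytes) -> None:
        # The creator becomes owner and gets full rights on the new object.
        self.files[name] = File(owner, content, {owner: {"r", "w", "x"}})

    def check(self, subject: str, name: str, perm: str) -> bool:
        # DAC evaluates the object's ACL; absence of an entry means deny.
        return perm in self.files[name].acl.get(subject, set())

    def grant(self, actor: str, name: str, subject: str, perms: set[str]) -> None:
        # Only the owner decides who else gets access (discretionary).
        f = self.files[name]
        if actor != f.owner:
            raise PermissionError(f"{actor} does not own {name}")
        f.acl.setdefault(subject, set()).update(perms)

    def read(self, subject: str, name: str) -> bytes:
        if not self.check(subject, name, "r"):
            raise PermissionError(f"{subject} cannot read {name}")
        return self.files[name].content

    def write(self, subject: str, name: str, content: bytes) -> None:
        if not self.check(subject, name, "w"):
            raise PermissionError(f"{subject} cannot write {name}")
        self.files[name].content = content


def read_permission_problem() -> bool:
    """Alice grants Bob read-only access; Bob copies the data into a file he
    owns and then grants it to Mallory, whom Alice never authorised."""
    fs = DacStore()
    fs.create("payroll.txt", "alice", b"salaries...")
    fs.grant("alice", "payroll.txt", "bob", {"r"})
    fs.create("copy.txt", "bob", fs.read("bob", "payroll.txt"))
    fs.grant("bob", "copy.txt", "mallory", {"r"})
    leaked = fs.read("mallory", "copy.txt") == b"salaries..."
    return leaked and not fs.check("mallory", "payroll.txt", "r")


def write_permission_problem() -> bool:
    """Write access places no limit on what is written: Bob replaces the
    program body, and Alice still has execute permission on the result."""
    fs = DacStore()
    fs.create("tool.exe", "alice", b"legitimate program")
    fs.grant("alice", "tool.exe", "bob", {"w"})
    fs.write("bob", "tool.exe", b"malicious payload")
    return (fs.files["tool.exe"].content == b"malicious payload"
            and fs.check("alice", "tool.exe", "x"))


if __name__ == "__main__":
    print(read_permission_problem(), write_permission_problem())
```

Every individual check here is correct; the leak happens because the ACL is bound to the container, not to the information. Under MAC (1.2.1) the label travels with the data, so Bob's copy would carry the payroll label and Mallory's clearance, not Bob's discretion, would decide the read. That is the contrast the mind map draws between 1.2.1 and 1.2.2.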
