CISSP Exam Preparation Essentials

Mar 3, 2025

CISSP Exam Preparation by Rob Witcher

Overview

  • Presentation by Rob Witcher from Destination Certification.
  • Aim: Help participants pass the CISSP exam.
  • Focus on aligning security with business goals and objectives.
  • First in a series of mind map videos (30 total).
  • Links to other mind map videos available in the description.

Mindset for Studying

  • Critical Advice: Have the right mindset for studying and the exam.
  • CISSP is a management-level certification.
  • Think like a CEO rather than focusing on technical aspects.

Corporate Governance

  • Definition: System of rules, practices, and processes for directing and controlling an organization.
  • Focus on achieving organizational goals and objectives, enhancing value.
  • Security Governance: Similar system applied to security functions.
    • Aligns security with organizational goals, emphasizing security as a business enabler.
    • Security professionals should support business objectives rather than be seen as a roadblock.

Roles and Responsibilities

  • Clearly defined roles are critical for accountability and responsibility.
    • Accountability: Ownership and liability for security; cannot be delegated.
    • Responsibility: Can be delegated; involves implementing and enforcing security controls.
    • Example: Cloud Service Provider (CSP) is responsible for data security, but the customer is accountable.

Due Diligence and Due Care

  • Due Diligence: Processes to prove due care to stakeholders.

Security History: Export Controls

  • Significant advancements in cryptography during the 1970s and 80s.
  • Creation of laws to restrict export of cryptographic technologies (e.g., ITAR, EAR).
    • ITAR: International Traffic in Arms Regulations; focuses on defense articles.
    • EAR: Export Administration Regulations; regulates dual-use items.
  • Wassenaar Arrangement: Voluntary multinational agreement on export controls for conventional weapons and dual-use technologies.

Data Residency Laws

  • Focus on restricting data flow across borders; important for privacy.
  • Privacy and Security: Interdependence; cannot achieve privacy without security.

Ethics in Security

  • Importance of ethical behavior in organizations.
  • Codifying Ethics: Writing them down in policies to ensure consistency.
  • ISC2 Code of Ethics:
    1. Protect society, the common good, and public trust.
    2. Act honorably, honestly, justly, responsibly, and legally.
    3. Provide diligent and competent service to principals.
    4. Advance and protect the profession.

Policies and Procedures

  • Policies: Corporate laws directing behavior; define overall security approach.
  • Standards: Mandatory hardware and software requirements.
  • Procedures: Step-by-step instructions for actions.
  • Baselines: Minimum security levels and configurations.
  • Guidelines: Recommended actions, not mandatory.

Risk Management

  • Vital for protecting organizational assets with limited resources.
  • Covered in a dedicated mind map video for deeper exploration.

Procurement Process

  • Security must be involved from the start of procurement.
  • Service Level Requirements (SLR): Document defining security requirements.
  • Service Level Agreement (SLA): Legally binding document outlining responsibilities.

Awareness, Training, and Education

  • Awareness: Informal communication to foster sensitivity to security issues.
  • Training: Specific skills necessary for security practices.
  • Education: Teaching fundamental concepts (e.g., CISSP master class).

Conclusion

  • Summary of key concepts in security governance relevant for the CISSP exam.
  • Final Advice: Approach studies and the exam with a CEO mindset to succeed.
  • Recommended video on thinking like a CEO available in the description.