
Introduction

SECURITY ARCHITECTURE can be defined as the process of creating and maintaining the information security structure of an enterprise to ensure the confidentiality, integrity, and availability of critical and/or sensitive business systems. It follows, then, that the security architect is the individual who is qualified to perform the functions necessary to accomplish the security architecture goals of the organization. To be considered a professional security architect, it is necessary to delve much deeper into the elements that must be understood and employed to perform that role. The CISSP-ISSAP® certification is intended to measure and evaluate the ability of an individual to be accredited as a professional in this demanding field.

There are three requirements that must be met in order to achieve the status of CISSP-ISSAP: one must already be a CISSP in good standing, one must take and pass the CISSP-ISSAP certification exam, and one must be able to demonstrate a minimum of 2 years of direct full-time security work experience in one or more of the 6 domains of the (ISC)2 CISSP-ISSAP CBK. A firm understanding of what the 6 domains of the CISSP-ISSAP CBK are, and how they relate to the landscape of business, is a vital element in successfully being able to meet these requirements and claim the CISSP-ISSAP credential. The mapping of the 6 domains of the CISSP-ISSAP CBK to the job responsibilities of the Information Security architect in today’s world can take many paths, based on a variety of factors such as industry vertical, regulatory oversight and compliance, geography, as well as public versus private versus military as the overarching framework for employment in the first place. In addition, considerations such as cultural practices and differences in language and meaning can also play a substantive role in the interpretation of what aspects of the CBK will mean, and how they will be implemented in any given workplace.

It is not the purpose of this book to attempt to address all of these issues or provide a definitive prescription as to what is “the” path forward in all areas. Rather, it is to provide the official guide to the CISSP-ISSAP CBK, and in so doing, to lay out the information necessary to understand what the CBK is, and how it is used to build the foundation for the CISSP-ISSAP and its role in business today. To that end, it is important to begin any successful project with a plan, specifically one that identifies where you are and where you want to end up, and as a result, what tools you will need in order to make the journey comfortable and successful. The most important tool that the intrepid traveler can have at their disposal is a compass, that trusty device that always allows one to understand in what direction they are heading, and to get their bearings when necessary. The compass of the Information Security professional is their knowledge, experience, and understanding of the world around them. The thing that is amazing about a compass is that no matter where you stand on Earth, you can hold one in your hand and it will point toward the North Pole. While we do not always need to know where the North Pole is in Information Security, as a CISSP-ISSAP, you are expected to be able to provide guidance and direction to the businesses and users that you are responsible for. Being able to map the CISSP-ISSAP CBK to your knowledge, experience, and understanding is the way that you will be able to provide that guidance, and to translate the CBK into actionable and tangible elements for both the business and the users that you represent.

1. The Access Control Systems & Methodology domain details the critical requirements to establish adequate and effective access controls for an organization.

Access Control key areas of knowledge include:

•   Application of control concepts and principles (e.g., discretionary/mandatory, segregation/separation of duties, rule of least privilege).

•   Account life cycle management (e.g., registration, enrollment, access control administration).

•   Identification, authentication, authorization, and accounting methods such as centralized, decentralized and federation.

•   Access Control Protocols and Technologies (e.g., RADIUS, Kerberos, EAP, SAML, XACML, LDAP).

These elements of Access Control Methodology are things that security architects interact with as they design systems for their organizations, as do the users of any systems that the business provides, such as Directory Services for logon authentication, File and Print systems that allow for the secure storage, retrieval, and manipulation of data in a variety of formats, as well as web services that expose data to front end interfaces for user consumption. Whenever a user attempts to access secured data from any legitimate or illegitimate interface, internal or external to the enterprise, the Access Control domain plays an active and indispensable part in the transactions that take place to ultimately either validate or disqualify that user’s access request. Understanding Identity Management, Data Access Controls, Information Classification, System Access Control Strategies, and Threats is a key element of the Access Control Domain. The security architect needs to be able to bridge the divide that is often present between the organization and the user with regard to Access Control, allowing the organization to secure the systems and information required to do business effectively, while also educating and informing users of their role in the system architecture and their responsibilities to operate securely and safely within the security frameworks that the architect has created.

2. The Communications & Network Security domain addresses the security concerns related to the critical role of communications and networks in today’s computing environments.

Communications & Network Security key areas of knowledge include:

•   Unified communications (e.g., convergence, collaboration, messaging)

•   Communication topologies (e.g., centralized, distributed, cloud, mesh)

•   Gateways, routers, switches and architecture (e.g., access control segmentation, out-of-band management, OSI layers)

•   Monitoring (e.g., sensor placement, time reconciliation, span of control, record compatibility)

The Security Architecture Professional must understand the risks to communications networks, whether they carry data, voice or multimedia. This includes an understanding of communications processes and protocols, threats and countermeasures, support for organizational growth and operations, and the ability to design, implement and monitor secure architectures. The security architect needs to be comfortable designing architectures that are able to encompass the structures, techniques, transport protocols, and security measures used to provide integrity, availability, confidentiality and authentication for transmissions over private and public communication networks. The security architect is responsible for security at all levels of the business based on the system designs that they implement, whether it is with regard to a request to access controlled information, the testing and deployment of an application, or the documentation for processes and procedures that are in place to safeguard mobile access to the business’s data. Identification of threats and risks, and the implementation of mitigation techniques and strategies to counteract and minimize their impacts, also play an important part in the list of activities that the security architect is responsible for carrying out and managing on a daily basis within the business. All of these things are part of the Communications & Network Security domain in one way or another.

3. The Cryptography domain addresses the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality and authenticity.

Cryptography key areas of knowledge include:

•   Identifying Cryptographic Design Considerations and Constraints

•   Defining the Key Management Lifecycle (e.g., creation, distribution, escrow, recovery)

•   Designing integrated cryptographic solutions (e.g., Public Key Infrastructure (PKI), API selection, identity system integration)

While many of the practical elements of the Cryptography domain are used by businesses all the time to safeguard data and to ensure data integrity, security architects may not be aware of these functions and how they operate at the level of detail required to successfully create the security architecture that the organization relies on for protection of its information and sensitive data. Whether it is the use of Symmetric or Asymmetric Cryptography to protect data and ensure confidentiality, the use of Hash Functions or Digital Signatures to ensure message integrity, or the practice of Encryption Management to ensure data availability on demand for authenticated users of a system, the security architect plays an active role in all aspects of the Cryptography domain and its application to data security in the enterprise. The Security Architecture Professional should understand the responsibility involved in choosing, implementing and monitoring cryptographic products and in the adoption of corporate cryptographic standards and policy. This may include oversight of digital signatures and PKI implementations and a secure manner of addressing the issues and risks associated with the management of cryptographic keys.

4. The Security Architecture Analysis domain is focused on the skills necessary to create diligence and attention to standards, awareness of threats, and identification of risks within the security architecture.

Security Architecture Analysis key areas of knowledge include:

•   Identifying frameworks (e.g., Sherwood Applied Business Security Architecture (SABSA), Service-Oriented Modeling Framework (SOMF))

•   Defining business and functional needs (e.g., locations, jurisdictions, business sectors, cost, stakeholder preferences, quality attributes, capacity, manageability)

•   Applying existing information security standards and guidelines (e.g., ISO/IEC, PCI, NIST) to the organization

•   The Systems Development Life Cycle (SDLC) (e.g., requirements traceability matrix, security architecture documentation, secure coding)

The Security Architecture Professional should know and follow the best practices and standards for network and information systems design, and implement an architecture that will provide adequate security to accomplish the business goals of the enterprise. This requires the evaluation and choice of different architectures, and an understanding of the risks associated with each type of design. Security architectures that are designed and validated for the organization should contain the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, and applications, and those controls used to enforce various levels of confidentiality, integrity, and availability.

5. The Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP) domain addresses the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the preparation, testing and updating of specific actions to protect critical business processes from the effect of major system and network failures.

Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP) key areas of knowledge include:

•   Incorporation of the Business Impact Analysis (BIA) (e.g., legal, financial, stakeholders) into the security architecture

•   Defining processing agreement requirements (e.g., reciprocal, mutual, cloud, outsourcing, virtualization)

•   Ensuring availability of service provider/supplier support (e.g., cloud, SLAs)

•   BCP/DRP Architecture Validation (e.g., test scenarios, requirements traceability matrix, trade-off matrices)

The security architect may or may not have direct experience with an actual disaster and the recovery actions that would be necessary to bring the business back to full functionality, while ensuring the safety and integrity of the business systems and information, as well as the safety and well-being of the users of the systems. A solid grounding in Project Management skills, and the ability to interface with other risk management areas such as records management, regulatory compliance, vendor management, and physical security in the context of a Risk Management Framework that is used to help all areas of the business respond to and deal with risk effectively, is a critical success factor for the security architect. The security architect should implement countermeasures to reduce the risk of incidents occurring that can lead to the necessity for a BCP/DRP plan to be activated in the first place. Furthermore, the Security Architecture Professional should play a key role in designing and developing business continuity plans that will meet the operational business requirements of the organization through planning for the provisioning of appropriate recovery solutions.

Business Continuity Planning (BCP) helps to identify the organization's exposure to internal and external threats. BCP counteracts interruptions to business activities and should be available to protect critical business processes from the effects of major failures or disasters. It addresses natural and man-made events and the consequences that follow if they are not dealt with promptly and effectively.

Business Impact Analysis (BIA) determines the proportion of impact an individual business unit would sustain subsequent to a significant interruption of computing or telecommunication services. These impacts may be financial, in terms of monetary loss, or operational, in terms of inability to deliver.

Disaster Recovery Plans (DRP) contain procedures for emergency response, extended backup operation and post-disaster recovery, should a computer installation experience a partial or total loss of computer resources and physical facilities. The primary objective of the disaster recovery plan is to provide the capability to process mission-essential applications, in a degraded mode, and return to normal mode of operation within a reasonable amount of time.

6. The Physical Security Considerations domain recognizes the importance of physical security and personnel controls in a complete information systems security model.

Physical Security Considerations key areas of knowledge include:

•   Policies and standards (e.g., export controls, escort policy, liaison with law enforcement and external media)

•   Integrating physical security with identity management (e.g., wiring closet access, badge and enterprise identity management)

•   Perimeter protection and internal zoning

Physical security describes measures that are designed to prevent unauthorized personnel (including attackers) from physically accessing a building, facility, resource, or stored information, and guidance on how to design structures to resist potentially hostile acts.

The Security Architecture Professional should be able to demonstrate an understanding of the risks and tools used in providing physical security. These include the secure management, administration and deployment of physical access controls, as well as deciding whether to prevent, detect or react to suspicious activity. Designing architectures that address the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information is the primary concern for the security architect. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.

While many security architects will not be involved with the initial site and facility design criteria, or even the location choices for the organizations that they are a part of, that does not mean that they should not be aware of these factors with regard to their impact on security. Further, security architects need to play an active part in creating a focus within the business on the efficacy of its physical security posture, and if necessary, to be the agent that drives changes as required to ensure that security is maintained at appropriate levels given the threats and risks that are present in the operating environment.
