CISSP Domain 3 Refresh: Security Architecture and Engineering

Security Architecture and Engineering is a very important component of Domain #3 in the CISSP exam. It counts for a good chunk of it, as 13% of the topics in this domain are covered on the exam. But apart from that, the knowledge gained from this particular domain provides a crucial, fundamental background for any type or kind of cybersecurity professional.

The following is a list of knowledge areas that the aspiring CISSP-certified individual must have at least a baseline knowledge of.

As the CISSP exam questions are also scenario-based, you must be able to understand these principles and apply them:

Incorporating security into the design process

Security engineers attempt to retrofit an existing system with security features designed to protect the confidentiality, integrity and availability of the data handled by that system.

Subject/object model

In this approach, every access request is seen as having two different components: a subject who is requesting some type of access and an object which is the resource being requested.

Failure modes

There are two possible failure modes:

  • Fail open system. If the security controls fail, they are automatically bypassed
  • Fail secure system. This is where a security control fails, and the system locks itself down to a state where no access is granted

This part of the domain can be considered more theoretical in nature. Nevertheless, you still should have an understanding of them, as the CISSP exam will cover them to some degree or another. It is important to note that this not an all-inclusive list of the security models; you should refer to your study book or boot camp notes to get all of the details of all of the relevant models.

  • Bell-LaPadula security model
  • Biba integrity model
  • Lattice-Based Access controls
  • Integrity models
  • Clark-Wilson
  • Information Flow model
  • Chinese Wall model
  • Noninterference (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Sumit Bhattacharya. Read the original post at: