CISSP Mnemonic & Memorization Techniques Mindmap
-
Domain 01
-
Due Diligence vs. Due Care
-
Due diligence – before decisions; research
-
Due care – the decisions & after; actions; prudent person rule
-
-
BC_DR
-
BIA – objectives, critical asset values, threats
-
Business continuity – mission critical – keeps critical operations running (beware confusing the two "C"s: continuity vs. contingency)
-
Contingency operations – also mission critical – recovers only the critical functions that failed
-
Disaster Recovery – non-critical – recovers everything else after the failure
-
-
BCP Life Cycle Stage (ISC2)
-
Project Scope and Planning - Organization Review, BCP Team Selection, Resource Requirements and Legal and Regulatory Requirements
-
BIA (Business Impact Analysis) - Identifying Priorities, Risk Identification, Likelihood Assessment, Impact Assessment, Resource Prioritization (Quantitative (ALE, MTD, AV, etc) and Qualitative)
- MNEMONICS: Properly Building Continuous Plans (PBCP)
-
Continuity Planning - Strategy Development (risk acceptance) and Provisions and Processes
-
Plan Approval and Implementation (plan testing, maintenance, documentation, etc.)
-
-
NIST 800-37 (Risk Management Framework) 7 Steps
-
Prepare
-
Categorize
-
Select
-
Implement
- MNEMONICS: People Can See I Am Always Monitoring (PCSIAAM) or Piano Concerts Sound Incredibly Artistic And Melodic
-
Assess
-
Authorize
-
Monitor
-
-
Threat Modelling:
-
Focuses on Assets (asset valuation), Attackers (attacker's goals), Software (potential threats in the software itself)
STRIDE – software/threat-centric; PASTA – risk-centric, starts from business objectives and assets; DREAD – not a model but a rating scheme for ranking the threats found (see below)
STRIDE
-
S poofing
-
T ampering
-
R epudiation - attacker can deny participation
-
I nformation disclosure
-
D enial of service
-
E levation of privilege
-
-
PASTA
-
Stage I : Definition of Objectives
-
Stage II : Definition of Technical Scope
-
Stage III : App Decomposition & Analysis
-
Stage IV: Threat Analysis
-
Stage V: Weakness & Vulnerability Analysis
-
Stage VI: Attack Modeling & Simulation
-
Stage VII : Risk Analysis & Management
-
-
DREAD
-
Damage potential
-
Reproducibility
-
Exploitability
-
Affected users
-
Discoverability
-
-
-
Standards / Acts / Regulations/Laws
-
Types of Law
-
Criminal Law
-
Civil Law
-
Administrative Law
-
-
Privacy
-
Participation – the data subject should have the option to opt in or opt out.
-
Limitation – data can only be used for the purpose stated
-
Scope – there must be a specific purpose (and it must be legal/ethical), the scope should be included in the notification.
-
Accuracy – the data must be as accurate as possible, and the data subject should be able to make corrections.
- MNEMONICS: People Love Sharing Awesome Recipes, Sipping Delicious Nectars (PLSAR SDN)
-
Retention – the data should be kept only as long as it’s needed.
-
Security – the custodian must protect the data.
-
Dissemination – the custodian must not share the data without notifying the data subject
-
Notification – must notify the data subject that you are collecting their data before it is used; the notice should include the purpose of use
-
-
General Data Protection Regulation (GDPR)
-
Purpose limitation – data is collected for specified, explicit purposes and not processed in ways incompatible with them.
-
Data minimization – collect only what is adequate, relevant and necessary for that purpose (not everything you could collect).
-
Accuracy – this means there should be a method for the data subject to make corrections so that the info is accurate.
-
Storage limitation – basically, don’t keep the information longer than needed.
- MNEMONICS: Pretty Daisies And Sunflowers In Courtyards Always Look Fantastic (PDASICALFT)
-
Integrity/confidentiality – this means you should prevent unauthorized modifications or views of the data.
-
Accountability – means that your organization must demonstrate compliance with these principles and are accountable/responsible for the data
-
Lawfulness, fairness, transparency: Data must be collected, handled, and destroyed in ways that are legal, fair, and transparent (subject to review/audit).
-
-
ISO 27001 -> ISMS – Information Security Management System
ISO 22301 -> BCMS – Business Continuity Management System
PCI-DSS -> payment card security (industry standard, not a law)
NIST 800-37 -> RMF – Risk Management Framework (US federal systems)
FedRAMP -> Federal Risk and Authorization Management Program (US cloud services)
GLBA -> privacy, financial services (US law)
SOX -> Sarbanes-Oxley; not a standard but a US law for publicly traded companies doing business in the US
PIPEDA -> Canada – Personal Information Protection and Electronic Documents Act
GDPR -> EU – privacy
HIPAA -> healthcare – US
-
IP and Licensing
-
Trademarks
-
Patents
-
Trade Secrets
-
Licensing
-
-
-
Risk Management
-
SLE = AV * EF
-
Single Loss Expectancy (SLE) - Negative impact for one-time occurrence
-
Asset Value (AV)
-
Exposure Factor (EF) - If a flood will damage 40% of your data center, EF is 40%
-
-
ARO
- Annualized Rate of Occurrence – how many times per year the loss is expected (once every 10 years = 0.1)
-
ALE = ARO * SLE
-
🍺 = 😍 (get it?)
-
Annual Loss Expectancy = Annualized Rate of Occurrence * Single Loss Expectancy
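Worked example of the formulas above, added here and not part of the original mindmap. The numbers (a $2M data centre, EF 40%, one flood every 25 years, a $10,000/yr barrier that cuts EF to 10%) are constructed, and the safeguard-value formula (ALE before, minus ALE after, minus the annual cost of the safeguard) is the standard cost/benefit test that goes with ALE.

```python
"""Quantitative risk arithmetic: SLE = AV * EF, ALE = ARO * SLE, and the
cost/benefit test for a safeguard: (ALE before) - (ALE after) - (annual cost).
All figures are constructed for the illustration."""


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: the loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of the asset lost, so it must be 0..1")
    return asset_value * exposure_factor


def ale(aro: float, single_loss: float) -> float:
    """Annualized Loss Expectancy: expected loss per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * single_loss


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control. Positive means the control pays for itself."""
    return ale_before - ale_after - annual_cost


def flood_example() -> dict:
    """Constructed scenario: a $2M data centre, a flood damages 40% of it
    (EF = 0.40), such a flood is expected once every 25 years (ARO = 0.04),
    and a proposed flood barrier costs $10,000 per year and cuts EF to 10%."""
    av = 2_000_000.0
    loss = sle(av, 0.40)                          # 800,000 per flood
    yearly = ale(1 / 25, loss)                    # 32,000 per year
    loss_after = sle(av, 0.10)                    # 200,000 per flood
    yearly_after = ale(1 / 25, loss_after)        # 8,000 per year
    benefit = safeguard_value(yearly, yearly_after, 10_000.0)  # 14,000 per year
    return {
        "SLE": loss,
        "ALE": yearly,
        "ALE_with_control": yearly_after,
        "safeguard_value": benefit,
        "worth_it": benefit > 0,
    }


if __name__ == "__main__":
    for name, value in flood_example().items():
        print(f"{name}: {value}")
```

The sign of `safeguard_value` is the decision: a barrier that cost $30,000 a year in the same scenario would return a negative value and the cheaper answer would be to accept the risk.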
-
-
-
Control Categories
-
P hysical - Tangible. Locks, guards, alligator moats, etc.
-
T echnical/Logical - Automated or electronic systems.
- PTA keeps the children safe!
-
A dministrative - Policy, signage.
-
-
-
Domain 03
-
Security Model
-
Integrity
-
Biba – No read down, no write up
-
Clark-Wilson – Access control triple (subject / transformation procedure / object); well-formed transactions and separation of duties
-
Goguen-Meseguer – Noninterference (what one group of users does must not affect what another group can observe)
-
Sutherland – preventing interference
(information flow and State Machine Model)
-
-
Confidentiality
-
Bell Lapadula – no read up, no write down
-
Brewer Nash – Chinese Wall; conflict of interest
- Brewer-Nash is also known as "The Chinese Wall" and protects against conflict of interest. Remember Chinese "brew" tea. 🍵
-
Take Grant - Employs a "Directed Graph"
-
-
-
Security model properties
-
simple = read;
-
star = write (old-school files have *star in titlebar when modified/edited/written)
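The four rules above, as an added example that is not from the mindmap: a lattice label is a level plus a set of compartments, and each model's two properties reduce to one dominance check in one direction or the other. The clearance names, compartments and the decisions shown are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of compartments
    (need-to-know categories). For BLP the level is a sensitivity level,
    for Biba it is an integrity level; the dominance rule is the same."""
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Higher-or-equal level AND a superset of the other's compartments.
        return self.level >= other.level and self.compartments >= other.compartments


# --- Bell-LaPadula (confidentiality) ---
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up. The subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. The object must dominate the subject."""
    return obj.dominates(subject)


# --- Biba (integrity): the same two rules with the direction flipped ---
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down. Object integrity must dominate the subject's."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property: no write up. The subject must dominate the object."""
    return subject.dominates(obj)


UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3


def blp_decisions() -> dict:
    """Constructed example: an analyst cleared SECRET with the CRYPTO compartment."""
    analyst = Label(SECRET, frozenset({"CRYPTO"}))
    return {
        "read SECRET/CRYPTO": blp_can_read(analyst, Label(SECRET, frozenset({"CRYPTO"}))),
        "read TOP SECRET/CRYPTO": blp_can_read(analyst, Label(TOP_SECRET, frozenset({"CRYPTO"}))),
        "read SECRET/NUCLEAR": blp_can_read(analyst, Label(SECRET, frozenset({"NUCLEAR"}))),
        "read UNCLASSIFIED": blp_can_read(analyst, Label(UNCLASSIFIED)),
        "write UNCLASSIFIED": blp_can_write(analyst, Label(UNCLASSIFIED)),
        "write TOP SECRET/CRYPTO": blp_can_write(analyst, Label(TOP_SECRET, frozenset({"CRYPTO"}))),
    }


def biba_decisions() -> dict:
    """Constructed example: a high-integrity service versus untrusted user input."""
    service, user_input = Label(2), Label(0)
    return {
        "service reads user input": biba_can_read(service, user_input),
        "service writes user area": biba_can_write(service, user_input),
        "user input written into service data": biba_can_write(user_input, service),
    }


if __name__ == "__main__":
    for rule, allowed in {**blp_decisions(), **biba_decisions()}.items():
        print(f"{rule}: {'allowed' if allowed else 'denied'}")
```

Two things the table of rules alone does not make obvious: the SECRET/NUCLEAR read is denied even though the level matches, because compartments are part of the lattice (this is the compartmented MAC of Domain 05), and BLP happily lets the analyst write into a TOP SECRET object, which is exactly the integrity gap Biba exists to close.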
-
-
Trusted Computing Base (TCB)
-
Reference monitor
- enforces access control
-
Security kernel
- implements access control
-
-
Cryptography Goal
-
P - Privacy (Confidentiality)
-
A - Authentication
- PAIN
-
I - Integrity
-
N - Non-Repudiation
-
-
Cryptography
-
Asymmetric Algorithms
-
Diffie-Hellman
-
ElGamal
-
RSA
- MNEMONICS: Diffie-Hellman ElGamal RSA ECC Knapsack (DEREK)
-
ECC
-
Knapsack
-
-
Symmetric Algorithms
-
Twofish
- There is a process involved here called Whitening. Mental image of literally 2 fish "whitening" each others teeth.
-
3DES
-
Blowfish
- This is for key size, which can be 32 up to 448 bits. I again think about "blowing" air into a fish, and imagining the fish getting bigger and bigger. Thus, it starts at 32 but can be "blown" up to 448 bits.
-
RC5
- MNEMONICS: Twofish 3DES Blowfish RC5 AES IDEA DES SAFER (23BRAIDS)
-
AES
-
IDEA
-
DES
-
SAFER
-
-
Hash Algorithms
-
- MD2 - Message Digest 2 (128 bit)
-
- MD5 (128 bit)
-
- SHA-0 (Secure Hash Algorithm, 160 bit, withdrawn)
-
- SHA-1 (160 bit)
-
- SHA-2 (224, 256, 384 or 512 bit)
-
-
-
Cryptanalytic Attacks
-
Brute force
-
Ciphertext only
-
Known plaintext
-
Frequency analysis
-
Chosen ciphertext
-
Implementation attacks
-
Side channel
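Added example, not from the mindmap, tying three of the attacks above together: a shift (Caesar) cipher is broken ciphertext-only by brute-forcing all 26 keys (a tiny key space) and using frequency analysis to tell the right decryption from the 25 wrong ones. The plaintext and the key (7) are constructed; the English letter-frequency table is the standard one.

```python
# Ciphertext-only attack on a shift cipher: brute-force the 26 keys and let
# frequency analysis pick the winner. Standard library only.

ENGLISH_FREQ = {  # percent of letters in typical English text (well-known table)
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23, "g": 2.02,
    "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03, "m": 2.41, "n": 6.75,
    "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99, "s": 6.33, "t": 9.06, "u": 2.76,
    "v": 0.98, "w": 2.36, "x": 0.15, "y": 1.97, "z": 0.07,
}


def caesar(text: str, shift: int) -> str:
    """Shift each ASCII letter by `shift` positions; everything else is kept."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and the English profile."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = {c: 0 for c in ENGLISH_FREQ}
    for c in letters:
        counts[c] += 1
    score = 0.0
    for c, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        score += (counts[c] - expected) ** 2 / expected
    return score


def rank_shifts(ciphertext: str) -> list:
    """Every candidate key, best (most English-looking decryption) first."""
    scored = [(chi_squared(caesar(ciphertext, -k)), k) for k in range(26)]
    return [k for _, k in sorted(scored)]


def recover_shift(ciphertext: str) -> int:
    """The key whose decryption looks most like English."""
    return rank_shifts(ciphertext)[0]


# Constructed sample: ordinary English encrypted with key 7.
PLAINTEXT = (
    "The attacker does not need the key when the cipher leaks structure. "
    "A ciphertext only attack relies on the statistics of the language: in "
    "English the letter e appears far more often than any other, and t, a, o, "
    "i and n follow it. Count the letters, compare them with the expected "
    "distribution, and the shift that fits best is the key."
)
CIPHERTEXT = caesar(PLAINTEXT, 7)

if __name__ == "__main__":
    k = recover_shift(CIPHERTEXT)
    print("recovered shift:", k)
    print(caesar(CIPHERTEXT, -k))
```

The attack needs a few hundred letters to be reliable; on a one-word ciphertext the chi-squared ranking is noisy, which is why short messages under a monoalphabetic cipher are harder than long ones, not easier.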
-
-
DES Modes of Operation
- Remember the first and the last.
The center 3 are alphabetical by name and/or abbreviation.
ECB - Electronic Codebook (the only one that takes no initialization vector; identical plaintext blocks give identical ciphertext blocks)
CBC - Cipher Block Chaining
CFB - Cipher Feedback
OFB - Output Feedback
CTR - Counter
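Added example, not from the mindmap and not real DES: a toy Feistel block cipher (its round function is a SHA-256 PRF, chosen only so the example runs offline with the standard library) wrapped in ECB and CBC. It shows the point in the ECB line above: with ECB, identical plaintext blocks give identical ciphertext blocks, and chaining with an IV removes that leak. Key, message and IV are constructed.

```python
import hashlib
import os

BLOCK = 16  # bytes. DES uses 8, AES 16; the modes work the same way either way.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function for a toy Feistel cipher. Any keyed PRF will do for
    # showing how the modes behave; this is NOT a real block cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def _feistel(block: bytes, key: bytes, rounds) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block cipher only takes whole blocks")
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        left, right = right, _xor(left, _round_fn(right, key, rnd))
    return right + left  # the final swap lets decryption reuse the same loop


def block_encrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, range(8))


def block_decrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, reversed(range(8)))


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always add 1..BLOCK bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Each block is encrypted on its own: same input block -> same output block.
    return b"".join(block_encrypt(b, key) for b in _blocks(pad(plaintext)))


def ecb_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(b, key) for b in _blocks(ciphertext)))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes = None) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first one) before encryption, so repeats in the input are hidden.
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, []
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(_xor(b, prev), key)
        out.append(prev)
    return iv + b"".join(out)  # the IV is not secret; ship it with the ciphertext


def cbc_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    prev, out = ciphertext[:BLOCK], []
    for b in _blocks(ciphertext[BLOCK:]):
        out.append(_xor(block_decrypt(b, key), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks are duplicates of an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"sixteen byte key"                   # constructed demo key
    msg = b"ATTACK AT DAWN!!" * 4               # four identical 16-byte blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(msg, key)))  # pattern leaks
    print("CBC repeats:", repeated_blocks(cbc_encrypt(msg, key)))
```

`repeated_blocks` is the whole audit: four identical message blocks come out of ECB as four identical ciphertext blocks, and CBC with a fresh IV produces none. The same test run against a real cipher (AES in ECB mode) gives the same answer, which is why ECB is the mode to recognise and reject.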
-
Privacy by Design (IAPP 7 principles)
-
- Proactive and not a reactive approach
-
- Privacy as the Default setting
-
- Privacy must be embedded in the design
-
- Privacy should be a positive-sum approach and not a zero-sum approach
-
- End to end full lifecycle data protection
-
- Visibility and transparency
-
- Keep privacy user-centric
-
-
Cloud Computing
-
Shared responsibility model
-
IaaS
-
PaaS
-
SaaS
-
-
Models
-
Public
-
Private
-
Hybrid
-
-
-
Processor
-
Execution Types
-
Multitasking
-
Multithreading
-
Multicore
-
Multiprocessing
-
Multiprogramming
-
-
PROCESS STATES
-
Ready
-
Running
-
Waiting
-
Supervisory
-
Stopped
-
-
Operating Modes (processor operating modes)
-
User Mode
-
Privileged (Kernel/Supervisor) Mode
-
-
-
Security modes
-
Dedicated Mode
-
System High Mode
-
Multilevel Mode
- S.C.A.N. (Signed NDA. Clearance. Approval. Need to Know)
-
Compartmented Mode
-
-
Common Criteria: ISO: 15408
-
Structure of Common Criteria:
-
- Introduction: Being familiar with the TOE.
-
- Security Functional Requirement: Describes various functional requirements in terms of security audits, communications security, cryptographic support for security, user data protection, identification and authentication, security management etc.
-
- Security Assurance: Covers assurance requirements for TOEs in the areas of configuration management, delivery and operation, development, guidance documents, and life-cycle support plus assurance tests and vulnerability assessments.
-
EAL1 Functionally Tested
-
EAL2 Structurally Tested
-
EAL3 Methodically tested and checked
-
EAL4 Methodically designed, tested and reviewed
-
EAL5 Semi-formally designed and tested
-
EAL6 Semi-formally designed, verified and tested
-
EAL7 Formally designed, verified and tested
-
-
-
-
Domain 05
-
IAAA
-
Identification : User should be uniquely identified
-
Authentication : Validation of an entity's identity claim; subjects prove their identity by providing credentials such as the matching password for a username.
-
Authorization : Confirms that an authenticated entity has the privileges and permissions necessary.
-
Memory Tips: Identification & authentication are required for accountability; authorization is not. (IAAA)
-
Auditing : Any activity in the application/system should be audited (identify technical issues/breaches)
-
Accountability: Tracing an action to a subject
-
-
Authentication Types
-
Type1: Something you know (password, pin)
-
Type2: Something you have (smart card, token)
-
Type3: Something you are (biometric)
-
Type4: Somewhere you are (location)
-
-
Biometrics
-
Biometrics: vein patterns are most reliable and accurate.
-
Biometric Error Type
-
Type 1 error: False Rejection Rate (FRR) – Right person Rejected
-
Type 2 error: False Acceptance Rate (FAR) – number 2 is FARther from zero than number 1
-
Crossover Error Rate: when both error rates are equal, as one goes up, the other goes down.
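Added example, not from the mindmap: the two score lists are constructed, not from any real sensor. Moving the acceptance threshold trades Type 1 against Type 2 errors, and the crossover is the threshold where the two rates meet.

```python
# Constructed matcher scores (0..100): higher means "more like the enrolled user".
# Twenty genuine attempts and twenty impostor attempts.
GENUINE = [72, 75, 78, 80, 81, 83, 84, 85, 86, 88, 90, 91, 92, 93, 95, 96, 97, 98, 99, 99]
IMPOSTOR = [20, 25, 30, 33, 35, 40, 42, 45, 48, 50, 52, 55, 58, 60, 63, 66, 70, 74, 77, 82]


def frr(threshold: int, genuine=GENUINE) -> float:
    """Type 1 error: genuine users whose score falls below the threshold (rejected)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: int, impostor=IMPOSTOR) -> float:
    """Type 2 error: impostors whose score reaches the threshold (accepted)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """Threshold where FRR and FAR are closest, and the error rate there (the CER)."""
    best = min(range(0, 101), key=lambda t: (abs(frr(t, genuine) - far(t, impostor)), t))
    return best, frr(best, genuine)


def tradeoff_table(thresholds=(50, 60, 70, 76, 85, 90)) -> list:
    """(threshold, FRR, FAR) rows: raise the bar and FRR climbs while FAR falls."""
    return [(t, frr(t), far(t)) for t in thresholds]


if __name__ == "__main__":
    for t, r, a in tradeoff_table():
        print(f"threshold {t:3d}: FRR {r:.2f}  FAR {a:.2f}")
    print("crossover:", crossover())
```

A lower CER means a better sensor, but the threshold you deploy is a policy choice: a data-centre door is tuned to the FAR side (reject some staff, admit no strangers), a consumer phone unlock to the FRR side.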
-
-
Iris vs. retina scans = Iris became “The Flash” so iris scans are quicker (note: the iris bit may have come out of the CBK but leaving here for knowledge & learning).
-
-
Access Control Matrix
-
Access Control List: Object Focused
-
Capability Table: Subject Focused
-
-
Access Control Model
-
- Discretionary Access Control: Owner, creator or custodian define access to the objects. Uses Access control list (known as Identity based access control)
-
- Non-Discretionary Access Control: Centrally managed by administrators. (Hint: Any model which is not DAC, can be called as Non-DAC)
-
- Role Based Access Control: Access is defined based on the role in an organization and subjects are granted access based on their roles. Normally implemented in organizations with high employee turnover.
-
- Rule Based Access Control: There are set of rules. e.g. Firewall. Global rules are applied to all users equally.
-
- Mandatory Access Control (Lattice Based): Implemented in high-security organizations such as the military. Labels combine a classification level with compartments.
-
a. Hierarchical - Clearance of Top secret gives access to Top secret as well as Secret
-
b. Compartmentalized - Each domain represents a separate isolated compartment.
-
c. Hybrid - Combination of both
-
- Attribute Based Access Control: Rules that can include multiple attributes. e.g. working hours, place of work, type of connection etc.
-
-
-
Domain 07
-
Recovery components
-
Response (declaration) – Personnel (to keep crit. bizops going), Communication (1voice)
-
Assessment (measure dmg), Restoration (from contingency to original site), Training/awareness
-
-
Incident Response
-
Detection
- Identify - monitoring tools, IDS/IPS, firewalls, users, notifications
-
Response
- Triage - is it really an incident? (decision to declare incident)
-
Mitigation
- Correction & containment (e.g. disconnect a malware-infected device)
-
Reporting
- to relevant stakeholders , customers, legal, and regulatory
-
MNEMONICS: Detect, Response, Mitigate, Report, Recover, Remediate, Lessons Learnt (DRMRRRL) In Mitigate-you contain, in Recover-you bring to last good known state, in Remediate-you do RCA/fix the Root Cause)
-
Recovery
- Return to normal operations
-
Remediation
- Root cause is addressed
-
Lessons Learned
- Helps the org deal with recurrence, improves the IR process
-
-
Investigation methods
-
● Automated capture –automated monitoring tools, such as system logs.
-
● Interviewing – soliciting information from witnesses. preserve the witness’ rights. done in private.
-
● Manual capture – making copies of evidence such as photo IDs or documents, and includes capturing photographic/video evidence from the incident/crime scene. Audio recordings in this context would be open, at the scene, not private.
-
● External request –evidence from an external source.
-
-
Backups
-
Types
-
Full backup – as the name indicates, this is a copy of all data in the environment.
-
Differential – copies the data that changed since the last FULL backup. Faster than a full backup, but each differential grows until the next full; restore = last full + last differential.
-
Incremental – copies the data that changed since the last backup of ANY kind. Smallest and fastest to take; restore = last full + every incremental since, in order.
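Added example, not from the mindmap: a constructed three-day change log run through both strategies, which makes the difference visible in two places, what each day's backup set contains and how many sets a restore must apply.

```python
# Constructed change log: day number -> files modified that day. A full backup
# is taken on day 0 and one backup of the chosen type on each following day.
CHANGES = {
    1: ["ledger.db", "notes.txt"],
    2: ["config.yml"],
    3: ["export.csv", "ledger.db"],
}


def changed_between(changes: dict, after_day: int, up_to_day: int) -> list:
    """Files modified on any day in (after_day, up_to_day]."""
    files = set()
    for day, names in changes.items():
        if after_day < day <= up_to_day:
            files.update(names)
    return sorted(files)


def backup_schedule(changes: dict, full_day: int, last_day: int, strategy: str) -> dict:
    """What each day's backup contains under the given strategy."""
    plan, previous = {}, full_day
    for day in range(full_day + 1, last_day + 1):
        if strategy == "differential":
            plan[day] = changed_between(changes, full_day, day)   # since the last FULL
        elif strategy == "incremental":
            plan[day] = changed_between(changes, previous, day)   # since the last backup of any kind
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        previous = day
    return plan


def restore_chain(full_day: int, target_day: int, strategy: str) -> list:
    """Which backup sets must be applied, in order, to restore to target_day."""
    chain = [("full", full_day)]
    if strategy == "differential":
        chain.append(("differential", target_day))  # the latest one is enough
    elif strategy == "incremental":
        chain += [("incremental", d) for d in range(full_day + 1, target_day + 1)]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return chain


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        print(strategy, backup_schedule(CHANGES, 0, 3, strategy))
        print("  restore to day 3:", restore_chain(0, 3, strategy))
```

The trade-off is the whole point: differential backups get bigger every day but a restore needs two sets; incremental backups stay small but a restore needs every set since the full, and losing any one of them breaks the chain.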
-
-
RAID
-
Striping – divides the data between disks.
-
Raid 0 – stripes over 2 (or more) disks; no redundancy.
-
Raid 1 – mirrors 2 disks
-
Raid 5 – data and parity are striped (3 disk minimum); in each stripe one disk holds the XOR parity of the others, and the parity position rotates across all disks (RAID 4 is the variant with a single dedicated parity disk). Survives one failed disk.
-
Raid 10 – mirrored, then striped (4 disks minimum)
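Added example, not from the mindmap: XOR parity is what lets RAID 5 survive one failed drive. The striping and parity-rotation layout below is a simplified one written for the illustration, not any vendor's, and the data is constructed.

```python
def xor_chunks(*chunks: bytes) -> bytes:
    """Bytewise XOR of equal-length chunks; XOR is the parity function."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, disks: int = 3, chunk: int = 4) -> list:
    """Stripe data over `disks` drives; each stripe holds disks-1 data chunks and
    one parity chunk, and the parity position rotates from stripe to stripe."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    stripe = chunk * (disks - 1)
    data += b"\x00" * (-len(data) % stripe)        # pad the last stripe
    drives = [[] for _ in range(disks)]
    for s, off in enumerate(range(0, len(data), stripe)):
        pieces = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(disks - 1)]
        parity_disk = (disks - 1 - s) % disks      # rotate parity each stripe
        it = iter(pieces)
        for d in range(disks):
            drives[d].append(xor_chunks(*pieces) if d == parity_disk else next(it))
    return drives


def raid5_read(drives: list, length: int) -> bytes:
    """Reassemble the data by skipping the parity chunk in every stripe."""
    disks, out = len(drives), bytearray()
    for s in range(len(drives[0])):
        parity_disk = (disks - 1 - s) % disks
        for d in range(disks):
            if d != parity_disk:
                out += drives[d][s]
    return bytes(out[:length])


def raid5_rebuild(drives: list, failed: int) -> list:
    """Recreate one lost drive (given as None): in every stripe the missing chunk,
    data or parity alike, is the XOR of all surviving chunks. A second lost
    drive cannot be rebuilt, which is RAID 5's limit."""
    survivors = [drv for i, drv in enumerate(drives) if i != failed and drv is not None]
    if len(survivors) != len(drives) - 1:
        raise ValueError("more than one drive lost; RAID 5 cannot recover")
    return [xor_chunks(*[drv[s] for drv in survivors]) for s in range(len(survivors[0]))]


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"   # constructed
    array = raid5_write(payload, disks=3, chunk=4)
    array[1] = None                                          # drive 1 dies
    array[1] = raid5_rebuild(array, 1)                       # hot-spare rebuild
    print(raid5_read(array, len(payload)) == payload)        # True
```

The rebuild reads every surviving chunk of the array, which is the operational caveat behind RAID 5: during that window a second failure, or an unrecoverable read error on a large disk, loses the data, and RAID of any level is not a backup.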
-
-
-
Change management
-
initiation
-
I - for initiation
-
C - for change requirements (identifying them)
-
R - for conducting risk assessment
-
P - for prioritizing the change
-
D - for documenting the request
-
-
Review and approval
-
R - for review (category)
-
A - for approval (category)
-
E - for evaluating the RFC for completeness
-
A - for assigning to SME for review and assigning to approver/manager
-
S - for stakeholder reviews
-
R - for resource allocation (doing the actual review)
-
A - for approval / rejection; this is the actual act of approving, etc.
-
D - for documenting everything
-
-
implementation / evaluation
-
I - for implementation
-
E - for evaluation
-
S - for scheduling the change
-
T - for testing the change
-
V - for verifying rollback procedures
-
I - for implementing the change
-
E - for evaluating the change (post-implementation)
-
D - documentation
-
-
deployment / release
-
-
Canons of ISC2
-
Protect society, the common good, necessary public trust and confidence, and the infrastructure (Social Responsibility, no unethical hacking),
-
Act honorably, honestly, justly, responsibly, and legally (Maintain Integrity, don't lie, etc)
- MNEMONICS: (PAPA)
-
Provide diligent and competent service to principals (Protect organization you are working for) ,
-
Advance and protect profession (Don't share exam questions, false endorsement)
-
-
Information Lifecycle
-
Create – creation or collection of the data. Classify and value the data, possibly assign security requirements but not implement them.
-
Store – where to put the data as it is created/collected. Apply the protection levels (note: applying protections is different than “assigning” them). ISC2 says that the storage step is often done at the same time as the creation step.
-
Use – processing of the data; using internally. Unencrypted while “in process”.
- MNEMONICS: Create, Store, Use, Share, Archive, Destroy(CSUSAD)
-
Share – sending the data elsewhere; includes selling, publishing, data exchange agreements, etc. The common body of knowledge talks about having a digital rights management solution in place to control the flow of data, and a data loss prevention solution in place to detect information leakage.
-
Archive – long term storage. When the data leaves active use.
-
Destruction – permanent destruction of the data. Depends on the data’s classification.
-
-
Patch Management
-
- Evaluate --> Release Patches
-
- Test--> Test on isolated systems
-
- Approve--> Use of change management to approve
-
- Deploy--> Deployment of patches on affected systems.
-
- Verify--> Verify if patches are deployed.
-
-
Database Recovery
-
a. Electronic Vaulting---> Transfer data in bulk. Not real time transfers.
-
b. Remote Journaling---> Transaction logs are being transferred. Frequent transfers.
-
c. Remote Mirroring: Real-time transfer; the remote copy is an exact live duplicate. Very expensive.
-
-
Investigation Types
-
- Operational: Resolving operational issues. Conduct RCA
-
- Criminal: Conducted by law enforcement. Murder, kidnapping, terrorism
- a. Evidence: Beyond a reasonable doubt. (Making it concrete for conviction)
-
- Civil: Legal team (issues inside and outside company), family matter, real estate etc.
- a. Evidence: Preponderance of evidence (convincing enough to justify the claim)
-
- Regulatory: Violation of administrative law (e.g. staying in a country after a visa has expired). Conducted by regulators.
-
-
e-Discovery
-
- Information Governance
-
- Identification
-
- Preservation---> preserving the evidence is must to avoid any deviation
-
- Collection---> collection of evidence should be done by the trained professional
-
- Processing
-
- Review
-
- Analysis
-
- Production--->
-
- Presentation
-
-
Evidence
-
Types
-
- Real Evidence: Which can be brought into court. (murder weapon)
-
- Documentary: Written evidence (agreements etc.)
-
a. Best evidence rule---> the original document is preferred (copies of the original are secondary evidence)
-
b. Parol evidence rule---> a written agreement is assumed to contain the entire agreement; earlier oral statements cannot modify it
-
- Testimonial: verbal witness ("gawaah" in Hindi ;-))
-
- Hearsay: Indirect (whispers); second-hand statements, usually inadmissible, with exceptions such as business records
-
-
Evidence Collection and Forensic Procedure (International Organization on Computer Evidence) IOCE
-
- Action taken on evidence should not change evidence
-
- Person should be trained for this purpose
-
- All activity must be documented, preserved, and reviewed.
-
- An individual is responsible while evidence is in its possession
-
- Agency seizing the evidence is responsible for compliance.
-
-
-
-
Domain 02
-
Data Lifecycle
-
Create
-
Store
-
Use
- MNEMONICS: In Summer, Monkeys Roam Daily (CSUSAD) Curious Squirrels Usually Sneak Around Daisies.
-
Share
-
Archive
-
Destroy
-
-
DATA CLASSIFICATION
-
Government
-
Top Secret
- Can cause Grave Damage if leaked
-
Secret
- Can cause Serious damage
-
MNEMONICS: Tiny Snails Carry Umbrellas (TSCU)
-
Confidential
- Can cause noticeable damage
-
Unclassified
- No Damage
-
-
Non-Government (public)
-
Confidential
- Can cause Grave Damage if leaked
-
Private
- Serious damage
-
MNEMONICS: Cats Prefer Soft Pillows (CPSP)
-
Sensitive
- Damage
-
Public
- No Damage
-
-
-
Information Lifecycle
-
Creation
-
Classification
-
Storage
- MNEMONICS: Curious Cats Sneak Under A Desk (CCSUAD)
-
Usage
-
Archive
-
Destruction
-
-
Asset classification process
-
● Create an Asset Inventory
-
● Assign Ownership
-
● Classify (Based on Value)
-
● Protect (Based on Classification)
-
● Assess and Review
-
-
Asset protection process
-
● Identify, locate, and Value
-
● Classify (based on value)
-
● Protect (based on classification)
-
-
Asset Lifecycle
-
Identify
-
Secure
-
Monitor
- MNEMONICS: In Summer, Monkeys Roam Daily (ISMRD) or I Start My Rhino Dance
-
Recover
-
Dispose
-
Archive
-
Defensible destruction
-
-
-
IT asset management lifecycle
-
P - for planning, where you would identify the assets, put a value on them, and put them in the inventory.
-
A - for assigning the security needs, this is where you would classify and categorize the assets. This step likely includes assigning the protection levels or baselines if they exist.
-
A - for acquiring the asset(s), whether that’s internally creating the software or purchasing the hardware.
- MNEMONICS: Properly Assess Assets, Document Maintenance Requirements (PAADMR) or People Always Appreciate Delicious Meals, Really
-
D - for deployment refers to deploying the assets and conducting training for all levels of users and support functions
-
M - for managing, refers to ongoing and continuous security assessment of the assets. This step includes backup and recovery activities.
-
R - for retiring,includes disposal.
-
-
Remanence
-
● Clearing Can (be recovered)
-
● Purging is Permanent
-
● Sanitizing is the Same (as purging)
- MNEMONICS: C(ow)P(ig)SOW (CPSOW)
-
● Overwriting with Oh’s (0’s and 1’s)
-
● Wiping is Writing (overwriting, that is)
-
-
Fire Extinguisher/Suppression Agent Classes
-
A: Common combustibles
-
B: Liquid
-
C: Electrical.
- MNEMONICS: A = Ashes (regular fires like paper and wood) B = Boil (liquids like gasoline) C = ElectriCity D = Dent - like a metal can K = Kitchen (oil/grease)
-
D: Metals.
-
K: Kitchen
-
-
-
Domain 04
-
OSI model
-
OSI Layers (7 Layers)
-
Application
-
Presentation
-
Session
-
Transport
- MNEMONICS: All People Seem To Need Data Processing
-
Network
-
Data Link
-
Physical
-
-
Data at Each Stage of OSI Layer
- Don't Don't Don't Stop Pouring Free Beer (Data-Application. Data-Presentation, Data-Session, Segment-Transport, Packet-Network, Frame-Data Link, Bits- Physical) OR Some People Forget Birthday (Segments-Transport , Packets-Network, Frames-Data Link, Bits-Physical)
-
-
TCP/IP Model - 4 Layers
-
Application
-
Transport
- MNEMONICS:(Network, Internet, Transport, Application) - (NITA )
-
Internet
-
Network
-
-
Authentication Protocol
-
CHAP
-
PAP
-
EAP
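Added example, not from the mindmap: the CHAP exchange from RFC 1994 in both roles, with a replay check. MD5 is used because that is what the protocol specifies, not as a recommendation; the secrets and challenges are constructed.

```python
import hashlib
import hmac
import os

# CHAP (RFC 1994): the authenticator sends a random challenge; the peer answers
# with MD5(identifier || shared secret || challenge); the authenticator recomputes
# the value from its own copy of the secret. The secret never crosses the wire.
# PAP, by contrast, sends username and password in the clear.


def chap_challenge() -> tuple:
    """Authenticator side: a fresh identifier and random challenge per attempt."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: prove knowledge of the secret without revealing it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: constant-time compare against the expected value."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(peer_secret: bytes, server_secret: bytes,
                 identifier: int = None, challenge: bytes = None) -> bool:
    """The three messages: Challenge -> peer, Response -> server, Success/Failure."""
    if identifier is None or challenge is None:
        identifier, challenge = chap_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return chap_verify(identifier, server_secret, challenge, response)


def replay_is_rejected(secret: bytes) -> bool:
    """An eavesdropper who captured (id, challenge, response) cannot reuse the
    response, because the authenticator issues a new challenge next time."""
    old_id, old_challenge = 7, b"\x01" * 16          # constructed first session
    captured = chap_response(old_id, secret, old_challenge)
    new_id, new_challenge = 8, b"\x02" * 16          # constructed second session
    return not chap_verify(new_id, secret, new_challenge, captured)


if __name__ == "__main__":
    print("shared secret matches:", run_exchange(b"s3cret", b"s3cret"))
    print("wrong secret on peer: ", run_exchange(b"guess", b"s3cret"))
    print("replay rejected:      ", replay_is_rejected(b"s3cret"))
```

Two caveats the exchange makes visible: the authenticator must store the secret itself (not a hash of it) to recompute the response, and a captured challenge/response pair is still useful to an attacker for an offline dictionary attack on the secret, which is why CHAP on untrusted links gave way to EAP methods that run inside TLS.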
-
-
Transmission Methods
-
Unicast
- One to One
-
Multicast
- One to Many
-
Broadcast
- One to All
-
-
Converged Protocols
-
iSCSI
-
Fibre Channel & FC o E
-
Storage Area Network (SAN)
-
MPLS (Multiprotocol Label Switching)
-
-
Threats and Countermeasures
-
-
Domain 06
-
SOC reports
-
SOC for Cybersecurity (CS) - how it meets CS controls (trust criteria)
-
SOC 1 – “Finance First” - financial reporting
-
SOC II – “Trust is Two” operations/compliance (trust criteria)
-
SOC III – public audience (trust criteria)
-
-
Type
-
Type 1 – Point in time (point at the top of # 1) - due diligence
-
Type 2 – Two points, thus over period of time - due care
-
-
-
Preparing and Conducting a SOC Audit
-
Two phases - Preparation and Audit.
-
Preparation
-
S - schedule
-
S - scope and success criteria
-
I - inventory of controls
-
R - review of gap analysis
-
R - resolve discrepancies
-
-
Audit
-
D - detailed plan
-
A - artifacts in advance
-
A - access to facilities
-
W - work spaces
-
M - meeting areas
-
C - conduct meetings
-
T - testing
-
O - offsite analysis
-
I - issue resolution
-
A - audit reports
-
L - lessons learned
-
R - recommendations
-
-
-
-
Penetration testing
-
-
Domain 08
-
Software Development Lifecycle
-
● Planning/initiation – creation of project, scope, budget/cost, objectives, strategies, and schedules.
-
● Functional requirements definition – security controls and compliance defined. Functional requirements as well.
-
● System design specifications – designing software / architecture, outputs, data flows/interfaces.
-
● Development – source code.
-
● Acceptance – testing the system to make sure it performs within the environment. May be part of the certification and accreditation process. Can include subphases such as:
-
● Testing/evaluation of controls – formal testing processes occur, choosing test data; includes fuzz testing (unexpected data), data validation, bounds checking, and sanitizing any production data used for testing.
-
● Certification/Accreditation – authorization to put the system into production. Certification is the technical analysis of controls. Accreditation is the authorizing official sign-off.
-
● Transition to production/implementation – moving from the acceptance phase into production. includes training and awareness, accreditation, installation, parallel operations with an old system that is being replaced.
-
● Revision/replacement – periodic evaluations for flaws and revisions, and to replace any faulty components that have or could cause security incidents.
-
● Maintenance/operation – system usage across the enterprise. System performance monitoring, regular change management process, backup and recovery procedures, risk analysis that accompanies recertification/accreditation (due to a relocation, change in data classification, or major system change)
-
5 Phase of SDLC
- MNEMONICS: Real Developers Ideas Take Effort (Requirements Analysis, Design, Implementation, Testing, Evolution) RDITE
-
-
Software capability maturity model
-
Initial – good practices are disorganized and chaotic; poorly controlled.
-
Repeatable – reactive practices and a bit more organized but not necessarily defined.
-
Defined – formal practices/processes that are well-understood and proactive.
- Software Capability Maturity Model (IDEAL is the other model) - How mature is your capability? (Think of mature software developers liking Oreo cookies) MNEMONICS: I Really Don't Mind Oreos (Initiating, Repeatable (lifecycle management, proper QA), Defined (documented), Managed (is Quantitative, and Quality Mgmt), Optimized(Change Management is followed)
-
Managed – quantitative, measured, calculable, and assessable.
-
Optimizing – practices/processes are continuously optimized and improved
-
-
Covert channels
-
coVert channel – Violates security policy
-
backdOOr
-
trapdOOr
-
maintenance hOOk
-
(gOOd unless left in)
-
-
Software Assurance During Acquisition
-
Planning
-
Contracting
-
Monitoring, Acceptance and Development
-
Ongoing Use and Support
-
Follow-On
-
-
Change Management Process
-
Request
-
Review
-
Accept/Reject
- MNEMONICS: Red Rabbits Are Trained In Dancing (Request, Review, Accept/Reject, Testing, Implement, Document)
-
Testing
-
Implement
-
Document
-
-
Change and Configuration Management
-
Request
-
Change Control
- MNEMONICS: Rabbits Chasing Rabbits (Request, Change Control, Release Control)(Request - Red, Change Control - Rabbits Are Trained, Release Control - In Dancing
-
Release Control
-
-
Ring computing model
-
Layer 0 - Kernel
-
Layer 1 - Operating System
- MNEMONICS: Remember "Zero KODU"
-
Layer 2 - Drivers
-
Layer 3 - User
-
-