Mobile Voice Recording – Your Story!

November 23rd, 2011 by admin

As you know, Mobile Voice Recording is a regulatory requirement within the Financial Services Sector.

In Q4 2010, the FSA announced that the taping of mobile phones would no longer be treated as an exemption. Subsequently, the rules and requirements were published, leaving affected financial institutions no more than 1 year to take ‘reasonable’ steps in implementing a recording strategy for all relevant mobile phones. For some businesses, this meant significant changes in both business process and IT infrastructure. Naturally, a substantial amount of resistance was generated; nevertheless, the regulatory requirement stands and is now in force.

So! That being said, it would be great to hear about your involvement in becoming compliant. What challenges did you encounter, and how were they overcome? More importantly, did you meet the deadline?

I worked on implementing Mobile Voice Recording for several large-scale projects in order to meet compliance. It would be great to hear your story!

SSE-CMM – Maturity Model

June 21st, 2011 by admin

“The SSE-CMM describes the essential characteristics of an organization’s security engineering process that must exist to ensure sound security engineering. This model is something that will most definitely be covered on the CISSP examination, so make sure you study it well!

Employing this model has several benefits; its primary focal points are the following:

  • Tool for engineering organizations to evaluate security engineering practices and define improvements to them
  • Standards mechanism for customers to evaluate a provider’s security engineering capability
  • Basis for security engineering evaluation organization (system certifiers and product evaluators) to establish organization capability-based confidences (as an ingredient to system or project security assurance)”

In addition to this, the maturity model addresses Continuity, Repeatability, Efficiency, and Assurance.

So what exactly is the SSE-CMM? Well, it’s a process reference model which focuses on the requirements for implementing security across systems in the Information Technology Security Domain. The SSE-CMM has a relationship to the ISO/IEC TR 15504 standard (particularly ISO/IEC TR 15504-2).

Within the SSE-CMM there are several Generic Practices; these are considered applicable to all processes. The generic practices are used in a process appraisal to determine the capability of any process. These practices are grouped according to common feature and capability level.

Capability Level 1 – Performed Informally
Capability Level 2 – Planned and Tracked
Capability Level 3 – Well Defined
Capability Level 4 – Quantitatively Controlled
Capability Level 5 – Continuously Improving


I Keep Six Honest Serving Men

May 30th, 2011 by admin

The SABSA Matrix – Enterprise Security Architecture

The SABSA matrix provides a detailed analysis of each of the six layers (see below). If all of these layers are addressed then you have covered the entire range of questions to be asked and you can have a high level of assurance that your security architecture is complete.

To be more specific, the SABSA matrix aids us in mapping through the implementation of the Enterprise Security Architecture, focusing on the What, Why, How, Who, Where and When security is implemented on assets through different perspectives, or layers.

Fire Suppressants!

May 27th, 2011 by admin

The Physical (Environmental) Security domain of the CISSP CBK incorporates protection techniques for the entire facility. One topic in particular covers Fire Suppressants and Suppression Systems; this information is a must for the certification exam. Fire Suppression Systems in their entirety also include detection and alarm controls. Further information on suppression systems can be found in the NFPA 13 handbook. What you will find below are some crimson notes I have written over the past few days.


Which Fire Extinguisher?

* Fire Extinguishers should always be within 50 meters of Electric Equipment

The DRII Top Ten Professional Practices

April 26th, 2011 by admin

Throughout the course of the past few days (weeks, if I’m honest) I have been quite intensely researching the Business Continuity and Disaster Recovery Planning CBK. Due to the ever-increasing legalities and regulations involved with BCP/DRP, don’t be surprised to find several dozen BC-related articles over the coming few weeks!

One de jure standard which sparks particular interest is the DRII Top Ten Professional Practices, which is actually the basis of NFPA 1600.

The DRII Top Ten Professional Practices is a Business Continuity Management (“BCM”) program, which has been structured into 10 key areas. The primary objective of this program, much like any other BC program, is to allow the company executives to continue to manage the organization under adverse or undesirable conditions by the introduction of appropriate business continuity strategies.

Project Initiation and Management
Where do you begin the task of developing a Business Continuity Plan for your organisation? Take time in establishing the need for BCP. It is crucial to obtain support from senior management; without this level of support, the Business Continuity Program will most certainly fail.

What is the C-I-A?

March 14th, 2011 by admin

Referenced from CISSP Exam Cram 2

The C-I-A (Confidentiality, Integrity, and Availability) is a fundamental principle when it comes to effective information security. Organisations which have an active approach towards information security and adhere to the C-I-A concept are in the optimal stance in preventing unwanted influences, attacks, and other malicious activity.

As mentioned, the C-I-A is comprised of three important elements.

Confidentiality: Refers to the efforts made in ensuring information is not disclosed to those individuals who do not have the need, or right, to see it. For example, if a user were to intercept an email between the CIO and CEO of the organisation, confidentiality has been breached.

Integrity: The concept of integrity means that data has not been modified by unauthorised users. In business terms, data integrity is the assurance that data is consistent and is identically maintained throughout any operation, such as transfer, storage, and retrieval. For example, a MitM (Man in the Middle) attack is executed by intercepting the data between the intended end-points, modifying it, and re-sending it to the destination.

Availability: This refers to the efforts made to ensure data is always available. These efforts will involve preventative controls to mitigate disruption to service or productivity.

Welcome to my Blog, CISSP Journal!

March 13th, 2011 by admin

Welcome to my personal Blog. My name is David Prince. For the past several years I have been a Systems/Security Engineer with a strong focus on Networking & Telecommunications, Information Security, and Virtualization. 

Throughout the duration of my CISSP studies I will be writing articles and posting relevant thoughts, findings, and experiments regarding the CISSP exam and its vast syllabus (and on some occasions other areas of interest). Although the primary purpose of this blog is to aid my personal studies, I welcome feedback.