My CSSLP Notes

While I am studying for CSSLP, I am keeping notes about it here. This notes may have references from various CSSLP books.

Confidentiality: Confidentiality is the concept of preventing the disclosure of information to unauthorized parties. In layman terms, keeping secret secret is confidentiality.

Integrity: Integrity is similar to confidentiality, except rather than protecting the data from unauthorized access, integrity refers to protecting data from unauthorized alteration.

Availability: Access to systems by authorized personnel can be expressed as the system’s availability.

Authentication: Authentication is the process of determining the identity of a user. Three general methods are used in authentication. In order to verify your identity, you can provide:

  • Something you know
  • Something you have
  • Something about you (something that you are)

Authorization: Authorization is the process of applying access control rules to a user process, determining whether or not a particular user process can access an object. Three elements are used in discussion of authorization:

  • A requester (sometimes referred to as the subject)
  • The object
  • The type or level of access to be granted.

Accounting (Auditing): Accounting is means of measuring activity. With IT systems, this can be done by logging crucial elements of activity as they occur. With respect to Data Elements, accounting is needed when activity is determined to be crucial to the degree that it may be audited at a later date and time.

*** A key element in audit logs is the employment of a monitoring, detection, and response process. Without mechanism or processes to “trigger” alerts or notifications to admins based on particular logged events, the value of logging is diminished or isolated to a post-incident resource instead of contributing to an alerting or incident prevention resource.

Non-repudiation: Non-repudiation is the concept of preventing a subject from denying a previous action with an object in a system. When authentication, authorization and auditing are properly configured, the ability to prevent repudiation by a specific subject with respect to an action and an object is ensured.

System Tenets:

Session Management: Session management refers to the design and implementation of controls to ensure that communication channels are secured from unauthorized access and disruption of a communication.