CISSP For Dummies

7th ed.

by: Lawrence C. Miller, Peter H. Gregory

28,99 €

Publisher: Wiley
Format: PDF
Published: 02.02.2022
ISBN/EAN: 9781119806899
Language: English
Number of pages: 608

DRM-protected eBook; you need e.g. Adobe Digital Editions and an Adobe ID to read it.

Descriptions

<p><b>Get CISSP certified, with this comprehensive study plan! </b></p> <p>Revised for the updated 2021 exam, <i>CISSP For Dummies</i> is packed with everything you need to succeed on test day. With deep content review on every domain, plenty of practice questions, and online study tools, this book helps aspiring security professionals unlock the door to success on this high-stakes exam. This book, written by CISSP experts, goes beyond the exam material and includes tips on setting up a 60-day study plan, exam-day advice, and access to an online test bank of questions. </p> <p>Make your test day stress-free with <i>CISSP For Dummies</i>!  </p> <ul> <li>Review every last detail you need to pass the CISSP certification exam </li> <li>Master all 8 test domains, from Security and Risk Management through Software Development Security </li> <li>Get familiar with the 2021 test outline  </li> <li>Boost your performance with an online test bank, digital flash cards, and test-day tips </li> </ul> <p>If you’re a security professional seeking your CISSP certification, this book is your secret weapon as you prepare for the exam. </p>
<p><b>Introduction 1</b></p> <p>About This Book 2</p> <p>Foolish Assumptions 3</p> <p>Icons Used in This Book 3</p> <p>Beyond the Book 4</p> <p>Where to Go from Here 5</p> <p><b>Part 1: Getting Started with CISSP Certification 7</b></p> <p><b>Chapter 1: (ISC)2 and the CISSP Certification 9</b></p> <p>About (ISC)2 and the CISSP Certification 9</p> <p>You Must Be This Tall to Ride This Ride (And Other Requirements) 10</p> <p>Preparing for the Exam 12</p> <p>Studying on your own 13</p> <p>Getting hands-on experience 14</p> <p>Getting official (ISC)2 CISSP training 14</p> <p>Attending other training courses or study groups 15</p> <p>Taking practice exams 15</p> <p>Are you ready for the exam? 16</p> <p>Registering for the Exam 16</p> <p>About the CISSP Examination 17</p> <p>After the Examination 20</p> <p><b>Chapter 2: Putting Your Certification to Good Use 23</b></p> <p>Networking with Other Security Professionals 24</p> <p>Being an Active (ISC)2 Member 25</p> <p>Considering (ISC)2 Volunteer Opportunities 26</p> <p>Writing certification exam questions 27</p> <p>Speaking at events 27</p> <p>Helping at (ISC)2 conferences 27</p> <p>Reading and contributing to (ISC)2 publications 27</p> <p>Supporting the (ISC)2 Center for Cyber Safety and Education 28</p> <p>Participating in bug-bounty programs 28</p> <p>Participating in (ISC)2 focus groups 28</p> <p>Joining the (ISC)2 community 28</p> <p>Getting involved with a CISSP study group 28</p> <p>Helping others learn more about data security 29</p> <p>Becoming an Active Member of Your Local Security Chapter 30</p> <p>Spreading the Good Word about CISSP Certification 31</p> <p>Leading by example 32</p> <p>Using Your CISSP Certification to Be an Agent of Change 32</p> <p>Earning Other Certifications 33</p> <p>Other (ISC)2 certifications 33</p> <p>CISSP concentrations 34</p> <p>Non-(ISC)2 certifications 34</p> <p>Choosing the right certifications 38</p> <p>Finding a mentor, being a mentor 39</p> <p>Building your professional brand 
39</p> <p>Pursuing Security Excellence 40</p> <p><b>Part 2: Certification Domains 43</b></p> <p><b>Chapter 3: Security and Risk Management 45</b></p> <p>Understand, Adhere to, and Promote Professional Ethics 45</p> <p>(ISC)2 Code of Professional Ethics 46</p> <p>Organizational code of ethics 47</p> <p>Understand and Apply Security Concepts 49</p> <p>Confidentiality 50</p> <p>Integrity 51</p> <p>Availability 51</p> <p>Authenticity 52</p> <p>Nonrepudiation 52</p> <p>Evaluate and Apply Security Governance Principles 53</p> <p>Alignment of security function to business strategy, goals, mission, and objectives 53</p> <p>Organizational processes 54</p> <p>Organizational roles and responsibilities 56</p> <p>Security control frameworks 57</p> <p>Due care and due diligence 60</p> <p>Determine Compliance and Other Requirements 61</p> <p>Contractual, legal, industry standards, and regulatory requirements 61</p> <p>Privacy requirements 66</p> <p>Understand Legal and Regulatory Issues That Pertain to Information Security 67</p> <p>Cybercrimes and data breaches 67</p> <p>Licensing and intellectual property requirements 82</p> <p>Import/export controls 85</p> <p>Transborder data flow 85</p> <p>Privacy 86</p> <p>Understand Requirements for Investigation Types 93</p> <p>Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines 94</p> <p>Policies 95</p> <p>Standards (and baselines) 95</p> <p>Procedures 96</p> <p>Guidelines 96</p> <p>Identify, Analyze, and Prioritize Business Continuity (BC) Requirements 96</p> <p>Business impact analysis 99</p> <p>Develop and document the scope and the plan 107</p> <p>Contribute to and Enforce Personnel Security Policies and Procedures 120</p> <p>Candidate screening and hiring 120</p> <p>Employment agreements and policies 123</p> <p>Onboarding, transfers, and termination processes 123</p> <p>Vendor, consultant, and contractor agreements and controls 124</p> <p>Compliance policy requirements 125</p> <p>Privacy policy 
requirements 125</p> <p>Understand and Apply Risk Management Concepts 125</p> <p>Identify threats and vulnerabilities 126</p> <p>Risk assessment/analysis 126</p> <p>Risk appetite and risk tolerance 132</p> <p>Risk treatment 133</p> <p>Countermeasure selection and implementation 133</p> <p>Applicable types of controls 135</p> <p>Control assessments (security and privacy) 137</p> <p>Monitoring and measurement 139</p> <p>Reporting 140</p> <p>Continuous improvement 141</p> <p>Risk frameworks 141</p> <p>Understand and Apply Threat Modeling Concepts and Methodologies 143</p> <p>Identifying threats 143</p> <p>Determining and diagramming potential attacks 144</p> <p>Performing reduction analysis 145</p> <p>Remediating threats 145</p> <p>Apply Supply Chain Risk Management (SCRM) Concepts 146</p> <p>Risks associated with hardware, software, and services 147</p> <p>Third-party assessment and monitoring 147</p> <p>Fourth-party risk 147</p> <p>Minimum security requirements 147</p> <p>Service-level agreement requirements 147</p> <p>Establish and Maintain a Security Awareness, Education, and Training Program 148</p> <p>Methods and techniques to present awareness and training 148</p> <p>Periodic content reviews 151</p> <p>Program effectiveness evaluation 151</p> <p><b>Chapter 4: Asset Security 153</b></p> <p>Identify and Classify Information and Assets 153</p> <p>Data classification 157</p> <p>Asset classification 161</p> <p>Establish Information and Asset Handling Requirements 162</p> <p>Provision Resources Securely 164</p> <p>Information and asset ownership 164</p> <p>Asset inventory 165</p> <p>Asset management 166</p> <p>Manage Data Life Cycle 167</p> <p>Data roles 168</p> <p>Data collection 168</p> <p>Data location 169</p> <p>Data maintenance 169</p> <p>Data retention 169</p> <p>Data remanence 170</p> <p>Data destruction 171</p> <p>Ensure Appropriate Asset Retention 171</p> <p>End of life 171</p> <p>End of support 172</p> <p>Determine Data Security Controls and Compliance 
Requirements 172</p> <p>Data states 173</p> <p>Scoping and tailoring 174</p> <p>Standards selection 175</p> <p>Data protection methods 176</p> <p><b>Chapter 5: Security Architecture and Engineering 179</b></p> <p>Research, Implement, and Manage Engineering Processes Using Secure Design Principles 180</p> <p>Threat modeling 182</p> <p>Least privilege (and need to know) 186</p> <p>Defense in depth 187</p> <p>Secure defaults 188</p> <p>Fail securely 188</p> <p>Separation of duties 189</p> <p>Keep it simple 189</p> <p>Zero trust 189</p> <p>Privacy by design 191</p> <p>Trust but verify 192</p> <p>Shared responsibility 194</p> <p>Understand the Fundamental Concepts of Security Models 196</p> <p>Select Controls Based Upon Systems Security Requirements 199</p> <p>Evaluation criteria 200</p> <p>System certification and accreditation 205</p> <p>Understand Security Capabilities of Information Systems 208</p> <p>Trusted Computing Base 208</p> <p>Trusted Platform Module 209</p> <p>Secure modes of operation 209</p> <p>Open and closed systems 210</p> <p>Memory protection 210</p> <p>Encryption and decryption 210</p> <p>Protection rings 211</p> <p>Security modes 211</p> <p>Recovery procedures 212</p> <p>Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 213</p> <p>Client-based systems 214</p> <p>Server-based systems 215</p> <p>Database systems 215</p> <p>Cryptographic systems 216</p> <p>Industrial control systems 217</p> <p>Cloud-based systems 218</p> <p>Distributed systems 220</p> <p>Internet of Things 221</p> <p>Microservices 221</p> <p>Containerization 222</p> <p>Serverless 223</p> <p>Embedded systems 224</p> <p>High-performance computing systems 225</p> <p>Edge computing systems 225</p> <p>Virtualized systems 226</p> <p>Web-based systems 226</p> <p>Mobile systems 228</p> <p>Select and Determine Cryptographic Solutions 228</p> <p>Plaintext and ciphertext 230</p> <p>Encryption and decryption 230</p> <p>End-to-end encryption 230</p> 
<p>Link encryption 231</p> <p>Putting it all together: The cryptosystem 232</p> <p>Classes of ciphers 233</p> <p>Types of ciphers 234</p> <p>Cryptographic life cycle 237</p> <p>Cryptographic methods 238</p> <p>Public key infrastructure 248</p> <p>Key management practices 248</p> <p>Digital signatures and digital certificates 250</p> <p>Nonrepudiation 250</p> <p>Integrity (hashing) 251</p> <p>Understand Methods of Cryptanalytic Attacks 253</p> <p>Brute force 254</p> <p>Ciphertext only 254</p> <p>Known plaintext 255</p> <p>Frequency analysis 255</p> <p>Chosen ciphertext 255</p> <p>Implementation attacks 255</p> <p>Side channel 255</p> <p>Fault injection 256</p> <p>Timing 256</p> <p>Man in the middle 256</p> <p>Pass the hash 257</p> <p>Kerberos exploitation 257</p> <p>Ransomware 257</p> <p>Apply Security Principles to Site and Facility Design 259</p> <p>Design Site and Facility Security Controls 261</p> <p>Wiring closets, server rooms, and more 264</p> <p>Restricted and work area security 265</p> <p>Utilities and heating, ventilation, and air conditioning 266</p> <p>Environmental issues 267</p> <p>Fire prevention, detection, and suppression 268</p> <p>Power 272</p> <p><b>Chapter 6: Communication and Network Security 275</b></p> <p>Assess and Implement Secure Design Principles in Network Architectures 275</p> <p>OSI and TCP/IP models 277</p> <p>The OSI Reference Model 278</p> <p>The TCP/IP Model 315</p> <p>Secure Network Components 316</p> <p>Operation of hardware 316</p> <p>Transmission media 317</p> <p>Network access control devices 318</p> <p>Endpoint security 328</p> <p>Implement Secure Communication Channels According to Design 331</p> <p>Voice 331</p> <p>Multimedia collaboration 332</p> <p>Remote access 332</p> <p>Data communications 336</p> <p>Virtualized networks 336</p> <p>Third-party connectivity 338</p> <p><b>Chapter 7: Identity and Access Management 339</b></p> <p>Control Physical and Logical Access to Assets 340</p> <p>Information 340</p> <p>Systems and 
devices 340</p> <p>Facilities 342</p> <p>Applications 342</p> <p>Manage Identification and Authentication of People, Devices, and Services 343</p> <p>Identity management implementation 343</p> <p>Single-/multifactor authentication 343</p> <p>Accountability 358</p> <p>Session management 359</p> <p>Registration, proofing, and establishment of identity 360</p> <p>Federated identity management 361</p> <p>Credential management systems 361</p> <p>Single sign-on 362</p> <p>Just-in-Time 363</p> <p>Federated Identity with a Third-Party Service 363</p> <p>On-premises 365</p> <p>Cloud 365</p> <p>Hybrid 365</p> <p>Implement and Manage Authorization Mechanisms 365</p> <p>Role-based access control 366</p> <p>Rule-based access control 367</p> <p>Mandatory access control 367</p> <p>Discretionary access control 368</p> <p>Attribute-based access control 369</p> <p>Risk-based access control 370</p> <p>Manage the Identity and Access Provisioning Life Cycle 370</p> <p>Implement Authentication Systems 372</p> <p>OpenID Connect/Open Authorization 372</p> <p>Security Assertion Markup Language 372</p> <p>Kerberos 373</p> <p>Radius and Tacacs+ 376</p> <p><b>Chapter 8: Security Assessment and Testing 379</b></p> <p>Design and Validate Assessment, Test, and Audit Strategies 379</p> <p>Conduct Security Control Testing 381</p> <p>Vulnerability assessment 381</p> <p>Penetration testing 383</p> <p>Log reviews 388</p> <p>Synthetic transactions 389</p> <p>Code review and testing 390</p> <p>Misuse case testing 391</p> <p>Test coverage analysis 392</p> <p>Interface testing 392</p> <p>Breach attack simulations 393</p> <p>Compliance checks 393</p> <p>Collect Security Process Data 393</p> <p>Account management 395</p> <p>Management review and approval 395</p> <p>Key performance and risk indicators 396</p> <p>Backup verification data 397</p> <p>Training and awareness 399</p> <p>Disaster recovery and business continuity 400</p> <p>Analyze Test Output and Generate Reports 400</p> <p>Remediation 401</p> 
<p>Exception handling 402</p> <p>Ethical disclosure 403</p> <p>Conduct or Facilitate Security Audits 404</p> <p><b>Chapter 9: Security Operations 407</b></p> <p>Understand and Comply with Investigations 408</p> <p>Evidence collection and handling 408</p> <p>Reporting and documentation 415</p> <p>Investigative techniques 416</p> <p>Digital forensics tools, tactics, and procedures 418</p> <p>Artifacts 419</p> <p>Conduct Logging and Monitoring Activities 419</p> <p>Intrusion detection and prevention 419</p> <p>Security information and event management 421</p> <p>Security orchestration, automation, and response 421</p> <p>Continuous monitoring 422</p> <p>Egress monitoring 422</p> <p>Log management 423</p> <p>Threat intelligence 423</p> <p>User and entity behavior analysis 424</p> <p>Perform Configuration Management 424</p> <p>Apply Foundational Security Operations Concepts 426</p> <p>Need-to-know and least privilege 427</p> <p>Separation of duties and responsibilities 428</p> <p>Privileged account management 429</p> <p>Job rotation 431</p> <p>Service-level agreements 433</p> <p>Apply Resource Protection 436</p> <p>Media management 436</p> <p>Media protection techniques 438</p> <p>Conduct Incident Management 438</p> <p>Operate and Maintain Detective and Preventative Measures 440</p> <p>Implement and Support Patch and Vulnerability Management 442</p> <p>Understand and Participate in Change Management Processes 443</p> <p>Implement Recovery Strategies 444</p> <p>Backup storage strategies 444</p> <p>Recovery site strategies 445</p> <p>Multiple processing sites 445</p> <p>System resilience, high availability, quality of service, and fault tolerance 445</p> <p>Implement Disaster Recovery Processes 448</p> <p>Response 451</p> <p>Personnel 453</p> <p>Communications 454</p> <p>Assessment 455</p> <p>Restoration 455</p> <p>Training and awareness 456</p> <p>Lessons learned 456</p> <p>Test Disaster Recovery Plans 456</p> <p>Read-through or tabletop 457</p> <p>Walkthrough 457</p> 
<p>Simulation 458</p> <p>Parallel 459</p> <p>Full interruption (or cutover) 459</p> <p>Participate in Business Continuity Planning and Exercises 460</p> <p>Implement and Manage Physical Security 460</p> <p>Address Personnel Safety and Security Concerns 461</p> <p><b>Chapter 10: Software Development Security 463</b></p> <p>Understand and Integrate Security in the Software</p> <p>Development Life Cycle 464</p> <p>Development methodologies 464</p> <p>Maturity models 473</p> <p>Operation and maintenance 474</p> <p>Change management 475</p> <p>Integrated product team 476</p> <p>Identify and Apply Security Controls in Software Development Ecosystems 476</p> <p>Programming languages 477</p> <p>Libraries 478</p> <p>Tool sets 478</p> <p>Integrated development environment 480</p> <p>Runtime 480</p> <p>Continuous integration/continuous delivery 481</p> <p>Security orchestration, automation, and response 481</p> <p>Software configuration management 482</p> <p>Code repositories 483</p> <p>Application security testing 484</p> <p>Assess the Effectiveness of Software Security 486</p> <p>Auditing and logging of changes 486</p> <p>Risk analysis and mitigation 487</p> <p>Assess Security Impact of Acquired Software 489</p> <p>Define and Apply Secure Coding Guidelines and Standards 490</p> <p>Security weaknesses and vulnerabilities at the source-code level 491</p> <p>Security of application programming interfaces 492</p> <p>Secure coding practices 493</p> <p>Software-defined security 495</p> <p><b>Part 3: The Part of Tens 497</b></p> <p><b>Chapter 11: Ten Ways to Prepare for the Exam 499</b></p> <p>Know Your Learning Style 499</p> <p>Get a Networking Certification First 500</p> <p>Register Now 500</p> <p>Make a 60-Day Study Plan 500</p> <p>Get Organized and Read 501</p> <p>Join a Study Group 501</p> <p>Take Practice Exams 502</p> <p>Take a CISSP Training Seminar 502</p> <p>Adopt an Exam-Taking Strategy 502</p> <p>Take a Breather 503</p> <p><b>Chapter 12: Ten Test-Day Tips 505</b></p> 
<p>Get a Good Night’s Rest 505</p> <p>Dress Comfortably 506</p> <p>Eat a Good Meal 506</p> <p>Arrive Early 506</p> <p>Bring Approved Identification 506</p> <p>Bring Snacks and Drinks 507</p> <p>Bring Prescription and Over-the-Counter Medications 507</p> <p>Leave Your Mobile Devices Behind 507</p> <p>Take Frequent Breaks 507</p> <p>Guess — As a Last Resort 508</p> <p>Glossary 509</p> <p>Index 565 </p>
<p><b>Lawrence C. Miller, CISSP,</b> is a veteran information security professional. He has served as a consultant for multinational corporations and holds many networking certifications.</p> <p><b>Peter H. Gregory, CISSP,</b> is a security, risk, and technology director with experience in SaaS, retail, telecommunications, non-profit, manufacturing, healthcare, and beyond. Larry and Peter have been coauthors of <i>CISSP For Dummies</i> for more than 20 years.</p>
<p><b>Lock down your CISSP<sup>®</sup> certification! </b></p> <p>You have at least 5 years of professional experience in security, so it’s time to give your career a boost with CISSP. This book is your key to succeeding on test day and beyond. You’ll learn everything you need to know about the popular (ISC)<sup>2</sup> certification and what’s on the test. Get smart about each of the 8 domains, and prepare with practice questions and online study tools that will help make test day a breeze. This latest edition covers all of the 2021 exam updates, too. With exam-day tips and advice for making the most of your CISSP certification, <i>CISSP For Dummies</i> is your one-stop shop as you take your occupation to new heights.</p> <p><b>Inside…</b></p> <ul><li>Understand how the CISSP exam works</li> <li>Study for the individual domains of the exam</li> <li>Create a 60-day study plan</li> <li>New privacy regulations</li> <li>Prepare for a smooth and stress-free test day</li> <li>Advice on getting the most from your CISSP certification</li></ul>
