
Download the book CISSP All-in-One Exam Guide,

Book details

CISSP All-in-One Exam Guide,

Edition: 9
Authors:
Series:
ISBN: 1260467376, 9781260467376
Publisher: McGraw Hill
Year of publication: 2021
Number of pages: 1361
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 at the user's request)
File size: 106 MB

Book price (Toman): 77,000





If you need the file of the book CISSP All-in-One Exam Guide, converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can notify support so that they convert the file for you.

Note that the book CISSP All-in-One Exam Guide, is the original-language edition and is not a Persian translation. The International Library website provides original-language books and does not offer any books translated into or written in Persian.


Description of the book in the original language



Table of contents

Cover
About the Authors
Title Page
Copyright Page
Dedication
Contents at a Glance
Contents
From the Author
Acknowledgments
Why Become a CISSP?
Part I Security and Risk Management
	Chapter 1 Cybersecurity Governance
		Fundamental Cybersecurity Concepts and Terms
			Confidentiality
			Integrity
			Availability
			Authenticity
			Nonrepudiation
			Balanced Security
			Other Security Terms
		Security Governance Principles
			Aligning Security to Business Strategy
			Organizational Processes
			Organizational Roles and Responsibilities
		Security Policies, Standards, Procedures, and Guidelines
			Security Policy
			Standards
			Baselines
			Guidelines
			Procedures
			Implementation
		Personnel Security
			Candidate Screening and Hiring
			Employment Agreements and Policies
			Onboarding, Transfers, and Termination Processes
			Vendors, Consultants, and Contractors
			Compliance Policies
			Privacy Policies
		Security Awareness, Education, and Training Programs
			Degree or Certification?
			Methods and Techniques to Present Awareness and Training
			Periodic Content Reviews
			Program Effectiveness Evaluation
		Professional Ethics
			(ISC)2 Code of Professional Ethics
			Organizational Code of Ethics
			The Computer Ethics Institute
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 2 Risk Management
		Risk Management Concepts
			Holistic Risk Management
			Information Systems Risk Management Policy
			The Risk Management Team
			The Risk Management Process
			Overview of Vulnerabilities and Threats
			Identifying Threats and Vulnerabilities
		Assessing Risks
			Asset Valuation
			Risk Assessment Teams
			Methodologies for Risk Assessment
			Risk Analysis Approaches
			Qualitative Risk Analysis
		Responding to Risks
			Total Risk vs. Residual Risk
			Countermeasure Selection and Implementation
			Types of Controls
			Control Assessments
		Monitoring Risks
			Effectiveness Monitoring
			Change Monitoring
			Compliance Monitoring
			Risk Reporting
			Continuous Improvement
		Supply Chain Risk Management
			Upstream and Downstream Suppliers
			Risks Associated with Hardware, Software, and Services
			Other Third-Party Risks
			Minimum Security Requirements
			Service Level Agreements
		Business Continuity
			Standards and Best Practices
			Making BCM Part of the Enterprise Security Program
			Business Impact Analysis
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 3 Compliance
		Laws and Regulations
			Types of Legal Systems
			Common Law Revisited
		Cybercrimes and Data Breaches
			Complexities in Cybercrime
			The Evolution of Attacks
			International Issues
			Data Breaches
			Import/Export Controls
			Transborder Data Flow
			Privacy
		Licensing and Intellectual Property Requirements
			Trade Secret
			Copyright
			Trademark
			Patent
			Internal Protection of Intellectual Property
			Software Piracy
		Compliance Requirements
			Contractual, Legal, Industry Standards, and Regulatory Requirements
			Privacy Requirements
			Liability and Its Ramifications
		Requirements for Investigations
			Administrative
			Criminal
			Civil
			Regulatory
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 4 Frameworks
		Overview of Frameworks
		Risk Frameworks
			NIST RMF
			ISO/IEC 27005
			OCTAVE
			FAIR
		Information Security Frameworks
			Security Program Frameworks
			Security Control Frameworks
		Enterprise Architecture Frameworks
			Why Do We Need Enterprise Architecture Frameworks?
			Zachman Framework
			The Open Group Architecture Framework
			Military-Oriented Architecture Frameworks
		Other Frameworks
			ITIL
			Six Sigma
			Capability Maturity Model
		Putting It All Together
		Chapter Review
			Quick Review
			Questions
			Answers
Part II Asset Security
	Chapter 5 Assets
		Information and Assets
			Identification
			Classification
		Physical Security Considerations
			Protecting Mobile Devices
			Paper Records
			Safes
		Managing the Life Cycle of Assets
			Ownership
			Inventories
			Secure Provisioning
			Asset Retention
		Data Life Cycle
			Data Acquisition
			Data Storage
			Data Use
			Data Sharing
			Data Archival
			Data Destruction
			Data Roles
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 6 Data Security
		Data Security Controls
			Data States
			Standards
			Scoping and Tailoring
		Data Protection Methods
			Digital Asset Management
			Digital Rights Management
			Data Loss Prevention
			Cloud Access Security Broker
		Chapter Review
			Quick Review
			Questions
			Answers
Part III Security Architecture and Engineering
	Chapter 7 System Architectures
		General System Architectures
			Client-Based Systems
			Server-Based Systems
			Database Systems
			High-Performance Computing Systems
		Industrial Control Systems
			Devices
			Distributed Control System
			Supervisory Control and Data Acquisition
			ICS Security
		Virtualized Systems
			Virtual Machines
			Containerization
			Microservices
			Serverless
		Cloud-Based Systems
			Software as a Service
			Platform as a Service
			Infrastructure as a Service
			Everything as a Service
			Cloud Deployment Models
		Pervasive Systems
			Embedded Systems
			Internet of Things
		Distributed Systems
			Edge Computing Systems
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 8 Cryptology
		The History of Cryptography
		Cryptography Definitions and Concepts
		Cryptosystems
			Kerckhoffs' Principle
			The Strength of the Cryptosystem
			One-Time Pad
			Cryptographic Life Cycle
		Cryptographic Methods
			Symmetric Key Cryptography
			Asymmetric Key Cryptography
			Elliptic Curve Cryptography
			Quantum Cryptography
			Hybrid Encryption Methods
		Integrity
			Hashing Functions
			Message Integrity Verification
		Public Key Infrastructure
			Digital Certificates
			Certificate Authorities
			Registration Authorities
			PKI Steps
			Key Management
		Attacks Against Cryptography
			Key and Algorithm Attacks
			Implementation Attacks
			Other Attacks
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 9 Security Architectures
		Threat Modeling
			Attack Trees
			STRIDE
			The Lockheed Martin Cyber Kill Chain
			The MITRE ATT&CK Framework
			Why Bother with Threat Modeling
		Secure Design Principles
			Defense in Depth
			Zero Trust
			Trust But Verify
			Shared Responsibility
			Separation of Duties
			Least Privilege
			Keep It Simple
			Secure Defaults
			Fail Securely
			Privacy by Design
		Security Models
			Bell-LaPadula Model
			Biba Model
			Clark-Wilson Model
			Noninterference Model
			Brewer and Nash Model
			Graham-Denning Model
			Harrison-Ruzzo-Ullman Model
		Security Requirements
		Security Capabilities of Information Systems
			Trusted Platform Module
			Hardware Security Module
			Self-Encrypting Drive
			Bus Encryption
			Secure Processing
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 10 Site and Facility Security
		Site and Facility Design
			Security Principles
			The Site Planning Process
			Crime Prevention Through Environmental Design
			Designing a Physical Security Program
		Site and Facility Controls
			Work Area Security
			Data Processing Facilities
			Distribution Facilities
			Storage Facilities
			Utilities
			Fire Safety
			Environmental Issues
		Chapter Review
			Quick Review
			Questions
			Answers
Part IV Communication and Network Security
	Chapter 11 Networking Fundamentals
		Data Communications Foundations
			Network Reference Models
			Protocols
			Application Layer
			Presentation Layer
			Session Layer
			Transport Layer
			Network Layer
			Data Link Layer
			Physical Layer
			Functions and Protocols in the OSI Model
			Tying the Layers Together
		Local Area Networks
			Network Topology
			Medium Access Control Mechanisms
			Layer 2 Protocols
			Transmission Methods
			Layer 2 Security Standards
		Internet Protocol Networking
			TCP
			IP Addressing
			IPv6
			Address Resolution Protocol
			Dynamic Host Configuration Protocol
			Internet Control Message Protocol
			Simple Network Management Protocol
			Domain Name Service
			Network Address Translation
			Routing Protocols
		Intranets and Extranets
		Metropolitan Area Networks
			Metro Ethernet
		Wide Area Networks
			Dedicated Links
			WAN Technologies
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 12 Wireless Networking
		Wireless Communications Techniques
			Spread Spectrum
			Orthogonal Frequency Division Multiplexing
		Wireless Networking Fundamentals
			WLAN Components
			WLAN Standards
			Other Wireless Network Standards
			Other Important Standards
		Evolution of WLAN Security
			802.11
			802.11i
			802.11w
			WPA3
			802.1X
		Best Practices for Securing WLANs
		Mobile Wireless Communication
			Multiple Access Technologies
			Generations of Mobile Wireless
		Satellites
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 13 Securing the Network
		Applying Secure Design Principles to Network Architectures
		Secure Networking
			Link Encryption vs. End-to-End Encryption
			TLS
			VPN
		Secure Protocols
			Web Services
			Domain Name System
			Electronic Mail
		Multilayer Protocols
			Distributed Network Protocol 3
			Controller Area Network Bus
			Modbus
		Converged Protocols
			Encapsulation
			Fiber Channel over Ethernet
			Internet Small Computer Systems Interface
		Network Segmentation
			VLANs
			Virtual eXtensible Local Area Network
			Software-Defined Networks
			Software-Defined Wide Area Network
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 14 Network Components
		Transmission Media
			Types of Transmission
			Cabling
			Bandwidth and Throughput
		Network Devices
			Repeaters
			Bridges
			Switches
			Routers
			Gateways
			Proxy Servers
			PBXs
			Network Access Control Devices
			Network Diagramming
			Operation of Hardware
		Endpoint Security
		Content Distribution Networks
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 15 Secure Communications Channels
		Voice Communications
			Public Switched Telephone Network
			DSL
			ISDN
			Cable Modems
			IP Telephony
		Multimedia Collaboration
			Meeting Applications
			Unified Communications
		Remote Access
			VPN
			Desktop Virtualization
			Secure Shell
		Data Communications
			Network Sockets
			Remote Procedure Calls
		Virtualized Networks
		Third-Party Connectivity
		Chapter Review
			Quick Review
			Questions
			Answers
Part V Identity and Access Management
	Chapter 16 Identity and Access Fundamentals
		Identification, Authentication, Authorization, and Accountability
			Identification and Authentication
			Knowledge-Based Authentication
			Biometric Authentication
			Ownership-Based Authentication
		Credential Management
			Password Managers
			Password Synchronization
			Self-Service Password Reset
			Assisted Password Reset
			Just-in-Time Access
			Registration and Proofing of Identity
			Profile Update
			Session Management
			Accountability
		Identity Management
			Directory Services
			Directories' Role in Identity Management
			Single Sign-On
			Federated Identity Management
		Federated Identity with a Third-Party Service
			Integration Issues
			On-Premise
			Cloud
			Hybrid
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 17 Managing Identities and Access
		Authorization Mechanisms
			Discretionary Access Control
			Mandatory Access Control
			Role-Based Access Control
			Rule-Based Access Control
			Attribute-Based Access Control
			Risk-Based Access Control
		Implementing Authentication and Authorization Systems
			Access Control and Markup Languages
			OAuth
			OpenID Connect
			Kerberos
			Remote Access Control Technologies
		Managing the Identity and Access Provisioning Life Cycle
			Provisioning
			Access Control
			Compliance
			Configuration Management
			Deprovisioning
		Controlling Physical and Logical Access
			Information Access Control
			System and Application Access Control
			Access Control to Devices
			Facilities Access Control
		Chapter Review
			Quick Review
			Questions
			Answers
Part VI Security Assessment and Testing
	Chapter 18 Security Assessments
		Test, Assessment, and Audit Strategies
			Designing an Assessment
			Validating an Assessment
		Testing Technical Controls
			Vulnerability Testing
			Other Vulnerability Types
			Penetration Testing
			Red Teaming
			Breach Attack Simulations
			Log Reviews
			Synthetic Transactions
			Code Reviews
			Code Testing
			Misuse Case Testing
			Test Coverage
			Interface Testing
			Compliance Checks
		Conducting Security Audits
			Internal Audits
			External Audits
			Third-Party Audits
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 19 Measuring Security
		Quantifying Security
			Security Metrics
			Key Performance and Risk Indicators
		Security Process Data
			Account Management
			Backup Verification
			Security Training and Security Awareness Training
			Disaster Recovery and Business Continuity
		Reporting
			Analyzing Results
			Writing Technical Reports
			Executive Summaries
		Management Review and Approval
			Before the Management Review
			Reviewing Inputs
			Management Approval
		Chapter Review
			Quick Review
			Questions
			Answers
Part VII Security Operations
	Chapter 20 Managing Security Operations
		Foundational Security Operations Concepts
			Accountability
			Need-to-Know/Least Privilege
			Separation of Duties and Responsibilities
			Privileged Account Management
			Job Rotation
			Service Level Agreements
		Change Management
			Change Management Practices
			Change Management Documentation
		Configuration Management
			Baselining
			Provisioning
			Automation
		Resource Protection
			System Images
			Source Files
			Backups
		Vulnerability and Patch Management
			Vulnerability Management
			Patch Management
		Physical Security
			External Perimeter Security Controls
			Facility Access Control
			Internal Security Controls
			Personnel Access Controls
			Intrusion Detection Systems
			Auditing Physical Access
		Personnel Safety and Security
			Travel
			Security Training and Awareness
			Emergency Management
			Duress
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 21 Security Operations
		The Security Operations Center
			Elements of a Mature SOC
			Threat Intelligence
		Preventive and Detective Measures
			Firewalls
			Intrusion Detection and Prevention Systems
			Antimalware Software
			Sandboxing
			Outsourced Security Services
			Honeypots and Honeynets
			Artificial Intelligence Tools
		Logging and Monitoring
			Log Management
			Security Information and Event Management
			Egress Monitoring
			User and Entity Behavior Analytics
			Continuous Monitoring
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 22 Security Incidents
		Overview of Incident Management
			Detection
			Response
			Mitigation
			Reporting
			Recovery
			Remediation
			Lessons Learned
		Incident Response Planning
			Roles and Responsibilities
			Incident Classification
			Notifications
			Operational Tasks
			Runbooks
		Investigations
			Motive, Opportunity, and Means
			Computer Criminal Behavior
			Evidence Collection and Handling
			What Is Admissible in Court?
			Digital Forensics Tools, Tactics, and Procedures
			Forensic Investigation Techniques
			Other Investigative Techniques
			Forensic Artifacts
			Reporting and Documenting
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 23 Disasters
		Recovery Strategies
			Business Process Recovery
			Data Backup
			Documentation
			Human Resources
			Recovery Site Strategies
			Availability
		Disaster Recovery Processes
			Response
			Personnel
			Communications
			Assessment
			Restoration
			Training and Awareness
			Lessons Learned
			Testing Disaster Recovery Plans
		Business Continuity
			BCP Life Cycle
			Information Systems Availability
			End-User Environment
		Chapter Review
			Quick Review
			Questions
			Answers
Part VIII Software Development Security
	Chapter 24 Software Development
		Software Development Life Cycle
			Project Management
			Requirements Gathering Phase
			Design Phase
			Development Phase
			Testing Phase
			Operations and Maintenance Phase
		Development Methodologies
			Waterfall Methodology
			Prototyping
			Incremental Methodology
			Spiral Methodology
			Rapid Application Development
			Agile Methodologies
			DevOps
			DevSecOps
			Other Methodologies
		Maturity Models
			Capability Maturity Model Integration
			Software Assurance Maturity Model
		Chapter Review
			Quick Review
			Questions
			Answers
	Chapter 25 Secure Software
		Programming Languages and Concepts
			Assemblers, Compilers, Interpreters
			Runtime Environments
			Object-Oriented Programming Concepts
			Cohesion and Coupling
			Application Programming Interfaces
			Software Libraries
		Secure Software Development
			Source Code Vulnerabilities
			Secure Coding Practices
		Security Controls for Software Development
			Development Platforms
			Tool Sets
			Application Security Testing
			Continuous Integration and Delivery
			Security Orchestration, Automation, and Response
			Software Configuration Management
			Code Repositories
		Software Security Assessments
			Risk Analysis and Mitigation
			Change Management
		Assessing the Security of Acquired Software
			Commercial Software
			Open-Source Software
			Third-Party Software
			Managed Services
		Chapter Review
			Quick Review
			Questions
			Answers
Appendix A Comprehensive Questions
	Answers
Appendix B Objective Map
Appendix C About the Online Content
	System Requirements
	Your Total Seminars Training Hub Account
		Privacy Notice
	Single User License Terms and Conditions
	TotalTester Online
	Graphical Questions
	Online Flash Cards
	Single User License Terms and Conditions
	Technical Support
Glossary
Index



