Edition: 8
Authors: Lawrence C. Miller, Peter H. Gregory
Series:
ISBN: 1394261772, 9781394261796
Publisher: For Dummies
Publication year: 2024
Pages: 611
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on the user's request)
File size: 11 MB
If you need the CISSP For Dummies file converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support and they will convert the requested file.
Note that the cissp for dummies book is the original-language edition and not a Persian translation. The International Library website offers original-language books only and does not offer any book translated into or written in Persian.
Table of Contents

Title Page
Copyright Page
Table of Contents
Introduction
  About This Book
  Foolish Assumptions
  Icons Used in This Book
  Beyond the Book
  Where to Go from Here

Part 1: Getting Started with CISSP Certification

Chapter 1: ISC2 and the CISSP Certification
  You Must Be This Tall to Ride This Ride (And Other Requirements)
  Preparing for the Exam
    Studying on your own
    Getting hands-on experience
    Getting official ISC2 CISSP training
    Attending other training courses or study groups
    Taking practice exams
    Are you ready for the exam?
  Registering for the Exam
  About the CISSP Examination
  After the Examination

Chapter 2: Putting Your Certification to Good Use
  Networking with Other Security Professionals
  Being an Active ISC2 Member
  Considering ISC2 Volunteer Opportunities
    Writing certification exam questions
    Speaking at events
    Helping at ISC2 conferences
    Reading and contributing to ISC2 publications
    Supporting the ISC2 Center for Cyber Safety and Education
    Participating in bug-bounty programs
    Participating in ISC2 focus groups
    Joining the ISC2 community
    Getting involved with a CISSP study group
  Becoming an Active Member of Your Local Security Chapter
  Spreading the Good Word about CISSP Certification
  Helping Others
  Using Your CISSP Certification to Be an Agent of Change
  Earning Other Certifications
    Other ISC2 certifications
    CISSP concentrations
    Non-ISC2 certifications
    Non-technical/non-vendor certifications
    Technical/vendor certifications
    Choosing the right certifications
    Building your professional brand
  Pursuing Security Excellence

Part 2: Certification Domains

Chapter 3: Security and Risk Management
  Understand, Adhere to, and Promote Professional Ethics
    ISC2 Code of Professional Ethics
    Organizational code of ethics
    Internet Architecture Board: Ethics and the Internet (RFC 1087)
    Ten Commandments of Computer Ethics
  Understand and Apply Security Concepts
    Confidentiality
    Integrity
    Availability
    Authenticity
    Nonrepudiation
  Evaluate, Apply, and Sustain Security Governance Principles
    Alignment of the security function to business strategy, goals, mission, and objectives
      Mission (not-so-impossible) and strategy
      Goals and objectives
    Organizational processes
      Acquisitions and divestitures
      Governance committees and executive oversight
    Organizational roles and responsibilities
      Management
      Users
    Security control frameworks
    Due care and due diligence
  Understand Legal, Regulatory, and Compliance Issues That Pertain to Information Security
    Cybercrimes and data breaches
      U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended)
      U.S. Electronic Communications Privacy Act (ECPA) of 1986
      U.S. Computer Security Act of 1987
      U.S. Federal Sentencing Guidelines of 1991
      U.S. Communications Assistance for Law Enforcement Act of 1994
      U.S. Economic Espionage Act of 1996
      U.S. Child Pornography Prevention Act of 1996
      USA PATRIOT Act of 2001
      U.S. Sarbanes-Oxley Act of 2002 (SOX)
      U.S. Homeland Security Act of 2002
      U.S. Federal Information Systems Modernization Act (FISMA) of 2014
      U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
      U.S. Identity Theft and Assumption Deterrence Act of 2003
      U.S. Intelligence Reform and Terrorism Prevention Act of 2004
      California Security Breach Information Act
      The Council of Europe's Convention on Cybercrime (2001)
      The Computer Misuse Act of 1990 (UK)
      Privacy and Electronic Communications Regulations of 2003 (UK)
      Information Technology Act 2000 (India)
      Cybercrime Act of 2001 (Australia)
      General Data Protection Regulation (GDPR)
      Payment Card Industry Data Security Standard (PCI DSS)
    Licensing and intellectual property requirements
      Patents
      Trademarks
      Copyrights
      Trade secrets
    Import/export controls
    Transborder data flow
    Issues related to privacy
      U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552A
      U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996, PL 104-191
      U.S. Children's Online Privacy Protection Act (COPPA) of 1998
      U.S. Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999, PL 106-102
      U.S. Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
      California Consumer Privacy Act of 2018 (CCPA)
      California Privacy Rights Act of 2020 (CPRA)
      UK Data Protection Act of 1998
      UK Data Protection Act 2018
      European Union General Data Protection Regulation (GDPR)
      China Personal Information Protection Law (PIPL)
      South Africa Protection of Personal Information Act (PoPIA)
    Contractual, legal, industry standards, and regulatory requirements
      Contractual
      Legal
      Industry standards
  Understand Requirements for Investigation Types
  Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines
    Policies
    Standards (and baselines)
    Procedures
    Processes
    Guidelines
  Identify, Analyze, Assess, Prioritize, and Implement Business Continuity (BC) Requirements
    Business impact analysis
      Assessing vulnerability
      Assessing criticality
      Identifying key players
      Establishing maximum tolerable downtime
      Determining maximum tolerable outage
      Establishing recovery targets
      Defining resource requirements
    External dependencies
      Utilities
      Logistics and supplies
      Fire and water protection
  Contribute to and Enforce Personnel Security Policies and Procedures
    Candidate screening and hiring
    Employment agreements and policy-driven requirements
    Onboarding, transfers, and termination processes
    Vendor, consultant, and contractor agreements and controls
  Understand and Apply Risk Management Concepts
    Threat and vulnerability identification
    Risk analysis, assessment, and scope
      Risk analysis
      Risk assessment
      Scope
    Risk response and treatment
    Applicable types of controls
      Cost-effectiveness
      Legal liability
      Operational impact
      Technical factors
    Control assessments (security and privacy)
      Control assessment approach
      Control assessment methodology
    Continuous monitoring and measurement
    Reporting
    Continuous improvement
    Risk frameworks
      Risk assessment frameworks
      Risk management frameworks
  Understand and Apply Threat Modeling Concepts and Methodologies
    Identifying threats
    Determining and diagramming potential attacks
    Performing reduction analysis
    Remediating threats
    Threat hunting
  Apply Supply Chain Risk Management (SCRM) Concepts
    Risks associated with the acquisition of products and services from suppliers and providers
    Risk mitigations
  Establish and Maintain a Security Awareness, Education, and Training Program
    Methods and techniques to increase awareness and training
      Awareness
      Training
      Education
    Periodic content reviews to include emerging technologies and trends
    Program effectiveness evaluation

Chapter 4: Asset Security
  Identify and Classify Information and Assets
    Data classification
      Commercial data classification
      Government data classification
    Data handling
    Asset classification
  Establish Information and Asset Handling Requirements
  Provision Information and Assets Securely
    Information and asset ownership
    Asset inventory
    Asset management
  Manage Data Life Cycle
    Data roles
    Data collection
    Data location
    Data maintenance
    Data retention
    Data remanence
    Data destruction
  Ensure Appropriate Asset Retention
    End of life
    End of support
  Determine Data Security Controls and Compliance Requirements
    Data states
    Scoping and tailoring
    Standards selection
    Data protection methods
      Digital rights management (DRM)
      Data loss prevention (DLP)
      Cloud access security broker (CASB)
      Cryptography
      Access controls
      File activity monitoring (FAM) and file integrity monitoring (FIM)
      Privacy controls

Chapter 5: Security Architecture and Engineering
  Using Secure Design Principles in Engineering Processes
    Threat modeling
      Identifying threats
      Determining and diagramming potential attacks
      Performing reduction analysis
      Remediating threats through the removal of defects and changes in design
    Least privilege
    Defense in depth
    Secure defaults
    Fail securely
    Segregation of duties (SoD)
    Keep it simple and small
    Zero trust or trust but verify
    Privacy by design
    Shared responsibility
    Secure access service edge (SASE)
  Understand the Fundamental Concepts of Security Models
  Select Controls Based Upon Systems Security Requirements
    Evaluation criteria
      Trusted Computer System Evaluation Criteria
      Trusted Network Interpretation
      European Information Technology Security Evaluation Criteria
      Common Criteria
    System certification and accreditation
      DITSCAP
      NIACAP
      FedRAMP
      CMMC
      DCID 6/3
  Understand Security Capabilities of Information Systems
    Memory protection
    Trusted Computing Base
    Trusted Platform Module
    Hardware Security Module (HSM)
    Secure modes of operation
    Open and closed systems
    Encryption and decryption
    Protection rings
    Security modes
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
    Client-based systems
    Server-based systems
    Database systems
    Cryptographic systems
    Operational technology/industrial control systems
    Cloud-based systems
    Distributed systems
    Internet of Things
    Microservices
    Containerization
    Serverless
    Embedded systems
    High-performance computing systems
    Edge computing systems
    Virtualized systems
    Web-based systems
    Mobile systems
  Select and Determine Cryptographic Solutions
    Plaintext and ciphertext
    Encryption and decryption
      End-to-end encryption
      Link encryption
    Putting it all together: The cryptosystem
    Classes of ciphers
      Block ciphers
      Stream ciphers
    Types of ciphers
      Substitution ciphers
      Transposition
    Cryptographic life cycle
    Cryptographic methods
      Symmetric
      Asymmetric ciphers
    Public key infrastructure
    Key management practices
    Digital signatures and digital certificates
    Nonrepudiation
    Integrity (hashing)
      MD
      SHA
      HMAC
      RIPEMD-160
  Understand Methods of Cryptanalytic Attacks
    Brute force
    Ciphertext only
    Known plaintext
    Frequency analysis
    Chosen ciphertext
    Implementation attacks
    Side channel
    Fault injection
    Timing
    Man in the middle
    Pass the hash
    Kerberos exploitation
    Rubber hose
    Ransomware
  Apply Security Principles to Site and Facility Design
  Design Site and Facility Security Controls
    Wiring closets/intermediate distribution frames
    Server rooms/data centers
    Media storage facilities
    Evidence storage
    Restricted and work area security
    Utilities and heating, ventilation, and air conditioning
    Environmental issues
    Fire prevention, detection, and suppression
    Power
  Manage the Information System Lifecycle
    Inception
    Stakeholder needs and requirements
    Requirements analysis
    Architectural design
    Development/Implementation
    Integration
    Verification and validation
    Transition/deployment
    Operations and maintenance/sustainment
    Retirement/disposal

Chapter 6: Communication and Network Security
  Apply Secure Design Principles in Network Architectures
    Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
      The OSI Reference Model
      The TCP/IP Model
    Internet Protocol (IP) version 4 and 6
    Secure protocols
      IPsec
      SSH
      SSL/TLS
    Implications of multilayer protocols
    Converged protocols
    Transport architecture
    Performance metrics
    Traffic flows
    Physical segmentation
    Logical segmentation
    Microsegmentation
    Edge networks
    Wireless networks
      Bluetooth
      Wi-Fi
      ZigBee
      NFC
      Satellite
    Cellular/mobile networks
    Content distribution networks (CDN)
    Software-defined networks (SDN)
    Virtual private cloud (VPC)
    Monitoring and management
  Secure Network Components
    Operation of infrastructure
    Transmission media
    Protecting wired networks
    Protecting Wi-Fi networks
    Network access control (NAC) systems
      Pre-admission NAC
    Firewalls and firewall types
    Firewall architectures
    Intrusion detection and prevention systems
    Web content filters
    Data loss prevention
    Cloud access security brokers
    Endpoint security
  Implement Secure Communication Channels According to Design
    Voice, video, and collaboration
    Remote access
      Remote access security methods
      Remote access security
    Data communications
    Third-party connectivity

Chapter 7: Identity and Access Management
  Control Physical and Logical Access to Assets
    Information
    Systems
    Devices
    Facilities
    Applications
    Services
  Design Identification and Authentication Strategy
    Groups and roles
    Authentication, authorization, and accounting
    Single-factor authentication
    Multifactor authentication
    Session management
    Registration, proofing, and establishment of identity
    Federated identity management
    Credential management systems
    Single sign-on
    Just-in-time
  Federated Identity with a Third-Party Service
    On-premises
    Cloud
    Hybrid
  Implement and Manage Authorization Mechanisms
    Role-based access control
    Rule-based access control
    Mandatory access control
    Discretionary access control
    Attribute-based access control
    Risk-based access control
    Access policy enforcement
  Manage the Identity and Access Provisioning Lifecycle
    Account access review
    Provisioning and deprovisioning
    Role definition and transition
    Privilege escalation
    Service accounts management
  Implement Authentication Systems
    OpenID Connect/Open Authorization
    Security Assertion Markup Language
    Kerberos
    RADIUS and TACACS+

Chapter 8: Security Assessment and Testing
  Design and Validate Assessment, Test, and Audit Strategies
  Conduct Security Control Testing
    Vulnerability assessment
      Port scanning
      Vulnerability scans
      Unauthenticated and authenticated scans
      Vulnerability scan reports
    Penetration testing
      Network penetration testing
      Application penetration testing
      Physical penetration testing
      Social engineering
    Log reviews
    Synthetic transactions
    Code review and testing
    Misuse case testing
    Test coverage analysis
    Interface testing
    Breach and attack simulations
    Compliance checks
  Collect Security Process Data
    Account management
    Management review and approval
    Key performance and risk indicators
    Backup verification data
    Training and awareness
    Disaster recovery and business continuity
  Analyze Test Output and Generate Reports
    Remediation
    Exception handling
    Ethical disclosure
  Conduct or Facilitate Security Audits

Chapter 9: Security Operations
  Understand and Comply with Investigations
    Evidence collection and handling
      Types of evidence
      Rules of evidence
      Admissibility of evidence
      Chain of custody and the evidence life cycle
    Reporting and documentation
    Investigative techniques
    Digital forensics tools, tactics, and procedures
    Artifacts
  Conduct Logging and Monitoring Activities
    Intrusion detection and prevention system (IDPS)
    Security information and event management (SIEM)
    Security orchestration, automation, and response (SOAR)
    Continuous monitoring and tuning
    Egress monitoring
    Log management
    Threat intelligence
    User and entity behavior analytics
  Perform Configuration Management (CM)
  Apply Foundational Security Operations Concepts
    Need to know and least privilege
    Segregation of duties and responsibilities
    Privileged account management
    Job rotation
    Service-level agreements
  Apply Resource Protection
    Media management
    Media protection techniques
    Data at rest/data in transit
  Conduct Incident Management
    Detection
    Response
    Mitigation
    Reporting
    Recovery
    Remediation
    Lessons learned
  Operate and Maintain Detective and Preventive Measures
    Firewalls
    Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
    Allow (or permit) list and block (or deny) list
    Third-party provided security services
    Sandboxing
    Honeypots/honeynets
    Anti-malware
    Machine learning and artificial intelligence (AI) based tools
    Performance management
  Implement and Support Patch and Vulnerability Management
  Understand and Participate in Change Management Processes
  Implement Recovery Strategies
    Backup storage strategies
    Recovery site strategies
    Multiple processing sites
    System resilience, high availability (HA), quality of service (QoS), and fault tolerance
  Implement Disaster Recovery (DR) Processes
    Response
    Salvage
    Recovery
    Financial readiness
    Personnel
    Communications
    Assessment
    Restoration
    Training and awareness
    Lessons learned
  Test Disaster Recovery Plans
    Read-through/tabletop
    Walkthrough
    Simulation
    Parallel
    Full interruption
  Participate in Business Continuity Planning and Exercises
  Implement and Manage Physical Security
    Perimeter security controls
    Internal security controls
  Address Personnel Safety and Security Concerns
    Travel
    Security training and awareness
    Emergency management
    Duress

Chapter 10: Software Development Security
  Understand and Integrate Security in the Software Development Life Cycle
    Development methodologies
      Agile
      Waterfall
      DevOps
      DevSecOps
    Maturity models
    Operation and maintenance
    Change management
    Integrated product team
  Identify and Apply Security Controls in Software Development Ecosystems
    Programming languages
    Libraries
    Tool sets
    Integrated development environment
    Runtime
    Continuous integration/continuous delivery
    Security orchestration, automation, and response
    Software configuration management
    Code repositories
    Application security testing
    Code reviews
    Static application security testing
    Dynamic application security testing
  Assess the Effectiveness of Software Security
    Auditing and logging of changes
    Risk analysis and mitigation
  Assess the Security Impact of Acquired Software
  Define and Apply Secure Coding Guidelines and Standards
    Security weaknesses and vulnerabilities at the source-code level
    Security of application programming interfaces
    Secure coding practices
    Software-defined security

Part 3: The Part of Tens

Chapter 11: Ten Ways to Prepare for the Exam
  Know Your Learning Style
  Get a Networking Certification First
  Register Now
  Make a 60-Day Study Plan
  Get Organized and Read
  Join a Study Group
  Take Practice Exams
  Take a CISSP Training Seminar
  Adopt an Exam-Taking Strategy
  Take a Breather

Chapter 12: Ten Test-Day Tips
  Get a Good Night's Rest
  Dress Comfortably
  Eat a Good Meal
  Arrive Early
  Bring Approved Identification
  Bring Snacks and Drinks
  Bring Prescription and Over-the-Counter Medications
  Leave Your Mobile Devices Behind
  Take Frequent Breaks
  Guess — As a Last Resort

Glossary
Index
About the Authors
EULA