Edition: Seventh
Authors: Peter H. Gregory, Lawrence Miller
Series:
ISBN: 9781119806820, 1119806828
Publisher:
Year of publication: 2021
Pages: 611
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 at the user's request)
File size: 10 MB
Note that CISSP for Dummies is the original-language (English) edition and is not a Persian translation. The International Library website provides original-language books only and does not offer any books translated into or written in Persian.
Table of Contents

Title Page
Copyright Page
Table of Contents
Introduction
  About This Book
  Foolish Assumptions
  Icons Used in This Book
  Beyond the Book
  Where to Go from Here

Part 1: Getting Started with CISSP Certification

  Chapter 1: (ISC)2 and the CISSP Certification
    About (ISC)2 and the CISSP Certification
    You Must Be This Tall to Ride This Ride (And Other Requirements)
    Preparing for the Exam
      Studying on your own
      Getting hands-on experience
      Getting official (ISC)2 CISSP training
      Attending other training courses or study groups
      Taking practice exams
      Are you ready for the exam?
    Registering for the Exam
    About the CISSP Examination
    After the Examination

  Chapter 2: Putting Your Certification to Good Use
    Networking with Other Security Professionals
    Being an Active (ISC)2 Member
    Considering (ISC)2 Volunteer Opportunities
      Writing certification exam questions
      Speaking at events
      Helping at (ISC)2 conferences
      Reading and contributing to (ISC)2 publications
      Supporting the (ISC)2 Center for Cyber Safety and Education
      Participating in bug-bounty programs
      Participating in (ISC)2 focus groups
      Joining the (ISC)2 community
      Getting involved with a CISSP study group
      Helping others learn more about data security
    Becoming an Active Member of Your Local Security Chapter
    Spreading the Good Word about CISSP Certification
      Leading by example
    Using Your CISSP Certification to Be an Agent of Change
    Earning Other Certifications
      Other (ISC)2 certifications
      CISSP concentrations
      Non-(ISC)2 certifications
      Choosing the right certifications
      Finding a mentor, being a mentor
      Building your professional brand
    Pursuing Security Excellence

Part 2: Certification Domains

  Chapter 3: Security and Risk Management
    Understand, Adhere to, and Promote Professional Ethics
      (ISC)2 Code of Professional Ethics
      Organizational code of ethics
    Understand and Apply Security Concepts
      Confidentiality
      Integrity
      Availability
      Authenticity
      Nonrepudiation
    Evaluate and Apply Security Governance Principles
      Alignment of security function to business strategy, goals, mission, and objectives
      Organizational processes
      Organizational roles and responsibilities
      Security control frameworks
      Due care and due diligence
    Determine Compliance and Other Requirements
      Contractual, legal, industry standards, and regulatory requirements
      Privacy requirements
    Understand Legal and Regulatory Issues That Pertain to Information Security
      Cybercrimes and data breaches
      Licensing and intellectual property requirements
      Import/export controls
      Transborder data flow
      Privacy
    Understand Requirements for Investigation Types
    Develop, Document, and Implement Security Policies, Standards, Procedures, and Guidelines
      Policies
      Standards (and baselines)
      Procedures
      Guidelines
    Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
      Business impact analysis
      Develop and document the scope and the plan
    Contribute to and Enforce Personnel Security Policies and Procedures
      Candidate screening and hiring
      Employment agreements and policies
      Onboarding, transfers, and termination processes
      Vendor, consultant, and contractor agreements and controls
      Compliance policy requirements
      Privacy policy requirements
    Understand and Apply Risk Management Concepts
      Identify threats and vulnerabilities
      Risk assessment/analysis
      Risk appetite and risk tolerance
      Risk treatment
      Countermeasure selection and implementation
      Applicable types of controls
      Control assessments (security and privacy)
      Monitoring and measurement
      Reporting
      Continuous improvement
      Risk frameworks
    Understand and Apply Threat Modeling Concepts and Methodologies
      Identifying threats
      Determining and diagramming potential attacks
      Performing reduction analysis
      Remediating threats
    Apply Supply Chain Risk Management (SCRM) Concepts
      Risks associated with hardware, software, and services
      Third-party assessment and monitoring
      Fourth-party risk
      Minimum security requirements
      Service-level agreement requirements
    Establish and Maintain a Security Awareness, Education, and Training Program
      Methods and techniques to present awareness and training
      Periodic content reviews
      Program effectiveness evaluation

  Chapter 4: Asset Security
    Identify and Classify Information and Assets
      Data classification
      Asset classification
    Establish Information and Asset Handling Requirements
    Provision Resources Securely
      Information and asset ownership
      Asset inventory
      Asset management
    Manage Data Life Cycle
      Data roles
      Data collection
      Data location
      Data maintenance
      Data retention
      Data remanence
      Data destruction
    Ensure Appropriate Asset Retention
      End of life
      End of support
    Determine Data Security Controls and Compliance Requirements
      Data states
      Scoping and tailoring
      Standards selection
      Data protection methods

  Chapter 5: Security Architecture and Engineering
    Research, Implement, and Manage Engineering Processes Using Secure Design Principles
      Threat modeling
      Least privilege (and need to know)
      Defense in depth
      Secure defaults
      Fail securely
      Separation of duties
      Keep it simple
      Zero trust
      Privacy by design
      Trust but verify
      Shared responsibility
    Understand the Fundamental Concepts of Security Models
    Select Controls Based Upon Systems Security Requirements
      Evaluation criteria
      System certification and accreditation
    Understand Security Capabilities of Information Systems
      Trusted Computing Base
      Trusted Platform Module
      Secure modes of operation
      Open and closed systems
      Memory protection
      Encryption and decryption
      Protection rings
      Security modes
      Recovery procedures
    Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
      Client-based systems
      Server-based systems
      Database systems
      Cryptographic systems
      Industrial control systems
      Cloud-based systems
      Distributed systems
      Internet of Things
      Microservices
      Containerization
      Serverless
      Embedded systems
      High-performance computing systems
      Edge computing systems
      Virtualized systems
      Web-based systems
      Mobile systems
    Select and Determine Cryptographic Solutions
      Plaintext and ciphertext
      Encryption and decryption
      End-to-end encryption
      Link encryption
      Putting it all together: The cryptosystem
      Classes of ciphers
      Types of ciphers
      Cryptographic life cycle
      Cryptographic methods
      Public key infrastructure
      Key management practices
      Digital signatures and digital certificates
      Nonrepudiation
      Integrity (hashing)
    Understand Methods of Cryptanalytic Attacks
      Brute force
      Ciphertext only
      Known plaintext
      Frequency analysis
      Chosen ciphertext
      Implementation attacks
      Side channel
      Fault injection
      Timing
      Man in the middle
      Pass the hash
      Kerberos exploitation
      Ransomware
    Apply Security Principles to Site and Facility Design
    Design Site and Facility Security Controls
      Wiring closets, server rooms, and more
      Restricted and work area security
      Utilities and heating, ventilation, and air conditioning
      Environmental issues
      Fire prevention, detection, and suppression
      Power

  Chapter 6: Communication and Network Security
    Assess and Implement Secure Design Principles in Network Architectures
      OSI and TCP/IP models
      The OSI Reference Model
      The TCP/IP Model
    Secure Network Components
      Operation of hardware
      Transmission media
      Network access control devices
      Endpoint security
    Implement Secure Communication Channels According to Design
      Voice
      Multimedia collaboration
      Remote access
      Data communications
      Virtualized networks
      Third-party connectivity

  Chapter 7: Identity and Access Management
    Control Physical and Logical Access to Assets
      Information
      Systems and devices
      Facilities
      Applications
    Manage Identification and Authentication of People, Devices, and Services
      Identity management implementation
      Single-/multifactor authentication
      Accountability
      Session management
      Registration, proofing, and establishment of identity
      Federated identity management
      Credential management systems
      Single sign-on
      Just-in-Time
    Federated Identity with a Third-Party Service
      On-premises
      Cloud
      Hybrid
    Implement and Manage Authorization Mechanisms
      Role-based access control
      Rule-based access control
      Mandatory access control
      Discretionary access control
      Attribute-based access control
      Risk-based access control
    Manage the Identity and Access Provisioning Life Cycle
    Implement Authentication Systems
      OpenID Connect/Open Authorization
      Security Assertion Markup Language
      Kerberos
      RADIUS and TACACS+

  Chapter 8: Security Assessment and Testing
    Design and Validate Assessment, Test, and Audit Strategies
    Conduct Security Control Testing
      Vulnerability assessment
      Penetration testing
      Log reviews
      Synthetic transactions
      Code review and testing
      Misuse case testing
      Test coverage analysis
      Interface testing
      Breach attack simulations
      Compliance checks
    Collect Security Process Data
      Account management
      Management review and approval
      Key performance and risk indicators
      Backup verification data
      Training and awareness
      Disaster recovery and business continuity
    Analyze Test Output and Generate Reports
      Remediation
      Exception handling
      Ethical disclosure
    Conduct or Facilitate Security Audits

  Chapter 9: Security Operations
    Understand and Comply with Investigations
      Evidence collection and handling
      Reporting and documentation
      Investigative techniques
      Digital forensics tools, tactics, and procedures
      Artifacts
    Conduct Logging and Monitoring Activities
      Intrusion detection and prevention
      Security information and event management
      Security orchestration, automation, and response
      Continuous monitoring
      Egress monitoring
      Log management
      Threat intelligence
      User and entity behavior analysis
    Perform Configuration Management
    Apply Foundational Security Operations Concepts
      Need-to-know and least privilege
      Separation of duties and responsibilities
      Privileged account management
      Job rotation
      Service-level agreements
    Apply Resource Protection
      Media management
      Media protection techniques
    Conduct Incident Management
    Operate and Maintain Detective and Preventative Measures
    Implement and Support Patch and Vulnerability Management
    Understand and Participate in Change Management Processes
    Implement Recovery Strategies
      Backup storage strategies
      Recovery site strategies
      Multiple processing sites
      System resilience, high availability, quality of service, and fault tolerance
    Implement Disaster Recovery Processes
      Response
      Personnel
      Communications
      Assessment
      Restoration
      Training and awareness
      Lessons learned
    Test Disaster Recovery Plans
      Read-through or tabletop
      Walkthrough
      Simulation
      Parallel
      Full interruption (or cutover)
    Participate in Business Continuity Planning and Exercises
    Implement and Manage Physical Security
    Address Personnel Safety and Security Concerns

  Chapter 10: Software Development Security
    Understand and Integrate Security in the Software Development Life Cycle
      Development methodologies
      Maturity models
      Operation and maintenance
      Change management
      Integrated product team
    Identify and Apply Security Controls in Software Development Ecosystems
      Programming languages
      Libraries
      Tool sets
      Integrated development environment
      Runtime
      Continuous integration/continuous delivery
      Security orchestration, automation, and response
      Software configuration management
      Code repositories
      Application security testing
    Assess the Effectiveness of Software Security
      Auditing and logging of changes
      Risk analysis and mitigation
    Assess Security Impact of Acquired Software
    Define and Apply Secure Coding Guidelines and Standards
      Security weaknesses and vulnerabilities at the source-code level
      Security of application programming interfaces
      Secure coding practices
      Software-defined security

Part 3: The Part of Tens

  Chapter 11: Ten Ways to Prepare for the Exam
    Know Your Learning Style
    Get a Networking Certification First
    Register Now
    Make a 60-Day Study Plan
    Get Organized and Read
    Join a Study Group
    Take Practice Exams
    Take a CISSP Training Seminar
    Adopt an Exam-Taking Strategy
    Take a Breather

  Chapter 12: Ten Test-Day Tips
    Get a Good Night’s Rest
    Dress Comfortably
    Eat a Good Meal
    Arrive Early
    Bring Approved Identification
    Bring Snacks and Drinks
    Bring Prescription and Over-the-Counter Medications
    Leave Your Mobile Devices Behind
    Take Frequent Breaks
    Guess — As a Last Resort

Glossary
Index
EULA