Edition: 6
Authors: Arthur J. Deane, Aaron Kraus
Series:
ISBN: 1119789990, 9781119789994
Publisher: Sybex
Year of publication: 2021
Number of pages: 0
Language: English
File format: EPUB (converted to PDF, EPUB, or AZW3 on user request)
File size: 6 MB
If you need the file of The Official (ISC)2 CISSP CBK Reference converted to PDF, EPUB, AZW3, MOBI, or DJVU, you can notify support so that they convert the file for you.
Note that The Official (ISC)2 CISSP CBK Reference is the original-language edition and has not been translated into Persian. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Foreword
Introduction
  Security and Risk Management
  Asset Security
  Security Architecture and Engineering
  Communication and Network Security
  Identity and Access Management
  Security Assessment and Testing
  Security Operations
  Software Development Security

Domain 1 Security and Risk Management
  Understand, Adhere to, and Promote Professional Ethics
    (ISC)2 Code of Professional Ethics
    Organizational Code of Ethics
  Understand and Apply Security Concepts
    Confidentiality
    Integrity
    Availability
  Evaluate and Apply Security Governance Principles
    Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives
    Organizational Processes
    Organizational Roles and Responsibilities
    Security Control Frameworks
    Due Care and Due Diligence
  Determine Compliance and Other Requirements
    Legislative and Regulatory Requirements
    Industry Standards and Other Compliance Requirements
    Privacy Requirements
  Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context
    Cybercrimes and Data Breaches
    Licensing and Intellectual Property Requirements
    Import/Export Controls
    Transborder Data Flow
    Privacy
  Understand Requirements for Investigation Types
    Administrative
    Criminal
    Civil
    Regulatory
    Industry Standards
  Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
    Policies
    Standards
    Procedures
    Guidelines
  Identify, Analyze, and Prioritize Business Continuity Requirements
    Business Impact Analysis
    Develop and Document the Scope and the Plan
  Contribute to and Enforce Personnel Security Policies and Procedures
    Candidate Screening and Hiring
    Employment Agreements and Policies
    Onboarding, Transfers, and Termination Processes
    Vendor, Consultant, and Contractor Agreements and Controls
    Compliance Policy Requirements
    Privacy Policy Requirements
  Understand and Apply Risk Management Concepts
    Identify Threats and Vulnerabilities
    Risk Assessment
    Risk Response/Treatment
    Countermeasure Selection and Implementation
    Applicable Types of Controls
    Control Assessments
    Monitoring and Measurement
    Reporting
    Continuous Improvement
    Risk Frameworks
  Understand and Apply Threat Modeling Concepts and Methodologies
    Threat Modeling Concepts
    Threat Modeling Methodologies
  Apply Supply Chain Risk Management Concepts
    Risks Associated with Hardware, Software, and Services
    Third-Party Assessment and Monitoring
    Minimum Security Requirements
    Service-Level Requirements
    Frameworks
  Establish and Maintain a Security Awareness, Education, and Training Program
    Methods and Techniques to Present Awareness and Training
    Periodic Content Reviews
    Program Effectiveness Evaluation
  Summary

Domain 2 Asset Security
  Identify and Classify Information and Assets
    Data Classification and Data Categorization
    Asset Classification
  Establish Information and Asset Handling Requirements
    Marking and Labeling
    Handling
    Storage
    Declassification
  Provision Resources Securely
    Information and Asset Ownership
    Asset Inventory
    Asset Management
  Manage Data Lifecycle
    Data Roles
    Data Collection
    Data Location
    Data Maintenance
    Data Retention
    Data Destruction
    Data Remanence
  Ensure Appropriate Asset Retention
    Determining Appropriate Records Retention
    Records Retention Best Practices
  Determine Data Security Controls and Compliance Requirements
    Data States
    Scoping and Tailoring
    Standards Selection
    Data Protection Methods
  Summary

Domain 3 Security Architecture and Engineering
  Research, Implement, and Manage Engineering Processes Using Secure Design Principles
    ISO/IEC 19249
    Threat Modeling
    Secure Defaults
    Fail Securely
    Separation of Duties
    Keep It Simple
    Trust, but Verify
    Zero Trust
    Privacy by Design
    Shared Responsibility
    Defense in Depth
  Understand the Fundamental Concepts of Security Models
    Primer on Common Model Components
    Information Flow Model
    Noninterference Model
    Bell–LaPadula Model
    Biba Integrity Model
    Clark–Wilson Model
    Brewer–Nash Model
    Take-Grant Model
  Select Controls Based Upon Systems Security Requirements
  Understand Security Capabilities of Information Systems
    Memory Protection
    Secure Cryptoprocessor
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
    Client-Based Systems
    Server-Based Systems
    Database Systems
    Cryptographic Systems
    Industrial Control Systems
    Cloud-Based Systems
    Distributed Systems
    Internet of Things
    Microservices
    Containerization
    Serverless
    Embedded Systems
    High-Performance Computing Systems
    Edge Computing Systems
    Virtualized Systems
  Select and Determine Cryptographic Solutions
    Cryptography Basics
    Cryptographic Lifecycle
    Cryptographic Methods
    Public Key Infrastructure
    Key Management Practices
    Digital Signatures and Digital Certificates
    Nonrepudiation
    Integrity
  Understand Methods of Cryptanalytic Attacks
    Brute Force
    Ciphertext Only
    Known Plaintext
    Chosen Plaintext Attack
    Frequency Analysis
    Chosen Ciphertext
    Implementation Attacks
    Side-Channel Attacks
    Fault Injection
    Timing Attacks
    Man-in-the-Middle
    Pass the Hash
    Kerberos Exploitation
    Ransomware
  Apply Security Principles to Site and Facility Design
  Design Site and Facility Security Controls
    Wiring Closets/Intermediate Distribution Facilities
    Server Rooms/Data Centers
    Media Storage Facilities
    Evidence Storage
    Restricted and Work Area Security
    Utilities and Heating, Ventilation, and Air Conditioning
    Environmental Issues
    Fire Prevention, Detection, and Suppression
  Summary

Domain 4 Communication and Network Security
  Assess and Implement Secure Design Principles in Network Architectures
    Open System Interconnection and Transmission Control Protocol/Internet Protocol Models
    The OSI Reference Model
    The TCP/IP Reference Model
    Internet Protocol Networking
    Secure Protocols
    Implications of Multilayer Protocols
    Converged Protocols
    Microsegmentation
    Wireless Networks
    Cellular Networks
    Content Distribution Networks
  Secure Network Components
    Operation of Hardware
    Repeaters, Concentrators, and Amplifiers
    Hubs
    Bridges
    Switches
    Routers
    Gateways
    Proxies
    Transmission Media
    Network Access Control
    Endpoint Security
    Mobile Devices
  Implement Secure Communication Channels According to Design
    Voice
    Multimedia Collaboration
    Remote Access
    Data Communications
    Virtualized Networks
    Third-Party Connectivity
  Summary

Domain 5 Identity and Access Management
  Control Physical and Logical Access to Assets
    Access Control Definitions
    Information
    Systems
    Devices
    Facilities
    Applications
  Manage Identification and Authentication of People, Devices, and Services
    Identity Management Implementation
    Single/Multifactor Authentication
    Accountability
    Session Management
    Registration, Proofing, and Establishment of Identity
    Federated Identity Management
    Credential Management Systems
    Single Sign-On
    Just-In-Time
  Federated Identity with a Third-Party Service
    On Premises
    Cloud
    Hybrid
  Implement and Manage Authorization Mechanisms
    Role-Based Access Control
    Rule-Based Access Control
    Mandatory Access Control
    Discretionary Access Control
    Attribute-Based Access Control
    Risk-Based Access Control
  Manage the Identity and Access Provisioning Lifecycle
    Account Access Review
    Account Usage Review
    Provisioning and Deprovisioning
    Role Definition
    Privilege Escalation
  Implement Authentication Systems
    OpenID Connect/Open Authorization
    Security Assertion Markup Language
    Kerberos
    Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus
  Summary

Domain 6 Security Assessment and Testing
  Design and Validate Assessment, Test, and Audit Strategies
    Internal
    External
    Third-Party
  Conduct Security Control Testing
    Vulnerability Assessment
    Penetration Testing
    Log Reviews
    Synthetic Transactions
    Code Review and Testing
    Misuse Case Testing
    Test Coverage Analysis
    Interface Testing
    Breach Attack Simulations
    Compliance Checks
  Collect Security Process Data
    Technical Controls and Processes
    Administrative Controls
    Account Management
    Management Review and Approval
    Management Reviews for Compliance
    Key Performance and Risk Indicators
    Backup Verification Data
    Training and Awareness
    Disaster Recovery and Business Continuity
  Analyze Test Output and Generate Report
    Typical Audit Report Contents
    Remediation
    Exception Handling
    Ethical Disclosure
  Conduct or Facilitate Security Audits
    Designing an Audit Program
    Internal Audits
    External Audits
    Third-Party Audits
  Summary

Domain 7 Security Operations
  Understand and Comply with Investigations
    Evidence Collection and Handling
    Reporting and Documentation
    Investigative Techniques
    Digital Forensics Tools, Tactics, and Procedures
    Artifacts
  Conduct Logging and Monitoring Activities
    Intrusion Detection and Prevention
    Security Information and Event Management
    Continuous Monitoring
    Egress Monitoring
    Log Management
    Threat Intelligence
    User and Entity Behavior Analytics
  Perform Configuration Management
    Provisioning
    Asset Inventory
    Baselining
    Automation
  Apply Foundational Security Operations Concepts
    Need-to-Know/Least Privilege
    Separation of Duties and Responsibilities
    Privileged Account Management
    Job Rotation
    Service-Level Agreements
  Apply Resource Protection
    Media Management
    Media Protection Techniques
  Conduct Incident Management
    Incident Management Plan
    Detection
    Response
    Mitigation
    Reporting
    Recovery
    Remediation
    Lessons Learned
  Operate and Maintain Detective and Preventative Measures
    Firewalls
    Intrusion Detection Systems and Intrusion Prevention Systems
    Whitelisting/Blacklisting
    Third-Party-Provided Security Services
    Sandboxing
    Honeypots/Honeynets
    Anti-malware
    Machine Learning and Artificial Intelligence Based Tools
  Implement and Support Patch and Vulnerability Management
    Patch Management
    Vulnerability Management
  Understand and Participate in Change Management Processes
  Implement Recovery Strategies
    Backup Storage Strategies
    Recovery Site Strategies
    Multiple Processing Sites
    System Resilience, High Availability, Quality of Service, and Fault Tolerance
  Implement Disaster Recovery Processes
    Response
    Personnel
    Communications
    Assessment
    Restoration
    Training and Awareness
    Lessons Learned
  Test Disaster Recovery Plans
    Read-through/Tabletop
    Walkthrough
    Simulation
    Parallel
    Full Interruption
  Participate in Business Continuity Planning and Exercises
  Implement and Manage Physical Security
    Perimeter Security Controls
    Internal Security Controls
  Address Personnel Safety and Security Concerns
    Travel
    Security Training and Awareness
    Emergency Management
    Duress
  Summary

Domain 8 Software Development Security
  Understand and Integrate Security in the Software Development Life Cycle (SDLC)
    Development Methodologies
    Maturity Models
    Operation and Maintenance
    Change Management
    Integrated Product Team
  Identify and Apply Security Controls in Software Development Ecosystems
    Programming Languages
    Libraries
    Toolsets
    Integrated Development Environment
    Runtime
    Continuous Integration and Continuous Delivery
    Security Orchestration, Automation, and Response
    Software Configuration Management
    Code Repositories
    Application Security Testing
  Assess the Effectiveness of Software Security
    Auditing and Logging of Changes
    Risk Analysis and Mitigation
  Assess Security Impact of Acquired Software
    Commercial Off-the-Shelf
    Open Source
    Third-Party
    Managed Services (SaaS, IaaS, PaaS)
  Define and Apply Secure Coding Guidelines and Standards
    Security Weaknesses and Vulnerabilities at the Source-Code Level
    Security of Application Programming Interfaces
    API Security Best Practices
    Secure Coding Practices
    Software-Defined Security
  Summary

Index
EULA