The Official ISC2 CISSP CBK Reference (2021)

Preview (31 of 674 Pages)
CISSP: Certified Information Systems Security Professional

The Official (ISC)² CISSP CBK Reference, Sixth Edition
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada.

ISBN: 978-1-119-78999-4
ISBN: 978-1-119-79001-3 (ebk.)
ISBN: 978-1-119-79000-6 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Control Number: 2021942306

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)², CISSP, and CBK are registered certification marks or trademarks of (ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover Design: Wiley and (ISC)²
Lead Authors

ARTHUR DEANE, CISSP, CCSP, is a senior director at Capital One Financial, where he leads information security activities in the Card division. Prior to Capital One, Arthur held security leadership roles at Google, Amazon, and PwC, in addition to several security engineering and consulting roles with the U.S. federal government. Arthur is an adjunct professor at American University and a member of the Computer Science Advisory Board at Howard University. He holds a bachelor's degree in electrical engineering from Rochester Institute of Technology (RIT) and a master's degree in information security from the University of Maryland. Arthur is also the author of CCSP for Dummies.

AARON KRAUS, CISSP, CCSP, is an information security professional with more than 15 years of experience in security risk management, auditing, and teaching cybersecurity topics. He has worked in security and compliance leadership roles across industries including U.S. federal government civilian agencies, financial services, insurance, and technology startups. Aaron is a course author, instructor, and cybersecurity curriculum dean at Learning Tree International, and he most recently taught the Official (ISC)² CISSP CBK Review Seminar. He is a co-author of The Official (ISC)² Guide to the CCSP CBK, 3rd Edition, and served as technical editor for numerous Wiley publications including (ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition; CCSP Official (ISC)² Practice Tests; The Official (ISC)² Guide to the CISSP CBK Reference, 5th Edition; and (ISC)² CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition.
Technical Reviewer

MICHAEL S. WILLS, CAMS, CISSP, SSCP, is assistant professor of applied and innovative information technologies at the College of Business at Embry-Riddle Aeronautical University Worldwide, where he continues his graduate and undergraduate teaching and research in cybersecurity and information assurance. Mike has also been an advisor on science and technology policy to the UK's Joint Intelligence Committee, Ministry of Justice, and Defense Science and Technology Laboratories, helping them to evolve an operational and policy consensus relating topics from cryptography and virtual worlds, through the burgeoning surveillance society, to the proliferation of weapons of mass disruption (not just "destruction") and their effects on global, regional, national, and personal security. For a time, this had him sometimes known as the UK's nonresident expert on outer space law.

Mike has been supporting the work of (ISC)² by writing, editing, and updating books, study guides, and course materials for both their SSCP and CISSP programs. He wrote the SSCP Official Study Guide, 2nd Edition (Sybex, 2019), followed quickly by the SSCP Official Common Book of Knowledge, 5th Edition. He was lead author for the 2021 update of (ISC)²'s official CISSP and SSCP training materials. Mike has also contributed to several industry roundtables and white papers on digital identity and cyber fraud detection and prevention and has been a panelist and webinar presenter on these and related topics for ACAMS.
Foreword  xix
Introduction  xxi
SECURITY AND RISK MANAGEMENT  1
ASSET SECURITY  97
SECURITY ARCHITECTURE AND ENGINEERING  147
COMMUNICATION AND NETWORK SECURITY  283
IDENTITY AND ACCESS MANAGEMENT  377
SECURITY ASSESSMENT AND TESTING  419
SECURITY OPERATIONS  463
SOFTWARE DEVELOPMENT SECURITY  549
Index  625
Contents

Foreword  xix
Introduction  xxi

DOMAIN 1: SECURITY AND RISK MANAGEMENT  1
  Understand, Adhere to, and Promote Professional Ethics  2
    (ISC)² Code of Professional Ethics  2
    Organizational Code of Ethics  3
  Understand and Apply Security Concepts  4
    Confidentiality  4
    Integrity  5
    Availability  6
    Limitations of the CIA Triad  7
  Evaluate and Apply Security Governance Principles  8
    Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives  9
    Organizational Processes  10
    Organizational Roles and Responsibilities  14
    Security Control Frameworks  15
    Due Care and Due Diligence  22
  Determine Compliance and Other Requirements  23
    Legislative and Regulatory Requirements  24
    Industry Standards and Other Compliance Requirements  25
    Privacy Requirements  27
  Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context  28
    Cybercrimes and Data Breaches  28
    Licensing and Intellectual Property Requirements  36
    Import/Export Controls  39
    Transborder Data Flow  40
    Privacy  41
  Understand Requirements for Investigation Types  48
    Administrative  49
    Criminal  50
    Civil  52
    Regulatory  53
    Industry Standards  54
  Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines  55
    Policies  55
    Standards  56
    Procedures  57
    Guidelines  57
  Identify, Analyze, and Prioritize Business Continuity Requirements  58
    Business Impact Analysis  59
    Develop and Document the Scope and the Plan  61
  Contribute to and Enforce Personnel Security Policies and Procedures  63
    Candidate Screening and Hiring  63
    Employment Agreements and Policies  64
    Onboarding, Transfers, and Termination Processes  65
    Vendor, Consultant, and Contractor Agreements and Controls  67
    Compliance Policy Requirements  67
    Privacy Policy Requirements  68
  Understand and Apply Risk Management Concepts  68
    Identify Threats and Vulnerabilities  68
    Risk Assessment  70
    Risk Response/Treatment  72
    Countermeasure Selection and Implementation  73
    Applicable Types of Controls  75
    Control Assessments  76
    Monitoring and Measurement  77
    Reporting  77
    Continuous Improvement  78
    Risk Frameworks  78
  Understand and Apply Threat Modeling Concepts and Methodologies  83
    Threat Modeling Concepts  84
    Threat Modeling Methodologies  85
  Apply Supply Chain Risk Management Concepts  88
    Risks Associated with Hardware, Software, and Services  88
    Third-Party Assessment and Monitoring  89
    Minimum Security Requirements  90
    Service-Level Requirements  90
    Frameworks  91
  Establish and Maintain a Security Awareness, Education, and Training Program  92
    Methods and Techniques to Present Awareness and Training  93
    Periodic Content Reviews  94
    Program Effectiveness Evaluation  94
  Summary  95

ASSET SECURITY  97
  Identify and Classify Information and Assets  97
    Data Classification and Data Categorization  99
    Asset Classification  101
  Establish Information and Asset Handling Requirements  104
    Marking and Labeling  104
    Handling  105
    Storage  105
    Declassification  106
  Provision Resources Securely  108
    Information and Asset Ownership  108
    Asset Inventory  109
    Asset Management  112
  Manage Data Lifecycle  115
    Data Roles  116
    Data Collection  120
    Data Location  120
    Data Maintenance  121
    Data Retention  122
    Data Destruction  123
    Data Remanence  123
  Ensure Appropriate Asset Retention  127
    Determining Appropriate Records Retention  129
    Records Retention Best Practices  130
  Determine Data Security Controls and Compliance Requirements  131
    Data States  133
    Scoping and Tailoring  135
    Standards Selection  137
    Data Protection Methods  141
  Summary  144
SECURITY ARCHITECTURE AND ENGINEERING  147
  Research, Implement, and Manage Engineering Processes Using Secure Design Principles  149
    ISO/IEC 19249  150
    Threat Modeling  157
    Secure Defaults  160
    Fail Securely  161
    Separation of Duties  161
    Keep It Simple  162
    Trust, but Verify  162
    Zero Trust  163
    Privacy by Design  165
    Shared Responsibility  166
    Defense in Depth  167
  Understand the Fundamental Concepts of Security Models  168
    Primer on Common Model Components  168
    Information Flow Model  169
    Noninterference Model  169
    Bell-LaPadula Model  170
    Biba Integrity Model  172
    Clark-Wilson Model  173
    Brewer-Nash Model  173
    Take-Grant Model  175
  Select Controls Based Upon Systems Security Requirements  175
  Understand Security Capabilities of Information Systems  179
    Memory Protection  180
    Secure Cryptoprocessor  182
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements  187
    Client-Based Systems  187
    Server-Based Systems  189
    Database Systems  191
    Cryptographic Systems  194
    Industrial Control Systems  200
    Cloud-Based Systems  203
    Distributed Systems  207
    Internet of Things  208
    Microservices  212
    Containerization  214
    Serverless  215
    Embedded Systems  216
    High-Performance Computing Systems  219
    Edge Computing Systems  220
    Virtualized Systems  221
  Select and Determine Cryptographic Solutions  224
    Cryptography Basics  225
    Cryptographic Lifecycle  226
    Cryptographic Methods  229
    Public Key Infrastructure  243
    Key Management Practices  246
    Digital Signatures and Digital Certificates  250
    Nonrepudiation  252
    Integrity  253
  Understand Methods of Cryptanalytic Attacks  257
    Brute Force  258
    Ciphertext Only  260
    Known Plaintext  260
    Chosen Plaintext Attack  260
    Frequency Analysis  261
    Chosen Ciphertext  261
    Implementation Attacks  261
    Side-Channel Attacks  261
    Fault Injection  263
    Timing Attacks  263
    Man-in-the-Middle  263
    Pass the Hash  263
    Kerberos Exploitation  264
    Ransomware  264
  Apply Security Principles to Site and Facility Design  265
  Design Site and Facility Security Controls  265
    Wiring Closets/Intermediate Distribution Facilities  266
    Server Rooms/Data Centers  267
    Media Storage Facilities  268
    Evidence Storage  269
    Restricted and Work Area Security  270
    Utilities and Heating, Ventilation, and Air Conditioning  272
    Environmental Issues  275
    Fire Prevention, Detection, and Suppression  277
  Summary  281
COMMUNICATION AND NETWORK SECURITY  283
  Assess and Implement Secure Design Principles in Network Architectures  283
    Open System Interconnection and Transmission Control Protocol/Internet Protocol Models  285
    The OSI Reference Model  286
    The TCP/IP Reference Model  299
    Internet Protocol Networking  302
    Secure Protocols  311
    Implications of Multilayer Protocols  313
    Converged Protocols  315
    Microsegmentation  316
    Wireless Networks  319
    Cellular Networks  333
    Content Distribution Networks  334
  Secure Network Components  335
    Operation of Hardware  335
    Repeaters, Concentrators, and Amplifiers  341
    Hubs  341
    Bridges  342
    Switches  342
    Routers  343
    Gateways  343
    Proxies  343
    Transmission Media  345
    Network Access Control  352
    Endpoint Security  354
    Mobile Devices  355
  Implement Secure Communication Channels According to Design  357
    Voice  357
    Multimedia Collaboration  359
    Remote Access  365
    Data Communications  371
    Virtualized Networks  373
    Third-Party Connectivity  374
  Summary  374

IDENTITY AND ACCESS MANAGEMENT  377
  Control Physical and Logical Access to Assets  378
    Access Control Definitions  378
    Information  379
    Systems  380
    Devices  381
    Facilities  383
    Applications  386
  Manage Identification and Authentication of People, Devices, and Services  387
    Identity Management Implementation  388
    Single/Multifactor Authentication  389
    Accountability  396
    Session Management  396
    Registration, Proofing, and Establishment of Identity  397
    Federated Identity Management  399
    Credential Management Systems  399
    Single Sign-On  400
    Just-In-Time  401
  Federated Identity with a Third-Party Service  401
    On Premises  402
    Cloud  403
    Hybrid  403
  Implement and Manage Authorization Mechanisms  404
    Role-Based Access Control  405
    Rule-Based Access Control  405
    Mandatory Access Control  406
    Discretionary Access Control  406
    Attribute-Based Access Control  407
    Risk-Based Access Control  408
  Manage the Identity and Access Provisioning Lifecycle  408
    Account Access Review  409
    Account Usage Review  411
    Provisioning and Deprovisioning  411
    Role Definition  412
    Privilege Escalation  413
  Implement Authentication Systems  414
    OpenID Connect/Open Authorization  414
    Security Assertion Markup Language  415
    Kerberos  416
    Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus  417
  Summary  418
SECURITY ASSESSMENT AND TESTING  419
  Design and Validate Assessment, Test, and Audit Strategies  420
    Internal  421
    External  422
    Third-Party  423
  Conduct Security Control Testing  423
    Vulnerability Assessment  423
    Penetration Testing  428
    Log Reviews  435
    Synthetic Transactions  435
    Code Review and Testing  436
    Misuse Case Testing  437
    Test Coverage Analysis  438
    Interface Testing  439
    Breach Attack Simulations  440
    Compliance Checks  441
  Collect Security Process Data  442
    Technical Controls and Processes  443
    Administrative Controls  443
    Account Management  444
    Management Review and Approval  445
    Management Reviews for Compliance  446
    Key Performance and Risk Indicators  447
    Backup Verification Data  450
    Training and Awareness  450
    Disaster Recovery and Business Continuity  451
  Analyze Test Output and Generate Report  452
    Typical Audit Report Contents  453
    Remediation  454
    Exception Handling  455
    Ethical Disclosure  456
  Conduct or Facilitate Security Audits  458
    Designing an Audit Program  458
    Internal Audits  459
    External Audits  460
    Third-Party Audits  460
  Summary  461

SECURITY OPERATIONS  463
  Understand and Comply with Investigations  464
    Evidence Collection and Handling  465
    Reporting and Documentation  467
    Investigative Techniques  469
    Digital Forensics Tools, Tactics, and Procedures  470
    Artifacts  475
  Conduct Logging and Monitoring Activities  478
    Intrusion Detection and Prevention  478
    Security Information and Event Management  480
    Continuous Monitoring  481
    Egress Monitoring  483
    Log Management  484
    Threat Intelligence  486
    User and Entity Behavior Analytics  488
  Perform Configuration Management  489
    Provisioning  490
    Asset Inventory  492
    Baselining  492
    Automation  493
  Apply Foundational Security Operations Concepts  494
    Need-to-Know/Least Privilege  494
    Separation of Duties and Responsibilities  495
    Privileged Account Management  496
    Job Rotation  498
    Service-Level Agreements  498
  Apply Resource Protection  499
    Media Management  500
    Media Protection Techniques  501
  Conduct Incident Management  502
    Incident Management Plan  503
    Detection  505
    Response  506
    Mitigation  507
    Reporting  508
    Recovery  510
    Remediation  510
    Lessons Learned  511
  Operate and Maintain Detective and Preventative Measures  51
    Firewalls  512
    Intrusion Detection Systems and Intrusion Prevention Systems  514
    Whitelisting/Blacklisting  515
    Third-Party-Provided Security Services  515
    Sandboxing  517
    Honeypots/Honeynets  517
    Anti-malware  518
    Machine Learning and Artificial Intelligence Based Tools  518
  Implement and Support Patch and Vulnerability Management  519
    Patch Management  519
    Vulnerability Management  521
  Understand and Participate in Change Management Processes  522
  Implement Recovery Strategies  523
    Backup Storage Strategies  524
    Recovery Site Strategies  527
    Multiple Processing Sites  527
    System Resilience, High Availability, Quality of Service, and Fault Tolerance  528
  Implement Disaster Recovery Processes  529
    Response  529
    Personnel  530
    Communications  531
    Assessment  532
    Restoration  533
    Training and Awareness  534
    Lessons Learned  534
  Test Disaster Recovery Plans  535
    Read-through/Tabletop  536
    Walkthrough  536
    Simulation  537
    Parallel  537
    Full Interruption  537
  Participate in Business Continuity Planning and Exercises  538
  Implement and Manage Physical Security  539
    Perimeter Security Controls  541
    Internal Security Controls  543
  Address Personnel Safety and Security Concerns  545
    Travel  545
    Security Training and Awareness  546
    Emergency Management  546
    Duress  547
  Summary  548

SOFTWARE DEVELOPMENT SECURITY  549
  Understand and Integrate Security in the Software Development Life Cycle (SDLC)  550
    Development Methodologies  551
    Maturity Models  561
    Operation and Maintenance  567
    Change Management  568
    Integrated Product Team  571
  Identify and Apply Security Controls in Software Development Ecosystems  572
    Programming Languages  572
    Libraries  577
    Toolsets  578
    Integrated Development Environment  579
    Runtime  580
    Continuous Integration and Continuous Delivery  581
    Security Orchestration, Automation, and Response  583
    Software Configuration Management  585
    Code Repositories  586
    Application Security Testing  588
  Assess the Effectiveness of Software Security  590
    Auditing and Logging of Changes  590
    Risk Analysis and Mitigation  595
  Assess Security Impact of Acquired Software  599
    Commercial Off-the-Shelf  599
    Open Source  601
    Third-Party  602
    Managed Services (SaaS, IaaS, PaaS)  602
  Define and Apply Secure Coding Guidelines and Standards  604
    Security Weaknesses and Vulnerabilities at the Source-Code Level  605
    Security of Application Programming Interfaces  613
    API Security Best Practices  613
    Secure Coding Practices  618
    Software-Defined Security  621
  Summary  624

Index  625
Foreword

EARNING THE GLOBALLY RECOGNIZED CISSP® security certification is a proven way to build your career and demonstrate deep knowledge of cybersecurity concepts across a broad range of domains. Whether you are picking up this book to supplement your preparation to sit for the exam or are an existing CISSP using it as a desk reference, you'll find The Official (ISC)² CISSP CBK Reference to be the perfect primer on the security concepts covered in the eight domains of the CISSP CBK.

The CISSP is the most globally recognized certification in the information security market. It immediately signifies that the holder has the advanced cybersecurity skills and knowledge to design, engineer, implement, and manage information security programs and teams that protect against increasingly sophisticated attacks. It also conveys an adherence to best practices, policies, and procedures established by (ISC)² cybersecurity experts.

The recognized leader in the field of information security education and certification, (ISC)² promotes the development of information security professionals throughout the world. As a CISSP with all the benefits of (ISC)² membership, you are part of a global network of more than 161,000 certified professionals who are working to inspire a safe and secure cyber world.

Drawing from a comprehensive, up-to-date global body of knowledge, the CISSP CBK provides you with valuable insights on the skills, techniques, and best practices a security professional should be familiar with, including how different elements of the information technology ecosystem interact.

If you are an experienced CISSP, you will find this edition of the CISSP CBK an indispensable reference. If you are still gaining the experience and knowledge you need to join the ranks of CISSPs, the CISSP CBK is a deep dive that can be used to supplement your studies.

As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)² recognizes the need to identify and validate not only information security competency, but also the ability to build, manage, and lead a security organization. Written by a team of subject matter experts, this comprehensive compendium covers all CISSP objectives and subobjectives in a structured format with common practices for each objective, a common lexicon and references to widely accepted computing standards and case studies.

The opportunity has never been greater for dedicated professionals to advance their careers and inspire a safe and secure cyber world. The CISSP CBK will be your constant companion in protecting your organization and will serve you for years to come.

Sincerely,
Clar Rosso
CEO, (ISC)²
Introduction

THE CERTIFIED INFORMATION SYSTEMS Security Professional (CISSP) certification identifies a professional who has demonstrated skills, knowledge, and abilities across a wide array of security practices and principles. The exam covers eight domains of practice, which are codified in the CISSP Common Body of Knowledge (CBK). The CBK presents topics that a CISSP can use in their daily role to identify and manage security risks to data and information systems and is built on a foundation comprising fundamental security concepts of confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA), as well as privacy and security (CIANA+PS). A variety of controls can be implemented for both data and systems, with the goal of either safeguarding or mitigating security risks to each of these foundational principles.

Global professionals take many paths into information security, and each candidate's experience must be combined with variations in practice and perspective across industries and regions due to the global reach of the certification. For most security practitioners, achieving CISSP requires study and learning new disciplines, and professionals are unlikely to work across all eight domains on a daily basis. The CISSP CBK is a baseline standard of security knowledge to help security practitioners deal with new and evolving risks, and this guide provides easy reference to aid practitioners in applying security topics and principles. This baseline must be connected with the reader's own experience and the unique operating environment of the reader's organization to be effective. The rapid pace of change in security also demands that practitioners continuously maintain their knowledge, so CISSP credential holders are also expected to maintain their knowledge via continuing education. Reference materials like this guide, along with other content sources such as industry conferences, webinars, and research are vital to maintaining this knowledge.

The domains presented in the CBK are progressive, starting with a foundation of basic security and risk management concepts in Chapter 1, "Security and Risk Management," as well as fundamental topics of identifying, valuing, and applying proper risk mitigations for asset security in Chapter 2, "Asset Security." Applying security to complex technology environments can be achieved by applying architecture and engineering concepts, which are presented in Chapter 3, "Security Architecture and Engineering."
Chapter 4, "Communication and Network Security," details both the critical risks to as well as the critical defensive role played by communications networks, and Chapter 5, "Identity and Access Management," covers the crucial practices of identifying users (both human and nonhuman) and controlling their access to systems, data, and other resources. Once a security program is designed, it is vital to gather information about and assess its effectiveness, which is covered in Chapter 6, "Security Assessment and Testing," and keep the entire affair running, also known as security operations or SecOps, which is covered in Chapter 7, "Security Operations." Finally, the vital role played by software is addressed in Chapter 8, "Software Development Security," which covers both principles of securely developing software as well as risks and threats to software and development environments. The following presents overviews for each of these chapters in a little more detail.

Security and Risk Management

The foundation of the CISSP CBK is the assessment and management of risk to data and the information systems that process it. The Security and Risk Management domain introduces the foundational CIANA+PS concepts needed to build a risk management program. Using these concepts, a security practitioner can build a program for governance, risk, and compliance (GRC), which allows the organization to design a system of governance needed to implement security controls. These controls should address the risks faced by the organization as well as any necessary legal and regulatory compliance obligations.

Risk management principles must be applied throughout an organization's operations, so topics of business continuity (BC), personnel security, and supply chain risk management are also introduced in this domain. Ensuring that operations can continue in the event of a disruption supports the goal of availability, while properly designed personnel security controls require training programs and well-documented policies and other security guidance.

One critical concept is presented in this domain: the (ISC)² code of professional ethics. All CISSP candidates must agree to be bound by the code as part of the certification process, and credential holders face penalties up to and including loss of their credentials for violating the code. Regardless of what area of security a practitioner is working in, the need to preserve the integrity of the profession by adhering to a code of ethics is critical to fostering trust in the security profession.

Asset Security

Assets are anything that an organization uses to generate value, including ideas, processes, information, and computing hardware. Classifying and categorizing assets allows organizations to prioritize limited security resources to achieve a proper balance of costs and benefits, and this domain introduces important concepts of asset valuation, classification and categorization, and asset handling to apply appropriate protection based on an asset's value. The value of an asset dictates the level of protection it requires, which is often expressed as a security baseline or compliance obligation that the asset owner must meet.

CISSP credential holders will spend a large amount of their time focused on data and information security concerns. The data lifecycle is introduced in this domain to provide distinct phases for determining data security requirements. Protection begins by defining roles and processes for handling data, and once the data is created, these processes must be followed. This includes managing data throughout creation, use, archival, and eventual destruction when no longer needed, and it focuses on data in three main states: in use, in transit, and at rest.

Handling sensitive data for many organizations will involve legal or regulatory obligations to protect specific data types, such as personally identifiable information (PII) or transactional data related to payment cards. Payment card data is regulated by the Payment Card Industry (PCI) Council, and PII often requires protections to comply with regional or local laws like the European Union General Data Protection Regulation (EU GDPR). Both compliance frameworks dictate specific protection obligations an organization must meet when collecting, handling, and using the regulated data.

Security Architecture and Engineering

The Security Architecture and Engineering domain covers topics relevant to implementing and managing security controls across a variety of systems. Secure design principles are introduced that are used to build a security program, such as secure defaults, zero trust, and privacy by design. Common security models are also covered in this domain, which provide an abstract way of viewing a system or environment and allow for identification of security requirements related to the CIANA+PS principles. Specific system types are discussed in detail to highlight the application of security controls in a variety of architectures, including client- and server-based systems, industrial control systems (ICSs), Internet of Things (IoT), and emerging system types like microservices and containerized applications.

This domain presents the foundational details of cryptography and introduces topics covering basic definitions of encryption, hashing, and various cryptographic methods, as well as attacks against cryptography known as cryptanalysis. Applications of cryptography are integrated throughout all domains where relevant, such as the use of encryption in secure network protocols, which is covered in Chapter 4. Physical architecture security including fire suppression and detection, secure facility design, and environmental control is also introduced in this domain.
Communication and Network Security

One major value of modern information systems lies in their ability to share and exchange data, so fundamentals of networking are presented in the Communication and Network Security domain along with details of implementing adequate security protections for these communications. This domain introduces common models used for network services, including the Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models. These layered abstractions provide a method for identifying specific security risks and control capabilities to safeguard data, and the domain presents fundamentals, risks, and countermeasures available at each level of the OSI and TCP/IP models.

Properly securing networks and communications requires strategic planning to ensure proper architectural choices are made and implemented. Concepts of secure network design such as planning and segmentation, availability of hardware, and network access control (NAC) are introduced in this domain. Common network types and their specific security risks are introduced as well, including software-defined networks (SDN), voice networks, and remote access and collaboration technologies.

Identity and Access Management

Controlling access to assets is one of the fundamental goals of security and offers the ability to safeguard all five CIANA+PS security concepts. Properly identifying users and authenticating the access they request can preserve confidentiality and authenticity of information, while properly implemented controls reduce the risk of lost or corrupted data, thereby preserving availability and integrity. Logging the actions taken by identified users or accounts supports nonrepudiation by verifiably demonstrating which user or process performed a particular action.

The Identity and Access Management (IAM) domain introduces important concepts related to identifying subjects and controlling their access to objects. Subjects can be users, processes, or other systems, and objects are typically systems or data that a subject is trying to access. IAM requirements are presented through four fundamental aspects, including identification, authentication, authorization, and accountability (AAA). The domain also presents important concepts for managing identities and access, including federation and the use of third-party identity service providers.

Security Assessment and Testing

It is necessary to evaluate the effectiveness of security controls to determine if they are providing sufficient risk mitigation. Assessment, testing, and auditing are methods presented in this domain that allow a security practitioner to identify deficiencies in the security program and prioritize remedial activities.
Assessment and testing can be performed as an internal or external function; while both are appropriate for monitoring security program status, there are situations that require external evaluations. For instance, third-party audits are common in situations where an assessment must be conducted that is free of any conflict of interest. External audit reports, such as the Service Organization Control or SOC 2, can be useful for organizations to communicate details of their security practices to external parties like vendors or business partners. In this case, the auditor's independence from the audited organization provides additional assurance to consumers of the report.

Ethical penetration testing and related technical testing topics are presented in this domain, including test coverage and breach attack simulations. These types of tests can be conducted against a range of targets from individual information systems to entire organizations and are a valuable tool to identify deficiencies in security controls. The disclosure and handling of any findings from such testing is also discussed, including legal and ethical implications of information that might be discovered.

An ongoing assessment and testing program is also useful for establishing continuous monitoring and supporting compliance needs. Properly designed and implemented strategies for testing security controls, vulnerabilities, and attack simulations measure the effectiveness of the organization's existing control program. Any identified deficiencies must be addressed to ensure adequate risk management.

Security Operations

Security Operations (SecOps) is a companion to the other domains in the CBK, and this chapter deals with implementing, operating, and maintaining infrastructure needed to enable the organization's security program. Security practitioners must first perform a risk assessment and then design and operate security controls spanning technology, people, and process to mitigate those risks. SecOps is a key integration point between security teams and other parts of the organization such as Human Resources (HR) for key tasks like designing job rotations or segregation of duties, or a network engineering team that is responsible for implementing and maintaining firewalls and intrusion detection systems (IDSs).

Logical security aspects of SecOps include running and maintaining a security operations center (SOC), which is becoming an increasingly crucial part of a security program. The SOC centralizes information like threat intelligence, incident response, and security alerts, permitting information sharing, more efficient response, and oversight for the security program and functions. Planning for and exercising crucial business plans like business continuity and disaster recovery (BCDR) are also an important element of SecOps.

SecOps also encompasses important physical security concepts like facility design and environmental controls, which are often completely new concepts for security practitioners who have experience in cybersecurity or information technology (IT). However, the physical security of information systems and the data they contain is an important element of maintaining all aspects of security. In some cases, physical limitations like existing or shared buildings are drivers for additional logical controls to compensate for potential unauthorized physical access.

Software Development Security

Information systems rely on software, so proper security is essential for the tools and processes used to develop software. This includes both custom-built software as well as purchased system components that are integrated into information systems. Cloud computing is changing the paradigm of software development, so this domain also includes security requirements for computing resources that are consumed as a service like software as a service (SaaS), platform as a service (PaaS), and emerging architectures like containerization and microservices.

Software can be both a target for attackers and the attack vector. The increasingly complex software environment makes use of open-source software, prebuilt modules and libraries, and distributed applications to provide greater speed for developers and functionality for users. These business advantages, however, introduce risks like the potential for untrustworthy third-party code to be included in an application or attackers targeting remote access features.

Adequate security in the software development lifecycle (SDLC) requires a combined approach addressing people, process, and technology. This domain revisits the critical personnel security concept of training, with a specific focus on developer security training. Well-documented software development methodologies, guidelines, and procedures are essential process controls covered in the domain. Technology controls encompassing both the software development environment and software security testing are presented, as well as testing approaches for application security (AppSec) including static and dynamic testing.
Security and Risk Management

DOMAIN 1 OF THE CISSP Common Body of Knowledge (CBK) covers the foundational topics of building and managing a risk-based information security program. This domain covers a wide variety of concepts upon which the remainder of the CBK builds.

Before diving into the heart of security and risk management concepts, this chapter begins with coverage of professional ethics and how they apply in the field of information security. Understanding your responsibilities as a security professional is as important as knowing how to apply the security concepts. We then move on to topics related to understanding your organization's mission, strategy, goals, and business objectives, and evaluating how to properly satisfy your organization's business needs securely.

Understanding risk management, and how its concepts apply to information security, is one of the most important things you should take away from this chapter. We describe risk management concepts and explain how to apply them within your organization's security program. In addition, understanding relevant legal, regulatory, and compliance requirements is a critical component of every information security program. Domain 1 includes coverage of concepts such as cybercrimes and data breaches, import/export controls, and requirements for conducting various types of investigations.

This chapter introduces the human element of security and includes coverage of methods for educating your organization's employees on key security concepts. We cover the structure of a security awareness program and discuss how to evaluate the effectiveness of your education and training methods.

UNDERSTAND, ADHERE TO, AND PROMOTE PROFESSIONAL ETHICS

Understanding and following a strict code of ethics should be a top priority for any security professional. As a CISSP (or any information security professional who is certified by (ISC)²), you are required to understand and fully commit to supporting the (ISC)² Code of Ethics. Any (ISC)² member who knowingly violates the (ISC)² Code of Ethics will be subject to peer review and potential penalties, which may include revocation of the member's (ISC)² certification(s).

(ISC)² Code of Professional Ethics

The (ISC)² Code of Ethics Preamble is as follows:

- The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code of Ethics is a condition of certification.

In short, the Code of Ethics Preamble states that every CISSP-certified member is required not only to follow the Code of Ethics but also to be visibly seen as following it. Even the perception of impropriety or ethical deviation may bring into question a member's standing. As such, CISSP-certified members must serve as visible ethical leaders within their organizations and industry, at all times.

The (ISC)² Code of Ethics includes four canons that are intended to serve as high-level guidelines to augment, not replace, members' professional judgment. The (ISC)² Code of Ethics Canons are as follows:

- Canon I: Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Canon II: Act honorably, honestly, justly, responsibly, and legally.