Official ISC2 Guide to the CISSP CBK (2019)

Official ISC2 Guide to the CISSP CBK (2019) provides detailed explanations to help you understand key concepts.


CISSP: The Official (ISC)2® CISSP® CBK® Reference, Fifth Edition


CISSP: Certified Information Systems Security Professional
The Official (ISC)2® CISSP® CBK® Reference, Fifth Edition
John Warsinske
With: Mark Graff, Kevin Henry, Christopher Hoover, Ben Malisow, Sean Murphy, C. Paul Oakes, George Pajari, Jeff T. Parker, David Seidl, Mike Vasquez


Development Editor: Kelly Talbot
Senior Production Editor: Christine O’Connor
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Proofreader: Louise Watson, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley

Copyright © 2019 by (ISC)2
Published simultaneously in Canada
ISBN: 978-1-119-42334-8
ISBN: 978-1-119-42332-4 (ebk.)
ISBN: 978-1-119-42331-7 (ebk.)
Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019936840

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2, CISSP, and CBK are registered trademarks of (ISC)2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1


Lead Author and Lead Technical Reviewer

Over the course of his 30-plus years as an information technology professional, John Warsinske has been exposed to a breadth of technologies and governance structures. He has been, at various times, a network analyst, IT manager, project manager, security analyst, and chief information officer. He has worked in local, state, and federal government; has worked in public, private, and nonprofit organizations; and has been variously a contractor, direct employee, and volunteer. He has served in the U.S. military in assignments at the tactical, operational, and strategic levels across the entire spectrum from peace to war. In these diverse environments, he has experienced both the uniqueness and the similarities in the activities necessary to secure their respective information assets.

Mr. Warsinske has been an instructor for (ISC)2 for more than five years; prior to that, he was an adjunct faculty instructor at the College of Southern Maryland. His (ISC)2 certifications include the Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), and HealthCare Information Security and Privacy Practitioner (HCISPP). He maintains several other industry credentials as well.

When he is not traveling, Mr. Warsinske currently resides in Ormond Beach, Florida, with his wife and two extremely spoiled Carolina dogs.


Contributing Authors

Mark Graff (CISSP), former chief information security officer for both NASDAQ and Lawrence Livermore National Laboratory, is a seasoned cybersecurity practitioner and thought leader. He has lectured on risk analysis, cybersecurity, and privacy issues before the American Academy for the Advancement of Science, the Federal Communications Commission, the Pentagon, the National Nuclear Security Administration, and other U.S. national security facilities. Graff has twice testified before Congress on cybersecurity, and in 2018–2019 served as an expert witness on software security to the Federal Trade Commission. His books—notably Secure Coding: Principles and Practices—have been used at dozens of universities worldwide in teaching how to design and build secure software-based systems. Today, as head of the consulting firm Tellagraff LLC (www.markgraff.com), Graff provides strategic advice to large companies, small businesses, and government agencies. Recent work has included assisting multiple state governments in the area of election security.

Kevin Henry (CAP, CCSP, CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, CSSLP, and SSCP) is a passionate and effective educator and consultant in information security. Kevin has taught CISSP classes around the world and has contributed to the development of (ISC)2 materials for nearly 20 years. He is a frequent speaker at security conferences and the author of several books on security management. Kevin’s years of work in telecommunications, government, and private industry have led to his strength in being able to combine real-world experience with the concepts and application of information security topics in an understandable and effective manner.

Chris Hoover, CISSP, CISA, is a cybersecurity and risk management professional with 20 years in the field. He spent most of his career protecting the U.S. government’s most sensitive data in the Pentagon, the Baghdad Embassy, NGA Headquarters, Los Alamos Labs, and many other locations. Mr. Hoover also developed security products for RSA that are deployed across the U.S. federal government, many state governments, and internationally. He is currently consulting for the DoD and runs a risk management start-up called Riskuary. He has a master’s degree in information assurance.

Ben Malisow, CISSP, CISM, CCSP, Security+, SSCP, has been involved in INFOSEC and education for more than 20 years. At Carnegie Mellon University, he crafted and delivered the CISSP prep course for CMU’s CERT/SEU. Malisow was the ISSM for the FBI’s most highly classified counterterror intelligence-sharing network, served as an Air Force officer, and taught


grades 6–12 at a reform school in the Las Vegas public school district (probably his most dangerous employment to date). His latest work has included CCSP Practice Tests and CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide, also from Sybex/Wiley, and How to Pass Your INFOSEC Certification Test: A Guide to Passing the CISSP, CISA, CISM, Network+, Security+, and CCSP, available from Amazon Direct. In addition to other consulting and teaching, Ben is a certified instructor for (ISC)2, delivering CISSP, CCSP, and SSCP courses. You can reach him at www.benmalisow.com or his INFOSEC blog, securityzed.com. Ben would also like to extend his personal gratitude to Todd R. Slack, MS, JD, CIPP/US, CIPP/E, CIPM, FIP, CISSP, for his invaluable contributions to this book.

Sean Murphy, CISSP, HCISSP, is the vice president and chief information security officer for Premera Blue Cross (Seattle). He is responsible for providing and optimizing an enterprise-wide security program and architecture that minimizes risk, enables business imperatives, and further strengthens the health plan company’s security posture. He’s a healthcare information security expert with more than 20 years of experience in highly regulated, security-focused organizations. Sean retired from the U.S. Air Force (Medical Service Corps) after achieving the rank of lieutenant colonel. He has served as CIO and CISO in the military service and private sector at all levels of healthcare organizations. Sean has a master’s degree in business administration (advanced IT concentration) from the University of South Florida, a master’s degree in health services administration from Central Michigan University, and a bachelor’s degree in human resource management from the University of Maryland. He is a board chair of the Association for Executives in Healthcare Information Security (AEHIS). Sean is a past chairman of the HIMSS Privacy and Security Committee. He served on the (ISC)2 committee to develop the HCISPP credential. He is also a noted speaker at the national level and the author of numerous industry whitepapers, articles, and educational materials, including his book Healthcare Information Security and Privacy.

C. Paul Oakes, CISSP, CISSP-ISSAP, CCSP, CCSK, CSM, and CSPO, is an author, speaker, educator, technologist, and thought leader in cybersecurity, software development, and process improvement. Paul has worn many hats over his 20-plus years of experience. In his career he has been a security architect, consultant, software engineer, mentor, educator, and executive. Paul has worked with companies in various industries such as the financial industry, banking, publishing, utilities, government, e-commerce, education, training, research, and technology start-ups. His work has advanced the cause of software and information security on many fronts, ranging from writing security policy to implementing secure code and showing others how to do the same. Paul’s passion is to help people develop the skills they need to most effectively defend the line in cyberspace


and advance the standard of cybersecurity practice. To this end, Paul continuously collaborates with experts across many disciplines, ranging from cybersecurity to accelerated learning to mind-body medicine, to create and share the most effective strategies to rapidly learn cybersecurity and information technology subject matter. Most of all, Paul enjoys his life with his wife and young son, both of whom are the inspirations for his passion.

George E. Pajari, CISSP-ISSAP, CISM, CIPP/E, is a fractional CISO, providing cybersecurity leadership on a consulting basis to a number of cloud service providers. Previously he was the chief information security officer (CISO) at Hootsuite, the most widely used social media management platform, trusted by more than 16 million people and employees at 80 percent of the Fortune 1000. He has presented at conferences including CanSecWest, ISACA CACS, and BSides Vancouver. As a volunteer, he helps with the running of BSides Vancouver, the (ISC)² Vancouver chapter, and the University of British Columbia’s Cybersecurity Summit. He is a recipient of the ISACA CISM Worldwide Excellence Award.

Jeff Parker, CISSP, CySA+, CASP, is a certified technical trainer and security consultant specializing in governance, risk management, and compliance (GRC). Jeff began his information security career as a software engineer with an HP consulting group out of Boston. Enterprise clients for which Jeff has consulted on site include hospitals, universities, the U.S. Senate, and a half-dozen UN agencies. Jeff assessed these clients’ security posture and provided gap analysis and remediation. In 2006 Jeff relocated to Prague, Czech Republic, for a few years, where he designed a new risk management strategy for a multinational logistics firm. Presently, Jeff resides in Halifax, Canada, while consulting primarily for a GRC firm in Virginia.

David Seidl, CISSP, GPEN, GCIH, CySA+, Pentest+, is the vice president for information technology and CIO at Miami University of Ohio. During his IT career, he has served in a variety of technical and information security roles, including serving as the senior director for Campus Technology Services at the University of Notre Dame and leading Notre Dame’s information security team as director of information security. David has taught college courses on information security and writes books on information security and cyberwarfare, including CompTIA CySA+ Study Guide: Exam CS0-001, CompTIA PenTest+ Study Guide: Exam PT0-001, CISSP Official (ISC)2 Practice Tests, and CompTIA CySA+ Practice Tests: Exam CS0-001, all from Wiley, and Cyberwarfare: Information Operations in a Connected World from Jones and Bartlett. David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University.


Michael Neal Vasquez has more than 25 years of IT experience and has held several industry certifications, including CISSP, MCSE: Security, MCSE+I, MCDBA, and CCNA. Mike is a senior security engineer on the red team for a Fortune 500 financial services firm, where he spends his days (and nights) looking for security holes. After obtaining his BA from Princeton University, he forged a security-focused IT career, both working in the trenches and training other IT professionals. Mike is a highly sought-after instructor because his classes blend real-world experience and practical knowledge with the technical information necessary to comprehend difficult material, and his students praise his ability to make any course material entertaining and informative. Mike has taught CISSP, security, and Microsoft to thousands of students across the globe through local colleges and online live classes. He has performed penetration testing engagements for healthcare, financial services, retail, utilities, and government entities. He also runs his own consulting and training company and can be reached on LinkedIn at https://www.linkedin.com/in/mnvasquez.


Technical Reviewers

Bill Burke, CISSP, CCSP, CRISC, CISM, CEH, is a security professional with more than 35 years serving the information technology and services community. He specializes in security architecture, governance, and compliance, primarily in the cloud space. He previously served on the board of directors of the Silicon Valley (ISC)2 chapter, in addition to the board of directors of the Cloud Services Alliance – Silicon Valley. Bill can be reached via email at billburke@cloudcybersec.com.

Charles Gaughf, CISSP, SSCP, CCSP, is both a member and an employee of (ISC)², the global nonprofit leader in educating and certifying information security professionals. For more than 15 years, he has worked in IT and security in different capacities for nonprofit, higher education, and telecommunications organizations to develop security education for the industry at large. In leading the security team for the last five years as the senior manager of security at (ISC)², he was responsible for the global security operations, security posture, and overall security health of (ISC)². Most recently he transitioned to the (ISC)² education team to develop immersive and enriching CPE opportunities and security training and education for the industry at large. He holds degrees in management of information systems and communications.

Dr. Meng-Chow Kang, CISSP, is a practicing information security professional with more than 30 years of field experience in various technical information security and risk management roles for organizations that include the Singapore government, major global financial institutions, and security and technology providers. His research and part of his experience in the field have been published in his book Responsive Security: Be Ready to Be Secure from CRC Press. Meng-Chow has been a CISSP since 1998 and was a member of the (ISC)2 board of directors from 2015 through 2017. He is also a recipient of the (ISC)2 James Wade Service Award.

Aaron Kraus, CISSP, CCSP, Security+, began his career as a security auditor for U.S. federal government clients working with the NIST RMF and Cybersecurity Framework, and then moved to the healthcare industry as an auditor working with the HIPAA and HITRUST frameworks. Next, he entered the financial services industry, where he designed a control and audit program for vendor risk management, incorporating financial compliance requirements and industry-standard frameworks including COBIT and ISO 27002. Since 2016 Aaron has been


working with startups based in San Francisco, first on a GRC SaaS platform and more recently in cyber-risk insurance, where he focuses on assisting small- to medium-sized businesses to identify their risks, mitigate them appropriately, and transfer risk via insurance. In addition to his technical certifications, he is a Learning Tree certified instructor who teaches cybersecurity exam prep and risk management.

Professor Jill Slay, CISSP, CCFP, is the Optus chair of cybersecurity at La Trobe University, leads the Optus La Trobe Cyber Security Research Hub, and is the director of cyber-resilience initiatives for the Australian Computer Society. Jill is a director of the Victorian Oceania Research Centre and previously served two terms as a director of the International Information Systems Security Certification Consortium. She has established an international research reputation in cybersecurity (particularly digital forensics) and has worked in collaboration with many industry partners. She was made a member of the Order of Australia (AM) for service to the information technology industry through contributions in the areas of forensic computer science, security, protection of infrastructure, and cyberterrorism. She is a fellow of the Australian Computer Society and a fellow of the International Information Systems Security Certification Consortium, both for her service to the information security industry. She also is a MACS CP.


Contents at a Glance

Foreword xxv
Introduction xxvii
Domain 1: Security and Risk Management 1
Domain 2: Asset Security 131
Domain 3: Security Architecture and Engineering 213
Domain 4: Communication and Network Security 363
Domain 5: Identity and Access Management 483
Domain 6: Security Assessment and Testing 539
Domain 7: Security Operations 597
Domain 8: Software Development Security 695
Index 875


Contents

Foreword xxv
Introduction xxvii

Domain 1: Security and Risk Management 1
  Understand and Apply Concepts of Confidentiality, Integrity, and Availability 2
    Information Security 3
  Evaluate and Apply Security Governance Principles 6
    Alignment of Security Functions to Business Strategy, Goals, Mission, and Objectives 6
    Vision, Mission, and Strategy 6
    Governance 7
    Due Care 10
  Determine Compliance Requirements 11
    Legal Compliance 12
    Jurisdiction 12
    Legal Tradition 12
    Legal Compliance Expectations 13
  Understand Legal and Regulatory Issues That Pertain to Information Security in a Global Context 13
    Cyber Crimes and Data Breaches 14
    Privacy 36
  Understand, Adhere to, and Promote Professional Ethics 49
    Ethical Decision-Making 49
    Established Standards of Ethical Conduct 51
    (ISC)² Ethical Practices 56
  Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 57
    Organizational Documents 58
    Policy Development 61
    Policy Review Process 61


  Identify, Analyze, and Prioritize Business Continuity Requirements 62
    Develop and Document Scope and Plan 62
    Risk Assessment 70
    Business Impact Analysis 71
    Develop the Business Continuity Plan 73
  Contribute to and Enforce Personnel Security Policies and Procedures 80
    Key Control Principles 80
    Candidate Screening and Hiring 82
    Onboarding and Termination Processes 91
    Vendor, Consultant, and Contractor Agreements and Controls 96
    Privacy in the Workplace 97
  Understand and Apply Risk Management Concepts 99
    Risk 99
    Risk Management Frameworks 99
    Risk Assessment Methodologies 108
  Understand and Apply Threat Modeling Concepts and Methodologies 111
    Threat Modeling Concepts 111
    Threat Modeling Methodologies 112
  Apply Risk-Based Management Concepts to the Supply Chain 116
    Supply Chain Risks 116
    Supply Chain Risk Management 119
  Establish and Maintain a Security Awareness, Education, and Training Program 121
    Security Awareness Overview 122
    Developing an Awareness Program 123
    Training 127
  Summary 128

Domain 2: Asset Security 131
  Asset Security Concepts 131
    Data Policy 132
    Data Governance 132
    Data Quality 133
    Data Documentation 134
    Data Organization 136
  Identify and Classify Information and Assets 139
    Asset Classification 141
  Determine and Maintain Information and Asset Ownership 145
    Asset Management Lifecycle 146
    Software Asset Management 148


  Protect Privacy 152
    Cross-Border Privacy and Data Flow Protection 153
    Data Owners 161
    Data Controllers 162
    Data Processors 163
    Data Stewards 164
    Data Custodians 164
    Data Remanence 164
    Data Sovereignty 168
    Data Localization or Residency 169
    Government and Law Enforcement Access to Data 171
    Collection Limitation 172
    Understanding Data States 173
    Data Issues with Emerging Technologies 173
  Ensure Appropriate Asset Retention 175
    Retention of Records 178
    Determining Appropriate Records Retention 178
    Retention of Records in Data Lifecycle 179
    Records Retention Best Practices 180
  Determine Data Security Controls 181
    Technical, Administrative, and Physical Controls 183
    Establishing the Baseline Security 185
    Scoping and Tailoring 186
    Standards Selection 189
    Data Protection Methods 198
  Establish Information and Asset Handling Requirements 208
    Marking and Labeling 208
    Handling 209
    Declassifying Data 210
    Storage 211
  Summary 212

Domain 3: Security Architecture and Engineering 213
  Implement and Manage Engineering Processes Using Secure Design Principles 215
    Saltzer and Schroeder’s Principles 216
    ISO/IEC 19249 221
    Defense in Depth 229
    Using Security Principles 230


  Understand the Fundamental Concepts of Security Models 230
    Bell-LaPadula Model 232
    The Biba Integrity Model 234
    The Clark-Wilson Model 235
    The Brewer-Nash Model 235
  Select Controls Based upon Systems Security Requirements 237
  Understand Security Capabilities of Information Systems 241
    Memory Protection 241
    Virtualization 244
    Secure Cryptoprocessor 247
  Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 253
    Client-Based Systems 254
    Server-Based Systems 255
    Database Systems 257
    Cryptographic Systems 260
    Industrial Control Systems 267
    Cloud-Based Systems 271
    Distributed Systems 274
    Internet of Things 275
  Assess and Mitigate Vulnerabilities in Web-Based Systems 278
    Injection Vulnerabilities 279
    Broken Authentication 280
    Sensitive Data Exposure 283
    XML External Entities 284
    Broken Access Control 284
    Security Misconfiguration 285
    Cross-Site Scripting 285
    Using Components with Known Vulnerabilities 286
    Insufficient Logging and Monitoring 286
    Cross-Site Request Forgery 287
  Assess and Mitigate Vulnerabilities in Mobile Systems 287
    Passwords 288
    Multifactor Authentication 288
    Session Lifetime 289
    Wireless Vulnerabilities 290
    Mobile Malware 290
    Unpatched Operating System or Browser 290


    Insecure Devices 291
    Mobile Device Management 291
  Assess and Mitigate Vulnerabilities in Embedded Devices 292
  Apply Cryptography 295
    Cryptographic Lifecycle 295
    Cryptographic Methods 298
    Public Key Infrastructure 311
    Key Management Practices 315
    Digital Signatures 318
    Non-Repudiation 320
    Integrity 321
    Understand Methods of Cryptanalytic Attacks 325
    Digital Rights Management 339
  Apply Security Principles to Site and Facility Design 342
  Implement Site and Facility Security Controls 343
    Physical Access Controls 343
    Wiring Closets/Intermediate Distribution Facilities 345
    Server Rooms/Data Centers 346
    Media Storage Facilities 348
    Evidence Storage 349
    Restricted and Work Area Security 349
    Utilities and Heating, Ventilation, and Air Conditioning 351
    Environmental Issues 355
    Fire Prevention, Detection, and Suppression 358
  Summary 362

Domain 4: Communication and Network Security 363
  Implement Secure Design Principles in Network Architectures 364
    Open Systems Interconnection and Transmission Control Protocol/Internet Protocol Models 365
    Internet Protocol Networking 382
    Implications of Multilayer Protocols 392
    Converged Protocols 394
    Software-Defined Networks 395
    Wireless Networks 396
    Internet, Intranets, and Extranets 409
    Demilitarized Zones 410
    Virtual LANs 410


  Secure Network Components 411
    Firewalls 412
    Network Address Translation 418
    Intrusion Detection System 421
    Security Information and Event Management 422
    Network Security from Hardware Devices 423
    Transmission Media 429
    Endpoint Security 442
    Implementing Defense in Depth 447
    Content Distribution Networks 448
  Implement Secure Communication Channels According to Design 449
    Secure Voice Communications 449
    Multimedia Collaboration 452
    Remote Access 458
    Data Communications 466
    Virtualized Networks 470
  Summary 481

Domain 5: Identity and Access Management 483
  Control Physical and Logical Access to Assets 484
    Information 485
    Systems 486
    Devices 487
    Facilities 488
  Manage Identification and Authentication of People, Devices, and Services 492
    Identity Management Implementation 494
    Single Factor/Multifactor Authentication 496
    Accountability 511
    Session Management 511
    Registration and Proofing of Identity 513
    Federated Identity Management 520
    Credential Management Systems 524
  Integrate Identity as a Third-Party Service 525
    On-Premise 526
    Cloud 527
    Federated 527
  Implement and Manage Authorization Mechanisms 528
    Role-Based Access Control 528
    Rule-Based Access Control 529


    Mandatory Access Control 530
    Discretionary Access Control 531
    Attribute-Based Access Control 531
  Manage the Identity and Access Provisioning Lifecycle 533
    User Access Review 534
    System Account Access Review 535
    Provisioning and Deprovisioning 535
    Auditing and Enforcement 536
  Summary 537

Domain 6: Security Assessment and Testing 539
  Design and Validate Assessment, Test, and Audit Strategies 540
    Assessment Standards 543
  Conduct Security Control Testing 545
    Vulnerability Assessment 546
    Penetration Testing 554
    Log Reviews 564
    Synthetic Transactions 565
    Code Review and Testing 567
    Misuse Case Testing 571
    Test Coverage Analysis 573
    Interface Testing 574
  Collect Security Process Data 575
    Account Management 577
    Management Review and Approval 579
    Key Performance and Risk Indicators 580
    Backup Verification Data 583
    Training and Awareness 584
    Disaster Recovery and Business Continuity 585
  Analyze Test Output and Generate Report 587
  Conduct or Facilitate Security Audits 590
    Internal Audits 591
    External Audits 591
    Third-Party Audits 592
    Integrating Internal and External Audits 593
    Auditing Principles 593
    Audit Programs 594
  Summary 596


Domain 7: Security Operations 597
  Understand and Support Investigations 598
    Evidence Collection and Handling 599
    Reporting and Documentation 601
    Investigative Techniques 602
    Digital Forensics Tools, Techniques, and Procedures 604
  Understand Requirements for Investigation Types 610
    Administrative 611
    Criminal 613
    Civil 614
    Regulatory 616
    Industry Standards 616
  Conduct Logging and Monitoring Activities 617
    Define Auditable Events 618
    Time 619
    Protect Logs 620
    Intrusion Detection and Prevention 621
    Security Information and Event Management 623
    Continuous Monitoring 625
    Ingress Monitoring 629
    Egress Monitoring 631
  Securely Provision Resources 632
    Asset Inventory 632
    Asset Management 634
    Configuration Management 635
  Understand and Apply Foundational Security Operations Concepts 637
    Need to Know/Least Privilege 637
    Separation of Duties and Responsibilities 638
    Privileged Account Management 640
    Job Rotation 642
    Information Lifecycle 643
    Service Level Agreements 644
  Apply Resource Protection Techniques to Media 647
    Marking 647
    Protecting 647
    Transport 648
    Sanitization and Disposal 649


  Conduct Incident Management 650
    An Incident Management Program 651
    Detection 653
    Response 656
    Mitigation 657
    Reporting 658
    Recovery 661
    Remediation 661
    Lessons Learned 661
    Third-Party Considerations 662
  Operate and Maintain Detective and Preventative Measures 663
    White-listing/Black-listing 665
    Third-Party Security Services 665
    Honeypots/Honeynets 667
    Anti-Malware 667
  Implement and Support Patch and Vulnerability Management 670
  Understand and Participate in Change Management Processes 672
  Implement Recovery Strategies 673
    Backup Storage Strategies 673
    Recovery Site Strategies 676
    Multiple Processing Sites 678
    System Resilience, High Availability, Quality of Service, and Fault Tolerance 679
  Implement Disaster Recovery Processes 679
    Response 680
    Personnel 680
    Communications 682
    Assessment 682
    Restoration 683
    Training and Awareness 684
  Test Disaster Recovery Plans 685
    Read-Through/Tabletop 686
    Walk-Through 687
    Simulation 687
    Parallel 687
    Full Interruption 688
  Participate in Business Continuity Planning and Exercises 688
  Implement and Manage Physical Security 689
    Physical Access Control 689
    The Data Center 692


ContentsxxivAddress Personnel Safety and Security Concerns693Travel693Duress693Summary694Domain 8: Software Development Security695Understand and Integrate Security in the Software Development Lifecycle696Development Methodologies696Maturity Models753Operations and Maintenance768Change Management770Integrated Product Team773Identify and Apply Security Controls in Development Environments776Security of the Software Environment777Configuration Management as an Aspect of Secure Coding796Security of Code Repositories798Assess the Effectiveness of Software Security802Logging and Auditing of Changes802Risk Analysis and Mitigation817Assess the Security Impact of Acquired Software835Acquired Software Types835Software Acquisition Process842Relevant Standards845Software Assurance848Certification and Accreditation852Define and Apply Secure Coding Standards and Guidelines853Security Weaknesses and Vulnerabilities at theSource-Code Level854Security of Application Programming Interfaces859Secure Coding Practices868Summary874Index875


Foreword

Being recognized as a CISSP is an important step in investing in your information security career. Whether you are picking up this book to supplement your preparation to sit for the exam or you are an existing CISSP using this as a desk reference, you've acknowledged that this certification makes you recognized as one of the most respected and sought-after cybersecurity leaders in the world. After all, that's what the CISSP symbolizes. You and your peers are among the ranks of the most knowledgeable practitioners in our community. The designation of CISSP instantly communicates to everyone within our industry that you are intellectually curious and traveling along a path of lifelong learning and improvement. Importantly, as a member of (ISC)² you have officially committed to ethical conduct commensurate to your position of trust as a cybersecurity professional.

The recognized leader in the field of information security education and certification, (ISC)² promotes the development of information security professionals throughout the world. As a CISSP with all the benefits of (ISC)² membership, you are part of a global network of more than 140,000 certified professionals who are working to inspire a safe and secure cyber world.

Being a CISSP, though, is more than a credential; it is what you demonstrate daily in your information security role. The value of your knowledge is the proven ability to effectively design, implement, and manage a best-in-class cybersecurity program within your organization. To that end, it is my great pleasure to present the Official (ISC)² Guide to the CISSP (Certified Information Systems Security Professional) CBK. Drawing from a comprehensive, up-to-date global body of knowledge, the CISSP CBK provides you with valuable insights on how to implement every aspect of cybersecurity in your organization.

If you are an experienced CISSP, you will find this edition of the CISSP CBK to be a timely book to frequently reference for reminders on best practices. If you are still gaining the experience and knowledge you need to join the ranks of CISSPs, the CISSP CBK is a deep dive that can be used to supplement your studies.

As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)² recognizes the need to identify and validate not only information security competency but also the ability to connect knowledge of several domains when building high-functioning cybersecurity teams that demonstrate cyber resiliency. The CISSP credential represents advanced knowledge and competency in security design, implementation, architecture, operations, controls, and more.

If you are leading or ready to lead your security team, reviewing the Official (ISC)² Guide to the CISSP CBK will be a great way to refresh your knowledge of the many factors that go into securely implementing and managing cybersecurity systems that match your organization's IT strategy and governance requirements. The goal for CISSP credential holders is to achieve the highest standard for cybersecurity expertise—managing multiplatform IT infrastructures while keeping sensitive data secure. This becomes especially crucial in the era of digital transformation, where cybersecurity permeates virtually every value stream imaginable. Organizations that can demonstrate world-class cybersecurity capabilities and trusted transaction methods can enable customer loyalty and fuel success.

The opportunity has never been greater for dedicated men and women to carve out a meaningful career and make a difference in their organizations. The CISSP CBK will be your constant companion in protecting and securing the critical data assets of your organization that will serve you for years to come.

Regards,
David P. Shearer, CISSP
CEO, (ISC)²


Introduction

The Certified Information Systems Security Professional (CISSP) signifies that an individual has a cross-disciplinary expertise across the broad spectrum of information security and that he or she understands the context of it within a business environment. There are two main requirements that must be met in order to achieve the status of CISSP. One must take and pass the certification exam, while also proving a minimum of five years of direct full-time security work experience in two or more of the domains of the (ISC)² CISSP CBK. The field of information security is wide, and there are many potential paths along one's journey through this constantly and rapidly changing profession.

A firm comprehension of the domains within the CISSP CBK and an understanding of how they connect back to the business and its people are important components in meeting the requirements of the CISSP credential. Every reader will connect these domains to their own background and perspective. These connections will vary based on industry, regulatory environment, geography, culture, and unique business operating environment. With that sentiment in mind, this book's purpose is not to address all of these issues or prescribe a set path in these areas. Instead, the aim is to provide an official guide to the CISSP CBK and allow you, as a security professional, to connect your own knowledge, experience, and understanding to the CISSP domains and translate the CBK into value for your organization and the users you protect.

Security and Risk Management

The Security and Risk Management domain entails many of the foundational security concepts and principles of information security. This domain covers a broad set of topics and demonstrates how to generally apply the concepts of confidentiality, integrity, and availability across a security program. This domain also includes understanding compliance requirements, governance, building security policies and procedures, business continuity planning, risk management, security education, and training and awareness, and most importantly it lays out the ethical canons and professional conduct to be demonstrated by (ISC)² members.

The information security professional will be involved in all facets of security and risk management as part of the functions they perform across the enterprise. These functions may include developing and enforcing policy, championing governance and risk management, and ensuring the continuity of operations across an organization in the event of unforeseen circumstances. To that end, the information security professional must safeguard the organization's people and data.

Asset Security

The Asset Security domain covers the safeguarding of information and information assets across their lifecycle, to include the proper collection, classification, handling, selection, and application of controls. Important concepts within this domain are data ownership, privacy, data security controls, and cryptography. Asset security is used to identify controls for information and the technology that supports the exchange of that information, to include systems, media, transmission, and privilege.

The information security professional is expected to have a solid understanding of what must be protected, what access should be restricted, the control mechanisms available, how those mechanisms may be abused, and the appropriateness of those controls, and they should be able to apply the principles of confidentiality, integrity, availability, and privacy against those assets.

Security Architecture and Engineering

The Security Architecture and Engineering domain covers the process of designing and building secure and resilient information systems and associated architecture so that the information systems can perform their function while minimizing the threats that can be caused by malicious actors, human error, natural disasters, or system failures. Security must be considered in the design, in the implementation, and during the continuous delivery of an information system through its lifecycle. It is paramount to understand secure design principles and to be able to apply security models to a wide variety of distributed and disparate systems and to protect the facilities that house these systems.

An information security professional is expected to develop designs that demonstrate how controls are positioned and how they function within a system. The security controls must tie back to the overall system architecture and demonstrate how, through security engineering, those systems maintain the attributes of confidentiality, integrity, and availability.


Communication and Network Security

The Communication and Network Security domain covers secure design principles as they relate to network architectures. The domain provides a thorough understanding of the components of a secure network, secure design, and models for secure network operation. The domain covers aspects of a layered defense, secure network technologies, and management techniques to prevent threats across a number of network types and converged networks.

It is necessary for an information security professional to have a thorough understanding of networks and the way in which organizations communicate. The connected world in which security professionals operate requires that organizations be able to access information and execute transactions in real time with an assurance of security. It is therefore important that an information security professional be able to identify threats and risks and then implement mitigation techniques and strategies to protect these communication channels.

Identity and Access Management (IAM)

The Identity and Access Management (IAM) domain covers the mechanisms by which an information system permits or revokes the right to access information or perform an action against an information system. IAM is the mechanism by which organizations manage digital identities. IAM also includes the organizational policies and processes for managing digital identities as well as the underlying technologies and protocols needed to support identity management.

Information security professionals and users alike interact with components of IAM every day. This includes business services logon authentication, file and print systems, and nearly any information system that retrieves and manipulates data. This can mean users or a web service that exposes data for user consumption. IAM plays a critical and indispensable part in these transactions and in determining whether a user's request is validated or disqualified from access.

Security Assessment and Testing

The Security Assessment and Testing domain covers the tenets of how to perform and manage the activities involved in security assessment and testing, which includes providing a check and balance to regularly verify that security controls are performing optimally and efficiently to protect information assets. The domain describes the array of tools and methodologies for performing various activities such as vulnerability assessments, penetration tests, and software tests.

The information security professional plays a critical role in ensuring that security controls remain effective over time. Changes to the business environment, changes to the technical environment, and new threats will alter the effectiveness of controls. It is important that the security professional be able to adapt controls in order to protect the confidentiality, integrity, and availability of information assets.

Security Operations

The Security Operations domain includes a wide range of concepts, principles, best practices, and responsibilities that are core to effectively running security operations in any organization. This domain explains how to protect and control information processing assets in centralized and distributed environments and how to execute the daily tasks required to keep security services operating reliably and efficiently. These activities include performing and supporting investigations, monitoring security, performing incident response, implementing disaster recovery strategies, and managing physical security and personnel safety.

In the day-to-day operations of the organization, sustaining expected levels of confidentiality, availability, and integrity of information and business services is where the information security professional affects operational resiliency. The day-to-day securing, responding, monitoring, and maintenance of resources demonstrates how the information security professional is able to protect information assets and provide value to the organization.

Software Development Security

The Software Development Security domain refers to the controls around software, its development lifecycle, and the vulnerabilities inherent in systems and applications. Applications and data are the foundation of an information system. An understanding of this process is essential to the development and maintenance required to ensure dependable and secure software. This domain also covers the development of secure coding guidelines and standards, as well as the impacts of acquired software.

Software underpins every system that the information security professional and users in every business interact with on a daily basis. Being able to provide leadership and direction to the development process, audit mechanisms, database controls, and web application threats are all elements that the information security professional will put in place as part of the Software Development Security domain.