The Official ISC2 CISSP CBK Reference (2021)

The Official ISC2 CISSP CBK Reference (2021) helps you master complex topics with simplified explanations.

Contributor: Benjamin Clark
Preview: 31 of 674 pages

CISSP: Certified Information Systems Security Professional
The Official (ISC)²® CISSP® CBK® Reference, Sixth Edition

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada.
ISBN: 978-1-119-78999-4
ISBN: 978-1-119-79001-3 (ebk.)
ISBN: 978-1-119-79000-6 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Control Number: 2021942306

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)², CISSP, and CBK are registered certification marks or trademarks of (ISC)², Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover Design: Wiley and (ISC)²

Lead Authors

ARTHUR DEANE, CISSP, CCSP is a senior director at Capital One Financial, where he leads information security activities in the Card division. Prior to Capital One, Arthur held security leadership roles at Google, Amazon, and PwC, in addition to several security engineering and consulting roles with the U.S. federal government. Arthur is an adjunct professor at American University and a member of the Computer Science Advisory Board at Howard University. He holds a bachelor's degree in electrical engineering from Rochester Institute of Technology (RIT) and a master's degree in information security from the University of Maryland. Arthur is also the author of CCSP for Dummies.

AARON KRAUS, CISSP, CCSP is an information security professional with more than 15 years of experience in security risk management, auditing, and teaching cybersecurity topics. He has worked in security and compliance leadership roles across industries including U.S. federal government civilian agencies, financial services, insurance, and technology startups. Aaron is a course author, instructor, and cybersecurity curriculum dean at Learning Tree International, and he most recently taught the Official (ISC)² CISSP CBK Review Seminar. He is a co-author of The Official (ISC)² Guide to the CCSP CBK, 3rd Edition, and served as technical editor for numerous Wiley publications including (ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition; CCSP Official (ISC)² Practice Tests; The Official (ISC)² Guide to the CISSP CBK Reference, 5th Edition; and (ISC)² CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition.

Technical Reviewer

MICHAEL S. C. WILLS, CAMS, CISSP, SSCP, is assistant professor of applied and innovative information technologies at the College of Business at Embry-Riddle Aeronautical University Worldwide, where he continues his graduate and undergraduate teaching and research in cybersecurity and information assurance. Mike has also been an advisor on science and technology policy to the UK's Joint Intelligence Committee, Ministry of Justice, and Defense Science and Technology Laboratories, helping them to evolve an operational and policy consensus relating topics from cryptography and virtual worlds, through the burgeoning surveillance society, to the proliferation of weapons of mass disruption (not just "destruction") and their effects on global, regional, national, and personal security. For a time, this had him sometimes known as the UK's nonresident expert on outer space law. Mike has been supporting the work of (ISC)² by writing, editing, and updating books, study guides, and course materials for both their SSCP and CISSP programs. He wrote the SSCP Official Study Guide, 2nd Edition (Sybex, 2019), followed quickly by the SSCP Official Common Book of Knowledge, 5th Edition. He was lead author for the 2021 update of (ISC)²'s official CISSP and SSCP training materials. Mike has also contributed to several industry roundtables and white papers on digital identity and cyber fraud detection and prevention and has been a panelist and webinar presenter on these and related topics for ACAMS.

Foreword xix
Introduction xxi
Security and Risk Management 1
Asset Security 97
Security Architecture and Engineering 147
Communication and Network Security 283
Identity and Access Management 377
Security Assessment and Testing 419
Security Operations 463
Software Development Security 549
Index 625

Contents

Foreword xix
Introduction xxi

DOMAIN 1: SECURITY AND RISK MANAGEMENT 1
Understand, Adhere to, and Promote Professional Ethics 2
  (ISC)² Code of Professional Ethics 2
  Organizational Code of Ethics 3
Understand and Apply Security Concepts 4
  Confidentiality 4
  Integrity 5
  Availability 6
  Limitations of the CIA Triad 7
Evaluate and Apply Security Governance Principles 8
  Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives 9
  Organizational Processes 10
  Organizational Roles and Responsibilities 14
  Security Control Frameworks 15
  Due Care and Due Diligence 22
Determine Compliance and Other Requirements 23
  Legislative and Regulatory Requirements 2
  Industry Standards and Other Compliance Requirements 25
  Privacy Requirements 27
Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context 28
  Cybercrimes and Data Breaches 28
  Licensing and Intellectual Property Requirements 36
  Import/Export Controls 39

  Transborder Data Flow 40
  Privacy 41
Understand Requirements for Investigation Types 48
  Administrative 49
  Criminal 50
  Civil 52
  Regulatory 53
  Industry Standards 54
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines 55
  Policies 55
  Standards 56
  Procedures 57
  Guidelines 57
Identify, Analyze, and Prioritize Business Continuity Requirements 58
  Business Impact Analysis 59
  Develop and Document the Scope and the Plan 61
Contribute to and Enforce Personnel Security Policies and Procedures 63
  Candidate Screening and Hiring 63
  Employment Agreements and Policies 64
  Onboarding, Transfers, and Termination Processes 65
  Vendor, Consultant, and Contractor Agreements and Controls 67
  Compliance Policy Requirements 67
  Privacy Policy Requirements 68
Understand and Apply Risk Management Concepts 68
  Identify Threats and Vulnerabilities 68
  Risk Assessment 70
  Risk Response/Treatment 72
  Countermeasure Selection and Implementation 73
  Applicable Types of Controls 75
  Control Assessments 76
  Monitoring and Measurement 77
  Reporting 77
  Continuous Improvement 78
  Risk Frameworks 78
Understand and Apply Threat Modeling Concepts and Methodologies 83
  Threat Modeling Concepts 84
  Threat Modeling Methodologies 85
Apply Supply Chain Risk Management Concepts 88
  Risks Associated with Hardware, Software, and Services 88

  Third-Party Assessment and Monitoring 89
  Minimum Security Requirements 90
  Service-Level Requirements 90
  Frameworks 91
Establish and Maintain a Security Awareness, Education, and Training Program 92
  Methods and Techniques to Present Awareness and Training 93
  Periodic Content Reviews 94
  Program Effectiveness Evaluation 94
Summary 95

ASSET SECURITY 97
Identify and Classify Information and Assets 97
  Data Classification and Data Categorization 99
  Asset Classification 101
Establish Information and Asset Handling Requirements 104
  Marking and Labeling 104
  Handling 105
  Storage 105
  Declassification 106
Provision Resources Securely 108
  Information and Asset Ownership 108
  Asset Inventory 109
  Asset Management 112
Manage Data Lifecycle 115
  Data Roles 116
  Data Collection 120
  Data Location 120
  Data Maintenance 121
  Data Retention 122
  Data Destruction 123
  Data Remanence 123
Ensure Appropriate Asset Retention 127
  Determining Appropriate Records Retention 129
  Records Retention Best Practices 130
Determine Data Security Controls and Compliance Requirements 131
  Data States 133
  Scoping and Tailoring 135
  Standards Selection 137
  Data Protection Methods 141
Summary 144

SECURITY ARCHITECTURE AND ENGINEERING 147
Research, Implement, and Manage Engineering Processes Using Secure Design Principles 149
  ISO/IEC 19249 150
  Threat Modeling 157
  Secure Defaults 160
  Fail Securely 161
  Separation of Duties 161
  Keep It Simple 162
  Trust, but Verify 162
  Zero Trust 163
  Privacy by Design 165
  Shared Responsibility 166
  Defense in Depth 167
Understand the Fundamental Concepts of Security Models 168
  Primer on Common Model Components 168
  Information Flow Model 169
  Noninterference Model 169
  Bell-LaPadula Model 170
  Biba Integrity Model 172
  Clark-Wilson Model 173
  Brewer-Nash Model 173
  Take-Grant Model 175
Select Controls Based Upon Systems Security Requirements 175
Understand Security Capabilities of Information Systems 179
  Memory Protection 180
  Secure Cryptoprocessor 182
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 187
  Client-Based Systems 187
  Server-Based Systems 189
  Database Systems 191
  Cryptographic Systems 194
  Industrial Control Systems 200
  Cloud-Based Systems 203
  Distributed Systems 207
  Internet of Things 208
  Microservices 212
  Containerization 214

  Serverless 215
  Embedded Systems 216
  High-Performance Computing Systems 219
  Edge Computing Systems 220
  Virtualized Systems 221
Select and Determine Cryptographic Solutions 224
  Cryptography Basics 225
  Cryptographic Lifecycle 226
  Cryptographic Methods 229
  Public Key Infrastructure 243
  Key Management Practices 246
  Digital Signatures and Digital Certificates 250
  Nonrepudiation 252
  Integrity 253
Understand Methods of Cryptanalytic Attacks 257
  Brute Force 258
  Ciphertext Only 260
  Known Plaintext 260
  Chosen Plaintext Attack 260
  Frequency Analysis 261
  Chosen Ciphertext 261
  Implementation Attacks 261
  Side-Channel Attacks 261
  Fault Injection 263
  Timing Attacks 263
  Man-in-the-Middle 263
  Pass the Hash 263
  Kerberos Exploitation 264
  Ransomware 264
Apply Security Principles to Site and Facility Design 265
Design Site and Facility Security Controls 265
  Wiring Closets/Intermediate Distribution Facilities 266
  Server Rooms/Data Centers 267
  Media Storage Facilities 268
  Evidence Storage 269
  Restricted and Work Area Security 270
  Utilities and Heating, Ventilation, and Air Conditioning 272
  Environmental Issues 275
  Fire Prevention, Detection, and Suppression 277
Summary 281

COMMUNICATION AND NETWORK SECURITY 283
Assess and Implement Secure Design Principles in Network Architectures 283
  Open System Interconnection and Transmission Control Protocol/Internet Protocol Models 285
  The OSI Reference Model 286
  The TCP/IP Reference Model 299
  Internet Protocol Networking 302
  Secure Protocols 311
  Implications of Multilayer Protocols 313
  Converged Protocols 315
  Microsegmentation 316
  Wireless Networks 319
  Cellular Networks 333
  Content Distribution Networks 334
Secure Network Components 335
  Operation of Hardware 335
  Repeaters, Concentrators, and Amplifiers 341
  Hubs 341
  Bridges 342
  Switches 342
  Routers 343
  Gateways 343
  Proxies 343
  Transmission Media 345
  Network Access Control 352
  Endpoint Security 354
  Mobile Devices 355
Implement Secure Communication Channels According to Design 357
  Voice 357
  Multimedia Collaboration 359
  Remote Access 365
  Data Communications 371
  Virtualized Networks 373
  Third-Party Connectivity 374
Summary 374

IDENTITY AND ACCESS MANAGEMENT 377
Control Physical and Logical Access to Assets 378
  Access Control Definitions 378
  Information 379

  Systems 380
  Devices 381
  Facilities 383
  Applications 386
Manage Identification and Authentication of People, Devices, and Services 387
  Identity Management Implementation 388
  Single/Multifactor Authentication 389
  Accountability 396
  Session Management 396
  Registration, Proofing, and Establishment of Identity 397
  Federated Identity Management 399
  Credential Management Systems 399
  Single Sign-On 400
  Just-In-Time 401
Federated Identity with a Third-Party Service 401
  On Premises 402
  Cloud 403
  Hybrid 403
Implement and Manage Authorization Mechanisms 404
  Role-Based Access Control 405
  Rule-Based Access Control 405
  Mandatory Access Control 406
  Discretionary Access Control 406
  Attribute-Based Access Control 407
  Risk-Based Access Control 408
Manage the Identity and Access Provisioning Lifecycle 408
  Account Access Review 409
  Account Usage Review 411
  Provisioning and Deprovisioning 411
  Role Definition 412
  Privilege Escalation 413
Implement Authentication Systems 414
  OpenID Connect/Open Authorization 414
  Security Assertion Markup Language 415
  Kerberos 416
  Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus 417
Summary 418

SECURITY ASSESSMENT AND TESTING 419
Design and Validate Assessment, Test, and Audit Strategies 420
  Internal 421
  External 422
  Third-Party 423
Conduct Security Control Testing 423
  Vulnerability Assessment 423
  Penetration Testing 428
  Log Reviews 435
  Synthetic Transactions 435
  Code Review and Testing 436
  Misuse Case Testing 437
  Test Coverage Analysis 438
  Interface Testing 439
  Breach Attack Simulations 440
  Compliance Checks 441
Collect Security Process Data 442
  Technical Controls and Processes 443
  Administrative Controls 443
  Account Management 444
  Management Review and Approval 445
  Management Reviews for Compliance 446
  Key Performance and Risk Indicators 447
  Backup Verification Data 450
  Training and Awareness 450
  Disaster Recovery and Business Continuity 451
Analyze Test Output and Generate Report 452
  Typical Audit Report Contents 453
  Remediation 454
  Exception Handling 455
  Ethical Disclosure 456
Conduct or Facilitate Security Audits 458
  Designing an Audit Program 458
  Internal Audits 459
  External Audits 460
  Third-Party Audits 460
Summary 461

SECURITY OPERATIONS 463
Understand and Comply with Investigations 464
  Evidence Collection and Handling 465

  Reporting and Documentation 467
  Investigative Techniques 469
  Digital Forensics Tools, Tactics, and Procedures 470
  Artifacts 475
Conduct Logging and Monitoring Activities 478
  Intrusion Detection and Prevention 478
  Security Information and Event Management 480
  Continuous Monitoring 481
  Egress Monitoring 483
  Log Management 484
  Threat Intelligence 486
  User and Entity Behavior Analytics 488
Perform Configuration Management 489
  Provisioning 490
  Asset Inventory 492
  Baselining 492
  Automation 493
Apply Foundational Security Operations Concepts 494
  Need-to-Know/Least Privilege 494
  Separation of Duties and Responsibilities 495
  Privileged Account Management 496
  Job Rotation 498
  Service-Level Agreements 498
Apply Resource Protection 499
  Media Management 500
  Media Protection Techniques 501
Conduct Incident Management 502
  Incident Management Plan 503
  Detection 505
  Response 506
  Mitigation 507
  Reporting 508
  Recovery 510
  Remediation 510
  Lessons Learned 511
Operate and Maintain Detective and Preventative Measures 51
  Firewalls 512
  Intrusion Detection Systems and Intrusion Prevention Systems 514
  Whitelisting/Blacklisting 515
  Third-Party-Provided Security Services 515
  Sandboxing 517

  Honeypots/Honeynets 517
  Anti-malware 518
  Machine Learning and Artificial Intelligence Based Tools 518
Implement and Support Patch and Vulnerability Management 519
  Patch Management 519
  Vulnerability Management 521
Understand and Participate in Change Management Processes 522
Implement Recovery Strategies 523
  Backup Storage Strategies 524
  Recovery Site Strategies 527
  Multiple Processing Sites 527
  System Resilience, High Availability, Quality of Service, and Fault Tolerance 528
Implement Disaster Recovery Processes 529
  Response 529
  Personnel 530
  Communications 531
  Assessment 532
  Restoration 533
  Training and Awareness 534
  Lessons Learned 534
Test Disaster Recovery Plans 535
  Read-through/Tabletop 536
  Walkthrough 536
  Simulation 537
  Parallel 537
  Full Interruption 537
Participate in Business Continuity Planning and Exercises 538
Implement and Manage Physical Security 539
  Perimeter Security Controls 541
  Internal Security Controls 543
Address Personnel Safety and Security Concerns 545
  Travel 545
  Security Training and Awareness 546
  Emergency Management 546
  Duress 547
Summary 548

SOFTWARE DEVELOPMENT SECURITY 549
Understand and Integrate Security in the Software Development Life Cycle (SDLC) 550
  Development Methodologies 551

  Maturity Models 561
  Operation and Maintenance 567
  Change Management 568
  Integrated Product Team 571
Identify and Apply Security Controls in Software Development Ecosystems 572
  Programming Languages 572
  Libraries 577
  Toolsets 578
  Integrated Development Environment 579
  Runtime 580
  Continuous Integration and Continuous Delivery 581
  Security Orchestration, Automation, and Response 583
  Software Configuration Management 585
  Code Repositories 586
  Application Security Testing 588
Assess the Effectiveness of Software Security 590
  Auditing and Logging of Changes 590
  Risk Analysis and Mitigation 595
Assess Security Impact of Acquired Software 599
  Commercial Off-the-Shelf 599
  Open Source 601
  Third-Party 602
  Managed Services (SaaS, IaaS, PaaS) 602
Define and Apply Secure Coding Guidelines and Standards 604
  Security Weaknesses and Vulnerabilities at the Source-Code Level 605
  Security of Application Programming Interfaces 613
  API Security Best Practices 613
  Secure Coding Practices 618
  Software-Defined Security 621
Summary 624

Index 625

Foreword

EARNING THE GLOBALLY RECOGNIZED CISSP® security certification is a proven way to build your career and demonstrate deep knowledge of cybersecurity concepts across a broad range of domains. Whether you are picking up this book to supplement your preparation to sit for the exam or are an existing CISSP using it as a desk reference, you'll find The Official (ISC)²® CISSP® CBK® Reference to be the perfect primer on the security concepts covered in the eight domains of the CISSP CBK.

The CISSP is the most globally recognized certification in the information security market. It immediately signifies that the holder has the advanced cybersecurity skills and knowledge to design, engineer, implement, and manage information security programs and teams that protect against increasingly sophisticated attacks. It also conveys an adherence to best practices, policies, and procedures established by (ISC)² cybersecurity experts.

The recognized leader in the field of information security education and certification, (ISC)² promotes the development of information security professionals throughout the world. As a CISSP with all the benefits of (ISC)² membership, you are part of a global network of more than 161,000 certified professionals who are working to inspire a safe and secure cyber world.

Drawing from a comprehensive, up-to-date global body of knowledge, the CISSP CBK provides you with valuable insights on the skills, techniques, and best practices a security professional should be familiar with, including how different elements of the information technology ecosystem interact.

If you are an experienced CISSP, you will find this edition of the CISSP CBK an indispensable reference. If you are still gaining the experience and knowledge you need to join the ranks of CISSPs, the CISSP CBK is a deep dive that can be used to supplement your studies.

As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)² recognizes the need to identify and validate not only information security competency, but also the ability to build, manage, and lead a security organization. Written by a team of subject matter experts, this comprehensive compendium covers all CISSP objectives and subobjectives in a structured format with common practices for each objective, a common lexicon and references to widely accepted computing standards and case studies.

The opportunity has never been greater for dedicated professionals to advance their careers and inspire a safe and secure cyber world. The CISSP CBK will be your constant companion in protecting your organization and will serve you for years to come.

Sincerely,
Clar Rosso
CEO, (ISC)²

Introduction

THE CERTIFIED INFORMATION SYSTEMS Security Professional (CISSP) certification identifies a professional who has demonstrated skills, knowledge, and abilities across a wide array of security practices and principles. The exam covers eight domains of practice, which are codified in the CISSP Common Body of Knowledge (CBK). The CBK presents topics that a CISSP can use in their daily role to identify and manage security risks to data and information systems and is built on a foundation comprising fundamental security concepts of confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA), as well as privacy and security (CIANA+PS). A variety of controls can be implemented for both data and systems, with the goal of either safeguarding or mitigating security risks to each of these foundational principles.

Global professionals take many paths into information security, and each candidate's experience must be combined with variations in practice and perspective across industries and regions due to the global reach of the certification. For most security practitioners, achieving CISSP requires study and learning new disciplines, and professionals are unlikely to work across all eight domains on a daily basis. The CISSP CBK is a baseline standard of security knowledge to help security practitioners deal with new and evolving risks, and this guide provides easy reference to aid practitioners in applying security topics and principles. This baseline must be connected with the reader's own experience and the unique operating environment of the reader's organization to be effective.

The rapid pace of change in security also demands that practitioners continuously maintain their knowledge, so CISSP credential holders are also expected to maintain their knowledge via continuing education. Reference materials like this guide, along with other content sources such as industry conferences, webinars, and research are vital to maintaining this knowledge.

The domains presented in the CBK are progressive, starting with a foundation of basic security and risk management concepts in Chapter 1, "Security and Risk Management," as well as fundamental topics of identifying, valuing, and applying proper risk mitigations for asset security in Chapter 2, "Asset Security." Applying security to complex technology environments can be achieved by applying architecture and engineering concepts, which are presented in Chapter 3, "Security Architecture and Engineering." Chapter 4, "Communication and Network Security," details both the critical risks to as well as the critical defensive role played by communications networks, and Chapter 5, "Identity and Access Management," covers the crucial practices of identifying users (both human and nonhuman) and controlling their access to systems, data, and other resources. Once a security program is designed, it is vital to gather information about and assess its effectiveness, which is covered in Chapter 6, "Security Assessment and Testing," and keep the entire affair running, also known as security operations or SecOps, which is covered in Chapter 7, "Security Operations." Finally, the vital role played by software is addressed in Chapter 8, "Software Development Security," which covers both principles of securely developing software as well as risks and threats to software and development environments. The following presents overviews for each of these chapters in a little more detail.

Security and Risk Management

The foundation of the CISSP CBK is the assessment and management of risk to data and the information systems that process it. The Security and Risk Management domain introduces the foundational CIANA+PS concepts needed to build a risk management program. Using these concepts, a security practitioner can build a program for governance, risk, and compliance (GRC), which allows the organization to design a system of governance needed to implement security controls. These controls should address the risks faced by the organization as well as any necessary legal and regulatory compliance obligations.

Risk management principles must be applied throughout an organization's operations, so topics of business continuity (BC), personnel security, and supply chain risk management are also introduced in this domain. Ensuring that operations can continue in the event of a disruption supports the goal of availability, while properly designed personnel security controls require training programs and well-documented policies and other security guidance.

One critical concept is presented in this domain: the (ISC)² code of professional ethics. All CISSP candidates must agree to be bound by the code as part of the certification process, and credential holders face penalties up to and including loss of their credentials for violating the code. Regardless of what area of security a practitioner is working in, the need to preserve the integrity of the profession by adhering to a code of ethics is critical to fostering trust in the security profession.

Asset Security

Assets are anything that an organization uses to generate value, including ideas, processes, information, and computing hardware. Classifying and categorizing assets allows organizations to prioritize limited security resources to achieve a proper balance of costs and benefits, and this domain introduces important concepts of asset valuation, classification and categorization, and asset handling to apply appropriate protection based on an asset's value. The value of an asset dictates the level of protection it requires, which is often expressed as a security baseline or compliance obligation that the asset owner must meet.

CISSP credential holders will spend a large amount of their time focused on data and information security concerns. The data lifecycle is introduced in this domain to provide distinct phases for determining data security requirements. Protection begins by defining roles and processes for handling data, and once the data is created, these processes must be followed. This includes managing data throughout creation, use, archival, and eventual destruction when no longer needed, and it focuses on data in three main states: in use, in transit, and at rest.

Handling sensitive data for many organizations will involve legal or regulatory obligations to protect specific data types, such as personally identifiable information (PII) or transactional data related to payment cards. Payment card data is regulated by the Payment Card Industry (PCI) Council, and PII often requires protections to comply with regional or local laws like the European Union General Data Protection Regulation (EU GDPR). Both compliance frameworks dictate specific protection obligations an organization must meet when collecting, handling, and using the regulated data.

Security Architecture and Engineering

The Security Architecture and Engineering domain covers topics relevant to implementing and managing security controls across a variety of systems. Secure design principles are introduced that are used to build a security program, such as secure defaults, zero trust, and privacy by design. Common security models are also covered in this domain, which provide an abstract way of viewing a system or environment and allow for identification of security requirements related to the CIANA+PS principles. Specific system types are discussed in detail to highlight the application of security controls in a variety of architectures, including client- and server-based systems, industrial control systems (ICSs), Internet of Things (IoT), and emerging system types like microservices and containerized applications.

This domain presents the foundational details of cryptography and introduces topics covering basic definitions of encryption, hashing, and various cryptographic methods, as well as attacks against cryptography known as cryptanalysis. Applications of cryptography are integrated throughout all domains where relevant, such as the use of encryption in secure network protocols, which is covered in Chapter 4. Physical architecture security including fire suppression and detection, secure facility design, and environmental control is also introduced in this domain.

Communication and Network Security

One major value of modern information systems lies in their ability to share and exchange data, so fundamentals of networking are presented in the Communication and Network Security domain along with details of implementing adequate security protections for these communications. This domain introduces common models used for network services, including the Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models. These layered abstractions provide a method for identifying specific security risks and control capabilities to safeguard data, and the domain presents fundamentals, risks, and countermeasures available at each level of the OSI and TCP/IP models.

Properly securing networks and communications requires strategic planning to ensure proper architectural choices are made and implemented. Concepts of secure network design such as planning and segmentation, availability of hardware, and network access control (NAC) are introduced in this domain. Common network types and their specific security risks are introduced as well, including software-defined networks (SDN), voice networks, and remote access and collaboration technologies.

Identity and Access Management

Controlling access to assets is one of the fundamental goals of security and offers the ability to safeguard all five CIANA+PS security concepts. Properly identifying users and authenticating the access they request can preserve confidentiality and authenticity of information, while properly implemented controls reduce the risk of lost or corrupted data, thereby preserving availability and integrity. Logging the actions taken by identified users or accounts supports nonrepudiation by verifiably demonstrating which user or process performed a particular action.

The Identity and Access Management (IAM) domain introduces important concepts related to identifying subjects and controlling their access to objects. Subjects can be users, processes, or other systems, and objects are typically systems or data that a subject is trying to access. IAM requirements are presented through four fundamental aspects, including identification, authentication, authorization, and accountability (AAA). The domain also presents important concepts for managing identities and access, including federation and the use of third-party identity service providers.

Security Assessment and Testing

It is necessary to evaluate the effectiveness of security controls to determine if they are providing sufficient risk mitigation. Assessment, testing, and auditing are methods presented in this domain that allow a security practitioner to identify deficiencies in the security program and prioritize remedial activities.

Assessment and testing can be performed as an internal or external function; while both are appropriate for monitoring security program status, there are situations that require external evaluations. For instance, third-party audits are common in situations where an assessment must be conducted that is free of any conflict of interest. External audit reports, such as the Service Organization Control or SOC 2, can be useful for organizations to communicate details of their security practices to external parties like vendors or business partners. In this case, the auditor's independence from the audited organization provides additional assurance to consumers of the report.

Ethical penetration testing and related technical testing topics are presented in this domain, including test coverage and breach attack simulations. These types of tests can be conducted against a range of targets from individual information systems to entire organizations and are a valuable tool to identify deficiencies in security controls. The disclosure and handling of any findings from such testing is also discussed, including legal and ethical implications of information that might be discovered.

An ongoing assessment and testing program is also useful for establishing continuous monitoring and supporting compliance needs. Properly designed and implemented strategies for testing security controls, vulnerabilities, and attack simulations measure the effectiveness of the organization's existing control program. Any identified deficiencies must be addressed to ensure adequate risk management.

Security Operations

Security Operations (SecOps) is a companion to the other domains in the CBK, and this chapter deals with implementing, operating, and maintaining infrastructure needed to enable the organization's security program. Security practitioners must first perform a risk assessment and then design and operate security controls spanning technology, people, and process to mitigate those risks. SecOps is a key integration point between security teams and other parts of the organization such as Human Resources (HR) for key tasks like designing job rotations or segregation of duties, or a network engineering team that is responsible for implementing and maintaining firewalls and intrusion detection systems (IDSs).

Logical security aspects of SecOps include running and maintaining a security operations center (SOC), which is becoming an increasingly crucial part of a security program. The SOC centralizes information like threat intelligence, incident response, and security alerts, permitting information sharing, more efficient response, and oversight for the security program and functions. Planning for and exercising crucial business plans like business continuity and disaster recovery (BCDR) are also an important element of SecOps.

SecOps also encompasses important physical security concepts like facility design and environmental controls, which are often completely new concepts for security practitioners who have experience in cybersecurity or information technology (IT). However, the physical security of information systems and the data they contain is an important element of maintaining all aspects of security. In some cases, physical limitations like existing or shared buildings are drivers for additional logical controls to compensate for potential unauthorized physical access.

Software Development Security

Information systems rely on software, so proper security is essential for the tools and processes used to develop software. This includes both custom-built software as well as purchased system components that are integrated into information systems. Cloud computing is changing the paradigm of software development, so this domain also includes security requirements for computing resources that are consumed as a service like software as a service (SaaS), platform as a service (PaaS), and emerging architectures like containerization and microservices.

Software can be both a target for attackers and the attack vector. The increasingly complex software environment makes use of open-source software, prebuilt modules and libraries, and distributed applications to provide greater speed for developers and functionality for users. These business advantages, however, introduce risks like the potential for untrustworthy third-party code to be included in an application or attackers targeting remote access features.

Adequate security in the software development lifecycle (SDLC) requires a combined approach addressing people, process, and technology. This domain revisits the critical personnel security concept of training, with a specific focus on developer security training. Well-documented software development methodologies, guidelines, and procedures are essential process controls covered in the domain. Technology controls encompassing both the software development environment and software security testing are presented, as well as testing approaches for application security (AppSec) including static and dynamic testing.
Security and Risk Management

Domain 1 of the CISSP Common Body of Knowledge (CBK) covers the foundational topics of building and managing a risk-based information security program. This domain covers a wide variety of concepts upon which the remainder of the CBK builds.

Before diving into the heart of security and risk management concepts, this chapter begins with coverage of professional ethics and how they apply in the field of information security. Understanding your responsibilities as a security professional is equally as important as knowing how to apply the security concepts. We then move on to topics related to understanding your organization's mission, strategy, goals, and business objectives, and evaluating how to properly satisfy your organization's business needs securely.

Understanding risk management, and how its concepts apply to information security, is one of the most important things you should take away from this chapter. We describe risk management concepts and explain how to apply them within your organization's security program. In addition, understanding relevant legal, regulatory, and compliance requirements is a critical component of every information security program. Domain 1 includes coverage of concepts such as cybercrimes and data breaches, import/export controls, and requirements for conducting various types of investigations.

This chapter introduces the human element of security and includes coverage of methods for educating your organization's employees on key security concepts. We cover the structure of a security awareness program and discuss how to evaluate the effectiveness of your education and training methods.

UNDERSTAND, ADHERE TO, AND PROMOTE PROFESSIONAL ETHICS

Understanding and following a strict code of ethics should be a top priority for any security professional. As a CISSP (or any information security professional who is certified by (ISC)²), you are required to understand and fully commit to supporting the (ISC)² Code of Ethics. Any (ISC)² member who knowingly violates the (ISC)² Code of Ethics will be subject to peer review and potential penalties, which may include revocation of the member's (ISC)² certification(s).

(ISC)² Code of Professional Ethics

The (ISC)² Code of Ethics Preamble is as follows:

- The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code of Ethics is a condition of certification.

In short, the Code of Ethics Preamble states that every CISSP certified member must not only follow the Code of Ethics but must be visibly seen as following the Code of Ethics. Even the perception of impropriety or ethical deviation may bring into question a member's standing. As such, CISSP certified members must serve as visible ethical leaders within their organizations and industry, at all times.

The (ISC)² Code of Ethics includes four canons that are intended to serve as high-level guidelines to augment, not replace, members' professional judgment. The (ISC)² Code of Ethics Canons are as follows:

- Canon I: Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Canon II: Act honorably, honestly, justly, responsibly, and legally.