CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide
Table of Contents
Gibson Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide
Acknowledgments
About the Authors
Introduction
Overview of the CISSP Exam
Notes on This Book’s Organization
Assessment Test
Answers to Assessment Test
Chapter 1. Security Governance Through Principles and Policies
Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Apply Security Governance Principles
Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines
Understand and Apply Threat Modeling
Integrate Security Risk Considerations into Acquisition Strategy and Practice
Summary
Exam Essentials
Written Lab
Chapter 2. Personnel Security and Risk Management Concepts
Contribute to Personnel Security Policies
Security Governance
Understand and Apply Risk Management Concepts
Establish and Manage Information Security Education, Training, and Awareness
Manage the Security Function
Summary
Exam Essentials
Written Lab
Chapter 3. Business Continuity Planning
Planning for Business Continuity
Project Scope and Planning
Business Impact Assessment
Continuity Planning
Plan Approval and Implementation
Summary
Exam Essentials
Written Lab
Chapter 4. Laws, Regulations, and Compliance
Categories of Laws
Laws
Compliance
Contracting and Procurement
Summary
Exam Essentials
Written Lab
Chapter 5. Protecting Security of Assets
Classifying and Labeling Assets
Identifying Data Roles
Protecting Privacy
Summary
Exam Essentials
Written Lab
Chapter 6. Cryptography and Symmetric Key Algorithms
Historical Milestones in Cryptography
Cryptographic Basics
Modern Cryptography
Symmetric Cryptography
Cryptographic Life Cycle
Summary
Exam Essentials
Written Lab
Chapter 7. PKI and Cryptographic Applications
Asymmetric Cryptography
Hash Functions
Digital Signatures
Public Key Infrastructure
Asymmetric Key Management
Applied Cryptography
Cryptographic Attacks
Summary
Exam Essentials
Written Lab
Chapter 8. Principles of Security Models, Design, and Capabilities
Implement and Manage Engineering Processes Using Secure Design Principles
Understand the Fundamental Concepts of Security Models
Select Controls and Countermeasures Based on Systems Security Evaluation Models
Understand Security Capabilities of Information Systems
Summary
Exam Essentials
Written Lab
Chapter 9. Security Vulnerabilities, Threats, and Countermeasures
Assess and Mitigate Security Vulnerabilities
Client-Based
Server-Based
Database Security
Distributed Systems
Industrial Control Systems
Assess and Mitigate Vulnerabilities in Web-Based Systems
Assess and Mitigate Vulnerabilities in Mobile Systems
Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems
Essential Security Protection Mechanisms
Common Architecture Flaws and Security Issues
Summary
Exam Essentials
Written Lab
Chapter 10. Physical Security Requirements
Apply Secure Principles to Site and Facility Design
Design and Implement Physical Security
Implement and Manage Physical Security
Summary
Exam Essentials
Written Lab
Chapter 11. Secure Network Architecture and Securing Network Components
OSI Model
TCP/IP Model
Converged Protocols
Wireless Networks
General Wi-Fi Security Procedure
Cabling, Wireless, Topology, and Communications Technology
Summary
Exam Essentials
Written Lab
Chapter 12. Secure Communications and Network Attacks
Network and Protocol Security Mechanisms
Secure Voice Communications
Multimedia Collaboration
Manage Email Security
Remote Access Security Management
Virtual Private Network
Virtualization
Network Address Translation
Switching Technologies
WAN Technologies
Miscellaneous Security Control Characteristics
Security Boundaries
Prevent or Mitigate Network Attacks
Summary
Exam Essentials
Written Lab
Chapter 13. Managing Identity and Authentication
Controlling Access to Assets
Comparing Identification and Authentication
Implementing Identity Management
Managing the Identity and Access Provisioning Life Cycle
Summary
Exam Essentials
Written Lab
Chapter 14. Controlling and Monitoring Access
Comparing Access Control Models
Understanding Access Control Attacks
Summary
Exam Essentials
Written Lab
Chapter 15. Security Assessment and Testing
Building a Security Assessment and Testing Program
Performing Vulnerability Assessments
Testing Your Software
Implementing Security Management Processes
Summary
Exam Essentials
Written Lab
Chapter 16. Managing Security Operations
Applying Security Operations Concepts
Provisioning and Managing Resources
Managing Configuration
Managing Change
Summary
Exam Essentials
Written Lab
Chapter 17. Preventing and Responding to Incidents
Managing Incident Response
Implementing Preventive Measures
Logging, Monitoring, and Auditing
Summary
Exam Essentials
Written Lab
Chapter 18. Disaster Recovery Planning
The Nature of Disaster
Understand System Resilience and Fault Tolerance
Recovery Strategy
Recovery Plan Development
Training, Awareness, and Documentation
Testing and Maintenance
Summary
Exam Essentials
Written Lab
Chapter 19. Incidents and Ethics
Investigations
Major Categories of Computer Crime
Incident Handling
Ethics
Summary
Exam Essentials
Written Lab
Chapter 20. Software Development Security
Introducing Systems Development Controls
Establishing Databases and Data Warehousing
Storing Data and Information
Understanding Knowledge-Based Systems
Summary
Exam Essentials
Written Lab
Chapter 21. Malicious Code and Application Attacks
Malicious Code
Password Attacks
Application Attacks
Web Application Security
Reconnaissance Attacks
Masquerading Attacks
Summary
Exam Essentials
Written Lab
Appendix A. Answers to Review Questions
Chapter 1: Security Governance Through Principles and Policies
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning
Chapter 4: Laws, Regulations, and Compliance
Chapter 5: Protecting Security of Assets
Chapter 6: Cryptography and Symmetric Key Algorithms
Chapter 7: PKI and Cryptographic Applications
Chapter 8: Principles of Security Models, Design, and Capabilities
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
Chapter 10: Physical Security Requirements
Chapter 11: Secure Network Architecture and Securing Network Components
Chapter 12: Secure Communications and Network Attacks
Chapter 13: Managing Identity and Authentication
Chapter 14: Controlling and Monitoring Access
Chapter 15: Security Assessment and Testing
Chapter 16: Managing Security Operations
Chapter 17: Preventing and Responding to Incidents
Chapter 18: Disaster Recovery Planning
Chapter 19: Incidents and Ethics
Chapter 20: Software Development Security
Chapter 21: Malicious Code and Application Attacks
Appendix B. Answers to Written Labs
Chapter 1: Security Governance Through Principles and Policies
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning
Chapter 4: Laws, Regulations, and Compliance
Chapter 5: Protecting Security of Assets
Chapter 6: Cryptography and Symmetric Key Algorithms
Chapter 7: PKI and Cryptographic Applications
Chapter 8: Principles of Security Models, Design, and Capabilities
Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
Chapter 10: Physical Security Requirements
Chapter 11: Secure Network Architecture and Securing Network Components
Chapter 12: Secure Communications and Network Attacks
Chapter 13: Managing Identity and Authentication
Chapter 14: Controlling and Monitoring Access
Chapter 15: Security Assessment and Testing
Chapter 16: Managing Security Operations
Chapter 17: Preventing and Responding to Incidents
Chapter 18: Disaster Recovery Planning
Chapter 19: Incidents and Ethics
Chapter 20: Software Development Security
Chapter 21: Malicious Code and Application Attacks
Comprehensive Online Learning Environment
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Whenever we look toward the future, we have to first look back and think about where we came from. Back in 1989, (ISC)2 was established by a handful of passionate volunteers who wanted to create a set of standards for a new concept, not yet a full-fledged career field, called information security. In the minds of those volunteers, having the initial 500 applicants sign up to take the Certified Information Systems Security Professional (CISSP®) exam was considered quite a success. Little did they imagine that 26 years later, not only would those 500 applicants grow to a cadre of 100,000 CISSP credential holders across more than 160 countries, but the CISSP would also become recognized as the standard certification for the information security industry.
Advancements in technology bring about the need for updates, and we work tirelessly to ensure that our content is always relevant to the industry. As the information security industry continues to transition, and cybersecurity becomes a global focus, the CISSP Common Body of Knowledge (CBK) is even more relevant to today's challenges.
.....
Data Owner The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. The data owner is typically a high-level manager who is ultimately responsible for data protection. However, the data owner usually delegates the responsibility of the actual data management tasks to a data custodian.
Data Custodian The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. The data custodian performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification.
.....