CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide - Gibson Darril - Page 21
Chapter 2
Personnel Security and Risk Management Concepts
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
✓ Domain 1: Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
■ H. Contribute to personnel security policies
■ H.1 Employment candidate screening (e.g., reference checks, education verification)
■ H.2 Employment agreements and policies
■ H.3 Employment termination processes
■ H.4 Vendor, consultant, and contractor controls
■ H.5 Compliance
■ H.6 Privacy
■ I. Understand and apply risk management concepts
■ I.1 Identify threats and vulnerabilities
■ I.2 Risk assessment/analysis (qualitative, quantitative, hybrid)
■ I.3 Risk assignment/acceptance (e.g., system authorization)
■ I.4 Countermeasure selection
■ I.5 Implementation
■ I.6 Types of controls (preventive, detective, corrective, etc.)
■ I.7 Control assessment
■ I.8 Monitoring and measurement
■ I.9 Asset valuation
■ I.10 Reporting
■ I.11 Continuous improvement
■ I.12 Risk frameworks
■ L. Establish and manage information security education, training, and awareness
■ L.1 Appropriate levels of awareness, training, and education required within organization
■ L.2 Periodic reviews for content relevancy
✓ Domain 6: Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
■ C.5 Training and awareness
The Security and Risk Management domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with many of the foundational elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms.
Additional elements of this domain are discussed in various chapters: Chapter 1, “Security Governance Through Principles and Policies”; Chapter 3, “Business Continuity Planning”; and Chapter 4, “Laws, Regulations, and Compliance”. Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.
Because of the complexity and importance of hardware and software controls, security management for employees is often overlooked in overall security planning. This chapter explores the human side of security, from establishing secure hiring practices and job descriptions to developing an employee infrastructure. Additionally, we look at how employee training, management, and termination practices are considered an integral part of creating a secure environment. Finally, we examine how to assess and manage security risks.