Читать книгу (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide - Mike Chapple - Страница 26
Objective Map
ОглавлениеThis book is designed to cover each of the eight CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book consists of 21 chapters. Here is a complete CISSP Exam Outline mapping each objective item to its location in this book's chapters.
We added additional numbering to the bullet-level topic items (i.e., the sub-sub-objectives or sub-objective examples) from the Exam Outline.
| Domain # | Objective | Chapter |
| Domain 1 | Security and Risk Management | |
| 1.1 | Understand, adhere to, and promote professional ethics | 19 |
| 1.1.1 | (ISC)² Code of Professional Ethics | 19 |
| 1.1.2 | Organizational code of ethics | 19 |
| 1.2 | Understand and apply security concepts | 1 |
| 1.2.1 | Confidentiality, integrity, and availability, authenticity and nonrepudiation | 1 |
| 1.3 | Evaluate and apply security governance principles | 1 |
| 1.3.1 | Alignment of security function to business strategy, goals, mission, and objectives | 1 |
| 1.3.2 | Organizational processes (e.g., acquisitions, divestitures, governance committees) | 1 |
| 1.3.3 | Organizational roles and responsibilities | 1 |
| 1.3.4 | Security control frameworks | 1 |
| 1.3.5 | Due care/due diligence | 1 |
| 1.4 | Determine compliance and other requirements | 4 |
| 1.4.1 | Contractual, legal, industry standards, and regulatory requirements | 4 |
| 1.4.2 | Privacy requirements | 4 |
| 1.5 | Understand legal and regulatory issues that pertain to information security in a holistic context | 4 |
| 1.5.1 | Cybercrimes and data breaches | 4 |
| 1.5.2 | Licensing and intellectual property (IP) requirements | 4 |
| 1.5.3 | Import/export controls | 4 |
| 1.5.4 | Transborder data flow | 4 |
| 1.5.5 | Privacy | 4 |
| 1.6 | Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) | 19 |
| 1.7 | Develop, document, and implement security policy, standards, procedures, and guidelines | 1 |
| 1.8 | Identify, analyze, and prioritize Business Continuity (BC) requirements | 3 |
| 1.8.1 | Business Impact Analysis (BIA) | 3 |
| 1.8.2 | Develop and document the scope and the plan | 3 |
| 1.9 | Contribute to and enforce personnel security policies and procedures | 2 |
| 1.9.1 | Candidate screening and hiring | 2 |
| 1.9.2 | Employment agreements and policies | 2 |
| 1.9.3 | Onboarding, transfers, and termination processes | 2 |
| 1.9.4 | Vendor, consultant, and contractor agreements and controls | 2 |
| 1.9.5 | Compliance policy requirements | 2 |
| 1.9.6 | Privacy policy requirements | 2 |
| 1.10 | Understand and apply risk management concepts | 2 |
| 1.10.1 | Identify threats and vulnerabilities | 2 |
| 1.10.2 | Risk assessment/analysis | 2 |
| 1.10.3 | Risk response | 2 |
| 1.10.4 | Countermeasure selection and implementation | 2 |
| 1.10.5 | Applicable types of controls (e.g., preventive, detective, corrective) | 2 |
| 1.10.6 | Control assessments (security and privacy) | 2 |
| 1.10.7 | Monitoring and measurement | 2 |
| 1.10.8 | Reporting | 2 |
| 1.10.9 | Continuous improvement (e.g., Risk maturity modeling) | 2 |
| 1.10.10 | Risk frameworks | 2 |
| 1.11 | Understand and apply threat modeling concepts and methodologies | 1 |
| 1.12 | Apply Supply Chain Risk Management (SCRM) concepts | 1 |
| 1.12.1 | Risks associated with hardware, software, and services | 1 |
| 1.12.2 | Third-party assessment and monitoring | 1 |
| 1.12.3 | Minimum security requirements | 1 |
| 1.12.4 | Service level requirements | 1 |
| 1.13 | Establish and maintain a security awareness, education, and training program | 2 |
| 1.13.1 | Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification) | 2 |
| 1.13.2 | Periodic content reviews | 2 |
| 1.13.3 | Program effectiveness evaluation | 2 |
| Domain 2 | Asset Security | |
| 2.1 | Identify and classify information and assets | 5 |
| 2.1.1 | Data classification | 5 |
| 2.1.2 | Asset Classification | 5 |
| 2.2 | Establish information and asset handling requirements | 5 |
| 2.3 | Provision resources securely | 16 |
| 2.3.1 | Information and asset ownership | 16 |
| 2.3.2 | Asset inventory (e.g., tangible, intangible) | 16 |
| 2.3.3 | Asset management | 16 |
| 2.4 | Manage data lifecycle | 5 |
| 2.4.1 | Data roles (i.e., owners, controllers, custodians, processors, users/subjects) | 5 |
| 2.4.2 | Data collection | 5 |
| 2.4.3 | Data location | 5 |
| 2.4.4 | Data maintenance | 5 |
| 2.4.5 | Data retention | 5 |
| 2.4.6 | Data remanence | 5 |
| 2.4.7 | Data destruction | 5 |
| 2.5 | Ensure appropriate asset retention (e.g., End-of-Life (EOL) End-of-Support (EOS)) | 5 |
| 2.6 | Determine data security controls and compliance requirements | 5 |
| 2.6.1 | Data states (e.g., in use, in transit, at rest) | 5 |
| 2.6.2 | Scoping and tailoring | 5 |
| 2.6.3 | Standards selection | 5 |
| 2.6.4 | Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB)) | 5 |
| Domain 3 | Security Architecture and Engineering | |
| 3.1 | Research, implement and manage engineering processes using secure design principles | 1, 8, 9, 16 |
| 3.1.1 | Threat Modeling | 1 |
| 3.1.2 | Least Privilege | 16 |
| 3.1.3 | Defense in Depth | 1 |
| 3.1.4 | Secure defaults | 8 |
| 3.1.5 | Fail securely | 8 |
| 3.1.6 | Separation of duties (SoD) | 16 |
| 3.1.7 | Keep it simple | 8 |
| 3.1.8 | Zero Trust | 8 |
| 3.1.9 | Privacy by design | 8 |
| 3.1.10 | Trust but verify | 8 |
| 3.1.11 | Shared responsibility | 9 |
| 3.2 | Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) | 8 |
| 3.3 | Select controls based upon systems security requirements | 8 |
| 3.4 | Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) | 8 |
| 3.5 | Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements | 9, 16, 20 |
| 3.5.1 | Client-based systems | 9 |
| 3.5.2 | Server-based systems | 9 |
| 3.5.3 | Database systems | 20 |
| 3.5.4 | Cryptographic systems | 7 |
| 3.5.5 | Industrial Control Systems (ICS) | 9 |
| 3.5.6 | Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) | 16 |
| 3.5.7 | Distributed systems | 9 |
| 3.5.8 | Internet of Things (IoT) | 9 |
| 3.5.9 | Microservices | 9 |
| 3.5.10 | Containerization | 9 |
| 3.5.11 | Serverless | 9 |
| 3.5.12 | Embedded systems | 9 |
| 3.5.13 | High-Performance Computing (HPC) systems | 9 |
| 3.5.14 | Edge computing systems | 9 |
| 3.5.15 | Virtualized systems | 9 |
| 3.6 | Select and determine cryptographic solutions | 6, 7 |
| 3.6.1 | Cryptographic life cycle (e.g., keys, algorithm selection) | 6, 7 |
| 3.6.2 | Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum) | 6, 7 |
| 3.6.3 | Public Key Infrastructure (PKI) | 7 |
| 3.6.4 | Key management practices | 7 |
| 3.6.5 | Digital signatures and digital certificates | 7 |
| 3.6.6 | Non-repudiation | 6, 7 |
| 3.6.7 | Integrity (e.g., hashing) | 6, 7 |
| 3.7 | Understand methods of cryptanalytic attacks | 7, 14, 21 |
| 3.7.1 | Brute force | 7 |
| 3.7.2 | Ciphertext only | 7 |
| 3.7.3 | Known plaintext | 7 |
| 3.7.4 | Frequency analysis | 7 |
| 3.7.5 | Chosen ciphertext | 7 |
| 3.7.6 | Implementation attacks | 7 |
| 3.7.7 | Side-channel | 7 |
| 3.7.8 | Fault injection | 7 |
| 3.7.9 | Timing | 7 |
| 3.7.10 | Man-in-the-Middle (MITM) | 7 |
| 3.7.11 | Pass the hash | 14 |
| 3.7.12 | Kerberos exploitation | 14 |
| 3.7.13 | Ransomware | 21 |
| 3.8 | Apply security principles to site and facility design | 10 |
| 3.9 | Design site and facility security controls | 10 |
| 3.9.1 | Wiring closets/intermediate distribution facilities | 10 |
| 3.9.2 | Server rooms/data centers | 10 |
| 3.9.3 | Media storage facilities | 10 |
| 3.9.4 | Evidence storage | 10 |
| 3.9.5 | Restricted and work area security | 10 |
| 3.9.6 | Utilities and Heating, Ventilation, and Air Conditioning (HVAC) | 10 |
| 3.9.7 | Environmental issues | 10 |
| 3.9.8 | Fire prevention, detection, and suppression | 10 |
| 3.9.9 | Power (e.g., redundant, backup) | 10 |
| Domain 4 | Communication and Network Security | |
| 4.1 | Assess and implement secure design principles in network architectures | 11, 12 |
| 4.1.1 | Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models | 11 |
| 4.1.2 | Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6) | 11, 12 |
| 4.1.3 | Secure protocols | 11 |
| 4.1.4 | Implications of multilayer protocols | 11 |
| 4.1.5 | Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP)) | 11 |
| 4.1.6 | Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN)) | 11 |
| 4.1.7 | Wireless networks (e.g., LiFi, Wi-Fi, Zigbee, satellite) | 11 |
| 4.1.8 | Cellular networks (e.g., 4G, 5G) | 11 |
| 4.1.9 | Content Distribution Networks (CDN) | 11 |
| 4.2 | Secure network components | 11 |
| 4.2.1 | Operation of hardware (e.g., redundant power, warranty, support) | 11 |
| 4.2.2 | Transmission media | 11 |
| 4.2.3 | Network Access Control (NAC) devices | 11 |
| 4.2.4 | Endpoint security | 11 |
| 4.3 | Implement secure communication channels according to design | 12 |
| 4.3.1 | Voice | 12 |
| 4.3.2 | Multimedia collaboration | 12 |
| 4.3.3 | Remote access | 12 |
| 4.3.4 | Data communications | 12 |
| 4.3.5 | Virtualized networks | 12 |
| 4.3.6 | Third-party connectivity | 12 |
| Domain 5 | Identity and Access Management (IAM) | |
| 5.1 | Control physical and logical access to assets | 13 |
| 5.1.1 | Information | 13 |
| 5.1.2 | Systems | 13 |
| 5.1.3 | Devices | 13 |
| 5.1.4 | Facilities | 13 |
| 5.1.5 | Applications | 13 |
| 5.2 | Manage identification and authentication of people, devices, and services | 13 |
| 5.2.1 | Identity Management (IdM) implementation | 13 |
| 5.2.2 | Single/multi-factor authentication (MFA) | 13 |
| 5.2.3 | Accountability | 13 |
| 5.2.4 | Session management | 13 |
| 5.2.5 | Registration, proofing, and establishment of identity | 13 |
| 5.2.6 | Federated Identity Management (FIM) | 13 |
| 5.2.7 | Credential management systems | 13 |
| 5.2.8 | Single Sign On (SSO) | 13 |
| 5.2.9 | Just-In-Time (JIT) | 13 |
| 5.3 | Federated identity with a third-party service | 13 |
| 5.3.1 | On-premise | 13 |
| 5.3.2 | Cloud | 13 |
| 5.3.3 | Hybrid | 13 |
| 5.4 | Implement and manage authorization mechanisms | 14 |
| 5.4.1 | Role Based Access Control (RBAC) | 14 |
| 5.4.2 | Rule based access control | 14 |
| 5.4.3 | Mandatory Access Control (MAC) | 14 |
| 5.4.4 | Discretionary Access Control (DAC) | 14 |
| 5.4.5 | Attribute Based Access Control (ABAC) | 14 |
| 5.4.6 | Risk based access control | 14 |
| 5.5 | Manage the identity and access provisioning lifecycle | 13, 14 |
| 5.5.1 | Account access review (e.g., user, system, service) | 13 |
| 5.5.2 | Provisioning and deprovisioning (e.g., on/off boarding and transfers) | 13 |
| 5.5.3 | Role definition (e.g., people assigned to new roles) | 13 |
| 5.5.4 | Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use) | 14 |
| 5.6 | Implement authentication systems | 14 |
| 5.6.1 | OpenID Connect (OIDC)/Open Authorization (Oauth) | 14 |
| 5.6.2 | Security Assertion Markup Language (SAML) | 14 |
| 5.6.3 | Kerberos | 14 |
| 5.6.4 | Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) | 14 |
| Domain 6 | Security Assessment and Testing | |
| 6.1 | Design and validate assessment, test, and audit strategies | 15 |
| 6.1.1 | Internal | 15 |
| 6.1.2 | External | 15 |
| 6.1.3 | Third-party | 15 |
| 6.2 | Conduct security control testing | 15 |
| 6.2.1 | Vulnerability assessment | 15 |
| 6.2.2 | Penetration testing | 15 |
| 6.2.3 | Log reviews | 15 |
| 6.2.4 | Synthetic transactions | 15 |
| 6.2.5 | Code review and testing | 15 |
| 6.2.6 | Misuse case testing | 15 |
| 6.2.7 | Test coverage analysis | 15 |
| 6.2.8 | Interface testing | 15 |
| 6.2.9 | Breach attack simulations | 15 |
| 6.2.10 | Compliance checks | 15 |
| 6.3 | Collect security process data (e.g., technical and administrative) | 15, 18 |
| 6.3.1 | Account management | 15 |
| 6.3.2 | Management review and approval | 15 |
| 6.3.3 | Key performance and risk indicators | 15 |
| 6.3.4 | Backup verification data | 15 |
| 6.3.5 | Training and awareness | 15, 18 |
| 6.3.6 | Disaster Recovery (DR) and Business Continuity (BC) | 18, 3 |
| 6.4 | Analyze test output and generate report | 15 |
| 6.4.1 | Remediation | 15 |
| 6.4.2 | Exception handling | 15 |
| 6.4.3 | Ethical disclosure | 15 |
| 6.5 | Conduct or facilitate security audits | 15 |
| 6.5.1 | Internal | 15 |
| 6.5.2 | External | 15 |
| 6.5.3 | Third-party | 15 |
| Domain 7 | Security Operations | |
| 7.1 | Understand and comply with investigations | 19 |
| 7.1.1 | Evidence collection and handling | 19 |
| 7.1.2 | Reporting and documentation | 19 |
| 7.1.3 | Investigative techniques | 19 |
| 7.1.4 | Digital forensics tools, tactics, and procedures | 19 |
| 7.1.5 | Artifacts (e.g., computer, network, mobile device) | 19 |
| 7.2 | Conduct logging and monitoring activities | 17, 21 |
| 7.2.1 | Intrusion detection and prevention | 17 |
| 7.2.2 | Security Information and Event Management (SIEM) | 17 |
| 7.2.3 | Continuous monitoring | 17 |
| 7.2.4 | Egress monitoring | 17 |
| 7.2.5 | Log management | 17 |
| 7.2.6 | Threat intelligence (e.g., threat feeds, threat hunting) | 17 |
| 7.2.7 | User and Entity Behavior Analytics (UEBA) | 21 |
| 7.3 | Perform Configuration Management (CM) (e.g., provisioning, baselining, automation) | 16 |
| 7.4 | Apply foundational security operations concepts | 16 |
| 7.4.1 | Need-to-know/least privilege | 16 |
| 7.4.2 | Separation of Duties (SoD) and responsibilities | 16 |
| 7.4.3 | Privileged account management | 16 |
| 7.4.4 | Job rotation | 16 |
| 7.4.5 | Service Level Agreements (SLA) | 16 |
| 7.5 | Apply resource protection | 16 |
| 7.5.1 | Media management | 16 |
| 7.5.2 | Media protection techniques | 16 |
| 7.6 | Conduct incident management | 17 |
| 7.6.1 | Detection | 17 |
| 7.6.2 | Response | 17 |
| 7.6.3 | Mitigation | 17 |
| 7.6.4 | Reporting | 17 |
| 7.6.5 | Recovery | 17 |
| 7.6.6 | Remediation | 17 |
| 7.6.7 | Lessons learned | 17 |
| 7.7 | Operate and maintain detective and preventative measures | 11, 17 |
| 7.7.1 | Firewalls (e.g., next generation, web application, network) | 11 |
| 7.7.2 | Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) | 17 |
| 7.7.3 | Whitelisting/blacklisting | 17 |
| 7.7.4 | Third-party provided security services | 17 |
| 7.7.5 | Sandboxing | 17 |
| 7.7.6 | Honeypots/honeynets | 17 |
| 7.7.7 | Anti-malware | 17 |
| 7.7.8 | Machine learning and Artificial Intelligence (AI) based tools | 17 |
| 7.8 | Implement and support patch and vulnerability management | 16 |
| 7.9 | Understand and participate in change management processes | 16 |
| 7.10 | Implement recovery strategies | 18 |
| 7.10.1 | Backup storage strategies | 18 |
| 7.10.2 | Recovery site strategies | 18 |
| 7.10.3 | Multiple processing sites | 18 |
| 7.10.4 | System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance | 18 |
| 7.11 | Implement Disaster Recovery (DR) processes | 18 |
| 7.11.1 | Response | 18 |
| 7.11.2 | Personnel | 18 |
| 7.11.3 | Communications | 18 |
| 7.11.4 | Assessment | 18 |
| 7.11.5 | Restoration | 18 |
| 7.11.6 | Training and awareness | 18 |
| 7.11.7 | Lessons learned | 18 |
| 7.12 | Test Disaster Recovery Plans (DRP) | 18 |
| 7.12.1 | Read-through/tabletop | 18 |
| 7.12.2 | Walkthrough | 18 |
| 7.12.3 | Simulation | 18 |
| 7.12.4 | Parallel | 18 |
| 7.12.5 | Full interruption | 18 |
| 7.13 | Participate in Business Continuity (BC) planning and exercises | 3 |
| 7.14 | Implement and manage physical security | 10 |
| 7.14.1 | Perimeter security controls | 10 |
| 7.14.2 | Internal security controls | 10 |
| 7.15 | Address personnel safety and security concerns | 16 |
| 7.15.1 | Travel | 16 |
| 7.15.2 | Security training and awareness | 16 |
| 7.15.3 | Emergency management | 16 |
| 7.15.4 | Duress | 16 |
| Domain 8 | Software Development Security | |
| 8.1 | Understand and integrate security in the Software Development Life Cycle (SDLC) | 20 |
| 8.1.1 | Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps) | 20 |
| 8.1.2 | Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM)) | 20 |
| 8.1.3 | Operation and maintenance | 20 |
| 8.1.4 | Change management | 20 |
| 8.1.5 | Integrated Product Team (IPT) | 20 |
| 8.2 | Identify and apply security controls in software development ecosystems | 15, 17, 20, 21 |
| 8.2.1 | Programming languages | 20 |
| 8.2.2 | Libraries | 20 |
| 8.2.3 | Tool sets | 20 |
| 8.2.4 | Integrated Development Environment (IDE) | 20 |
| 8.2.5 | Runtime | 20 |
| 8.2.6 | Continuous Integration and Continuous Delivery (CI/CD) | 20 |
| 8.2.7 | Security Orchestration, Automation, and Response (SOAR) | 17 |
| 8.2.8 | Software Configuration Management (SCM) | 20 |
| 8.2.9 | Code repositories | 20 |
| 8.2.10 | Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)) | 15 |
| 8.3 | Assess the effectiveness of software security | 20 |
| 8.3.1 | Auditing and logging of changes | 20 |
| 8.3.2 | Risk analysis and mitigation | 20 |
| 8.4 | Assess security impact of acquired software | 16, 20 |
| 8.4.1 | Commercial-off-the-shelf (COTS) | 20 |
| 8.4.2 | Open source | 20 |
| 8.4.3 | Third-party | 20 |
| 8.4.4 | Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) | 16 |
| 8.5 | Define and apply secure coding guidelines and standards | 20, 21 |
| 8.5.1 | Security weaknesses and vulnerabilities at the source-code level | 21 |
| 8.5.2 | Security of Application Programming Interfaces (APIs) | 20 |
| 8.5.3 | Secure coding practices | 20 |
| 8.5.4 | Software-defined security | 20 |
