Foreword xv
Introduction 1
About This Book 2
How This Book Is Organized 2
Icons Used in This Book 3
Beyond the Book 4
Getting Started 4
Part I: Getting Started With CISSP Certification 5
Chapter 1: (ISC)2 and the CISSP Certification 7
About (ISC)2 and the CISSP Certification 7
You Must Be This Tall to Ride This Ride (and Other Requirements) 8
Preparing for the Exam 9
Studying on your own 10
Getting hands on experience 11
Attending an (ISC)2 CISSP CBK Review or Live OnLine Seminar 11
Attending other training courses or study groups 12
Take the testing tutorial and practice exam 12
Are you ready for the exam? 13
Registering for the Exam 13
About the CISSP Examination 14
After the Examination 16
Chapter 2: Putting Your Certification to Good Use 19
Being an Active (ISC)2 Member 19
Considering (ISC)2 Volunteer Opportunities 20
Writing certification exam questions 20
Speaking at events 20
Read and contribute to (ISC)2 publications 21
Support the (ISC)2 Center for Cyber Safety and Education 21
Participating in (ISC)2 focus groups 22
Get involved with a CISSP study group 22
Help others learn more about data security 22
Becoming an Active Member of Your Local Security Chapter 23
Spreading the Good Word about CISSP Certification 24
Promoting other certifications 25
Wear the colors proudly 25
Lead by example 25
Using Your CISSP Certification to Be an Agent of Change 26
Earning Other Certifications 26
Other (ISC)2 certifications 27
CISSP concentrations 27
Non (ISC)2 certifications 28
Choosing the right certifications 31
Pursue Security Excellence 32
Part II: Certification Domains 33
Chapter 3: Security and Risk Management 35
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 35
Confidentiality 36
Integrity 37
Availability 37
Apply Security Governance Principles 37
Alignment of security function to business strategy, goals, mission and objectives 38
Organizational processes (security executive oversight) 39
Security roles and responsibilities 40
Control frameworks 41
Due care 43
Due diligence 44
Compliance 44
Legislative and regulatory compliance 44
Privacy requirements compliance 49
Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context 49
Computer crimes 50
Licensing and intellectual property 60
Import/export controls 63
Trans border data flow 63
Privacy 63
Data breaches 69
Understand Professional Ethics 70
Exercise the (ISC)2 Code of Professional Ethics 71
Support your organization s code of ethics 72
Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines 73
Policies 74
Standards (and baselines) 75
Procedures 75
Guidelines 75
Understand Business Continuity Requirements 76
Develop and document project scope and plan 78
Conduct Business Impact Analysis 86
Developing the Business Continuity Plan 93
Implementing the BCP 96
Contribute to Personnel Security Policies 98
Employment candidate screening 98
Employment agreements and policies 100
Employment termination processes 101
Vendor, consultant and contractor controls 101
Compliance 102
Privacy 102
Understand and Apply Risk Management Concepts 102
Identify threats and vulnerabilities 103
Risk assessment/analysis (treatment) 103
Risk assignment/acceptance 108
Countermeasure selection 108
Implementation 110
Types of controls 110
Control assessment 112
Monitoring and measurement 114
Asset valuation 114
Reporting 115
Continuous improvement 115
Risk frameworks 116
Understand and Apply Threat Modeling 117
Identifying threats 117
Determining and diagramming potential attacks 118
Performing reduction analysis 119
Technologies and processes to remediate threats 119
Integrate Security Risk Considerations into Acquisition
Strategy and Practice 120
Hardware, software, and services 121
Third party assessment and monitoring 121
Minimum security requirements 121
Service level requirements 122
Establish and Manage Information Security Education,
Training, and Awareness 122
Appropriate levels of awareness, training and
education required within organization 122
Periodic reviews for content relevancy 124
Chapter 4: Asset Security 125
Classify Information and Supporting Assets 125
Commercial data classification 126
Government data classification 126
Determine and Maintain Ownership 128
Protect Privacy 129
Ensure Appropriate Retention 131
Determine Data Security Controls 132
Baselines 133
Scoping and tailoring 134
Standards selection 134
Cryptography 135
Establish Handling Requirements 135
Chapter 5: Security Engineering 137
Implement and Manage Engineering Processes Using
Secure Design Principles 137
Understand the Fundamental Concepts of Security Models 139
Confidentiality 139
Integrity 140
Availability 140
Access control models 141
Select Controls and Countermeasures based upon Systems Security Evaluation Models 144
Evaluation criteria 144
System certification and accreditation 149
Security controls and countermeasures 151
Understand Security Capabilities of Information Systems 154
Computer architecture 154
Trusted Computing Base (TCB) 161
Trusted Platform Module (TPM) 161
Secure modes of operation 162
Open and closed systems 163
Protection rings 163
Security modes 163
Recovery procedures 164
Vulnerabilities in security architectures 165
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 166
Client based 166
Server based 167
Database security 167
Large scale parallel data systems 168
Distributed systems 168
Cryptographic systems 169
Industrial control systems 170
Assess and Mitigate Vulnerabilities in Web Based Systems 171
Assess and Mitigate Vulnerabilities in Mobile Systems 172
Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber Physical Systems 173
Apply Cryptography 174
Cryptographic Life Cycle 176
Plaintext and ciphertext 177
Encryption and decryption 177
Cryptography alternatives 183
Not quite the metric system: Symmetric and asymmetric key systems 184
Message authentication 193
Public Key Infrastructure (PKI) 196
Key management functions 197
Key escrow and key recovery 198
Methods of attack 198
Apply Secure Principles to Site and Facility Design 201
Choosing a secure location 202
Designing a secure facility 203
Design and Implement Physical Security 205
Wiring closets, server rooms, media storage
facilities, and evidence storage 206
Restricted and work area security 207
Utilities and HVAC considerations 207
Water issues 211
Fire prevention, detection and suppression 211
Chapter 6: Communication and Network Security 215
Apply Secure Design Principles to Network Architecture 215
OSI and TCP/IP models 219
Cryptography used to maintain communication security 251
Secure Network Components 251
Operation of hardware 252
Transmission media 252
Network access control devices 254
Endpoint security 262
Content distribution networks 264
Physical devices 265
Design and Establish Secure Communication Channels 265
Voice 266
Email 266
Web 270
Facsimile 271
Multimedia collaboration 272
Remote access 272
Data communications 277
Virtualized networks 277
Prevent or Mitigate Network Attacks 279
Bluejacking and bluesnarfing 279
Fraggle 279
Smurf 279
DNS Server Attacks 280
Man in the Middle 280
ICMP flood 280
Session hijacking (spoofing) 280
Session hijacking (session token interception) 280
SYN flood 281
Teardrop 281
UDP flood 281
Chapter 7: Identity and Access Management 283
Control Physical and Logical Access to Assets 284
Information 284
Systems and devices 284
Facilities 285
Manage Identification and Authentication of People and Devices 285
Identity management implementation 286
Single/multi factor authentication 295
Accountability 309
Session management 309
Registration and proofing of identity 310
Federated identity management 311
Credential management systems 312
Integrate Identity as a Service 312
Integrate Third Party Identity Services 314
Implement and Manage Authorization Mechanisms 314
Access control techniques 314
Prevent or Mitigate Access Control Attacks 318
Manage the Identity and Access Provisioning Lifecycle 320
Chapter 8: Security Assessment and Testing 323
Design and Validate Assessment and Test Strategies 323
Conduct Security Control Testing 324
Vulnerability assessment 324
Penetration testing 324
Log reviews 326
Synthetic transactions 328
Code review and testing 328
Misuse case testing 329
Test coverage analysis 329
Interface testing 329
Collect Security Process Data 330
Account management 330
Management review 331
Key performance and risk indicators 331
Backup verification data 331
Training and awareness 332
Disaster recovery and business continuity 332
Analyze and Report Test Outputs 332
Conduct or Facilitate Internal and Third Party Audits 332
Chapter 9: Security Operations 335
Understand and Support Investigations 335
Evidence collection and handling 335
Reporting and documenting 342
Investigative techniques 342
Digital forensics 344
Understand Requirements for Investigation Types 345
Conduct Logging and Monitoring Activities 346
Intrusion detection and prevention 347
Security information and event management 348
Continuous monitoring 348
Egress monitoring 349
Secure the Provisioning of Resources 349
Understand and Apply Foundational Security Operations Concepts 351
Need to know and least privilege 351
Separation of duties and responsibilities 352
Monitor special privileges 353
Job rotation 355
Information lifecycle 356
Service level agreements 357
Employ Resource Protection Techniques 359
Media management 359
Hardware and software asset management 361
Conduct Incident Management 361
Operate and Maintain Preventative Measures 363
Implement and Support Patch and Vulnerability Management 364
Participate in and Understand Change Management Processes 365
Implement Recovery Strategies 366
Backup storage strategies 366
Recovery site strategies 366
Multiple processing sites 367
System resilience, high availability, and fault tolerance 367
Quality of Service (QoS) 367
Implement Disaster Recovery Processes 368
Response 372
Personnel 373
Communications 374
Assessment 375
Restoration 375
Training and awareness 376
Test Disaster Recovery Plans 376
Read through 376
Walkthrough 377
Simulation 377
Parallel 378
Full interruption (or cutover) 379
Participate in Business Continuity Planning and Exercises 379
Implement and Manage Physical Security 380
Participate in Addressing Personnel Safety Concerns 380
Chapter 10: Software Development Security 381
Understand and Apply Security in the Software Development Lifecycle 381
Development methodologies 382
Maturity models 388
Operation and maintenance 389
Change management 390
Integrated product team 391
Enforce Security Controls in Development Environments 392
Security of the software environments 392
Configuration management as an aspect of secure coding 394
Security of code repositories 395
Security of application programming interfaces 395
Assess the Effectiveness of Software Security 396
Auditing and logging of changes 397
Risk analysis and mitigation 397
Acceptance testing 398
Assess Security Impact of Acquired Software 399
Part III: The Part of Tens 401
Chapter 11: Ten (Okay, Nine) Test-Planning Tips 403
Know Your Learning Style 403
Get a Networking Certification First 403
Register NOW! 404
Make a 60 Day Study Plan 404
Get Organized and READ! 405
Join a Study Group 405
Take Practice Exams 406
Take a CISSP Review Seminar 406
Take a Breather 406
Chapter 12: Ten Test Day Tips 407
Get a Good Night s Rest 407
Dress Comfortably 407
Eat a Good Breakfast 407
Arrive Early 408
Bring a Photo ID 408
Bring Snacks and Drinks 408
Bring Prescription and Over the Counter Medications 408
Leave Your Electronic Devices Behind 409
Take Frequent Breaks 409
Guess as a Last Resort 409
Glossary 411
Index 455
