If you're a security professional seeking your CISSP certification, this book is a perfect way to prepare for the exam. Covering all eight domains in detail, the expert advice inside gives you the key information you'll need to pass the exam. Plus, you'll get tips on setting up a 60-day study plan, tips for exam day, and access to an online test bank of questions.
CISSP For Dummies is fully updated and reorganized to reflect upcoming changes (ISC)2 has made to the Common Body of Knowledge. Complete with access to an online test bank, this book is the secret weapon you need to pass the exam and gain certification.
Get key information for all eight exam domains
Find test-taking and exam-day tips and tricks
Benefit from access to free online practice questions and flash cards
Prepare for the CISSP certification in 2018 and beyond
You've put in the time as a security professional, and now you can reach your long-term goal of CISSP certification.
Lawrence Miller, CISSP, is a security consultant with experience in consulting, defense, legal, nonprofit, retail, and telecommunications. Peter Gregory, CISSP, is a CISO and an executive security advisor with experience in SaaS, retail, telecommunications, nonprofit, legalized gaming, manufacturing, consulting, healthcare, and local government.
Table of Contents
Introduction
  About This Book
  Foolish Assumptions
  Icons Used in This Book
  Beyond the Book
  Where to Go from Here
Part 1: Getting Started with CISSP Certification
  Chapter 1: (ISC)2 and the CISSP Certification
    About (ISC)2 and the CISSP Certification
    You Must Be This Tall to Ride This Ride (and Other Requirements)
    Preparing for the Exam
      Studying on your own
      Getting hands-on experience
      Getting official (ISC)2 CISSP training
      Attending other training courses or study groups
      Take the practice exam
      Are you ready for the exam?
    Registering for the Exam
    About the CISSP Examination
    After the Examination
  Chapter 2: Putting Your Certification to Good Use
    Networking with Other Security Professionals
    Being an Active (ISC)2 Member
    Considering (ISC)2 Volunteer Opportunities
      Writing certification exam questions
      Speaking at events
      Helping at (ISC)2 conferences
      Read and contribute to (ISC)2 publications
      Support the (ISC)2 Center for Cyber Safety and Education
      Participating in (ISC)2 focus groups
      Join the (ISC)2 Community
      Get involved with a CISSP study group
      Help others learn more about data security
    Becoming an Active Member of Your Local Security Chapter
    Spreading the Good Word about CISSP Certification
      Wear the colors proudly
      Lead by example
    Using Your CISSP Certification to Be an Agent of Change
    Earning Other Certifications
      Other (ISC)2 certifications
      CISSP concentrations
      Non-(ISC)2 certifications
      Choosing the right certifications
      Find a mentor, be a mentor
    Pursue Security Excellence
Part 2: Certification Domains
  Chapter 3: Security and Risk Management
    Apply Security Governance Principles
      Alignment of security function to business strategy, goals, mission, and objectives
      Organizational processes (security executive oversight)
      Security roles and responsibilities
      Control frameworks
      Due care
      Due diligence
    Understand and Apply Concepts of Confidentiality, Integrity, and Availability
      Confidentiality
      Integrity
      Availability
    Compliance
      Legislative and regulatory compliance
      Privacy requirements compliance
    Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context
      Computer crimes
      Licensing and intellectual property
      Import/export controls
      Trans-border data flow
      Privacy
      Data breaches
    Understand Professional Ethics
      Exercise the (ISC)2 Code of Professional Ethics
      Support your organization's code of ethics
    Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines
      Policies
      Standards (and baselines)
      Procedures
      Guidelines
    Understand Business Continuity Requirements
      Develop and document project scope and plan
      Conduct Business Impact Analysis
      Developing the Business Continuity Plan
      Implementing the BCP
    Contribute to Personnel Security Policies
      Employment candidate screening
      Employment agreements and policies
      Employment termination processes
      Vendor, consultant, and contractor controls
      Compliance
      Privacy
    Understand and Apply Risk Management Concepts
      Identify threats and vulnerabilities
      Risk assessment/analysis (treatment)
      Risk treatment
      Countermeasure selection
      Implementation
      Types of controls
      Control assessment
      Monitoring and measurement
      Asset valuation
      Reporting
      Continuous improvement
      Risk frameworks
    Understand and Apply Threat Modeling
      Identifying threats
      Determining and diagramming potential attacks
      Performing reduction analysis
      Technologies and processes to remediate threats
    Integrate Security Risk Considerations into Supply Chain Management, Mergers, and Acquisitions
      Hardware, software, and services
      Third-party assessment and monitoring
      Minimum security requirements
      Service-level requirements
    Establish and Manage Information Security Education, Training, and Awareness
      Appropriate levels of awareness, training and education required within organization
      Measuring the effectiveness of security training
      Periodic reviews for content relevancy
  Chapter 4: Asset Security
    Classify Information and Supporting Assets
      Commercial data classification
      Government data classification
    Determine and Maintain Ownership
    Protect Privacy
    Ensure Appropriate Retention
    Determine Data Security Controls
      Baselines
      Scoping and tailoring
      Standards selection
      Cryptography
    Establish Handling Requirements
  Chapter 5: Security Architecture and Engineering
    Implement and Manage Engineering Processes Using Secure Design Principles
    Understand the Fundamental Concepts of Security Models
      Confidentiality
      Integrity
      Availability
      Access control models
    Select Controls Based upon Systems Security Requirements
      Evaluation criteria
      System certification and accreditation
      Security controls and countermeasures
    Understand Security Capabilities of Information Systems
      Computer architecture
      Trusted Computing Base (TCB)
      Trusted Platform Module (TPM)
      Secure modes of operation
      Open and closed systems
      Protection rings
      Security modes
      Recovery procedures
      Vulnerabilities in security architectures
    Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
      Client-based systems
      Server-based systems
      Database systems
      Large-scale parallel data systems
      Distributed systems
      Cryptographic systems
      Industrial control systems
      Cloud-based systems
      Internet of Things
    Assess and Mitigate Vulnerabilities in Web-Based Systems
    Assess and Mitigate Vulnerabilities in Mobile Systems
    Assess and Mitigate Vulnerabilities in Embedded Devices
    Apply Cryptography
      Cryptographic lifecycle
      Plaintext and ciphertext
      Encryption and decryption
      Cryptography alternatives
      Not quite the metric system: Symmetric and asymmetric key systems
      Message authentication
      Public Key Infrastructure (PKI)
      Key management functions
      Key escrow and key recovery
      Methods of attack
    Apply Security Principles to Site and Facility Design
      Choosing a secure location
      Designing a secure facility
    Implement Site and Facility Security Controls
      Wiring closets, server rooms, media storage facilities, and evidence storage
      Restricted and work area security
      Utilities and HVAC considerations
      Water issues
      Fire prevention, detection, and suppression
  Chapter 6: Communication and Network Security
    Implement Secure Design Principles in Network Architectures
      OSI and TCP/IP models
      Cryptography used to maintain communication security
    Secure Network Components
      Operation of hardware
      Transmission media
      Network access control devices
      Endpoint security
      Content distribution networks
      Physical devices
    Design and Establish Secure Communication Channels
      Voice
      Email
      Web
      Facsimile
      Multimedia collaboration
      Remote access
      Data communications
      Virtualized networks
      Virtualization
    Prevent or Mitigate Network Attacks
      Bluejacking and bluesnarfing
      ICMP flood
      Smurf
      Fraggle
      DNS Server Attacks
      Man-in-the-Middle
      Session hijacking (spoofing)
      Session hijacking (session token interception)
      SYN flood
      Teardrop
      UDP flood
      Eavesdropping
  Chapter 7: Identity and Access Management
    Control Physical and Logical Access to Assets
      Information
      Systems and devices
      Facilities
      Life safety
    Manage Identification and Authentication of People, Devices, and Services
      Identity management implementation
      Single/multi-factor authentication
      Accountability
      Session management
      Registration and proofing of identity
      Federated identity management
      Credential management systems
    Integrate Identity-as-a-Service
    Integrate Third-Party Identity Services
    Implement and Manage Authorization Mechanisms
      Access control techniques
    Prevent or Mitigate Access Control Attacks
    Manage the Identity and Access Provisioning Lifecycle
  Chapter 8: Security Assessment and Testing
    Design and Validate Assessment and Test Strategies
    Conduct Security Control Testing
      Vulnerability assessments
      Penetration testing
      Log reviews
      Synthetic transactions
      Code review and testing
      Misuse case testing
      Test coverage analysis
      Interface testing
    Collect Security Process Data
      Account management
      Management review
      Key performance and risk indicators
      Backup verification data
      Training and awareness
      Disaster recovery and business continuity
    Analyze Test Output and Generate Reports
    Conduct or Facilitate Security Audits
  Chapter 9: Security Operations
    Understand and Support Investigations
      Evidence collection and handling
      Reporting and documentation
      Investigative techniques
      Digital forensics tools, tactics, and procedures
    Understand Requirements for Investigation Types
    Conduct Logging and Monitoring Activities
      Intrusion detection and prevention
      Security information and event management
      Continuous monitoring
      Egress monitoring
    Securely Provisioning Resources
    Understand and Apply Foundational Security Operations Concepts
      Need-to-know and least privilege
      Separation of duties and responsibilities
      Privileged account management
      Job rotation
      Information lifecycle
      Service-level agreements
    Apply Resource Protection Techniques
      Media management
      Hardware and software asset management
    Conduct Incident Management
    Operate and Maintain Detective and Preventive Measures
    Implement and Support Patch and Vulnerability Management
    Understand and Participate in Change Management Processes
    Implement Recovery Strategies
      Backup storage strategies
      Recovery site strategies
      Multiple processing sites
      System resilience, high availability, quality of service, and fault tolerance
    Implement Disaster Recovery (DR) Processes
      Response
      Personnel
      Communications
      Assessment
      Restoration
      Training and awareness
    Test Disaster Recovery Plans
      Read-through
      Walkthrough or tabletop
      Simulation
      Parallel
      Full interruption (or cutover)
    Participate in Business Continuity (BC) Planning and Exercises
    Implement and Manage Physical Security
    Address Personnel Safety and Security Concerns
  Chapter 10: Software Development Security
    Understand and Integrate Security in the Software Development Lifecycle
      Development methodologies
      Maturity models
      Operation and maintenance
      Change management
      Integrated product team
    Identify and Apply Security Controls in Development Environments
      Security of the software environments
      Configuration management as an aspect of secure coding
      Security of code repositories
    Assess the Effectiveness of Software Security
      Auditing and logging of changes
      Risk analysis and mitigation
      Acceptance testing
    Assess Security Impact of Acquired Software
    Define and Apply Secure Coding Guidelines and Standards
      Security weaknesses and vulnerabilities at the source-code level
      Security of application programming interfaces
      Secure coding practices
Part 3: The Part of Tens
  Chapter 11: Ten Test-Planning Tips
    Know Your Learning Style
    Get a Networking Certification First
    Register Now!
    Make a 60-Day Study Plan
    Get Organized and Read!
    Join a Study Group
    Take Practice Exams
    Take a CISSP Training Seminar
    Adopt an Exam-Taking Strategy
    Take a Breather
  Chapter 12: Ten Test-Day Tips
    Get a Good Night's Rest
    Dress Comfortably
    Eat a Good Meal
    Arrive Early
    Bring a Photo ID
    Bring Snacks and Drinks
    Bring Prescription and Over-the-Counter Medications
    Leave Your Mobile Devices Behind
    Take Frequent Breaks
    Guess - as a Last Resort
Glossary
Index
CISSP For Dummies by Lawrence C. Miller
John Wiley & Sons Inc