
The official (ISC)2 CCSP CBK reference / Arthur Deane, Aaron Kraus.

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Deane, Arthur, author.
Kraus, Aaron, author.
Language:
English
Subjects (All):
Computer networks--Security measures--Examinations--Study guides.
Computer networks.
Electronic data processing personnel--Certification--Study guides.
Electronic data processing personnel.
Computer networks--Security measures--Examinations.
Physical Description:
1 online resource (674 pages)
Edition:
6th ed.
Place of Publication:
Hoboken, New Jersey : John Wiley & Sons, Inc., [2021]
Summary:
The only official, comprehensive reference guide to the CISSP. Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)2 for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)2, the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024. This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:
* Common and good practices for each objective
* Common vocabulary and definitions
* References to widely accepted computing standards
* Highlights of successful approaches through case studies
Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.
Contents:
Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Foreword
Introduction
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
Domain 1 Security and Risk Management
Understand, Adhere to, and Promote Professional Ethics
(ISC)2 Code of Professional Ethics
Organizational Code of Ethics
Understand and Apply Security Concepts
Confidentiality
Integrity
Availability
Evaluate and Apply Security Governance Principles
Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives
Organizational Processes
Organizational Roles and Responsibilities
Security Control Frameworks
Due Care and Due Diligence
Determine Compliance and Other Requirements
Legislative and Regulatory Requirements
Industry Standards and Other Compliance Requirements
Privacy Requirements
Understand Legal and Regulatory Issues That Pertain to Information Security in a Holistic Context
Cybercrimes and Data Breaches
Licensing and Intellectual Property Requirements
Import/Export Controls
Transborder Data Flow
Privacy
Understand Requirements for Investigation Types
Administrative
Criminal
Civil
Regulatory
Industry Standards
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Policies
Standards
Procedures
Guidelines
Identify, Analyze, and Prioritize Business Continuity Requirements
Business Impact Analysis
Develop and Document the Scope and the Plan
Contribute to and Enforce Personnel Security Policies and Procedures
Candidate Screening and Hiring
Employment Agreements and Policies
Onboarding, Transfers, and Termination Processes
Vendor, Consultant, and Contractor Agreements and Controls
Compliance Policy Requirements
Privacy Policy Requirements
Understand and Apply Risk Management Concepts
Identify Threats and Vulnerabilities
Risk Assessment
Risk Response/Treatment
Countermeasure Selection and Implementation
Applicable Types of Controls
Control Assessments
Monitoring and Measurement
Reporting
Continuous Improvement
Risk Frameworks
Understand and Apply Threat Modeling Concepts and Methodologies
Threat Modeling Concepts
Threat Modeling Methodologies
Apply Supply Chain Risk Management Concepts
Risks Associated with Hardware, Software, and Services
Third-Party Assessment and Monitoring
Minimum Security Requirements
Service-Level Requirements
Frameworks
Establish and Maintain a Security Awareness, Education, and Training Program
Methods and Techniques to Present Awareness and Training
Periodic Content Reviews
Program Effectiveness Evaluation
Summary
Domain 2 Asset Security
Identify and Classify Information and Assets
Data Classification and Data Categorization
Asset Classification
Establish Information and Asset Handling Requirements
Marking and Labeling
Handling
Storage
Declassification
Provision Resources Securely
Information and Asset Ownership
Asset Inventory
Asset Management
Manage Data Lifecycle
Data Roles
Data Collection
Data Location
Data Maintenance
Data Retention
Data Destruction
Data Remanence
Ensure Appropriate Asset Retention
Determining Appropriate Records Retention
Records Retention Best Practices
Determine Data Security Controls and Compliance Requirements
Data States
Scoping and Tailoring
Standards Selection
Data Protection Methods
Summary
Domain 3 Security Architecture and Engineering
Research, Implement, and Manage Engineering Processes Using Secure Design Principles
ISO/IEC 19249
Threat Modeling
Secure Defaults
Fail Securely
Separation of Duties
Keep It Simple
Trust, but Verify
Zero Trust
Privacy by Design
Shared Responsibility
Defense in Depth
Understand the Fundamental Concepts of Security Models
Primer on Common Model Components
Information Flow Model
Noninterference Model
Bell-LaPadula Model
Biba Integrity Model
Clark-Wilson Model
Brewer-Nash Model
Take-Grant Model
Select Controls Based Upon Systems Security Requirements
Understand Security Capabilities of Information Systems
Memory Protection
Secure Cryptoprocessor
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
Client-Based Systems
Server-Based Systems
Database Systems
Cryptographic Systems
Industrial Control Systems
Cloud-Based Systems
Distributed Systems
Internet of Things
Microservices
Containerization
Serverless
Embedded Systems
High-Performance Computing Systems
Edge Computing Systems
Virtualized Systems
Select and Determine Cryptographic Solutions
Cryptography Basics
Cryptographic Lifecycle
Cryptographic Methods
Public Key Infrastructure
Key Management Practices
Digital Signatures and Digital Certificates
Nonrepudiation
Understand Methods of Cryptanalytic Attacks
Brute Force
Ciphertext Only
Known Plaintext
Chosen Plaintext Attack
Frequency Analysis
Chosen Ciphertext
Implementation Attacks
Side-Channel Attacks
Fault Injection
Timing Attacks
Man-in-the-Middle
Pass the Hash
Kerberos Exploitation
Ransomware
Apply Security Principles to Site and Facility Design
Design Site and Facility Security Controls
Wiring Closets/Intermediate Distribution Facilities
Server Rooms/Data Centers
Media Storage Facilities
Evidence Storage
Restricted and Work Area Security
Utilities and Heating, Ventilation, and Air Conditioning
Environmental Issues
Fire Prevention, Detection, and Suppression
Domain 4 Communication and Network Security
Assess and Implement Secure Design Principles in Network Architectures
Open System Interconnection and Transmission Control Protocol/Internet Protocol Models
The OSI Reference Model
The TCP/IP Reference Model
Internet Protocol Networking
Secure Protocols
Implications of Multilayer Protocols
Converged Protocols
Microsegmentation
Wireless Networks
Cellular Networks
Content Distribution Networks
Secure Network Components
Operation of Hardware
Repeaters, Concentrators, and Amplifiers
Hubs
Bridges
Switches
Routers
Gateways
Proxies
Transmission Media
Network Access Control
Endpoint Security
Mobile Devices
Implement Secure Communication Channels According to Design
Voice
Multimedia Collaboration
Remote Access
Data Communications
Virtualized Networks
Third-Party Connectivity
Domain 5 Identity and Access Management
Control Physical and Logical Access to Assets
Access Control Definitions
Information
Systems
Devices
Facilities
Applications
Manage Identification and Authentication of People, Devices, and Services
Identity Management Implementation
Single/Multifactor Authentication
Accountability
Session Management
Registration, Proofing, and Establishment of Identity
Federated Identity Management
Credential Management Systems
Single Sign-On
Just-In-Time
Federated Identity with a Third-Party Service
On Premises
Cloud
Hybrid
Implement and Manage Authorization Mechanisms
Role-Based Access Control
Rule-Based Access Control
Mandatory Access Control
Discretionary Access Control
Attribute-Based Access Control
Risk-Based Access Control
Manage the Identity and Access Provisioning Lifecycle
Account Access Review
Account Usage Review
Provisioning and Deprovisioning
Role Definition
Privilege Escalation
Implement Authentication Systems
OpenID Connect/Open Authorization
Security Assertion Markup Language
Kerberos
Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus
Domain 6 Security Assessment and Testing
Design and Validate Assessment, Test, and Audit Strategies
Internal
External
Third-Party
Conduct Security Control Testing
Vulnerability Assessment
Penetration Testing
Log Reviews
Synthetic Transactions
Code Review and Testing
Misuse Case Testing
Test Coverage Analysis
Interface Testing
Breach Attack Simulations
Compliance Checks
Collect Security Process Data
Technical Controls and Processes
Administrative Controls
Account Management
Management Review and Approval
Management Reviews for Compliance
Key Performance and Risk Indicators
Backup Verification Data
Training and Awareness
Disaster Recovery and Business Continuity
Analyze Test Output and Generate Report
Typical Audit Report Contents
Remediation
Exception Handling
Ethical Disclosure
Conduct or Facilitate Security Audits
Designing an Audit Program
Internal Audits
External Audits
Third-Party Audits
Domain 7 Security Operations
Understand and Comply with Investigations
Evidence Collection and Handling
Reporting and Documentation
Investigative Techniques
Digital Forensics Tools, Tactics, and Procedures
Notes:
Description based on print version record.
ISBN:
9781119790006
111979000X
9781119790013
1119790018
OCLC:
1263869385
