CISSP For Dummies, 6th Edition
John Wiley & Sons Inc (Publisher)
978-1-119-50581-5 (ISBN)
- Title is being published in a new edition
If you’re a security professional seeking your CISSP certification, this book is a perfect way to prepare for the exam. Covering in detail all eight domains, the expert advice inside gives you the key information you'll need to pass the exam. Plus, you'll get tips on setting up a 60-day study plan, tips for exam day, and access to an online test bank of questions.
CISSP For Dummies is fully updated and reorganized to reflect upcoming changes (ISC)2 has made to the Common Body of Knowledge. Complete with access to an online test bank, this book is the secret weapon you need to pass the exam and gain certification.
Get key information for all eight exam domains
Find test-taking and exam-day tips and tricks
Benefit from access to free online practice questions and flash cards
Prepare for the CISSP certification in 2018 and beyond
You’ve put in the time as a security professional—and now you can reach your long-term goal of CISSP certification.
Lawrence Miller, CISSP, is a security consultant with experience in consulting, defense, legal, nonprofit, retail, and telecommunications. Peter Gregory, CISSP, is a CISO and an executive security advisor with experience in SaaS, retail, telecommunications, nonprofit, legalized gaming, manufacturing, consulting, healthcare, and local government.
Introduction 1
About This Book 2
Foolish Assumptions 3
Icons Used in This Book 4
Beyond the Book 4
Where to Go from Here 5
Part 1: Getting Started with Cissp Certification 7
Chapter 1: (ISC)2 and the CISSP Certification 9
About (ISC)2 and the CISSP Certification 9
You Must Be This Tall to Ride This Ride (and Other Requirements) 10
Preparing for the Exam 12
Studying on your own 12
Getting hands-on experience 13
Getting official (ISC)2 CISSP training 14
Attending other training courses or study groups 14
Take the practice exam 15
Are you ready for the exam? 15
Registering for the Exam 16
About the CISSP Examination 17
After the Examination 20
Chapter 2: Putting Your Certification to Good Use 23
Networking with Other Security Professionals 24
Being an Active (ISC)2 Member 25
Considering (ISC)2 Volunteer Opportunities 26
Writing certification exam questions 26
Speaking at events 26
Helping at (ISC)2 conferences 27
Read and contribute to (ISC)2 publications 27
Support the (ISC)2 Center for Cyber Safety and Education 27
Participating in (ISC)2 focus groups 28
Join the (ISC)2 Community 28
Get involved with a CISSP study group 28
Help others learn more about data security 28
Becoming an Active Member of Your Local Security Chapter 29
Spreading the Good Word about CISSP Certification 30
Wear the colors proudly 31
Lead by example 31
Using Your CISSP Certification to Be an Agent of Change 32
Earning Other Certifications 32
Other (ISC)2 certifications 33
CISSP concentrations 33
Non-(ISC)2 certifications 34
Choosing the right certifications 37
Find a mentor, be a mentor 38
Pursue Security Excellence 38
Part 2: Certification Domains 41
Chapter 3: Security and Risk Management 43
Apply Security Governance Principles 44
Alignment of security function to business strategy, goals, mission, and objectives 44
Organizational processes (security executive oversight) 45
Security roles and responsibilities 46
Control frameworks 48
Due care 50
Due diligence 50
Understand and Apply Concepts of Confidentiality, Integrity, and Availability 51
Confidentiality 51
Integrity 52
Availability 52
Compliance 53
Legislative and regulatory compliance 53
Privacy requirements compliance 57
Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context 58
Computer crimes 58
Licensing and intellectual property 72
Import/export controls 74
Trans-border data flow 75
Privacy 75
Data breaches 80
Understand Professional Ethics 82
Exercise the (ISC)2 Code of Professional Ethics 83
Support your organization’s code of ethics 83
Develop and Implement Documented Security Policies, Standards, Procedures, and Guidelines 85
Policies 86
Standards (and baselines) 87
Procedures 87
Guidelines 87
Understand Business Continuity Requirements 87
Develop and document project scope and plan 90
Conduct Business Impact Analysis 98
Developing the Business Continuity Plan 106
Implementing the BCP 110
Contribute to Personnel Security Policies 111
Employment candidate screening 112
Employment agreements and policies 114
Employment termination processes 115
Vendor, consultant, and contractor controls 115
Compliance 115
Privacy 116
Understand and Apply Risk Management Concepts 116
Identify threats and vulnerabilities 116
Risk assessment/analysis (treatment) 117
Risk treatment 122
Countermeasure selection 123
Implementation 124
Types of controls 125
Control assessment 127
Monitoring and measurement 129
Asset valuation 129
Reporting 130
Continuous improvement 130
Risk frameworks 131
Understand and Apply Threat Modeling 132
Identifying threats 133
Determining and diagramming potential attacks 134
Performing reduction analysis 135
Technologies and processes to remediate threats 135
Integrate Security Risk Considerations into Supply Chain Management, Mergers, and Acquisitions 136
Hardware, software, and services 137
Third-party assessment and monitoring 137
Minimum security requirements 137
Service-level requirements 137
Establish and Manage Information Security Education, Training, and Awareness 138
Appropriate levels of awareness, training and education required within organization 138
Measuring the effectiveness of security training 140
Periodic reviews for content relevancy 141
Chapter 4: Asset Security 143
Classify Information and Supporting Assets 143
Commercial data classification 144
Government data classification 145
Determine and Maintain Ownership 146
Protect Privacy 148
Ensure Appropriate Retention 150
Determine Data Security Controls 151
Baselines 152
Scoping and tailoring 152
Standards selection 153
Cryptography 153
Establish Handling Requirements 154
Chapter 5: Security Architecture and Engineering 155
Implement and Manage Engineering Processes Using Secure Design Principles 155
Understand the Fundamental Concepts of Security Models 157
Confidentiality 158
Integrity 158
Availability 159
Access control models 160
Select Controls Based upon Systems Security Requirements 162
Evaluation criteria 163
System certification and accreditation 167
Security controls and countermeasures 169
Understand Security Capabilities of Information Systems 173
Computer architecture 173
Trusted Computing Base (TCB) 180
Trusted Platform Module (TPM) 181
Secure modes of operation 181
Open and closed systems 182
Protection rings 183
Security modes 183
Recovery procedures 184
Vulnerabilities in security architectures 184
Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements 185
Client-based systems 185
Server-based systems 186
Database systems 187
Large-scale parallel data systems 187
Distributed systems 188
Cryptographic systems 189
Industrial control systems 189
Cloud-based systems 190
Internet of Things 192
Assess and Mitigate Vulnerabilities in Web-Based Systems 193
Assess and Mitigate Vulnerabilities in Mobile Systems 194
Assess and Mitigate Vulnerabilities in Embedded Devices 195
Apply Cryptography 196
Cryptographic lifecycle 198
Plaintext and ciphertext 199
Encryption and decryption 199
Cryptography alternatives 205
Not quite the metric system: Symmetric and asymmetric key systems 206
Message authentication 216
Public Key Infrastructure (PKI) 219
Key management functions 220
Key escrow and key recovery 221
Methods of attack 221
Apply Security Principles to Site and Facility Design 224
Choosing a secure location 226
Designing a secure facility 226
Implement Site and Facility Security Controls 229
Wiring closets, server rooms, media storage facilities, and evidence storage 229
Restricted and work area security 230
Utilities and HVAC considerations 231
Water issues 234
Fire prevention, detection, and suppression 234
Chapter 6: Communication and Network Security 239
Implement Secure Design Principles in Network Architectures 239
OSI and TCP/IP models 241
Cryptography used to maintain communication security 279
Secure Network Components 280
Operation of hardware 280
Transmission media 280
Network access control devices 282
Endpoint security 292
Content distribution networks 294
Physical devices 294
Design and Establish Secure Communication Channels 295
Voice 295
Email 296
Web 300
Facsimile 302
Multimedia collaboration 302
Remote access 303
Data communications 308
Virtualized networks 309
Virtualization 309
Prevent or Mitigate Network Attacks 310
Bluejacking and bluesnarfing 310
ICMP flood 311
Smurf 311
Fraggle 311
DNS Server Attacks 311
Man-in-the-Middle 311
Session hijacking (spoofing) 312
Session hijacking (session token interception) 312
SYN flood 312
Teardrop 312
UDP flood 313
Eavesdropping 313
Chapter 7: Identity and Access Management 315
Control Physical and Logical Access to Assets 316
Information 316
Systems and devices 316
Facilities 317
Life safety 318
Manage Identification and Authentication of People, Devices, and Services 319
Identity management implementation 319
Single/multi-factor authentication 328
Accountability 343
Session management 344
Registration and proofing of identity 344
Federated identity management 346
Credential management systems 346
Integrate Identity-as-a-Service 347
Integrate Third-Party Identity Services 348
Implement and Manage Authorization Mechanisms 348
Access control techniques 349
Prevent or Mitigate Access Control Attacks 353
Manage the Identity and Access Provisioning Lifecycle 355
Chapter 8: Security Assessment and Testing 357
Design and Validate Assessment and Test Strategies 357
Conduct Security Control Testing 359
Vulnerability assessments 359
Penetration testing 361
Log reviews 365
Synthetic transactions 367
Code review and testing 368
Misuse case testing 368
Test coverage analysis 370
Interface testing 370
Collect Security Process Data 371
Account management 371
Management review 372
Key performance and risk indicators 373
Backup verification data 374
Training and awareness 375
Disaster recovery and business continuity 375
Analyze Test Output and Generate Reports 376
Conduct or Facilitate Security Audits 376
Chapter 9: Security Operations 379
Understand and Support Investigations 379
Evidence collection and handling 379
Reporting and documentation 386
Investigative techniques 387
Digital forensics tools, tactics, and procedures 389
Understand Requirements for Investigation Types 390
Conduct Logging and Monitoring Activities 391
Intrusion detection and prevention 391
Security information and event management 393
Continuous monitoring 393
Egress monitoring 394
Securely Provisioning Resources 394
Understand and Apply Foundational Security Operations Concepts 396
Need-to-know and least privilege 396
Separation of duties and responsibilities 397
Privileged account management 398
Job rotation 400
Information lifecycle 402
Service-level agreements 402
Apply Resource Protection Techniques 405
Media management 406
Hardware and software asset management 407
Conduct Incident Management 407
Operate and Maintain Detective and Preventive Measures 409
Implement and Support Patch and Vulnerability Management 411
Understand and Participate in Change Management Processes 412
Implement Recovery Strategies 412
Backup storage strategies 413
Recovery site strategies 413
Multiple processing sites 413
System resilience, high availability, quality of service, and fault tolerance 414
Implement Disaster Recovery (DR) Processes 415
Response 419
Personnel 421
Communications 421
Assessment 422
Restoration 423
Training and awareness 423
Test Disaster Recovery Plans 423
Read-through 424
Walkthrough or tabletop 424
Simulation 424
Parallel 425
Full interruption (or cutover) 426
Participate in Business Continuity (BC) Planning and Exercises 427
Implement and Manage Physical Security 427
Address Personnel Safety and Security Concerns 428
Chapter 10: Software Development Security 429
Understand and Integrate Security in the Software Development Lifecycle 429
Development methodologies 430
Maturity models 437
Operation and maintenance 438
Change management 439
Integrated product team 439
Identify and Apply Security Controls in Development Environments 440
Security of the software environments 440
Configuration management as an aspect of secure coding 442
Security of code repositories 443
Assess the Effectiveness of Software Security 444
Auditing and logging of changes 444
Risk analysis and mitigation 445
Acceptance testing 446
Assess Security Impact of Acquired Software 447
Define and Apply Secure Coding Guidelines and Standards 448
Security weaknesses and vulnerabilities at the source-code level 448
Security of application programming interfaces 450
Secure coding practices 451
Part 3: The Part of Tens 453
Chapter 11: Ten Test-Planning Tips 455
Know Your Learning Style 455
Get a Networking Certification First 456
Register Now! 456
Make a 60-Day Study Plan 456
Get Organized and Read! 457
Join a Study Group 458
Take Practice Exams 458
Take a CISSP Training Seminar 458
Adopt an Exam-Taking Strategy 459
Take a Breather 459
Chapter 12: Ten Test-Day Tips 461
Get a Good Night’s Rest 461
Dress Comfortably 461
Eat a Good Meal 462
Arrive Early 462
Bring a Photo ID 462
Bring Snacks and Drinks 462
Bring Prescription and Over-the-Counter Medications 463
Leave Your Mobile Devices Behind 463
Take Frequent Breaks 463
Guess — as a Last Resort 464
Glossary 465
Index 509
Detail | Value
---|---
Publication date | 11.07.2018
Place of publication | New York
Language | English
Dimensions | 188 x 233 mm
Weight | 748 g
Subject area | Computer Science ► Other Topics ► Certification
ISBN-10 | 1-119-50581-X / 111950581X
ISBN-13 | 978-1-119-50581-5 / 9781119505815
Condition | New