CONTENTS

From the Author

Acknowledgments

Why Become a CISSP?

Part I      Security and Risk Management

Chapter 1 Cybersecurity Governance

Fundamental Cybersecurity Concepts and Terms

Confidentiality

Integrity

Availability

Authenticity

Nonrepudiation

Balanced Security

Other Security Terms

Security Governance Principles

Aligning Security to Business Strategy

Organizational Processes

Organizational Roles and Responsibilities

Security Policies, Standards, Procedures, and Guidelines

Security Policy

Standards

Baselines

Guidelines

Procedures

Implementation

Personnel Security

Candidate Screening and Hiring

Employment Agreements and Policies

Onboarding, Transfers, and Termination Processes

Vendors, Consultants, and Contractors

Compliance Policies

Privacy Policies

Security Awareness, Education, and Training Programs

Degree or Certification?

Methods and Techniques to Present Awareness and Training

Periodic Content Reviews

Program Effectiveness Evaluation

Professional Ethics

(ISC)2 Code of Professional Ethics

Organizational Code of Ethics

The Computer Ethics Institute

Chapter Review

Quick Review

Questions

Answers

Chapter 2 Risk Management

Risk Management Concepts

Holistic Risk Management

Information Systems Risk Management Policy

The Risk Management Team

The Risk Management Process

Overview of Vulnerabilities and Threats

Identifying Threats and Vulnerabilities

Assessing Risks

Asset Valuation

Risk Assessment Teams

Methodologies for Risk Assessment

Risk Analysis Approaches

Qualitative Risk Analysis

Responding to Risks

Total Risk vs. Residual Risk

Countermeasure Selection and Implementation

Types of Controls

Control Assessments

Monitoring Risks

Effectiveness Monitoring

Change Monitoring

Compliance Monitoring

Risk Reporting

Continuous Improvement

Supply Chain Risk Management

Upstream and Downstream Suppliers

Risks Associated with Hardware, Software, and Services

Other Third-Party Risks

Minimum Security Requirements

Service Level Agreements

Business Continuity

Standards and Best Practices

Making BCM Part of the Enterprise Security Program

Business Impact Analysis

Chapter Review

Quick Review

Questions

Answers

Chapter 3 Compliance

Laws and Regulations

Types of Legal Systems

Common Law Revisited

Cybercrimes and Data Breaches

Complexities in Cybercrime

The Evolution of Attacks

International Issues

Data Breaches

Import/Export Controls

Transborder Data Flow

Privacy

Licensing and Intellectual Property Requirements

Trade Secret

Copyright

Trademark

Patent

Internal Protection of Intellectual Property

Software Piracy

Compliance Requirements

Contractual, Legal, Industry Standards, and Regulatory Requirements

Privacy Requirements

Liability and Its Ramifications

Requirements for Investigations

Administrative

Criminal

Civil

Regulatory

Chapter Review

Quick Review

Questions

Answers

Chapter 4 Frameworks

Overview of Frameworks

Risk Frameworks

NIST RMF

ISO/IEC 27005

OCTAVE

FAIR

Information Security Frameworks

Security Program Frameworks

Security Control Frameworks

Enterprise Architecture Frameworks

Why Do We Need Enterprise Architecture Frameworks?

Zachman Framework

The Open Group Architecture Framework

Military-Oriented Architecture Frameworks

Other Frameworks

ITIL

Six Sigma

Capability Maturity Model

Putting It All Together

Chapter Review

Quick Review

Questions

Answers

Part II     Asset Security

Chapter 5 Assets

Information and Assets

Identification

Classification

Physical Security Considerations

Protecting Mobile Devices

Paper Records

Safes

Managing the Life Cycle of Assets

Ownership

Inventories

Secure Provisioning

Asset Retention

Data Life Cycle

Data Acquisition

Data Storage

Data Use

Data Sharing

Data Archival

Data Destruction

Data Roles

Chapter Review

Quick Review

Questions

Answers

Chapter 6 Data Security

Data Security Controls

Data States

Standards

Scoping and Tailoring

Data Protection Methods

Digital Asset Management

Digital Rights Management

Data Loss Prevention

Cloud Access Security Broker

Chapter Review

Quick Review

Questions

Answers

Part III    Security Architecture and Engineering

Chapter 7 System Architectures

General System Architectures

Client-Based Systems

Server-Based Systems

Database Systems

High-Performance Computing Systems

Industrial Control Systems

Devices

Distributed Control System

Supervisory Control and Data Acquisition

ICS Security

Virtualized Systems

Virtual Machines

Containerization

Microservices

Serverless

Cloud-Based Systems

Software as a Service

Platform as a Service

Infrastructure as a Service

Everything as a Service

Cloud Deployment Models

Pervasive Systems

Embedded Systems

Internet of Things

Distributed Systems

Edge Computing Systems

Chapter Review

Quick Review

Questions

Answers

Chapter 8 Cryptology

The History of Cryptography

Cryptography Definitions and Concepts

Cryptosystems

Kerckhoffs’ Principle

The Strength of the Cryptosystem

One-Time Pad

Cryptographic Life Cycle

Cryptographic Methods

Symmetric Key Cryptography

Asymmetric Key Cryptography

Elliptic Curve Cryptography

Quantum Cryptography

Hybrid Encryption Methods

Integrity

Hashing Functions

Message Integrity Verification

Public Key Infrastructure

Digital Certificates

Certificate Authorities

Registration Authorities

PKI Steps

Key Management

Attacks Against Cryptography

Key and Algorithm Attacks

Implementation Attacks

Other Attacks

Chapter Review

Quick Review

Questions

Answers

Chapter 9 Security Architectures

Threat Modeling

Attack Trees

STRIDE

The Lockheed Martin Cyber Kill Chain

The MITRE ATT&CK Framework

Why Bother with Threat Modeling

Secure Design Principles

Defense in Depth

Zero Trust

Trust But Verify

Shared Responsibility

Separation of Duties

Least Privilege

Keep It Simple

Secure Defaults

Fail Securely

Privacy by Design

Security Models

Bell-LaPadula Model

Biba Model

Clark-Wilson Model

Noninterference Model

Brewer and Nash Model

Graham-Denning Model

Harrison-Ruzzo-Ullman Model

Security Requirements

Security Capabilities of Information Systems

Trusted Platform Module

Hardware Security Module

Self-Encrypting Drive

Bus Encryption

Secure Processing

Chapter Review

Quick Review

Questions

Answers

Chapter 10 Site and Facility Security

Site and Facility Design

Security Principles

The Site Planning Process

Crime Prevention Through Environmental Design

Designing a Physical Security Program

Site and Facility Controls

Work Area Security

Data Processing Facilities

Distribution Facilities

Storage Facilities

Utilities

Fire Safety

Environmental Issues

Chapter Review

Quick Review

Questions

Answers

Part IV     Communication and Network Security

Chapter 11 Networking Fundamentals

Data Communications Foundations

Network Reference Models

Protocols

Application Layer

Presentation Layer

Session Layer

Transport Layer

Network Layer

Data Link Layer

Physical Layer

Functions and Protocols in the OSI Model

Tying the Layers Together

Local Area Networks

Network Topology

Medium Access Control Mechanisms

Layer 2 Protocols

Transmission Methods

Layer 2 Security Standards

Internet Protocol Networking

TCP

IP Addressing

IPv6

Address Resolution Protocol

Dynamic Host Configuration Protocol

Internet Control Message Protocol

Simple Network Management Protocol

Domain Name Service

Network Address Translation

Routing Protocols

Intranets and Extranets

Metropolitan Area Networks

Metro Ethernet

Wide Area Networks

Dedicated Links

WAN Technologies

Chapter Review

Quick Review

Questions

Answers

Chapter 12 Wireless Networking

Wireless Communications Techniques

Spread Spectrum

Orthogonal Frequency Division Multiplexing

Wireless Networking Fundamentals

WLAN Components

WLAN Standards

Other Wireless Network Standards

Other Important Standards

Evolution of WLAN Security

802.11

802.11i

802.11w

WPA3

802.1X

Best Practices for Securing WLANs

Mobile Wireless Communication

Multiple Access Technologies

Generations of Mobile Wireless

Satellites

Chapter Review

Quick Review

Questions

Answers

Chapter 13 Securing the Network

Applying Secure Design Principles to Network Architectures

Secure Networking

Link Encryption vs. End-to-End Encryption

TLS

VPN

Secure Protocols

Web Services

Domain Name System

Electronic Mail

Multilayer Protocols

Distributed Network Protocol 3

Controller Area Network Bus

Modbus

Converged Protocols

Encapsulation

Fiber Channel over Ethernet

Internet Small Computer Systems Interface

Network Segmentation

VLANs

Virtual eXtensible Local Area Network

Software-Defined Networks

Software-Defined Wide Area Network

Chapter Review

Quick Review

Questions

Answers

Chapter 14 Network Components

Transmission Media

Types of Transmission

Cabling

Bandwidth and Throughput

Network Devices

Repeaters

Bridges

Switches

Routers

Gateways

Proxy Servers

PBXs

Network Access Control Devices

Network Diagramming

Operation of Hardware

Endpoint Security

Content Distribution Networks

Chapter Review

Quick Review

Questions

Answers

Chapter 15 Secure Communications Channels

Voice Communications

Public Switched Telephone Network

DSL

ISDN

Cable Modems

IP Telephony

Multimedia Collaboration

Meeting Applications

Unified Communications

Remote Access

VPN

Desktop Virtualization

Secure Shell

Data Communications

Network Sockets

Remote Procedure Calls

Virtualized Networks

Third-Party Connectivity

Chapter Review

Quick Review

Questions

Answers

Part V      Identity and Access Management

Chapter 16 Identity and Access Fundamentals

Identification, Authentication, Authorization, and Accountability

Identification and Authentication

Knowledge-Based Authentication

Biometric Authentication

Ownership-Based Authentication

Credential Management

Password Managers

Password Synchronization

Self-Service Password Reset

Assisted Password Reset

Just-in-Time Access

Registration and Proofing of Identity

Profile Update

Session Management

Accountability

Identity Management

Directory Services

Directories’ Role in Identity Management

Single Sign-On

Federated Identity Management

Federated Identity with a Third-Party Service

Integration Issues

On-Premise

Cloud

Hybrid

Chapter Review

Quick Review

Questions

Answers

Chapter 17 Managing Identities and Access

Authorization Mechanisms

Discretionary Access Control

Mandatory Access Control

Role-Based Access Control

Rule-Based Access Control

Attribute-Based Access Control

Risk-Based Access Control

Implementing Authentication and Authorization Systems

Access Control and Markup Languages

OAuth

OpenID Connect

Kerberos

Remote Access Control Technologies

Managing the Identity and Access Provisioning Life Cycle

Provisioning

Access Control

Compliance

Configuration Management

Deprovisioning

Controlling Physical and Logical Access

Information Access Control

System and Application Access Control

Access Control to Devices

Facilities Access Control

Chapter Review

Quick Review

Questions

Answers

Part VI     Security Assessment and Testing

Chapter 18 Security Assessments

Test, Assessment, and Audit Strategies

Designing an Assessment

Validating an Assessment

Testing Technical Controls

Vulnerability Testing

Other Vulnerability Types

Penetration Testing

Red Teaming

Breach Attack Simulations

Log Reviews

Synthetic Transactions

Code Reviews

Code Testing

Misuse Case Testing

Test Coverage

Interface Testing

Compliance Checks

Conducting Security Audits

Internal Audits

External Audits

Third-Party Audits

Chapter Review

Quick Review

Questions

Answers

Chapter 19 Measuring Security

Quantifying Security

Security Metrics

Key Performance and Risk Indicators

Security Process Data

Account Management

Backup Verification

Security Training and Security Awareness Training

Disaster Recovery and Business Continuity

Reporting

Analyzing Results

Writing Technical Reports

Executive Summaries

Management Review and Approval

Before the Management Review

Reviewing Inputs

Management Approval

Chapter Review

Quick Review

Questions

Answers

Part VII    Security Operations

Chapter 20 Managing Security Operations

Foundational Security Operations Concepts

Accountability

Need-to-Know/Least Privilege

Separation of Duties and Responsibilities

Privileged Account Management

Job Rotation

Service Level Agreements

Change Management

Change Management Practices

Change Management Documentation

Configuration Management

Baselining

Provisioning

Automation

Resource Protection

System Images

Source Files

Backups

Vulnerability and Patch Management

Vulnerability Management

Patch Management

Physical Security

External Perimeter Security Controls

Facility Access Control

Internal Security Controls

Personnel Access Controls

Intrusion Detection Systems

Auditing Physical Access

Personnel Safety and Security

Travel

Security Training and Awareness

Emergency Management

Duress

Chapter Review

Quick Review

Questions

Answers

Chapter 21 Security Operations

The Security Operations Center

Elements of a Mature SOC

Threat Intelligence

Preventive and Detective Measures

Firewalls

Intrusion Detection and Prevention Systems

Antimalware Software

Sandboxing

Outsourced Security Services

Honeypots and Honeynets

Artificial Intelligence Tools

Logging and Monitoring

Log Management

Security Information and Event Management

Egress Monitoring

User and Entity Behavior Analytics

Continuous Monitoring

Chapter Review

Quick Review

Questions

Answers

Chapter 22 Security Incidents

Overview of Incident Management

Detection

Response

Mitigation

Reporting

Recovery

Remediation

Lessons Learned

Incident Response Planning

Roles and Responsibilities

Incident Classification

Notifications

Operational Tasks

Runbooks

Investigations

Motive, Opportunity, and Means

Computer Criminal Behavior

Evidence Collection and Handling

What Is Admissible in Court?

Digital Forensics Tools, Tactics, and Procedures

Forensic Investigation Techniques

Other Investigative Techniques

Forensic Artifacts

Reporting and Documenting

Chapter Review

Quick Review

Questions

Answers

Chapter 23 Disasters

Recovery Strategies

Business Process Recovery

Data Backup

Documentation

Human Resources

Recovery Site Strategies

Availability

Disaster Recovery Processes

Response

Personnel

Communications

Assessment

Restoration

Training and Awareness

Lessons Learned

Testing Disaster Recovery Plans

Business Continuity

BCP Life Cycle

Information Systems Availability

End-User Environment

Chapter Review

Quick Review

Questions

Answers

Part VIII   Software Development Security

Chapter 24 Software Development

Software Development Life Cycle

Project Management

Requirements Gathering Phase

Design Phase

Development Phase

Testing Phase

Operations and Maintenance Phase

Development Methodologies

Waterfall Methodology

Prototyping

Incremental Methodology

Spiral Methodology

Rapid Application Development

Agile Methodologies

DevOps

DevSecOps

Other Methodologies

Maturity Models

Capability Maturity Model Integration

Software Assurance Maturity Model

Chapter Review

Quick Review

Questions

Answers

Chapter 25 Secure Software

Programming Languages and Concepts

Assemblers, Compilers, Interpreters

Runtime Environments

Object-Oriented Programming Concepts

Cohesion and Coupling

Application Programming Interfaces

Software Libraries

Secure Software Development

Source Code Vulnerabilities

Secure Coding Practices

Security Controls for Software Development

Development Platforms

Tool Sets

Application Security Testing

Continuous Integration and Delivery

Security Orchestration, Automation, and Response

Software Configuration Management

Code Repositories

Software Security Assessments

Risk Analysis and Mitigation

Change Management

Assessing the Security of Acquired Software

Commercial Software

Open-Source Software

Third-Party Software

Managed Services

Chapter Review

Quick Review

Questions

Answers

Appendix A       Comprehensive Questions

Answers

Appendix B       Objective Map

Appendix C       About the Online Content

System Requirements

Your Total Seminars Training Hub Account

Privacy Notice

Single User License Terms and Conditions

TotalTester Online

Graphical Questions

Online Flash Cards

Single User License Terms and Conditions

Technical Support

Glossary

Index
